Colas.Nahaboo.net - ldapColas Nahaboo personal site, with discussions about programming code, web and computing topics, surfing and SUPing, and various musings.Zola2007-05-24T00:00:00+00:00https://colas.nahaboo.net/tags/ldap/atom.xmlLDAP TWiki authentication2007-05-24T00:00:00+00:002007-05-24T00:00:00+00:00
Unknown
https://colas.nahaboo.net/code/ldap-twiki-authentication/<h2 id="principles">Principles<a class="zola-anchor" href="#principles" aria-label="Anchor link for: principles">🔗</a></h2>
<p>This is how we use LDAP auth with TWiki (Cairo) with Microsoft Active
Directory</p>
<ul>
<li>We make TWiki use standard apache basic authentication (The
non-cookie, standard method). In this mode TWiki expects Apache to do
all the auth work, and then execute TWiki perl scripts with the user
login set into the environment variable <code>REMOTE_USER</code> by apache. Our
trick is to use a modified mod_ladp apache module that wil get the AD
login of the user, auth with AD/LDAP with it, and then <strong>change</strong> the
<code>REMOTE_USER</code> variable from windows login to the wiki name that is
dynamically computed by fetching First Name and Last Name in LDAP, and
concatenating them after some cleaning (capitalization, removing on
non-letter chars)</li>
<li>every N hours (for us, 4) a shell script dumps all
the LDAP accounts, checks the one not yet declared as TWiki accounts,
and for them create them via a modified (to be used non-interactively,
and without declaring a password) version of the <code>register</code> TWiki perl
CGI script</li>
<li>This shell script keeps the list of all LDAP accounts as a
wiki page for reference, and mails the changes to an admin mailing list</li>
</ul>
<h2 id="implementation">Implementation<a class="zola-anchor" href="#implementation" aria-label="Anchor link for: implementation">🔗</a></h2>
<h3 id="apache-module">Apache module<a class="zola-anchor" href="#apache-module" aria-label="Anchor link for: apache-module">🔗</a></h3>
<p>We are based on the v2.4.2 of
<a rel="noopener external" target="_blank" href="https://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html">https://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html</a></p>
<ul>
<li>
<a href="/code/ldap-twiki-authentication/mod_auth_ldap.colas.tgz">mod_auth_ldap.colas.tgz</a>
: The
whole module, modified</li>
<li>
<a href="/code/ldap-twiki-authentication/README.colas">README.colas</a>
: The readme</li>
</ul>
<h3 id="the-modified-register-twiki-file">The modified register TWiki file<a class="zola-anchor" href="#the-modified-register-twiki-file" aria-label="Anchor link for: the-modified-register-twiki-file">🔗</a></h3>
<p>to be placed in the TWiki <code>bin/</code> dir *
<a href="/code/ldap-twiki-authentication/register-ldap">register-ldap</a>
: modified version of the
Cairo TWiki bin/register script</p>
<h3 id="the-offline-account-generation-scripts">The offline account-generation scripts<a class="zola-anchor" href="#the-offline-account-generation-scripts" aria-label="Anchor link for: the-offline-account-generation-scripts">🔗</a></h3>
<ul>
<li>
<a href="/code/ldap-twiki-authentication/README_scripts.txt">README_scripts.txt</a>
: The README of scripts</li>
<li>
<a href="/code/ldap-twiki-authentication/ldap-ilog-update-wikinames">ldap-ilog-update-wikinames</a>
: main script</li>
<li>
<a href="/code/ldap-twiki-authentication/ldap-ilog-dump-wikiname">ldap-ilog-dump-wikiname</a>
: dump info for one account</li>
<li>
<a href="/code/ldap-twiki-authentication/wiki-register">wiki-register</a>
: shell script calling the CGI register-ldap via wget</li>
</ul>
<p>debug / dev ones:</p>
<ul>
<li>
<a href="/code/ldap-twiki-authentication/wiki-register-all">wiki-register-all</a>
: batch account creation</li>
<li>
<a href="/code/ldap-twiki-authentication/wiki-ldap-check-accounts">wiki-ldap-check-accounts</a>
: one shot: clean all wiki pages accounts</li>
</ul>