Question
How do I have to set up a TWiki system so that it authenticates via an internal LDAP server? The BugZilla instance using the same server as our TWiki system does that already using some kind of hand-made login mechanism (page).
Can anybody provide me with his (abstracted) running configuration files (TWiki.cfg and Apache's httpd.conf snippet) or scripts that are necessary to implement this kind of functionality?
Environment
| TWiki version: | TWikiBetaRelease |
| TWiki plugins: | ActionTrackerPlugin, AliasPlugin, BeautifierPlugin, CalendarPlugin, ChartPlugin, CommentPlugin, DefaultPlugin, EditTablePlugin, EmptyPlugin, FindElsewherePlugin, FormQueryPlugin, GaugePlugin, GnuSkinPlugin, HeadlinesPlugin, InterwikiPlugin, LdapPlugin, LocalCityTimePlugin, NotificationPlugin, RandomQuotePlugin, RecursiveRenderPlugin, RenderListPlugin, SessionPlugin, SlashFilenamePlugin, SlideShowPlugin, SmiliesPlugin, SpreadSheetPlugin, TWikiDrawPlugin, TablePlugin, TocPlugin, TopicVarsPlugin, TreePlugin |
| Server OS: | RedHat Linux |
| Web server: | Apache 1.38 |
| Perl version: | 5.6.1 |
| Client OS: | Windows 2000, Linux |
| Web Browser: | Internet Explorer, Mozilla |
Kind regards
--
FranzJosefSilli - 13 Feb 2004
Answer
Here is one example of how we did it. The company-specific details have been removed:
- Load auth_ldap module in Apache
- The .htaccess file in twiki/bin is modified as per below:
Redirect http://50nm7panwb5yw1yg74jj8.roads-uae.org/index.html http://50nm7panwb5yw1yg74jj8.roads-uae.org/bin/view.cgi
AuthType Basic
AuthName "LDAP Login"
AuthLDAPURL ldap://ldap.yy.zz.com:389/ou=People,ou=Intranet,dc=zz,dc=com?uid?sub?(objectClass=*)
SetHandler cgi-script
ErrorDocument 401 /bin/oops.cgi/TWiki/TWikiRegistration?template=oopsauth
<Files ~ "[^/]*\.html$">
SetHandler blabla
allow from all
</Files>
<Files "*">
require valid-user
allow from all
</Files>
Note that our internal TWiki site, which is used to track internal Intellectual Property related subjects, requires that everyone authenticate. While seemingly flying in the face of TWiki, keep in mind that we are using TWiki in a more controlled manner and most internal websites here require base authentication to make sure that you are a company employee.
Hope this helps.
--
SteveRJones - 16 Feb 2004
I don't see any additional input from anyone, so I'll mark this question as answered??
--
SteveRJones - 05 Mar 2004
Should I configure any file in the "httpd.conf" or in any TWiki file? Because when I try to authenticate I receive the error "LDAP error: Invalid credentials; URI /twiki/bin/..." in the error log of the Apache.
Sincerely Robert
--
RobertMueller - 17 Jan 2005
Sorry, I think I have a bit more to this. Apparently the .htaccess file belongs in /twiki/html and is simply
RedirectPermanent / http://50nm7panwb5yw1yg74jj8.roads-uae.org/bin/view.cgi
We also have a httpd.conf file in twiki/conf that Apache refers to:
<VirtualHost *>
ServerAdmin webmaster@yy.xx.com
DocumentRoot "/proj/sysadmin/ess/www/twiki/html"
ServerAlias twiki.yy.xx.com
ServerAlias twiki.ww.yy.xx.net
ServerName twiki.zz.net
ErrorLog /proj/sysadmin/ess/www/twiki/logs/error_log
CustomLog /proj/sysadmin/ess/www/twiki/logs/access_log combined
<Directory "/proj/sysadmin/ess/www/twiki/html/bin/">
Options +ExecCGI
allow from all
AllowOverride Authconfig FileInfo Indexes Limit Options
</Directory>
<Location /bin>
Options +ExecCGI
AuthType Basic
AuthName CoreID
AuthLDAPURL ldap://ldap.zz.net:389/ou=People,ou=Intranet,dc=company,dc=com?uid?sub?(objectClass=*)
require valid-user
allow from all
<Limit OPTIONS>
Order Deny,Allow
Deny from all
</Limit>
</Location>
</VirtualHost>
--
SteveRJones - 20 Jan 2005
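An added example, not part of the original posts and not code from TWiki or auth_ldap: a small Python check that splits an AuthLDAPURL value like the ones posted above into host, port, base DN, attribute, scope and filter, and lists settings worth reviewing. It assumes the `scheme://host:port/basedn?attribute?scope?filter` layout seen in those lines; the function names and the wording of the findings are illustrative.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample: the AuthLDAPURL value as posted above (placeholder host names).
SAMPLE = ("ldap://ldap.zz.net:389/ou=People,ou=Intranet,dc=company,dc=com"
          "?uid?sub?(objectClass=*)")

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into named fields."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    if not parts.hostname:
        raise ValueError("no LDAP host in %r" % url)
    # Everything after the first '?' arrives as the "query"; absent fields become None.
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 3:
        raise ValueError("too many '?' fields in %r" % url)
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = (unquote(f) or None for f in fields)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")) or None,
        "attribute": attribute,
        "scope": scope,
        "filter": ldap_filter,
    }

def audit(url):
    """Return (fields, findings) for one AuthLDAPURL value."""
    f = parse_auth_ldap_url(url)
    findings = []
    if f["scheme"] == "ldap":
        findings.append("ldap:// scheme: the bind is unencrypted unless StartTLS is set up separately")
    if f["base_dn"] is None:
        findings.append("no base DN given")
    if f["scope"] not in (None, "one", "sub", "base"):
        findings.append("unknown scope %r" % f["scope"])
    if f["filter"] == "(objectClass=*)":
        findings.append("filter (objectClass=*) does not restrict which entries may log in")
    return f, findings

if __name__ == "__main__":
    fields, findings = audit(SAMPLE)
    print(fields)
    for line in findings:
        print("review:", line)
```

Checking the parsed host and port against what the web server can actually reach is a quick first step when Apache logs a connection error for the LDAP server.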
I'm interested in generating some of my TWikiGroups via the LdapPlugin and our organisation's LDAP repository. I have got LdapPlugin working, but have a problem - maybe just a format specification problem - in getting the results formatted into a group topic in a suitable manner.
With
%LDAP{host="ldap.host.name" base="ou=bar,ou=foo,o=org" filter="groupMembership=cn=foobar,ou=bar,ou=foo,o=org"
header=" * Set LDAPGROUP = " format="$givenname$surname, " notfounderror="%ADMONCAUTION% LDAP not working" order="surname"}%
I get a line break between the Set LDAPGROUP, and the values I want. I've tried leaving a blank header, but I end up with the first LDAP entry correctly on the Set line, but all the others on the next.
Can anyone advise, either on a fix or an alternate strategy? I've looked at the manual setup as proposed in GroupManagementTools and MegaTWiki, but would prefer an automatic one.
(This is maybe slightly off topic, but I can't find a reference elsewhere)
--
ScottClaridge - 03 Feb 2005
This possibly works since bullets can span multiple lines provided that followup lines are indented:
format=" $givenname$surname, "
--
PeterThoeny - 03 Feb 2005
Works a treat. I didn't know that you could do that with lists. You learn something all the time.
Well actually it doesn't work. I guess that the code in Access.pm doesn't actually render the page, so thus the plugin never fires, so the list contains the variable text and not any user names. Maybe I'll have to go back to an automatic, script-generated approach... Should someone else have differing experiences, then let me know.
--
ScottClaridge - 03 Feb 2005
I'm probably not getting what you're looking for, but I think you want mvformat. You want to tell the ldap query what to separate multiple values with.
--
GeraldSkerbitz - 26 Apr 2005
TWiki has now an LdapContrib that allows you to transparently authenticate users via LDAP.
--
PeterThoeny - 22 Jul 2006
Please look up GroupManagementTools for more details.
--
SurajChatrath - 04 Aug 2006
Hi, I have got AuthenticationWithApacheAndLDAP working. Please read for details.
--
LarreDo - 07 Sep 2006
Hi. I need to allow guest users to browse my twiki on selected pages, but also I need to add a Login Button by LDAP, so if the user gets logged in a new set of pages will be available. Is there a way to do that?
--
GabrielCutri - 10 Apr 2007
I tried LdapContrib now. And everything works fine after a few hours (maybe days) until I got the right configuration to ask the LDAP Server the right questions :-). Well, now I can see my LDAP (AD) Groups if I click on TWikiGroups. In there I can see all the members of the group. And if I want to edit a page I have to authenticate myself with my Domain Account and my Domain Password. But I can't see the Users if I click TWikiUsers. Well, the Users should also be mapped, I use 'givenName, sn' as WikiName. And when I watch the logfile, the WikiNames build correctly but I can't see the users in my system. Anyone know why?
--
GeorgSauseng - 08 Oct 2007
I made a new major release of the LdapContrib. There's a questionnaire in the docu now that helps you to plan your TWiki-LDAP-integration.
--
MichaelDaum - 11 Oct 2007
Did any of you get it working on Debian 4?
--
RobertoRocha - 23 Oct 2007
Yes, I am using Debian on all of my systems.
--
MichaelDaum - 26 Oct 2007
I keep getting the following message after typing the user/pass: Could not connect to LDAP server: No such file or directory. I'm not sure if I'm doing something wrong in the configuration, but I checked the LocalSite.cfg and the apache.conf files and they all look fine. I am using the auth_ldap from http://d8ngmj9jtk7uamm5hkae4.roads-uae.org/auth_ldap/. Apache 1.3 doesn't give me any errors when I load it up. Michael: Which module are you using? Anyone: Any suggestions?
--
RobertoRocha - 31 Oct 2007
It may come from your AuthLDAPURL, could you paste your configure here?
--
HieuLeTrung - 16 Mar 2008
The problem in TWiki 5.1.4 is:
- Login name is "user.name" and TWiki says: username, not UserName.
The fix for this is:
_/path/to/your/twiki/lib/Twiki/Users /_
diff -uNr a/TWikiUserMapping.pm b/TWikiUserMapping.pm
--- a/TWikiUserMapping.pm 2013-02-17 00:10:50.000000000 +0100
+++ b/TWikiUserMapping.pm 2013-06-27 14:00:18.000000000 +0200
@@ -453,7 +453,9 @@
if ($wikiname) {
# sanitise the generated WikiName
$wikiname =~ s/$TWiki::cfg{NameFilter}//go;
- $wikiname =~ s/\.//go;
+ $wikiname =~ s/((^\w)|(\.\w))/\U$1/xg;//go;
+ $wikiname =~ s/\.//go;
}
}
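Review bot: The added line `$wikiname =~ s/((^\w)|(\.\w))/\U$1/xg;//go;` ends in a stray `//go;`, which Perl parses as a separate empty-pattern match statement after the substitution rather than as part of it. Drop it so the line reads `$wikiname =~ s/(^\w|\.\w)/\U$1/g;`; the nested capture groups and the `/x` flag are not needed either. Separately, once the following `s/\.//go` strips the dots, distinct login names such as `user.name` and `userName` both end up as `UserName`, so it is worth confirming that the surrounding code rejects a WikiName that is already mapped to another login.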
After this patch, the Username login with user.name is: UserName
--
Michael Berger - 2013-07-04
Thanks Michael for providing the patch. This is tracked in TWikibug:Item7288.
I had to change the patch, it made the Bugs:WebHome web inoperable due to an uninitialized error. I fixed the wikification in a different way.
--
Peter Thoeny - 2013-07-05