Tags:
authentication1Add my vote for this tag windows1Add my vote for this tag create new tag
, view all tags

Integrated Windows Authentication (SSPI) with Indigo Perl

If you've managed to install Twiki on a Windows using Indigo Perl and would like to make use of Windows security to authenticate users mapping them to Twiki users automatically the following short tutorial may be of use.

Apache can authenticate Windows uses, using local Windows security or an Active Directory. The source code control system Subversion has shipped with an Apache module to allow this form of integrated Windows Security for some time.

First you'll need the mod_auth_sspi module which you can download version 1.0.3 from: http://www.gknw.at/development/apache/httpd-2.0/win32/modules/. 1.0.3 is important since it allows us to configure the authentication to strip the domain (or machine name) from the user's fully qualified name. This makes it straight forward to map users to Twiki names.

  • Decompress the zip archive and copy the mod_auth_sspi.so file to \indigoperl\apache\modules
  • Edit the Apache configuration file to configure authentication for the Twiki virtual directory. Either edit the \indigoperl\apache\conf\httpd.conf directly or if you followed the original IndigoPerlCookbook the Twiki settings will be in the \twiki\twiki.conf file. Add the following lines:

<Location /twiki>
AuthType SSPI
AuthName "Wiki"

Require valid-user

SSPIAuth On
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain On
SSPIOfferBasic On
</Location>

If you've changed the virtual directory for your wiki you will have to update the Location element and include the correct name above.

Also, add the LoadModule line to httpd.conf as described in the INSTALL file from the zip.

Restart Apache and navigate to a Twiki page, you should now see the authenticated Windows user mapped to a Twiki user.

-- Contributors: DarrenSyzling, TorHovland

Discussion

Thanks Darren for sharing your experience with the TWikiCommunity. This topic is now tagged, and linked from TWikiUserAuthenticationSupplement and WindowsInstallCookbook.

-- PeterThoeny - 13 May 2006

Has anyone had success getting Windows Authentication (SSPI) working on a linux platform? TWikiVMDebianStable is an important project because it makes installing a wiki nearly as trivial as downloading a file. And the fact that the TWiki performs better within a virtual machine than natively on top of Windows on the same hardware is a big win also! Obviously, there are a lot of Unix/Linux experts hanging out here, but that is not necessarily so at many corporate companies. The TWiki-VM can make major in-roads in this regard, in getting TWiki installed in companies around the world.

However, many companies (like ours) will require NT authentication/integration, for a variety of reasons. When I followed these instructions, I only got a "invalid ELF Header" in Apache, and then refuses to load. Is there something I'm missing? Is it that mod_auth_sspi.so needs to be compiled for linux? Any guidance will be greatly appreciated (and I promise if I can get it up and running I'll detail the instructions on TWikiVMDebianStable). Thanks in advance, RickVanderveer.

-- RickVanderveer - 14 Jun 2006

Rick - the .so or .o you've downloaded must be wrong in some way for you get the ELF header message (this is from the Linux kernel, saying the executable binary format is wrong). So you'll need to compile this from source code.

I'm not sure if TWikiVMDebianStable includes a compiler setup (gcc, make, etc), but you can simply type apt-get install build-essential at the shell prompt, as root, to install everything you need (see http://packages.debian.org/testing/devel/build-essential if need be).

You will need to read up on how to compile this module etc, but if you can find a suitable mailing list you might have some luck. Do check first that this Apache module works under Linux, I'd expect that it does though.

Hope that helps...

-- RichardDonkin - 05 Jul 2006

mod_auth_sspi only works for the Windows version of Apache2 since it uses the WININET API to authenticate. I am working on a solution using mod_auth_kerb to do a single-sign-on into a Windows 2003 AD. Once that is up, TWiki will just pull the REMOTE_USER from Apache, translate it to the WikiName and move on from there.

I had kerberos up and running fine on a test domain and using a Fedora Core 6 box but the Apache module was not behaving properly. I'll post a full tutorial once I get this all figured out. For now, the research is based on these docs:

http://www.grolmsnet.de/kerbtut/

and

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

Someone let me know if they've gotten any closer.

-- DaveCampbell - 21 Feb 2007

My only other pointer is NtlmForSolaris10 - a general version of that HOWTO page would be helpful for Linux, Unix and TWikiVMDebianStable.

-- RichardDonkin - 22 Feb 2007

Purely FYI:

I have TWiki 4.2.0 in Apache 2.2.9 (with mod_perl 2.0.3 and mod_auth_sspi 1.0.4) on Windows Server 2003 SP2 (a domain member) with ActiveState Perl 5.8.8 build 822 and I've got domain authentication working with mod_auth_sspi using the following Apache directive within my twiki.conf:

# For NTLM Authentication
<Directory "D:/inetpub/twiki>
    AuthType SSPI
    AuthName "Login using your DOMAIN username and password please"

    # only the Apps Support team can log into TWiki with their domain username and password
    require user greent marshalk moorej

    SSPIAuth On
    SSPIAuthoritative Off
    SSPIOfferSSPI Off
    SSPIDomain abc.gov.uk
    SSPIOmitDomain On
    SSPIOfferBasic On

</Directory>

I have also specified in the TWiki Configuration the use of the ApacheLoginManager, sessions and cookies.

In TWiki I have ensured that only the TWikiAdminGroup can edit all pages and made all my users members of that group.

This works a treat however I would prefer it if the authentication was transparent, even though IE can save the username/password.

In both IE7 and FF3 I get asked for the username/password once only and I can omit the domain part of the username no problems. i.e. I can type in moorej instead of ABC\moorej.

-- JamesGMoore - 11 Jul 2008

Forgot to mention what my TWikiUsers topic looks like.

Here is one line from that topic, its all you need to figure it out:

JamesMoore - moorej - 02 Jun 2008

-- JamesGMoore - 11 Jul 2008

Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r8 - 2008-07-11 - JamesGMoore
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.