On an intranet users will often have already been authenticated against their central login server, and it's just annoying to force them login again, sometimes using a different name & password, in order to use TWiki. Wouldn't it be nice if we could just use the existing authenticated session?
(Also referred to as SingleSignOn)
TWiki supports a range of different authentication methods. These are:
- Pure TWiki authentication (no other authentication system is involved)
- a.k.a TemplateLogin
- TWiki uses it's own
.htpasswd file, and handles all password negotiation itself.
- TWiki uses cookied sessions to remember user logins.
- Mainly used when TWiki stands alone (isn't integrated with any other applications)
- Apache authentication
- a.k.a ApacheLogin
- TWiki uses the
REMOTE_USER environment variable, which is set by an apache module, to recognise the user.
- Any Apache login module that sets
REMOTE_USER can be used.
- This is the usual login method used on intranets.
- Homebrew login
- Any third-party login system can be used by writing Perl login and password management modules to integrate with TWiki
- Example: LdapContrib
- Use if there is no Apache module available to support your login system, or you want a tighter integration.
The rest of this page discusses methods for transparent authentication based on the Apache authentication
On Unix, authenticated against a Windows domain
- NTLM works perfectly for me, using mod_ntlm and Apache 1.3, authenticating against a Windows 2003 server. I did have to remove a few "static" declarations from the source file of mod_ntlm to compile successfully on my Ubuntu server. Once I did that it worked transparently on IE.
- You can make Firefox do NTLM transparently as well, by following these instructions.
- Note that I had no luck getting mod_ntlm2 built against Apache 2.0. Luckily Ubuntu has both Apache 1.3 and 2.0 available.
- Note also that after enabling NTLM, I needed to do a few final steps to get the logon name to map to WikiName properly. First I had to rewrite my TWikiUsers page. The default version only included the user WikiName instead of WikiName - WindowsLogonName. Then I switched to the version of the TWikiRegistration page that asks for your network logon name. Finally I edited TWiki.cfg and set doMapUserToWikiName to "1". Note this is apparently a security risk but I'm on a small intranet so am not too worried.
- -- BillyCharlton
- There is a report that http://search.cpan.org/~speeves/Apache-AuthenNTLM-2.10/ works more easily than the apache module for Apache2. Using it would require modifying the twiki bin scripts or creating a plugin. -- MattWilkie - 12 Apr 2006
- I was not able to get ntlm authentication to work on a 64 bit linux with Apache 2. Compilation of mod_ntlm gave lot's of errors of mismatching pointer sizes etc, but got eventually compiled afer removing the same few "static" declarations as others had to do. The installation did not work either because compilation did not produce .so, but an .slo. I Installed the mod_ntml with
apxs -i -a -n 'ntlm' mod_ntlm.la. When I start apache after this, it crashes with segmentation fault.
Using PAM and SMB
It works great, but not transparently. Doesn't suffer from the performance issues that PAM and Winbind does. For installation use the same procedure and modules as in Using PAM and Winbind
below, but use the following configuration instead.
Overall authentication with Apache is forwarded to PAM using the Auth_PAM module. Here is a sample from httpd.conf:
AuthName "Documentation Center"
Allow from all
Next, add a SMB module to PAM (
) and changed the
auth sufficient /lib/security/pam_smb_auth.so nolocal debug
account optional /lib/security/pam_permit.so
Note: auth and account 'required' also work.
Lastly, the PAM SMB module requires a config file (
) with the domain on the first line, and the IP of the PDC on the following line. (Note: you can also use the NETBIOS name of the PDC if
is running and configured properly).
When you login, don't use the
syntax that winbind uses, just username.
Troubleshooting tip: SSH or telnet in to your linux machine and run:
tail -f /var/log/apache/error.log
and then point a browser at twiki.
Adapted from GettingWindowsLoginPassedToTwiki. Thanks go to RussellAdams.
Using PAM and Winbind
It was working, but then I broke it somehow, and now it's working again but I don't exactly why. As near as I can tell, in order to get it working you need to :
Update: I had
samba, winbind, libapache-mod-auth-pam more or less as detailed below.
- enable mod-auth-pam in
- do something which forces Twiki authentication, e.g. edit a page
- now you can disable
$twiki-bin/.htaccess and transparent authentication will work (for an unkown length of time).
$doRememberRemoteUser turned on in
Twiki.cfg . With this turned off, you once again need to have .htaccess enabled all the time. So, the end result is authentication via PAM and Winbind works, but not transparently. -- MattWilkie - 27 Aug 2002
Once more unto the breach:
I've mustered the resolve to take another crack at this. I have pam+winbind+apache authentication working (not transparently), but it is vveeerrrrry sllooowwwww. Authentication takes 60+ seconds on every
page read. Winbind authentication requests via SSH and SAMBA take less than 5 seconds. Yuk.
Feb 10 09:57:44 BUMBLEBEE sshd: PAM pam_parse: expecting return value; [...sufficienti]
these lines correspond to logging in from remote via ssh, using winbind for authentication. Elapsed time: 4 seconds, including the time it takes to type my password.
Feb 10 09:57:48 BUMBLEBEE pam_winbind: user 'ynet+mhwilkie' granted access
Feb 10 09:57:48 BUMBLEBEE pam_winbind: user 'ynet+mhwilkie' granted access
Feb 10 09:57:48 BUMBLEBEE sshd: Accepted password for ynet+mhwilkie from 184.108.40.206 port 1424 ssh2
Feb 10 09:57:48 BUMBLEBEE PAM_unix: (ssh) session opened for user ynet+mhwilkie by (uid=10000)
Feb 10 09:59:03 BUMBLEBEE sshd: PAM pam_putenv: delete non-existent entry; MAIL
these lines correspond to accessing \\bumblee\a_share\ by another user. Elapsed time: 4 seconds.
Feb 10 10:02:29 BUMBLEBEE PAM_unix: (samba) session opened for user ynet+dpdavids by (uid=0)
[Mon Feb 10 10:09:08 2003] [error] [client 220.127.116.11] File does not exist: /var/www/bin/oops/TWiki/TWikiRegistration
corresponds to pointing a browser at $twiki/bin/view/Sandbox/WebHome. Response time: instantaneous. The user is prompted with a login dialog.
[Mon Feb 10 10:10:24 2003] view: print() on closed filehandle TWiki::Store::FILE at ../lib/TWiki/Store.pm line 667.
some 70 seconds later. This corresponds to Sandbox/WebHome finally being displayed. %REMOTE_USER% corresponds to the authenticated username.
Feb 10 10:09:22 BUMBLEBEE apache: PAM pam_parse: expecting return value; [...sufficienti]
This what shows up in the auth log for the same browser request.
Feb 10 10:09:23 BUMBLEBEE pam_winbind: user 'ynet+mhwilkie' granted access
Feb 10 10:09:24 BUMBLEBEE pam_winbind: user 'ynet+mhwilkie' granted access
- 11 Feb 2003
this blockquote section probably contains erroneous information, use with caution
I've finally gotten this to work on a debian machine within a Windows NT domain and it's fast, smooth & painless. Not the setup, the setup was hell, but it sure works lickity split after that.
Packages installed (first indented bullet = required, second level bullet = not sure, but I installed it anyway):
Debian is v3.0.r0 using
- apache w/ apxs (apache-dev)
- Samba 2.2.2 or later
stable, main, contrib, testing in my apt sources config.
The packages were installed with the command:
apt-get install samba libpam-smb winbindd apache-dev libapache-mod-auth-pam libauthen-smb-perl
Note: I actually installed samba and got it working seperately a few days before
I used the document /usr/share/samba/swat/help/winbind.html as my guide for configuration. Read the whole thing for understanding but you can skip ahead to the Configure nsswitch.conf and the winbind libraries section:
Join the SAMBA server to the PDC domain
- I just used the example verbatim
Start up the winbindd daemon and test it!
- skipped this step because it was already completed a few days before
Fix the /etc/rc.d/init.d/smb startup files
There is no need to do anything here. The debian startup script is
- no changes from the doc's instructions
/etc/init.d/winbind . Test by running
/etc/init.d/winbind restart && ps -ae |grep winbind
Configure Winbind and PAM
Didn't use any of the examples in this section, except for understanding.
/etc/pam.d/httpd looks like:
auth required pam_winbind.so
account required pam_winbind.so
#auth sufficient pam_unix.so use_first_pass
#account sufficient pam_unix.so
I did not change any other pam.d files.
This completes the winbind setup. The only thing remaining to do is point your browser at http://.../view/TWiki/TWikiVariables. If everything is working your % USERNAME% should look like
DOMAIN+mhwilkie . If that is the case, go delete or rename
../bin/.htaccess because you don't need it anymore.
-- MattWilkie - 22 Aug 2002
AAaaaRgh! It worked flawlessly for about 4 hours and then started reporting USERNAME as "guest" for everybody across the board. yech.
-- MattWilkie - later on 22 Aug 2002
On Windows, in a Windows domain
- WindowsInstallModNTLM - Apache modules (mod_ntlm and mod_auth_sspi) to authenticate against an NT Domain server.
- ntlm: (apache 1.3) works, there are major performance issues in some configurations. This module has good quality code but is not maintained
- sspi: (apache 2.0) proven to work, code is maintained, no speed issues so far
- Apache (Cygwin or Unix) with mod_auth_kerb
- I have managed to get transparent TWiki authentication running for clients from a Windows2003 domain using mod_auth_kerb. This needed some patches which are unlikely to make it into DakarRelease, so no cookbook yet. More a proof of concept, and a guideline for me where to go with future contributions.
-- HaraldJoerg - 15 Nov 2005
23 Aug 2002, 05 Nov 2002, 30 Jul 2003
A writeup on how to use windows 2000/2003 active directory to authenticate and auto-populate twiki registeration details would be a great addition for many
- 20 Mar 2007
I setup mod_auth_kerb to a Win2k3 domain.
The apache lines are thus:
This will send the user credentials on. You need to use LdapContrib
to handle the rest, but I don't have that working yet.
- 01 Nov 2007
I use mod-auth-kerb to transparently authenticate with Windows 2003 as well. With a couple of plugins the registration details seem to flow into the right place. I'm working on a writeup at Windows2003Authentication
- 06 Dec 2007
Some more general links: