This is a thread-mode topic for discussion of TWiki as used on Intranets. If you have informal stories to tell and discuss, this is the place!
If you have a more focused story (especially a success) to tell, please put it into its own topic! TWikiSuccessStories has more on that.
I just installed TWiki for our Systems/Network teams here on campus. We needed a central repository for all kinds of info. Thank god for TWiki! Anywho, we have all of our accounts inside an OpenLDAP db. I was wondering how to set this up so all of our users would have access to edit TWiki and it would be public otherwise, except for our more sensitive internal UNIX FAQ/Howtos that are specific to our way of doing things. So, anyone can read, users can edit. How did I do this, you ask? Well, I edited the .htaccess file in /bin to look like this:
#<Limit GET POST PUT>
# require group cn=mygroup,ou=groups,dc=yourldapserver,dc=com
So when the simple web auth pops up, you have to have a valid account!
All I have left to do now is change my userreg form and possibly have it autocomplete some information, or maybe not. I don't know; that's what I am going to do now. I am just using this space to document my changes. So, I will be back later today.
- 27 Jan 2003
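An added example, not the poster's own file: the same policy (anyone can read, LDAP group members can edit) written for Apache 2.4 with mod_authnz_ldap, protecting the edit-side scripts by name rather than through a `<Limit>` wrapper. The Apache version, LDAP host, base DN and realm name are assumptions; the script list is the one given later in this thread.

```apache
# bin/.htaccess (added example; host name and DNs are placeholders)
# Needs mod_authnz_ldap and mod_ldap, plus "AllowOverride AuthConfig"
# for this directory in the main server configuration.

AuthType Basic
AuthName "TWiki"
AuthBasicProvider ldap

# ldaps:// keeps the password encrypted between Apache and the directory.
# The search looks under ou=people for the entry whose uid is the login name.
AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"

# Basic auth resends the LDAP password with every request, so serve
# bin/ over HTTPS only.

# view and the other read-only scripts stay public: no Require names them.
# The scripts that change content need a member of the LDAP group.
#
# There is deliberately no <Limit GET POST PUT> around the rule. A rule
# inside <Limit> applies only to the methods it lists, so a request made
# with any other method would not be checked at all.
<FilesMatch "^(edit|preview|save|attach|upload)$">
    Require ldap-group cn=mygroup,ou=groups,dc=example,dc=com
</FilesMatch>
```

Web-level restrictions for the sensitive internal topics are a separate control; this file only decides who must log in before a script runs.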
I've been using TWiki as a PIM; it's amazing what a couple of self imposed rules for names and a list of keywords can do. My intranet is a single user site. It's a measure of the flexibility of wikis (and TWiki in particular) that it can be adapted for this kind of use.
I'd be interested in knowing what kinds of site-imposed constraints are out there: what rules do you use to make TWiki be what you want, without recoding the scripts?
- 04 Jun 2000
We're going to move over to TWiki from an in-house simple Java Wiki. However, I'm unsure what to do about login. At present, we have no logins, anyone can edit. However, it seems a shame to do that in TWiki as you won't know who's made changes and can't do user customisation. Ways I can go:
- User/password, including registration - I don't think people will like that very much
- Connect up to our LDAP system - likely to be a pain as we don't have Apache connectivity at present
- Ignore user names
(The only login people do is to their NT system, this information is available from MS IE by NTLM, but we've had enough trouble using that from IIS, so there's no way I'll want to do it for Apache/Solaris).
- 14 Dec 2000
You probably still need the one time registration in TWiki, this is to have a home page for each user. At work we use TWiki registration (without password) and authentication based on the company wide Unix account.
Regarding your authentication, anything that identifies users is OK; e.g. all TWiki needs is the environment variable, which is set when you enable basic authentication or SSL. The most flexible authentication for users is to use your NT domain accounts. Not sure how easy it is to accomplish that on your Apache/Solaris system.
- 15 Dec 2000
Thanks for your thoughts. To work with the NT login you need to use NTLM, which is only really supported for IE. That's not too bad; the real killer is that most proxies are set (for good security reasons) not to pass on NTLM. So not a good solution in a big company with lots of proxies managed by different people. I think the best solution has to be to use SSL and connect up to our LDAP server. Unfortunately, this is not yet done for Apache or Perl, and I must at least do Apache; the advantage of doing the Perl part too is I can get various user information from the LDAP directory, including email address. So a fair bit of work to do before I can move from the current (Internet) username/password approach.
- 16 Dec 2000
I'm attempting to do the same thing. My approach is from the x.509 certificate side, since I have to unify NT Domain users on one side, and Kerberos users on the other. (All this to avoid introducing yet another authentication scheme in TWiki to maintain and have people remember.) Netscape's Enterprise Server (& iPlanet) support user authentication with x.509, but I haven't been able to find it for Apache yet.
My assumption is that TWiki will handle any authentication that is passed to it via the system name and web server authentication scheme; is this correct?
- 16 Jan 2001
TWiki handles any authentication scheme you throw at the web server, works as long as the TWiki scripts get the user name set in the environment variable for the scripts you want to have authenticated, typically edit, preview, save, attach and upload.
BTW, TWiki translates your existing user login names (i.e. bsmith) to the TWiki user names (i.e. BillSmith) based on the TWikiUsers topic; that topic gets updated when users register in TWiki.
- 19 Jan 2001
Any good pointers on how to do SSL authentication with Apache? I know this might be considered off-topic on the TWiki. Also, is there a good way to set up multiple authentication methods for different webs within TWiki? Like having no authentication for Main, but SSL for a "private" web?
- 20 Jan 2002
What is the easiest way to map between a certificate such as "/CN=Joe User/Emailfirstname.lastname@example.org" and the username that should wind up in REMOTE_USER? Do I need to wind up using mod_rewrite to reparse things or is there a better way?
Also, can I avoid using +FakeBasicAuth altogether and have REMOTE_USER set somehow?
- 01 Jul 2002
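An added example, not from the thread: mod_ssl's `SSLUserName` directive copies one field of the verified client certificate into REMOTE_USER, without +FakeBasicAuth or mod_rewrite. Apache 2.4, the file paths and the choice of the CN field are assumptions; with the certificate quoted above REMOTE_USER would be "Joe User", which still has to match the login name TWiki looks up in TWikiUsers.

```apache
# Virtual host for the wiki (added example; all file paths are placeholders)
SSLEngine on
SSLCertificateFile    "/etc/ssl/twiki/server.crt"
SSLCertificateKeyFile "/etc/ssl/twiki/server.key"

# Ask for a client certificate during the handshake but do not demand one,
# so the read-only scripts still work without it. Only certificates issued
# directly by the CA in this file verify (depth 1).
SSLCACertificateFile "/etc/ssl/twiki/client-ca.pem"
SSLVerifyClient optional
SSLVerifyDepth  1

# Copy one field of the verified subject into REMOTE_USER.
# Use a field the CA guarantees to be unique per person: two people with
# the same CN would otherwise share one wiki identity.
# SSL_CLIENT_S_DN_Email is the other field present in the certificate
# quoted in the question.
SSLUserName SSL_CLIENT_S_DN_CN

<Directory "/var/www/twiki/bin">
    # The scripts that change content reject any request that did not
    # present a certificate that verified against the CA above.
    <FilesMatch "^(edit|preview|save|attach|upload)$">
        Require ssl-verify-client
    </FilesMatch>
</Directory>
```

`Require ssl-verify-client` only has an effect together with `SSLVerifyClient optional`; it is what turns the optional certificate into a requirement for the listed scripts.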
This page should not really be in Main - best to ask any questions initially in the Support web, as very few people monitor Main for changes due to the constant influx of new users.
For some pointers on authentication, see ForgettingPasswords, and do some searching on suitable keywords - at least one TWiki installation uses certificates to authenticate all users, and others have got NTLM authentication working (see WindowsInstallCookbook, near the end).
- 02 Jul 2002
- I have added your htaccess changes to the CairoRelease
- 27 Apr 2004