
Question

How can I pass the Windows login to Twiki?

  • TWiki version: 01 FEB 2003
  • Perl version: 5.8.0-1 (Cygwin)
  • Web server & version: Apache/1.3.27
  • Server OS: Windows 2000
  • Web browser & version: IE 6.0
  • Client OS: Windows 2000

I really hate to bother everyone, but I've spent a lot of time trying to resolve this issue, and found lots here to help, but I'm still struggling. Here is what I'm trying to resolve:

I am currently running Twiki in a "test" environment on my own PC; however, I want to eventually move this to an intranet installation for our group to have access to. In my "test" environment, I log onto Windows using my domain login. What I would like to do is then have this login "mapped" to a Twiki user, so that when I go to edit a Twiki topic, my Twiki user name appears without having to enter a username/password again.

What happens now is that when I select "edit" on a topic, I am given a window where I must enter my domain login and password (this part works as described in TWikiInstallationGuide). After entering my login, I am then recognized in the "edit pages" as Main.wikiname. There is a small comment in NoIntranetUserLogon that is my exact situation. However from the comment in NoIntranetUserLogon, I think it should work without asking to enter the domain login and password.

Here are some things I have done and observations made (including searching the entire Twiki.org site):

a) I have installed mod_ntlm according to WindowsInstallModNTLM (the result is what I have described above)

b) I have also tried mod_auth_ntsec which I found at CygwinAuthentication. After making the appropriate change in httpd.conf, I could not get Apache to start. So I had to abandon this.

c) I ran across a discussion of mod_auth_sspi in WindowsInstallModNTLM. When I tried using it, I found that again I could not get Apache to start. DavidKosa claims to be using it with Apache 1.3.24 (at least according to TWikiOnWindowsKnownConfigurations) but I don't see how because according to http://www.syneapps.com/software/mod_auth_sspi/ it requires Apache 2.0.

Any ideas? The thing I would like to do is not have to ask people to enter their domain password again.

-- WilliamHolly - 7 April 2003

I can see you've read most of my fumbling around in the dark already, but I'll summarise my experiences to date for clarity:

  • mod_auth_ntsec (apache-cygwin): I couldn't make it work, maybe because I am in a multi-domained environment
  • pam_winbind (apache-linux): works, is extremely slow, prompts for NT password
  • mod_ntlm (apache-cygwin): works, is very slow
  • mod_sspi (apache2-cygwin): works, slowly, is transparent for IE users only. UPDATE: it should be transparent for Mozilla 1.4+ too now!
  • pam_smb (apache-linux): works with existing NT password, but prompts for password
  • ldap (apache-linux): still attempting to understand how to set it up

Please note that I am no expert. I'm fumbling my way through this. Just because I can't make it work doesn't mean that it won't. In summary, if twiki is going to be deployed on a windows server, and you are not a stubborn mule who must use open source software wherever possible, your best bet is to use CookbookWindowsIISSetup. I expect that sooner or later a truly transparent method will be found. It will require a developer to bring all the pieces together.

UPDATE:

  1. the attached file .htaccess.txt is not accessible because dot filenames are restricted by twiki.org. Rename it to htaccess.txt (or whatever) and upload it again if you want people to be able to look at it. This should probably be considered a bug.
  2. on your server to have .htaccess.txt actually have an effect it must be renamed to .htaccess (no extension)

(moved Peter's comment above the Answer heading because although it provides a useful viewpoint it doesn't answer the question asked)

-- MattWilkie - 08 Apr 2003

I was thinking hard about how to con Twiki into using the Windows login somehow, and decided not to. We use Twiki also as a web-based help system. Having my own independent password allows me to log into our Twiki from any computer (from home, or even when on a customer site where I do not have any account at all), and edit help pages to elaborate on any questions.

I know it's a pain and users keep ForgettingPasswords, but on your desktop PC you can set "Remember my password", and on other PCs - you'll learn it eventually. wink

You'll lose significant flexibility, IMHO. Good luck!

-- PeterMasiar - 08 Apr 2003

I've not used native windows password stuff, so I can't help on that front but should you decide to take Peter's advice you'd probably find the patch to ResetPassword really helpful. HOH. M.

-- MartinCleaver - 08 Apr 2003

I thought I'd drop a note in here regarding Windows authentication.

I've got Twiki running on a Linux system, that uses our Windows PDC for authentication. It works great.

Overall authentication with Apache is forwarded to PAM using the Auth_PAM module. Here is a sample from httpd.conf:

<Directory "/home/twiki/bin">
    AllowOverride None
    AuthPAM_Enabled on
    AuthName "Documentation Center"
    AuthType Basic
    Require valid-user
    SSLRequireSSL
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

Next, I've added an SMB module to PAM (pam_smb_auth.so) and changed the /etc/pam.d/httpd entry to:

auth       sufficient   /lib/security/pam_smb_auth.so nolocal debug
account    optional   /lib/security/pam_permit.so

Lastly, the PAM SMB module requires a config file (/etc/pam_smb.conf) with the domain on the first line, and the IP of the PDC on the following line.

Again, this works great for me in a mixed OS environment. I know it doesn't specifically answer your question regarding Windows authentication under Windows, but perhaps it will be useful to others looking for a means to integrate into a Windows environment.

-- RussellAdams - 09 Apr 2003

Russell, thank you for outlining this approach. I've added it to TransparentAuthentication. Feel free to update/correct.

-- MattWilkie - 10 Apr 2003

Answer

Thanks for the info above. I have found the source of my problem and wanted to record it here should anyone be sent to this topic in a search.

When I did another installation on Windows NT, I tried using Cygwin Perl version 5.6.1-2 rather than 5.8.0-1. When I changed to use the 5.6.1-2 version, mod_ntlm authenticated users without asking for a password again. In addition I found that the older version of Perl resolved a problem of being unable to load attachments.

In general I think people should not use Perl 5.8.0-1, at least with Windows NT or 2000. There are some comments in several places to this effect on this site, but I think it should be made explicit, possibly in the WindowsInstallCookbook.

WilliamHolly - 06 May 2003

Thanks for updating the topic, very useful to know that you got this working. Re 5.8.0, I put in some warnings in bold not to use this in WindowsInstallCookbook quite recently - have a look and let me know any comments. IssuesWithPerl5dot8 has some other known problems including a new solution to the upload attachment problem that allows 5.8 to be used.

-- RichardDonkin - 06 May 2003

mod_auth_sspi binary for apache2.0.46

Since mod_auth_sspi no longer has binaries available for the latest apache versions, I have compiled one against apache 2.0.46 for those without access to MSVC; it can be found at http://www.firepages.org/public/mod_auth_sspi-apache2046.zip

-- SimonWheeler - 22 June 2003

An update on that: you can get the binaries at http://www.gknw.at/development/apache/httpd-2.2/win32/modules/ (obviously go up a couple of directories if you aren't on win32).

I have more comments on that at TWiki:Codev.WindowsInstallModNTLM#mod_auth_sspi_Apache_2_0, and some implementation tips at TWiki:Codev.WindowsInstallCookbookComments.

-- SeanCMorgan - 12 Mar 2008

mod_auth_sspi binary with basic authentication bug fix.

There is a bug in mod_auth_sspi that breaks basic authentication. I have created the following patch:

Index: trunk/src/interface.c
===================================================================
--- trunk/src/interface.c       (revision 7)
+++ trunk/src/interface.c       (revision 8)
@@ -238,14 +238,38 @@
 {
     char *decoded;

-    *decodelength = apr_base64_decode_len(data);
-    decoded = apr_palloc(p, *decodelength);
+    /* -VB- 04/15/2003
+       Bug fix.  Old code calculated length of the decoded string incorrectly, because
+       apr_base64_decode_len seems to be designed to estimate memory necessary for a decoding
+       buffer and so over estimates the needed size. The proof is the last line of apr_base64_decode_len
+       "return nbytesdecoded + 1;" which means we always get the extra byte at the end.
+
+       This explains why SSPI token authentication worked while basic authentication was extremely flaky.
+
+       The code would work fine for SSPI token authentications because those tokens usually have
+       either predetermined sizes or length is specified inside the token itself.  However, for
+       basic authentication the string of the form "username:password" would end up looking
+       "username:password{up to 3 bytes of random data}". If the first character happened to be '\0'
+       everything worked fine and would fail otherwise, as the password would not be correct.
+    */
+
+
+    // -VB- 04/15/2003
+    // Initialize value, just in case
+    *decodelength = 0;
+
+    // -VB- 04/15/2003
+    // Make sure to allocate enough memory plus a byte for terminating '\0'
+    // Don't rely on apr_base64_decode_len to allocate that extra byte since
+    // nowhere in documentation is guaranties that.
+    decoded = apr_palloc(p, apr_base64_decode_len(data) + 1);

     if (decoded != NULL) {
-        if (apr_base64_decode_binary(decoded, data) > 0) {
-            decoded[(*decodelength) - 1] = '\0';
-            return decoded;
-        }
+        // -VB- 04/15/2003
+        // Now save the read decoded size and add a terminating 0
+        *decodelength = apr_base64_decode_binary(decoded, data);
+        decoded[(*decodelength)] = '\0';
+        return decoded;
     }

     return NULL;
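Review bot: the rewritten tail of the hunk drops the `> 0` guard the old code placed around apr_base64_decode_binary, so an empty or entirely non-base64 `data` now returns a zero-length string with `*decodelength == 0` instead of NULL; any caller that tests the return value for NULL to reject a malformed Authorization header will now accept it, so either restore the guard (for example `if (*decodelength > 0) return decoded;` ahead of the final `return NULL;`) or make sure the callers check `*decodelength`. The terminator placement `decoded[(*decodelength)] = '\0'` is fine given the `+ 1` in the allocation above it. Two smaller points: the hunk mixes `/* */` and `//` comments in a .c file (strict C89 builds reject `//`), and the dated `-VB-` narrative would read better as one short comment, with the explanation of why apr_base64_decode_len over-estimates kept in the commit message.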

The precompiled binaries with the patch applied can be found at http://tortoisesvn.tigris.org/mod_auth_sspi.zip

-- VladimirBerezniker - 01 Nov 2004
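To make the failure mode described in the patch comment concrete, here is an added, stand-alone C example (not mod_auth_sspi's code, and not part of the original post). It models APR's apr_base64_decode_len and apr_base64_decode_binary with a local reimplementation of the same arithmetic (the estimate counts base64 characters up to the first '=' or NUL, rounds up to whole 4-character groups, and adds one spare byte; the binary decoder returns the real byte count), then contrasts the old terminator placement with the fixed one on a constructed Basic-auth token for "user:password". The function names, the malloc-based buffers standing in for apr_palloc, and the 0xAA fill standing in for uninitialized pool memory are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: this mirrors APR's pr2six table, where '=' and any other
 * non-alphabet byte map to a value above 63 and stop the scan. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return 64;
}

static size_t b64_prefix_len(const char *s)
{
    size_t n = 0;
    while (b64_value((unsigned char)s[n]) <= 63) n++;
    return n;
}

/* Model of apr_base64_decode_len: an upper bound, not the exact size.
 * Padding stops the scan, but the *3 rounding still credits a full group,
 * so padded input over-estimates by one or two bytes, plus the +1. */
int estimate_decode_len(const char *coded)
{
    size_t nprbytes = b64_prefix_len(coded);
    return (int)(((nprbytes + 3) / 4) * 3) + 1;
}

/* Model of apr_base64_decode_binary: writes the bytes and returns the
 * number actually decoded. */
int decode_binary(unsigned char *out, const char *coded)
{
    size_t nprbytes = b64_prefix_len(coded);
    const unsigned char *in = (const unsigned char *)coded;
    int n = (int)(((nprbytes + 3) / 4) * 3);
    while (nprbytes > 4) {
        *out++ = (unsigned char)(b64_value(in[0]) << 2 | b64_value(in[1]) >> 4);
        *out++ = (unsigned char)(b64_value(in[1]) << 4 | b64_value(in[2]) >> 2);
        *out++ = (unsigned char)(b64_value(in[2]) << 6 | b64_value(in[3]));
        in += 4;
        nprbytes -= 4;
    }
    if (nprbytes > 1) *out++ = (unsigned char)(b64_value(in[0]) << 2 | b64_value(in[1]) >> 4);
    if (nprbytes > 2) *out++ = (unsigned char)(b64_value(in[1]) << 4 | b64_value(in[2]) >> 2);
    if (nprbytes > 3) *out++ = (unsigned char)(b64_value(in[2]) << 6 | b64_value(in[3]));
    n -= (int)((4 - nprbytes) & 3);
    return n;
}

/* Old behaviour: terminate at (estimate - 1). Whatever the allocator left
 * between the real end of the data and that slot becomes part of the
 * "username:password" string. Caller frees the result. */
char *decode_old(const char *coded, int *decodelength)
{
    char *decoded;
    *decodelength = estimate_decode_len(coded);
    decoded = malloc((size_t)*decodelength);
    if (decoded == NULL) return NULL;
    memset(decoded, 0xAA, (size_t)*decodelength); /* stand-in for pool garbage */
    if (decode_binary((unsigned char *)decoded, coded) > 0) {
        decoded[*decodelength - 1] = '\0';
        return decoded;
    }
    free(decoded);
    return NULL;
}

/* Fixed behaviour: allocate estimate + 1 and terminate at the real length
 * reported by the decoder. Caller frees the result. */
char *decode_fixed(const char *coded, int *decodelength)
{
    size_t cap = (size_t)estimate_decode_len(coded) + 1;
    char *decoded;
    *decodelength = 0;
    decoded = malloc(cap);
    if (decoded == NULL) return NULL;
    memset(decoded, 0xAA, cap); /* same garbage; now it sits past the terminator */
    *decodelength = decode_binary((unsigned char *)decoded, coded);
    decoded[*decodelength] = '\0';
    return decoded;
}

int main(void)
{
    /* Constructed sample: base64 of "user:password" (13 bytes, two '=' pads). */
    const char *token = "dXNlcjpwYXNzd29yZA==";
    int n_old, n_new;
    char *old = decode_old(token, &n_old);
    char *fixed = decode_fixed(token, &n_new);
    printf("estimate=%d old strlen=%zu fixed len=%d fixed=\"%s\"\n",
           estimate_decode_len(token), strlen(old), n_new, fixed);
    free(old);
    free(fixed);
    return 0;
}
```

With the sample token the estimate is 16 while the real length is 13, so the old code hands the authenticator "user:password" followed by two garbage bytes; unpadded tokens (length a multiple of four with no '=') happen to decode to exactly the estimate minus one, which is why the problem looked intermittent rather than constant.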

mod_authnz_ldap with Ubuntu 7.10 and Apache2.2

I'm using Ubuntu 7.10 and the Apache2 module, mod_authnz_ldap - here is the config:
  • Enable the mod_authnz_ldap module
      $ sudo a2enmod authnz_ldap
      $ sudo /etc/init.d/apache2 restart
  • Add the authentication into twiki_httpd.conf - customise this to fit your LDAP / Active Directory setup:
      AuthBasicProvider ldap
      AuthType Basic
      AuthzLDAPAuthoritative off
      AuthLDAPURL "ldap://ldap.cybersoft.vn:389/OU=GCS Staff,DC=cybersoft,DC=vn?sAMAccountName?sub?(objectClass=user)" NONE
      AuthLDAPBindDN "myusername@CYBERSOFT.VN"
      AuthLDAPBindPassword mypassword

-- HieuLeTrung - 16 Mar 2008

mod_ntlm with Ubuntu 7.10 and Apache2.2

This part makes Apache authenticate a Windows user for TWiki access, using the NTLM protocol. See NtlmForSolaris10 for some detail on the compile and install step, this should also apply to Ubuntu, particularly the comment near the end about use on Debian, as this is close to Ubuntu.
  • Compile and Install the Apache2 module, mod_ntlm
    • Download mod_ntlm from http://modntlm.sourceforge.net/
    • Extract and run the make install command
    • You might need to fix the mod_ntlm to be compiled with Apache 2.2
      • mod_ntlm.c
          // apr_pool_sub_make(&sp,p,NULL);
          // Replace the apr_pool_sub_make with apr_pool_create_ex
          apr_pool_create_ex(&sp, p, NULL, NULL);
      • Makefile
          # install the shared object file into Apache
          install: all
              $(APXS) -i -a -n 'ntlm' mod_ntlm.la
  • Enable the mod_ntlm in Apache2, by putting the following into httpd.conf
      LoadModule ntlm_module /usr/lib/apache2/modules/mod_ntlm.so
  • Add the authentication into twiki_httpd.conf
      AuthType NTLM
      NTLMAuth on
      NTLMAuthoritative off
      NTLMDomain cybersoft.vn
      NTLMServer hue.cybersoft.vn
  • Restart Apache2 to take effect
      $ sudo /etc/init.d/apache2 restart

NOTE:

  • You need to set KeepAlive to On in order to make mod_ntlm work
  • If you are using SSL, you also need to remove the following line in the ssl.conf file
# SetEnvIf User-Agent ".*MSIE.*" \
#              nokeepalive ssl-unclean-shutdown \
#              downgrade-1.0 force-response-1.0

-- HieuLeTrung - 16 Mar 2008

Thanks for posting this - not an easy area to get right, so if your steps work for other people that would be great! Could you confirm which version of Ubuntu you are using, e.g. Gutsy 7.10?

I have included this in a new section of TWikiOnUbuntu.

-- RichardDonkin - 24 Mar 2008

Topic attachments

  • .htaccess.txt (r1, 1.8 K, 2003-03-13 21:02, WilliamHolly)
  • TWiki.cfg (r1, 21.3 K, 2003-03-13 19:07, WilliamHolly)
  • TestEnvOutput.txt (r1, 7.5 K, 2003-03-13 19:09, WilliamHolly)
Topic revision: r24 - 2008-06-29 - HieuLeTrung
 