
Question

I authorize Users against LDAP and this works fine on Dakar. On Cairo I used this hack (RecognisedButUnregisteredUsers) to force first time users to create a WikiUser. Is there any convenient way to do this in Dakar? Do I have to get my settings right in configure, or is there a plugin, or do I have to use that hack? And if so, where exactly do I place it in lib/TWiki.pm?

Environment

TWiki version: TWikiRelease04x00x00
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: SuSE Linux 9.3
Web server: Apache
Perl version: 5.8.3
Client OS:  
Web Browser: Mozilla FF
Categories: Htaccess, Registration, Authentication, Security, Authorisation

-- CedricWeber - 01 Mar 2006

Answer


The hack in RecognisedButUnregisteredUsers won't do in DakarRelease.

However, without even knowing that RecognisedButUnregisteredUsers exists, I ran into the same problem in Dakar, and have come up with RegistrationOnDemandHack for Dakar. This has been working for several beta versions of Dakar, but to be honest I haven't tried it on vanilla TWikiRelease04x00. I myself am using a version with even more hacks in it (if I authenticate against LDAP, then there's nothing wrong in pulling user data like first and last name from LDAP as well, is it?), and consolidating this into something which could be thrown upon TWikiRelease04x00 is on my roadmap.

If you're interested, I could give it a priority rise ;-)

-- HaraldJoerg - 01 Mar 2006

Seems to be a good feature for intranets. I'll have to look into this further. I don't want to bother users since their data should be in LDAP and a User-Page could be automatically generated on first TWiki login.

-- CedricWeber - 02 Mar 2006

Harald, a clean integration between LDAP and TWiki would be most welcome by many admins, that's for sure.

-- FranzJosefSilli - 02 Mar 2006

Harald, this is exactly what I need, priority++ pretty-please. I'm setting up this TWiki; I've got LDAP auth going no probs, and with the LDAP plugin the registration page auto-fills the wikiName name and email. Now I just need to make that work automatically on first login.

-- SimonHarrison - 09 Mar 2006

-- TWikiGuest - 25 May 2006

Nice feature to add. But also make sure that it is still possible in an LDAP environment NOT to force registration. Because I depend heavily on that. I have a local registered user base and a lot of casual users from other sites in our big corporation and they are all allowed to edit pages that are denied to no one else than TWikiGuest.

But it will be a nice feature for many TWikis to force non-registered users to register the first time they need authentication. Just make sure if anyone implements it that you can enable/disable such feature in configure.

-- KennethLavrsen - 26 May 2006

Yes, please make it so we can force LDAP-authenticated users to register.

-- AndrewBanks - 07 Jun 2006

Hmm, how un-democratic. Forcing users to do something they would probably do on their own anyway.

-- RobLeach - 13 Jun 2006

In authenticated intranets, if your users don't register, you might have signatures like Main.wghrstfg which aren't really helpful. But in these environments, "forcing" registration can be done almost automatically if the LDAP server allows to collect the interesting data (mail address, name, phone number) from the login name.

-- HaraldJoerg - 13 Jun 2006

Harald -- could you please supply examples of how to do exactly what you mention? We authenticate through LDAP at the Apache level simply due to our own local LDAP policies set forth by IT security. I would like to have anyone who needs to edit register to avoid the Main.wghrstfg you mention. -- Thanks.

-- DanaCarrington - 19 Jun 2006

If you are authenticating at Apache level it isn't really important which of Apache's authentication schemes you are using. Of course, mod_auth_ldap will do.

There are two alternatives how such a scenario can be used:

  1. Redirect people who are editing - attaching - whatever needs a "readable userid" - to the registration page. This is what is described in RegistrationOnDemandHack: A "login manager" detects the situation and does the redirection. However, due to a couple of code changes in TWiki, the attached file will no longer work in the upcoming release TWikiRelease04x00x03 :-( It will need some spare time of mine (or someone else) to fix, and perhaps to add some test routines to become a real "TWiki Contrib package".
  2. Especially in a LDAP environment there is the question whether you need registration at all. If it is only to get readable WikiNames, then maybe an easier approach is to use a LDAP query to map login names to something more friendly? For this second method, TWikiRelease04x00x03 will offer much better support than any of the previous releases. SvenDowideit is introducing "user mapping managers", which unfortunately are documented only in the code right now. In the developer mailing list CrawfordCurrie has announced the upcoming release of three "user mapping managers", but I don't know whether one of them is LDAP based. I'd expect the LDAP scenario to be a rather common one if authentication is done against Windows Domain Controllers: They usually can be queried by LDAP, and the login name is a suitable key (called sAMAccountName) for LDAP queries.

-- HaraldJoerg - 19 Jun 2006
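
The second alternative in the answer above (look the login name up in LDAP and derive a readable WikiName), sketched in Python as an added example; it is not code from this thread, from TWiki or from any of the plugins mentioned. Assumptions: the directory entry is already fetched and flattened to a dict of strings, the `givenName`/`sn` attributes and the `objectClass=user` clause fit an Active Directory style schema, and the WikiWord check is simplified. The login name is escaped per RFC 4515 before it goes into the search filter, since it comes from the web server's authentication layer.

```python
import re
import unicodedata

# RFC 4515 section 3: these characters must be escaped as \XX inside a filter value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a string so it can only ever be a literal inside an LDAP filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)

def login_filter(remote_user):
    """Build the lookup filter for a login name handed over by the web server."""
    # Assumption: logins may arrive as DOMAIN\user or user@domain; keep the account part.
    account = remote_user.rsplit("\\", 1)[-1].split("@", 1)[0]
    if not account:
        raise ValueError("empty login name")
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(account)

def _name_part(text):
    """Reduce one name attribute to capitalized ASCII words, joined without spaces."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    words = re.findall(r"[A-Za-z0-9]+", ascii_text)
    return "".join(w[0].upper() + w[1:].lower() for w in words)

def wiki_name(entry):
    """Derive a WikiName such as JaneDoe from givenName and sn, or return None."""
    first = _name_part(entry.get("givenName", ""))
    last = _name_part(entry.get("sn", ""))
    candidate = first + last
    # Simplified WikiWord check (assumption): upper, lower(s), upper, then alphanumerics.
    if first and last and re.fullmatch(r"[A-Z][a-z0-9]+[A-Z][A-Za-z0-9]*", candidate):
        return candidate
    return None  # caller falls back to registration or to the raw login name

# Constructed sample directory entries keyed by login name (not real data).
SAMPLE_ENTRIES = {
    "wghrstfg": {"givenName": "Jane", "sn": "Doe", "mail": "jane.doe@example.com"},
    "jcruz": {"givenName": "José", "sn": "de la Cruz"},
    "svc-backup": {"sn": "Backup"},  # no givenName: no usable WikiName
}

if __name__ == "__main__":
    for login, entry in SAMPLE_ENTRIES.items():
        print(login, login_filter(login), wiki_name(entry))
```

Entries that yield no valid WikiName return `None`, so the caller can still send those users to the registration page described in the first alternative.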

Harald, thank you for all the time you have put forth toward this issue, from your old RegistrationOnDemandHack to your support of the wandering lot of us now.

As you said, "Especially in a LDAP environment there is the question whether you need registration at all." Yes. We already have user pages. Linking to a TWiki-made user page, like AndrewBanks, would likely confuse our users: "What's this new page about me?" For those who began their intranet with TWiki, it works. But we want TWiki to become part of our (already patchwork) intranet transparently, seamlessly. TWiki registration, in our case, just gets in the way.

In our case, though, again, it would be nice if, as you said, there will be a way in TWikiRelease04x00x03 "to get readable WikiNames . . . to use a LDAP query to map login names to something more friendly."

-- AndrewBanks - 21 Jun 2006

Does anyone know if any more work has been done on this? I'm investigating using TWiki in our intranet environment but need LDAP authentication - and agree that it seems redundant to have both LDAP and TWiki registration?

-- JimPriest - 09 Mar 2007

Has anyone tried LdapContrib? I think this might be the answer all are looking for.

-- SibiJoseph - 20 Mar 2007

I would like to force registration for the simple reason that the system cannot correctly map our LDAP (via Apache) logon names (first.last@corpPLEASENOSPAM.com). The resulting name becomes (first/last@corp.com) which of course confuses things when editing. I have heard rumors of better name mappers, but have been unable to find a resolution to this problem. Implicit registration would be the best solution for us.

-- EricRoss - 04 Apr 2007

Have you tried using TWiki:Plugins/NewUserPlugin? The Plugin checks if a user-topic exists and generates it via LDAP in case it is not.

-- CedricWeber - 27 Jun 2007

See RequireRegistrationPlugin.

-- PeterThoeny - 28 Jul 2007

Topic revision: r20 - 2007-07-28 - PeterThoeny
 
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.