Tags:
create new tag
, view all tags

Question

How do you get the NewUserPlugin to render the LDAP user CN as the WikiName for the user page? Also, should this also add the name to the Users list. Once a User page is created can this name be added to TWiki Groups pages and work for authorization? (Currently the page crypticuid is rendered as user page name. I would like CommonName as WikiName.) I have LDAP Authentication working and NewUserPlugin generates a user page, but how do I use this for Authorization? Does not seem to work even with crypticuid. Thank you in advance for your help. (new to TWiki)

Environment

TWiki version: TWikiRelease04x00x04
TWiki plugins: LdapContrib 0.91, LdapNgPlugin 0.20, NewUserPlugin 0.11,
Server OS: Debian Linux, VMWare
Web server: Apache 2
Perl version: w/ Debian Linux, VMWare, TWiki 4.04 install
Client OS: Windows XP
Web Browser: Firefox
Categories: Permissions, Registration, Authorisation, Plugins

-- CharlesLogan - 09 Jan 2007

Answer

ALERT! If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.

Hi Charles, I think there's some misunderstanding on what's going on here.

First, the LdapContrib takes whatever LDAP attribute you give him to generate the WikiName for TWiki. Second, the User list, as can be seen in TWikiUsers, is not needed in an LDAP setup as this is only used by TWiki's default mechanism to register and keep track of WikiNames. In an LDAP setup all this information is stored in your LDAP directory and none in TWiki. You can generate a list of user accounts similar to the one in TWikiUsers by using the LdapNgPlugin. Third, once the system knows the WikiNames (via LDAP or the default mechanism does not matter) you can use these names to put them into groups. If you want to add LDAP users to TWikiGroups "automatically" you might want to store and administrate your groups in LDAP also. These can integrated into TWiki using the LdapContrib. See the docu there. Note, that til now the NewUserPlugin didn't play any relevant role here, and it should not. Its sole purpose is to create a user topic once it detects that a logged in user has none yet. That's all. If you don't want TWikiGroups stored in LDAP and just use the user accounts there in TWiki then there's no way to automatically add them to TWikiGroups, on whatever reasoning that should have happened anyway. In any case enabling LdapContrib's user mapping and optional group mapping will allow you to use those names in TWiki's access control. Oh, btw. did you enable TemplateLogin as your login manager? This is needed to authenticate using LDAP. Otherwise you have to resort to apache's LDAP modules for that.

-- MichaelDaum - 10 Jan 2007

I'm still not able to get things to work based on what I'm reading above. Let me see if I can lay out what I have that might be relevant...

In my apache2/conf.d directory, I have a config file, twiki, as such:

<Directory "/home/httpd/twiki">
  Options Includes Indexes ExecCGI
  AllowOverride None
  AuthName "Login (use CSL & CIP)"
  AuthType Basic
  AuthLDAPURL ldap://<my ldap url>:389/o=<my base>?uid?sub
  Order allow,deny
  Allow from all
  require valid-user
</Directory>

My LocalSite.cfg:

$TWiki::cfg{DataDir} = '/home/httpd/twiki/data';
$TWiki::cfg{Password} = '5pdjOxubks83w';
$TWiki::cfg{Site}{Lang} = 'en';
$TWiki::cfg{LocalesDir} = '/home/httpd/twiki/locale';
$TWiki::cfg{ScriptUrlPath} = '/twiki/bin';
$TWiki::cfg{DefaultUrlHost} = 'http://twiki-vm';
$TWiki::cfg{Site}{FullLang} = 'en-us';
$TWiki::cfg{PubUrlPath} = '/twiki/pub';
$TWiki::cfg{PubDir} = '/home/httpd/twiki/pub';
$TWiki::cfg{TemplateDir} = '/home/httpd/twiki/templates';
$TWiki::cfg{Site}{CharSet} = 'iso-8859-15';
$TWiki::cfg{Plugins}{WysiwygPlugin}{Enabled} = 1;
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{WikiNameRemoveWhiteSpace} = 1;
$TWiki::cfg{Plugins}{TWikiDrawPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{CalendarPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{HolidaylistPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{PloticusPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{SnmpCommandPlugin}{Enabled} = 0;
$TWiki::cfg{Plugins}{EasyTimelinePlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{DateTimePlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{FlowchartPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{GaugePlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{SmiliesPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{PreferencesPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{EmptyPlugin}{Enabled} = 0;
$TWiki::cfg{Plugins}{RenderListPlugin}{Enabled} = 0;
$TWiki::cfg{Plugins}{ContributorsPlugin}{Enabled} = 0;
$TWiki::cfg{Plugins}{LdapNgPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{ToolTipPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{WorkflowPlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{EmbedPlugin}{Enabled} = 0;
$TWiki::cfg{AntiSpam}{HideUserDetails} = 1;
$TWiki::cfg{MailProgram} = '/usr/sbin/sendmail -t -oi -oeq';
$TWiki::cfg{Plugins}{ActionTrackerPlugin}{Enabled} = 1;
$TWiki::cfg{AdminUserWikiName} = 'TWikiAdminGroup';
$TWiki::cfg{Register}{NeedVerification} = 1;
$TWiki::cfg{MinPasswordLength} = 5;
$TWiki::cfg{Register}{AllowLoginName} = 1;
$TWiki::cfg{AuthScripts} = 'attach,changes,configure,edit,manage,rename,save,upload,viewauth,rdiffauth,change';
$TWiki::cfg{SuperAdminGroup} = 'TWikiAdminGroup';
$TWiki::cfg{Plugins}{GluePlugin}{Enabled} = 1;
$TWiki::cfg{Plugins}{NewUserPlugin}{Enabled} = 1;
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::TWikiUserMapping';

# LDAP configuration file

# please include the contents of this file into lib/LocalSite.cfg and edit it
# to your needs

# ip address (or hostname) of the LDAP server
$TWiki::cfg{Ldap}{Host} = '<removed for this post>';

# port used when binding to the LDAP server
$TWiki::cfg{Ldap}{Port} = 389;

# ldap protocol version to use when querying the server; possible values: 2, 3
#$TWiki::cfg{Ldap}{Version} = '3';

# the base DN to use in searches
$TWiki::cfg{Ldap}{Base} = 'o=<removed for this post>';

# define the DN of the users tree
#$TWiki::cfg{Ldap}{BasePasswd} = '';

# define the DN of the groups tree
#$TWiki::cfg{Ldap}{BaseGroup} = '';

# define the user login name attribute
$TWiki::cfg{Ldap}{LoginAttribute} = 'uid';

# define the user's wiki name attribute
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';

# flag to remove whitespaces in wiki names that come from ldap
$TWiki::cfg{Ldap}{WikiNameRemoveWhiteSpace} = 1;

# filter to be used to find login accounts
#$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';

# define the group name
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';

# filter to be used to find groups 
#$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';

# flag indicating wether we fallback to TWikiGroups
#$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;

# define the attribute that should be used to collect group members
#$TWiki::cfg{Ldap}{MemberAttribute} = 'memberUid';

# flag indicating wether the member attribute of a group stores a DN
#$TWiki::cfg{Ldap}{MemberIndirection} = 0;

# the dn to use when binding to the LDAP server; if undefined anonymous binding
# will be used
#$TWiki::cfg{Ldap}{BindDN} = 'cn=proxyuser,dc=my,dc=domain,dc=com';

# the password used when binding to the LDAP server
#$TWiki::cfg{Ldap}{BindPassword} = 'secret';

# negotiate ssl when binding to the server; possible values: 0, 1
# TODO: not implemented yet
#$TWiki::cfg{Ldap}{SSL} = 0;

# refresh rate when the ldap cache is fetched from the LDAP server; 
# a value of -1 means unlimitted caching; 
# a value of 0 disables the cache; 
# default is -1
#$TWiki::cfg{Ldap}{MaxCacheHits} = -1;

# suppress ldap group mapping
$TWiki::cfg{Ldap}{MapGroups} = 0;
$TWiki::cfg{LoginManager} = 'TWiki::Client::ApacheLogin';
1;

All that happens so far is that I'm logged in with apache as uid which is not the same as my cn which is what I would like generated for WikiName.

When I run RenderLdapUser, I see all my info, so clearly the LDAP part is working. When I tried the TemplateLogin as manager, I can't ever authenticate using my uid, WikiName, or CN. (Prefer the apache login.)

What don't I have set up correctly?


You have to enable the LdapUserManager:

$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';
I am not sure why the TemplateLogin manager did not work out for you. Anyway, you can do a mixture of authentication using apache's means and then use the LdapUserMapping to create the WikiNames...

-- MichaelDaum - 11 Jan 2007


No change in result. I still get uid for WikiName.

Why does it state "Currently only TWikiUserMapping is implemented." on 4.0.4 configure page? (I have LdapUserMapping selected without effect.)

-- CharlesLogan - 11 Jan 2007

Concerning the Template Login, I thought that I needed to have apache "require valid-user" turned off at the server, so I turned it off which presented the template. This time I turned on the "require valid" and I logged in using apache, but now it just behaves as before with a prompt from apache, but it still shows user as uid instead of using the cn.

Now I disabled the "require valid-user" for apache and rebooted. This time the template login worked fine. Not sure why it did not work before. BUT, it still uses my uid instead of cn for WikiName.

Could the fact that my last name in the cn is all in upper case cause a problem? Why won't it map my cn to WikiName?

-- CharlesLogan - 11 Jan 2007

If I set PasswordManager = 'TWiki::Users::LdapUser' the template fails. It appears that the LdapContrib states that this needs to be set to resolve WikiName.

-- CharlesLogan - 11 Jan 2007


As far as I remember, in TWiki-4.0.4, you are not able to able to select LdapUserMapping from within configure. You have to edit lib/LocalSite.cfg and set the UserMappingManager variable as I described above. Make sure that the correct setting is in that file and don't rely on configure only, please. This issue has been fixed in TWiki-4.1 and the newest LdapContrib. Btw. which version of the LdapContrib do you use? You did not mention that before. In any case, use the latest available at twiki.org. Next, if you try to set up the TemplateLogin in compbination with the LdapContrib, switch off AllowLoginName and only use the LDAP settings to define which LDAP attribute is to be used for the login and which one for the WikiName. This is independent of the AllowLoginName setting.

-- MichaelDaum - 12 Jan 2007


I had noticed that LocalSite.cfg seems to overwrite the configure settings sometimes. So, I had made the UserMappingManager change in lib/LocalSite.cfg. It is 5 lines from end of the file now - no other re-setting in file. (Configure seems to move items to end of file when changed if not original form or some similar behavior.)

I had turned on AllowLoginName thinking that might help - bad choice - changing back. Its domain was not clear to me.

LdapContrib info
Version: v0.7
03 Nov 2006

Still can not authenticate using template. Will turn on require valid-user.

Version: v0.91, 12 Jan 2007 latest. I'll install.

-- CharlesLogan - 12 Jan 2007


Hmmm.. got a problem. The installer failed. Here is the web-based message.

Software error:

User Mapping Manager: Can't locate Unicode/MapUTF8.pm in @INC (@INC contains: /home/httpd/twiki/lib/CPAN/lib//arch/ /home/httpd/twiki/lib/CPAN/lib//5.8.4/i386-linux-thread-multi/ /home/httpd/twiki/lib/CPAN/lib//5.8.4/ /home/httpd/twiki/lib/CPAN/lib// /home/httpd/twiki/lib . /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /home/httpd/twiki/lib/TWiki/Users/LdapUserMapping.pm line 23, line 439. BEGIN failed--compilation aborted at /home/httpd/twiki/lib/TWiki/Users/LdapUserMapping.pm line 23, line 439. Compilation failed in require at (eval 19) line 2, line 439. BEGIN failed--compilation aborted at (eval 19) line 2, line 439.

-- CharlesLogan - 12 Jan 2007

Yes, you need CPAN:Unicode::MapUTF8. All LDAP strings are UTF8 and your twiki might have an arbitrary other encoding. So things need to be converted.

-- MichaelDaum - 12 Jan 2007


Ok. LdapContrib v0.91 is installed and working. Condition unchanged from above. What should I look at next?

-- CharlesLogan - 12 Jan 2007

I've also tried setting debug to both 1 and -1 in lib/TWikiContrib/LdapContrib.pm. I've looked in data/debug.txt and see nothing reported by LDAP. I guess I need to uncomment debug statements...

I still don't know why ldap is not mapping.

-- CharlesLogan - 12 Jan 2007


I've now upgraded to TWiki 4.1 and installed the latest versions of LdapContrib (0.91), LdapNgPlugin (0.20), and NewUserPlugin (0.11). Same issue still exists. My uid (shortname/login name) does not map CN as wikiname.

Where should I look in LdapUserMapping.pm or elsewhere? How do I use the debugging?

-- CharlesLogan - 22 Jan 2007

I am also having issues with getting my wikiName to be displayed (as opposed to my loginName) with TWiki 4.1 and LdapContrib .91. Does the UserMappingManager need to be set to 'TWiki::Users::LdapUserMapping' for the wikiName to be different from the loginName?

-- AndrewErickson - 26 Jan 2007

Closing after more than 30 days. Please reopen with more details if needed...

-- PeterThoeny - 02 Mar 2007

Change status to:
Edit | Attach | Watch | Print version | History: r13 < r12 < r11 < r10 < r9 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r13 - 2007-03-02 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.