TWiki LDAP Registration (need LdapPlugin)

THIS TOPIC FORM SHOULD NOT BE USED TO REGISTER TO twiki.org

For discussion only !

Welcome new TWiki user,

this seems to be the first time I meet you. To be more friendly, I would prefer you to use a WikiName rather your LDAP login name.

Simply click on REGISTER button when these values are ok for you :

Your full name (first & last name) : Your WikiName : Your LDAP alias (TWiki login name) : Your Email address :

Submitting the form will automatically:

• Create an account for you, so that you can start editing pages using your WikiName.
• Create your personal TWiki topic using your WikiName as topic name, and add the data you submitted to the topic.
• Add your name to the list of users in the TWikiUsers topic in the Main web.
• Send you a confirmation of your registration by email.

Once registered, you will still use your LDAP login name and password to use TWiki.

If you have any questions about registration, send an email to info@twiki.org.

Ok, the end is here, you can give your comments now :

This is version of TWikiRegistration TOPIC, based on Javascript to initialize form from LDAP values. Note that, if Javascript nor LDAP are available, it is the normal way to register.

An idea would be to re-add missing fields or simply merge the Javascript wich initialize the form, if the LdapPlugin is here and gives informations....

-- PatrickNomblot - 21 Jun 2003

added error free case Plugin is not installed, or no LDAP rcord is found (need enhanced LdapPlugin to be installed).

-- PatrickNomblot - 26 Jun 2003

I'd prefer to see this all done on the server so that it works with virtually any browser as with most other TWiki features - I can see why you've done this to work with LdapPlugin but another approach would be useful here. It would also be good to integrate with the work on abstracting away from the various Apache password file formats, i.e. to do a generic user registration and authentication framework for password files, LDAP, etc. See Google:twiki+htpasswd+sha1+md5

Re-classifying this as a FeatureHack since it would be hard to put this into the core given TWikiSystemRequirements.

-- RichardDonkin - 26 Jun 2003

Oh, richard -:( I'm afraid you don't have seen code the orginal TWikiRegistration TOPIC, did you ? The WikiName is set in Javascript too ! The main difference is that my version is more readable and that it initialize form with LDAP values if they exist (so is stay compatible, and yes, it is done in javascript) !

It seems that you do not really know what LDAP is, do you ? I will not tell you to google I say that because LDAP has really nothing to do with md5, crypt, etc..

LDAP is a Directory Server Database, widely used (in companies) which handle secure identification and store all informations about people as a directory does (name, adress, phone, photos, etc, etc, ... ). So, when you use LDAP, you really do not care about MD5, CRYPT, etc has it is APACHE web server + an LDAP plugin which does the user identification and there is no password file ! .

In conclusion, I hope you understand how this TOPIC can be usefull in case TWiki is installed with LDAP identification. In this case, it is really not a good idea to put users infos (address, phone, etc...) in TWiki when you have really much more powerfull LDAP server.

Ok, so the right place for this Topic could certainly be in LdapPlugin package.

Sorry for my bad english

-- PatrickNomblot - 26 Jun 2003

Actually I'm quite familiar with LDAP and have written some Perl code against it in the past, as part of evaluating it for use in a software product my company built. I was proposing a sort of pluggable user authentication (as in PAM, popularised by Red Hat and Sun) - LDAP's just one way of authenticating, but MD5 password files etc are important for non-LDAP users of Apache. The idea is that the administrator can choose to authenticate via password file (MD5, SHA1, etc) or via LDAP, or whatever. See ConfigurablePasswordFileHandling for the password file level of abstraction.

The original registration topic just sets the WikiName based on the first name and last name, as a user convenience - if JavaScript isn't working, it's not a big deal. I suppose the same is true of LDAP, though typing in a DN from scratch is a bit more painful if the LDAP code doesn't work.

-- RichardDonkin - 26 Jun 2003

John - if you are making changes to the RegisterCgiScript or anything in this area, can you please send me your changes so that I am aware and do not conflict.

-- MartinCleaver - 08 Oct 2004

Martin - I didn't have to modify the RegisterCgiScript because I am using Apache's auth_ldap module. I just force Apache to require valid-user for edit, diff, etc. This auths them against LDAP (eDirectory in our case). Since they don't have a WikiName until they register, it won't let them edit anything, and sends them to the registration page (which I attached below). This all seems to be working well, but they are changing requirements on me now, so I may have to do something differently anyway...

Here is the .htaccess: AuthLDAPURL ldap://ldap.snip.us/o=ORG?uid?sub?(objectClass=account) AuthName "eDirectory Login" AuthType Basic ErrorDocument 401 /twiki/bin/oops/Main/UserRegistration?template=oopsauth

-- JohnVanBoxtel - 12 Oct 2004

John, I must be missing something about how you set your TWiki up to force registration. With an .htacess file, I, too, force Apache to "require valid user" for edit, diff, etc, which "auths them against LDAP." But if the user does not have a WikiName, it still lets them edit. Their signature is just their LDAP username instead of a WikiName.

So, how do you force an LDAP-authenticated user to register?

-- AndrewBanks - 07 Jun 2006