Question

I am using twiki with ldap authentication. My boss would like it if users would NOT have to register manually. While ldap allows the users to view the pages, they cannot edit anything. I've searched the twiki docs and site and the net for any ideas to 'auto-register' users, creating wikinames via data in ldap. I've seen some similar discussions but none that describe how to do what I want to do. I can't quite figure out how or even when or where to do that or if it is even possible. To repeat, we do not want the users to have to go through registration. I do plan to have TWikiGroups so I can control topic access. I would prefer not to use BulkRegistration because it would require verification and that's something we want to avoid. We want to keep it as simple as possible for the users who are/will be using this web. Am I asking for the impossible?

Environment

TWiki version: TWikiRelease04x00x02
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: linux
Web server: apache
Perl version: ??
Client OS: MS Windows XP
Web Browser: IE or Firefox
Categories: Permissions, Registration, Authentication, Authorisation

-- ChristineHowell - 19 Jul 2006

Answer

You are not asking for the impossible. I know that, because I run automatic registration at my site, horribly hacked into TWiki, ignoring any notion of "guaranteed API".

Part of what you want to do should be described in RegistrationOnDemandHack, which has been reported to work until 4.0.2, but unfortunately breaks in recent versions. The hack doesn't do fully automatic registration, it just redirects a modified registration page (in which you could populate the fields with LdapPlugin).

The main task with fully automatic registration as an official TWiki contrib is the number of configuration variables you need to get the LDAP working (LDAP server name, maybe even user/password to authenticate the query, LDAP base, filter, which fields to be used....).

I hope to get some free minutes to work on that in August, so don't hold your breath... (but feel free to add yourself to the "interested parties" section in RegistrationOnDemandHack)

-- HaraldJoerg - 19 Jul 2006

If Christine's organisation needed it sooner, would you be available for a quick contract on this?

-- MartinCleaver - 19 Jul 2006

I cannot seem to gunzip/untar the RegistrationOnDemandHack.gz.tar file in the RegistrationOnDemandHack topic. I wanted to look at the file/code to see what Harald did and what I could do.

-- ChristineHowell - 19 Jul 2006

Here's what I am thinking...when a user logs on to the twiki site, he/she will be authenticated via ldap. If they have 'passed muster', then I would like to do the following steps (via a script?):

  1. Extract their WikiName from LDAP
  2. Look to see if they don't already exist in TWikiUsers
  3. 'Register' them if they aren't TWikiUsers yet, using info from LDAP db
  4. Put them into the appropriate TWikiGroups based on the LDAP group they are in.

I'm stuck as to where I can start this process code wise...

-- ChristineHowell - 19 Jul 2006

Sorry, Christine - Currently twiki.org seems to have difficulties to serve gzip'ped files, they always end up doubly gzip'ped. A workaround is to save the file as RegistrationOnDemandHack.tgz.gz, running gunzip to get RegistrationOnDemandHack.tgz, and then tar -xzvf RegistrationOnDemandHack.tgz. Sorry for the inconvenience.

The description of what you are thinking is almost how it should work. Most welcome, at this point in time, is that MichaelDaum has published LdapContrib which has solved most of the configuration problems I mentioned above. This looks really promising and should make hooking an auto-registration into RegistrationOnDemandHack much easier. However, I have no clear idea how to map an LDAP group to a TWiki group. TWiki groups, per convention, end in "Group", which is not a requirement for LDAP groups. It seems that LdapContrib holds enough code to completely replace TWiki's user/group mapping by LDAP (a change which has been enabled by 4.0.3). In that case, you would not have to bother with TWiki groups at all. However, I am not yet familiar with that, and it would not help in my own installation with regard to testing, because here LDAP and TWiki groups are not related to each other.

Stay tuned,

-- HaraldJoerg - 19 Jul 2006

I'm still trying to figure out how to do this. What I'd like to do, is, upon logging in, check to see if they are already registered. If not, use the ldap info to automatically register them. What I'm getting stuck at is where to call the code from and how. What should I write? A plugin? Add-on? Right now, I just want to register the users but just don't know when to make the call. Thanks.

-- ChristineHowell - 30 Aug 2006

I apologize for not having worked on that recently - real life can get in the way.

You should write a "Login Manager", put it into lib/TWiki/Client (alongside TemplateLogin.pm) and activate it in your configuration under $cfg{LoginManager}. In short, you need to define three routines in that module - I simply copy-paste from my untested dev area:


Number one: Tell TWiki that your users can authenticate
sub new {
    my( $class, $twiki ) = @_;
    my $this = bless( $class->SUPER::new($twiki), $class );
    $twiki->enterContext( 'can_login', 1 );
    return $this;
}

Number two: "cheat" by mapping authenticated, but unregistered users to TWikiGuest/guest:
sub getUser {
    my $this = shift;
    my $twiki = $this->{twiki};
    my $remote_user  =  $twiki->{remoteUser};
    # This is actually cheating:  If a user is registered then he should be
    # found by findUser.  Otherwise *pretend* we are logged in as guest
    # so that later on the session gets marked as "unauthenticated"
    # by our caller.
    my $user         =  $twiki->{users}->findUser($remote_user,undef,1)
                     || $twiki->{users}->findUser($TWiki::cfg{DefaultUserLogin});
    return $user->login();
}

Number three: Do the automatic registration when TWiki wants to do a login (that's why we had to map unregistered users to the "unauthenticated" guest account). I haven't done that part properly yet because I fail to set up an LDAP server on my dev machine....
sub forceAuthentication {
    my $this  = shift;
    my $twiki = $this->{twiki};

    if ($twiki->inContext( 'authenticated' )) {
        # We are already authenticated - can't authenticate *more*
        return undef;
    }
    # This is the "unfinished" part.  Here you need to perform
    # the steps which normally are done by =sub finish= in
    # =lib/TWiki/UI/Register.pm=: Create the user's home topic,
    # add to TWikiUsers.txt (if you want to use traditional user
    # Mapping), and so on.  Whereas =sub finish= pulls its data from
    # the registration form, you have to create and fire off a LDAP
    # query.
}

-- HaraldJoerg - 31 Aug 2006
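The following is an added example, not code from this thread, from TWiki or from LdapContrib: a Perl sketch of a Login Manager in the shape Harald describes, filling in the LDAP lookup that his forceAuthentication leaves open and covering the first three steps of Christine's plan (extract the name from LDAP, check whether the user is known, register if not). It assumes the CPAN module Net::LDAP (a real module; the calls used are its documented API), placeholder LDAP settings (ldap.example.com, the base DN), that the Login Manager inherits from TWiki::Client as TemplateLogin.pm does, and two TWiki 4.0.x internals that are not shown on the page and are marked as assumptions in the comments (findUser without the third argument creating the user, and addUserToTWikiUsersTopic). The "append Group" rule for step 4 is one possible convention following Harald's remark that TWiki group names end in "Group", not something the thread settled on. The one point worth noticing for security is that REMOTE_USER ends up inside an LDAP search filter, so it is escaped with escape_filter_value before the query is built.

```perl
package TWiki::Client::LdapAutoRegister;
use strict;
use warnings;
use Net::LDAP;                                   # CPAN module
use Net::LDAP::Util qw(escape_filter_value);     # CPAN module
use base 'TWiki::Client';   # assumed base class, as for TemplateLogin.pm

# Site-specific settings; these values are placeholders, not from the thread.
my %LDAP = (
    host  => 'ldap.example.com',
    base  => 'ou=Staff,dc=example,dc=com',
    attrs => [qw(uid givenName sn memberOf)],
);

# Routine one: tell TWiki that users can authenticate (as in Harald's sketch).
sub new {
    my ( $class, $twiki ) = @_;
    my $this = bless( $class->SUPER::new($twiki), $class );
    $twiki->enterContext( 'can_login', 1 );
    return $this;
}

# REMOTE_USER may be a bare login name or, with some Apache LDAP setups,
# a full DN such as "uid=jdoe,ou=Staff,...".  Reduce both to the uid.
sub loginFromRemoteUser {
    my $remote = shift;
    return undef unless defined $remote && length $remote;
    return $1 if $remote =~ /^\s*uid=([^,]+)/i;
    return $remote;
}

# Build a WikiName from name parts, e.g. ("Anne-Marie", "van der Berg")
# becomes "AnneMarieVanDerBerg"; anything that is not a letter or digit goes.
sub wikiNameFromParts {
    my @parts;
    for my $p (@_) {
        next unless defined $p && length $p;
        push @parts, split /[\s\-]+/, $p;
    }
    my $name = join '', map { ucfirst $_ } @parts;
    $name =~ s/[^A-Za-z0-9]//g;
    return $name;
}

# One possible convention for step 4: take the cn of an LDAP group DN and
# make it end in "Group", as TWiki group names do by convention.
sub twikiGroupFromDn {
    my $dn = shift;
    return undef unless defined $dn && $dn =~ /^\s*cn=([^,]+)/i;
    my $g = wikiNameFromParts($1);
    $g .= 'Group' unless $g =~ /Group$/;
    return $g;
}

# Look the login name up in LDAP.  The login is escaped before it is put
# into the filter, so a crafted REMOTE_USER cannot change the query.
sub ldapLookup {
    my $login = shift;
    my $ldap  = Net::LDAP->new( $LDAP{host} ) or return undef;
    my $mesg  = $ldap->bind;   # anonymous bind; pass a DN and password if required
    return undef if $mesg->code;
    $mesg = $ldap->search(
        base   => $LDAP{base},
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($login) . ')',
        attrs  => $LDAP{attrs},
    );
    $ldap->unbind;
    return undef if $mesg->code || $mesg->count != 1;   # unknown or ambiguous uid
    my $e = $mesg->entry(0);
    return {
        wikiName => wikiNameFromParts( $e->get_value('givenName'), $e->get_value('sn') ),
        groups   => [ grep { defined } map { twikiGroupFromDn($_) } $e->get_value('memberOf') ],
    };
}

# Routine two: known users are found by findUser; everybody else is guest.
sub getUser {
    my $this  = shift;
    my $twiki = $this->{twiki};
    my $login = loginFromRemoteUser( $twiki->{remoteUser} );
    my $user  = ( defined $login && $twiki->{users}->findUser( $login, undef, 1 ) )
             || $twiki->{users}->findUser( $TWiki::cfg{DefaultUserLogin} );
    return $user->login();
}

# Routine three: register an authenticated but unknown user from LDAP data.
sub forceAuthentication {
    my $this  = shift;
    my $twiki = $this->{twiki};
    return undef if $twiki->inContext('authenticated');   # nothing more to do

    my $login = loginFromRemoteUser( $twiki->{remoteUser} );
    return undef unless defined $login;
    my $info = ldapLookup($login) or return undef;        # not in LDAP: stay guest

    # Assumed TWiki 4.0.x internals (not shown on the page): findUser without
    # the third argument creates the user object, and addUserToTWikiUsersTopic
    # records it in Main.TWikiUsers.  The home topic and the group topics
    # (step 4; the mapped names are in $info->{groups}) are left to site policy.
    my $user = $twiki->{users}->findUser( $login, $info->{wikiName} );
    $twiki->{users}->addUserToTWikiUsersTopic( $user, $user );
    return undef;
}

1;
```

To try it, copy the module to lib/TWiki/Client/LdapAutoRegister.pm, set $TWiki::cfg{LoginManager} to 'TWiki::Client::LdapAutoRegister' and adjust %LDAP to the site's directory; the helper functions (loginFromRemoteUser, wikiNameFromParts, twikiGroupFromDn) can be exercised from a one-off script without a running TWiki.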

Is LDAP mandatory for you or would you be open to other suggestions? If your users are in a Windows environment then they can be authenticated by NTLM. By using this you can achieve two simultaneous goals:

  1. Your users do not need to login. Apache will already know their identity, i.e. users are not prompted for login.
  2. Your users will not need to register.

Of course you will still be able to create groups for authentication.

You do not need to hack Twiki to accomplish this, it's all in Apache.

In order to authenticate against NTLM you do not even need to put a password in your config files.

By using NTLM all you really do is pass the username into Twiki. LDAP of course has additional features as it is able to convey a lot of other information such as the user's long name, user groupings, permissions, etc. This was not needed in my case and then NTLM seemed a hell of a lot more simple... and I did not have to understand LDAP which seemed overwhelming to me.

Lots of good stuff on NTLM on TWiki.org. One of them by me, NtlmForSolaris10, which despite its name applies pretty well on Linux as well.

-- Lars Bruun-Hansen - 31 Aug 2006

Hi, I read posts here that NTLM is slow?

-- LarreDo - 06 Sep 2006

With regard to the slowness of NTLM, this is not something I have experienced. When you first open TWiki (the very first page you access) it takes approx. 15 sec for me, but then all pages after that are served as fast as without NTLM; at least I cannot tell the difference. It seems to me that the Apache mod_ntlm module somehow caches the information. I'm guessing that people who complain about the slowness of NTLM are on old 1.3 versions of Apache or have old Domain Controllers. My experience is from Apache 2.x.

-- LarsBruunxHansen - 06 Sep 2006

Hi, check out ChangeDefaultLoggedOnUserLink. I had an idea: what if you change the sidebar to instead say "create my user page"? You could then link that to a template which pulls in details from LDAP into a form. I haven't seen any other responses so I'm going to set this to answered.

-- LarreDo - 08 Sep 2006

Can I use JUST ldap for the twiki site and not require any kind of registration? If so, I haven't been able to determine how to set up twiki to allow users to edit pages with just ldap authentication/authorization. Can anyone help me out here please? I've gotten nowhere with writing my own Login Manager. TWiki is just too convoluted for someone like me.

-- ChristineHowell - 08 Dec 2006

You do not need to have TWiki user accounts in order to edit content. However, there is a drawback: Signatures do not point to homepages, they are just unlinked text, such as "-- Main.chowell" instead of a linked "-- ChristineHowell". Also people in TWiki groups will not link to user's homepages. So you are losing the networking effect linked homepages give.

If you want to use just LDAP you can do that either all on the Apache level (see LdapAuthenticationHowTo) or use the LdapContrib.

-- PeterThoeny - 08 Dec 2006

But if a user wants to EDIT a page, how do we avoid getting the message: invalid string argument 'uid=testperson,ou=Staff,dc=franklin,dc=edu' %USERNAME|S% ? It appears that this shows if the user is NOT officially registered.

-- ChristineHowell - 19 Dec 2006

Topic revision: r15 - 2006-12-19 - ChristineHowell