Question
I am new to twiki and not sure how I can use existing LDAP groups from our Novell eDirectory to restrict access control. Any guidelines will be very helpful.
Ali
Environment
--
AliBalandy - 10 Sep 2005
Answer
I would imagine that such a feature would need to somehow plug into Twiki's core authorization code - and I am not aware (nor have I seen) any plugin callback handlers that specifically deal with groups. The function checkAccessPermission( $type, $wikiName, $text, $topic, $web ) deals with user permissions and I suspect somewhere buried deep is a function that expands a group prior to invoking this function. Someone on the Codev team will likely have to elaborate but I see a lot of value in modularizing Twiki authorization. Note that Twiki already supports Authentication via LDAP by virtue of supporting Apache's ability to proxy for Twiki. It is the Authorization piece that is missing.
Perhaps one of the Dakar gurus would be willing to divulge whether or not Dakar has an improved Authorization model.
--
SteveRJones - 11 Sep 2005
Good info Steve.
1. Authentication: All that TWiki needs is the REMOTE_USER environment variable, which is set by Apache. For LDAP authentication use the auth_ldap module (make sure to compile the latest version 1.6). TWiki can map between login name ("jsmith") and WikiName ("JohnSmith"). TWikiUserAuthentication has more.
2. Authorization: TWiki does its own group handling based on group topics, see TWikiAccessControl. A simple LDAP integration would be to run a script from a cron job that creates/updates TWikiGroups topics based on LDAP data. This can be done totally outside of TWiki if you do not worry about audit trail (revision control) of group topics, e.g. you could simply create file twiki/data/Main/EngineeringGroup.txt. A cleaner solution is to create a Plugin or Add-on that does a proper topic update.
--
PeterThoeny - 13 Sep 2005
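A sketch of the cron-job approach Peter describes above, added here as an example and not code from this thread or from TWiki itself (Python rather than TWiki's Perl). The LDIF group export, the TWikiUsers mapping lines and the data-directory layout are constructed assumptions; the group topic it writes locks ALLOWTOPICCHANGE to the admin group so that membership can only change through the sync, not by anyone editing the topic.

```python
import re
from pathlib import Path

# Constructed sample: LDIF-style export of one eDirectory group (not real data).
SAMPLE_LDIF = """\
dn: cn=Engineering,ou=groups,o=example
cn: Engineering
member: cn=jsmith,ou=users,o=example
member: cn=jdoe,ou=users,o=example
member: cn=unknown,ou=users,o=example
"""

# Constructed sample of Main.TWikiUsers lines: "   * WikiName - login - date".
SAMPLE_TWIKIUSERS = """\
   * JohnSmith - jsmith - 10 Sep 2005
   * JaneDoe - jdoe - 11 Sep 2005
"""

def parse_members(ldif):
    """Return the login name (leading cn) of every 'member:' DN in the export."""
    return [m.group(1) for m in re.finditer(r"^member: cn=([^,]+),", ldif, re.M)]

def parse_user_map(twikiusers):
    """Map login name -> WikiName from TWikiUsers-style bullet lines."""
    pat = re.compile(r"^\s+\* (\w+) - (\S+) - ", re.M)
    return {login: wiki for wiki, login in pat.findall(twikiusers)}

def render_group_topic(ldif, twikiusers, admin="Main.TWikiAdminGroup"):
    """Render the group topic text; logins with no WikiName are reported, not added."""
    user_map = parse_user_map(twikiusers)
    wiki_names, unmapped = [], []
    for login in parse_members(ldif):
        if login in user_map:
            wiki_names.append(user_map[login])
        else:
            unmapped.append(login)   # never guess a WikiName: an unmapped login is skipped
    members = ", ".join("Main." + w for w in wiki_names)
    text = ("   * Set GROUP = " + members + "\n"
            "   * Set ALLOWTOPICCHANGE = " + admin + "\n")
    return text, unmapped

def write_group_topic(data_dir, group, ldif, twikiusers):
    """Write twiki/data/Main/<group>.txt (hypothetical layout) and return unmapped logins."""
    text, unmapped = render_group_topic(ldif, twikiusers)
    Path(data_dir, "Main", group + ".txt").write_text(text)
    return unmapped
```

Run it from cron against a real LDIF export and log the returned unmapped logins, since a silently dropped member is the usual way such a sync drifts from the directory.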
Peter, yes creating a timed import of LDAP groups can easily be done, however, doing so would not give one the transparency that I believe a lot of people would desire (including me!). We wouldn't want people digging/hacking through the code so it would be handy to provide an API that supported referrals to an authority other than the TWikiGroups topic. I'm not sure, though, how clean the group lookup code is. Once an API is provided writing an LDAP plugin would then be, I would imagine, easy.
Thoughts?
--
SteveRJones - 13 Sep 2005
I was referring to a simple solution with the existing code. Yes, a Plugin API to manipulate groups would be a better solution. You can add an enhancement request in the Codev web if you wish to discuss this.
--
PeterThoeny - 14 Sep 2005
Yes, I see your perspective - the question is really about what could be done right now. I'm not sure if the Ldap plugin can do something like this - perhaps it would be worth exploring.
Ali, it looks like this is a manual process right now. There are examples of LDAP querying tools (like an Ldap plugin) but nothing that will query for an LDAP group and import the members into TWiki.
--
SteveRJones - 19 Sep 2005
Has this become an automated process yet? The ability to assign ACLs by LDAP groups is a killer need for me.
--
ErnieOporto - 27 Jun 2007
What if you use LdapNg inside group topics to expand out the group list via LDAP? I'm thinking about doing that but my problem is that some of the groups are very large (as in 10,000 or more members). My simple-minded perusal of the access control code doesn't indicate that it is very pluggable for group stuff.
--
RobertWithrow - 17 Jul 2007