SID-02086: Disable SSO - mod_auth
| Status: | Answered |
| TWiki version: | 6.0.1 |
| Perl version: | 5.18.2 |
| Category: | CategoryAuthentication |
| Server OS: | Ubuntu 14.04.2 |
| Last update: | 10 years ago |
I am using mod_auth in apache2 to protect my TWiki, just with a single username/password.
I'd like people to still be required to register/login with their own TWiki accounts, but currently it's auto-logging them in as the user in my .htpasswd that apache is using.
As I've searched around I find plenty of pages talking about enabling single sign on, but I want to go the other way and turn it off so TWiki functions as though I didn't password protect the TWiki directory.
I tried using the plugin 'RequireRegistration', which automatically forwards them to the registration page as the mod_auth user doesn't have a TWiki account created, but I couldn't find a way to log out of the current mod_auth user to change to another user.
Thanks for any help or suggestions.
--
Gavin Kalms - 2015-07-14
Discussion and Answer
I'm not sure whether I understand exactly what you mean because I have no idea how "auto-logging them in" should work. If people are logged in without entering the single username/password, then there's no point in authentication at all - unless you are using an AuthBasicFake directive in your Apache configuration. I am also not sure whether you are using - or intending to use - TemplateLogin or whether you want to use ApacheLogin in your TWiki configuration. So here are just some basic hints about how Apache and TWiki authentications interact. You could also experiment with the different settings of ApacheConfigGenerator and inspect the configuration settings it suggests.
- If, for a certain directory, Apache fires off its own authentication mechanism (typically by require valid-user in its configuration), then from that point on browsers will continue to send the same authorization information for all subsequent requests to the same directory. The only ways to "log out" are to tell the browser to forget the password or to close the browser, but you can't do that from the server.
- You can, however, use different AuthName directives with different .htpasswd files for different sections of your web server.
- You cannot use TWiki's TemplateLogin to "override" a login username which has been negotiated between Apache and the user. This is not by law, but just the way TWiki works: If Apache provides a login name, then this login name is simply accepted.
- You can, however, delegate your authentication to Apache by using ApacheLogin in TWiki's configuration, so that instead of a single username/password every user has his own combination. TWiki and Apache should use the same .htpasswd file in their configurations, so that registration and password change work through TWiki, and you might need to enable AllowLoginName in TWiki's configuration if your Apache logins are different from TWiki's FirstnameLastname notation.
--
Harald Jörg - 2015-07-15
Thanks for your response, hopefully I can clarify some things below.
My intention is to use TemplateLogin; I wanted people to be able to Register and Login all by themselves, but the content of the TWiki not to be visible to the public, hence the AuthType Basic config in Apache.
My understanding is Apache's mod_auth sets REMOTE_USER; my assumption is that TWiki would maintain its own session and TWiki was trying to be smart by noticing the REMOTE_USER and converting it to its own.
If TWiki also uses the same REMOTE_USER var, then I understand nothing can be done and I will need to rethink my approach, probably as you suggest where TWiki and Apache share the .htpasswd file; the downside of this is I'll need to create people's accounts first so they can get past the Apache login.
--
Gavin Kalms - 2015-07-15
Ah, ok, I understand better now. I still don't know where the value for REMOTE_USER comes from. Is the single username/password sort of a "shared secret" between the designated user community?
The interesting question is: How do new users (who, by the definition of "new", don't have a TWiki account) get read access to the registration page, and execute access to bin/register?
There are two possible paths to explore.
- The TemplateLogin path: In TWiki's configuration, there's an "EXPERT" setting {AuthScripts}. If you add view and other scripts from the bin directory to this list, then TWiki's content is no longer visible to the public. TWiki.TWikiAccessControl#Restrict_Access_to_Whole_TWiki_S has a detailed recipe.
- The ApacheLogin path: If TWiki and Apache share the same .htpasswd file, then TWiki's usual registration process "just works", you don't have to create people's accounts. The web server user id needs write access to .htpasswd, of course!
The usual trick to allow self-service registration by new users is to copy TWikiRegistration as a static HTML page outside of TWiki directories, but served by Apache. If your single username is a shared secret, use Apache configuration to protect this page with these settings. Regarding creating people's accounts: If the list of users is known in advance, there's a tool to register all of them in one swoop: BulkRegistration.
--
Harald Jörg - 2015-07-15
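As an added example for the two answers above (it is not from this thread and not from the TWiki project), here is an Apache 2.4 configuration fragment for the ApacheLogin path: one Basic-auth realm over bin/ that uses the .htpasswd file TWiki also writes, the register script left reachable so people without an account can still create one, and a separately named realm with its own password file protecting the static copy of the registration form with the original single shared username/password. Directory paths, aliases, realm names and password file names are assumptions; adjust them to the real install.

```apache
# Added example (not from this thread or from the TWiki project).
# All paths, aliases, realm names and password file names are assumptions.

ScriptAlias /twiki/bin /var/www/twiki/bin
Alias /twiki-register /var/www/twiki-register

# The credentials file TWiki and Apache share lives in TWiki's data
# directory. TWiki's register and passwd scripts write to it, so the web
# server user (www-data on Ubuntu) needs write access, and the directory
# holding it must never be served to clients.
<Directory /var/www/twiki/data>
    Require all denied
</Directory>

<Directory /var/www/twiki/bin>
    Options +ExecCGI
    SetHandler cgi-script
    AllowOverride None

    # Every script in bin/, view included, requires a login, so the wiki
    # content is not public. Apache sets REMOTE_USER and TWiki's
    # ApacheLogin manager accepts that value as the login name.
    AuthType Basic
    AuthName "TWiki"
    AuthUserFile /var/www/twiki/data/.htpasswd
    Require valid-user

    # Exception: new users have no account yet, so the registration script
    # stays reachable. In Apache 2.4 the Require in the more specific
    # <Files> section replaces the one inherited from the <Directory>.
    <Files register>
        Require all granted
    </Files>
</Directory>

# Static copy of the TWikiRegistration form, served outside the TWiki tree
# and guarded by the original single shared username/password in its own
# realm. Because the AuthName differs from the "TWiki" realm, browsers
# treat it as a separate login and do not send the per-user TWiki
# credentials here (nor the shared secret to bin/).
<Directory /var/www/twiki-register>
    AuthType Basic
    AuthName "TWiki registration (shared secret)"
    AuthUserFile /etc/apache2/register.htpasswd
    Require valid-user
</Directory>
```

On the TWiki side this assumes ApacheLogin is selected as the login manager in configure, {Htpasswd}{FileName} points at the same /var/www/twiki/data/.htpasswd, and AllowLoginName is enabled if the Apache login names are not WikiNames. A quick check after restarting Apache: an unauthenticated request to /twiki/bin/view must be answered with 401, an unauthenticated request to /twiki/bin/register must not be, and a request for /twiki/data/.htpasswd (or any other path under data/) must be refused.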
Thanks for your help, I just decided to go down the road of getting Apache to handle it and TWiki to use the same .htpasswd file.
I found that any registered user can register new users, so it removes the workload from me after I create a few users (-:
Thanks again.
--
Gavin Kalms - 2015-07-16