Question
I've been trying to get TemplateLogin to work on my FreeBSD box for quite a while now. Up until recently any attempt to log in with TemplateLoginManager was answered with the "Unrecognized user and/or password". I tried to create several users, and when I turned off the {Register}{NeedVerification} variable I thought I had licked the problem.
But, alas, it wasn't so. When {Register}{NeedVerification} is turned off a newly registered user is automatically logged on, and CGI sessions containing the userid are created. But if I logged off a new user and tried to log on again I always got the "Unrecognized user and/or password" message from the TemplateLogin script.
When changing to ApacheAuth, login works perfectly.
So, in the last day or so I finally managed to get TemplateLoginManager to work. Kind of. Because when I change {Htpasswd}{Encoding} = Plain then TemplateLoginManager works.
Suddenly any new TWiki user created with plain passwords can log in/log out without any problems.
Previous users still have the same problem though.
But I'm still not happy with a solution where all the passwords inside ./htpasswd have to be saved as plaintext.
Personally I suspect a problem between Apache on FreeBSD and TemplateLoginManager, but I'm practically useless at reading code. If someone could answer a couple of questions I'd appreciate it.
Questions:
- Does TemplateLoginManager interact with Apache's authentication mechanisms? If so, why does plain encryption work but neither crypt, SHA1 nor MD5?
- If TemplateLoginManager doesn't interact with Apache's authentication, then again, why does plain encryption work when the other types of encryption don't?
About the site:
- The server runs FreeBSD and Apache 2.2.3+OpenSSL.
- The TWiki site is running on an SSL-enabled site, but I tested the wiki against an identical virtual host running without OpenSSL and the problem persisted.
- If I disable email confirmations then a newly created user is automatically logged in and can edit files. But if I hit the logout button or restart the web browser the authentication is lost and I can't log in again with that user, unless the user is created with plain password encryption.
- When I switch to ApacheLogin both registration and authentication work, so the issue is specific to TemplateLogin.
- CGI::Session is installed. I've confirmed that session files are created in /tmp.
- data/.htpasswd is writable and readable by the Apache CGI user. (At the moment I don't use the suexec wrapper.) I have confirmed that new TwikiUsers are added to the file.
- Apache config files were generated with ApacheGenerator and all paths used in ApacheGenerator were triple-checked.
- The TWiki/SettingFileAccessRightsLinuxUnix document has been read and implemented.
- See also the configure and apache.conf attachments.
- mod_perl is not implemented, to avoid complicating the issues.
Environment
--
HeikkiSoerum - 17 Aug 2006
Answer
One month passed, closing question as unanswered.
--
PeterThoeny - 01 Oct 2006
Update and reopening the question.
--
HeikkiSoerum - 11 Nov 2006
Your first paragraph reads to me as though there is a mismatch in how the passwords are hashed
there used to be such an issue on solaris
it sounds like twiki is working ok, but when it uses the MD5, etc cpan modules that it's failing to encrypt/decrypt
so i guess the first q is have you got those cpan modules installed and are they current
also: if you use templatelogin & md5 (or whatever is supposed to match your apache auth setup) to register a user
and then switch to apachelogin
is that user able to log in?
if so, then it's 'just' the pwd checking that's going badly, and thus we can add a few lines of code to debug
--
SvenDowideit - 13 Nov 2006
I've done some testing as you suggested. I manually checked all required CPAN modules with
perl -e 'use FileHandle; print $FileHandle::VERSION."\n"'
I was missing some p5 modules like Data::Dumper and IO::File but those dependencies have now been installed. (Thumbs up for FreeBSD ports!)
I then created some additional users with crypt() encoded passwords and changed the LoginManager to apachelogin. All users created in templatelogin with crypt passwords were capable of logging in with apachelogin.
I then created a couple of users with crypt passwords while using apachelogin and tested them on both apachelogin and templatelogin. Users created with crypt() encoding by apachelogin couldn't log in when using templatelogin.
So yes, it seems like there is a problem with the pwd checking.
--
HeikkiSoerum - 14 Nov 2006
Since the pwd checking uses standard perl mechanisms, and it works on all other platforms, I can only guess that either crypt is broken on FreeBSD, or there is some environment variable modifying its behaviour in some way. Suggest you write a short perl script that encodes and then decodes a password. Note that all the TWiki .htpasswd handling is in lib/TWiki/Users/HtPasswdUser.pm, which is a subclass of lib/TWiki/Users/Password.pm.
Closing unless there is more information, as this report has been inactive for over a month.
--
CrawfordCurrie - 16 Dec 2006
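
A script along the lines suggested in the reply above, as an added example that is not part of the original thread and not TWiki's own code: it hashes a constructed password with Perl's crypt() and in the {SHA} htpasswd format, verifies each by re-hashing, and can also check a hash field copied from data/.htpasswd. The function names, sample password and salt are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: round-trip check of the password encodings discussed in this thread.
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64);

# Name the scheme of a stored .htpasswd hash field from its prefix and length.
sub scheme {
    my ($stored) = @_;
    return 'sha1'      if $stored =~ /^\{SHA\}/;
    return 'apr1-md5'  if $stored =~ /^\$apr1\$/;  # Apache-specific, not handled by crypt(3)
    return 'crypt-ext' if $stored =~ /^\$/;        # $1$, $2a$, ... modular crypt formats
    return 'crypt-des' if length($stored) == 13;   # traditional two-character-salt crypt
    return 'plain-or-unknown';
}

# True if $candidate reproduces $stored under the detected scheme.
sub verify {
    my ($stored, $candidate) = @_;
    my $s = scheme($stored);
    if ($s eq 'sha1') {
        return $stored eq '{SHA}' . encode_base64(sha1($candidate), '');
    }
    if ($s eq 'crypt-des' || $s eq 'crypt-ext') {
        my $again = crypt($candidate, $stored);    # the stored hash doubles as the salt
        return defined $again && $again eq $stored;
    }
    return 0;    # apr1 and plain entries are out of scope for this check
}

my $password = 'Constructed-Pw1';    # constructed sample value
my $salt     = 'ab';                 # constructed two-character salt
my $des      = crypt($password, $salt);
my $sha      = '{SHA}' . encode_base64(sha1($password), '');

# A 13-character result is expected; anything else points at the platform's crypt().
printf "crypt() returned: %s (length %d)\n", $des // 'undef', length($des // '');
for my $stored (grep { defined } $des, $sha) {
    printf "%-16s right password: %-4s wrong password: %s\n", scheme($stored),
        verify($stored, $password)    ? 'ok'              : 'FAIL',
        verify($stored, 'not-the-pw') ? 'FAIL (accepted)' : 'rejected';
}

# Optional: hash field from a test account's .htpasswd line, then its password.
if (@ARGV == 2) {
    printf "%s entry: %s\n", scheme($ARGV[0]),
        verify($ARGV[0], $ARGV[1]) ? 'match' : 'NO MATCH';
}
```

Run it as the same user the CGI scripts run under so that it sees the same Perl and libc; use a throwaway test account for the optional arguments, since command-line arguments are visible in the process list.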