Question
We have been using TWiki for more than a year now as an Enterprise documentation platform for our system administrators to write, store, and update documentation. Because this is a tightly restricted audience, we have chosen to restrict access to the TWiki instance we have much more severely than appears to be normal.
Among other things, we are not using local passwords stored in a .htpassword file; instead, we've modified the .htaccess file in /var/www/twiki/bin/.htaccess to force Apache to handle the authentication step. The relevant lines from this .htaccess file are copied below:
AuthType Basic
AuthName "Carleton Documentation - Secure Auth Required"
AuthPAM_Enabled On
AuthGroupFile /var/www/twiki/data/.htgroup
Require group itsusers
This is a pretty basic setup, or so it seems. Authentication is done via a pam module loaded into Apache, which contacts our authoritative Radius password store over the network. A simple group file is used to restrict the valid username/password combinations that should have access to the wiki.
Furthermore, there appears to be a distinction between the username provided during the authentication step (with password) and the TWiki username that is checked when authorization to view or change a particular topic is evaluated. My wikiname, as listed in the top right of the TWiki page, is "main.dflynn", rather than just "dflynn" (my username, which I use to authenticate against Apache and the .htaccess file mentioned above). For this reason, in my group configurations, all users are identified as "Main.username", where 'username' alone is used to authenticate.
The problem we're having is that some users are unable to view some topics some of the time. For example, I cannot run the testenv script; I am prompted for authentication when I enter the appropriate URL (which makes sense, since testenv is in /twiki/bin, which is protected by the .htaccess file), but the authentication doesn't seem to work; I am simply re-prompted for my credentials and I am never allowed to see the topic I want (testenv). I can run it if I choose to remove or rename the .htaccess file that protects the /bin directory, but that's not a workable solution since that file provides the authentication step for users trying to use the Wiki. Looking through the Apache logs at the time of the failure yields the following error messages (or messages like them; the specific topic names do not seem to be relevant):
access to /twiki/bin/oops/Selfstudy/WebHome failed, reason: user dflynn not allowed access, referer: https://wiki.xxx.xxx.xxx/twiki/bin/save/Selfstudy/WebHome
I've looked around some in your documentation here and elsewhere on the web, and I don't know what's causing this error. The weird thing is that most topics seem to be fine; only a handful exhibit this behavior, and they do not seem to be related in any obvious way.
More peculiar still, I am part of the TWikiAdminGroup, which is configured in the /twiki/lib/twiki.cfg file to have superuser privileges; yet I still run into topics that I have neither view nor write access to.
I've tried a lot of stuff to troubleshoot this, and I'm still coming up empty. Any help is appreciated; if you need more information, please let me know and I will provide it.
Output from the testenv script is available by email upon request; but I would prefer not to post it publicly.
Environment
--
DaveFlynn - 18 Oct 2005
Answer
You need to tell TWiki to map from login name (e.g. dflynn) to WikiName (e.g. DaveFlynn). Use the registration form for intranet use (not asking for password, but asking for login name), and fix your TWikiUsers topic to include login name, such as:
* DaveFlynn - dflynn - 17 Apr 2005
See details in TWikiUserAuthentication
--
PeterThoeny - 20 Oct 2005
Peter,
Thanks for your help. Where do I find the intranet-use registration form? The two I found in /TWiki/data/TWiki were identical, and neither had a field for login name exclusive of password.
The registration form isn't a big deal if I can make the necessary changes myself. To map the login name to the WikiName properly, do I simply need to modify the TWikiUsers topic to something of the form:
* DaveFlynn - dflynn - date
For each user? That would be better for me than asking all of the users to re-register in a different way.
Thanks in advance,
~Dave
--
DaveFlynn - 20 Oct 2005
Please get the original TWikiRegistration topic from the zip file.
Correct, simply fix all the user entries in the TWikiUsers topic.
Make sure the $doMapUserToWikiName flag is set in TWiki.cfg.
--
PeterThoeny - 21 Oct 2005
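An added example, not part of the original thread and not TWiki's own code: a small audit that compares the logins Apache admits through the `itsusers` group with the login-to-WikiName entries in the TWikiUsers topic, so every account that still lacks a mapping can be fixed in one pass. It assumes the bullet format shown in the answer above (`* WikiName - login - date`), that entries without a login name read `* WikiName - date`, and the standard `group: user1 user2` layout for the AuthGroupFile; the sample users are constructed.

```python
import re

# Assumed TWikiUsers bullet formats: "* WikiName - login - date" (mapped)
# and "* WikiName - date" (no login name recorded).
ENTRY = re.compile(
    r"^\s*\*\s+(?P<wiki>[A-Z]\w*)\s+-\s+(?:(?P<login>\S+)\s+-\s+)?"
    r"(?P<date>\d{1,2} \w{3} \d{4})\s*$"
)

def parse_twiki_users(text):
    """Return ({login: WikiName}, [WikiNames that have no login name])."""
    mapped, unmapped = {}, []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headings, prose, malformed bullets
        if m.group("login"):
            mapped[m.group("login")] = m.group("wiki")
        else:
            unmapped.append(m.group("wiki"))
    return mapped, unmapped

def parse_htgroup(text, group):
    """Return the login names listed for one group in an AuthGroupFile."""
    for line in text.splitlines():
        name, _, members = line.partition(":")
        if name.strip() == group:
            return set(members.split())
    return set()

def audit(users_text, htgroup_text, group):
    """Compare who Apache lets in with who TWiki can map to a WikiName."""
    mapped, unmapped = parse_twiki_users(users_text)
    logins = parse_htgroup(htgroup_text, group)
    return {
        "login_without_mapping": sorted(logins - set(mapped)),
        "mapped_but_not_in_group": sorted(set(mapped) - logins),
        "wikiname_without_login": sorted(unmapped),
    }

# Constructed sample data; on a real server, pass in the TWikiUsers topic
# text and the contents of the .htgroup file instead.
SAMPLE_USERS = """
   * DaveFlynn - dflynn - 17 Apr 2005
   * JaneRoe - 02 May 2005
   * SamPoe - spoe - 11 Jun 2005
"""
SAMPLE_HTGROUP = "itsusers: dflynn jroe\n"

if __name__ == "__main__":
    print(audit(SAMPLE_USERS, SAMPLE_HTGROUP, "itsusers"))
```

Logins reported under `login_without_mapping` can authenticate to Apache but have no WikiName for TWiki to evaluate topic permissions against, which is the condition the answer above tells you to fix.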