• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item5480: TWiki::LoginManager::ApacheLogin doesn't work correctly with auth_kerb Apache module

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Normal New SvenDowideit n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

When TWiki release 4.2 is used with TWiki::LoginManager::ApacheLogin and Apache is configure to Kerberos authentication (auth_kerb module) the Apache gives the logged in REMOTEUSER in the format of ' username@realm'. TWiki expects the REMOTEUSER being in the format of 'username'. There seems to be no configuration options to set this correctly.

Workaround is to patch the lib/TWiki/Users.pm file and to simply strip the realm part of the REMOTEUSER variable. The patch is added to the report.

More cleaner solution would be to have a configuration option for ApacheLogin module, which could perhaps specify a REMOTEUSER format.


I'll take a look at it, as I'm using email addresses as the login for a project i'm doing right now

-- SvenDowideit - 28 Mar 2008

I don't understand why you need to strip off the realm. I'm using email addresses as is, and it seems to be working. All i needed to do is adjust the LoginName Filter to remove the @, and everthing seems happy. Any chance you can confirm why you can't?

-- TWiki:Main.SvenDowideit - 31 Mar 2008

Right, I should have explained more. I need to map the users to LDAP directory with LdapContrib as well. The right attribute to do that would be userPrincipalName, but unfortunately this attribute use different domain and doesn't match. E-mail addresses are in the long format (firstname.lastname@domainNOSPAM.com) and also do not match.

Which leaves me to patching the Users.pm

-- TWiki:Main.AivoJurgenson - 02 Apr 2008

aha, that makes alot more sense to me smile I I have the vague feeling there are other ways to doit, but i need to ponder smile

Harald would do that change in LocalLib.cfg or something equally trixy (insert link here) - maybe we should write a howto/blog on that and see how it goes.

-- TWiki:Main.SvenDowideit - 03 Apr 2008

This issue might be connected or already solved with http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item4771 There seems to be an attachment, which is called KerberosLogin.pm and which seems to be much more cleaner solution.

-- TWiki:Main.AivoJurgenson - 11 Apr 2008

ItemTemplate
Summary TWiki::LoginManager::ApacheLogin doesn't work correctly with auth_kerb Apache module
ReportedBy TWiki:Main.AivoJurgenson
Codebase 4.2.0, ~twiki4
SVN Range TWiki-5.0.0, Sun, 09 Mar 2008, build 16496
AppliesTo Engine
Component

Priority Normal
CurrentState New
WaitingFor SvenDowideit
Checkins

TargetRelease n/a
ReleasedIn

Topic attachments
I Attachment History Action Size Date Who Comment
Texttxt Users.pm.patch.txt r1 manage 0.6 K 2008-03-28 - 09:30 UnknownUser workaround patch
Edit | Attach | Watch | Print version | History: r6 < r5 < r4 < r3 < r2 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r6 - 2008-04-11 - AivoJurgenson
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback