4

How would I go about getting TWiki to transparently authenticate against Windows Active Directory with Single Sign-on?

Rym

5 Answers

4

I wrote part of the supplemental documentation for this feature. The guide targets TWiki 4.2, but the setup process remains the same.

Kerberos SSO works in Firefox; just be sure to add your server name to network.negotiate-auth.trusted-uris in about:config.

Name mapping is the hardest part. The TWiki LDAP plugin has a regex which maps Active Directory login names to TWiki user names. It had capitalization problems with our firstname.lastname format, but changing the regex produced the TWiki user names we wanted.

Matt Everson
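The name-mapping step described above is where deployments usually go wrong, so here is an added example (not code from TWiki or its LDAP plugin) of a mapper from Active Directory login names to TWiki WikiNames. It assumes the firstname.lastname convention mentioned in the answer, accepts the DOMAIN\user and user@realm forms that NTLM and Kerberos deliver in REMOTE_USER, and flags distinct accounts that would collapse onto one WikiName; the function names and the sample logins are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of login names as Apache might pass them in REMOTE_USER.
# None of these correspond to a real directory; they only exercise the mapper.
SAMPLE_LOGINS = [
    "john.smith",               # plain firstname.lastname, lower case
    "Mary.O'Brien",             # mixed case plus a non-letter character
    "mary.obrien",              # a different account that maps to the same WikiName
    "EXAMPLE\\jane.doe",        # NTLM style DOMAIN\user prefix
    "jane.doe@example.org",     # Kerberos UPN form of the same account
    "bob.jones@example.org",    # UPN form of another account
    "jsmith",                   # no dot: does not follow the convention
]

# Exactly two dot-separated parts, no whitespace; anything else is rejected.
LOGIN_RE = re.compile(r"^([^.\s]+)\.([^.\s]+)$")


def strip_domain(login: str) -> str:
    """Drop a DOMAIN\\ prefix or an @realm suffix, leaving the bare account name."""
    bare = login.rsplit("\\", 1)[-1]
    return bare.split("@", 1)[0]


def login_to_wikiname(login: str) -> Optional[str]:
    """Map 'firstname.lastname' (any capitalisation) to 'FirstnameLastname'.

    Returns None when the login does not fit the convention so the caller can
    refuse the mapping instead of inventing a WikiName.
    """
    m = LOGIN_RE.match(strip_domain(login))
    if not m:
        return None
    parts = []
    for raw in m.groups():
        letters = re.sub(r"[^A-Za-z]", "", raw)  # WikiNames are letters only
        if not letters:
            return None
        parts.append(letters[0].upper() + letters[1:].lower())
    return "".join(parts)


def map_logins(logins: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return ({login: WikiName} for mappable logins, [rejected logins])."""
    mapped: Dict[str, str] = {}
    rejected: List[str] = []
    for login in logins:
        name = login_to_wikiname(login)
        if name is None:
            rejected.append(login)
        else:
            mapped[login] = name
    return mapped, rejected


def find_collisions(mapping: Dict[str, str]) -> Dict[str, List[str]]:
    """Group distinct directory accounts that share one WikiName.

    Accounts are compared by their bare, lower-cased login, so the NTLM and
    Kerberos spellings of one account do not count as a collision. Two truly
    different accounts sharing a WikiName would share one TWiki identity and
    its group memberships, which a deployment should refuse or rename.
    """
    by_name: Dict[str, set] = {}
    for login, name in mapping.items():
        by_name.setdefault(name, set()).add(strip_domain(login).lower())
    return {name: sorted(accts) for name, accts in by_name.items() if len(accts) > 1}


if __name__ == "__main__":
    mapped, rejected = map_logins(SAMPLE_LOGINS)
    for login, name in mapped.items():
        print(f"{login!r:28} -> {name}")
    print("rejected:", rejected)
    print("collisions:", find_collisions(mapped))
```

Running the module on the constructed sample maps the five conventional logins, rejects "jsmith", and reports that "mary.o'brien" and "mary.obrien" both become MaryObrien; the two spellings of jane.doe are correctly treated as one account.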
2

Do you mean single sign-on or merely authentication?

Authentication is probably pretty easy. Just point twiki to the OU that you keep your users in, if it's like every other LDAP authentication scheme out there. Single sign-on is much more complex, and I have no idea.

Here's a HOWTO that might help: http://twiki.org/cgi-bin/view/Support/LdapAuthenticationHowTo

Matt Simmons
2

Matt Simmons' answer is a good starting point.

I'll add some details, as I use TWiki with LDAP (pure LDAP, not AD).

In your Apache conf, where you normally have:

AuthUserFile /var/www/twiki42/data/.htpasswd
...

replace it with this:

AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthName "login with your AD/domain credentials ..."
AuthLDAPURL ldap://your.ad.example.org/ou=people,dc=example,dc=org
require valid-user

(You have to set the proper values in AuthLDAPURL, of course.) You also have to enable the proper auth module for LDAP. On Debian-based systems use:

a2enmod authnz_ldap

ensure you have

$TWiki::cfg{PasswordManager} = 'TWiki::Users::HtPasswdUser';

in your LocalSite.cfg. The other way is to use the admin interface to set this up. Maybe you also want to disable registration:

$TWiki::cfg{Register}{EnableNewUserRegistration} = 0;

Just ask if you have any questions.

This is one way to do it (maybe the easiest). The other way is to use the LDAP plugin and force your users to register a new user based on the LDAP data (this was not what I wanted).

cstamas
1

As far as I understand it, you will need a web browser that supports Kerberos for SSO. IE will probably have the functionality built in for communication with, at least, AD servers.

There also used to be Kerberos support in Firefox, but I just checked and e.g. the one from Debian Stable doesn't seem to have it linked in.

Bernd Haug
1

One method of doing single sign-on against AD is to use NTLM. You can do NTLM over HTTP to provide your users with automatic logins, but it's not really straightforward.

I've come across this article from 2006, and this somewhat more garish website from 2005, but this third and final link seems far more useful. Hopefully one of them will help you out!

Dan Udey