• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item3946: No LDAP password check on user registration page

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Normal No Action Required TWiki:Main/StevenTeeter n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

We are using TWiki with the LDAP authentication feature. On a user registration, the registration page accepts the supplied information WITH NO PASSWORD CHALLENGE and puts the user into the wiki. The registration page should collect the information and then put the user back to the logon page, where he/she would supply the LDAP account and password.

-- TWiki:Main/StevenTeeter - 24 Apr 2007

I am not clear what you are trying to report here.

TWiki has no "LDAP authentication feature" - unless you are perhaps referring to the TWiki:Plugins.LdapContrib? Normally Ldap authentication is done using mod_authldap or similar in the Apache server. AFAIK none of the password managers support changing passwords in LDAP servers.

Please clarify your configuration, and what modules you have selected (what password manager and what login manager). If the problem is with mod_authldap or a similar Apache module then this is not a TWiki bug, and you should raise your questions in Support web or to the Apache people. If the problem is with LdapContrib please describe your configuration to give the developer a chance to debug the problem.

Waiting for feedback from Steven.

CC

If you use LDAP authentication, the basic Apache kind, not the LdapContrib, then it is correct that a user is not required to provide a password to register. Is that a bug? Is it a feature? To us it is a feature. It is nice that you can assist the more "heavy headed" users by registering them. Sometimes when you define a new group and one member has not yet registered you register the bloke. He gets an email that he is registered and is normally happy.

In our TWiki I have setup that you have to provide a password to view anything. By denying access to TWikiGuest to the registration topic, the user is asked to authenticate himself. This way you know that the user doing the registration is an employee that should have access. But there is no check that the user that does the registration is also the user that gets registered. But I find that perfectly OK because TWiki cannot and does not change the password on the LDAP server. So if you register someone else than yourself, only he can login as that person.

Normally in an LDAP authenticated setup you also turn off email confirmation. There is no point. The only thing the registration does is to link the login name to a WikiName and creates a nice TWiki home for the person and enables the person to get access rights to access restricted content. But even without registration a person can authenticate and view and edit non-restricted content and even view (but not edit) content not accessible to TWikiGuest.

This is a very good feature of TWiki in a large corporation where you have a departent TWiki where the department members are typically registering themselves (or you register them all for them) and other departments that visit very occationally can both view and edit content just using their corporate user ID. Very good. Very nice. Let us not destroy that.

There is no security impact. If a hacker registers a bogus username with an outside email address, he cannot use it for anything because he is still not in the corporate LDAP and cannot authenticate and login as the bogus user. And by denying access to the registration page to TWikiGuest the guys that registers need to authenticate first and better you know who they were because it gets logged.

Remember to set {PasswordManager} to None in configure. This also hides the unused password field on the registration page.

I dare setting this to No Action Required. If the issue is with LdapContrib then reopen and provide more info.

-- TWiki:Main.KennethLavrsen - 26 Apr 2007

ItemTemplate
Summary No LDAP password check on user registration page
ReportedBy TWiki:Main.StevenTeeter
Codebase ~twiki4
SVN Range TWiki-4.1.2, Sun, 15 Apr 2007, build 13419
AppliesTo Engine
Component

Priority Normal
CurrentState No Action Required
WaitingFor TWiki:Main/StevenTeeter
Checkins

TargetRelease n/a
ReleasedIn

Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r3 - 2007-04-26 - KennethLavrsen
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback