Item4123: Registration script inserts wrong line into TWikiUsers

We discovered a problem to day on our Dakar installation regarding user registration. I installed 4.1.2, but the problem also shows up there also:

Our system is set up to authenticate via LDAP and is therefore not using TWiki internal authentication. Basically, the directories are locked by the web server (apache) and when one is trying to access it goes out to LDAP via the apache LDAP module and authenticates the user.

This worked in the past, but now the following happens: When a user registers, instead of the usual line:

• <wikiname> - <loginname> - <date>

the following is inserted into TWikiUsers

• <wikiname> - <wikiname> - <date>

and from then on, of course, the mapping from user to wikiname does not work.

Note that the webserver correctly puts the loginname into the CGI object.

-- TWiki:Main/ThomasWeigert - 24 May 2007

I run 4.1.2 in the same company using the same LDAP server as you. So it sounds more like a config issue. Send me your Apache and TWiki config to my work email and let me compare with ours.

-- TWiki:Main.KennethLavrsen - 24 May 2007

Ken, thanks. Sent this as you instructed. Please note that the very same settings work for Cairo and earlier as expected.

I was surprised to run into this as I thought for sure that somebody must have hit that issue before. This give credence to your configuration theory, were it not for the fact that really nothing changed about these settings...

-- TWiki:Main.ThomasWeigert - 24 May 2007

I have received the configs now and there were several issues that for sure would cause this problem.

To people reading this bug report

When you use the Apache LDAP modules for authorisation (not the LDAP plugin for TWiki) you need to pay attention to...

• Configure setting $TWiki::cfg{PasswordManager} must be set to 'None' - When you use mod_ldap the whole password handling it totally out of the hands of TWiki.
• Configure setting $TWiki::cfg{LoginManager} must be set to 'TWiki::Client::ApacheLogin'. You cannot use TemplateLogin. The authentication with ApacheLogin is taken care of entirely between the Apache server and the browser and between Apache server and LDAP server. The TWiki code is just told via Apache environment variables that the user is authenticated and the login name he is authenticated with.
• In the apache config you authenticate only a selection of the scripts

    <FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
        require valid-user
    </FilesMatch>

• • Note that for example view is not authenticated. An LDAP server can be pretty slow in a big corporation. You only want to authenticate when you need it. The view script redirects to viewauth if TWiki sees that the user is not authenticated OR that there is no valid session cookie / session file pair. For this to work make sure that the configure setting $TWiki::cfg{UseClientSessions} is 1 and that the CPAN lib CGI::Session is installed.

The Apache settings that Thomas used would have worked but the 4.1.2 Twiki config was not correctly setup for LDAP auth. And additionally the optimisation I describe above was not implemented because that required extra plugins in Cairo to work. Sessions are now built into TWiki 4.X and this allows a much more optimal apache configuration.

I am setting this to No Action Required. But naturally Thomas we continue corresponding directly until you have your 4.1.2 working.

-- KennethLavrsen - 24 May 2007