
Item5303: LdapContrib for TWiki 4.2

Item Form Data

AppliesTo: Extension
Component: LdapContrib
Priority: Enhancement
CurrentState: New
WaitingFor:
TargetRelease: n/a
ReleasedIn:


Detail

-- TWiki:Main/MichaelDaum - 30 Jan 2008

Should have put my comments from LdapContribDev here:

-- TWiki:Main.BryanEllsaesser - 07 Feb 2008

I can confirm a variation on Kevin's issue as well with 2.99.3. I am using LdapContrib with LdapNGPlugin and NewUserPlugin. Everything works great, my new user topics are autocreated on first login by Windows AD users. I can even set the TWikiAdminGroup GROUP= to include a user. I think because the topic exists, the TWikiGroups topic shows the membership as set, but the actual membership is not applied. When logged in as a user in TWikiAdminGroup, I don't have change privileges for a web even though Preferences has this group set to Allow Changes.

-- BryanEllsaesser - 06 Feb 2008

As a follow up to my earlier post: If in TWikiAdminGroup, I

   * Set GROUP = Main.BryanEllsaesser

Because BryanEllsaesser exists in Main, it shows up in the TWikiGroups summary topic for the TWikiAdminGroup. But BryanEllsaesser does not have modification access despite group membership. If I add my loginid (ellsabr1) to the group

   * Set GROUP=Main.BryanEllsaesser, ellsabr1

Then everything works great, except of course TWikiGroups lists BryanEllsaesser twice!

-- BryanEllsaesser - 06 Feb 2008

-- TWiki:Main.BryanEllsaesser - 07 Feb 2008

I debugged this problem further: TWiki 4.2.0 internally does all access checks with username, not wikiname (if both are different). TWiki::Access::checkAccessPermission uses TWiki::User::isInList to check for a username in the lists for allow or deny of different actions. Groupnames should be expanded to lists of usernames. This is correct for a "standard" (non-SSO) setup with TWikiUserMapping and without LdapUserMapping. It is also correct when using LdapUserMapping, as long as ldap groups are concerned. But with

  $TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
TWiki::Users::LdapUserMapping::eachGroupMember falls back to TWiki::Users::TWikiUserMapping::eachGroupMember, when the group does not exist inside ldap. In this case TWikiUserMapping knows nothing about the ldap based usernames, so a group like TWikiAdminGroup is expanded only to wikinames not usernames. Therefore the username can not be identified to be an admin.

If my analysis is correct, another workaround for this problem would be: Manually define a "wikiname - username" entry inside Main.TWikiUsers for every member of a "backoff" TWikiGroup. Normally this is without any function when using TWiki::Users::LdapUserMapping. But now TWiki::Users::TWikiUserMapping::eachGroupMember has knowledge of the relevant wikiname to username transformation. And the checkAccessPermission now can successfully compare the membership of the current user inside non-ldap groups.

-- TWiki:Main.MarkusSchuh - 20 Feb 2008
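
A minimal Perl model of the mismatch analysed in the comment above, added here as an illustration; it is not part of the original thread and is not TWiki or LdapContrib code. The function names and data tables are hypothetical stand-ins; only TWikiAdminGroup, the wikiname BryanEllsaesser and the login id ellsabr1 come from the page.

```perl
#!/usr/bin/perl
# Model of an ACL check that compares login names against a group whose
# fallback ("backoff") expansion may only yield wikinames.
use strict;
use warnings;

# Constructed sample data (hypothetical tables, names taken from the thread).
my %topic_groups = ( TWikiAdminGroup => ['BryanEllsaesser'] );  # Set GROUP = Main.BryanEllsaesser
my %ldap_groups  = ();    # TWikiAdminGroup is not defined in LDAP

# Stand-in for the topic-based mapper: it can translate a wikiname to a
# login name only if its own table (Main.TWikiUsers) has an entry for it.
sub topic_group_members {
    my ($group, $twiki_users) = @_;
    return map { $twiki_users->{$_} // $_ } @{ $topic_groups{$group} // [] };
}

# Stand-in for the LDAP mapper with backoff enabled: LDAP groups win,
# anything else falls through to the topic-based expansion.
sub group_members {
    my ($group, $twiki_users) = @_;
    return @{ $ldap_groups{$group} } if exists $ldap_groups{$group};
    return topic_group_members($group, $twiki_users);
}

# Stand-in for the access check: membership is decided on the login name.
sub is_in_group {
    my ($login, $group, $twiki_users) = @_;
    my $hits = grep { $_ eq $login } group_members($group, $twiki_users);
    return $hits > 0;
}

# Case 1: no Main.TWikiUsers entry, so the group expands to a wikiname.
# Case 2: the workaround from the comment, a wikiname => login entry.
for my $case (
    [ 'no Main.TWikiUsers entry',      {} ],
    [ 'wikiname => login entry added', { BryanEllsaesser => 'ellsabr1' } ],
) {
    my ($label, $twiki_users) = @$case;
    my @members = group_members('TWikiAdminGroup', $twiki_users);
    printf "%-30s members=[%s] ellsabr1: %s\n", $label, join(',', @members),
        is_in_group('ellsabr1', 'TWikiAdminGroup', $twiki_users)
            ? 'allowed' : 'denied';
}
```

In this model the check fails closed: an identity that is not normalised to the form the comparison uses is denied rather than granted access.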

I can confirm this bug on TWiki 4.2.0 and LdapContrib 2.99.4 where wikinames do not work with group assignments, but usernames do. User TWiki:Main.SimonHarrison submitted a patch to Users.pm on 22 Apr 2008 in the comments section of LdapContribDev. In said patch, he seems to have changed $user to $wn on line 543 of Users.pm in his TWiki installation. As he mentions, I'm not sure what the ramifications of such a global change are, but maybe it will give TWiki:Main.MichaelDaum some ideas or otherwise escalate this to a general TWiki 4.2.0 bug.

-- TWiki:Main.KavehAhmadian - 26 Apr 2008

ItemTemplate
Summary LdapContrib for TWiki 4.2
ReportedBy TWiki:Main.MichaelDaum
Codebase 4.2.0
SVN Range TWiki-5.0.0, Wed, 23 Jan 2008, build 16283
AppliesTo Extension
Component LdapContrib
Priority Enhancement
CurrentState New
WaitingFor

Checkins TWikirev:16315 TWikirev:16316 TWikirev:16317 TWikirev:16335 TWikirev:16840
TargetRelease n/a
ReleasedIn

Topic revision: r8 - 2008-04-26 - KavehAhmadian
 