Integrated Windows Authentication (SSPI) with Indigo Perl
If you've managed to install Twiki on a Windows using Indigo Perl and would like to make use of Windows security to authenticate users mapping them to Twiki users automatically the following short tutorial may be of use.
Apache can authenticate Windows uses, using local Windows security or an Active Directory. The source code control system Subversion has shipped with an Apache module to allow this form of integrated Windows Security for some time.
First you'll need the mod_auth_sspi module which you can download version 1.0.3 from: http://www.gknw.at/development/apache/httpd-2.0/win32/modules/
. 1.0.3 is important since it allows us to configure the authentication to strip the domain (or machine name) from the user's fully qualified name. This makes it straight forward to map users to Twiki names.
- Decompress the zip archive and copy the mod_auth_sspi.so file to \indigoperl\apache\modules
- Edit the Apache configuration file to configure authentication for the Twiki virtual directory. Either edit the \indigoperl\apache\conf\httpd.conf directly or if you followed the original IndigoPerlCookbook the Twiki settings will be in the \twiki\twiki.conf file. Add the following lines:
(Please see UsingWYSIWYGwithNTLM
for recommendadtion about
, or your WYSIWYG editing may go pear shaped
31 Aug 2010)
If you've changed the virtual directory for your wiki you will have to update the Location element and include the correct name above.
Also, add the
as described in the
file from the zip.
Restart Apache and navigate to a Twiki page, you should now see the authenticated Windows user mapped to a Twiki user.
-- Contributors: DarrenSyzling
Thanks Darren for sharing your experience with the TWikiCommunity
. This topic is now tagged, and linked from TWikiUserAuthenticationSupplement
- 13 May 2006
Has anyone had success getting Windows Authentication (SSPI) working on a linux platform? TWikiVMDebianStable
is an important project because it makes installing a wiki nearly as trivial as downloading a file. And the fact that the TWiki performs better within a virtual machine than natively on top of Windows on the same hardware is a big win also! Obviously, there are a lot of Unix/Linux experts hanging out here, but that is not necessarily so at many corporate companies. The TWiki-VM can make major in-roads in this regard, in getting TWiki installed in companies around the world.
However, many companies (like ours) will require NT authentication/integration, for a variety of reasons. When I followed these instructions, I only got a "invalid ELF Header" in Apache, and then refuses to load. Is there something I'm missing? Is it that mod_auth_sspi.so needs to be compiled for linux? Any guidance will be greatly appreciated (and I promise if I can get it up and running I'll detail the instructions on TWikiVMDebianStable
). Thanks in advance, RickVanderveer
- 14 Jun 2006
Rick - the .so or .o you've downloaded must be wrong in some way for you get the ELF header message (this is from the Linux kernel, saying the executable binary format is wrong). So you'll need to compile this from source code.
I'm not sure if TWikiVMDebianStable
includes a compiler setup (
, etc), but you can simply type
apt-get install build-essential
at the shell prompt, as root, to install everything you need (see http://packages.debian.org/testing/devel/build-essential
if need be).
You will need to read up on how to compile this module etc, but if you can find a suitable mailing list you might have some luck. Do check first that this Apache module works under Linux, I'd expect that it does though.
Hope that helps...
- 05 Jul 2006
mod_auth_sspi only works for the Windows version of Apache2 since it uses the WININET API to authenticate. I am working on a solution using mod_auth_kerb to do a single-sign-on into a Windows 2003 AD. Once that is up, TWiki will just pull the REMOTE_USER from Apache, translate it to the WikiName
and move on from there.
I had kerberos up and running fine on a test domain and using a Fedora Core 6 box but the Apache module was not behaving properly. I'll post a full tutorial once I get this all figured out. For now, the research is based on these docs:
Someone let me know if they've gotten any closer.
- 21 Feb 2007
My only other pointer is NtlmForSolaris10
- a general version of that HOWTO page would be helpful for Linux, Unix and TWikiVMDebianStable
- 22 Feb 2007
I have TWiki 4.2.0 in Apache 2.2.9 (with mod_perl 2.0.3 and mod_auth_sspi 1.0.4) on Windows Server 2003 SP2 (a domain member) with ActiveState
Perl 5.8.8 build 822 and I've got domain authentication working with mod_auth_sspi using the following Apache directive within my twiki.conf:
# For NTLM Authentication
AuthName "Login using your DOMAIN username and password please"
# only the Apps Support team can log into TWiki with their domain username and password
require user greent marshalk moorej
I have also specified in the TWiki Configuration the use of the ApacheLoginManager
, sessions and cookies.
In TWiki I have ensured that only the TWikiAdminGroup
can edit all pages and made all my users members of that group.
This works a treat however I would prefer it if the authentication was transparent, even though IE can save the username/password.
In both IE7 and FF3 I get asked for the username/password once only and I can omit the domain part of the username no problems. i.e. I can type in moorej instead of ABC\moorej.
- 11 Jul 2008
Forgot to mention what my TWikiUsers
topic looks like.
Here is one line from that topic, its all you need to figure it out:
JamesMoore - moorej - 02 Jun 2008
- 11 Jul 2008