LoginNameAliasesPlugin
This plugin is used to map login names (typically determined by the REMOTE_USER
variable set by the web server) to usernames.
LoginNameAliasesPlugin documentation
In an intranet (PubCookie, Windows domains, etc.) users are identified to Foswiki via
a REMOTE_USER variable that is set by the web server. This can lead to the following issues:
- This remote user value may not be suitable for direct use as a Foswiki login name, e.g. it may contain special characters, or include a Windows domain, as in WORKGROUP/UserName
- The same person may connect to Foswiki via various authentication domains or methods. For example, JohnSmith may connect both as jsmith@DOMAIN1 and johns@DOMAIN2, and should be identified as the same user to Foswiki.
- Non-registered but identified users may connect to Foswiki in this way and one may wish to map such users to a particular registered user.
These issues have been discussed in several Foswiki support topics on http://foswiki.org. Proposed solutions have often involved making small changes to Foswiki source files. The LoginNameAliasesPlugin makes use of initializeUserHandler and attempts to provide a configurable, plugin-based solution to some of these problems. It was originally designed to be used in an intranet environment where all registered users have both a WikiName and a user name (which is often the same as a Unix or Windows username).
Settings
Behavior of this plugin is controlled through the following settings in configure (in the Extensions / LoginNameAliasesPlugin section).
- MAP_BLANK_USER = <login name> (replaces the internal guest user)
- USE_ALIASES = <boolean>
- REMOVE_PREFIX = <string>
- REMOVE_SUFFIX = <string>
- CHANGE_CASE = none,upper,lower,uppercasefirst
- MAP_UNREGISTERED = <login name>
- RETURN_NOTHING_IF_UNCHANGED = <boolean>
- LOGGING = <boolean>
- DEBUG = <boolean>
In addition to these settings, the plugin topic may contain aliases. An alias entry is a single line of the form:
<multiple of 3 spaces>*<space>ALIAS:<space><string><space><username>
For example:
* ALIAS: johns@BAR.COM jsmith
If the user (as passed to the plugin) is an exact match for the first string, the plugin will return the given username.
How it works
When it runs, the plugin applies the following steps in succession to the username passed to initializeUserHandler.
- If the username is blank return either "", or the value of MAP_BLANK_USER if it is set. Note: a username that would evaluate to false in Perl (e.g. the user "0") is treated as blank.
- If USE_ALIASES is set, the alias list is checked for a match and the first match found is returned.
- If REMOVE_PREFIX is set, an attempt is made to remove that string from the beginning of the username (quotemeta is applied to the string before it is used).
- If REMOVE_SUFFIX is set, an attempt is made to remove that string from the end of the username (quotemeta is applied to the string before it is used).
- If CHANGE_CASE is set to upper, convert all letters to uppercase; if set to lower, convert them to lowercase; if set to uppercasefirst, convert only the first letter to uppercase.
- The MAP_BLANK_USER check from step 1 is applied again, since steps 3 or 4 may have zapped the whole username.
- If MAP_UNREGISTERED is set, then check to see if the user has a WikiName. If not, then return the value of MAP_UNREGISTERED. If the user already has a WikiName, go to step 7. Note: This setting will not work unless doMapUserToWikiName is set to 1 in Foswiki.cfg.
- If the username after the PREFIX/SUFFIX transformations is different from the one passed to us in the original username argument, the new name will be returned. If it is the same as the original one, then the original username will be returned, unless RETURN_NOTHING_IF_UNCHANGED is true.
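The steps above, modelled as an added Python example (not the plugin's own Perl code) that an administrator can use to check which user a login name ends up as, and which distinct logins collapse onto the same user under a given configuration. The alias regex, the `registered` set standing in for the WikiName lookup, the function names and the sample data are assumptions made for this illustration.

```python
import re
from collections import defaultdict

ALIAS_RE = re.compile(r"^(?: {3})+\* ALIAS: (\S+) (\S+)\s*$")

def parse_aliases(topic_text):
    """Parse '<3n spaces>* ALIAS: <string> <username>' lines; '#ALIAS:' lines never match."""
    return [m.groups() for m in map(ALIAS_RE.match, topic_text.splitlines()) if m]

def is_blank(name):
    # The page notes that Perl-false names such as "0" are treated as blank.
    return name in (None, "", "0")

def map_login(login, cfg, aliases=(), registered=()):
    """Apply the documented steps in order; None stands for 'return nothing'."""
    if is_blank(login):                                    # step 1
        return cfg.get("MAP_BLANK_USER", "")
    if cfg.get("USE_ALIASES"):                             # step 2: exact match, first wins
        for alias, user in aliases:
            if login == alias:
                return user
    name = login
    prefix, suffix = cfg.get("REMOVE_PREFIX", ""), cfg.get("REMOVE_SUFFIX", "")
    if prefix and name.startswith(prefix):                 # step 3: literal, as with quotemeta
        name = name[len(prefix):]
    if suffix and name.endswith(suffix):                   # step 4
        name = name[:-len(suffix)]
    case = cfg.get("CHANGE_CASE", "none")                  # step 5
    name = {"upper": name.upper(), "lower": name.lower(),
            "uppercasefirst": name[:1].upper() + name[1:]}.get(case, name)
    if is_blank(name):                                     # step 6: stripping emptied the name
        return cfg.get("MAP_BLANK_USER", "")
    if cfg.get("MAP_UNREGISTERED") and name not in registered:    # step 7
        return cfg["MAP_UNREGISTERED"]
    if name != login:                                      # step 8 (compared after all changes)
        return name
    return None if cfg.get("RETURN_NOTHING_IF_UNCHANGED") else login

def collisions(logins, cfg, aliases=(), registered=()):
    """Group sample logins by mapped user; keep users reached by more than one login."""
    groups = defaultdict(list)
    for login in logins:
        groups[map_login(login, cfg, aliases, registered)].append(login)
    return {user: names for user, names in groups.items() if len(names) > 1}

# Constructed sample data (not from a real site).
TOPIC = "   * ALIAS: johns@BAR.COM jsmith\n   * #ALIAS: foo@BAR.COM foobar\n"
CFG = {"USE_ALIASES": True, "REMOVE_PREFIX": "WORKGROUP/", "REMOVE_SUFFIX": "@BAR.COM",
       "CHANGE_CASE": "lower", "MAP_BLANK_USER": "guest"}
```

Running `collisions` over the login names seen in the web server's logs shows which identities the configuration merges, so each merge can be confirmed as intended before the settings go live.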
If LOGGING is turned on, the following fields will be logged to the file (workdir)/_logfile.txt: timestamp, $ENV{'REMOTE_ADDR'}, $ENV{'REMOTE_USER'}, the username that was passed to the plugin, the username that the plugin returned.
This is useful for debugging and keeping a record of user names before they are mapped. Note that the logfile must be writable by the web server (just like other Foswiki log files).
Security
There are obvious security risks with allowing arbitrary user names to get mapped to arbitrary Foswiki users. To mitigate these risks:
- The plugin configuration topic, System.LoginNameAliasesPlugin, should have access permissions set such that only people in the AdminGroup (or other people who can be trusted) can change it. By default, the topic is distributed with this access restriction.
Caution
Misconfiguration of this plugin could cause problems for Foswiki operation, and/or create various security problems.
Aliases
If you enable {LoginNameAliasesPlugin}{USE_ALIASES} in configure, the following Alias definitions are used.
Sample alias (disabled by a # character):
* #ALIAS: foo@BAR.COM foobar
The currently logged in user's %!USERINFO% is
Installation
You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.
Open configure, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".
If you have any problems, or if the extension isn't available in configure, then you can still install manually from the command-line. See http://foswiki.org/Support/ManuallyInstallingExtensions for more help.
Plugin Info