NTLM Single Sign-On state of play?

by Paul Shephard -
Number of replies: 130

Hi

Over the past 12 months I have seen various discussions as to ways in which organisations have been attempting to get single sign-on solutions working on different platforms.

After reading through many of these I now feel more confused than before, mainly because there have been so many variations and hacks needed to get this working.

My question is, is there a currently available solution to bypass users logging on by using their NTLM credentials (internal use only at this point, external is another kettle of fish), on moodle running on IIS?

Please don't point me to previous discussions, as I have read them exhaustively already. I am sure there are many others that would like to achieve this. I believe our staff and students would be far more likely to use systems that didn't require secondary logins. And also it would put our Blackboard 'champions' backs up!

Any help would be greatly appreciated

Paul

In reply to Paul Shephard

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Paul,

We are currently doing this in our installation - we point our internal users to an "oncampuslogin" page which logs the user in via NTLM authentication, and an offcampuslogin page which logs the user in via LDAP.

What version of Moodle are you using? I could pass on a copy of our code.


Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by J Handler -

Dan,

Does the oncampuslogin not actually require a login if they are already logged into IE? That is, it is able to pass along their Active Directory login information to the system so there is no need to type their username and password. I have successfully been able to get the LDAP authentication to work with my Active Directory accounts (one user name, one password) for all systems, but they are still required to type it in when they are already logged into an XP machine here on campus. If you are able to pass through the credentials, I would be very excited to see how.

Thanks,

Joel

In reply to J Handler

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Yes - let me know what version of Moodle you're using, and I'll post some of our code here!

- it works using NTLM/Integrated Authentication - the credentials they log onto the computer with.

Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by J Handler -
I am using 1.5.3 running on Apache on Windows (strange but true, and it works great). Can you send me the hacks you used? Thanks
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Martín Langhoff -

Interesting! Two questions for you Dan:

  • Can you place the code in an auth plugin? No external roundtrips?

  • In that case, does Moodle need to run under IIS? Or are you using Apache's NTLM Auth support?

From afar, it seems to me that it would be a matter of writing a super simple 'trust apache' auth plugin and using the Apache NTLM Auth plugin.

In reply to Martín Langhoff

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
No roundtrips, most in the auth plugin, but it does require modification to the login/index.php page - the modifications could possibly be useful to add to Moodle anyway.
The login index.php file is renamed to offcampuslogin.php, then 2 new files are created - oncampuslogin.php, which has integrated authentication turned on in IIS and is basically a copy of the normal index.php with a few extra functions to handle getting the NTLM credentials.
The other new page replaces the normal index.php; it looks at the IP address of the user and directs to either the oncampuslogin page or the offcampuslogin page.

- I'm not sure how the Apache NTLM auth works, but the only IIS interaction is setting the oncampuslogin page to run under Integrated Authentication.

We also set up the custom error page in IIS for "auth type not supported" to direct to the offcampuslogin.php page, so that users inside our network using Firefox/Opera/Safari etc get directed to the offcampuslogin.php page as well.

If Moodle allowed you to set a group of IP ranges/addresses for directing to a different login page, it would mean the index.php could be used as is. - I might look at setting up the auth plugin to handle most of this - put the oncampuslogin.php page in the auth plugin dir, and a function for handling the IP filters, and then just call that function from the normal login\index.php file.

We filter the addresses quite extensively - eg users on our Wifi, Guest and Laptop VLANs get directed to the offcampuslogin.php page as they are not normally logged into the domain.

hope that explains things!

Dan

*edit* I notice from Martín's link that Apache NTLM allows you to turn on NTLM on a virtual directory. Does anyone know if this works on an individual file? If not, I'll look at structuring the plugin to contain an ntlm directory so you can set it at a dir level.

In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Martín Langhoff -

Cool! Sounds like with a bit of work it can probably be turned into a just-works plugin... In terms of Apache modules, it can probably be enabled on any of

   <Directory /var/www/foo>
        config stuff
   </Directory>

   <Location /foo>
        config stuff
   </Location>

   <Directory /var/www/foo>
        <Files bar.php>
             config stuff
        </Files>
   </Directory>

   <Location /foo/bar.php>
        config stuff
   </Location>

(Apache has no <File> container; a single file is matched with <Files>, which takes a file name rather than a path, so it is nested inside the <Directory> that holds it.)

I haven't seen your code... is it ready for /contrib?

In reply to Martín Langhoff

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hmmm - probably not ready for contrib. I'll do a bit more work on it and try to get more of it located in the auth/ntlm folder with fewer modifications to the login page. I've been getting a 1.6 version ready anyway - it uses the current 1.6 LDAP code as a base.

Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Paul Shephard -

Hi Dan,

Thanks for your responses. We are using version 1.5.3 running on Windows server 2000 with IIS.

If you could send me the relevant code hacks (including where to add them please) that would be great.

Thanks

Paul

In reply to Martín Langhoff

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Had another look at the code, wrote a bit more documentation, and I have now placed the code in contrib - you can get at it here:
http://moodle.org/mod/data/view.php?d=13&rid=314

(note: the download link won't work until tomorrow when the nightly build happens!) - in the meantime you can get it here:
http://learn.lincoln.ac.nz/moodle/auth_ntlm.zip
(I will delete this file soon so if it doesn't work you will need to get it from the other link!)

PLEASE run this on your test systems FIRST before running it in production! - see the readme file inside the download for instructions on how to install it.

have fun!

Dan
In reply to Dan Marsden

NTLM bug fix

by Dan Marsden -
Oops - I left a line in the code that I was using for debugging - you should get the new version of the file.

I've updated CVS and my locally hosted download - the download from the modules & plugins database may take till overnight to get updated though.

the new file is ntlm\auth\lib.php
* @version $Id: lib.php,v 1.2 2006/05/24 23:14:40 danmarsden Exp $


- I've also put up a patch for 1.6 - we've been running this in a test environment (NOT IN PRODUCTION YET) - have a look if you're testing!

Dan
In reply to Dan Marsden

Re: NTLM AUTH V 2.0 for Moodle 1.6

by Dan Marsden -
I have just updated the ntlm plugin for 1.6 - it's available in the modules and plugins database on the homepage of moodle.org

The new version no longer requires modification to standard moodle files - all the files are included in the auth\ntlm directory.

let me know if you have any issues!

Dan
In reply to Dan Marsden

Re: NTLM AUTH V 2.0 for Moodle 1.6

by Ian Fogarty -

Hi Dan

Just downloaded this and found a few typos in the

<moodle>\auth\ntlm\index.php (1.6 version) file

The IF statement starts as If with a capital I,

The other is that both the if and the else point to offcampuslogin.php. Based on the code and the older version, the second should be oncampuslogin.php, shouldn't it?

Ian

In reply to Dan Marsden

Re: NTLM AUTH V 2.0 for Moodle 1.6

by Steve Power -

Dan

Thank you for this. I have been working on your previous version and before I look at applying my mods to this version I thought I should run the ideas past you.

My problem is that sometimes we need to log in as users other than ourselves. I have several demo accounts that teachers use and an admin account that I use. I modded the code so that the login block cleared the username and the login\index.php checked whether the username / password were blank before passing to oncampuslogin. If the username is not blank then someone has typed something in and so I pass to offcampuslogin.

I understand that the same can be achieved by directly calling offcampuslogin.php when on campus but my logic is that if someone has typed in a username (& password) then we should use this. It also seems easier for colleagues.

I will look at your version 2 soon (I am away now until Tuesday) but in the meantime do you have any thoughts on my solution?

Regards
Steve

In reply to Steve Power

Re: NTLM AUTH V 2.0 for Moodle 1.6

by Dan Marsden -
Hi Steve, cool idea! We force login on the homepage of our site, so that hadn't even occurred to me!

- I've fixed the above issues - thanks for the report! If you flick me a copy of your old code via e-mail, I'll add it in to the new version.

I want to improve the module a bit more soon so that people can use the config page instead of having to hard code the IP addresses in the index.php file too.

Dan
In reply to Dan Marsden

Re: NTLM AUTH V 2.0.1 for Moodle 1.6

by Dan Marsden -
Just updated the module - the offcampuslogin page wasn't working properly because it is now using a custom login page. Should be fixed now - will take overnight for the download link in the modules and plugins db to be updated though.

Dan
In reply to Dan Marsden

Re: NTLM AUTH V 2.0 for Moodle 1.6

by Kieran Denny -

Hi Dan
I'm still using v1.1 for 1.6, but have come up with a thought for extending the module. Currently we use the 'ldap_creators' option from within ntlm to assign our supervisory teachers into the system. What I would love to see is a similar option, but instead used to manage system admins [ie. so I could point the option to our Windows Active Directory 'Domain Admins' group]. I will prob migrate us across to v2.0 once I find some time for testing.

regards,

Kieran

In reply to Kieran Denny

Re: NTLM AUTH V 2.0 for Moodle 1.6

by Dan Marsden -
Hmmm - I'm not so sure... It may be useful for some people, but in 1.7 with better Roles you shouldn't need to add as many people as site Admins. You probably shouldn't have that many Domain Admins in AD either.

Dan
In reply to Dan Marsden

Re: NTLM AUTH V 2.0 for Moodle 1.6

by Dan Marsden -
...now what WOULD be useful for 1.7 is the ability to assign ANY group in LDAP to a role in 1.7 - something to think on; I might get a chance to look at that.

Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Jeff Hague -

I am playing with ntlmauth on a Moodle 1.6 / Win2003 / IIS6 test site - wonderful piece of work!

I have found something a bit strange though. I have only had a chance to create this using the offcampus login because I am not at work today, but here's the scenario.

I create a new user in Active Directory and then log in to Moodle using that account. It creates the user and copies the info I specified just fine - works great.

Then I go change the user's password in AD and wait 10 minutes or so to make sure the change has replicated about.

When I log back in to Moodle, I can use either password - the old one or the new one. I cannot log in to Moodle using an account that does not exist in AD, and I cannot log in to Moodle using an altogether wrong password, but Moodle does seem to remember the original password somehow. I have deleted cookies in IE between tries and even rebooted the Moodle server, but I can still use either password.

I set ntlm auth to not store passwords in the Moodle db - is it possible that is not working? How can I check to see where that first password is stored?

In reply to Jeff Hague

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
You might be right! If you set ntlm auth to not store passwords, it doesn't "clear" the previously saved passwords, so any old passwords stored in the db still sit in the db. This should work as it does in the normal LDAP auth module.

Test this with an account that doesn't already exist in Moodle, or delete the current account and log in fresh, then change the password and try to authenticate with the old password and the new password.

let me know how you go!

Dan

*PS* - the Oncampus login page can't store any passwords as the password isn't available to the plugin - only the username!

In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Jeff Hague -

I have tested with both a new account that didn't exist in Moodle and I have deleted an account and tried again. In both cases, it remembers the original password. I haven't tried it through two password changes yet but am planning to do so today - I'll post the results.

What is the reason for having an oncampus and an offcampus login? Is it simply to take advantage of integrated Windows authentication when on campus? That is nice, but I'd be just as happy if the Moodle username/password and AD username/password were the same, even though students may need to log in to Moodle separately...

Thanks!

Jeff

In reply to Jeff Hague

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Jeff,

Sounds like you want to use the LDAP auth module as-is. NTLM is a modified version of LDAP which allows single sign-on for users inside your network. If you are happy with your users entering their username/password, then just use the standard LDAP one.

The reason 2 pages are used is so that you can direct on-campus users to ntlm based authentication, and off-campus users to moodle forms based authentication.

If Integrated authentication was set for both on-campus and off-campus users, you would need to educate off-campus users how to use NTLM (Integrated authentication). If a user is prompted with integrated authentication and they are not on-campus, this will cause all sorts of difficulty! They will have to enter their username prefixed or suffixed with the domain - prefix: domain\username or suffix: username@domain. This causes all sorts of grief: the backslash, not the forward slash, must be used with the prefix method, and sometimes the domain is not the same as a person's e-mail address, which causes trouble when people are using the suffix method, as users always get these things confused!

Firefox is set by default to not allow Integrated Authentication; an admin (a person with knowledge) must set these values. Many other browsers do not support NTLM authentication. This means that supporting NTLM authentication off-campus becomes very difficult for your support team.

- Ideally NTLM should ONLY be used inside your network, and then standard forms based authentication outside your network!

hope that clears things up!

good luck!

Dan


*PS* - don't think about turning "basic authentication" on to support off-campus use - it passes username/passwords in clear text - nice and easy to sniff those! - not to mention it's almost impossible for your support team to work out whether an off-campus user is being prompted for basic or integrated, and then give them the correct instructions for each!
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Jeff Hague -

Thanks - yes it clears things up.

Our users are already used to the annoying NTLM authentication issues thanks to Outlook Web Access - also, an SSL cert goes a long way toward tightening up Basic authentication on IIS.

I am going to leave it up to the Faculty group as to whether they want to use Integrated auth when on campus. The consensus on those things around here tends to be to make things as similar as possible regardless of where the student is, so I'd imagine they will opt for the straight LDAP authentication.

Thanks for your help!

Jeff

In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Dan Price -
I'm trying to get the NTLM auth plugin to work, and there's one thing the docs aren't clear on - what format does the plugin expect IP address ranges in?

Thanks
In reply to Dan Price

Re: NTLM Single Sign-On state of play?

by Dan Marsden -

Probably best to talk to your network admin on this! The plugin expects an IP address (eg: 192.168.1.0) and a Subnet Mask (eg: 255.255.255.0).

Subnet masks get quite confusing if you aren't familiar with them, but network admins/firewall/switch maintainers work with them on an almost daily basis, so if there is someone else in charge of that stuff in your organisation, ask them!

Good luck!

Dan
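An added example (not code from the auth/ntlm plugin or from anyone's post above) of the address-plus-mask check the plugin expects, combined with the VLAN exclusions Dan describes earlier in the thread; the function names and the sample ranges are assumptions made for this illustration.

```php
<?php
// Added example, not the plugin's own code: route a client to the NTLM
// (oncampus) or forms-based (offcampus) login page from its IP address,
// using "network address + subnet mask" pairs as the plugin expects.

/**
 * True if $ip lies inside the network $network/$mask.
 * All three are dotted-quad strings, e.g. '192.168.1.0' and '255.255.255.0'.
 */
function ntlm_in_subnet(string $ip, string $network, string $mask): bool {
    $ipl   = ip2long($ip);
    $netl  = ip2long($network);
    $maskl = ip2long($mask);
    if ($ipl === false || $netl === false || $maskl === false) {
        return false;   // malformed input never matches, so the caller falls back to the forms page
    }
    // Mask off the host bits on both sides and compare the network parts.
    return (($ipl & $maskl) === ($netl & $maskl));
}

/**
 * Choose the login page for a client address.
 *   $oncampus  ranges where machines are domain-joined and NTLM should be attempted
 *   $excluded  ranges inside the campus network whose machines are normally not
 *              logged into the domain (Wifi, guest, laptop VLANs); these win over $oncampus
 * Each range is a two-element array [network, mask].
 */
function ntlm_login_page(string $ip, array $oncampus, array $excluded): string {
    foreach ($excluded as [$net, $mask]) {
        if (ntlm_in_subnet($ip, $net, $mask)) {
            return 'offcampuslogin.php';
        }
    }
    foreach ($oncampus as [$net, $mask]) {
        if (ntlm_in_subnet($ip, $net, $mask)) {
            return 'oncampuslogin.php';
        }
    }
    return 'offcampuslogin.php';   // anything unknown gets the forms-based page
}

// Constructed sample ranges (placeholders, not a real site's addressing).
$oncampus = [
    ['10.0.0.0',  '255.0.0.0'],      // whole campus block
];
$excluded = [
    ['10.50.0.0', '255.255.0.0'],    // wifi VLAN
    ['10.60.0.0', '255.255.0.0'],    // guest VLAN
];

// Decide on the TCP peer address, not on X-Forwarded-For: that header is
// client-supplied, so routing on it would let an outside client reach the NTLM
// page. Behind a reverse proxy, use the address the proxy itself reports.
$clientip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

// Constructed addresses exercising each path: on campus, an excluded VLAN,
// an outside address, and a malformed value.
foreach (['10.1.2.3', '10.50.4.4', '203.0.113.9', 'not-an-ip', $clientip] as $ip) {
    printf("%-15s -> %s\n", $ip, ntlm_login_page($ip, $oncampus, $excluded));
}
```

Dropping this into the plugin's index.php would replace the hard-coded address checks with the two arrays, which is also the shape a config-page setting could feed it.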

In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Barry O'Kane -
Hi guys, I've just got LDAP & NTLM SSO working on Windows Server 2008 R2 in an MS AD domain. Just thought I'd drop in this wee tip as it took me a while to find.

IE doesn't recognize a site as being local intranet if it has a FQDN. Our installation was set up so that the URL was http://ServerIP/moodle. As soon as I changed it to http://ServerName/moodle NTLM began working.
I found the info under Microsoft KB 258063.

Cheers.
In reply to Barry O'Kane

Re: NTLM Single Sign-On state of play?

by Peter de Groot -


Ubuntu 14.04 - Samba 4 - Server 2008R2 - AD - SSO - Change to Kerberos


Just upgraded my moodle server to Ubuntu 14.04.

This also upgrades Samba to version 4. It appears that ntlm_auth_winbind is broken in this rev and they do not seem too keen on fixing it. Ergo, my NTLM auth SSO is now broken also.

So I "sucked it up" and went for Kerberos.

My experience, so it "may" help others.

My biggest problem is that my web site was called http://myschool.edu.au and the actual moodle/web server followed  company rules and was called server01.

Thus I had to add a SPN to AD so that the Kerberos will then issue a ticket for the moodle web site. This is assuming that all the Kerberos and DNS are good....  There is lots of doc  out there for this.

After weeks of googling it seems... and I have joined the server to AD via net ads join.

1. Despite a lot of warnings around the place, it appears that I can add the SPN to the machine name in AD that samba uses.

2. Microsoft have a great utility called setspn for Server 2008R2 (and now for 2003) which allows me to add the SPN for our website to the machine name in AD. Now it appears that samba can also do it, but I really struggle with their doc... Watch out for the single "/" in the syntax.

   So I typed: setspn -s http/myschool.edu.au server01

3. Update the apache and moodle auth pages as per the doc.

4. Good to go.

Comments welcome and appreciated...

Peter

PS ... the doc for this stuff REALLY needs a good going over...


In reply to Paul Shephard

Re: NTLM Single Sign-On state of play?

by Skip Marshall -
Dan,
It sounds like you are doing exactly what we are working toward. We are running Moodle 1.5.3+ and are currently testing 1.6. Our server is running IIS 6.0 under Win 2003 Server. We would appreciate an opportunity to look at your code hacks as well.

Thanks.
Skip
In reply to Skip Marshall

Re: NTLM Single Sign-On state of play?

by Paul Shephard -

Thanks for the link to the code Dan. It worked a treat on our 1.5.2 test system, after my initial mistake of forgetting to change the internal IP addresses in index.php to our own. I will test it on our 1.5.3 production server later today.

Just a note to anyone else who panics like I did, thinking that I could no longer access my admin account: just use the offcampuslogin URL to log in using your admin account.

Thanks again for this Dan, you have made my life a lot easier!

In reply to Paul Shephard

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Paul,

glad to hear it worked well for you!

I should add that to the documentation! - If you have access to contrib, feel free to add that to the readme, otherwise I'll add it when I get back to work on Monday!

Dan
In reply to Skip Marshall

Re: NTLM Single Sign-On state of play?

by Peter de Groot -

This looks just like what we need ..... am keen to give it a try..

We are running version 1.6 on apache and fedora.

Is the 1.6 version fairly stable ?? and ready for release ??

Cheers

Peter

In reply to Peter de Groot

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Peter,

we are running a Test 1.6 Environment with the code above, and it seems to be running fine. - We will probably deploy before the final 1.6 release, so if we experience any issues, I will update the patch and post here!

As always - I highly suggest you run this in a test environment BEFORE running it in a live environment and make sure you can get it to work with your internal systems first. - I also don't know anyone who has tried this with the apache NTLM plugin yet, - I'd be keen to hear how you go. - if there is any update to documentation you could provide for other Apache users that would be great!

thanks,

Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Peter de Groot -

Many thanks .. will get onto it asap.

We are also running Samba/winbind for squid proxy authentication, which uses NTLM auth, so I am thinking that it should be easy.

Mmm... better set up a test site.

Cheers
Peter
In reply to Peter de Groot

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
You should always test custom modifications! Let me know how you go!

Bounce me an e-mail if you manage to put together any instructions, and I will update the readme.

good luck!

Dan
In reply to Peter de Groot

Re: NTLM Single Sign-On state of play?

by Peter de Groot -

Rather than the modntlm from sourceforge, I have the ntlm part of samba working fine on my system (Un*x, apache etc).

Recommend it for linux boxes... the modntlm is a bit stale. The samba one is very recent; you have to apxs it into apache, but that was easy. It uses the winbind ntlm as part of the running samba.

Get it from here

http://samba.org/ftp/unpacked/lorikeet/mod_ntlm_winbind/

I had no problems, but it does return different variables.

Snip from my http2.conf

LoadModule ntlm_winbind_module        modules/mod_ntlm_winbind.so

<Directory "/mnt/hd/website/moodle-test">

     Options -Indexes FollowSymLinks MultiViews
     DirectoryIndex   index.php

     AuthName "NTLM Authentication thingy"
     NTLMAuth on
     NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
     NTLMBasicAuthoritative on
     AuthType NTLM
     require valid-user

</Directory>

I just added some more to the oncampuslogin.php.


The problem I am having at the moment is that I want it to auto-magically add the users if they do not exist in Moodle. If the user already exists, then it seems to work fine. Am still tracing.


 // -- first try samba winbind ntlm auth (mod_ntlm_winbind sets REMOTE_USER as DOMAIN+user)

    if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] != '') {   // --- this for samba NTLM auth
        $remoteuser = $_SERVER['REMOTE_USER'];
        if (strpos($remoteuser, '+') !== false) {        // strip domain info only when a separator is present
            $remoteuser = substr(strrchr($remoteuser, '+'), 1);
        }
        $_SERVER['REMOTE_USER'] = strtolower($remoteuser); //compatibility hack: moodle usernames are lower case
        if (isset($handle)) {                            // debug trace; $handle must be an already-opened log file
            fwrite ($handle,"\ngot to samba ntlm auth username is ".$_SERVER['REMOTE_USER']) ;
        }
        $frm->username = $_SERVER['REMOTE_USER'];
        $frm->password = '';
        $user = get_complete_user_data('username',$_SERVER['REMOTE_USER']);

    } else if (isset($_SERVER['AUTH_USER']) && $_SERVER['AUTH_USER'] != '') { // --- this for IIS integrated auth (DOMAIN\user)
        $authuser = $_SERVER['AUTH_USER'];
        if (strpos($authuser, '\\') !== false) {         // strip domain info; '\\' is one backslash in PHP ('\' alone does not parse)
            $authuser = substr(strrchr($authuser, '\\'), 1);
        }
        $_SERVER['AUTH_USER'] = strtolower($authuser);   //compatibility hack
        $frm->username = $_SERVER['AUTH_USER'];          // rest of this branch mirrors the samba one above
        $frm->password = '';
        $user = get_complete_user_data('username',$_SERVER['AUTH_USER']);
    }

In reply to Peter de Groot

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Peter,

thanks for the tips for the linux users! - our install "automagically" adds users when they're not in moodle already - I'm not sure why yours doesn't work - I'm away from work tomorrow, but I'll have a look at your code on friday, and see if I can spot anything! - have you made any other changes to the ntlm plugin? - or just the oncampuslogin.php file?

thanks!

Dan
In reply to Dan Marsden

NTLM Single Sign-On + multiple AD domains

by Peter de Groot -
Interesting... saw the SSPI ntlm and that seems the better way to go. Works on both Windows and Linux Apache.

Anyway .... over the holidays I got the samba ntlm one working and made some other MAJOR hacks ....

We run 2 separate domains. One for students and one for teachers. Unfortunately there is no global catalog (and I do not have the privs to change this). There is a trust however, so the samba NTLM sees both of them.

The NTLM authentication works well. But I had to shamelessly hack your code so that it does a LDAP lookup on 2 domains to add/authenticate the users.

I did this by having a one to one mapping of the server name, Bind User and Bind Password and DN lookup.

i.e. domain server 1, domain server 2 ......
Bind user 1, bind user 2 .....
Bind password 1, bind password 2 ........
context 1, context 2 ..........

These were just stuck in the existing form separated by a ; as per the norm.

The auth modules then just bind to each of the servers in turn using the supplied bind user name and password, and then does a lookup for the user name in the supplied context.

As moodle is our standard intranet site (home page) ... I did not even check for guest accounts, course creators, automatic enrollments etc etc. In the event of duplicate user names in separate domains, the first one gets used...

I also force them to login before using moodle .. so the moodle login screen is the first to come up. Have not tested for the above ..

A much better solution would be a re-write to ask the user for the domain, but I did not want to get into forms etc etc ....

Am also worried about basic auth off site. .. with look at https .. should not be hard.


Anyway FWIW... here is my code. I am not very proud of it, but it is my first go with PHP. For an old FORTRAN hacker the semicolons drove me MAD, along with the sloppy variable typing.

It is currently working in production ..... but more checking probably required ..

The wiki with the apache conf file is incorrect .. it should be this .. similar to the SSI one.. My bad.



# ----- moodle

<Directory "/d2/website/moodle/">
Options -Indexes MultiViews FollowSymLinks
DirectoryIndex index.php

<Files oncampuslogin.php>
AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Files>
</Directory>

Mmm... recommend turning the basic auth off. I was using FF for testing and could change the username/password in the browser. I have now activated the trusted URI stuff in FF.

BTW, I used the NuSphere PHP IDE and was VERY impressed. With samba mapped drives I was able to leave the source on the server and run in debug mode. Price seems reasonable. It has a free trial if you are interested.
In reply to Paul Shephard

Re: NTLM Single Sign-On state of play?

by Peter Day -

Hi,

I am a new Moodle user and just trying to get the NTLM Authentication to work. I have copied the files into their respective directory, no problem. I am now trying to set the Authentication to work in Apache. I am running on Windows with Apache. What do I do with the .tar file?

Thank you

In reply to Peter Day

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Peter,

I don't know if the plugin works with Windows/apache - this page:
contains all the instructions on how to install it, but it does say that it is for implementing NTLM authentication for Apache on Unix platforms

the tar file is a zip file, you will need to find a program to unzip it. - then follow the instructions on this page:
http://modntlm.sourceforge.net/

otherwise - install IIS and use that instead of apache.

good luck!

smile

Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Colin G -
An even easier way to authenticate NTLM clients is with this PHP script....I currently use this to authenticate LAN moodle clients at an 800-user site & it works very well :
http://ng.secusquad.com/wiki/index.php/PHP_NTLM_GET_LOGIN
This could easily be build into Moodle for internal authentication. The great thing about it is there is no need to install apache modules or any other 3rd party software on your server.
In reply to Colin G

Re: NTLM Single Sign-On state of play?

by Peter de Groot -

Certainly looks interesting .. could you put up a snippet of code, so we can see how you have implemented it?

Ta

Peter

 

In reply to Colin G

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Col,

looks interesting if it works! - It's a bit hard to understand the page as it's all in French.....

let's put the following scenario to work.....

your internal Active Directory calls the "domain" mydomain.

an internal user account, let's say danmarsden, is created and has associated access etc.

when you log in using normal NTLM authentication there's some info passed between the user's browser and the server, and danmarsden is recognised and given access.

now try the following scenario.
an "interesting" user has a network at home, and their domain is also called "mydomain" - and it just so happens that they create an account on their network called "danmarsden" just to see what happens. - then try to authenticate to a page that uses your script.

Normally this 2nd scenario would fail because the server passes both the username and password to Active Directory to make sure that the details are correct. Have you tested this with your installation? - also what happens if the first authentication fails, does it prompt a 2nd and 3rd time asking the user to manually enter the credentials via a pop-up box, like NTLM normally would, or does it just fail?

ML - how's your French? - any chance you could have a look and see what you think?

the site was down when I looked, I got to it via Google's cache


smile

Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Colin G -
ok well the way it would work is as follows:

1 - set the ntlm.php script as the LAN home page via group policy
2 - the user opens the browser & the script executes
3 - the web browser sends the current logged-in username via http headers to the page, which stores the $login variable
4 - check if the user $login exists and then write the $login moodle session/cookie
5 - redirect to the moodle login page

There are catches with this.
- the nt login username must be the same as the moodle username
- this will not work outside a LAN ... but no need.
- there needs to be some code added to the bottom of the script to make sure the user exists, then create the session & cookie and redirect to the moodle/login/index.php
- would be a good idea to restrict access to the ntlm.php script to LAN users.

So this is how I did it...our users have 2 passwords, their NT login password and an admin (secret) password which is the same for all users. This makes it easy for me to post the secret password to moodle (not ideal but it works!). This page self closes & the user does not see it on their screen.

A much better way as I mentioned before would be to write the $login moodle session/cookie data before redirecting to index.php but I will leave this up to someone else to write !!

add to the end of the script:

?>

<!-- Auto-posts the NTLM-supplied username plus the shared "secret" password to Moodle, then closes this window -->
<form action="https://mysite.com/moodle/login/index.php" method="post" name="login" id="form" target="_blank">
  <p><input type="text" name="username" value="<?php echo htmlspecialchars($login); ?>"></p>
  <input type="hidden" name="password" value="secret">
  <p><a href="https://mysite.com/moodle/">There was an error. Contact your Administrator or click here to continue.</a></p>
<script type="text/javascript">
function Validate()
{
  document.login.submit();
  self.opener = this;   // lets the window close itself without the "close this window?" prompt
  self.close();
}
Validate();
</script>

</form>
In reply to Colin G

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Col,

this still sounds VERY dangerous - what happens when a user connects their laptop up to your network, but isn't a member of the local domain? - they log into their laptop as "danmarsden" - then use other methods to gain access to the local network - then open up a page that uses your fake ntlm auth and elevates their permissions to the admin of the site.

normal NTLM doesn't simply "check" the currently logged in user, it passes both the username and password in an encrypted form before allowing the users access. - I may be missing something - this may be how your script works....

smile

Dan
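To make the difference between Colin's header-only script and Dan's "rogue mydomain at home" objection concrete, here is an added example in Python (not the page's PHP, and not code from Moodle, the NTLM plugin or PHP_NTLM_GET_LOGIN). It parses an NTLMSSP Type 3 message the way a header-only script does, then performs the NTLMv2 check a real NTLM authenticator (the domain controller) performs. The account, password, server challenge and client nonces are constructed, the NTLMv2 blob is simplified (no target-info AV pairs), and MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds.

```python
"""Username from the NTLM header is a claim; the NT response is the proof."""
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 over the UTF-16LE password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                                      # round 1
            a = rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                                      # round 2
            a = rol((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(MD4(UTF16LE(password)), UTF16LE(UPPER(user) + domain))."""
    return hmac.new(md4(password.encode("utf-16-le")), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || blob, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    return hmac.new(ntowf, server_challenge + blob, "md5").digest() + blob


def verify_nt_response(ntowf: bytes, server_challenge: bytes, nt_response: bytes) -> bool:
    """The DC side: recompute NTProofStr from the stored hash over the client's blob and compare."""
    proof, blob = nt_response[:16], nt_response[16:]
    return hmac.compare_digest(proof, hmac.new(ntowf, server_challenge + blob, "md5").digest())


def build_type3(domain: str, user: str, nt_response: bytes) -> bytes:
    """Minimal NTLMSSP AUTHENTICATE_MESSAGE (no Version/MIC): 64-byte header, then payload buffers."""
    payloads = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                "WS".encode("utf-16-le"), b""]   # LM resp, NT resp, domain, user, workstation, session key
    header, offset, body = b"NTLMSSP\x00" + struct.pack("<I", 3), 64, b""
    for p in payloads:
        header += struct.pack("<HHI", len(p), len(p), offset)
        body, offset = body + p, offset + len(p)
    return header + struct.pack("<I", 0x00000001) + body   # NTLMSSP_NEGOTIATE_UNICODE


def parse_type3(msg: bytes) -> dict:
    """Field extraction only; this is all a header-only PHP script ever does."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    def field(i):
        length, _, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        return msg[offset:offset + length]
    return {"nt_response": field(1), "domain": field(2).decode("utf-16-le"), "user": field(3).decode("utf-16-le")}


SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # constructed; really a fresh random Type 2 nonce


def client_blob(client_nonce: bytes) -> bytes:
    """Simplified NTLMv2 blob: RespType/HiRespType, 6 reserved, timestamp (0), client nonce, no AV pairs."""
    return b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + client_nonce + b"\x00" * 12


def client_authenticate(domain: str, user: str, password: str, client_nonce: bytes) -> bytes:
    """What the workstation sends after the Type 2 challenge; the password itself never leaves it."""
    ntowf = ntowf_v2(password, user, domain)
    return build_type3(domain, user, ntlmv2_response(ntowf, SERVER_CHALLENGE, client_blob(client_nonce)))


# Constructed directory: the only account the campus DC knows, keyed (DOMAIN, user).
DIRECTORY = {("MYDOMAIN", "danmarsden"): ntowf_v2("Correct-Horse-9", "danmarsden", "MYDOMAIN")}


def header_only_login(type3: bytes):
    """PHP_NTLM_GET_LOGIN style: trust whatever name the client wrote into the message."""
    return parse_type3(type3)["user"]


def challenge_response_login(type3: bytes):
    """Real NTLM: accept the name only if the NT response verifies against the DC's stored hash."""
    m = parse_type3(type3)
    ntowf = DIRECTORY.get((m["domain"].upper(), m["user"]))
    if ntowf is None or not verify_nt_response(ntowf, SERVER_CHALLENGE, m["nt_response"]):
        return None
    return m["user"]


def demo():
    genuine = client_authenticate("MYDOMAIN", "danmarsden", "Correct-Horse-9", b"\x11" * 8)
    forged = client_authenticate("MYDOMAIN", "danmarsden", "not-the-real-one", b"\x22" * 8)  # home "mydomain" box
    return (header_only_login(genuine), header_only_login(forged),
            challenge_response_login(genuine), challenge_response_login(forged))


if __name__ == "__main__":
    print(demo())   # ('danmarsden', 'danmarsden', 'danmarsden', None)
```

The header-only path accepts both messages because the username buffer is filled in by the client. The challenge-response path rejects the home-network forgery because its NTProofStr was computed from the wrong NT hash, which is exactly the check the NTLM module (via mod_ntlm, mod_auth_sspi or IIS) delegates to the domain controller and a bare PHP header parser never performs.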
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Colin G -
I am not sure if that would work but will have to test it out. I realise this is not ideal but is fine for the site it is used on. It would be better to use sessions/cookies though (someone please have a go at this smile). If you want passwordless authentication or true single sign on for your web apps I think NTLM auth is the only way it can be done ?
In reply to Colin G

Re: NTLM Single Sign-On state of play?

by Ian Fogarty -

This is most probably a stupid user error on my part, but.....

Our Moodle server (http://moodle.<server>) is using LDAP authentication against our forest root active directory server (a different server to the web server) and all is working fine. I have just tried to apply the NTLM module and altered the index.php so that it recognises our internal network and forwards appropriately. When forwarding to the oncampuslogin page, I receive an NTLM login box saying Connecting to Moodle.<server name>. I have tried logging into this with the prefix method and suffix method but it is not authenticated and after 3 attempts I receive a 401.3 error saying access denied by ACL on resource.

The oncampuslogin page has permissions set for administrators, Internet Guest and Internet Launch Process.

The Moodle is on Windows 2000 Server, PHP 5.1.4, Mysql 5, Moodle 1.6. The server is part of the main domain and is connecting to the forest root for our Windows 2000 AD DC.

Have I missed something obvious?

In reply to Ian Fogarty

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
sorry Ian - only just spotted this now! - did you manage to sort out the problem?

smile

Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Ian Fogarty -

Hi Dan

No unfortunately I was unable to. I have since created a moodle development/test site so I will have another go today at setting this up but I have a feeling I will get the same results sad. I will post these later on today.

From what i mentioned in my last post, is there anything obvious I have missed out?

Ian

In reply to Paul Shephard

Re: NTLM Single Sign-On state of play?

by Scott Dewald -

Hey everyone, (silly question maybe)

Followed all of the advice and instructions for getting the NTLM single sign-on up and going. Start the web page, get directed to ../auth/ntlm/oncampuslogin.php correctly.  Then "SLAM" ...

"NTLM/Integrated Authentication on this page has not been enabled, please contact your server admin for details."
It acts like I'm missing something in the oncampuslogin.php. Some variable is not right and a default error message is being displayed.

All of the LDAP links and the bind account are right and checking out. If I go to the offcampuslogin.php it appears that it is able to post the bind request and it is validating and receiving a response from the LDAP server.

Now to the "Silly" part... In Step 3 of the installation, we are directed to do the following:

Turn Integrated Authentication ON and Anonymous Authentication OFF for the moodle\auth\ntlm\oncampuslogin.php file. (see below for more detailed instructions.)

I chose the mod_auth_sspi option. Is there an actual variable or script line that needs to have its comment removed or is the whole process just adding the two snippets of code to httpd.conf?

Thanks in advance,

Scott D.

In reply to Scott Dewald

Re: NTLM Single Sign-On state of play?

by Red Morris -
Don't know if this will be of help or not Scott as I'm running an Apache system, but I have got that same message too. First of all I needed to get the authentication sorted which is fair enough, but I was still getting the message. I got someone else to try it and since I'd changed the page authentication theirs worked! I tried my login on another PC and that worked too. It seems to be something with my profile on my PC, but I haven't tracked down what yet
In reply to Scott Dewald

Re: NTLM Single Sign-On state of play?

by Alastair Hole -
Check admin/phpinfo.php to double check that mod_auth_sspi is being loaded correctly, also paste the lines you added to your httpd.conf and I'll check them for you.

Also, are you using the very latest version of auth/ntlm? I believe it has changed recently to improve apache support.
In reply to Alastair Hole

Re: NTLM Single Sign-On state of play?

by Scott Dewald -

I dug through all of the various discussions on NTLM (how do you get these cross-referenced?) and applied several of the various suggestions. I downloaded auth/ntlm this week and it is the latest version, same with the sspi pack. The admin/phpinfo.php is referencing correctly (6 entries).  I've noted Red Morris' problem and tried on a clean XP/IE computer (no profiles), still no luck. I'm getting to the point where I've modified and removed so many suggestions that I might need to start over with a fresh install of the module.

Thanks Again  Scott D.

In reply to Scott Dewald

Re: NTLM Single Sign-On state of play?

by Dan Marsden -
Hi Scott,

make sure you check out the documentation page - it should contain everything you need! - it has been formed as a result of a lot of the discussion here!

http://docs.moodle.org/en/auth/ntlm

smile

Dan
In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Gary Parr -

Hi

Installed the new version, followed the new instructions, but when I go to the NTLM config page, it only shows the line "Settings" but none of the config page.

Gary

In reply to Gary Parr

Re: NTLM Single Sign-On state of play?

by Dan Marsden -

Hi Gary,

that sounds weird - which version of Moodle are you running, and did you select the correct version of the NTLM module? - can you send me a screenshot offline (or here is fine!) - so I can see exactly where it is failing?

thanks,

smile

Dan

In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by jason enzer -

Gary,

i had that blank settings issue as well. try enabling short open tags in php.

worked for me!

In reply to jason enzer

Re: NTLM Single Sign-On state of play?

by Mark Andrews -

This is a fantastic addition to moodle & one that I would really like to get working, however I am having a slight problem: when I go to the URL moodlesite.com/auth/ntlm/oncampuslogin.php I just get the standard windows login pop-up for authentication.

I think I've followed the instructions correctly and already have LDAP working so I know those settings are correct.

Any help with this would be greatly appreciated!

Thanks in advance

Mark

In reply to Mark Andrews

Re: NTLM Single Sign-On state of play?

by Dan Marsden -

Hi Mark,

Is the server a member of your Domain? - and is the machine you are trying to connect from also in the domain - are you using IE, and have you checked the settings in Internet Options, -> intranet zone & internet zone (set integrated Logon in intranet zone) - and make sure IE is recognising the site as an intranet based page.

good luck!

smile

Dan

In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Mark Andrews -

Hi Dan - Thanks for your help as a result we have it working, well partially.

The Single Sign On seems to work for the network Admins but not for the rest of us. They seem to be lost as to why this is, do you know of anything they may have overlooked?

Thanks again for your help, we're almost there!

Regards

Mark

In reply to Mark Andrews

Re: NTLM Single Sign-On state of play?

by Mark Andrews -

It seems the network admins have fixed my above problem! should anyone else have the same problem, it was down to security restrictions on our profiles that stop us from reading from the C drive.

It is a fantastic bit of code that I think will really help the uptake of moodle at my institution so thanks again Dan!

Mark

In reply to Mark Andrews

Re: NTLM Single Sign-On state of play?

by Balwinder Ahluwalia -

Mark,

Can you please ask your net admin to post what they did to fix it as I am having the same problem in our network.  It will not work at all. 

Please let me know.

Balwinder.

In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Chad Outten -

First, thanks to Dan for your work on this. I've installed ntlm & have tried to follow instructions carefully! SSO works nicely, but I'm a bit stuck with synchronising users from ldap to moodle. In other words, how do I run a regular cron job that adds new AD users to moodle and removes old ones from it?

When I run ourmoodlesite/auth/ntlm/auth_ldap_sync_users.php

I get this msg:

Configuring temp table connecting to ldap Did not get any users from LDAP -- error? -- exiting

Moodle 1.7 Windows 2003 IIS 6 PHP 5.2.0 MySQL 5.0.27

Any suggestions? Thanks in advance.

In reply to Chad Outten

Re: NTLM Single Sign-On state of play?

by Iñaki Arenaza -
It seems either Moodle is unable to retrieve your users from your LDAP directory or there is some trouble putting them in the temporary database table.

Which exact NTLM module version are you using? There was a little bug in previous versions that created trouble inserting the users in the database table.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On state of play?

by Chad Outten -
my ntlm version info as follows:

@version $Id: lib.php,v 1.5 2006/11/23 23:46:22
@version $Id: lib_ntlm.php,v 1.1 2006/11/23 17:24:42 danmarsden Exp $

is this before the bug fix?!..

Cheers, Chad

In reply to Chad Outten

Re: NTLM Single Sign-On state of play?

by Iñaki Arenaza -
No, that lib.php version has the bug I was referring to already fixed. So it must be something else. I guess you should add some debugging output to the ntlm plugin to see what's going on...

Saludos. Iñaki.
In reply to Paul Shephard

Re: NTLM Single Sign-On state of play?

by Matt Peacock -
I'm struggling with this module. We've been using the NTLM authenticator from Samba on the rest of our site for ages and it is working fine. It's definitely authenticating when I access oncampuslogin.php as I've changed oncampuslogin.php to echo REMOTE_USER and it's showing up fine, however I still get the error "NTLM/Integrated Authentication on this page has not been enabled, please contact your server admin for details."

We're running Apache 1.3 (an upgrade to 2 is not possible at the moment) and PHP 5.2.

Any ideas?
In reply to Matt Peacock

Re: NTLM Single Sign-On state of play?

by Jack Eapen -
Hi,

can anyone please email me a working copy of mod_ntlm.so for Apache 2.0.52 on Redhat, please?

Jack
jackec at suntecgroup.com
In reply to Matt Peacock

Re: NTLM Single Sign-On state of play?

by Matt Gibson -
I've got an odd problem with NTLM - I got it all working and loved it, but then two teachers came and said that they couldn't log in any more. They just got 'This page cannot be displayed'. When I switched it back to LDAP, they had no problems.

I've no idea how to start debugging this, so could anyone suggest what it might be? Using Apache2 on win 2k3.
In reply to Matt Gibson

Re: NTLM Single Sign-On state of play?

by Matt Gibson -
Checked apache logs and found no record of them having accessed the page at all.
In reply to Matt Peacock

Re: NTLM Single Sign-On state of play?

by Stephen Jessop -

Hi

I am having trouble getting NTLM Auth working.  I am new to all this although I do have the help of a chap who is very Linux literate.  I have set up a Debian (ETCH) box with the latest Apache2, MySQL, PHP, MyAdmin, moodle1.8+ and it is a member of our 2003 Windows Server domain. I can connect to the laptop from my XP pc using a logon from a user I have set up within Linux but I can not connect to moodle through my browser on the PC.   Nor can I log into moodle using my windows id; when I try I get 'NTLM/Integrated Authentication on this page has not been turned enabled, please contact your server admin for details.' and under this it says click here to use the offcampuslogin page.  I try to use this but this does not work either.  I have followed the documents on the moodle web site to try and get this to work and the administration docs on the debian web site for the relevant things but I seem to have reached a point of what do I try next.

Can you help please?

Thanks

Steve

In reply to Stephen Jessop

Re: NTLM Single Sign-On state of play?

by Chris Shearing -
Is there a problem with the download of the NTLM Auth plugin for Moodle 1.6?

The URL for the 1.6 download is http://download.moodle.org/download.php/modules/auth_ntlm.zip

and I get the error "Sorry, but the file you are looking for was not found!" when trying to go to the link

however for 1.7 and 1.8 the format is

http://download.moodle.org/plugins17/auth/ntlm.zip
http://download.moodle.org/plugins18/auth/ntlm.zip

I have tried the url of

http://download.moodle.org/plugins16/auth/ntlm.zip

and this does give me a file, but I just cannot get it to work, the offcampuslogin page just cycles round when you put in a username and password, and there are errors when logging in and out,

I have downloaded the 1.7 version now, and there were errors when logging in on both pages but I have commented out the lines that it was erroring out on

146 - // load_all_capabilities();

and

185 -// if (!has_capability('moodle/site:config',get_context_instance(CONTEXT_SYSTEM, SITEID)) and !empty($CFG->mymoodleredirect) and !isguest()) {
186 - // if ($urltogo == $CFG->wwwroot or $urltogo == $CFG->wwwroot.'/' or $urltogo == $CFG->wwwroot.'/index.php') {
187 - // $urltogo = $CFG->wwwroot.'/my/';
188 - // }
189 - // }

We should be upgrading to 1.7 then 1.8 during the summer, but I was just wondering if a working version of the NTLM Auth should be available for 1.6? Commenting out the 6 lines in the offcampus and oncampus php files seems to have sorted me for the moment though,

Thanks!

Chris Shearing
Network Manager
The Sixth Form College Colchester.
In reply to Chris Shearing

Re: NTLM Single Sign-On state of play?

by Dan Marsden -

Hi Chris,

You may need to pull the 1.6 code out of CVS - there may not be a zip download available anymore - CVS Contrib was re-organised a while back and the old 1.6 code is now stored here:

 http://moodle.cvs.sourceforge.net/moodle/contrib/old/auth_ntlm/1.6/

have a look at moodledocs to see how to install something like tortoisecvs and download stuff from contrib.

good luck!

smile

Dan

In reply to Dan Marsden

Re: NTLM Single Sign-On state of play?

by Chris Shearing -
Hi Dan,

Thanks a lot for the info ! works fine,

though there is one little thing, on the offcampuslogin page this error appears


Warning: require_once(../auth/ntlm/lib.php) [function.require-once]: failed to open stream: No such file or directory in E:\moodle\auth\ntlm\index_form.html on line 97

changing the following line in the index_form.html

97 - require_once("../auth/$CFG->auth/lib.php");

to

97 - require_once("../../auth/$CFG->auth/lib.php");

fixes the error though, this error appeared in the other versions of the NTLM auth too,

Chris.
In reply to Paul Shephard

Re: NTLM Single Sign-On state of play?

by Stephen Jessop -

Sorry me again.

This is not working for me at all the oncampus login is still saying that ntlm_auth has not been enabled.  I was wondering if any one is using moodle on a Linux server, probably a stupid question.  I am using Debian etch server, apache 2.2, PHP5, mySQL5.  I followed the documentation to install and set up ntlm auth but it has not worked, we have been trying for over a week now to get this up and running. 

Could someone please tell me what I need to set to get this to work, or what you need from me to look at so you can check the settings I am using, or send a config file/s so I can compare mine with a working set, or do I need to reinstall everything and start again.  There is no data in this moodle build yet as it is just a test thing at the mo but we need to be able to use SSO before we take it any further and start using it as part of our site.

Thank you

Steve

In reply to Stephen Jessop

Re: NTLM Single Sign-On state of play?

by Stephen Jessop -

When going to our moodle page Apache is asking for our credentials with ntlm but when the oncampuslogin.php appears it says that the ntlm is not enabled on this page, click here to use offcampus login.  When the offcampus login is clicked Apache again uses ntlm to get our u/n & p/w which it accepts and you get what looks like the default moodle login screen.  When you enter your windows username and password here the error that appears is LDAP-module cannot connect to any servers.

We turned on debug and the error given is Search: Operations error (at a particular line number)

In reply to Stephen Jessop

Re: NTLM 1.8 - problem

by Mark Andrews -

Hi,

I've been running the NTLM plugin on our 1.62+ installation successfully all year. However I have just upgraded to the latest version 1.8+ and downloaded the 1.8 version of the NTLM plugin and it's stopped working. I get the windows authentication box requesting a username and password.

Other than upgrading moodle I have not made any changes to the server so am a little stumped - any help would be greatly received.

After the luxury of one-click entry staff will start to grumble at having to type in their usernames and passwords!

Thanks in advance

Mark

In reply to Mark Andrews

Re: NTLM 1.8 - problem

by Balwinder Ahluwalia -

I am also having problems with the NTLM.  I am running Windows 2003, IIS6 with PHP.  ldap is working fine but when I go to the oncampus.php file it keeps popping up the windows login box.

If I type the login info in the login box it lets me in.  But won't pull it automatically.

Please help with this.

In reply to Paul Shephard

Re: NTLM Single Sign-On state of play?

by Mike Wilson -

Hi, we're trying to get NTLM working in a Moodle 1.8 environment.

I've been asked to get hold of an example of some completed NTLM settings. Just to make sure we're entering the correct information.

Would it be possible for some-one to send me a copy of their NTLM settings (with sensitive bits blanked out ;) ) so we can make sure we get them correct. We could probably get there through trial and error, but we don't want to take the chance.

Thanks for any help any-one can give.

Mike

mike.wilson@southampton-city.ac.uk

In reply to Paul Shephard

NTLM Single Sign-On Settings

by Mike Wilson -

I've recently installed the NTLM module to achieve a single sign-on for our students onto Moodle.

I'm working with our IT guys to get it working. We're stuck on a few settings though. At the top of the NTLM settings screen, you are prompted for the following:

ntlm_net1: The IP Address - eg 192.168.10.0
ntlm_Sub1:
These users are Internal (On Campus) External (Off Campus)
The Subnet Mask - eg 255.255.255.0 (leave blank for fixed IP addresses)

My question is:

What IP address is required? Is it perhaps the IP address of the server which holds the global catalogue or active directory?

Any help any-one can give on this, would be greatly appreciated smile

Thanks, Mike

In reply to Mike Wilson

Testing NTLM authentication in Moodle 1.8 - are you there Dan?

by Johnathan Kemp -
Dan,
According to the NTLM Authentication Module Plugin Title page you want to hear from people who are testing NTLM authentication with Moodle 1.8.

I have now got two virtual machines running the NTLM plugin with Moodle 1.8.2.
Both are running windows 2000
One is running Apache 2.0.55, PHP 5.1.2, and MySQL 5.0.18, the other is running Apache 2.0.59, PHP 5.2.3 and PostgreSQL 8.2.3

Both use mod_auth_sspi-1.0.4-2.0.58.zip to provide the NTLM support for apache.

After some challenges in setting everything up I now have two servers which will log users on automatically using ntlm or will use ldap if outside the specified ip range.

The one issue I am hitting is with the Data Mapping section of the NTLM configuration screen.

On the MySQL machine I can save data mappings, i.e. I can enter values like Surname = sn and it will save the value so that if I re-open the configuration screen it still shows the value sn as mapped against the surname. However the screen refuses to accept values that are mixed case, e.g. I can save "telephonenumber" but not "telephoneNumber". This then results in a failure to match with the LDAP data as the correct term is "telephoneNumber" and it is case sensitive.

At present on the PostgreSQL screen I can't get any values in the Data Mapping section to display at all, i.e. I enter some values, Save Changes and then re-open the configuration form to find that the Data Mapping settings are blank. But the peculiar thing is, it appears to be saving the values and even has saved mixed case values as it will pull in givenName, telephoneNumber data from LDAP when it creates a new account. However it is most confusing not being able to re-open the configuration to see how it is configured and to be able to tell if the configuration has been changed. I have not tested whether simply opening the form and clicking Save Changes would wipe out the configuration for Data Mapping as the form fields are empty.

Any ideas would be much appreciated. Worst case scenario - is there a table I can query which will tell me the current configuration settings so that I'm not working in the dark?

Kind regards

Johnathan Kemp
In reply to Johnathan Kemp

Re: Testing NTLM authentication in Moodle 1.8 - are you there Dan?

by Dan Marsden -

Hi Johnathan,

It's been a crazy winter for us here! - the whole family's done the rounds being sick, and then done the rounds again....and again! - I'm hoping we're getting near the end!

Iñaki has posted a fix to your problem in the Tracker - MDL-9399 - have a look there, I was going to commit it to cvs today but forgot!

smile

Dan

In reply to Mike Wilson

Re: NTLM Single Sign-On Settings

by Johnathan Kemp -
Mike,

You will see from my other posting "are you there Dan" that I have got two Moodle servers working with NTLM - to some degree at least.

The IP address you are specifying is that which will define the IP address range of the computers on your network that will be logging in to Moodle. When a computer connects to the Moodle server if the IP address is within the range you specify then NTLM will be used as a means of logging the user in. If they are outside of that range then LDAP will be used and the user, instead of being automatically logged in, will be presented with a login box in which they enter their network userid and their network password.

As an example the configuration I used was
ntlm_net1 = 172.21.0.0
ntlm_sub1 = 255.255.246.0

I am no expert in working out IP addresses and subnet masks but I am advised that this should include the range 172.21.0.0 to 172.21.15.255

There is a useful utility included with the ntlm module called check_ip.php which you can use to test the boundaries of the range you have defined.

The place you need to specify an IP address for a specific server is in the LDAP server settings in Host URL where you need to provide a list of the servers that handle LDAP in the form 123.4.4.0; 123.4.4.23; 123.4.4.17 or whatever (these numbers are made up but the syntax is correct).

I hope this helps

Kind regards

Johnathan
In reply to Johnathan Kemp

Re: NTLM Single Sign-On Settings

by Rod Ward -

The check_ip.php file needs to have a few changes made so that it will work better.

Change <? to <?php

Then all PHP setups will handle it, otherwise you'll see code like that in this graphic appearing in the output:

Attachment 6.gif
In reply to Johnathan Kemp

Re: NTLM Single Sign-On Settings

by Rod Ward -

Another question about check_ip.php...

When I put in an IP address within the accepted range for oncampuslogin.php it shows the URL of this page as follows:

The IP address: 10.100.0.0 will be directed to the Internal (On Campus) page:

http://myserver/moodle/auth/oncampuslogin.php

However, this URL is incorrect and going there gives you a 404 error.
The oncampuslogin.php actually lives inside the NTLM directory underneath moodle/auth/

So the correct path should be:

http://myserver/moodle/auth/ntlm/oncampuslogin.php

Is this a bug in the code for check_ip.php perhaps?
Should the line:
echo "<br/><br />".$CFG->wwwroot."/auth/".$location."login.php";
be changed to:
echo "<br/><br />".$CFG->wwwroot."/auth/ntlm/".$location."login.php";

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -
Yes, I'd say this is a bug and should be changed like you propose smile

Saludos. Iñaki.
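The ntlm_net1/ntlm_sub1 decision Johnathan describes, with the /auth/ntlm/ path correction Rod and Iñaki settle above, as an added example in Python (not the plugin's check_ip.php, and not code from Moodle). It goes slightly beyond the posts: it validates each mask up front, which rejects a non-contiguous mask such as 255.255.246.0, and it takes the client address from the TCP peer rather than from a forwarding header unless that peer is a proxy you control, since the on-campus page is the one that hands out NTLM logins. The networks, addresses and wwwroot are constructed.

```python
"""On-campus (NTLM) versus off-campus (LDAP) decision from the client address."""
import ipaddress

# Constructed settings in the plugin's net/mask shape; a blank mask means one fixed address.
ON_CAMPUS = [
    ("172.21.0.0", "255.255.240.0"),   # 172.21.0.0 to 172.21.15.255
    ("10.100.0.0", "255.255.0.0"),
    ("192.0.2.77", ""),
]


def is_valid_mask(mask: str) -> bool:
    """A usable mask has contiguous one-bits; 255.255.246.0 (…11110110…) does not."""
    try:
        ipaddress.ip_network(f"0.0.0.0/{mask}")
        return True
    except ValueError:
        return False


def range_bounds(net: str, mask: str) -> tuple:
    """First and last address a net/mask pair covers (what check_ip.php lets you probe by hand)."""
    n = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return str(n[0]), str(n[-1])


def campus_networks(pairs) -> list:
    """Parse every configured pair once, so a bad mask fails at config time rather than at login time."""
    return [ipaddress.ip_network(net if not mask else f"{net}/{mask}", strict=False) for net, mask in pairs]


def client_address(environ: dict, trusted_proxies=frozenset()) -> str:
    """Use the TCP peer address; honour X-Forwarded-For only when the peer is a proxy you run."""
    peer = environ["REMOTE_ADDR"]
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if xff and peer in trusted_proxies:
        return xff.split(",")[-1].strip()   # the last hop is the one your own proxy appended
    return peer


def login_page(client_ip: str, wwwroot: str, nets) -> str:
    """The redirect decision, with oncampus/offcampus living under /auth/ntlm/ as fixed in this thread."""
    ip = ipaddress.ip_address(client_ip)
    location = "oncampus" if any(ip in n for n in nets) else "offcampus"
    return f"{wwwroot}/auth/ntlm/{location}login.php"


if __name__ == "__main__":
    nets = campus_networks(ON_CAMPUS)
    for ip in ("172.21.9.5", "172.21.16.1", "192.0.2.77", "198.51.100.3"):
        print(ip, "->", login_page(ip, "http://myserver/moodle", nets))
    print("172.21.0.0/255.255.240.0 covers", range_bounds("172.21.0.0", "255.255.240.0"))
    print("255.255.246.0 usable:", is_valid_mask("255.255.246.0"))
```

The range 172.21.0.0 to 172.21.15.255 needs the contiguous mask 255.255.240.0; feeding a mask with a gap in its bits into a mask-and-compare check gives membership results that look plausible for some addresses and wrong for others, which is hard to spot from check_ip.php alone. Rejecting it when the settings are loaded is cheaper than debugging why one subnet gets the LDAP page.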
In reply to Mike Wilson

Re: NTLM Single Sign-On Settings

by Rod Ward -

I'm also trying to get NTLM working on Moodle 1.8.2 with a Windows 2003/Apache 2.2 setup. I downloaded the NTLM module on 5th September 2007 so I'm pretty sure I have the latest build.

I thought I had it working because after following all the instructions on the NTLM documentation it appeared to log me in perfectly.

However, when I sent the oncampuslogin.php link to a number of other users around the network to test it, they all experienced various issues.

  • Authorization Required - This server could not verify that you are authorized to access the document requested.
  • LDAP module cannot connect to any servers (after it popped up a login dialog and the user entered their domain\username and password combination)

All of these users would appear to be inside the IP range of our LAN so I'm mystified as to why I appear to have single sign-on working for me but nobody else does.

Does any of this make sense?
Is there something that I can do to check where the issue may lie?
Is it possible in any way that I'm not actually getting logged in, even though it looks that way?

Any help appreciated. I thought I had this thing licked and it's turned around and bitten me instead.

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Rod Ward -

This is the error message one of my users reports when trying to login via NTLM. So far she is the only one with this error. All the others that are having problems show LDAP cannot connect errors.

Can anyone confirm for me that this is in fact an Apache error page and not something generated from Moodle?

Attachment 9.gif
In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -
There is nothing in Moodle that generates this error. So it has to be Apache...

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Rod Ward -

Quite correct again, it's not a Moodle error.

I've found this to be an Apache 401 error, which means that it has not served up the oncampuslogin.php page to this user because it does not believe they have permission to view the file because it isn't getting any credentials from the browser. This seems to indicate that the authenticated username and password are not being cached by the user's browser to pass to the server.

It may have something to do with the way that this file is named inside the Apache httpd.conf file as requiring a valid user. But I'm also beginning to suspect that, although phpinfo confirms that Apache has loaded mod_auth_sspi, it may not be exposing the user's authentication variables.

Can anyone confirm whether or not loading mod_auth_sspi should give you extra variables appearing inside phpinfo?

I'm looking down through the variables there but I can't find anything like $_SERVER['REMOTE_USER'] or $_SERVER['PHP_AUTH_USER']

Shouldn't I be able to see these variables if mod_auth_sspi is working?

Is there any other reason (e.g. some browser config setting) that might prevent this user from getting access to the file?

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Rod Ward -

Just discovered something that fixed this issue.

It turns out that the $_SERVER["REMOTE_USER"] variable, and a number of other useful authentication variables such as $_SERVER["AUTH_TYPE"] will only show up in your PHPINFO if:

  • mod_auth_sspi is loaded in Apache
  • your httpd.conf file has the necessary settings (explained elsewhere in this thread) to define authentication on a given directory in your site

and...

  • phpinfo.php is sitting inside that directory. If phpinfo.php is sitting in a directory that the authentication settings don't cover, you won't see the user variable mentioned

So now I can see $_SERVER["REMOTE_USER"] and can confirm that this all important variable is available for the scripts running inside the NTLM directory.

However one thing still worries me...The NTLM documentation says to set up your httpd.conf file as follows:

<Directory "C:\moodle\auth\ntlm">
    <Files oncampuslogin.php>
        AuthName "Moodle at My College"
        AuthType SSPI
        SSPIAuth On
        SSPIOfferBasic Off
        SSPIAuthoritative On
        SSPIDomain mycollege.ac.uk
        require valid-user
    </Files>
</Directory>

This shows oncampuslogin.php sitting inside the <Files> tag, which effectively means it will be the only file that requires a valid-user, and from what I've found, this would mean that the $_SERVER["REMOTE_USER"] variable would only become available to this one file.

Are there any other files and scripts inside the NTLM folder that need this variable in order to work properly? If so, would it not be better to omit the <Files></Files> tags here and just make the settings apply to the entire NTLM directory instead?

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -
As far as I know, that file is the only one dealing with $_SERVER["REMOTE_USER"] and friends, so it makes sense to leave it like that.

If you omit the directive, every single file under C:\moodle\auth\ntlm would require being authenticated via SSPI prior to accessing it. This would be a big problem for those users off campus, as IE wouldn't send the domain credentials and they wouldn't be able to get to offcampuslogin.php.

So I'd say the current way of doing things is The Right Way(tm) smile

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Rod Ward -

OK. That's good to know.

If oncampuslogin.php is the only file requiring the variable, and you also need to provide access to users via offcampuslogin.php, it would indeed seem best that the authentication only applied to oncampuslogin.php.

Thanks for the clarification.

However, this still doesn't explain my original question about why this user is getting a 401 Authorization error from Apache.

Does anyone have any suggestions about what I could try to debug this error?

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -
I don't really have a clue, but will shoot in the dark anyway smile. Is this the only user to get this error message? Does she consistently get it or only sometimes? If the latter, does it depend on the time? On the client computer? On the browser version?

The only way I can think of to debug this, is by using Apache's forensics module (mod_log_forensic), which logs tons (and I mean tons) of details of what is going on, and wade through the logs with a lot of patience.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Rod Ward -

So far it is only this one user and it is for any page within a directory that has authentication configured to require a valid-user.

I'm checking to see if any other users at the same location have the same problem. And I'll look into the Apache forensics module as well. Thanks for the tip. Hadn't heard of this one.

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Rod Ward -

Yeehaaah!!! Success...

I now have NTLM single sign on working for at least some users at my site.

Here's what resolved my main issues:

I created a little page to test the basic PHP ldap_connect() and ldap_bind() functions using the values supplied by the person in charge of our LDAP server.

I found that the settings were allowing me neither to connect nor to bind to the server.

One problem was that the LDAP admin had sent me a URL to the server with a spelling mistake in it. I only noticed this when comparing various emails we had traded about the issue.

However, even with that fixed, although it would now connect, it still wouldn't bind. Even when he tried to input the correct settings into my little test page.

He was adamant that the settings were correct because he was able to use them to connect to LDAP via an application called LDAP Browser. So I downloaded this app off the internet and tried for myself. However, it still wouldn't work. It wouldn't even connect again.

Then I noticed that when he input the LDAP Host value he omitted to use ldap:// on the front of the URL. So I did the same and lo...it worked!

I had not even considered doing this before because on the ldap configuration page inside Moodle the notes beside this field specifically say that the URLs should use the format ldap://myserver etc.

I'm posting this so that maybe someone else may find it useful to resolve an issue. We might also consider altering the field notes on the config page to include this possibility.

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Thomas Gavin -

Do you have some good detailed instructions on how to set up NTLM? I have been unable to get it to work. I am also running W2K3 Server and Apache 2. I also want to get to single sign on. We are being required that our web apps authenticate the user's login to the computer and eliminate the login to the application. We are on a 15 Oct 07 deadline to get this done; any help would be great. I downloaded the NTLM auth document and it is very confusing. Any help and detailed step by step documents would be very helpful!

Thanks.

Tom

In reply to Thomas Gavin

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -
There is an ongoing effort to completely rewrite the NTLM plugin and make it more integrated into Moodle, easier to configure and a bit friendlier to the users.

We are trying to make it as fast as possible, to get it into the upcoming 1.9 release. So if you want to try it (we are looking for testers), have a look at this forum thread: http://moodle.org/mod/forum/discuss.php?d=80104

You don't need to understand all the details (we're discussing the different coding options and so on), just the few bits where we say where you can download the plugin from, and how you should configure it.

Feel free to ask any questions you have there smile As I say, we are looking for testers, as the code is almost release quality code (it works in all the tests I've done in my test setup).

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Martín Langhoff -
Great! More testers! A word of warning though: don't do it on your production system! The branch he talks about is based on 1.9 which is still alpha-ish quality.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Thomas Gavin -

I would be willing to try. I only have a production system at this time; that's the only drawback. I would need some good detailed step by step instructions on how to configure everything, where to copy things, etc. My Moodle guy is in the military and he is getting ready to deploy overseas to Afghanistan for the next 14 months. I was handed the task of getting the sign on fixed for users so their Windows authentication login to the computer will sign them on to Moodle without having to enter a username and password. The military is also using CAC card login/authentication for all web apps. I have to tackle that next......LOTS OF FUN!

Thanks for any help you give me!

Tom

In reply to Thomas Gavin

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -

Are you using IIS or Apache?

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Sreeram C.A. -

Hi,

I also need help on this.  I am running 1.8.x on Windows Server 2003 and IIS.  I have already implemented e-mail based authentication and it is working fine.  But I want to implement SSO.   Please help

In reply to Sreeram C.A.

(ANYONE) pls help Sw identification for corp setup

by Sumit Batra -

Dear All

I am sorry if I am putting this query in the wrong place, and with a lot of extra details.

I am pretty new to open source and hence Moodle. But from what I have browsed in the last few days, I must compliment you all for marvellous work.

I work for an insurance major in India in the training department; we plan to start our e-learning (LMS & TMS) functionality in the next 3-4 months. My problem is that my IT department is very rigid about the use of MySQL, and what we have browsed shows a lot of issues with integration with MSSQL & Oracle.

Could anyone (who is currently using Moodle in a corporate setup) please guide me in selecting an optimised software combination for a corporate setup?

I have tried reading a lot of forum threads; unfortunately I am still confused and still awaiting an answer.     Thanks, Sumit

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Martín Langhoff -
Rod - it'd be great to have a "test settings" page for auth/ldap, don't you think? Any volunteers?
In reply to Martín Langhoff

Re: NTLM Single Sign-On Settings

by Rod Ward -

I could not agree more. I thought of this when I created the testLDAP.php to debug my own LDAP settings.

All we should really need is a button on the LDAP settings page that said TEST or TEST SETTINGS or something like that. If the settings don't achieve LDAP connection and bind then it should show error messages to indicate where the issue lies.

At present, you just enter the settings and hope for the best.
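A command-line version of the "test settings" idea, as an added PHP example for this thread (it is not Rod's testLDAP.php and not Moodle code): it walks the semicolon-separated Host URL list, supplies the ldap:// scheme where it is missing, and reports which step (connect or bind) fails for each host. Function names, the timeout and the sample host and bind DN values are assumptions, and it needs PHP's ldap extension.

```php
<?php
// Added example, not Moodle's auth/ldap code: check the values that go into the LDAP
// settings page from the CLI, one host at a time, so the failing step is visible.
// Assumes PHP 7.4+ with the ldap extension loaded; host names and DN are constructed.

declare(strict_types=1);

/** Normalise one host entry: "myserver", "ldap://myserver" and "ldaps://x:636" are all accepted. */
function normalise_ldap_host(string $host): string
{
    $host = trim($host);
    if ($host === '') {
        throw new InvalidArgumentException('empty host entry');
    }
    if (!preg_match('#^ldaps?://#i', $host)) {
        $host = 'ldap://' . $host;   // the missing-scheme case from the thread
    }
    return $host;
}

/** Split a "host1; host2; host3" Host URL value into normalised URIs. */
function split_host_url(string $hostUrl): array
{
    return array_map('normalise_ldap_host', preg_split('/;/', $hostUrl, -1, PREG_SPLIT_NO_EMPTY));
}

/**
 * Try connect + bind against one URI and report the outcome.
 * Note: with the OpenLDAP client library ldap_connect() does not open a socket; the first
 * real network error only surfaces at ldap_bind(), so "connected" alone proves nothing.
 */
function check_ldap_host(string $uri, string $bindDn, string $bindPw, int $timeout = 5): array
{
    $result = ['host' => $uri, 'ok' => false, 'step' => 'connect', 'error' => ''];
    $conn = @ldap_connect($uri);
    if ($conn === false) {
        $result['error'] = 'ldap_connect() rejected the URI (malformed?)';
        return $result;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);        // Active Directory needs LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);               // do not chase AD referrals
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, $timeout);  // fail fast on a dead host
    $result['step'] = 'bind';
    if (@ldap_bind($conn, $bindDn, $bindPw)) {
        $result['ok'] = true;
        $result['step'] = 'done';
    } else {
        // ldap_error() is the client-side message; the bind password is never echoed.
        $result['error'] = sprintf('%s (errno %d)', ldap_error($conn), ldap_errno($conn));
    }
    ldap_unbind($conn);
    return $result;
}

/** Run the check over the whole list and return one result per host. */
function check_ldap_settings(string $hostUrl, string $bindDn, string $bindPw): array
{
    return array_map(fn(string $uri) => check_ldap_host($uri, $bindDn, $bindPw), split_host_url($hostUrl));
}

// Constructed sample values (not from the thread); run from the CLI, never as a public page.
$report = check_ldap_settings(
    'ldap://dc1.example.test; dc2.example.test',
    'CN=moodle-bind,OU=Service Accounts,DC=example,DC=test',
    getenv('LDAP_BIND_PW') ?: ''
);
foreach ($report as $r) {
    printf("%-28s %-4s step=%-7s %s\n", $r['host'], $r['ok'] ? 'OK' : 'FAIL', $r['step'], $r['error']);
}
```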

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Martín Langhoff -
> I could not agree more

Cool. Keen on lending a hand? wink
In reply to Martín Langhoff

Re: NTLM Single Sign-On Settings

by Rod Ward -

Martin,

I'm flattered that you'd even think I would be useful. My PHP skills are rudimentary at best. I'm actually a technical writer and elearning developer, not a programmer.

You're welcome to take a look at the page I created to test my own LDAP settings and figure out why it wasn't working when I was setting up NTLM a week or so ago. But you'll soon see that I'm no expert when it comes to programming.

I've attached the file as a contribution, but I'm sure there are much more elegant solutions that a decent programmer could come up with.

In reply to Rod Ward

Re: NTLM Single Sign-On Settings

by Dan Stoll -

ok so...

Can someone please do a step by step 1.9 LDAP setup for WAMP install....

This thing is doing my head in... There are so many discussions on LDAP auth / AD auth and I can't seem to get any straightforward answers. Is it supposed to work straight out of the box???

I've tried the little LDAP test util and that works great. I can connect and bind, no worries. However SSO still doesn't work. I have all the modules active and working, the php.ini is configured correctly and looks fine, and still no joy. The only thing that I thought it may be is the path to where the users are.

Contexts = OU=Users,OU=MHAC Corporate,DC=mercynet,DC=com,DC=au

(Is it possible to just have contexts DC=mercynet,DC=com,DC=au? We have users based on their geographical layout, thus many different OUs; not everyone is in the Users OU. Can just a group be specified? Then I can just place everyone in a group that has logon access...

I know I have the subnet working because when I change it to an incorrect address, it doesn't try to log me in, so that works.

[Thu Apr 10 14:13:24 2008] [error] [client xxx.xxx.xxx.xxx] (OS 1326)Logon failure: unknown user name or bad password.  : authentication failure for "/moodle/auth/ldap/ntlmsso_magic.php": user unknown, referer: http://site/moodle/auth/ldap/ntlmsso_attempt.php

In reply to Dan Stoll

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -

Is it possible to just have contexts DC=mercynet,DC=com,DC=au?

Sure it is. Just make sure you enable 'Search subcontexts'.

Can just a group be specified ?

I'm afraid not, without modifying the code quite a bit.

By the way, have you had a look at the LDAP authentication documentation?

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Les Ingleby -

Hi everyone, I am in need of some help here.

Basically I have LDAP working fine and on Friday set up NTLM so that users would not need to sign in to the network and then into Moodle. This works fine, users can open moodle click login and they are auto logged in using NTLM. I did find an issue with having to add the Moodle URL to the local intranet trusted sites which is now working spot on as this was done via network policy.

However my problem is that when you try and log in from an external location you have to authenticate to the domain and then log into Moodle. So having fixed the log in internally I have made it worse externally. http://moodle.tynemet.ac.uk is the URL so that you can see what I mean.

I have been reading this thread all day and can't seem to make sense of it at all (mainly how to configure the oncampus - offcampus logins)

I would love some help if you would be so kind.

Setup

Windows 2003 Server SP3

IIS v6.0

PHP version 5.2.6

mysql version 5.0.51a

and finally moodle version 1.9.5 build 20090513

In reply to Les Ingleby

Re: NTLM Single Sign-On Settings

by Dan Marsden -
Hi Les,

you want to configure a subnet mask - see:

http://docs.moodle.org/en/NTLM_authentication#Configuring_IP.2FSubnet_Mask
In reply to Dan Marsden

Re: NTLM Single Sign-On Settings

by Les Ingleby -

Hi Dan, thanks for the reply. Are you saying that I need to specify the subnet mask for everything that will connect from outside?

I have already specified our internal subnets and that's working fine; still not sure how I would go about specifying the internet's subnet.

In reply to Les Ingleby

Re: NTLM Single Sign-On Settings

by Dan Marsden -
the subnet mask is for sites that should use NTLM - so if you've specified your internal network correctly, then you should find that external users aren't prompted for the ntlm credentials.
In reply to Dan Marsden

Re: NTLM Single Sign-On Settings

by Les Ingleby -

Thanks for making that clear to me, will go take a look now and see if I can resolve the issue. Thanks Dan.

In reply to Les Ingleby

Re: NTLM Single Sign-On Settings

by Les Ingleby -

I have tried everything and still can't seem to get anywhere.

I have set up NTLM SSO and added the valid subnets for my network. Now when you sit on a machine onsite and open Moodle then click logon you are logged in fine. However when a user is logging in from home they are still being prompted with the NTLM auth box.

I have checked again and again and can't see where I am going wrong.

In reply to Les Ingleby

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -
If you are using some sort of reverse proxy in front of your Moodle server (MS Proxy, ISA Server, any kind of firewall with PAT/port forwarding or equivalent technology, etc.), make sure you _exclude_ that IP from the SSO subnet list.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Les Ingleby -

Hi, I have just spoken to our network admin and we have agreed that when a user logs in from a network/subnet which is not valid then they will be given the normal Moodle username login box. Also, when they are in a valid subnet they are logged in fine.

However when logging in from outside (off site, home) users are still prompted with the NTLM auth box; this is because before Moodle can check if the network/subnet is valid, IIS is wanting authentication, as the Integrated box is checked in IIS.

The only workaround I can see is if I can somehow pass the NTLM credentials over to Moodle so that when users have entered credentials in the NTLM box they are then auto logged into Moodle and do not have to log in a second time when Moodle then checks to see if the user is in a valid subnet and finds they are not.

In reply to Les Ingleby

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -

However when logging in from outside (off site, home) users are still prompted with the NTLM auth box, this is because before moodle can check if the network/subnet is valid IIS is wanting authentication as the Integrated box is checked in IIS.

The Integrated box should only be checked for the ntlmsso_magic.php file. If this is so, when you try to log in, you always hit /login/index.php which in turn calls the NTLM SSO pre-login hook. This is where Moodle checks the client's network/subnet and either redirects the user to the SSO process (which in turn hits ntlmsso_magic.php) or continues the regular process with the normal login box.

So if your external users are getting the NTLM credentials box it's either because they hit /auth/ldap/ntlmsso_magic.php directly (which they shouldn't) or Moodle thinks the client is coming from one of the SSO configured network/subnets.

You could add a couple of debugging lines to the NTLM SSO code to log the client's IP (according to Moodle) and then try to see what's going on.

Saludos. Iñaki.
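To make that subnet decision concrete, here is an added stand-alone PHP model of what the pre-login hook has to decide for a client (example code written for this thread, not Moodle's auth/ldap code). The subnet-list syntax it accepts, the function names and the sample addresses are assumptions; it also shows the reverse-proxy check Iñaki mentions earlier.

```php
<?php
// Added example for this thread, not Moodle's auth/ldap code: a stand-alone model of
// the choice the NTLM SSO pre-login hook makes for a client (start SSO, or show the
// normal login box), so the "external users still get the NTLM box" case can be
// reasoned about offline. Assumes 64-bit PHP 7.4+ and IPv4 only.
// Subnet list syntax accepted here (an assumption, not Moodle's parser): entries
// separated by ',' or ';', each a single address or a CIDR block such as 10.100.0.0/16.

declare(strict_types=1);

/** Parse "10.100.0.0/16; 192.168.5.17" into a list of [network, prefixLength]. */
function parse_subnet_list(string $list): array
{
    $subnets = [];
    foreach (preg_split('/[,;]/', $list, -1, PREG_SPLIT_NO_EMPTY) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        if (filter_var($net, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false
            || !ctype_digit($bits) || (int)$bits > 32) {
            throw new InvalidArgumentException("Bad subnet entry: $entry");
        }
        $subnets[] = [ip2long($net), (int)$bits];
    }
    return $subnets;
}

/** True when $ip falls inside any configured subnet. */
function ip_in_subnets(string $ip, array $subnets): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;                      // unparsable address: never treat as internal
    }
    foreach ($subnets as [$net, $bits]) {
        $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($net & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * What the login page should do for one client: 'sso' (redirect into the NTLM SSO
 * attempt) or 'normal' (plain login form). $remoteAddr is the address the web server
 * reports; behind a reverse proxy that is the proxy's own address for every client,
 * which is why the proxy must not be covered by the list. One line is appended to
 * $log per decision, the debugging line Iñaki suggests adding.
 */
function choose_login_path(string $remoteAddr, string $subnetList, array &$log): string
{
    $viaSso = ip_in_subnets($remoteAddr, parse_subnet_list($subnetList));
    $log[] = sprintf('ntlmsso: client %s -> %s', $remoteAddr, $viaSso ? 'sso' : 'normal');
    return $viaSso ? 'sso' : 'normal';
}

/** Configuration sanity check: does the SSO subnet list cover the reverse proxy? */
function subnet_list_covers_proxy(string $subnetList, string $proxyAddr): bool
{
    return ip_in_subnets($proxyAddr, parse_subnet_list($subnetList));
}

// Constructed sample values (not taken from the thread).
$subnetList = '10.100.0.0/16; 172.16.20.0/24';
$log = [];
choose_login_path('10.100.4.7', $subnetList, $log);     // on-campus client
choose_login_path('203.0.113.9', $subnetList, $log);    // home user
choose_login_path('not-an-ip', $subnetList, $log);      // garbage stays on the login form
echo implode("\n", $log), "\n";
// A proxy at 10.100.0.2 sits inside 10.100.0.0/16, so every external client would look internal:
echo subnet_list_covers_proxy($subnetList, '10.100.0.2')
    ? "proxy covered by the list: narrow it or exclude the proxy\n"
    : "proxy excluded\n";
```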

In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Les Ingleby -

Thanks so much for your help, I now have it working fine. The problem was that I had set Integrated over my entire site and not specifically on the ntlmsso_magic.php file.

Next is to find a script to click login for users onsite so they don't have to smile

In reply to Les Ingleby

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -
If you enable 'forcelogin' under Administration >> Security >> Site Policies, then Moodle will automatically redirect non-logged in users to the login page and NTLM SSO will take care of the rest wink

Saludos.
Iñaki.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Sean Beggs -
Hi!
I'm having a bit of trouble getting SSO to work also.
I've got LDAP working fine, users can login with their Windows usernames/passwords fine.
So I've checked Enable SSO now, put the subnet mask in, it's showing in IE as an Intranet Site, but failing on SSO and reverting to the standard login box!
Would anyone be kind enough to point me in the right direction here? Any logs I should check for errors maybe? I'm sure it will be something straightforward I've missed.

Im running:
Moodle 1.9 on Apache 2/Ubuntu Server 9.04.

THANKS ALL
In reply to Sean Beggs

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -
Exactly which version are you running? (please, paste the contents of version.php wink) There have been some NTLM related bugs fixed in the latest releases and I'd like to be sure you are not hitting them before we start digging around smile

Saludos.
Iñaki.
In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Sean Beggs -

I'm running Version 1.9.5 (Build 20090626). It doesn't try the SSO by default either, should it? I have to go to myserver.org/auth/ldap/ntlmsso_attempt.php and it just fails. LDAP is working, because Active Directory users can login no probs.

Thanks
Sean

In reply to Sean Beggs

Re: NTLM Single Sign-On Settings

by Iñaki Arenaza -

Your version is recent enough, so it should have all the bugfixes (which is good smile)

Have you configured your Apache server to ask for user credentials using NTLM? (as described in the NTLM SSO documentation: http://docs.moodle.org/en/NTLM_authentication#APACHE_Configuration).

Also, are you trying to SSO from one of the configured subnets?

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Paul Clarke -
I see that I am not alone in trying to get SSO working with 1.9.5

I am running it on a server 2003, under IIS.

I have set LDAP up, and can only assume that it is working, but the SSO fails.

Auto-login failed, try the normal login page...

So I then attempt to login using the alternative method, but it still does not look as though it is talking to AD. I have a user that I created in Moodle, that can login, but a domain user can not login.

I am NOT using apache.

How do I get it to create the accounts in moodle from Active Directory?



In reply to Iñaki Arenaza

Re: NTLM Single Sign-On Settings

by Paul Clarke -
Ok, I know that LDAP is working as I have just done it with a student account and it prompted me to enter the names.

So SSO and NTLM / LDAP is working, just not on MY account.

The admin user in moodle is set as ME. with MY E-mail address. Could this be the problem?




In reply to Paul Clarke

Re: NTLM Single Sign-On Settings

by Mark Wilfan -

Hey guys

I know this thread has been untouched for a while but thought I would add my findings.

We use CentOS 5.5 to host our Moodle which has Samba 3.0.33 in the default software channel. For the life of me I could not get NTLM working with 3.0.33 or any of the previous 3.0.x versions I have tried. Our authentication servers are Windows Server 2008 R2 servers and apparently this is a known issue.

wbinfo -u shows all users fine

wbinfo -g shows all groups fine

wbinfo -t reports that the trust secret is fine

When trying to use NTLM, this error is put into the messages log:

\NETLOGON returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

Upgrading to 3.5.6 via SerNet fixed this problem.

The caveat to this is that this version of samba breaks the "My Documents" (smbclient) block.

In reply to Mark Wilfan

Re: NTLM Single Sign-On Settings

by Jon Witts -

Hi Mark,

There are a number of tweaks you may have to perform to get smbclient working with the latest versions of Samba. I have tried to document as many of these as possible on the talk page for the smbclient block download page...

In the first instance, have you tried doing an smbclient connection from the command line of your server to see what error messages you get?

Jon

In reply to Jon Witts

Re: NTLM Single Sign-On Settings

by Peter de Groot -

 

Just rolled out SSO here..  LAMP and samba on Ubuntu.

Traps for young players..  IF you specify

winbind use default domain = yes

in the smb.conf then the string returned from winbind does NOT contain the domain name..... just the user name.  This crashes the magic script

Cheers

Peter

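The trap Peter describes can be shown with a small added PHP example (written for this thread, not Moodle's ntlmsso_magic.php): a naive strip-the-domain step beside one that accepts both `DOMAIN\user` and a bare `user`. The function names, the default-domain parameter and the sample inputs are assumptions.

```php
<?php
// Added example for this thread, not Moodle's ntlmsso_magic.php: why a bare username
// from winbind ("winbind use default domain = yes" in smb.conf) breaks a naive
// strip-the-domain step, and a replacement that accepts both "DOMAIN\user" and "user".
// Function names, the $defaultDomain parameter and the sample inputs are assumptions.

declare(strict_types=1);

/**
 * The naive idiom, substr(strrchr($u, '\\'), 1), written out so the failure is visible:
 * strrchr() returns false when there is no backslash, and the username collapses to ''.
 */
function strip_domain_naive(string $remoteUser): string
{
    $tail = strrchr($remoteUser, '\\');
    return $tail === false ? '' : substr($tail, 1);
}

/**
 * Split an authenticated principal into [DOMAIN, username].
 * "DOMAIN\user" is what SSPI / IIS integrated auth and winbind produce by default;
 * a bare "user" is what winbind produces with the default-domain option, and
 * $defaultDomain (the domain the site is configured for) fills the gap. Returns null
 * for anything that would leave an empty or suspicious username, so the caller can
 * refuse the login instead of looking up an empty account.
 */
function split_principal(string $remoteUser, string $defaultDomain): ?array
{
    $remoteUser = trim($remoteUser);
    $pos = strrpos($remoteUser, '\\');
    if ($pos === false) {
        $domain = $defaultDomain;
        $user = $remoteUser;
    } else {
        $domain = substr($remoteUser, 0, $pos);
        $user = substr($remoteUser, $pos + 1);
    }
    // Lower-case before the account lookup so JSMITH and jsmith are one account;
    // the character whitelist is a conservative choice of this example, not Moodle's rule.
    $user = strtolower($user);
    if ($domain === '' || $user === '' || !preg_match('/^[a-z0-9._-]+$/', $user)) {
        return null;
    }
    return [strtoupper($domain), $user];
}

// Constructed sample inputs (not from the thread).
$samples = ['MYCOLLEGE\\rward', 'rward', 'MYCOLLEGE\\', '\\rward', 'rward; drop'];
foreach ($samples as $sample) {
    $naive = strip_domain_naive($sample);
    $robust = split_principal($sample, 'MYCOLLEGE');
    printf("%-20s naive=%-10s robust=%s\n",
        var_export($sample, true),
        var_export($naive, true),
        $robust === null ? 'null (refuse login)' : implode('\\', $robust));
}
```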