Moodle in English: Multiple Authentication

Hi all,

Perhaps I had better introduce myself and say "Hi, I'm a guy at Catalyst working on multi-authentication"

It is in a state of unfinished-ness, but we have a branch from 1.6 available (for interested developers and testers only at this stage!) here as a git repository:
http://git.catalyst.net.nz/gitweb?p=moodle-r2.git;a=shortlog;h=mdl-mnet-multiauth

For those not using git/cogito, you can download snapshots from the snapshot link:
http://git.catalyst.net.nz/gitweb?p=moodle-r2.git;a=snapshot;h=mdl-mnet-multiauth

The major changes are:

Refactoring each set of auth functions in auth/foo/lib.php into a plugin class analogous to enrolment plugins. This class is now contained in the file auth/foo/auth.php
Adding some supporting functions to moodlelib to retreive and check for existence of plugins
Shifting the auth plugin configurations into the config_plugin database table, using 'auth/foo' as the plugin name
Changing the admin interface to allow selecting and reordering of multiple plugins (similar to the up/down arrows in admin/filters)
Instead of $CFG->auth, we now have $CFG->auth_plugins_enabled
Tweaking Moodle code to handle auth plugin classes

So, now we can say

$authplugin = get_auth_plugin('foo')

and instead of using a static auth_user_login() function, we can say

$authplugin->user_login()

authenticate_user_login() in moodlelib now checks the $USER auth, then walks the plugins specified in the admin interface, in order.

This branch also includes an aborted auth-plugin language string refactor, moving strings out of lang/xx/auth and into lang/xx/auth_foo, but this was aborted due to the moving of too much cheese at once.

The code now refers to strings in auth.php as normal, but it explains why all those files are there, just in case anyone was wondering; it might make sense to do this at some later point.

I also fixed pop3, nntp and imap plugins to check for imap functions first and gracefully exit with an error, rather than present the user with a blank page.

Additionally I have spring-cleaned here and there, cleaning up comments, crazy indenting, and so on using the recommended Moodle code style.

Comments and so on would be most welcome! For instance, I'm not at all sure how the cas plugin will work with the ldap functions in the ldap plugin. There are also some other bits and pieces that are still broken because I haven't figured out exactly how some of it hangs together yet

Average of ratings: -

Re: Multiple Authentication

by Martín Langhoff - Thursday, 28 September 2006, 9:37 AM

Wohoo!

The work started with Howard Miller and Iñaki Arenaza is coming together!

We've been talking about multi-auth for a while -- with this code you can actually have several auth plugins enabled at the same time ... you can fake it a bit with the current code, but there are a million little pitfalls in doing that -- this work is supposed to cure them all, and make it a supported mode of operation. That in itself is a useful thing.

So there have been quite a few changes in the auth modules -- all of them, and we need testers and review. And comments from from plugin authors, maintainers & users.

This whole thing is aimed at 1.8 though we will probably put together an unsupported "at your own risk" patch on top of 1.7 for people who want to play with it.

Long term, this is part of a cunning plan to get us doing transparent SSO and a few other things across moodle installations. If you really want to know, I've written some notes at http://docs.moodle.org/en/Community_hub_technotes

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Thursday, 28 September 2006, 4:39 PM

If there is interest in multi-authentication with multiple instances of the same plugin type (e.g., using several ldap servers with completely different sets of parameters -which is not yet possible with the great work from Jonathan-) I'd be grateful if some knowledged enough about the internals of authentication (that's you MartinL, among others

) would answer some of the remaining questions at http://docs.moodle.org/en/Multi_Authentication so I could design a proper solution to this

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Martín Langhoff - Friday, 29 September 2006, 3:38 AM

Hola Iñaki!

You never ask easy questions do you?

I think once the switch to class-based auth is done and all the bugs fixed, it should be easy to make multi-instance by

+ modifying how we store config data to be per-instance -- perhaps extend mdl_config_plugins a bit to match the table 'auth_instance_settings' you describe

+ changing admin/auth UI to match

+ changing how we deal with mdl_user.auth

I am interested -- and we were discussing it with Jonathan yesterday -- but it's beyond our immediate goals (we have to get the rest of 'moodlenet' done!).

So I'm hoping we move the ball close enough to the goal so that a top scorer can kick it in. Is that you?

BTW, I had forgotten about that Wiki page. We could describe there the implementation as it's happening.

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Saturday, 30 September 2006, 4:49 AM

You never ask easy questions do you?

The easy ones were already answered here in the forums... So I went for the rest

So I'm hoping we move the ball close enough to the goal so that a top scorer can kick it in. Is that you?

Well, I don't play soccer but basketball, so I'm not really sure

But the work Jonathan is doing will greatly simplify things like upgrading to the full multi-instance scenario undoubtly.

Maybe part of the problem with the questions in the wiki page is that I'm a little bit too ambitious, allowing things like instance removal, which create their own set of problems. But I guess we'll arrive there someday anyway, so the questions will need to be answered sooner or later. I obviously prefer sooner than later

I intend to advance the multi-instace thing slowly but steadly in the following months, and keep the wiki page updated with any architectural decision I make, so anyone interested in the multi-instance thing can have an idea of what's going on.

But don't hold your breath waiting for the code. I'll be doing this is my spare time and it can take quite a while. I'll be putting the code at this git repository from time to time:

http://git.eteo.mondragon.edu/git/moodle-multiauth.git/

Of course, I'll keep an eye in your work and the stock Moodle authentication changes

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Martín Langhoff - Saturday, 30 September 2006, 2:41 PM

> I intend to advance the multi-instace thing slowly but steadly
> in the following months

Cool!!!

One question though: what code are you going to base it on? If you plan on following Jonathan's branch, be aware that we will probably rebase it on top of 1.7 as soon as it is a bit more stable.

Average of ratings: -

Re: Multiple Authentication

by Michael Vaughan - Sunday, 1 October 2006, 2:02 AM

Hello,

I am VERY interested in making moodle multi-authentication capable...even if I have to code the mods myself. I have a mission I must complete in the next 6 months that involves my being able to authenticate folks using EITHER manual, LDAP1, LDAP2, LDAP3, or other means such as NTLM or smart card auto aware. Smart Card would be once you select it, it would search you browser for PKI certs from an inserted smart card and simply ask you for your pin from your inserted smart card to authenticate you. A 'wee' bit simplistic since this smart card would need to be authenticated via a central CA...! This is extremely important because of the sheer number of various authentication mechanisms I will need to use. A common database and website is mission essential. Appreciate your feedback and/or assistance as to means of attacking this problem...

-Michael

Average of ratings: -

Re: Multiple Authentication

by Martín Langhoff - Sunday, 1 October 2006, 8:27 AM

Michael,

WRT code infrastructure, see the code I am linking to, and the Wiki page Iñaki is linking to. Those are the architectural plans. If you want to join the coding effort, welcome!

In terms of PKI -- I have _just_ been in the Moodle Moot Spain where a university there has implemented what you are after, using OpenCA, smartcards, all that jazz. The presentation was called "MoodlePKI", by Jorge Miguel Moneo, Universidad de San Jorge.

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Sunday, 1 October 2006, 5:05 AM

Right now it's based on stock 1.6, but I've done very little code so far. Just a very few accessory functions and some of the mono-to-multi upgrade infrastructure. So I don't think this is a real problem right now.

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Michael Vaughan - Thursday, 16 November 2006, 10:39 PM

Any chance I could see the code for the PKI module? Once I get it working, i would release it the world.

-Michael

Average of ratings: -

Re: Multiple Authentication

by Bruce Crevensten - Thursday, 5 October 2006, 7:26 AM

Hello -- I have some recent experience with multiple-authentication systems. I recently wrote an LDAP server in PHP which had these requirements:

- Run as a daemonized socket server and decode LDAP network requests
- Authenticate users against a fast local MySQL cache, Apple Password Server, and ActiveDirectory.
- Be able to easily extend the code to add additional authentication backends as necessary.
- Each authentication backend can accept two operations: Authenticate (bind), Change Password.
- Synchronize users' passwords across all systems.
- The system must respond with a valid LDAP response.

Happily, this worked and the project is being used to authenticate all staff and students on all web-based infrastructure in our school district (~10,000 users). Because of the small number of backend systems that were required up-front, I didn't do much work abstracting them as "plugins", and I'm not sure how much of my code would be valuable here. I can locate the UML for the design, though, and share if there is interest.

I CAN share the number-one lesson learned: how does the system respond if one (or more) backend systems become unavailable? Our Apple Password Server installation has had an ongoing issue which causes it to ...not quite give up, but take up to 30 seconds per request for authentication. What should the system do? Should we fork for every authentication request? (that invites its own set of problems, though) ...etc. Worth considering.

Average of ratings: -

Re: Multiple Authentication

by Martín Langhoff - Thursday, 5 October 2006, 8:18 AM

Hi Bruce

now that's an interesting project you've done. Is the code licensed under a free license (crosses fingers)? Wouldn't mind hacking a bit on it

I have often been quite frustrated with OpenLDAP and considered writing a lightweight Perl implementation of the LDAP protocol that would deal with simple bind/search operations using MySQL or Postgres as a fast fast fast backend. And being able to pull the tricks you describe... priceless!

OpenLDAP is usually a big disappointment when it comes to performance and reliability

I normally need something FAST and reliable rather than fiddly/slow/pseudosophisticated. I am hoping FDS is better than OpenLDAP.

[And if you think I'm weird, earlier this year I coded a perl implementation of the cvs protocol, that stores the actual project history in ... git

]

Now -- to answer your question: if you are doing multiple LDAP auth, you _must_ shorten the timeouts on connect and on search/retrieve ops. Except that... I now realise PHP doesn't have such controls!

I was hoping for something like Perl's Net::LDAP->new("ldapserver.domain.name", timeout=>30);

And in the context of an apache child process, forking is messy enough that I don't want to go there. Hmmmmm. File a bug with PHP?

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Thursday, 5 October 2006, 4:51 PM

> if you are doing multiple LDAP auth, you _must_ shorten the timeouts on connect and on search/retrieve ops. Except that... I now realise PHP doesn't have such controls! sad

Uh? You don't have a 'connect' timeout because you don't need it (connect calls ldap_init(), which doesn't really connect the server until an operation is attempted, so no need to have a timeout

. 'bind' is a different beast though. It uses ldap_bind_s() which can't take a timeout as a parameter. I guess keeping the connection open if you really need to reduce the bind time to a minimum is the way to go (which opens another can of worms

)

But you _do_ have search/retrieve timeous (have a look at 'timelimit' optional parameter in ldap_search(), ldap_list(), ldap_read(), etc.).

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Martín Langhoff - Thursday, 5 October 2006, 7:03 PM

But you do have search/retrieve timeous (have a look at 'timelimit' optional parameter in ldap_search(), ldap_list(), ldap_read(), etc.).

Oops. I wasn't paying attention then -- I did a quick lookup for an operation timeout (as opposed to a connection idle timeout) and didn't see a global per-connection one.

Good catch! I guess we should start using a really short timelimit for those ops when called interactively.

Average of ratings: -

Re: Multiple Authentication

by Jonathan Harker - Thursday, 12 October 2006, 12:41 PM

Hi again,

After talking to Martin about authentication, it seems that most of the calls to is_internal_auth() are coupled with something else (eg. inspecting stdchangepassword or such) to see if Moodle can change the password, or if it needs to redirect to another URL to manage the user's password.

Thinking that a bunch of code in moodlelib and elsewhere can be tidied up by adding a couple of methods to each auth plugin:

.can_change_password() returns bool, whether Moodle can change the user's password by itself (either internally, or externally with sufficient access, permissions, etc)

.change_password_url() returns the URL of the external change password page or false if the default can be used. This subsumes both stdchangepassword and changepasswordurl settings.

Any thoughts most welcome!

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Thursday, 12 October 2006, 11:06 PM

+1 for the changes

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Jonathan Harker - Friday, 13 October 2006, 4:58 AM

I'm also thinking that all auth plugins have a user_update_password() method if can_change_password() is true. The plugins that already know that they are "internal" can just call the update_internal_user_password() in moodlelib, whilst the ones that aren't can roll their own code as they do now.

This involves shifting some code around but ultimately results in looser coupling and easier code maintenance/reuse etc.

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Friday, 13 October 2006, 5:15 AM

Now that I think about it and the way I'm designing multi-instance authentication, instead of having a bunch of can_XXXX_() or has_XXXX_() functions, I'm having all this as auth-type/instance values (where an instance is a PHP object) instead of functions.

I guess if you are coming from Java, where you have all those setters & getters, this doesn't make sense. But coming PHP where class variables are much more accesible, it seems more natural to me. I normally use class variables for properties and methods for actions, but YMMV.

Anyway, I think the proposed changes are worth it.

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Martín Langhoff - Friday, 13 October 2006, 10:56 AM

> But coming PHP where class variables are much more accesible,
> it seems more natural to me. I normally use class variables
> for properties and methods for actions, but YMMV.

I tend to use properties and methods too...

{...thinking...}

I guess the thing is that we have situations where the plugin may know how to do something but in this given configuration it doesn't have enough rights to do it, so just checking for method_exists() isn't enough.

It _is_ something that falls out of current configuration -- the idea we discussed with Jonathan was that can_foo() would check configuration to see if it could. Following that idea, at configuration change time, we could update the can_foo property. But at config time, the plugin doesn't get a chance to do anything -- the framework stores the values...

Hmmm. I think I got it: we can set it as a property at object init time, and it's more consistent with PHP style.

What do you guys think?

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Friday, 13 October 2006, 5:25 PM

The way I'm currently doing this (it's the only coded part of the whole multi-instance thing) is:

$auth_instance is an object with all of the instance properties: type, name, back-end settings, capabilities (can be disabled, is internal, can have multiple instances, etc.). Then I have a function called get_auth_instance_settings() that you pass an instance object (that you get from the database) and you are returned the full blown object.

This is the code (just to show the idea, not to suggest any actual implementation, see http://docs.moodle.org/en/Multi_Authentication to have a look at the database tables and their meanings):

/**
 * Get the configuration settings for a given auth instance, including
 * auth type properties.
 *
 * @param $authinstance object holding all the authinstance details.
 * @return false on error, true otherwise.
 *
 */
function get_auth_instance_settings(&$authinstance) {
    global $CFG;

    if ((!is_object($authinstance)) or empty($authinstance->id)) {
        return false;
    }

    // First, get all the instance settings.
    if ($settings = get_records('auth_instance_settings', 'instanceid',
                                $authinstance->id, '', 'name,value')) {
        foreach ($settings as $setting) {
            $authinstance->settings[$setting->name] = $setting->value;
        }
    } else {
        return false;
    }

    // Next, get instance type properties (isinternal, multiple, etc.).
    if ($typeprops = get_record_sql ('SELECT at.* FROM ' . $CFG->prefix .
                                     'auth_type at, '. $CFG->prefix .
                                     'auth_instance ai WHERE ' .
                                     'at.id = ai.typeid ' .
                                     'AND ai.id = '.$instanceid)) {

        $authinstance->type = $typeprops;
        return true;
    } else {
        return false;
    }
}

/**
 * Get an array with all the authentication instance objects
 * completely defined.
 *
 * @param none
 * @return array of authentication instance objects or false on error.
 * 
 */
function get_auth_instances() {
    global $CFG;

    if (!($intances = get_records ('auth_instance', '','','sortorder'))) {
        return false;
    }

    foreach ($instances as $instance) {
        if (!get_auth_instance_settings ($instance)) {
            return false;
        }
    }

    return $instances;
}

Then you can say $auth_intance->enabled, or $auth_instance->settings['ldap_host_url], or $auth_instance->type->candisable or whatever you stored in your database config (for the auth instance itself or the auth type it belongs to).

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Jonathan Harker - Monday, 16 October 2006, 11:05 AM

I have a similar thing but in the constructor. The constructor looks up settings in the config_plugins table and loads them into a config property, thus we can go $authinstance->config['foo']. So as Martin suggests I guess I can set the can_do_blah properties in the constructor also.

The cool thing about doing them as functions, eg. $authinstance->can_do_blah(), is that it can look up the config in the function call without having to reload anything (it is thus more "live")

J

Average of ratings: -

Re: Multiple Authentication

by Jonathan Harker - Monday, 16 October 2006, 11:10 AM

...although I notice you are using a better structure than I am that allows for multiple auths of the same type... hmmmm [thinking noises]

Average of ratings: -

Re: Multiple Authentication

by Don Hinkelman - Saturday, 14 October 2006, 4:40 PM

Hi Everyone,

We have a little question at our school, and wondered if "Multi-Authentication" will solve our problem.

Problem: Our moodle site has evolved slowly and the university IT department has now given us permission to use LDAP for user ID/passwords. This will save the number one headache of all of our Moodle-using teachers (registering students and helping them remember their IDs and passwords by making one, not three different ID systems). The issue is then how do we continue to allow a significant number of non-enrolled, non-official students who participate in our moodle courses. These include students in sister-universities abroad who join discussion forums, former students who graduated, yet participate in a meta-course learning community, guest speakers who lead a chat or forum, and friends and researchers who join us for other reasons. With LDAP, we can only allow official-students, not these other participants (which we expect to keep increasing, as we teachers begin loosening the boundaries of classroom walls).

Solution: Do we need to build a second database of users? Thus in multi-authentication, the moodle would first look into the official database for authentication, and if not there, would go to this second database to see if the user was manually entered there. If this is what "multi-authentication" can do, then it sounds like we can begin using LDAP and wait for version 1.8 to handle our non-official participants in our moodle learning community.

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Saturday, 14 October 2006, 5:09 PM

Hi Don,

you can do that already (in fact, you could do it since 1.5.x

)

If you use LDAP authentication, you can use internal authentication too. In fact, all of the existing users will retain their current authentication method (whatever that method is), as the auth method is attached to the user. Only if the user doesn't have an auth method the default method is used (and asigned to the user for future logins).

This is a quite limited multi-auth, but I'd say it's enough for your needs. In fact, this is what we are currently doing for exactly the same scenario that you are talking about. The only drawback is that you need to create the users manually (or via upload files).

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Don Hinkelman - Monday, 16 October 2006, 3:10 PM

Dear Iñaki-bearer-of-good-news

,

Wonderful! I am glad to hear a system for our needs is and has been already in place. Now then, the problem is that we do not want 95% of our current users to use the old authentication attached to them as users. We want to remove those inconsistant, confusing IDs and replace them with the official school ID. How do we do that? We were thinking we have to wipe out all users and start afresh with all new users on a new site next year when we start to use LDAP. But it would be nice not to have to do that.

Average of ratings: -

Re: Multiple Authentication

by Timothy Takemoto - Monday, 16 October 2006, 6:45 PM

Hi Don

The simple answer is to start afresh and import the people that use the non-LDAP users using a flat file.

I am not sure what takes priority when a username is registered in two different authentication systems. But anyway, the usernames are not consistent so you are going to need to delete all the 95%. I don't know a way of deleting en masse via a file.

You could however use some SQL to set mdl_user->deleted for those majority of users. Unfortunately the teachers and admins are stored in another table so it is not a walk in the park (for my level of SQL). Is there anything about their department, email address, language, etc, etc (all the settings on the profile page) that distinguishes users that you want to go LDAP from those that you want to remain using internal authentication?

If not, and it is for instance teachers that need to be internal, then somewhere Eloy did teach me a two stage SQL command keying from a different table.

Or if it is practical to say, change the language of all the internal authenticated to catalan and then use the following SQL via phpmyadmin
UPDATE mdl_user SET delete = 1 where lang = "ca"

Tim

Average of ratings: -

Re: Multiple Authentication

by Timothy Takemoto - Monday, 16 October 2006, 9:31 PM

Don
Sorry that should have been
UPDATE mdl_user SET delete = 1 WHERE lang <> "ca"
That will delete all users whose language is not Catalan. Then you could do
UPDATE mdl_user SET lang = en
to set the language setting back to english afterwards

Average of ratings: -

Re: Multiple Authentication

by Don Hinkelman - Monday, 23 October 2006, 8:39 AM

Thanks, Inaki and Tim, for all the advice. We will start afresh for the next school year and register all 5000 students in a new installation, using LDAP authentication. And we will "save" some non-official students using Tim's suggestion and upload them separately. They will be authenticated separately with manual authentication.

Actually, I find it amazing that a simple teacher like me has learned the ins and outs of large school server administration.

These forums make it possible.

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Tuesday, 17 October 2006, 3:56 AM

Hummmm, I'm not sure I understand what you want. You don't want to remove your existing users, but you can't use them the way they are configured right now (basically their username). Is that right?

If this is so, then you need some information to map 'old' usernames to 'new' usernames. Maybe they already have a userid field with some sort of unique id that you can use to 'search & replace' usernames.

If you have something like this, then you could build a SQL query to 'upgrade' all of your existing users to the new names, and then change them to LDAP authentication.

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Richard Cory - Sunday, 11 February 2007, 5:58 AM

Do I understand this to say that if a user is originally set up via LDAPand if the LDAP server is down, the student can use their login credentials by logging in directly to the moodle server?

thanks
RC

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Sunday, 11 February 2007, 8:35 AM

Humm, not so. It means that if a user is originally setup to use LDAP auth, and you later change your Moodle site to use POP3 auth, that user will keep being authenticated against your LDAP server, not your POP3 server.

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Richard Cory - Sunday, 11 February 2007, 5:35 PM

So if the LDAPP server goes down, there is now way for those students to get onto the Moodle site. Is this correct?

RC

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Sunday, 11 February 2007, 7:27 PM

Absolutely correct. That's why you can specifiy multiple LDAP servers, to have redundancy and availability of the service. Of course, you need to make sure all the LDAP servers have the same data (via some replication protocol, for example).

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Jonathan Harker - Monday, 30 October 2006, 5:48 AM

For those interested in testing and breaking things, I have posted an update over on the General Developer forum for those that want to play with it and give feedback. The multiauth code is now rebased to the 1.7 codebase. The code is still fresh and green, so it is certainly not ready for production use until it has been thoroughly thrashed!

Cheers,
Jonathan

Average of ratings: -

Re: Multiple Authentication - In HEAD now, changes for Auth plugins

by Martín Langhoff - Thursday, 4 January 2007, 2:05 PM

This is in HEAD right now. If you maintain an auth plugin either in the Moodle tree or in-house, there are changes coming in 1.8 to how these work. We have updated the README and added README2 for more info.

Jonathan's converted the plugins in the Moodle tree already, so you only have to have a look at the new API, and perhaps port over those changes you've forgotten to commit earlier

We have tested those auth plugins we could test with the software we have available (POP3, IMAP, LDAP, DB, etc). For plugins are are not easy to test (hi FC!) we've been extra careful... and we need your help testing

In any case, feel free to post questions/flames related to multiauth here, and I'll be glad to help with any migration pains.

Other notes on the code being merged can be found here http://moodle.org/mod/forum/discuss.php?d=59215

1.8... here we cooooooommmmmmeeeeeeeeee....

Average of ratings: -

Re: Multiple Authentication

by Charlie Owen - Sunday, 4 February 2007, 7:05 PM

I know this might be rather late in the day but can I ask if the pending multi-authentication will work with multiple plug-ins of the same type? In the most recent version of 1.8 I have there doesn't seem to be any way of doing this.

To explain, we've got a weird situation at our organisation where we have not just two separate AD domains, but two separate AD forests, so we need to be able to specify a couple LDAP/AD servers in the Moodle config. (we've tried adding a recursive server, but that doesn't work due to the separate forests).

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Monday, 5 February 2007, 12:56 AM

I know this might be rather late in the day but can I ask if the pending multi-authentication will work with multiple plug-ins of the same type?

As far as I know, this isn't supported yet. There is some work in
progress, but it's far from being complete.

To explain, we've got a weird situation at our organisation where we have not just two separate AD domains, but two separate AD forests, so we need to be able to specify a couple LDAP/AD servers in the Moodle config. (we've tried adding a recursive server, but that doesn't work due to the separate forests).

In case you are in a hurry, you can build a meta-directory using
OpenLDAP and its 'meta' backend. This creates the illusion of a single
LDAP tree which incorporates the two (or more) separete LDAP
trees. This is what we are currently using at our site.

We are using OpenLDAP (on a Linux box, but you should be able to do
this in Windows too) to 'glue' toghether two AD domains (in two
different forests) and present it as just one single domain. Beware:
this breaks if you have users with the same
displayName/cn/sAMAccountName in both domains and you are using any of
them in Moodle for anything (as the meta backend can't tell them
apart)

This is our setup:

First AD domain (in one of the forests): eteo.mondragon.edu
- Domain controller: 10.0.0.1
Second AD domain (in the other forets): bidasoa.eteo.mondragon.edu
- Domain controller: 192.168.0.1
Both domains have a user called 'ldap-user' we use to bind to AD.
We create a meta directory called eteo.mondragon.local
Each of the real directories appear as leafs of the meta directory, namely onati.eteo.mondragon.local (for the first AD domain) and bidasoa.eteo.mondragon.local (for the second one).
We have a bind user (the root user in fact) for the meta directory, called 'ldap-user' aswell. This is the user Moodle needs to bind to the meta-directory.
All of this is running in a Linux box with the IP address 172.31.1.1. This is the ldap server Moodle needs to use.

Here is our slapd.conf file (have a look at the man pages to see what every line means):

----- [/etc/ldap/slapd.conf] -----

database meta
suffix "dc=eteo,dc=mondragon,dc=local"
rootdn "cn=ldap-user,ou=moodle-staff,dc=eteo,dc=mondragon,dc=local"
rootpw {SSHA}12345678901234567890123456789012
lastmod off
dncache-ttl disabled

access to attrs=userPassword
 by dn="cn=ldap-user,ou=moodle-staff,dc=eteo,dc=mondragon,dc=local" write
 by anonymous auth
 by self write
 by * none
access to dn.base="" by * read
access to *
 by dn="cn=ldap-user,ou=moodle-staff,dc=eteo,dc=mondragon,dc=local" write
 by * read

uri "ldap://10.0.0.1/ou=moodle-users,dc=onati,dc=eteo,dc=mondragon,dc=local"
pseudorootdn "cn=ldap-user,ou=moodle-staff,dc=eteo,dc=mondragon,dc=edu"
pseudorootpw "ldap-user-password"
rebind-as-user
map objectclass groupOfNames group
suffixmassage "ou=moodle-users,dc=onati,dc=eteo,dc=mondragon,dc=local" "ou=moodle-users,dc=eteo,dc=mondragon,dc=edu"

uri "ldap://192.168.0.1/ou=moodle-users,dc=bidasoa,dc=eteo,dc=mondragon,dc=local"
pseudorootdn "cn=ldap-user,ou=moodle-staff,dc=bidasoa,dc=eteo,dc=mondragon,dc=edu"
pseudorootpw "ldap-user-password"
rebind-as-user
map objectclass groupOfNames group
suffixmassage "ou=moodle-users,dc=bidasoa,dc=eteo,dc=mondragon,dc=local" "ou=moodle-users,dc=bidasoa,dc=eteo,dc=mondragon,dc=edu"

----- [/etc/ldap/slapd.conf] -----

Then in Moodle's LDAP authentication settings we have (I show only the most relevant settings, fill the rest as usual):

ldap_host_url: ldap://172.31.3.4
ldap_bind_dn: cn=ldap-user,ou=moodle-staff, dc=eteo,dc=mondragon,dc=local
ldap_user_type: posixAccount (rfc2307)
ldap_contexts: dc=eteo,dc=mondragon,dc=local

Notice we set the user type to posixAccount, even if we are using Active Directory for the real users. Remember Moodle is really talking to OpenLDAP, not to AD domain controllers. This is sort of a reverse LDAP proxy.

Just a couple of warnings:

You can't change users' passwords in AD from Moodle (or any other AD data, for that matter).
If one of the AD domain controllers is unreachable (for any reason) the meta directory times out after a long wait (something in the order of a couple of minutes or so), even if the user we were looking for is in the other domain controller. This is a limitation of the OpenLDAP meta backend (at least in the version we are using).
We have been using this framework for over 18 months without any side effects (except the ones mentionned above) for LDAP authentication only. We haven't tested LDAP enrollment at all, and we haven't run auth_ldap_sync_users.php at all, so I can't comment on them.

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Charlie Owen - Monday, 5 February 2007, 7:08 PM

Hi Iñaki,

Thank you so much for posting all that help. I feel decidedly wretched now in letting you know it won't work for us, for one of the reasons you touched upon: we have a lot of sAMaccountnames that are identical on both staff and student domains. We've tried to get your solution working when we first moved to Moodle and immediately hit this barrier.

We currently have a custom login page that allows a user to choose whether to login using a staff domain, a student domain or internal Moodle authentication. It works very well for us but I was hoping that we could abandon it in favour of a native solution. (I really must post the code that our developer wrote to implement this).

When multiple plug-ins of the same type are implemented in the future could some consideration be given to addressing the problem of identical usernames on multiple authentication sources? Perhaps a solution like we currently have, where a user can choose which authentication source to use at login?

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Tuesday, 6 February 2007, 5:11 AM

> When multiple plug-ins of the same type are implemented in the future could some consideration be given to addressing the problem of identical usernames on multiple authentication sources? Perhaps a solution like we currently have, where a user can choose which authentication source to use at login?

I don't know what the final solution will be, but we'll need something along those lines, not just for multiple authentication sources, but for Moodle Network as well.

Saludos. Iñaki.

Average of ratings: -

Re: Multiple Authentication

by Hélène Bouley - Friday, 23 February 2007, 7:02 AM

I have the same question in mind. It's quite important collisions can occur often without solution to solve them. MAy we should consider not to have an unique username but instead an unique (auth,username).

Just an idea

Average of ratings: -

Re: Multiple Authentication

by Iñaki Arenaza - Friday, 23 February 2007, 6:27 PM

In fact, unless auth is somehow linked to a unique authentication source (LDAP domain, AD domain, site, campus, host, whatever), having unique (auth,username) won't be enough.

That's why I proposed the separation between the authentication types (db, ldap, etc.) and the authentication instances (this db, that other db, this other ldap server, etc.) in the 'multi-instance' multi-auth "specification" (http://docs.moodle.org/en/Development:Multi_authentication).

This way an auth instance completely specifies the 'namespace' where a given username is valid, thus making collisions only possible inside that namespace (where you can easily fix them).

Of course this creates its own set of problems, like having to specify not only your username but your 'namespace' too when you log in, and having a default 'namespace' for self-created accounts, etc.

Saludos. Iñaki.

Average of ratings: -