I've just got NTLM going (Thanks for the hard work guys!) on 1.9 and it seems to work well.
I had it set up about 6 months ago for a short while, and it seemed a lot faster. The multi-step process adds a long lag, especially for users with non-LDAP accounts who log in from inside school, who have to wait for a failed NTLM lookup via 2 timed delays, adding about 10 seconds to their wait for the login page before they can start to type their details.
Is there a way of speeding things up e.g. reducing the delays? I picked up something about waiting for spacer.gif to load, but otherwise don't understand the need for the delays, so not sure if hacking them to speed it will break it?
Hi,
Can you give me the steps needed to run NTLM authenticatin. I have managed to setup LDAP. But i need to have a single sign-on to Moodle using our AD.
I use apache and mySQL on moodle1.9 which runs on winXP.
Can you pls. advice?
Can you give me the steps needed to run NTLM authenticatin. I have managed to setup LDAP. But i need to have a single sign-on to Moodle using our AD.
I use apache and mySQL on moodle1.9 which runs on winXP.
Can you pls. advice?
Thats pretty much what I did, after following the auth SSPI bit of the apache instructions in the docs. After that it just worked Using the same setup as you on Win2k3.
Anyone have any tips for improving the speed on Linux based machines? The old NTLM plugin used to work very fast, but unfortunately Moodle 1.9's integrated NTLM SSO is fairly slow (it loads an image[.php] to authenticate?). I edited the timeout speed to make the page refresh faster but it's still very noticeable.
Maybe we could call check_browser_version() to check for IE -- so we only attempt NTLM with IE. Note however that FF _can_ do NTLM: http://www.testingreflections.com/node/view/1365
That would be good, as The machine I use firefox on is not on the windows network at work. Probably an unusual scenario though
Checking for IE would still involve the image loading though. What happens without this step? Am I right in assuming its to see if the login is possible before trying it? If so, is there no way to set a timeout or something so that the wait happens only in the event of a login failure? I don't think there are many (any?) instances of login being impossible now that things are set up ok, so this check is kind of redundant for me now.
Checking for IE would still involve the image loading though. What happens without this step? Am I right in assuming its to see if the login is possible before trying it? If so, is there no way to set a timeout or something so that the wait happens only in the event of a login failure? I don't think there are many (any?) instances of login being impossible now that things are set up ok, so this check is kind of redundant for me now.
> Checking for IE would still involve the image loading though.
No need for that step, just skip it, and the delay is gone. The very first step works like this: User goes to login/index.php and the active plugins get a chance to exec a hook. Right now, if NTLM auth is enabled, the hook redirects to the page that tries to load the image.
If we make that redirect conditional on MSIE, we are sorted. But I would only make it so with a config option -- some people may have Firefox with NTLM support enabled, and I don't know of any way to detect that reliably.
No need for that step, just skip it, and the delay is gone. The very first step works like this: User goes to login/index.php and the active plugins get a chance to exec a hook. Right now, if NTLM auth is enabled, the hook redirects to the page that tries to load the image.
If we make that redirect conditional on MSIE, we are sorted. But I would only make it so with a config option -- some people may have Firefox with NTLM support enabled, and I don't know of any way to detect that reliably.
No need for that step, just skip it, and the delay is gone. [...] If we make that redirect conditional on MSIE, we are sorted.
Well, in fact we need the redirect and specially the image loading. That's where the NTLM stuff really happens. If we skip it, there's no NTLM involved on the login at all.
Something like the attached patch (slightly tested with IE and FF in Windows) could do the trick.
Saludos. Iñaki.
Cool. But let's keep the technical discussion here (bugtracker is a bit too narrow-cast)
that would only be ok if admin was able enable/disable the check for IE - we use NTLM in FF as well as IE, as do many other NTLM installations.
Dan
Dan
(Sorry to dig up such an old discussion; MDL-13760 references this thread. I did look for a newer discussion and didn’t find one, but if I missed it, please direct me.)
Throughout this discussion, there seems to be a general assumption that having IE do NTLM quickly and having Firefox able to do NTLM at all are mutually exclusive. Maybe I’m missing something, but I don’t understand why that is.
Would it not be possible to always do the fast behaviour for IE clients, but still do the regular slow image check behaviour for non-IE clients? Seems to me that this would be an appropriate default behaviour, perhaps with a configurable option to always disable NTLM for non-IE clients.
The current way it is – being able to have fast IE, or Firefox support, but not both – is kind of restrictive.
Throughout this discussion, there seems to be a general assumption that having IE do NTLM quickly and having Firefox able to do NTLM at all are mutually exclusive. Maybe I’m missing something, but I don’t understand why that is.
Would it not be possible to always do the fast behaviour for IE clients, but still do the regular slow image check behaviour for non-IE clients? Seems to me that this would be an appropriate default behaviour, perhaps with a configurable option to always disable NTLM for non-IE clients.
The current way it is – being able to have fast IE, or Firefox support, but not both – is kind of restrictive.