Windows server: NTLM SSO so close now but can't finish


by Jamie Tinley -
Number of replies: 51
Our LDAP works now (thanks Inaki) and correctly pulls all active directory data into their profile. However, I can't get SSO to work yet. I followed the instructions using the single moodle setup for apache (2.2). It gives a dialogue box asking for username and password which I researched solutions and tried putting it in our intranet, internet, setting these custom and advanced tab to use windows authentication, and also tried mozilla after reading Anthony Borrow's suggestions there. no luck. tried using broader names for our server, http://*moodle.hilmar.k12.ca.us without success and edited group policies without success. I downloaded fiddler to check what happens- a great program but more detail than I know how to use. I finally asked our head admin and he edited as follows the file at c:\moodle\apache\conf\httpd.conf on lines
160 serveradmin admin@moodle
169 servername moodle:80
without success. He said I could use IIS which I already installed but we both realize that apache is much nicer and want to make it work.
The original file I edited to make ldap work is at c:\moodle\apache\bin\php.ini
Clues:
1. if we just type moodle in the browser, instead of going to the intranet it goes to the internet and appends it to moodle.hilmar.k12.ca.us, unlike other places we go in our network
2. although ldap works, I never was able to figure out how to verify the path: I tried -command; when I type php -m it would error. I changed the settings in mycomputer/advanced/environment variables where in path I tried many things, finally ending with all of these: c:\windows,c:\windows\system32, c:\windows\system32\wbem,c\moodle\apache\bin all in an effort to get it to show on my admin webpage the path c:\windows\php.ini and not just c:\windows. It says my path is c:\windows in command, Path, but I never find php there but in apache\bin

3. does the binding user have to be my head admin who can edit all active directory settings? I have access to change active directory and policies for all students and teacher accounts but not admin accounts.
4. location of ntlmsso_magic.php is in c:\moodle\moodle\auth\ldap which never shows any windows authentication when right clicking properties like you do for IIS setup - not sure if it should for apache setup say it there.
5. there are some ldap modules commented out in the file httpd.conf I noticed they were modules of some kind

Thanks in advance, hope these details give someone a clue as I'm pulling my hair out on this one. Thanks

James

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
I'm reading where others solved this by editing their config.php file - I assume the one in c:\moodle\moodle\config.php

i have these values, what should they be?

$CFG->dbtype = 'mysql';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = '**********';
$CFG->dbpass = '**********';
$CFG->dbpersist = false;
$CFG->prefix = 'mdl_';

$CFG->wwwroot = 'http://moodle.hilmar.k12.ca.us';
$CFG->dirroot = 'C:\moodle\moodle';
$CFG->dataroot = 'C:\moodle/moodledata';
$CFG->admin = 'admin';


(Edited by Anthony Borrow - original submission Friday, February 6, 2009, 12:18 PM - blocked out username/password)

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

I can see this is a hard issue to wrestle from the many posts here: http://moodle.org/mod/forum/discuss.php?d=93426
I found my php.ini file (in apache\bin\php.ini) and the error log is turned off. If I turn it on, I am not sure how to define where it should save them.

fiddler gives as much information or more than any log file. Maybe posting something from here would help someone help me. Let me know what to post.

I tried to install the diff patch and did a dry run with these a request for the "file to patch:" in the command line so I did not know what's wrong with my command:

C:\MOODLE\MOODLE\AUTH\LDAP>c:\bin\patch.exe --dry-run -p1 < ntlm-debugging.diff
can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php
|index 592a8c4..30c6cb4 100644
|--- a/auth/ldap/auth.php
|+++ b/auth/ldap/auth.php
--------------------------
File to patch:

What to do next, I know someone will eventually read my posts and help - this is obviously one of those pandora's boxes no one wants to open as it takes a while to solve but I'm going to keep posting information I read and try in hopes it helps diagnose my problem.  Thanks in advance,

James

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Richard Enison -
JT,
  1. I know very little about LDAP & SSO but I just had to respond because in your second post you TOLD THE WHOLE WORLD YOUR DATABASE P/W!!! Pls change it.
  2. Other than that, your config.php settings look fine, just from the point of view of a Moodle site in general. What changes, if any, would need to be made to it to get SSO to work I don't know, because as I said I know very little about it.
  3. The other thing I couldn't help but notice is that the pathnames in your site suggest very strongly that you are using the Complete Windows Moodle Package. If this is so, please stop using it on your server. It is for practice, learning to use Moodle, development, etc. on your home PC; for security reasons, it should not be used on servers.
  4. You're not sure where to put the log file? Anywhere you want. I mean you can define it as c:\moodle\php\errorlog.txt, or you can make it d:\united\nations\plaza.txt. Just as long as the directory you specify for it exists (create it first!).
  5. I've never used the patch utility, so my questions may seem dumb. But according to Development:How to apply a patch#Apply_a_Patch_in_Windows_using_gnuwin32, you should open the patch (diff) file in Wordpad and save it under a different name in MS-DOS format in your Moodle directory. Did you do that?
  6. It also said the number you put after the -p should depend on how the diff file was generated. Did you check? Btw offhand, from what I have just read in the patch command man page, -p1 is correct in your case.
  7. The error msg. seems to list four lines of input from the diff file preceding the line that produced the error. Does that list match the first four lines in the file (ntlm-debugging.diff)? What does line 5 look like?
RLE
In reply to Richard Enison

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
Thanks Richard - obviously a newbie still. But I can't edit my posts after 30 minutes so how can I change it now? can I now change my password? how? THanks,

James
In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jon Witts -
You will need to change your password in MySQL and then change the setting in your config.php file. The other thing that is noticeable from your config details is that you are using the root user for access to your database. Again this is a huge security risk and you should set up a MySQL user with access only to your moodle database.

See http://docs.moodle.org/en/Step-by-step_Install_Guide_for_Ubuntu#Install_MySQL_.28skip_Postgresql.29 for how to create new MySQL users from the MySQL command line.

I would agree with RLE in regards to not using the complete download package on a production server. You will get a much more configurable and secure system by installing each of the components (Apache, MySQL, PHP and Moodle) separately.

Jon
In reply to Jon Witts

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi Jon,

I went to your link above but I don't understand why I'm using ubuntu on my server 2003 or what program I put in the commands - do I do this on the run/command window?  where do I type in mysql commands? I already installed phpmyadmin add in - I thought I read I can run SQL commands from there, or no?  Thanks - I've been wanting to know how to program things in sql, I know this is a very basic question and I should know but I'm a new admin learning. 

Thanks, James

In reply to Richard Enison

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
I know I can put the logfile anywhere, but I mean how do I specify in php code where to put it? It's been a while since I installed it and my password and admin password are not the same as posted above so that must be the installation password I created or my other admin when we first deployed it. I don't remember where that was, I looked in the moodle user database for it but have not yet found it. Nor do I see it as a setting in admin somewhere - it's not the user admin password I use I know that.

If I installed the complete moodle package, I've had a hard time figuring out how to update moodle without losing my courses. Is it as simple as backing up a class, just backup the site, download latest 1.9, and then restore it? That would be nice. I installed another moodle for another school and probably made the same error.

I did not save the file under a new name, I will try that. I guess I better turn off apache until I figure out how to make the password safe - can I just change the one where I found and posted it or will that prevent moodle from running? I guess I'll find out, I can always change it back there. Thanks for your input and caring to respond.

James
In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Richard Enison -
JT,

Seems JW and I are in agreement on most things. Great minds think alike! smile But to fill in some details:
  1. It occurred to me that that's what you meant about the log file after I posted last. I guess I thought that since you saw in php.ini that the log was turned off, you saw (or soon would see) later in that same section of the file how the pathname of the log file is specified. It's not done with PHP code. Moodle is designed to be usable by non-programmers. Look for a line in php.ini that looks like this:

    ; Log errors to specified file.

    This line should be followed by a line (probably commented out with a semicolon at the beginning of it) that begins

    error_log = "

    Uncomment that line (delete the semicolon) and put the pathname you want between the quotation marks. Wow! Wasn't that complicated?
  2. I said in my post that it was your database p/w you had revealed, not your Moodle admin user p/w. As JW said, use a MySQL client program like MySQLAdmin or phpMyAdmin to change the p/w, then change the $CFG->dbpass line in config.php (top-level Moodle directory) to reflect the change and don't publish the new p/w! And I didn't ask you to change the post, I asked you to change the p/w.
  3. What p/w did you look for in the database? The database p/w isn't there; it's in config.php, as JW implied and as described in #2 above. The user p/w's are, but in encrypted form, so that won't do you any good if you forget them. There are ways around that problem, but let's cross that bridge when we come to it.
  4. How to update Moodle? See Upgrading. Be sure to follow the links to other Moodle doc pages on more specialized areas within the subject of upgrading, such as Upgrading to Moodle 1.9. See also Installation FAQ#How_do_I_upgrade_Moodle.3F_Do_I_just_overwrite_the_files.3F.
  5. Since the p/w that was compromised was a database p/w, turning off Apache would not do a whole lot of good. Turning off MySQL might! I'm not sure I understand your question about changing the p/w where you found and posted it. But if you change it in MySQL but not config.php (or vice versa), yes, that will prevent Moodle from working properly, if that's what you mean.
RLE
In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

This patch file seems to be one of the ntlm debugging patches I've posted in the forums. So you need to put the file in the same folder you have your config.php file (i.e., the 'top' moodle directory), not the auth/ldap directory, and from there execute the patch command you've used above.

I'll answer to your other posts in separate replies smile

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
Hi Inaki,

look at my error messages I posted earlier today and see if any tell you something. Also, on running this debugging patch, which file is it changing so I can back it up first? Then I'll try to run the patch again. It is so close - I fixed my apache, fixed my password, got all the code changes you asked for to allow apache to still work so I assume they are right or very close. What's the next step? Thanks Inaki

James
In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi Inaki,

please read my new posts for error messages and progress.  I think my sspi domain may be part of the problem.  I've tried everything I can think of.  apache error messages only show up when I completely fail to even log on.  Your diff patch I still can't get past the hunk error on dry run.  This should not be hard from here. 

ok, my sspidomain - I read is my dns and found it by typing in command ipconfig/all and it shows it as 10.xx.xx.xx. Also, I found by going to start/settings/network places, tcp/properties/advanced, dns it shows both that address and also 10.xx.yy.yy. Inaki posted I need the long name. I know I log in with hilmar/jtinley. I read in cmd type nslookup, and it shows both long and short name as the ip above and talon.hilmar.k12.ca.us. Let's try it. Edited httpd line 216 and restarted apache with no joy. I also read to use nbtstat which again lists the above but interestingly it says it is a nonexistent domain. I also read at this site, http://www.tech-faq.com/netbios-names.shtml, the difference between netbios name and DNS host name. Tried hilmar.local. Tried moodle.hilmar.k12.ca.us. Set moodle for the intranet zone and retested all above.

no joy.  I notice if I move it to the internet zone (moodle web page) in ie, then it requests my username and password.
So that definitely is something.  I added to moodle admin ldap settings the 10.xx.yy.yy/24 ip with no effect

I tried the test.php which I put into moodle/moodle and deeper in admin but it gives me the same blank page it gives others,
see link http://moodle.org/mod/forum/discuss.php?d=114316
I also gave permission to config.php to everyone without joy.

I tried forward and backward slashes in front of every single one in red above with http://  or http:\\  and restarted apache every time (although not ie)

ideas? How do I find my sspidomain for sure? Should I have a name in for valid user or leave it as valid-user?

SSPIDomain http://moodle.hilmar.k12.ca.us
  require valid-user

and yes, I have checked off to use sso in ldap settings and have all my correct subnet addresses because every computer in our district on different ip addresses all try to log in with sso and fail. And they all correctly authenticate with ldap once you log in manually.

I'll be back Wed 25th and I'm hoping one of you read my posts since Thursday.  Thanks

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -
Based on what you've posted recently, I think this is the block you need to put in your apache configuration file (Note: using forward or backward slashes in directory paths works exactly the same on Apache 2.x for Windows):

<Directory "C:\moodle\moodle\auth\ldap">
    <Files ntlmsso_magic.php>
        AuthName "Pu whatever text you want here"
        AuthType SSPI
        SSPIAuth On
        SSPIOfferBasic Off
        SSPIAuthoritative On
        SSPIDomain hilmar.k12.ca.us
        require valid-user
    </Files>
</Directory>

The text you put in the AuthName configuration setting is any free-form text you want. This text is displayed in the authentication dialog box for those users that are inside the configured subnets, but have not logged onto the domain, or that aren't using Internet Explorer.

Regarding the SSPIDomain name, this is the long Active Directory name. It's called the DNS name, but it has nothing to do with the configured DNS servers' IP addresses.

In your first post of this thread you stated that LDAP authentication was working ok. For LDAP authentication to work, you need to specify a bind user account. You can specify that user account using two different syntaxes in Active Directory:

* The user principal name. That syntax looks like an email address. For example, my username is 'iarenaza' and my Active Directory DNS name is 'windows2003.local'. So my user principal name looks like 'iarenaza@windows2003.local'. Remember, this is **not** an email address even if it looks like one, but a user account. :-)

* The distinguished name of the user. The syntax for the same user as the example above (assuming it's located in the 'Users' folder of the Active Directory tree) is cn=iarenaza,cn=users,dc=windows2003,dc=local.

So having a look at your already working LDAP settings for the bind user account you should be able to infer your Active Directory DNS name. It's either the part after the '@' sign, or the part that looks like 'dc=something,dc=something-else,...' (in fact 'dc' stands for domain component :-)). For example, if your bind user account looks like 'cn=ldap-user,cn=users,dc=hilmar,dc=k12,dc=ca,dc=us', then the Active Directory DNS name would be hilmar.k12.ca.us

Could you paste your LDAP settings here? (just make sure you don't post passwords and such). Some of the error log messages make me think there's something still misconfigured in your LDAP settings.

I hope this helps.

Saludos. Iñaki.
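The inference described in the reply above (AD DNS name from the bind account, whether it is written as a user principal name or as a distinguished name), as an added example that is not part of this thread or of Moodle's own code. The `check_sspidomain` helper is an assumption of mine: it compares a proposed SSPIDomain value with the inferred name and rejects the two mistakes seen earlier in the thread, a URL and a DNS server IP address used where the domain name belongs.

```python
# Added example: derive the Active Directory DNS (long) domain name from the
# LDAP bind account and sanity-check a proposed Apache SSPIDomain value.
# Not part of the forum thread or of Moodle's code; names are my own.
import re
from typing import List, Optional, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs.
    Commas escaped as '\\,' inside a value (e.g. CN=Tinley\\, James) do not
    split the RDN; attribute names are lower-cased for comparison."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError(f'malformed RDN: {rdn!r}')
        pairs.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return pairs


def ad_dns_name(bind_account: str) -> Optional[str]:
    """Return the AD DNS name for a bind account given either as a UPN
    (user@domain) or as a DN (the ordered dc= components joined by dots)."""
    acct = bind_account.strip()
    if '=' not in acct and '@' in acct:            # user principal name
        domain = acct.rsplit('@', 1)[1].strip().lower()
        return domain or None
    if '=' in acct:                                 # distinguished name
        dcs = [value for attr, value in split_dn(acct) if attr == 'dc']
        return '.'.join(dcs).lower() if dcs else None
    return None


_IPV4 = re.compile(r'\d{1,3}(\.\d{1,3}){3}')


def check_sspidomain(bind_account: str, configured: str) -> Tuple[bool, str]:
    """Compare a proposed SSPIDomain with the name inferred from the bind
    account. Returns (ok, explanation)."""
    expected = ad_dns_name(bind_account)
    if expected is None:
        return False, 'could not infer the AD DNS name from the bind account'
    value = configured.strip()
    if '://' in value or '/' in value:
        return False, f'SSPIDomain must be a domain name, not a URL; expected {expected}'
    if _IPV4.fullmatch(value):
        return False, f'SSPIDomain must be the AD DNS name, not a DNS server address; expected {expected}'
    if value.lower() != expected:
        return False, f'SSPIDomain {value!r} does not match the AD DNS name {expected!r}'
    return True, f'SSPIDomain {expected} matches the bind account'


if __name__ == '__main__':
    # Bind DN as posted in the thread (no secret in it), and two candidates.
    bind_dn = 'CN=James Tinley,OU=EES Staff,OU=Staff Accounts,DC=hilmar,DC=k12,DC=ca,DC=us'
    print(ad_dns_name(bind_dn))
    for candidate in ('http://moodle.hilmar.k12.ca.us', 'hilmar.k12.ca.us'):
        print(candidate, '->', check_sspidomain(bind_dn, candidate))
```

Run it as a script and it prints the inferred name for the bind DN from this thread, then the verdict for the URL that was tried earlier and for the bare domain name.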
In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi Inaki,

so are you saying I do or do not need to change

require valid-user  - should I use my bind user for valid-user or just say valid-user

Here's my ldap settings:

host url: ldap://pdc08.hilmar.k12.ca.us

version 3 

encoding utf-8

hide/password  yes

distinguished name CN=James Tinley,OU=EES Staff,OU=Staff Accounts,DC=hilmar,DC=k12,DC=ca,DC=us

usertype MS active directory

contexts: many here, one example: OU=2016,OU=EES Students,OU=Student Accounts,DC=hilmar,DC=k12,DC=ca,DC=us

search sub context: yes

dereference alias NO

user attribute: sAMAccountName

force password no

use standard change password: no

expiration no

warning no

grace logins yes

create users externally no

removed ex user : keep internal

ntlm sso

enable: yes

subnet: many, one example: 10.16.7.0/24

the other fields I filled in that I needed like givenName

I hope this helps and that I did not give out too much information again

James - ps, how do I single space on this page?


In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

so are you saying I do or do not need to change 'require valid-user' - should I use my bind user for valid-user or just say valid-user

Just say valid-user

grace logins yes

This doesn't have anything to do with NTLM SSO, but Moodle can't use grace logins with Active Directory, so you should set it to no.

Regarding the ldap warnings you posted previously, it seems they are generated because one (or more) LDAP contexts don't exist (probably there's a typo somewhere).

Other than that, I don't see anything out of place in your settings.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
Thanks Inaki,

Can you help me make the ntlmsso patch program work so I can log errors - what kind of errors will point me in a direction to solve the sso issue? it seems so close. I will try to do each context one at a time and see if one is messing it up or if one at least works with sso. How about my path in server advanced environment settings - I never figured that out right - could that affect it? Help me with ideas to try to solve this sso thing. Thanks

James
In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

I'd need the exact version of Moodle you are using. Have a look at c:\moodle\version.php (or wherever your Moodle is installed) and post the numbers here.

That will allow me to produce a patch tailored for that version which in turn will reduce the potential problems when trying to apply it smile

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi Inaki,

Here is my version below.  I tried each of my contexts separately and also made grace logins no but it did not work for any context (student, teacher, admin) for sso, all work for ldap to recognize user and all prompt for username and password.

Note my location is NOT c:\moodle\version but mine is at c:\moodle\moodle\version

this is copied from my version:

<?php

// MOODLE VERSION INFORMATION

// This file defines the current version of the core Moodle code being used.
// This is compared against the values stored in the database to determine
// whether upgrades should be performed (see lib/db/*.php)

    $version = 2007101509;  // YYYYMMDD      = date of the 1.9 branch (don't change)
                            //         X     = release number 1.9.[0,1,2,3...]
                            //          Y.YY = micro-increments between releases

    $release = '1.9 + (Build: 20080313)';     // Human-friendly version name

?>

Thanks,


James

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

Hi James,

try the attached patch. It should apply cleanly and I've converted it to MS-DOS line endings so you can use patch for win32 without problems.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Thanks Inaki,

I can't seem to get it to even give me the same error as last time. I re-downloaded and re-installed patch.exe and tried it from every file folder I can think of but it either says file not found or command not recognized. Here is my command window (note I also tried shortening the file name to NTLM.diff and it still did not work, both with and without .diff):

C:\bin>C:\Program Files\GnuWin32\bin\patch.exe --dry-run -p1 < ntlm-debugging-james-tinley.diff
The system cannot find the file specified.

C:\bin>CD C:\moodle\moodle

C:\moodle\moodle>C:\Program Files\GnuWin32\bin\patch.exe --dry-run -p1 < ntlm-debugging-james-tinley.diff
'C:\Program' is not recognized as an internal or external command,
operable program or batch file.

C:\moodle\moodle>cd c:\program files\gnuwin32\bin

C:\Program Files\GnuWin32\bin>C:\Program Files\GnuWin32\bin\patch.exe --dry-run -p1 < ntlm-debugging-james-tinley.diff
The system cannot find the file specified.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

OK, I finally got the patch to work! What's my next step?  How do I test the SSO out - where is the error log for this patch?

It did not like the space between program and files and I tried no space and underline but finally just copied it and put it back in c:/bin as per moodle documentation. Curiously, it was there already yet I could not duplicate my previous attempt and I figured out why: the old patch somehow became 0 kb. When I pasted in a new copy, and ran it from the location c:\moodle\moodle it finally worked. Just to be sure, here's my command code


C:\moodle\moodle\auth\ldap>cd c:\moodle\moodle

C:\moodle\moodle>c:\bin\patch.exe --dry-run -p1 < ntlm-debugging-james-tinley.diff
patching file auth/ldap/auth.php

C:\moodle\moodle>c:\bin\patch.exe -p1 < ntlm-debugging-james-tinley.diff
patching file auth/ldap/auth.php

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

What's my next step? How do I test the SSO out - where is the error log for this patch?

You have to enable debugging (go to Administration >> Server >> Debugging and set the debugging level to 'NORMAL'). Then try to login from a client that has an IP address that is inside one of the configured subnets and that is part of the AD domain, so the SSO triggers.

The error log from this patch will go to PHP error logs, just like other Moodle error logging messages.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

When logging on I see auth.php line 1869 has errors, then here's what's in my error log

[10-Mar-2009 09:14:08] ntlmsso_finish(): $key: deleted for protection

[10-Mar-2009 09:14:08] PHP Notice:  Undefined index:  rvT01GbYvT in C:\moodle\moodle\auth\ldap\auth.php on line 1869

[10-Mar-2009 09:14:08] ntlmsso_finish(): $cf[$key]:

[10-Mar-2009 09:14:08] ntlmsso_finish(): no sesskey or ntlmsess cache flag not set

[10-Mar-2009 09:14:08] ntlmsso_finish(): http://moodle.hilmar.k12.ca.us/auth/ldap/ntlmsso_attempt.php

Does this tell you something to try?  Thanks Inaki,

James

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

Are these the only log messages you get? Because there should be others too (before those ones). I suspect the NTLM SSO process is not taking place at all, or the NTLM authentication is failing. Could you please paste the lines I propose here http://moodle.org/mod/forum/discuss.php?d=112896#p518943 and see what you get in your logs?

Iñaki.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

replied on that forum accidentally.  Added lines of code to auth.php but now it does not even prompt me or let me log in: Here's the error log:

[10-Mar-2009 10:14:22] ntlmsso_finish(): $key: ZhULHBQL1N

[10-Mar-2009 10:14:22] PHP Notice:  Undefined index:  ZhULHBQL1N in C:\moodle\moodle\auth\ldap\auth.php on line 1869

[10-Mar-2009 10:14:22] ntlmsso_finish(): $cf[$key]:

[10-Mar-2009 10:14:22] ntlmsso_finish(): no sesskey or ntlmsess cache flag not set

[10-Mar-2009 10:14:22] PHP Notice:  Undefined index:  HTTP_REFERER in C:\moodle\moodle\auth\ldap\auth.php on line 1874

[10-Mar-2009 10:14:22] ntlmsso_finish():

[10-Mar-2009 12:18:17] REQUEST_METHOD: GET

[10-Mar-2009 12:18:17] ntlmsso_enabled: 1

[10-Mar-2009 12:18:17] ntlmsso_subnet: 10.16.20.10/24,10.16.7.0/24,10.16.8.0/24,10.16.150.0/23,10.16.3.0/24

[10-Mar-2009 12:18:17] PHP Notice:  Undefined index:  authldap_skipntlmsso in C:\moodle\moodle\auth\ldap\auth.php on line 1809

[10-Mar-2009 12:18:17] authldap_skipntlmsso:

[10-Mar-2009 12:18:17] isguestuser:

[10-Mar-2009 12:18:17] isloggedin:

[10-Mar-2009 12:18:17] REMOTE_ADDR: 10.16.151.58

I commented out (#) line 1809, now it prompts me for my name again but does not work to login that way.

I also tried from ip address [10-Mar-2009 13:12:11] REMOTE_ADDR: 10.16.8.199

and [10-Mar-2009 13:18:12] REMOTE_ADDR: 10.16.150.10
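The debug log above prints the configured `ntlmsso_subnet` list and the client's `REMOTE_ADDR`, which is exactly what you need to check whether a given client should have triggered SSO at all. The following is an added example, not part of the thread or of Moodle's own code: it parses the subnet setting as Moodle writes it (comma-separated CIDR entries, including one such as `10.16.20.10/24` whose host bits are set, which is normalised to `10.16.20.0/24`), decides which subnet a client falls in, and walks a set of constructed log lines shaped like the ones posted above to report the match for each `REMOTE_ADDR`. The function names and the log-line regex are my own assumptions.

```python
# Added example: does a client address fall inside Moodle's "NTLM SSO subnet"
# list? Not part of the thread or of Moodle's code; names are assumptions.
import ipaddress
import re
from typing import List, Optional, Tuple


def parse_subnets(setting: str) -> List[ipaddress.IPv4Network]:
    """Parse the comma-separated subnet setting. Entries with host bits set
    (e.g. '10.16.20.10/24') are accepted and normalised to their network, and
    a bare address becomes a /32. Blank entries are ignored."""
    nets = []
    for entry in setting.split(','):
        entry = entry.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def matching_subnet(remote_addr: str, setting: str) -> Optional[str]:
    """Return the first configured subnet containing remote_addr, or None."""
    addr = ipaddress.ip_address(remote_addr.strip())
    for net in parse_subnets(setting):
        if addr in net:
            return str(net)
    return None


def sso_would_trigger(remote_addr: str, setting: str) -> bool:
    """True when the client is inside one of the SSO subnets (the subnet test
    is only the first of the SSO preconditions; AD membership and the browser
    zone are checked elsewhere)."""
    return matching_subnet(remote_addr, setting) is not None


# Lines look like "[10-Mar-2009 12:18:17] REMOTE_ADDR: 10.16.151.58".
_LOG_LINE = re.compile(r'^\[[^\]]+\]\s+(\w+):\s*(.*)$')


def audit_log(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Walk debug log lines in order, remember the latest ntlmsso_subnet
    setting, and report (REMOTE_ADDR, matched subnet or None) for each client.
    Lines that are not "key: value" records (PHP notices, ntlmsso_finish()
    traces) are skipped."""
    setting = ''
    results = []
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == 'ntlmsso_subnet':
            setting = value
        elif key == 'REMOTE_ADDR':
            results.append((value, matching_subnet(value, setting)))
    return results


# Constructed sample log, shaped like the excerpt in the thread (same subnet
# list and client addresses, plus one client outside every subnet).
SUBNETS = '10.16.20.10/24,10.16.7.0/24,10.16.8.0/24,10.16.150.0/23,10.16.3.0/24'
SAMPLE_LOG = [
    '[10-Mar-2009 12:18:17] REQUEST_METHOD: GET',
    '[10-Mar-2009 12:18:17] ntlmsso_enabled: 1',
    '[10-Mar-2009 12:18:17] ntlmsso_subnet: ' + SUBNETS,
    '[10-Mar-2009 12:18:17] PHP Notice:  Undefined index:  authldap_skipntlmsso in auth.php on line 1809',
    '[10-Mar-2009 12:18:17] REMOTE_ADDR: 10.16.151.58',
    '[10-Mar-2009 13:12:11] REMOTE_ADDR: 10.16.8.199',
    '[10-Mar-2009 13:18:12] REMOTE_ADDR: 10.16.150.10',
    '[10-Mar-2009 13:20:00] REMOTE_ADDR: 192.168.1.20',
]

if __name__ == '__main__':
    for addr, net in audit_log(SAMPLE_LOG):
        print(f'{addr:16} -> {net or "no matching SSO subnet"}')
```

All three clients from the thread land inside a configured subnet, so the subnet setting itself is not what blocks them; the fourth, constructed address shows what a miss looks like.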

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi Inaki, did you see my other error messages above? I know most of my subnets are on my list and that I have sso checked. I see the error about no sesskey, could that be part of the problem as well as the other errors above? (viewed in newest post order)

[10-Mar-2009 19:56:25] ntlmsso_finish(): no sesskey or ntlmsess cache flag not set

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi Inaki,

There are a lot more error messages now but I don't want to paste the whole thing. Maybe I can attach it here for you to look at. I hope you have time to see this. Thanks for making the error log work for me - I just don't know what to look for to fix it.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi Inaki,

see previous posts since March 10th. Today I found out only my OLD users are authenticated. All new users fail to authenticate now on LDAP. I'm looking for changes - at Active Directory level I can't edit some staff profile fields now as I could - head admin recreated my account and tried to give me all again without success. I can edit students' just fine. Neither authenticate. My name is the bind user. Other changes: moodle password I had given out earlier to you. Patch from you in diff format. We upgraded one server to 2008 (was 2003). Could any of these things be stopping ldap auth? Can't believe I'm back to square one

Thanks for hanging with me.  James

here are errors from error.log

[Mon Mar 16 11:01:52 2009] [notice] Parent: Received shutdown signal -- Shutting down the server.
[Mon Mar 16 11:01:52 2009] [notice] Child 5820: Exit event signaled. Child process is ending.
[Mon Mar 16 11:01:53 2009] [notice] Child 5820: Released the start mutex
[Mon Mar 16 11:01:54 2009] [notice] Child 5820: Waiting for 50 worker threads to exit.
[Mon Mar 16 11:01:54 2009] [notice] Child 5820: All worker threads have exited.
[Mon Mar 16 11:01:54 2009] [notice] Child 5820: Child process is exiting
[Mon Mar 16 11:01:54 2009] [notice] Parent: Child process exited successfully.
[Mon Mar 16 11:01:58 2009] [notice] Apache/2.2.6 (Win32) mod_ssl/2.2.6 OpenSSL/0.9.8g mod_autoindex_color mod_auth_sspi/1.0.1 PHP/5.2.5 configured -- resuming normal operations
[Mon Mar 16 11:01:58 2009] [notice] Server built: Nov  7 2007 11:48:48
[Mon Mar 16 11:01:58 2009] [notice] Parent: Created child process 4880
[Mon Mar 16 11:02:00 2009] [notice] Child 4880: Child process is running
[Mon Mar 16 11:02:00 2009] [notice] Child 4880: Acquired the start mutex.

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

I've finally had a bit of time to look at your logs, and there's something that stumps me. There are three "successful" attempts for the user 'jtinley'. Successful in that the user is retrieved via NTLM authentication and the last step of the authentication process seems to go smoothly, only to fail at the last step (when we call authenticate_user_login()).

This is a bit strange, unless the user 'jtinley' is not configured to authenticate via LDAP or the LDAP settings somehow prevent him from logging on.

Is that user configured to use 'ldap' as the authentication plugin? Can that user log in if it uses the regular login? (not the SSO auto-login).

Saludos. Iñaki.

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

I don't think upgrading to Windows 2008 server makes a difference, but I've never tested NTLM SSO with W2008. I'll see if I can setup a W2008 test machine in the following days just to make sure that isn't a problem in itself.

Saludos. Iñaki.

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

Your moodle URL is 'http://moodle.hilmar.k12.ca.us' according to your config.php file, so you should edit your httpd.conf file and set the ServerName setting to that hostname:

ServerName moodle.hilmar.k12.ca.us

Then, assuming you are using the SSPI authentication module for Apache, you need to make sure that you have a block of lines like these in your httpd.conf file (assuming that moodle is installed in C:\moodle\moodle):

<Directory "C:\moodle\moodle\auth\ldap">
    <Files ntlmsso_magic.php>
        AuthName "Moodle at My School"
        AuthType SSPI
        SSPIAuth On
        SSPIOfferBasic Off
        SSPIAuthoritative On
        SSPIDomain my.windows.domain.name
        require valid-user
    </Files>
</Directory>

where 'my.windows.domain.name' is the DNS (long) name of your Active Directory domain name. For example, my test box Active Directory NETBIOS (short) name is 'WINDOWS2003' and the DNS (long name) is 'windows2003.local'.

Then you need to make sure you enable the NTLM SSO login option in the LDAP settings page, and that you specify the IP subnet addresses for the clients you want to apply NTLM SSO login.

Lastly, you need to add 'http://moodle.hilmar.k12.ca.us' to your Internet Explorer 'Local Intranet' security zone.

Regarding your PATH questions, I'm afraid I don't understand them.

And the question regarding the binding user, it doesn't have to be a privileged user at all. It just needs to be able to read the objects (users, groups, etc.) moodle needs to work.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi all,

Thanks for everyone's replies and help.  I made some changes and so currently apache fails to restart saying to check the service log which I did and found under system events this error: "the apache 2.2 service terminated with server specific error 1 (0x1)".  Not sure what that means.

Here's what I changed:

1. changed php.ini file at these lines to allow it to save error log file
330 changed it to track_errors = on
353: error_log = "C:\moodle\apache\logs\phperror.log"

took ; off in front so it saves (Richard, you were right, it was easy & I missed it my first read through)

2. I put patch (ntlm-debugging.diff) in wrong folder, (C:\moodle\moodle\auth\ldap) now I put it into C:\moodle\moodle

now in command I get this result copied from command

C:\MOODLE\MOODLE>c:\bin\patch.exe --dry-run -p1 < ntlm-debugging.diff
patching file auth/ldap/auth.php
Assertion failed: hunk, file ../patch-2.5.9-src/patch.c, line 354

This application has requested the Runtime to terminate it in an unus
Please contact the application's support team for more information.

3. edited httpd.conf file  servername as moodle.hilmar.k12.ca.us
169 ServerName moodle.hilmar.k12.ca.us #moodle:80 I assume # comments things out like I use the ' in VBA  maybe this is causing apache not to restart?

204 <Directory "C:\moodle\moodle\auth\ldap">   #"C:/moodle/moodle">
and I added lines 205 to 214 exactly as you wrote as follows but with indents.

Do I need a specific user or just put what I used below?

 <Files ntlmsso_magic.php>
  AuthName "Moodle at my school"
  AuthType SSPI
  SSPIAuth on
  SSPIOfferBasic Off
  SSPIAuthoritative on
  SSPIDomain pdc08.hilmar.k12.ca.us
  require valid-user
 </Files>
</Directory> 

4. I'm reading about how to correctly install moodle and have not yet figured out the SQL commands to change my password yet.  I'm reading still.

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Richard Enison -
JT,
  1. OK. Your error-log line looks perfect. But it won't do anything unless you also have an uncommented line that says

    log_errors = On
  2. The "assertion failed" msg. seems to be saying that the difference between the two versions of auth.php does not correspond to what is in the patch file. But that's just an educated guess.
  3. Yes, the # is the comment character for Apache .conf files. I don't think your ServerName directive is the reason Apache won't restart. Contrary to what IA said in his post, I found these comments near the beginning of my httpd.conf file, which came with the Complete Windows Moodle Package:

    # NOTE: Where filenames are specified, you must use forward slashes
    # instead of backslashes (e.g., "c:/apache" instead of "c:\apache").

    If that is true, maybe that is why Apache won't start. Also, I don't know how you figure pdc08 is part of your domain name. It is not in your URL.
  4. The MySQL query to change your p/w is described at http://dev.mysql.com/doc/refman/5.0/en/set-password.html. You can enter it using any MySQL client program, including the Query tab in phpMyAdmin. But to do that, you have to be able to run phpMyAdmin. If you really did install the add-in, then assuming you can log into Moodle as admin (problematic since you still have the Moodle database set up with the p/w the world knows!), you can access it by going to the Server submenu of the Administrator menu and clicking on Database, as documented at MySQL Admin.

    RLE
In reply to Richard Enison

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
Hi Richard, out yesterday to the doctor's. Back. Still no Apache service! Tried undoing everything I did and no luck still.

1. changed log_errors = On (I had only changed track_errors to be on)
2 - skipping for now
3. tried forward slashes, now put it back as it was exactly deleting my extra lines.
changed url back to http://moodle.hilmar.k12.ca.us trying both forward/backward slashes. now deleted this to return it to original state - still no apache

4. Have not tried the sql commands yet - although I have a security risk that allows others to get in, I'm not yet smart enough to get back in myself. Thanks in advance

looking at config.php, I don't think I renamed the root but mine says:

'http://moodle.hilmar.k12.ca.us';
Was that different before? are the slashes wrong?

JT
In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Richard Enison -
JT,
  1. Good.
  2. OK.
  3. I only reported what the comments said. I didn't write them. But I'm not sure what you mean by "it was exactly deleting my extra lines."
  4. Not much I can do about that.
  5. Looks okay to me. And it appears to be consistent with your earlier posts in this thread, except that in your very first post there was an asterisk before moodle. I presumed that was a typo.
RLE
In reply to Richard Enison

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
Finally got apache to start - I had used comment lines # in the middle and not at the beginning (like I can in VBA for excel - I did not know I can't do that here)

So now I will go back and try to put in changes WITHOUT using # in middle and report back to you.
In reply to Richard Enison

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
Hi Richard and Inaki,

finally changed my site password using phpmyadmin. That seemed really hard but ended up being super easy (always after the fact). Will post here later for others. Now back to sso and upgrading to a true moodle system and not a demo one like you say I'm using. I don't quite get how to do upgrades but I'll post back my specific question later. for now, at least it's safe and I want to make SSO work.

Thanks,

James
In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Hi Inaki,

server is back up, I re-added your lines but see my notes and questions next to each: also, does it matter if it is indented the same or not? mine are all flush left.

<Directory "C:\moodle\moodle\auth\ldap"> yes this is correct

    <Files ntlmsso_magic.php>

        AuthName "Moodle at My School"  I kept this exactly, should I have a different name in quotes?

        AuthType SSPI  ** I think this is what I use but how can I tell?

        SSPIAuth On

        SSPIOfferBasic Off

        SSPIAuthoritative On

        SSPIDomain http://moodle.hilmar.k12.ca.us  **are my slashes wrong? tried with and without the http on the front and changed the slashes to no avail. apache works
        require valid-user  ** am I supposed to put some user like me here?

    </Files>

</Directory>

apache works and I get the request for login - it even fills my name in jtinley. ideas?


In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Ok, my php.ini error code is working great.  here are some of my errors for you:

[20-Feb-2009 13:31:14] [client 10.16.7.10]  http://moodle.hilmar.k12.ca.us  Failed Login:  jtinley  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

I also tried from internet explorer and from two different servers - one asked for credentials in a popup dialogue. Both failed to log me in automatically.  Mozilla firefox failed because we have something wrong with it today so it would not even load.  Not sure how it logged an error for firefox when I could not even get firefox to load at all.  Here are some other errors from previous days before I re-instated above post Directory code

[19-Feb-2009 10:17:48] [client 10.16.7.10]  http://moodle.hilmar.k12.ca.us  Failed Login:  reyesliliana  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

[19-Feb-2009 10:18:05] PHP Warning:  ldap_search() [<a href='function.ldap-search'>function.ldap-search</a>]: Search: No such object in C:\moodle\moodle\auth\ldap\auth.php on line 1624

[19-Feb-2009 10:18:05] PHP Warning:  ldap_first_entry(): supplied argument is not a valid ldap result resource in C:\moodle\moodle\auth\ldap\auth.php on line 1632

[19-Feb-2009 10:18:05] [client 10.16.7.10]  http://moodle.hilmar.k12.ca.us  Failed Login:  quevedofanny  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

[19-Feb-2009 10:18:56] PHP Warning:  ldap_search() [<a href='function.ldap-search'>function.ldap-search</a>]: Search: No such object in C:\moodle\moodle\auth\ldap\auth.php on line 1624

[19-Feb-2009 10:18:56] PHP Warning:  ldap_first_entry(): supplied argument is not a valid ldap result resource in C:\moodle\moodle\auth\ldap\auth.php on line 1632

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Matt Gibson -
AuthType SSPI ** I think this is what I use but how can I tell?

This entire process only works if Apache is retrieving the user's credentials from the browser so that it knows the AD username of the person logging on.

This means that you need a module installed in apache that will do this, either mod_auth_sspi or mod_auth_ntlm.

Go to Admin block -> server -> phpinfo and find the bit about the apache2handler. You can see a list of installed modules there, so first thing is do you have mod_auth_sspi? If not, google it and install. It's pretty easy.

If you do, check the details are coming through with a small text file called something like test.php which you can put in your moodle directory containing

<?php
echo $_SERVER['REMOTE_USER'];
?>


then go to www.yourmoodle.com/test.php and see if you see your username.
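Building on Matt's test.php and on Iñaki's point about the SSO subnet list, here is an added diagnostic script (not Moodle's code and not from anyone in the thread) that checks the two things ntlmsso_magic.php depends on: that mod_auth_sspi actually populated REMOTE_USER, and that the client address falls inside the subnets configured for NTLM SSO. The function names, the "DOMAIN\user" / "user@domain" name forms and the sample subnet list are assumptions; put the script in the same <Files> block as ntlmsso_magic.php so Apache authenticates it too.

```php
<?php
// Added example, not part of Moodle or of this thread. Checks the two
// prerequisites for NTLM SSO that the posts above discuss:
//   1. Apache (mod_auth_sspi) put an authenticated name in REMOTE_USER
//   2. the browser's address is inside a subnet configured for SSO
// All function names here are hypothetical; the subnet list is a constructed sample.

declare(strict_types=1);

/**
 * Strip the Windows domain from the SSPI-supplied name.
 * Assumption: the module hands over "DOMAIN\user" or "user@domain.tld".
 * Returns null for an empty name or one containing characters an AD
 * sAMAccountName cannot contain, so nothing odd is ever passed on to LDAP.
 */
function sspi_username(?string $remote_user): ?string {
    if ($remote_user === null || $remote_user === '') {
        return null;
    }
    $user = $remote_user;
    if (($pos = strrpos($user, '\\')) !== false) {
        $user = substr($user, $pos + 1);          // DOMAIN\user -> user
    } elseif (($pos = strpos($user, '@')) !== false) {
        $user = substr($user, 0, $pos);           // user@domain -> user
    }
    // sAMAccountName may not contain: " / \ [ ] : ; | = , + * ? < >
    if ($user === '' || preg_match('/["\/\\\\\[\]:;|=,+*?<>]/', $user)) {
        return null;
    }
    return strtolower($user);
}

/**
 * Is $ip inside any of the comma-separated IPv4 CIDR subnets?
 * IPv4 only, which matches the 10.16.7.10-style clients in the thread.
 */
function ip_in_subnets(string $ip, string $subnets): bool {
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    foreach (explode(',', $subnets) as $cidr) {
        $cidr = trim($cidr);
        if ($cidr === '') {
            continue;
        }
        [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
        $netaddr = ip2long($net);
        if ($netaddr === false || !ctype_digit($bits) || (int)$bits > 32) {
            continue;                               // skip malformed entries
        }
        $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($netaddr & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Build the diagnostic lines. $sso_subnets should be the same
 * comma-separated list you typed into the NTLM SSO subnet setting
 * on the LDAP settings page (assumption: CIDR notation).
 */
function ntlmsso_precheck(array $server, string $sso_subnets): array {
    $lines = [];
    $user = sspi_username($server['REMOTE_USER'] ?? null);
    if ($user === null) {
        $lines[] = 'FAIL: REMOTE_USER is empty or unusable; the SSPI module did not '
                 . 'authenticate the browser (check the <Files> block, SSPIDomain '
                 . 'and the IE zone / logon settings).';
    } else {
        $lines[] = "OK: Apache authenticated the browser as '$user'.";
    }
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (ip_in_subnets($ip, $sso_subnets)) {
        $lines[] = "OK: client $ip is inside the NTLM SSO subnets.";
    } else {
        $lines[] = "FAIL: client $ip is outside the NTLM SSO subnets ($sso_subnets); "
                 . 'Moodle will show the normal login form instead.';
    }
    return $lines;
}

// Only meaningful when requested through Apache; the CLI has no REMOTE_ADDR.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
    // Constructed sample list; replace with the subnets from your LDAP settings page.
    echo implode("\n", ntlmsso_precheck($_SERVER, '10.16.7.0/24, 10.16.8.0/24')), "\n";
}
```

If the first line reads FAIL from a domain-joined PC on the listed subnet, the problem is on the Apache/IE side, not in Moodle's LDAP settings.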
In reply to Matt Gibson

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Thanks Matt and Inaki, I'm so thankful to have new responses! I check 3x a day and spend hours each day after school trying to understand ntlmsso (I'm a slow learner but determined).  Here's what it says in phpinfo apache2handler

Apache/2.2.6 (Win32) mod_ssl/2.2.6 OpenSSL/0.9.8g mod_autoindex_color mod_auth_sspi/1.0.1 PHP/5.2.5

which directory should I put this text file test?  /c/moodle/moodle/test.php?

Thank you both so much for replying.  Inaki, we have BOTH server 2003 and 2008.  I am testing from both and so it does not seem to matter.  I only mention it because I lost some admin rights to change a few things - like my vmware duplicate test moodle server won't let my credential work now and my profile in AD (my head admin recreated my name again and put me in the root of both students and teachers but still no change.  I'm 1/2 teacher 1/2 tech.  I can edit all students but ldap no longer pulls in any information to profile page so is not working again.  I tried putting original php.ini, http.conf back in without success.  However it DOES know if they are in AD and their password because if I purposely type it wrong, it tells me so. 

I, Jtinley, have rights to everything he can possibly give me my head admin said.  More tomorrow when I'm back at work and can get into our moodle.

YES, I can login fine from home, fine when I bypass sso by clicking continue and logging in. In fact, all AD users can login and it creates a profile page for them - it's just blank now when it used to fill in information perfectly before we moved to server 2008 and I made many changes trying to make sso work.

you ask, "Is that user configured to use 'ldap' as the authentication plugin" How can I tell? where is my user configuration for ldap? You've seen my posted ldap settings.  Where else do I look?

to test I use a new student, myself, and teacher who was in moodle but I deleted her to test ldap finding her profile info from AD (no success again when there was before Jan 30th)

Inaki, can I send you all my relevant files: httpd.conf, php.ini, etc so you can really see them better?

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Iñaki Arenaza -

Hi Jamie,

I don't think php.ini makes a difference here, although httpd.conf could (though I'd say the NTLM config works, as I get an authentication dialog box if I directly ask for http://moodle.hilmar.k12.ca.us/auth/ldap/ntlmsso_magic.php).

I've sent you a private message via Moodle messaging with my email address. If possible, I'd like to get a copy of your config.php file (make sure you erase or obscure your database username/password, as they are not necessary to troubleshoot this), a copy of your current .../auth/ldap/ folder (all the files in there) and a copy of your current .../lib/moodlelib.php file.

In addition to that, I'd like a copy of your LDAP auth settings. You can get them by executing the following SQL query in your Moodle database:

select name, value from mdl_config_plugins where plugin = 'auth/ldap';

Save the results to a file, erase or obscure the password you get in the 'bind_pw' value and send them to me, please.

Also, if you can use the 'Active Directory Users and Computers' tool, start it up, go to the 'View' menu and make sure you have 'Advanced Features' enabled. Next find your user in the Active Directory tree, right-click on it, select 'Properties' and go to the 'Object' tab and copy the 'Canonical name of object' value, and send that value to me too.

I hope with all this information we'll be able to troubleshoot this little mess we have.

you ask, "Is that user configured to use 'ldap' as the authentication plugin" How can I tell? where is my user configuration for ldap? You've seen my posted ldap settings. Where else do I look?

Log in as a Moodle admin, go to Administration >> Users >> Accounts >> Browse List of Accounts, find your user, click on the 'Edit' link, when you get the user details page click on 'Show Advanced' and see what appears in the 'Choose an authentication method' setting. It should read 'LDAP server'.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

Thanks so much for your continued support!  Ldap is back!  Crazy - I checked my profile and it was manual authentication which I could not edit so I went to admin/auth and saw the arrows said ldap was 2nd after "no authentication" which I never remember.  So I disabled 'no authentication' and put ldap ahead (making it 3rd, manual comes first by default I guess, then no login, then ldap).

I went back to my profile but it still says manual login. Students work now and their profile says: ldap server and actually gives a drop down, but only on students I added by logging into ldap.  I guess I created my name so those like mine might always say manual which makes sense.

Ldap works perfect for new teacher, but was not working for some students. The reason was our AD folders structure changed:head admin took some students out of one folder and put them all together for one school instead of by grade: ie

normal

OU=2015,OU=MES Students,OU=Student Accounts,DC=hilmar,DC=k12,DC=ca,DC=us

but some have no year because he pulled them out of the year folder:

OU=EES Students,OU=Student Accounts,DC=hilmar,DC=k12,DC=ca,DC=us

One issue on profile for students it stays on profile when they log in: email address is blank and it says invalid email address and fails to save profile.  On teachers it works fine because I assume there is an email address (students don't have one).  I can't change this in either of two ways I tried: 1. can't edit profile right now in AD.  2. taking 'mail' off of ldap data mapping does not change anything - I guess moodle wants an email address. 

It still prompts for SSO on all subnets that I listed so those are correct - it just can't finish authenticating (undefined index on auth.php line 1878 and 1883).

I remember reading about SSO when you are prompted for username that it can have something to do with ie local internet security but I already made moodle part of that security as a trusted place. 

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

90% success now: sso skips the prompt and automatically puts in the username but just not the password. Also positive: when I put in a user's password it authenticates and no longer hangs on the profile (was caused by no email address). Clear communication is important: Our head admin put into the AD field of users a fake email for all of them. But not all of them like I thought: I was trying a username in an O.U. that did NOT have the new fake email: hence moodle logins for new students got stuck on the profile page. Once I checked the A.D. students from various schools I found the one that had the new fake emails and then tried them in moodle and they authenticate fine without stopping at profile.

Last step is to make the SSO put in the password. I'm getting these errors when trying to load our moodle website from any user's login to a mstsc terminal session (it happens very fast and moves onto the login page quickly):

Notice: Undefined index: authldap_skipntlmsso in C:\moodle\moodle\auth\ldap\auth.php on line 1809


Notice: Undefined index: authldap_skipntlmsso in C:\moodle\moodle\auth\ldap\auth.php on line 1809
Warning: Cannot modify header information - headers already sent by (output started at C:\moodle\moodle\auth\ldap\auth.php:1809) in C:\moodle\moodle\lib\moodlelib.php on line 2636
Warning: Cannot modify header information - headers already sent by (output started at C:\moodle\moodle\auth\ldap\auth.php:1809) in C:\moodle\moodle\lib\moodlelib.php on line 2637

Thanks again for reading: hopefully someone will benefit from posting all the details and all the great advice I'm getting.  Maybe your learning curve will be reduced.

Jamie

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

update: one server was not allowing them to login still: it had the error 'unfortunately cookies are not enabled.  This prevented them from logging in.  I did 3 solutions but this last one worked:

see link http://moodle.org/mod/forum/post.php?reply=393897 

where I said this: Thanks Siegmund, this worked for me!  I too had the cookie error on just  one server address, others worked fine.  Just to re-explain: go to your moodle server.  I searched for index.php but there are a lot so make sure to get the one in /moodle/moodle/login.  I found that line 13 on my file had $testcookies = optional_param etc.   Use notepad++ you can download for free. It's easier to read than wordpad. Once you comment it out it really works. I restarted apache just in case. 

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

HI Inaki,

just an update. We found that it's running very very slowly with more than 5 users logged on. My head admin is helping now first we noticed the access log was being written to a lot. commenting out that helped 10 users log on but it still hung with more users. He realized it's mostly apache. We considered using a 64 bit system but apache does not have a 64 bit version. He tried increasing ram without effect. Our Moodle was on a quad core virtual server with each at 2000 so we tried putting it on a dual core server that runs faster at 2800. Still slow. Now we're checking into a ubuntu system setup. I also noted what one person said here about complete vs manual installations so we will look into that:

http://moodle.org/mod/forum/post.php?reply=522128

Lastly, he wondered if the ntlm-debugging-james-tinley.diff

might be slowing moodle down. is there a way I can undo those differences to check without having to manually comment out all the changes?

Thanks again for your help.  I check my blocked emails daily for your name.  Thanks for your time

Jamie

In reply to Iñaki Arenaza

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -

For anyone reading, we finally solved SSO!!! It took a long time to solve. I spent a lot of unnecessary time making changes to the Moodle settings and the php code without success. The solution ended up being pretty easy but required multiple settings or it wouldn't work. I would have never found it myself ever so I want to thank both Larry Rego and Inaki Arenaza for all their help. Larry is our District Admin and here is how he explained what he did (my comments are in italics):

Steps:

1. (most of you will not need this but it really sidetracked us) Our domain was still windows 2000 and policies for IE7 and 8 were not replicating because they hadn't been uploaded just yet. That was one of our problems. The other was that the domain controller we used was the original in our system and has had LOTS of problems over the years. When I pulled that system out of the domain, lots of strange issues were fixed without me doing anything.

2. Group Policy Settings:

a. (site to zone): User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List

This setting needs to include the site(s) that SSO will be used with.

See attachment picture 01

b. (logon options - a new one for me) User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone > Logon Options

In addition to the option above, set this so that when the Moodle site is opened, IE will automatically send the current user's credentials to logon.

See attachment picture 02

3. Also, I noted that in active directory, you have to have an email address for it to work or you get this error below:

See attachment picture 03

In Active Directory, change the users' email to at least something - we don't let students use email so we made a fake one as my example below shows:

See attachment picture 04

And don't forget the best tip I've ever learned and used: Never Give Up!

In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
Sorry, Here they are:

Attachment TS_Moodle_SSO_01.jpeg
In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
logon options:

Attachment TS_Moodle_SSO_02.jpeg
In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
issue you will see on SSO if they have no email address
Attachment TS_Moodle_SSO_03.jpeg
In reply to Jamie Tinley

Re: Windows server: NTLM SSO so close now but can't finish

by Jamie Tinley -
Active Directory showing location of email address
Attachment TS_Moodle_SSO_04.jpeg