After trying a lot of SSO solutions, which were all too complex to understand, I found a solution to SSO 3 services (Moodle, Foswiki, MRBS) with LDAP and Apache basic auth - all on 1 server.
Meanwhile, I have found a solution:
- Foswiki: Plugin ContribLdap with LoginManager::LdapApacheLogin and Users::LdapUserMapping
- Mrbs: Session-Management: remote_user, Auth: ldap
- Moodle: ldap-auth with enabled ntlm-sso and ntlm-subnet: 255.255.255.255/0
You have to patch <moodle-dir>/auth/ldap/auth.php ....
root@www2:/var/www/moodle20/auth/ldap# diff -bB auth.php /root/moodle20-orig/auth/ldap/auth.php
1812c1811
< // && (isguestuser() || !isloggedin()) // guestuser or not-logged-in users
---
> && (isguestuser() || !isloggedin()) // guestuser or not-logged-in users
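Review bot: on the `<` side at line 1812 the `(isguestuser() || !isloggedin())` term is disabled by commenting it out, with nothing recording why. The line is one `&&` term of a larger condition, so dropping it widens that condition to users who already have a non-guest session. Add a comment giving the reason and marking this as a local change, since an upgrade that replaces auth.php will silently restore the original line. The arguments to diff are also reversed (patched file first), so the `<` lines are the new state; `diff -u /root/moodle20-orig/auth/ldap/auth.php auth.php` would produce output that patch can apply.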
1880c1880
< //$username = substr(strrchr($username, '\\'), 1); //strip domain info
---
> $username = substr(strrchr($username, '\\'), 1); //strip domain info
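Review bot: at line 1880 the domain strip is removed outright rather than made conditional, so `DOMAIN\user` names are no longer handled at all. `strrchr()` returns false when `$username` contains no backslash, which is what a name coming from Apache Basic auth looks like, so a guard keeps both forms working: `if (strpos($username, '\\') !== false) { $username = substr(strrchr($username, '\\'), 1); }`. Leaving the old line behind `//` also makes the local change easy to miss at the next upgrade.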
In Apache you have to configure this for all directories:
(for example Moodle20, auth against LDAP paedML Linux)
<Directory /var/www/moodle20>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthName "Insert Username/Password"
    AuthLDAPURL "ldap://10.16.1.1:389/ou=accounts,dc=domain,dc=local?uid?one?(&(&(objectClass=inetOrgPerson)(!(cn=Computer)))(!(cn=ExamAccount)))"
    AuthLDAPGroupAttribute cn
    AuthLDAPGroupAttributeIsDN off
    require valid-user
    <Limit GET POST PUT>
        require group cn=teachers,ou=groups,dc=domain,dc=local
    </Limit>
</Directory>
I hope this helps someone...
Bertold
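
An added example, not part of Bertold's post: a small Python check that splits the AuthLDAPURL from the configuration above into its fields and reports two things a reviewer would look at before reusing it, namely an LDAP bind over unencrypted ldap:// and Require lines that sit inside <Limit>. The function names and finding labels are invented for this illustration, and the sample text is constructed from the directives quoted in the post.

```python
import re

# Constructed sample: only the directives from the post that this check reads.
SAMPLE = """\
<Directory /var/www/moodle20>
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://10.16.1.1:389/ou=accounts,dc=domain,dc=local?uid?one?(&(&(objectClass=inetOrgPerson)(!(cn=Computer)))(!(cn=ExamAccount)))"
require valid-user
<Limit GET POST PUT>
require group cn=teachers,ou=groups,dc=domain,dc=local
</Limit>
</Directory>
"""

def parse_ldap_url(args):
    """Split AuthLDAPURL arguments: scheme://host:port/basedn?attr?scope?filter [mode]."""
    m = re.match(r'\s*"?([^"\s]+)"?\s*(\S+)?', args)
    url, mode = m.group(1), (m.group(2) or "NONE").upper()
    scheme, rest = url.split("://", 1)
    hostport, _, tail = rest.partition("/")
    base, attr, scope, filt = (tail.split("?", 3) + [""] * 3)[:4]
    return {"scheme": scheme.lower(), "host": hostport, "base": base,
            "attr": attr, "scope": scope, "filter": filt, "mode": mode}

def audit(conf):
    """Return finding labels (names invented for this example) for one config text."""
    findings, limited = [], None
    for line in conf.splitlines():
        s = line.strip()
        low = s.lower()
        if low.startswith("<limit "):          # does not match <LimitExcept ...>
            limited = s[1:-1].split()[1:]      # methods the section applies to
        elif low.startswith("</limit>"):
            limited = None
        elif low.startswith("authldapurl "):
            u = parse_ldap_url(s.split(None, 1)[1])
            # ldap:// with no SSL/TLS/STARTTLS mode: the bind password is sent unencrypted
            if u["scheme"] == "ldap" and u["mode"] not in ("SSL", "TLS", "STARTTLS"):
                findings.append("cleartext-ldap:" + u["host"])
        elif low.startswith("require ") and limited:
            # a Require inside <Limit> is enforced only for the listed methods
            findings.append("require-limited-to:" + ",".join(limited))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```
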