I'm beginning to think this is not possible. Can anybody confirm or dispprove.
I'm beginning to think it is not possible. I still want to be able to have guest access on so that those without accounts can see the home pages and maybe one or two bits and pieces. I don't want the site to prompt to log in to even get to the home page, I need to be able to see the home page from the Internet.
If I put IP ranges in the field which implies it is optional but according to another posting is actually mandatory then it doesn't actually match the IP by the time it has got through the Firewall to the DMZ.
Any thoughts, suggestions, confirmations or disproves would be wonderful.
I have a suspicion it might work I just can't get the NTLM to trigger. I don't want to select 'force users to log in' I want the home page available.
It does however look odd in that at the top it says you are logged in as etc. whilst at the same time offering you the login page, making it look like you aren't logged in. All a bit of a mess really.
I think the NTLM is working but only if you go directly to the page /auth/ldap/ntlmsso_attempt.php
I would like it to trigger that page whenever you click a link that needs to be logged in for, e.g. a course name.
When is the NTLM triggered?
Is this solvable do you think?
> When is the NTLM triggered?
NTLM authentication is trigger if all the following conditions are met (I'm looking at the code to list them):
- NTLM is enabled (in the LDAP auth config settings)
- You have configured one or more subnets (IP ranges) for the clients you want to use NTLM with. So yes, it's mandatory
- You haven't specified the 'authldap_skipntlmsso' parameter with a non-zero value in the requested URL.
- You are the guest user, or you are still not logged in
- The IP of the client machine (as seen by the Moodle server!!!, so you need to take into account NAT, proxies, etc.) is inside of one of the configured subnets.
- It's a GET request, or a POST request from another page (not the login page itself). This is to handle a couple of corner cases.
Thanks Iñaki - a very useful post!
The wording on the NTLM SSO setup page in Moodle (admin/auth_config.php) implies that specifying a subnet value is optional. It says "If set, it will only attempt SSO with clients in this subnet", but here you say that it is mandatory. Will NTLM SSO not work if this Subnet field is left blank?
What if we want to specify the "whole world" in the subnet? Can we use 0.0.0.0/0? MDL-19509 has a discussion about this, but I'm not sure what the final resolution was. Does Moodle now accept 0.0.0.0/0 as a subnet?
Will NTLM SSO not work if this Subnet field is left blank?
maybe the wording is a bit misleading, but the code is quite clear : if you don't specify a value in that field (i.e., left blank or just white space) NTLM will not work.In fact, Moodle won't even try to start using NTLM at all.
Does Moodle now accept 0.0.0.0/0 as a subnet?
Yes it does, meaning the usual thing: any ip, i.e., the whole IPv4 address space. In Moodle 2.x you can even specify the whole IPv6 address space using equivalent syntax (0:0:0:0:0:0:0:0/0). Of course, you can specify both at the same time