Moodle in a DMZ with NTLM

by Heather P -
Number of replies: 5

Hello

I'm beginning to think this is not possible. Can anybody confirm or disprove.

Moodle 1.9.11 in a DMZ on Windows 2008 server with IIS 7.5 with NTLM turned on.

I'm beginning to think it is not possible. I still want to be able to have guest access on so that those without accounts can see the home pages and maybe one or two bits and pieces. I don't want the site to prompt to log in to even get to the home page, I need to be able to see the home page from the Internet.

If I put IP ranges in the field which implies it is optional but according to another posting is actually mandatory then it doesn't actually match the IP by the time it has got through the Firewall to the DMZ.

Any thoughts, suggestions, confirmations or disproofs would be wonderful.

Thanks

Heather

In reply to Heather P

Re: Moodle in a DMZ with NTLM

by Heather P -

I have a suspicion it might work I just can't get the NTLM to trigger. I don't want to select 'force users to log in' I want the home page available.

It does however look odd in that at the top it says you are logged in as etc. whilst at the same time offering you the login page, making it look like you aren't logged in. All a bit of a mess really.

I think the NTLM is working but only if you go directly to the page /auth/ldap/ntlmsso_attempt.php

I would like it to trigger that page whenever you click a link that needs to be logged in for, e.g. a course name.

When is the NTLM triggered?

Is this solvable do you think?

Thanks

Heather

In reply to Heather P

Re: Moodle in a DMZ with NTLM

by Iñaki Arenaza -

> When is the NTLM triggered?

NTLM authentication is triggered if all the following conditions are met (I'm looking at the code to list them):

  • NTLM is enabled (in the LDAP auth config settings)
  • You have configured one or more subnets (IP ranges) for the clients you want to use NTLM with. So yes, it's mandatory.
  • You haven't specified the 'authldap_skipntlmsso' parameter with a non-zero value in the requested URL.
  • You are the guest user, or you are still not logged in
  • The IP of the client machine (as seen by the Moodle server!!!, so you need to take into account NAT, proxies, etc.) is inside of one of the configured subnets.
  • It's a GET request, or a POST request from another page (not the login page itself). This is to handle a couple of corner cases.

Saludos. Iñaki.

Average of ratings: Useful (1)
In reply to Iñaki Arenaza

Re: Moodle in a DMZ with NTLM

by Luis de Vasconcelos -

Thanks Iñaki - a very useful post!

The wording on the NTLM SSO setup page in Moodle (admin/auth_config.php) implies that specifying a subnet value is optional. It says "If set, it will only attempt SSO with clients in this subnet", but here you say that it is mandatory. Will NTLM SSO not work if this Subnet field is left blank?

What if we want to specify the "whole world" in the subnet? Can we use 0.0.0.0/0? MDL-19509 has a discussion about this, but I'm not sure what the final resolution was. Does Moodle now accept 0.0.0.0/0 as a subnet?

In reply to Luis de Vasconcelos

Re: Moodle in a DMZ with NTLM

by Iñaki Arenaza -

Hi Luis,

> Will NTLM SSO not work if this Subnet field is left blank?

Maybe the wording is a bit misleading, but the code is quite clear: if you don't specify a value in that field (i.e., left blank or just white space) NTLM will not work. In fact, Moodle won't even try to start using NTLM at all.

> Does Moodle now accept 0.0.0.0/0 as a subnet?

Yes it does, meaning the usual thing: any IP, i.e., the whole IPv4 address space. In Moodle 2.x you can even specify the whole IPv6 address space using equivalent syntax (0:0:0:0:0:0:0:0/0). Of course, you can specify both at the same time.

Moodle 1.9 has accepted it since MDL-19509 was fixed (June 2009). Moodle 2.x has accepted it since MDL-14123 was committed (January 2009).

Saludos. Iñaki.

Average of ratings: Useful (1)
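The six trigger conditions Iñaki lists above, together with the blank-field and 0.0.0.0/0 / IPv6 subnet behaviour from his second reply, as an added Python model (not Moodle's own PHP code). It assumes the subnet field is comma- or whitespace-separated, that a non-numeric `authldap_skipntlmsso` value counts as zero, and it uses a constructed DMZ request where the firewall NATs the client so Moodle sees a different address than the one in the configured LAN range:

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class Request:
    url: str               # requested URL, including any query string
    client_ip: str         # client address as seen by the Moodle server (after NAT/proxies)
    method: str            # "GET" or "POST"
    logged_in: bool        # any authenticated session at all
    is_guest: bool         # the session belongs to the guest account
    from_login_page: bool  # a POST that originates from the login page itself


def parse_subnets(field):
    """Split the 'subnet' setting on commas/whitespace; blank yields an empty list."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in field.replace(",", " ").split()]


def skip_param_set(url):
    """True when authldap_skipntlmsso is present with a non-zero value.
    Assumption: a non-numeric value is treated as 0, as a PHP int cast would."""
    raw = parse_qs(urlparse(url).query).get("authldap_skipntlmsso", ["0"])[0]
    try:
        return int(raw) != 0
    except ValueError:
        return False


def ntlm_sso_triggers(ntlm_enabled, subnet_field, req):
    """All six conditions must hold for Moodle to attempt NTLM SSO."""
    if not ntlm_enabled:
        return False
    subnets = parse_subnets(subnet_field)
    if not subnets:                     # blank field: Moodle never even tries
        return False
    if skip_param_set(req.url):
        return False
    if req.logged_in and not req.is_guest:
        return False
    ip = ipaddress.ip_address(req.client_ip)
    if not any(ip in net for net in subnets):   # IPv4/IPv6 mismatch is simply False
        return False
    return req.method == "GET" or (req.method == "POST" and not req.from_login_page)


if __name__ == "__main__":
    # Constructed DMZ case: LAN range configured, but NAT makes the client appear as 10.0.0.5
    dmz = Request("/course/view.php?id=2", "10.0.0.5", "GET", False, False, False)
    print(ntlm_sso_triggers(True, "192.168.1.0/24", dmz))  # False
    print(ntlm_sso_triggers(True, "0.0.0.0/0", dmz))       # True
```

Widening the subnet to 0.0.0.0/0 makes the NAT problem disappear, but it also means every anonymous visitor from the Internet is sent through the NTLM attempt, which is exactly the home-page prompt Heather wants to avoid.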