I have briefly looked at the Windows options, i.e. local intranet etc. with IIS/IE, but we are running Linux. We have come across something called Vintela but am unsure of its potential etc.
Any help in pointing me in the right direction would be great.
Of course, if this makes any sense to anyone.
- you currently run an LDAP service as the central authentication
- some Active Directory gets synchronized from the LDAP
- when your users log in to a machine, it gets the credentials from the LDAP service
- you run Linux
- logging in to Moodle is also authenticated from the same LDAP service
What is the problem? That users have to log in twice (machine and Moodle)?
- MS Active Directory domain
- IIS Server with NTLM authentication
- IE browser or Firefox
- computer running Windows OS participating in a domain
I am testing this solution, it seems to be working ok. If there is enough demand I might prepare a patch for 1.5 and eventually add it later to 1.6.
I suppose I am checking to make sure I do not waste my time on this one.
tks
I have made a modification to our c:\inetpub\wwwroot\moodle\login\index.php script which makes this happen. This means that a user who has been authenticated by IIS using NTLM will automatically try to authenticate against the database with their username and the password 'NTLM-ONLY'. We maintain our Moodle user database to have all of the users in it, and their passwords are set to 'NTLM-ONLY' for Moodle. This works fairly well for us.
The mod is (in diff format) as follows. There are a couple of my debugging variables in this diff as well which you can ignore. You should probably only try this if you have some understanding of PHP code.
33,42d32
< $ntlm = $_SERVER["LOGON_USER"];
< if (strlen($ntlm) > 0) {
< $oldntlm = $ntlm;
< $ntlm = substr($ntlm,strlen("TYNDALE\"));
< $mymessage2 = "NTLMPOS-$oldntlm-$ntlm-";
< if (strlen($frm->username) == 0) {
< $frm->username = $ntlm;
< }
< }
<
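Review bot: the prefix length in `$ntlm = substr($ntlm,strlen("TYNDALE\"));` is taken from a double-quoted PHP literal whose closing quote is escaped by the backslash, so as posted the line does not parse (or a second backslash was lost on the way into the forum); it should read `strlen("TYNDALE\\")`, i.e. the domain name plus one backslash. Stripping a fixed number of characters also truncates the name of any user whose `LOGON_USER` came from a different domain, so check that the value actually starts with `TYNDALE\` before cutting it; and since everything downstream trusts `$_SERVER["LOGON_USER"]`, this is only sound when IIS serves login/index.php with Integrated Windows Authentication required and anonymous access disabled.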
46,55d35
< if (strcasecmp($frm->username,$ntlm) == 0) {
< $frm->password = "NTLM-ONLY";
< $mymessage = "Match1";
< } else if (strcasecmp($frm->password,"NTLM-ONLY")==0) {
< $frm->password = "";
< $mymessage = "Match2";
< } else {
< $mymessage = "[$ntlm][$frm->username]";
< }
<
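Review bot: with every Moodle account's stored password set to the literal 'NTLM-ONLY', the scheme is only as strong as the else-if branch that blanks that value when it arrives from the form, and any login path that does not go through this modified script (other authentication modules, manual password checks) would accept the sentinel outright; a stored value that can never be a valid password (or a per-user random value) would be safer than a shared, guessable string. The `$mymessage` / `$mymessage2` debug assignments should also be removed before this goes into production, as the post itself suggests.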
Petr,
I would be interested in this, could you let me know if/when you release this.
- we carry on regardless
So we can now proceed with a single login to our Windows domain and then straight to our internet and Moodle. We are however faced with restructuring our security model which was based on LDAP groups.
We manage access to Moodle from our intranet, which is all pretty automatic. We are going to have to re-think how we restrict students and have several options open to us, and a lot of work. For those of you who are interested, I used some guidance from a 'Plone' document, which can be found at http://plone.org/documentation/how-to/singlesignonwindowsdomains, to implement NTLM using Apache.
Wayne,
I would be interested to see if we can help. Moodle may then be an option for our clients' internal learning environment.
We integrated Active Directory into three other LMS systems based on ASP, java, and asp.net, for clients who required users of the domain to be automatically authenticated to the LMS if they were active directory users and registered into the LMS. A second process directs students to Active Directory user request page if not currently a user. If automatic domain credentials are not provided, we use a Forms authentication over SSL, to validate against the Active Directory and then redirect them to the LMS home page.
There is an article on installing Moodle on IIS6 which would then allow the use of the ASP.NET forms authentication, with only remaining link being validation of user in the Moodle Database (normally mysql) and setting the session for the PHP code.
I personally am not a strong PHP coder, but I did see two links of interest:
http://adldap.sourceforge.net/ (Open source PHP LDAP to Active Directory)
http://www.weberdev.com/get_example-3261.html http://www.weberdev.com/get_example-4132.html
(Source code for authentication to Active Directory via LDAP).. also links to other code for PHP
Peter,
Could you update the status of your "automatic login" patch for version 1.5
Thanks,
Dave
We have set up an NTLM server and have done limited testing which seems to be ok. The major issue is that we use the LDAP group function for securing staff areas, which cannot be done with NTLM. We think we will have to run 2 Apache servers, one with NTLM for college-based access and the other with LDAP for external access and private areas, using the same www root for both servers. We are still testing and there are some firewall issues for us to sort at present.
Please contact me for more clarification.
I too would be very interested in this patch.
The more the merrier, and the more, the more chance that we will get the patch.
Thanks
Just wondering if anyone has got the automatic windows logon to work as yet?
I've been looking everywhere to find a solution, but to no avail.
The PHP code above, where in the /login/index.php does it go? I have had some experience with PHP in the past.
Thanks
The login/index.php file should be on your web server in the Moodle source code files. My new patch, which integrates into the LDAP authentication system, also changes the 'auth/ldap/lib.php' file.
The patch code that I posted here is for Moodle running on a Windows Server running IIS, set to use Integrated authentication in the IIS configuration MMC snap-in.
Attached is my patch code for moodle 1.5 to perform this integrated authentication. To use this you need to have your system set to authenticate using LDAP (from a Windows Active Directory Server) using the moodle ldap authentication module. Essentially what this code does is to submit the username that was authenticated by IIS and to skip the ldap password authentication (where IIS has already performed password authentication).
NOTE: you need to change the DOMAINNAME in the code to your own NetBIOS Domain Name.
Fellows, I am using single sign-on. I need to be sure that a certain host of the domain is alive. To authenticate I am using a connection to Active Directory with NTLM. Can anyone tell me how I can be sure that the host which is connecting to my webserver by SSO is the same or alive? It's just a matter of security. Thanks.
I have made some modifications to Matthew's patches (functional changes at the bottom of this post), and find that they appear to work correctly here. Please let me know if there are any glaring errors and/or major security issues I've created.
Notes:
We have 3 domains in our forest, STAFF, STUDENTS and WORTECH, you will notice in both auth/ldap/lib.php and login/index.php a segment of code that matches the domain names:
if(preg_match('/(?i)WORTECH\\\\/', $ntlm)) {
$ntlm = substr($ntlm,8);
}
You will need to change "WORTECH" to your domain name (case-insensitive), and you will need to change the digit 8, to the total number of characters in your domain's name, plus a \ character.
Major functional changes made to code:
Now matches AUTH_TYPEs "NTLM" and "Negotiate"
Support for multiple domain names
Uses AUTH_USER instead of LOGON_USER (i believe this is preferred)
If you need to apply these to any other version of Moodle, ensure you view the diff changes in the files specified between 1.5.2 and the version you wish to use. If we upgrade, I will no doubt release updated patches.
Last but not least, all patches are not guaranteed in any way, shape or form! I will try to support them, but I can't promise anything!
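Both approaches in this thread (the earlier 'NTLM-ONLY' sentinel patch for login/index.php and the later patch that trusts AUTH_USER, accepts the "NTLM" and "Negotiate" AUTH_TYPEs and strips one of several "DOMAIN\" prefixes) rest on the same two steps: recover the account name that IIS Integrated Authentication already verified, and only then skip Moodle's own password check for that one account. The following PHP is an added example written for this thread; it is not Moodle code and not any poster's patch. It generalises the domain-prefix stripping by taking the prefix length from the regular-expression match instead of a hard-coded digit, and it keeps the decision in a function that takes the server variables as a parameter so it can be exercised without IIS. The list of domains is an assumed configuration value; the sample server variables are constructed.

```php
<?php
// Added example (not Moodle code, not any poster's patch): recover the
// Windows account name that IIS Integrated Authentication verified and
// decide whether the LDAP password step may be skipped for it.

// Assumed configuration: the NetBIOS domains whose users may single sign-on.
// Replace with the domain names of your own forest.
$sso_domains = array('STAFF', 'STUDENTS', 'WORTECH');

/**
 * Return the bare (lower-case) username if this request was authenticated
 * by IIS with NTLM or Negotiate and the account belongs to one of $domains;
 * otherwise return null so the normal form/LDAP login is used.
 *
 * $server is passed in (normally $_SERVER) so the function can be tested
 * without a web server.
 */
function sso_username(array $server, array $domains) {
    // IIS sets AUTH_TYPE to the scheme that actually authenticated the
    // request; anything else (anonymous, Basic) must not be trusted here.
    $type = isset($server['AUTH_TYPE']) ? $server['AUTH_TYPE'] : '';
    if (!in_array(strtolower($type), array('ntlm', 'negotiate'), true)) {
        return null;
    }
    $user = isset($server['AUTH_USER']) ? $server['AUTH_USER'] : '';
    if ($user === '') {
        return null;
    }
    // Strip a "DOMAIN\" prefix, case-insensitively, for any configured
    // domain. The prefix length comes from the match ($m[0]), so there is
    // no digit to keep in sync with the domain name.
    foreach ($domains as $domain) {
        $pattern = '/^' . preg_quote($domain, '/') . '\\\\/i';
        if (preg_match($pattern, $user, $m)) {
            // Moodle compares usernames in lower case, so normalise here.
            return strtolower(substr($user, strlen($m[0])));
        }
    }
    // Authenticated by IIS, but from a domain we do not map to Moodle accounts.
    return null;
}

/**
 * Decide how login/index.php should treat the submitted form. Returns
 *   'sso'      - IIS already verified this user; skip the LDAP password bind
 *   'password' - fall through to the normal LDAP password check
 */
function login_mode(array $server, array $domains, $form_username) {
    $sso = sso_username($server, $domains);
    if ($sso === null) {
        return 'password';
    }
    // Only skip the password check for the account IIS actually verified.
    // A different name typed into the form must still prove itself with a
    // password, which is what the sentinel-password patch had to guard with
    // its else-if branch.
    if ($form_username === '' || strcasecmp($form_username, $sso) === 0) {
        return 'sso';
    }
    return 'password';
}

// Constructed sample server variables, shaped as IIS would populate them.
$sample = array('AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'wortech\\JSmith');
var_dump(sso_username($sample, $sso_domains));
var_dump(login_mode($sample, $sso_domains, ''));
var_dump(login_mode($sample, $sso_domains, 'admin'));

// An anonymous or Basic-authenticated request yields no SSO name at all.
$anon = array('AUTH_TYPE' => '', 'AUTH_USER' => '');
var_dump(sso_username($anon, $sso_domains));
```

Keeping the trust decision in `sso_username()` means the only place that reads `AUTH_TYPE` and `AUTH_USER` is a single function, which is also the place to tighten if the site is ever served with anonymous access enabled alongside Integrated Authentication; `login_mode()` then returns 'sso' solely for the account IIS named, never for a name the browser typed.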