Authentication

 
 
Picture of Wayne Gaish
Automatic Login from a Windows Domain
 
We are using LDAP authentication against our Active Directory - at the moment our users log in to the network and then log in to our intranet/Moodle. We want to be able to automatically log them in if they are on campus and logged into the MS network. We don't want to do it by IP because we need their username to determine resources available prior to accessing Moodle.

I have briefly looked at the Windows options, i.e. local intranet etc. with IIS/IE, but we are running Linux - we have come across something called Vintela but am unsure of its potential etc.

Any help in pointing me in the right direction would be great.

Of course, if this makes any sense to anyone.



 
Average of ratings: -
Picture of Visvanath Ratnaweera
Re: Automatic Login from a Windows Domain
The scenario you describe is difficult to understand:

- you currently run an LDAP service as the central authentication

- some Active Directory gets synchronized from the LDAP

- when your users log in to a machine, it gets the credentials from the LDAP service

- you run Linux

- logging in to Moodle is also authenticated from the same LDAP service

What is the problem? That users have to log in twice (machine and Moodle)?
 
Average of ratings: -
Picture of Petr Škoda
Re: Automatic Login from a Windows Domain
The only transparent login solution for intranet I know is:
  • MS Active Directory domain
  • IIS Server with NTLM authentication
  • IE browser or Firefox
  • computer running Windows OS participating in a domain

I am testing this solution, it seems to be working ok. If there is enough demand I might prepare a patch for 1.5 and eventually add it later to 1.6.
 
Average of ratings:Useful (1)
Picture of Wayne Gaish
Re: Automatic Login from a Windows Domain
 
It looks like the NTLM option is the one we're looking at. We currently log our users into our intranet and then directly to Moodle, but they do have to log in twice - not a client-friendly approach. I think we are going to look into the NTLM option unless anyone has other views?

I suppose I am checking to make sure I do not waste my time on this one.

tks :)
 
Average of ratings: -
Picture of Matthew HOLMES
Re: Automatic Login from a Windows Domain
 

I have made a modification to our c:\inetpub\wwwroot\moodle\login\index.php script which makes this happen. This means that a user who has been authenticated by IIS using NTLM will automatically try to authenticate against the database with their username and the password 'NTLM-ONLY'; we maintain our Moodle user database to have all of the users in it, and their passwords are set to 'NTLM-ONLY' for Moodle. This works fairly well for us.

The mod is below (in diff format). There are a couple of my debugging variables in this diff as well, which you can ignore. You should probably only try this if you have some understanding of PHP code.

33,42d32

< $ntlm = $_SERVER["LOGON_USER"];
< if (strlen($ntlm) > 0) {
< $oldntlm = $ntlm;
< $ntlm = substr($ntlm,strlen("TYNDALE\"));
< $mymessage2 = "NTLMPOS-$oldntlm-$ntlm-";
< if (strlen($frm->username) == 0) {
< $frm->username = $ntlm;
< }
< }
<
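Review bot: On the substr line, strlen("TYNDALE\") has a backslash that escapes the closing quote, so the string literal never terminates and the script will not parse; write it as "TYNDALE\\". The same line strips a fixed number of characters without checking that LOGON_USER actually begins with that domain prefix, so a value with any other prefix is cut at the wrong place and then copied into $frm->username; compare the prefix first and leave the form untouched when it does not match. $_SERVER["LOGON_USER"] is also read without an isset check, and $oldntlm and $mymessage2 are debugging leftovers that should be dropped.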
46,55d35
< if (strcasecmp($frm->username,$ntlm) == 0) {
< $frm->password = "NTLM-ONLY";
< $mymessage = "Match1";
< } else if (strcasecmp($frm->password,"NTLM-ONLY")==0) {
< $frm->password = "";
< $mymessage = "Match2";
< } else {
< $mymessage = "[$ntlm][$frm->username]";
< }
<
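Review bot: The first branch, strcasecmp($frm->username,$ntlm) == 0, does not require $ntlm to be non-empty, so it also fires when the server supplied no authenticated user and the form username is empty; add strlen($ntlm) > 0 to the condition. The branch then logs the user in by injecting the constant password "NTLM-ONLY", which leaves the else-if branch as the only thing stopping that same string from being typed into the form; a flag that skips the password check only when the web server has authenticated the request would avoid relying on a shared, known password. The $mymessage assignments are debugging leftovers, and the last one embeds both usernames, so remove them.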

 
Average of ratings: -
Picture of Steve Relf
Re: Automatic Login from a Windows Domain
 

Petr,

I would be interested in this; could you let me know if/when you release this?

 
Average of ratings: -
Picture of Wayne Gaish
Re: Automatic Login from a Windows Domain
 
This one could be bigger than I thought - I am now looking at a company called Vintela who provide authentication services. This goes much further than just logging into Moodle from the Windows domain. The question is if we can just have that solution and what are the costs - it would be nice to have an open source solution, but NTLM seems the only option and we are struggling at present with that.

- we carry on regardless
 
Average of ratings: -
Picture of Wayne Gaish
Re: Automatic Login from a Windows Domain
 
For those of you interested in my progress, I have managed to test an implementation of NTLM (I realise there are some security issues). We have got automatic login when using IE and Firefox within the domain (some config with Firefox but it works).
So we can now proceed with a single login to our Windows domain and then straight to our internet and Moodle. We are, however, faced with restructuring our security model, which was based on LDAP groups.

We manage access to Moodle from our intranet, which is all pretty automatic. We are going to have to re-think how we restrict students and have several options open to us, and a lot of work. For those of you who are interested, I used some guidance from a 'Plone' document, which can be found at http://plone.org/documentation/how-to/singlesignonwindowsdomains, to implement NTLM using Apache.

:)


 
Average of ratings: -
Picture of phillip sparks
Re: Automatic Login from a Windows Domain
 

Wayne,

I would be interested to see if we can help. Moodle may then be an option for our clients' internal learning environment.

We integrated Active Directory into three other LMS systems based on ASP, Java, and ASP.NET, for clients who required users of the domain to be automatically authenticated to the LMS if they were Active Directory users and registered into the LMS. A second process directs students to an Active Directory user request page if not currently a user. If automatic domain credentials are not provided, we use Forms authentication over SSL to validate against the Active Directory and then redirect them to the LMS home page.

There is an article on installing Moodle on IIS6 which would then allow the use of the ASP.NET forms authentication, with the only remaining link being validation of the user in the Moodle database (normally MySQL) and setting the session for the PHP code.

I personally am not a strong PHP coder, but I did see two links of interest:

http://adldap.sourceforge.net/  (Open source PHP LDAP to Active Directory)

http://www.weberdev.com/get_example-3261.html  http://www.weberdev.com/get_example-4132.html

(Source code for authentication to Active Directory via LDAP; also links to other code for PHP)

 
Average of ratings: -
Picture of Dave Kennedy
Re: Automatic Login from a Windows Domain
 

Peter,

Could you update the status of your "automatic login" patch for version 1.5?

Thanks,
Dave

 
Average of ratings: -
Picture of Wayne Gaish
Re: Automatic Login from a Windows Domain
 
Hi - yes, we are currently testing mod_ntlm for Apache. We don't actually use Moodle authentication because we authenticate to our intranet using LDAP and therefore take that as the login.

We have set up an NTLM server and have done limited testing, which seems to be OK. The major issue is that we use the LDAP group function for securing staff areas, which cannot be done with NTLM. We think we will have to run 2 Apache servers, 1 with NTLM for college-based access and the other with LDAP for external access and private areas, using the same www root for both servers. We are still testing and there are some firewall issues for us to sort at present.


Please contact me for more clarification.

:) :)
 
Average of ratings: -
Picture of Chris Simpson
Re: Automatic Login from a Windows Domain
 

I too would be very interested in this patch.

The more the merrier, and the more, the more chance that we will get the patch. :)

Thanks

 
Average of ratings: -
Picture of John Wood
Re: Automatic Login from a Windows Domain
 

Just wondering if anyone has got the automatic windows logon to work as yet?

I've been looking everywhere to find a solution, but to no avail.

The PHP code above, where in the /login/index.php does it go? I have had some experience with PHP in the past.

Thanks

 
Average of ratings: -
Picture of Matthew HOLMES
Re: Automatic Login from a Windows Domain
 

The login/index.php file should be on your web server in the Moodle source code files. My new patch, which integrates into the LDAP authentication system, also changes the 'auth/ldap/lib.php' file.

The patch code that I posted here is for Moodle running on a Windows Server running IIS, set to use Integrated authentication in the IIS configuration MMC snap-in.

Attached is my patch code for moodle 1.5 to perform this integrated authentication. To use this you need to have your system set to authenticate using LDAP (from a Windows Active Directory Server) using the moodle ldap authentication module.  Essentially what this code does is to submit the username that was authenticated by IIS and to skip the ldap password authentication (where IIS has already performed password authentication).

NOTE: you need to change the DOMAINNAME in the code to your own NetBIOS Domain Name.

 
Average of ratings: -
Picture of Pratik Patel
Re: Automatic Login from a Windows Domain
 
Hello.
Fellows, I am using single sign-on. I need to be sure that a certain host of the domain is alive. To authenticate I am using a connection to Active Directory with NTLM. Can anyone tell me how I can be sure that the host that is connecting to my web server by SSO is the same or alive? It's just a matter of security. Thanks.
 
Average of ratings: -
Picture of Edmund Haworth
Re: Automatic Login from a Windows Domain
 
Hi All,

I have made some modifications to Matthew's patches (functional changes at the bottom of this post), and find that they appear to work correctly here. Please let me know if there are any glaring errors and/or major security issues I've created.

Notes:
We have 3 domains in our forest, STAFF, STUDENTS and WORTECH; you will notice in both auth/ldap/lib.php and login/index.php a segment of code that matches the domain names:
    if(preg_match('/(?i)WORTECH\\\\/', $ntlm)) {
        $ntlm = substr($ntlm,8);
    }

You will need to change "WORTECH" to your domain name (case-insensitive), and you will need to change the digit 8, to the total number of characters in your domain's name, plus a \ character.

Major functional changes made to code:
  • Now matches AUTH_TYPEs "NTLM" and "Negotiate"
  • Support for multiple domain names
  • Uses AUTH_USER instead of LOGON_USER (I believe this is preferred)
 
Average of ratings: -
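A stricter form of the domain-prefix handling described in the post above, as an added example that is not part of Matthew's or Edmund's patches or of Moodle: it accepts only the NTLM and Negotiate AUTH_TYPE values, matches DOMAIN\account exactly, and checks the domain against an allow-list. The function name integrated_identity, the allow-list constants and the character classes are assumptions; the sample inputs are constructed.

```php
<?php
// Added example; the helper name and the allow-lists are assumptions.
const ALLOWED_AUTH_TYPES = ['ntlm', 'negotiate'];
const ALLOWED_DOMAINS    = ['STAFF', 'STUDENTS', 'WORTECH']; // domains named in the post

/**
 * Return ['domain' => ..., 'username' => ...] when the web server reports an
 * integrated-auth user from an allowed domain, or null to fall back to the
 * normal login form. $server is normally $_SERVER.
 */
function integrated_identity(array $server): ?array
{
    $type = strtolower(trim((string)($server['AUTH_TYPE'] ?? '')));
    if (!in_array($type, ALLOWED_AUTH_TYPES, true)) {
        return null; // anonymous, Basic, or an unexpected scheme
    }
    $user = (string)($server['AUTH_USER'] ?? '');
    // Anchored DOMAIN\account match: nothing may precede the domain or follow
    // the account. The character classes are a conservative assumption.
    if (!preg_match('/\A([A-Za-z0-9-]{1,15})\\\\([A-Za-z0-9._-]{1,64})\z/', $user, $m)) {
        return null;
    }
    $domain = strtoupper($m[1]);
    if (!in_array($domain, ALLOWED_DOMAINS, true)) {
        return null; // authenticated, but not by a domain we map to Moodle users
    }
    // Keep the domain: account names are unique per domain only, so STAFF\jsmith
    // and STUDENTS\jsmith must not collapse into one Moodle account.
    return ['domain' => $domain, 'username' => strtolower($m[2])];
}

// Constructed sample inputs, not captured from a real server.
$samples = [
    ['AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'WORTECH\\jsmith'],
    ['AUTH_TYPE' => 'NTLM',      'AUTH_USER' => 'students\\jsmith'],
    ['AUTH_TYPE' => 'NTLM',      'AUTH_USER' => 'xWORTECH\\jsmith'], // prefix not exact
    ['AUTH_TYPE' => 'NTLM',      'AUTH_USER' => 'OTHER\\jsmith'],    // unlisted domain
    ['AUTH_TYPE' => 'Basic',     'AUTH_USER' => 'STAFF\\jsmith'],    // wrong scheme
    ['AUTH_TYPE' => '',          'AUTH_USER' => ''],                 // anonymous
];
foreach ($samples as $s) {
    $id  = integrated_identity($s);
    $out = $id ? $id['domain'] . '\\' . $id['username'] : 'rejected';
    echo str_pad($s['AUTH_USER'], 18), ' => ', $out, PHP_EOL;
}
```

Treat a non-null result as a login only where the web server itself enforces integrated authentication for that path; otherwise show the normal login form.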
Picture of Edmund Haworth
Re: Automatic Login from a Windows Domain
 
I should really mention that these are only to be applied to the 1.5.2 release of Moodle.

If you need to apply these to any other version of Moodle, ensure you view diff changes in the files specified between 1.5.2 and the version you wish to use. If we upgrade, I will no doubt release updated patches.

Last but not least, all patches are not guaranteed in any way, shape or form! I will try to support them, but I can't promise anything!
 
Average of ratings: -