Automatic Login from a Windows Domain

by Wayne Gaish -
Number of replies: 16
We are using LDAP authentication against our Active Directory - at the moment our users log in to the network and then log in to our intranet/Moodle. We want to be able to automatically log them in if they are on campus and logged into the MS network. We don't want to do it by IP because we need their username to determine resources available prior to accessing Moodle.

I have briefly looked at the Windows options, i.e. local intranet etc. with IIS/IE, but we are running Linux - we have come across something called Vintela but am unsure of its potential etc.

Any help in pointing me in the right direction would be great.

Of course, if this makes any sense to anyone.



In reply to Wayne Gaish

Re: Automatic Login from a Windows Domain

by Visvanath Ratnaweera -
The scenario you describe is difficult to understand:

- you currently run an LDAP service as the central authentication

- some Active Directory gets synchronized from the LDAP

- when your users log in to a machine, it gets the credentials from the LDAP service

- you run Linux

- logging in to Moodle is also authenticated from the same LDAP service

What is the problem? That users have to log in twice (machine and Moodle)?
In reply to Visvanath Ratnaweera

Re: Automatic Login from a Windows Domain

by Petr Skoda -
The only transparent login solution for intranet I know is:
  • MS Active Directory domain
  • IIS Server with NTLM authentication
  • IE browser or Firefox
  • computer running Windows OS participating in a domain

I am testing this solution, it seems to be working ok. If there is enough demand I might prepare a patch for 1.5 and eventually add it later to 1.6.
Average of ratings: Useful (1)
In reply to Petr Skoda

Re: Automatic Login from a Windows Domain

by Wayne Gaish -
It looks like the NTLM option is the one we're looking at. We currently log our users into our intranet and then directly to Moodle, but they do have to log in twice - not a client-friendly approach. I think we are going to look into the NTLM option unless anyone has other views?

I suppose I am checking to make sure I do not waste my time on this one.

tks
In reply to Wayne Gaish

Re: Automatic Login from a Windows Domain

by Matthew HOLMES -

I have made a modification to our c:\inetpub\wwwroot\moodle\login\index.php script which makes this happen. This means that a user who has been authenticated by IIS using NTLM will automatically try to authenticate against the database with their username and the password 'NTLM-ONLY', we maintain our moodle user database to have all of the users in it and their passwords are set to 'NTLM-ONLY' for moodle. This works fairly well for us.

The mod is (in diff format). There are a couple of my debugging variables in this diff as well which you can ignore. You should probably only try this if you have some understanding of PHP code.

33,42d32

< $ntlm = $_SERVER["LOGON_USER"];
< if (strlen($ntlm) > 0) {
< $oldntlm = $ntlm;
< $ntlm = substr($ntlm,strlen("TYNDALE\"));
< $mymessage2 = "NTLMPOS-$oldntlm-$ntlm-";
< if (strlen($frm->username) == 0) {
< $frm->username = $ntlm;
< }
< }
<
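Review bot: the literal `"TYNDALE\"` on the `substr` line is an unterminated string in PHP, because `\"` inside double quotes is an escaped quote, not a backslash; it needs to be `"TYNDALE\\"` (or `'TYNDALE\\'`). The same line then cuts a fixed number of characters whether or not `LOGON_USER` actually begins with `TYNDALE\`, so an account from another domain, or a local machine account, arrives as a truncated name; check the prefix first with something like `strncasecmp($ntlm, "TYNDALE\\", 8) == 0` and only then strip it, and the domain name should come from a setting rather than a hard-coded literal.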
46,55d35
< if (strcasecmp($frm->username,$ntlm) == 0) {
< $frm->password = "NTLM-ONLY";
< $mymessage = "Match1";
< } else if (strcasecmp($frm->password,"NTLM-ONLY")==0) {
< $frm->password = "";
< $mymessage = "Match2";
< } else {
< $mymessage = "[$ntlm][$frm->username]";
< }
<
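Review bot: the `Match1` branch also fires when `$ntlm` is empty, since `strcasecmp("", "")` returns 0: a request IIS did not authenticate (anonymous access enabled, or a browser that sent no NTLM token) with a blank username field is handed the password `NTLM-ONLY`. Guard the branch with `strlen($ntlm) > 0`. The `Match2` branch correctly blanks a typed `NTLM-ONLY`, but it only catches that exact string on this one form; because every account's stored password is the same shared value, any other path that checks the stored password (other login entry points, password change) needs the same treatment. The `$mymessage`/`$mymessage2` debug assignments should be dropped before the change ships.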

In reply to Petr Skoda

Re: Automatic Login from a Windows Domain

by Steve Relf -

Petr,

I would be interested in this, could you let me know if/when you release this.

In reply to Steve Relf

Re: Automatic Login from a Windows Domain

by Wayne Gaish -
This one could be bigger than I thought - I am now looking at a company called Vintela who provide authentication services. This goes much further than just logging into Moodle from the Windows domain. The question is if we can just have that solution and what are the costs - it would be nice to have an open source solution but NTLM seems the only option and we are struggling at present with that.

- we carry on regardless
In reply to Wayne Gaish

Re: Automatic Login from a Windows Domain

by Wayne Gaish -
For those of you interested in my progress, I have managed to test an implementation of NTLM (I realise there are some security issues). We have got automatic login when using IE and Firefox within the domain (some config with Firefox but it works).
So we can now proceed with a single login to our Windows domain and then straight to our internet and Moodle. We are however faced with restructuring our security model which was based on LDAP groups.

We manage access to Moodle from our intranet, which is all pretty automatic. We are going to have to re-think how we restrict students and have several options open to us, and a lot of work. For those of you who are interested, I used some guidance from a 'Plone' document, which can be found at http://plone.org/documentation/how-to/singlesignonwindowsdomains, to implement NTLM using Apache.


In reply to Wayne Gaish

Re: Automatic Login from a Windows Domain

by phillip sparks -

Wayne,

I would be interested to see if we can help. Moodle may then be an option for our clients' internal learning environment.

We integrated Active Directory into three other LMS systems based on ASP, Java, and ASP.NET, for clients who required users of the domain to be automatically authenticated to the LMS if they were Active Directory users and registered into the LMS. A second process directs students to an Active Directory user request page if not currently a user. If automatic domain credentials are not provided, we use Forms authentication over SSL to validate against the Active Directory and then redirect them to the LMS home page.

There is an article on installing Moodle on IIS6 which would then allow the use of the ASP.NET forms authentication, with only remaining link being validation of user in the Moodle Database (normally mysql) and setting the session for the PHP code.

I personally am not a strong PHP coder, but I did see two links of interest:

http://adldap.sourceforge.net/  (Open source php ldap to active directory)

http://www.weberdev.com/get_example-3261.html  http://www.weberdev.com/get_example-4132.html

(Source code for authentication to Active Directory via LDAP)... also links to other code for PHP

In reply to Petr Skoda

Re: Automatic Login from a Windows Domain

by Dave Kennedy -

Petr,

Could you update the status of your "automatic login" patch for version 1.5?

Thanks,
Dave

In reply to Dave Kennedy

Re: Automatic Login from a Windows Domain

by Wayne Gaish -
Hi - yes, we are currently testing mod_ntlm for Apache. We don't actually use Moodle authentication because we authenticate to our intranet using LDAP and therefore take that as the login.

We have set up an NTLM server and have done limited testing which seems to be ok. The major issue is that we use the LDAP group function for securing staff areas, which cannot be done with NTLM. We think we will have to run 2 Apache servers, 1 with NTLM for college-based access and the other with LDAP for external access and private areas, using the same www root for both servers. We are still testing and there are some firewall issues for us to sort at present.


Please contact me for more clarification.
In reply to Petr Skoda

Re: Automatic Login from a Windows Domain

by Chris Simpson -

I too would be very interested in this patch.

The more the merrier, and the more, the more chance that we will get the patch.

Thanks

In reply to Chris Simpson

Re: Automatic Login from a Windows Domain

by John Wood -

Just wondering if anyone has got the automatic windows logon to work as yet?

I've been looking everywhere to find a solution, but to no avail.

The PHP code above, where in /login/index.php does it go? I have had some experience with PHP in the past.

Thanks

In reply to John Wood

Re: Automatic Login from a Windows Domain

by Matthew HOLMES -

The login/index.php file should be on your web server in the Moodle source code files. My new patch, which integrates into the LDAP authentication system, also changes the 'auth/ldap/lib.php' file.

The patch code that I posted here is for Moodle running on a Windows Server running IIS, set to use Integrated authentication in the IIS configuration MMC snap-in.

Attached is my patch code for Moodle 1.5 to perform this integrated authentication. To use this you need to have your system set to authenticate using LDAP (from a Windows Active Directory Server) using the Moodle LDAP authentication module. Essentially what this code does is to submit the username that was authenticated by IIS and to skip the LDAP password authentication (where IIS has already performed password authentication).

NOTE: you need to change the DOMAINNAME in the code to your own NetBIOS Domain Name.

In reply to Matthew HOLMES

Re: Automatic Login from a Windows Domain

by Pratik Patel -
Hello.
Fellows, I am using single sign-on. I need to be sure that a certain host of the domain is alive. To authenticate I am using a connection to Active Directory with NTLM. Can anyone tell me how I can be sure that the host who is connecting to my web server by SSO is the same or alive? It's just a matter of security. Thanks.
In reply to Matthew HOLMES

Re: Automatic Login from a Windows Domain

by Edmund Haworth -
Hi All,

I have made some modifications to Matthew's patches (functional changes at the bottom of this post), and find that they appear to work correctly here. Please let me know if there are any glaring errors and/or major security issues I've created.

Notes:
We have 3 domains in our forest, STAFF, STUDENTS and WORTECH, you will notice in both auth/ldap/lib.php and login/index.php a segment of code that matches the domain names:
    if(preg_match('/(?i)WORTECH\\\\/', $ntlm)) {
        $ntlm = substr($ntlm,8);
    }

You will need to change "WORTECH" to your domain name (case-insensitive), and you will need to change the digit 8, to the total number of characters in your domain's name, plus a \ character.

Major functional changes made to code:
- Now matches AUTH_TYPEs "NTLM" and "Negotiate"
- Support for multiple domain names
- Uses AUTH_USER instead of LOGON_USER (I believe this is preferred)
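The step described in Matthew's and Edmund's posts above (take the account IIS already authenticated, skip the LDAP password check, strip the domain prefix) can be written so that it needs no per-domain `substr` offset and never trusts anything the browser typed into the form. The following is an added example, not Moodle's code and not either poster's patch: the function name, the trusted-domain list and the sample requests are assumptions, and the Moodle-side step (looking the returned name up in the user table and starting the session) is left to the site's auth plugin.

```php
<?php
// Added example, not Moodle's code and not any poster's patch. It turns the
// server variables that IIS sets under Integrated Windows Authentication into
// a bare account name, accepting only a configured list of NetBIOS domains.
// The function name, the domain list and the sample requests are assumptions.

declare(strict_types=1);

/**
 * Return the lower-cased sAMAccountName when the web server has already
 * authenticated the request with NTLM or Negotiate and the account belongs
 * to one of the trusted domains; return null in every other case so the
 * caller shows the ordinary login form instead.
 *
 * @param array    $server         the $_SERVER array (passed in to keep the function testable)
 * @param string[] $trustedDomains NetBIOS domain names whose users may be signed in
 */
function sso_account_name(array $server, array $trustedDomains): ?string
{
    // Only an identity the server itself established is trusted. Form fields
    // and query parameters are never consulted, so nothing in the request
    // body can substitute a different user.
    $authType = strtoupper((string) ($server['AUTH_TYPE'] ?? ''));
    if (!in_array($authType, ['NTLM', 'NEGOTIATE'], true)) {
        return null;
    }

    // IIS fills AUTH_USER; LOGON_USER is the older name for the same value.
    $raw = (string) ($server['AUTH_USER'] ?? $server['LOGON_USER'] ?? '');
    if ($raw === '') {
        return null; // anonymous access was permitted and nobody authenticated
    }

    // Split "DOMAIN\user" at the backslash rather than cutting a fixed
    // number of characters, so every configured domain works without
    // editing the code; an account with no domain part is rejected.
    $parts = explode('\\', $raw, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$domain, $user] = $parts;

    $trusted = array_map('strtoupper', $trustedDomains);
    if (!in_array(strtoupper($domain), $trusted, true)) {
        return null; // a domain this site has no trust relationship with
    }

    // sAMAccountName matching is case-insensitive and Moodle stores
    // usernames in lower case, so normalise before any database lookup.
    // The character allow-list is an assumption; widen it to match the
    // naming convention of your own directory.
    $user = strtolower($user);
    if (!preg_match('/^[a-z0-9._-]+$/', $user)) {
        return null;
    }
    return $user;
}

// Constructed sample requests (not captured from a real server) covering a
// trusted NTLM user, a trusted Negotiate user, a user from an unknown
// domain, an anonymous request and a request authenticated some other way.
$trustedDomains = ['STAFF', 'STUDENTS', 'WORTECH'];
$samples = [
    'staff user'     => ['AUTH_TYPE' => 'NTLM',      'AUTH_USER' => 'STAFF\\JSmith'],
    'negotiate user' => ['AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'wortech\\alice'],
    'foreign domain' => ['AUTH_TYPE' => 'NTLM',      'AUTH_USER' => 'OTHERCORP\\bob'],
    'anonymous'      => ['AUTH_TYPE' => '',          'AUTH_USER' => ''],
    'basic auth'     => ['AUTH_TYPE' => 'Basic',     'AUTH_USER' => 'STAFF\\JSmith'],
];
foreach ($samples as $label => $server) {
    $name = sso_account_name($server, $trustedDomains);
    printf("%-15s -> %s\n", $label, $name ?? '(show login form)');
}
```

Run stand-alone it prints `jsmith` and `alice` for the two trusted requests and `(show login form)` for the other three. The domain list replaces the hard-coded `substr($ntlm, 8)` from the post, and rejecting anything that is not NTLM or Negotiate is what keeps a Basic-authenticated or anonymous request from being mistaken for a domain sign-on.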
In reply to Edmund Haworth

Re: Automatic Login from a Windows Domain

by Edmund Haworth -
I should really mention that these are only to be applied to the 1.5.2 release of moodle.

If you need to apply these to any other version of Moodle, ensure you view diff changes in the files specified between 1.5.2 and the version you wish to use; if we upgrade, I will no doubt release updated patches.

Last but not least, all patches are not guaranteed in any way, shape or form! I will try to support them, but I can't promise anything!