Authentication

LDAP NTLM SSO Queries (Moodle 2.6)

 
Picture of Chris Chapman
LDAP NTLM SSO Queries (Moodle 2.6)
 

Hi all, 

We've just configured our moodle install to use LDAP SSO, following the instructions in the Moodle Docs page http://docs.moodle.org/26/en/NTLM_authentication

All appeared fine and dandy on initial testing. However I was expecting it to work differently once we put all our IP/Subnet masks. Correct me If i'm wrong, but me and the network admin, were under the assumption that once users goto the moodle home page they would automatically be logged in if they were within the subnet, without having to click login.

also - for users working outside of the subnet, that it should not attempt SSO?- it seems to loop and not ever give you a chance to enter credentials or present with the original login page. 


Is there some setting I'm missing, please advise, or is this how it's supposed to work?

 
Average of ratings: -
Picture of Dave Perry
Re: LDAP NTLM SSO Queries (Moodle 2.6)
Particularly helpful MoodlersTesters

From memory (looked at this a few months back, then decided Shibboleth would be smarter for us):

  • It doesn't SSO you when you hit the homepage - you have to hit wwwroot/login/ for it to try SSO if it picks up you're in the right subnet.
  • If it fails, you should get the option to login manually (a link to the form).
  • Bear in mind there is a link to skip the SSO login (you need this to login as admin and any manual user):
    http://yoursite/login/index.php?authldap_skipntlmsso=1

HTH

 

 
Average of ratings: Useful (1)
Picture of Chris Chapman
Re: LDAP NTLM SSO Queries (Moodle 2.6)
 

Hi David thanks for the response,  

The problem is that the SSO, tries regardless whether their in the subnet or not, and the /login/index.php?authldap_skipntlmsso=1 doesnt seem to bypass the SSO attempt and doesn't present with the traditional login screen. What is the url of the traditional login screen?

At the moment it's fine if your in the subnet and get logged in, but external is a right pain, with the SSO loop and no bypass link or alternate login form working.


once I've worked this out, I guess I can use the 'Force Login' in Site policies, to redirect users to  wwwroot/login/, don't wanna do that till I've got the alternate login working properly though!!

Thanks, anybody else got any ideas?

 
Average of ratings: -
Picture of Chris Chapman
Re: LDAP NTLM SSO Queries (Moodle 2.6)
 

Just tested again on my Mac (see image), (not in subnet) and when I click login, it brings up the login box, over the top of ntlmsso_attempt, which is looping with ntlmsso_finish  while I try and login manually, I click login and nothing happens, just tries the sso and fails and loops over and over, 

I've also tried loading up the https://vle.exe-coll.ac.uk/vle/login/index.php?authldap_skipntlmsso=1 which gives the same result,  

weird, surely it should stop attempting and looping, and either redirect to a login page or let me login with the manual box provided?


 
Average of ratings: -
Picture of Dave Perry
Re: LDAP NTLM SSO Queries (Moodle 2.6)
Particularly helpful MoodlersTesters

How is your moodle site published? We put our (internal server in the AD domain) test one through Forefront, and it didn't have any weird behaviour.

The FFTMG settings I couldn't tell, you our admins did that (and when he tried to do a settings export it wasn't a nice XML thing so we couldn't be sure it was free of sensitive information, hence not sharing it).

 
Average of ratings: -
Picture of Chris Chapman
Re: LDAP NTLM SSO Queries (Moodle 2.6)
 

We tried to get it to run behind FFTMG before to no avail, (or should I say the Systems Admin team did, before I arrived at Exeter) It is an internal virtual server (I believe to be in the AD domain). 

Anyway, we managed to fix the problem- such a small thing, moodle was being fussy about the subnets format when we entered them as xxx.xx.x.x/255.255.0, etc so instead I thought I'd give a stab at entering them as CIDR notation, bingo all working fine!

Have set the Site Policy to 'Force Login' therefore any moodle page that is loaded, it starts the NTLM auth process and either logs you in, or redirects to the default login/index.php!


it's always the overlooked small things isnt it!


Thanks though.


 
Average of ratings: -
Picture of Dave Perry
Re: LDAP NTLM SSO Queries (Moodle 2.6)
Particularly helpful MoodlersTesters

Glad you found something that worked

For the purposes of archive, on ours (10. at the start of all our workstations/internal servers, beyond that based on site, server etc) we used 10.0.0.0/8 for the subnets for NTLM to be triggered by setting.

 
Average of ratings: -