LDAP NTLM SSO Queries (Moodle 2.6)

by Chris Chapman -
Number of replies: 6

Hi all, 

We've just configured our moodle install to use LDAP SSO, following the instructions in the Moodle Docs page http://docs.moodle.org/26/en/NTLM_authentication

All appeared fine and dandy on initial testing. However, I was expecting it to work differently once we put in all our IP/subnet masks. Correct me if I'm wrong, but the network admin and I were under the assumption that once users go to the moodle home page they would automatically be logged in if they were within the subnet, without having to click login.

Also - for users working outside of the subnet, it should not attempt SSO? It seems to loop and never give you a chance to enter credentials or present the original login page.


Is there some setting I'm missing? Please advise, or is this how it's supposed to work?

In reply to Chris Chapman

Re: LDAP NTLM SSO Queries (Moodle 2.6)

by Dave Perry -

From memory (looked at this a few months back, then decided Shibboleth would be smarter for us):

  • It doesn't SSO you when you hit the homepage - you have to hit wwwroot/login/ for it to try SSO if it picks up you're in the right subnet.
  • If it fails, you should get the option to login manually (a link to the form).
  • Bear in mind there is a link to skip the SSO login (you need this to login as admin and any manual user):
    http://yoursite/login/index.php?authldap_skipntlmsso=1

HTH

In reply to Dave Perry

Re: LDAP NTLM SSO Queries (Moodle 2.6)

by Chris Chapman -

Hi David, thanks for the response.

The problem is that the SSO tries regardless of whether they're in the subnet or not, and /login/index.php?authldap_skipntlmsso=1 doesn't seem to bypass the SSO attempt and doesn't present the traditional login screen. What is the URL of the traditional login screen?

At the moment it's fine if you're in the subnet and get logged in, but external is a right pain, with the SSO loop and no bypass link or alternate login form working.


Once I've worked this out, I guess I can use 'Force Login' in Site policies to redirect users to wwwroot/login/. Don't wanna do that till I've got the alternate login working properly though!!

Thanks, anybody else got any ideas?

In reply to Chris Chapman

Re: LDAP NTLM SSO Queries (Moodle 2.6)

by Chris Chapman -

Just tested again on my Mac (see image), not in the subnet. When I click login, it brings up the login box over the top of ntlmsso_attempt, which is looping with ntlmsso_finish while I try to log in manually. I click login and nothing happens; it just tries the SSO, fails and loops over and over.

I've also tried loading https://vle.exe-coll.ac.uk/vle/login/index.php?authldap_skipntlmsso=1, which gives the same result.

Weird. Surely it should stop attempting and looping, and either redirect to a login page or let me log in with the manual box provided?

Attachment ntlmsso_attempt-despite-external.png
In reply to Chris Chapman

Re: LDAP NTLM SSO Queries (Moodle 2.6)

by Dave Perry -

How is your moodle site published? We put our test one (an internal server in the AD domain) through Forefront, and it didn't have any weird behaviour.

The FFTMG settings I couldn't tell you; our admins did that (and when he tried to do a settings export it wasn't a nice XML thing, so we couldn't be sure it was free of sensitive information, hence not sharing it).

In reply to Dave Perry

Re: LDAP NTLM SSO Queries (Moodle 2.6)

by Chris Chapman -

We tried to get it to run behind FFTMG before to no avail (or should I say the Systems Admin team did, before I arrived at Exeter). It is an internal virtual server (which I believe to be in the AD domain).

Anyway, we managed to fix the problem - such a small thing. Moodle was being fussy about the subnet format when we entered them as xxx.xx.x.x/255.255.0, etc., so instead I thought I'd give it a stab entering them in CIDR notation. Bingo, all working fine!

Have set the Site Policy to 'Force Login', therefore any moodle page that is loaded starts the NTLM auth process and either logs you in, or redirects to the default login/index.php!


It's always the overlooked small things, isn't it!


Thanks though.


In reply to Chris Chapman

Re: LDAP NTLM SSO Queries (Moodle 2.6)

by Dave Perry -

Glad you found something that worked.

For the purposes of archive, on ours (10. at the start of all our workstations/internal servers, beyond that based on site, server etc) we used 10.0.0.0/8 for the subnets for NTLM to be triggered by setting.
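The two points above (a three-octet mask like xxx.xx.x.x/255.255.0 being rejected while CIDR such as 10.0.0.0/8 works, and SSO only being attempted for clients inside a listed subnet) can be checked before touching the Moodle setting. The following is an added example, not Moodle's own code: it validates a comma-separated subnet list the way an admin would expect the "NTLM SSO subnet" field to be read, reports entries that cannot be parsed instead of silently dropping them, and decides whether a client address should trigger the SSO attempt. The sample entries and client addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample values for a comma-separated subnet setting.
# The thread reports that a mask written with three octets was refused,
# while the same networks written as CIDR were accepted.
BAD_ENTRY = "172.16.0.0/255.255.0"          # constructed: malformed 3-octet netmask
GOOD_ENTRIES = "172.16.0.0/16, 10.0.0.0/8"  # constructed: CIDR form, as in the fix


def parse_subnet_list(setting: str):
    """Split a comma-separated subnet setting into (valid_networks, rejected).

    Accepts CIDR ("10.0.0.0/8") and full dotted netmasks ("10.0.0.0/255.0.0.0").
    Anything the ipaddress module cannot parse is returned with its error text
    so a misconfigured entry is visible rather than quietly ignored.
    """
    valid, rejected = [], []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in the address part.
            valid.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return valid, rejected


def should_attempt_sso(client_ip: str, setting: str) -> bool:
    """True only when client_ip lies inside at least one valid listed subnet.

    A client outside every subnet (e.g. an external user) gets False, which
    is the case where the manual login form should be shown instead.
    """
    networks, _ = parse_subnet_list(setting)
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def check_setting(setting: str) -> str:
    """Summarise a setting: how many entries parsed and which were rejected."""
    networks, rejected = parse_subnet_list(setting)
    lines = [f"{len(networks)} valid subnet(s): {', '.join(map(str, networks))}"]
    for entry, reason in rejected:
        lines.append(f"REJECTED {entry!r}: {reason}")
    return "\n".join(lines)
```

Running `check_setting(BAD_ENTRY)` shows the malformed mask being rejected, while `check_setting("172.16.0.0/255.255.0.0")` parses the same network once the mask has four octets.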