NTLM SSO

by Alek Steva -
Number of replies: 9

Dear all,

Let me first emphasize that I'm new to the Linux and Moodle community, so pardon my lack of the respective knowledge.

Despite all of that, I have to enable NTLM SSO on top of a previously (successfully) enabled LDAP setup on Moodle.

So my environment consists of:

1. Windows AD

2. Moodle 2.9 on an Ubuntu 14.04 server with LAMP, added to AD via Centrify Express.

As I mentioned, LDAP is working, and for the NTLM SSO I've tried the following settings:

  • LDAP User attribute: samaccountname
  • NTLM SSO: enable: Yes, subnet: local subnet 192.168.1.0/24, MS IE fast path: Attempt NTLM with all browsers, Authentication: NTLM, Remote username format: blank.

I've followed the NTLM authentication document https://docs.moodle.org/30/en/NTLM_authentication (tried to follow the "Using the NTLM part of Samba for Apache on Linux" part as best I can), but unfortunately SSO is not working.

I've tried a PHP script, mentioned somewhere in the forum, which says "NTLM is not working".

Is it to do with the fact that I've used Centrify, or shall I start troubleshooting with something else?

Thank you very much for your kind help to a Linux & Moodle novice.

In reply to Alek Steva

Re: NTLM SSO

by Dave Perry -

If a reliable test script failed, it's probably your web server configuration that isn't correct. I had to get some help internally making it work under Apache for Windows, someone else found the magic <Location> lines. I could grab and share them, but I believe you need a different Apache module for Linux-based SSO.

In reply to Dave Perry

Re: NTLM SSO

by Alek Steva -

Regarding Apache on Ubuntu 14.04, I've done the following:

1. apache2.conf has:

<IfModule !mod_auth_ntlm_winbind.c>
    LoadModule auth_ntlm_winbind_module /usr/lib/apache2/modules/mod_auth_ntlm_winbind.so
</IfModule>

<Directory "/var/www/moodle/auth/ldap/">
    <Files ntlmsso_magic.php>
        NTLMAuth on
        AuthType NTLM
        AuthName "Moodle NTLM Authentication"
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        NTLMBasicAuthoritative on
        require valid-user
    </Files>
</Directory>


2. smb.conf has:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of

workgroup = dom
password server = *
security = domain
realm = dom.com
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2

3. wbinfo -u
Error looking up domain users
wbinfo -g
failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
Error looking up domain groups

Based on given info, what could I do next in order to troubleshoot the root of the problem?

Thanks a lot!
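The two wbinfo errors above say that winbindd itself is not answering, which is upstream of anything Apache does. The following pre-flight script is an added example, not from the thread or the Moodle documentation: it maps a wbinfo error line to the failing component and then walks the chain mod_auth_ntlm_winbind depends on (winbindd reachable, domain trust secret, ntlm_auth helper present, Apache module loaded). It assumes the helper path /usr/bin/ntlm_auth from the configuration posted above; the check that www-data belongs to the winbindd_priv group reflects the Debian/Ubuntu packaging convention for access to the privileged winbindd socket and is an assumption here, not something the thread states.

```sh
#!/bin/sh
# Added example: pre-flight checks for the mod_auth_ntlm_winbind -> ntlm_auth -> winbindd chain.
# Every check prints PASS/FAIL/SKIP/WARN and never aborts, so it can be run as-is on any host.

# Map one wbinfo error line (as pasted in the thread) to the component that is failing.
classify_wbinfo_error() {
    case "$1" in
        *WBC_ERR_WINBIND_NOT_AVAILABLE*)
            echo "winbindd not reachable: daemon not running or its socket is not accessible" ;;
        *WBC_ERR_DOMAIN_NOT_FOUND*)
            echo "domain unknown to winbindd: check workgroup/realm in smb.conf" ;;
        *"Error looking up domain"*)
            echo "lookup failed without a wbclient code: check winbindd status and the domain join (net ads testjoin)" ;;
        *)
            echo "unrecognised: $1" ;;
    esac
}

# Run one command as a named check; SKIP when the tool is not installed at all.
check() {
    name=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "SKIP $name ($1 not installed)"; return 0
    fi
    if "$@" >/dev/null 2>&1; then echo "PASS $name"; else echo "FAIL $name"; fi
}

ntlm_preflight() {
    helper=${NTLM_HELPER:-/usr/bin/ntlm_auth}   # path used in the Apache stanza above (assumed)
    check "winbindd reachable (wbinfo -p)" wbinfo -p
    check "domain trust secret (wbinfo -t)" wbinfo -t
    if [ -x "$helper" ]; then
        echo "PASS helper present: $helper"
    else
        echo "FAIL helper missing or not executable: $helper"
    fi
    # Assumption: on Debian/Ubuntu the web server user needs the winbindd_priv group
    # to reach winbindd's privileged socket that ntlm_auth uses.
    if id -nG www-data 2>/dev/null | tr ' ' '\n' | grep -qx winbindd_priv; then
        echo "PASS www-data is in winbindd_priv"
    else
        echo "WARN www-data not in winbindd_priv (or user absent): ntlm_auth may be refused socket access"
    fi
    if command -v apache2ctl >/dev/null 2>&1; then
        if apache2ctl -M 2>/dev/null | grep -q auth_ntlm_winbind; then
            echo "PASS auth_ntlm_winbind module loaded"
        else
            echo "FAIL auth_ntlm_winbind module not loaded (a2enmod auth_ntlm_winbind)"
        fi
    else
        echo "SKIP apache2ctl not installed"
    fi
    return 0
}

# Usage: interpret the pasted error, then run the live checks.
classify_wbinfo_error "failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE"
ntlm_preflight
```

Run it as root on the Moodle host; a FAIL on the first two lines means Samba/winbind must be fixed (domain join, winbindd service) before any Apache setting matters, because ntlm_auth cannot validate a single NTLM token without a working winbindd.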

In reply to Alek Steva

Re: NTLM SSO

by Sam Stevens -

What exactly does the test script return? I seem to remember one (that I can't find now unfortunately) that returned how the user login string was being presented by the LDAP server.

This then leads to what you put in Remote Username Format: you have that as blank; I had to change ours to %domain%\%username% to get it to work.

If your script doesn't do that, post its content and I will see if I can remember how to tweak it to return that.

In reply to Sam Stevens

Re: NTLM SSO

by Alek Steva -

Hello,

Here's the script:

<?php
// Prints the user name that mod_auth_ntlm_winbind placed in REMOTE_USER,
// or a failure message when the module did not authenticate the request.
if (!empty($_SERVER['REMOTE_USER'])) {
    // Escape the value before echoing it into HTML.
    echo "<p>NTLM authentication seems to be working. User: "
        . htmlspecialchars($_SERVER['REMOTE_USER'], ENT_QUOTES, 'UTF-8') . "</p>";
} else {
    echo '<p>NTLM is not working</p>';
}
?>

Thanks a lot!

In reply to Alek Steva

Re: NTLM SSO

by Sam Stevens -
Ah, so NTLM is not working.

Just re-read your post. You say it is, then that it isn't. It isn't.

Check the steps on this https://docs.moodle.org/30/en/NTLM_authentication#Using_the_NTLM_part_of_Samba_for_Apache_on_Linux and make sure you installed cifs-utils, not smbfs, as in your version of Ubuntu it is cifs-utils now. So the commands would be:

sudo apt-get install php5-ldap libapache2-mod-auth-ntlm-winbind winbind cifs-utils smbclient samba
sudo a2enmod auth_ntlm_winbind
sudo /etc/init.d/apache2 restart

Then follow on from "Once you have compiled...".

Not done it myself on that setup, but if LDAP for user creation is working you are already halfway there, so it should be possible.


I wish I could find the damn script I had for LDAP testing. It returned much more detail than "Working" / "Not Working".

In reply to Sam Stevens

Re: NTLM SSO

by Alek Steva -

Tried again with a new Moodle installation (joined the domain by net join instead of Centrify), but without success.

At least, wbinfo -g pulls all domain users, which was not the case on previous Moodle install.

The PHP script again returns "NTLM is not working".

I'm running out of ideas. I would hate to use Lync/SharePoint instead of the Moodle/BBB combo.

Thanks anyway...

In reply to Sam Stevens

Re: NTLM SSO

by Alek Steva -

Is there a YouTube step-by-step tutorial on how to properly set up NTLM SSO on an Apache web server and Ubuntu Moodle server?

Tried to find it, but to no avail.

In reply to Alek Steva

Re: NTLM SSO

by Mike Alavi -

Hi Alek,

In order to test NTLM using the test script, you need to add your test script to apache2.conf:

<Directory "/var/www/Path on your server/auth/ldap/">
    <Files test.php>
        NTLMAuth on
        AuthType NTLM
        AuthName "Moodle NTLM Authentication"
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        NTLMBasicAuthoritative on
        require valid-user
    </Files>
</Directory>

The first thing to test is the LDAP connection; you can use ldp.exe to see if you can bind and connect to your AD using the same account that you are using in Moodle.

In reply to Mike Alavi

Re: NTLM SSO

by Alek Steva -

Thanks Mike,

Now it's working!

It was altogether my fault. As you mentioned the path to the Moodle server, I double checked it and saw the mistake: I forgot to include the /html/ folder in "path to moodle server", so it should be:

<Directory "/var/www/html/moodle/auth/ldap/">
    <Files ntlmsso_magic.php>...

instead of

<Directory "/var/www/moodle/auth/ldap/">

Sorry again to everyone, because of my mistake.

Thanks to all, regards, Alex
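The root cause in this thread was a `<Directory>` path in apache2.conf that did not match where ntlmsso_magic.php actually lived, so Apache never applied the NTLM stanza and the script silently reported "not working". The script below is an added example, not from the thread or from Moodle: it reads an NTLM stanza, checks that every `<Directory>`/`<Files>` target exists on disk, and warns if the NTLMAuthHelper binary is not executable. The optional root-prefix parameter and the staging tree built by demo_path_check are constructed for the demonstration; on a real server call check_ntlm_paths with just the config path.

```sh
#!/bin/sh
# Added example: verify that the paths in an Apache NTLM stanza exist on disk.
# check_ntlm_paths CONF [ROOT]  -> 0 when every <Directory>/<Files> target exists,
#                                  1 otherwise. ROOT (assumed, optional) is prepended
#                                  to each path so the check can run on a staging tree.
check_ntlm_paths() {
    conf=$1; root=${2:-}
    rc=0; dir=""
    while IFS= read -r line; do
        case "$line" in
            *"<Directory "*)
                dir=$(printf '%s\n' "$line" | sed -n 's/.*<Directory *"\([^"]*\)".*/\1/p')
                dir=${dir%/}
                if [ -d "$root$dir" ]; then
                    echo "OK   directory exists: $dir"
                else
                    echo "FAIL directory missing: $dir"; rc=1
                fi ;;
            *"<Files "*)
                f=$(printf '%s\n' "$line" | sed -n 's/.*<Files *\([^> ]*\)>.*/\1/p')
                if [ -f "$root$dir/$f" ]; then
                    echo "OK   file exists: $dir/$f"
                else
                    echo "FAIL file missing: $dir/$f"; rc=1
                fi ;;
            *NTLMAuthHelper*)
                helper=$(printf '%s\n' "$line" | sed -n 's/.*NTLMAuthHelper *"\([^" ]*\).*/\1/p')
                if [ -x "$root$helper" ]; then
                    echo "OK   helper executable: $helper"
                else
                    echo "WARN helper not executable here: $helper"
                fi ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed demo: the file lives under /var/www/html/moodle (as in the fix above),
# while the first stanza still points at /var/www/moodle (as in the original post).
demo_path_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/www/html/moodle/auth/ldap"
    : > "$tmp/var/www/html/moodle/auth/ldap/ntlmsso_magic.php"
    cat > "$tmp/wrong.conf" <<'EOF'
<Directory "/var/www/moodle/auth/ldap/">
    <Files ntlmsso_magic.php>
        NTLMAuth on
        AuthType NTLM
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        require valid-user
    </Files>
</Directory>
EOF
    sed 's#/var/www/moodle#/var/www/html/moodle#' "$tmp/wrong.conf" > "$tmp/right.conf"
    if check_ntlm_paths "$tmp/wrong.conf" "$tmp"; then wrong=0; else wrong=1; fi
    if check_ntlm_paths "$tmp/right.conf" "$tmp"; then right=0; else right=1; fi
    rm -rf "$tmp"
    echo "wrong=$wrong right=$right"
}

demo_path_check
```

A `<Directory>` block that matches nothing on disk is not an error for Apache, which is why nothing in the error log pointed at it; a check like this belongs in whatever step deploys the config, so a wrong DocumentRoot prefix is caught before the first login attempt.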