LDAP & NTLM for SSO

by Stephan Tedesco -
Number of replies: 2

We are planning to use Moodle in our DMZ.

Before that, we configured only LDAP in our intranet, so we can test the user data.

My questions are:

  1. We are importing users from AD into the Moodle in the DMZ through LDAP. What should we ensure so that the user data import works?
    1. Which ports?
    2. What are the most common problems? (We have Moodle 2.9, AD & Red Hat.)
  2. For the SSO & NTLM: should we be aware of problems when we are in the DMZ?

Thank you for the feedback, as we are trying this for the first time. 

Regards,

S.

In reply to Stephan Tedesco

Re: LDAP & NTLM for SSO

by Dave Perry -

For SSO to work, you still need the server in AD.

Whilst you can find out the firewall ports needed to make this work, it is a VERY bad idea - if your server is compromised, the fact it can talk to AD (and NTLM for SSO) means that someone could roam around your network and you may not have a clue.

We had to move our server out of the DMZ to make SSO work internally, on the above security grounds. We then use a Reverse Proxy to publish the site.

Note, when our server was in the DMZ we just had an LDAP lookup to AD - which was deemed acceptable and necessary.
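The first question above asked which ports the DMZ host needs for the plain LDAP lookup Dave describes. The following is an added pre-flight check written for this thread, not code from Moodle or from either poster: it parses the value of the auth_ldap "LDAP server" setting (Moodle accepts several URLs separated by ";") and reports, for each directory server, whether the port is reachable from the DMZ host. The default ports 389 (ldap) and 636 (ldaps) are the standard LDAP ports; the 3268/3269 Global Catalog mapping is an assumption about AD, not something the thread states, and the hostnames in the sample setting are constructed placeholders.

```python
"""Pre-flight connectivity check for Moodle auth_ldap from a DMZ host.

Added example for this forum thread; not Moodle code. It tells you whether
the firewall lets the DMZ host reach each LDAP server at all, which is the
first thing to rule out when the user import silently returns nothing.
"""
import socket
from urllib.parse import urlsplit

# Standard ports for the two URL schemes the Moodle LDAP plugin accepts.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Assumption (AD-specific, not stated in the thread): the Global Catalog
# listens on these ports when you query the whole forest instead of one domain.
GLOBAL_CATALOG_PORTS = {389: 3268, 636: 3269}


def parse_host_url(setting):
    """Split the auth_ldap host_url setting into (scheme, host, port) tuples.

    Accepts 'ldap://dc1.example.com; ldaps://dc2.example.com:636'.
    A bare 'host' or 'host:port' without a scheme is treated as plain ldap.
    """
    targets = []
    for raw in setting.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if "://" not in raw:
            raw = "ldap://" + raw
        parts = urlsplit(raw)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            raise ValueError("unsupported scheme in %r" % raw)
        port = parts.port or DEFAULT_PORTS[scheme]
        targets.append((scheme, parts.hostname, port))
    return targets


def check_port(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the outcome.

    Returns one of 'open', 'refused', 'timeout', 'unreachable', 'unresolved'.
    From inside a DMZ, 'timeout' almost always means the firewall drops the
    flow; 'refused' means the flow is allowed but nothing listens on that port.
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
                                      socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, sockaddr = addrinfo[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"  # e.g. no route to host
    finally:
        sock.close()


def run_checks(setting, timeout=3.0, global_catalog=False):
    """Check every server in the setting; optionally also its GC port."""
    results = []
    for scheme, host, port in parse_host_url(setting):
        ports = [port]
        if global_catalog and port in GLOBAL_CATALOG_PORTS:
            ports.append(GLOBAL_CATALOG_PORTS[port])
        for p in ports:
            results.append({"scheme": scheme, "host": host, "port": p,
                            "status": check_port(host, p, timeout)})
    return results


if __name__ == "__main__":
    # Constructed sample; paste the real value from Site administration >
    # Plugins > Authentication > LDAP server > "LDAP server" instead.
    SAMPLE_SETTING = "ldap://dc1.example.com; ldaps://dc2.example.com"
    for r in run_checks(SAMPLE_SETTING, global_catalog=True):
        print("%-5s %-22s %5d  %s" % (r["scheme"], r["host"],
                                      r["port"], r["status"]))
```

A status of "open" only proves the firewall passes the flow; bind credentials, the search base and (for ldaps or STARTTLS) the certificate chain still have to be verified separately, for example with ldapsearch from the same host.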

In reply to Dave Perry

Re: LDAP & NTLM for SSO

by Stephan Tedesco -

Hi Dave, 


First, thanks for the answer. We configured it and it also works fine in the DMZ. The only problem is that the SSO works only with IE; with Chrome and Firefox it shows something like "Server error... has to be fixed by the server administrator". 

Is there something special for fixing Chrome and SSO? We are running RHEL 7 on the server. 


Thanks.

S.