MNET authentication generates identity theft problem


by David Bogner -
Number of replies: 5

We have got the following configuration for our Moodle installations. We use one Moodle installation as Identity Provider (IdP). This instance is just used for storing all the user profiles. Then we have several remote instances. These are connected to the IdP instance.

Right now everything is fine, because on the IdP we use only manual authentication and e-mail-based self-registration. So all users stored in mdl_user have a unique username.

But that will change. We are going to activate LDAP user authentication on the IdP. That has as a consequence that the field username in mdl_user will not be unique anymore. Still no problem, because Moodle can handle that (identifying users by combining username and mnethostid or auth method).

But now to the problem: Having the same username for different users on the IdP will result in the following problem on remote hosts: In order to identify a user, Moodle uses 2 things

  • username
  • mnethostid
But there will now be different users, that fulfill these criteria. Example:


User A: username = myusername, authentication: LDAP

User B: username = myusername, authentication: local


These 2 users are still identified as 2 different users on the IdP, but will share a user account on the remote platform. Users who find out the username of an admin can now easily gain admin rights too.


We have about 25.000 users on our platform and the additional LDAP authentication will add 3000 more users. Any solution or workaround for this problem is highly appreciated. Link to the Moodle installation (IdP): http://onlinecampus-profil.virtuelle-ph.at/

In reply to David Bogner

Re: MNET authentication generates identity theft problem

by gabriel rosset -

Hi David,

I'm afraid you need to develop a patch for now.

Even if there is an event fired when an account is duplicated by MNet into a remote Moodle site (only in recent Moodle versions, see: https://tracker.moodle.org/browse/MDL-53401), this will not be enough to completely handle the MNet landing process.

In reply to David Bogner

Re: MNET authentication generates identity theft problem

by David Mudrák -

Still no problem, because Moodle can handle that (identifying users with combining username and mnethostid or auth method).

I don't think this is a right assumption. Moodle relies on "mnethostid + username" being unique. There is even a unique index in the users table created like that. The mnethostid is an identifier of the user's home server, a server acting as the user's IdP. So in your case all your LDAP users will have the same mnethostid, so they all have to have unique usernames.

In reply to David Mudrák

Re: MNET authentication generates identity theft problem

by David Bogner -
Thank you David and Gabriel. So the real problem will be combining LDAP authentication with existing e-mail-based self-registration and manual accounts. It is very likely that the newly connected LDAP system contains usernames which are identical to already existing usernames in Moodle.
So I will try to outline what happens, when we activate the LDAP authentication, where some of the usernames are the same.

  • Existing user in Moodle has auth method manual, username: myusername
  • LDAP user: does not have a Moodle account yet, as LDAP was activated later on and accounts are not synced
2 scenarios:
  1. Manual login is on top of the list in "Manage authentication" and will be used first for auth process
  2. LDAP login is used on top of the list in "Manage authentication" and will be used first for auth process

The result of the authentication process for these 2 scenarios would be

  1. User with manual login can log in. The LDAP user with the same username will never be able to log in.
  2. When the LDAP user tries to log in, will credentials be checked on the LDAP server, or will there first be a lookup in mdl_user to see if the user already has an account created in mdl_user? In that case this will not be different from 1.)
    If the auth process first checks credentials on LDAP and then tries to move the user data from LDAP to Moodle, then either the existing manual account will be overwritten, or there will be a conflict between the auth method of the manual user and the LDAP user.
So coming to a conclusion:
Activating LDAP after already having created Moodle-internal accounts is not possible without potentially having conflicting (identical) usernames.
What to do in such a situation?

The problem is, that the additional users connected via LDAP are users from a teachers network, that should use their LDAP accounts for authentication against a new Moodle instance, ideally connected to the existing IdP.

Right now I only see 2 solutions:

  1. Not connect LDAP and require all the users to create yet another account for Moodle
  2. Activate LDAP only on the Moodle platform the teachers network will use and not on the Moodle instance used as IdP (That will probably result in confused users, authenticating once with the IdP, another time with LDAP and then wondering where all the course enrollments have gone....)
  3. Not provide SSO for the new Moodle instance of the teachers network.
  4. Program some sort of workaround (username prefix, etc.)

Any other solution would be highly appreciated.


Kind regards,

David

In reply to David Bogner

Re: MNET authentication generates identity theft problem

by gabriel rosset -

Hi David,

I'm in a case quite close to yours. Personally I would recommend you to make a little local plugin which pre-synchronizes all your LDAP users into your Moodle IdP. Like this you would be able to completely define your user federation policy (merge a manual account with an LDAP account if necessary, or update the manual account's username, etc.)

This way all your LDAP users will be pre-recorded in your IdP and, for example, you could consider forbidding some of them to jump over MNet (see admin menu > Moodle Network > SSO access).

Hope this helps.

In reply to gabriel rosset

Re: MNET authentication generates identity theft problem

by David Bogner -

Hi Gabriel,

thank you for that advice. In fact I have discovered that it will be easier to manage: All the users of the LDAP authentication use the following username:

firstname.lastname@example.com

There are currently no users with a username containing @example.com. So the challenge will be to prevent manual accounts and e-mail-based self-registration accounts from using @example.com in their usernames. This guarantees unique usernames.

I just have to look at whether we modify the Moodle core a little bit or if the validation of newly created usernames can be overridden via a local plugin.

Kind regards,

David
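The two practical points raised in the thread, David Mudrák's observation that the IdP relies on (mnethostid, username) being unique, and the reserved-suffix policy from the last post, can be checked before LDAP is switched on. The script below is an added example for this thread, not Moodle code and not anything the posters published. It works on constructed stand-ins for mdl_user and the LDAP directory, and it makes one assumption about core behaviour that should be verified against the Moodle version in use: on login, Moodle first looks up the account by (mnet_localhost_id, username) and, if it exists, uses that account's own auth plugin rather than walking the "Manage authentication" order. The hypothetical `audit()` wrapper just bundles the checks.

```python
"""Pre-flight audit before enabling LDAP on a Moodle IdP (added example).

Constructed data stands in for mdl_user and the LDAP directory.
Assumptions, stated here and in the thread lead-in:
  * mdl_user has a unique index on (mnethostid, username);
  * on login, an existing account's own auth plugin handles the
    username regardless of plugin order (assumed core behaviour);
  * all LDAP usernames carry the reserved suffix used in the thread.
"""
from dataclasses import dataclass

LOCAL_MNETHOSTID = 1              # constructed id of the IdP's own mnet_host row
RESERVED_SUFFIX = "@example.com"  # suffix the LDAP usernames use in the thread


@dataclass(frozen=True)
class MoodleUser:
    username: str
    mnethostid: int
    auth: str  # 'manual', 'email', 'ldap', 'mnet', ...


# Constructed stand-in for mdl_user on the IdP.
EXISTING_USERS = [
    MoodleUser("myusername", LOCAL_MNETHOSTID, "manual"),
    MoodleUser("alice", LOCAL_MNETHOSTID, "email"),
    MoodleUser("bob", LOCAL_MNETHOSTID, "manual"),
    MoodleUser("myusername", 2, "mnet"),  # same name, remote home server: no clash
]

# Constructed stand-in for the LDAP directory about to be connected.
LDAP_USERNAMES = ["myusername", "alice", "carol.smith@example.com"]


def find_collisions(existing, ldap_usernames, mnethostid=LOCAL_MNETHOSTID):
    """Map each LDAP username that already exists under the IdP's own
    mnethostid with a non-LDAP auth method to that auth method.  These
    are the rows the unique index would refuse (or that a naive sync
    would silently take over).  Comparison is case-insensitive because
    Moodle lower-cases usernames."""
    by_key = {(u.mnethostid, u.username.lower()): u for u in existing}
    clashes = {}
    for name in ldap_usernames:
        hit = by_key.get((mnethostid, name.lower()))
        if hit is not None and hit.auth != "ldap":
            clashes[name] = hit.auth
    return clashes


def login_handler(existing, username, enabled_auths, mnethostid=LOCAL_MNETHOSTID):
    """Return the list of auth plugins that would be tried for a login.
    Assumption: an existing local account pins the username to its own
    plugin (empty list if that plugin is disabled); only unknown
    usernames are offered to the enabled plugins in configured order."""
    for u in existing:
        if u.mnethostid == mnethostid and u.username.lower() == username.lower():
            return [u.auth] if u.auth in enabled_auths else []
    return list(enabled_auths)


def username_allowed(username, auth, suffix=RESERVED_SUFFIX):
    """Reservation policy from the last post: LDAP accounts must carry the
    suffix, manual and self-registered accounts must not, so the two
    populations can never share a (mnethostid, username) key."""
    has_suffix = username.lower().endswith(suffix)
    return has_suffix if auth == "ldap" else not has_suffix


def audit(existing=EXISTING_USERS, ldap_usernames=LDAP_USERNAMES):
    """Bundle the checks into one report (hypothetical helper)."""
    clashes = find_collisions(existing, ldap_usernames)
    return {
        "collisions": clashes,
        # Under the login assumption above, these LDAP users could never
        # log in: the existing account's plugin owns the username.
        "ldap_locked_out": sorted(clashes),
        "ldap_names_ok_under_policy": [
            n for n in ldap_usernames if username_allowed(n, "ldap")
        ],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run against the constructed data it reports `myusername` (manual) and `alice` (email) as collisions, while the `myusername` owned by mnethostid 2 is ignored because it belongs to a different home server. Note that `username_allowed` rejects `myusername` and `alice` as LDAP names: under the suffix policy only `carol.smith@example.com` is valid, which is exactly why that policy removes the clash.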