We have got the following configuration for our Moodle installations. We use one Moodle installation as Identity Provider (IdP). This instance is just used for storing all the user profiles. Then we have several remote instances. These are connected to the IdP instance.
Right now everything is fine, because on the IdP we use only manual authentication and e-mail-based self-registration. So all users stored in mdl_user have a unique username.
But that will change. We are going to activate LDAP user authentication on the IdP. That has the following consequence: the field username in mdl_user will not be unique anymore. Still no problem, because Moodle can handle that (identifying users by combining username and mnethostid or auth method).
But now to the problem: having the same username for different users on the IdP will result in the following problem on remote hosts. In order to identify a user, Moodle uses 2 things:
- username
- mnethostid
But there will now be different users that fulfill these criteria. Example:
User A: username = myusername, authentication: LDAP
User B: username = myusername, authentication: local
These 2 users are still identified as 2 different users on the IdP, but will share a user account on the remote platform. Users who find out the username of an admin can now easily gain admin rights too.
We have about 25.000 users on our platform and the additional LDAP authentication will add 3000 more users. Any solution or workaround for this problem is highly appreciated. Link to the Moodle installation (IdP): http://onlinecampus-profil.virtuelle-ph.at/
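As an added pre-activation audit (example code written for this post, not from the original poster or from Moodle itself), the script below models the remote host's lookup key (username, mnethostid) described above and reports which IdP accounts would share one remote identity, plus which incoming LDAP uids would collide with existing non-LDAP accounts; the user rows and LDAP uids are constructed samples, and the column names username, mnethostid and auth are assumed to match mdl_user.

```python
# Added audit script (not Moodle code): preview MNet identity collisions
# before LDAP authentication is enabled on the IdP.
from collections import defaultdict

# Constructed sample of mdl_user rows on the IdP (assumed columns:
# username, mnethostid, auth). Ids, names and host id are made up.
IDP_USERS = [
    {"id": 2, "username": "admin", "mnethostid": 1, "auth": "manual"},
    {"id": 17, "username": "myusername", "mnethostid": 1, "auth": "manual"},
    {"id": 18, "username": "myusername", "mnethostid": 1, "auth": "ldap"},
    {"id": 19, "username": "jdoe", "mnethostid": 1, "auth": "email"},
]

# Constructed sample of uids the LDAP directory would bring in.
LDAP_UIDS = ["admin", "jdoe", "newperson"]


def remote_identity_collisions(users):
    """Group IdP accounts by the key a remote host uses, (username, mnethostid),
    and return only the keys that map to more than one IdP account."""
    by_key = defaultdict(list)
    for u in users:
        by_key[(u["username"], u["mnethostid"])].append((u["id"], u["auth"]))
    return {key: accounts for key, accounts in by_key.items() if len(accounts) > 1}


def preview_ldap_collisions(users, ldap_uids, mnethostid=1):
    """Before enabling LDAP: list incoming LDAP uids that already exist on the
    IdP as a non-LDAP account with the same mnethostid (future collisions)."""
    existing = {(u["username"], u["mnethostid"]) for u in users if u["auth"] != "ldap"}
    return sorted(uid for uid in ldap_uids if (uid, mnethostid) in existing)


if __name__ == "__main__":
    for key, accounts in remote_identity_collisions(IDP_USERS).items():
        print(f"{key}: one remote identity for IdP accounts {accounts}")
    print("LDAP uids that would collide:", preview_ldap_collisions(IDP_USERS, LDAP_UIDS))
```

Any uid listed by preview_ldap_collisions should be renamed or mapped on one side before LDAP goes live, since after activation those accounts become indistinguishable on every remote host.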