Single Sign On with Novell eDirectory.

by Peter Atalla -
Number of replies: 14

Hi Everyone,

I know that this is an obscure request and I'm not expecting much but here goes.

We are using LDAP Authentication back to a Novell Server and it is working great but we would really really like to do away with the moodle login screen.  Is there some secure way to verify who is logged into the workstation and log them into moodle in a Novell environment?

I have been searching the forums for days and have only been able to find the Active Directory/NTLM solution and was wondering if anyone has been able to achieve this with Netware.

Cheers,

Peter.

In reply to Peter Atalla

Re: Single Sign On with Novell eDirectory.

by Andy Diament -

Hi

These are our settings, for LDAP

Settings

LDAP server settings

ldap_host_url: Specify LDAP host in URL-form like 'ldap://ldap.myorg.com/' or 'ldaps://ldap.myorg.com/'. Separate multiple servers with ';' to get failover support.
ldap_version: [2 | 3] The version of the LDAP protocol your server is using.

Bind settings

ldap_preventpassindb: [No | Yes] Select yes to prevent passwords from being stored in Moodle's DB.
ldap_bind_dn: If you want to use a bind-user to search users, specify it here. Something like 'cn=ldapuser,ou=public,o=org'
ldap_bind_pw: Password for bind-user.

User lookup settings

ldap_user_type: [Novell Edirectory | posixAccount (rfc2307) | posixAccount (rfc2307bis) | sambaSamAccount (v.3.0.7) | MS ActiveDirectory] Select how users are stored in LDAP. This setting also specifies how login expiration, grace logins and user creation will work.
ldap_contexts: List of contexts where users are located. Separate different contexts with ';'. For example: 'ou=users,o=org; ou=others,o=org'
ldap_search_sub: [No | Yes] Search users from subcontexts.
ldap_opt_deref: [Choose... | No | Yes] Determines how aliases are handled during search. Select one of the following values: "No" (LDAP_DEREF_NEVER) or "Yes" (LDAP_DEREF_ALWAYS)
ldap_user_attribute: Optional: Overrides the attribute used to name/search users. Usually 'cn'.
ldap_memberattribute: Optional: Overrides the user member attribute, when users belong to a group. Usually 'member'.
ldap_objectclass: Optional: Overrides the objectClass used to name/search users on ldap_user_type. Usually you don't need to change this.

Force change password

Force change password: [No | Yes]

Force users to change password on their first login to Moodle.

Use standard Change Password Page: [No | Yes]

If the external authentication system allows password changes through Moodle, switch this to Yes. This setting overrides 'Change Password URL'.

NOTE: It is recommended that you use LDAP over an SSL encrypted tunnel (ldaps://) if the LDAP server is remote.

LDAP password expiration settings.

ldap_expiration: [No | LDAP] Select No to disable expired password checking or LDAP to read the password expiration time directly from LDAP.
ldap_expiration_warning: Number of days before password expiration warning is issued.
ldap_exprireattr: Optional: overrides the LDAP attribute that stores the password expiration time (field shows: passwordExpirationTime).
ldap_gracelogins: [No | Yes] Enable LDAP grace login support. After the password has expired the user can log in until the grace login count is 0. Enabling this setting displays a grace login message if the password is expired.

We couldn't have got working without help in these forums - I know it has been discussed.

Works very well for us.

Andy D

In reply to Andy Diament

Re: Single Sign On with Novell eDirectory.

by Peter Atalla -

Andy,

Thanks so much for the reply.  I am having trouble reading the settings on your post; there doesn't appear to be any settings listed, just the settings page.  Not sure what has happened here.

Also, do these settings enable automatic login to your moodle site without having to enter a username and password at the moodle login screen if they are already logged into Novell on the computer?  I.e. if they login to the computer with their Novell credentials and click on the moodle internet shortcut, will it automatically log them into moodle without them having to type a username and password again?

LDAP is working fine here, it's just that we want Single Sign On functionality.

Thanks again,

Peter.

In reply to Peter Atalla

Re: Single Sign On with Novell eDirectory.

by Andy Diament -
Sorry, misread what you wanted. These were meant to be the settings for LDAP, but we are not using a single sign on, just normal LDAP authentication.

Andy D
In reply to Peter Atalla

Re: Single Sign On with Novell eDirectory.

by Dan Marsden -
Hi Peter,

Might be a hard one to solve! - you don't have an NT domain that you could synch to that is running a copy of your Novell tree do you?

My guess is for this to work the web server must be running under Novell and the client must have the Novell Client installed - there may be a DLL around somewhere that will interrogate the Client on a workstation and pass that info to the server!... maybe... even if there is, good luck finding the documentation!

let us know if you find anything interesting! - there are a few people here with Novell environments!

Dan

In reply to Dan Marsden

Re: Single Sign On with Novell eDirectory.

by Peter Atalla -

Dan,

Thanks for the reply.

It is going to be a hard one to solve but would make a world of difference if I can get it to work.

I will attack this in a little while when I get some free time and hopefully come up with something.

Regards,

Peter.

In reply to Peter Atalla

Re: Single Sign On with Novell eDirectory.

by Martín Langhoff -
Hi Peter,

this depends on the authentication scheme that your desktop OS is using. We have done this for some clients in the NZ govt space that use eDirectory and Windows clients. Catalyst IT might be able to help (and possibly come up with a generic solution we can put in auth/ldap).
In reply to Martín Langhoff

Re: Single Sign On with Novell eDirectory.

by Peter Atalla -

Hi Martin,

That sounds promising as we are using Windows clients here with eDirectory.  Any chance you can elaborate on how you achieved the single sign on functionality?

Any information would be greatly appreciated.

Peter.

In reply to Peter Atalla

Re: Single Sign On with Novell eDirectory.

by Martín Langhoff -
If I recall correctly, the NN client includes a service that behaves like an old-style unix ident service. We read login info from it via TCP, and then made the corresponding LDAP lookups.

You have to trust your network security though. It is a pretty weak scheme unless you are prepared to glue the RJ45 sockets and prevent your users from running any non-sanctioned software.

What we could do is (a) check that this approach will work in your network, (b) tell you all you need to know about the level of security it provides (so we can sleep at night) and (c) extract the code we have from an old custom moodle and port it to 1.7 or whatever it is you are using.
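The ident-style exchange Martín describes, as an added example that is not code from the thread or from Catalyst: a constructed responder stands in for the workstation-side service and the server-side query reads the login it asserts, then treats that name as a claim rather than a verified identity, which is the weakness he points out. It assumes the RFC 1413 wire format (the page does not give the Novell client's actual protocol) and is written in Python rather than Moodle's PHP so the two sides can be run together stand-alone.

```python
import socket
import threading

# Constructed stand-in for the workstation-side service: maps the TCP
# connection (workstation port, Moodle port) to the logged-in user. The thread
# only says the Novell client has an ident-like service; RFC 1413 is assumed.
CONSTRUCTED_SESSIONS = {(51000, 80): "jdoe"}

def ident_responder(conn):
    """Answer one RFC 1413 query ("ws_port, srv_port") from the table."""
    with conn:
        req = conn.recv(512).decode("ascii", "replace")
        try:
            ws_port, srv_port = (int(x) for x in req.split(","))
        except ValueError:
            conn.sendall(f"{req.strip()} : ERROR : INVALID-PORT\r\n".encode())
            return
        user = CONSTRUCTED_SESSIONS.get((ws_port, srv_port))
        if user is None:
            conn.sendall(f"{ws_port}, {srv_port} : ERROR : NO-USER\r\n".encode())
        else:
            conn.sendall(f"{ws_port}, {srv_port} : USERID : NOVELL : {user}\r\n".encode())

def parse_ident_reply(line):
    """Return the asserted user id, or None for ERROR/malformed replies.
    The id is whatever the remote host chose to send: a claim, not a
    verified identity, which is the weakness Martín points out."""
    parts = [p.strip() for p in line.strip().split(":", 3)]  # user id may contain ':'
    if len(parts) == 4 and parts[1] == "USERID" and parts[3]:
        return parts[3]
    return None

def query_workstation(host, port, ws_port, srv_port, timeout=2.0):
    """Server side: ask the workstation who owns the HTTP connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{ws_port}, {srv_port}\r\n".encode("ascii"))
        reply = sock.recv(1024).decode("ascii", "replace")
    return parse_ident_reply(reply)

def run_demo(ws_port=51000):
    """Run responder and query on loopback; return the asserted user or None."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=lambda: ident_responder(listener.accept()[0]), daemon=True)
    worker.start()
    try:
        return query_workstation("127.0.0.1", listener.getsockname()[1], ws_port, 80)
    finally:
        worker.join(timeout=2.0)
        listener.close()
```

Any host that can answer TCP on the workstation's behalf can return any USERID it likes, so the name must still be checked against eDirectory and the network path trusted, exactly as Martín says.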
In reply to Martín Langhoff

Re: Single Sign On with Novell eDirectory.

by Peter Atalla -

Martin,

This sounds very reasonable and thank you for your time on this.

(a) check that this approach will work in your network

If you can provide some information on the service that is required I can check that it is there and make a test php page to extract the login information.

(b) tell you all you need to know about the level of security it provides

We are very serious about network security here and have taken all reasonable precautions to ensure that our network is secure.  When we have more info regarding this method we can decide whether the security risk is acceptable.

(c) extract the code we have from an old custom moodle and port it to 1.7 or whatever it is you are using

Obviously if the code is written then it would be a lot easier for us to use that but we are just as happy to investigate and develop our own solution with the guidance of more experienced programmers.  We are using version 1.6.3.

Kind Regards,

Peter.

In reply to Peter Atalla

Re: Single Sign On with Novell eDirectory.

by Peter Worrall -
Hi Peter,

Did you get anywhere with the Single Sign On in a Windows client/NetWare network environment? We would really like to do the same as you, as it would enable us to bring the student intranet inside Moodle, without requiring already-authenticated users to log into moodle.

It would be great if you could provide any information, assuming you have got somewhere with this.

Thanks -
Peter
In reply to Peter Worrall

Re: Single Sign On with Novell eDirectory.

by Simon Bilton -
Hello All,

It is most definitely possible to single-sign-on to Moodle within a Novell environment, but you need to look outside Moodle itself. (Assumption: you are already successfully using Novell eDirectory as the LDAP authentication source).

There are two approaches: use another product from Novell, such as iChain (now Access Manager), or consider SecureLogin (although I wouldn't advocate this in a schools environment). Either way, this is a cost option.

However, if you have Novell's IDM 3.0 or 3.5, there is a "portal" application - inventively named the "User Application" - which I have successfully modified to provide SSO to Moodle.
I will pin the code to a reply later this week as I don't have access to my test environment just now.
If anyone would like further information on this, please post back and I can expand more.

Simon Bilton
Salford Software
"The Identity Specialists"

In reply to Simon Bilton

Re: Single Sign On with Novell eDirectory.

by Umar Akram -
Hi Simon,
We also run Novell Netware in the college and are struggling to figure out how to single-sign-on to moodle when users login to their computers. Any help or details of your modified code for "User Application" would be a great help.
Thanks
Umar - Hereward College, Coventry
In reply to Peter Worrall

Re: Single Sign On with Novell eDirectory.

by Dan Marsden -
Hi Peter - just to check - are your machines in the Domain? - or are you purely Novell based - If your users log into the domain and Novell at the same time during login (like we do here!) then you can just use the NTLM solution as is! - otherwise I don't think there is anything currently available (although if you were interested in putting some $$ towards this I'm sure Catalyst might be able to help!)

good luck!

Dan

In reply to Peter Atalla

Re: Single Sign On with Novell eDirectory.

by Andrew T -
I believe what you should be looking at (besides what has already been mentioned and costs money - although IDM Starter Pack does come free with OES but IMO it is an overkill and adds another point of failure - a couple of, in fact) is the ActiveX NDAP control from the Novell NDK.

http://developer.novell.com/wiki/index.php/ActiveX_NDAP_Controls

That would be the "DLL" to go onto the client side that checks with Client32 running on that client machine (assuming the user is already logged in to eDirectory) and talks to the script on the server side. That would be Moodle - modified to work with those controls. I believe you would have to change scripts in order for this to work. I have seen this done for DotNetNuke and it works OK with this ActiveX control (don't ask - I did not code it, I am just using the final product, but I imagine it would not be anything difficult for a programmer to implement).

That would make a nice addition to Moodle I have to say. NDK and samples are available for free so it is just a matter of a right person to get it done.