Posts made by Valery Fremaux

Hi Nigel,

Actually you're right. The multinode MNET SSO relies on consistent naming of usernames across the whole network.

We have this kind of control in our 35 Moodle nodes for the Pairformance/Intel TAO implementation. We do not allow similar usernames; otherwise those users get a special username form that falls outside our heuristic (which then tries the default, or just tries a local login).

This would actually NOT BE suitable for a multi-institution network that has no consistent policy on user account creation.

Dealing with institutional email addresses, we could enforce a consistent namespace for all our users, with exception handling for some very special cases (e.g. admin!! or external guests...).

The routing is perfect in both cases!!

The heuristic requires providing a REGEX to apply to usernames. This is a very simple approach, and might be extended on request for new use cases.

Say we have a username that is: alain.bolli@ac-libourne.fr (I'm sorry Alain, but the town is bullshit, so no spam to fear!!). The regex is: .*@(.*)\.fr, which collects "ac-libourne".

A replacement pattern can also be entered in the auth plugin settings to use this collected value:

<%%HOSTNAME%%>.pairformance.education.fr, which is the actual naming scheme for all the nodes... and guess what, Alain comes from ac-libourne.pairformance.education.fr!!

Hi guys

We have just achieved a small but efficient SSO layer in a fully open Moodle Network. A "fully open" Moodle Network is a set of Moodles connected together in which multiple hops are allowed. In such a network, a user is always known by its username/origin_mnethostid information pair.

Achieving this was done by delegating the MNET session jumping to the origin host of the user when he tries to jump from another node in the network. (Works perfectly, but will need some side-effect fixes on reports, as Nigel McNie suspected.)

I finished the design of a new auth plugin that allows SSOing any user of the network. This very simple plugin does the following:

  • Capturing (it must be set very high in the auth stack) the username/password submission, using the login_page_hook loop at the start of login/index.php
  • Applying a heuristic to the username syntax to check for a probable origin host (this works fairly well when a Moodle node is mapped administratively to an email domain, and the username is the email address).
  • Building a redirection to the remote login/index.php, with a required URL that points back to the local landing page (the effect is that the user actually logs in on his own origin node, but immediately requests a jump to where he was intending to go first!!)
  • Executing the redirection
If the heuristic fails and a default node is set up, the login process is delegated to that default Moodle.

If none of the above works, the auth plugin lets the request go through to try a local login (or other methods in the stack).

The process is completely compatible with a back-end LDAP authentication (so we are making it work) and encrypts the login delegation for security, making an SSO ticket as an encrypted stub with identification data in it (using registered MNET keys).

I need some feedback on possible security issues or something to take care of that I might not have thought about. Thanks everyone.

The "multimnet" auth plugin is a candidate for public publication.

Cheers.
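The username heuristic from the earlier post (configured regex, <%%HOSTNAME%%> replacement pattern, default node) and the redirection to the origin node's login/index.php described in the plugin steps above, as one added PHP example. This is not the multimnet plugin's own code: the function names, the settings array keys, the wantsurl parameter name and the node-b hostname are assumptions, and the MNET-key encryption of the delegation is not shown.

```php
<?php
// Added example, not the multimnet plugin's code. Resolves the origin node
// from the username with an admin-supplied regex and host pattern, then builds
// the redirect to that node's login page with a return URL to the local node.
// Function names, setting keys, 'wantsurl' and the node-b host are assumptions.

/**
 * Guess the origin host of a user from the username.
 *
 * @param string      $username    submitted username (an email address here)
 * @param string      $regex       PCRE body whose first capture is the host key
 * @param string      $hostpattern template containing the <%%HOSTNAME%%> placeholder
 * @param string|null $defaulthost node to delegate to when the regex fails
 * @return string|null hostname, or null to let the rest of the auth stack run
 */
function multimnet_guess_origin_host($username, $regex, $hostpattern, $defaulthost = null) {
    // Anchor the admin-supplied regex so a partial match cannot select a host.
    if (preg_match('~^' . $regex . '$~', $username, $m) && isset($m[1])) {
        $key = strtolower($m[1]);
        // The key ends up in a Location header: accept DNS-label characters only.
        if (preg_match('/^[a-z0-9-]+$/', $key)) {
            return str_replace('<%%HOSTNAME%%>', $key, $hostpattern);
        }
    }
    return $defaulthost;
}

/**
 * Build the URL of the origin node's login page, asking it to send the user
 * straight back to the page wanted on the local node once logged in.
 *
 * @return string|null null when the host is not a registered MNET peer
 */
function multimnet_build_login_redirect($originhost, $localwantsurl, array $peers) {
    // Only nodes registered as MNET peers may be redirected to, so a username
    // crafted to match the regex cannot send the browser to an arbitrary host.
    if (!in_array($originhost, $peers, true)) {
        return null;
    }
    return 'https://' . $originhost . '/login/index.php?wantsurl=' . rawurlencode($localwantsurl);
}

/**
 * What the auth plugin's login_page_hook() would do with a submission:
 * returns the redirect URL, or null to fall through to a local login.
 */
function multimnet_route_login($username, array $settings, $localwantsurl) {
    $host = multimnet_guess_origin_host($username, $settings['usernameregex'],
                                        $settings['hostpattern'], $settings['defaulthost']);
    if ($host === null) {
        return null;
    }
    return multimnet_build_login_redirect($host, $localwantsurl, $settings['peers']);
}

// Constructed settings and inputs for a stand-alone run.
$settings = array(
    'usernameregex' => '.*@(.*)\.fr',
    'hostpattern'   => '<%%HOSTNAME%%>.pairformance.education.fr',
    'defaulthost'   => null,
    'peers'         => array('ac-libourne.pairformance.education.fr'),
);
$wantsurl = 'https://node-b.pairformance.education.fr/course/view.php?id=12';

// A username in the institutional namespace: routed to its origin node.
var_dump(multimnet_route_login('alain.bolli@ac-libourne.fr', $settings, $wantsurl));
// 'admin' does not match the regex and there is no default node: local login.
var_dump(multimnet_route_login('admin', $settings, $wantsurl));
// Matches the regex but names a host that is not a peer: refused.
var_dump(multimnet_route_login('x@other-host.fr', $settings, $wantsurl));
```

The first call yields the ac-libourne login URL carrying the encoded return address, the second null (the auth stack continues locally), and the third null as well: the peer whitelist is the check that keeps a username chosen to fit the regex from turning the plugin into an open redirector.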
Hi Tim, this was pointed out because many of my custom modules share a set of generic libs, such as filesystemlib.php for abstract high-level access to the filesystem (which would now be obsolete in 2.0!), mailtemplatelib.php for simple notification message construction, and some others.

In such an intermediate situation (not a unitary development, but still not shared core), the solution might be useful to many customizers...

No problem anyway... ;)
Hi all,

Falling on this heavy issue of managing new generic, but non-core, libraries, and wanting to anticipate the eventual propagation of those libraries to more central locations, I searched for a "strategized" function for locating and including a library, and didn't find one (in 1.9; I didn't look in 2.0):

The result is a new function that can locate and include a lib, according to a successive guessing strategy:

  • The general $CFG->libdir overrides all other locations (core central lib)
  • The local directory is searched for the lib
  • The local/lib location is examined
  • The local cascade (local, local/local, etc.) is searched as long as it continues, each time also checking the embedded "very local" lib subdir.
  • Finally, the path relative to the current location is considered as a "last chance".
This allows proposing very contextual libraries that might be moved to a more central place, up to core libs, without breaking any previous implementation.

There might, though, be some security considerations that would need some debate. I didn't perform any security-focused brainstorm on it... volunteers welcome!!

/**
 * Quite a standard function: allows loading a library from several locations in Moodle.
 * Scans the general lib dir, then the local cascade (local, local/local, ...) and each
 * level's "lib" subdirectory; finally, even if the library name has backdir segments (..),
 * tries it from the actual location.
 *
 * @param string $library the library filename
 * @uses $CFG
 */
function load_library($library) {
    global $CFG;

    // Names containing '..' skip the Moodle-tree lookup and go straight to the
    // last-chance include below.
    if (strpos($library, '..') === false) {
        if (file_exists($CFG->libdir.'/'.$library)) {
            include_once($CFG->libdir.'/'.$library);
            return;
        }
        $path = 'local';
        $increment = '/local';
        // Walk local, local/local, ... while the directory exists, checking the
        // level itself and then its lib/ subdirectory.
        while (is_dir($CFG->dirroot.'/'.$path)) {
            if (file_exists($CFG->dirroot.'/'.$path.'/'.$library)) {
                include_once($CFG->dirroot.'/'.$path.'/'.$library);
                return;
            } elseif (file_exists($CFG->dirroot.'/'.$path.'/lib/'.$library)) {
                include_once($CFG->dirroot.'/'.$path.'/lib/'.$library);
                return;
            }
            $path .= $increment;
        }
    }
    // Last chance: the path as given, relative to the current location. This
    // branch includes whatever name it is handed, '..' segments included, so
    // $library must only ever come from code, never from request data.
    if (file_exists($library)) {
        include_once($library);
    }
}
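On the security question the post raises: the "last chance" branch of load_library() includes whatever path it is given, '..' segments included, so the whole function is only safe while the library name is a compile-time constant. Below is an added PHP example (not the original function) that keeps the same lookup order but resolves every candidate with realpath() and refuses anything that lands outside $CFG->dirroot. It assumes $CFG->libdir sits under $CFG->dirroot, as in Moodle 1.9; the helper names and the throwaway directory tree are this example's own.

```php
<?php
// Added example, not the original load_library(): same lookup order (libdir,
// then the local cascade and each level's lib/ subdirectory, then the name as
// given relative to the current location), but every candidate is resolved
// with realpath() and must stay inside $CFG->dirroot before it is included.
// Assumes $CFG->libdir is under $CFG->dirroot (Moodle 1.9 layout).

/**
 * Resolve $candidate to a real file path inside $root, or return null.
 */
function library_path_inside($candidate, $root) {
    $real = realpath($candidate);
    $realroot = realpath($root);
    if ($real === false || $realroot === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so that /srv/moodle-private is not
    // accepted as being inside /srv/moodle.
    if (strpos($real, $realroot . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Locate and include a library using the cascade, refusing anything that
 * resolves outside $CFG->dirroot. Returns true when a file was included.
 */
function load_library_checked($library) {
    global $CFG;

    $dirs = array($CFG->libdir);
    $path = 'local';
    while (is_dir($CFG->dirroot . '/' . $path)) {
        $dirs[] = $CFG->dirroot . '/' . $path;
        $dirs[] = $CFG->dirroot . '/' . $path . '/lib';
        $path .= '/local';
    }
    // The original's last chance: the name relative to the current location.
    $dirs[] = getcwd();

    foreach ($dirs as $dir) {
        $file = library_path_inside($dir . '/' . $library, $CFG->dirroot);
        if ($file !== null) {
            include_once($file);
            return true;
        }
    }
    return false;
}

// Constructed demonstration in a throwaway tree; no Moodle install needed.
$CFG = new stdClass();
$CFG->dirroot = sys_get_temp_dir() . '/moodle_demo_' . getmypid();
$CFG->libdir = $CFG->dirroot . '/lib';
mkdir($CFG->libdir, 0700, true);
mkdir($CFG->dirroot . '/local/lib', 0700, true);
file_put_contents($CFG->dirroot . '/local/lib/mailtemplatelib.php',
                  "<?php define('MAILTEMPLATELIB_LOADED', true);\n");

// Plain name: found in local/lib through the cascade.
var_dump(load_library_checked('mailtemplatelib.php'), defined('MAILTEMPLATELIB_LOADED'));
// '..' that stays inside dirroot (lib/../local/lib/...) is still allowed.
var_dump(load_library_checked('../local/lib/mailtemplatelib.php'));
// '..' that escapes dirroot is refused for every candidate, cwd included.
var_dump(load_library_checked('../../../../../../etc/passwd'));
```

The containment check is done on the resolved path rather than by scanning the name for '..', so a name that only walks around inside the tree still loads, while one that escapes it (or an absolute path, which the concatenation turns into a non-existent relative one) is rejected in every candidate directory, including the working-directory fallback.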
What version of phpMyAdmin is it? Versions before 2.9 were quite troubled by UTF-8, 2.10 was a total failure in trying to make the client execute the styling XSL, and 2.11 now gives correct UTF-8 import/export results....