Moodle

Hi All

I have put the 1.8 NTLM on to the 1.9 HEAD (as of yesterday - 18/04/07) but came up with the following problems...
If the user already exists in the user database, NTLM login works perfectly but if the user is logging in for the first time, then they receive a NTLM has not been enabled on this page.

The solution I have found to this is to login the user first on the offcampuslogin page and then get them to re-login via the NTLM page.

To ensure this was the case, I have deleted (via SQL) all NTLM users between tests and also the session2 table.

In addition to this, I also noticed a problem when you go back in to edit the details, the user fields are not recalled from the DB. Although all the LDAP settings are present the actual user fields (e.g. givenName, sn, mail etc) do not get re-displayed.

Hope some of this helps.

Ian

Hi Ian,

thanks for the details - I haven't forgotten about it! - I think it's because the password is blank when using the oncampus page, so some of the processes don't run...

I'm stuck in Peoplesoft Training with oracle over the next couple of weeks - but I've got a big list of things I'm trying to cover off after-hours!

Dan

Hi Ian,

should be fixed now - I've patched HEAD - will probably take a while for the files to get updated in the zip downloads....

Thanks!

Dan

Hi Skodak,

you're the maintainer for the auth stuff aren't you? - any objections with this going in HEAD sometime next week?

Dan

I have quickly looked at the code, it might be better to alter normal ldap first and make it reusable - both cas and ntlm could IMHO use it without code duplication.
The idea is to use $this->authtype everywhere in ldap plugin and then just wrap it in cas or ntlm == have it initialized in one private property and call its methods as needed.

Could you have a look at it?

you're right - it would make more sense like that...... - I don't think I'll have time to redevelop it and test it extensively enough for 1.9 though, - I wouldn't want it to hold up the 1.9 release!

I'm thinking the logical place for the ip address stuff won't be in the ldap module itself, but the global auth settings, - eg where we currently set an alt login screen - that way all modules could make use of the IP address stuff.

I'm not all that familiar with CAS and how it uses LDAP - I'll have to have a good look at it, to see how LDAP would need to be modified to allow it to be reused.

I'll get onto this sometime soon.....

thanks,

Dan

I keep on intending to refactor all the LDAP-based plugins in Moodle since nearly a year, but I never start doing it . CAS, NTLM and LDAP auth and enrol share (or should share) most of the LDAP core functions and kowledge (like defaults for all the different LDAP servers). All of them could go into .../lib/ldaplib.php and be user everywhere you need them. Just one place to fix and add new features, unlike the current 'mess'

Saludos. Iñaki.

It seems there is a small bug in the 1.8 code (haven't tested 1.9dev yet). I have tested the .zip from the modules donwload page, not the CVS version (although the date of the last CVS modification on the 1.8 branch is the same of the .zip file) and a seconf more serious bug.

The small bug is config.html uses $CFG but the variable is undefined. We need to define $CFG as a global variable in auth_plugin_ntlm::config_form before including config.html. That fixes the issue.

The second one is more serious as it wipes your NTLM data mappings everytime you save the NTLM configuration. This happes because near the end of config.html we have a line that reads:

print_auth_lock_options('ldap', $user_fields, $help, true, true);

that should read:

print_auth_lock_options('ntlm', $user_fields, $help, true, true);

to use the NTLM data mappings, instead of the LDAP ones.

With this to fixes I've been able to use the plugin without problems in my test environment.

Saludos. Iñaki.

Thanks Iñaki!

I've got a big list of stuff that I planned to do over the past month - including work on the ntlm module - but our family have all ended up being hit at some point with "bugs" - (I'm just coming out of Influenza A) - If you get a chance, could you commit the changes to CVS? - it will be a problem with 1.9 code as well.

thanks!

Dan

Uh! I don't have a CVS account, so I'm afraid I won't be able to do it. Maybe I should ask for one...

Saludos. Iñaki.

My +1 for that Iñaki

wow! - I think it would be a great idea! - your contributions are much appreciated, and it would be even more efficient if you had the ability to do it yourself! - I've really appreciated a lot of the patches you have made available in the forums - esp the LDAP stuff! - your knowledge in this area seems to be pretty impressive!

thanks!

Dan

not going to make it into 1.9 - will aim for 2.0 (as long as the family doesn't get sick again!)

Dan

Hi Dan,

I have commited my fixes and a couple of others from Rod Ward (from the end of this thread).

This is the first time I mess with Moodle's CVS so I hope I didn't break anything

Saludos. Iñaki.

Hi! I'm taking this tracker item over to land the code we've been cooking in http://moodle.org/mod/forum/discuss.php?d=80104

I have it ready to merge at http://repo.or.cz/w/moodle-pu.git?a=shortlog;h=mdl19-authldap-3

Could you please post one-file-patch in unified format as attachment? I am still not able to get it from that git link, sorry

I've attached the whole patch for review

In reviewing it earlier today I noticed there's a small refactor it needs around the process that happens when a user logs in. There was a big chunk repeated in login/index and in every bit of code that did SSO of any kind. I've refactored into a new function called complete_user_login() that deals with session setup.

repost the comment so it goes out to watchers...

==-
I've attached the whole patch for review

In reviewing it earlier today I noticed there's a small refactor it needs around the process that happens when a user logs in. There was a big chunk repeated in login/index and in every bit of code that did SSO of any kind. I've refactored into a new function called complete_user_login() that deals with session setup.

Also updated http://docs.moodle.org/en/NTLM_authentication

Landed in HEAD and MOODLE_19_STABLE – now time for the testeeeeerrrrrrs...!

Patches for a couple of typos, and user_login() not being converted to use the get_cache_flags() thing (it was still using get_config()).

With those patches, it works with all the combinations of:

• IIS 6.0 running on W2003
• Apache 2.2.4 running on W2003

and:

• IE 7.0 (W2003)
• Firefox 2.0.4 (W2003)
• Firefox 2.0.9 (Debian etch).

I'll give it a go with Apache 2.x on Ubuntu 7.10 in a few minutes, just to make sure it works there to.

Saludos. Iñaki.

Beauty - thanks I~naki for the extra pair of eyes and apologies - I think you caught something I had as a "stashed" incomplete commit in my repo (blush!). Reviewed and committed. 1.9, wohoo!

Add kerberos based authentication support. With a really few minor changes you'll be able to support kerberos based authentication ( apache, mod_auth_kerb ).

Needed stuff to add kerberos based authentication support.

Is that all that's needed? - Cool! -

As it's such a minor change, we should be able to get this in 1.9 and 2.0 - Martín?

Dan - I think we're in deep freeze mode

Janne - the patch changes the username unconditionally, even if kerberos is not expected/enabled? Why?

Well, here's flipped one...

ntlm is now part of LDAP Auth - closing this bug