MDL-31968

Apache mod_ntlm login doesn't work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.3, 2.2.5, 2.3.1, 2.4
    • Fix Version/s: 2.4
    • Component/s: Authentication
    • Environment:
      Ubuntu 10.4.3 using apache2-prefork with winbind and auth_ntlm module
    • Database:
      Any
    • Testing Instructions:

      These testing instructions assume that you have already configured NTLM SSO and have it working (if not, see http://docs.moodle.org/en/NTLM_authentication ).

      0. Determine the format of $_SERVER['REMOTE_USER'] for your setup. The default for MS Windows LDAP servers is DOMAIN\username, which would need to be configured as %domain%\%username%. Let's assume that your setup uses a non-standard format like %domain%+%username% (e.g., windows2003+iarenaza).
      1. Log in as Moodle admin.
      2. Go to Administration >> Plugins >> Authentication >> LDAP server.
      2.1 Set "Remote username format" to %domain% (or anything that doesn't contain the string %username%) and save the settings.
      2.2 Moodle should stay on the settings page, and if you scroll down to the "Remote username format" setting, you should see an error message saying "You need to specify at least %username% in the remote username format".
      3. Clear the "Remote username format" setting (to test the default value, which is %domain%\%username%) and save the settings.
      4. Using a second browser, try to log in with a valid NTLM SSO user by clicking on the 'Login' link.
      4.1 As the $_SERVER['REMOTE_USER'] format for your setup doesn't match the default format, you should see a failure message and be redirected to the regular login page.
      5. Go back to the Moodle admin browser and edit the LDAP server settings again.
      6. Set "Remote username format" to %domain%+%username%.
      7. Using the second browser, try to log in with a valid NTLM SSO user again.
      7.1 As this time the $_SERVER['REMOTE_USER'] format matches the configured format, you should be automatically logged in using NTLM SSO.

    • Workaround:

      The DOMAIN part should only be stripped off the REMOTE_USER value when a \ occurs inside the string. In any other case the username becomes invalid.

      File: auth/ldap/auth.php Line 1583

      // Only strip the DOMAIN\ prefix when a backslash is actually present;
      // strrchr() returns false when there is none, so compare strictly.
      if (strrchr($username, '\\') !== false) {
          $username = substr(strrchr($username, '\\'), 1);
      }

    • Affected Branches:
      MOODLE_20_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_24_STABLE
    • Pull Master Branch:
      wip_mdl-31968_mdl-23011_master

      Description

      When using the Apache2 Winbind auth_ntlm module I'm experiencing issues logging in to Moodle using NTLM authentication. This is caused by the username handed over to the Moodle platform from Apache.
      It is caused by the code which splits up the username from the DOMAIN\username NTLM format. By default no DOMAIN part is present in my REMOTE_USER value. The domain part only shows up when logging in with a user from a different domain inside the Active Directory forest.
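      The mechanism this issue converges on (the workaround's "strip the domain only when the separator is there" rule, generalised into the admin-configurable "Remote username format" setting from the testing instructions), as an added example that is not Moodle's code and not taken from the linked branch. The function names, the regex-based matching and the "return false so the caller falls back to the regular login page" behaviour are assumptions made for this illustration.

```php
<?php
// Added example, not Moodle's own auth/ldap code. Extracts the bare username
// from Apache's REMOTE_USER according to an admin-configured format string
// built from the placeholders %domain% and %username%.

/**
 * Validate the format the way the testing instructions describe:
 * it must contain %username% at least once, otherwise it is rejected.
 */
function ntlm_format_is_valid($format) {
    return strpos($format, '%username%') !== false;
}

/**
 * Turn the format into an anchored regex. Every non-placeholder part is
 * quoted literally, so separators such as '\', '+' and '/' are safe.
 * %domain% matches lazily and %username% greedily, so for the canonical
 * DOMAIN\username layout the first separator splits the two.
 */
function ntlm_format_to_regex($format) {
    $parts = preg_split('/(%domain%|%username%)/', $format, -1,
                        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    $regex = '';
    foreach ($parts as $part) {
        if ($part === '%domain%') {
            $regex .= '(?P<domain>.*?)';
        } elseif ($part === '%username%') {
            $regex .= '(?P<username>.+)';
        } else {
            $regex .= preg_quote($part, '/');
        }
    }
    return '/^' . $regex . '$/';
}

/**
 * Returns the username, or false when the format is invalid or REMOTE_USER
 * does not match it. A false result is the signal to abandon SSO and show
 * the normal login page, as step 4.1 of the testing instructions expects,
 * rather than guessing at a username.
 */
function ntlm_extract_username($remoteuser, $format) {
    if (!ntlm_format_is_valid($format)) {
        return false;
    }
    if (!preg_match(ntlm_format_to_regex($format), $remoteuser, $m)) {
        return false;
    }
    return $m['username'];
}

// Constructed sample values (not taken from the issue's environment).
$cases = [
    ['windows2003\\iarenaza', '%domain%\\%username%', 'iarenaza'],
    ['windows2003+iarenaza',  '%domain%+%username%',  'iarenaza'],
    ['windows2003/iarenaza',  '%domain%/%username%',  'iarenaza'],
    ['iarenaza',              '%username%',           'iarenaza'],
    ['iarenaza',              '%domain%\\%username%', false],  // no separator present: reject
    ['windows2003\\iarenaza', '%domain%',             false],  // format lacks %username%: reject
];

foreach ($cases as list($remoteuser, $format, $expected)) {
    $got = ntlm_extract_username($remoteuser, $format);
    printf("%-22s %-22s => %s\n", $remoteuser, $format, var_export($got, true));
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for $remoteuser / $format");
    }
}
```

      The point of rejecting on a mismatch instead of falling through is the one the workaround makes: with a fixed "strip everything up to the backslash" rule, a REMOTE_USER that arrives without a domain (or with a different separator) produces a wrong username, and silently accepting it means the user is either refused or, worse, mapped to the wrong account. A single `%username%` format covers the winbind setups that hand over the bare name.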

            Activity

            skodak Petr Skoda added a comment -

            Reassigning to our expert, thanks for the report.

            salvetore Michael de Raadt added a comment -

            Yes, it would be good to get your opinion, Inaki.

            iarenaza Iñaki Arenaza added a comment -

            Hi Michael,

            this is one of those things that depend on your "environment" configuration. Depending on how you configure samba/winbind (and probably to a lesser extent, mod_auth_ntlm), you can get a completely different REMOTE_USER value.

            The canonical form is "DOMAIN\username", but you can configure samba/winbind to make it "DOMAIN+username" (see MDL-23011), "DOMAIN/username", just username, etc. I've seen several variants at different places.

            The change you propose is better than leaving it like it is now. The real fix would be to make it configurable at the user level though (in the LDAP settings screen, as MDL-23011 suggests), but that entails more work.

            Saludos.
            Iñaki.

            iarenaza Iñaki Arenaza added a comment -

            Hi Petr, Michael

            here's a proposal to make the NTLM REMOTE_USER configurable by the admin (what MDL-23011 asks for). You can view the proposed changes at https://github.com/iarenaza/moodle/compare/master...wip_mdl-31968_mdl-23011_master

            What do you think about it?

            Saludos.
            Iñaki.

            tmuras Tomasz Muras added a comment -

            I'm affected by the same issue. I have read the code from Inaki from the comment above - and it looks good (didn't test it).
            +1 for integrating it, it's a big improvement over the current implementation.

            skodak Petr Skoda added a comment -

            seems ok, +1

            iarenaza Iñaki Arenaza added a comment - - edited

            I never know which "Fix Version/s" to specify. Integrators, please fix it if it's not right.

            Saludos.
            Iñaki.

            stronk7 Eloy Lafuente (stronk7) added a comment -

            Integrated (22, 23 & master), thanks!

            iarenaza Iñaki Arenaza added a comment -

            A note for the testers:

            In step 3 of the testing instructions, we should type "%domain% \ %username%" (without the quotes and removing the empty spaces before and after the backslash character). It seems that the markup used by Jira makes it impossible to type the right syntax without it being mangled.

            Saludos.
            Iñaki.

            phalacee Jason Fowler added a comment -

            Michael was unable to get through this test today; if no one is able to complete it, I will try to finish it tomorrow.

            nebgor Aparup Banerjee added a comment -

            Stopping this test for Jason. He is concentrating on testing MDL-34819.

            stronk7 Eloy Lafuente (stronk7) added a comment -

            Oki. In order to roll weeklies I'm about to:

            • revert this in stable branches (safety principle).
            • keep this in master branch.
            • keep this under "waiting for testing status".

            So TODO will be:

            • test this under master and close it.
            • backport to stables (new issue MDL-31968) once this has been closed properly.
            stronk7 Eloy Lafuente (stronk7) added a comment -

            Done, this change has been deleted from the 22 and 23 stable branches.

            Now:

            • This needs testing and closing.
            • Then MDL-31968 will be in charge of backporting (it applies cleanly right now).

            Ciao

            phalacee Jason Fowler added a comment - - edited

            I do not have the software available to test this; as no one else in HQ has it, I have been told to pass it by Michael.

            phalacee Jason Fowler added a comment -

            Test passed after the discussion I had with Eloy and Sam.

            nebgor Aparup Banerjee added a comment -

            Your issue has dug up some gold.
            It works great, I've been told.
            Go forth, be brave, be bold.

            yay! "All your thoughts are belong to everyone."

            Thanks and ciao!

            stronk7 Eloy Lafuente (stronk7) added a comment -

            Dear watchers, could you confirm your experiences with this fix? Did it solve your life?

            Note we are considering to backport it @ MDL-36043 and any feedback here or there would be really welcome.

            TIA and ciao

            mcwoods Michael Woods added a comment -

            Hi Eloy,

            Yes, all fixed! Thanks.

            Michael

            marycooch Mary Cooch added a comment -

            (Housekeeping) Removing the docs_required label, but if anyone feels there is an important need to document this, please do so or explain to me what should be added.


              People

              • Votes: 3
              • Watchers: 7

              Dates

              • Fix Release Date: 3/Dec/12