Moodle / MDL-31968

Apache mod_ntlm login doesn't work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.3, 2.2.5, 2.3.1, 2.4
    • Fix Version/s: 2.4
    • Component/s: Authentication
    • Environment:
      Ubuntu 10.4.3 using apache2-prefork with winbind and auth_ntlm module
    • Database:
      Any
    • Testing Instructions:

      These testing instructions assume that you already have configured NTLM SSO and have it working (if not, see http://docs.moodle.org/en/NTLM_authentication ).

      0. Determine the format of $_SERVER['REMOTE_USER'] for your setup. The default for MS Windows LDAP servers is DOMAIN\username, which would need to be configured as %domain%%username%. Let's assume that your setup uses a non-standard format like %domain%+%username% (e.g., windows2003+iarenaza).
      1. Log in as Moodle admin
      2. Go to Administration >> Plugins >> Authentication >> LDAP server
      2.1 Set "Remote username format" to %domain% (or anything that doesn't contain the string %username%) and save the settings.
      2.2 Moodle should stay on the settings page, and if you scroll down to the "Remote username format" setting, you should see an error message saying "You need to specify at least %username% in the remote username format".
      3. Clear the "Remote username format" setting (to test the default value, which is %domain%%username%) and save the settings.
      4. Using a second browser, try to log in with a valid NTLM SSO user by clicking on the 'Login' link.
      4.1 As the $_SERVER['REMOTE_USER'] format for your setup doesn't match the default format, you should see a failure message and be redirected to the regular login page.
      5. Go back to the Moodle admin browser and edit the LDAP Server settings again.
      6. Set "Remote username format" to %domain%+%username%
      7. Using the second browser, try to log in with a valid NTLM SSO user again.
      7.1 As this time the $_SERVER['REMOTE_USER'] format matches the configured format, you should be automatically logged on using NTLM SSO.

    • Workaround:

      The DOMAIN part should only be stripped off the REMOTE_USER value when a \ occurs inside the string. In any other case the username becomes invalid.

      File: auth/ldap/auth.php Line 1583

      // strrchr() returns false when there is no backslash, so only strip the DOMAIN\ prefix when one is present.
      if (strrchr($username, '\\') !== false) {
          $username = substr(strrchr($username, '\\'), 1);
      }
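The "Remote username format" handling that the testing instructions and the workaround above describe, as an added example in PHP that is not Moodle's own auth/ldap/auth.php code: it validates that the format names %username%, turns the format into a regex, and extracts the username from REMOTE_USER or reports no match. It assumes the default DOMAIN\username format is spelled with an explicit backslash between the two placeholders, and the sample REMOTE_USER values are constructed from the instructions.

```php
<?php
// Added example, not Moodle's own code. Validate the "Remote username
// format", convert it to a regex and pull the username out of REMOTE_USER.
// Assumption: the default DOMAIN\username is written with a literal backslash.
const NTLM_DEFAULT_FORMAT = '%domain%\\%username%';   // DOMAIN\username

// Step 2.2: a format that never names %username% cannot yield a username.
function ntlm_format_is_valid(string $format): bool {
    return strpos($format, '%username%') !== false;
}

// Escape every literal in the format, then swap the placeholders for named
// groups. The domain group is lazy so the first literal separator wins;
// the username group takes the rest of the string.
function ntlm_format_to_regex(string $format): string {
    if ($format === '') {
        $format = NTLM_DEFAULT_FORMAT;   // step 3: cleared setting => default
    }
    $regex = str_replace(
        ['%domain%', '%username%'],
        ['(?P<domain>.+?)', '(?P<username>.+)'],
        preg_quote($format, '~')
    );
    return '~^' . $regex . '$~';
}

// Returns the username, or null when REMOTE_USER does not match the
// configured format (step 4.1: failure message and the regular login page,
// rather than guessing at a username).
function ntlm_remote_user_to_username(string $remoteuser, string $format): ?string {
    if ($format !== '' && !ntlm_format_is_valid($format)) {
        return null;
    }
    return preg_match(ntlm_format_to_regex($format), $remoteuser, $m) === 1
        ? $m['username'] : null;
}

// Constructed sample values taken from the testing instructions and the
// description; a bare username only matches with a format of %username%.
$cases = [
    ['windows2003+iarenaza', ''],                     // step 4.1: no backslash
    ['WIN2003\\iarenaza',    ''],                     // default DOMAIN\username
    ['windows2003+iarenaza', '%domain%+%username%'],  // step 7.1
    ['iarenaza',             '%username%'],           // no domain part in REMOTE_USER
];
foreach ($cases as [$remoteuser, $format]) {
    printf("%-22s %-20s => %s\n", $remoteuser, $format ?: '(default)',
        ntlm_remote_user_to_username($remoteuser, $format) ?? 'no match');
}
```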

    • Affected Branches:
      MOODLE_20_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_24_STABLE
    • Pull Master Branch:
      wip_mdl-31968_mdl-23011_master

      Description

      When using the Apache2 Winbind auth_ntlm module I'm experiencing issues logging in to Moodle using NTLM authentication. This is caused by the username handed over to the Moodle platform from Apache.
      It is caused by the code which splits the username out of the DOMAIN\username NTLM format. By default no DOMAIN part is present in my REMOTE_USER value. The domain part only shows up when logging in with a user from a different domain inside the Active Directory forest.

                  Dates

                  • Fix Release Date: 3/Dec/12