Merging authentication changes back to head

exe-cutor 2007-03-09 13:20:55 +00:00
parent 0e9d0c0b85
commit 3ea28768af
4 changed files with 85 additions and 44 deletions


@ -15,7 +15,7 @@ Changes:
- 02. 2006: Simplified authentication so that authorization works properly
Added instructions for IIS
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+
- 03. 2007: Adapted authentication method to Moodle 1.8
Moodle Configuration with Dual login
-------------------------------------------------------------------------------
@ -36,10 +36,11 @@ Moodle Configuration with Dual login
For IIS you have protect the auth/shibboleth directory directly in the
RequestMap of the Shibboleth configuration file (shibboleth.xml). See
https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/xmlaccesscontrol?topic=XMLAccessControl
https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication
Options' and select the 'Shibboleth' authentication method from the pop-up.
Options' and click on the the 'Shibboleth' settings.
3. Fill in the fields of the form. The fields 'Username', 'First name',
'Surname', etc should contain the name of the environment variables of the
@ -60,30 +61,30 @@ Moodle Configuration with Dual login
lengths for each field in the user profile.
#############################################################################
4. The large text field 'Instructions' must contain a link to the
moodle/auth/shibboleth/index.php file which is protected by
Shibboleth (see step 1) and causes the Shibboleth login procedure to start.
You could also use HTML code in that field, e.g. to create your own
Shibboleth login button.
4. Save the changes for the 'Shibboleth settings'.
5. Save the changes for the Shibboleth authentication method.
5.a If you want Shibboleth as your only authentication method, set the
'Alternate Login URL' in the 'Common settings' in
'Administrations >> Users >> Authentication Options' to the the URL of the
file 'moodle/auth/shibboleth/index.php'. This will enforce Shibboleth login.
Moodle Configuration with Shibboleth only login
-------------------------------------------------------------------------------
If you want Shibboleth as your only authentication method, configure Moodle as
described in the dual login section above and do the following steps:
6.b If you want to use another authentication method together with Shibboleth,
in parallel, change the 'Instructions' in the 'Common settings' of the
'Administrations >> Users >> Authentication Options' to contain a link to the
moodle/auth/shibboleth/index.php file which is protected by
Shibboleth (see step 1) and causes the Shibboleth login procedure to start.
You can also use HTML code in that field, e.g. to include an image as a
Shibboleth login button.
4.a On the Moodle Shibboleth settings page, set the 'Alternate Login URL' to
the URL of the file 'moodle/auth/shibboleth/index.php'
This will enforce Shibboleth login.
7. Save the changes for the 'Common settings'.
How the Shibboleth authentication works
--------------------------------------------------------------------------------
To get Shibboleth authenticated in Moodle a user basically must access the
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only
authentication method (see 4.a), this happens automatically when a user wants to
authentication method (see 5.a), this happens automatically when a user wants to
login in Moodle. Otherwise, the user has to click on the link on the login page
you provided in step 4.
you provided in step 5.b.
Moodle basically checks whether the Shibboleth attribute that you mapped
as the username is present. This attribute should only be present if a user is


@ -1,6 +1,7 @@
<?php
/**
* @author Martin Dougiamas
* @author Lukas Haemmerle
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
* @package moodle multiauth
*
@ -8,14 +9,15 @@
*
* Authentication using Shibboleth.
*
* 10.2004 SHIBBOLETH Authentication functions v.0.1
* 05.2005 Various extensions and fixes by Lukas Haemmerle
* 10.2005 Added better error messags
* 05.2006 Added better handling of mutli-valued attributes
* Distributed under GPL (c)Markus Hagman 2004-2006
*
* 10.2004 SHIBBOLETH Authentication functions v.0.1
* 05.2005 Various extensions and fixes by Lukas Haemmerle
* 10.2005 Added better error messags
* 05.2006 Added better handling of mutli-valued attributes
* 2006-08-28 File created, code imported from lib.php
* 2006-10-27 Upstream 1.7 changes merged in, added above credits from lib.php :-)
* 2007-03-09 Fixed authentication but may need some other changes
*/
if (!defined('MOODLE_INTERNAL')) {
@ -48,9 +50,10 @@ class auth_plugin_shibboleth {
* @return bool Authentication success or failure.
*/
function user_login($username, $password) {
// If we are in the shibboleth directory then we trust the server var
if (!empty($_SERVER[$config->user_attribute])) {
return ($_SERVER[$config->user_attribute] == $username);
if (!empty($_SERVER[$this->config->user_attribute])) {
return ($_SERVER[$this->config->user_attribute] == $username);
} else {
// If we are not, the user has used the manual login and the login name is
// unknown, so we return false.
@ -58,18 +61,26 @@ class auth_plugin_shibboleth {
}
}
/**
* Returns the user information for 'external' users. In this case the
* attributes provided by Shibboleth
*
* @return array $result Associative array of user data
*/
function get_userinfo($username) {
// reads user information from shibboleth attributes and return it in array()
global $CFG;
// Check whether we have got all the essential attributes
if (
empty($_SERVER[$config->user_attribute])
|| empty($_SERVER[$config->field_map_firstname])
|| empty($_SERVER[$config->field_map_lastname])
|| empty($_SERVER[$config->field_map_email])
empty($_SERVER[$this->config->user_attribute])
|| empty($_SERVER[$this->config->field_map_firstname])
|| empty($_SERVER[$this->config->field_map_lastname])
|| empty($_SERVER[$this->config->field_map_email])
) {
error(get_string( 'shib_not_all_attributes_error', 'auth' , "'".$config->user_attribute."' ('".$_SERVER[$config->user_attribute]."'), '".$config->field_map_firstname."' ('".$_SERVER[$config->field_map_firstname]."'), '".$config->field_map_lastname."' ('".$_SERVER[$config->field_map_lastname]."') and '".$config->field_map_email."' ('".$_SERVER[$config->field_map_email]."')"));
error(get_string( 'shib_not_all_attributes_error', 'auth' , "'".$this->config->user_attribute."' ('".$_SERVER[$this->config->user_attribute]."'), '".$this->config->field_map_firstname."' ('".$_SERVER[$this->config->field_map_firstname]."'), '".$this->config->field_map_lastname."' ('".$_SERVER[$this->config->field_map_lastname]."') and '".$this->config->field_map_email."' ('".$_SERVER[$this->config->field_map_email]."')"));
}
$attrmap = $this->get_attributes();
@ -84,14 +95,14 @@ class auth_plugin_shibboleth {
// Provide an API to modify the information to fit the Moodle internal
// data representation
if (
$config->convert_data
&& $config->convert_data != ''
&& is_readable($config->convert_data)
$this->config->convert_data
&& $this->config->convert_data != ''
&& is_readable($this->config->convert_data)
) {
// Include a custom file outside the Moodle dir to
// modify the variable $moodleattributes
include($config->convert_data);
include($this->config->convert_data);
}
return $result;
@ -151,6 +162,9 @@ class auth_plugin_shibboleth {
/**
* Processes and stores configuration data for this authentication plugin.
*
*
* @param object $config Configuration object
*/
function process_config($config) {
// set to defaults if undefined
@ -173,11 +187,18 @@ class auth_plugin_shibboleth {
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');
// Check values and return false if something is wrong
if (!file_exists($config->convert_data) || !is_readable($config->convert_data)){
return false;
}
return true;
}
/**
* Cleans and returns first of potential many values (multi-valued attributes)
*
* @param string $string Possibly multi-valued attribute from Shibboleth
*/
function get_first_string($string) {
$list = split( ';', $string);
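Review bot: The trust decision in user_login, `return ($_SERVER[$this->config->user_attribute] == $username);`, uses loose comparison, so two numeric-looking strings that differ textually (constructed example: `'100'` and `'1e2'`) are accepted as the same user; since this line decides whether the session is granted it should read `return ($_SERVER[$this->config->user_attribute] === $username);`. The same hunk has no comment explaining that `$password` is intentionally ignored because the Shibboleth SP already authenticated the request, which a reader of a `user_login($username, $password)` signature will otherwise take for a bug — a one-line comment above the `if` would do. In get_userinfo, the `error(get_string('shib_not_all_attributes_error', ...))` call concatenates the raw `$_SERVER` attribute values into the message; if error() renders that text as HTML, each value should go through htmlspecialchars() first. In process_config (last hunk of this file) the `set_config(...)` writes run before the convert_data `file_exists`/`is_readable` check, so an unreadable path is persisted even though the method returns false; moving the check above the writes keeps stored settings consistent with the reported result. user_login, get_userinfo and process_config each start or end outside their hunks.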


@ -27,6 +27,12 @@
<td><?php print_string("auth_shib_username_description", "auth") ?></td>
</tr>
<!--
This is kind of obsolete because the login instructions are now centralized
On the other hand it would be great for Shibboleth to have seperate login
instructions
-->
<!--
<tr valign="top">
<td align="right"><?php print_string("instructions", "auth") ?>:</td>
<td>
@ -34,13 +40,14 @@
</td>
<td>
<?php
print_string("auth_shib_instructions_help", "auth", htmlspecialchars($CFG->wwwroot.'/auth/shibboleth/index.php'));
helpbutton("text", get_string("helptext"));
?>
</td>
</tr>
-->
<tr valign="top">
<td align="right"><?php print_string("auth_shib_convert_data", "auth") ?>:</td>
@ -59,6 +66,7 @@
<td><?php print_string("auth_shib_convert_data_description", "auth") ?></td>
</tr>
<tr valign="top">
<td align="right"><?php print_string('auth_shib_changepasswordurl', 'auth') ?>: </td>
<td>
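Review bot: The 'instructions' form row is disabled with an HTML comment (`<!-- ... -->`) rather than removed, so the `<?php print_string(...) ?>` and `helpbutton(...)` calls inside it still execute on every render and their output is sent to the browser inside the comment. Since the old row is preserved in version control, delete it; if it must stay as a reminder, wrap it in a PHP comment so it neither runs nor reaches the client, and make the explanatory note a PHP comment as well, e.g. `<?php /* Login instructions are now set in the common authentication settings; see README */ ?>`. The enclosing table starts and ends outside the hunk.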


@ -2,7 +2,6 @@
// Designed to be redirected from moodle/login/index.php
require('../../config.php');
require('lib.php');
if (isloggedin() && $USER->username != 'guest') { // Nothing to do
if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0)) {
@ -18,7 +17,8 @@
}
$pluginconfig = get_config('auth/shibboleth');
$shibbolethauth = get_auth_plugin('shibboleth');
// Check whether Shibboleth is configured properly
if (empty($pluginconfig->user_attribute)) {
error(get_string( 'shib_not_set_up_error', 'auth'));
@ -33,17 +33,22 @@
/// Check if the user has actually submitted login data to us
if ($user = authenticate_user_login($frm->username, $frm->password)) {
// Let's get them all set up.
$USER = $user;
add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id);
if ($shibbolethauth->user_login($frm->username, $frm->password)) {
$USER = authenticate_user_login($frm->username, $frm->password);
$USER->loggedin = true;
$USER->site = $CFG->wwwroot; // for added security, store the site in the
update_user_login_times();
set_moodle_cookie($USER->username);
set_login_session_preferences();
unset($SESSION->lang);
$SESSION->justloggedin = true;
add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id);
if (user_not_fully_set_up($USER)) {
$urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&amp;course='.SITEID;
// We don't delete $SESSION->wantsurl yet, so we get there later
@ -67,6 +72,12 @@
load_all_capabilities(); /// This is what lets the user do anything on the site :-)
redirect($urltogo);
exit;
}
else {
// For some weird reason the Shibboleth user couldn't be authenticated
}
}
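Review bot: `$USER = authenticate_user_login($frm->username, $frm->password);` no longer checks the return value, unlike the `if ($user = authenticate_user_login(...))` it replaces, so if that call returns false the code continues to `$USER->loggedin = true`, sets the cookie and session preferences, and redirects as though the login succeeded. Assign to a local first and stop on failure, e.g. `$user = authenticate_user_login($frm->username, $frm->password); if (!$user) { error(/* TODO: pick the appropriate 'auth' string */); } $USER = $user;`. The `else` branch at the end of the hunk holds only a comment, so a user_login failure (attribute missing or not matching the submitted username, per user_login in auth.php) falls through to whatever follows instead of ending the request; it should call error() or redirect back to the login page, and the comment should state that condition rather than "some weird reason". The `if` this branch belongs to, and the construction of `$frm`, are outside the hunk.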