MDL-20867 LDAP NTLM fast path - allow FF to use NTLM when fastpath

enabled
2025-01-17 21:49:15 +01:00 · 2013-02-14 14:33:56 +13:00 · 2013-02-14 14:33:56 +13:00 · d962e8143d
commit d962e8143d
parent f8e6e5bc30
3 changed files with 23 additions and 7 deletions
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@ -61,6 +61,15 @@ if (!defined('AUTH_NTLM_VALID_DOMAINNAME')) {
 if (!defined('AUTH_NTLM_DEFAULT_FORMAT')) {
    define('AUTH_NTLM_DEFAULT_FORMAT', '%domain%\\%username%');
 }
+if (!defined('AUTH_NTLM_FASTPATH_ATTEMPT')) {
+    define('AUTH_NTLM_FASTPATH_ATTEMPT', 0);
+}
+if (!defined('AUTH_NTLM_FASTPATH_YESFORM')) {
+    define('AUTH_NTLM_FASTPATH_YESFORM', 1);
+}
+if (!defined('AUTH_NTLM_FASTPATH_YESATTEMPT')) {
+    define('AUTH_NTLM_FASTPATH_YESATTEMPT', 2);
+}

 // Allows us to retrieve a diagnostic message in case of LDAP operation error
 if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
@ -1606,17 +1615,17 @@ class auth_plugin_ldap extends auth_plugin_base {
            }

            // Now start the whole NTLM machinery.
-            if(!empty($this->config->ntlmsso_ie_fastpath)) {
-                // Shortcut for IE browsers: skip the attempt page
+            if($this->config->ntlmsso_ie_fastpath == AUTH_NTLM_FASTPATH_YESATTEMPT ||
+                $this->config->ntlmsso_ie_fastpath == AUTH_NTLM_FASTPATH_YESFORM) {
+
                if(check_browser_version('MSIE')) {
                    $sesskey = sesskey();
                    redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_magic.php?sesskey='.$sesskey);
-                } else {
+                } else if ($this->config->ntlmsso_ie_fastpath == AUTH_NTLM_FASTPATH_YESFORM) {
                    redirect($CFG->httpswwwroot.'/login/index.php?authldap_skipntlmsso=1');
                }
-            } else {
-                redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php');
            }
+            redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php');
        }

        // No NTLM SSO, Use the normal login page instead.
--- a/auth/ldap/config.html
+++ b/auth/ldap/config.html
@ -106,6 +106,10 @@ if (!isset($config->ntlmsso_remoteuserformat)) {

 $yesno = array(get_string('no'), get_string('yes'));

+$fastpathoptions = array(AUTH_NTLM_FASTPATH_YESFORM => get_string('auth_ntlmsso_ie_fastpath_yesform', 'auth_ldap'),
+                         AUTH_NTLM_FASTPATH_YESATTEMPT => get_string('auth_ntlmsso_ie_fastpath_yesattempt', 'auth_ldap'),
+                         AUTH_NTLM_FASTPATH_ATTEMPT => get_string('auth_ntlmsso_ie_fastpath_attempt', 'auth_ldap'));
+
 $disabled = '';
 if (!ldap_paged_results_supported($config->ldap_version)) {
    $disabled = ' disabled="disabled"';
@ -562,7 +566,7 @@ if (!ldap_paged_results_supported($config->ldap_version)) {
        <label for="menuntlmsso_ie_fastpath"><?php print_string('auth_ntlmsso_ie_fastpath_key', 'auth_ldap') ?></label>
    </td>
    <td>
-        <?php echo html_writer::select($yesno, 'ntlmsso_ie_fastpath', $config->ntlmsso_ie_fastpath, false); ?>
+        <?php echo html_writer::select($fastpathoptions, 'ntlmsso_ie_fastpath', $config->ntlmsso_ie_fastpath, false); ?>
    </td>
    <td>
    <?php print_string('auth_ntlmsso_ie_fastpath', 'auth_ldap') ?>
--- a/auth/ldap/lang/en/auth_ldap.php
+++ b/auth/ldap/lang/en/auth_ldap.php
@ -98,8 +98,11 @@ $string['auth_ldap_version_key'] = 'Version';
 $string['auth_ntlmsso'] = 'NTLM SSO';
 $string['auth_ntlmsso_enabled'] = 'Set to yes to attempt Single Sign On with the NTLM domain. <strong>Note:</strong> this requires additional setup on the webserver to work, see <a href="http://docs.moodle.org/en/NTLM_authentication">http://docs.moodle.org/en/NTLM_authentication</a>';
 $string['auth_ntlmsso_enabled_key'] = 'Enable';
-$string['auth_ntlmsso_ie_fastpath'] = 'Set to yes to enable the NTLM SSO fast path (bypasses certain steps and only works if the client\'s browser is MS Internet Explorer).';
+$string['auth_ntlmsso_ie_fastpath'] = 'Set to enable the NTLM SSO fast path (bypasses certain steps if the client\'s browser is MS Internet Explorer).';
 $string['auth_ntlmsso_ie_fastpath_key'] = 'MS IE fast path?';
+$string['auth_ntlmsso_ie_fastpath_yesform'] = 'Yes, all other browsers use standard login form';
+$string['auth_ntlmsso_ie_fastpath_yesattempt'] = 'Yes, attempt NTLM other browsers';
+$string['auth_ntlmsso_ie_fastpath_attempt'] = 'Attempt NTLM with all browsers';
 $string['auth_ntlmsso_maybeinvalidformat'] = 'Unable to extract the username from the REMOTE_USER header. Is the configured format right?';
 $string['auth_ntlmsso_missing_username'] = 'You need to specify at least %username% in the remote username format';
 $string['auth_ntlmsso_remoteuserformat_key'] = 'Remote username format';