Now the DNs that indicate a course-creator role can also be contexts.
This way we support one more widely used practice in the weird and
wonderful LDAP world...
cache_flags is now the apropriate way to manage this kind of temp
data. It gives us time expiry and GC for free, so it's a perfect fit
for the job, as it simplifies the code a bit.
From Iñaki Arenaza - fix for
... I forgot to put the textlib conversion
call before the block of code that uses $extusername, so it
completely breaks the user validation process.
Fix a bug in ntlmsso_finish(), and tighten up user_login() to avoid a
pointless DB lookup if the password doesn't match the sesskey.
Hopefully this makes things work again...
(thanks I~naki for the testing!)
Several tidyups:
- use moodle_strtolower() for utf-8 correctness
- use sesskey as the key instead of IP addr to support
proxied users
- clean the sesskey after success!
- pull timeout out to a constant: AUTH_NTLMTIMEOUT
From Iñaki Arenaza...
Right now, if someone logs in via NTLM magic, we don't check if that
user is inside the contexts specified in the LDAP settings. I mean,
if I want to restrict my Moodle site to those users inside a given OU
or subtree of my LDAP directory, with the current code any valid user
in my whole AD domain (and if we are using a GC as the LDAP server,
the whole forest) can log in. We should check that the user is inside
one of the configured contexts before allowing his/her to log in.
Something along the lines of the attached patch could do it.
As Iñaki points out, ntlmsso_finish() needs to do all the setup that
login/index.php would do for a user once auth succeeds. With this
patch, the session setup is complete so the logon is usable.
Use $nomoodlecookie global to avoid session troubles. Also
* Ensure we load the appropriate config.php, even if we are executing
under a strange environment (ie: with a user's credentials!)
* Test we have a spacer gif to open before we open it
These pages control the process of attempting an NTLM SSO login
safely. This is very draft and needs real-world testing and polish.
And string localisation too ;-)
* If NTLM SSO is enabled, and the user's IP addr is in the right
subnet, the loginpage_hook() of auth/ldap redirects to
ntlmsso_attempt.php
* ntlmsso_attempt.php will display a "redirect" msg with an img tag
pointing to ntlmsso_magic.php, a 3s wait, and a redirect to
ntlmsso_finish.php
* ntlmsso_magic.php should be configured to have "Integrated
Windows Authentication". If it does, it will serve a spacer gif
and call ntlmsso_magic()
* ntlmsso_finish.php calls ntlmsso_finish() to complete the SSO
and handles failures.
Flesh out the functions that get the job done. These will be triggered
by PHP files sitting under auth/ldap/ ...
ntlmsso_magic() - here is where the magic happens. Call it serving
something harmless, like a space GIF, from a URL that is blessed with
Integrated Windows Authentication. If the IWA is successful, it will
set a special session cookie in config_plugins table.
It won't complete the job because when we are under IWA magic we
cannot change (even read!) the session data, as the execution happens
under the OS privileges of the actual user acct being logged in (!!!)
ntlmsso_finish() - if it finds the session set by ntlmsso_magic() and
it hasn't expired, it will finish the job of logging in the user, by
calling authenticate_user_login() and exercising the whole auth
machinery.
user_login() - when called by authenticate_user_login() it will check
to see if there's a session setup by ntlmsso_magic() and OK the login
without really asking the AD backend to proof a password we don't have
anyway.
A work in progress -- initial loginpage_hook() and headers for the
remaining functions. One thing to consider here is that this won't
work if there's a proxy in the middle.
Does NTLM auth thingy support proxies?
Most of this code should be replaced with complete_user_login() but it
does a few odd things, so we'll play it safe for now, specially since
I don't have a Shib setup to test...
... where it belongs ;-)
load_all_capabiloties() gets called at several points where we don't
want to be re-querying the enrolment backends. It needs to be called
before load_all_capabilities() and only by callers that are setting up
a logon session.
Those callers need to be calling complete_user_login() anyway, as they
need to set the Moodle cookie, log the logon action, etc. In fact,
those callers duplicate a lot of that code already.
The callers that don't duplicate code for the login are actually the
cases where the backend enrolment plugins should not be queried.
To be followed by callers cleanup...
This is messy because the links are hidden in the configdata column, which is serialized and base64encoded. So we have to untangle that, then ask the block whether there are any bits of $config that need to be fixed, then re-encode it before backup up. And reverse that on restore. It needs to remain base64 encoded in the backup file, so that the file format is backwards compatible.
I disucssed this with Eloy before doing it.
Merged from MOODLE_19_STABLE.
The previous fix for IE left some problems in the FF side of
things because we were trying additions/substractions on
width once its had turned to a string of value + unit.
Do the math before we attach 'px' to it...
