LDAP URL SSO 'ldapsso' Authentication Plugin README
Created by John T. Macklin (viperf117a@yahoo.com) (C) 2009
Extends LDAP authentication plugin auth/ldap
for Pass-Through Security Authentication.
Version .9 Beta Release Revised 11/12/2009 22:13 CST
Description:
Authenticates remote and local users via the standard Moodle login or a URL-based SSO form (POST),
providing Pass-Through Security Authentication from a remote portal page.
Supports cron sync via auth_ldapsso_sync_users.php.
This Moodle 1.9 authentication plug-in enables LDAP single sign-on from web portal SSL forms and uses a modified
stand-alone version of the core LDAP authentication plug-in. It currently supports MS-ADLS (AD) and
OpenLDAP (RFC2307-compliant) server back ends. It implements Pass-Through Security Authentication for Moodle,
which uses an HTTPS POST web transaction to send the user credentials along with a hash value
(private key + FQDN + credentials) to the Moodle API. The plug-in automatically creates the required hash
(private key) upon installation. During authentication, if the key (private key) passed by the portal form
matches the LDAPSSO private key and the traffic comes from the designated portal FQDN, the plugin
attempts to authenticate the user's login credentials against the specified LDAP host server.
Requires Moodle 1.9.5 or above; currently no 1.8 version is planned!
Notes:
This is a stand-alone plugin which does not require auth/ldapsso to be enabled!
The PHP LDAP extension (ldap.so) must be installed and configured via your
server's php.ini (http://www.php.net/manual/en/ldap.setup.php).
Calling the web form over HTTPS (TLS/SSL) is recommended, although it will also work over plain HTTP.
Because the password is sent in plain text, SSL is recommended.
Example Portal Login form for LDAP URL SSO
https POST Params: ?username=johndoe1&passwd=pass123&email=johndoe1@mail.myschool.edu&firstName=John&lastName=Doe&institution=MySchool&key=sdRYx23xcvFx72xJ
<form id="LDAPSSO_LOGIN" action="https://moodle.mydomain.edu/auth/ldapsso/index.php" method="post">
  <div align="center">
    <p class="SSOLoginText">Please login to Moodle.</p>
    <p>
      <input type="hidden" name="username" value="KMT\65" /> <!-- required -->
      <input type="password" name="passwd" value="pass123" size="15" /> <!-- required -->
      <input type="text" name="firstName" value="" size="35" /> <!-- optional -->
      <input type="text" name="lastName" value="" size="35" /> <!-- optional -->
      <input type="text" name="email" value="" size="15" /> <!-- required to enable "Create users externally" in Ext Auth -->
      <input type="hidden" name="institution" value="MySchool" /> <!-- optional -->
      <input type="hidden" name="key" value="sdRYx23xcvFx72xJ" /> <!-- required: salt (ldapsso_auth_key) generated by LDAP URL SSO Setup -->
      <input name="submit" type="submit" class="blueButton" title="submit" value="Login" />
    </p>
  </div>
</form>
A simple, quick-and-dirty test SSO login form for testing is provided at ./auth/ldapsso/test.php.
User Creation and Create users externally (via LDAP Ext Auth)
The LDAP server bind user must have write permission on the LDAP Ext Auth DIT context for new users.
The context for new users (the DN under which new users will be created) must be set.
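The Moodle-side checks that the description above implies (shared key, portal FQDN, then an LDAP bind), written here as an added example rather than the plugin's own code. It assumes PHP 7 (for hash_equals, ldap_escape and the type hints), that $CFG->ldapsso_auth_key and $CFG->ldapsso_portal hold the values from the settings page, Moodle's redirect() for the failure path, and placeholder names for the LDAP host and the user container.

```php
<?php
// Added example, not the ldapsso plugin's code. Placeholders: the LDAP host and
// the "ou=users,dc=example,dc=edu" container; the redirect target is illustrative.

function ldapsso_request_is_trusted(array $post, array $server, string $authkey, string $portalfqdn): bool {
    // The password travels in clear text, so refuse anything that is not HTTPS.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return false;
    }
    // Compare the shared key in constant time rather than with == (no early exit).
    if (!isset($post['key']) || !hash_equals($authkey, (string)$post['key'])) {
        return false;
    }
    // Resolve the configured portal FQDN forward and require REMOTE_ADDR to be one
    // of its addresses; reverse DNS of the client address is not trustworthy.
    $allowed = gethostbynamel($portalfqdn);
    return $allowed !== false && in_array($server['REMOTE_ADDR'] ?? '', $allowed, true);
}

// Verify the credentials with a simple bind; true only when the bind succeeds.
function ldapsso_bind_user(string $host, string $userdn, string $password): bool {
    // RFC 4513: an empty password is an unauthenticated (anonymous) bind and
    // would "succeed" for any DN, so reject it before talking to the server.
    if ($password === '') {
        return false;
    }
    $ds = ldap_connect($host);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // StartTLS before the bind so the credentials are not sent to the LDAP host in clear.
    if (!@ldap_start_tls($ds)) {
        ldap_close($ds);
        return false;
    }
    $ok = @ldap_bind($ds, $userdn, $password);
    ldap_close($ds);
    return $ok;
}

// Use from auth/ldapsso/index.php: fail closed, then bind with an escaped DN.
if (!ldapsso_request_is_trusted($_POST, $_SERVER, $CFG->ldapsso_auth_key, $CFG->ldapsso_portal)) {
    redirect($CFG->wwwroot . '/login/index.php');   // the plugin's failed-login URL goes here
}
$userdn = 'uid=' . ldap_escape($_POST['username'] ?? '', '', LDAP_ESCAPE_DN) . ',ou=users,dc=example,dc=edu';
if (!ldapsso_bind_user('ldap.example.edu', $userdn, (string)($_POST['passwd'] ?? ''))) {
    redirect($CFG->wwwroot . '/login/index.php');
}
```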
slapd.access.conf sample for DIT bind user access (uid=ldapadmin is the bind user that creates new users)
access to dn.base="cn=Subschema"
    by * read
access to dn.base="dc=rl,dc=kota,dc=net"
    by self write
    by dn.regex="^uid=\w+,ou=admins,dc=rl,dc=kota,dc=net$" write
    by * read
# Password hashes must not be world-readable: anonymous clients may only use
# the attribute to bind (auth), never read it.
access to attrs=userPassword
    by dn="cn=admin,dc=rl,dc=kota,dc=net" write
    by dn="uid=ldapadmin,ou=admins,dc=rl,dc=kota,dc=net" write
    by self write
    by anonymous auth
    by * none
# In a regex "uid=*" only matches "uid" followed by any number of "=" signs,
# so the admin and user branches are matched with an anchored [^,]+ instead.
access to dn.regex="^uid=[^,]+,ou=admins,dc=rl,dc=kota,dc=net$"
    by dn.regex="^uid=[^,]+,ou=users,dc=rl,dc=kota,dc=net$" none
    by self write
    by * read
access to dn.regex="^uid=[^,]+,ou=users,dc=rl,dc=kota,dc=net$"
    by dn="cn=admin,dc=rl,dc=kota,dc=net" write
    by dn.regex="^uid=[^,]+,ou=admins,dc=rl,dc=kota,dc=net$" write
    by self write
    by * read
# The admin dn has full write access, everyone else
# can read everything. Required for SASL/SSL/TLS
access to *
    by dn="cn=admin,dc=rl,dc=kota,dc=net" write
    by dn="uid=ldapadmin,ou=admins,dc=rl,dc=kota,dc=net" write
    by * read
Required tweak to enable Create New Users in Ext Auth:
Add this line to $CFG->wwwroot/config.php to enable user email registration when creating users externally:
$CFG->registerauth = 'ldapsso'; // use $CFG->wwwroot/auth/ldapsso/auth.php functions to confirm users.
This allows any anonymous user arriving via SSO to create a new account if
Enable user creation: Create users externally is set to [Yes].
Create LDAP Users Internally - LDAP user has no account in Moodle:
If set to 'Yes', an existing LDAP user gets a new local account created upon login; if set to 'No',
such users will be redirected to the failed login URL.
Make sure the value of 'key' is set to the URL random salt (ldapsso_auth_key) found in the LDAP URL SSO settings page.
ldapsso_portal FQDN must be set to the FQDN of the remote portal host.
Cron Sync via auth_ldapsso_sync_users.php
This script is meant to be called from a cron job to sync Moodle with the LDAP DIT.
From the CLI use: nice php auth_ldapsso_sync_users.php
Recommended cron entry (crontab -u <user> -e):
# 1 AM
0 1 * * * /usr/bin/php -c /etc/php5/cli/php.ini /var/www/moodle/auth/ldapsso/auth_ldapsso_sync_users.php
History:
11/11/2009 22:22 CST - Added LDAP URL SSO Capability
11/12/2009 18:20 CST - Added Create User in Ext Auth & email confirmation
11/12/2009 22:13 CST - Improved LDAP sync_users() function
Reference:
http://moodle.org/mod/forum/discuss.php?d=104827
http://moodle.org/mod/forum/discuss.php?d=69277
http://tracker.moodle.org/browse/MDL-13458
http://tracker.moodle.org/browse/MDL-16153
http://tracker.moodle.org/browse/MDL-19779