
MDL-9399 auth/ldap: Add NTLM SSO pages

These pages control the process of attempting an NTLM SSO login
safely. This is still a very rough draft and needs real-world testing and polish.

And string localisation too ;-)

  * If NTLM SSO is enabled, and the user's IP addr is in the right
    subnet, the loginpage_hook() of auth/ldap redirects to
    ntlmsso_attempt.php

  * ntlmsso_attempt.php will display a "redirect" msg with an img tag
    pointing to ntlmsso_magic.php, a 3s wait, and a redirect to
    ntlmsso_finish.php

  * ntlmsso_magic.php should be configured to have "Integrated
    Windows Authentication". If it does, it will serve a spacer gif
    and call ntlmsso_magic()

  * ntlmsso_finish.php calls ntlmsso_finish() to complete the SSO
    and handles failures.
martinlanghoff
martinlanghoff committed Nov 14, 2007
1 parent 94beeb7 commit bdadff33ff4a0e413a8f6525e168cf53bdd4aa88
Showing with 102 additions and 0 deletions.
  1. +34 −0 auth/ldap/ntlmsso_attempt.php
  2. +30 −0 auth/ldap/ntlmsso_finish.php
  3. +38 −0 auth/ldap/ntlmsso_magic.php
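--- /dev/null
+++ b/auth/ldap/ntlmsso_attempt.php
@@ -0,0 +1,34 @@
+<?php
+require_once("../../config.php");
+//HTTPS is potentially required in this page
+httpsrequired();
+/// Define variables used in page
+if (!$site = get_site()) {
+error("No site found!");
+}
+$authsequence = get_enabled_auth_plugins(true); // auths, in sequence
+if (!in_array('ldap',$authsequence,true)) {
+print_error('ldap_isdisabled','auth');
+}
+$authplugin = get_auth_plugin('ldap');
+if (empty($authplugin->config->ntlmsso_enabled)) {
+print_error('ntlmsso_isdisabled','auth');
+}
+$sesskey = sesskey();
+//print_header("$site->fullname: $loginsite", $site->fullname, $loginsite, $focus, '', true);
+$msg = '<p>Attempting SSO...</p>'
+. '<img width="1", height="1" '
+. ' src="' . $CFG->wwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='
+. $sesskey . '" />';
+redirect($CFG->wwwroot . '/auth/ldap/ntlmsso_finish.php', $msg, 3);
+?>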
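Review bot: The `<img>` tag assembled in the `$msg` concatenation has a stray comma between its attributes (`width="1", height="1"`), which is malformed HTML and may stop some browsers from ever requesting ntlmsso_magic.php, so the SSO attempt silently never happens; change that fragment to `'<img width="1" height="1" '`. `$site` is fetched and checked but only referenced by the commented-out print_header() call, so either restore the header or drop the lookup and its comment. The "Attempting SSO..." text and the three-second delay are hardcoded, which matches the commit message's note that localisation is still pending. `$sesskey` comes from sesskey() rather than from the request, so emitting it into the attribute is fine; it is worth a one-line comment saying that the magic page validates this value before doing anything.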
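--- /dev/null
+++ b/auth/ldap/ntlmsso_finish.php
@@ -0,0 +1,30 @@
+<?php
+require_once("../../config.php");
+//HTTPS is potentially required in this page
+httpsrequired();
+/// Define variables used in page
+if (!$site = get_site()) {
+error("No site found!");
+}
+$authsequence = get_enabled_auth_plugins(true); // auths, in sequence
+if (!in_array('ldap',$authsequence,true)) {
+print_error('ldap_isdisabled','auth');
+}
+$authplugin = get_auth_plugin('ldap');
+if (empty($authplugin->config->ntlmsso_enabled)) {
+print_error('ntlmsso_isdisabled','auth');
+}
+// If ntlmsso_finish() succeeds, then the code never returns,
+// so we only worry about failure.
+if (!$authplugin->ntlmsso_finish()) {
+// Redirect to login, saying "don't try again!"
+redirect($CFG->wwwroot . '/login/index.php?authldap_skipntlmsso=1',
+"Single Sign On failed, proceed to normal login", 3);
+}
+?>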
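Review bot: The failure branch redirects to login/index.php with `authldap_skipntlmsso=1`, but nothing on this page records that the ldap plugin's loginpage_hook() must honour that flag; if it does not, a user whose IWA negotiation keeps failing will bounce between the login page and ntlmsso_attempt.php indefinitely. I would put a comment above the redirect, e.g. `// loginpage_hook() must check authldap_skipntlmsso, otherwise this loops back to ntlmsso_attempt.php`, and a short file header stating that this page is only reached from ntlmsso_attempt.php once the image request to ntlmsso_magic.php has completed. The comment saying ntlmsso_finish() "never returns" on success describes behaviour that lives in the plugin, outside this hunk, so naming where the successful path ends up would save the next reader a trip into auth/ldap/auth.php. The failure message is English-only, as the commit message already acknowledges.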
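--- /dev/null
+++ b/auth/ldap/ntlmsso_magic.php
@@ -0,0 +1,38 @@
+<?php
+// Disable session handling here?
+require_once("../../config.php");
+session_write_close();
+//HTTPS is potentially required in this page
+httpsrequired();
+$authsequence = get_enabled_auth_plugins(true); // auths, in sequence
+if (!in_array('ldap',$authsequence,true)) {
+print_error('ldap_isdisabled','auth');
+}
+$authplugin = get_auth_plugin('ldap');
+if (empty($authplugin->config->ntlmsso_enabled)) {
+print_error('ntlmsso_isdisabled','auth');
+}
+$sesskey = required_param('sesskey', PARAM_RAW);
+if ($authplugin->ntlmsso_magic($sesskey)) {
+// Serve GIF
+$file = $CFG->dirroot . '/pix/spacer.gif';
+// Type
+header('Content-Type: image/gif');
+header('Content-Length: '.filesize($file));
+// Output file
+$handle=fopen($file,'r');
+fpassthru($handle);
+fclose($handle);
+exit;
+} else {
+print_error('ntlmsso_iwamagicnotenabled','auth');
+}
+?>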
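Review bot: The session key is read with `PARAM_RAW` at the required_param() line even though sesskey() values are plain alphanumeric tokens, so `PARAM_ALPHANUM` would reject malformed input before it reaches ntlmsso_magic(). The GIF branch does not check fopen()'s return value, so a missing spacer.gif yields a warning followed by fpassthru() on `false`; `readfile($file)` does the same job in one line and returns false on failure. Because this response is fetched by an `<img>` whose URL carries the session key, sending `header('Cache-Control: no-store');` next to the Content-Type header would keep the response and its URL out of shared caches. The else branch prints a full HTML error page into an image request, where the user only sees a broken image; a bare error status would be cheaper, though print_error() does keep the failure handling consistent with the other two pages.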
