MDL-9399 auth/ldap: Add NTLM SSO pages

These pages control the process of attempting an NTLM SSO login safely. This is very draft and needs real-world testing and polish. And string localisation too ;-) * If NTLM SSO is enabled, and the user's IP addr is in the right subnet, the loginpage_hook() of auth/ldap redirects to ntlmsso_attempt.php * ntlmsso_attempt.php will display a "redirect" msg with an img tag pointing to ntlmsso_magic.php, a 3s wait, and a redirect to ntlmsso_finish.php * ntlmsso_magic.php should be configured to have "Integrated Windows Authentication". If it does, it will serve a spacer gif and call ntlmsso_magic() * ntlmsso_finish.php calls ntlmsso_finish() to complete the SSO and handles failures.
moodle · Nov 14, 2007 · bdadff3 · bdadff3
1 parent 94beeb7
commit bdadff3
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 0 deletions.
diff --git a/auth/ldap/ntlmsso_attempt.php b/auth/ldap/ntlmsso_attempt.php
@@ -0,0 +1,34 @@
+<?php
+
+require_once("../../config.php");
+
+//HTTPS is potentially required in this page
+httpsrequired();
+
+/// Define variables used in page
+if (!$site = get_site()) {
+    error("No site found!");
+}
+
+$authsequence = get_enabled_auth_plugins(true); // auths, in sequence
+if (!in_array('ldap',$authsequence,true)) {
+    print_error('ldap_isdisabled','auth');
+}
+
+$authplugin = get_auth_plugin('ldap');
+if (empty($authplugin->config->ntlmsso_enabled)) {
+    print_error('ntlmsso_isdisabled','auth');
+}
+
+$sesskey = sesskey();
+
+//print_header("$site->fullname: $loginsite", $site->fullname, $loginsite, $focus, '', true);
+$msg = '<p>Attempting SSO...</p>'
+    . '<img width="1", height="1" '
+    . ' src="' . $CFG->wwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='
+    . $sesskey . '" />';
+redirect($CFG->wwwroot . '/auth/ldap/ntlmsso_finish.php', $msg, 3);
+
+
+
+?>
diff --git a/auth/ldap/ntlmsso_finish.php b/auth/ldap/ntlmsso_finish.php
@@ -0,0 +1,30 @@
+<?php
+
+require_once("../../config.php");
+
+//HTTPS is potentially required in this page
+httpsrequired();
+
+/// Define variables used in page
+if (!$site = get_site()) {
+    error("No site found!");
+}
+
+$authsequence = get_enabled_auth_plugins(true); // auths, in sequence
+if (!in_array('ldap',$authsequence,true)) {
+    print_error('ldap_isdisabled','auth');
+}
+
+$authplugin = get_auth_plugin('ldap');
+if (empty($authplugin->config->ntlmsso_enabled)) {
+    print_error('ntlmsso_isdisabled','auth');
+}
+
+// If ntlmsso_finish() succeeds, then the code never returns,
+// so we only worry about failure.
+if (!$authplugin->ntlmsso_finish()) {
+    // Redirect to login, saying "don't try again!"
+    redirect($CFG->wwwroot . '/login/index.php?authldap_skipntlmsso=1', 
+             "Single Sign On failed, proceed to normal login", 3);
+}
+?>
diff --git a/auth/ldap/ntlmsso_magic.php b/auth/ldap/ntlmsso_magic.php
@@ -0,0 +1,38 @@
+<?php
+
+// Disable session handling here?
+require_once("../../config.php");
+session_write_close();
+
+//HTTPS is potentially required in this page
+httpsrequired();
+
+$authsequence = get_enabled_auth_plugins(true); // auths, in sequence
+if (!in_array('ldap',$authsequence,true)) {
+    print_error('ldap_isdisabled','auth');
+}
+
+$authplugin = get_auth_plugin('ldap');
+if (empty($authplugin->config->ntlmsso_enabled)) {
+    print_error('ntlmsso_isdisabled','auth');
+}
+
+$sesskey = required_param('sesskey', PARAM_RAW);
+if ($authplugin->ntlmsso_magic($sesskey)) {
+    // Serve GIF
+    $file = $CFG->dirroot . '/pix/spacer.gif';
+
+    // Type
+    header('Content-Type: image/gif');
+    header('Content-Length: '.filesize($file));
+
+    // Output file
+    $handle=fopen($file,'r');
+    fpassthru($handle);
+    fclose($handle);
+    exit;
+} else {
+    print_error('ntlmsso_iwamagicnotenabled','auth');
+}
+
+?>