#1 Hightower

    Moodle - LDAP Authentication

    We use LDAP for Moodle logins here, and it works a treat. Thing is, if our LDAP server fails (like it did this weekend due to power failure) our students can't logon to Moodle.

    Does anything exist where Moodle uses LDAP to authenticate, but if LDAP fails it checks for the user/password combination in its own database - a kind of failsafe solution?

    Any ideas?

#2 dhicks

    Quote Originally Posted by Hightower:
    Does anything exist where Moodle uses LDAP to authenticate, but if LDAP fails it checks for the user/password combination in its own database - a kind of failsafe solution?
    That would imply storing the user's password in a local database. What authentication method do you use - if you're using Active Directory style authentication-by-bind the whole idea is that you don't know the user's password, you simply pass it on to the authentication server. You would need a bit of code that sat in between the get-password-from-input-form and send-password-to-LDAP-server operations that wrote out the password to a local (secure, encrypted, of course) database or file of some kind. You would need to only store the password if authentication was successful - not much point in storing incorrect passwords, and anyone who changed their password at school and then expected to log in with that new password via Moodle with the LDAP server down is going to get confused.

    --
    David Hicks

#3 Hightower

    Quote Originally Posted by dhicks:
    That would imply storing the user's password in a local database. What authentication method do you use - if you're using Active Directory style authentication-by-bind the whole idea is that you don't know the user's password, you simply pass it on to the authentication server. You would need a bit of code that sat in between the get-password-from-input-form and send-password-to-LDAP-server operations that wrote out the password to a local (secure, encrypted, of course) database or file of some kind. You would need to only store the password if authentication was successful - not much point in storing incorrect passwords, and anyone who changed their password at school and then expected to log in with that new password via Moodle with the LDAP server down is going to get confused.

    --
    David Hicks
    Yeah - this is how it would work in my head too. Anything like this exist or is it a case of digging into the code myself?
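An added example of the LDAP-first, local-fallback login the two posts above sketch; this is not code from the thread or from Moodle. It differs from the "encrypted copy" idea in one respect: the local store holds only a salted PBKDF2 hash, written solely after a successful LDAP bind, so the fallback works during an outage without a decryptable password existing anywhere. The bind is an injected callable (`ldap_bind`, an assumed interface), `LdapUnavailable` models "no server reachable", and the fake directory is constructed for the demo.

```python
"""Added example (not Moodle code): LDAP-first login with a hashed local fallback.

The bind against the directory is an injected callable so the example runs
offline; LdapUnavailable models "no LDAP server reachable", which is the only
case in which the local cache is consulted.
"""
import hashlib
import hmac
import secrets


class LdapUnavailable(Exception):
    """Raised by the bind callable when no LDAP server can be contacted."""


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the cache never holds a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class FallbackAuthenticator:
    """Try LDAP first; consult the local cache only when LDAP is unreachable."""

    def __init__(self, ldap_bind):
        # ldap_bind(username, password) -> bool, or raises LdapUnavailable
        self._ldap_bind = ldap_bind
        self._cache = {}  # username -> (salt, derived_key)

    def login(self, username: str, password: str):
        """Return (accepted, source) where source is 'ldap' or 'cache'."""
        try:
            accepted = self._ldap_bind(username, password)
        except LdapUnavailable:
            return self._check_cache(username, password), "cache"
        if accepted:
            # Refresh the cache only for a credential the directory just accepted.
            salt = secrets.token_bytes(16)
            self._cache[username] = (salt, _derive(password, salt))
        # A rejected bind deliberately leaves any cached entry alone: evicting on
        # failure would let anyone clear a user's fallback by guessing wrong.
        return accepted, "ldap"

    def _check_cache(self, username: str, password: str) -> bool:
        entry = self._cache.get(username)
        if entry is None:
            return False  # never logged in while LDAP was up
        salt, expected = entry
        return hmac.compare_digest(_derive(password, salt), expected)


def make_fake_ldap(directory: dict, state: dict):
    """Constructed stand-in for the directory; state['down'] simulates an outage."""
    def bind(username, password):
        if state["down"]:
            raise LdapUnavailable("no LDAP server reachable")
        return directory.get(username) == password
    return bind


if __name__ == "__main__":
    state = {"down": False}
    auth = FallbackAuthenticator(make_fake_ldap({"alice": "s3cret"}, state))
    print(auth.login("alice", "s3cret"))   # (True, 'ldap')
    state["down"] = True
    print(auth.login("alice", "s3cret"))   # (True, 'cache')
    print(auth.login("alice", "wrong"))    # (False, 'cache')
```

The cache only knows the password from each user's last successful LDAP login, which is exactly the staleness dhicks points out: a password changed at school just before an outage will not work against the cache until the directory is back. A deployment would also want to expire cached entries after a bounded time so the fallback cannot outlive the directory by months.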

#4 Marci

    Guy Thomas from Ossett School wrote a wrapper for Moodle's LDAP Auth called "LDAP Capture", which gives you a pair of variables containing the password (encrypted & decrypted) so that you can write it back to wherever you like: Moodle.org: Modules and plugins

    If you read its accompanying documentation there's a section in there on using it to pass credentials around using PHP... in either encrypted or decrypted form.

    But logic to me would say the better solution is to get a slave clone of the LDAP server for if the main server goes down...

    We authenticate against ALL our domain controllers, so we only need 1 of the 4 to be up and accessible and users will still get auth'd. If one fails, it just moves on to the next.

#5 Hightower

    Quote Originally Posted by Marci:
    We authenticate against ALL our domain controllers, so we only need 1 of the 4 to be up and accessible and users will still get auth'd. If one fails, it just moves on to the next.
    That's a better option - care to explain how this is achieved?

#6 gaz350

    If you have more than 1 DC, just separate the LDAP://address with ; for each server.


#7 Hightower

    I realised when I set Moodle up it was possible to set multiple contexts, but I never realised it did this. It has the text "To setup failover seperate multiple ldap addresses with ;".

    Just never noticed it before.

#8

    Hmm, so does that work for multiple RADIUS servers?

#9 Marci

    Nope...

    Clearly states you can add a list in the LDAP servers field, whereas RADIUS servers field refers to everything in the singular.

    First solution that I can think of is round-robin... use a DNS name in the RADIUS server field, then assign multiple IPs to the entry in DNS. Most DNS servers will then round-robin the target IP for the DNS entry. You then write a script automated via cron to run every 30 seconds (or whatever figure suits you) to check the up state of the required servers in your IP list, remove IPs from the list when they're detected as down, and re-add them when they're detected as up. The script would also need to restart the DNS service whenever an alteration was made.

    See http://en.wikipedia.org/wiki/Round_robin_DNS for an overview.

    Other alternative would be to find out what the PHP variable within moodle is for the RADIUS server, and add a step into the auth/radius/auth.php functions that checks a list of servers, and first one to reply gets set as the variable...
    Last edited by Marci; 25th January 2010 at 07:08 PM.
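An added example, not code from the thread or from Moodle, covering two things discussed above: the ";"-separated server list that posts #6 and #7 describe for Moodle's LDAP setting, and Marci's "first one to reply wins" idea. It parses such a list, then probes each entry in order with a TCP connect and returns the first that answers, which is the behaviour the thread attributes to Moodle's own failover. The URL forms accepted by the parser and the default ports 389/636 are assumptions; the loopback "up" and "down" servers are constructed for the demo. A plain TCP connect detects a host that is down or unreachable (the outage in the thread) but says nothing about whether the service will accept a bind, and it does not apply to RADIUS, which is UDP.

```python
"""Added example (not Moodle code): probe a ';'-separated server list in order
and return the first server that answers a TCP connect.
"""
import socket

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # assumed defaults per scheme


def parse_server_list(value: str):
    """Turn 'ldap://dc1;ldap://dc2:3268;ldaps://dc3' into [(host, port), ...].

    Assumes hostnames or IPv4 literals; bracketed IPv6 literals are not handled.
    """
    servers = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing ';' or doubled separators
        scheme, sep, rest = item.partition("://")
        if sep and scheme.lower() in DEFAULT_PORTS:
            port = DEFAULT_PORTS[scheme.lower()]
        else:
            rest, port = item, DEFAULT_PORTS["ldap"]
        host, sep, explicit = rest.rpartition(":")
        if sep and explicit.isdigit():
            port = int(explicit)  # an explicit host:port overrides the default
        else:
            host = rest
        servers.append((host, port))
    return servers


def first_responsive(servers, timeout: float = 1.0):
    """Try each (host, port) in order; return the first that accepts a TCP
    connection, or None when every server is down (an outage, not a bad password)."""
    for host, port in servers:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return (host, port)
        except OSError:
            continue  # refused, timed out or unresolvable: move on to the next
    return None


def local_listener() -> socket.socket:
    """Constructed 'up' server: a socket listening on loopback."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def local_dead_port() -> socket.socket:
    """Constructed 'down' server: bound but not listening, so connects are refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s


if __name__ == "__main__":
    up, down = local_listener(), local_dead_port()
    try:
        setting = "ldap://127.0.0.1:%d;ldap://127.0.0.1:%d" % (
            down.getsockname()[1], up.getsockname()[1])
        # The dead entry is listed first; the live one is what comes back.
        print(first_responsive(parse_server_list(setting), timeout=0.5))
    finally:
        up.close()
        down.close()
```

Keep the per-server timeout short: with the first entry down, every login waits out that timeout before the next server is tried, so a long value turns a partial outage into a slow login for everyone.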