Moodle SSO NTLM

There are several ways to do SSO; check the Moodle documentation on this matter: https://docs.moodle.org/311/en/NTLM_authentication

Also check the LDAP server authentication documentation: https://docs.moodle.org/311/en/LDAP_authentication

Installation and Configuration

The following describes the installation and configuration of the Kerberos authentication module for Apache (mod_auth_kerb) on a CentOS server.

Check this particular configuration in the Moodle documentation.

You can also check our documentation for using Kerberos on SGI

Install the packages: yum install krb5-server krb5-libs krb5-workstation mod_auth_kerb

Only krb5-libs, krb5-workstation and mod_auth_kerb are needed on the web server. krb5-server provides a KDC of its own, which is unnecessary when the Active Directory domain controller is the KDC, so it can be left out.

Installing krb5-libs creates /etc/krb5.conf. The keytab, /etc/krb5.keytab, is not created by the packages: it has to be populated with the key of the web server's HTTP/<fqdn> service principal, exported from the domain controller (for example with ktpass on Windows), and copied into place.

The krb5.conf file holds the Kerberos client configuration; open it and configure it accordingly. Something like this:

    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    # default_realm = EXAMPLE.COM
     default_realm = DOMAIN
     default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
    # EXAMPLE.COM = {
    #  kdc = kerberos.example.com
    #  admin_server = kerberos.example.com
    # }
     DOMAIN = {
      kdc = adserver.domain
      admin_server = adserver.domain
     }

    [domain_realm]
    # .example.com = EXAMPLE.COM
    # example.com = EXAMPLE.COM
     domain = DOMAIN
     .domain = DOMAIN

Be careful about letter case: realm names are case sensitive and are conventionally written in upper case (DOMAIN), while the hostnames under [domain_realm] are lower case.

The file krb5.keytab is a keytab: it contains pairs of Kerberos principals and their long-term secret keys, stored in the clear, so anyone who can read it can impersonate the web server's service principal. You will need this file for the Apache configuration.

The file must be readable by Apache, and by nobody else: chgrp apache /etc/krb5.keytab && chmod 640 /etc/krb5.keytab. Confirm that it holds the HTTP/ principal for this host with klist -kt /etc/krb5.keytab.

You can test the Kerberos configuration by running kinit and logging in with a valid domain account (kinit user@DOMAIN); if the login succeeds you should have a Kerberos ticket on the server, which you can check by running klist. To test the keytab itself rather than a user password, run kinit -k -t /etc/krb5.keytab HTTP/<fqdn>@DOMAIN.
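The checks above (realm spelling in krb5.conf, keytab permissions, the HTTP/ principal and its key version, kinit with the keytab) collected into one script, added here as an example; it is not part of the Moodle documentation or of any Moodle code. The hostname moodle.example.com, the realm DOMAIN and the file paths are assumptions, overridable through environment variables. The parsing functions take the text of klist -kt or krb5.conf as an argument so they can be exercised without a KDC; the live checks only run when KRBCHECK_RUN is set.

```shell
#!/bin/sh
# Added example, not from the Moodle docs: sanity checks for the Kerberos
# prerequisites of mod_auth_kerb. Host, realm and paths are assumptions.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
REALM="${REALM:-DOMAIN}"
HOSTFQDN="${HOSTFQDN:-moodle.example.com}"
KRB5CONF="${KRB5CONF:-/etc/krb5.conf}"

# The service principal mod_auth_kerb must find in the keytab for Negotiate.
service_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# default_realm from krb5.conf text ($1), ignoring commented-out lines such as
# "# default_realm = EXAMPLE.COM" that the stock file contains. First
# uncommented occurrence wins, as in the MIT profile parser.
default_realm_of() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Realm names are case sensitive and must be written in upper case.
realm_is_uppercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Does `klist -kt` output ($1) list principal $2? Exact match on the last
# column, so HTTP/a@DOMAIN does not match HTTP/a@DOMAIN2.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# Key version number of the last entry for principal $2 in `klist -kt` output
# ($1). When AD rotates the account password the KVNO on the KDC moves on and
# tickets fail with "Key version number for principal in key table is incorrect".
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { k = $1 } END { if (k != "") print k }'
}

# The keytab holds long-term keys in the clear: root plus the apache group
# may read it, nobody else. $1 is the octal mode as printed by stat -c %a.
keytab_mode_ok() {
    case "$1" in
        640|600|440|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks against the real files and the KDC.
run_checks() {
    realm=$(default_realm_of "$(cat "$KRB5CONF")")
    realm_is_uppercase "$realm" || { echo "default_realm '$realm' missing or not upper case"; return 1; }
    mode=$(stat -c %a "$KEYTAB")
    keytab_mode_ok "$mode" || { echo "$KEYTAB mode $mode is too open, use chmod 640"; return 1; }
    princ=$(service_principal "$HOSTFQDN" "$realm")
    out=$(klist -kt "$KEYTAB")
    keytab_has_principal "$out" "$princ" || { echo "$princ not in $KEYTAB"; return 1; }
    echo "found $princ, KVNO $(keytab_kvno "$out" "$princ")"
    # Prove the stored key is accepted by the KDC: get a TGT with the keytab,
    # not a user's password, then discard it so no cache lingers as root.
    kinit -k -t "$KEYTAB" "$princ" && klist && kdestroy
}

if [ -n "${KRBCHECK_RUN:-}" ]; then
    run_checks
fi
```

Run it on the web server as root with KRBCHECK_RUN=1 HOSTFQDN=<fqdn> sh krbcheck.sh; a KVNO that differs from what the domain controller reports for the account means the keytab has to be re-exported.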

Apache configuration

Open the Moodle Apache configuration and add the following. Only auth/ldap/ntlmsso_magic.php needs Kerberos protection; the rest of the site stays anonymous to Apache and Moodle takes over the session from there.

    <Directory /path/to/moodle/auth/ldap/>
        <Files ntlmsso_magic.php>
            AuthName "Moodle"
            AuthType Kerberos
            # Realm the authenticated principal must belong to
            KrbAuthRealms DOMAIN
            # Accept any service principal present in the keytab; use
            # "KrbServiceName HTTP" to pin it to the HTTP/<fqdn> key
            KrbServiceName Any
            Krb5Keytab /etc/krb5.keytab
            # SPNEGO/Negotiate: the browser presents a Kerberos ticket
            KrbMethodNegotiate on
            # Fallback for clients without a ticket: Basic auth, password
            # verified against the KDC. The password reaches Apache in the
            # request, so this must only be served over HTTPS.
            KrbMethodK5Passwd on
            # Do not fall through to other authentication modules on failure
            KrbAuthoritative on
            Require valid-user
        </Files>
    </Directory>

mod_auth_kerb is the module shipped with CentOS 7. It is no longer packaged for RHEL/CentOS 8 and later, where mod_auth_gssapi is the replacement and the directive names differ.

Moodle configuration

Go to Site administration > Plugins > Authentication > LDAP server and configure the NTLM SSO section:

    Field                     Value
    Enable                    Yes
    Subnet                    The client subnets whose browsers should attempt SSO; clients outside them get the normal login form. To allow any client enter 0.0.0.0/0. Do not leave the field blank.
    MS IE fast path?          Default
    Authentication type       Kerberos
    Remote username format    Leave blank

The version of the LDAP server plugin in use has a bug that does not let you log out: the logout redirects to the login page, where NTLM SSO fires again and signs the user straight back in. The workaround is to edit /path/to/moodle/auth/ldap/auth.php and add the following method to the auth_plugin_ldap class. It sends the logged-out user to the login page with authldap_skipntlmsso=1, the parameter the plugin's login page hook checks before attempting SSO:

    /**
     * Called by Moodle on logout. Override the post-logout redirect so the
     * login page does not immediately start NTLM SSO again.
     */
    public function logoutpage_hook() {
        global $redirect;
        if (!empty($this->config->ntlmsso_enabled)) {
            $redirect = get_login_url() . '?authldap_skipntlmsso=1';
        }
    }
