active directory/samba ldap login

Hi there,
Our school is investigating Gibbon. We are using a Samba 4 Active Directory server. For teachers, we'd like to have them log in using the same username/password from Samba.

I am wondering whether it's possible to use the LDAP PHP module to write a Gibbon module so that it would query the Samba server when a user logs in, and create a teacher account using info from AD (if the user does not already exist).

I found the following, which shows basically what I want to do:
https://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/

Could you give me some pointers on whether this is possible and how I should try to implement this, please?

Thanks

Comments

  • More specifically, I'd like to know whether it's possible to create a module which would add this kind of AD/Samba login support.
  • Great question. This is something that @george worked on at last year's Hackathon, and then backed off. I wonder if he can tell us what went wrong.

    One approach, which is module based, would be to create a "headless" module (like the Moodle one) which does not appear in any menus, and has no permissions, but which includes a CLI script that periodically syncs from LDAP. Another approach would be to add an option to the Third Party Settings section of Admin > System Admin in order to enable this to happen.

    Is this something you think you might be able to code up?

    Ross
  • Yes, I can do the development.

    I don't think a sync with LDAP is necessary. What I am thinking is: when a teacher logs in using LDAP, we will query AD to see whether the user is valid; if so, check whether the user is already present in Gibbon; if not, query user info from AD and create such a user. (No periodic sync is needed.)

    I tend to think this module should provide a UI, probably a link on the login page. When a user clicks this link, they will see a form to fill in with username/password, and upon submission of this form, the AD module would query LDAP and do the procedure outlined in the first paragraph.

    Alternatively, this module could add a checkbox to the existing login form, and if this checkbox is checked, the module will handle the form submission and follow the procedure in the first paragraph.

    I am also open to just modifying the core to add this AD login support (if you are open to accepting that).
  • I think modifying the core would be easier, and your approach sounds great. Do you have a github.com username? If so, I can add you to the team so you can push code to use for testing and merging, as and when you feel you have things ready.

    Thanks : )
  • I do have a github.com username (I was posting some comments there too); it's liucougar.

    Could you point me to which file I should try to modify, please?
  • That is right, we did communicate via GitHub. I have added you to the relevant team in the Gibbon Core repository.

    I would start by looking to add the relevant server setting fields to Third Party Settings in Admin > System Admin, and then look at the login.php script to read these settings and decide whom to authenticate against the LDAP server and whom to authenticate against gibbonPerson.

    Settings are stored in the database and can be created in CHANGEDB.php. Plenty of examples in there to follow.

    Good luck!
  • It's been a while and I kind of lost track of Gibbon and the progress of this project. Is there any news on Gibbon getting LDAP/AD support?
    I wasn't able to find anything on GitHub that points in that direction...
    Still looking for a good open-source student management tool, and Gibbon might do the trick _if_ it was possible to authenticate against LDAP and/or AD.
  • Hi Robb, welcome back, and sorry to say no progress has been made on this. Our core team have been busy on a massive codebase refactor, and so no time to pursue anything like this. I think that if it happens it will have to come from the community. We'd happily test and integrate. Thanks, Ross.
  • Hi Ross,
    Maybe I can initiate some effort to get some kind of sync mechanism realized. Is there a (documented) API that makes it possible to import user information from any kind of source in Gibbon?
    Or maybe even an option to import users from a CSV file? Maybe we can come to some kind of export from Active Directory or LDAP and import that into Gibbon?
  • Hi Ross,
    I was just thinking... You say that there is a feature to import Gibbon users into Moodle. My question is: would it be possible to have that the other way around, i.e. let Gibbon import users from Moodle?
    Moodle is AD/LDAP aware and imports the users in the local user database with an option to sync every so many times.
    If Moodle has the userbase, it would be great if Gibbon gets them from Moodle.... Would that be an option to start from?
  • On the other hand, there is a php-ldap module available. I am far from a dev and have no idea what it would take to add that to Gibbon...
  • @admin @sandra: could you share some info on how user management is done in Gibbon? How could I start working towards an external user database (either AD, Samba4 or OpenLDAP)?
  • Hi Robb, thanks for your posts and willingness to get involved, and apologies for the delay in replying.

    The Moodle module creates a set of MySQL views (like fake tables, which can be created from a range of real tables, giving lots of flexibility) which present Moodle with the data in the form it needs. There is no reason something like this could not work in reverse, but it can be a challenge syncing passwords, as Gibbon and Moodle use different standards.

    The two options I would consider are adjusting Gibbon's login method to be able to check for users on an LDAP server on log in. This would be nice, but would present problems in terms of Gibbon not knowing who all the users are until they sign in one by one. Another would be to have a nightly cron script that uses php-ldap to suck in and sync all of the users from a specified LDAP server. Of course, these two could be combined into a complete solution, time permitting.

    The difficulty will be finding a coder with the time, interest and skills to take this on. We simply don't have the manpower at this time, I'm afraid... even though it is a feature we would definitely value.

    Cheers,

    Ross
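
The check-on-login flow that the original post and Ross's first option describe, as an added example with php-ldap (not Gibbon's code, and not posted by anyone in the thread): bind as the user against Samba AD, then read the attributes a new local account would need. The server URI, base DN, UPN suffix and the teachers group DN are assumed placeholders.

```php
<?php
// Added example, not Gibbon code: check-on-login against Samba AD with php-ldap.
// Assumed placeholders: server URI, base DN, UPN suffix, teachers group DN.
declare(strict_types=1);
const AD_URI      = 'ldaps://dc1.example.school';                  // assumed; LDAPS keeps the password off the wire
const AD_BASE_DN  = 'DC=example,DC=school';                        // assumed
const AD_UPN      = 'example.school';                              // assumed
const TEACHER_GRP = 'cn=teachers,ou=groups,dc=example,dc=school';  // assumed, lower-cased for comparison

// Returns the attributes a new gibbonPerson row would need, or null if AD rejects the login.
function adAuthenticate(string $username, string $password): ?array
{
    // AD answers an empty password with a successful anonymous bind, so reject
    // it (and unexpected usernames) before ldap_bind() is ever reached.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    $ldap = ldap_connect(AD_URI);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Bind as the user in UPN form; this is where AD verifies the password.
    if (!@ldap_bind($ldap, $username . '@' . AD_UPN, $password)) {
        ldap_unbind($ldap);
        return null;
    }
    // Escape before building the filter so the username cannot alter the query.
    $safe    = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter  = "(&(objectClass=user)(sAMAccountName=$safe))";
    $result  = ldap_search($ldap, AD_BASE_DN, $filter, ['givenName', 'sn', 'mail', 'memberOf']);
    $entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
    ldap_unbind($ldap);
    if ($entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0];
    $groups = [];
    for ($i = 0; $i < ($e['memberof']['count'] ?? 0); $i++) {
        $groups[] = strtolower($e['memberof'][$i]);
    }
    return [
        'username'  => $username,
        'firstName' => $e['givenname'][0] ?? '',
        'surname'   => $e['sn'][0] ?? '',
        'email'     => $e['mail'][0] ?? '',
        // A valid domain login alone must not create a staff account:
        // the caller provisions only when this is true.
        'isTeacher' => in_array(TEACHER_GRP, $groups, true),
    ];
}
```

The caller (login.php in Ross's sketch) would then look up gibbonPerson by username and insert a row only when none exists and isTeacher is true; a login that binds but is outside the teachers group is refused rather than provisioned.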