** Tags removed: mahara-eduforge-bug

** Description changed:

  An example situation: Two Moodles are SSOing into Mahara. They are both
  set up as XMLRPC with an LDAP parent.
  
  This breaks when each Moodle has a user of the same username. For
  example aaron. Because one is given the name 'aaron' when they SSO in,
  and the other is given the name 'aaron1' - which will never work for the
  parent authentication, as it doesn't know about an 'aaron1' user.
  
  Therefore, that means either:
  
  1. Only one of the xmlrpc authinstances can have a given LDAP server as 
parent authentication, across all institutions in Mahara, or
  2. Usernames would have to be unique across BOTH Moodles, to prevent this 
situation occuring, or
  3. You need to turn on the usersuniquebyusername configuration setting - 
which assumes that users with the same name in different moodles are the same 
person and thus SSO into the same Mahara account.
  
  There's no other way around this, as far as I can see.
  
  The upshot of this is:
  
-     You can't use two parent authentication instances that will answer
+     You can't use two parent authentication instances that will answer
  for the same username, unless they're actually the same person in the
  remote applications. And if that is the case, you have to turn on
  "usersuniquebyusername". If that is not the case, then the XMLRPC
  authinstances can't really have parents - users have to sign in through
  SSO.
  
-     If you're only MNETting with one moodle, then the authinstance can
+     If you're only MNETting with one moodle, then the authinstance can
  safely have a parent.
  
  Richard suggests that we could somehow display to people in Mahara their
  username (perhaps on first login, sent to them by e-mail and in the
  profile sideblock), which _might_ work as long as we use the
  auth_remote_user table to look up what their username in the parent
  authinstance actually is when trying to sign them on. But it also relies
  on users understanding when they are using the Mahara login form instead
  of the Moodle one, and thus that they should use the correct username.
  
  So, in short, this bug is about:
  
  * Do we change the admin UI somehow based on these limitations? I.e.
  only allow one authinstance to have a parent unless
  usersuniquebyusername is on/the admin is given a warning about having
  more than one parent?
  
  * Do we tell users their username in Mahara so they can log in there?
  
  Low prio cos I don't think an answer is needed right now, but at least
  the problem is documented while I have it all in my head :)
- 
- This bug was imported from eduforge.org, see:
- 
https://eduforge.org/tracker/index.php?func=detail&aid=2656&group_id=176&atid=739

https://bugs.launchpad.net/bugs/548061

Title:
  Multiple authinstances with parents - potentially needs UI work.

Status in Mahara ePortfolio:
  Triaged

Bug description:
  An example situation: Two Moodles are SSOing into Mahara. They are
  both set up as XMLRPC with an LDAP parent.

  This breaks when each Moodle has a user of the same username. For
  example aaron. Because one is given the name 'aaron' when they SSO in,
  and the other is given the name 'aaron1' - which will never work for
  the parent authentication, as it doesn't know about an 'aaron1' user.

  Therefore, that means either:

  1. Only one of the xmlrpc authinstances can have a given LDAP server as
     parent authentication, across all institutions in Mahara, or
  2. Usernames would have to be unique across BOTH Moodles, to prevent this
     situation occurring, or
  3. You need to turn on the usersuniquebyusername configuration setting -
     which assumes that users with the same name in different moodles are the
     same person and thus SSO into the same Mahara account.

  There's no other way around this, as far as I can see.

  The upshot of this is:

      You can't use two parent authentication instances that will answer
  for the same username, unless they're actually the same person in the
  remote applications. And if that is the case, you have to turn on
  "usersuniquebyusername". If that is not the case, then the XMLRPC
  authinstances can't really have parents - users have to sign in
  through SSO.

      If you're only MNETting with one moodle, then the authinstance can
  safely have a parent.

  Richard suggests that we could somehow display to people in Mahara
  their username (perhaps on first login, sent to them by e-mail and in
  the profile sideblock), which _might_ work as long as we use the
  auth_remote_user table to look up what their username in the parent
  authinstance actually is when trying to sign them on. But it also
  relies on users understanding when they are using the Mahara login
  form instead of the Moodle one, and thus that they should use the
  correct username.

  So, in short, this bug is about:

  * Do we change the admin UI somehow based on these limitations? I.e.
  only allow one authinstance to have a parent unless
  usersuniquebyusername is on/the admin is given a warning about having
  more than one parent?

  * Do we tell users their username in Mahara so they can log in there?

  Low prio cos I don't think an answer is needed right now, but at least
  the problem is documented while I have it all in my head :)
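
The collision described in this report, as an added example that is not part of the original bug report and is not Mahara code: a toy model of SSO username allocation, the parent lookup that fails for 'aaron1', the auth_remote_user-style translation, and the admin warning check the report asks about. All class, function and instance names (`Mahara`, `moodle_a`, `ldap1`, and so on) are hypothetical.

```python
# Toy model (constructed for illustration; not Mahara's implementation).
from collections import Counter

LDAP_USERS = {"aaron"}  # constructed contents of the shared LDAP parent

class Mahara:
    def __init__(self, usersuniquebyusername=False):
        self.unique = usersuniquebyusername
        self.accounts = set()   # local Mahara usernames
        self.remote = {}        # (authinstance, remote name) -> local name,
                                # standing in for the auth_remote_user table

    def sso_login(self, instance, remote_name):
        key = (instance, remote_name)
        if key in self.remote:
            return self.remote[key]
        if self.unique and remote_name in self.accounts:
            local = remote_name             # same name treated as same person
        else:
            local, n = remote_name, 0
            while local in self.accounts:   # collision: aaron -> aaron1
                n += 1
                local = f"{remote_name}{n}"
            self.accounts.add(local)
        self.remote[key] = local
        return local

    def parent_name_naive(self, local):
        # The login form hands the Mahara username straight to the parent.
        return local

    def parent_name_via_remote_table(self, instance, local):
        # Translate back to the remote username before asking the parent.
        for (inst, remote_name), loc in self.remote.items():
            if inst == instance and loc == local:
                return remote_name
        return None

def parents_needing_warning(authinstances, usersuniquebyusername):
    """authinstances maps name -> parent (or None); returns shared parents."""
    if usersuniquebyusername:
        return []
    counts = Counter(p for p in authinstances.values() if p)
    return sorted(p for p, c in counts.items() if c > 1)
```
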
