WeBWorK Main Forum

LTI and LDAP together ??

by Lars Jensen -
Number of replies: 7
Dear Colleagues,

We have been unable to make LDAP work together with LTI authentication. Is it possible on webwork to make both work?

With authen_ldap disabled in localOverrides.conf, and authen_LTI configured and enabled, students can properly login through the LMS to webwork and accounts are correctly created in webwork.

and conversely....

With authen_LTI disabled in localOverrides.conf, and authen_ldap configured and enabled and student accounts pre-created, students can properly login to webwork from the regular webwork login page.

But if we configure and enable both authen_ldap and authen_LTI, student login breaks and they can no longer login through the LMS....

Lars.
In reply to Lars Jensen

Re: LTI and LDAP together ??

by Nathan Wallach -
It is supposed to be possible. In the Wiki there are instructions for using both together. See the item about "LDAP Logins" in the section Additional Authentication Setups. The instructions require making small changes to both config files. (I did not test this.)

Nathan
In reply to Lars Jensen

Re: LTI and LDAP together ??

by Andras Balogh -
I think I had the same problem because I did not understand how the different authentication configurations follow/overwrite each other:
http://webwork.maa.org/moodle/mod/forum/discuss.php?d=4098

In our localOverrides.conf we have
include("conf/authen_LTI.conf");
include("conf/authen_ldap.conf");

and also

$authen{user_module} = [
{ "*" => "WeBWorK::Authen::LTIAdvanced", }, #preferred authorization method
{ "*" => "WeBWorK::Authen::LDAP",}, #fallback authorization method 1
{ "*" => "WeBWorK::Authen::Basic_TheLastOption",} #fallback authorization method 2
];

Andras
In reply to Lars Jensen

Re: LTI and LDAP together ??

by Lars Jensen -
Hi Nathan and Andras,

Your reply and the link to the Additional Authentication Setup helped me get this working. Thanks!

An alternate, but less flexible setup I discovered while working on this, is to use LTI authentication on a course-by-course basis. This can be done by using the standard configuration of authen_LTI.conf and of authen_ldap.conf, and then using

#include("conf/authen_LTI.conf"); #disabled
include("conf/authen_ldap.conf"); #enabled

in localOverrides.conf. This will make LDAP authentication the default authentication for a course. For courses where the instructor wants students to authenticate via the LMS the instructor can simply add

include("conf/authen_LTI.conf");

to their course.conf.

Lars.
In reply to Lars Jensen

Re: LTI and LDAP together ??

by Lars Jensen -
Hi again,

One issue I encountered in setting up LDAP+LTI as described in the Additional Authentication Setup, is with the username assignment by the LMS into webwork.

We use Active Directory, which doesn't care about case. In webwork the case of usernames matters. Students who login to the LMS can use any upper/lowercase combination and AD will let them in. If LDAP+LTI is enabled together, a student typically won't know what case combination of their username has been transferred to webwork, and hence is unlikely to be able to login to webwork through the webwork login page. This could be taken care of if we had an all lower case option of the username, something like:

$preferred_source_of_username = "lis_person_contact_email_primary_lowercase";

Can we possibly get a lis_person_contact_email_primary_lowercase option included with the LTI setup?

Then one can at least tell students, and perhaps more importantly instructors, who often already have a webwork login, to use all lower case when logging in from the webwork login page.

Lars.
In reply to Lars Jensen

Re: LTI and LDAP together ??

by Danny Glin -
The $preferred_source_of_username variable has to be set to an attribute that is sent by your LMS. WeBWorK has no control over what information it receives from the LMS, so the code is written to simply allow you to name which parameter should be used as the user ID.

Unfortunately the different LMSs are not consistent about what information they send, and what the parameters are named. The only one that seems to be pretty consistent is that the email is sent as "lis_person_contact_email_primary". I know in D2L I can view a sample LTI request which shows me all of the parameters it is sending and their corresponding values. If your LMS allows something similar then you can check to see if an all lowercase version of the email is sent under a different parameter.

An alternative would be to edit the LTI authentication code in WeBWorK and have it convert the email address to all lowercase once it gets it from the LTI request. I would expect this to be a one-line change to the code.
In reply to Lars Jensen

Re: LTI and LDAP together ??

by Nathan Wallach -
I'm not sure that modifying the string from LTI is wise, but if it is done, it would need to be done in a manner where the change is made after the LTI authentication is verified (on untampered data) and done in a manner so that all further use of the string will use the version forced into the desired all-lowercase format.

It might be far simpler to just send an automatic email when a new account is created via LTI listing the case-sensitive version of the email sent by the LMS and used as the local WW login name.

The Automatic Student Account Management section of the same Wiki page mentions that there is a hook for a function called $LTI_modify_user which can be set in authen_LTI.conf (or probably at the course level in course.conf) and used to modify a user account LTI is about to create before it is created. I would guess that that is the best place to convert the desired string to all lowercase for account creation (but other code in the main LTI Perl files would also need modifications). This local function is also probably a reasonable location to trigger an automatic email notice as suggested above.

See also the comment to turn off $LMSManageUserData if a $LTI_modify_user local subroutine is used to modify the raw LMS user data.
In reply to Nathan Wallach

Re: LTI and LDAP together ??

by Danny Glin -
This would not be modifying the string from LTI. The first thing WW does is authenticate the package passed from LTI. Once the package is confirmed WW is free to use that information however it is needed. For example, there is an option for WW to strip the domain off the email address and use that as the username. It wouldn't be hard to add another option to force the email address to be lowercase.

I don't know that using $LTI_modify_user would work in this scenario. I believe it could be used to force the username to be stored in WW in lowercase, but will this cause LTI authentication to fail next time since the username won't match what the LMS is sending?
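
Added example, not part of any post above and not WeBWorK code: a Python model of the ordering discussed in the last three posts, assuming an LTI 1.1-style launch signed with OAuth 1.0 HMAC-SHA1. The signature is checked over the parameters exactly as received, and only then is the email lowercased for use as the local login name. The URL, secret, parameter values and function names are constructed for illustration, and nonce/timestamp replay checks are left out.

```python
import base64, hashlib, hmac
from urllib.parse import quote

EMAIL_FIELD = "lis_person_contact_email_primary"
# Constructed sample values, not taken from any real installation.
URL, SECRET = "https://webwork.example.edu/webwork2/Math101", "constructed-secret"

def _enc(value):
    return quote(str(value), safe="-._~")  # RFC 3986 unreserved characters only

def oauth_signature(method, url, params, secret):
    """OAuth 1.0 HMAC-SHA1 signature over the request (no token secret)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = (_enc(secret) + "&").encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_launch(params, secret=SECRET):
    expected = oauth_signature("POST", URL, params, secret)
    supplied = params.get("oauth_signature", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())

def username_from_launch(params):
    """Verify the parameters as received, then derive the local login name."""
    if not verify_launch(params):
        raise PermissionError("LTI signature check failed")
    return params[EMAIL_FIELD].lower()  # canonical form used for every lookup

def lowercase_then_verify(params):
    """Wrong order: changing a signed value first makes the check fail."""
    altered = dict(params, **{EMAIL_FIELD: params[EMAIL_FIELD].lower()})
    return verify_launch(altered)

def make_launch(email):
    """Build a signed launch the way an LMS would (constructed test data)."""
    p = {"oauth_consumer_key": "lms", "oauth_nonce": "n1",
         "oauth_timestamp": "1700000000", "oauth_version": "1.0",
         "oauth_signature_method": "HMAC-SHA1", EMAIL_FIELD: email}
    p["oauth_signature"] = oauth_signature("POST", URL, p, SECRET)
    return p

if __name__ == "__main__":
    first = make_launch("Jane.Doe@Example.edu")
    later = make_launch("JANE.DOE@example.edu")
    print(username_from_launch(first), username_from_launch(later))
    print("lowercase before verify accepted:", lowercase_then_verify(first))
```

In this model the lowercase form is derived again on every launch, so a later launch that sends different capitalization still resolves to the same stored name.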