As I mentioned in another post, my system administrator and I configured LTI, WebWork, and Moodle to work together today. The other post talks about how we configured LTI to work (spoiler alert: use https, not http in configuration files and URLs, and follow Geoff Goehle's LTI-Advanced documentation and LTI-Advanced grading documentation). In this post, I would like to talk about getting LTI and LDAP to work together.
Here's the tl;dr version:
Copy the code block below into your authen_LTI.conf file (overwriting the existing $authen{user_module} lines) and set $external_auth = 0.
Here's the long version:
In our case, we had previously been using LDAP authentication for our WebWork server, so the LDAP setup was already done (and I won't address it here). To get LTI and LDAP to play nicely with each other, we needed to add WeBWorK::Authen::LDAP as the middle item in $authen{user_module} in the authen_LTI.conf file:

    $authen{user_module} = [
        { "*" => "WeBWorK::Authen::LTIAdvanced", },         # preferred authorization method
        { "*" => "WeBWorK::Authen::LDAP", },                # fallback authorization method 1
        { "*" => "WeBWorK::Authen::Basic_TheLastOption", }  # fallback authorization method 2
    ];

The scalar $external_auth in the file authen_LTI.conf controls what happens when both the LTIAdvanced and LDAP authentication methods have failed to log in to WebWork, and thus the fallback method Basic_TheLastOption has been reached. Setting $external_auth = 1 requires WebWork to use external authentication. If $external_auth = 0 and the authentication method is Basic_TheLastOption, then a WebWork login screen will appear and people can log in to WebWork manually by typing in their username and password. When $external_auth = 1 and the authentication method is Basic_TheLastOption, then in place of a login screen, the users are given a short message that says they need to go somewhere else to log in (I forget the specific message, but it is cryptic and unhelpful). So, $external_auth = 0 is a good fallback to have if you want students to be able to log in to WebWork directly. But, there's a potential problem with this -- if the user account was created by the LMS (Moodle, Blackboard, or Canvas), then the WebWork database has no passwords in it since the authentication is being done outside of WebWork! So, your users might get a WebWork login screen, but not be able to log in because their password is not in WebWork's database!
So, what to do -- should $external_auth be 0 or 1? I would say that if you do not have LDAP configured, then set $external_auth = 1 (freeze out users since they don't have a password in WebWork's database). If you do have LDAP configured, then set $external_auth = 0 so that if a user tries to log in at a WebWork login screen, the LTIAdvanced authentication will fail, but the LDAP authentication will succeed (and Basic_TheLastOption will not be reached), so the user will be able to log in.
Thank you to Geoff Goehle for all of his hard work on WebWork 2.12 and, in particular, getting LTI to work. Also, thanks to Geoff for the WebWork IRC chat that helped us get LTI, Moodle, and WebWork to work together today on our server!
Take care,
Paul Pearson