Josh,

Yes, this is indeed something that I plan to contribute, including the Moodle block. Part of this makes extensive use of the affilValFunc, addUserFunc, and updateUserFunc hooks in conf.php, and I would also like to write up some documentation on how one might implement something of this sort. There isn't any other documentation on these hooks (e.g. what they are and how they work), and they are, in fact, quite useful!
Aaron

--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
[email protected]

On Aug 7, 2012, at 9:54 AM, Josh Thompson wrote:

> Aaron,
>
> I have a memory of somewhere this could have caused a problem, but I can't find anything. I think it was related to determining which skin to display. That code has changed. I looked everywhere $authMechs is used and could not find somewhere that would be a problem. So, I think it is fine to do what you have described.
>
> This sounds like it could be useful to others. Is it something you can contribute?
>
> Josh
>
> On Monday, August 06, 2012 5:54:42 PM Aaron Coburn wrote:
>
>> When setting up VCL affiliations to use Shibboleth authentication, the conf.php file instructs an admin to set the affiliationid value to zero. For example:
>>
>>     $authMechs = array(
>>         ...
>>         "My Shib Affiliation" => array(
>>             "type" => "redirect",
>>             "URL" => "...",
>>             "affiliationid" => 0),
>>     );
>>
>> Even though, for instance, the corresponding `vcl.affiliation.id` value in the database is some positive integer.
>>
>> In looking through the code, it seems that the only purpose this serves is to block access to the XMLRPC interface: in the utils.php:checkAccess() function (lines 360-365), the loop that compares the $user['affiliationid'] with $authmech['affiliationid'] will never find a match, and so the request is aborted at that point.
>>
>> My interest, however, is precisely to provide access to the XMLRPC interface *on behalf* of shibboleth users. The key point here is *on behalf of*, since neither the VCL nor the application using the remote API knows anything about a user's actual password. The use case is a Moodle block that makes use of this remote API.
>>
>> Using version 2.3, and with minimal modification to utils.php, I am able to allow an admin to define a "proxy authentication handler" in conf.php, limiting access only to certain "trusted" servers and requiring a particular authentication token. This structure, however, depends on configuring $authMechs with the proper "affiliationid" value.
>>
>> My question, though, is whether setting a "correct" affiliationid in conf.php has implications that I haven't considered.
>>
>> Thanks,
>> Aaron
>>
>> --
>> Aaron Coburn
>> Systems Administrator and Programmer
>> Academic Technology Services, Amherst College
>> [email protected]
>
> --
> -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
> my GPG/PGP key can be found at pgp.mit.edu
>
> All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
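The affiliation check and the "proxy authentication handler" that the thread describes, modelled as a stand-alone PHP script. This is an added example, not code from VCL, from Aaron's modification, or from conf.php: the array shape mirrors the $authMechs entry quoted above, but the "proxy" type, the "trustedHosts" and "token" keys, the host and token values, and the function names are assumptions made for illustration.

```php
<?php
// Added example (not VCL code): a stand-alone model of the affiliation check
// and of a "proxy authentication handler" as described in the thread. The
// "proxy" type, the "trustedHosts"/"token" keys, the host and token values and
// the function names are assumptions made for illustration.

// Constructed sample config, in the shape of the $authMechs array in conf.php.
$authMechs = array(
    // Configured the way conf.php instructs for Shibboleth: affiliationid 0
    // never equals a real vcl.affiliation.id, so the check below never matches.
    "My Shib Affiliation" => array(
        "type" => "redirect",
        "URL" => "https://idp.example.edu/shibboleth",   // placeholder value
        "affiliationid" => 0),
    // Hypothetical proxy handler: a trusted server presents a shared token and
    // calls the XMLRPC interface on behalf of users of affiliation 3.
    "Moodle Proxy" => array(
        "type" => "proxy",
        "affiliationid" => 3,
        "trustedHosts" => array("192.0.2.10"),           // documentation-range address
        "token" => "replace-with-a-long-random-secret"),
);

// Models the loop in utils.php:checkAccess() that the thread describes: the
// request proceeds only if some entry's affiliationid equals the user's.
// Returns the matching entry name, or null when nothing matches. The int type
// hint plus === avoids PHP's loose `0 == "string"` comparison, which on older
// PHP would let a non-numeric user value match the Shibboleth entry.
function affiliationMatches(array $authMechs, int $userAffiliationId) {
    foreach ($authMechs as $name => $authmech) {
        if ($authmech['affiliationid'] === $userAffiliationId) {
            return $name;
        }
    }
    return null;
}

// Hypothetical access decision for a proxy entry: the caller must be one of
// the configured trusted hosts and must present the configured token.
// hash_equals() compares in constant time so timing does not leak the token.
function proxyAllowed(array $authmech, string $remoteAddr, string $presentedToken): bool {
    if (($authmech['type'] ?? '') !== 'proxy') {
        return false;
    }
    if (!in_array($remoteAddr, $authmech['trustedHosts'], true)) {
        return false;
    }
    return hash_equals($authmech['token'], $presentedToken);
}

// Combined decision: find the user's affiliation entry, then, for a proxy
// entry, apply the host and token checks. Returns a short reason string.
function xmlrpcDecision(array $authMechs, int $userAffiliationId, string $remoteAddr, string $token): string {
    $name = affiliationMatches($authMechs, $userAffiliationId);
    if ($name === null) {
        return "denied: no authMech with affiliationid $userAffiliationId";
    }
    $mech = $authMechs[$name];
    if ($mech['type'] === 'proxy') {
        return proxyAllowed($mech, $remoteAddr, $token)
            ? "allowed via proxy handler '$name'"
            : "denied: untrusted host or bad token for '$name'";
    }
    return "allowed via '$name'";
}

// Walk-through with constructed inputs.
// 1. A Shibboleth user whose DB affiliation id is 2: the entry says 0, so no match.
echo xmlrpcDecision($authMechs, 2, "192.0.2.10", "replace-with-a-long-random-secret"), "\n";
// 2. Affiliation 3 from the trusted Moodle host with the right token: allowed.
echo xmlrpcDecision($authMechs, 3, "192.0.2.10", "replace-with-a-long-random-secret"), "\n";
// 3. Same affiliation and token from an unlisted host: denied.
echo xmlrpcDecision($authMechs, 3, "198.51.100.7", "replace-with-a-long-random-secret"), "\n";
// 4. Trusted host, wrong token: denied.
echo xmlrpcDecision($authMechs, 3, "192.0.2.10", "guess"), "\n";
```

Two caveats for anyone building the real thing. The remote address is only as trustworthy as the network path: behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy and any X-Forwarded-For header is attacker-supplied, so the host allow-list is defence in depth and the token (sent over TLS) is the actual authentication. And because the proxy entry must carry the real affiliationid for the loop to match, every user of that affiliation is now reachable through the proxy; the trusted server is acting with the authority of all of them, so its token deserves the same protection as an admin password.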
