Authentication

Overview - Authentication

Are you sure you want to remove this component?

Schoolbox's security is not complex, but is secure.

  1. User arrives at Schoolbox and we check for a valid cookie.  This is checked against the session key and expiry time.  The user must provide a session key when they arrive if not we send them through the authentication process. 
  2. If no valid session is found the user is sent to the login form to provide a username and password, in the case of SAML this is normally external to us.
  3. The user submits credentials and we then proceed to validate those credentials.  Firstly we check the username and password against LDAP by searching for the users DN, then attempting to bind to that DN.  If not successful we check the username and password against the schoolbox database.  If these all fail the user is returned to the login screen with a Invalid Credentials error.  
  4. If the credentials are successfully validated, we create a session cookie, assign it a unique key, store it in the server memory and tell the user the key.  The user is then forwarded to the homepage.


With SAML disabled there really is only two ways to authenticate, either the user is found in LDAP or the user is found in Schoolbox.

Occasionally there can be issues with authenticating, these are usually related to;

  • There could be a problem if the usernames are similar the system may not be able to determine the correct user.  So for example You may have a student ssmith and a teacher ssmith.  In AD they are in different contexts so it allows them to have the same username, but in Schoolbox you cannot have two people with the same username.  It will then authenticate you with the first user of that name it finds.  It may also find the other user in AD thus allowing the password authentication to succeed.  All this is pretty rare though. 

 

  • We have heavy caching on the mobile system, to reduce data transfers.  This includes information that is related to a session.  So it is possible that if a user earlier logged in on a mobile device, it would have traces of that users session on the device, long after its use.  Generally this is not an issue as a mobile is a personal device so caching sensitive session information is sort of expected.  But other than that, mobile uses the same authentication routines as the rest of the system and the above points apply.

 

  • Proxy issues - It is entirely possible that something outside of Schoolbox has played with the transactions.  A proxy may just replies with content its cached for the student, even though it should be responding with fresh non-cached content for the staff member  (i am going to investigate the headers we append to ensure we are telling the proxies the correct caching information ie do not cache, we might be lax on this due to the need to allow mobiles to cache as much as possible).


Alternatively a proxy or NAT firewall may get confused and return the wrong data.  So for example, two users logging in at the same time, if the server responses with the session keys are swapped you could end up with another users session key.

LDAP

Are you sure you want to remove this component?

How it works

The LDAP Integration process enables passwords to be stored centrally in an existing user directory. When a user logs on, Schoolbox will first bind and search for the user in the LDAP tree. Upon finding the users CN the system will attempt to rebind to the LDAP server with the users CN and password. Currrently the user must exist in Schoolbox before they can login to the system, just adding the user into LDAP is not enough for the user to login to Schoolbox.

 

Compatibility

LDAP Integration for Schoolbox is compatible with the following LDAP servers

  • Microsoft's Active Directory
  • Novell eDirectory
  • OpenLDAP

LDAPS is also supported.

 

Requirements

For Schoolbox to be successfully integrated with an existing LDAP Server, the following needs to be completed:

  • LDAP User created with Read only access to the users/groups that will be utilised within the Schoolbox System to bind to the LDAP server, with a complex password (as this user will never be used by anything other than the server), the Username and Password for the LDAP binding account provided to Alaress.
  • LDAP Base for all Users of Schoolbox be provided to Alaress. I.e (OU=Schoolbox Accounts,DC=YourSchoolname,DC=com,DC=au)
  • LDAP Server Hostname and IP Address provided to Alaress (if using a non-standard LDAP port number, the hostname must be in protocol://host:customport format. E.g. ldap://my.ldap.server:1234)
  • A List of Usernames and Student Names Provided to Alaress to bulk load stub record accounts into Schoolbox (This is to have a basic user record even though passwords are never stored in schoolbox for LDAP Authenticated accounts).

NOTE: The LDAP authentication is completed before the Schoolbox authentication. If a user exists in both LDAP and Schoolbox it will attempt the LDAP password first. If this fails, it will fallback to Schoolbox. If no password is stored in Schoolbox, the login will be denied. For this reason it is strongly recommended that there be at least one superuser that has a password stored locally on Schoolbox.

 

Network Configuration

LDAP Authentication functionality will operate successfully provided that the LDAP and schoolbox server are on the Same LAN, or that the ports are forwarded through a firewall to allow full LDAP communication if schoolbox is stored in the DMZ. If the LDAP server is to be accessed via a DNS name ensure that the Schoolbox server can resolve and ping the name before continuing.

 

Debugging

To debug issues with LDAP authentication ldapsearch should be installed on the console and the user should attempt to bind and search the LDAP tree.

 

apt-get install ldap-utils

ldapsearch -H ldap://LDAP_HOSTNAME -D 'LDAP_USERNAME' -w LDAP_PASSWORD -b LDAP_SEARCHBASE "(userObject=*)" dn


If this is able to authenticate you should then attempt to search for the a user. This should query should return an entire list of all the users that can be seen via ldap with the given search base.

Proxy Issues

Are you sure you want to remove this component?

If you are running a proxy in front of your Schoolbox installation, you may experience errors with some of the functionality.

Fixes

To work around this issue, please configure the following paths on each of the Schoolbox domains to be accessed without authentication.

  • /cms/fileForm.php
  • /submission/fileForm.php
  • /service/plagscan.php