2.5. Authentication ¶
OnTask comes with the following authentication mechanisms: IMS-LTI,
REMOTE_USER
variable, basic authentication, and LDAP. The first three
(IMS-LTI,
REMOTE_USER
and basic authentication) are enabled by default and used in that order whenever an unauthenticated request is received. It follows a brief description of how to configure them.
-
IMS Learning Tools Interoperability (IMS-LTI) . LTI is a standard developed by the IMS Global Learning Consortium to integrate multiple tools within a learning environment. In LTI terms, OnTask is configured to behave as a tool provider and assumes a tool consumer such as a Learning Management System to invoke its functionality. Any URL in OnTask can be given to the LTI consumer as the point of access.
Ontask only provides two points of access for LTI requests coming from the consumer. One is the URL with suffix
/lti_entry
and the second is the URL provided by the actions to serve the personalized content (accessible through theActions
menu.To allow LTI access you need:
-
A tool consumer that can be configured to connect with OnTask. This type of configuration is beyond the scope of this manual.
-
A set of pairs key,value in OnTask to be given to the tool consumers so that together with the URL, they are ready to send the requests. The key/value pairs need to be included as an additional variables in the file
local.env
in the foldersettings
together with other local configuration variables. For example,LTI_OAUTH_CREDENTIALS=key1=secret1,key2=secret2
-
OnTask needs to identify those roles from the external tool mapped to the instructor role. This mapping is provided through a list of those roles in the following configuration variable:
LTI_INSTRUCTOR_GROUP_ROLES=Instructor
If you change the values of these variables, you need to restart the server so that the new values are in effect. This authentication has only basic functionality and it is assumed to be used only for learners (not for instructors).
-
-
REMOTE_USER
. The second method uses the variable REMOTE_USER that is assumed to be defined by an external application. This method is ideal for environments in which users are already authenticated and are redirected to the OnTask pages (for example, using SAML). If OnTask receives a request from a non-existent user through this channel, it automatically and transparently creates a new user in the platform with the user name stored in theREMOTE_USER
variable. OnTask relies on emails to identify different user names, so if you plan to use this authentication method make sure the value ofREMOTE_USER
is the email.Additionally, this mode of authentication will be enforced in all requests reaching OnTask. However, this configuration prevents the recording of email reads. Read the section Email Configuration to configure the server to allow such functionality to be properly configured.
-
Basic authentication. If the variable
REMOTE_USER
is not set in the internal environment of Django where the web requests are served, OnTask resorts to conventional authentication requiring email and password. These credentials are stored in the internal database managed by OnTask.
The API can be accessed using through token authentication. The token can be generated manually through the user profile page. This type of authentication may need some special configuration in the web server (Apache or similar) so that the
HTTP_AUTHORIZATION
header is not removed.
2.5.1. LDAP Authentication ¶
OnTask may also be configured to use LDAP to authenticate users. This is done through the external package django-auth-ldap . In its current version, this authentication mode cannot be combined with the previous ones (this requires some non-trivial code changes). The following instructions describe the basic configuration to enable LDAP authentication. For more details check the documentation of the django-auth-ldap module .
-
Stop OnTask (if it is running)
-
Make sure your server has installed the development files for OpenLDAP. In Debian/Ubuntu, the required packages are:
libsasl2-dev python-dev libldap2-dev libssl-dev
In RedHat/CentOS:
python-devel openldap-devel
-
Install the module
django-auth-ldap
-
Edit the configuration file
local.env
and add the following two variable definitions:LDAP_AUTH_SERVER_URI=[uri pointing to your ldap server] LDAP_AUTH_PASSWORD=[Password to connect to the server]
-
Edit the file
settings/base.py
and uncomment the lines that import theldap
library (import ldap
) and the lines that import three methods from thedjango_auth_ldap.config
module (LDAPSearch
,GroupOfNamesType
andLDAPGroupQuery
) -
Locate the section in the file
settings/base.py
that contains the variables to configure LDAP AUTHENTICATION . -
Uncomment the ones needed for your configuration. Make sure all the information is included to connect to the server, perform the binding, search, and if needed, assign fields to user and group attributes.
-
Locate the variable
AUTHENTICATION_BACKENDS
in the same file. -
Comment the lines referring to the back-ends
LTIAuthBackend
andRemoteUserBackend
. -
Uncomment the line referring to
LDAPBackend
. -
Make sure the LDAP server contains the data about the users in the right format
-
Start the OnTask server.