VillageScribeAssociation / awarenet

awareNet social learning software for schools needing to save bandwidth/traffic
awarenet.org

automatic logon into awarenet from installations where the user has its own computer profile #382

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 9 years ago
Let's take a school like Kingswood that has a sophisticated school network 
setup where a student has to log on to the machine in order to have access.

The school therefore takes over the authentication issue and vouches for the 
user logged on.

What I propose we do in such a case is to take the logged-in username and, if 
available in the awarenet database, automatically log this user on to awarenet. 
This means that if the user accesses awarenet on the school's network, then instead 
of landing on the login/home page, he lands directly on his personal 
notification page.

Strix has discussed the matter already with Matthew Ridgeway from Kingswood and 
there are various technical possibilities to do so. I will do a quick research 
as well in order to identify the simplest, least intrusive way of accessing the 
machine's logged on user information in order to collect the logged on username.

Original issue reported on code.google.com by appiapp...@gmail.com on 12 Mar 2014 at 9:38

GoogleCodeExporter commented 9 years ago
Having had a moment to think about this - I'd like to place a vote for identd - 
it's not as sophisticated as NT Domain/Windows Forms or Active Directory 
methods, but much more general.  The server works on Windows/OSX/iOS/Android, 
and the client will run easily in PHP on all server platforms.

It has downsides too: only good for managed devices where we can trust the ident 
(more or less), but the same is true of Microsofty solutions.  Cheap because all 
the parts already exist.

Original comment by awarenet...@gmail.com on 12 Mar 2014 at 12:53

GoogleCodeExporter commented 9 years ago
If this will finally make the Kingswood learners use awarenet, I would be 
happy! :-)

Original comment by a...@villagescribe.org on 12 Mar 2014 at 8:22

GoogleCodeExporter commented 9 years ago
I first was looking at something more archaic, for example a Java Application 
that reveals the System.getProperties("user.name"). This Java Application would 
be started when the user logs on to the machine. A client side Javascript on 
the homepage then could contact that Application (localhost:port socket call 
for example) and get the logged in username from it. This would work on all 
Operating Systems that support Java I think?

What we would need in terms of distribution is to install this Java Application 
on all client machines within that protected/organised/managed School Network 
that wants to use automatic login into awarenet.

Is this too messy? Any suggestions in this regard or is it better to drop this 
idea completely?

Original comment by appiapp...@gmail.com on 13 Mar 2014 at 11:05

GoogleCodeExporter commented 9 years ago
Hmm... it would be ideal for deployment if a Java applet could get the username 
in the browser, then pass it to JS.  Unfortunately, I think this call is 
blocked by the browser sandbox in any sane configuration:

  http://docs.oracle.com/javase/tutorial/deployment/doingMoreWithRIA/properties.html

Extracting the user.name system property with an independent application and 
then sending it over a TCP connection for use by the server sounds exactly like 
what identd does.  So, I'm not seeing the advantage of making our own identd 
protocol/server, maybe I have misunderstood?

I have some misgivings about Java, requiring it to use this feature with 
awarenet introduces a great deal of bloat in deployment (hundreds of MB and 
constant updates for lab machines) as well as very negative security 
implications for school networks (0-day every day).  On the other hand, 
Kingswood already have it deployed.

Original comment by awarenet...@gmail.com on 13 Mar 2014 at 11:48

GoogleCodeExporter commented 9 years ago
Something else to consider is ActiveX, I think the system username can be 
loaded like so:

    <script language="JavaScript" type="text/javascript">
    // Works only in Internet Explorer with ActiveX scripting allowed; other
    // browsers have no ActiveXObject and throw a ReferenceError here.
    function findUserName() {
         var wshell = new ActiveXObject("WScript.Shell");
         var username = wshell.ExpandEnvironmentStrings("%username%");
         return username;
    }
    </script>

For this to work in Firefox or Chrome one needs a plugin, which again 
complicates deployment.  Not very cross platform though...

Original comment by awarenet...@gmail.com on 13 Mar 2014 at 11:52

GoogleCodeExporter commented 9 years ago
Hang on, just thought of something.  Windows sessions are served from a central 
server which holds user home directories, etc.  Each user has their own 
(default) Firefox/Chrome/IE profile.  We could keep the user credentials in 
localStorage, and log in automatically that way:

  http://diveintohtml5.info/storage.html

Each user gets their username and a random password on a slip of paper, they 
enter that once, and the browser stores their credentials for all future 
sessions.  Would work for IE8+ and all modern and mobile browsers:

  http://caniuse.com/#search=localstorage

Original comment by awarenet...@gmail.com on 13 Mar 2014 at 12:01

GoogleCodeExporter commented 9 years ago
In addition to the above, we could avoid the initial account step by 
authenticating users against ActiveDirectory, looks pretty simple to do:

  http://stackoverflow.com/questions/171519/authenticating-in-php-using-ldap-through-active-directory

So the first time a user visits awarenet they can log in with the same 
credentials they use to log in to Windows, an awarenet account is automatically 
created where the password is a hash of the ActiveDirectory password (ie, 
hashed twice).  Their username and hashed password are stored in the browser's 
localStorage, and it automatically logs them in in the future.

How do you feel about this approach?

Original comment by awarenet...@gmail.com on 13 Mar 2014 at 12:22

GoogleCodeExporter commented 9 years ago
Wonderful research and yes, the approach of using the browser's local storage 
looks like a very elegant solution. The combination with having a one time 
manual login that cross checks the credentials with the Active Directory does 
make the solution complete. I will start with this, as soon as I have completed 
the moving of KaLite integration code into the new structure if this is ok?

Good is also that I have no fuss access to Kingswood and its network and can 
test the Active Directory calls first hand. 

Original comment by appiapp...@gmail.com on 14 Mar 2014 at 11:01

GoogleCodeExporter commented 9 years ago
How far are you with this issue?

Original comment by a...@villagescribe.org on 28 Mar 2014 at 12:58

GoogleCodeExporter commented 9 years ago
Nothing done yet, first need to fix KhanLite and then integrate the new login 
into the other logon pages ...

Original comment by appiapp...@gmail.com on 28 Mar 2014 at 2:42

GoogleCodeExporter commented 9 years ago

Original comment by a...@villagescribe.org on 1 Apr 2014 at 7:36

GoogleCodeExporter commented 9 years ago
Starting with this today ... am busy reading and thinking myself into local 
storage and active directory information forwarded by Strix above.

Original comment by appiapp...@gmail.com on 5 May 2014 at 7:49

GoogleCodeExporter commented 9 years ago
I have a question, which is similar to the one I posed in Kalite.

How do we cater for multi-school awarenet setups? When a user registers with 
awarenet, he/she has a selection field "school" where the newly created user 
account will be associated with. At the awarenet login we do not have a 
"school" field. So this suggests that a user name has to be unique within the 
whole awarenet set up, so there cannot be a user name "sipho" in school a and 
in school b. It rather would be sipho.a and sipho.b in order to identify them 
properly.

Can I assume, for the automatic login, that there is only one school in the 
whole awarenet installation? I am asking this because I probably have to assign 
a school to the user account when I create it and I do not have this 
information present at the current awarenet login.

Original comment by appiapp...@gmail.com on 5 May 2014 at 8:32

GoogleCodeExporter commented 9 years ago
The way I will go about this is as follows:
1) I will create an automaticlogin package that can be added to an awarenet 
   installation.
2) I will insert into home.page.php a javascript that executes automatically 
   after the page is loaded and checks:
     a) whether this automaticlogin package is installed (check for this done in 
        home.act.php)
     b) whether we have user id / password stored in the local storage of the browser.
     c) if local storage credentials are available, we will automatically log in and the user
        ends up in the /notifications area - this means that such a user will never 
        see the landing page!
3) I will insert code into users/login.act.php that, in the case of awarenet 
   user credentials not being available, checks:
     a) whether the automaticlogin package is installed
     b) if it is, it will cross-check the provided login details with ldap, create an awarenet 
        account and store these newly created awarenet user credentials in the local 
        storage of the browser using code from that package (javascript to store 
        local data will be running in a new automatic login page).
     c) the code then calls users/login again using the newly created awarenet 
        credentials to automatically log in.

Hope that will work ...

Original comment by appiapp...@gmail.com on 5 May 2014 at 10:30
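The browser-side half of this plan (the localStorage idea from the 13 Mar comments and steps 2 and 3b above), as an added JavaScript example that is not awarenet's own code: the decision logic is kept apart from the DOM so it can be tested, and a record the server rejects is cleared so a stale password cannot loop between home and login. Assumed, hypothetical names: the storage key `awarenet.autologin`, the endpoint `users/login`, the landing page `/notifications`, and a `{username, password}` JSON record.

```javascript
// Added example, not awarenet code. Hypothetical names: storage key,
// endpoint path, landing page and the JSON record shape are assumptions.
var STORAGE_KEY = "awarenet.autologin";

// Returns the stored {username, password} record, or null when it is
// missing or malformed, so a corrupted entry falls back to the landing page.
function readStoredCredentials(storage) {
  var raw = storage.getItem(STORAGE_KEY);
  if (raw === null) { return null; }
  try {
    var rec = JSON.parse(raw);
    if (!rec || typeof rec.username !== "string" ||
        typeof rec.password !== "string") { return null; }
    if (rec.username === "" || rec.password === "") { return null; }
    return rec;
  } catch (e) {
    return null;
  }
}

// Step 3b: called once, after the LDAP-backed first login has succeeded.
function storeCredentials(storage, username, password) {
  storage.setItem(STORAGE_KEY,
                  JSON.stringify({ username: username, password: password }));
}

// Called when users/login rejects the stored record (e.g. password changed
// in the directory), so the next page load shows the landing page instead
// of retrying the same bad credentials forever.
function clearCredentials(storage) {
  storage.removeItem(STORAGE_KEY);
}

// Step 2: what the script in home.page.php should do after load.
// packageInstalled is the flag home.act.php provides. Returns a plain
// action descriptor rather than touching the DOM, so it is testable.
function decideAutoLogin(storage, packageInstalled) {
  if (!packageInstalled) { return { action: "show-landing" }; }
  var creds = readStoredCredentials(storage);
  if (creds === null) { return { action: "show-landing" }; }
  return { action: "post-login", url: "users/login",
           username: creds.username, password: creds.password,
           redirect: "/notifications" };
}

// Constructed in-memory stand-in for window.localStorage, for tests/Node.
function memoryStorage() {
  var items = {};
  return {
    getItem: function (k) { return items.hasOwnProperty(k) ? items[k] : null; },
    setItem: function (k, v) { items[k] = String(v); },
    removeItem: function (k) { delete items[k]; }
  };
}
```

In the page, a `post-login` descriptor becomes a POST to `users/login` followed by a redirect, and a rejected POST calls `clearCredentials`. Anything kept this way is readable by any script on the awarenet origin and by anyone using the same Windows profile, which is the managed-device trust assumption the thread already makes.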

GoogleCodeExporter commented 9 years ago
after the meeting with Strix the following applies:
1) name of package to be created will be ldaplogin
2) javascript to deal with local storage will be inserted into header section 
of home.page.php
3) uid of created awarenet user will be a hash of username.regshortname for 
school (i.e. KC), length 18
4) name of school, shortname and ldap location will be stored in registry. 
5) an awarenet installation using ldaplogin can only link up to the single ldap 
location stored in registry.

Original comment by appiapp...@gmail.com on 6 May 2014 at 1:50

GoogleCodeExporter commented 9 years ago
Implemented automatic login part where user gets automatically logged in if 
user and password are stored in local storage of the browser.

Original comment by appiapp...@gmail.com on 9 May 2014 at 2:29

GoogleCodeExporter commented 9 years ago
Implemented ldap access, registry settings, automatic awarenet user account 
creation.

Am busy organising access to the Kingswood College Network so that I can test it 
in this real world environment. Have met initial resistance from Dom though and 
am trying to push through it...

Original comment by appiapp...@gmail.com on 28 May 2014 at 12:43

GoogleCodeExporter commented 9 years ago
OK, be gentle - I know you are. :-) Good luck!

Original comment by a...@villagescribe.org on 30 May 2014 at 7:28

GoogleCodeExporter commented 9 years ago
Kingswood IT is in the middle of a management change (Dom is leaving in 2 
weeks) and so things are hanging in the air a bit. I hope that I will get a go 
ahead from Kingswood within the next 4 weeks to test and finish this. Code is 
finished in its rough form and checked into SVN but needs testing in the real 
environment.

Original comment by appiapp...@gmail.com on 12 Jun 2014 at 7:14

GoogleCodeExporter commented 9 years ago
Ok, so this seems to be a task that will run alongside other tasks. Good luck 
with the new person in charge! I hope he is interested and not too skeptical...

Original comment by a...@villagescribe.org on 12 Jun 2014 at 7:29

GoogleCodeExporter commented 9 years ago

Original comment by a...@villagescribe.org on 27 Jun 2014 at 10:51

GoogleCodeExporter commented 9 years ago

Original comment by a...@villagescribe.org on 23 Feb 2015 at 7:40

awarenetdev commented 8 years ago

Closing, no current plans for integration with any LDAP systems.