Forums | Mahara Community

Mahara/Moodle integration /
SSO doesn't work


Account deleted
Posts: 7

07 October 2009, 10:06

I face the same problem and the same error message. When I try to enter Mahara at http://localhost/mahara, the Mahara server gives me the same message:

Sorry, we could not log you into Mahara at this time. Please try again shortly, and if the problem persists, contact your administrator

My environment is as follows:

1) Windows 7 Ultimate

2) Moodle & Mahara are both on local host

3) Zend Server with PHP 5.3 & MySql 5.1

4) both versions of Moodle (1.9.5+) & Mahara (1.1.6) are running without any other problems

5) I have openSSL and libxml (2.7.3) both installed and running on my machine.

6) I finished up all required steps (in the Mahoodle PDF document) for SSO from Moodle to Mahara, and all steps were successful.

7) Moodle database encoding (utf8_general_ci) & Mahara database encoding (utf8).

8) :( The result was the error message I posted above; here is the server log:

-----------------------------------------------------------------------------------------

[07-Oct-2009 13:54:20] [WAR] 59 (C:\Program Files\Zend\Apache2\htdocs\mahara\api\xmlrpc\client.php:115) An error occured while decrypting a message sent by http://localhost/moodle. Unable to authenticate the user.
[07-Oct-2009 13:54:20] Call stack (most recent first):
[07-Oct-2009 13:54:20]   * Client->send("http://localhost/moodle") at C:\Program Files\Zend\Apache2\htdocs\mahara\auth\xmlrpc\lib.php:117
[07-Oct-2009 13:54:20]   * AuthXmlrpc->request_user_authorise("4c8183e7e797d289f2f79596e480b3e52e6b31ac", "http://localhost/moodle") at C:\Program Files\Zend\Apache2\htdocs\mahara\auth\xmlrpc\land.php:95
[07-Oct-2009 13:54:20]

----------------------------------------------------------------------------------------

9) I opened the above-mentioned file (client.php), scrolled down to line 115, and found this try-catch block that is throwing that exception:

-----------------------------------------------------------------------------------------------------

try {
    if ($xml->getName() == 'encryptedMessage') {
        $payload_encrypted = true;
        $wwwroot = (string)$xml->wwwroot;
        // Strip encryption, using an older code is OK, because we're the client.
        // The server is able to respond with the correct key, be we're not
        $payload = xmlenc_envelope_strip($xml, true);
    }

    if ($xml->getName() == 'signedMessage') {
        $payload_signed = true;
        $remote_timestamp = $xml->timestamp;
        $payload = xmldsig_envelope_strip($xml);
    }
}
catch (CryptException $e) {
    throw new XmlrpcClientException("An error occured while decrypting a message sent by $wwwroot. Unable to authenticate the user.");
}

-----------------------------------------------------------------------------------------------------

Then I searched a lot on Google, and found out that the problem is caused by a bug in the libxml2 PHP extension, according to Mr. Dan's post here:

http://moodle.org/mod/forum/discuss.php?d=101459#p577035

 

I tried to downgrade my libxml2.7.3 version to libxml2.6.x, i.e. I grabbed the libxml2.dll file (that belongs to version 2.6) and replaced it with the one located under C:\Program Files\Zend\ZendServer\bin

I restarted my Zend Server, and I am still getting the same error.

I really tried everything possible to solve this problem, but without any positive result.

So I'd be very grateful to anyone who helps me with that.

Thank you a million in advance.

P.S. I will copy this post to Moodle support too (at http://moodle.org/mod/forum/discuss.php?d=101459).

Account deleted
Posts: 1643

07 October 2009, 18:14

Hi - looks like you've tried a lot of things! I can't see anything too wrong with your setup. Something you might want to try is getting the exception message and seeing what it says. I mean the CryptException, rather than the XMLRPC exception that is thrown. To do this, change this bit:

catch (CryptException $e) { throw new XmlrpcClientException("An error occured while decrypting a message sent by $wwwroot. Unable to authenticate the user.");

To say this:

catch (CryptException $e) { throw new XmlrpcClientException("An error occured while decrypting a message sent by $wwwroot. Unable to authenticate the user. Message is: " . $e->getMessage());

Note the new bit I put on the end of the message. Then try again. That way you should get a different message that might have more hints as to what is wrong. 

Account deleted
Posts: 7

10 October 2009, 2:09

Hi Nigel,

Thank you a lot for your valuable reply.

I did what you wrote above, and got this line in the server log:

[WAR] 1b (C:\Program Files\Zend\Apache2\htdocs\mahara\api\xmlrpc\client.php:115) An error occured while decrypting a message sent by http://localhost/moodle. Unable to authenticate the user. Message is: We know nothing about the key used to encrypt this message

I can understand from this log that the XML parser is not working properly. This is a huge bug in the last 3 versions of libxml, and I still cannot find any tutorial on how to downgrade my libxml version step by step on the Windows platform.

Do you have any ideas to rescue me?

Account deleted
Posts: 7

10 October 2009, 4:04

Hi again Mr. Nigel,

I went through the code even further, and found out that the above-mentioned file (client.php) has an include statement at its beginning for lib.php. I opened lib.php and found the following function, which produces the $e->getMessage() output above:

--------------------------------------------------------------------------------------------------------------------

public function openssl_open($data, $key, $oldkeyok=false) {
    $payload = '';
    $isOpen = openssl_open($data, $payload, $key, $this->keypair['privatekey']);

    if (!empty($isOpen)) {
        return $payload;
    }
    else {
        // Decryption failed... let's try our archived keys
        $openssl_history = $this->get_history();
        foreach($openssl_history as $keyset) {
            $keyresource = openssl_pkey_get_private($keyset['keypair_PEM']);
            $isOpen = openssl_open($data, $payload, $key, $keyresource);
            if ($isOpen) {
                // It's an older code, sir, but it checks out
                if ($oldkeyok) {
                    return $payload;
                }
                else {
                    // We notify the remote host that the key has changed
                    throw new CryptException($this->keypair['certificate'], 7025);
                }
            }
        }
    }
    throw new CryptException('We know nothing about the key used to encrypt this message', 7025);
}

--------------------------------------------------------------------------------------------------------------------

Have a look at the yellow shadowed line; here is where the problem comes from. The description of function openssl_open is: Decrypt some data using our private key and an auxiliary symmetric key

So the function uses the private key $key (which is listed in the parameters list) to decrypt the data $data. As far as I can understand from this function, it fails to decrypt the data because the function does not know anything about the key ($key) used to encrypt the data ($data), i.e. the function cannot understand the structure of the key $key.

The function openssl_open is being called from another function, and here it is:

-----------------------------------------------------------------------------------------------------------

function xmlenc_envelope_strip(&$xml, $oldkeyok=false) {
    $openssl = OpenSslRepo::singleton();
    $payload_encrypted = true;
    $data = base64_decode($xml->EncryptedData->CipherData->CipherValue);
    $key = base64_decode($xml->EncryptedKey->CipherData->CipherValue);
    $payload = ''; // Initialize payload var
    $payload = $openssl->openssl_open($data, $key, $oldkeyok);
    $xml = parse_payload($payload);
    return $payload;
}

----------------------------------------------------------------------------------------------------------

Please look at the $key line ...

Nigel, did I provide enough data to help me get rid of the error I face when I SSO into Mahara?

P.S. I have a feeling that it's the libxml problem ...

Account deleted
Posts: 1643

11 October 2009, 19:28

Hi - no, in fact it has nothing to do with libxml at all.

It's to do with the public/private keys used to encrypt MNET traffic. There's no bug in the PHP from what I can tell - instead, it looks like your Mahara never imported the Moodle public key properly (or at all?). Or maybe you changed Moodle's key (perhaps by deleting the old Moodle key), and didn't tell the Mahara that it had changed.

At this point, I think your solution is going to involve either a little bit of database hacking, or just deleting and re-refreshing the keys.

I think what you might have to do is:

  • Delete the XMLRPC auth instance you created on the Mahara side
  • Go into the database (using phpmyadmin or whatever), and delete all rows from the "host" table (you should see one row for your Moodle, don't be alarmed if there are no rows in there already though)
  •  Try setting up the XMLRPC authinstance again.
 
These steps should grab you the new Moodle public key into Mahara, and hopefully that should allow your MNET to work. 

 

Account deleted
Posts: 7

12 October 2009, 9:20

Hi Nigel,

I've just done exactly what you told me, but I am still getting the same error message:

Sorry, we could not log you into Mahara at this time. Please try again shortly, and if the problem persists, contact your administrator

Anyway, I enabled full debugging on the Moodle side, then navigated to: site administration block -> networking -> peers. Then I chose the Mahara peer (which I had added previously), and from the tabs above I chose "services". At this point the debugger prints 6 lines at the top of the page; the lines are:

----------------------------------------------------------------------------------------------------------------------------------
Warning: openssl_sign() [function.openssl-sign]: supplied key param cannot be coerced into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\lib.php on line 172

Warning: openssl_open() [function.openssl-open]: unable to coerce parameter 4 into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 216

Warning: openssl_open() [function.openssl-open]: unable to coerce parameter 4 into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 229

Warning: openssl_open() [function.openssl-open]: unable to coerce parameter 4 into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 229

Warning: openssl_open() [function.openssl-open]: unable to coerce parameter 4 into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 229

Notice: None of our keys could open the payload from host http://localhost/mahara with id 4. in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 238
-------------------------------------------------------------------------------------------------------------------------------------

Here are lines 163-172 in lib.php:

    // If the user hasn't supplied a private key (for example, one of our older,
    // expired private keys, we get the current default private key and use that.
    if ($privatekey == null) {
        $privatekey = $MNET->get_private_key();
    }

    // The '$sig' value below is returned by reference.
    // We initialize it first to stop my IDE from complaining.
    $sig = '';
    $bool = openssl_sign($message, $sig, $privatekey); // TODO: On failure?

And here are lines 212-216 in client.php:

    // Initialize payload var
    $payload = '';
    //                                          &$payload
    $isOpen = openssl_open(base64_decode($data), $payload, base64_decode($key), $MNET->get_private_key());

And here are lines 228-229 in client.php:

    $keyresource = openssl_pkey_get_private($keyset['keypair_PEM']);
    $isOpen = openssl_open(base64_decode($data), $payload, base64_decode($key), $keyresource);

And here are lines 237-241 in the client.php file:

    if (!$isOpen) {
        trigger_error("None of our keys could open the payload from host {$mnet_peer->wwwroot} with id {$mnet_peer->id}.");
        $this->error[] = '3:No key match';
        return false;
    }

I think these lines will provide extra important information. What do you think?
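The two failures reported in this thread can be told apart by checking the stored key material directly: "cannot be coerced into a private key" means the stored value does not load as a private key at all, while "We know nothing about the key used to encrypt this message" means no private key held by the receiver opened the envelope, i.e. the sender encrypted to a certificate the receiver has no matching key for. The following PHP script is an added example, not part of the original posts and not Mahara or Moodle code: make_keypair() and check_keypair() are hypothetical helpers, the keys are generated inside the script as constructed sample data, and only the array keys keypair_PEM and certificate are taken from the code quoted above. It assumes PHP 7.1 or later with the openssl extension and, where PHP cannot find openssl.cnf by itself, an OPENSSL_CONF environment variable pointing at it.

```php
<?php
// Added diagnostic sketch; not Mahara or Moodle code. Helper names are hypothetical.

// Build a throwaway RSA key and self-signed certificate (constructed sample data).
function make_keypair(array $opts): array
{
    $key = openssl_pkey_new($opts);
    if ($key === false) {
        // On Windows this is a common result when PHP cannot locate openssl.cnf.
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $csr  = openssl_csr_new(['commonName' => 'sso-test.example'], $key, $opts);
    $cert = openssl_csr_sign($csr, null, $key, 28, $opts);
    openssl_x509_export($cert, $certPem);
    openssl_pkey_export($key, $keyPem, null, $opts);
    return ['keypair_PEM' => $keyPem, 'certificate' => $certPem];
}

// Report whether a stored private key loads and whether it is the private
// half of the certificate that the other site was given.
function check_keypair(string $keyPem, string $certPem): array
{
    while (openssl_error_string() !== false) {
        // drain stale entries so the errors reported below belong to this check
    }
    $result = ['private_key_loads' => false, 'cert_matches_key' => false, 'errors' => []];

    $key = openssl_pkey_get_private($keyPem);
    $result['private_key_loads'] = ($key !== false);
    if ($key !== false) {
        $result['cert_matches_key'] = openssl_x509_check_private_key($certPem, $key);
    }
    while (($msg = openssl_error_string()) !== false) {
        $result['errors'][] = $msg;
    }
    return $result;
}

$opts = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048,
         'digest_alg' => 'sha256'];
if (getenv('OPENSSL_CONF')) {
    $opts['config'] = getenv('OPENSSL_CONF'); // explicit openssl.cnf path
}
$current  = make_keypair($opts);
$replaced = make_keypair($opts); // stands in for a key the peer never re-fetched

$cases = [
    'healthy pair'               => [$current['keypair_PEM'], $current['certificate']],
    'stored key is empty'        => ['', $current['certificate']],
    'peer has stale certificate' => [$current['keypair_PEM'], $replaced['certificate']],
];
foreach ($cases as $label => [$keyPem, $certPem]) {
    $r = check_keypair($keyPem, $certPem);
    printf("%-27s loads=%-5s matches=%-5s %s\n", $label,
        var_export($r['private_key_loads'], true),
        var_export($r['cert_matches_key'], true),
        $r['errors'] ? '(' . $r['errors'][0] . ')' : '');
}
```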

 

Account deleted
Posts: 1643

12 October 2009, 15:58

I think that you have managed to somehow mess up your SSL keys for both the Moodle and the Mahara ;)

You might have to also delete your Mahara key and re-create it, as well as deleting and adding the Mahara peer on the Moodle side again.

Try this:

  • On the Moodle, delete the Mahara peer
  • In the moodle database, have a look in the mdl_mnet_host table, and see if there's a Mahara record. If there is, delete it (leave the other records alone)
  • In the mahara database, go to the config table, and delete all the entries that have a name that starts with openssl_. In SQL terms: DELETE FROM config WHERE field LIKE 'openssl_%';
  • In Mahara, visit the networking page in the admin section. That should give you a new key, which you can verify by looking in the config table (some of those openssl_ vars will be back).
  • In Moodle, add the Mahara peer again.

Hopefully, that should clear out the dodgy key. If you followed my instructions in the last post, that means both sides should now have new keys and they should be cycled properly. 
Account deleted
Posts: 7

13 October 2009, 3:39

LoL  :) Nigel I didn't manage to mess up my keys ...

I did exactly what you told me above, and of course in the same order, but the same error message still shows when I try to SSO into Mahara:

Sorry, we could not log you into Mahara at this time. Please try again shortly, and if the problem persists, contact your administrator

Believe me, it's nothing to do with refreshing the keys ...

However, I noticed a couple of things in your last scenario (Moodle full debugging is turned on):

The first thing:

When I try to delete the Mahara entry from the mdl_mnet_host table (in the Moodle database), it is deleted successfully, but the debugger shows the following message at the top of the deletion confirmation page:

---------------------------------------------------------------------------------------------------

Table 'moodle.mdl_mnet_rpc2host' doesn't exist

DELETE FROM mdl_mnet_rpc2host WHERE host_id = '4'

--------------------------------------------------------------------------------------------------- 

 

The second thing:

Each time I try to SSO into Mahara and get the error message, I go back to Moodle (by pressing the browser's back button), and at that point, when I try to log out, the debugger shows the following lines (which I told you about in my last post above):

--------------------------------------------------------------------------------------------------------------------------

 Warning: openssl_sign() [function.openssl-sign]: supplied key param cannot be coerced into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\lib.php on line 172

Warning: openssl_open() [function.openssl-open]: unable to coerce parameter 4 into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 216

Warning: openssl_open() [function.openssl-open]: unable to coerce parameter 4 into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 229

Warning: openssl_open() [function.openssl-open]: unable to coerce parameter 4 into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 229

Warning: openssl_open() [function.openssl-open]: unable to coerce parameter 4 into a private key in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 229

Notice: None of our keys could open the payload from host http://localhost/mahara with id 6. in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 238

Server side error has occured on host 6: 3:No key match
  • line 1130 of auth\mnet\auth.php: call to debugging()
  • line 1020 of auth\mnet\auth.php: call to auth_plugin_mnet->kill_children()
  • line 2138 of lib\moodlelib.php: call to auth_plugin_mnet->prelogout_hook()
  • line 29 of login\logout.php: call to require_logout()

-------------------------------------------------------------------------------------------------------------------------

And then I log out without other errors by pressing the (continue) button (because the debugger disabled the automatic redirection due to warnings). But if I log in again (with the same user or another user) and I don't attempt to SSO into Mahara, and after that I try to log out, Moodle logs me out successfully without displaying any error. So the above warning lines show only when I try to SSO into Mahara and then try to log out from Moodle.

The third thing:

After I delete the Mahara peer from Moodle, and then try to SSO into Mahara for the first time, I still get the same (famous :) ) error message. Then I go back to Moodle and try to log out, and the debugger shows the above-mentioned warning lines with the following additional notice lines:

-------------------------------------------------------------------------------------------------------------------------------

 Notice: Undefined property: mnet_peer::$application in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 127

Notice: Trying to get property of non-object in C:\Program Files\Zend\Apache2\htdocs\moodle\mnet\xmlrpc\client.php on line 127

Server side error has occured on host 5: 7:User with ID 2 attempted to call unauthorised method auth/mnet/auth.php/kill_child on host

-------------------------------------------------------------------------------------------------------------------------------

I get this notice ONLY once, and ONLY after the first time I try to SSO into Mahara and then log out from Moodle; that means, if I log into Moodle again (with the same user or another user), try to SSO into Mahara, then go back to Moodle, then log out, I will get only the warning lines mentioned above (at the beginning of this post) and I don't get the notice lines.

I hope you got what I mean.

The question is why I still get:

Sorry, we could not log you into Mahara at this time. Please try again shortly, and if the problem persists, contact your administrator

:(

Account deleted
Posts: 1643

13 October 2009, 18:23

Hi - well I'm not surprised at your third point, if you delete the peer then your system isn't configured to allow you to jump to the Mahara ;) The errors aren't that great, but then neither is the MNET code I'm afraid..

I wonder if attempting to jump when you don't have a Mahara peer would cause keyswap to attempt to happen again, and after that you have a record in the host table for the Mahara so you don't see so many errors.

Regarding your "first thing" - I recall seeing a bug on the Moodle tracker - http://tracker.moodle.org/ - about that. I think it can be safely ignored, but you might want to try to find the bug and see what it says.

Your second problem is weird. You're on Windows, right? I see you have another thread over on moodle.org, did you manage to get the path to openssl.cnf specified on the Mahara side as well?

Account deleted
Posts: 7

14 October 2009, 2:45

Oops, I forgot to mention in the third point above that when I delete the Mahara peer, then re-add it again, then I try to SSO .. blah blah blah .. ya, I know it won't SSO me into Mahara if there is no Mahara peer :)

I'm sorry for the mistake ...

About the "first thing": it's not of high importance, so let's forget it ...

About the "second thing": yes, it's weird ... I'm on the Windows operating system, and I configured both Moodle & Mahara to point to the path of the openssl.cnf file ...

I did everything possible, but I don't know what's really going on ... Can anyone rescue me, please?