I'm new to moodle and am trying to get Active Directory authenitcation working in any way shape or form. We have a single domain setup running on Server 2000. Moodle is version 1.5.2+ running on the moodle for windows install which uses php 5, apache, and mysql.
Right now I get this message:
LDAP-module cannot connect any LDAP servers:
I guess I need to know exactly how the ldap_host_url: field should be formatted to connect to a server 2000 domain controler.
Thanks,
Mike
Hi,
I just ran into the very same problem on our Win2003 Domains:
ldap_host_url: stud_srv.stud.ournet -> Works fine, but only stud-accounts can log in
ldap_host_url: staff_srv.staff.ournet -> Works fine, but only staff-accounts can log in
ldap_host_url: globalCat_srv.ournet -> ERROR LDAP-module cannot connect any LDAP servers
ldap_host_url: globalCat_srv.ournet:3268 -> LDAP-module cannot connect any LDAP servers
When I use the ldp.exe utility on the moodle server, I can get every LDAP information I want with all three mentioned servers and Ports.
So what is wrong in that moodle-LDAP-Module? Or maybe in my Setup?
Ok, I'm back again and finished my tests. Replication did not solve the problem, so I have to keep the strange configuration I mentioned. What I wrote in my first post is still valid.
Our configuration:
- classic MS Active Directory forest with three-domain model: one root-domain and two child-domains, one for students and one for staff employees
- so the root-domain can be used as global catalog on port 3268, as already mentioned in this thread
- the moodle server itself is a member-server of the stud-domain, running on win2003 server
ldap_host_url: root_srv.ournet:3268 -> Works fine as global catalog
ldap_bind_dn: cn=LDAPuser,ou=Users,dc=stud_domain,dc=ournet
ldap_bind_pw: LDAPuser-pw on stud_srv
ldap_user_type: MS ActiveDirectory
ldap_contexts: ou=OurUsers,dc=staff_domain,dc=ournet;ou=OurUsers,dc=stud_domain,dc=ournet
ldap_search_sub: YES
ldap_opt_deref: NO
ldap_user_attribute: sAMAccountName
ldap_memberattribute:
ldap_objectclass: ObjectClass=Person
- note that 'ournet' can be splitted in more sub dc-components
What I called 'strange' is the fact that I get an Error if I use a BIND account on the global-catalog-server (root_srv) itself. If I use an account either on stud_domain or staff_domain, everything works fine now. First I thought that replication had possibly not finished when I wanted to use the freshly created LDAPuser on the root_domain. But this morning the error continued to appear. So I decided to use definitely the LDAPuser on our stud_domain.
DO NOT forget to remove the LDAPuser out of the Domain-Users Group, to be shure, this account has only few privileges. You have to add it to the group of Domain Guests first, and make this group the primary group of the account, otherwise you are not able to remove the account from the Domain-Users Group. Interactive Logon should also be DENIED for this user, but I do not know to do this. Maybe in a user or group policy.
Despite the fact that I use LDAPuser on the students_domain for the BIND, even staff_domain accounts can log into moodle. Which was not possible with the settings in my first post.
If anybody has further suggestions, I'll be glad to know them.
Hello.
This is it!
Thank you very much Arvind.
For anyone who need detailed info, take note for LDAP setup on Moodle:
1. ldap_host_url: yourActiveDirectoryMainDomainServer:3268
"yourActiveDirectoryMainDomainServer" can be the IP address or the host name (192.x.y.z or myADserver.myDomain.bla; I prefer IP address). You do not have to write "ldap://" to get it working. No need to write multiple servers (like 1.x.y.z;2.x.y.t;4.x.z.a) only the primary one.
2. ldap_bind_dn: ADuser
"ADuser" can be like cn=ldapuser,ou=public,o=org (like Moodle help says) or AnUser@myADserver.myDomain.bla (I use last one).
3. ldap_contexts: ADMainDomainRoot
"ADMainDomainRoot" can be DC=myDomain,DC=bla (according to my example). In other words, can be root on Main Domain. No need to include several contexts where users live.
4. ldap_search_sub: YES (off course, so a deep search can be done).
5. ldap_opt_deref: NO (I think it is not relevant; I tried YES and NO without changes).
6. Finally, for those with Firewall and Internet environments you HAVE to open port 3268 ONLY from Moodle server to yourActiveDirectoryMainDomainServer. No need to open 389, 636 nor 3269.
Enjoy your LDAP login!
6. Finally, for those with Firewall and Internet environments you HAVE to open port 3268 ONLY from Moodle server to yourActiveDirectoryMainDomainServer. No need to open 389, 636 nor 3269.
In fact, this is only true if you are connecting to the domain controller (DC) that has the Global Catalog (GC) role. If you have multiple DCs in your domain, then only one of them will have the GC role (in fact, there is only one GC per AD Forest, so watch out).I have a concern which i would appreciate you help me solve.
In the company I work with Moodle 1.9.8, which uses authentication through Active Directory (LDAP). Due to the growth of the company some users are required to enter from Mexico they used to Active Directory to authenticate its own which is totally independent of the above, is it possible to authenticate through LDAP's two simultaneously being fully independent?
Thanks?
Norman.
