LDAP, Active Directory, and Missing Info

by Kyle Jones -
Number of replies: 19

Hi All,

I've got Moodle up-and-running in terms of authenticating back to Active Directory, so I'm all set on that front.

However, there's an issue that I'm running into with the initial setup of the user profile.  In the Authentication Options screen, there are optional fields to have information such as first name, last name, email, etc. pre-filled out for the user.  I'm running under Active Directory, so I set the option for first name to givenName, the last name to sn, and the email to userPrincipalName, all of which seem to be the Microsoft equivalents for the requested information (or are at least close to an equivalent).

Well, the last name seems to pull into Moodle just fine, but the first name (givenName) and the email (userPrincipalName) do not.

Any ideas on what's happening?

Thanks,

Kyle

In reply to Kyle Jones

Re: LDAP, Active Directory, and Missing Info

by Mark Tyers -

We are just about to make a decision re Moodle for our college. We have two issues, SCORM and Active Directory. Looking at the feature list for version 2 it looks like SCORM is covered so this just leaves Active Directory.

It sounds like you have Active Directory sussed. May I be so bold as to ask how you achieved this?

In reply to Mark Tyers

Re: LDAP, Active Directory, and Missing Info

by Kyle Jones -

Hi Mark,

Yes, with a little bit of effort, I was able to accomplish Active Directory-Moodle integration.  Here's how to do it . . .

  • Under "Administration," choose "Authentication."  In the "Choose an authentication method:" drop-down, choose "Use an LDAP Server."  The settings will then appear.  Next, you need to fill out these Settings.
  • In the "ldap_host_url:" field, enter in the fully-qualified domain name of your server with Active Directory installed on it, preceding it with "ldap://".  For example, if the name of your server was "myserver," and your domain was "myorganization.com," then this blank would read: ldap://myserver.myorganization.com
  • In the "ldap_contexts:" field, you need to enter in the locations of where you stored all of your users in LDAP-style format.  Let's say that you had, for example, created an organizational unit called "Students" and an organizational unit called "Teachers" at the root level of your Active Directory tree.  (In other words, at the same depth as the "Users" folder.)  Then, let's say that you also had users in the "Users" folder.  Your "ldap_contexts:" field, carrying forward the previous "myorganization.com" example, would be: ou=Students,dc=myorganization,dc=com;ou=Teachers,dc=myorganization,dc=com;cn=Users,dc=myorganization,dc=com

Note that the "Users" folder is prefaced with "cn=" and that all organization units you have created are prefaced with "ou="

  • In the "ldap_user_attribute:" field, you are entering in the specific attribute in the LDAP server that matches up with the username.  If you want your users to type in their first name and last name to login, you should be able to input "cn" if you've got their first and last names entered into Active Directory.  Chances are, though, that you want them to use their Windows username to login.  So, in this field, enter: sAMAccountName
  • The "ldap_search_sub:" field controls whether you want to search subcontexts for the user.  If you're like me, your organizational unit called "Students" has sub-organizational units corresponding to each class.  So, for example, I have a "Students" organizational unit inside Active Directory, and, inside that, I have another organizational unit called "Class of 2006."  If you want to search such sub-organizational units for users, set the value of "ldap_search_sub:" to anything other than zero.  (1 is a good choice.)
  • In order for you to search Active Directory via LDAP, you must login using a username and password.  This is called "binding" to the LDAP server.  So, create a user that you wish to use for binding.  This user does NOT have to be a Domain Admin.  For example, you could create a user with firstname MoodleUser and lastname MoodleUser.  Then, enter this username into the "ldap_bind_dn:" blank in LDAP format.  For example: cn=MoodleUser MoodleUser,cn=Users,dc=myorganization,dc=com
  • In the next blank, "ldap_bind_pw:", enter in the password for the MoodleUser you just created.
  • In the next blank, "ldap_memberattribute:", you are telling Moodle the name of the attribute in the LDAP server where it can find group membership information.  In Active Directory, this is: memberOf
  • The next blank is "ldap_creators:".  In this blank, enter in the Active Directory groups (in LDAP style, of course) who should be imbued with the power to create courses.  If you're like me, all of the groups are located in the "Users" folder.  So, for example, to give your teachers who are members of the "Teachers" group the power to create courses, you would enter: cn=Teachers,cn=Users,dc=myorganization,dc=com
  • I have left "ldap_create_context:" blank.  From my reading, Moodle can create users via LDAP in a particular location you specify here.  Since I want to do all user account creation myself in Active Directory, I've left this blank.
  • The next series of optional blanks involve inputting the name of the attribute in LDAP corresponding to the information requested.  If you put these in with the proper capitalization that's in Active Directory, it doesn't seem to work.  It appears that they need to be lowercase.  So, that said, they are:

Firstname: givenname
Lastname: sn
Email address: userprincipalname or mail
Phone 1: telephonenumber
Phone 2: othertelephone
Address: streetaddress
City/town: l (that's the letter l)
Country: c
Description: description
ID number: useraccountcontrol

I don't see anywhere in Active Directory where language is stored, so I just typed "English" in the blank.  For the email address, if your Active Directory domain matches your email address, you can just use userprincipalname.  For example, if your Active Directory is myorganization.com and your email addresses are username@myorganization.com, then userprincipalname will be fine.  If they're not the same, then enter the email addresses into the "E-mail:" blank on the "General" tab of the user's "Properties," and you should be set.

Also, I don't store ID numbers in Active Directory, so I just set it to useraccountcontrol, which, I think, is a unique number given to each user account.  You could just as well leave that blank uncompleted.

With all of this, I have noticed something . . . whether it's a bug or a "behaves as expected," I'm not sure.  If you enter in the data in the various fields (I think particularly the email field), the user is not prompted to edit his/her profile as under the email confirmation method.  The user is simply logged in and whatever information in Active Directory is transferred.

Give it a shot and see if it works!

Kyle

In reply to Kyle Jones

Re: LDAP, Active Directory, and Missing Info

by Chris Weber -
Thanks for this extremely helpful guide to using LDAP and AD. Even though it explains how to get it to work specifically for Moodle, it has helped me understand LDAP greatly.

In addition to what's posted above, I offer more tips and tricks.

1. ADSI: Active Directory Service Interface, It can be used to inspect your active directory domain controller to look up the exact LDAP location of a particular Organizational unit, folder, user, or any other LDAP (AD) object.

To get it just install all of the Windows 2000 Support tools that come with the Windows 2000 installation disk. I think they can be found in the Support/Tools folder.

After you install them you can open an mmc with the ADSI edit module in place and connect to your domain controller using the . format that Kyle spells out above.

Once connected you should be able to see the Domain NC that contains all Active Directory objects. You'll be able to find what you're looking for in there, open the properties of that object and copy its LDAP location so that you can paste it into the authentication configuration page.

For example:
I needed to copy three locations into my ldap_contexts box. I used the ADSI Edit mmc to find them and right-clicked them to get to their properties. The first one was two organizational units deep. Its path was LDAP://./OU=Staff,OU=Alton,DC=alton,DC=calc4it,DC=com. I copied everything after the LDAP://./ which was OU=Staff,OU=Alton,DC=alton,DC=calc4it,DC=com and pasted it into the box, appended a semicolon and found the other two locations I needed.

Is that helpful?
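The two posts above describe the same manual procedure: take the DNs that ADSI Edit shows (stripping the "LDAP://./" prefix), join them with semicolons into ldap_contexts, and fill the other Moodle LDAP fields with the AD attribute names. The following Python script is an added example, not code from the thread or from Moodle, that automates and sanity-checks that assembly offline. The check for an "ou=Users" component (the built-in Users folder is a container, so it is cn=Users) and the lowercasing of the profile attribute names come straight from Kyle's notes; the cleartext-bind warning for plain ldap:// and the check that the bind account is not the built-in Administrator are my own additions, as is the assumption that ldaps:// is available on the domain controller. All DNs and hostnames in the sample run are the thread's own examples or constructed.

```python
"""Assemble and sanity-check Moodle 'Use an LDAP server' settings for Active Directory.

Added example; not part of Moodle or of the forum thread. The field names follow
the Moodle settings page quoted in the thread (ldap_host_url, ldap_contexts, ...).
"""
import re
from typing import Dict, List

# ADSI Edit displays objects as "LDAP://./<dn>" (or "LDAP://<server>/<dn>");
# Moodle wants only the <dn> part, so this prefix is stripped.
ADSI_PREFIX = re.compile(r"^ldap://[^/]*/", re.IGNORECASE)
# One RDN: attribute type, "=", non-empty value (spaces allowed, e.g. "cn=Moodle Binder").
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

# AD attribute names for the optional profile fields, as reported in the thread.
# They are lowercased in build_settings() because that is what was found to work.
AD_PROFILE_ATTRIBUTES: Dict[str, str] = {
    "firstname": "givenName",
    "lastname": "sn",
    "email": "userPrincipalName",
    "phone1": "telephoneNumber",
    "phone2": "otherTelephone",
    "address": "streetAddress",
    "city": "l",
    "country": "c",
    "description": "description",
}


def adsi_path_to_dn(path: str) -> str:
    """Return the bare DN from an ADSI Edit path; a bare DN is returned unchanged."""
    return ADSI_PREFIX.sub("", path.strip())


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (backslash escapes as in RFC 4514)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape pairs such as "\," intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def check_dn(dn: str) -> List[str]:
    """Return problems with a DN that would make Moodle's search or bind fail."""
    problems = []
    rdns = split_dn(dn)
    for rdn in rdns:
        if not RDN_RE.match(rdn):
            problems.append(f"malformed RDN {rdn!r} in {dn!r}")
    if not any(r.lower().startswith("dc=") for r in rdns):
        problems.append(f"{dn!r} has no dc= components; an AD DN ends in the domain's dc= parts")
    if any(r.lower() == "ou=users" for r in rdns):
        problems.append(f"{dn!r}: the built-in Users folder is a container, write cn=Users not ou=Users")
    return problems


def build_settings(host_url: str, adsi_context_paths: List[str], bind_dn: str,
                   creator_group_dns: List[str], search_sub: bool = True) -> Dict[str, str]:
    """Produce the Moodle LDAP settings as the thread describes filling them in."""
    contexts = [adsi_path_to_dn(p) for p in adsi_context_paths]
    settings = {
        "ldap_host_url": host_url,
        "ldap_contexts": ";".join(contexts),
        "ldap_user_attribute": "sAMAccountName",   # users log in with their Windows username
        "ldap_search_sub": "1" if search_sub else "0",
        "ldap_bind_dn": adsi_path_to_dn(bind_dn),
        "ldap_memberattribute": "memberOf",
        "ldap_creators": ";".join(adsi_path_to_dn(g) for g in creator_group_dns),
    }
    settings.update({field: attr.lower() for field, attr in AD_PROFILE_ATTRIBUTES.items()})
    return settings


def check_settings(settings: Dict[str, str]) -> List[str]:
    """Return warnings about the assembled settings (empty list means all checks passed)."""
    warnings = []
    url = settings["ldap_host_url"]
    if not re.match(r"^ldaps?://", url, re.IGNORECASE):
        warnings.append("ldap_host_url must start with ldap:// (or ldaps://)")
    elif url.lower().startswith("ldap://"):
        # Added caveat: a simple bind over plain ldap:// sends ldap_bind_pw in cleartext.
        warnings.append("plain ldap:// sends the bind password in cleartext; use ldaps:// if the DC offers it")
    dns = settings["ldap_contexts"].split(";") + settings["ldap_creators"].split(";")
    for dn in (d for d in dns if d):
        warnings.extend(check_dn(dn))
    warnings.extend(check_dn(settings["ldap_bind_dn"]))
    # Added heuristic: the bind account only needs to read the directory (the thread notes
    # it need not be a Domain Admin), so the built-in Administrator is a poor choice.
    if split_dn(settings["ldap_bind_dn"])[0].lower() == "cn=administrator":
        warnings.append("bind account is the built-in Administrator; use a dedicated low-privilege account")
    return warnings


if __name__ == "__main__":
    # Sample run using the thread's myorganization.com example plus one ADSI-style path.
    sample = build_settings(
        "ldap://myserver.myorganization.com",
        ["LDAP://./OU=Students,DC=myorganization,DC=com", "cn=Users,dc=myorganization,dc=com"],
        "cn=MoodleUser MoodleUser,cn=Users,dc=myorganization,dc=com",
        ["cn=Teachers,cn=Users,dc=myorganization,dc=com"],
    )
    for name, value in sample.items():
        print(f"{name}: {value}")
    for warning in check_settings(sample):
        print("WARNING:", warning)
```

Running it prints each setting ready to paste into the Authentication page, followed by a single warning about the plain ldap:// URL; feeding it a context that was broken across a line (such as an RDN with no "=" in it) produces a "malformed RDN" warning before anything is pasted into Moodle.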
In reply to Kyle Jones

Re: LDAP, Active Directory, and Missing Info

by Ian Scott -

Thanks Kyle - great info.

I can now verify against AD but I run a parent domain (for staff) and a child domain (for students) - has anyone got this working?

I can verify against staff domain or against child domain but not both at the same time.

I have been running AUC and a program called Samba but staff have to put in their domain before their name eg staff-aname and student have to do the same thing student-aname and this works. I fear that Moodle will only work in one domain which has student and staff in different OUs.

Cheers Ian

In reply to Kyle Jones

Another LDAP, Active Directory installation...

by Bobby Hendricks -

Greetings from The American School of The Hague. I just completed a new Moodle installation on Windows 2003 Server. All seems well except for user authentication against one of our two Active Directory domain controllers (clustered into one virtual server, so I'm pointing toward an actual controller rather than the virtual domain controller). Any help appreciated.

Error received:
Fatal error: Call to undefined function: ldap_connect() in c:\program files\easyphp1-7\www\auth\ldap\lib.php on line 412
(Luckily I can still get in through my moodle admin credentials)

I am eager and excited to get this installation one up and running as it will replace our MS Class Server installation (our first pilot program for MS - flopped due to MS pulling out) .

********** Settings details********
Note: All AD values obtained using ADSI Edit utility to avoid errors from my clumsy fingers :>)
Also, I could attach a screen-grab of our Active Directory schema if helpful.

ldap_host_url: ldap://ash02.ash.nl

ldap_version: 3

ldap_contexts: OU=Teachers,OU=Staff,OU=ASH,DC=ash,DC=int;OU=IT Department,OU=Staff,OU=ASH,DC=ash,DC=int;OU=Students,DC=ash,DC=int

ldap_user_attribute: sAMAccountName

ldap_objectclass: *

ldap_search_sub: 2

ldap_bind_dn: CN=Moodle Binder,CN=Users,DC=ash,DC=int

ldap_bind_pw: (valid password)

ldap_memberattribute: memberOf

ldap_creators: CN=Teachers,OU=Security groups,OU=ASH,DC=ash,DC=int;CN=HS_Teachers,OU=Security groups,OU=ASH,DC=ash,DC=int;CN=ES_teachers,OU=Security groups,OU=ASH,DC=ash,DC=int;OU=IT Department,OU=Staff,OU=ASH,DC=ash,DC=int;OU=Teachers,OU=Staff,OU=ASH,DC=ash,DC=int

**note: I wasn't sure if these needed to be security groups or not so I included security and other groups where teachers and IT staff are members)

ldap_create_context: (left blank)

In reply to Bobby Hendricks

Re: Another LDAP, Active Directory installation...

by Chris Thompson -

Hello, I am getting the same problem.

I am using the EasyPHP package and I have read some of the other forums and they just say edit the php.ini file and it will work.

WELL IT DOESN'T. Very frustrating as I would really like it to tie in with my Active Directory for the school network.

Please HELP?

In reply to Bobby Hendricks

Re: Another LDAP, Active Directory installation...

by Martín Langhoff -
"Call to undefined function: ldap_connect()"

This means the ldap php extension is not there, or is not configured in php.ini. Talk to your sysadmin.
In reply to Martín Langhoff

Re: Another LDAP, Active Directory installation...

by Bobby Hendricks -
>> "Call to undefined function: ldap_connect()"
>> This means the ldap php extension is not there, or is not configured in php.ini.
>> Talk to your sysadmin

Thanks for your post. The sysadmin is me. While I'm certainly not a UNIX or PERL coder (even by a loose definition) I can usually wade through code slowly and carefully provided I have some idea of what I should be looking for. If you could give me a few tips I would be happy to undertake this safari. FYI: I installed this system via EasyPHP on top of Windows 2003 Server. Any help very much appreciated :>) Thanks
In reply to Martín Langhoff

Re: Another LDAP, Active Directory installation...

by Chris Thompson -

Yes, I'm the sysadmin. I'm using EasyPHP and I've edited the php.ini and I've taken the ; out for the line for php_ldap.dll.

In reply to Chris Thompson

Re: Another LDAP, Active Directory installation...

by Chris Thompson -
All sorted. After a few hours' work I have found out that I had to copy libeay32.dll and ssleay32.dll into the system folder.
In reply to Chris Thompson

Re: Another LDAP, Active Directory installation...

by Bobby Hendricks -

Thanks for your post.

Like you mentioned, I edited the PHP.INI and removed the ; before the php_ldap.dll and then I copied the files libeay32.dll and ssleay32.dll into the system folder of the server (C:\windows\system32)

Still receiving the same error as below...

Fatal error: Call to undefined function: ldap_connect() in c:\program files\easyphp1-7\www\auth\ldap\lib.php on line 412

Another user (Martin) posted:
"This means the ldap php extension is not there, or is not configured in php.ini. Talk to your sysadmin."

Well, that's me and I'm hoping to find out how to tell if the php.ini is configured properly.

Thanks for any help :>)
In reply to Martín Langhoff

Re: Another LDAP, Active Directory installation...

by Sean Keogh -
You did restart the web server, yes?  If not, PHP won't pick up the change.  Well, that's the way it works with Apache anyway...


Sean K Beardie
In reply to Sean Keogh

I got those "moodle ain't workin' wid my Active Directory LDAP bluuuuues...."

by Bobby Hendricks -
Thanks for your post.

I did restart Apache as well as EasyPHP, et al. No joy :>(

About ready to just implement e-mail authentication (need to get up and going). Also, I (think?) I understand that the LDAP authentication is simply for first-time user creation and after that all users will be authenticated against Moodle database. If this is indeed the case then user changes of pwd in Active Directory (my LDAP) will not be reflected in moodle and, if so, then what's the point? Without implementing a zone integration server and not knowing if moodle is supports schools interoperability framework (SIF) then I may just be spinning my wheels when I really need to 'get movin'.

Even so...moodle via e-mail authentication is still an improvement over my previous trial edition of MS Class Server. I think we'll just get going and see what this beast can do before I try any further with the LDAP authentication. I have some teachers eager to put this into their students' hands ASAP. I don't want to lose their enthusiasm for the sake of having LDAP authentication.

Any other tips on LDAP authentication (or the purpose of life in general) are much appreciated...

Bobby
The Hague
In reply to Bobby Hendricks

Re: I got those "moodle ain't workin' wid my Active Directory LDAP bluuuuues...."

by Petri Asikainen -
That's not true, passwords are always checked against LDAP.


Cheers,
Petri

---
If you'd like to use commercial support to get your environment LDAP-working, please contact me. petri.asikainen at moodlepalvelut.fi
---
In reply to Martín Langhoff

Re: Another LDAP, Active Directory installation...

by arvind grover -
I am trying to work through the same thing right now. I read on PHP.net that this can be caused because LDAP was not compiled with the version of PHP that you are running. Take a look at their documentation for help, particularly the "Requirements" section.

In reply to Bobby Hendricks

Re: Another LDAP, Active Directory installation...

by Chris Thompson -

Do a search for these files, libeay32.dll and ssleay32.dll, in your c:\program files\easyphp1-7\   folder.

when found copy them into the system or system32 folder.

In reply to Chris Thompson

Re: Another LDAP, Active Directory installation...

by Bob McLellan -

I had similar problems with this. We are using XAMPP from Apache Friends rather than EasyPHP but it seems pretty similar. After a lot of messing around I ran a script with phpinfo() in it and found the path to the correct php.ini file. For some reason there was more than one of these and I had been changing the wrong one. Also there is a file php_ldap.dll which needs to be in your win\system32 folder.

Hope this is of use.

In reply to Kyle Jones

Re: LDAP, Active Directory, and Missing Info

by Barney Grice -
Great howto; very useful.

I have Moodle set up on Linux (Apache 2.0, PHP4, MySQL) with a Windows 2000 AD. Following the directions given allowed me to get authentication to my AD up and running in next to no time.

However, the ldap_creators field does not seem to be working as it should; nobody can create courses, even if they are in the appropriate AD group.

I have used ADSI edit to validate my LDAP paths, and have even created a new group "Teachers" in the "users" container in AD to match Kyle's setup exactly, to no avail.

Does anybody have any idea how to troubleshoot this?

Many Thanks,

Barney.
In reply to Barney Grice

Re: LDAP, Active Directory, and Missing Info

by Barney Grice -
So, I thought I'd reply to myself as I have some more information and no longer require a response, but the info might be useful to someone.

My first attempt was in a simplified lab, where my AD and Exchange (both 2000) were all running on a single server. This is not best practice, but hey, it's a lab. Anyway, I just couldn't get the ldap_creators working.

I have subsequently tried this in a much more extensive lab, with multiple Windows 2003 DCs and multiple domain member Exchange 2003 servers, and ldap_creators works just fine.

Now, that's all I have to go on, and am speculating wildly, but maybe there's an issue with ldap_creators or even ldap_memberattribute if Exchange is running on the DC?

Anyway, as I said, I thought it might help someone, someday!

Barney.