LDAP Auto enrollment

by Chet Williams -
Number of replies: 58
Hi,
I'm using LDAP for authentication and want to use autoenrollment. I think I have a grasp of the basics but I am having a problem with the terminology. The uid for MS Active Directory that must match Moodle's uid: can these be directly identified? I think the uid for MS Active Directory would be sAMAccountName? What would be the Moodle uid? If users are auto-enrolled, isn't the Moodle ID taken from Active Directory?
Chet
In reply to Chet Williams

Re: LDAP Auto enrollment

by Iñaki Arenaza -
Have a look at this LDAP enrollment HOWTO.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Chet Williams -
Hi,
I have a couple of questions though: is a posixGroup a security or distribution group?
Active Directory only lets me create one group with the same name. Can't create math101 twice in two separate OUs.
Thanks for your help.

Chet
In reply to Chet Williams

Re: LDAP Auto enrollment

by Iñaki Arenaza -
I guess the problem is the Enrol LDAP Howto is not using MS AD objects and names, but POSIX ones (OpenLDAP et al.).

So you have to use 'member' (instead of memberUid) for any *_memberattribute that appears in the Howto, and use 'group' (instead of posixGroup) for the objectclass values.

You can create the same group in different OUs as long as they have a different pre-Windows 2000 name (their saMAccountName).

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Chet Williams -
Thanks for the info. I made the changes that you recommended but courses are still not being created. Not sure where my mistake is; any suggestions?

Chet
In reply to Chet Williams

Re: LDAP Auto enrollment

by Iñaki Arenaza -
Are you running moodle/enrol/ldap/enrol_ldap_sync.php from the command line? If not so, courses will be created when users log in and their enrolled courses don't exist.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Chet Williams -
Hi. Thanks for your help. When I run the enrol_ldap_sync.php from the command line I get the following errors:
line 1 ?php: No such file or directory   (I am in the ldap directory with execute rights)
line 3: syntax error near unexpected token '_SERVER['GATEWAY_INTERFACE']'
line 3: 'if(empty($_SERVER['GATEWAY_INTERFACE'])){'

Any ideas?

Chet
In reply to Chet Williams

Re: LDAP Auto enrollment

by Iñaki Arenaza -
How do you run that file? You should run it like this:

    php -f enrol_ldap_sync.php

(assuming php.exe is in your execution path, and that your working directory is ...moodle/enrol/ldap/).

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Chet Williams -
I wasn't running it properly. When I ran it as stated above the courses were created but no students or teachers were enrolled. Error was could not find user then CN=userid, OU=Name of ou, DC= name, DC= name, skipping for all students and teachers. But if I log in as a student or teacher using LDAP auth the users are created but not enrolled. One other thing is I tried to change the bind user and it keeps going back to the original.

Thanks for all your help.
Chet
In reply to Chet Williams

Re: LDAP Auto enrollment

by Iñaki Arenaza -
Maybe you should tell us your LDAP setup for the courses (which OUs you use, which groups, etc). You can mask your data in the examples, but put the real structure here.

Then paste your LDAP enrolment configuration settings, and a few of the errors you get when you run the sync script. Again, mask your data as much as you want, but keep the syntax and structure of it, so we can make sense of it.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Chet Williams -
Sorry I had to do this directly couldn't cut and paste in reply.

I am trying to run a test of the ldap howto. The OU's are the same as
the example,  studentEnrollment, teacherEnrollment with groups for Math
and english in each. Test teachers and students as per the ldap
autoenrol howto.

LDAP server

ldap_host url: ldap://server ip
ldap_version: 3

ldap_preventpassindb: yes
ldap_bind_dn: CN=user,ou=TestMoodle,DC=domain,DC=local
ldap_bind_pw: *******
ldap_user_type: MS ActiveDirectory
ldap_contexts: OU=TeacherEnrollment,DC=domainDC=local;OU=StudentEnrollment,DC=domain,DC=local
ldap_search_sub: Yes
ldap_opt_deref: NO

ldap_user_attribute: sAMAccountName
ldap_memberattribute:
ldap_objectclass:

DataMapping

First Name: givenName
Last Name: sn

ID number: SAMAccountName

Enrollment settings

LDAP Server
enrol_ldap_host: ldap://ipaddress_of_LDAP_Server
enrol_ldap_version: 3
enrol_ldap_bind_dn: cn=username,OU=container,DC=domain,DC=local
ldap_bind_pw: *************
ldap_search_sub: Yes

Student enrolment settings
enrol_ldap_student_contexts: ou=StudentEnrollment,DC=domain,DC=local;ou=TeacherEnrollment,DC=domain,DC=local
enrol_ldap_student_memberattribute: member

Teacher enrolment settings
enrol_ldap_teacher_contexts: ou=TeacherEnrollment,DC=domain,DC=local
enrol_ldap_teacher_memberattribute: member

Course enrolment settings
enrol_ldap_objectclass: group
enrol_ldap_course_idnumber: cn
Update local data: Yes
Lock value: Yes

enrol_ldap_course_shortname: cn
Update local data: Yes
Lock value: Yes
enrol_ldap_course_fullname: description
Update local data: Yes
Lock value: Yes
enrol_ldap_course_summary: description
Update local data: Yes
Lock value: Yes

Automatic course creation settings
enrol_ldap_autocreate: Yes
enrol_ldap_category: AutoEnrol
enrol_ldap_template:

General Options
enrol_allowinternal: not checked

In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Chet Williams -
Sorry I had to do this directly couldn't cut and paste in reply.

I am trying to run a test of the ldap howto. The OU's are the same as
the example, studentEnrollment, teacherEnrollment with groups for Math
and english in each. Test teachers and students as per the ldap
autoenrol howto.

LDAP Auth Settings

ldap_host url: ldap://server ip
ldap_version: 3

ldap_preventpassindb: yes
ldap_bind_dn: CN=user,ou=TestMoodle,DC=domain,DC=local
ldap_bind_pw: *******
ldap_user_type: MS ActiveDirectory
ldap_contexts: OU=TeacherEnrollment,DC=domainDC=local;OU=StudentEnrollment,DC=domain,DC=local
ldap_search_sub: Yes
ldap_opt_deref: NO

ldap_user_attribute: sAMAccountName
ldap_memberattribute:
ldap_objectclass:

DataMapping

First Name: givenName
Last Name: sn

ID number: SAMAccountName

Enrollment settings

LDAP Server
enrol_ldap_host: ldap://ipaddress_of_LDAP_Server
enrol_ldap_version: 3
enrol_ldap_bind_dn: cn=username,OU=container,DC=domain,DC=local
ldap_bind_pw: *************
ldap_search_sub: Yes

Student enrolment settings
enrol_ldap_student_contexts: ou=StudentEnrollment,DC=domain,DC=local;ou=TeacherEnrollment,DC=domain,DC=local
enrol_ldap_student_memberattribute: member

Teacher enrolment settings
enrol_ldap_teacher_contexts: ou=TeacherEnrollment,DC=domain,DC=local
enrol_ldap_teacher_memberattribute: member

Course enrolment settings
enrol_ldap_objectclass: group
enrol_ldap_course_idnumber: cn
Update local data: Yes
Lock value: Yes

enrol_ldap_course_shortname: cn
Update local data: Yes
Lock value: Yes
enrol_ldap_course_fullname: description
Update local data: Yes
Lock value: Yes
enrol_ldap_course_summary: description
Update local data: Yes
Lock value: Yes

Automatic course creation settings
enrol_ldap_autocreate: Yes
enrol_ldap_category: AutoEnrol
enrol_ldap_template:

General Options
enrol_allowinternal: not checked

In reply to Chet Williams

Re: LDAP Auto enrollment

by Iñaki Arenaza -
Ok, the problem's in the code. I've just set up a test environment and tested it a bit, dumping some information on the screen.

The problem is the find_ext_enrolments() function. It receives a $memberuid parameter with the idnumber of the user, and uses it to search the groups where a member of the groups matches that idnumber value. But it uses the value as is, which in the case of Active Directory doesn't work, because AD uses the full DN of the user in the member attribute, and not just the CN.

So unless you patch ldap/enrol.php, you won't go very far with Active Directory and LDAP enrollment.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Iñaki Arenaza -
Hummm, there is a workaround for this, but I'm not sure about the consequences if you use auth_ldap_sync.php and/or enrol_ldap_sync.php (I haven't had a look at them).

You can map Moodle's ID number field to AD's 'distinguishedName' attribute. This way, you have a fully qualified DN value in Moodle, and the search works.

One note though: ID Number is just 64 characters wide, so if your AD users' 'distinguishedName's are longer than that, you'll be in trouble.

Big Red Warning: I haven't tested all this with auth_ldap_sync.php and/or enrol_ldap_sync.php, so I offer no warranty at all.

Saludos. Iñaki.
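
The mismatch and the workaround described in the two posts above, as an added example (not Moodle's code and not something posted in this thread). The directory entries are constructed, the helper names are hypothetical, and the DN comparison is simplified; it also shows what a 64-character ID number column does to a long DN, and the filter escaping a DN needs once it is used as a search value.

```php
<?php
// Added illustration: constructed data and hypothetical helper names, not Moodle code.

// Constructed users (login => DN). Ann's CN contains a comma, which AD escapes
// with a backslash inside the DN.
$users = [
    'jdoe'       => 'CN=jdoe,OU=Students,DC=domain,DC=local',
    'asmith'     => 'CN=Smith\\, Ann,OU=Students,DC=domain,DC=local',
    'mfernandez' => 'CN=Maria Fernandez,OU=Year 11,OU=Students,OU=Campus North,DC=domain,DC=local',
];

// AD 'group' objects list full DNs in 'member'; rfc2307 'posixGroup' objects
// list bare login names in 'memberUid'.
$adGroups = [
    ['cn' => 'math101',    'member' => [$users['jdoe'], $users['asmith'], $users['mfernandez']]],
    ['cn' => 'english101', 'member' => [$users['jdoe']]],
];
$posixGroups = [
    ['cn' => 'math101', 'memberUid' => ['jdoe', 'asmith', 'mfernandez']],
];

// Simplified comparison key: case-insensitive, no spaces around ',' and '='.
function dn_key(string $value): string
{
    return strtolower(preg_replace('/\s*([,=])\s*/', '$1', trim($value)));
}

// Emulates an equality search such as (member=<value>): returns the cn of
// every group whose $attr holds $value.
function groups_for(array $groups, string $attr, string $value): array
{
    $found = [];
    foreach ($groups as $group) {
        $keys = array_map('dn_key', $group[$attr] ?? []);
        if (in_array(dn_key($value), $keys, true)) {
            $found[] = $group['cn'];
        }
    }
    return $found;
}

// RFC 4515 escaping for a value placed inside a search filter. A DN such as
// "CN=Smith\, Ann,..." carries a backslash that must become \5c.
function filter_escape(string $value): string
{
    return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

// Builds the group search filter for one member value.
function member_filter(string $objectclass, string $attr, string $value): string
{
    return sprintf('(&(objectclass=%s)(%s=%s))', filter_escape($objectclass), $attr, filter_escape($value));
}

function show(array $cns): string
{
    return $cns ? implode(', ', $cns) : '(none)';
}

$idnumberWidth = 64; // width of the ID number field quoted in the thread

foreach ($users as $login => $dn) {
    // What a 64-character column keeps of the DN (strlen counts bytes; the sample DNs are ASCII).
    $stored = substr($dn, 0, $idnumberWidth);

    printf("%s (DN length %d)\n", $login, strlen($dn));
    printf("  posixGroup, memberUid = login    : %s\n", show(groups_for($posixGroups, 'memberUid', $login)));
    printf("  AD group, member = login         : %s\n", show(groups_for($adGroups, 'member', $login)));
    printf("  AD group, member = full DN       : %s\n", show(groups_for($adGroups, 'member', $dn)));
    printf("  AD group, member = stored value  : %s\n", show(groups_for($adGroups, 'member', $stored)));
    printf("  filter for the full DN           : %s\n", member_filter('group', 'member', $dn));
}
```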
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by A. H. -
Well, I fell into the problem :). Has anyone been in this situation before? I changed the idnumber field in the database to 255 instead of 64 but even so, it is only being filled with 64 characters. Is the problem in the function filling this field?

Thank you for any help!
amer
In reply to A. H.

Re: LDAP Auto enrollment

by Dan Marsden -
hi there,

you will also need to change it in lib\moodlelib.php

Mdl_user -> idnumber varchar(64) to varchar(255)

:)

Dan
In reply to Dan Marsden

Re: LDAP Auto enrollment

by A. H. -
Thank you Dan. I also did the same in the following file: auth ->ldap->lib.php

amer
In reply to A. H.

Re: LDAP Auto enrollment

by Steve Power -

I am trying to get LDAP enrolment to work in 1.6+ with AD but having problems.

Is it still the case that I have to either hack the find_ext_enrolments() function or extend the fieldlength in the database and hack two lib.php files?

Regards
Steve

In reply to Steve Power

Re: LDAP Auto enrollment

by Ryan Thomas -
All I had to do was implement the one line hack/patch suggested here:

http://moodle.org/bugs/bug.php?op=show&bugid=5882

It's a single line in the file course/enrol.php.

But beware the warning in the comments.

I did extend the length of my idnumber field (and the two lib php files), but, looking at my idnumber column, I don't think I needed it. None of my idnumber values are greater than 64.
In reply to Ryan Thomas

Re: LDAP Auto enrollment

by Steve Power -

Thanks for this. I will have to extend mine as our values go beyond 127 chars.

Regards
Steve

In reply to Ryan Thomas

Re: LDAP Auto enrollment

by Steve Power -

Ryan

I have a problem now when I run auth_ldap_sync_users.php. All of my users are deleted and then revived. This does not cause too much problem for students as running enrol_ldap_sync.php re-enrols them in their courses. Unfortunately I cannot use the same enrolment process to assign teachers so the net result is that all my teachers are removed. Do you see this problem in your setup?

Iñaki has identified the problem as being related to the non use of sAMAccountName in this post http://moodle.org/mod/forum/discuss.php?d=40111&parent=185569.

Overall this leaves me wondering if anyone is actually using LDAP authentication and enrolment with Microsoft Active Directory as the process does not seem to match AD fields and is prescriptive of the way data is stored in AD.

I will keep puzzling to see if I can work out a way to resolve this

Regards
Steve

In reply to Steve Power

Re: LDAP Auto enrollment

by Iñaki Arenaza -
"Unfortunately I cannot use the same enrolment process to assign teachers so the net result is that all my teachers are removed."

Why not? If I remember correctly, enrol_ldap_sync.php assigns both students and teachers.

On the other hand, the "trick" to use LDAP enrolment with Active Directory (using the distinguishedName as the ID number of the users) breaks auth_ldap_sync.php, as you have already seen. I warned about this (in big red bold face) in a couple of the threads (and this is one of them), but it seems nobody noticed :(

Currently the LDAP enrolment code only works for rfc2307 compatible LDAP servers (Novell eDir and OpenLDAP, where it was developed, AFAIK) and the trick mentioned above is just a "dirty hack" to make it work. But it's not a real fix, as it breaks other things (the *_ldap_sync.php scripts).

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Steve Power -

Iñaki

Thank you for this reply. I did see the big red warning so I am only experimenting on my development server at the moment.

I cannot use the enrolment for teachers since it requires a group with the same name as the student group but in a different OU. Our AD is already well established and all groups are stored in a single OU with different names for staff groups and student groups. Unfortunately the configuration settings within Moodle do not have sufficient flexibility to fit in with an established directory system that cannot be changed to suit one element of our complete MLE, network telephone system etc.

I am now looking into rewriting the enrol_ldap_sync.php matches to see if I can match distinguished name as returned by AD for group membership to another field in mdl_users so that I can keep sAMAccountName in idnumber. A rather challenging first PHP project.

Regards
Steve

In reply to Steve Power

Re: LDAP Auto enrollment

by Ryan Thomas -
I had seen this with the students, but hadn't noticed with teachers -- I am not using LDAP for teacher assignment...though I hope to eventually.

Not pretty. :\ (The distinguishedName v sAMAccountName issue.)

For now, I will try to use the sync script only between semesters to clear out the old accounts.

As always, thanks to Inaki, Martin and other PHP programmers (not me) for all their efforts in development and assistance.
In reply to Steve Power

Re: LDAP Auto enrollment

by Iñaki Arenaza -
"Is it still the case that I have to either hack the find_ext_enrolments() function or extend the fieldlength in the database and hack two lib.php files?"

I'm afraid it is.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Kevin Lawry -
Just a thought, I have not tried it, but could you map Moodle's ID number to Microsoft's objectGUID? That should be unique, and small enough to use without having to tweak/hack the other files (it's a binary rather than a text string - that might cause other issues I guess).
 
Kevin
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Jinxing Chen -

Hi, Iñaki Arenaza

Is it quite safe to run moodle/enrol/ldap/enrol_ldap_sync.php at any time? Even at busy times?

In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by A. H. -
Hi all,
So what I understand is that I should create 2 different OUs, 1 for teachers and 1 for students, and create the courses inside each OU. I will end up having the same group names. You say this can be done if they have a pre-Windows 2000 name.

My question:

Can someone just check if what I understood is correct, coz I want to face the person responsible for LDAP and I wanna be sure I am on the right track.

Thank you all for your help and wish me luck :)
In reply to A. H.

Re: LDAP Auto enrollment

by Iñaki Arenaza -
"I will end up having same group names. You say this can be done if they have a pre windows 2000 name"

They need to have a different pre-windows 2000 name (sAMAccountName attribute).

Just like the examples in the image.

Saludos. Iñaki.




Attachment groups.jpg
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by A. H. -

Thank you a lot, this made things very clear.

I have another question:

Every course has around 30 students and only 1 teacher. Is it logical to create 1 group having 1 teacher's name only? This is what Moodle requires? There's no other way? Thank you for your reply and advice.

In reply to A. H.

Re: LDAP Auto enrollment

by Iñaki Arenaza -
"This is what Moodle requires? There's no other way?"

Yes, this is what Moodle requires. I don't know another way to do it.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by A. H. -

I have done everything you clarified. I added a demo student to a demo course. When I logged in using the student account, and clicked the course's name, it says: This course doesn't allow internal enrollment. So I think the connection between Moodle and LDAP is still not there yet. Any hints?

Please correct me if I am wrong:

if a student is already added inside a group, which is in this case the course, once he logs in he should see the course's title, right?

Thank you in advance

In reply to A. H.

Re: LDAP Auto enrollment

by Iñaki Arenaza -
It should, but have a look at what I say here http://moodle.org/mod/forum/discuss.php?d=39549#186178 and here http://moodle.org/mod/forum/discuss.php?d=39549#186185

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Mostafa Itani -

Hi Inaki,

I do have the following settings, and I am still stuck. Do you have any way around this, or can you point out to me where my error is?

enrol_ldap_version:3

enrol_ldap_bind_dn:moodle1@win2k.aub.edu.lb

ldap_bind_pw: test

enrol_ldap_student_contexts:ou=allgroups,ou=security groups,ou=resource groups,ou=aub resources groups,ou=aubrg-acc,dc=win2k,dc=aub,dc=edu,dc=lb

enrol_ldap_student_memberattribute:memberUid

Course enrolment settings

enrol_ldap_objectclass: Group

enrol_ldap_course_idnumber:cn

enrol_ldap_autocreate: Yes

Moreover the authentication is working fine with "enrol_ldap_bind_dn:moodle1@win2k.aub.edu.lb". I have also tested using the absolute path "cn=moodle1,ou=allusers,dc=win2k,dc=aub,dc=edu,dc=lb" and I am still stuck.

Any suggestions for the above?

Mostafa Itani

In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by A. H. -
So the solution is to edit the PHP code? No other way? I should edit enrol_ldap_sync.php?
In reply to A. H.

Re: LDAP Auto enrollment

by Janne Mikkonen -
Here are my test server's settings (working ones, looong list, sorry ;) )

LDAP Auth settings:

ldap_host_url: ldap://server.janne.com
ldap_version: 3
ldap_preventpassindb: yes
ldap_bind_dn: cn=Ldap Browser,cn=Users,dc=janne,dc=com
ldap_bind_pw: ***********
ldap_user_type: MS ActiveDirectory
ldap_contexts: ou=opettajat,dc=janne,dc=com;ou=oppilaat,dc=janne,dc=com
ldap_search_sub: no
ldap_opt_deref: no
ldap_user_attribute: sAMAccountName
ldap_memberattribute: member
ldap_objectclass:

force change password: no
use standard... : no

ldap_expiration: no
ldap_expiration_warning: 10
ldap_expireattr:
ldap_gracelogins: no
ldap_greceattr:

ldap_create_context:
ldap_creators:

First name: givenName
Update local: On creation
Update external: never
Lock value: locked

Surname: sn
Update local: On creation
Update external: never
Lock value: locked

Email address: mail
Update local: On creation
Update external: never
Lock value: Unlocked

Phone1: telephoneNumber
Update local: On creation
Update external: never
Lock value: Unlocked

Phone2: mobile
Update local: On creation
Update external: never
Lock value: Unlocked

ID number: distinguishedName
Update local: On every login
Update external: never
Lock value: locked

LDAP enrolments settings:

enrol_ldap_host_url: ldap://server.janne.com
enrol_ldap_version: 3
enrol_ldap_bind_dn: cn=Ldap Browser,cn=Users,dc=janne,dc=com
enrol_ldap_bind_pw: **********
ldap_search_sub: no

enrol_ldap_student_contexts: ou=oppilaat,dc=janne,dc=com
enrol_ldap_student_memeberattribute: member

enrol_ldap_teacher_contexts: ou=opettajat,dc=janne,dc=com
enrol_ldap_teacher_memeberattribute: member

enrol_ldap_objectclass: group
enrol_ldap_course_idnumber: cn
update local data: no
lock value: no

enrol_ldap_course_shortname: cn
update local data: no
lock value: no

enrol_ldap_course_fullname: description
update local data: no
lock value: no

enrol_ldap_course_summary: info
update local data: no
lock value: no

enrol_ldap_autocreate: yes
enrol_ldap_category: misc
enrol_ldap_template:
enrol_allowinternal: checked

The only hack that I did was to change the database user table's idnumber field length to 255, nothing else (if you manage with the default length of 64 then you don't have to hack that either).

I'm using same value in course shortname and idnumber.

- Janne -
In reply to Janne Mikkonen

Re: LDAP Auto enrollment

by A. H. -
I have the same settings as you have. LDAP authentication is already up and running. LDAP server settings are both the same in authentication and enrollment.
I have the correct path for the enrol_ldap_student_contexts for students and teachers.
For enrol_ldap_teacher_memberattribute, I am using "member"
enrol_ldap_objectclass : group
enrol_ldap_course_idnumber: cn.

What I did is create a group in the Active Directory under the student OU and called it "course1". I added a student to it.
The same was done under the teacher OU.

I log in using the student id; when I find the course and click on the course, it says:
Manual enrolments are currently not enabled.

Step 2 was:
I created the course manually on Moodle. Then I logged in again, same message as above.
So I think the problem is that either LDAP and Moodle are not communicating concerning enrollment OR something wrong is going on when Moodle is checking the user logging in against the user found inside the group.

Any hints? I am unable to progress at all.
Thank you for your help.
In reply to A. H.

Re: LDAP Auto enrollment

by Janne Mikkonen -
Did you create this course manually? If you did, then you'll have to provide "idnumber" in course settings too ( under shortname there is a field for it and this should be same what LDAP is searching for which in your case is "course1").

- Janne -

In reply to Janne Mikkonen

Re: LDAP Auto enrollment

by A. H. -
Yes Janne. I created the course with the same id and everything. It's just that I have a feeling that Moodle and LDAP are not communicating on the enrollment level. I have a group having a user. The group's name is exactly the same as the name of the course I created on Moodle. The only thing that I am waiting to happen is to see the user inside the course on Moodle!!! This is not happening. Any hints?

Thank you for your help. I appreciate your support
In reply to A. H.

Re: LDAP Auto enrollment

by Ryan Thomas -

Just one thing for those of you running into ldap enrolment issues on v1.6.  If you've got LDAP authentication working and enrolment is eluding you, this bug set me back and the proposed "improper" fix resolved the issue for me.  http://moodle.org/bugs/bug.php?op=show&bugid=5882

I had tried everything in the above thread before finally trying this.  Hopefully, there'll be a "proper" fix soon.

In reply to Ryan Thomas

Re: LDAP Auto enrollment

by Colin Mackinlay -
Distilling all of the wisdom above has worked great for me with the latest release (1.6.1) and MS AD.

None of my distinguished names are over 63 characters (wow that was close) so I haven't had to hack any files.

Auto enrollment with LDAP including course creation works fine and when logging in as a user with LDAP I don't get asked to confirm enrolment as well.

It might be worth updating the HOWTO to reflect these changes (and also putting a note against the ID Number field in LDAP authentication to tell AD users to use distinguishedName and watch for the 64 char limit).

Colin
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Nicole Alvarez -

Hi Iñaki,

It seems you know a fair bit about enrolment with LDAP; I have some questions about it.

I have a Moodle that is working with LDAP authentication for students to log in to the platform.

Now my question is this: if I already have the courses created with a coding scheme that identifies them, I understand from what I have read in the forums that students would be enrolled by identifying some field in the LDAP database that matches the course code; that is, if the course has the code 001 as its identifier, the student, within the data delivered by the LDAP database, should carry some identifying field equal to 001, and with that the student would be enrolled in that course.

That is how LDAP auto-enrolment works.

Thanks in advance for your help

Greetings from Chile

In reply to Nicole Alvarez

Re: LDAP Auto enrollment

by Iñaki Arenaza -
Hi Nicole,

things are a bit more complicated than what you say. You need a very specific LDAP structure to represent teacher enrolments and student enrolments, using LDAP groups.

Have a look at this page for the specific details: http://docs.moodle.org/22/en/LDAP_enrolment

(Now in Spanish)

Hi Nicole,

things are a bit more complicated than you indicate. You need a particular structure in your LDAP to represent the teachers' enrolments and the students' enrolments, using LDAP groups for that.

Have a look at this page for more specific details: http://docs.moodle.org/22/en/LDAP_enrolment

Saludos.
Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Nicole Alvarez -

Hi Iñaki,

Thanks for the reply; actually I had already seen the link.

But if LDAP were configured to deliver the degree programme code, and in my Moodle I had one course per programme with that course identification code that LDAP is giving me, that would be enough to configure Moodle to receive that value and leave the student enrolled in that course.

The other thing is whether it is necessary to indicate the teacher, or whether it is not necessary if you only want to enrol the student in the course.

Thanks in advance for your reply,

Greetings from Chile

Nicole

In reply to Chet Williams

Re: LDAP Auto enrollment

by Jim Potter -

Had many problems with auto enrollment, but it just about works now.

The problem I am having is that the user is assigned to all courses as a teacher, even if they're not in the group for that course.

Any suggestions?

In reply to Jim Potter

Re: LDAP Auto enrollment

by Michael Tudor -

How do I change the field size for my MySQL database?

*EDIT*

I have opened up the moodle database using Webmin but it says there are too many tables to display, what is the table I need to open that has the ID field that needs to be changed to more than 64 characters?

In reply to Michael Tudor

Re: LDAP Auto enrollment

by Iñaki Arenaza -
The table in question is 'mdl_user', and the field is called 'idnumber';

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Michael Tudor -
Thanks. Being somewhat of a Linux and MySQL noob, how do I change the field in the table? Do I need to install the MySQL admin GUI or can this be done from the console (and what would be the console command)?
In reply to Michael Tudor

Re: LDAP Auto enrollment

by Iñaki Arenaza -

Open up a console and type:

    mysql -u root -p moodledb

You'll be prompted for the 'root' password (this is the MySQL root user, not the operating system root user). If the mysql root user doesn't have a password just press ENTER. 'moodledb' is the name of your Moodle database.

Once you are in, type the following query:

    ALTER TABLE mdl_user CHANGE COLUMN idnumber idnumber VARCHAR(255);

(if you want to widen the idnumber field to 255 characters).

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Colin McQueen -
Has this change been made in the latest release of 1.8?
In reply to Colin McQueen

Re: LDAP Auto enrollment

by Iñaki Arenaza -
As far as I know, it hasn't.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Eric Kulcyk -
Do you know if this bug has been in the latest release?

Eric
In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by Eric Kulcyk -
Do you know if this bug has been fixed in the latest release?

Eric
In reply to Eric Kulcyk

Re: LDAP Auto enrollment

by Iñaki Arenaza -

Yes, 1.9.x already has the idnumber field 255 characters wide.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Auto enrollment

by José Cruz -

Hi there

I'm a new one. José Cruz from Portugal.

(sorry for my English)

My situation: LDAP Windows Server 2003. Moodle 1.8

I have an OU container (schoolserver), with subOUs (students and teachers).

I have an OU (moodle) with subOUs (students and teachers) for Moodle groups.

I have LDAP authentication like that and working.

LDAP server settings

Host URL: ldap://minhaescola.servidorescola.local

Version : 3

LDAP encoding : utf-8

Bind Settings

Hide passwords: yes

Distinguished Name: CN=moodle esmcastilho,CN=Users,DC=minhaescola,DC=servidorescola,DC=local

password.

User lookup settings

User type: MS ActiveDirectory

Contexts: OU=SchoolServer,DC=minhaescola,DC=servidorescola,DC=local

search sub: yes

dereference alias: no

user attribute: sAMAccountName

Member attribute:

Member attribute uses dn:

Object class: user

Force change password

force: no

use standard: no

LDAP password expiration settings

expiration: LDAP

Enable user creation

create user externally: no

course creators

creators:

Cron synchronization script

Removed ext user: Full delete internal

first name: givenName

ID number: sAMAccountName

 

I can't say the same about enrol and I don't know why.

Here are my settings:

LDAP Server Settings

enrol_ldap_host_url: ldap://minhaescola.servidorescola.local

enrol_ldap_version: 3

enrol_ldap_bind_dn: CN=moodle esmcastilho,CN=Users,DC=minhaescola,DC=servidorescola,DC=local

ldap_bind_pw: *********

ldap_search_sub: yes

Role mapping

Teacher

LDAP contexts: OU=profs,OU=Moodle,DC=minhaescola,DC=servidorescola,DC=local

LDAP member attribute: member

students

LDAP contexts: OU=alunos,OU=Moodle,DC=minhaescola,DC=servidorescola,DC=local

LDAP member attribute: member

Course enrolment settings

enrol_ldap_objectclass: group

enrol_ldap_course_idnumber: cn, no, no

enrol_ldap_course_shortname: cn, no, no

enrol_ldap_course_shortname: cn, no, no

Automatic course creation settings

enrol_ldap_autocreate: yes

enrol_ldap_category: Geral

 

If anyone can help, please...

Best wishes from Portugal

In reply to José Cruz

Re: LDAP Auto enrollment

by Francisco Javier Serrano -
Exactly the same happens to me; does anyone know what it could be?
In reply to Francisco Javier Serrano

Re: LDAP Auto enrollment

by John Lohr -

Has anyone ever got LDAP enrollment really working with MS AD? I'm using Moodle 2.02 and still experiencing the same issues described here as far as I can tell. LDAP Authentication works fine, but none of the enrollment data in Active Directory seems to do anything. Auto Course creation doesn't create new courses listed in AD and if the user clicks on a course that matches one in AD, they get a "You can not enrol yourself in this course." message even though they should be enrolled.

I've searched and read all the info I can find on LDAP enrollment here and it all seems rather dated... circa 2006-2007. Where can I find current documentation for this?

In reply to John Lohr

Re: LDAP Auto enrollment

by Nick Brattoli -

I would also like to know of some current documentation on this. I am going to make a new post about my current situation too, so maybe we can get something going.