Now after you get rid of the first nightmare, you'll get another one!Only now its...
I am setting up Moodle enrollment using LDAP. However its not working
and accroding to http://moodle.org/mod/forum/discuss.php?d=39549#188057
and http://moodle.org/mod/forum/discuss.php?d=39549#186178 we wont go
far with LDAP and AD? What is the way around it? I need to edit certain
code? I prefer editing a code be the last resort.
Thank you for your help in advance
There is no error message what so ever. LDAP authentication is already up and running.LDAP server settings are both the same in authenticaion and enrollment.
I have the correct path for the enrol_ldap_student_contexts for students and teachers.
For enrol_ldap_teacher_memberattribute, i am using "member"
enrol_ldap_objectclass : group
enrol_ldap_course_idnumber: cn.
What i did is created a group in the active directory under the student OU and called it "course1".I added a student in it.
Same done under the teacher OU.
I login using the student id, when i find the course and click on the course, it says:
Manual enrolments are currently not enabled.
Step 2 was:
I created the course manually on Moodle. Then i logged in again, same message as above.
So i think the problem is that either LDAP and Moodle not communicating concerning enrollment OR something wrong going on when moodle is checking the user logging in against the user found inside the group.
Any hints?I am unable to progress at all.
Thank you for your help.
I have the correct path for the enrol_ldap_student_contexts for students and teachers.
For enrol_ldap_teacher_memberattribute, i am using "member"
enrol_ldap_objectclass : group
enrol_ldap_course_idnumber: cn.
What i did is created a group in the active directory under the student OU and called it "course1".I added a student in it.
Same done under the teacher OU.
I login using the student id, when i find the course and click on the course, it says:
Manual enrolments are currently not enabled.
Step 2 was:
I created the course manually on Moodle. Then i logged in again, same message as above.
So i think the problem is that either LDAP and Moodle not communicating concerning enrollment OR something wrong going on when moodle is checking the user logging in against the user found inside the group.
Any hints?I am unable to progress at all.
Thank you for your help.
Hello.
I have not enrolment setup overhere, but I have read some posts from Iñaki Arenaza about it. He really knows what we are talking about.
Use advanced search here at Using Moodle and search for Iñaki's posts including word LDAP. I think Iñaki explain pretty well how you can reach such goal.
Good luck.
P.D.: Write down every step you make. It can be invaluable if you add them to MoodleDocs' LDAP enrolment page 
I notice you are not pointing to the LDAP port - there are a number but pointing to the Global Catalog allows the whole tree in.
Eg at my site ldap_host_url: is ldap://staffsvr.sacs.nsw.edu.au:3268;ldap://studentsvr.sacs.nsw.edu.au:3268
- the second one is backup
As I say here (http://moodle.org/mod/forum/discuss.php?d=39549#186185), the only way to make it work without editing the code, is mapping Moodle's ID number field to Active Directory's distinguishedName attribute.
But this will only work if all of your distinguishedNames are <= 64 characters.
And don't use this trick if you are using auth_ldap_sync.php or enrol_ldap_sync.php, as your users will be deleted and re-added each time you run the first, and un-enrolled and re-enrolled each time you run the second.
You have been warned
Saludos. Iñaki.
But this will only work if all of your distinguishedNames are <= 64 characters.
And don't use this trick if you are using auth_ldap_sync.php or enrol_ldap_sync.php, as your users will be deleted and re-added each time you run the first, and un-enrolled and re-enrolled each time you run the second.
You have been warned
Saludos. Iñaki.
Hi Inaki,
Please have a look at my settings. Authentication is working, but enrollment is not. I really appreciate your help. I've been stuck here for more than a month now! It should be working asap. Thank you alot in advance.
Amer
Authentication settings:
Enrollment settings:
Please have a look at my settings. Authentication is working, but enrollment is not. I really appreciate your help. I've been stuck here for more than a month now! It should be working asap. Thank you alot in advance.
Amer
Authentication settings:
LDAP server settings | |||
| ldap_host_url: | Specify LDAP host in URL-form like 'ldap://ldap.myorg.com/' or 'ldaps://ldap.myorg.com/' Separate multipleservers with ';' to get failover support. | ||
| ldap_version: | 2 3 | The version of the LDAP protocol your server is using. | |
Bind settings | |||
| ldap_preventpassindb: | No Yes | Select yes to prevent passwords from being stored in Moodle's DB. | |
| ldap_bind_dn: | If you want to use bind-user to search users, specify it here. Someting like 'cn=ldapuser,ou=public,o=org' | ||
| ldap_bind_pw: | Password for bind-user. | ||
User lookup settings | |||
| ldap_user_type: | Novell Edirectory posixAccount (rfc2307) posixAccount (rfc2307bis) sambaSamAccount (v.3.0.7) MS ActiveDirectory | Select how users are stored in LDAP. This setting also specifies how login expiration, grace logins and user creation will work. | |
| ldap_contexts: | List of contexts where users are located. Separate different contexts with ';'. For example: 'ou=users,o=org; ou=others,o=org' | ||
| ldap_search_sub: | No Yes | Search users from subcontexts. | |
| ldap_opt_deref: | Choose... No Yes | Determines how aliases are handled during search. Select one of the following values: "No" (LDAP_DEREF_NEVER) or "Yes" (LDAP_DEREF_ALWAYS) | |
| ldap_user_attribute: | Optional: Overrides the attribute used to name/search users. Usually 'cn'. | ||
| ldap_memberattribute: | Optional: Overrides user member attribute, when users belongs to a group. Usually 'member' | ||
| ldap_objectclass: | Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you dont need to chage this. | ||
Force change password | |||
| Force change password: | No Yes |
Force users to change password on their first login to Moodle. | |
| Use standard Change Password Page: | No Yes |
If the external authentication system allows password changes through Moodle, switch this to Yes. This setting overrides 'Change Password URL'. NOTE: It is recommended that you use LDAP over an SSL encrypted tunnel (ldaps://) if the LDAP server is remote. | |
LDAP password expiration settings. | |||
| ldap_expiration: | No LDAP | Select No to disable expired password checking or LDAP to read passwordexpiration time directly from LDAP | |
| ldap_expiration_warning: | Number of days before password expiration warning is issued. | ||
| ldap_exprireattr: | Optional: overrides ldap-attribute what stores password expiration time passwordExpirationTime | ||
| ldap_gracelogins: | No Yes | Enable LDAP gracelogin support. After password has expired user can login until gracelogin count is 0. Enabling this setting displays grace login message if password is exprired. | |
| ldap_graceattr: | Optional: Overrides gracelogin attribute | ||
Enable user creation | |||
| ldap_create_context: | If you enable user creation with email confirmation, specify the context
where users are created. This context should be different from other users to
prevent security issues. You don't need to add this context to
ldap_context-variable, Moodle will search for users from this context
automatically. Note! You have to modify function auth_user_create() in file auth/ldap/lib.php to make user creation work | ||
Course creators | |||
| ldap_creators: | List of groups whose members are allowed to create new courses. Separate multiple groups with ';'. Usually something like 'cn=teachers,ou=staff,o=myorg' | ||
Data mapping | |||
| First name |
Update local On
creation On every
login Update external Never On update Lock value Unlocked Unlocked if empty Locked |
These fields are optional. You can choose to pre-fill some Moodle
user fields with information from the LDAP fields that you specify here.
If you leave these fields blank, then nothing will be transferred from LDAP and Moodle defaults will be used instead. In either case, the user will be able to edit all of these fields after they log in. Update local: If enabled, the field will be updated (from external auth) every time the user logs in or there is a user synchronization. Fields set to update locally should be locked. Lock value: If enabled, will prevent Moodle users and admins from editing the field directly. Use this option if you are maintaining this data in the external auth system. Update external: If enabled, the external auth will be updated when the user record is updated. Fields should be unlocked to allow edits. Note: Updating external LDAP data requires that you set binddn and bindpw to a bind-user with editing privileges to all the user records. It currently does not preserve multi-valued attributes, and will remove extra values on update. | |
| Surname |
Update local On
creation On every
login Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Email address |
Update local On
creation On every login
Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Phone 1 |
Update local On
creation On every
login Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Phone 2 |
Update local On
creation On every login
Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Department |
Update local On creation On every
login Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Address |
Update local On
creation On every login
Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| City/town |
Update local On
creation On every login
Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Country |
Update local On
creation On every login
Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Description |
Update local On creation On every
login Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| ID number |
Update local On
creation On every login
Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Language |
Update local On
creation On every login
Update external Never On update Lock value Unlocked Unlocked if empty Locked | ||
| Instructions: | Moodle site is password protected. Instructors only have access to their own courses. Students only have access to courses they are registered to. To open a course, type your Username and Password (the same as your AUBnet ID) and then click on "Login". Forgot your password? Follow the instructions at http://www.aub.edu.lb/services/newuserid.html. Some courses may allow guest access. To view these courses, click on the tab "Login as a guest". Then, click on a Course Category that allows guest access and click on a course name to open it. | Here you can provide instructions for your users, so they know which
username and password they should be using. The text you enter here will appear
on the login page. If you leave this blank then no instructions will be printed.
 | |
Common settings | |||
| Change password URL: | Here you can specify a location at which your users can recover or change their username/password if they've forgotten it. This will be provided to users as a button on the login page and their user page. if you leave this blank the button will not be printed. | ||
| Guest login button: | Hide Show | You can hide or show the guest login button on the login page. | |
| Enable user creation: | No Yes | New (anonymous) users can create user accounts on the external authentication source and confirmed via email. If you enable this , remember to also configure module-specific options for user creation. | |
| Alternate Login URL | If you enter a URL here, it will be used as the login page for this site.
The page should contain a form which has the action property set to
'http://193.188.130.25/login/index.php' and return fields
username and password. Be careful not to enter an incorrect URL as you may lock yourself out of this site. Leave this setting blank to use the default login page. | ||
Enrollment settings:
| enrol_ldap_host_url: | Specify LDAP host in URL-form like 'ldap://ldap.myorg.com/' or 'ldaps://ldap.myorg.com/' | |
| enrol_ldap_version: | 2 3 | The version of the LDAP protocol your server is using. |
| enrol_ldap_bind_dn: | If you want to use bind-user to search users, specify it here. Someting like 'cn=ldapuser,ou=public,o=org' | |
| ldap_bind_pw: | Password for bind-user. | |
| ldap_search_sub: | No Yes | Search group memberships from subcontexts. |
Student enrolment settings | ||
| enrol_ldap_student_contexts: | List of contexts where groups with student enrolments are located. Separate different contexts with ';'. For example: 'ou=courses,o=org; ou=others,o=org' | |
| enrol_ldap_student_memberattribute: | Member attribute, when users belongs (is enrolled) to a group. Usually 'member' or 'memberUid'. | |
Teacher enrolment settings | ||
| enrol_ldap_teacher_contexts: | List of contexts where groups with teacher enrolments are located. Separate different contexts with ';'. For example: 'ou=courses,o=org; ou=others,o=org' | |
| enrol_ldap_teacher_memberattribute: | Member attribute, when users belongs (is enrolled) to a group. Usually 'member' or 'memberUid'. | |
Course enrolment settings | ||
| enrol_ldap_objectclass: | objectClass used to search courses. Usually 'posixGroup'. | |
| enrol_ldap_course_idnumber: |
Update local data No Yes Lock value No Yes |
Map to the unique identifier in LDAP, usually cn or uid. It is recommended to lock the value if you are using automatic course creation. |
| enrol_ldap_course_shortname: |
Update local data No Yes Lock value No Yes |
Optional: LDAP field to get the shortname from. |
| enrol_ldap_course_fullname: |
Update local data No Yes Lock value No Yes |
Optional: LDAP field to get the full name from. |
| enrol_ldap_course_summary: |
Update local data No
Yes Lock value No Yes |
Optional: LDAP field to get the summary from. |
Automatic course creation settings | ||
| enrol_ldap_autocreate: | no yes | Courses can be created automatically if there are enrolments to a course that doesn't yet exist in Moodle. |
| enrol_ldap_category: | ACC Office test | The category for auto-created courses. |
| enrol_ldap_template: | Optional: auto-created courses can copy their settings from a template course. | |
General Options | ||
| enrol_allowinternal: | Allow internal methods as well | |
Sorry for the above missing settings but i edited my post and it didnt update, here they are again
LDAP server settings |
|||
|
ldap_host_url: |
ldap://win2k.aub.edu.lb |
||
|
ldap_version: |
3 |
||
Bind settings |
|||
|
ldap_preventpassindb: |
yes |
||
|
ldap_bind_dn: |
cn=moodle1,ou=Special Users,ou=AllUsers,dc=win2k,dc=aub,dc=edu,dc=lb |
||
|
ldap_bind_pw: |
|
||
User lookup settings |
|||
|
ldap_user_type: |
MS ActiveDirectory |
||
|
ldap_contexts: |
ou=allUsers,dc=win2k,dc=aub,dc=edu,dc=lb |
||
|
ldap_search_sub: |
yes |
||
|
ldap_opt_deref: |
yes |
||
|
ldap_user_attribute: |
cn |
||
|
ldap_memberattribute: |
member |
||
|
ldap_objectclass: |
|
||
Force change password |
|||
|
Force change password: |
yes |
||
|
Use standard Change Password Page: |
yes |
||
LDAP password expiration settings. |
|||
|
ldap_expiration: |
No |
||
|
ldap_expiration_warning: |
10 |
||
|
ldap_exprireattr: |
|
||
|
ldap_gracelogins: |
no |
||
|
ldap_graceattr: |
|
||
Enable user creation |
|||
|
ldap_create_context: |
|
||
Course creators |
|||
|
ldap_creators: |
|
||
|
|
|||
|
First name |
givenNAME Update local On
creation On every login |
|
|
|
Surname |
sn Update local On
creation On every login |
|
|
|
Email address |
altSecurityIdentities Update local On
creation On every login |
|
|
|
Phone 1 |
telephoneNumber Update local On
creation On every login |
|
|
|
Phone 2 |
Update local On
creation On every login |
|
|
|
Department |
Update local On
creation On every login |
|
|
|
Address |
Update local On
creation On every login |
|
|
|
City/town |
Update local On
creation On every login |
|
|
|
Country |
Update local On
creation On every login |
|
|
|
Description |
description Update local On
creation On every login |
|
|
|
ID number |
distinguishedName Update local On
creation On every login |
|
|
|
Language |
Update local On creation
On every login |
|
|
|
Instructions: |
|
|
|
|
|
|||
|
Change password URL: |
|
|
|
|
Guest login button: |
Hide Show |
|
|
|
Enable user creation: |
No Yes |
|
|
|
Alternate Login URL |
|
|
|
Enrollment settings:
|
enrol_ldap_host_url: |
ldap://win2k.aub.edu.lb |
|
enrol_ldap_version: |
3 |
|
enrol_ldap_bind_dn: |
cn=moodle1,ou=ACC_test_Student,ou=CNS,dc=win2k,dc=aub,dc=edu,dc=lb |
|
ldap_bind_pw: |
|
|
ldap_search_sub: |
Yes |
Student enrolment settings |
|
|
enrol_ldap_student_contexts: |
ou=ACC_test_Student,ou=CNS,dc=win2k,dc=aub,dc=edu,dc=lb |
|
enrol_ldap_student_memberattribute: |
member |
Teacher enrolment settings |
|
|
enrol_ldap_teacher_contexts: |
ou=ACC_test_Teacher,ou=CNS,dc=win2k,dc=aub,dc=edu,dc=lb |
|
enrol_ldap_teacher_memberattribute: |
member |
Course enrolment settings |
|
|
enrol_ldap_objectclass: |
group |
|
enrol_ldap_course_idnumber: |
distinguishedName Update local data No
Yes |
|
enrol_ldap_course_shortname: |
Update local data No
Yes |
|
enrol_ldap_course_fullname: |
Update local data No
Yes |
|
enrol_ldap_course_summary: |
Update local data No
Yes |
Automatic course creation settings |
|
|
enrol_ldap_autocreate: |
yes |
|
enrol_ldap_category: |
test |
|
enrol_ldap_template: |
|
General Options |
|
|
enrol_allowinternal: |
|
I guess te problem is in these three fields:
The first one should be 'cn' if the name of the groups matches the ID Number of your courses (and it should). The second and third one could be any attribute you want, but I usually set them to 'cn' too.
On the other hand, you have this in your authentication settings:
which should be:
for Active Directory.
By the way, make REALLY SURE your distinguishedNames are not longer than 64 characters, or enlarge the idnumber field in the mdl_user table. Otherwise you'll have lots of problems with your enrolments.
Saludos. Iñaki.
enrol_ldap_course_idnumber: distinguishedName
enrol_ldap_course_shortname:
enrol_ldap_course_fullname:
enrol_ldap_course_shortname:
enrol_ldap_course_fullname:
The first one should be 'cn' if the name of the groups matches the ID Number of your courses (and it should). The second and third one could be any attribute you want, but I usually set them to 'cn' too.
On the other hand, you have this in your authentication settings:
ldap_opt_deref: yes
which should be:
ldap_opt_deref: no
for Active Directory.
By the way, make REALLY SURE your distinguishedNames are not longer than 64 characters, or enlarge the idnumber field in the mdl_user table. Otherwise you'll have lots of problems with your enrolments.
Saludos. Iñaki.
Dear sir,
Still no progress.
My username as a teacher is ah70. this is being authenticated against active directory on ldap. this usename is also inside a group in the teacher's ou. when i check the id number of the user after i login, i get this: id number = CN=ah70,OU=N and you cant insert any character more.
PS: i changed the idnumber field in the table from 64 characters to 255.
Any new hints?
Still no progress.
My username as a teacher is ah70. this is being authenticated against active directory on ldap. this usename is also inside a group in the teacher's ou. when i check the id number of the user after i login, i get this: id number = CN=ah70,OU=N and you cant insert any character more.
PS: i changed the idnumber field in the table from 64 characters to 255.
Any new hints?
OK, let's do it step by step.
1.- Make sure you map Moodle's ID Number field to AD's distinguishedName attribute in your authentication setup. Make sure users have their ID Number field updated every time they log in (to make sure they have a value there).
2.- Make sure you set enrol_ldap_course_idnumber, enrol_ldap_course_shortname and enrol_ldap_course_fullname to 'cn' (just to make it easier).
Leave the rest of the configuration values as you have them now.
Now in Moodle create a course called 'Math-101'. Make sure the ID of the course is 'Math-101' too (you can set the shortname to 'Math-101' too, if you want).
Now go to your AD Users and Domains administration console, and under the Student Context (ou=ACC_test_Student,ou=CNS,dc=win2k,dc=aub,dc=edu,dc=lb in your case) create a Global Security Group called 'Math-101', and make the relevant students part of it.
Now under the Teachers Context (ou=ACC_test_Teacher,ou=CNS,dc=win2k,dc=aub,dc=edu,dc=lb in your case), create a Global Security Group called 'Math-101' too. Make sure you use a different 'pre-Windows 2000 name' for it, or you'll get an error otherwise. Make the relevant teachers part of it.
Now login with one of the students you added to the group, and you should see the student is enrolled to that course. Same for a teacher.
If you don't see it, have a look at your PHP logs (usually part of the webserver logs if you are using Apache) and see if there are any error messages there telling what is going on.
Saludos. Iñaki.
1.- Make sure you map Moodle's ID Number field to AD's distinguishedName attribute in your authentication setup. Make sure users have their ID Number field updated every time they log in (to make sure they have a value there).
2.- Make sure you set enrol_ldap_course_idnumber, enrol_ldap_course_shortname and enrol_ldap_course_fullname to 'cn' (just to make it easier).
Leave the rest of the configuration values as you have them now.
Now in Moodle create a course called 'Math-101'. Make sure the ID of the course is 'Math-101' too (you can set the shortname to 'Math-101' too, if you want).
Now go to your AD Users and Domains administration console, and under the Student Context (ou=ACC_test_Student,ou=CNS,dc=win2k,dc=aub,dc=edu,dc=lb in your case) create a Global Security Group called 'Math-101', and make the relevant students part of it.
Now under the Teachers Context (ou=ACC_test_Teacher,ou=CNS,dc=win2k,dc=aub,dc=edu,dc=lb in your case), create a Global Security Group called 'Math-101' too. Make sure you use a different 'pre-Windows 2000 name' for it, or you'll get an error otherwise. Make the relevant teachers part of it.
Now login with one of the students you added to the group, and you should see the student is enrolled to that course. Same for a teacher.
If you don't see it, have a look at your PHP logs (usually part of the webserver logs if you are using Apache) and see if there are any error messages there telling what is going on.
Saludos. Iñaki.
Guess what, the settings were correct from the begining. Now I am reading your reply but Enrolment is already working. The users i was testing with have write priv. on the active directory. So although it is not logical to me, we used another user id of a staff here who has only read priv. We added him to one of the groups, and he saw the course when he logged in. But when i add my user id which has write access to the ldap AD, i cant see the course in my account!
I really thank you for your replies. I appreciate your help and support. Hope you can update me concerning the above issue which i dont see logical.
Thank you alot
Amer
I really thank you for your replies. I appreciate your help and support. Hope you can update me concerning the above issue which i dont see logical.
Thank you alot
Amer
Dear All,
Ldap enrollment is working fine, but if my students are stored inside second level OU and more(meaning 2 or more nested OUs), they will be able to authenticate but not to enroll in the course.
Any function I need to edit?
Thanks for help.
Mostafa
I would like to start off by saying how excited I am in the potential to have our students authenticate to our LDAP server which is AD. That being said I am having one heck of a time. I can not get authentication to work and obviously if that doesn't auto enroll won't so here is where I am at:
I downloaded LDAP browser and checked all my paths.
I changed my ldap_bind_dn to incorrect information to see if I would get an error and I would so I assume that is working correctly??
I double checked all my authentication and mapping setting based on some other posts and common sense. Still no authentication.
I edited my php.ini to log errors, but it seems only tell me the login failed with the username, IP, and browser info.
So I am at a stand still and was hoping one of you wonderful, helpful people could throw me a bone. 
I could post my config but thats a tons to post. Let me know what u want and I'll get it to you, either by posting or sending it to you directly.
Thank you advance.
Rob - spathi73@yahoo.com
I too am having a similar problem.
My LDAP authentication using Active Directory is working fine (used user@domain.local instead of cn=user,DC=domain,DC=local) and enrolment is working up to a point.
My students and teachers are located in an OU called People. The staff are then in an OU called staff and students are in an OU called students. However students are further broken down into OUs for intake year.
My staff when they login are enrolled correctly but my students aren't.
I suspect this is to do with having nested OUs, but can't really see how to get round this.
Anyone got any ideas??
Thanks!
Ok, I have been working to try and figure why it hasn't been working and have found the source of the problem, but not the solution yet!
It seems that when the students login and their idnumber is set to their distinguishedName it is trimmed in the database to only 64 characters. This effectively trims off the last three chars of my user's idnumber. I have changed the idnumber to be a VARCHAR of length 250 but for some reason despite setting the correct value manually in the database, when the user logs in it is trimmed back to 64 chars!!
Anyone any ideas please?!?!
Is this a problem when moodle converts the distinguishedName to a UTF-8 string??
Ok finally figured it out!
It is an issue in the truncate_userinfo function moodlelib.
There is an array that has the default sizes for the user table fields. Simply change the 'idnumber'=>64 to 'idnumber'=>200 or whatever!
Moodle LDAP authentication and enrolment now working using Active Directory like a dream!!
Hi there
I'm a new one. José Cruz from Portugal.
(sory my english)
My situation: LDAP Windows Server 2003. Moodle 1.8
I have a OU container (schoolserver), with subOUs (students and teachers).
I have a OU (moodle) with subOUs (students and teachers) for moodle groups.
I have LDAP authentication like that and working.
LDAP server settings
Host URL: ldap://minhaescola.servidorescola.local
Version : 3
LDAP encoding : utf-8
Bind Settings
Hide passwords: yes
Distinguished Name: CN=moodle esmcastilho,CN=Users,DC=minhaescola,DC=servidorescola,DC=local
password.
User lookup settingsUser type: MS ActiveDirectory
Contexts: OU=SchoolServer,DC=minhaescola,DC=servidorescola,DC=local
search sub: yes
dereference alias: no
user attribute: sAMAccountName
Member attribute:
Member attribute uses dn:
Object class: user
Force change password
force: no
use standard: no
LDAP password expiration settings
expiration: LDAP
Enable user creation
create user externally: no
course creators
creators:
Cron synchronization script
Removed ext user: Full delete internal
first name: givenName
ID number: sAMAccountName
I can't say the same about enrol and i don't know why.
Here are my settings:
LDAP Server Settings
enrol_ldap_host_url: ldap://minhaescola.servidorescola.local
enrol_ldap_version: 3
enrol_ldap_bind_dn: CN=moodle esmcastilho,CN=Users,DC=minhaescola,DC=servidorescola,DC=local
ldap_bind_pw: *********
ldap_search_sub: yes
Role mapping
Teacher
LDAP contexts: OU=profs,OU=Moodle,DC=minhaescola,DC=servidorescola,DC=local
LDAP member attribute: member
students
LDAP contexts: OU=alunos,OU=Moodle,DC=minhaescola,DC=servidorescola,DC=local
LDAP member attribute: member
Course enrolment settings
enrol_ldap_objectclass: group
enrol_ldap_course_idnumber: cn, no, no
enrol_ldap_course_shortname: cn, no, no
enrol_ldap_course_shortname: cn, no, no
Automatic course creation settings
enrol_ldap_autocreate: yes
enrol_ldap_category: Geral
If anyone can help, please...
Best wishes from Portugal
Stephen,
I am struggling with the same issue. I have ldap authentication to MSAD working for quite some time and I am trying to set up ldap enrollment. All of it works fine as long and the distinguishedName is less than 64. I've followed the instructions here and modified the database field user.idnumber to varchar(255) and I've modified the method truncate_userinfo to truncated the field idnumber to 255 characters. However when the DN is greater than 64 chars the id number field is no longer getting updated.
Is there something else that I am missing?
Thanks,
Peter
Turns out there are two user tables; user and mdl_user. I had modified the wrong table "user". After changing mdl_user everything works like a charm.
It seems there have been a couple of changes on the way LDAP authentication syncing is done (see MDL-5823), which is good news for LDAP enrolment if you are using Active Directory.
Instead of using the 'idnumber' field of the user's table, it's now using the 'username' field to keep users in sync. Which frees the 'idnumber' field to be used by the enrolment code without trouble.
So if you are using Moodle 1.8.1+ (from 2007.03.01 or later) with Active Directoy and want to use LDAP enrolment, you can now safely use auth_ldap_sync_users.php and enrol_ldap_sync.php without your users being deleted and re-added every time you run them.
Saludos. Iñaki.
Instead of using the 'idnumber' field of the user's table, it's now using the 'username' field to keep users in sync. Which frees the 'idnumber' field to be used by the enrolment code without trouble.
So if you are using Moodle 1.8.1+ (from 2007.03.01 or later) with Active Directoy and want to use LDAP enrolment, you can now safely use auth_ldap_sync_users.php and enrol_ldap_sync.php without your users being deleted and re-added every time you run them.
Saludos. Iñaki.
Hi Inaki Arenaza,
First of all thanks for all the support that you are giving for the community.
I'm troubling with the LDAP enrolment, i'm using openldap where i have two subtrees ou= moodleusers and ou=moodle (where i have the groups using groupOfNames and cn==Course ID) , i also use objectClass=inetOrgPerson for the user lookup..my settings are:
User lookup settings |
||
| User type | Default | Select how users are stored in LDAP. This setting also specifies how login expiration, grace logins and user creation will work. |
| Contexts | ou=moodleusers,dc=epict,dc=it | List of contexts where users are located. Separate different contexts with ';'. For example: 'ou=users,o=org; ou=others,o=org' |
| Search subcontexts | Yes | Search users from subcontexts. |
| Dereference aliases | Yes | Determines how aliases are handled during search. Select one of the following values: "No" (LDAP_DEREF_NEVER) or "Yes" (LDAP_DEREF_ALWAYS) |
| User attribute | Optional: Overrides the attribute used to name/search users. Usually 'cn'. | |
| Member attribute | member | Optional: Overrides user member attribute, when users belongs to a group. Usually 'member' |
| Member attribute uses dn | 1 | Optional: Overrides handling of member attribute values, either 0 or 1 |
| Object class | (objectClass=inetOrgPerson) | Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you dont need to chage this. |
Force change password |
||
| Force change password | No |
Force users to change password on their first login to Moodle. |
| Use standard page for changing password | No |
If the external authentication system allows password changes through Moodle, switch this to Yes. This setting overrides 'Change Password URL'. NOTE: It is recommended that you use LDAP over an SSL encrypted tunnel (ldaps://) if the LDAP server is remote. |
| Password format | Plain textMD5 hashSHA-1 hash | Specify the format of new or changed passwords in LDAP server. |
| Password-change URL | Here you can specify a location at which your users can recover or change their username/password if they've forgotten it. This will be provided to users as a button on the login page and their user page. If you leave this blank the button will not be printed. | |
LDAP password expiration settings. |
||
| Expiration | no | Select No to disable expired password checking or LDAP to read passwordexpiration time directly from LDAP |
| Expiration warning | 10 | Number of days before password expiration warning is issued. |
| Expiration attribute | Optional: overrides ldap-attribute that stores password expiration time | |
| Grace logins | No | Enable LDAP gracelogin support. After password has expired user can login until gracelogin count is 0. Enabling this setting displays grace login message if password is expired. |
| Grace login attribute | Optional: Overrides gracelogin attribute | |
Enable user creation |
||
| Create users externally | No | New (anonymous) users can create user accounts on the external authentication source and confirmed via email. If you enable this , remember to also configure module-specific options for user creation. |
| Context for new users | If you enable user creation with email confirmation, specify the context where users are created. This context should be different from other users to prevent security issues. You don't need to add this context to ldap_context-variable, Moodle will search for users from this context automatically. Note! You have to modify the method user_create() in file auth/ldap/auth.php to make user creation work |
|
Course creator |
||
| Creators | List of groups or contexts whose members are allowed to create new courses. Separate multiple groups with ';'. Usually something like 'cn=teachers,ou=staff,o=myorg' | |
Cron synchronization script |
||
| Removed ext user | Keep internalSuspend internalFull delete internal | Specify what to do with internal user account during mass synchronization when user was removed from external source. Only suspended users are automatically revived if they reappear in ext source. |
NTLM SSO |
||
| Enable | No | Set to yes to attempt Single Sign On with the NTLM domain. Note: this requires additional setup on the webserver to work, see http://docs.moodle.org/en/NTLM_authentication |
| Subnet | If set, it will only attempt SSO with clients in this subnet. Format: xxx.xxx.xxx.xxx/bitmask. Separate multiple subnets with ',' (comma). | |
| MS IE fast path? | No | Set to yes to enable the NTLM SSO fast path (bypasses certain steps and only works if the client's browser is MS Internet Explorer). |
| Authentication type | NTLM | The authentication method configured in the web server to authenticate the users (if in doubt, choose NTLM) |
Data mapping |
||
| First name |
givenName
On every login
Never Unlocked |
These fields are optional. You can choose to pre-fill some Moodle user fields with information from the LDAP fields that you specify here.
If you leave these fields blank, then nothing will be transferred from LDAP and Moodle defaults will be used instead. In either case, the user will be able to edit all of these fields after they log in. Update local: If enabled, the field will be updated (from external auth) every time the user logs in or there is a user synchronization. Fields set to update locally should be locked. Lock value: If enabled, will prevent Moodle users and admins from editing the field directly. Use this option if you are maintaining this data in the external auth system. Update external: If enabled, the external auth will be updated when the user record is updated. Fields should be unlocked to allow edits. Note: Updating external LDAP data requires that you set binddn and bindpw to a bind-user with editing privileges to all the user records. It currently does not preserve multi-valued attributes, and will remove extra values on update. |
| Surname |
sn On every login |
|
| Email address |
On every login |
|
| City/town |
l On every login |
|
| Country |
c On every login |
|
| Language |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Description |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Web page |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| ID number |
dn On every login |
|
| Institution |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Department |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Phone 1 |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Phone 2 |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Address |
Update local On creationOn every login
Update external NeverOn update Lock value |
|
Role mapping
Map roles from LDAPenrol_ldap | role_mapping
Roles
Manager
Course creator
Teacher ou=Facilitatore,ou=Moodle,dc=epict,dc=it member
Non-editing teacher
Student ou=Studente,ou=Moodle,dc=epict,dc=it member
Guest
Authenticated user
Authenticated user on frontpage
Search subcontextsenrol_ldap | course_search_sub
Yes
Search group memberships from subcontexts
Member attribute uses dnenrol_ldap | memberattribute_isdn
Yes
If the group membership contains distinguised names, you need to specify it here. If it does, you also need to configure the remaining settings of this section
Contextsenrol_ldap | user_contexts: ou=moodleusers,dc=epict,dc=it
If the group membership contains distinguised names, specify the list of contexts where users are located. Separate different contexts with ';'. For example: 'ou=users,o=org; ou=others,o=org'
Search subcontextsenrol_ldap | user_search_sub
Yes
If the group membership contains distinguised names, specify if the search for users is done in subcontexts too
User typeenrol_ldap | user_type
Default
If the group membership contains distinguished names, specify how users are stored in LDAP
Dereference aliasesenrol_ldap | opt_deref
No
If the group membership contains distinguised names, specify how aliases are handled during search. Select one of the following values: 'No' (LDAP_DEREF_NEVER) or 'Yes' (LDAP_DEREF_ALWAYS)
ID number attributeenrol_ldap | idnumber_attribute : dn
If the group membership contains distinguised names, specify the same attribute you have used for the user 'ID Number' mapping in the LDAP authentication settings
Course enrolment settings
Object classenrol_ldap | objectclass
Default: Empty
objectClass used to search courses. Usually 'group' or 'posixGroup'
ID numberenrol_ldap | course_idnumber
(objectClass=groupOfNames)
LDAP attribute to get the course ID number from. Usually 'cn' or 'uid'.
Short nameenrol_ldap | course_shortname : cn
Full nameenrol_ldap | course_fullname : cn
Summaryenrol_ldap | course_summary : cn
Ignore hidden coursesenrol_ldap | ignorehiddencourses
No
If enabled users will not be enrolled on courses that are set to be unavailable to students.
External unenrol actionenrol_ldap | unenrolaction
Unenrol user from courseKeep user enrolledDisable course enrolmentDisable course enrolment and remove roles
Default: Unenrol user from course
Select action to carry out when user enrolment disappears from external enrolment source. Please note that some user data and settings are purged from course during course unenrolment.
Automatic course creation settings
Auto createenrol_ldap | autocreate
NoYes
Default: No
Courses can be created automatically if there are enrolments to a course that doesn't yet exist in Moodle
If you are using automatic course creation, it is recommended that you remove the following capabilities: moodle/course:changeidnumber, moodle/course:changeshortname, moodle/course:changefullname and moodle/course:changesummary, from the relevant roles to prevent modifications of the four course fields specified above (ID number, shortname, fullname and summary).
Categoryenrol_ldap | category
Miscellaneous
Default: Miscellaneous
The category for auto-created courses
Templateenrol_ldap | template
Default: Empty
Optional: auto-created courses can copy their settings from a template course
Nested groups settings
Nested groupsenrol_ldap | nested_groups
NoYes
Default: No
Do you want to use nested groups (groups of groups) for enrolment?
'Member of' attributeenrol_ldap | group_memberofattribute
Default: Empty
Name of the attribute that specifies which groups a given user or group belongs to (e.g., memberOf, groupMembership, etc.)
I'll be really greatfull for any help. thanks in advance