Active Directory Users can't log in

by Mark walsh -
Number of replies: 9

Hi

Got Moodle up and running and can log in with the Admin users. Also configured for use with LDAP (Windows 2003, IIS6) but each time a user from the Active Directory tries to log on, get the error message:

Invalid login, please try again

Anyone got any ideas???

Thanks

In reply to Mark walsh

Re: Active Directory Users can't log in

by Heather P -
Did you use one of those tools to confirm that you are using an account to bind with that actually does have access to your Active Directory? Depending upon your set up, did you choose the right option, like search sub directories? Did you remember to enable the LDAP option in the php.ini file and copy the php_ldap.dll file from the php folder to the windows folder?

Regards
Heather
In reply to Mark walsh

Re: Active Directory Users can't log in

by Scott Nixon -
I was having the same problem. If I used the root of Active Directory it would not work. e.g. ldap_contexts: dc=academic,dc=domain,dc=com

When I switched to ldap_contexts: ou=tech,dc=academic,dc=domain,dc=com

Add a colon for multiple contexts.
In reply to Mark walsh

Re: Active Directory Users can't log in

by Bill Wellington -
I too am having an issue with authenticating against Active Directory.

I believe I am binding to the directory correctly, but if I have anything entered in the ldap_contexts field I get the following errors at the top of my page.


Warning: ldap_search(): Search: Bad search filter in /WebServer/MrWellington/web/moodle/auth/ldap/lib.php on line 1378

Warning: ldap_first_entry(): supplied argument is not a valid ldap result resource in /WebServer/MrWellington/web/moodle/auth/ldap/lib.php on line 1385

If there is nothing in the ldap_contexts field I simply get "Invalid login, please try again"

I don't really know where to go from here... I feel like I am so close!

Thanks for your help...
Bill
In reply to Bill Wellington

Re: Active Directory Users can't log in

by Iñaki Arenaza -
Without having a look at the values you have configured in the LDAP authentication page, it's quite difficult to diagnose the root of the problem.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: Active Directory Users can't log in

by Kieran Denny -

I feel like the same information is being repeated again. Anyway...

The following assumes that your ldap_host_url is set: this should be the fully qualified domain name of the server preceded by 'ldap://'. I am also assuming that the PHP LDAP module is correctly working [or at least loaded awaiting configuration].

After that, you will need to test your configuration. The following are the steps I would use when setting up LDAP authentication for the first time:

Install the windows server support tools [contains the ldp.exe tool]

  • Run this utility. You will need to 'bind' to the domain you are wishing to connect to. Once you are bound to the [AD] LDAP server, some information will be displayed in the right-hand window. You are looking for 'rootDomainNamingContext'. Currently this line for me reads: '1> rootDomainNamingContext: DC=domain,DC=local;'
  • Use this information after selecting 'view' => 'tree'. You should enter the obtained info in the following way: Base DN = DC=domain,DC=local
  • Click 'ok' and you should be shown a collapsed tree in the left-hand window. Once expanded [by double-clicking], the tree should look similar to the root object you see when using the 'Active Directory Users and Computers' snap-in.
  • Once this is visible, simply double-clicking an object in the left-hand window will expand its children [this will work until 'no children' is displayed as the child object].

Find the details for the account you will use to 'bind' to the server

  • Using the final step in the previous section, drill down initially to where the account that you are going to use within Moodle to 'bind' to the LDAP server is. Once you find where that object is within the ldp.exe tool, double click it. This will retrieve all of its information as stored in the AD LDAP server. The first few lines returned for my user object read:
    Expanding base 'CN=DENNY. Kieran,OU=InfoTech,OU=Support,OU=Campus1,OU=Staff,OU=School,DC=domain,DC=local'...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn: CN=DENNY. Kieran,OU=InfoTech,OU=Support,OU=St Pauls,OU=Staff,OU=Lavalla,DC=lavalla,DC=local
  • You will need to copy out the information following '>> DN: ' and paste it into the 'ldap_bind_dn:' section of the LDAP config page in Moodle. You will need to enter the correct password for this account. That should then do for the bind account.

Find the correct details for the rest of your users

  • Similar to the previous step, except you are now looking for the Organizational Unit [OU] containing your users.
  • Our AD server is broken down by staff vs. student, then by campus, then department [or in the case of students, by year level]. Some of the OUs have around 300-400 students in them, and overall, the users OU has about 2500 objects in it [this does not include any groups as these are stored in a separate OU].
  • As part of the Moodle config, I have used four distinct OUs in the ldap_contexts entry: two for each of our campuses, and then broken apart into staff and students. This setup allows me to easily remove access for students by simply modifying the ldap_contexts Moodle config entry.
  • Currently, on the Moodle LDAP Authentication config page, my ldap_contexts entry reads: "OU=Campus1,OU=Staff,OU=School,DC=domain,DC=local;
    OU=Campus2,OU=Staff,OU=School,DC=domain,DC=local;
    OU=Campus1,OU=Students,OU=School,DC=domain,DC=local;
    OU=Campus2,OU=Students,OU=School,DC=domain,DC=local;"
  • All of this depends on your personal preference and/or AD setup. One restraining factor is that somewhere along the line, you are limited to 1000 entries per context lookup [I think this is correct, though I'm not too sure where the limitation is enforced].

Some other things that can affect connecting to the AD LDAP server:

  • SSL requirement being enforced [though I have not seen this in place]
  • incorrect access permissions for the user binding to LDAP [i.e. using a disabled user, or one who does not have lookup & password checking rights].
  • there are probably lots more issues that can occur, but I don't have time to work them out, let alone list them here...

Well, that took a good half hour to write [and I'm sure that there are a few spelling mistooks in there]. Just rambling, but someone may want to add this to the Wiki/help page for LDAP configuration [specific to Active Directory].

I REALLY hope that helps somewhat...

regards,

Kieran

In reply to Kieran Denny

Re: Active Directory Users can't log in

by Red Morris -

Kieran you are a star! VERY helpful guide that helped me track down one bug and helped me correct a couple of other bits of wrong info.

I still haven't got it working, but I feel I'm closer thanks to your help.

Definitely worth adding to the Wiki

In reply to Kieran Denny

Re: Active Directory Users can't log in

by Iñaki Arenaza -
> one restraining factor is that somewhere along the line, you are limited to 1000 entries per context lookup [i think this i correct, though i'm not too sure where the limitation is enforced].

Active Directory enforces the limit by default. You can raise the limit at the cost of using more memory on the server to answer the queries, as described here: http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/ef05b737-0a94-49ab-8deb-5acf91865531.mspx

Saludos. Iñaki.
In reply to Mark walsh

Re: Active Directory Users can't log in

by Lael ... -

Hi Mark,

OK, so I was having a similar issue... LDAP would bind just fine, but I couldn't log on with any of the existing accounts, except some test accounts. It took a long time to figure out, but the canonical name of the existing users is currently different from their logon names (the test accounts created have CN and logon the same).

For me at this point, Moodle will allow the users to log in using the canonical name, but not their user/logon names (unless they are the same [for me cn seems atm to be 'First name' space 'Last Name']). (ps - thanks Kieran Denny for showing how to use ldp.exe!)

hth - Lael

ps - does anyone have a clue if this is an AD problem or a Moodle one? (ie - how to get students able to log in with their logon names?) Thanks!

Edit: solved: change "ldap_user_attribute" to 'sAMAccountName' ... lol, just found that it says that in the wiki instructions... (so much pain... so little need for it)
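
The following is an added example, not Moodle's code and not from any poster in this thread. It models offline what the three settings the thread keeps circling around (ldap_contexts, ldap_bind_dn's search scope, and ldap_user_attribute) do to a login attempt: the ';'-separated contexts format is taken from Kieran's post, the "Bad search filter" warning from Bill's post is reproduced for a malformed filter, and Lael's symptom (CN differs from logon name, so "cn" lookups fail while "sAMAccountName" works) is shown on a constructed in-memory directory. The DNs under DC=example,DC=local, the accounts "jdoe" and "test1", and the `simulated_search` stand-in for `ldap_search()` are all made up for the example.

```python
"""
Added example (not Moodle's own code): an offline model of how the
ldap_contexts / ldap_user_attribute settings turn into an LDAP search.
The directory below is constructed in memory; every DN and account is made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4515 escaping for a value placed inside a search filter. A login name
# containing '(' ')' '*' or '\' would otherwise break the filter syntax (or
# let the user rewrite the filter), so the plugin must escape it, not the DN.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_contexts(ldap_contexts: str) -> List[str]:
    """Split the Moodle ldap_contexts string into base DNs.

    Assumes the ';'-separated form shown in Kieran's post; surrounding
    whitespace, newlines and a trailing separator are tolerated."""
    return [c.strip() for c in ldap_contexts.split(";") if c.strip()]


def build_user_filter(user_attribute: str, login: str) -> str:
    """The equality filter an auth plugin sends for a typed login name."""
    return f"({user_attribute}={escape_filter_value(login)})"


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str]


# Constructed entries standing in for what ldp.exe would display. As in
# Lael's post, the real user's CN ("First Last") differs from the
# sAMAccountName, while the test account has both set to the same value.
DIRECTORY = [
    Entry("CN=Jane Doe,OU=Campus1,OU=Staff,OU=School,DC=example,DC=local",
          {"cn": "Jane Doe", "sAMAccountName": "jdoe"}),
    Entry("CN=test1,OU=Campus2,OU=Students,OU=School,DC=example,DC=local",
          {"cn": "test1", "sAMAccountName": "test1"}),
]

_EQUALITY_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def simulated_search(base_dn: str, search_filter: str,
                     directory: List[Entry]) -> List[Entry]:
    """Hypothetical stand-in for ldap_search(): subtree search under base_dn
    with one equality filter. Attribute names match case-insensitively (as in
    AD); values are compared exactly, which is a simplification."""
    m = _EQUALITY_FILTER.match(search_filter)
    if m is None:
        raise ValueError(f"Bad search filter: {search_filter}")
    attr, wanted = m.group(1).lower(), _unescape(m.group(2))
    return [e for e in directory
            if e.dn.lower().endswith("," + base_dn.lower())
            and any(k.lower() == attr and v == wanted for k, v in e.attrs.items())]


def find_user_dn(ldap_contexts: str, user_attribute: str, login: str,
                 directory: List[Entry] = DIRECTORY) -> Optional[str]:
    """Search each configured context in turn and return the DN of the first
    entry whose user_attribute equals the typed login, or None.

    With user_attribute="cn", a user whose CN differs from the logon name is
    not found (Lael's symptom); "sAMAccountName" fixes it. Narrowing
    ldap_contexts is what lets Kieran drop whole OUs from access."""
    search_filter = build_user_filter(user_attribute, login)
    for base_dn in parse_contexts(ldap_contexts):
        hits = simulated_search(base_dn, search_filter, directory)
        if hits:
            return hits[0].dn
    return None


# Same layout as Kieran's four contexts, under the made-up example domain.
KIERAN_STYLE_CONTEXTS = """OU=Campus1,OU=Staff,OU=School,DC=example,DC=local;
OU=Campus2,OU=Staff,OU=School,DC=example,DC=local;
OU=Campus1,OU=Students,OU=School,DC=example,DC=local;
OU=Campus2,OU=Students,OU=School,DC=example,DC=local;"""

if __name__ == "__main__":
    print(find_user_dn(KIERAN_STYLE_CONTEXTS, "cn", "jdoe"))             # None
    print(find_user_dn(KIERAN_STYLE_CONTEXTS, "sAMAccountName", "jdoe"))  # Jane Doe's DN
    print(find_user_dn("OU=Campus1,OU=Staff,OU=School,DC=example,DC=local",
                       "sAMAccountName", "test1"))                        # None
```

The last call shows the context restriction Kieran describes: the student account exists, but it sits under OU=Students, so a staff-only ldap_contexts never finds it and the login is refused rather than the search erroring. Passing a filter that is not wrapped in parentheses to `simulated_search` raises the same "Bad search filter" condition Bill saw from `ldap_search()`.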

In reply to Lael ...

Re: Active Directory Users can't log in

by R Thomas -

YOU ARE THE MAN!!!!

Thank you thank you thank you!