LDAP authentication and changing passwords via Moodle

LDAP authentication and changing passwords via Moodle

by Dave Shearan -
Number of replies: 8

We have LDAP authentication working with our Moodle 1.9.3 installation. We are a WAMP installation with an Active Directory network. What we can't get working is the ability for users to change their AD passwords from inside Moodle.

I have read, researched and tested pretty thoroughly but now I'm stuck.

When we attempt a password change we see the following error:

Warning: ldap_modify() [function.ldap-modify]: Modify: Server is unwilling to perform in D:\VLE\moodle\auth\ldap\auth.php on line 1299

Our network guy created a new bind-user for this purpose but we have also tried it using an admin account with exactly the same result.

There are some references in the documentation to using the LDAPS protocol but they don't make it clear whether this is actually a requirement. Our network guy says that there are know problems using this protocol with Windows 2003 servers and I don't know any different - any clues here?

Also there is a wooly reference in the documentation to making sure that LDAP will allow Moodle to change passwords. I didn't understand that at all.

Any help would be appreciated.

Average of ratings: -
In reply to Dave Shearan

Re: LDAP authentication and changing passwords via Moodle

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

There are some references in the documentation to using the LDAPS protocol but they don't make it clear whether this is actually a requirement

Yes, this is a requirement. Active Directory refuses to do any modifications on non-encrypted connections.

Our network guy says that there are know problems using this protocol with Windows 2003 servers and I don't know any different - any clues here?

I did all the development using a Windows 2003 server, so as far as I know it works as expected smile

Saludos. Iñaki.

Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP authentication and changing passwords via Moodle

by Dave Shearan -

Saludos Iñaki - I will get back to the network guy/guru and hopefully convince him that we should be able to do this.

I appreciate your very quick response. Muchas gracias

Dave

Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP authentication and changing passwords via Moodle

by Dave Shearan -

OK Iñaki - the immediate response from our network guy (let's call him Buck) is shown below - can you point me/him in the right direction?

"I have attempted to use LDAPS with no avail. There is a test you can do that checks the availability of LDAPS via the DC - this test failed using a Moodle forum suggested Windows support tool to check the connection was possible. This is positive as it narrows down the potential of the issue.

Perhaps post a follow up mentioning that currently the DC wont accept SSL connections on port 636, and ask what prep is required for the DC for this to work? "

Average of ratings: -
In reply to Dave Shearan

Re: LDAP authentication and changing passwords via Moodle

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

I'm pretty sure this is documented in the MS Technet (but don't have a link at hand), but you need to install Certificate Services first.

You've got all the details at http://docs.moodle.org/en/LDAP_authentication#Using_LDAPS_.28LDAP_.2B_SSL.29 and the links available there.

Saludos. Iñaki.

Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP authentication and changing passwords via Moodle

by Dave Shearan -

Thank you again Iñaki. Do you know that if one follows instructions carefully that it is possible to make something work?wink

A little bit of persistence with our network team and 'hey presto' it works.

However since getting that working we have now hit a different problem which again I have not been able to find an answer for on the forums. This problem only occurs when using Moodle from the outside world.

Users are being redirected to HTPPS:// equivalents of the Moodle pages instead of to HTTP:// pages. We are only configured to use HTTPS:// for the login process. The effects are pretty weird and cause displacement of some of the objects on the screen (I think caused becase the CSS can't be accessed but I'm not sure).

All external access is via an ISA server whereas on the internal network the proxy server is bypassed. Do you have any solution to this?

Hopefully, Dave

Average of ratings: -
In reply to Dave Shearan

Re: LDAP authentication and changing passwords via Moodle

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
I'm afraid ISA Server is a black hole for me. I've never used it, but I've seen a couple or three posts in the forums with a similar problem, and all of them mentionned ISA server.

Maybe you should find some ISA Server guru that can help you with this.

Saludos. Iñaki.
Average of ratings: -
In reply to Dave Shearan

Re: LDAP authentication and changing passwords via Moodle

by Guy Thomas -
Picture of Core developers Picture of Plugin developers
Hi Dave.

I've tried to do this with active directory myself and it has never worked for me.

I just came across this PHP code to do it. It may be worth your while to see if you can get it to work outside of moodle with this code:

http://snippets.dzone.com/posts/show/4059

Guy
Average of ratings: -
In reply to Guy Thomas

Re: LDAP authentication and changing passwords via Moodle

by Dave Shearan -

Thanks Guy,

That was an area I was going to explore. I may give that a try when my current line of enquiry breaks down - watch this space anyway because if we do get this working it may help you?

I know that it will work but I'm stuck in the middle because the problems seem to be at the network configuration end and I don't have the experience or the access rights to get into that.

Cheers

Dave

Average of ratings: -