MS AD - LDAP

by Paul Meulman -
Number of replies: 8

Hello,

I want to enable the login for all the users in our Active Directory. Users are split up in different OUs and are some levels deep.

I can log in as an administrator if I add the context CN=Users,DC=domain,DC=local.  I enabled search subcontext. I am new with the ldap context. Is there a simple method so Moodle can find from the top all the users?

In reply to Paul Meulman

Re: MS AD - LDAP

by Colin Fraser -
<rant class="social_impact">
I am sorry if my comments offend anyone here, but why assume that it is Moodle that will, or even should, be able to solve all such issues? There isn't a network admin that does not get serious issues with getting Moodle to work with LDAP. If Microsoft designed AD properly, and/or were a lot clearer about how it works, then the majority of issues could be resolved easily, or at least considerably more easily than they are now.

Microsoft's inherent arrogance in their assertions that they know best and we should not worry about it manifests itself in this kind of nonsense. My recommendation to anyone is to drop Microsoft and use Open Source - even if my own workplace is just as stuck on such issues. I understand the old saying that I should not wish too hard, but the reality is that we, as a society, can no longer afford the Western Price model, nor proprietary interests, like we have always done. This sort of nonsense is the end result: integration, although never easy, becomes almost impossible without huge, expensive and extremely complex support systems.
</rant>

Sorry.. away for a bit, back again..

The structure of the LDAP does not lend itself easily to resolution of this problem, and I am not sure if there is a single solution that works for everyone. Or rather, if there is, no-one is saying. The information in MoodleDocs seems to be accurate, but it does not always work - which leads me to think one size does not fit all.

At some time in the next decade or so, I am hoping to get enough time to sort some of these issues through and if I find a resolution, I will post it. In the meantime, please feel free to look at all the documentation and if there is anything there you think wrong, post an alternative in the page comments and invite others to look at it and add to it.

Here is one thread on it that might help.
In reply to Colin Fraser

Re: MS AD - LDAP

by Paul Meulman -

Oh thanks for your reply, I will test this next week. Although I could do without the MS bashing. Many organizations work with MS AD so why not work together instead of negativism.

Anyway the thread seems promising

In reply to Paul Meulman

Re: MS AD - LDAP

by Colin Fraser -
Do not misunderstand, I have genuine criticism of Microsoft products - for genuine reasons. This is not blind arrogance, or negativity, or an anti-MS bias, rather the considered position of a concerned Netizen who acknowledges that much of what Microsoft has done is of an excellent standard and they have made great contributions to IT. What does concern me is that Microsoft has also abused its market position, released some seriously deficient products using the "95% Rule" as justification, squelched potential rivals, and has unreasonably garnered a reputation for being a "market leader" while doing so and is clearly not a leader. You only have to read GM's response (if true) to Bill Gates's assertions that the US car industry should adopt similar practices to Microsoft to become a much better industry, to understand the point. Also, more openly and accurately, these things were clearly laid out in the Anti-Trust case brought against Microsoft, even though I understand they are still fighting it.

This forum is about Moodle, not Microsoft and although I am getting off track here, I am seriously concerned that the poor architecture of a major product is having a serious impact on third party developments, and not just Moodle. I come back to my original point, should Moodle, or any other product for that matter, be required to make superhuman efforts to be able to use Microsoft's AD and LDAP? Where does the issue lie? Where does the responsibility lie? Moodle or Microsoft? I suggest the latter, it is their architecture, and their unwillingness to share their full knowledge in this area in any manner other than superficially. No transparency here at all.

As this leaves people like you, with genuine issues, in the difficult position of having to patch stuff up that you should not have to, it is grossly unfair.
In reply to Paul Meulman

Re: MS AD - LDAP

by Jon Witts -
Paul,

Can you please explain your AD OU structure in a little more detail? I have all of my users authenticating fine from M$ AD. I am sure we can help you along.

Jon
In reply to Jon Witts

Re: MS AD - LDAP

by Paul Meulman -

OK Jon,

We have the users stored in separate OUs, separated by location (schools) and function.

First Location OU - Users OU - function OU (4).

OU=Group,OU=Users,OU=location,DC=domain,DC=local (because of privacy etc. real names have been replaced).

So the users are stored in a 3 level deep OU structure. Not too exciting I thought.

In reply to Paul Meulman

Re: MS AD - LDAP

by Paul Meulman -

Warning: ldap_search() [function.ldap-search]: Search: Operations error in C:\XAMPP\htdocs\moodle\auth\ldap\auth.php on line 1683

Warning: ldap_first_entry() expects parameter 2 to be resource, boolean given in C:\XAMPP\htdocs\moodle\auth\ldap\auth.php on line 1691

Strange, when I change the ldap path to the correct path I receive this error and a login error. When I change this back to CN=Users,DC=domain,DC=local there is no error. I can log in as a domain administrator, because this user can be found in this 'OU'.

In reply to Paul Meulman

Re: MS AD - LDAP

by Paul Meulman -

OK we found the solution.....

CN=USERS,DC=DOMAIN,DC=local;OU=OOP,OU=Gebruikers,OU=LOCATION,DC=DOMAIN,DC=local;

This is possible with the following settings....

'Search Subcontext' = YES

'Dereference Aliases'= YES

'User attribute' = sAMAccountName

'Member attribute' = member

Voila, users found in the OU can log in with their AD account
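
To make it easier to see why the two-context setting above works, here is an added illustration (not Moodle's own code and not from any poster in this thread) of how Moodle's auth_ldap 'Contexts' and 'Search subcontexts' settings decide which accounts a login lookup can reach. The directory is a constructed in-memory stand-in with placeholder DNs and usernames, modelled on the 3-level OU layout described earlier (OU=Group,OU=Users,OU=location,DC=domain,DC=local plus the built-in CN=Users container); it goes a bit beyond the thread by showing the same contexts with subcontext search switched off, and by putting the context one OU level higher so that every function OU beneath it is covered by a single entry.

```python
# Added illustration (not Moodle's own code): how Moodle's auth_ldap
# 'Contexts' (semicolon-separated base DNs) and 'Search subcontexts'
# (one-level vs subtree search scope) determine which users are found.
# Every DN, account name and the whole directory below are constructed.

LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE = "base", "onelevel", "subtree"

# Constructed stand-in for the forest described in the thread: the built-in
# Users container plus users sitting in a three-level-deep OU tree.
DIRECTORY = [
    {"dn": "CN=Administrator,CN=Users,DC=domain,DC=local", "sAMAccountName": "administrator"},
    {"dn": "CN=Jane Doe,OU=Group,OU=Users,OU=location,DC=domain,DC=local", "sAMAccountName": "jdoe"},
    {"dn": "CN=Ann Smith,OU=Other,OU=Users,OU=location,DC=domain,DC=local", "sAMAccountName": "asmith"},
]


def parse_dn(dn):
    """Split a DN into its RDNs, leaf first, normalised for comparison.
    Attribute types and values are compared case-insensitively, which is why
    'CN=USERS,DC=DOMAIN,DC=local' in the fix matches 'CN=Users,DC=domain,DC=local'.
    (Escaped commas inside values are not handled; none occur in the thread.)"""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def in_scope(entry_dn, base_dn, scope):
    """True if a search at base_dn with the given scope would return entry_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    # The entry must sit under the base: the base DN is a suffix of the entry DN.
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)          # 0 = the base itself, 1 = direct child, ...
    if scope == LDAP_SCOPE_BASE:
        return depth == 0
    if scope == LDAP_SCOPE_ONELEVEL:
        return depth == 1                   # ldap_list(): only direct children
    return True                             # ldap_search(): base and everything beneath


def parse_contexts(setting):
    """Moodle's 'Contexts' field: one or more base DNs separated by ';'
    (a trailing ';' as in the thread's setting is harmless)."""
    return [c.strip() for c in setting.split(";") if c.strip()]


def find_user(username, contexts, search_subcontexts,
              user_attribute="sAMAccountName", directory=DIRECTORY):
    """Mimic auth_ldap: try each context in turn and return the first matching DN.
    With 'Search subcontexts' = NO the lookup is one level deep only."""
    scope = LDAP_SCOPE_SUBTREE if search_subcontexts else LDAP_SCOPE_ONELEVEL
    for context in contexts:
        for entry in directory:
            if (entry.get(user_attribute, "").lower() == username.lower()
                    and in_scope(entry["dn"], context, scope)):
                return entry["dn"]
    return None


def found_users(contexts_setting, search_subcontexts):
    """Which of the constructed accounts could log in with these two settings."""
    contexts = parse_contexts(contexts_setting)
    return sorted(e["sAMAccountName"] for e in DIRECTORY
                  if find_user(e["sAMAccountName"], contexts, search_subcontexts))


if __name__ == "__main__":
    # The original post's setting: only the built-in Users container is searched.
    print(found_users("CN=Users,DC=domain,DC=local", True))
    # The thread's fix generalised one level up: a second context covering the
    # location's Users OU, with 'Search subcontexts' = YES.
    fix = "CN=USERS,DC=DOMAIN,DC=local;OU=Users,OU=location,DC=domain,DC=local;"
    print(found_users(fix, True))
    # Same contexts but 'Search subcontexts' = NO: the function OUs are missed.
    print(found_users(fix, False))
```

Only the context list and the search scope are modelled here; the thread's other settings ('Dereference aliases' and 'Member attribute') and real AD behaviour such as referrals are not, so treat this as a way to reason about which base DN and scope reach a given OU, not as a substitute for testing against the directory.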

In reply to Paul Meulman

Re: MS AD - LDAP

by Colin Fraser -
OK, the question now has to be, why Xampp? Is this the Xampp-Lite/Moodle installation? Or the Friends of Apache Xampp?

Not really a good idea to be using Xampp-Lite/Moodle package for a production server, if that is what you are doing. This package was, I am given to understand, developed for a simple installation for standalone computers. As a drawback, I have found the Xampp-lite/Moodle installation to be somewhat resource hungry. It is OK for up to about 25 simultaneous users, but performance can degrade after that.

There is no reason why IIS, PHP and MSSQL could not be used on a Windows server; that combination is adequate to the task. The better option is Apache, MySQL and PHP, a WAMP. Not because they are not Microsoft products, but because, as I understand it, Moodle was developed in the Linux-AMP environment, a LAMP. Go with the WAMP, not the Xampp.

Perhaps you might want to look at this document before you go any further.