LDAP trouble.

by Dan Marsden -
Number of replies: 12

I'm having a bit of trouble with the Ldap enrolment using NDS - any tips Martin L?

I'm getting the following errors, which I'm guessing have something to do with the enrol_ldap_student_contexts:

Warning: ldap_list():Search No such object in e:\...\enrol\ldap\enrol.php on line 524

Warning: ldap_get_entries(): supplied argument is not a valid ldap resource in e:\...\enrol\ldap\enrol.php on line 528

Warning: ldap_list():Search Bad search filter in e:\...\enrol\ldap\enrol.php on line 524

Warning: ldap_get_entries(): supplied argument is not a valid ldap resource in e:\...\enrol\ldap\enrol.php on line 528

I am using the following settings:

enrol_ldap_student_contexts:

enrol_ldap_student_memberattribute:

enrol_ldap_objectclass:

enrol_ldap_course_idnumber:

Update local data No Yes
Lock value No Yes

An example of a course in nds is:
ACCT101.Courses.Student.dom

can anyone see anything that might be tripping me up?

thanks,

Dan

In reply to Dan Marsden

Re: LDAP trouble.

by Dan Marsden -

I've got a bit of debug info - I was trying to see if I could guess the problem - but I'm still none the wiser - I also notice the actual settings I used didn't show in the post above, so I'll post those details as well.

enrol_ldap_host_url: ldap://mydomain.com
enrol_ldap_student_contexts: ou=Courses,ou=student,o=dom
enrol_ldap_student_memberattribute: groupMembership
enrol_ldap_objectclass: groupOfNames
enrol_ldap_course_idnumber: cn

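I used this code for debug around line 510 enrol.php:
foreach ($ldap_contexts as $context) {
    // Assign the trimmed value ("==" only compared it and discarded the result).
    $context = trim($context);
    echo "<br>connection:";
    echo $ldap_connection;
    echo "<br>context:";
    echo $context;
    echo "<br>ldap_search:";
    echo $ldap_search_pattern;
    echo "<br>ldap_fields:";
    echo $ldap_fields_wanted; // an array, so this prints "Array"
    // ... rest of the original loop body ...
}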

And I got this debug:
connection:Resource id #29
context:ou=Courses,ou=student,o=lu
ldap_search: (&(objectclass=groupOfNames)(groupMembership=))
ldap_fields:Array
connection:Resource id #33
context:
ldap_search: (&(objectclass=groupOfNames)(=))
ldap_fields:Array

In reply to Dan Marsden

Re: LDAP trouble.

by Martín Langhoff -
I can already spot a few problems:

ldap_search: (&(objectclass=groupOfNames)(groupMembership=))

this is an invalid search: (groupMembership=) needs something after the equal. In fact, it shouldn't be there at all. Hmmm.

context: (why is this empty!?)

ldap_search: (&(objectclass=groupOfNames)(=))

The lonely = sign is a problem. Sounds like you are missing fields.

What do your users have in the idnumber field?
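
A defensive way to build the search inputs discussed in the reply above, so that blank settings fail early instead of reaching the server as "(groupMembership=)" or "(=)". This is an added example, not part of the thread and not Moodle's own code: the function names are hypothetical, the semicolon separator for the context list is an assumption, and it needs PHP's ldap extension for ldap_escape().

```php
<?php
// Added example; example_* names are hypothetical, not Moodle functions.

// Split a context list and drop blank entries, so a stray separator cannot
// yield an empty search base (the empty "context:" in the debug output).
function example_split_contexts(string $raw, string $sep = ';'): array {
    $contexts = array_map('trim', explode($sep, $raw)); // $sep is an assumption
    return array_values(array_filter($contexts, static function ($c) {
        return $c !== '';
    }));
}

// Build (&(objectclass=X)(attr=value)), refusing any blank part.
function example_member_filter(string $objectclass, string $attr, string $member): string {
    $parts = ['objectclass' => $objectclass, 'member attribute' => $attr,
              'member value' => $member];
    foreach ($parts as $name => $value) {
        if (trim($value) === '') {
            throw new InvalidArgumentException("LDAP $name is empty");
        }
    }
    // Attribute names cannot be escaped, so restrict them to descriptor characters.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attr)) {
        throw new InvalidArgumentException("Bad attribute name: $attr");
    }
    // Values are escaped for filter context (*, (, ), \ and NUL).
    return sprintf('(&(objectclass=%s)(%s=%s))',
        ldap_escape($objectclass, '', LDAP_ESCAPE_FILTER),
        $attr,
        ldap_escape($member, '', LDAP_ESCAPE_FILTER));
}

// Constructed sample input, reusing values quoted in the thread.
print_r(example_split_contexts('ou=Courses,ou=student,o=dom; '));
echo example_member_filter('groupOfNames', 'groupMembership',
                           'cn=user,ou=student,o=domain'), "\n";
try {
    example_member_filter('groupOfNames', 'groupMembership', '');
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```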
In reply to Dan Marsden

Re: LDAP trouble.

by Martín Langhoff -
Dan,

I'm not familiar with NDS, so I have no idea what the tree looks like, and what a user record looks like. Can you give me a few hints, for instance where the users are, and a couple of example records?

Petri has, in 1.5, committed a series of "meta-configurations" that contain the correct values for a series of setups, including NDS. Perhaps you could take a look at the 1.5 code and see what the suggested config looks like.
In reply to Dan Marsden

Update on LDAP Enrolment with NDS

by Dan Marsden -

After some off-line conversations with Martin L, we have discovered that this plug-in isn't really ready to use with NDS yet.

the idnumber field inside the Mdl_user database needs to be populated with the full context of a user - eg:
"cn=user,ou=student,o=domain"
There are a couple of problems with this: - the field itself has a size of 12 in the db, so for it to be used in this way, you must change the allowed size of the field to a higher value. There also isn't an easy way of getting the full context of a user and then storing it in the field above when the user logs on (using the LDAP auth module) - if anyone has a "lightbulb" on this one, let me know!

another issue is that the idnumber field is no longer able to store a student id number or actual "number" it is now storing a "context" instead. - This could be fixed by creating a new field in the user_db called something like "context" - but this field shouldn't really be necessary - the ldap Enrol module should be able to run a query without having to know the context of a user.....

hopefully the module will be improved at some point to work with NDS!

smile

Dan

In reply to Dan Marsden

Re: Update on LDAP Enrolment with NDS

by Martín Langhoff -
Dan, to follow up on yesterday's thread, if you are using the LDAP Auth module, it should work by pointing idnumber (in auth) to cn. As you say, idnumber is relatively short, feel free to ALTER your table to fit your needs (and update truncate_userinfo() in moodlelib to match).

Does that help?
In reply to Martín Langhoff

Re: Update on LDAP Enrolment with NDS

by Dan Marsden -

Hi Martin,

pointing idnumber to cn doesn't work, as cn returns "user", what seems to be required in the idnumber field is the full context, eg: "cn=user,ou=group,o=organisation" - as this is what is stored in each group inside NDS - not just "user"

smile

Dan

In reply to Dan Marsden

Re: Update on LDAP Enrolment with NDS

by Martín Langhoff -
Sorry, I should have said "dn". Does DN work?
In reply to Martín Langhoff

Re: Update on LDAP Enrolment with NDS

by Dan Marsden -

DN returns "c"  - so nope, it doesn't work......

smile

Dan

In reply to Dan Marsden

Re: Update on LDAP Enrolment with NDS

by Martín Langhoff -
Then something is broken, it seems.

I am not familiar with NDS and its schemas, but the one thing that the LDAP standard defines is that DN is the Distinguished Name and should give you a string that is unique, and will retrieve the record unequivocally.

Other fields are left to any schemas you may want to use, but DN should be there. Hey, it's there in AD! ;)
In reply to Martín Langhoff

Re: Update on LDAP Enrolment with NDS

by Dan Marsden -
Dn seems to be there - this line from auth/ldap/lib.php runs fine and returns the context of the user correctly:
$user_dn = auth_ldap_find_userdn($ldap_connection, $username);
print $user_dn; //dansdebug
- it prints out:  cn=marsded3,ou=MQ,ou=student,o=domain

...but when it comes to these lines:

$user_info_result = ldap_read($ldap_connection,$user_dn,$CFG->ldap_objectclass, $search_attribs);

if ($user_info_result) {
    $user_entry = ldap_get_entries($ldap_connection, $user_info_result);
    foreach ($attrmap as $key=>$value){
        if(isset($user_entry[0][strtolower($value)][0])){
            $result[$key]=$user_entry[0][strtolower($value)][0];
            print $result[$key] . ":" . $value ."<br>"; //dansdebug
        }
    }
}
it prints out:
Daniel:givenName
Marsden:sn
marsded3@domain.com:mail
Student group:ou
c:dn
marsded3:cn

-note "dn" is returned as "c"

any ideas?

smile

Dan


In reply to Dan Marsden

Re: Update on LDAP Enrolment with NDS

by Martín Langhoff -
Try replacing your 'debug' line with:

print "$key:$result[$key]\n";

or, even better, do error_log() instead of print (and check your error_log). Does it work better?

Using print at that stage will probably break session management, and other cookie-setting activities. A PHP artifact I don't particularly like ;)
In reply to Martín Langhoff

Re: Update on LDAP Enrolment with NDS

by Dan Marsden -

Hi Martin,

both still return idnumber/dn  = "c"

sad
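
Why the loop posted earlier in the thread prints "c" for dn: ldap_get_entries() returns every attribute as a nested array of values, but "dn" as a plain string, so taking [0] of it selects the first character of "cn=...". This is an added example, not part of the thread or Moodle's code; the sample array is constructed in the shape ldap_get_entries() returns, and example_entry_value() is a hypothetical helper.

```php
<?php
// Constructed sample in the shape ldap_get_entries() returns.
// Attributes are arrays of values; "dn" is a plain string.
$user_entry = [
    'count' => 1,
    0 => [
        'cn'    => ['count' => 1, 0 => 'marsded3'],
        0       => 'cn',
        'count' => 1,
        'dn'    => 'cn=marsded3,ou=MQ,ou=student,o=domain',
    ],
];

// Hypothetical helper: read one mapped attribute, treating "dn" as the
// string it is instead of indexing into it.
function example_entry_value(array $entry, string $attr): ?string {
    $attr = strtolower($attr);
    if ($attr === 'dn') {
        return $entry['dn'] ?? null;
    }
    return $entry[$attr][0] ?? null;
}

// What the posted loop does: [0] on the DN string is its first character.
var_dump($user_entry[0]['dn'][0]);

// Reading "dn" as a string returns the full distinguished name.
var_dump(example_entry_value($user_entry[0], 'dn'));

// Ordinary attributes still come from index 0 of their value array.
var_dump(example_entry_value($user_entry[0], 'cn'));
```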