Authentication

Using multiple LDAP servers - Our students are on separate domain

 
Dallas Ray Smetter
Using multiple LDAP servers - Our students are on separate domain
Moodle Course Creator Certificate holders

In our active directory, staff are on the stisd.net domain. Students are at their respective campus' child domains.

mtstudentdom.stisd.net
betastudentdom.stisd.net
mhstudentdom.stisd.net
sastudentdom.stisd.net

Can I somehow add LDAP information for all of these?

 
Average of ratings: -
Martin Langhoff - Sailing
Re: Using multiple LDAP servers - Our students are on separate domain
 
Yep, you have two options:

ldap_contexts stisd.net
ldap_search_sub 1

or list the contexts separated by semicolons, like the instructions say ;)

ldap_contexts mtstudentdom.stisd.net;betastudentdom.stisd.net;mhstudentdom.stisd.net;sastudentdom.stisd.net

cheers.
 
Average of ratings: Useful (1)
Dallas Ray Smetter
Re: Using multiple LDAP servers - Our students are on separate domain
Moodle Course Creator Certificate holders
I had read that, but I think I would need to add multiple LDAP servers, not multiple contexts.

Currently the LDAP server on the Parent Domain is at LDAP://mail.stisd.net/
I then have context(s) for that and all works fine. Only staff are on this domain (stisd.net)

When I review the Active Directory Schema, I see that the students each are on a separate LDAP server. For instance, the Science Academy child domain is called sastudentdom.stisd.net. There is only one domain controller, sa_stud_dc.sastudentdom.stisd.net. The LDAP server is therefore LDAP://sa_stud_dc.sastudentdom.stisd.net/DC=sastudentdom,DC=stisd,DC=net

So, I think I would need the capability to use mulitple LDAP servers, right? OR can the LDAP server on the top level domain access information on the LDAP servers in the child domain?

I would try it, but this is a production server and I don't currently have one I can test on. I appreciate any insight you can give me.

 
Average of ratings: -
Martin Langhoff - Sailing
Re: Using multiple LDAP servers - Our students are on separate domain
 
Oh, you have the contexts split in many servers? See http://moodle.org/mod/forum/discuss.php?d=8508#94017

In a nutshell, an LDAP server can be configured to be "at the top" and resolve/delegate for the child domains. Moodle has limited support for 'multiple LDAP servers' but it assumes they all have the same data.
 
Average of ratings: -
Picture of arvind grover
Re: Using multiple LDAP servers - Our students are on separate domain
 
With Windows 2000 domains, LDAP servers should be able to search up and down the tree, including child domains because internal cross-references are set up by the system. "...any domain controller can generate referrals to any other domain in the forest, as well as to the scheme and configuration directory paritions" (from: Finding Information in Active Directory, see LDAP referrals on the left)
This sounds great from Microsoft, but it is not working for us right now. Moodle authenticates fine against the top level domain, but the child domains aren't being seen. We are trying to figure out how to manually create a cross-reference thereby allowing the top level domain to refer LDAP queries to lower level (child) AD's.

if you solved this problem, please post a note.
 
Average of ratings: -
Picture of arvind grover
Re: Using multiple LDAP servers - Our students are on separate domain
 
ok, i figured out how to do this with active directory. instead of using a ldap or ldaps port, use port 3268, which is active directory's port for the global catalog. this will allow moodle to see all of the domains in the tree, and run an ldap query to the correct child domain.

just add port to the ldap_server field: ldap://www.mydomain.com:3268

no need to configure for multiple servers.
 
Average of ratings: Useful (3)
Martin Langhoff - Sailing
Re: Using multiple LDAP servers - Our students are on separate domain
 
Really interesting! Is there documentation for this somewhere? Whre did you learn about it?
 
Average of ratings: -
Picture of arvind grover
Re: Using multiple LDAP servers - Our students are on separate domain
 
Take a look at the first couple sections of the Microsoft documentation Finding Information in Active Directory - http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_bsad.asp

It does a good job of explaining why using port 389 restricts you to one domain, while using port 3268 (global catalog) allows you access to the entire tree. The documentation suggests that using port 389 should give you child domain referrals, but that didn't seem to work for me.

 
Average of ratings: Useful (1)
Picture of Mike Tupker
Re: Using multiple LDAP servers - Our students are on separate domain
 

I'm new to moodle and am trying to get Active Directory authenitcation working in any way shape or form. We have a single domain setup running on Server 2000. Moodle is version 1.5.2+ running on the moodle for windows install which uses php 5, apache, and mysql.

Right now I get this message:
LDAP-module cannot connect any LDAP servers:

I guess I need to know exactly how the ldap_host_url: field should be formatted to connect to a server 2000 domain controler.

Thanks,
Mike

 
Average of ratings: -
Picture of Crafton Williams
Re: Using multiple LDAP servers - Our students are on separate domain
Core developers
Wow! very interesting, and it actually works great!
 
Average of ratings: -
Dallas Ray Smetter
Re: Using multiple LDAP servers - Our students are on separate domain
Moodle Course Creator Certificate holders
Perfect! Thank you!
 
Average of ratings: -
Picture of Dick Tao
Re: Using multiple LDAP servers - Our students are on separate domain
 
Looks like it is a happy ending but I run into a strange problem in my windows 2000 multi-domain environment. Instead of all the accounts in the child domains being able to log in, the accounts only in the root domain and the first child domain can log in. Anybody knows why?
 
Average of ratings: -
Picture of Mark Fritz
Re: Using multiple LDAP servers - Our students are on separate domain
 
This might not be it but is the primary server that you are authenticating against a global catalogue server? The GC server should store basic login attributes for the child domains as well.
 
Average of ratings: -
Rosario playing soccer
Re: Using multiple LDAP servers - Our students are on separate domain
Plugin developers

Hi,

I just ran into the very same problem on our Win2003 Domains:

ldap_host_url: stud_srv.stud.ournet -> Works fine, but only stud-accounts can log in

ldap_host_url: staff_srv.staff.ournet -> Works fine, but only staff-accounts can log in

ldap_host_url: globalCat_srv.ournet -> ERROR LDAP-module cannot connect any LDAP servers

ldap_host_url: globalCat_srv.ournet:3268 -> LDAP-module cannot connect any LDAP servers

When I use the ldp.exe utility on the moodle server, I can get every LDAP information I want with all three mentioned servers and Ports.

So what is wrong in that moodle-LDAP-Module? Or maybe in my Setup?

 
Average of ratings: -
Rosario playing soccer
Re: Using multiple LDAP servers - Our students are on separate domain
Plugin developers
I must apologize, I just gave it another chance and test and found a strange combination that works. Maybe this is due to the delay in AD replication. So I will post my settings tomorrow, when replication is shurely finished.
 
Average of ratings: -
Rosario playing soccer
Re: Using multiple LDAP servers - Our students are on separate domain
Plugin developers

Ok, I'm back again and finished my tests. Replication did not solve the problem, so I have to keep the strange configuration I mentioned. What I wrote in my first post is still valid.

Our configuration:

- classic MS Active Directory forest with three-domain model: one root-domain and two child-domains, one for students and one for staff employees

- so the root-domain can be used as global catalog on port 3268, as already mentioned in this thread

- the moodle server itself is a member-server of the stud-domain, running on win2003 server

ldap_host_url: root_srv.ournet:3268 -> Works fine as global catalog

ldap_bind_dn: cn=LDAPuser,ou=Users,dc=stud_domain,dc=ournet

ldap_bind_pw: LDAPuser-pw on stud_srv

ldap_user_type: MS ActiveDirectory

ldap_contexts: ou=OurUsers,dc=staff_domain,dc=ournet;ou=OurUsers,dc=stud_domain,dc=ournet

ldap_search_sub: YES

ldap_opt_deref: NO

ldap_user_attribute: sAMAccountName

ldap_memberattribute:

ldap_objectclass: ObjectClass=Person

- note that 'ournet' can be splitted in more sub dc-components

What I called 'strange' is the fact that I get an Error if I use a BIND account on the global-catalog-server (root_srv) itself. If I use an account either on stud_domain or staff_domain, everything works fine now. First I thought that replication had possibly not finished when I wanted to use the freshly created LDAPuser on the root_domain. But this morning the error continued to appear. So I decided to use definitely the LDAPuser on our stud_domain.

DO NOT forget to remove the LDAPuser out of the Domain-Users Group, to be shure, this account has only few privileges. You have to add it to the group of Domain Guests first, and make this group the primary group of the account, otherwise you are not able to remove the account from the Domain-Users Group. Interactive Logon should also be DENIED for this user, but I do not know to do this. Maybe in a user or group policy.

Despite the fact that I use LDAPuser on the students_domain for the BIND, even staff_domain accounts can log into moodle. Which was not possible with the settings in my first post.

If anybody has further suggestions, I'll be glad to know them.

 
Average of ratings: -
Picture of Rafael Alvarez Garcia
Re: Using multiple LDAP servers - Our students are on separate domain
 
Hi

Sorry by mi english.

I have two different LDAP and I have modified my moodle and I can authenticate without problem. I don't matter if the person is in the MAIN LDAP or in the AUXILIAR LDAP.

The MAIN LDAP has a referral to AUXILIAR LDAP.

Firstly I search the person by LDAP and get the DN, distinguished name, of the person and later I do bind against MAIN LDAP. If the authethicated is OK retun true if it is false i try against AUXILAR LDAP. If the authenthicated is OK return true if it is false i return false.

I have modified the auth/ldap/lib.php and auth/ldap/config.html by to read config both LDAP

See you, Rafael

PD. I post the code
 
Average of ratings: -
Picture of Juan David Martínez Pavony
Re: Using multiple LDAP servers - Our students are on separate domain
 

Hello.

This is it!

Thank you very much Arvind.

For anyone who need detailed info, take note for LDAP setup on Moodle:

1. ldap_host_url: yourActiveDirectoryMainDomainServer:3268

"yourActiveDirectoryMainDomainServer" can be the IP address or the host name (192.x.y.z or myADserver.myDomain.bla; I prefer IP address). You do not have to write "ldap://" to get it working. No need to write multiple servers (like 1.x.y.z;2.x.y.t;4.x.z.a) only the primary one.

2. ldap_bind_dn: ADuser

"ADuser" can be like cn=ldapuser,ou=public,o=org (like Moodle help says) or AnUser@myADserver.myDomain.bla (I use last one).

3. ldap_contexts: ADMainDomainRoot

"ADMainDomainRoot" can be DC=myDomain,DC=bla (according to my example). In other words, can be root on Main Domain. No need to include several contexts where users live.

4. ldap_search_sub: YES (off course, so a deep search can be done).

5. ldap_opt_deref: NO (I think it is not relevant; I tried YES and NO without changes).

6. Finally, for those with Firewall and Internet environments you HAVE to open port 3268 ONLY from Moodle server to yourActiveDirectoryMainDomainServer. No need to open 389, 636 nor 3269.

Enjoy your LDAP login!

 
Average of ratings: -
Picture of Iñaki Arenaza
Re: Using multiple LDAP servers - Our students are on separate domain
Core developersDocumentation writersParticularly helpful MoodlersPlugin developers

6. Finally, for those with Firewall and Internet environments you HAVE to open port 3268 ONLY from Moodle server to yourActiveDirectoryMainDomainServer. No need to open 389, 636 nor 3269.

In fact, this is only true if you are connecting to the domain controller (DC) that has the Global Catalog (GC) role. If you have multiple DCs in your domain, then only one of them will have the GC role (in fact, there is only one GC per AD Forest, so watch out).

If you have only one AD domain with just one DC, then the above makes sense (it will have de GC role). In any other situation, you have to make sure you are really talking to your GC. Otherwise you won't get any responses back unless you connect to port 389 (LDAP) or 636 (LDAPS).

Sauldos. Iñaki.
 
Average of ratings: Useful (1)
Picture of Amer Hamade
Re: Using multiple LDAP servers - Our students are on separate domain
 
Arvind
I did as you said: ldap://www.mydomain.com:3268 but i am still unable to search second level OUs. Users who belong to these OUs login but do not get enrolled! How did you solve this?

Thank you lots
 
Average of ratings: -
Norman Reyes
Re: Using multiple LDAP servers - Our students are on separate domain
 

I have a concern which i would appreciate you help me solve.

In the company I work with Moodle 1.9.8, which uses authentication through Active Directory (LDAP). Due to the growth of the company  some users are required to enter from Mexico they used to Active Directory to authenticate its own which is totally independent of the above, is it possible to authenticate through LDAP's two simultaneously being fully independent?

Thanks?

Norman.

 

 
Average of ratings: -