Using multiple LDAP servers - Our students are on a separate domain
or list the contexts separated by semicolons, like the instructions say ;)
Currently the LDAP server on the Parent Domain is at LDAP://mail.stisd.net/
I then have context(s) for that and all works fine. Only staff are on this domain (stisd.net)
When I review the Active Directory Schema, I see that the students each are on a separate LDAP server. For instance, the Science Academy child domain is called sastudentdom.stisd.net. There is only one domain controller, sa_stud_dc.sastudentdom.stisd.net. The LDAP server is therefore LDAP://sa_stud_dc.sastudentdom.stisd.net/DC=sastudentdom,DC=stisd,DC=net
So, I think I would need the capability to use multiple LDAP servers, right? OR can the LDAP server on the top level domain access information on the LDAP servers in the child domain?
I would try it, but this is a production server and I don't currently have one I can test on. I appreciate any insight you can give me.
In a nutshell, an LDAP server can be configured to be "at the top" and resolve/delegate for the child domains. Moodle has limited support for 'multiple LDAP servers' but it assumes they all have the same data.
This sounds great from Microsoft, but it is not working for us right now. Moodle authenticates fine against the top level domain, but the child domains aren't being seen. We are trying to figure out how to manually create a cross-reference thereby allowing the top level domain to refer LDAP queries to lower level (child) AD's.
If you solved this problem, please post a note.
Just add the port to the ldap_server field: ldap://www.mydomain.com:3268
No need to configure for multiple servers.
It does a good job of explaining why using port 389 restricts you to one domain, while using port 3268 (global catalog) allows you access to the entire tree. The documentation suggests that using port 389 should give you child domain referrals, but that didn't seem to work for me.
I'm new to Moodle and am trying to get Active Directory authentication working in any way, shape or form. We have a single domain setup running on Server 2000. Moodle is version 1.5.2+ running on the Moodle for Windows install, which uses PHP 5, Apache, and MySQL.
Right now I get this message:
LDAP-module cannot connect any LDAP servers:
I guess I need to know exactly how the ldap_host_url: field should be formatted to connect to a Server 2000 domain controller.
I just ran into the very same problem on our Win2003 Domains:
ldap_host_url: stud_srv.stud.ournet -> Works fine, but only stud-accounts can log in
ldap_host_url: staff_srv.staff.ournet -> Works fine, but only staff-accounts can log in
ldap_host_url: globalCat_srv.ournet -> ERROR LDAP-module cannot connect any LDAP servers
ldap_host_url: globalCat_srv.ournet:3268 -> LDAP-module cannot connect any LDAP servers
When I use the ldp.exe utility on the Moodle server, I can get all the LDAP information I want from all three mentioned servers and ports.
So what is wrong in that Moodle LDAP module? Or maybe in my setup?
Ok, I'm back again and finished my tests. Replication did not solve the problem, so I have to keep the strange configuration I mentioned. What I wrote in my first post is still valid.
- classic MS Active Directory forest with three-domain model: one root-domain and two child-domains, one for students and one for staff employees
- so the root-domain can be used as global catalog on port 3268, as already mentioned in this thread
- the moodle server itself is a member-server of the stud-domain, running on win2003 server
ldap_host_url: root_srv.ournet:3268 -> Works fine as global catalog
ldap_bind_pw: LDAPuser-pw on stud_srv
ldap_user_type: MS ActiveDirectory
- note that 'ournet' can be split into more sub dc-components
What I called 'strange' is the fact that I get an error if I use a BIND account on the global-catalog server (root_srv) itself. If I use an account on either stud_domain or staff_domain, everything works fine now. First I thought that replication had possibly not finished when I wanted to use the freshly created LDAPuser on the root_domain. But this morning the error continued to appear. So I decided to definitely use the LDAPuser on our stud_domain.
DO NOT forget to remove the LDAPuser from the Domain Users group, to be sure this account has only few privileges. You have to add it to the Domain Guests group first and make this group the primary group of the account, otherwise you are not able to remove the account from the Domain Users group. Interactive logon should also be DENIED for this user, but I do not know how to do this. Maybe in a user or group policy.
Despite the fact that I use the LDAPuser on the students_domain for the BIND, even staff_domain accounts can log into Moodle, which was not possible with the settings in my first post.
If anybody has further suggestions, I'll be glad to know them.
Sorry for my English.
I have two different LDAPs and I have modified my Moodle, and I can authenticate without problem. It doesn't matter if the person is in the MAIN LDAP or in the AUXILIARY LDAP.
The MAIN LDAP has a referral to the AUXILIARY LDAP.
First I search for the person via LDAP and get the DN (distinguished name) of the person, and then I bind against the MAIN LDAP. If the authentication is OK, return true; if it fails, I try against the AUXILIARY LDAP. If that authentication is OK, return true; if it fails, I return false.
I have modified auth/ldap/lib.php and auth/ldap/config.html to read the config for both LDAPs.
See you, Rafael
P.S. I am posting the code.
This is it!
Thank you very much Arvind.
For anyone who needs detailed info, take note of this LDAP setup on Moodle:
1. ldap_host_url: yourActiveDirectoryMainDomainServer:3268
"yourActiveDirectoryMainDomainServer" can be the IP address or the host name (192.x.y.z or myADserver.myDomain.bla; I prefer IP address). You do not have to write "ldap://" to get it working. No need to write multiple servers (like 1.x.y.z;2.x.y.t;4.x.z.a) only the primary one.
2. ldap_bind_dn: ADuser
"ADuser" can be like cn=ldapuser,ou=public,o=org (like the Moodle help says) or AnUser@myADserver.myDomain.bla (I use the last one).
3. ldap_contexts: ADMainDomainRoot
"ADMainDomainRoot" can be DC=myDomain,DC=bla (according to my example). In other words, it can be the root of the Main Domain. No need to include the several contexts where users live.
4. ldap_search_sub: YES (of course, so a deep search can be done).
5. ldap_opt_deref: NO (I think it is not relevant; I tried YES and NO without changes).
6. Finally, for those with firewall and Internet environments, you HAVE to open port 3268 ONLY from the Moodle server to yourActiveDirectoryMainDomainServer. No need to open 389, 636 nor 3269.
Enjoy your LDAP login!
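As an added example (not Moodle's own code, nor Rafael's patch), this is how the two approaches in this thread fit together in PHP's LDAP extension: the global catalog on port 3268 from the setup steps above as the first server, and Rafael's search-then-bind with fallback to a second, independent directory. Host names, the reader account, its password and the base DNs are constructed placeholders.

```php
// Added example (not Moodle's code): search-then-bind against an AD global
// catalog, then fall back to a second directory. Hosts/accounts/DNs are placeholders.
$servers = [
    // Forest root GC: port 3268 answers for every domain in the forest, so
    // this one entry covers both the staff and the student child domain.
    ['url' => 'ldap://root_srv.example.net:3268', 'base' => 'DC=example,DC=net',
     'bind_dn' => 'ldapreader@example.net', 'bind_pw' => 'CHANGE-ME'],
    // Unrelated second forest, e.g. another company site.
    ['url' => 'ldap://dc1.aux.example:3268', 'base' => 'DC=aux,DC=example',
     'bind_dn' => 'ldapreader@aux.example', 'bind_pw' => 'CHANGE-ME'],
];

// LDAPv3 with referral chasing off: AD returns referrals for partitions it
// does not hold, and chasing them is a common cause of connect errors.
function ad_connect(array $srv) {
    $conn = ldap_connect($srv['url']);
    if ($conn === false) return false;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}

// Look the user up with the low-privilege reader account; accept the DN only
// when exactly one object matches (sAMAccountName is unique per domain, not forest).
function ad_find_user(array $srv, string $username): ?string {
    $conn = ad_connect($srv);
    if ($conn === false || !@ldap_bind($conn, $srv['bind_dn'], $srv['bind_pw'])) return null;
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($conn, $srv['base'], $filter, ['dn']);   // subtree search
    $dn = ($res !== false && ldap_count_entries($conn, $res) === 1)
        ? (ldap_get_dn($conn, ldap_first_entry($conn, $res)) ?: null) : null;
    ldap_unbind($conn);
    return $dn;
}

// Find the DN, then bind with the user's own password. An empty password would
// be an anonymous bind that AD reports as success, so refuse it up front.
function ad_authenticate(array $servers, string $username, string $password): bool {
    if ($password === '') return false;
    foreach ($servers as $srv) {
        $dn = ad_find_user($srv, $username);
        if ($dn === null) continue;                  // not in this directory
        $conn = ad_connect($srv);
        $ok = $conn !== false && @ldap_bind($conn, $dn, $password);
        if ($conn !== false) ldap_unbind($conn);
        if ($ok) return true;
    }
    return false;
}
```

The reader account only ever performs the lookup; the user's credentials are checked by binding as the found DN, so a wrong password or an unknown account falls through to `false` without any password leaving the Moodle host except in that bind.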
If you have only one AD domain with just one DC, then the above makes sense (it will have the GC role). In any other situation, you have to make sure you are really talking to your GC. Otherwise you won't get any responses back unless you connect to port 389 (LDAP) or 636 (LDAPS).
I did as you said: ldap://www.mydomain.com:3268, but I am still unable to search second-level OUs. Users who belong to these OUs log in but do not get enrolled! How did you solve this?
Thank you lots
I have a concern which I would appreciate your help solving.
In the company where I work we use Moodle 1.9.8, which authenticates through Active Directory (LDAP). Due to the growth of the company, some users need to log in from Mexico; they use their own Active Directory to authenticate, which is totally independent of the one above. Is it possible to authenticate through two LDAPs simultaneously while they remain fully independent?