Ok, I'm back again and finished my tests. Replication did not solve the problem, so I have to keep the strange configuration I mentioned. What I wrote in my first post is still valid.
- classic MS Active Directory forest with three-domain model: one root-domain and two child-domains, one for students and one for staff employees
- so the root-domain can be used as global catalog on port 3268, as already mentioned in this thread
- the moodle server itself is a member-server of the stud-domain, running on win2003 server
ldap_host_url: root_srv.ournet:3268 -> Works fine as global catalog
ldap_bind_pw: LDAPuser-pw on stud_srv
ldap_user_type: MS ActiveDirectory
- note that 'ournet' can be split into more sub dc-components
What I called 'strange' is the fact that I get an error if I use a BIND account on the global-catalog server (root_srv) itself. If I use an account either on stud_domain or staff_domain, everything works fine now. First I thought that replication had possibly not finished when I wanted to use the freshly created LDAPuser on the root_domain. But this morning the error continued to appear. So I decided to definitely use the LDAPuser on our stud_domain.
DO NOT forget to remove the LDAPuser from the Domain Users group, to be sure this account has only a few privileges. You have to add it to the Domain Guests group first, and make this group the primary group of the account, otherwise you are not able to remove the account from the Domain Users group. Interactive logon should also be DENIED for this user, but I do not know how to do this. Maybe in a user or group policy.
Despite the fact that I use LDAPuser on the students_domain for the BIND, even staff_domain accounts can log into moodle, which was not possible with the settings in my first post.
If anybody has further suggestions, I'll be glad to know them.
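The least-privilege bind account described in the post, set up in the order the post requires (Domain Guests as primary group before leaving Domain Users) and then bind-tested against the global catalog on port 3268. This is an added example, not code from the post; it assumes the ActiveDirectory PowerShell module on a domain-joined admin host, and the OU path and the stud domain NetBIOS name are placeholders.

```powershell
# Added example: create the LDAPuser bind account for Moodle with minimal group
# membership, then verify it can bind to the global catalog (root_srv.ournet:3268).
Import-Module ActiveDirectory

$Name   = 'LDAPuser'
$Server = 'stud_srv'                                  # DC of the stud child domain, as in the post
$OUPath = 'OU=ServiceAccounts,DC=stud,DC=ournet'      # placeholder OU, adjust to your forest
$Cred   = Get-Credential -UserName "stud\$Name" -Message 'Password for the bind account'

New-ADUser -Name $Name -SamAccountName $Name -Path $OUPath -Server $Server `
    -AccountPassword $Cred.Password -Enabled $true -CannotChangePassword $true `
    -Description 'Moodle LDAP bind account (read-only directory lookups)'

# Domain Guests (RID 514) must be the primary group before the account can be
# removed from Domain Users (RID 513); AD refuses to remove a user's primary group.
Add-ADGroupMember    -Identity 'Domain Guests' -Members $Name -Server $Server
Set-ADUser           -Identity $Name -Server $Server -Replace @{ primaryGroupID = 514 }
Remove-ADGroupMember -Identity 'Domain Users'  -Members $Name -Server $Server -Confirm:$false

# Check the result: primary group 514 and no Domain Users membership left.
$u = Get-ADUser $Name -Server $Server -Properties primaryGroupID, memberOf
"{0}: primaryGroupID={1} memberOf={2}" -f $u.SamAccountName, $u.primaryGroupID, ($u.memberOf -join ';')

# Bind test against the global catalog, the same host:port Moodle uses in ldap_host_url.
# Touching NativeObject forces the simple bind; a wrong password or a blocked account throws.
$gc = New-Object System.DirectoryServices.DirectoryEntry(
    'LDAP://root_srv.ournet:3268/DC=ournet', $Cred.UserName, $Cred.GetNetworkCredential().Password)
try   { $null = $gc.NativeObject; 'GC bind OK' }
catch { "GC bind failed: $($_.Exception.Message)" }

# Denying interactive logon is not a per-user attribute: assign the 'Deny log on locally'
# user right (SeDenyInteractiveLogonRight) to this account in a GPO applied to the
# machines where it must never log on. Inspect the effective setting on a host with:
#   secedit /export /cfg C:\Temp\rights.inf   (then search for SeDenyInteractiveLogonRight)
```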