LDAP Authentication Problem

by Anuj Barthwal -
Number of replies: 5

Hi,

I have configured my LDAP. Only one user, which I created, is able to log in using LDAP; the other users are not able to log in using LDAP authentication, even though I have changed their authentication from manual to LDAP. Please suggest a solution. It's been more than 2 weeks and I haven't found the solution. Please find attached my LDAP config.

My email: anuj.barthwal@gmail.com

Moodle version 2.1

Note:

All the users are in the same OU, but still only one user (test) is working and the rest are not. When I create a new account with LDAP authentication, the database stores a password, but when I created the test user, which is able to log in using LDAP authentication, the password field says "not cached". Please suggest.

Attachment Moodle JIRA.PNG
In reply to Anuj Barthwal

Re: LDAP Authentication Problem

by Iñaki Arenaza -
Hi Anuj,

you should set the 'userattribute' setting to 'samaccountname' (without the quotes) if you want to use the Windows account name (what Microsoft calls the pre-Windows 2000 account name) to log in. See http://docs.moodle.org/22/en/LDAP_authentication for more details.

Saludos.
Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Authentication Problem

by Luis de Vasconcelos -

Iñaki, what do you do if you DON'T want to SSO the user into Moodle with the Windows account name?

When using MS-AD, what will Moodle do if you don't set 'samaccountname' as the 'userattribute'? Will it prevent SSO from working?

Thanks.

In reply to Luis de Vasconcelos

Re: LDAP Authentication Problem

by Iñaki Arenaza -

Luis, are you talking about NTLM SSO? (I suppose so, just want to be sure we are not talking about CAS, Shibboleth, etc.)

Saludos.
Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Authentication Problem

by Luis de Vasconcelos -

Yes, I'm referring to NTLM SSO. Thanks.

In reply to Luis de Vasconcelos

Re: LDAP Authentication Problem

by Iñaki Arenaza -
I would need to check the code more thoroughly, but at first glance I would say that not using 'samaccountname' as the 'user attribute' would break NTLM SSO (I'm strictly talking about NTLM SSO, I'm not 100% sure about Kerberos SSO).

The reason is that, as far as I've been able to check, when authenticating via IIS or Apache against a DC, you can only use NTLM or Kerberos (I'm excluding Basic and Digest Authentication here). NTLM is always a netbios-domainname\samaccountname value, and Kerberos is a (this is where I'm only 90% sure) samaccountname@dns-domainname value. So it's always samaccountname plus some extra details (and we strip those extra details in Moodle, as they are not relevant).

Which means that in Moodle we need to work out who the user is from the samaccountname. And we work out who the user is by searching in the LDAP directory an entry whose 'user attribute' value matches the value we get from the web server (i.e., the samaccountname). So if we don't use samaccountname as the 'user attribute' in Moodle, unless the attribute we use holds exactly the same value as the samaccount attribute, we are not going to find the user in the LDAP directory. Which in turn means the SSO login process is going to return with a fail, and we are not going to let the user in via SSO.

At least this is my understanding of the issue :-)

Saludos.
Iñaki.
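To make the lookup described in the two replies above concrete (the 'userattribute' advice and the explanation of how NTLM SSO maps the web-server user onto a directory entry), here is an added Python example. It is not Moodle's code and not Iñaki's; it models the two steps he describes: strip the domain part from the value the web server hands over (NETBIOS\name for NTLM, name@dns-domain for Kerberos), then search the directory for the single entry whose configured user attribute equals the bare account name. The directory contents, domain names and user entries are constructed sample data. With sAMAccountName as the user attribute the lookup succeeds; with cn, whose value is different, it returns nothing, which is the SSO failure the thread predicts. Because the looked-up value originates from the web server, the example also escapes it per RFC 4515 before building the filter; that escaping is an addition here, not something the thread discusses.

```python
import re

# Constructed stand-in for the directory: one OU, two users. Sample data only.
DIRECTORY = [
    {
        "dn": "CN=Test User,OU=Staff,DC=example,DC=local",
        "sAMAccountName": "test",
        "cn": "Test User",
        "userPrincipalName": "test@example.local",
    },
    {
        "dn": "CN=Anuj Barthwal,OU=Staff,DC=example,DC=local",
        "sAMAccountName": "abarthwal",
        "cn": "Anuj Barthwal",
        "userPrincipalName": "abarthwal@example.local",
    },
]


def strip_domain(remote_user: str) -> str:
    """Reduce the web server's REMOTE_USER to the bare account name.

    NTLM hands over NETBIOS\\samaccountname, Kerberos samaccountname@dns.domain
    (the forms described in the thread); anything else is passed through as-is.
    """
    if "\\" in remote_user:
        return remote_user.rsplit("\\", 1)[1]
    if "@" in remote_user:
        return remote_user.split("@", 1)[0]
    return remote_user


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value taken from the web server must not be able
    to change the structure of the search filter (no '*', '(', ')', '\\', NUL)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used by the toy directory search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(user_attribute: str, bare_name: str) -> str:
    """The equality filter a real client would send, e.g. (sAMAccountName=test)."""
    return "(%s=%s)" % (user_attribute, escape_filter_value(bare_name))


def search(ldap_filter: str):
    """Toy evaluator for a single equality filter against DIRECTORY.

    Only exact (case-insensitive, like AD's attribute matching) equality is
    supported; a wildcard only works if '*' reached here unescaped, which
    escape_filter_value prevents.
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        return []
    attribute, wanted = m.group(1), unescape_filter_value(m.group(2))
    return [e for e in DIRECTORY
            if e.get(attribute, "").lower() == wanted.lower()]


def sso_lookup(user_attribute: str, remote_user: str):
    """Return the DN of the SSO user, or None when the 'user attribute' does not
    hold the same value the web server reported (the failure mode in the thread)."""
    bare_name = strip_domain(remote_user)
    hits = search(build_filter(user_attribute, bare_name))
    return hits[0]["dn"] if len(hits) == 1 else None


if __name__ == "__main__":
    for attr in ("sAMAccountName", "cn"):
        print(attr, "->", sso_lookup(attr, "EXAMPLE\\abarthwal"))
```

Run it and the sAMAccountName line resolves to Anuj's DN while the cn line prints None: the directory search is keyed on whatever 'userattribute' holds, so unless that attribute carries the exact value the web server reported, SSO has nothing to match.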