LDAP Authentication Problem

by Anuj Barthwal -
Number of replies: 5

Hi,

I have configured my LDAP. Only one user, which I created, can log in using LDAP; the other users cannot log in using LDAP authentication, even though I have changed the authentication from manual to LDAP. Please suggest a solution. It's been more than 2 weeks and I haven't found the solution. Please find the attachment of the LDAP config.

My email: anuj.barthwal@gmail.com

Moodle version 2.1

Note:

All the users are in the same OU, but still only one user (test) is working and the rest are not. When I create a new account with LDAP authentication, it stores a password in the database, but when I created the test user, which is able to log in using LDAP authentication, "not cached" is written in the password field. Please advise.

Attachment: Moodle JIRA.PNG
Average of ratings: -
In reply to Anuj Barthwal

Re: LDAP Authentication Problem

by Iñaki Arenaza -
Hi Anuj,

you should set 'userattribute' setting to 'samaccountname' (without the quotes) if you want to use the Windows account name (what Microsoft calls the pre-Windows 2000 account name) to log in. See http://docs.moodle.org/22/en/LDAP_authentication for more details.

Regards.
Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Authentication Problem

by Luis de Vasconcelos -

Iñaki, what do you do if you DON'T want to SSO the user into Moodle with the Windows account name?

When using MS-AD, what will Moodle do if you don't set 'samaccountname' as the 'userattribute'? Will it prevent SSO from working?

Thanks.

In reply to Luis de Vasconcelos

Re: LDAP Authentication Problem

by Iñaki Arenaza -

Luis, are you talking about NTLM SSO? (I suppose so, just want to be sure we are not talking about CAS, Shibboleth, etc.)

Regards.
Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Authentication Problem

by Luis de Vasconcelos -

Yes, I'm referring to NTLM SSO. Thanks.

In reply to Luis de Vasconcelos

Re: LDAP Authentication Problem

by Iñaki Arenaza -
I would need to check the code more thoroughly, but at first glance I would say that not using 'samaccountname' as the 'user attribute' would break NTLM SSO (I'm strictly talking about NTLM SSO, I'm not 100% sure about Kerberos SSO).

The reason is that, as far as I've been able to check, when authenticating via IIS or Apache against a DC, you can only use NTLM or Kerberos (I'm excluding Basic and Digest Authentication here). NTLM is always a netbios-domainname\samaccountname value, and Kerberos is a (this is where I'm only 90% sure) samaccountname@dns-domainname value. So it's always samaccountname plus some extra details (and we strip those extra details in Moodle, as they are not relevant).

Which means that in Moodle we need to work out who the user is from the samaccountname. And we work out who the user is by searching the LDAP directory for an entry whose 'user attribute' value matches the value we get from the web server (i.e., the samaccountname). So if we don't use samaccountname as the 'user attribute' in Moodle, unless the attribute we use holds exactly the same value as the samaccount attribute, we are not going to find the user in the LDAP directory. Which in turn means the SSO login process is going to return with a fail, and we are not going to let the user in via SSO.

At least this is my understanding of the issue :-)

Regards.
Iñaki.
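The lookup described in the last reply, as an added Python sketch that is not Moodle's code and is not from any poster in this thread: the web server's user value is stripped to the bare account name, then matched against the configured 'user attribute'. The directory entries, the `example.test` domain, all function names and the lowercase comparison are assumptions made for the illustration; the two input formats are the ones given in the reply.

```python
# Added illustration; not Moodle code. Directory entries below are constructed.
import re

def strip_domain(remote_user):
    """Reduce 'NETBIOS\\sam' (NTLM) or 'sam@dns.domain' (Kerberos) to the bare name."""
    name = remote_user.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()  # assumption: names are compared case-insensitively

def escape_filter_value(value):
    """RFC 4515 escaping, so a name supplied by the web server cannot alter the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def build_filter(user_attribute, username):
    """The search filter such a lookup would send to the directory."""
    return "(%s=%s)" % (user_attribute, escape_filter_value(username))

def find_user(directory, user_attribute, remote_user):
    """Return the DN of the single entry whose user_attribute equals the stripped
    name; None when nothing (or more than one entry) matches, i.e. SSO fails."""
    wanted = strip_domain(remote_user)
    hits = [e["dn"] for e in directory
            if e.get(user_attribute, "").lower() == wanted]
    return hits[0] if len(hits) == 1 else None

# Constructed sample directory: 'cn' differs from 'samaccountname' for the first
# entry and happens to equal it for the second.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=test",
     "cn": "Jane Doe", "samaccountname": "jdoe"},
    {"dn": "CN=svc-moodle,OU=Staff,DC=example,DC=test",
     "cn": "svc-moodle", "samaccountname": "svc-moodle"},
]

if __name__ == "__main__":
    for attr in ("samaccountname", "cn"):
        for ru in ("EXAMPLE\\jdoe", "jdoe@example.test", "EXAMPLE\\svc-moodle"):
            print(attr, ru, build_filter(attr, strip_domain(ru)),
                  "->", find_user(DIRECTORY, attr, ru))
```

With 'cn' as the user attribute, `EXAMPLE\jdoe` finds no entry, while `EXAMPLE\svc-moodle` still resolves because that entry's `cn` holds the same value as its `samaccountname`.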