LDAP and security

by Jedidiah Rex -
Number of replies: 2

I have some questions about authentication/user management and security in Moodle. I apologize in advance for the length of this message.

We are currently running the latest CLAMP 1.9 release (1.9.19+LAE 1.7.1). We use a php script (autouploaduser.php) to upload users from a CSV file. This is only compatible with Moodle 1.x, however. We are currently running a Moodle 2.3 pilot with hopes of going live next fall.

We are investigating how to use LDAP to create/manage the user accounts (http://docs.moodle.org/22/en/LDAP_enrolment) and have some questions related to this.

  1. Is it possible to create accounts in 2.x from the command line? Does anyone know of a working script?
  2. Can one use the LDAP host attribute as an authorized automatic enrolment option? If so, where and how to configure it?
  3. What is the best practice for archiving and deleting non-active users?

Related to security, what is the best/most appropriate owner, group, and permission for Moodle files?
Currently, the owner and group appear to be apache.apache for most of the binaries. Given that apache is owned and grouped by apache.apache, what is the best recommended owner and group of the files in the installed directories?
What are your recommendations regarding permissions? Should the files be 775, 755, etc.?

Any help would be greatly appreciated. 

In reply to Jedidiah Rex

Re: LDAP and security

by Mike Sangray -

1. I'm running CentOS and I use sync_users.php as a cron job to do the LDAP (MS-AD) sync.

2. Go here to configure LDAP: Site administration -> Plugins -> Authentication -> LDAP server

3. That's up to you and your policy.

Here's an article on Security Recommendations that includes file permissions.

http://docs.moodle.org/23/en/Security_recommendations

In reply to Jedidiah Rex

Re: LDAP and security

by Visvanath Ratnaweera -
Hi

LDAP is not my dept., so be warned! Then, why don't you ask in the "User authentication" forum http://moodle.org/mod/forum/view.php?id=42 ?

> 1. Is it possible to create accounts in 2.x from the command line? Does anyone know of a working script?

Never seen one. The usual technique is through CSV files: http://docs.moodle.org/en/Upload_users. Maybe there are ways of combining that with http://docs.moodle.org/en/Administration_via_command_line.

What is your exact plan? To create the users in the Moodle database first and then import them via LDAP?

> 3. What is the best practice for archiving and deleting non-active users?

I got that clarified once, see 'LDAP: "Removed ext user", clarification needed' http://moodle.org/mod/forum/discuss.php?d=201783.

> what is the best/most appropriate owner, group, and permission for Moodle files?

For the security concerned: http://docs.moodle.org/en/Security_recommendations#Most_secure.2Fparanoid_file_permissions.
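To make the file-permission question concrete, here is an added audit script (my own example, not code from the thread or from the Moodle docs) that checks a Moodle code tree for the two things the linked recommendations care about: entries writable by everyone, and entries owned by the web server account (the thread's apache.apache case), since code the web server can rewrite is code an attacker on the web side can rewrite. The code path, the account name "apache" and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the Moodle docs or this thread. Audits a Moodle
# code tree (arg 1, e.g. /var/www/html/moodle) against the web server
# account (arg 2, "apache" on CentOS as in the thread). Principle: the web
# server must write moodledata, but should not be able to write the PHP
# code it executes, and nothing should be world-writable.

# Count entries under $1 that are writable by "others" (mode bit 002).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Count entries under $1 owned by user $2. Code owned by the web server
# account means a web-side compromise can rewrite the application itself.
count_owned_by() {
    find "$1" -user "$2" | wc -l | tr -d ' '
}

# Remove the "others" write bit wherever it is set. Ownership changes
# (e.g. chown -R root:root on the code tree) are left to the admin.
strip_world_write() {
    find "$1" -perm -002 -exec chmod o-w {} +
}

# Print a summary and return non-zero if anything needs fixing, so this
# can gate a deployment script.
audit_code_tree() {
    dir=$1
    webuser=$2
    ww=$(count_world_writable "$dir")
    owned=$(count_owned_by "$dir" "$webuser")
    echo "$dir: $ww world-writable entries, $owned owned by $webuser"
    [ "$ww" -eq 0 ] && [ "$owned" -eq 0 ]
}

# Usage: sh moodle_perm_audit.sh /var/www/html/moodle apache
if [ "$#" -ge 2 ]; then
    audit_code_tree "$1" "$2"
fi
```

Run it as root (or as an account that can read the whole tree) after an install or upgrade; a non-zero exit means the tree still has writable or web-server-owned entries to clean up.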