Authentication

 
 
Andranik Sharabchian
Re: Migration of passwords from Active Directory to Moodle
 

Sarah,

Sorry, I don't know if it is possible. But I can't understand why you don't want to reset passwords. If you force your users to change their password after logging in with their username and your unique password, they can change it to their old password (I hope all users know their passwords in Active Directory).

I don't understand the problem.

 
Ravi Alamuri
Re: Migration of passwords from Active Directory to Moodle
 

Hello,

 

I am not sure I quite understand the issue. We were using LDAP with eDirectory and we migrated over to Active Directory after 2 years. We didn't need to get the users to change their passwords. We simply changed the settings for the Moodle LDAP plugin to look at the new Active Directory tree and everything was ok. Moodle doesn't need to know the user's password. It is completely transparent. AD tells Moodle whether a user's password is valid or not. Moodle might choose to store the password locally in the Users table (depending on the configuration) and update it periodically, but it certainly won't force the users to change their passwords unless AD asks them to.

 

 

Regards

 

Ravi

 
Sarah Barker
Re: Migration of passwords from Active Directory to Moodle
 

Hi Ravi

We are moving away from Active Directory to a solution just involving Moodle, as a standalone application. So, Moodle will need to know passwords to authenticate.

When you migrated to Active Directory, did you need to migrate the usernames and passwords out of eDirectory and into Active Directory? If so, how did you do that?

Thanks
Sarah.

 
Ravi Alamuri
Re: Migration of passwords from Active Directory to Moodle
 

Hello Sarah,

 

My apologies! Well, at the moment, the way our Moodle instance is configured, it saves the passwords of the student after a successful authentication through LDAP (either eDirectory or Active Directory) (Hide Password setting under Bind Settings in the LDAP Server configuration). As such, if need be, we could change the authentication plugin for all students to manual and in theory this will work fine, as the passwords should be up to date anyway (running an "update mdl_user set auth='manual' where auth='ldap'" query on the Moodle database should do it).

 

I seriously doubt that you could import Active Directory passwords into Moodle. Active Directory passwords are usually stored in the UnicodePwd attribute (don't quote me on that - I am not really an Active Directory Specialist). When you create the password for a new user that is less than 15 characters, Windows creates a Lan Manager Hash (LM Hash) and an NT Hash, both of which are then stored either in the AD attribute UnicodePwd or the local Security Accounts Manager (SAM). The UnicodePwd can only be modified and not read due to security restrictions, and even that can only be done using a 128K SSL connection to AD. As far as I know NTLMv1 uses MD4 unsalted hashes and NTLMv2 uses MD5 hashes and the newer builds use a custom hashing algorithm (again, please don't quote me on this). I believe the passwords cannot be retrieved out of AD in any way, as hashing algorithms are usually one-way algorithms (i.e. you can encode a string to a hash but you cannot unencode a hash back to a string. Every string encoded through a hashing algorithm produces a unique hash - and the algorithm will reproduce the same hash for the same string).

Moodle, I believe, makes use of a salted hashing technique. A salt is a random string - kind of like a secret password. This is then combined with the actual password and a combined hash is produced. This makes the authentication process more secure.

So simply copying or importing the passwords just might not work. You will need to have a clear text password for every user. Then using the Moodle bulk import functionality you might be able to import the passwords and allow moodle to create the required password hash.

As far as my limited knowledge of AD goes, I don't think this is possible. I know you can migrate passwords from one version of AD to another, and one implementation of LDAP to another, through 3rd party tools. There is a way to force AD and Windows to store passwords created using a reversible encryption process, but this is usually disabled by default and it is universally considered a bad idea, and I don't personally know of anyone who has ever implemented this. I have also never known anyone to export cleartext passwords out of AD. Unless your AD setup has had a custom profile attribute, I don't think this is even possible.

My advice would be to turn off the Hide Passwords setting in the LDAP server and contact all your users to log in to their account at least once before a certain deadline. Warn them that their accounts might become unavailable if they fail to log in before the above-mentioned date. The first time they log in successfully, Moodle will store their passwords in the database and then, when you do disable AD, you can run a query on the database and switch everyone's accounts to Manual Authentication. Problem Solved!

As I mentioned, my knowledge of AD and LDAP is limited and I know more about Moodle than I do about AD. If I were in a similar situation, this is what I would do. That said, the beauty of being part of an active Moodle community is that there are loads of other users and experts out there who probably have had similar experiences and could probably give you much better advice. It's only a matter of time ... :)

 

 

Regards

 

Ravi
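The cutover step described in the reply above, written out as a pre-flight check followed by a guarded update. This is an added example, not part of the original thread; it assumes the default "mdl_" table prefix and that accounts whose password was never cached locally hold the placeholder 'not cached' (or an empty string) in mdl_user.password, which should be confirmed against your own database before running anything.

```sql
-- Added example. Assumptions: table prefix "mdl_", and LDAP accounts with no
-- locally cached hash carry '' or the placeholder 'not cached' in password.

-- 1. Pre-flight: how many LDAP accounts already have a local hash,
--    and how many would be locked out by a blanket switch to manual auth?
SELECT CASE WHEN password IS NULL OR password IN ('', 'not cached')
            THEN 'needs reset'
            ELSE 'hash cached'
       END      AS status,
       COUNT(*) AS accounts
FROM   mdl_user
WHERE  auth = 'ldap'
  AND  deleted = 0
GROUP  BY 1;

-- 2. Contact list for the password-reset communication:
--    accounts that have not logged in since caching was enabled.
SELECT username, email, lastlogin
FROM   mdl_user
WHERE  auth = 'ldap'
  AND  deleted = 0
  AND  (password IS NULL OR password IN ('', 'not cached'))
ORDER  BY lastlogin DESC;

-- 3. Cutover: switch only the accounts that have a usable local hash.
--    Compare the affected-row count with the 'hash cached' figure from
--    step 1 before committing; ROLLBACK if they differ.
START TRANSACTION;

UPDATE mdl_user
SET    auth = 'manual'
WHERE  auth = 'ldap'
  AND  deleted = 0
  AND  password NOT IN ('', 'not cached');

COMMIT;
```

Accounts still on auth = 'ldap' after step 3 are the ones the reset campaign has to cover.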

 

 
Visvanath Ratnaweera
Re: Migration of passwords from Active Directory to Moodle
Hi

> My advice would be to turn off the Hide Passwords setting in the LDAP server and contact all your users to log in to their account at least once before a certain deadline. Warn them that their accounts might become unavailable if they fail to log in before the above-mentioned date. The first time they log in successfully, Moodle will store their passwords in the database and ...

I wonder whether running auth/ldap/auth_ldap_sync_users.php will do that in one batch.
 
Sarah Barker
Re: Migration of passwords from Active Directory to Moodle
 

Hi Visvanath

Thanks - we do plan to set Hide Passwords = No to pick up as many passwords as possible before the cutover.

Regarding auth_ldap_sync_users.php, I wondered that as well =) Does anyone know if this script can somehow bring passwords across as well as other user information?

Regs
Sarah.

 
Iñaki Arenaza
Re: Migration of passwords from Active Directory to Moodle

> Regarding auth_ldap_sync_users.php, I wondered that as well =) Does anyone know if this script can somehow bring passwords across as well as other user information?

I'm afraid that's not possible. As far as I know, you can't get passwords out of Active Directory, unless they are stored using reversible encryption, and even then it's quite complex (see http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html and http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html )

Saludos. Iñaki.

 
Average of ratings: Useful (1)
Sarah Barker
Re: Migration of passwords from Active Directory to Moodle
 

Hi Iñaki

Thanks very much for the confirmation - much appreciated. Saves me a lot of investigation (and disappointment)!

Regs
Sarah.

 
Sarah Barker
Re: Migration of passwords from Active Directory to Moodle
 

Hi Ravi

Thanks very much for the detailed and considered response (and no apologies necessary!).

We do plan to take your advice and set Hide Passwords = 'No' on the live site, to capture passwords for users that log in between now and the migration. At least for very active users through this period this will avoid their passwords being impacted. We have limited staff support over Christmas so we'll probably defer the migration to mid January anyway, which will allow a bit more time for users to log in.

In the meantime I'll keep exploring some technical options. It appears the only two routes left available are:

- AD migration tool
- The use of auth_ldap_sync_users.php to sync credentials. Do you know if this might be an option?

Thanks again
Sarah.

 
Ravi Alamuri
Re: Migration of passwords from Active Directory to Moodle
 

Hey Sarah,

 

Having looked at the code for the Sync_users function (I am looking at Moodle 2.3.3), the function does not seem to actually copy across the passwords. Again, unless there was a particular attribute which was storing the cleartext password, I don't think that this would be of any help. But I might be wrong about that.

 

Regards

 

Ravi

 
Sarah Barker
Re: Migration of passwords from Active Directory to Moodle
 

Hi Ravi

Thanks very much for the investigation and for confirming back.

We set Hide Passwords = 'No' on Friday so we are now capturing passwords for users logging in over the next couple of weeks. Now we'll concentrate on a communications and support plan to deal with password resets for the rest of our users.

Thanks again
Sarah.

 
Sarah Barker
Re: Migration of passwords from Active Directory to Moodle
 

Hi Andranik

We are an international NGO, and have several thousand users across different locations, and in many different professions (health, education, advocacy, ...). We'd prefer not to impact their ability to log in particularly if they are in the middle of taking a course, or looking up medical information whilst on placement.

Also, we have limited capacity to support the queries that will arise.

Thanks

Sarah.

 