Migration of passwords from Active Directory to Moodle

Re: Migration of passwords from Active Directory to Moodle

by Sarah Barker -
Number of replies: 8

Hi Ravi

We are moving away from Active Directory to a solution just involving Moodle, as a standalone application. So, Moodle will need to know passwords to authenticate.

When you migrated to Active Directory, did you need to migrate the usernames and passwords out of eDirectory and into Active Directory? If so, how did you do that?

Thanks
Sarah.

In reply to Sarah Barker

Re: Migration of passwords from Active Directory to Moodle

by Ravi Alamuri -

Hello Sarah,


My apologies! Well, at the moment the way our Moodle instance is configured, it saves the passwords of the student after a successful authentication through LDAP (either eDirectory or Active Directory) (Hide Password setting under Bind Settings in the LDAP Server configuration). As such, if need be, we could change the authentication plugin for all students to manual and in theory this will work fine as the passwords should be up to date anyway (running a "update MDL_USERS set auth='manual' where auth='ldap'" query on the Moodle database should do it).


I seriously doubt that you could import Active Directory passwords into Moodle. Active Directory passwords are usually stored in the UnicodePwd attribute (don't quote me on that - I am not really an Active Directory specialist). When you create the password for a new user that is less than 15 characters, Windows creates a Lan Manager Hash (LM Hash) and a NT Hash, both of which are then stored either in the AD attribute UnicodePwd or the local Security Accounts Manager (SAM). The UnicodePwd can only be modified and not read due to security restrictions, and even that can only be done using a 128K SSL connection to AD. As far as I know NTLMv1 uses MD4 unsalted hashes and NTLMv2 uses MD5 hashes and the newer builds use a custom hashing algorithm (again, please don't quote me on this). I believe the passwords cannot be retrieved out of AD in any way as hashing algorithms are usually one-way algorithms (i.e. you can encode a string to a hash but you cannot unencode a hash back to a string. Every string encoded through a hashing algorithm produces a unique hash - and the algorithm will reproduce the same hash for the same string).

Moodle I believe makes use of a salted hashing technique. A salt is a random string - kind of like a secret password. This is then combined with the actual password and a combined hash is produced. This makes the authentication process more secure.

So simply copying or importing the passwords just might not work. You will need to have a clear text password for every user. Then, using the Moodle bulk import functionality, you might be able to import the passwords and allow Moodle to create the required password hash.

As far as my limited knowledge of AD goes, I don't think this is possible. I know you can migrate passwords from one version of AD to another, and one implementation of LDAP to another through 3rd party tools. There is a way to force AD and Windows to store passwords created using a reversible encryption process, but this is usually disabled by default and it is universally considered a bad idea, and I don't personally know of anyone who has ever implemented this. I have also never known anyone to export cleartext passwords out of AD. Unless your AD setup has had a custom profile attribute, I don't think this is even possible.

My advice would be to turn off the Hide Passwords setting in the LDAP server and contact all your users to log in to their account at least once before a certain deadline. Warn them that their accounts might become unavailable if they fail to log in before the above mentioned date. The first time they log in successfully, Moodle will store their passwords in the database, and then when you do disable AD, you can run a query on the database and switch everyone's accounts to Manual Authentication. Problem solved!

As I mentioned, my knowledge of AD and LDAP is limited and I know more about Moodle than I do about AD. If I were in a similar situation, this is what I would do. That said, the beauty of being part of an active Moodle community is that there are loads of other users and experts out there who probably have had similar experiences and could probably give you much better advice. It's only a matter of time ... smile


Regards


Ravi
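An added illustration of the cutover Ravi describes above (this is not code from the thread, nor Moodle's own code): once "Hide passwords" has been off for a while, only the LDAP accounts whose password Moodle actually captured should be flipped to manual authentication; the rest are the people who will need a password reset. It assumes Moodle's default `mdl_` table prefix, the `mdl_user` table, and that Moodle writes the literal `not cached` (the `AUTH_PASSWORD_NOT_CACHED` constant) into the password field of an LDAP user whose password was not captured; check those against your own Moodle version before running anything like this against a real database. The rows and hashes are constructed, and an in-memory SQLite table stands in for the real database.

```python
import sqlite3

# Sentinel Moodle stores for an LDAP user whose password was never captured
# (assumption: the AUTH_PASSWORD_NOT_CACHED value from lib/authlib.php).
NOT_CACHED = "not cached"


def build_sample_db():
    """Construct an in-memory stand-in for the Moodle mdl_user table.

    Rows and hash values are constructed for this example only.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE mdl_user (
            id       INTEGER PRIMARY KEY,
            username TEXT    NOT NULL,
            auth     TEXT    NOT NULL,
            password TEXT    NOT NULL,
            deleted  INTEGER NOT NULL DEFAULT 0
        )
        """
    )
    rows = [
        (1, "alice", "ldap", "constructed-hash-alice", 0),  # logged in since capture began
        (2, "bob", "ldap", NOT_CACHED, 0),                   # never logged in: needs a reset
        (3, "carol", "manual", "constructed-hash-carol", 0), # already a manual account
        (4, "dave", "ldap", "constructed-hash-dave", 1),     # soft-deleted, leave alone
    ]
    conn.executemany("INSERT INTO mdl_user VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def cutover_report(conn):
    """Return (number of LDAP users that can be switched, usernames needing a reset)."""
    migratable = conn.execute(
        "SELECT COUNT(*) FROM mdl_user "
        "WHERE auth = 'ldap' AND deleted = 0 AND password <> ?",
        (NOT_CACHED,),
    ).fetchone()[0]
    needs_reset = conn.execute(
        "SELECT username FROM mdl_user "
        "WHERE auth = 'ldap' AND deleted = 0 AND password = ? ORDER BY username",
        (NOT_CACHED,),
    ).fetchall()
    return migratable, [row[0] for row in needs_reset]


def switch_to_manual(conn):
    """Flip only LDAP accounts with a captured hash to manual auth.

    Accounts still at 'not cached' stay on ldap, so they are not silently
    turned into manual accounts whose password nobody knows. Returns the
    number of rows changed.
    """
    cur = conn.execute(
        "UPDATE mdl_user SET auth = 'manual' "
        "WHERE auth = 'ldap' AND deleted = 0 AND password <> ?",
        (NOT_CACHED,),
    )
    conn.commit()
    return cur.rowcount


def auth_of(conn, username):
    """Look up the auth plugin currently set for a username."""
    return conn.execute(
        "SELECT auth FROM mdl_user WHERE username = ?", (username,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    ok, pending = cutover_report(db)
    print(f"{ok} account(s) can be switched; still need a reset: {pending}")
    print(f"switched {switch_to_manual(db)} account(s) to manual")
```

Run the report first and size the reset communications from the `needs_reset` list; run the update only on cutover day, inside a transaction and against a backup you have restored at least once.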


In reply to Ravi Alamuri

Re: Migration of passwords from Active Directory to Moodle

by Visvanath Ratnaweera -

Hi

> My advice would be to turn off the Hide Passwords setting in the LDAP server and contact all your users to log in to their account at least once before a certain deadline. Warn them that their accounts might become unavailable if they fail to log in before the above mentioned date. The first time they log in successfully, Moodle will store their passwords in the database and ...

I wonder whether running auth/ldap/auth_ldap_sync_users.php will do that in one batch.

In reply to Visvanath Ratnaweera

Re: Migration of passwords from Active Directory to Moodle

by Sarah Barker -

Hi Visvanath

Thanks - we do plan to set Hide Passwords = No to pick up as many passwords as possible before the cutover.

Regarding auth_ldap_sync_users.php, I wondered that as well =) Does anyone know if this script can somehow bring passwords across as well as other user information?

Regs
Sarah.

In reply to Sarah Barker

Re: Migration of passwords from Active Directory to Moodle

by Iñaki Arenaza -

> Regarding auth_ldap_sync_users.php, I wondered that as well =) Does anyone know if this script can somehow bring passwords across as well as other user information?

I'm afraid that's not possible. As far as I know, you can't get passwords out of Active Directory, unless they are stored using reversible encryption, and even then it's quite complex (see http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html and http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html )

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Migration of passwords from Active Directory to Moodle

by Sarah Barker -

Hi Iñaki

Thanks very much for the confirmation - much appreciated. Saves me a lot of investigation (and disappointment)!

Regs
Sarah.

In reply to Ravi Alamuri

Re: Migration of passwords from Active Directory to Moodle

by Sarah Barker -

Hi Ravi

Thanks very much for the detailed and considered response (and no apologies necessary!).

We do plan to take your advice and set Hide Passwords = 'No' on the live site, to capture passwords for users that log in between now and the migration. At least for very active users through this period this will avoid their passwords being impacted. We have limited staff support over Christmas so we'll probably defer the migration to mid January anyway, which will allow a bit more time for users to log in.

In the meantime I'll keep exploring some technical options... it appears the only two routes left available are:

- AD migration tool
- The use of auth_ldap_sync_users.php to sync credentials. Do you know if this might be an option?

Thanks again
Sarah.

In reply to Sarah Barker

Re: Migration of passwords from Active Directory to Moodle

by Ravi Alamuri -

Hey Sarah,


Having looked at the code for the Sync_users function (I am looking at Moodle 2.3.3), the function does not seem to actually copy across the passwords. Again, unless there was a particular attribute which was storing the cleartext password, I don't think that this would be of any help. But I might be wrong about that.


Regards


Ravi

In reply to Ravi Alamuri

Re: Migration of passwords from Active Directory to Moodle

by Sarah Barker -

Hi Ravi

Thanks very much for the investigation and for confirming back.

We set Hide Passwords = 'No' on Friday so we are now capturing passwords for users logging in over the next couple of weeks. Now we'll concentrate on a communications and support plan to deal with password resets for the rest of our users.

Thanks again
Sarah.