LDAP Connection issues Resource ID #44


by Christopher England -
Number of replies: 7

Dear All

I have been trying unsuccessfully to perform LDAP Authentication from a Moodle instance (Server 2008R2) to an AD-LDS instance.

The full error is as follows:

LDAP-module cannot connect to any servers: Server: 'Ldaps://server.domain.com/', Connection: 'Resource id #44', Bind result: ''

I have tried the Host URL both with and without ldap:// and ldaps:// without change. I have used ldp and ldapbrowser to confirm bind details and contexts and similar and these all work correctly.

It 'appears' that the Moodle server is just not binding correctly but I have no idea where to go from here so any help would be appreciated.

Kind Regards

In reply to Christopher England

Re: LDAP Connection issues Resource ID #44

by Iñaki Arenaza -

Hi,

did you use ldp and ldapbrowser from the Moodle server itself? This is just to rule out any connectivity problems between Moodle and the LDAP service (routing, firewalls, antivirus, connection policies in the AD-LDS instance server, etc.).

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Connection issues Resource ID #44

by Christopher England -

Hi

Thanks for responding.

Yes, I did indeed make the connections from the Moodle server itself. LDP was pretty simple and worked immediately, while LDAPBrowser took a little more configuration as it initially complained about secured connections so required me to enable SSL and alter the port to 636. I tried copy/pasting settings from LDAP Browser but sadly this didn't seem to help.

On a side note I have successfully connected to a different AD as a test but sadly (typically?) the one with all the students populated is still failing.

Thanks 

In reply to Iñaki Arenaza

Re: LDAP Connection issues Resource ID #44

by Christopher England -

Reading around some more I've seen a few things which mention LDAP Authentication against servers in the same domain - the LDAP server itself exists in a different domain: should that matter? Do I need to do anything different when this is the case?

I've also noted mention of an 'ldap test' file within Moodle. Does this exist? It would be interesting to see where it is failing (it appears to be the bind but I cannot see why).

Any other avenues to see what may be happening please?

Thanks

In reply to Christopher England

Re: LDAP Connection issues Resource ID #44

by Christopher England -

Just to update on this.

We have now been sniffing packets at the LDAP server end and no traffic appears (well, one packet) so it would seem that the Moodle server is not sending the AuthN request for some reason.

I've tried using IP and FQDN without difference... could it be a problem with the module or do I need to do something special for LDAPS connections please?

Thanks

In reply to Christopher England

Re: LDAP Connection issues Resource ID #44

by Josh Straughn -

Hi, are you making your connection to a Global Catalogue Server?  (I'm sorry if this sounds basic, I am just trying to get a clearer mental image)

In reply to Josh Straughn

Re: LDAP Connection issues Resource ID #44

by Christopher England -

Hi Josh

The setup is:

Moodle server in DomainA, ForestA (moodle.domaina.com)

LDAP (AD-LDS) server in DomainB, ForestB. LDAP server requires secured connection (ldap.domainb.local)

In the URL I have tried all the variations of FQDN and IP address, both with and without the ldaps://, both with and without the :636, and both with and without the :636/DC=DomainB,DC=Local as per the Softerra LDAP Browser connection on the Moodle server which does connect.

Hopefully that helps?

Thank you

In reply to Christopher England

Re: LDAP Connection issues Resource ID #44

by Iñaki Arenaza -

Hi again,

I had never used AD-LDS before (just AD-DS) but reading about it and setting up a test install taught me two or three things:

  • It's not Active Directory Services and doesn't need it (though it can be integrated with it), which means there are several differences among them.
  • The first one is that it can use completely different service ports (and it does by default). In fact, the installation wizard explicitly warns about not using standard ports (389 and 636) unless you are pretty sure you are not (and won't be) running AD-DS, and uses ports from 50000 on to set up the instances.
  • The second one is that your application (Moodle in this case) has to specify/use its own AD-LDS application partition, which you have to name using a distinguished name.
  • The third one is that it uses different LDAP schemas. You can choose among several of them (you can even have several of them at the same time), but as far as I've gathered, none of them is the same as the one used by AD-DS.

What this means in practice is that you'd need to check with your AD-LDS server administrator which specific ports your Moodle LDS instance is listening on (both with and without SSL), which application partition your Moodle LDS instance is using (you'll need the distinguished name as the search base in Moodle) and which specific LDAP schema(s) your Moodle application partition is using. Oh, and you'd need the credentials of a user that has at least read permissions on that AD-LDS instance and application partition.

And if you plan to use SSL, make sure you read this: http://docs.moodle.org/24/en/LDAP_authentication#Using_LDAPS_.28LDAP_over_SSL.29

Final note: this is just from reading some documentation and playing a bit with a test install of AD-LDS. I haven't tried to configure Moodle in such a setup and tested it.

Saludos. Iñaki.
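The thread asks twice for a way to see exactly where the bind fails (the 'ldap test' file question above) and then lists the three AD-LDS values that have to be right: the instance's own port, the application partition DN as search base, and a read-capable bind account. The following is an added diagnostic script, not Moodle's own code and not from anyone in this thread; it uses only PHP's standard ext/ldap functions that Moodle's auth plugin also relies on, so running it on the Moodle server exercises the same client library and the same LDAPS trust settings. The host, port, bind DN and base DN are placeholders to be replaced with the values from the AD-LDS administrator.

```php
<?php
// Added LDAP/LDAPS connectivity diagnostic (example code, not part of Moodle).
// Run on the Moodle server: php ldapdiag.php
// All connection values below are assumptions/placeholders; take the real ones from the AD-LDS admin.

$host   = 'ldaps://ldap.domainb.local:50001';           // ASSUMPTION: AD-LDS SSL port (instances default to 50000+, not 636)
$binddn = 'CN=moodle-svc,CN=Users,DC=DomainB,DC=Local';  // ASSUMPTION: placeholder bind DN with read rights on the partition
$bindpw = getenv('LDAP_BIND_PW') ?: '';                  // keep the password out of the script and out of shell history
$basedn = 'DC=DomainB,DC=Local';                         // application partition DN = the search base you give Moodle

function ldap_diag(string $host, string $binddn, string $bindpw, string $basedn): bool
{
    // ldap_connect() only parses the URI with the OpenLDAP client; no packets are sent yet.
    $ldap = ldap_connect($host);
    if ($ldap === false) {
        echo "Could not parse LDAP URI: $host\n";
        return false;
    }

    // AD and AD-LDS require LDAPv3; referral chasing off avoids silent follow-ups to other hosts;
    // a short network timeout turns a firewall black hole into a visible error instead of a hang.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The TCP and TLS handshake happen here, on the first operation. If a packet capture on the
    // server shows only a connection attempt and no LDAP bind, the TLS setup failed client-side
    // (untrusted certificate, wrong port, hostname mismatch) before any LDAP message was sent.
    if (!@ldap_bind($ldap, $binddn, $bindpw)) {
        $diag = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        printf("Bind FAILED: errno=%d error=\"%s\" diagnostic=\"%s\"\n",
               ldap_errno($ldap), ldap_error($ldap), $diag);
        return false;
    }
    echo "Bind OK as $binddn\n";

    // Confirm the application partition DN exists and is readable by this account; a wrong
    // partition DN shows up here as "No such object" even though the bind itself succeeded.
    $res = @ldap_read($ldap, $basedn, '(objectClass=*)', ['distinguishedName', 'objectClass']);
    if ($res === false) {
        printf("Search base check FAILED: errno=%d error=\"%s\"\n", ldap_errno($ldap), ldap_error($ldap));
        ldap_unbind($ldap);
        return false;
    }
    $entries = ldap_get_entries($ldap, $res);
    printf("Search base OK: %s (%d entry)\n", $basedn, $entries['count']);
    ldap_unbind($ldap);
    return true;
}

exit(ldap_diag($host, $binddn, $bindpw, $basedn) ? 0 : 1);
```

Read the output in order: a failure at the URI stage is a typo in the host URL; a bind failure whose diagnostic mentions TLS or the certificate means the client library does not trust the AD-LDS certificate, which is what the LDAPS section of the linked Moodle docs configures; a clean bind followed by a search-base failure means the port and credentials are right but the partition DN is not. Because the script goes through the same ext/ldap client as Moodle, a result here that differs from LDP or Softerra (which use their own Windows LDAP stacks and certificate stores) points at the PHP-side trust configuration rather than at the directory.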