Enrolment

 
 
Picture of Seb Harrington
LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Dear All,

I hope you can help me with an issue I'm experiencing at the moment with Moodle and LDAP enrolment.

I have set up LDAP authentication and LDAP Enrolment. LDAP Authentication works fine and LDAP Enrolment enrols the users into to correct courses and creates courses that don't exist. This is all fine until the users come to login.

Once a user logs in the LDAP enrolled courses are stripped from the user and they are only left with courses that have been enrolled manually.

I notice that there are a couple of similar threads on this forum but they are from 2006 and 2008 so I assume a different cause.

Could someone direct me to what to check?

I'm on the latest build of moodle (pulled from git)

 
Average of ratings: -
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Sorry I also forgot to mention we are using Active Directory (2008R2 functional level)

 
Average of ratings: -
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Even more information:

It seems setting 'External unenrol action' to 'Keep user enrolled' allows a user to log on and keep their courses.

The only issue with this is I now have no way of managing unenrollment via LDAP.

Seems to me the problem must be to do with the group check in ldap when the user logs on.

Does anyone know of a way to debug this further?

 
Average of ratings: -
Picture of Iñaki Arenaza
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers
I'm afraid you'll need to touch the code a bit, to get useful debugging information.

If you edit enrol/ldap/lib.php, you should find function sync_user_enrolments() around line 130. A bit further down, around line line 172 you will see these three lines:

 
$ignorehidden = $this->get_config('ignorehiddencourses');
$courseidnumber = $this->get_config('course_idnumber');
foreach($roles as $role) {
 


just _before_ those lines, add the following code:

 
$trace->output('Dumping external current (internal) and ext (LDAP) enrolment information');
foreach($roles as $role) {
    $trace->output('Current (internal) enrolment information for user id "'.$user->id.'", rol "' . $role->shortname . '"');
    $trace->output(print_r($enrolments[$role->id]['current'], true), 8);
    $trace->output('Ext (ldap) enrolment information for rol "' . $role->shortname . '"');
    $trace->output(print_r($enrolments[$role->id]['ext'], true), 8);
}
 


When each user logs in, this will send to your PHP error logs a dump of the current (internal to) Moodle enrolment information for each rol for the given user id, and the same information according to the LDAP server (ext enrolment).

For any course that is present in current enrolment information but not in the external enrolment information, Moodle will unenrol the user from that course.

Have a look at the generated traces, and check that the curren enrolment information is accurate (i.e., all the courses where the student should already be enrolled from the previous run actually are), and that the external information is accurate too (i.e., all the course where the user is supposed to be enrolled into in the external LDAP server appear in the correspondin traces).

Saludos.
Iñaki.
 
Average of ratings:Useful (1)
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Hi Iñaki,

Thanks for the code.

I've given it a try and as I suspected the external ldap enrolment when a user logs on is returning an empty set.

So my next question is what's the difference between running the cli script (which picks up enrolments from LDAP perfectly and enrols them in the correct courses with the correct roles) and when a user logs on?

I've tried running the cli script as different users (root and www-data) to make sure it wasn't a permissions issue but I can't seem to replicate the unenrollment with the cli that I'm seeing when a user logs on to moodle.

Thanks,

Seb

 
Average of ratings: -
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Hi Iñaki,

The results of the code you gave me can be seen below:

[ENROL LDAP] Dumping external current (internal) and ext (LDAP) enrolment information, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "manager", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "manager", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "coursecreator", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "coursecreator", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "editingteacher", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
[794] => stdClass Object
(
[courseid] => 794
[status] => 0
[enrolid] => 3538
[shortname] => Year 10 - Maths
)
[795] => stdClass Object
(
[courseid] => 795
[status] => 0
[enrolid] => 3540
[shortname] => Year 8 - Maths
)
[796] => stdClass Object
(
[courseid] => 796
[status] => 0
[enrolid] => 3542
[shortname] => Year 9 - Maths
)
[797] => stdClass Object
(
[courseid] => 797
[status] => 0
[enrolid] => 3544
[shortname] => Year 11 - Maths
)
[798] => stdClass Object
(
[courseid] => 798
[status] => 0
[enrolid] => 3546
[shortname] => Year 7 - Maths
)
[814] => stdClass Object
(
[courseid] => 814
[status] => 0
[enrolid] => 3578
[shortname] => Year 7 -
)
[867] => stdClass Object
(
[courseid] => 867
[status] => 0
[enrolid] => 3684
[shortname] => Year 10 - Core support
)
[881] => stdClass Object
(
[courseid] => 881
[status] => 0
[enrolid] => 3731
[shortname] => Year 11 - Additional Maths
)
[884] => stdClass Object
(
[courseid] => 884
[status] => 0
[enrolid] => 3737
[shortname] => Staff Sand Pit
)
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "editingteacher", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "teacher", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "teacher", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "student", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
[794] => stdClass Object
(
[courseid] => 794
[status] => 0
[enrolid] => 3538
[shortname] => Year 10 - Maths
)
[796] => stdClass Object
(
[courseid] => 796
[status] => 0
[enrolid] => 3542
[shortname] => Year 9 - Maths
)
[797] => stdClass Object
(
[courseid] => 797
[status] => 0
[enrolid] => 3544
[shortname] => Year 11 - Maths
)
[798] => stdClass Object
(
[courseid] => 798
[status] => 0
[enrolid] => 3546
[shortname] => Year 7 - Maths
)
[814] => stdClass Object
(
[courseid] => 814
[status] => 0
[enrolid] => 3578
[shortname] => Year 7 -
)
[867] => stdClass Object
(
[courseid] => 867
[status] => 0
[enrolid] => 3684
[shortname] => Year 10 - Core support
)
[591] => stdClass Object
(
[courseid] => 591
[status] => 0
[enrolid] => 3723
[shortname] => Information for Staff
)
[885] => stdClass Object
(
[courseid] => 885
[status] => 0
[enrolid] => 3739
[shortname] => Staff Notices
)
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "student", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "guest", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "guest", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "user", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "user", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "frontpage", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "frontpage", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "mrbsviewer", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "mrbsviewer", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "mrbseditor", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "mrbseditor", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Current (internal) enrolment information for user id "1347", role "mrbsadmin", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Ext (ldap) enrolment information for role "mrbsadmin", referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Array
(
)
, referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 10 - Maths' (id 794), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 8 - Maths' (id 795), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 9 - Maths' (id 796), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 11 - Maths' (id 797), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 7 - Maths' (id 798), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 7 -' (id 814), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 10 - Core support' (id 867), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 11 - Additional Maths' (id 881), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Staff Sand Pit' (id 884), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 10 - Maths' (id 794), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 9 - Maths' (id 796), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 11 - Maths' (id 797), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 7 - Maths' (id 798), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 7 -' (id 814), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Year 10 - Core support' (id 867), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Information for Staff' (id 591), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'ldapuser' from course 'Staff Notices' (id 885), referer: https://moodle-test.somewhere.co.uk/user/profile.php?id=1347

Is there anything else you can suggest in order to find out what's going on? As I mentioned in an earlier post, enrolment from the cli script works perfectly so I'm really unsure about what is going on here.

Thanks,

Seb
 
Average of ratings: -
Picture of Iñaki Arenaza
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers
Hi Seb,

thanks for the detailed debug information. The thing is cli script synchronisation and interactive login synchronisation run different code in order to do their work. It looks like interactive login code is not getting any external enrolments from LDAP server. This can be due to different things, so I propose that you add some debugging statements to function find_ext_enrolments() in the same file (and remove the previous debugging statements now that we know where things are falling apart).

I don't know which Moodle version you are using, so I'm going to use Moodle 2.5.3+ (Build 20131213) line numbers in my code samples below.

Function find_ext_enrolments() is defined around line 677. You need to add the lines marked with "// ***** Add this line here ******" below:

 
     protected function find_ext_enrolments($memberuid, $role) {
         global $CFG;
         require_once($CFG->libdir.'/ldaplib.php');

         $trace = new error_log_progress_trace($this->errorlogtag);  // ***** Add this line here ******
         if (empty($memberuid)) {
             $trace->output('find_ext_enrolments: memberuid is empty.');  // ***** Add this line here ******
             // No "idnumber" stored for this user, so no LDAP enrolments
             return array();
         }

         $ldap_contexts = trim($this->get_config('contexts_role'.$role->id));
         if (empty($ldap_contexts)) {
             $trace->output('find_ext_enrolments: ldap_contexts is empty.');  // ***** Add this line here ******
             // No role contexts, so no LDAP enrolments
             return array();
         }
 


Also, around line 693:

 
          if($this->get_config('memberattribute_isdn')) {
             if (!($extmemberuid = $this->ldap_find_userdn($extmemberuid))) {
                 $trace->output('find_ext_enrolments: extmemberuid is empty.');  // ***** Add this line here ******
                 return array();
             }
         }
 


Also, around line 767:

 
                 }

                 if (!$ldap_result) {
                     $trace->output('find_ext_enrolments: ldap_result is empty (context: '.$context.').');  // ***** Add this line here ******
                     continue;
                 }
 


Also, around line 778
 
                 // lowercases the attribute index, so there's no need to
                 // use array_change_key_case() later.
                 $records = ldap_get_entries($this->ldapconnection, $ldap_result);
                 $trace->output('find_ext_enrolments: '.$records['count'].' records (context: '.$context.').');  // ***** Add this line here ******

                 // LDAP libraries return an odd array, really. Fix it.
                 for ($c = 0; $c < $records['count']; $c++) {
 


Let's see what we get from these debugging statements.

Saludos.
Iñaki.
 
Average of ratings:Useful (2)
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Thanks for the code!

 

I have run the code three times, once as me, once as a student and once as a member of staff. It produces the following output:

==Me==
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: 4 records (context: ou=TeacherGroups,ou=Moodle,ou=Groups,ou=x,dc=x,dc=local)., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: 2 records (context: ou=StudentGroups,ou=Moodle,ou=Groups,ou=x,dc=x,dc=local)., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/login/index.php

==Student==
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: 0 records (context: ou=TeacherGroups,ou=Moodle,ou=Groups,ou=x,dc=x,dc=local)., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: 14 records (context: ou=StudentGroups,ou=Moodle,ou=Groups,ou=x,dc=x,dc=local)., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=6

==Staff==
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_result is empty (context: ou=TeacherGroups,ou=Moodle,ou=Groups,ou=x,dc=x,dc=local)., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_result is empty (context: ou=StudentGroups,ou=Moodle,ou=Groups,ou=x,dc=x,dc=local)., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 10 - Maths' (id 794), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 8 - Maths' (id 795), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 9 - Maths' (id 796), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 11 - Maths' (id 797), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 7 - Maths' (id 798), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 7 -' (id 814), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 10 - Core support' (id 867), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 11 - Additional Maths' (id 881), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Staff Sand Pit' (id 884), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 10 - Maths' (id 794), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 9 - Maths' (id 796), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 11 - Maths' (id 797), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 7 - Maths' (id 798), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 7 -' (id 814), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Year 10 - Core support' (id 867), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Information for Staff' (id 591), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347
[ENROL LDAP] Unenrol user 'x' from course 'Staff Notices' (id 885), referer: https://moodle-test.x.co.uk/user/profile.php?id=1347

It looks as if the problem is only affecting members of Staff. The only difference between members of staff are they are assigned multiple roles in each course they teach (editingteacher and student) this is due to the way the groups are made up. However I have just tried to add a student as a editingteacher and a student to a course and the roles and enrolment work as expected:

[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: 1 records (context: ou=TeacherGroups,ou=Moodle,ou=Groups,ou=x,dc=x,dc=local)., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: 1 records (context: ou=StudentGroups,ou=Moodle,ou=Groups,ou=x,dc=x,dc=local)., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
[ENROL LDAP] find_ext_enrolments: ldap_contexts is empty., referer: https://moodle-test.x.co.uk/user/profile.php?id=1858
 
Average of ratings: -
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

I've also just thought of something else that separates the staff from the other users; the number of groups they area member of.

The two test members of staff I selected at random are members of 119 and 146 groups respectively. Would this have any impact on moodle's querys? (maxiumum query length for LDAP etc?

 
Average of ratings: -
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Just looking a little further into this and I think this indeed may be the issue. When I use the following code:

if (!$ldap_result) {
$trace->output("find_ext_enrolments: ldap_result is empty (context: $context, LDAP Search: $ldap_search_pattern, $ldap_fields_wanted)"); // ***** Add this line here ******
continue;
}

The output from the string starting with LDAP Search stops halfway through the DN of a group. for example:

LDAP Search: (&(objectClass=group)(|(member=CN=AnotherGroup,OU=Groups,OU=x,DC=x,DC=local)..... (member=CN=AnotherGroup,OU=Groups,OU=x,DC=x,DC=local)(member=CN=GroupName,OU=Groups

If this is the issue, is there way of increasing the size of $ldap_search_pattern or is it set to php limit for string size?

 
Average of ratings: -
Picture of Iñaki Arenaza
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers
Hi Seb,

as far as I know, there's no size limit on PHP strings (other than the PHP global memory limit).

Can you add these additional debugging lines (I know the debugging output is getting a bit unwieldy, but I'd rather have the whole picture to try and make sense of what's going on):

Around line 702 (in a clean file, so it should be a few lines later with the previous debugging lines added):

 
             $usergroups = $this->ldap_find_user_groups($extmemberuid);
             if(count($usergroups) > 0) {
                 foreach ($usergroups as $group) {
                    $trace->output('find_ext_enrolments: adding group '.var_export($group, true).' to the search pattern');   // ****** Add this line *******
                     $ldap_search_pattern .= '('.$this->get_config('memberattribute_role'.$role->id).'='.$group.')';
                    $trace->output('find_ext_enrolments: new intermediate search pattern '.var_export($ldap_search_pattern, true));   // ****** Add this line *******
                 }
             }
         }
        $trace->output('find_ext_enrolments: search pattern after processing groups: '.var_export($ldap_search_pattern, true));   // ****** Add this line *******

         // Default return value
         $courses = array();
 

Around lines 734:
                             '('.$this->get_config('memberattribute_role'.$role->id).'='.ldap_filter_addslashes($extmemberuid).')' .
                                    ')';
         }
        $trace->output('find_ext_enrolments: pre-final search pattern '.var_export($ldap_search_pattern, true));   // ****** Add this line *******
         $ldap_search_pattern='(&'.$this->get_config('objectclass').$ldap_search_pattern.')';
        $trace->output('find_ext_enrolments: final search pattern '.var_export($ldap_search_pattern, true));   // ****** Add this line *******

         // Get all contexts and look for first matching user
         $ldap_contexts = explode(';', $ldap_contexts);
 

Around line 846:
 
      *                        groups.
      */
     protected function ldap_find_user_groups_recursively($memberdn, &$membergroups) {
        $trace = new error_log_progress_trace($this->errorlogtag);   // ****** Add this line *******
        $trace->output('find_user_groups_recursively: memberdn: '.var_export($memberdn, true));   // ****** Add this line *******
         $result = @ldap_read($this->ldapconnection, $memberdn, '(objectClass=*)', array($this->get_config('group_memberofattribute')));
         if (!$result) {
            $trace->output('find_user_groups_recursively: result is empty/false');   // ****** Add this line *******
             return;
         }
 

Around line 856:
 
                 $attributes = ldap_get_attributes($this->ldapconnection, $entry);
                 for ($j = 0; $j < $attributes['count']; $j++) {
                     $groups = ldap_get_values_len($this->ldapconnection, $entry, $attributes[$j]);
                    $trace->output('find_user_groups_recursively: '.count($groups) - 1.' groups found');   // ****** Add this line *******
                     foreach ($groups as $key => $group) {
                         if ($key === 'count') {  // Skip the entries count
                             continue;
                         }
                        $trace->output('find_user_groups_recursively: processing group '.var_export($group, true));   // ****** Add this line *******
                         if(!in_array($group, $membergroups)) {
                            $trace->output('find_user_groups_recursively: adding group '.var_export($group, true));   // ****** Add this line *******
                             // Only push and recurse if we haven't 'seen' this group before
                             // to prevent loops (MS Active Directory allows them!!).
                             array_push($membergroups, $group);
 

Around line 871:
 
             }
             while ($entry = ldap_next_entry($this->ldapconnection, $entry));
         }
    else {   // ****** Add this line *******
            $trace->output('find_user_groups_recursively: entry is empty/false');   // ****** Add this line *******
        }   // ****** Add this line *******
     }

     /**


Let's see what we get out of this.

Saludos.
Iñaki.
 
Average of ratings:Useful (1)
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Hi Inaki,

I've PM'd you the output of the above code, but to keep everyone else on the thread in the loop it appears the group names are just too long. The outputs or the groups often finish half way through a dn when echoed to the error log. An example can be seen here:

(member=CN=Teaching Group,OU=MIS2AD,OU=Groups,OU=Somewhere,DC=Somewhere,DC=local)(member=CN=Year 10 - Maths,OU=StudentGroups,OU=Moodle,OU=Groups,OU=Somewhere,DC=Somewhere,DC=local)(member=CN=Teaching Group,OU=MIS2AD,OU=Groups,OU=Somewhere,DC=Somewhere,DC=local)(member=CN=Teaching Group,OU=MIS2AD,OU=Gro

Any ideas?

Thanks,

Seb

 
Average of ratings: -
Picture of Steven Church
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Hi, We are the same issues you have here however I have just checked our Linux server times and they are both 11 minutes out from the LDAP server, do run a windows L DAP server as this may be the cause. If the server times are more than 5 minutes out LDAP will refuse to provide results. 

 

I have updated out server times using ntpdate and it is now working.. For now! smile 

 
Average of ratings: -
Picture of Steven Church
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

I take it back, we still have this issue sad - More research

 
Average of ratings: -
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

HI Steven,

Sorry to hear you're having the same issues.

Perhaps you could provide some debug info for me to perhaps indicate what is common between our installations?

  • Is the unenrolment happening for every 'type' of user (editingteacher, student etc.)
  • For the users that unenrolment is an issue for, are they are member of a large number of groups?

For me the unenrolment only affects staff and they are a member of a large number of groups

Thanks,

Seb

 
Average of ratings: -
Picture of Steven Church
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Hi Seb,

It is only effecting 2 of my users, they are teachers on courses and have roughly 55 and 35 security groups each, of which 10 of these are courses. They do not have any familiar course security groups. 

They are teachers on these courses, it does not affect students from what I can tell and no students have reported issues. 

I have arrived at the college last week and they have had the issue since November during which time the college was using 2.4 they are now running 2.6 with the same issue.

I have removed one of the teachers from all groups apart from 1 and the issue remains. If I run the script they enrol, as soon as they log in my PHP/ APACHE log shows them being removed from the course. 

It is very very frustrating, I have done all of the debugging as mentioned above and I see the same results you see. 

Im interested in your PHP configuration theory, what would you suggest, MAX POST SIZE? 

If you would like to talk on the phone regarding this send me a message, alternativly I can send you my email. 

Regards,

Steve

 

 
Average of ratings: -
Picture of Steven Church
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Just to keep you in the loop,

I am about to create a whole new staff Active Directory account, I will then start adding all of the security groups including distribution groups identical to the staff who have issues until I find a problem. 

at first I was thinking it may be something to do with nested groupings creating some form of loop so hopefully this will identify any security group issues. 

 
Average of ratings: -
Picture of Steven Church
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

RESULT!

Oh my god, a lot of process of elimination, I created a second account associated all security groups, dist groups etc to the user and removed them one by one until it worked again and guess what. The issue was with a security group which is used for group policies which has parentheses in the game it was called XXXX (XXXX) - Removed this group and everything is working for that user! 

I hope this helps you. 

 
Average of ratings:Useful (2)
Picture of Seb Harrington
Re: LDAP Enrolment - Users are unenroling from all LDAP courses on login
 

Haha! Excellent, well spotted! Exactly the same issue here - I'll update the bug tracker with your findings. Staff where the only people who were members of groups with parenthesis in the name

I literally am chuckling in response to how frustrating this was and how simple the solution was.

Absolutely brilliant. Thanks Steve I'm sure this is going to help a lot of people!! I don't know how useful it would be for you as you sound like you have things sorted your end - I'm going to put a post out very shortly on how to get courses (subjects) our from a School Management System into moodle automated style!

Do you think you could add a 'me too' to the bug tracker: https://tracker.moodle.org/browse/MDL-43430 that way hopefully the devs can get this issue fixed and we can have groups with parenthesis in! As the vast majority of my 2000 groups + have parenthesis in!

Also thanks Inaki for all your help and code!

 

 
Average of ratings: -