configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Matt Morrison -
Number of replies: 9

I am establishing a new Moodle implementation where we want to employ single sign-on. We want the user accounts created in AD to be able to be used to log into Moodle without having to create and maintain moodle user accounts and passwords.

After configuring Moodle for LDAP Authentication, I am unable to log into Moodle using an Active Directory account.


The following is a description of my environment and settings. I would like to know if I've missed something, or if there are additional configuration steps not addressed.

Here is a list of the sources I've used thus far:
http://docs.moodle.org/26/en/LDAP_authentication
http://docs.moodle.org/24/en/Active_Directory
http://www.php.net/manual/en/function.ldap-bind.php


1. Environment:
Servers: Ubuntu 12.04LTS with Moodle 2.6+ (Build: 20131122); Windows Server 2008R2 Domain Controller
PHP: PHP Version 5.3.10-1ubuntu3.8 (http://myserver.mydomain.local/admin/phpinfo.php)
AD: Moodle Users are placed into a separate OU (moodleusers) directly below the domain root & this is a single domain in the forest.

2. Ldap bind account permissions = copy of default administrator (domain admin, enterprise admin, schema admin)
NOTE: I have tried 2 different tests using the bind account with regular domain user permissions for one test and domain administrator permissions for the second test; the result is the same regardless of permission level.

3. Observation: on the LDAP server screen in Moodle, I receive the following message on screen:
"LDAP paged results not supported (either your PHP version lacks support or you have configured Moodle to use LDAP protocol version 2)"

4. LDAP server Settings:
Host URL: xxx.xxx.xxx.xxx
Version: 3
Use TLS: NO
LDAP encoding: utf-8
Page Size: 250
Hide Passwords: YES
Distinguished name: cn=ldap-bind-user,ou=moodleusers,dc=mydomain,dc=local
Search subcontexts: NO
Dereference aliases: NO
user attribute: BLANK
member attribute: BLANK
member attribute uses dn: BLANK
object class: BLANK
Force Change password: NO
Use standard page for changing password: NO
Password format: Plain text

All remaining settings are left blank or default setting.

5. Manual test of PHP LDAP bind
I performed a manual test to confirm the ldap-user account would successfully bind using the following code from php.net:


<?php

// using ldap bind
$ldaprdn  = 'uname';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

}

?>

The test result was successful.

6. Moodle login results
When attempting to log into Moodle using an Active Directory user account, the result on screen is "Invalid login, please try again"

Please help.
Thank you.


In reply to Matt Morrison

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Visvanath Ratnaweera -
Hi

I'm no Active Directory guru, so the easier ones:

> 3. Observation: on the LDAP server screen in Moodle, I receive the following message on screen:
> "LDAP paged results not supported (either your PHP version lacks support or you have configured Moodle to use LDAP protocol version 2)"

Shouldn't be a problem for a single user. See the details here: "Re: Current status of the ActiveDirectory MaxPageSize limitation (reconstructed)" https://moodle.org/mod/forum/discuss.php?d=244340&parent=1059952.

> 4. LDAP server Settings:
> Host URL: xxx.xxx.xxx.xxx
> Version: 3
> Use TLS: NO
> LDAP encoding: utf-8
> Page Size: 250
> Hide Passwords: YES
> Distinguished name: cn=ldap-bind-user,ou=moodleusers,dc=mydomain,dc=local
> Search subcontexts: NO
> Dereference aliases: NO
> user attribute: BLANK
> member attribute: BLANK
> member attribute uses dn: BLANK
> object class: BLANK
> Force Change password: NO
> Use standard page for changing password: NO
> Password format: Plain text
>
> All remaining settings are left blank or default setting.

What about http://docs.moodle.org/26/en/LDAP_authentication#Data_Mapping -> ID Number? Should be 'uid' in some cases.

> 5. Manual test of PHP LDAP bind

The script you've used just says "It works" or not. Try an LDAP browser like 'ldapsearch' to dump the whole set of data (for the bind user).
In reply to Matt Morrison

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Iñaki Arenaza -
Some comments on your setup:

1. The bind user doesn't need special permissions at all. Any regular domain user account will do (read permissions on regular AD objects are enough, which are granted by default to regular domain user accounts; unless you tighten your AD security by removing permissions this should work ok).

2. In the LDAP server settings, you need to configure the user attribute (i.e., don't leave it blank). If you leave it blank Moodle will use the 'cn' attribute (what AD calls the 'Display Name') to identify users. Which is probably not what you want in 99% of the cases. You will probably want to use the 'samaccountname' attribute (what AD calls the 'pre-Windows 2000 account name').

3. You _have to_ specify the context(s) for the user accounts (I don't see this setting anywhere in your original post; did you forget to copy it?). That's where Moodle will look for your users. If you don't set any context, Moodle won't find the users and won't let them log in.

Hope that helps.

Saludos.
Iñaki.
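The lookup-then-bind sequence Iñaki describes (find the entry by the user attribute under the context, then bind as that DN with the user's password) and Visvanath's suggestion above to dump the account's data rather than just print "it works", as an added diagnostic script. It is not code from the thread or from Moodle itself. It assumes PHP with the ldap extension on the Moodle host; the host name dc01.mydomain.local, the account names and the passwords are placeholders, while the bind DN and OU reuse the values from the post. The attributes printed at the end (givenName, sn, mail) are the AD attributes usually mapped to Moodle's first name, last name and email fields, which the thread later turns out to need.

```php
<?php
// Added example, not code from the thread or from Moodle. It replays the three
// stages a Moodle-style LDAP login runs against AD so each can be checked on
// its own: (1) bind with the service account, (2) find the user's DN under the
// configured context by the user attribute, (3) bind as that DN with the
// password from the login form. It then prints the data-mapping attributes.
// Every host, DN, account name and password below is a placeholder.

$ldapHost    = 'ldap://dc01.mydomain.local';   // placeholder; keep the ldap:// scheme
$bindDn      = 'cn=ldap-bind-user,ou=moodleusers,dc=mydomain,dc=local';
$bindPass    = 'bind-password';                // placeholder
$context     = 'ou=moodleusers,dc=mydomain,dc=local';
$userAttr    = 'sAMAccountName';               // not cn, which AD fills with the display name
$objectClass = 'user';

// The credentials typed at the login form (placeholders).
$loginName = 'jdoe';
$loginPass = 'user-password';

// RFC 4515 escaping for values placed in a search filter. ldap_escape() only
// exists from PHP 5.6, and the thread runs 5.3, so it is done by hand here.
// The backslash is replaced first so the escapes it produces are not re-escaped.
function ldap_filter_escape($value) {
    return str_replace(
        array('\\',   '*',    '(',    ')',    "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Report which stage failed, with the server's own error text when available.
function fail($conn, $stage, $detail) {
    $err = $conn ? ldap_error($conn) : '';
    fwrite(STDERR, "$stage failed: $detail" . ($err !== '' ? " ($err)" : '') . "\n");
    exit(1);
}

$conn = ldap_connect($ldapHost);
if (!$conn) {
    fail(null, 'connect', "ldap_connect() rejected '$ldapHost'");
}
// AD needs protocol version 3, and referral chasing must be off or searches
// under the domain root can come back empty.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Stage 1: bind with the service account's full DN, not its account name.
if (!@ldap_bind($conn, $bindDn, $bindPass)) {
    fail($conn, 'Stage 1', "bind as $bindDn");
}
echo "Stage 1 ok: bound as $bindDn\n";

// Stage 2: look the user up under the context. ldap_list() searches one level
// only, matching "Search subcontexts: NO"; use ldap_search() for a subtree.
$filter = sprintf('(&(objectClass=%s)(%s=%s))',
    $objectClass, $userAttr, ldap_filter_escape($loginName));
$wanted = array('givenName', 'sn', 'mail');
$result = ldap_list($conn, $context, $filter, $wanted);
if (!$result) {
    fail($conn, 'Stage 2', "search in $context with $filter");
}
$entries = ldap_get_entries($conn, $result);
if ($entries['count'] === 0) {
    // This is the "ldap_user_dn is empty, user does not exist" case.
    fail($conn, 'Stage 2', "nothing matched $filter under $context");
}
if ($entries['count'] > 1) {
    fail($conn, 'Stage 2', "{$entries['count']} entries matched; $userAttr is not unique here");
}
$userDn = $entries[0]['dn'];
echo "Stage 2 ok: user DN is $userDn\n";

// Stage 3: bind as the user. An empty password is refused before binding,
// because AD treats a bind with an empty password as an unauthenticated bind
// and reports success, which would log anyone in as that user.
if ($loginPass === '') {
    fail(null, 'Stage 3', 'empty password refused before binding');
}
if (!@ldap_bind($conn, $userDn, $loginPass)) {
    fail($conn, 'Stage 3', "bind as $userDn");
}
echo "Stage 3 ok: password accepted for $userDn\n";

// Data mapping check: ldap_get_entries() lowercases attribute names.
$mapping = array('givenname' => 'First name', 'sn' => 'Last name', 'mail' => 'Email');
foreach ($mapping as $attr => $label) {
    $value = isset($entries[0][$attr][0])
        ? $entries[0][$attr][0]
        : '(missing: Moodle will show the profile form)';
    echo "  $label <- $attr: $value\n";
}
ldap_unbind($conn);
```

Run it from the Moodle host with `php ldap-login-check.php`; the first stage that fails tells you whether the problem is the bind account, the context and user attribute, or the user's own password, which is exactly the split the thread is trying to make.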
In reply to Iñaki Arenaza

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Matt Morrison -

Thank you for the feedback. I had missed entering the context info in my original post. Here is what I have currently (including context, user attribute & object class). I'm still receiving invalid login as the response to logging into moodle using an Active Directory account after adding samaccountname to the User context & user to the object class:

LDAP server Settings:
Host URL: xxx.xxx.xxx.xxx
Version: 3
Use TLS: NO
LDAP encoding: utf-8
Page Size: 250

Bind Settings:
Hide Passwords: YES
Distinguished name: cn=ldap-bind-user,ou=moodleusers,dc=mydomain,dc=local
Password: <hardtoguesspassword>

User lookup settings:
User Type: MS Active Directory
Contexts: ou=moodleusers,dc=mydomain,dc=local
Search subcontexts: NO
Dereference aliases: NO
user attribute: samaccountname
member attribute: BLANK
member attribute uses dn: BLANK
object class: user

Force change password:
Force Change password: NO
Use standard page for changing password: NO
Password format: Plain text
Password-change url: BLANK

LDAP password expiration settings:
Expiration: NO
Expiration warning: 10
Expiration attribute: BLANK

Enable user creation:
Create users externally: NO
Context for new users: BLANK

NTLM SSO:
Enable: NO
(All fields default values - BLANK)

Data mapping:
All fields: BLANK

In reply to Matt Morrison

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Iñaki Arenaza -
Hi again,

apparently your settings are ok. I even set them on my test setup (using W2012R2 instead) and they work as expected. I suspect the context search might not be correctly configured or that we are hitting a rather unusual bug.

In order to diagnose it, I propose you apply the attached patch to your Moodle site. It just adds three additional debugging lines to the LDAP login code to see where things 'go wrong'. In addition to applying the patch, you should set your debugging level to at least NORMAL. Then you can try to log in with an LDAP user. You should get some debugging lines (starting with '>>>>>' to make looking for them easier) in your PHP error logs (or on your login page, if you enable 'Display debug messages').

Put the attached patch inside .../auth/ldap/ directory, and then apply it with:

patch -p1 < ldap-login-debug.patch

Saludos.
Iñaki.
In reply to Iñaki Arenaza

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Matt Morrison -

Thank you for posting the debugging patch. I installed and ran the patch. Here are the results that display on screen after I enabled Debugging (Normal) & selected to display debug messages on screen:

logging into Moodle as a Windows domain user:

>>>>>> ldap_user_dn is empty, user does not exist
line 214 of /auth/ldap/auth.php: call to debugging()
line 4403 of /lib/moodlelib.php: call to auth_plugin_ldap->user_login()
line 140 of /login/index.php: call to authenticate_user_login()


logging into Moodle as a Windows domain administrator:

>>>>>> ldap_login: 1
line 221 of /auth/ldap/auth.php: call to debugging()
line 4403 of /lib/moodlelib.php: call to auth_plugin_ldap->user_login()
line 140 of /login/index.php: call to authenticate_user_login()

I am still using the settings in Moodle as previously described above. I opened the referenced files to the given line numbers and tried to investigate the code immediately above those lines. However, I'm not a PHP expert by any means, and was not able to determine what the problem might be. I'm not sure as to the cause of the different lines referenced in auth.php when using a regular user versus an administrator user.

In reply to Matt Morrison

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Emma Richardson -

Check that you are in fact using the dn of the bind user and not the user name. Mine for example is Moodle Connect - you might check case, sometimes it is case specific. All your other settings look ok as long as your search context ou isn't actually in another ou like Users or People. I am presuming that you do have ldap:// at the beginning of your server name.

In reply to Emma Richardson

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Matt Morrison -

I got it working. After performing a system reboot I discovered that now the AD account user profile page would display in Moodle upon log in, requiring the user to complete their profile information (First Name, Last Name & email address). I entered the attribute names for these values from ADSI Edit and now it works fine. I found it misleading that the data mapping fields are listed as being optional, when in reality they are mandatory if you want the user to simply be able to log in without any account profile interaction.

I'm still not sure why a system reboot would have been required, but that's the only explanation I can come up with. The LDAP authentication had not been working immediately upon configuration, but did start working after a reboot.

Thank you all for the help!

In reply to Matt Morrison

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Eddie Spade -

I'm having pretty much the exact same issue you were having, would you mind breaking it down on the necessary steps to fix it? Every time I attempt to log in with a domain account, it comes back with "invalid user".

In reply to Matt Morrison

Re: configure active directory using Moodle 2.6+, Ubuntu 12.04LTS & Windows Server 2008 R2

by Johnny Zghaib -

Hello Matt,

I have the same issue, and I checked all the configuration fields. Did you perform a reboot for the AD server or the Moodle server?

A Moodle server reboot did not work.