LDAP Authentication and Auto Enrollment Setup Issues

by Jason Davies -
Number of replies: 0

I've been struggling with this setup for a week now trying to figure out a way to ensure that Moodle enrollments can easily be handled as part of a student body setup. Upon reviewing the different options, the idea of having LDAP auth and LDAP auto enroll really appeals, and I'm sure there are people out there that have gotten this working. I've managed to get the LDAP auth piece working flawlessly in a lab, but the Enrol piece completely eludes me. My general hope is that I can use the UPN (userPrincipalName) as the login value (and I have this working for Auth). This would simplify our students' login requirements, as they all use this account value all the time, so it would be a simple extension of their normal login process, and down the road I could look to implement SSO using SSL certs (which is likely going to be my next post).


Anyway, I was hoping that someone smarter than I who has managed to get this working could review this config and discourse and let me know where I messed up. Once I have the thing working I will post the configuration files, as all the readme/FAQs and documentation I have found are either for older versions or translated (badly) from other languages.

In my lab I have a single Moodle server running on Win2k8. It's using the simple basic package download that includes MySQL and PHP; nothing fancy has been added or done, a very vanilla install, save some hostname file changes to make it more presentable than just http://localhost. It's talking to a Windows 2k12/2k8 domain.


Said domain has two OUs in the root of the LDAP tree. Inside the student OU is a group; the group matches a sample course that was created in Moodle, and a user has been added to that group. The user has no issues at all logging into Moodle, sees the courses in question and can manually (inside Moodle) be added to the course in question and view the content. However, when I try to use LDAP Enrollment, though the user is authenticated and created, I get: "You can not enrol yourself in this course."


LDAP Auth and LDAP Enroll are both enabled and the default for that plugin series at the top of the processing stack.

Here are some detailed listings from the setup from both the AD and the Moodle side of things:

User Data from Moodle after successful login:
username: moodle1@mydomain.com
Authentication Method: LDAP
ID Number: moodle1@mydomain.com


User Data from AD:
CN=Moodle1
Distinguished Name: CN=Moodle1,CN=Users,DC=mydomain,dc=com
UserPrincipalName: Moodle1@mydomain.com

Group Membership LDAP Path and data from AD:
Mydomain.com\EnrollmentStudents\
Group Name: Med101
CN=Med101
Distinguished Name: CN=Med101,OU=EnrollmentStudents,DC=mydomain,DC=com

User Moodle1 is a member of Group Med101

Course in Moodle:
Full name  Medication Assistance Competency
Short name: Med Asssist 
ID number  Med101

Role Assignments: CHW: 1

Enrolment Methods: Manual Enrolments.


LDAP Auth Plugin Settings: - and this works just fine.
host URL: ldap://svr-ad-001.mydomain.com
version: 3
TLS: no
LDAP Encoding: utf-8
Page Size: 250

Bind Settings
Hide Passwords: Yes
Distinguishedname: administrator@mydomain.com
Password: *********

User Lookup Settings
User Type: MS ActiveDirectory
contexts: cn=users,dc=mydomain,dc=com
Search Sub: Yes
Dereference: No
user attribute: UserPrincipalName
Member Attribute: UserPrincipalName

Force Change Password - left at default
LDAP Password Expiration - left at default
Enable User Creation - No
Course Creator - empty
Cron Synch Script - Keep Internal
NTLM SSO - left at default.

Data Mapping - updates on login so AD is the master record holder any changes reflect in Moodle.  
Firstname - givenName
Surname - sn
Email Address - mail
City - LocalityName
Country - CountryName
Language - preferredLanguage
Description - description
Id Number - userPrincipalName


Enrollment
Host URL: ldap://svr-ad-001.mydomain.com
TLS: No
Version: 3
LDAP Encoding: utf-8
Page Size 250

Bind Settings
Bind Distinguished name: cn=administrator,ou=users,dc=mydomain,dc=com
password: ********

Role Mapping
Teacher: OU=administrator,ou=users,dc=mydomain,dc=com
LDAP Member: userprincipalname
Student: OU=EnrollmentStudents,DC=mydomain,dc=com
LDAP Member: userprincipalname
Search Subcontexts: Yes
Member Attribute: Yes
Contexts: OU=users,dc=mydomain,dc=com
Search Subcontexts: Yes
User Type: MS ActiveDirectory
Dereference Alias: No
ID number attribute: empty

Course Enrolment Settings
Class: (objectClass=group)
id number: cn
Short name: cn
Full name: cn
Summary: empty
ignore hidden courses: unchecked
External unenrol: empty

Automatic Course Creation Settings
NO

Automatic Course Update
NO

Nested Groups
NO


End Result
You can not enrol yourself in this course.


When I try to think this through logically: the user authenticates, and their ID Number maps to their userPrincipalName; I see this in the properties of the users listed inside Moodle that successfully log in. So something (enrol?) is not processing against that data and the groups that I have in play under the OUs. I've checked and changed DNs for CNs, and removed entries where there is no data in case lack of data causes errors (an example being course short name in Course Enrolment settings). I can see that the CN for the course in AD's group matches the Course ID in Moodle. I've checked with LDP and can navigate to all the contexts I've used... at a loss.


Does anyone know

1) Are there any logs for the enrollment options chosen? I can't find anything or any documentation on where to go look for errors in authentication or issues with the connectivity back to AD for group membership etc.

and

2) Can anyone see anything apparent in what I have configured here that would cause the Enrol plugin to simply do nothing?

I think the log will likely tell me what's going on, but who knows where the log is? I certainly don't.


Anyway, any help is appreciated, and as soon as I get it working I will post the final solution so others can play.

Cheers