LDAP Enrollment HOWTO

by Lars Jensen -

Moodle LDAP Enrollment HOWTO

This howto describes how to set up LDAP enrollment in Moodle. A minimal .ldif file that can be imported into your LDAP server for testing the setup presented here is attached. LDAP enrollment works best in Moodle when used in conjunction with LDAP authentication, and we're going to assume that you have already set Moodle up for LDAP authentication.

Assumptions

  1. You are running a recent version of Moodle. We have tested the setup presented here on versions 1.5.2+ and 1.6dev. It is likely to work on Moodle 1.4.5 as well.

  2. You are using LDAP authentication as your primary authentication method.

  3. Each user has a uid attribute in the user's LDAP record that matches the ID number in the same user's Moodle profile (this can easily be arranged with a mapping on the Moodle LDAP Authentication setup page).

The Course Setup

Our setup involves the following course and user definitions:

  • Two courses, Math101 and Eng201.

  • Two teachers, teachera and teacherb.

  • Three students, studentd, studente, and studentf.

  • studentd and studente are enrolled as students in Math101, and teachera is enrolled as teacher of Math101. studente and studentf are enrolled as students in Eng201, and teachera and teacherb are both enrolled as teachers of Eng201.

The LDAP Container Setup

  1. Define two LDAP containers, ou=StudentEnrollment and ou=TeacherEnrollment.

  2. For each course we define an LDAP group entry (e.g. a posixGroup entry) in the StudentEnrollment and TeacherEnrollment containers. Thus, we define a Math101 posixGroup under StudentEnrollment, and we define a Math101 posixGroup under TeacherEnrollment. We define the two Eng201 groups in a similar way.

  3. Enroll students and teachers as members of the LDAP groups we just defined. This is done by entering the user's uid attribute in the memberUid attribute of the relevant group:

  • teachera is a member of the Math101 group under TeacherEnrollment.
  • studentd and studente are members of the Math101 group under StudentEnrollment.
  • teachera and teacherb are members of the Eng201 group under TeacherEnrollment.
  • studente and studentf are members of the Eng201 group under StudentEnrollment.

The LDAP Enrollment Configuration in Moodle

The LDAP enrollment settings in moodle corresponding to the above setup are as follows:

LDAP Enrollment Variable: Value

enrol_ldap_student_contexts: ou=StudentEnrollment,dc=ldapserver,dc=tmcc,dc=edu
enrol_ldap_student_memberattribute: memberUid
enrol_ldap_teacher_contexts: ou=TeacherEnrollment,dc=ldapserver,dc=tmcc,dc=edu
enrol_ldap_teacher_memberattribute: memberUid
enrol_ldap_objectclass: posixGroup
enrol_ldap_course_idnumber: cn
enrol_ldap_course_shortname: cn
enrol_ldap_course_fullname: cn
enrol_ldap_autocreate: Yes


Additionally, since you are using LDAP authentication, you should also map the moodle "ID number" of users to the "uid" in the ldap entry of the user. This is done on the moodle LDAP Authentication page (not the LDAP Enrollment page).

Notes:

  1. You do not need to create the courses manually in Moodle. If they don't exist, they will be created when the first enrolled user logs in.
  2. We are using the same string for cn and uid in a user's LDAP record. This is not necessary, I believe. However, if you use different values, you will need to set the ldap_user_attribute to uid in the LDAP authentication setup.

  3. The value of the group id number (gidNumber) defined for the groups in step 2 of the LDAP Container Setup above is not critical. It is not used in this setup.

  4. The attached .ldif file assumes that users are in the ou=People container in LDAP. You will need to configure your LDAP Authentication setup to reflect this (ldap_contexts variable).

  5. User passwords for this setup are defined in the attached .ldif file.

  6. If you use the attached .ldif file, you'll need to edit the ldap server information (the "dn=" lines).
Average of ratings: Useful (3)
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Martín Langhoff -
This document is just excellent. Thanks a lot for putting it together, Lars! Should it go into the wiki too? Even if it says developer wiki, it houses many other bits and pieces, and this would be a good "seed" document where people can edit and add content.

Ideally, it should be paired with an Auth/LDAP Howto ;)
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Robert Sexton -

Excellent document! So can I just get some clarification on 2 things.

1. LDAP authentication must point to the OU where ALL your users are or multiple OUs. Groups are NOT an option for authentication, only autoenrolment.

2. Autoenrolment is based on group membership from a group you have in the OU you designate??

I would love to do ALL my authentication based on group membership if possible. If so please share your wisdom. Thanks

Rob

In reply to Robert Sexton

Re: LDAP Enrollment HOWTO

by Kent Villard -
Is there any way to get the effects of the course creation for non-existing courses in the enrol_ldap_users.php script without syncing users? I just want to create all the courses listed in LDAP but not enrol any users yet?

Any ideas?
In reply to Kent Villard

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -
Not that I know of :(

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Enrollment HOWTO

by Ulrich Wolf -
First, thanks for this tutorial, clarified a lot for a LDAP noob like me... but... ;)

...I'd like to give every authenticated user the student's role on the front page (but not system-wide student's role). The authentication is done with LDAP (works).
In enrolment I understand that the context mapping is done via the idnumber of a course. But what name should I give to the posix group in the respective Enrolment container? I can't find an idnumber for the frontpage context, and system is 1, or am I wrong? Any help appreciated.

Uli
In reply to Ulrich Wolf

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -

If you are using 1.9, you can set this from the Front Page settings page (which is the official way of doing it). Just go to Administration >> Front Page >> Front Page Settings and scroll down to the "Default Front Page role" setting. Set it to 'student' and voila! :)

Saludos. Iñaki.

Average of ratings: Useful (1)
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by sigillo francesco -
Hello Lars,

I understand your howto, but what I don't understand: is it necessary to create 2 identical groups Math101 or Eng201 in 2 different OUs?

In the AD MS, it is not possible to create 2 groups in 2 OU different with 2 identical names.

Your directory is not an MS AD, is it?

How can this howto be applied in an MS AD environment?

Thanks a lot !!
Ceco
In reply to sigillo francesco

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -
In the AD MS, it is not possible to create 2 groups in 2 OU different with 2 identical names.

Yes you can :), provided they have a different pre-Windows 2000 name (a different sAMAccountName).

Saludos. Iñaki.
Average of ratings: Useful (1)
In reply to Iñaki Arenaza

Re: LDAP Enrollment HOWTO

by Michael Tudor -

Okay, I've tried everything I can find on how to set this up but I haven't had any joy.

We are running Windows Server 2003 Active Directory and we have been successfully using LDAP authentication for the last few months (since we first installed Moodle).

Anyway, I've been unable to get the LDAP enrollment to work; I can't even get LDAP to show up as an option for course enrollment in the course settings.

Has anyone been able to get LDAP Enrollment working for Microsoft Active Directory? If so could you please post your configuration for this.

In reply to Michael Tudor

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -
Here are a set of configuration values that make it work. It's very important to set ID Number mapped to 'distinguishedName' in the LDAP authentication settings for this to work.

Also bear in mind that doing the above completely breaks auth_ldap_sync_users.php script. So right now it's one (LDAP enrolment with AD) or the other (user account synchronization with AD), but not both.

Also make sure your distinguishedName values are shorter than 64 characters. Otherwise you'll need to widen the idnumber field in your mdl_user table, and also the trim limit in truncate_userinfo() function (in .../lib/moodlelib.php).

Saludos. Iñaki.
Average of ratings: Useful (1)
In reply to Iñaki Arenaza

Re: LDAP Enrollment HOWTO

by Ryan Thomas -
I'm confused by your statement about either/or, Inaki.

I do both ldap auth and ldap enrollment *and* I use distinguishedName (with >64 characters).

I do not, however, use auth_ldap_sync_users.php. Is that what doesn't work with distinguishedName?

In reply to Ryan Thomas

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -

I do not, however, use auth_ldap_sync_users.php. Is that what doesn't work with distinguishedName?

Yep, that is.

Saludos. Iñaki.

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by sofia cardita -
Hi

I'm trying to get ldap enrolment working. Authentication works fine. After reading through the docs and forum posts I still can't get it to work.

Here's my setup
dc=moodleldap (base dn)
cn=StudentEnrolment(posixGroup)
cn=aStudent(userAccount; has attribute uid which is used for login, eg MOODLE101-hbarrado)

In Authentication, I set ldap_user_attribute to uid.

In Enrolment-enrol_ldap_roles I have

Student->enrol_ldap_contexts = 'cn=StudentEnrolment,dc=moodleldap'
and memberattribute = memberUid (also tried uid).

enrol_ldap_objectclass = posixGroup
enrol_ldap_course_idnumber = cn

Am I missing something?

Thanks

Sofia Cardita
In reply to sofia cardita

Re: LDAP Enrollment HOWTO

by sofia cardita -
All solved now.

I hadn't defined the Course ID number when I created the courses, so of course it didn't map to my PosixGroup Course in the ldap tree.

Best,

Sofia
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Sakis Zafeiropoulos -

Is it possible to use a field other than 'userid' (the attribute used for login) to designate members in the group member attribute for LDAP enrollment?

We already have an LDAP server with many (~2400) groups in which members are added using the dn. We tried to use these groups instead of creating new ones (with the userid attribute in the member attribute) but it didn't work.

a group looks like the following:

dn: CN=PLI10,O=StudentEnrollment
grouptype: 0
description: TEST MOODLE
objectclass: groupOfNames
objectclass: top
grouptitle: 0
listcategory: 3333
member: CN=ZAFEIROPOULOS DIONYSIS,O=directory

Can Moodle retrieve the dn and query the LDAP with it, or does it use only the login attribute 'userid' for membership searching?

thanks in advance

Dionysis

In reply to Sakis Zafeiropoulos

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -
Moodle currently uses the 'ID Number' field of the Moodle user. Whether you map that field to your LDAP's userid or distinguishedName attribute is up to you.

In your example, you'll need to map it to the distinguishedName attribute for enrolments to work. Please, note that this would break auth_ldap_sync_users.php as stated above.

Saludos. Iñaki.
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Colin McQueen -

Hi

Good grief LDAP integration has moved on since I last used it in 2004.

Is it possible to get LDAP enrollment and course creation working with moodle groups as well as courses? This would be so a single course in Moodle (created automatically as the first participant logs in) would host several groups based on classes from the MIS system. I guess it depends on both the MIS and Moodle using AD groups that are structured in this way?

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Jeff Davis -
Is it necessary to create separate ou's for moodle enrollment? I guess I was hoping to leverage my existing "groups" ou, which of course would make it simpler in some ways. Perhaps I'm just being lazy...
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by José Cruz -

Hi there

I'm a new one. José Cruz from Portugal.

(sorry for my English)

My situation: LDAP Windows Server 2003. Moodle 1.8

I have an OU container (schoolserver), with subOUs (students and teachers).

I have an OU (moodle) with subOUs (students and teachers) for moodle groups.

I have LDAP authentication like that and working.

LDAP server settings

Host URL: ldap://minhaescola.servidorescola.local

Version : 3

LDAP encoding : utf-8

Bind Settings

Hide passwords: yes

Distinguished Name: CN=moodle esmcastilho,CN=Users,DC=minhaescola,DC=servidorescola,DC=local

password.

User lookup settings

User type: MS ActiveDirectory

Contexts: OU=SchoolServer,DC=minhaescola,DC=servidorescola,DC=local

search sub: yes

dereference alias: no

user attribute: sAMAccountName

Member attribute:

Member attribute uses dn:

Object class: user

Force change password

force: no

use standard: no

LDAP password expiration settings

expiration: LDAP

Enable user creation

create user externally: no

course creators

creators:

Cron synchronization script

Removed ext user: Full delete internal

first name: givenName

ID number: sAMAccountName

 

I can't say the same about enrol and I don't know why.

Here are my settings:

LDAP Server Settings

enrol_ldap_host_url: ldap://minhaescola.servidorescola.local

enrol_ldap_version: 3

enrol_ldap_bind_dn: CN=moodle esmcastilho,CN=Users,DC=minhaescola,DC=servidorescola,DC=local

ldap_bind_pw: *********

ldap_search_sub: yes

Role mapping

Teacher

LDAP contexts: OU=profs,OU=Moodle,DC=minhaescola,DC=servidorescola,DC=local

LDAP member attribute: member

students

LDAP contexts: OU=alunos,OU=Moodle,DC=minhaescola,DC=servidorescola,DC=local

LDAP member attribute: member

Course enrolment settings

enrol_ldap_objectclass: group

enrol_ldap_course_idnumber: cn, no, no

enrol_ldap_course_shortname: cn, no, no

enrol_ldap_course_shortname: cn, no, no

Automatic course creation settings

enrol_ldap_autocreate: yes

enrol_ldap_category: Geral

 

If anyone can help, please...

Best wishes from Portugal

In reply to José Cruz

Re: LDAP Enrollment HOWTO

by Rob Duncan -

Hi Jose,

Your configuration looks all good to me, but I had a similar problem and couldn't understand as my enrolment config was the very same as the authentication config. Finally I just tried different variations of the same thing, i.e. I changed LDAP bind user contexts to the email format so your user would be mesmcastilho@minhaescola.servidorescola.local. (in enrol_ldap_bind_dn)

I also changed the contexts to omit the OUs and left in just the DCs.

I opened the global schema port on 3268 (should already be open),

and then it worked. I know it's stupid but I did all of this at the one time so I don't know what worked. But I now have authentication and auto course creation and enrolment working.

One last thing that you don't want to overlook is to make sure that your bind users' account is not locked out.

Finally you can use LDAP browser to make sure of your contexts,

enter the same bind user details to see if the browser connects ok

(http://www.ldapadministrator.com/)

Good luck!

Rob

In reply to José Cruz

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -
For LDAP enrolment to work with Active Directory, you __have to__ map Moodle's 'User ID' to AD 'distinguishedName' like I say here: http://moodle.org/mod/forum/discuss.php?d=31761#p304705

Bear in mind that this __completely__ breaks auth_ldap_sync_users.php as I say there.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -

Bear in mind that this completely breaks auth_ldap_sync_users.php as I say there.

This is no longer true if you are using Moodle 1.8.1+ from 2007.03.01 or later :)

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Enrollment HOWTO

by Clinton Graham -
Solve both problems quickly.

We have enrol/ldap and auth/ldap using more convenient idnumbers for us (not the DN) by the easy fix of changing enrol/ldap to get the idnumber field specified in auth/ldap. Just add the following code at enrol/ldap/enrol.php:253.

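// LOCAL: get appropriate ID number from auth/ldap
$idnumber_field = get_config('auth/ldap', 'field_map_idnumber');
if (!empty($idnumber_field) && strtolower($idnumber_field) != "dn") {
    // ldap_get_entries() returns attribute names in lower case
    $idnumber_attr = strtolower($idnumber_field);
    $tempmembers = array();
    $ldap_fields_wanted = array('dn', $idnumber_field);
    foreach ($ldapmembers as $ldapmember) {
        // Each member value is a DN: read that entry to fetch its ID number attribute
        $ldap_result = @ldap_read($ldap_connection, $ldapmember, '(objectclass=*)', $ldap_fields_wanted);
        $record = $ldap_result ? ldap_get_entries($ldap_connection, $ldap_result) : array('count' => 0);
        // Skip members whose entry could not be read or has no such attribute
        if (!empty($record['count']) && isset($record[0][$idnumber_attr][0])) {
            $tempmembers[] = $record[0][$idnumber_attr][0];
        }
    }
    $ldapmembers = $tempmembers;
}
// END LOCAL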

We did this as part of a larger fix to:
  • Get auth/ldap to interact with enrol/ldap
  • Get enrol/ldap to not break enrol/database
  • Get enrol/ldap to handle large course memberships (at least in MS-AD).
I've attached the whole diff (still a work in progress).

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by David Barber -
Hi all,

I think I'm just way too far behind on this. Can someone answer some really basic questions for me?

When a user authenticates and I have LDAP enrollment set up, does moodle get -all- of their courses from LDAP, or is LDAP simply allowing me to, for example, ensure that certain groups get put in certain courses?

If -all- of a person's courses are coming from LDAP, how does that information get from Moodle back to the LDAP server?

Sorry for my n00bness.
David
In reply to David Barber

Re: LDAP Enrollment HOWTO

by Rob Duncan -

Hi Dave,

When a user authenticates and I have LDAP enrollment set up, does moodle get -all- of their courses from LDAP, or is LDAP simply allowing me to, for example, ensure that certain groups get put in certain courses?

When LDAP enrolment is set up and working, then when a user logs in, Moodle checks to see what groups (as in Active Directory groups for example) the user is a member of. Moodle then enrols that user in a corresponding 'Course' in Moodle. If the course does not exist in Moodle when the user logs in, then Moodle creates the course.

If -all- of a person's courses are coming from LDAP, how does that information get from Moodle back to the LDAP server?

Actually it works the other way round, Moodle collects data from an LDAP server to populate its own DB.

In reply to Rob Duncan

Re: LDAP Enrollment HOWTO

by David Barber -
Hi Rob, and thanks for replying.

A follow up question: our example person logged in, and LDAP told moodle that because they were in group X they should be in course X. Now we have removed their LDAP membership in group X. Will moodle unenrol them from course X?

Thanks again for any assistance!
David

In reply to David Barber

Re: LDAP Enrollment HOWTO

by Rob Duncan -

Hi Dave,

Glad I can be of some help.

Yes, your scenario above in LDAP would be reflected in Moodle; this would be true for changing the course fullname, id number, short name and summary too. Students in Moodle would see the effect the next time they log in, once the LDAP enrolment page has the 'update local' element set to yes, meaning that Moodle will update its local DB on every log in.

So removing a student from group x and then placing them in group y in LDAP would have a knock-on effect in Moodle: student no longer enrolled in course x, now has student access to course y.

If you removed all of your LDAP members from any given group, would Moodle delete the course? I don't think so, most likely you'd be left with an empty course with nobody enrolled.

Hope that clears it up somewhat.

Rob

In reply to Rob Duncan

Re: LDAP Enrollment HOWTO

by Kev Gilbert -
The initial post states it works best with ldap authentication but is it possible to use Ldap enrolment with ntlm auth instead?
In reply to Kev Gilbert

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -
Sure. NTLM is just a souped-up LDAP authentication :)

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Enrollment HOWTO

by Marcel Alemany -
Hi all!

My problem seems simple,

a) I log in with LDAP in an Active Directory successfully.
b) I autoenrol student or teacher successfully, too.
c) But don't add user in a course. only enrol student or teacher.

my configuration (simple version):

teachers:
OU: OU=EnrollmentStaff,DC=euetii,DC=upc,DC=es
GROUP: CN=11001-GM,OU=EnrollmentStaff,DC=euetii,DC=upc,DC=es
(pre-w2k: 11001-GM-t)

students:
OU: OU=EnrollmentStudents,DC=euetii,DC=upc,DC=es
GROUP: CN=11001-GM,OU=EnrollmentStaff,DC=euetii,DC=upc,DC=es
(pre-w2k: 11001-GM-s)


I change 64 characters to 255, I put map idnumber, etc.

This method, don't add user into courses?

Thanks a lot,

MCL.

In reply to Marcel Alemany

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -
Sorry for the delay in answering. Did you finally resolve this issue?

Saludos. Iñaki.
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Matthew Rigdon -
I have a weird issue and I am not sure how to solve this problem. I recently setup a new moodle site for online learning management. I use LDAP authentication and LDAP auto enrollment. I want to be able to use the LDAP User Sync and LDAP Enrol Sync. The User's Sync works great, no issues there, however when I run the LDAP Enrol Sync it creates courses for all of my groups in active directory. Does anyone know how to keep that from happening? What do I need to modify to change that.

Moodle 1.8.4+, MSSQL2005, PHP5, IIS6, Win2K3 Server

Matt
In reply to Matthew Rigdon

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -

Make sure you put the groups you use for enrolment (not your security groups) inside an OU, and then point Moodle to that OU for enrolment, instead of to the root of your Active Directory.

Saludos. Iñaki.

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Kent Villard -
Hi folks.

I'm using Moodle 1.9 and have ldap authentication already running. I'm just testing this out so I'm using OpenLDAP with the LDIF file that was originally attached. While authentication works fine, courses are not created upon login and of course students/teachers are not enrolled upon login (can't be if courses aren't created).

I have this setup:

under Role mapping:

teacher LDAP Context -> ou=TeacherEnrollment,dc=server,dc=name
teacher LDAP member attribute -> memberUid
student LDAP Context-> ou=StudentEnrollment,dc=server,dc=name
student LDAP member attribute -> memberUid
(dc=server,dc=name actually reflect my server name in the setup ;)

and in settings:
enrol_ldap_objectclass -> posixGroup
enrol_ldap_course_id -> cn
enrol_ldap_course_shortname -> cn
enrol_ldap_course_fullname -> cn

The update local data options for all of those are set to no (when I set to yes and save changes and then go back in and look they are set to 'no' again).

And of course I have "enrol_ldap_autocreate" set to 'yes'

I do not get any errors or anything, it just logs me in as the correct user but no courses are created or enrollments completed. Does anyone have any ideas or suggestions? Thanks in advance!


In reply to Kent Villard

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -

While there is a small buglet in the LDAP enrolment code that I've found trying to reproduce your problem (see MDL-15182), I suspect this is mainly due to a misconfiguration of your Moodle site.

You need to make sure you map 'cn' to 'ID Number' in the LDAP authentication plugin, if you are using OpenLDAP (or any other RFC2307 compliant LDAP server). This is different from Active Directory (which currently needs 'distinguishedName').

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Enrollment HOWTO

by Vitor Sakaguti -
Hello Iñaki,
I have the same problem as Kent (and same config too, but on 1.9.5+), and indeed I had distinguishedName instead of cn, but fixing that did not change anything.
Do you have some other idea?
Thanks!

EDIT: so you don't have to look for Kent Villard's post, here it is

Hi folks.

I'm using Moodle 1.9 and have ldap authentication already running. I'm just testing this out so I'm using OpenLDAP with the LDIF file that was originally attached. While authentication works fine, courses are not created upon login and of course students/teachers are not enrolled upon login (can't be if courses aren't created).

I have this setup:

under Role mapping:

teacher LDAP Context -> ou=TeacherEnrollment,dc=server,dc=name
teacher LDAP member attribute -> memberUid
student LDAP Context-> ou=StudentEnrollment,dc=server,dc=name
student LDAP member attribute -> memberUid
(dc=server,dc=name actually reflect my server name in the setup ;)

and in settings:
enrol_ldap_objectclass -> posixGroup
enrol_ldap_course_id -> cn
enrol_ldap_course_shortname -> cn
enrol_ldap_course_fullname -> cn

The update local data options for all of those are set to no (when I set to yes and save changes and then go back in and look they are set to 'no' again).

And of course I have "enrol_ldap_autocreate" set to 'yes'

I do not get any errors or anything, it just logs me in as the correct user but no courses are created or enrollments completed. Does anyone have any ideas or suggestions? Thanks in advance!
In reply to Vitor Sakaguti

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -
It seems I was wrong :(. You need to map 'ID number' to 'uid' if you are using OpenLDAP with posixAccount user objects and posixGroup group objects.

I was mistaken because I usually create users with 'cn' matching to 'uid', but most people don't. And groups actually point to the 'uid' value, not the 'cn' value.

Hope this helps.

Saludos,
Iñaki.
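
Added example, not part of the original thread and not Moodle's code: a Python model of the matching rule discussed above, using the HOWTO's settings from the top of the thread. It assumes Moodle enrols a user in every group directly under a role's context whose member attribute contains the user's ID number; the LDIF is constructed (it is not the attached file) and the function names are hypothetical.

```python
from collections import defaultdict

BASE = "dc=ldapserver,dc=tmcc,dc=edu"

# Constructed sample, NOT the .ldif attached to the HOWTO: two of the five users
# and the four course groups, trimmed to the attributes the matching reads.
# teachera's cn deliberately differs from the uid to show a wrong mapping.
SAMPLE_LDIF = f"""\
dn: uid=teachera,ou=People,{BASE}
objectClass: posixAccount
uid: teachera
cn: Teacher A

dn: uid=studente,ou=People,{BASE}
objectClass: posixAccount
uid: studente
cn: studente

dn: cn=Math101,ou=StudentEnrollment,{BASE}
objectClass: posixGroup
cn: Math101
memberUid: studentd
memberUid: studente

dn: cn=Eng201,ou=StudentEnrollment,{BASE}
objectClass: posixGroup
cn: Eng201
memberUid: studente
memberUid: studentf

dn: cn=Math101,ou=TeacherEnrollment,{BASE}
objectClass: posixGroup
cn: Math101
memberUid: teachera

dn: cn=Eng201,ou=TeacherEnrollment,{BASE}
objectClass: posixGroup
cn: Eng201
memberUid: teachera
memberUid: teacherb
"""

# The HOWTO's enrolment settings.
ROLE_CONTEXTS = {
    "student": f"ou=StudentEnrollment,{BASE}",  # enrol_ldap_student_contexts
    "teacher": f"ou=TeacherEnrollment,{BASE}",  # enrol_ldap_teacher_contexts
}
OBJECTCLASS = "posixGroup"   # enrol_ldap_objectclass
MEMBER_ATTR = "memberUid"    # enrol_ldap_*_memberattribute
COURSE_ID_ATTR = "cn"        # enrol_ldap_course_idnumber


def parse_ldif(text):
    """Parse simple LDIF (no folded lines, no base64 values) into attr -> values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry[attr.lower()].append(value)  # attribute names are case-insensitive
        entries.append(entry)
    return entries


def idnumber_of(entries, login, mapped_attr):
    """Value stored as the Moodle 'ID number' when it is mapped to `mapped_attr`."""
    for entry in entries:
        if login in entry["uid"]:
            return entry[mapped_attr.lower()][0]
    raise KeyError(login)


def enrolments_for(entries, idnumber):
    """Return {role: sorted course ID numbers} for a Moodle user ID number."""
    result = {}
    for role, context in ROLE_CONTEXTS.items():
        courses = []
        for entry in entries:
            # Direct children of the context only; sample DNs have no escaped commas.
            parent = entry["dn"][0].partition(",")[2]
            if parent.lower() != context.lower():
                continue
            if OBJECTCLASS.lower() not in (v.lower() for v in entry["objectclass"]):
                continue
            # Exact comparison: the group lists uid values, so the ID number must be one.
            if idnumber in entry[MEMBER_ATTR.lower()]:
                courses.extend(entry[COURSE_ID_ATTR])
        result[role] = sorted(courses)
    return result


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for mapped_attr in ("uid", "cn"):
        for login in ("teachera", "studente"):
            idnumber = idnumber_of(entries, login, mapped_attr)
            print(f"ID number <- {mapped_attr}: {login} stored as {idnumber!r}: "
                  f"{enrolments_for(entries, idnumber)}")
```

With 'ID number' mapped to cn, teachera is stored as "Teacher A" and matches no memberUid value, which gives the silent "logs in but no courses" symptom reported in the thread.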
In reply to Kent Villard

Re: LDAP Enrollment HOWTO

by Jean-Paul Bachmann -
Hi!
I have the same problem with the auto-enrollment function and the same set-up.
Moodle 1.9.5, OpenLDAP and PosixAccount. Everything seems right but I don't see any ldap request occurring for the TeacherEnrollment or StudentEnrollment context.

Have you already got a right answer to solve this problem?
Thanks
In reply to Lars Jensen

Re: LDAP Enrollment - failure to bind ldap anonymously

by Neil Spurgeon -

All manual staff and student account creation is working perfectly however with the automated account creation we have a problem.

  • we’ve checked the Users-Authentication-LDAP server and the settings are exactly the same as the old ones we have always used.
  • Even though a large portion of the users have the error messages (x7) Error: could not bind ldap anonymously which reports seven times they can click on the CONTINUE button to actually login correctly.
  • All use LDAP server authentication, and the error message wouldn’t go away even though you login again….

any ideas please ???

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO - POSIX

by antonis tzounis -
Hello,
I have installed Moodle, LDAP authentication works but there is a slight problem. I have no admin rights on LDAP server and there are no groups. All users are under "People" group and POSIX groups are used for user grouping - for instance every staff member has "gidNumber=0000"
Can I use POSIX groups to set enrollment?
Thanks in advance,
A.

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by John Rickard -
Hi Everyone,

I have just completed setting up the LDAP enrolment...

Could you tell me - should it appear in the drop down for enrolments when setting up a course?




Thanks
John
In reply to John Rickard

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -

No, it shouldn't.

Have a look at http://docs.moodle.org/en/Enrolment_plugins especially at points 4 and 5 :)

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP Enrollment HOWTO

by Henry Burroughs -
I am running Active Directory and have configured the LDAP authentication plugins to work correctly. My issue now is with LDAP Enrollments. I'm running 1.9.4 at the moment.

I am using distinguishedName as my id for all users and I have the groups set up in AD using pre-win2k names, apparently functioning. It will load students and teachers when I run the command line php enrol_ldap_sync.php. Those users show up as being enrolled in the classes appropriately. However, when those users log in, it kicks them out of being enrolled in the classes. When debug is turned on, it is kicking up ldap filter errors in moodle/enrol/ldap/enrol.php. But why is it working when the command line/cron is run but erroring on a user login? Using someone else's debug code, I can dump out this along with the error:

connection:Resource id #54
context:ou=TeacherEnrollment,ou=MoodleEnrollment,ou=Prep,dc=HHP,dc=HHPREP,dc=ORG
ldap_search:(&(objectclass=group)(member=CN=Cliffe\, Sam,OU=Classof2010,OU=Students,OU=Prep,DC=hhp,DC=hhprep,DC=org))
ldap_fields:Array
Warning: ldap_list() [function.ldap-list]: Search: Bad search filter in /var/www/hhprep/moodle/enrol/ldap/enrol.php on line 535

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /var/www/hhprep/moodle/enrol/ldap/enrol.php on line 539

connection:Resource id #54
context:ou=StudentEnrollment,ou=MoodleEnrollment,ou=Prep,dc=HHP,dc=HHPREP,dc=ORG
ldap_search:(&(objectclass=group)(member=CN=Cliffe\, Sam,OU=Classof2010,OU=Students,OU=Prep,DC=hhp,DC=hhprep,DC=org))
ldap_fields:Array
Warning: ldap_list() [function.ldap-list]: Search: Bad search filter in /var/www/hhprep/moodle/enrol/ldap/enrol.php on line 535

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /var/www/hhprep/moodle/enrol/ldap/enrol.php on line 539


Of course I have to get this working for August. Thanks for your help!
In reply to Henry Burroughs

Re: LDAP Enrollment HOWTO

by Gordon Falk -

It looks like you are having the same problem with the lastname, firstname format that I and others have had. I discussed it here... http://moodle.org/mod/forum/discuss.php?d=123418

The short answer is apply patch 0002 and 0005 from this thread... http://moodle.org/mod/forum/discuss.php?d=102718. That will correct the handling of the backslashes needed to escape the comma in the distinguishedName field for Active Directory.

Later,

Gord
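
Added example, not part of the original thread and not the patches Gordon refers to: RFC 4515 filter-value escaping in Python, showing why a distinguishedName containing `\,` gives "Bad search filter" when placed in a membership filter unescaped. The DN is constructed in the same "Lastname\, Firstname" shape as the one in the debug output, and the function names are hypothetical.

```python
import re

# RFC 4515: inside a filter value, a backslash must be followed by two hex
# digits, and these characters must be written as \XX escapes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")

# Constructed DN: the comma inside the CN is escaped with a backslash, as
# DN syntax requires. That backslash is part of the value being searched for.
SAMPLE_DN = r"CN=Doe\, Jane,OU=Students,DC=example,DC=org"


def escape_filter_value(value):
    """Escape a string for use as the value part of an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Decode \\XX escapes back to characters (ASCII escapes only)."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def bad_escapes(ldap_filter):
    """Offsets of backslashes that are not followed by two hex digits."""
    return [m.start() for m in _BAD_ESCAPE.finditer(ldap_filter)]


def membership_filter(objectclass, member_attr, idnumber, escape=True):
    """Build (&(objectclass=...)(member_attr=idnumber)), the filter shape in the debug output.

    objectclass and member_attr come from site configuration; idnumber is the
    per-user value and is the part that must be escaped.
    """
    value = escape_filter_value(idnumber) if escape else idnumber
    return f"(&(objectclass={objectclass})({member_attr}={value}))"


if __name__ == "__main__":
    raw = membership_filter("group", "member", SAMPLE_DN, escape=False)
    safe = membership_filter("group", "member", SAMPLE_DN)
    print("unescaped:", raw, "bad escapes at", bad_escapes(raw))
    print("escaped:  ", safe, "bad escapes at", bad_escapes(safe))
```

The same escaping also covers `*`, `(` and `)`, so a value containing those characters cannot change the structure of the filter.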

In reply to Gordon Falk

Re: LDAP Enrollment HOWTO

by Iñaki Arenaza -

By the way, those patches are already applied in CVS, so they are part of the WEEKLY Moodle 1.9.5 downloads :)

Saludos. Iñaki.

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Alfie Punnoose -
Hi Lars, I am pretty new to LDAP. To my understanding moodle is supposed to add a new user to LDAP server when he/she logs in the first time.
I have an openLDAP set up which I have tested with PHP code, to read and add entries. With PHP, everything works fine. I added the same information to the moodle LDAP settings but I can't log in as the user (auth=ldap). It doesn't create a user in LDAP server.
My only requirement is to have the user authenticated from LDAP server. I have tried different settings for 'Object Class' and 'User attribute'.

Please see the settings screen snapshot here

Anyone is free to help me out
Thank you.
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Paula Dom -

Lars,

I have a problem when I use LDAP Enrollment. The error is:

== Synching course 'XX' for role 'student'
Empty enrolment for role 'student' in course 'XX'

Do you know what the problem is?

Thanks!!

 

 

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Emy Samir -

After enabling the LDAP enrollment, everything is working just fine, then after a while when I change anything in the Moodle configuration nothing wants to be changed.

E.g. I tried to disable the LDAP enrollment plugins... nothing happens and the page is not even changed and there are no errors.

When I tried to change the theme nothing is changed. I'm stuck, and don't know what to do...

I'm using Moodle 2.5 with a remote MySQL database and remote shared moodle and moodledata directories, and full permissions are given on the db and the moodle dirs.

any help will be really appreciated.

Thanks in advance.

In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Matt Morrison -

LDAP Enrolment:

problem statement: I was expecting a course to be automatically created within Moodle upon the first login of a LDAP user
that belongs to the LDAP security group that is mapped to the Course ID of the desired course & for
that user to be automatically enrolled in the course during their log on to Moodle.

The result is that the LDAP user successfully logs into Moodle, but the course that coincides with their
security group membership does not get created within Moodle, hence the user has no course to join. I have
provided environment & configuration settings below, and have tried several permutations of configuration
settings after reading the following resources, but have not been successful. Please Help.

used references:
http://docs.moodle.org/22/en/LDAP_enrolment
https://moodle.org/mod/forum/discuss.php?d=31761
http://download.moodle.org/docs/en/how-to_guides/ldap_auth_and_enrolment_set-up.pdf


Environment:
Application Server: Ubuntu 12.04LTS
Windows Server: Server 2008 R2
Moodle Version: 2.6+
Moodle LDAP authentication: configured & operational

Moodle AD Structure: OU=moodleusers,dc=mydomain,dc=local
                                  OU=instructorEnrollment,OU=moodleusers,dc=mydomain,dc=local
                                  OU=studentEnrollment,OU=moodleusers,dc=mydomain,dc=local

AD Security groups: COURSENAMEASID (pre-Windows 2000 name COURSENAMEASID-i in the instructorEnrollment OU)
                                COURSENAMEASID (pre-Windows 2000 name COURSENAMEASID-s in the studentEnrollment OU)

TEST Users: jimmy.page instructor user account inside the instructorEnrollment OU;
                   eddie.vanhalen student user account inside the studentEnrollement OU.

Group Membership: jimmy.page is a member of COURSENAMEASID (pre-2000 COURSENAMEASID-i)
                                eddie.vanhalen is a member of COURSENAMEASID (pre-2000 COURSENAMEASID-s)

Moodle Category Structure: top level categories with 1 level of nested subcategories within each top level

NOTE: The category structure also includes a hidden top level category course archive into which completed courses are
transferred after the course of instruction is complete to prevent continued student access while retaining course
records that would be damaged by unenrolling students. There is also a hidden category for the Template Course.
For Testing purposes the Template Course category is NOT hidden.

 


LDAP Authentication Settings:

LDAP Server settings:
Host url: ldap://x.x.x.x
Version : 3
Use TLS : NO
LDAP encoding: utf-8
Page Size: 250

Bind Settings:
Hide Passwords: YES
Distinguished Name: cn=bind-user,ou=moodleusers,dc=mydomain,dc=local
Password: hardtoguesspassword

User Lookup settings:
User type: MS ActiveDirectory
contexts: ou=studentenrollment,ou=moodleusers,dc=mydomain,dc=local;                     ou=instructorenrollment,ou=moodleusers,dc=mydomain,dc=local
Search subcontexts: YES
Dereference aliases: NO
User attribute: samaccountname
member attribute: member
member attribute uses dn: BLANK
object class: user

Force change password:
Force change password: NO
Use standard page for changing password: NO
password format: PLAIN TEXT
password change URL: BLANK

Enable User Creation: NO
NTLM SSO:
enable: NO

Data Mapping
Firstname: givenName
Surname: Sn
Email address: userPrincipalName
ID Number: distinguishedName

 


LDAP Enrolments:

LDAP Server settings:
Host url: ldap://x.x.x.x
Use TLS : NO
Version : 3
LDAP encoding: utf-8
Page Size: 250

Bind Settings:
Bind User distinguished Name: cn=bind-user,ou=moodleusers,dc=mydomain,dc=local
Password: hardtoguesspassword

Role Mapping:
Teacher: "LDAP contexts": ou=instructorEnrollment,ou=moodleusers,dc=mydomain,dc=local "LDAP member attribute": member
Student: "LDAP contexts": ou=studentEnrollment,ou=moodleusers,dc=mydomain,dc=local "LDAP member attribute": member
Search subcontexts: YES
Member attribute uses dn: YES
Contexts: ou=moodleusers,dc=mydomain,dc=local
Search subcontexts: YES
User type: MS ActiveDirectory
Dereference Aliases: NO
ID number attribute: CN

Course enrolment settings:
Object class: (objectClass=group) <NOTE: just entering group, & save settings navigate away from page & return results in the
exact value I provided>
ID number: CN
Short name: CN
FullName: CN
Summary: BLANK
Ignore hidden courses: Box IS checked
External unenrol action: Unenrol user from course

Automatic course creation settings:
Auto create: YES
Category: Template Category
Template: Template_Category_ID <the same value is used for course full name, short name, & ID>
Update shortname: YES
update full name: YES
update summary: NO

Nested group settings:
Nested groups: NO
Member of attribute: BLANK

 

Average of ratings: Useful (1)
In reply to Lars Jensen

Re: LDAP Enrollment HOWTO

by Emma Richardson -

Is there any way to add the same group of users to a different role? For example, I have an OU of Moodle teachers but some of them are Non-editing teachers in another course. Is this possible?