LDAP Sync Error when changing AD OU

by Mark Rice -
Number of replies: 13

When I set up my server I had my Moodle server just synchronizing my teachers, so when I set up the context for the user search for my AD I had it checking OU=Staff,DC=xx,DC=xx,DC=oh,DC=xx. According to the setup instructions on the website for ldap_syncplus I should be able to add additional OUs by inserting a ";" between contexts. This would not work. My next thought was to just add all of the groups I want to sync into a moodleusers OU I made in my AD. When I put that in place and run the sync I get the following output:


Creating temporary table tmp_extuser

Did not get any users from LDAP -- error? -- exiting

Potential coding error - existing temptables found when disposing database. Must be dropped!

I am not sure what I need to do at this point, as I can't get any of the student groups into my server. I couldn't find the temp table in the database to drop. I have read a lot of posts about this error but have not seen any fix or workaround. Any help is appreciated.

Moodle 2.8.1 + build 20150903


Thanks,

Mark

In reply to Mark Rice

Re: LDAP Sync Error when changing AD OU

by Mark Rice -

Sorry, that is Moodle 2.9.1+ build 20150903.

In reply to Mark Rice

Re: LDAP Sync Error when changing AD OU

by Emma Richardson -
What I do is just go further up in the chain, but then both my teachers and students are in the People OU. I then limit to a specific security group under Object class.
Try turning debugging on before you run the sync.  It might give you a better idea of where the problem is.
In reply to Emma Richardson

Re: LDAP Sync Error when changing AD OU

by Mark Rice -

I was wanting to do that, and so I put my teachers and the grade levels of students I wanted to enroll into an OU called "moodleusers", then changed my contexts from ou=staff,dc=xxxx,dc=xxxx,dc=xx,dc=xx to ou=moodleusers,dc=xxxx,dc=xxxx,dc=xx,dc=xx. When I do that, I get the output:



Creating temporary table tmp_extuser

PHP Warning:  ldap_search(): Search: No such object in /var/www/html/moodle/auth /ldap_syncplus/auth.php on line 102c
Did not get any users from LDAP -- error? -- exiting

Potential coding error - existing temptables found when disposing database. Must be dropped!


Not sure what to do at that point. I enabled debugging but saw no errors there on the LDAP sync except for the above.


Thanks for sparing your time with this.



In reply to Mark Rice

Re: LDAP Sync Error when changing AD OU

by Emma Richardson -

What is the ldap_syncplus module it is referring to?  Is that a plugin?  Normally it is just ldap...

Are you running the sync from cli?

Is the moodleusers OU at the same level in your domain as your staff one? Are you sure the path is correct?

Does your bind user have the necessary permissions? Did you move your bind user when you moved the users? If so, you need to update the location of your bind user...



In reply to Emma Richardson

Re: LDAP Sync Error when changing AD OU

by Mark Rice -

LDAP_SyncPlus is a plugin like ldap_sync; it just has the feature of specifying how long to keep accounts before they should expire. All the settings are the same as for ldap sync. The bind user has domain privileges and has not been moved. OU=Moodleusers is at the same level and in the same domain as OU=staff. I am running the sync from the cli folder as well.


Not sure what I should do at this point. Maybe delete all of the users and redo the whole thing from the ground up? If so, how do I drop that info from the MySQL database? That seems to be where the issue is.


Thanks,

In reply to Mark Rice

Re: LDAP Sync Error when changing AD OU

by Emma Richardson -

Try turning on full developer debugging and then run the sync again.  I just ran into an issue like this and it turned out it was actually a course format of all things that was causing the issue (yes, it made no sense to me either!). 

See if it shows up another error.  What does the line in the code point to? 

In reply to Mark Rice

Re: LDAP Sync Error when changing AD OU

by Sam Stevens -

Almost seems too simple but you do have "Search subcontexts" set to yes?

If you have made a new OU with OUs in it that you want to sync, and this is set to no, it won't pick up any of the users.

In reply to Sam Stevens

Re: LDAP Sync Error when changing AD OU

by Mark Rice -

I checked it and it is set to yes. Thanks for looking.



In reply to Mark Rice

Re: LDAP Sync Error when changing AD OU

by Ken Task -

Pardon this intrusion, but I am having a similar issue with a school and have come to the following conclusion (I use the command line sync from a Linux server):

The command line sync reads the LDAP server and config for OUs from the DB but doesn't really check for validity of the Person/Internet Schema (which is what you are after with Moodle). The CLI script just hits the OU(s) and asks for ALL objects, and within context IF you have the box checked.

So, IF the OUs are not really pointed to, say, staff and student in such a fashion that the objects seen are the Person/Internet Schema objects, one gets tons of junk. No names, no email addresses, etc. ... and maybe tens of thousands of records when the student/teacher population is under 9000.

You really need an additional tool to browse the LDAP tree/forest, whatever the heck M$ folks call it.

With that tool and making queries of OU=student,DC=xxx,DC=xx,DC=xx does one see the objects you've mapped in Moodle (might not have those mappings locked to start with, BTW).

So, basically, I'd really check the configuration of LDAP ...

Here's an example (changed some things to obscure the entity site). This is an example, and like web sites, there isn't really ONE way to do things. This one, however, works like a champ for the single Moodle instance the ISD has for all their Elementary Schools (4).

OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net

Has Child Objects (4 - one for each elementary school)
One of them is:
OU=102_Cline,OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net

Taking just the one for Cline above:

OU=102_Staff,OU=102_Cline,OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
OU=102_Students,OU=102_Cline,OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
OU=102_Teachers,OU=102_Cline,OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net

So if I point Moodle to:

OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
I'll get back ALL Elem campuses and their respective child objects
for Staff, Students, Teachers.

And in each of those one will see:
sAMAccountName, sn, st, name, mail, givenname
etc. ... i.e., those fields you've mapped in the mdl_user table.

And a 'discalmer' ... nope, spelled it right ... I'm NOT an LDAP admin person but have to collaborate with the person who is to get Moodles to find what it needs and NOT a bunch of junk.

Hoping this helps!

'spirit of sharing', Ken
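To make Ken's point (and Sam's question about "Search subcontexts") concrete, here is an added example; it is not Moodle's or the ldap_syncplus plugin's code. It splits the user-search context field on ";" the way Moodle accepts several base DNs, decides whether a user's DN would be returned from a given base with a one-level or subtree search, and flags a base DN whose leading RDN is CN= (a group or container rather than an OU). The DNs are constructed from the layout Ken described; the account names are placeholders.

```python
"""Added example (not Moodle's or ldap_syncplus's own code).

Models two settings from this thread: the user-search context(s)
entered in Moodle (several may be separated by ';') and the
"Search subcontexts" switch (one-level versus subtree search).
All DNs below are constructed from the layout Ken described.
"""
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) pairs, most specific RDN first.

    Attribute types and values are lower-cased to reproduce AD's
    case-insensitive matching; a backslash-escaped comma inside a value
    is kept as part of that value.
    """
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def split_contexts(setting: str) -> List[str]:
    """Moodle accepts several base DNs in one field, separated by ';'."""
    return [c.strip() for c in setting.split(";") if c.strip()]


def classify_context(base_dn: str) -> str:
    """What kind of object a search base points at, judged by its leading RDN.

    A CN= base is a group or container: group members are not subordinate
    entries of the group, so a user search under it finds no users (the
    mistake resolved at the end of this thread).
    """
    attr = parse_dn(base_dn)[0][0]
    if attr == "ou":
        return "organizational-unit"
    if attr == "cn":
        return "group-or-container"
    if attr == "dc":
        return "domain-root"
    return "unknown"


def in_scope(entry_dn: str, base_dn: str, search_subcontexts: bool) -> bool:
    """Would a search from base_dn return entry_dn?

    "Search subcontexts" = no returns only entries directly inside the
    base (one-level search); yes returns entries at any depth (subtree).
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return search_subcontexts or len(entry) == len(base) + 1


def users_found(contexts_setting: str, search_subcontexts: bool,
                user_dns: List[str]) -> List[str]:
    """Which of the given user DNs the sync would see across all contexts."""
    bases = split_contexts(contexts_setting)
    return [dn for dn in user_dns
            if any(in_scope(dn, b, search_subcontexts) for b in bases)]


# Constructed directory layout following Ken's example; names are placeholders.
ELEM = "OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net"
CLINE = "OU=102_Cline," + ELEM
SAMPLE_USERS = [
    "CN=teacher01,OU=102_Teachers," + CLINE,
    "CN=student01,OU=102_Students," + CLINE,
    "CN=principal01," + CLINE,
]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"search subcontexts={flag}:", users_found(ELEM, flag, SAMPLE_USERS))
    print(classify_context("CN=moodleusers,DC=someisd,DC=net"))
```

Pointing at the _Elementary_Schools OU with subcontexts off returns nobody, because every user sits two or three levels down; with it on, all three are found. Pointing at a CN= base, as Mark was doing, is flagged before any search is run.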

In reply to Ken Task

Re: LDAP Sync Error when changing AD OU

by Mark Rice -

I checked all that you wrote and verified in my ldap that I can query the correct users within my moodleusers OU.  I guess the bottom line is that I am unable to change the OU from OU=staff to OU=Moodleusers  or anything for that matter without generating the condition in my original post about the potential coding error and dropping the table.  So my issue may be more of a coding issue in MySQL or elsewhere.


I appreciate your post / time and learned some things about ldap and my current directory.



In reply to Mark Rice

Re: LDAP Sync Error when changing AD OU

by Mark Rice -

I figured out that I was trying to use a user group, not an organizational unit, once I corrected that, I was able to pull the correct information out of the ldap.  I appreciate everyone that worked on this with me.


Many Thanks,


In reply to Mark Rice

Re: LDAP Sync Error when changing AD OU

by Emma Richardson -

If you want to limit to a group (once you have your OU setup correctly) you add something similar to this in the Object class field:

(|(&(objectClass=user)(!(objectClass=computer))(memberOf=cn=YOURGROUPNAME,ou=staff,dc=yourdomain,dc=com)))

Works great!

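To show what the Object class filter Emma posted actually admits, here is an added example; it is not Moodle's or the ldap_syncplus plugin's code. It parses the RFC 4515 filter syntax (&, |, !, equality and presence) and evaluates the filter against three constructed directory entries: a user in the group, a user outside it, and a computer object in the group. The group and domain names are placeholders. The normalise_objectclass() helper reflects my understanding of how auth_ldap treats the Object class field (a bare class name becomes (objectClass=name), a value starting with "(" is used verbatim, an empty value matches everything); treat that as an assumption.

```python
"""Added example (not Moodle's or ldap_syncplus's own code).

A small RFC 4515 filter parser and evaluator, applied to the Object
class filter Emma posted.  The directory entries are constructed;
group and domain names are placeholders.
"""
from typing import Dict, List, Tuple

Node = tuple  # ("and", [..]) | ("or", [..]) | ("not", node) | ("eq", attr, value)


def normalise_objectclass(setting: str) -> str:
    """Assumed behaviour of Moodle's Object class field (see lead-in)."""
    setting = setting.strip()
    if not setting:
        return "(objectClass=*)"
    if setting.startswith("("):
        return setting
    return f"(objectClass={setting})"


def parse_filter(text: str) -> Node:
    """Parse &, |, ! and attr=value items into a small AST."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected trailing text at offset {pos}")
    return node


def _parse(s: str, i: int) -> Tuple[Node, int]:
    try:
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if s[i] in "&|":
            op = "and" if s[i] == "&" else "or"
            i += 1
            items = []
            while s[i] == "(":
                node, i = _parse(s, i)
                items.append(node)
            if s[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, items), i + 1
        if s[i] == "!":
            node, i = _parse(s, i + 1)
            if s[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return ("not", node), i + 1
        # Simple item: attr=value up to the closing parenthesis.  A ')' that
        # belongs to a value must already be escaped as \29 per RFC 4515.
        j = s.index(")", i)
        attr, sep, value = s[i:j].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed item {s[i:j]!r}")
        return ("eq", attr.strip().lower(), value.strip()), j + 1
    except IndexError:
        raise ValueError("unbalanced filter: ran off the end") from None


def is_valid_filter(text: str) -> bool:
    """True when the filter parses; useful before pasting it into Moodle."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(node: Node, entry: Dict[str, List[str]]) -> bool:
    """Evaluate the AST against one entry.  Attribute names are lower-cased;
    values are compared case-insensitively, as AD does for these attributes."""
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


# Constructed entries.  In AD a computer object also carries objectClass
# "user", which is why the filter has to exclude "computer" explicitly.
GROUP_DN = "CN=moodleusers,OU=staff,DC=example,DC=org"
PERSON = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = {
    "jdoe": {"objectclass": PERSON, "memberof": [GROUP_DN]},
    "asmith": {"objectclass": PERSON, "memberof": []},
    "lab-pc01": {"objectclass": PERSON + ["computer"], "memberof": [GROUP_DN]},
}

# Emma's filter with the placeholders replaced by the constructed names.
EMMA_FILTER = ("(|(&(objectClass=user)(!(objectClass=computer))"
               "(memberOf=" + GROUP_DN + ")))")


def synced_accounts(objectclass_setting: str,
                    entries: Dict[str, Dict[str, List[str]]] = SAMPLE_ENTRIES) -> List[str]:
    """Account names the sync would pull for a given Object class setting."""
    ast = parse_filter(normalise_objectclass(objectclass_setting))
    return sorted(name for name, attrs in entries.items() if matches(ast, attrs))


if __name__ == "__main__":
    print("Object class = user:  ", synced_accounts("user"))
    print("Emma's group filter:  ", synced_accounts(EMMA_FILTER))
```

With a bare "user" the sync would also pick up the computer account and the user who is not in the group; Emma's filter narrows it to members of the group that are not computers. The outer "(|...)" with a single branch is harmless but unnecessary.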