Okay --
After about 2 weeks of poring through the forums here, trying various configurations of WAMP (win2k3/apache/mysql/php) and WIMP (win2k3/iis/mysql/php), I finally got Moodle up and running *with* LDAP support.
So, I'd like to save other people the trouble I went through and go over the pitfalls I faced.
This file assumes you are starting from scratch, which might be a good idea. Delete all the old stuff, and start fresh. Then....
1) Get Apache, PHP, and MySQL playing together nicely. I think using an out-of-the-box solution is an extremely easy way to accomplish this, so I used a product called WAMPServer, available at www.wampserver.com. There are several other products that will do the same thing, so you *do* have a choice. You could use IIS, but I had a horrible time getting PHP going on there, so I scrapped it.
2) Enable LDAP support in PHP by finding your PHP.ini file and uncommenting (getting rid of the ';') the line that says:
;extension=php_ldap.dll
3) Download the LDAP example files from http://adldap.sourceforge.net/ and toss them into a directory on your web server. Take a look at "examples.php" and edit the following near the top of the file:
----------------
//variables, change these
$user="SomeUsername";
$pass="ThePassword";
//some stuff to search for
$lookup_user = "SomeOtherUsername"; //a user
$lookup_group = "SomeUsergroup"; //a group
----------------
The top two things, the user and password, correspond to what is called a "bind user." To do LDAP Authentication with Active Directory (Windows 2000/2K3), you need to have a valid username/password to access it. Many admins make a bogus account to do this. I did the same. This concept of a "bind user" will present itself later on, when we configure Moodle.
The bottom two things are a User to look up and the corresponding User Group. The User can be any user in Active Directory. I chose my own account. As for UserGroup, "Users" might not work. I made two new UserGroups in our Active Directory tree -- "Students" and "Teachers." Since I'm a teacher, I put "Teachers" for the group I was searching for.
Save your changes, and then open up the adLDAP.php file. A few lines down, you will see the following:
-------------------------------------------
// You will need to edit these variables to suit your installation
var $_account_suffix="@bfsweb.busanforeignschool.org";
var $_base_dn = "DC=bfsweb,DC=busanforeignschool,DC=org";
// An array of domain controllers. Specify multiple controllers if you
// would like the class to balance the LDAP queries amongst multiple servers
var $_domain_controllers = array ("server.bfsweb.busanforeignschool.org");
--------------------------------------------------
Obviously, the Busan Foreign School stuff is specific to my site, so you'll have to supply your own information there. Account Suffix is gonna be whatever the name is at the top of your Active Directory tree -- the name of the domain, pretty much. Base DN stands for Base Domain Name, which will be your domain name again, but split at the dots: each part gets "DC=" in front of it, and the parts are joined with commas. See the example above, which is much simpler than my explanation sounds.
Lastly, change the domain controllers part to the name of your Domain Server. If your server is called Bob and your domain is called TheZoo.org, then this would be Bob.TheZoo.org. Easy stuff.
Run the examples.php script in your browser, now, and see if it works. If it does, you're good to go. If not, PHP and LDAP aren't playing nice. You'll have to fix your configuration between those programs.
4) Download Moodle.
5) Get another program, which I heard about from another thread on here, called Softerra LDAP Browser, available for free at:
http://www.softerra.com/products/ldapbrowser.php
If you can communicate with your LDAP on here, then you will be able to get it to work with Moodle for sure. Run the program, make a new profile, give it a name, and then type in the name of your LDAP server (the same computer with Active Directory on it), then hit Fetch DNs (and pick the one that looks like something you saw above, when we worked with those PHP scripts). DO NOT click the box for Anonymous Bind. Windows 2003 does not support this, which is why we used the "Bind User" in step 3.
Hit Next.
For User DN, we're gonna put the name of a user (maybe a fake one you created for LDAP purposes). First, let's define some stuff. DN means "distinguished name," which is in the following format:
CN=John Doe,OU=Students,DC=bfsweb,DC=busanforeignschool,DC=org
CN stands for Canonical Name, which is gonna be the name that your users appear with in Active Directory.
This IS *NOT* the name they log in to the domain with.
I didn't realize that, and I banged my head against a wall for weeks trying to figure all this out.
OU is Organizational Unit, which is something your Active Directory will have plenty of. As I said before, at my school I used "Students" and "Teachers." You may have something different. This must match the OU that the user you listed in CN actually lives in.
We already covered the DC junk...same as before.
Pop all that in, and enter the password of said user.
Hit next.
Hit finish.
If it works, you can see your AD tree pop up, and you can see all kinds of information. If it's not working, make sure your CN, OU, DCs, and Server Name are correct. Mess around with these until you get it right.
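Here is an added Python helper (my own example, not code from this post, from adLDAP or from Moodle) that does the DN bookkeeping from steps 3 and 5 mechanically: it turns a domain name into the DC=... base DN and the account suffix, composes a CN=...,OU=...,DC=... user DN like the one above, and builds the ";"-separated string that Moodle's ldap_contexts box takes later on. It escapes the characters RFC 4514 reserves inside DN values (comma, plus, double quote, backslash, angle brackets, semicolon, a leading "#", and leading or trailing spaces), so a display name like "Doe, John" can't split the DN into an extra component. The domain, OUs and names are constructed samples modelled on the ones in the post.

```python
"""Build Active Directory DNs and a Moodle ldap_contexts string from a domain name.

Added example; not part of the original post, adLDAP or Moodle.
All domain, OU and user names are constructed sample values.
"""

# RFC 4514: these characters get a backslash in front of them inside a DN value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN safely."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # a leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing spaces are dropped otherwise
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def domain_to_base_dn(domain: str) -> str:
    """'bfsweb.busanforeignschool.org' -> 'DC=bfsweb,DC=busanforeignschool,DC=org'."""
    labels = [lab for lab in domain.strip('.').split('.') if lab]
    if not labels:
        raise ValueError("empty domain name")
    return ','.join('DC=' + escape_dn_value(lab) for lab in labels)


def account_suffix(domain: str) -> str:
    """The @domain suffix adLDAP appends to bare usernames."""
    return '@' + domain.strip('.')


def user_dn(common_name: str, ou_path, domain: str) -> str:
    """Compose CN=...,OU=...,DC=...; ou_path lists OUs innermost first."""
    parts = ['CN=' + escape_dn_value(common_name)]
    parts += ['OU=' + escape_dn_value(ou) for ou in ou_path]
    parts.append(domain_to_base_dn(domain))
    return ','.join(parts)


def moodle_contexts(ous, domain: str) -> str:
    """Moodle's ldap_contexts box takes several DNs separated by ';'."""
    base = domain_to_base_dn(domain)
    return '; '.join('OU=%s,%s' % (escape_dn_value(ou), base) for ou in ous)


if __name__ == '__main__':
    # Constructed sample values modelled on the post.
    dom = 'bfsweb.busanforeignschool.org'
    print(domain_to_base_dn(dom))
    print(account_suffix(dom))
    print(user_dn('John Doe', ['Students'], dom))
    print(user_dn('Doe, John', ['Students'], dom))   # comma is escaped
    print(moodle_contexts(['Teachers', 'Students'], dom))
```

Whatever DN you end up pasting into ldap_bind_dn, the bind account only needs read access to the contexts Moodle searches; a plain domain user is enough, and it should not be an administrator.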
6) Finally, go into Moodle. Log in as an admin, and get into your authentication settings. Change it to use LDAP, as opposed to whatever the default is.
Now, the fun part.
As for the settings, only about the top 1/4 of them will apply for us at this juncture. Here's what you should put:
LDAP server settings
ldap_host_url: ldap://(your server name)
ldap_version: 3
Bind settings
ldap_preventpassindb: Whatever you want
ldap_bind_dn: (Distinguished Name [DN] of the Bind User from Step #5)
ldap_bind_pw: (the password)
User lookup settings
ldap_user_type: MS Active Directory
ldap_contexts: Where are your users gonna be coming from? What OUs? Remember, I said that at my school I have 2 OUs: "Students" and "Teachers." So, in this box, I put:
ou=Teachers, dc=bfsweb, dc=busanforeignschool, dc=org; ou=Students, dc=bfsweb, dc=busanforeignschool, dc=org
Change this to suit your configuration.
ldap_search_sub: Yes (must be changed!)
ldap_opt_deref: No
ldap_user_attribute: We talked about the difference between Canonical Names and Login Names before, right? At my school, let's say there's a student named Jane Doe. When she logs into the domain, her Login Name is CrazyMonkey33.
If you put "cn" in the box, or leave it blank, the user will have to type in "Jane Doe" and her password in order to access Moodle.
If you put "SAMAccountName" in the box, the user will have to type in "CrazyMonkey33" and her password in order to access Moodle.
If you play around with the LDAP Browser program we worked with in Step 5, you can find lots more fun LDAP variables: ones for givenName, familyName, etc. These will come in handy later on, when you want to automatically fill some of the information fields when the user signs on for the first time. (See the bottom of the Authentication page.)
ldap_memberattribute: (blank)
ldap_objectclass: (blank)
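To make the cn versus SAMAccountName choice concrete, here is an added Python example (mine, not Moodle's auth/ldap code) that builds the search filter a lookup would send for whatever is in the ldap_user_attribute box, falling back to cn when the box is blank as described above, and optionally ANDing in the ldap_objectclass value. Whatever the user types at the login prompt goes through RFC 4515 escaping, so a login containing "*", "(" or ")" is matched literally instead of being read as a wildcard or extra filter syntax. The Jane Doe / CrazyMonkey33 entry is a constructed sample.

```python
"""Build an LDAP user-lookup filter the way the ldap_user_attribute setting implies.

Added example; not part of the original post or of Moodle's LDAP plugin.
The sample directory entry is constructed to match the post's Jane Doe story.
"""

# RFC 4515: these characters must be written as \XX (two hex digits) in a filter value.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(user_attribute: str, login: str, objectclass: str = '') -> str:
    """Return the filter that finds one account by the configured attribute.

    user_attribute is the ldap_user_attribute box; blank falls back to 'cn'.
    objectclass mirrors the ldap_objectclass box and is omitted when blank.
    """
    attr = user_attribute.strip() or 'cn'
    # The attribute name comes from the admin, not the user, but keep it sane anyway.
    if not attr.replace('-', '').isalnum():
        raise ValueError("attribute name must be alphanumeric: %r" % attr)
    clause = '(%s=%s)' % (attr, escape_filter_value(login))
    if objectclass.strip():
        return '(&(objectClass=%s)%s)' % (escape_filter_value(objectclass.strip()), clause)
    return clause


def login_name_for(user_attribute: str, directory_entry: dict) -> str:
    """Which value the user has to type, given the attribute Moodle matches on."""
    attr = user_attribute.strip() or 'cn'
    for key, value in directory_entry.items():
        if key.lower() == attr.lower():      # LDAP attribute names are case-insensitive
            return value
    raise KeyError(attr)


# Constructed sample entry for the post's "Jane Doe" / "CrazyMonkey33" case.
JANE = {
    'cn': 'Jane Doe',
    'sAMAccountName': 'CrazyMonkey33',
    'givenName': 'Jane',
    'sn': 'Doe',
}


if __name__ == '__main__':
    for box in ('', 'SAMAccountName'):
        typed = login_name_for(box, JANE)
        print('ldap_user_attribute=%r -> user types %r -> %s'
              % (box, typed, user_search_filter(box, typed, 'user')))
    # A login with filter metacharacters is neutralised, not interpreted.
    print(user_search_filter('sAMAccountName', 'Doe (Jane)*'))
```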
Go ahead, save the settings, and try testing a login. It should actually work!
Like I said, it took me about 2 weeks to figure this whole thing out (I was an LDAP virgin), but the sense of accomplishment I felt when actually getting this bad boy to work was something else.
Good luck with your own installations, and thanks for keeping these forums so active. They've been a big help thus far.
Cheers,
-Lou
currently in Busan, South Korea