LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -
Number of replies: 26

Hi guys,

This is a brand new installation on CentOS 7.  Binding LDAP to a MS-AD server.  After a few hours of trying to figure it out I finally have the users imported from LDAP.  The scheduled task seems to run fine.  If I disable the task and run "php /var/www/html/auth/ldap/cli/sync_users.php" I get the following result.

[AUTH LDAP] The users sync cron has been deprecated. Please use the scheduled task instead.

Connecting to LDAP server...

Creating temporary table tmp_extuser

.......................................................................................................................................................................................Got 183 records from LDAP

No user entries to be removed

No user entries to be revived

No updates to be done


However, when I go to the home page and try to log in with my account (verified that the username imported is what I'm using) I'm met with the following:

LDAP-module cannot connect to any servers:  Connection: 'Resource id #79', Bind result: ''


According to this page that means that my bind account is wrong.  But it's obviously not since it's working for the sync portion.


This issue has me really confused so any light you guys can shine would be awesome!

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Ken Task -

LDAP auth has always been ... shall we say 'ticky'? :\

You must be running version 3 of Moodle ...

This line:

[AUTH LDAP] The users sync cron has been deprecated. Please use the scheduled task instead.

Go to moodlecode/admin/tool/task/cli/ and execute:

php schedule_task.php

That will bring up help

php schedule_task.php --list

should show all the scheduled task.

There should be one in there for LDAP sync.

Haven't moved to 3 yet to know for sure ... ldap task is missing in 2.9.5

'spirit of sharing', Ken

In reply to Ken Task

Re: LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -

Hi Ken,

Yeah, it's the newer version of Moodle. I know that the cli command was deprecated.  It actually refuses to run if you have the scheduled task enabled, which I thought was nice.  The only reason I was using that method was to test my settings manually instead of waiting for the scheduled task (I couldn't find a documented way to manually kick off a scheduled task.)


Before I posted, however, I did let the scheduled task run (it was successful) and tested login again.  Unfortunately it didn't change the result.

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Ken Task -

Well, I found a sandbox 3.highest that was using LDAP.

Ran the old sync ... worked.

and tried out the task script.   It did work from command line. 

But, am not in that Network's LDAP so don't know if the logins actually work - they've never given me a test account in LDAP.

There's an edit icon in the screen for Schedules and think you can enable/disable set time to run, etc..

The task I did not enable/disable ... it was disabled by default.   Disable it and run from command line again ... 

Got anything else on the server to browse the LDAP tree?   I use an LDAP browser tool in Webmin.  If I can browse the tree, I can make sure am pointed to the right OU's etc. for student/teacher accounts and am not picking up junk machine accounts, etc..

'spirit of sharing', Ken

In reply to Ken Task

Re: LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -

Hi Ken,

I also tested the schedule_task.php --execute and that worked.  (Deleted my account and added it using that tool.)


I've been using ldp.exe, and as far as I can tell my settings are correct.  Syncing works well.  It's just on the actual login screen that I get the error.

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Ken Task -

Am having issues responding to this with some info ... getting CloudFlare blocking ...

CloudFlare Ray ID: 292ab5d7e3771fdc

When I run either script, I see notifications about working with a temp table first, and then, when it begins syncing, a listing of user accounts that are either deleted, modified, etc.

Clips of screens I see via command line ...

Connecting to LDAP server...
Creating temporary table tmp_extuser
..................
Then I see a:

PHP Warning:  ldap_search(): Search: No such object in /var/www/html/sandbox/auth/ldap/auth.php on line 733

How about you?

Then it begins ...

.... Got 841 records from LDAP

No user entries to be removed
No user entries to be revived

Then ....

User entries to be updated: 1053
    Updating user - id 5
    Updating user - id 6
    Updating user - id 7

Occasional skipped lines for a user

At the very end ...

No user entries to be added... used 6275 dbqueries
... used 19.715590953827 seconds
Scheduled task complete: LDAP users sync job (auth_ldap\task\sync_task)

Are you getting activity like that?

Think your posting shows no activity between the 'informational' displays to screen.

Guess I need to track down the error am getting.

'spirit of sharing', Ken

In reply to Ken Task

Re: LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -

Here's my output.  No errors.


[root@training cli]# php schedule_task.php --execute=\\auth_ldap\\task\\sync_task

Execute scheduled task: LDAP users sync job (auth_ldap\task\sync_task)

Connecting to LDAP server...

Creating temporary table tmp_extuser

.......................................................................................................................................................................................Got 183 records from LDAP

No user entries to be removed

No user entries to be revived

No updates to be done

No user entries to be added... used 192 dbqueries

... used 0.17960286140442 seconds

Scheduled task complete: LDAP users sync job (auth_ldap\task\sync_task)

[root@training cli]# 


Edit:


I'm also dropping my current configuration here, in case you didn't see it in my reply to emma.

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Emma Richardson -

So, are the users actually in Moodle?  Start by checking your user accounts and see if they did actually import.

Does your bind user have the correct permissions?  Perhaps it can read but cannot write, and if you have your settings where it needs to update information from Moodle to LDAP it will need the write permission.

Once you get it working, you can add a task to automatically sync your users but until the task is added,  you can still run from CLI.  However, as I mentioned before, this is not necessary to log in.  When it is set up correctly, it will just query ldap for the user and then create the moodle account.

You might try using the ldap.exe to verify settings and then re-enter in Moodle.  There is a link from the LDAP docs to the utility.

Shouldn't make any difference, but on my setup, I have Dereference aliases set to No.

In reply to Emma Richardson

Re: LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -

Hi Emma, thank you for the reply.

Yes the users do successfully import into moodle.  They even repopulate with the scheduled task if I delete them.

I've attached my settings to this post.  There isn't anything set that would try to update the LDAP server.  However,  I made the user account a domain admin temporarily to troubleshoot permissions (no luck) just to be sure.


The problem I'm having is specifically on the login page, when I attempt to login as one of the users from the import.


In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Leon Stringer -

If this isn't a production site try enabling the debug options (Debug messages: Developer, Display debug messages: Yes) and trying the login as the messages may give a clue as to what's going on.

Also, could you try running the sync script as the Apache user (sudo -u apache php schedule_task.php --execute=\\auth_ldap\\task\\sync_task) and seeing if that works? It's possible that either user has some specific LDAP setting affecting the behaviour. (If you're not using Apache, you'll need to determine what user account is in use for this).

In reply to Leon Stringer

Re: LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -

Can you help me make sense of the debug stack trace?

LDAP-module cannot connect to any servers: Server: 'ldap://rvaadc01.<redacted>.net', Connection: 'Resource id #93', Bind result: ''


More information about this error


Debug info: 

Error code: auth_ldap_noconnect_all

Stack trace:

line 488 of /lib/setuplib.php: moodle_exception thrown

line 2161 of /auth/ldap/auth.php: call to print_error()

line 215 of /auth/ldap/auth.php: call to auth_plugin_ldap->ldap_connect()

line 4180 of /lib/moodlelib.php: call to auth_plugin_ldap->user_login()

line 154 of /login/index.php: call to authenticate_user_login()


I was hoping you were on to something with the apache permissions, but it looks like apache can run it fine.


[root@training html]# sudo -u apache php /var/www/html/admin/tool/task/cli/schedule_task.php --execute=\\auth_ldap\\task\\sync_task

Execute scheduled task: LDAP users sync job (auth_ldap\task\sync_task)

Connecting to LDAP server...

Creating temporary table tmp_extuser

.......................................................................................................................................................................................Got 183 records from LDAP

No user entries to be removed

No user entries to be revived

No updates to be done

User entries to be added: 1

        Inserted user jmayes id 188

... used 206 dbqueries

... used 0.20555400848389 seconds

Scheduled task complete: LDAP users sync job (auth_ldap\task\sync_task)

[root@training html]#



In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Emma Richardson -

Bind result error normally means your bind user login is incorrect or does not have the necessary permissions.

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Ken Task -

Emma is correct .. the Bind user credentials are suspect.   That's what the error was.  However, it did acquire what appears to be your account ... jmayes

Use a mysql query to see account info for all accounts.

Execute this from moodlecode/auth/ldap/cli/

mysql -u [dbuser] -p[password] -e "use [moodledb];select id,auth,username,firstname,lastname,email,password from mdl_user where auth='ldap'"> ldapaccounts.txt;cat ldapaccounts.txt

replace the []'s above

That will create a ldapaccounts.txt file in directory where it's executed.   Could be a large .txt file and the script could take a long time .... if you think it's taking too long, [ctrl][c] cancel and then:

ls ldapaccounts.txt

to see if there are any bytes

nano ldapaccounts.txt will bring it up in an editor.

Can then see if the script to sync is pulling passwords as well.  Me thinks it shouldn't.   Passwords in Moodle are different than in LDAP.   For users that authenticate via LDAP the password field should say:

not cached

Not an LDAP admin person but maybe M$ LDAP is positioning itself to be used or more compatible with things like syncing with Google domains - or Facebook - or whatever biggy is out here.

Have seen this in one ISD and there is a another forum posting in here somewhere that suggest what I said above is true.

Change the Bind user from a CN reference to an email address ... binduser@rvaadc01.<redacted>.net

or binduser@real-internet-domain.net

The 'binduser' above I could not tell you which user but it's an account that has the ability to make queries on the entire tree.

Always an adventure. :\

'spirit of sharing', Ken

In reply to Ken Task

Re: LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -

Solved.


The issue was SELinux was blocking the process.  (First I've ever heard of SELinux to be honest)


Checking /var/log/messages showed "Apr 13 12:09:14 localhost python: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 389.#012#012*****"

To check if SELinux is running on your server run "getenforce".  If it returns "Enforcing" that means SELinux is running.

Now we want to check your SELinux settings. Run the following command:  "getsebool -a".  This is a list of all the switches in SELinux.  To narrow it down run "getsebool -a |grep ldap" which should return the following output:

authlogin_nsswitch_use_ldap --> off

dhcpd_use_ldap --> off

httpd_can_connect_ldap --> off


Now, to turn that setting on simply run "setsebool -P httpd_can_connect_ldap on".  The -P is important: this means we want this setting to persist after the system reboots.


Run "getsebool -a |grep ldap" again and you should see that httpd_can_connect_ldap is set to on.


Edit:  Sorry I forgot to thank you.  How rude of me.  

Thank you, Ken, for taking the time and putting so much effort into helping me with my issue.  I can definitely tell that the "Particularly helpful moodler" badge was well earned.
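A small offline check, added here and not part of the thread or of Moodle, for the SELinux condition described in this post: it parses saved `getsebool -a` output and a /var/log/messages excerpt (both constructed samples below, modelled on what the post quotes) and says whether httpd is allowed to reach LDAP. The function names are my own.

```sh
#!/bin/sh
# Added example: offline diagnosis of the SELinux block found in this thread.
# It reads the two artefacts the post looked at, `getsebool -a` output and
# /var/log/messages, so it also works on copies saved from another host.

# Constructed sample of `getsebool -a | grep ldap` output (same as the post).
SAMPLE_BOOLS='authlogin_nsswitch_use_ldap --> off
dhcpd_use_ldap --> off
httpd_can_connect_ldap --> off'

# Constructed sample of /var/log/messages: the denial line quoted in the post
# (shortened) between two unrelated lines.
SAMPLE_LOG='Apr 13 12:09:10 localhost systemd: Started Session 5 of user root.
Apr 13 12:09:14 localhost python: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 389.#012#012*****
Apr 13 12:09:20 localhost kernel: eth0: link up'

# bool_state NAME  (getsebool output on stdin) -> prints "on", "off" or "missing".
bool_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# httpd_denied_ports  (syslog text on stdin) -> one line per TCP port that
# SELinux denied httpd a name_connect to.  389 is LDAP, 636 is LDAPS.
httpd_denied_ports() {
    awk '/SELinux is preventing .*httpd from name_connect/ {
            for (i = 1; i < NF; i++)
                if ($i == "port" && match($(i + 1), /^[0-9]+/))
                    print substr($(i + 1), 1, RLENGTH)
        }'
}

# ldap_selinux_verdict BOOLS LOG -> prints one line:
#   allowed     httpd_can_connect_ldap is already on; the block is elsewhere
#   blocked     an LDAP-port denial was logged and the boolean is off
#   no-denial   boolean off but nothing logged yet (attempt a login first)
ldap_selinux_verdict() {
    state=$(printf '%s\n' "$1" | bool_state httpd_can_connect_ldap)
    denials=$(printf '%s\n' "$2" | httpd_denied_ports | grep -c -E '^(389|636)$' || true)
    if [ "$state" = "on" ]; then
        echo "allowed"
    elif [ "$denials" -gt 0 ]; then
        echo "blocked: run 'setsebool -P httpd_can_connect_ldap on'"
    else
        echo "no-denial"
    fi
}

# Stand-alone demo on the constructed samples.  On a real CentOS 7 host pass
# live data instead:  ldap_selinux_verdict "$(getsebool -a)" "$(cat /var/log/messages)"
ldap_selinux_verdict "$SAMPLE_BOOLS" "$SAMPLE_LOG"
```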

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Ken Task -

Forgot about SELinux! :\

But glad you finally found the issue and have it resolved.

More than welcome!  "We" are all in this together and 'we' *ALL* need help from time to time ... I include myself in that!   Life long learning = technology, today.

'spirit of sharing', Ken

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Emma Richardson -

Oh, you don't happen to have Force Password change checked in AD do you?  That seems to stall out the logins.

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Emma Richardson -

Try switching your bind name to the DN=Moodle Sync (or whatever the DN is), OU=bindusersOU, DC=yourdomain, DC=net

In my installation, I have left member attribute and uses dn clear.  Unless there is some specific reason for those settings in your environment, try clearing them out.

Password format for MSAD is normally plain text but again dependent on your environment and shouldn't matter because you are not allowing changes. 



In reply to Emma Richardson

Re: LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -

Hi Emma,


Changing the bind name to CN=Moodle Sync Engine,OU=AD Synchronization,OU=Service,OU=Users,OU=<redacted>,DC=<redacted>,DC=net gives the same result.

I tried clearing the Member attribute and Member uses dn setting.  Same result.


The reason I have Member attribute and Member uses dn set is because I would like for users in a group called "Moodle contributors" to be added to the appropriate role to be able to create and edit courses.  Obviously that's not doing anything right now so it's fine for me to clear the configuration for now.


Regarding your earlier reply that the error message means it doesn't have permissions: unless I'm missing something, the fact that it syncs without error means that I have given the bind user the correct permissions.  Am I wrong about this?

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Emma Richardson -

Honestly, I am not exactly sure if the sync is running through some different processes than the log in.  But the bind error definitely seems to be telling you that there is an issue with the bind user.  Reading the database and actually allowing the login might involve different permissions I guess.  

Does your bind user have full permissions on the AD containing your users?  Try adding that user to the following groups:  Domain Admins, Schema Admin, Enterprise Admin.  See if that fixes it - if it does then you can start tightening up permissions one by one, testing along the way...

Also, make sure that users in AD have the Display Name filled out and Force Password change unchecked.  I would also clear out a lot of your data mappings in case something there is causing the issue.  Just leave firstname, lastname and email for now.  Again, once we get it working, you can add one at a time and make sure that something there is not causing the issue.  

You are close...hopefully we will get it figured out!

In reply to Emma Richardson

Re: LDAP authentication is importing users, but not letting me sign in.

by Joshua Mayes -

Hi Emma,


Thank you again for your time.  It turned out to be SELinux (from what I can tell it's like a firewall but works more like an Anti-virus) which is enabled by default on CentOS 7.


https://moodle.org/mod/forum/discuss.php?d=331358#p1334470  - link to solution.

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Emma Richardson -

Sorry we missed that but sure glad that you got it working!

In reply to Joshua Mayes

Re: LDAP authentication is importing users, but not letting me sign in.

by Mariam SABIL -

Hi everyone, I have a similar problem but LDAP doesn't even import the users. Here are the errors that I get:

Debug info: 
Error code: auth_ldap_noconnect_all
Stack trace:
  • line 488 of /lib/setuplib.php: moodle_exception thrown
  • line 2161 of /auth/ldap/auth.php: call to print_error()
  • line 215 of /auth/ldap/auth.php: call to auth_plugin_ldap->ldap_connect()
  • line 4180 of /lib/moodlelib.php: call to auth_plugin_ldap->user_login()
  • line 154 of /login/index.php: call to authenticate_user_login()
I tested the host (without ldap:// only the address),  DN and the password in apache directory studio and it works so they are correct but I'm not sure of the permission because the account I'm using is a "read only" which makes me think that it is the source of the problem.

Thank you in advance

In reply to Mariam SABIL

Re: LDAP authentication is importing users, but not letting me sign in.

by Ken Task -

Official docs on the issue:

https://docs.moodle.org/30/en/error/auth/auth_ldap_noconnect_all

Did you do your testing from the Moodle server itself or from another workstation?

Dunno apache directory studio - does that use PHP?  I use Webmin's tool for LDAP which is perl based.   IF I can get that to work, I know, then, what to plugin to Moodle to get it to work.

Getting NO data back at all does indicate it's the initial connection with a user that can query the entire tree of LDAP.   Since Moodle is essentially a bunch of php scripts, there needs to be support for php-ldap.

Running php -m do you see ldap in the list?

Did you try turning on debugging to see what you get?

There is command line sync script in moodlecode/auth/ldap/cli/ called sync_users.php.  It reads the config of LDAP in Moodle ... ie, Bind user, etc.. and it has debugging turned on by default.   Might see something there to help determine the problem.

'spirit of sharing', Ken



In reply to Ken Task

Re: LDAP authentication is importing users, but not letting me sign in.

by Mariam SABIL -

Hello Ken, I'm sorry for the late answer.

To make it clear (I'm sorry I didn't have enough time to do it in my first question): I am a real newbie in moodle, so I'm really sorry if you find my questions obvious..

1) The moodle is installed in a VM (ubuntu server) and I test it from my computer (windows), but I'm on VPN so I think that it means the moodle and the test are in the same server..

2) Apache Directory Studio is a plugin added to eclipse in order to test the connection with the LDAP using login and password, and when I test it I get the entire tree of LDAP (I have to mention that the account I'm using is a "read only" account; I don't know if it can create a problem or not because I see in another discussion https://moodle.org/mod/forum/discuss.php?d=133486#p585234 that an Admin user is recommended)

3) While running php -m I found ldap 

4) When I turned on debugging here is what I see:

The LDAP module cannot connect to any of the servers Server: 'the host of my LDAP', Connection: 'Resource id #30', Bind result: ''

More information about this error

Debug info: 
Error code: auth_ldap_noconnect_all
Stack trace:
  • line 488 of /lib/setuplib.php: moodle_exception thrown
  • line 2161 of /auth/ldap/auth.php: call to print_error()
  • line 215 of /auth/ldap/auth.php: call to auth_plugin_ldap->ldap_connect()
  • line 4180 of /lib/moodlelib.php: call to auth_plugin_ldap->user_login()
  • line 154 of /login/index.php: call to authenticate_user_login()
5) For the last thing, I didn't really understand what you asked me to do, but here is what is in the file /auth/ldap/cli/sync_users.php (in the annex)


Thank you so much for your help


In reply to Mariam SABIL

Re: LDAP authentication is importing users, but not letting me sign in.

by Mariam SABIL -

Hi again, 

I tested with an online LDAP test server using a read only account and it gives me Invalid Login, it means that my configuration of LDAP is not correct (since it works with the test server even if the login is invalid but I read somewhere that this error means that the configuration is set correctly).

I really don't know how to proceed now.. 

PS: I'm using OpenLdap (posixAccount rfc 2307)

Thank you

PS: I tested the connection with ldp.exe and it allows me to see the whole tree of LDAP, so I don't think it's a problem of DN nor the host url :/

In reply to Mariam SABIL

Re: LDAP authentication is importing users, but not letting me sign in.

by Emma Richardson -

The idea was that you should run this file, not just show us the contents!  Run the file from cli.  cd to the folder and then php sync_users.php.  This will give you an error. 

You say that the online test did not connect but ldp.exe did connect?  Is moodle on the same network as the ldap server?  On the same network that you ran ldp.exe from?

Bind result error however normally states that your bind user does not have the necessary permissions.  Your bind user needs to have full access to the ldap tree - is that the case?  Double check that you do not have a typo somewhere...

Can you post a screenshot of your settings?  (Remove any sensitive info first)

In reply to Emma Richardson

Re: LDAP authentication is importing users, but not letting me sign in.

by Mariam SABIL -

Thank you so much Emma and Ken, I figured it out. It's just like you both said: the problem is that the moodle is not on the same network as the ldap server (I thought they were on the same network, but while testing on my local machine, which is connected with a vpn, it works, unlike on the hosted site)

Thank you again for your help