Migration has caused LDAP to stop updating IDs (only)

by Leticia Dark-rose -

Hello,

I would really appreciate some advice on this issue.

Our Moodle site (2.8+ UAT and 2.9+ DEV) uses LDAP authentication for our students (staff) to login. The information is taken from the Active Directory database managed by our IT department and then is drawn into Moodle and created/refreshed. We have assigned the ID number field to store their employee number; this is our control point and a necessity for all students. The ID number is also locked from update by students.

Previously this issue occurred sporadically, however we had found that missing employee IDs from AD was the culprit. These were then added, refreshed and on we went.

In January the site was moved from a department housed server to AWS cloud and GitHub. It is approximately at this time that NONE of the employee IDs are now being pulled through. All other details are correct and accounted for except these crucial details.

I have checked the contexts of AD and updated as advised by IT. Does anyone have any other idea on how this could be occurring and just for these details? Could it be a change of table name, or permission error?

I would be really grateful for any help.

Thanks in advance

Leticia

In reply to Leticia Dark-rose

Re: Migration has caused LDAP to stop updating IDs (only)

by Emma Richardson -

When you migrated, did you also upgrade your moodle instance?  

Are the existing employee ids still present?  Is this just with new users?  Can you post a screenshot of your ldap settings (with sensitive info removed)?

In reply to Emma Richardson

Re: Migration has caused LDAP to stop updating IDs (only)

by Leticia Dark-rose -

Hi Emma,

Please find responses below.

1) We upgraded our DEV site to Moodle 2.9, however our currently 'live' UAT site was not. Neither database had any upgrades applied. However the Employee Ids stopped on both sites about the same time, same profile, same person.

2) Yes, the employees who previously logged in still contain their ID numbers. The issue is for new users only.

Please see screenshot.

Thanks for your help

Leticia

Attachment ldap1.jpg
Attachment ldap5.jpg
In reply to Leticia Dark-rose

Re: Migration has caused LDAP to stop updating IDs (only)

by Leticia Dark-rose -

In addition to the information provided above, I was wondering if this error message has anything to do with the LDAP issue.

"Warning: ldap_read(): Search: No such object in /var/www/moodle-uat.8053/moodle/lib/ldaplib.php on line 140"

The script is below.


Thanks again

Leticia

In reply to Leticia Dark-rose

Re: Migration has caused LDAP to stop updating IDs (only)

by Emma Richardson -

I think that code is just looking to see if you have a filter included to limit to a specific group which I am guessing you do not.  You would have to have something entered in object class to fulfill that.  And it is just a warning, not an error so I don't think that is the issue.

Your issue is limited to that field.  Do you by chance have letters in your employee ids?  I am wondering if Moodle has limited their id field to numeric only?

In reply to Emma Richardson

Re: Migration has caused LDAP to stop updating IDs (only)

by Leticia Dark-rose -

Hi Emma,

No, all employee IDs are 6-digit numbers, e.g. 029756

In reply to Leticia Dark-rose

Re: Migration has caused LDAP to stop updating IDs (only)

by Emma Richardson -
This one has me baffled.  You might look at the moodle database and that specific field and see if it is locked somehow.
In reply to Emma Richardson

Re: Migration has caused LDAP to stop updating IDs (only)

by Leticia Dark-rose -

Me too! Thanks for your assistance Emma, I will let you know when/if we solve the case.

Leticia

In reply to Emma Richardson

Re: Migration has caused LDAP to stop updating IDs (only)

by Leticia Dark-rose -

Hi Emma,

I am still no closer to solving this one. I have been told the IDnumber is a text field, as are all the others and that the field is not locked. 

I bet this doesn't help but I am still no closer to solving the puzzle. Is there any chance you may have thought of anything in the past week or two?

Regards,

Leticia

In reply to Leticia Dark-rose

Re: Migration has caused LDAP to stop updating IDs (only)

by Olumuyiwa Taiwo -

Is it possible that other business or IT processes changed at the same time as your move to AWS? Maybe the old problem you had with missing employee numbers has resurfaced as a result of one such process change and that is now manifesting as the data not coming through?

Something to try is to download and install a free LDAP browser (e.g. JXplorer, LDAP Admin, etc.) and use that to look at the LDAP records for users whose ID numbers are not being pulled through, to confirm whether they're actually present in LDAP.

Regarding the warning you're getting (ldap_read()...), that's likely due to incorrect value(s) for your "Creators" setting.

In reply to Olumuyiwa Taiwo

Re: Migration has caused LDAP to stop updating IDs (only)

by Iñaki Arenaza -
I'm with Olumuyiwa and Visvanath on this: use an LDAP browser or a tool like ldapsearch, from the Moodle server itself.

Given that other attributes are being retrieved, I'd say the most probable cause for this is permissions on the LDAP server. IT people[1] might have changed the permissions on the LDAP schema to prevent any user from reading the employeeNumber attribute.

[1] IT people on purpose, or inadvertently via some group policies, or some Windows security update, etc.

Saludos.
Iñaki.
In reply to Iñaki Arenaza

Re: Migration has caused LDAP to stop updating IDs (only)

by Leticia Dark-rose -

Hi Inaki,

Thank you for your input. I will ask them to explore this avenue.

Cheers

Leticia

In reply to Leticia Dark-rose

Re: Migration has caused LDAP to stop updating IDs (only)

by Visvanath Ratnaweera -
Wild guess: Could happen if you've chosen an unlucky name for a database entity, like 'table' for a column. Still, since you say the problem appears (appeared) sporadically in the original site, doesn't make sense.

For a systematic approach:
- query your LDAP from AWS with an interactive program like ldapsearch
- raise the debug level and see whether 'php /path/to/moodle/auth/ldap/cli/sync_users.php' gives more information
- I don't know the AD side, but it might be possible to log the query Moodle sends when a user logs in
Average of ratings: Useful (1)
In reply to Visvanath Ratnaweera

Re: Migration has caused LDAP to stop updating IDs (only)

by Visvanath Ratnaweera -
Another potential unlucky coincidence: Is your ID field called just 'id'? Moodle has the habit of putting a column of the same name in every table - for its own use.
In reply to Visvanath Ratnaweera

Re: Migration has caused LDAP to stop updating IDs (only)

by Jamie Kramer -

I can't recommend ldapsearch highly enough for troubleshooting LDAP issues. ldapsearch is a CLI tool, and can be a bit overwhelming the first time. But if you can get help from your AD/LDAP folks to use it, I would recommend:

* use the same bind user/password for ldapsearch tool as you use in Moodle LDAP settings

* run a query with ldapsearch and inspect the output for a user that isn't getting idnumber field synced

* ensure that the idnumber field is coming through via ldapsearch


This will help to ensure that the ldap user has the correct permissions to "see" the employeeNumber field (which is what your mapping setting shows is mapped to Moodle ID number field). Also will ensure that the attribute still exists on AD/LDAP side.

If the employeeNumber field is not coming through via ldapsearch or another LDAP type of tool, then Moodle isn't seeing this attribute. It would mean that either the attribute name has changed or the LDAP bind user you are using in Moodle doesn't have read permission to that attribute.


Jamie

Average of ratings: Useful (1)
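
Added example, not part of any post in this thread: a shell sketch of the ldapsearch check suggested above, run from the Moodle server with the same bind account Moodle uses. The host name, DNs and the `sAMAccountName` filter are placeholders (assumptions), and the LDIF samples are constructed so the attribute check can be exercised offline.

```shell
# Placeholders (assumptions): copy the real values from the Moodle LDAP settings.
LDAP_URI="ldaps://dc.example.org"
BIND_DN="CN=moodle-bind,OU=Service,DC=example,DC=org"
BASE_DN="OU=Staff,DC=example,DC=org"

# Query one user for a few mapped attributes. -x simple bind, -LLL plain LDIF,
# -W prompts for the password so it stays out of shell history and `ps`.
query_user() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b "$BASE_DN" "(sAMAccountName=$1)" cn mail employeeNumber
}

# Read LDIF on stdin; succeed if attribute $1 is present with a non-empty value.
# Attribute names are case-insensitive; "attr::" marks a base64-encoded value.
has_attr() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); found = 0 }
        {
            n = index($0, ":")
            if (n > 1 && tolower(substr($0, 1, n - 1)) == want) {
                val = substr($0, n + 1)
                sub(/^:?[ \t]*/, "", val)
                if (val != "") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed LDIF: an entry that returns employeeNumber, and one that does not.
SAMPLE_OK='dn: CN=Constructed User,OU=Staff,DC=example,DC=org
cn: Constructed User
mail: user@example.org
employeeNumber: 012345'
SAMPLE_MISSING='dn: CN=New User,OU=Staff,DC=example,DC=org
cn: New User
mail: new@example.org'

# Classify one LDIF result. An attribute the bind account cannot read is left
# out of the entry, so "not-returned" covers both unset and unreadable values.
check_ldif() {
    if printf '%s\n' "$1" | has_attr employeeNumber; then
        echo "visible"
    else
        echo "not-returned"
    fi
}
# Live use: query_user someuser | has_attr employeeNumber && echo visible
```

If the result is "not-returned" for the Moodle bind account but the attribute shows up when the same query is run with an administrative account, the cause is read permission on the attribute rather than missing data.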
In reply to Leticia Dark-rose

Re: Migration has caused LDAP to stop updating IDs (only)

by Emma Richardson -
Back to my original thought.  The id in Moodle is an integer field - if yours is a text field that could be why.  Also, did they by chance start putting non-numeric figures in this field?
In reply to Emma Richardson

Re: Migration has caused LDAP to stop updating IDs (only)

by Olumuyiwa Taiwo -

I believe Leticia is referring to the 'idnumber' field in Moodle, not the 'id' field. 

The 'idnumber' field in Moodle is actually a text field - varchar(255), according to the database schema.