LDAP Enrolments request. Does this exist?

by Brian Jones -
I am a moodle administrator in support of several professors, who each use moodle for several classes.

Here's what I'd like to see from an LDAP Enrolment plugin - it's a bit different from what happens now, but I wonder if what I want maybe exists elsewhere? Here goes:

As administrator, I want to point my entire moodle installation at an ldap server which holds generic LDAP information about every single user on campus. When my moodle installation looks to grab a list of "potential students", I want that list to come from the LDAP server. Just list all of the users in there.

What this essentially accomplishes is:

1. Gets me out of the job of maintaining a very large text file on behalf of the professors, who really should be able to do this themselves on a per-course basis.

2. Keeps professors from having to give out an enrollment key which is not unique to any one user, and thus can be handed out randomly without any way of knowing who handed out their key.

3. Allows profs to go to the "Enrol Students" page, and see all users in the ldap server in the "potential students" box. Then they can add students to their courses without my being involved whatsoever, and they don't have to send me email for any of this :)

I realize this feature wouldn't be useful for many online sites and other places, but if you're at a university and all of the possible students are in one place, it would seem that we should be able to use it! ;)

thanks.
In reply to Brian Jones

Re: LDAP Enrolments request. Does this exist?

by Martín Langhoff -
This is actually available in Moodle -- just use the Auth/LDAP plugin for user authentication. Make sure you run auth_ldap_sync.php which will populate all the user accounts.

You don't need to use enrol/ldap after that, as LDAP doesn't contain enrolment info.
In reply to Martín Langhoff

Re: LDAP Enrolments request. Does this exist?

by Brian Jones -
Thanks, Martin. However, in my 1.5.2 installation, I can't find a file by that name, and see no reference to that script in the LDAP authentication config screen. Can you tell me where this is, how to run it?

thanks.
brian.
In reply to Brian Jones

Re: LDAP Enrolments request. Does this exist?

by Martín Langhoff -
It's definitely there in the auth/ldap directory. There's also a README... Read the source of the script for invocation instructions. Browsing through the source of auth/ldap/lib.php is also recommended ;)
In reply to Martín Langhoff

Re: LDAP Enrolments request. Does this exist?

by Rory Allford -
I have a general question about how moodle keeps its records synchronised with the LDAP server. I have set up the auth_ldap_sync_users to run with the cron, but what frequency would you suggest is "healthy" for both moodle and the target server, considering we have quite a large directory? Also, it appears data pulled from LDAP such as profile fields automatically populated with container tuples such as surname only seem to update when the user himself authenticates (i.e. simply viewing the profile page or even clicking the "login as" button does not) - is this correct or symptomatic of a misconfiguration? Finally I have noticed that ldap fields do not seem to be properly escaped: we have had several problems with users having apostrophes in their username, password and even firstname/lastname ldap fields used to automatically fill the profile (error along the lines of badly formatted ldap query string) - again is this a configuration problem (magic_quotes which I have been hesitant to turn on)?

Many thanks,
Rory Allford
In reply to Rory Allford

Re: LDAP Enrolments request. Does this exist?

by Brian Jones -
I found the script using clues found here, thanks.

:)
In reply to Rory Allford

Re: LDAP Enrolments request. Does this exist?

by Martín Langhoff -

Rory,

you can run it "never" and that's really healthy :D

This script is quite aggressive with the LDAP server and the Moodle DB, so I'd use it sparingly. We actually run it daily on our main install right after the LDAP directory gets updated --- there's a batch job that updates LDAP, and then calls auth_ldap_sync_users and enrol_ldap_sync.

The main benefit of this script is that user accounts are generated now instead of waiting until users login.

You say:

  Also, it appears data pulled from LDAP such as profile
  fields automatically populated with container tuples such
  as surname only seem to update when the user himself
  authenticates (i.e. simply viewing the profile page or
  even clicking the "login as" button does not) - is this
  correct or symptomatic of a misconfiguration. 

This shouldn't happen. It's either a bug or a misconfiguration. I've fixed some stuff yesterday in 1.5.2+, can you update to it? If you file a bug and assign it to me (With a lot of detail on your config) or just post a new thread in this forum, we'll get it resolved.

  Finally I
  have noticed that ldap fields do not seem to be properly
  escaped: we have had several problems with users having
  apostrophes in their username, password and even
  firstname/lastname ldap fields used to automatically fill
  the profile (error along the lines of badly formatted ldap
  query string) - again is this a configuration problem
  (magic_quotes which I have been hesitant to turn on)?

Also possible bug somewhere. They should be escaped, and they are, as far as I can see. But good quality bug reports are always welcome. Remember to try with the latest 1.5.2+ (soon to be 1.5.3!)
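
The escaping question raised above involves two separate contexts, shown here as an added example that is not part of the original posts and is not Moodle's code: a value placed in an LDAP search filter, and the same value written to the database. The function name, table name and sample values are hypothetical and constructed, and an in-memory SQLite database stands in for the real one; note that the apostrophe is not a filter metacharacter, so it only needs handling on the database side.

```php
<?php
// Added example; example_ldap_filter_escape() and the example_user table
// are hypothetical names, not part of Moodle.

// Escape a value for use inside an LDAP search filter (RFC 4515).
// Only backslash, '*', '(', ')' and NUL are special there; strtr() makes
// a single pass, so the backslashes it inserts are not escaped again.
function example_ldap_filter_escape(string $value): string
{
    return strtr($value, [
        '\\'   => '\\5c',
        '*'    => '\\2a',
        '('    => '\\28',
        ')'    => '\\29',
        "\x00" => '\\00',
    ]);
}

// Constructed sample values of the kind a directory can legitimately hold.
$samples = ["O'Brien", 'Smith (Jr)', 'a*b', 'dept\\jones'];

// Context 1: the value goes into an LDAP filter.
foreach ($samples as $value) {
    echo '(&(objectClass=person)(sn=', example_ldap_filter_escape($value), '))', PHP_EOL;
}

// Context 2: the same values are written to the application database.
// Bound parameters keep the apostrophe as data without magic_quotes.
// An in-memory SQLite database stands in for the real one (assumption:
// the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE example_user (lastname TEXT)');
$insert = $db->prepare('INSERT INTO example_user (lastname) VALUES (?)');
foreach ($samples as $value) {
    $insert->execute([$value]);
}

// Read the rows back and confirm each value is stored byte for byte.
$stored = $db->query('SELECT lastname FROM example_user ORDER BY rowid')
             ->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $samples);
```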

In reply to Martín Langhoff

Re: LDAP Enrolments request. Does this exist?

by Rory Allford -
Thank you very much; I will upgrade to the latest in cvs (which may be painful as our hacked-together SIMS enrolment plugin _will_ break :D), as well as to the latest php ldap plugin and see if I can isolate the problem if it recurs, and file a bug report as necessary.

As an aside, whilst we use LDAP for authentication, our enrolment system adds a separate form onto the user/edit page so that the user can select a corresponding record in an external database (SIMS for schools) upon which their enrolments will occur and other profile data is filled in (including mugshot of the student!). This is because the lookup fields in SIMS are firstname/lastname and there's the very high likelihood of multiple records being returned (Joe Bloggs syndrome), and then fills in data contained only in SIMS and not in LDAP such as picture, department etc in the profile based on the record selected.

My question is: does or will the new enrolments system provide the possibility for a plugin to display a page/box on (first time) user login for interaction on more complex enrolment systems?

Also is there the possibility of "chaining" enrolment systems (or inheriting from standard enrolment classes) to produce custom setups such as for profile information where different fields come from different sources (e.g. to use LDAP for username/password authentication but then an external database for fields such as house address)? Just a thought!
In reply to Rory Allford

Re: LDAP Enrolments request. Does this exist?

by Martín Langhoff -
The enrolment plugin API allows you to present a screen to users when they are trying to access a course they are not enrolled in. Create a new enrolment plugin and use that screen to collect the SIMS number -- you can put it in the users 'user_preferences' table (see the get_pref() set_pref() calls).

You only need to ask for it once for each user -- after that, your enrolment plugin can resolve enrolments on initial login. Sorted ;)
In reply to Martín Langhoff

Re: LDAP Enrolments request. Does this exist?

by Rory Allford -
Thanks! Then I'd only need to hook the enrolment if $COURSE->id==SITEID, and that'd give me the first time logon screen. Thanks again. :D
In reply to Martín Langhoff

Re: LDAP Enrolments request. Does this exist?

by Michael Johnson -
To everyone out there that wants to rely solely on LDAP for enrolments... There are a few things to keep in mind. If you followed the install instructions to the 'T' then you'll get some database errors when running the auth/ldap script. The default permissions for MOODLEUSER in the documentation do not have the "CREATE TEMPORARY TABLE" permission, so the script will fail. I now run:

"php /var/www/moodle/auth/ldap/auth_ldap_sync_users.php && php /var/www/moodle/enrol/ldap/enrol_ldap_sync.php"
each night, this syncs up with LDAP nicely once your DB permissions are correct. I was pulling my hair out over this, so I hope this helps someone.
In reply to Michael Johnson

Re: LDAP Enrolments request. Does this exist?

by Mostafa Itani -

Hi All,

I do have the following settings, and I am still stuck. Do you have any way around this, or can you point out where my error is?

enrol_ldap_version:3

enrol_ldap_bind_dn:moodle1@win2k.aub.edu.lb

ldap_bind_pw: test

enrol_ldap_student_contexts:ou=allgroups,ou=security groups,ou=resource groups,ou=aub resources groups,ou=aubrg-acc,dc=win2k,dc=aub,dc=edu,dc=lb

enrol_ldap_student_memberattribute:memberUid

Course enrolment settings

enrol_ldap_objectclass: Group

enrol_ldap_course_idnumber:cn

enrol_ldap_autocreate: Yes

Moreover, the authentication is working fine with "enrol_ldap_bind_dn:moodle1@win2k.aub.edu.lb". I have also tested using the absolute path "cn=moodle1,ou=allusers,dc=win2k,dc=aub,dc=edu,dc=lb" and I am still stuck.

Any suggestions for the above?

Martin, do I need to run certain scripts after that?

Does anyone have documentation on that?

Mostafa Itani