LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?


by Touqeer Ahmad -

I'm new to Moodle and am using v2.9.2 on Windows 7, and I can't authenticate with the LDAP server on Windows Server 2008 R2.

I have used various software such as Softerra LDAP Administrator and LDAP Explorer and they worked fine, but when I apply the same settings in Moodle the authentication fails.

I don't know where I'm going wrong.

https://www.quora.com/unanswered/LDAP-module-cannot-connect-to-any-servers-Server-ldap-192-168-x-x-50000-Connection-Resource-id-14-Bind-result?srid=h21H7


In reply to Touqeer Ahmad

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Leon Stringer -

In the Distinguished name field (under Bind settings) you've got CN=Users,.... This needs to be an LDAP user account used for queries, but the name Users suggests it's a group. (I say "needs to be", I think some LDAP servers -- not Active Directory -- will allow anonymous queries).

Is the LDAP server an Active Directory domain controller or some other server (e.g. OpenLDAP)? For AD, User type should be set to MS ActiveDirectory (under User lookup settings).

In reply to Leon Stringer

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Touqeer Ahmad -

Thanks for replying. You are right, it is an MS ActiveDirectory and I did change the User type, but the same problem is still there.

In reply to Touqeer Ahmad

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Leon Stringer -

If it's AD then the value in the Distinguished name field definitely should not be CN=Users,... as this will be a container, not a user. (For AD this can be in Windows 2000 format, e.g. username@bopsecurity.com).

Also, port 50000 is unusual. Is that definitely correct? Are you connecting from LDAP Explorer etc., on that port? If you remove the port (i.e. Host URL: ldap://192.168.x.x) it will use the default port.

In reply to Leon Stringer

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Touqeer Ahmad -

On the server side I sync the ADDS (Active Directory Domain Server) with ADLDS (Active Directory Lightweight Directory Services). The ADDS is on port 389 and ADLDS is on 50000. I tested both with LDP.exe (LDAP explorer) and both run fine. But in Moodle the error is that it cannot connect to the server (as if the IP and/or port were wrong).

I have also tried port 389 (which doesn't need to be entered), but still get the same error.

I tried both the simple username and username@bopsecurity.com; neither of them worked.

If the entered user name/password didn't match the server's data it should have shown invalid username/password, but instead it shows "cannot connect error".

Maybe the firewall or certificates are not allowing it to connect.

In reply to Touqeer Ahmad

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Dave Perry -

Certificates are only an issue if you're using secure LDAP (so ldaps:// in the moodle settings) - and I don't think you are as you've tried port 389 (default insecure LDAP port) and the ldap:// bit of the address we see in the error message.

I'd consider network/firewall at this point yes.

UNLESS you conducted your LDAP Explorer tests from the moodle server?

If you haven't tested connectivity from the moodle server already, try that or telnetting to the ldap ports you've tried with LDAP explorer.

In reply to Touqeer Ahmad

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

Can you give us some screenshots of your revised settings page please (with any identifying info removed)?

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Touqeer Ahmad -
In reply to Touqeer Ahmad

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

Yes, but the distinguished name is wrong in that screenshot and you said you changed it.  I suggest looking at your bind user again.  There should not be two CN entries - it should look like this - CN=Moodle Bind User, OU=People, DC=yoursite, DC=com.

The error is for your bind entry and the format looks very wrong.  What does it look like now?

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Touqeer Ahmad -

I changed it too many times; I was just trying every combination I could think of.

Would you please tell me what it should be? I'll try that and tell you.

Thank You.

By using the IP=192.168.x.x and Port 389 I got this on LDP.exe


Attachment Untitled.png
In reply to Touqeer Ahmad

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Leon Stringer -

Under Bind settings in the Distinguished name and Password field enter the user name and password of an account to be used for queries. Normally a dedicated account is used for this so create one if necessary. As Emma said, this looked wrong in the screenshot but we can't tell you what this should be as it will be specific to your environment.

Details on troubleshooting this error and determining the correct bind account settings by using ldp.exe to connect as your specific bind account are here: https://docs.moodle.org/31/en/Active_Directory#LDAP-module_cannot_connect_any_LDAP_servers

In reply to Touqeer Ahmad

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Iñaki Arenaza -

Hi,

let's say you have that 'CN=Username,CN=Users,DC=Bopsecurity,DC=com' user inside the 'CN=Users,DC=bopsecurity,DC=com' container. Let's further assume that its password is "Pass-Word". And let's also assume that the Group Policies and existing Active Directory permissions let that user query the LDAP objects inside that container. Finally, let's assume that you want your users to use the Windows logon name to log in (i.e., the short username like 'iarenaza', not the long username like 'iarenaza@windows.domain.name'). This short logon name is called the sAMAccountName.

Using the following LDAP settings (you can leave the other settings at their default value, and tweak them later depending on your needs) should let Moodle bind to the LDAP server and query about all those users and groups inside the container:

  • LDAP server settings section
    • Host URL: ldap://192.168.x.x
    • Use TLS: No
    • Version: 3
    • LDAP encoding: utf-8
  • Bind settings
    • Don't cache passwords: Yes
    • Distinguished name: CN=Username,CN=Users,DC=Bopsecurity,DC=com
    • Password: Pass-Word
  • User lookup settings
    • User Type: MS Active Directory
    • Contexts: CN=Users,DC=Bopsecurity,DC=com
    • Search subcontexts: Yes
    • Dereference aliases: No
    • User attribute: samaccountname
    • Member attribute uses dn: 1
  • Force change password
    • Password format: Plain text
  • Data mapping
    • First name: givenName
    • Surname: sn
    • Email address: mail

Have a look at https://docs.moodle.org/en/LDAP_authentication for more details about the rest of the settings, some troubleshooting recommendations, etc.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Anjan Mukherjee -

Hi,

I am getting the below error.

LDAP-module cannot connect to any servers: Server: '192.162.156.3', Connection: 'Resource id #619', Bind result: '

and I cannot fix this.

I am using the bind setting:

cn=administratorusername,ou=portalusers,dc=domain,dc=ac,dc=ae

Do I have to create a new password for the bind settings, or do I have to give the authentication password?


Thanks

Anjan


In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

You have to enter the password of that particular user.  Has the user been created and does that user have the necessary permissions on the ou where your users are?

If the user is correct, this message also appears if you have your context added incorrectly.

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Anjan Mukherjee -

Thanks Emma

CN=portausers,CN=Configuration,DC=testuniversity,DC=ac,DC=ae

Is the above bind setting correct or not?

In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

I have no idea.  Is portausers an admin account?  Did you fill in the password field?

This looks more like an OU.  Bind settings needs to refer to a user with permissions on the ou that holds your users.  Basic format looks ok.

Context should be something like:  OU=moodleusers,OU=people,DC=yourdomain,DC=com

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Anjan Mukherjee -

It is working now. Thanks Emma for helping.



In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Anjan Mukherjee -

Hi Emma,

I have a new problem.

I am using dn:-  CN=administrator,CN=Users,DC=suniversity,DC=ac,DC=ae

and password :- adminpassword


And my AD tree is like this:-


suniversity.ac.in >> 

Portaluser >> 

1. faculty

2. student

I can only access the student login but am not able to log in using faculty.

Thanks 

Anjan




In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Leon Stringer -

It sounds like your Contexts only has the student OU. You would either need to change this to a point higher up your tree, or list both student and faculty contexts separated by a semi-colon.

So the setting may be (and you will need to verify these settings):

  • Contexts: ou=student,ou=portaluser,dc=suniversity,dc=ac,dc=in;ou=faculty,ou=portaluser,dc=suniversity,dc=ac,dc=in

(I'm not sure if the top level DC value is "ae" or "in", it's "ae" on your bind user but "in" in your tree).

For more information on the Contexts setting see https://docs.moodle.org/en/LDAP_authentication#User_lookup_settings


In reply to Leon Stringer

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Anjan Mukherjee -

Kindly check the attachment.

I have used the above context; the student can log in but the faculty cannot log in.

Thanks 

Anjan

Attachment dn.jpg
In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

I would suspect that maybe your bind user does not have the necessary permissions on the faculty ou.

In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Leon Stringer -

Based on the information shown, I would expect the Contexts field to need to be set to:

  • OU=Student,OU=PortalSkyUsers,DC=...university,DC=ac,DC=ae;OU=Faculty,OU=PortalSkyUsers,DC=...university,DC=ac,DC=ae

Replace ...university as required.

In reply to Leon Stringer

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Anjan Mukherjee -

I have already tried this but it is not working.

Context :- OU=Student,OU=PortalSkyUsers,DC=domain,DC=ac,DC=ae;OU=Faculty,OU=PortalSkyUsers,DC=domain,DC=ac,DC=ae


In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Leon Stringer -

Emma suggests checking the bind user can access the Faculty OU. Does JXplorer let you connect as a specific user? You could try connecting using the bind user's credentials and seeing if it lets you view the contents of the Faculty OU, i.e. can you see the users and their attributes.

In your JXplorer screenshot the distinguished name of the Student OU is shown. You could click on Faculty and confirm the distinguishedName field in case it's something like CN=Faculty,OU=PortalSkyUsers,DC=...university,DC=ac,DC=ae.

In reply to Leon Stringer

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Anjan Mukherjee -

Yes, I have checked in my JXplorer and it is working. In user DN I used the faculty CN and the student DN; both are working.


It's OU=faculty, not CN.

OU=Faculty,OU=PortalSkyUsers,DC=...university,DC=ac,DC=ae.


In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Anjan Mukherjee -

How can we log in using the sAMAccountName with LDAP?

In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Leon Stringer -

I'm running out of things to check. Is Search subcontexts set to yes? You could try turning debugging on for your site to see if there are any errors logged (https://docs.moodle.org/en/Debugging).

In reply to Anjan Mukherjee

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

Are you sure that it isn't just something with the user you are trying?  Are you getting the bind error or just incorrect login?  Reset the password, make sure that you don't have something like update password checked in AD, make sure there is a display name for the user.

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Yoel Gutierrez -

Hello, 

I am new to this. I am trying to connect Moodle to Active Directory. I read all the posts before, but for some reason I have no idea what is happening. When I try to log in I get this message.

"LDAP-module cannot connect to any servers: Server: 'ldaps://10.224.32.50', Connection: 'Resource id #12', STARTTLS failed."


I change the System administrator told me we are using SSL and they give me this ip 10.224.32.50 or 51 for LDAP. 


our AD structure is:

Domain=rtios

OU=IT-Users


I set up my settings like this 

LDAP server settings section

Host URL: ldap://10.224.32.50  - also tried with ldaps and just the IP

Use TLS: YES

Version: 3

LDAP encoding: utf-8

Bind settings

Don't cache passwords: Yes

Distinguished name: CN=Moodle,OU=IT-Users,DC=rtios,DC=com (taken from dsquery)

Password: Password for the serviceaccount

User lookup settings

User Type: MS Active Directory

Contexts: OU=IT-Users,DC=rtios,DC=com

Search subcontexts: Yes

Dereference aliases: No

User attribute: moodlelms 

Member attribute uses dn: 1

Force change password

Password format: MD5 Hash (told by system admin)

In reply to Yoel Gutierrez

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

Turn off TLS.

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Yoel Gutierrez -

Now I have this


LDAP-module cannot connect to any servers: Server: 'ldaps://10.224.32.50', Connection: 'Resource id #13', Bind result: ''


Removing the ldaps - have this


LDAP-module cannot connect to any servers: Server: '10.224.32.50', Connection: 'Resource id #13', Bind result: ''

In reply to Yoel Gutierrez

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

1.  Are you bind user settings correct?  You say password for service account - I am presuming CN=Moodle is your service account?

2.  Does your bind user have the necessary permissions on the OU?

3.  Is your context listed correctly?

FYI - unless you have specifically changed something, MSAD user attribute is normally set to samaccountname

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Yoel Gutierrez -

Hello Emma,


1. Yes, Moodle is my service account; the username is moddlelms and I checked the password and it is correct.

2. The system administrator assured me the service account has the correct permissions.

3. The context is what I am not sure about. I took the Bind DN and removed the CN=Moodle. How do I get the Base DN?

4. Should I change the samaccountname, or leave it empty?


I got the samaccountname from running this command: "Get-ADUser username -Properties * | Select-object SamAccountName"



In reply to Yoel Gutierrez

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Emma Richardson -

Userattribute should be samaccountname - in your settings you have it as moodlelms

Change that.

The ou needs to be the ou that your users are in (if they are in that ou, you should be ok) - you have checked the box to search subcontexts - that is good - leave that.

Member attribute used DN - try clearing that.

 

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Yoel Gutierrez -

Hello Emma, 


Still not working.

Is there a way to test where the connection gets broken? A plugin or wizard? My thinking is that there are a lot of settings in one place, so I don't know if the issue is in one of those settings or in making the connection to the LDAP.


I also tried with another service account we have in the company for Nextcloud and it gives me the same error. So I guess it is not the service account, because for Nextcloud it is working.
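
An added example, not part of any post in this thread and not Moodle's own code: an offline check for the setting mistakes that came up above (ldaps:// combined with Use TLS, a bind DN that is really the container, contexts not matching the bind DN's DC components, a non-default user attribute for AD), plus a TCP test equivalent to the telnet suggestion, meant to be run from the Moodle server. The dictionary keys, function names and sample values are assumptions made for this example.

```python
import socket
from urllib.parse import urlsplit

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs (escaped commas not handled)."""
    return [tuple(p.strip().lower() for p in rdn.partition("=")[::2])
            for rdn in dn.split(",")]

def dc_suffix(dn):
    return [value for attr, value in parse_dn(dn) if attr == "dc"]

def lint(s):
    """Return findings for a dict of LDAP settings (key names are this example's own)."""
    findings = []
    url = s["host_url"]
    if any(ch.isspace() for ch in url):
        findings.append("Host URL contains whitespace")
    if urlsplit("".join(url.split())).scheme == "ldaps" and s["use_tls"]:
        findings.append("ldaps:// together with Use TLS: Yes (STARTTLS over TLS)")
    # Several contexts are separated by semicolons.
    contexts = [c.strip() for c in s["contexts"].split(";") if c.strip()]
    for ctx in contexts:
        if parse_dn(ctx) == parse_dn(s["bind_dn"]):
            findings.append(f"bind DN equals context {ctx!r}: a container, not a user")
        # Skip the DC comparison when the bind name is in user@domain form.
        if "=" in s["bind_dn"] and dc_suffix(ctx) != dc_suffix(s["bind_dn"]):
            findings.append(f"DC components of context {ctx!r} differ from the bind DN")
    is_ad = s["user_type"].replace(" ", "").lower() == "msactivedirectory"
    if is_ad and s["user_attribute"].lower() != "samaccountname":
        findings.append("User attribute is not samaccountname for an AD user type")
    return findings

def tcp_reachable(host, port, timeout=3.0):
    """Same question as the telnet test: can this machine open the LDAP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample settings (documentation address 192.0.2.10, example.com).
SAMPLE_OK = {
    "host_url": "ldap://192.0.2.10", "use_tls": False,
    "bind_dn": "CN=Moodle Bind,CN=Users,DC=example,DC=com",
    "contexts": "OU=Student,OU=Portal,DC=example,DC=com;"
                "OU=Faculty,OU=Portal,DC=example,DC=com",
    "user_type": "MS ActiveDirectory", "user_attribute": "samaccountname",
}
SAMPLE_BROKEN = {
    "host_url": "ldaps://192.0.2.10", "use_tls": True,
    "bind_dn": "CN=Users,DC=example,DC=com",
    "contexts": "CN=Users,DC=example,DC=com;OU=Faculty,DC=example,DC=in",
    "user_type": "MS Active Directory", "user_attribute": "moodlelms",
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_BROKEN):
        print("-", finding)
```

An empty result from `lint` only rules out these specific mistakes; bind permissions on the OU and the account's password still have to be checked against the directory itself.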

In reply to Emma Richardson

Re: LDAP-module cannot connect to any servers: Server: 'ldap://192.168.x.x: 50000', Connection: 'Resource id #14', Bind result: ''?

by Yoel Gutierrez -

Hello Emma,


Thank you very much for your help. I finally got it to work last Friday. The issue was not the settings; all of that looks like it was working. After going back and forth and almost giving up, the issue was that the users I had created manually had to be changed from manual account to Active Directory account on the user profile. So it was not the settings in the LDAP settings; it was just changing that part of the accounts.


Now the only issue I have right now is that the user I had created as a course creator lost the ability to edit or create a course. Do you have any idea why this happens?