LDAP users sync job doesn't work

by Gun Karagoz -
Number of replies: 13

I can access my Moodle instance with LDAP users. But I want to sync LDAP users to restrict courses before they log in. So, I try to use scheduled tasks for syncing LDAP user accounts.

I believe the LDAP users sync (\auth_ldap\task\sync_task) task doesn't work and I cannot understand why. Last run is always "Never" and Next run is always "ASAP". What may have gone wrong? Is there any log for it?

Moodle 3.1.2+ (Build: 20161020) on Windows.


In reply to Gun Karagoz

Re: LDAP users sync job doesn't work

by Emma Richardson -

Is it enabled?  What time frame is it set for?  Is cron running?

In reply to Gun Karagoz

Re: LDAP users sync job doesn't work

by John Okely -

After making sure the task is turned on and cron is set up as Emma suggests, you can try running it manually. (If you have console access)

php admin/tool/task/cli/schedule_task.php --execute="\auth_ldap\task\sync_task"

and view the output.


Average of ratings: Useful (1)
In reply to John Okely

Re: LDAP users sync job doesn't work

by Gun Karagoz -

@Emma Richardson I tried configuring it as every day / every hour; nothing happened.


@John Okely That was what I was looking for, thanks! Now I could understand the DB configuration error, and now the LDAP sync worked via the console (with an error).

I'm trying to solve "Scheduled task failed: LDAP users sync job (auth_ldap\task\sync_task), The given username contains invalid characters". Is there a way to see which "user name" causes this problem?

In reply to Gun Karagoz

Re: LDAP users sync job doesn't work

by Emma Richardson -

Normally it is the name just before the error but that does not always show.  If you can download your users to a csv file that is often a good way to find it.  

The other thing you can do is to go into your settings and allow additional characters in your usernames. That might resolve it too, though I normally find I have an errant space in a username, which would still prompt the error.

In reply to Emma Richardson

Re: LDAP users sync job doesn't work

by Gun Karagoz -

I went through Dashboard > Site administration > Security > Site policies and I set "Allow extended characters in usernames" to true, but still getting same error.  It would be nice to see the user causing this problem on console.

In reply to Gun Karagoz

Re: LDAP users sync job doesn't work

by Iñaki Arenaza -

Unfortunately, the current code doesn't show the problematic user name (in fact, it doesn't show any user detail at all). The last name you get in the execution output is the last known good user, not the problematic one. If you want to get the details of the "faulty user", you need to modify the code a bit. Look for a line like this in auth/ldap/auth.php, around line 950 (in Moodle 3.2.1):

            $id = user_create_user($user, false);

Then change it to look like this:

            try {
                $id = user_create_user($user, false);
            } catch (Exception $e) {
                // Dump the whole exception: the message says why Moodle rejected the
                // account, and the trace carries the $user object that was passed in.
                echo "!!!! Could not add user. Exception details: ".print_r($e, true);
                // Stop here rather than continue with the remaining users.
                echo "\n!!!! Stopping so you can fix the problematic user...\n\n\n";
                die();
            }

That should display all the user details, plus the exception details (so you know why Moodle didn't like it), and then stop processing the rest of the users so you can try and fix the problematic user.

Saludos. Iñaki.

Average of ratings: Useful (4)
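An added example (my own Python, not code from this thread or from Moodle) that answers the question of which username will trip the check before the sync runs at all: it applies the cleaning rule of Moodle's clean_param(PARAM_USERNAME), as I remember it from lib/moodlelib.php, to a constructed CSV export of the kind Emma suggests, once with "Allow extended characters in usernames" off and once with it on. Assumptions: the regex and the trim/lowercase behaviour are reproduced from memory and should be checked against your own Moodle version, the sample CSV and its sAMAccountName column are made up, and every function name is mine.

```python
import csv
import io
import re

# Moodle's username cleaning as I recall it from clean_param(PARAM_USERNAME) in
# lib/moodlelib.php (ASSUMPTION: check it against your own Moodle version):
# trim, lowercase, and, unless $CFG->extendedusernamechars is set, drop spaces
# and every character outside [-.@_a-z0-9]. user_create_user() compares the
# username with its cleaned form and throws "The given username contains
# invalid characters" when the two differ.
DISALLOWED = re.compile(r'[^-.@_a-z0-9]')

# Constructed sample standing in for a CSV export of the directory (not real data).
SAMPLE_CSV = """sAMAccountName,displayName
gkaragoz,Gun Karagoz
emma.richardson,Emma Richardson
SYSTEM$SVC01,Service account
HOST01$,Computer account
svc backup,Backup job
jdoe ,John Doe
"""


def clean_username(username, extended_chars=False):
    """Mimic clean_param(PARAM_USERNAME) for one username."""
    cleaned = username.strip().lower()
    if not extended_chars:
        cleaned = cleaned.replace(' ', '')
        cleaned = DISALLOWED.sub('', cleaned)
    return cleaned


def find_rejected(usernames, extended_chars=False):
    """Return (original, cleaned) pairs the LDAP sync would refuse to create.

    ASSUMPTION: auth_ldap lowercases and trims each username before calling
    user_create_user(), so that step is applied first; whatever is left must
    survive cleaning unchanged or the exception fires.
    """
    rejected = []
    for name in usernames:
        as_synced = name.strip().lower()
        cleaned = clean_username(as_synced, extended_chars)
        if cleaned != as_synced:
            rejected.append((name, cleaned))
    return rejected


def usernames_from_csv(text, column='sAMAccountName'):
    """Pull the username column out of a CSV export, keeping any stray spaces."""
    return [row[column] for row in csv.DictReader(io.StringIO(text))]


if __name__ == '__main__':
    names = usernames_from_csv(SAMPLE_CSV)
    for extended in (False, True):
        print(f"extendedusernamechars={'on' if extended else 'off'}:")
        for original, cleaned in find_rejected(names, extended):
            print(f"  rejected {original!r} (cleaning would give {cleaned!r})")
```

Run against the real export, the list printed with the setting off is exactly the set of accounts the scheduled task will choke on; with the setting on, only names that change under trim and lowercase remain, which is why a trailing space alone disappears while a "$" does not under the default policy.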
In reply to Iñaki Arenaza

Re: LDAP users sync job doesn't work

by Gun Karagoz -

Thanks Iñaki Arenaza! I found that some of the SYSTEM/SERVICE users have $ in their username.

It seems I cannot allow $ with the site policy, so I need to skip those usernames in the sync; is that possible too? I'm not very familiar with LDAP and I'm not the admin of the AD. Is there a way to use some configuration in the "User lookup settings" section (to filter out some users)?


In reply to Gun Karagoz

Re: LDAP users sync job doesn't work

by Iñaki Arenaza -

Hi Gun,

you can use an LDAP filter to only get a particular set of users. You have to specify what properties the users you are interested in must have. For example, let's say the users you are interested in are actual user accounts (i.e., users, not contacts or computer accounts). That means that the users you are interested in must have the value "person" for the attribute "objectCategory" AND the value "user" for the "objectClass" attribute (see the page below for additional details on this).

Let's say you also want to limit those users to those whose user account names (what Windows calls the sAMAccountName) DON'T start with 'SYSTEM'. That means that the sAMAccountName attribute should not have the value "SYSTEM*" (* is the wildcard for 'anything else can go here').

Putting it all together, it means you want to have a specific value for the first attribute (objectCategory) AND a specific value for the second attribute (objectClass) AND NOT have a specific value for the third attribute (sAMAccountName). LDAP filters use prefix notation, so any AND, OR, NOT etc. conditions must be specified before the values they apply to. LDAP filters use '&' for AND and '!' for NOT, so you could use a filter like this one:

(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=SYSTEM*)))

The same filter with some extra white space so you can see the structure would be:

(&
   (objectCategory=person)
   (objectClass=user)
   (!
    (sAMAccountName=SYSTEM*)
   )
)

You can have a look at this page for some additional details and examples: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Saludos. Iñaki.

Average of ratings: Useful (1)
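An added example (my own Python, not code from this thread or from Moodle) that evaluates Iñaki's filter against a handful of constructed AD-like entries, so a filter can be sanity-checked offline before it is pasted into Moodle. It goes one step beyond the post: the second filter nests an OR ('|') inside the NOT to exclude names ending in "$" (the kind of account Gun found) as well as names starting with SYSTEM. Assumptions: the parser handles only the &, |, ! and attr=value forms with '*' wildcards; objectCategory is stored as the bare word "person" or "computer" rather than the schema DN a real directory returns; the entries are invented; and all function names are mine.

```python
import re


def _value_matches(pattern, value):
    """AD-style case-insensitive comparison; '*' in the filter value is a wildcard."""
    regex = '.*'.join(re.escape(part) for part in pattern.split('*'))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def parse_filter(text):
    """Parse an RFC 4515 filter using only &, |, ! and attr=value into a tree.

    Prefix notation: the operator comes right after '(' and applies to every
    parenthesised item that follows it, up to the matching ')'.
    """
    def parse(i):
        if i >= len(text) or text[i] != '(':
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i:i + 1]
        if op in ('&', '|', '!'):
            i += 1
            children = []
            while text[i:i + 1] == '(':
                child, i = parse(i)
                children.append(child)
            if text[i:i + 1] != ')':
                raise ValueError(f"expected ')' at offset {i}")
            if op == '!' and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children), i + 1
        end = text.find(')', i)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, eq, value = text[i:end].partition('=')
        if not eq or not attr:
            raise ValueError(f"bad filter item {text[i:end]!r}")
        return ('=', attr, value), end + 1

    tree, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attr: value or [values]})."""
    kind = node[0]
    if kind == '&':
        return all(matches(child, entry) for child in node[1])
    if kind == '|':
        return any(matches(child, entry) for child in node[1])
    if kind == '!':
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    lowered = {k.lower(): v for k, v in entry.items()}   # attribute names are case-insensitive
    values = lowered.get(attr.lower(), [])
    if isinstance(values, str):
        values = [values]
    return any(_value_matches(pattern, v) for v in values)


# Constructed directory entries (invented; objectCategory simplified to a bare word).
USER_CLASSES = ['top', 'person', 'organizationalPerson', 'user']
ENTRIES = [
    {'sAMAccountName': 'gkaragoz', 'objectCategory': 'person', 'objectClass': USER_CLASSES},
    {'sAMAccountName': 'SYSTEM$SVC01', 'objectCategory': 'person', 'objectClass': USER_CLASSES},
    {'sAMAccountName': 'svc-backup$', 'objectCategory': 'person', 'objectClass': USER_CLASSES},
    {'sAMAccountName': 'HOST01$', 'objectCategory': 'computer', 'objectClass': USER_CLASSES + ['computer']},
    {'cn': 'External Contact', 'objectCategory': 'person',
     'objectClass': ['top', 'person', 'organizationalPerson', 'contact']},
]

INAKI_FILTER = '(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=SYSTEM*)))'
# Added variant: also drop any account whose name ends in '$'.
NO_DOLLAR_FILTER = '(&(objectCategory=person)(objectClass=user)(!(|(sAMAccountName=SYSTEM*)(sAMAccountName=*$))))'


def select(filter_text, entries=ENTRIES):
    """Return the names the filter would let the sync see, in directory order."""
    tree = parse_filter(filter_text)
    return [e.get('sAMAccountName', e.get('cn')) for e in entries if matches(tree, e)]


if __name__ == '__main__':
    for label, flt in (('Iñaki', INAKI_FILTER), ('no-$', NO_DOLLAR_FILTER)):
        print(f"{label}: {select(flt)}")
```

The first filter keeps "svc-backup$" because it neither starts with SYSTEM nor is a computer object; the second drops it. Note that the real filter is evaluated by the directory server, so once it looks right here, confirm it with an actual search against the DC before relying on it.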
In reply to Iñaki Arenaza

Re: LDAP users sync job doesn't work

by C. Bayer -

Hello Iñaki,

Your filter tip sounds really good. We have usernames in our LDAP which unfortunately start with a "$", and the cronjob doesn't accept that. Is there a chance to apply such a filter in Moodle, and where is the place in Moodle to declare such filters? Is this in the plugin site administration > authentication > LDAP > (which field?)?

Thanks in advance!
Claus

In reply to C. Bayer

Re: LDAP users sync job doesn't work

by Emma Richardson -

There is a setting in Moodle under Security that you can check to allow special characters in usernames.  That should fix your $ character issue.  

The filters that Iñaki is referring to do not remove the character; they just limit the accounts that Moodle will sync. If that is what you want to do, then the string goes in the LDAP settings under Object Class.

Average of ratings: Useful (1)
In reply to Emma Richardson

Re: LDAP users sync job doesn't work

by C. Bayer -

This fixed the issue, thank you!

In reply to Iñaki Arenaza

Re: LDAP users sync job doesn't work

by Emma Richardson -

This really should be built into core!  Do we have a tracker for this?