LDAP users sync job doesn't work

Re: LDAP users sync job doesn't work

by Gun Karagoz -
Number of replies: 4

Thanks Iñaki Arenaza! I found that some of SYSTEM/SERVICE users have $ in username. 

It seems I cannot allow $ with site policy, so I need to skip those usernames to sync, is it possible also? I'm not very familiar with LDAP and I'm not the admin of AD, is there way to use some configuration in "User lookup settings" section (to filter out some users)? 


In reply to Gun Karagoz

Re: LDAP users sync job doesn't work

by Iñaki Arenaza -

Hi Gun,

you can use an LDAP filter to only get a particular set of users. You have to specify what properties the users you are interested in must have. For example, let's say the users you are interested in are actual user accounts (i.e., users, not contacts or computer accounts). That means that the users you are interested in must have the value "person" for the attribute "objectCategory" AND the value "user" for the "objectClass" attribute (see the page below for additional details on this).

Let's say you also want to limit those users to those whose user account names (what Windows calls the sAMAccountName) DON'T start with 'SYSTEM'. That means that the sAMAccountName attribute should not have the value "SYSTEM*" ('*' is the wildcard for 'anything else can go here').

Putting it all together, it means you want to have a specific value for the first attribute (objectCategory) AND a specific value for the second attribute (objectClass) AND NOT have a specific value for the third attribute (sAMAccountName). LDAP filters use prefix notation, so any AND, OR, NOT etc. conditions must be specified before the values they apply to. LDAP filters use '&' for AND and '!' for NOT, so you could use a filter like this one:

(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=SYSTEM*)))

The same filter with some extra white space so you can see the structure would be:

(&
   (objectCategory=person)
   (objectClass=user)
   (!
    (sAMAccountName=SYSTEM*)
   )
)

You can have a look at this page for some additional details and examples: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Saludos. Iñaki.

Average of ratings: Useful (1)
In reply to Iñaki Arenaza
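To check what a filter like the one above actually lets through before pasting it into Moodle, here is a small evaluator for that prefix-notation filter syntax, run over a handful of constructed AD-style entries. This is an added example, not code from the thread or from Moodle; the entries are made up, and DOLLAR_FILTER extends the same pattern with one more NOT clause for the '$'-prefixed usernames raised later in the thread.

```python
import re

# Evaluator for the LDAP filter syntax explained above (RFC 4515 subset: '&', '|', '!'
# prefix operators and attribute=value with '*' wildcards); case-insensitive like AD.

def _split_filters(s):  # '(a)(b)(c)' -> ['(a)', '(b)', '(c)'] by tracking paren depth
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    if depth != 0:
        raise ValueError(f"unbalanced parentheses in: {s}")
    return parts

def _get(entry, attr):  # case-insensitive attribute lookup; entry maps attr -> [values]
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def matches(flt, entry):  # True if the LDAP entry satisfies the filter flt
    flt = flt.strip()
    if len(flt) < 3 or flt[0] != "(" or flt[-1] != ")":
        raise ValueError(f"malformed filter: {flt}")
    body, op = flt[1:-1], flt[1]
    if op in "&|":  # prefix notation: the operator comes before its operands
        combine = all if op == "&" else any
        return combine(matches(f, entry) for f in _split_filters(body[1:]))
    if op == "!":
        subs = _split_filters(body[1:])
        if len(subs) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return not matches(subs[0], entry)
    attr, _, pattern = body.partition("=")
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))  # '*' is the only wildcard
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in _get(entry, attr))

# Constructed sample entries (not from a real directory); real AD stores objectCategory as a DN.
SAMPLE_DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "objectCategory": ["person"], "sAMAccountName": ["gun.karagoz"]},
    {"objectClass": ["top", "person", "user"], "objectCategory": ["person"], "sAMAccountName": ["SYSTEM_backup"]},
    {"objectClass": ["top", "person", "user"], "objectCategory": ["person"], "sAMAccountName": ["$svc_print"]},
    {"objectClass": ["top", "person", "user", "computer"], "objectCategory": ["computer"], "sAMAccountName": ["WS01$"]},
]

PAGE_FILTER = "(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=SYSTEM*)))"
DOLLAR_FILTER = "(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=SYSTEM*))(!(sAMAccountName=$*)))"

def synced_usernames(flt, directory=SAMPLE_DIRECTORY):  # usernames the sync job would receive
    return [_get(e, "sAMAccountName")[0] for e in directory if matches(flt, e)]
```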

Re: LDAP users sync job doesn't work

by C. Bayer -

Hello Iñaki,

your filter tip sounds really good. We have usernames in our LDAP which unfortunately start with a "$" and the cronjob doesn't accept that. Is there a chance to apply such a filter in Moodle, and where is the place in Moodle to declare such filters? Is this in plugin site administration > authentication > LDAP > (which field?)?

Thanks in advance!
Claus

In reply to C. Bayer

Re: LDAP users sync job doesn't work

by Emma Richardson -

There is a setting in Moodle under Security that you can check to allow special characters in usernames. That should fix your $ character issue.

The filters that Iñaki is referring to do not remove the character; they just limit the accounts that Moodle will sync. If that is what you want to do, then the string goes in the LDAP settings under Object Class.

Average of ratings: Useful (1)