Use LDAPS for Moodle user authentication

Re: Use LDAPS for Moodle user authentication

by Sebastian U -
Number of replies: 0

Hi and thanks for pointing out again that sadly we don't have a privileged bind user account.

We assumed that if we leave the bind settings blank then Moodle will use the credentials that the user just entered in order to authenticate against the LDAP server. I just investigated the code and I guess we were wrong: When no bind settings are specified, Moodle tries to authenticate anonymously against the LDAP server (which also doesn't work for us since we need to authenticate via LDAP with the credentials that the user just entered).

I was looking for the code that performs the LDAP bind. I found the call in auth/ldap/auth.php at line 1987. There Moodle only passes some arguments, including $this->config->bind_dn and $this->config->bind_pw, to ldap_connect_moodle().

ldap_connect_moodle is defined in lib/ldaplib.php, at line 182:

function ldap_connect_moodle($host_url, $ldap_version, $user_type, $bind_dn, $bind_pw, $opt_deref, &$debuginfo, $start_tls=false) {

    // ...
    // Beginning in line 216, Moodle switches to an anonymous login if no bind_dn is provided:
        if (!empty($bind_dn)) {
            $bindresult = @ldap_bind($connresult, $bind_dn, $bind_pw);
        } else {
            // Bind anonymously
            $bindresult = @ldap_bind($connresult);
        }

        if ($bindresult) {
            return $connresult;
        }

        $debuginfo .= "Server: '$server', Connection: '$connresult', Bind result: '$bindresult'\n";
    }

Can someone confirm that Moodle's LDAP authentication plugin requires either a privileged user or anonymous access to the LDAP server?
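As an added illustration of the bind modes discussed in this post (example code, not Moodle's and not part of the original reply): a service-account or anonymous bind followed by a search and a rebind as the user, beside a direct bind that derives the user's DN from a template and therefore needs no bind account at all. The server URI, base DN, DN template and the uid attribute are placeholders.

```php
// Added example, not Moodle code. URI, base DN, DN template and attribute are placeholders.
const LDAP_URI     = 'ldaps://ldap.example.invalid';
const BASE_DN      = 'ou=people,dc=example,dc=invalid';
const USER_DN_TMPL = 'uid=%s,' . BASE_DN;

// LDAPS connection with protocol v3 and no referral chasing.
function ldaps_connect(string $uri)
{
    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}
// Authenticated bind as the user. An empty password would be an unauthenticated bind
// (RFC 4513, section 5.1.2) that many servers accept, so it is refused up front.
function bind_as_user($conn, string $dn, string $password): bool
{
    return $password !== '' && @ldap_bind($conn, $dn, $password) === true;
}
// Mode 1: derive the DN from a template and bind with the credentials the user just
// entered; needs neither a service account nor anonymous access.
function authenticate_direct_bind(string $username, string $password): bool
{
    $dn   = sprintf(USER_DN_TMPL, ldap_escape($username, '', LDAP_ESCAPE_DN));
    $conn = ldaps_connect(LDAP_URI);
    $ok   = bind_as_user($conn, $dn, $password);
    ldap_unbind($conn);
    return $ok;
}
// Mode 2: when the DN cannot be derived, bind with a service account (anonymously if
// $svc_dn is ''), search for the user's DN, then rebind as that user.
function authenticate_search_then_bind(string $svc_dn, string $svc_pw, string $username, string $password): bool
{
    $conn = ldaps_connect(LDAP_URI);
    try {
        if (!($svc_dn === '' ? @ldap_bind($conn) : @ldap_bind($conn, $svc_dn, $svc_pw))) {
            return false;
        }
        $filter  = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $result  = @ldap_search($conn, BASE_DN, $filter, ['dn']);
        $entries = $result ? ldap_get_entries($conn, $result) : false;
        if ($entries === false || $entries['count'] !== 1) {
            return false; // unknown or ambiguous user
        }
        return bind_as_user($conn, $entries[0]['dn'], $password);
    } finally {
        ldap_unbind($conn);
    }
}
```

Mode 1 only works when every account's DN follows one predictable pattern; mode 2 is what requires the bind account (or anonymous search access) that the post is asking about.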