Will the sync task of LDAP mark the disabled users of Microsoft AD as suspended users in Moodle?
Or does it only mark deleted AD users as suspended?
Thanks,
I think it just does deleted but not totally sure.
I use an AD group to sync with my Moodle database - that way it is easy for me to move people in and out of the group, which effectively removes them or suspends them in Moodle depending on how you have it set.
Dear Emma,
Can you please, with your thoughts on the below points, explain to me the concept of an AD group? From what I am being told, AD is divided and sub-divided into domains depending on area and department and country.
Thanks for your reply, yes it would be easy if I had the option of syncing all the users with Moodle. The scenario.
In my AD, I have created a group called MoodleUser. If a member of the AD should have access to Moodle, I add them to the group. If they are not in the group, Moodle treats them as a deleted user.
In the object class entry in the LDAP settings, you would then add a line such as below referencing the group you make. If you make it a global group, you should be able to put all your AD users in it.
(|(&(objectClass=user)(!(objectClass=computer))(memberOf=cn=MoodleUser,ou=people,dc=yourdomain,dc=com)))
If you truly have separate domains you will need to clone the LDAP plugin for each domain. Google clone LDAP to find the post where Inaki posts the patches to do this easily.
Dear Emma,
Thank you for the explanation. Having a group seems very logical, but I cannot implement it because any user from the complete domain can log in to Moodle for the first time and have his/her account created.
We do not want and have no control over who can join Moodle by login. So we cannot implement the group limitation.
Referring to the above points of the scenario, can you please help out? The complete thread is on this post
Dear Emma,
How can I modify the script to check for active users only and not retrieve the disabled users in AD?
I am not a coder.
The group can still work - just add the whole domain to the group. Then, when the user is disabled, remove them from the group.
Dear Emma,
The limitation is that any user can just sign in and have the account created on Moodle. (just add the whole domain to the group) will work, but
(Then, when the user is disabled, remove them from the group.)
I don't have access to AD; that is a completely different branch. It will not be feasible to keep on requesting removal of users from the group.
AD is the master; users are disabled on AD, and Moodle LDAP has to adjust accordingly.
I just checked: LDAP extracts all the users, disabled or not! Can you please tag some coders or move this to the programmers section of the forum?
I really need a way to achieve this. Any thoughts keeping the limitations in mind?
Thank you
I think you could use the object class to only select active users...that should do it right?
Check out this post for ideas:
Thank you! This worked,
the solution found is:
(&(objectCategory=person)(objectClass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
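
The userAccountControl test in the filter above, worked through as an added example that is not part of the original thread: it shows why the bitwise rule `1.2.840.113556.1.4.803` with value 2 excludes every disabled account while exact-value comparisons do not. The sample entries and the two comparison filters are constructed for illustration, and `objectCategory` is simplified to a plain string.

```python
# Added example (not from the thread): evaluates the userAccountControl test
# from the thread's final filter against constructed directory entries.
ACCOUNTDISABLE = 0x0002             # the "2" in the filter
NORMAL_ACCOUNT = 0x0200             # 512
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096
DONT_EXPIRE_PASSWORD = 0x10000      # 65536

def bit_and_match(value, mask):
    """(attr:1.2.840.113556.1.4.803:=mask): true when every bit of mask is set."""
    return (int(value) & mask) == mask

def thread_filter(e):
    """The filter posted as the solution, applied to one entry."""
    classes = {c.lower() for c in e["objectClass"]}
    return (e["objectCategory"] == "person" and "user" in classes
            and "computer" not in classes
            and not bit_and_match(e["userAccountControl"], ACCOUNTDISABLE))

def equals_512(e):
    """Comparison only: (userAccountControl=512), an exact-value match."""
    return e["objectCategory"] == "person" and int(e["userAccountControl"]) == 512

def not_equals_514(e):
    """Comparison only: (!(userAccountControl=514)), an exact-value exclusion."""
    return e["objectCategory"] == "person" and int(e["userAccountControl"]) != 514

def entry(cn, uac, category="person", classes=("top", "person", "user")):
    # AD returns userAccountControl as a decimal string.
    return {"cn": cn, "objectCategory": category,
            "objectClass": list(classes), "userAccountControl": str(uac)}

# Constructed sample directory.
DIRECTORY = [
    entry("alice", NORMAL_ACCOUNT),                                          # 512
    entry("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE),                           # 514
    entry("carol", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),                   # 66048
    entry("dave", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE),   # 66050
    entry("WS01$", WORKSTATION_TRUST_ACCOUNT, "computer",
          ("top", "person", "user", "computer")),
]

def selected(predicate):
    """Names the sync would see if the directory applied this filter."""
    return [e["cn"] for e in DIRECTORY if predicate(e)]

if __name__ == "__main__":
    for f in (thread_filter, equals_512, not_equals_514):
        print(f.__name__, selected(f))
```

The exact-value variants either drop an enabled account that carries an extra flag (carol) or let a disabled one through (dave), which is the case the bitwise rule handles.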