Marking disabled MS-AD users as suspended users on moodle


by Nadirshah Ferozepurwalla -
Number of replies: 9

Will the sync task of LDAP mark the disable users of Microsoft AD as suspended users in moodle?

or does it only mark deleted AD users as suspended?

Thanks,

In reply to Nadirshah Ferozepurwalla

Re: Marking disabled MS-AD users as suspended users on moodle

by Emma Richardson -

I think it just does deleted but not totally sure. 

I use an AD group to sync with my Moodle database - that way it is easy for me to move people in and out of the group, which effectively removes them or suspends them in Moodle depending on how you have it set.

In reply to Emma Richardson

Re: Marking disabled MS-AD users as suspended users on moodle

by Nadirshah Ferozepurwalla -

Dear Emma,

Can you please, with your thoughts on the points below, explain to me the concept of an AD group? From what I am being told, AD is divided and sub-divided into domains depending on area, department and country.

Thanks for your reply. Yes, it would be easy if I had the option of syncing all the users with Moodle. The scenario:

  • 10K or more users since LDAP came into existence.
  • No users deleted, users only disabled.
  • Cannot allow syncing of all users to the Moodle database, for which I am altering the code in LDAP where it forms a temp table, such that it only sends present Moodle users' data to the temp table (https://moodle.org/mod/forum/discuss.php?d=352296). (Yes, there is an LDAP advanced sync plugin available, but it's only for Moodle 3.2 and higher; I have Moodle 2.9.)
  • When the sync script runs, it should suspend those users in Moodle which are disabled in LDAP.

In reply to Nadirshah Ferozepurwalla

Re: Marking disabled MS-AD users as suspended users on moodle

by Emma Richardson -

In my AD, I have created a group called MoodleUser.  If a member of the AD should have access to Moodle, I add them to the group.  If they are not in the group, Moodle treats them as a deleted user.  

In the object class entry in the LDAP settings, you would then add a line such as below referencing the group you make.  If you make it a global group, you should be able to put all your AD users in it.  

(|(&(objectClass=user)(!(objectClass=computer))(memberOf=cn=MoodleUser,ou=people,dc=yourdomain,dc=com)))

If you truly have separate domains you will need to clone the LDAP plugin for each domain.  Google clone LDAP to find the post where Inaki posts the patches to do this easily.

In reply to Emma Richardson

Re: Marking disabled MS-AD users as suspended users on moodle

by Nadirshah Ferozepurwalla -

Dear Emma,

Thank you for the explanation. So if I have a group, the thing seems very logical, but I cannot implement it because any user from the complete domain can log in to Moodle for the first time and have his/her account created.

We do not want to, and have no control over, who can join Moodle by logging in, so I cannot implement the group limitation.

Referring to the above points of the scenario, can you please help out? The complete thread is in this post:

https://moodle.org/mod/forum/discuss.php?d=352296

In reply to Emma Richardson

Re: Marking disabled MS-AD users as suspended users on moodle

by Nadirshah Ferozepurwalla -

Dear Emma,

How can I modify the script to check for active users only and not retrieve the disabled users in AD?

In reply to Nadirshah Ferozepurwalla

Re: Marking disabled MS-AD users as suspended users on moodle

by Emma Richardson -

I am not a coder.

The group can still work - just add the whole domain to the group.  Then, when the user is disabled, remove them from the group.

In reply to Emma Richardson

Re: Marking disabled MS-AD users as suspended users on moodle

by Nadirshah Ferozepurwalla -

Dear Emma,

The limitation is that any user can just sign in and have the account created on Moodle. "Just add the whole domain to the group" will work, but

(Then, when the user is disabled, remove them from the group.)

I don't have access to AD; that is a completely separate branch. It will not be feasible to keep on requesting removal of users from the group.

AD is the master; users are disabled on AD, and Moodle LDAP has to adjust accordingly.

I just checked: LDAP extracts all the users, disabled or not! Can you please tag some coders or move this to the programmers section of the forum.

I really need a way to achieve this. Any thoughts, keeping the limitations in mind?

Thank you

In reply to Nadirshah Ferozepurwalla

Re: Marking disabled MS-AD users as suspended users on moodle

by Emma Richardson -

I think you could use the object class to only select active users... that should do it, right?

Check out this post for ideas:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/44048e98-b191-4d18-9839-d79ffad86f76/ldap-query-for-all-active-users?forum=winserverDS

In reply to Emma Richardson

Re: Marking disabled MS-AD users as suspended users on moodle

by Nadirshah Ferozepurwalla -

Thank you! This worked.

The solution found is:

(&(objectCategory=person)(objectClass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
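As an added example (not code from Moodle, Microsoft AD, or anyone in this thread), here is a small stdlib-only Python evaluator for the subset of LDAP filter syntax used above: AND, OR, NOT, plain equality, and the AD bit-AND extensible match on userAccountControl (rule OID 1.2.840.113556.1.4.803, mask 2 = ACCOUNTDISABLE). It runs the group filter, a naive equality-based exclusion, and the final filter from this thread against a constructed directory, which shows why the bit-AND rule is needed: a disabled account with extra flags set (for example "password never expires") has a userAccountControl other than 514 and slips past a plain equality test. The entries, DNs and the MoodleUser group DN are constructed sample data, not real directory content.

```python
"""Added example: a stdlib-only evaluator for the LDAP filter subset used in
the thread, so you can check offline which entries a sync filter would return.
Entries, DNs and the group name are constructed sample data (assumptions).
"""
from __future__ import annotations

# userAccountControl flag values documented by Microsoft
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def parse_filter(text: str) -> tuple:
    """Parse a parenthesised filter (&, |, !, attr=value, attr:rule:=value) into a tuple tree."""
    pos = 0

    def parse() -> tuple:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":                       # n-ary AND / OR
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":                      # unary NOT
            pos += 1
            node = ("!", parse())
        else:                                # leaf item (no escaped ')' supported)
            end = text.index(")", pos)
            item = text[pos:end]
            pos = end
            if ":=" in item:                 # extensible match: attr:OID:=value
                lhs, value = item.split(":=", 1)
                attr, rule = lhs.split(":", 1)
                node = ("ext", attr.lower(), rule, value)
            else:                            # simple equality: attr=value
                attr, value = item.split("=", 1)
                node = ("eq", attr.lower(), value)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node: tuple, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry (lower-case attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = [str(v) for v in entry.get(node[1], [])]
    if kind == "eq":                         # case-insensitive, like AD string matching
        return node[2].lower() in (v.lower() for v in values)
    if kind == "ext":
        rule, mask = node[2], int(node[3])
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError(f"unsupported matching rule {rule}")
        # bit-AND rule: matches when every bit of the mask is set in the value
        return any((int(v) & mask) == mask for v in values)
    raise ValueError(f"unknown node kind {kind}")


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(uac & ACCOUNTDISABLE)


GROUP_DN = "cn=MoodleUser,ou=people,dc=example,dc=com"   # assumed group DN
# Constructed sample directory. objectCategory is stored as its short name here;
# real AD stores a schema DN but accepts the short name in filters.
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,ou=people,dc=example,dc=com", "objectcategory": ["person"],
     "objectclass": ["top", "person", "user"], "memberof": [GROUP_DN],
     "useraccountcontrol": [NORMAL_ACCOUNT]},                                   # 512, active
    {"dn": "cn=bob,ou=people,dc=example,dc=com", "objectcategory": ["person"],
     "objectclass": ["top", "person", "user"], "memberof": [GROUP_DN],
     "useraccountcontrol": [NORMAL_ACCOUNT | ACCOUNTDISABLE]},                  # 514, disabled
    {"dn": "cn=carol,ou=people,dc=example,dc=com", "objectcategory": ["person"],
     "objectclass": ["top", "person", "user"], "memberof": [GROUP_DN],
     "useraccountcontrol": [NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD]},  # 66050, disabled
    {"dn": "cn=ws01,ou=computers,dc=example,dc=com", "objectcategory": ["computer"],
     "objectclass": ["top", "person", "user", "computer"],
     "useraccountcontrol": [0x1000]},                                           # WORKSTATION_TRUST_ACCOUNT
]

GROUP_FILTER = f"(|(&(objectClass=user)(!(objectClass=computer))(memberOf={GROUP_DN})))"
NAIVE_FILTER = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl=514)))"
FINAL_FILTER = ("(&(objectCategory=person)(objectClass=user)(!(objectclass=computer))"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def select(filter_text: str, entries: list[dict]) -> list[str]:
    """Return the DNs of the entries a sync job using this filter would pull."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for name, flt in [("group", GROUP_FILTER), ("naive", NAIVE_FILTER), ("final", FINAL_FILTER)]:
        print(f"{name:6s} -> {select(flt, SAMPLE_ENTRIES)}")
```

Running it shows the group filter returning alice, bob and carol (membership says nothing about the disabled bit), the naive equality filter still returning carol, and the final filter returning only alice. The same parser can be pointed at an export of your own object-class setting to confirm what it will and will not exclude before the sync task runs.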