MS AD LDAP auth help please

Re: MS AD LDAP auth help please

by Leon Stringer -

Yes, run it on the Moodle web server. Just put it somewhere like /tmp or in your home directory. Then define the constants HOST_URL, BIND_DN, BIND_PW, CONTEXTS, FILTERS and ATTRIBUTES, these are the equivalents of the settings in Moodle. You might want to change define('STARTTLS', true); to be false to turn off Start TLS for now.

Then run it, e.g. php ldap_test.php and it should either list users from AD or give you an error.

In reply to Leon Stringer

Re: MS AD LDAP auth help please

by Alain Raap -
@Tyson, you can also try the command ldapsearch to test the connection with the LDAP server on your Moodle webserver:

ldapsearch -x -H "ldaps://your-ldap-server-hostname/" -b "OU=UID,DC=your-organization,DC=country" -D "CN=..,OU=..,OU=..,OU=..,DC=..,DC=your-organization,DC=country" -w '[bind user password]' -s sub "(cn=your-name-or-userid)"
In reply to Leon Stringer

Re: MS AD LDAP auth help please

by Tyson Parker -
Sorry for the delay. I was able to get the test to run and the script to run. The two issues that helped were creating another bind account in domain admin. That is terrible, but it works where the delegation version doesn't. The other issue was case sensitivity in the BIND_DN.

Now I'm trying to figure out why users can't authenticate. Is there some sort of sync that needs to occur or is it real-time authenticating against ldap? I'm more familiar with realtime from doing wireless auth and such.
In reply to Tyson Parker

Re: MS AD LDAP auth help please

by Leon Stringer -

The sync script is only needed if you want the users to exist in Moodle before they log in, useful if you want to enrol them on courses beforehand. Otherwise the accounts get created in Moodle if the user successfully authenticates via LDAP.

The authentication is real-time, so they should log in using their sAMAccountName (i.e. NT4-style username without the domain name prefix) and AD password in the Moodle username and password fields. If I remember correctly Moodle will then use the configured bind account to retrieve the user's distinguished name, i.e. that corresponding to the entered sAMAccountName and then try to bind using this DN and the submitted password. If this is successful then the user has successfully authenticated.

If the sync script is not being run, i.e. the user account doesn't already exist in Moodle, make sure Prevent account creation when authenticating isn't enabled.

If it's still not working, let us know what messages appear when attempting to authenticate.

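The two-step flow Leon describes (service-account bind, DN lookup by sAMAccountName, then a bind as that DN with the submitted password) written out as an added PHP example; this is not Moodle's auth_ldap code, and the hostname, DNs, password and CA certificate path are placeholders. It also shows the alternative to TLS_REQCERT never: pointing the client at the exported enterprise CA so the LDAPS certificate is actually verified.

```php
<?php
// Added example, not Moodle's auth_ldap plugin. All hostnames, DNs and paths are placeholders.
const HOST_URL = 'ldaps://dc01.example.internal';              // assumed FQDN; must match the cert subject
const BIND_DN  = 'CN=moodle-bind,OU=Service Accounts,DC=example,DC=internal';
const BIND_PW  = 'service-account-password';                    // placeholder
const CONTEXTS = 'OU=Users,DC=example,DC=internal';
const CA_CERT  = '/etc/ssl/certs/corp-enterprise-ca.pem';       // exported enterprise CA, assumed path

function ldap_auth_user(string $username, string $password): bool
{
    // An empty password turns the final bind into an anonymous bind, which AD accepts: reject it first.
    if ($username === '' || $password === '') {
        return false;
    }
    // Trust the exported enterprise CA instead of disabling verification with TLS_REQCERT never.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_CERT);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect(HOST_URL);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals that break searches
    // For a plain ldap:// URL with Start TLS enabled, call ldap_start_tls($ds) here instead.

    // Step 1: bind with the service account (the "bind account" in Moodle's LDAP settings).
    if (!@ldap_bind($ds, BIND_DN, BIND_PW)) {
        error_log('Service bind failed: ' . ldap_error($ds));
        ldap_close($ds);
        return false;
    }
    // Step 2: look up the user's DN by sAMAccountName; escape the value so it cannot alter the filter.
    $filter  = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $res     = ldap_search($ds, CONTEXTS, $filter, ['dn']);
    $entries = $res ? ldap_get_entries($ds, $res) : ['count' => 0];
    if ($entries['count'] !== 1) {
        ldap_close($ds);
        return false;   // unknown or ambiguous account
    }
    $userDn = $entries[0]['dn'];
    // Step 3: bind as the user's own DN with the submitted password; success means authenticated.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_close($ds);
    return $ok;
}
```

Run it from a small wrapper on the Moodle web server (the same place as ldap_test.php) to confirm the certificate chain is accepted before turning LDAPS back on in Moodle.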
In reply to Leon Stringer

Re: MS AD LDAP auth help please

by Tyson Parker -
Thank you. I do actually need to load all the faculty and students into their classes in advance. So I'll need to try that script out.
I was able to get a test faculty to authenticate, however I couldn't change the password... which is a big thing. I got LDAPS enabled on the Windows AD server via the enterprise CA route. Tested it with LDP. That works. Now I can't get Moodle to connect over LDAPS again, probably a self-signed cert thing. I am unclear reading the various other posts about this how to make that work. Linux is not one of my skill sets, I end up googling every step.

So I'm hoping there is a clear way to allow the Moodle server on Ubuntu to ignore the self-signed cert now?
In reply to Tyson Parker

Re: MS AD LDAP auth help please

by Emma Richardson -
Yes, there is - I have had to use the "TLS_REQCERT never" setting on my Linux servers too.
In reply to Emma Richardson

Re: MS AD LDAP auth help please

by Tyson Parker -
Emma, thank you, I modified ldap.conf with TLS_REQCERT allow. I also had to change the BIND_DN to FQDN vs IP. Due to the odd way our network was, I had to fix some DNS as well.

So I was able to get it working.
To quickly summarize all the fixes for others...
Linux to Microsoft AD required:
Adding an enterprise CA to the Microsoft domain controller to support LDAPS.
DNS had to resolve the name correctly (seems obvious, but not everyone uses DNS behind the scenes).
BIND DN in Moodle had to use the FQDN.
Case-sensitive entries for all the LDAP configuration on the Moodle side.
On the domain controller when I loaded all the names, the passwords you load must meet complexity requirements, and in my case would not work if I had "change on first sign on" checked.
Had to have a bind account on the Microsoft DC with domain admin (probably way too high, but too far behind to figure out what was missing).
Modify ldap.conf in /etc/ldap/ on the Moodle server to deal with the self-signed cert on the Microsoft server.

Now I have Moodle talking to LDAP, users can change their passwords.
Thank you for all of your help! Really appreciate this!