LDAP authentication troubleshooting

by Fran Johnson -
Number of replies: 5

Greetings,

I’m working with Moodle version 3.7.1, Windows web server 2016 and Microsoft SQL server 2016. I’m trying to set up LDAP synced to AD. I’ve gone through settings many times and think it is correct, and when I hit ‘test settings’, I get ‘Connecting to your LDAP server was successful’. However, I’m not able to login using a network account.

I’ve run ‘LDAP users sync job’ with varying results. It usually exits before completing, but once it loaded usernames into the Users table in an incorrect format. This caused Cron to hang up the site each time it ran, and I eventually had to delete those users out of the Users table to get Cron working again.

I spoke with a fellow Moodle admin yesterday who didn’t use the sync job and recommended going the User attribute route. I’ve been experimenting with those settings all morning but still no luck.

Any ideas?

Thanks!!


In reply to Fran Johnson

Re: LDAP authentication troubleshooting

by Howard Miller -
My starting point with LDAP problems is to (temporarily) forget Moodle. Find an LDAP client that will run on the same server as Moodle and do some queries using that. They generally provide much better error handling than Moodle will.

I'm not a Windows user so I'm not able to recommend a particular application.
In reply to Fran Johnson

Re: LDAP authentication troubleshooting

by Leon Stringer -

What have you got in the User attribute field (on the LDAP server settings page)? For AD this would normally be either sAMAccountName (the NT4-style username without the DOMAIN\ prefix) or userPrincipalName (the Win2000-style username, e.g. username@domain.ext). The username needed in Moodle for AD users will vary depending on the user attribute value.

As Howard suggests, an LDAP browser allows you to test the values Moodle will use for connecting to the AD server and lets you see what's returned, i.e. which users and their attribute values.

(For next time: there's a forum specifically for authentication such as LDAP).


In reply to Leon Stringer

Re: LDAP authentication troubleshooting

by Fran Johnson -
@Howard Miller, thanks for the suggestion! I've set up Softerra on my computer and the web server to view AD settings. It's been very insightful but seems to be connecting to AD, no problem. On the site, I've played with the Distinguished name and Contexts settings, even trying to use a privileged account - no luck yet. When I run test settings, it always connects but I can't log a user into the site.
@Leon Stringer - I've mostly been keeping sAMAccountName in the User Attribute field but also experimented with userPrincipalName at your suggestion and logging in via email addresses; no luck.

One more piece of the puzzle: when I run the LDAP sync job using Cron under scheduled tasks, I get the following:
Execute scheduled task: LDAP users sync job (auth_ldap\task\sync_task)
... started 08:02:18. Current memory use 20.2MB.
Connecting to LDAP server...
Creating temporary table tmp_extuser
Did not get any users from LDAP -- error? -- exiting
... used 8 dbqueries
... used 0.13186001777649 seconds
Scheduled task complete: LDAP users sync job (auth_ldap\task\sync_task)

Thanks for the suggestions!
In reply to Fran Johnson

Re: LDAP authentication troubleshooting

by Leon Stringer -

The simplest explanation for the "Did not get any users from LDAP" message is that the configuration in Moodle doesn't return any users from LDAP, and the two settings that come to mind are:

  1. Contexts – this contains one or more points in the AD tree where users are to be read from, e.g. cn=Users,dc=example,dc=corp. What do you have for this? (You can hide/change names you don't want to post publicly). You normally want this to be a container or OU with human users only, otherwise the sync script will create Moodle accounts for administrator or service accounts.
  2. Object class – the documentation says "unless you need something special, you don't need to fill this in". Is this blank or something else?

Just a note that userPrincipalName isn't the email address; it's the Windows 2000-style username, which is normally different. You can use the email address if this is an attribute in your AD; this may be mail. Softerra should help you find this attribute if you did want to use this.

You may want to try turning debugging on in Moodle and re-running the sync job just in case this reports any errors.

If it's still not working maybe you could share the LDAP settings page in Moodle with us? Again, hide any information you don't want to be publicly available.

In reply to Leon Stringer

Re: LDAP authentication troubleshooting

by Fran Johnson -
Oh my gosh -
For Object Class, I had listed 'users' - I had seen that somewhere while troubleshooting. I removed that, reran the scheduled task and boom - users loaded into the database!! Just tested login and it worked.
Thank you!!
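An added example (my own Python, not Moodle's code and not posted by anyone in this thread) that models the two settings Leon describes and the fix Fran found: a constructed AD subtree is searched with the Contexts, Object class and User attribute values, showing why 'users' returns nothing while a blank Object class falls back to 'user', why a context at the domain root also pulls in a computer account, and how the User attribute decides the Moodle username. The fallback default and the filter shape are assumptions about Moodle's auth_ldap, not verified against its source.

```python
# Constructed sample of an AD subtree (not a real directory). The service
# account and the computer account are included to show what the Contexts
# setting and the object-class filter each include or exclude.
SAMPLE_AD = [
    {"dn": "cn=Alice Smith,cn=Users,dc=example,dc=corp",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "asmith",
     "userPrincipalName": "asmith@example.corp", "mail": "alice@example.corp"},
    {"dn": "cn=Bob Jones,ou=Staff,dc=example,dc=corp",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "bjones",
     "userPrincipalName": "bjones@example.corp", "mail": "bob.jones@example.corp"},
    {"dn": "cn=svc-backup,cn=Users,dc=example,dc=corp",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "svc-backup",
     "userPrincipalName": "svc-backup@example.corp"},
    {"dn": "cn=WS01,cn=Computers,dc=example,dc=corp",
     "objectClass": ["top", "person", "user", "computer"], "sAMAccountName": "WS01$"},
]

def normalise_objectclass(objectclass, default="user"):
    """Assumption: an empty Object class setting falls back to the AD default
    'user'; any non-empty value is used verbatim as the objectClass to match."""
    return (objectclass.strip() or default).lower()

def in_context(dn, context):
    """Case-insensitive subtree test: the entry's DN ends with the context DN."""
    return dn.lower().endswith("," + context.lower())

def ldap_user_search(directory, contexts, objectclass, user_attribute):
    """Model of the sync job's search (&(user_attribute=*)(objectClass=X)) under
    each configured context. Returns {moodle_username: dn}, usernames lower-cased."""
    wanted = normalise_objectclass(objectclass)
    found = {}
    for entry in directory:
        if not any(in_context(entry["dn"], c) for c in contexts):
            continue  # outside every configured context
        classes = [oc.lower() for oc in entry["objectClass"]]
        if wanted != "*" and wanted not in classes:
            continue  # e.g. objectClass=users matches nothing in AD
        username = entry.get(user_attribute)
        if not username:
            continue  # no value for the attribute that becomes the username
        found[username.lower()] = entry["dn"]
    return found

if __name__ == "__main__":
    ctx = ["cn=Users,dc=example,dc=corp"]
    # 'users' as Object class -> {} (the "Did not get any users" outcome);
    # blank Object class -> asmith and svc-backup (human plus service account).
    print(ldap_user_search(SAMPLE_AD, ctx, "users", "sAMAccountName"))
    print(ldap_user_search(SAMPLE_AD, ctx, "", "sAMAccountName"))
```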