LDAP error for a few users

by andrew dixon -

I am running Moodle 3.7.4+ on Ubuntu 16.04, authenticating against MS AD. I have two teachers that are unable to log in using their LDAP username/password. I have verified that the user/pass combination is correct and that the accounts are in the correct OU in Active Directory. Both of the accounts in question are able to log in to the two other services that we have set up to authenticate against LDAP with no issues whatsoever. Additionally, I can connect to the domain with AD Explorer using the user/pass combinations in question. Neither account has expired.


If I rename the accounts in AD I am then able to log into Moodle with the LDAP credentials. I do not want this to be a permanent fix as that would leave the users in question with non-standard usernames.


So far, I have restarted the Moodle server, purged all the caches through server administration as well as deleted the cache and local_cache directories in /moodledata.

Running out of ideas here. Any suggestions?

In reply to andrew dixon

Re: LDAP error for a few users

by Emma Richardson -
Are there non-standard characters in their usernames? Have you enabled non-standard characters in Moodle? What is the error message you get when they try to log in? Can other users in the same OU log in successfully?
In reply to Emma Richardson

Re: LDAP error for a few users

by andrew dixon -
There are no non-standard characters in the username. Many other users in the same OU can log in. In fact, at one point these users were able to log in with LDAP.

The error message that appears in the logs is "moodle login failed error id '3'"
In reply to andrew dixon

Re: LDAP error for a few users

by Emma Richardson -
Ok, so that is normally a failed password but here are some things that I have found will also interfere with logins - check the following:
1. Is password change required checked in AD? Turn this off.
2. Are all the required fields filled out in their profile? I have found a missing Display Name will stop a log in.
However, you said if you change the username in AD, then the login works (it is creating a new account when you do that I suspect). So, in that case, it about has to be an issue in the Moodle side.
3. Is the account suspended in Moodle for some reason? Check the user profile in Moodle and see if it is suspended.
4. Check the authentication type in Moodle - is it possible this got changed to manual and Moodle does not have a password recorded for the user?
5. Make sure something is not locked in their profile, preventing an update of their account.
Report back!!
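
The Moodle-side checks in items 3 and 4 above can also be read directly from the user table. This query is an added example, not part of the original posts; it assumes the default `mdl_` table prefix and MySQL/MariaDB or PostgreSQL, and `jdoe` is a constructed placeholder for the affected username.

```sql
-- Added example; 'jdoe' is a constructed placeholder for the affected username.
-- Assumes the default mdl_ table prefix and MySQL/MariaDB or PostgreSQL.
SELECT
    id,
    username,
    CHAR_LENGTH(username) AS username_len,  -- exposes stray leading/trailing whitespace
    auth,
    mnethostid,
    CASE WHEN suspended = 1 THEN 'SUSPENDED'   ELSE 'ok' END AS suspended_check,  -- item 3
    CASE WHEN auth <> 'ldap' THEN 'NOT LDAP'   ELSE 'ok' END AS auth_check,       -- item 4
    CASE WHEN deleted = 1   THEN 'DELETED'     ELSE 'ok' END AS deleted_check,
    CASE WHEN confirmed = 0 THEN 'UNCONFIRMED' ELSE 'ok' END AS confirmed_check
FROM mdl_user
-- Match regardless of case or padding so near-duplicate rows show up too.
WHERE LOWER(TRIM(username)) = 'jdoe'
ORDER BY deleted, id;
```

More than one row for the same name, or a `username_len` longer than the name itself, points at the stored record rather than at AD.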
In reply to Emma Richardson

Re: LDAP error for a few users

by andrew dixon -
1. No, password change is not required.
2. Yes, all of the required fields are there. Simply switching the account to manual and setting a password allows the account to log in. Yes, when I change the AD account name it creates a new account on Moodle the first time that account logs on.
3. No, the account is not suspended.
4. Authentication type is set to LDAP.
5. I find no difference in AD attributes between the affected user accounts and working accounts. Creating a new account with the same username does not fix the issue.

I strongly suspect the issue is on the Moodle side of the equation.
In reply to andrew dixon

Re: LDAP error for a few users

by Emma Richardson -
When you created a new account was it in AD or Moodle? Does the Moodle account have data attached that you need to save or can you delete out the account on the Moodle side? It definitely sounds like it is on the Moodle side - have you looked at the user in the database to see if anything looks out of the ordinary there? Maybe clear the password field...
In reply to Emma Richardson

Re: LDAP error for a few users

by andrew dixon -
The new account was created on the AD side.

The user has data that I would rather not lose. Setting the account to manual login, and changing the account name in Moodle still does not allow the user to log in with the correct AD username.

I have looked at the user table in the database, and nothing seems out of the ordinary. I have cleared the password field.
In reply to andrew dixon

Re: LDAP error for a few users

by Emma Richardson -
Do you want to connect over video quickly? I am pretty sure some field is out of whack somewhere but it would be a lot quicker to just talk it through or have you show me - no charge! Email me at emmar@ecboces.org - I am sure we can figure this out...
In reply to andrew dixon

Re: LDAP error for a few users

by andrew dixon -

Still stuck on this issue. Entering an incorrect user password does not change the Badpassword attribute in Active Directory for the two users in question. Entering an incorrect password on another LDAP-enabled site updates the bad password attribute for the users.

Also, entering a bad password for a working LDAP account on the site updates the attribute in AD.


It does not appear that Moodle is sending auth requests to LDAP for these accounts, even though they are both set to LDAP in their profiles. If it is sending to LDAP, it is not using the username stored in the mdl_user table.

In reply to andrew dixon

Re: LDAP error for a few users

by andrew dixon -

I have even gone so far as to delete one of the offending accounts, and try to log in (creating a new account in the process.) I still receive invalid account id '3'