LDAP Server Forest

by Alexander Döh -
Number of replies: 10

Hi,


I have a question.

In our company we have an AD with LDAP.

I can bind all users from one single domain, like Germany.

We have 30 different countries with different LDAP servers.

Now I want to bind all users from the whole company via GC. It's about 30 countries.

Is this possible?

What changes must I make to get it to work? Or isn't it possible via Moodle?

At the moment we use the following LDAP settings: ldap://xxxx.net; ldap://Serverxxx.germany.net; (these are examples). This is only for Germany and works well.

But we need all other countries connected via SPN. So the string gc://xxxx.net, as an example, doesn't work.


Thanks for any help

In reply to Alexander Döh

Re: LDAP Server Forest

by Emma Richardson -

If you have a global domain that oversees all the other domains, you can sync from there but it will be read only.

Otherwise, you need to clone the ldap plugin for each ldap server. See this post for details and scripts for creating the clones.

https://moodle.org/mod/forum/discuss.php?d=74279

In reply to Emma Richardson

Re: LDAP Server Forest

by Alexander Döh -
Hi,

A clone is no option for us.
The server admins say that we need a global catalog for Moodle.
We have a global domain over all others.
So we tried it with gc://ldapserver:3268 but this didn't work. We get a connection error back.

Thank you
In reply to Alexander Döh

Re: LDAP Server Forest

by Emma Richardson -
You just change the port - so ldap://yourserver:3268 or ldaps://yourserver:3269
In reply to Emma Richardson

Re: LDAP Server Forest

by Alexander Döh -
Doesn't work :( Tried both ports.
The AD admin thinks it will only work with the GC. Is there a plugin for GC LDAP?

Our main domain has the name xxxx.net
We made the following changes in the context: dc=xxxx,dc=net (is this right?); for the German one we use ou=de,dc=itgr,dc=net

And we tried SSO. But it doesn't work. We went through the page https://docs.moodle.org/24/en/NTLM_authentication
Is the moodle.example.ac.uk@EXAMPLE.AC.UK the website? Or which data is needed?

Thanks for your help
In reply to Alexander Döh

Re: LDAP Server Forest

by Emma Richardson -
If you are not even connecting to the ldap server, then SSO obviously is not going to work. You should probably start with installing ldap-utils on your server and start trying to get connected to the server - I think you get some better logging through that for trying to isolate where your problem is. I am presuming you can reach your ldap server from the moodle server. If your server needs gc, I guess try that. For the contexts you list them all, separated by semicolons. At least that is what I did. What error do you get when you try the test connection? No connection or bind error?
In reply to Emma Richardson

Re: LDAP Server Forest

by Alexander Döh -
No connection.
But it works fine when we use it only for Germany. Then all users have access to Moodle.
But when we want to change it to global it doesn't work anymore.

SSO would be fine if it works for Germany first. That's where our main headquarters is.
In reply to Alexander Döh

Re: LDAP Server Forest

by Emma Richardson -
So you need to have your server admin check the firewall, help you figure out why the connection is not working. Do they have the necessary ports open? I would post separately for SSO - I have never seriously tried to set that up.
In reply to Emma Richardson

Re: LDAP Server Forest

by Alexander Döh -
Hi Emma,
Sorry for the late answer.
Is it possible from Moodle to connect to a global domain with 20 subdomains?
The admin says that Moodle cannot connect to more than one domain without subdomains.
I don't think so. It must be possible to connect to the global domain.
Like so:
global.domain
     -domain1
     -domain2
     -domain3
We connect domain1 without any problems. LDAP is working fine.
But when we try to connect global.domain as the domain it doesn't work anymore. It doesn't get domain1, domain2, domain3.
So that's the question: what is going wrong then :)

Thanks

In reply to Alexander Döh

Re: LDAP Server Forest

by Emma Richardson -
Yes, it is possible. I have moodle connected to a global domain.
You need to get a utility that will help you troubleshoot the connection. Is the port open? Does your bind user have the necessary permissions on the global domain? Are you putting the correct URL in?
Just telling us you can't connect doesn't mean much; you need to start trying to isolate where the connection is going wrong - this is where the ldap utilities will help.
Have you tried connecting from the server (not through Moodle) directly to the global domain? It should just be the different port to access it. Once you make the connection, you need to add a context for each subdomain, separated by semicolons as I wrote before.
I did not have to specify gc in the URL - I just used ldap with the global domain port (3268) and it worked fine - have you tried that? I don't know what you mean by you didn't get domain1, domain2 etc. - where are you expecting to see that? Because you will not see it anywhere... once it is working, they will just be able to log in.
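The checks Emma describes (reach the GC port 3268/3269 from the Moodle host first, use an ldap:// or ldaps:// URL rather than gc://, and list one context per subdomain separated by semicolons) as a small Python helper. This is an added example, not code from Moodle or from anyone in this thread; the forest `global.domain` with its child domains and the host name `dc.global.domain` are constructed placeholders.

```python
import socket

# AD listens for one domain on 389/636 and for the whole forest (Global Catalog) on 3268/3269.
LDAP_PORTS = {"ldap": 389, "ldaps": 636, "gc": 3268, "gc-ssl": 3269}


def domain_to_base_dn(fqdn: str) -> str:
    """Map a DNS domain name to its AD base DN, e.g. xxxx.net -> dc=xxxx,dc=net."""
    labels = [label for label in fqdn.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def moodle_contexts(domains) -> str:
    """Build the auth_ldap 'Contexts' value: one base DN per (sub)domain, joined by ';'."""
    contexts = []
    for domain in domains:
        dn = domain_to_base_dn(domain)
        if dn not in contexts:  # keep order, drop duplicates
            contexts.append(dn)
    return ";".join(contexts)


def gc_url(host: str, use_tls: bool = True) -> str:
    """Moodle wants a plain ldap:// or ldaps:// URL pointing at the GC port, not a gc:// scheme."""
    scheme = "ldaps" if use_tls else "ldap"
    port = LDAP_PORTS["gc-ssl" if use_tls else "gc"]
    return f"{scheme}://{host}:{port}"


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP-level check from the Moodle host: a False here points at DNS or the firewall, not at Moodle."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers refused, timed out and unresolvable host
        return False


if __name__ == "__main__":
    # Constructed sample forest modelled on the thread: a global domain with three child domains.
    forest = ["global.domain", "domain1.global.domain", "domain2.global.domain", "domain3.global.domain"]
    print("Host URL :", gc_url("dc.global.domain"))
    print("Contexts :", moodle_contexts(forest))
    for name, port in LDAP_PORTS.items():
        state = "open" if port_reachable("dc.global.domain", port) else "closed/blocked"
        print(f"{name:7s} {port:5d}: {state}")
```

Run it on the Moodle server itself: if 389 is open but 3268/3269 report closed, the server admin needs to open the GC ports before any Moodle setting can help.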
In reply to Alexander Döh

Re: LDAP Server Forest

by Dan Marsden -
Just a quick sanity check - is it locally hosted AD, or are you using Azure AD? - if you're using Azure AD you could just be using oauth and whitelist your specific domains.