User not available on this site LDAP Moodle 3.8 Error ID 5???

by Malcolm Beasley -
Number of replies: 1

Hi folks from lock down in Australia. Long time lurker, first time poster.

Context: Ubuntu 18.04, PHP 7.2 with all necessary mods accessible, Moodle 3.8 which returns system environments and processes all working optimally.

LDAP connection between this and Windows AD tested and performing: existing users' password changes on AD are reflected on Moodle login. Have written another PHP routine to determine successful ldap_connect(), all fine; ldap_bind() no problems.

Problem:

Just recently, and of course at the most inconvenient time due to remote learning, we are having new users in our AD not being able to access Moodle through LDAP. Simply, the accounts are not being created in the Moodle DB.

BTW This has worked flawlessly for 5 years.

I originally thought it was me integrating Office 365 using that wonderful block so students could have a SSO sort of experience between Office365 and Moodle and have Moodle in their teams app. All worked great with Azure AD and did NOT use oidc connect authentication, students chose to connect their accounts if they wished. Sounded great and worked on this for a couple days - beautiful, kids loved it.

Then the new users all of a sudden could not log in - coincidence? 

Yes! 

I have completely uninstalled Office365 integration and OIDC authentication plugins but the same problem is in the logs: 

User login failed
Login failed for user 'testmood0001'. User is not authorised (error ID '5').

So Office integration was not the culprit; OIDC is uninstalled, so not it either. The only authentication plugins enabled are manual and LDAP, the latter having 2600+ enabled and successful logins.

I have gone through all the mapping in the Moodle LDAP plugin settings: sAMAccountName etc. The context all works, as password updates on AD work for LDAP-authenticated users. I thought that the mail mapping had changed in our AD on Azure/Office365 integration on the Windows side, so I changed that mapping to userPrincipalName, as the email is now null in our Office365/Azure integration. Ready to go...

Nup, didn't work; same log errors.

New users on Windows AD are mapped exactly as existing users, same attributes, same OU, same DC, but will not be authorised. Spent three days now having to create manual accounts for these new AD users, as they need to be online and working while I try to debug.

Also, running the CLI:

/usr/bin/php moodle/admin/cli/cron.php

I get a failure:

Execute scheduled task: LDAP users sync job (auth_ldap\task\sync_task)

... started 14:30:47. Current memory use 15.2MB.

Connecting to LDAP server...

Default exception handler: Coding error detected, it must be fixed by a programmer: A lock was created but not released at:

[dirroot]/lib/cronlib.php on line 99

etc. etc. You know the drill: the task has failed. Nothing has changed in any environment, so now I am stumped.

Any help with this mysterious error ID 5, "the account is not available" (the only reference I can find is in git repositories), and why it happens, would be so wonderful.

I thank you in anticipation.

Malcolm Beasley

In reply to Malcolm Beasley

Re: User not available on this site LDAP Moodle 3.8 Error ID 5???

by Malcolm Beasley -
So of course it's solved: check the "Prevent account creation when authenticating" setting to Yes.
authpreventaccountcreation
Default: No
When a user authenticates, an account on the site is automatically created if it doesn't yet exist. If an external database, such as LDAP, is used for authentication, but you wish to restrict access to the site to users with an existing account only, then this option should be enabled. New accounts will need to be created manually or via the upload users feature. Note that this setting doesn't apply to MNet authentication.

I was so worried about corrupting the AD when integrating Office365 that anything with the words "external database" or "LDAP" I said no to and went with the default (after years of it working fine in a configuration I set up!!).
Of course, as I drilled into it, all a flutter, did I scroll past ldap or openidconnect and read under all the authentication options???
I, of course, did not.
A simple solution, and I am kicking myself. It took a fresh pair of eyes from a non-Moodle person to see it.
It is a salient lesson that the more sophisticated we get with the innards of this project, the more forest we see; the simpler trees often hide in plain view.
If you have read this and had a laugh, please respond. I guess we are all feeling a bit isolated and hugely responsible for others at the moment.
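The thread's confusion came from reading "User is not authorised" as an authentication failure when it is an authorisation decision taken after the LDAP bind has already succeeded. The model below is an added example, not Moodle's own code, that separates the two steps and shows why `authpreventaccountcreation` only bites for users who have no row in the Moodle user table yet. The `Site` class, its directory and user sets, and the bind-failure message are constructed for the demo; the error ID 5 text is taken from the log line quoted above, and `blocking_settings` reads a `{name: value}` dict in the shape of `mdl_config` rows (values stored as strings, `auth` as a comma-separated list of enabled plugins).

```python
"""Model of the two steps behind a Moodle LDAP login: authentication (LDAP bind)
and authorisation (may this account use the site?). Added example, not Moodle code.
"""
import re
from dataclasses import dataclass, field

# Constructed copy of the event line from the original post.
SAMPLE_LOG = "Login failed for user 'testmood0001'. User is not authorised (error ID '5')."
ERROR_ID_NOT_AUTHORISED = 5   # the only error ID the thread shows

_ERROR_ID_RE = re.compile(r"error ID '(\d+)'")


def parse_error_id(log_line):
    """Return the numeric error ID from a 'User login failed' event line, or None."""
    m = _ERROR_ID_RE.search(log_line)
    return int(m.group(1)) if m else None


@dataclass
class Site:
    """Tiny stand-in for a Moodle site plus its LDAP directory (both constructed)."""
    # sAMAccountName -> password, standing in for the AD bind check
    directory: dict = field(default_factory=dict)
    # usernames that already have a row in the Moodle user table
    users: set = field(default_factory=set)
    # the admin setting the thread turned out to hinge on
    authpreventaccountcreation: bool = False

    def ldap_bind(self, username, password):
        """Authentication step: does the directory accept these credentials?"""
        return self.directory.get(username) == password

    def login(self, username, password):
        """Return (ok, message). A good bind is necessary but not sufficient."""
        if not self.ldap_bind(username, password):
            # Constructed message; the thread never shows a bind failure.
            return False, f"Login failed for user '{username}'. LDAP bind rejected."
        if username in self.users:
            # Existing account: the setting below is never consulted.
            return True, f"User '{username}' logged in."
        # No local row yet: auto-create unless the admin has forbidden it.
        if self.authpreventaccountcreation:
            return False, (f"Login failed for user '{username}'. "
                           f"User is not authorised (error ID '{ERROR_ID_NOT_AUTHORISED}').")
        self.users.add(username)
        return True, f"User '{username}' logged in (account auto-created)."


def blocking_settings(config_rows):
    """Given {name: value} as stored in mdl_config (values are strings), list the
    settings that stop a brand-new LDAP user from getting an account."""
    found = []
    if config_rows.get("authpreventaccountcreation") == "1":
        found.append("authpreventaccountcreation")
    enabled = config_rows.get("auth", "").split(",")
    if "ldap" not in enabled:
        found.append("auth (ldap not enabled)")
    return found


if __name__ == "__main__":
    site = Site(directory={"existing01": "pw", "testmood0001": "pw"},
                users={"existing01"},
                authpreventaccountcreation=True)
    print(site.login("existing01", "pw"))       # existing user: fine either way
    print(site.login("testmood0001", "pw"))     # new user: bind ok, still error ID 5
    site.authpreventaccountcreation = False
    print(site.login("testmood0001", "pw"))     # setting off: account auto-created
    print(blocking_settings({"auth": "manual,ldap", "authpreventaccountcreation": "1"}))
    print(parse_error_id(SAMPLE_LOG))
```

The useful diagnostic habit this encodes: when the 2600 existing LDAP users keep working and only accounts created after a given date fail, the bind and attribute mapping are already proven, so look at the settings that act on the "no local account yet" branch before touching the LDAP side.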