Moodle in English: LDAP sync unenrols users from classes

Hello all:

I have a moodle test (almost production) installation using LDAP authentication with MS Active Directory.

The problem is when a new user is recluted, I'll first have to create an AD user account, but most users don't login to the moodle site as their first task, and the training people wants the user active in moodle to enrol him to courses. At this point, I run the auth_ldap_sync_users.php script, but when I do it, this unenrols all users from courses, and even the ldap admins I had assigned dissapear.

What can I do to preserve the current enrols of users and admins?

Saludos!

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Iñaki Arenaza - Sunday, 19 February 2006, 7:52 PM

auth_ldap_sync_users.php only unenrols users (students and/or teachers) when the internal Moodle users that are flagged as 'ldap' users are not present in the external LDAP context you specified for the user search.

Are you using multiple search contexts?

Saludos. Iñaki.

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Jose Orozco - Monday, 20 February 2006, 11:32 AM

I use 3 diferent search contexts in LDAP, but a few minutes ago I made some tests with only 1 search context and the result is the same: all users all unenroled (teachers and students).

My moodle version is: Moodle 1.5.3+ (2005060230)
The enrolment configuration I'm using is Internal.

By the way, if someone has a functional auth_ldap_sync_users.php and lib.php please post it to compare with mine.

Saludos!

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Martín Langhoff - Monday, 20 February 2006, 1:36 PM

By the way, if someone has a functional auth_ldap_sync_users.php and lib.php please post it to compare with mine.

The copies in 1.5.3+ are correct. If you have any concerns that your files are broken, get a new download and compare it with what you have installed using a diff program (diff on linux, windiff or winmerge on windows).

There must be something odd in your configuration. Tell us more about how auth/ldap is configured...

Hmmm.

When you run auth_ldap_synch it will produce a lot of output. Capture it doing

    php4 /path/to/mooodle/auth_ldap_synch.php > logfile.txt

Now open logfile.txt. What does it say? If auth/ldap is misconfigured just-the-right-way, it could be deleting all the users and creating them again.

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Steve Power - Monday, 20 February 2006, 9:41 PM

I had similar grief when I ran the auth_ldap_synch.php. It deleted all my active users, but did not recreate them. Fortunately I only had about 20 active at the time so I was able to edit the database to re-enable them and re assign them as teachers fairly easily. Since then I have not had the time to investigate this further and as my site has got busier I have not been brave enough to try again.

Steve

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Jose Orozco - Tuesday, 21 February 2006, 3:27 AM

In fact Martín, that's exactly happening here. All the user's are being deleted and then re-created, this is part of the logfile:

Configuring temp table

connecting to ldap

+ 377 users

+ 15 users

+ 94 users

User entries to remove: 301

<div class="notifyproblem" align="center">Se ha borrado </div><br /> //Deleted ;)

.... ....

User entries to add: 486

Revived user somuser with idnumber 1103 id 3

... ...

<div class="notifyproblem" align="center">Error: Turn off debugging to hide this error.</div><br />

<div class="notifyproblem" align="center">SELECT * FROM exp_user WHERE idnumber = '' AND deleted = '1'</div><br />

<div class="notifyproblem" align="center">Found more than one record in get_record_sql !</div><br />

<pre>Array

(

[17] => Array

(

[id] => 17

[0] => ldap

[auth] => ldap

[1] => 1

[confirmed] => 1

[2] => 0

[policyagreed] => 0

[3] => 1

[deleted] => 1

[4] => ALM-WKST01$

[username] => ALM-WKST01$

.....

ldap_host_url: dyg-dply02

ldap_version: 3

_________

ldap_preventpassindb: Yes

ldap_bind_dn: cn=Auditor,ou=Services Accounts,dc=yakult,dc=com,dc=mx

ldap_bind_pw: *********

_________

ldap_user_type: MS ActiveDirectory

ldap_contexts: ou=Matriz,ou=DYG,dc=yakult,dc=com,dc=mx;ou=Atencion a Clientes,ou=DYG,dc=yakult,dc=com,dc=mx;ou=Sucursales,ou=DYG,dc=yakult,dc=com,dc=mx

ldap_search_sub: Yes

ldap_opt_deref: No

ldap_user_attribute: sAMAccountName

ldap_memberattribute:

ldap_objectclass: Person (I use this to look only for users and not computers in the AD contexts)

_________

Force change password: No

User standard Change Password Page: No

_________

ldap_expiration: LDAP

ldap_expiration_warning: 10

ldap_exprireattr:

ldap_gacelogins: No

ldap_graceattr:

_________

ldap_create_context:

_________

ldap_creators:

_________

All data mappings are:

Update local: On every login

Update external: Never

Lock value: locked

First name: fivenName

Last name: sn

Email address: userPrincipalName

Phone 1: telephoneNumber

Departament: ou

Description: description

ID number: physicalDeliveryOfficeName (internally in the AD we use this field to store user id's)

Language: es_mx (I know this isn't an AD field, just a test to set all users language to es_mx)

_________

Instructions:

_________

Change password URL:

Ghest login button: Hide

Enable user creation: No

Alternate Login URL:

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Iñaki Arenaza - Tuesday, 21 February 2006, 6:22 AM

ldap_objectclass: Person (I use this to look only for users and not computers in the AD contexts)

We are currently using 'user' for this, which does the Right Thing(tm).

ID number: physicalDeliveryOfficeName (internally in the AD we use this field to store user id's)

Why don't you use 'employeeNumber'? This is an standard AD field specifically created for storing 'employee' (user) IDs. The only drawback is you cannot fill this in from the 'Active Directoy Users and Computers' MMC snap-in, but you can add it with ldifde, using LDIF files or automate it with VBScript or something similar (we are using perl scripts with ADSI automation interface).

Saludos. Iñaki.

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Jose Orozco - Tuesday, 21 February 2006, 6:52 AM

Ok, I'll give a shot to the 'user' object.

With the 'physicalDeliveryOfficeName' there's nothing I can do, because all the internal software development that points to userid in AD use that object.

So, the one million dollar question: what's the cursed configuration that is deleting all the users every time I run the sync script?

Thank you

Saludos!

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Iñaki Arenaza - Thursday, 23 February 2006, 6:17 AM

I think I have the answer, but I'm not sure whether this is a bug in the code or a configuration error on your part (if I've read the code correctly).

The problem is, the code uses 'ldap_user_attribute' to search for users, when running the sync code. And then creates a temporary table where it stores all the values it get from LDAP. In your config, this is the sAMAccountName. So you only have sAMAccountName's in your temporary table.

But then, when comparing existing Moodle users when the users in the temporary table, it uses the idnumber field for the existing Moodle users. And then, unless you have mapped sAMAccountName onto the ID Number field for users, kaboom!, all your Moodle users are no longer found in the temporary table and are marked for deletion (and subsequently deleted).

As I say, I'm not sure if this in an error in the code, or in your configuration (that doesn't match what the sync code is doing/expecting).

Saludos. Iñaki.

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Martín Langhoff - Thursday, 23 February 2006, 8:49 AM

Iñaki is right, the code expects to have idnumber pointing to the unique field in LDAP. It was a bit like that before, and I made it more so when I worked on the sync code.

It allows (or should allow) username to be mapped from another LDAP field, something that in practice isn't very useful. At least the use of idnumber as the main key should be optional.

Long term the use of idnumber vs username needs to be reviewed. I suspect we went astray at some point, and things aren't 100% consistent. With the current code, as long as idnumber is populated everything works correctly.

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Steve Power - Friday, 24 February 2006, 1:14 AM

That all makes sense now. The problem I have is that I am trying to use ID number to hold staff and student ID numbers but our implementation of AD is a real mess and not under my control. Staff detail is fairly accurately stored in AD and nowhere else so I was trying to use auth_ldap_synch.php to pre-load the moodle database but since ID number is not in AD I missed it out.

From a student perspective it is even worse since we do not have their names properly in AD just a mixture of their initials and their ID number. As a result I have had to pre-load student data from a data warehouse which is fed by all college systems and which in turn feeds AD. Unfortunately there is no staff data in the warehouse.

Thanks anyway as now I can at least see a way around the problem even if it means loading ID number with the login name (sAMAccountName).

Average of ratings: -

Re: LDAP sync unenrols users from classes

by Iñaki Arenaza - Saturday, 25 February 2006, 1:04 AM

Well, this can a bit of a problem for us, as we store student's ID in that field, to later use it with en database enrollment system. Given that our students' ID has nothing to do with their LDAP usernames (the former is a pure number), we would be in trouble if we used the auth_ldap_sync.php script (we currently don't).

I may have a look at it when I have time (not much spare time recently, and I would like to push the multi-auth code first).

Saludos. Iñaki.

Average of ratings: -

Authentication

LDAP sync unenrols users from classes

LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Re: LDAP sync unenrols users from classes

Empowering educators to improve our world

Moodle

Support

Get Involved

Contributions

Downloads

Tracker

Development

Empowering educators to improve our world