I was reviewing the documentation required to configure my Moodle to use Active Directory for authentication and noticed several labels
(e.g. field_updateremote_firstname) below each of the options, as you can see in the attached picture, and was wondering what they are for.
For each field there are four settings, e.g. for the user's first name:
- auth_ldap | field_map_firstname: The LDAP attribute to map to the Moodle user's first name. With Active Directory this is normally givenName for the first name.
- auth_ldap | field_updatelocal_firstname: When to read the Moodle user's first name from the LDAP server: when the user is created only, or every time the user logs in.
- auth_ldap | field_updateremote_firstname: Whether or not Moodle should update the LDAP server if the first name is changed in Moodle. This requires the LDAP server to support this operation. I don't know if Active Directory supports this.
- auth_ldap | field_lock_firstname: Whether this field can be updated in Moodle. If the fields are being obtained from LDAP you may want to prevent changing them in Moodle. I normally set this to "Locked" so that the fields are managed on the LDAP server only.
I tried the instructions, but although the connection test to the LDAP server worked, I couldn't manage to authenticate any login.
What may I have missed?
It's important to get Atributo de usuario (auth_ldap | user_attribute) correct: this is the AD attribute used as the username when logging into Moodle. For AD this is typically sAMAccountName, which is the NT-style username (e.g. fred, not DOMAIN\fred). What attribute are you using?
You also need to ensure that the user is within the context (or contexts) provided for Contextos (auth_ldap | contexts).
If this still isn't working, tell us what happens when authentication fails. And it would be helpful to know what settings you have changed from the default on the Moodle LDAP Server configuration page. If you need to hide or remove anything you don't want to post on the Internet please provide an example value.
The error message was that the username couldn't be authenticated.
Looking for further information, I found this video, and after viewing it I was wondering if I made any error regarding mapping fields.
BTW, do you know if Moodle registers any messages regarding these problems in its log files?
At login, field mapping does not occur until after the user has been authenticated, so even if these were wrong, login should still occur.
I don't think there's any specific details in Moodle's logging for LDAP authentication. However, it's worth checking the web site error log to see if there are any errors with the PHP LDAP calls. Change Debug messages to DEVELOPER, attempt an LDAP login and check the logs.
If you know a little PHP, I wrote a command-line script, ldap_test.php, to help troubleshoot these settings. You need to set the following values (see lines 41-53):
define('HOST_URL', 'ldap://example.corp'); // Change to your URL del host (auth_ldap | host_url)
define('BIND_DN', 'cn=ldapuser,dc=example,dc=corp'); // Change to your Nombre distinguido (auth_ldap | bind_dn)
define('BIND_PW', 'password for BIND_DN'); // Change to your Contraseña (auth_ldap | bind_pw)
define('CONTEXTS', 'cn=Users,dc=example,dc=corp'); // Change to your Contextos (auth_ldap | contexts)
define('FILTERS', '(objectClass=user)'); // Don't change this.
define('ATTRIBUTES', 'sAMAccountName, givenName, sn, mail'); // Don't change this.
If Usar TLS (auth_ldap | start_tls) is "No" change:
Then run the script from the Moodle server with php ldap_test.php. It's designed to list the users from AD or give more details if the settings are wrong.
But now I am getting this error message: https://www.dropbox.com/s/c4kmut4x073u7rd/moodle-ldap-0.PNG?dl=0
After further Googling I found this tutorial https://techexpert.tips/moodle/moodle-ldap-authentication-active-directory/
and was wondering if I am missing the configuration of this part: https://www.dropbox.com/s/ybr9c1bw16684je/moodle-2.PNG?dl=0
Both Gestor context (auth_ldap | managercontext) and Creador de curso context (auth_ldap | coursecreatorcontext) map LDAP users to Moodle system roles; they won't prevent authentication. I've always left these blank. (Of course you should fill this in if you want to use this feature.)
I don't think I've seen the "Operations error" message before; however, a search suggests this may be because the context is at the root of the tree. Is there an OU (or multiple OUs) containing users within this context, e.g. "OU=users,DC=food,DC=local"? Or maybe you need to change Buscar subcontextos (auth_ldap | search_sub) to "Sí". (I admit I'm guessing a bit here.)
If this still doesn't work can you tell us more about the structure of the Active Directory domain: is it a single domain tree or is DC=food,DC=local part of a forest?
If the ldap_test.php script didn't help, try downloading a GUI LDAP browser as this will let you try these settings out and see the results.
With Active Directory, Nombre distinguido (auth_ldap | bind_dn) and Contraseña (auth_ldap | bind_pw) are mandatory (some other LDAP services do not require this). These settings specify the account details for the user Moodle will use to perform the first authentication step. Nombre distinguido can be specified as an LDAP distinguished name (e.g. cn=ldapuser,dc=example,dc=corp) or using the AD userPrincipalName (the Win2000-format name, e.g. firstname.lastname@example.org). Contraseña is the password for this account.
Again, you can test that you have valid settings for these two fields with a GUI LDAP browser: this will allow you to use these credentials to see if you can look up details of AD users that you want to authenticate in Moodle.
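As an added example (not Moodle's code and not the ldap_test.php script mentioned above), the following stand-alone Python model walks through the order in which the settings discussed in this thread are used at login: bind_dn/bind_pw, then contexts with search_sub, then user_attribute, and only after a successful user bind the field_map attributes. The directory entries, DNs and passwords are constructed sample values.

```python
"""Model of the login steps the auth_ldap settings in this thread control, run
against a small constructed directory (added example; not Moodle's own code)."""
# Constructed AD-like entries: DN -> attributes. Passwords are fake sample values.
DIRECTORY = {
    "cn=ldapuser,cn=Users,dc=example,dc=corp": {
        "objectClass": ["user"], "sAMAccountName": "ldapuser", "userPassword": "bind-secret"},
    "cn=Fred Bloggs,ou=Staff,ou=People,dc=example,dc=corp": {
        "objectClass": ["user"], "sAMAccountName": "fred",
        "userPrincipalName": "fred@example.corp", "givenName": "Fred", "sn": "Bloggs",
        "mail": "fred@example.corp", "userPassword": "fred-pw"},
}

def simple_bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def find_user(base, attribute, value, search_sub):
    """Search one context for an (objectClass=user) entry whose `attribute` equals `value`.
    With search_sub off only entries directly under the base count (no escaped-comma DNs)."""
    base = base.lower()
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base):
            continue
        rdns_below_base = dn.lower()[: -len(base) - 1].count(",")
        if not search_sub and rdns_below_base:
            continue  # entry lives in a sub-OU; invisible without search_sub
        if "user" in attrs["objectClass"] and attrs.get(attribute) == value:
            return dn
    return None

def ldap_login(settings, username, password):
    """Returns (ok, reason, mapped_fields) following Moodle's order of operations:
    bind as bind_dn, locate the user under contexts, bind as the user, map fields."""
    if not simple_bind(settings["bind_dn"], settings["bind_pw"]):
        return False, "bind_dn/bind_pw rejected", {}
    user_dn = None
    for context in settings["contexts"].split(";"):
        user_dn = find_user(context.strip(), settings["user_attribute"], username,
                            settings["search_sub"])
        if user_dn:
            break
    if user_dn is None:
        return False, "user not found under contexts", {}
    if not simple_bind(user_dn, password):
        return False, "user password rejected", {}
    # Field mapping runs only after authentication succeeded, as noted in the thread.
    fields = {k: DIRECTORY[user_dn].get(a, "") for k, a in settings["field_map"].items()}
    return True, "ok", fields
```

Running ldap_login with search_sub turned off, with a context that does not contain the user's OU, or with user_attribute set to userPrincipalName while the login name is the NT-style sAMAccountName reproduces the "user cannot be authenticated" outcome even though the bind account itself is valid.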
I finally managed to make the LDAP authentication work with the Windows Active Directory Server
with these settings: https://www.dropbox.com/s/ca9q8iiv71wdc1g/moodle-ldap-5.PNG?dl=0
However, I have noticed that Moodle is not pulling the information from the name, lastname and email LDAP fields despite using the labels givenName, sn and mail, as you can see in this picture.