Not able to enable LDAP Authentication

by Boris Stankov -
Number of replies: 2

Hi guys,


I am installing a test machine to see all the possibilities of the Moodle software.

I deployed the machine pretty easily and everything is running OK (in my opinion), but as part of the test, and for a possible move to production, I have to enable the LDAP plug-in. I am trying to add MS AD authentication. However, I am getting errors when I try to test the connection:

"Test authentication settings - LDAP server

LDAP-module cannot connect to any servers: Server: 'ldap://IP_address_of_Domain_controller:389', Connection: 'Resource id #574', Bind result: "

The same error appears whatever I try to do. If I switch to LDAPS it is the same, or the id changes from time to time to #572 without any configuration change.

I tested my bind credentials with ldp.exe from the DC and it works fine. 

I am not able to find any error message anywhere else: neither in php_error.log nor in the DB, as the link suggests, if I try to log in anywhere on the web with an AD account:

"LDAP-module cannot connect to any servers: Server: 'ldap://IP_address_of_Domain_controller:389', Connection: 'Resource id #18', Bind result: ''

More information about this error"



Could you please help me troubleshoot this issue?

Regards!



In reply to Boris Stankov

Re: Not able to enable LDAP Authentication

by Leon Stringer -
If the Moodle server is Linux and the web server is Apache, check that SELinux isn't enforcing with the command getenforce. If it is, try setsebool -P httpd_can_network_connect 1 to allow Apache to make the LDAP connection.

The domain controller will use a certificate signed by its own authority which the Moodle server can't verify. Try adding TLS_REQCERT ALLOW to ldap.conf (in /etc/openldap/ldap.conf on CentOS, C:\openldap\sysconf\ldap.conf on Microsoft Windows).

If I may, some further advice:

  1. I think Use TLS: Yes + ldap://… (not ldaps://…) is preferred over Use TLS: No + ldaps://…. I normally put the AD domain name, e.g. domain.int, in the Host URL field (no ldap:// or ldaps://) and leave it up to AD's DNS to return a domain controller.
  2. LDAP encoding should be "utf-8"; cp1250 etc. is only used if Version is "2".
  3. I think Member attribute and Object class should both be blank. They'll then use defaults based on the User type setting. An Object class of "*" could potentially return computer accounts, which you definitely don't want.

If there are still issues getting this to work, please let us know more about the environment: Moodle version, web server type (e.g. Apache, Nginx, IIS), server operating system, PHP version.


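A small preflight check for the two causes Leon raises above (SELinux blocking outbound connections from Apache, and the OpenLDAP client's handling of the domain controller's certificate). This is an added example, not Moodle or auth_ldap code; the getenforce/getsebool output and the ldap.conf content are constructed samples, and the function names are my own. It also flags that TLS_REQCERT allow (or never) makes the bind succeed without verifying the DC certificate, so pointing TLS_CACERT at the domain's CA is the setting to prefer once things work.

```python
import re

# Constructed sample output, as on a CentOS host where Apache cannot open
# outbound sockets (the situation in the first post).
GETENFORCE_OUT = "Enforcing\n"
GETSEBOOL_OUT = "httpd_can_network_connect --> off\n"
# Constructed /etc/openldap/ldap.conf after applying the TLS_REQCERT ALLOW tip.
LDAP_CONF = "# OpenLDAP client defaults\nTLS_REQCERT allow\n"

def selinux_blocks_httpd(getenforce_out, getsebool_out):
    """True when SELinux is Enforcing and httpd_can_network_connect is off,
    the combination that silently stops ldap_connect() from Apache/PHP."""
    mode = getenforce_out.strip().lower()
    m = re.search(r"httpd_can_network_connect\s*-->\s*(on|off)", getsebool_out)
    boolean_on = bool(m and m.group(1) == "on")
    return mode == "enforcing" and not boolean_on

def parse_ldap_conf(text):
    """Map directive name (upper-cased) to value; comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf

def tls_verification(conf):
    """Classify how the client treats the DC certificate.
    'unverified': never/allow accept an untrusted or forged certificate;
    'verified': try/demand/hard (demand is the default) with a CA file or
    directory configured here; 'needs-ca': demand/hard but no CA configured,
    so the bind only works if the system store already trusts the DC's CA."""
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        return "unverified"
    if "TLS_CACERT" in conf or "TLS_CACERTDIR" in conf:
        return "verified"
    return "needs-ca"

def diagnose(getenforce_out, getsebool_out, ldap_conf_text):
    """Return findings for the two causes discussed in the thread."""
    findings = []
    if selinux_blocks_httpd(getenforce_out, getsebool_out):
        findings.append("selinux: run setsebool -P httpd_can_network_connect 1")
    verdict = tls_verification(parse_ldap_conf(ldap_conf_text))
    if verdict != "verified":
        findings.append("tls: " + verdict + " (prefer TLS_CACERT pointing at the DC's CA)")
    return findings

if __name__ == "__main__":
    for finding in diagnose(GETENFORCE_OUT, GETSEBOOL_OUT, LDAP_CONF):
        print(finding)
```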
In reply to Leon Stringer

Re: Not able to enable LDAP Authentication

by Boris Stankov -
Hi Leon,

Thanks a lot for the notes!
I managed to make it work. I forgot about SELinux, which turned out to be the problem in my case. I disabled it for my test env and put the full DN for the Bind user, and then it worked. Now I am able to log in with MS AD to the system.