i.e. Student1 is a member of a group in AD called "Moodleusers"
he is allowed to log into Moodle
i.e. Student2 (in the same OU on AD) is not a member of "Moodleusers"
he is NOT allowed to log into Moodle
Maybe that's the point of a security group in AD, but there are other LDAP servers and environments out there, and Moodle tries to play with them too.
Anyway, if you use a recent version of Moodle (1.8.x or 1.9.x newer than 2008.08.25) you should be able to specify a full LDAP filter in the objectClass field. For example, you could specify something like:
and only the users belonging to that particular security group (make sure you write the full distinguished name of the group, as Active Directory requires it) should be able to log in to Moodle. This filter can be extended to specify any number of additional conditions.
By the way, the LDAP filter feature is not specific to Active Directory.
Edit: I have just checked this and it seems the filter is only used for bulk user operations (syncing, etc.) but not for individual logins. I'll see if I can come up with a patch for this case too...
The attached patch covers the normal logins too. Can you please test it?
I have something like:
How would I specify cn's for Students-2009, Students-2010 and Students-2011?
Probably "cn" would be "cn" (common name) for all students.
Something like this should do it (everything in a single line, it might appear wrapped here):
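Added example, not part of the original thread and not Moodle's own code: a small Python helper that builds a single-line filter of the kind discussed above for one or several groups, escaping each group DN per RFC 4515. The use of AD's `memberOf` attribute, the `user` object class and every DN shown (`OU=Groups,DC=example,DC=com`) are assumptions and constructed placeholders.

```python
# Added example: build an Active Directory group-membership filter for the
# objectClass field discussed in this thread. All DNs are constructed placeholders.

# AD's LDAP_MATCHING_RULE_IN_CHAIN: also matches membership via nested groups.
NESTED_RULE = '1.2.840.113556.1.4.1941'


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))  # e.g. '(' becomes '\28'
        else:
            out.append(ch)
    return ''.join(out)


def group_login_filter(group_dns, object_class='user', nested=False):
    """Return a filter matching object_class entries that are in ANY listed group."""
    if not group_dns:
        raise ValueError('at least one group DN is required')
    attr = 'memberOf:%s:' % NESTED_RULE if nested else 'memberOf'
    clauses = ['(%s=%s)' % (attr, escape_filter_value(dn)) for dn in group_dns]
    # A single group needs no OR wrapper; several groups are OR'ed together.
    members = clauses[0] if len(clauses) == 1 else '(|%s)' % ''.join(clauses)
    return '(&(objectClass=%s)%s)' % (escape_filter_value(object_class), members)


# Constructed sample input: the three year groups asked about above.
BASE = 'OU=Groups,DC=example,DC=com'
YEAR_GROUPS = ['CN=Students-%d,%s' % (year, BASE) for year in (2009, 2010, 2011)]

if __name__ == '__main__':
    print(group_login_filter(['CN=Moodleusers,' + BASE]))
    print(group_login_filter(YEAR_GROUPS))
    print(group_login_filter(YEAR_GROUPS, nested=True))
```

Plain `memberOf` matches only direct membership and never a user's primary group, so an account that reaches a group only through nesting is rejected unless the `nested=True` form is used.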