LDAP authentication (AD) - Only allow users if they are a member of a group

by J Handler -
Number of replies: 6
I have successfully installed Moodle and got it authenticating with Active Directory (AD).  Has anyone gotten it so only members of a user group are allowed to authenticate? 

i.e. Student1 is a member of a group in AD called "Moodleusers":
     he is allowed to log into Moodle.
i.e. Student2 (in the same OU on AD) is not a member of "Moodleusers":
     he is NOT allowed to log into Moodle.

Any thoughts?
In reply to J Handler

Re: LDAP authentication (AD) - Only allow users if they are a member of a group

by jake king -
This is exactly my problem. Is there no solution for this? We have completely configured an Active Directory server and have hundreds of sub-OUs, and we need Moodle to search an AD group for authentication because we cannot consolidate all Moodle users down into one OU. Isn't this the point of a security group anyway??
In reply to jake king

Re: LDAP authentication (AD) - Only allow users if they are a member of a group

by Iñaki Arenaza -
Maybe that's the point of a security group in AD, but there are other LDAP servers and environments out there and Moodle tries to play with them too ;)

Anyway, if you use a recent version of Moodle (1.8.x or 1.9.x newer than 2008.08.25) you should be able to specify a full LDAP filter in the objectClass field. For example, you could specify something like:

(&(objectClass=user)(memberOf=cn=my-security-group,cn=users,dc=my,dc=domain,dc=com))

and only the users belonging to that particular security group (make sure you write the full distinguished name of the group, as Active Directory requires it) should be able to log into Moodle. This filter can be extended to specify any number of additional conditions.

By the way, the LDAP filter feature is not specific to Active Directory.

Edit: I have just checked this and it seems the filter is only used for bulk user operations (syncing, etc.) but not for individual logins. I'll see if I can come up with a patch for this case too...

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP authentication (AD) - Only allow users if they are a member of a group

by Iñaki Arenaza -
The attached patch covers the normal logins too. Can you please test it?

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP authentication (AD) - Only allow users if they are a member of a group

by Janet Smith -
This logic above is super helpful. I have a number of different security groups - one for each year of students. Is there a way I can specify multiple groups within this logic? I've done some testing and couldn't quite figure it out.

I have something like:
(&(objectClass=user)(memberOf=cn=Students-2009,ou=xxx,dc=xxx,dc=xxx))

How would I specify cn's for Students-2009, Students-2010 and Students-2011?


In reply to Janet Smith

Re: LDAP authentication (AD) - Only allow users if they are a member of a group

by Tech 8055 -

Probably "cn" would be "cn" (common name) for all students.

Cheers

kieran :0)


In reply to Janet Smith

Re: LDAP authentication (AD) - Only allow users if they are a member of a group

by Iñaki Arenaza -
Something like this should do it (everything on a single line; it might appear wrapped here):

(&(objectClass=user)(|(memberOf=cn=Students-2009,ou=xxx,dc=xxx,dc=xxx)(memberOf=cn=Students-2010,ou=xxx,dc=xxx,dc=xxx)(memberOf=cn=Students-2011,ou=xxx,dc=xxx,dc=xxx)))

Saludos. Iñaki.
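The filters shown in this thread, generated programmatically. This is an added example, not code from the thread or from Moodle's auth_ldap plugin: it builds the single-group and multi-group `memberOf` filters above, escapes every interpolated value per RFC 4515 so a username or group name cannot alter the filter's logic, and optionally uses Active Directory's matching-rule-in-chain OID for nested groups (plain `memberOf` only matches direct membership). The `login_filter` function, the `sAMAccountName` attribute and the sample DNs are assumptions for this example.

```python
"""Build AD LDAP filters that restrict logins to members of security groups.
Added example; not Moodle's own code."""

# AD extensible-match rule for transitive (nested) group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515).

    Interpolating a raw username or DN would let '*', '(', ')', '\\' or NUL
    change the meaning of the filter (LDAP filter injection).
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def group_filter(group_dns, object_class="user", nested=False):
    """(&(objectClass=...)(memberOf=dn)) for one group, or an OR of
    memberOf terms for several, exactly as in the replies above."""
    dns = [escape_filter_value(dn) for dn in group_dns]
    if not dns:
        raise ValueError("at least one group DN is required")
    attr = "memberOf"
    if nested:
        # Matches direct and indirect membership; plain memberOf is direct only.
        attr = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:"
    terms = "".join(f"({attr}={dn})" for dn in dns)
    if len(dns) > 1:
        terms = f"(|{terms})"
    return f"(&(objectClass={object_class}){terms})"


def login_filter(username, group_dns, user_attr="sAMAccountName", **kw):
    """Filter for an individual login: the account must exist AND be in a
    listed group. Hypothetical helper showing the per-login check the thread
    says the patch adds; the attribute name is an assumption."""
    user = escape_filter_value(username)
    return f"(&({user_attr}={user}){group_filter(group_dns, **kw)})"


if __name__ == "__main__":
    # Constructed sample DNs matching the thread's placeholders.
    groups = [f"cn=Students-{y},ou=xxx,dc=xxx,dc=xxx" for y in (2009, 2010, 2011)]
    print(group_filter(groups))
    print(login_filter("j.smith*", groups))  # '*' is escaped, not a wildcard
```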