LDAP authentication (AD) - Only allow users if they are a member of a group
i.e. Student1 is a member of a group in AD called "Moodleusers"
he is allowed to log into moodle
i.e. Student2 (in the same ou on AD) is not a member of "Moodleusers"
he is NOT allowed to log into moodle
Any thoughts?
Re: LDAP authentication (AD) - Only allow users if they are a member of a group
Maybe that's the point of a security group in AD, but there are other LDAP servers and environments out there and Moodle tries to play with them too.
Anyway, if you use a recent version of Moodle (1.8.x or 1.9.x newer than 2008.08.25) you should be able to specify a full LDAP filter in the objectClass field. For example, you could specify something like:
(&(objectClass=user)(memberOf=cn=my-security-group,cn=users,dc=my,dc=domain,dc=com))
and only the users belonging to that particular security group (make sure you write the full distinguished name of the group, as Active Directory requires it) should be able to log into Moodle. This filter can be extended to specify any number of additional conditions.
By the way, the LDAP filter feature is not specific to Active Directory.
Edit: I have just checked this and it seems the filter is only used for bulk user operations (syncing, etc.) but not for individual logins. I'll see if I can come up with a patch for this case too...
Saludos. Iñaki.
Re: LDAP authentication (AD) - Only allow users if they are a member of a group
The attached patch covers the normal logins too. Can you please test it?
Saludos. Iñaki.
Re: LDAP authentication (AD) - Only allow users if they are a member of a group
I have something like:
(&(objectClass=user)(memberOf=cn=Students-2009,ou=xxx,dc=xxx,dc=xxx))
How would I specify cn's for Students-2009, Students-2010 and Students-2011?
Re: LDAP authentication (AD) - Only allow users if they are a member of a group
Probably "cn" would be "cn" (common name) for all students.
Cheers
kieran :0)
Re: LDAP authentication (AD) - Only allow users if they are a member of a group
Something like this should do it (everything in a single line, it might appear wrapped here):
(&(objectClass=user)(|(memberOf=cn=Students-2009,ou=xxx,dc=xxx,dc=xxx)(memberOf=cn=Students-2010,ou=xxx,dc=xxx,dc=xxx)(memberOf=cn=Students-2011,ou=xxx,dc=xxx,dc=xxx)))
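The two filters in this thread (the single `memberOf` filter above and the `(|...)` form for several groups) can be built and checked offline before being pasted into Moodle. The following is an added example, not Moodle code and not from any poster here: `build_group_filter()` generates the filter from a list of group DNs with RFC 4515 escaping, and `matches()` evaluates the `&`/`|`/equality subset of the filter syntax against in-memory user entries, so you can confirm which constructed users would be admitted. The entries (`student1`, `student2`) and the group DNs are constructed sample data.

```python
"""Build and dry-run Moodle-style LDAP group filters (constructed example)."""
import re
from typing import Dict, List, Tuple, Union

# RFC 4515: these characters are filter syntax and must be hex-escaped in values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")

Entry = Dict[str, List[str]]
Node = Union[Tuple[str, List["Node"]], Tuple[str, str, str]]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value (ASCII escapes only, enough for these DNs)."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def build_group_filter(group_dns: List[str], object_class: str = "user") -> str:
    """Filter admitting only object_class entries that are a member of one of group_dns.

    One group gives (&(objectClass=user)(memberOf=DN)); several are OR-ed with (|...).
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    member = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass={escape_filter_value(object_class)}){member})"


def parse_filter(text: str) -> Node:
    """Parse the subset of RFC 4515 used here: (&...), (|...) and (attr=value)."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def expr() -> Node:
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children: List[Node] = []
            while pos < len(text) and text[pos] == "(":
                children.append(expr())
            if not children:
                raise ValueError(f"empty {op!r} list at offset {pos}")
            node: Node = (op, children)
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("missing ')'")
            attr, sep, raw = text[pos:end].partition("=")
            if not sep or not attr:
                raise ValueError(f"bad comparison at offset {pos}")
            node = ("=", attr, unescape_filter_value(raw))
            pos = end
        expect(")")
        return node

    node = expr()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _eval(node: Node, entry: Entry) -> bool:
    if node[0] == "&":
        return all(_eval(child, entry) for child in node[1])
    if node[0] == "|":
        return any(_eval(child, entry) for child in node[1])
    _, attr, value = node
    # Attribute names and values compared case-insensitively; this approximates
    # AD's objectClass/DN matching but does not normalise DN whitespace.
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(v.lower() == value.lower() for v in values)


def matches(entry: Entry, filter_text: str) -> bool:
    """True if the entry satisfies the filter."""
    return _eval(parse_filter(filter_text), entry)


def allowed_logins(entries: List[Entry], filter_text: str) -> List[str]:
    """Account names that the filter would let into Moodle."""
    return [e["sAMAccountName"][0] for e in entries if matches(e, filter_text)]


# Constructed sample entries: student1 is in Moodleusers, student2 is not.
STUDENT1: Entry = {"objectClass": ["top", "person", "user"], "sAMAccountName": ["student1"],
                   "memberOf": ["CN=Moodleusers,CN=Users,DC=my,DC=domain,DC=com"]}
STUDENT2: Entry = {"objectClass": ["top", "person", "user"], "sAMAccountName": ["student2"],
                   "memberOf": ["CN=Staff,CN=Users,DC=my,DC=domain,DC=com"]}
MOODLE_FILTER = build_group_filter(["cn=Moodleusers,cn=users,dc=my,dc=domain,dc=com"])

if __name__ == "__main__":
    print(MOODLE_FILTER)
    print(allowed_logins([STUDENT1, STUDENT2], MOODLE_FILTER))
```

Two caveats when using this against a real directory: `memberOf` in Active Directory lists direct memberships only, so users who belong to a nested group or only to their primary group are not matched by this filter; and a group name containing `(`, `)`, `*` or `\` must be escaped as `build_group_filter()` does, otherwise the filter is malformed and the bind or search fails for everyone.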
Saludos. Iñaki.