Hi Inaki Arenaza,
First of all thanks for all the support that you are giving for the community.
I'm troubling with the LDAP enrolment, i'm using openldap where i have two subtrees ou= moodleusers and ou=moodle (where i have the groups using groupOfNames and cn==Course ID) , i also use objectClass=inetOrgPerson for the user lookup..my settings are:
User lookup settings |
||
| User type | Default | Select how users are stored in LDAP. This setting also specifies how login expiration, grace logins and user creation will work. |
| Contexts | ou=moodleusers,dc=epict,dc=it | List of contexts where users are located. Separate different contexts with ';'. For example: 'ou=users,o=org; ou=others,o=org' |
| Search subcontexts | Yes | Search users from subcontexts. |
| Dereference aliases | Yes | Determines how aliases are handled during search. Select one of the following values: "No" (LDAP_DEREF_NEVER) or "Yes" (LDAP_DEREF_ALWAYS) |
| User attribute | Optional: Overrides the attribute used to name/search users. Usually 'cn'. | |
| Member attribute | member | Optional: Overrides user member attribute, when users belongs to a group. Usually 'member' |
| Member attribute uses dn | 1 | Optional: Overrides handling of member attribute values, either 0 or 1 |
| Object class | (objectClass=inetOrgPerson) | Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you dont need to chage this. |
Force change password |
||
| Force change password | No |
Force users to change password on their first login to Moodle. |
| Use standard page for changing password | No |
If the external authentication system allows password changes through Moodle, switch this to Yes. This setting overrides 'Change Password URL'. NOTE: It is recommended that you use LDAP over an SSL encrypted tunnel (ldaps://) if the LDAP server is remote. |
| Password format | Plain textMD5 hashSHA-1 hash | Specify the format of new or changed passwords in LDAP server. |
| Password-change URL | Here you can specify a location at which your users can recover or change their username/password if they've forgotten it. This will be provided to users as a button on the login page and their user page. If you leave this blank the button will not be printed. | |
LDAP password expiration settings. |
||
| Expiration | no | Select No to disable expired password checking or LDAP to read passwordexpiration time directly from LDAP |
| Expiration warning | 10 | Number of days before password expiration warning is issued. |
| Expiration attribute | Optional: overrides ldap-attribute that stores password expiration time | |
| Grace logins | No | Enable LDAP gracelogin support. After password has expired user can login until gracelogin count is 0. Enabling this setting displays grace login message if password is expired. |
| Grace login attribute | Optional: Overrides gracelogin attribute | |
Enable user creation |
||
| Create users externally | No | New (anonymous) users can create user accounts on the external authentication source and confirmed via email. If you enable this , remember to also configure module-specific options for user creation. |
| Context for new users | If you enable user creation with email confirmation, specify the context where users are created. This context should be different from other users to prevent security issues. You don't need to add this context to ldap_context-variable, Moodle will search for users from this context automatically. Note! You have to modify the method user_create() in file auth/ldap/auth.php to make user creation work |
|
Course creator |
||
| Creators | List of groups or contexts whose members are allowed to create new courses. Separate multiple groups with ';'. Usually something like 'cn=teachers,ou=staff,o=myorg' | |
Cron synchronization script |
||
| Removed ext user | Keep internalSuspend internalFull delete internal | Specify what to do with internal user account during mass synchronization when user was removed from external source. Only suspended users are automatically revived if they reappear in ext source. |
NTLM SSO |
||
| Enable | No | Set to yes to attempt Single Sign On with the NTLM domain. Note: this requires additional setup on the webserver to work, see http://docs.moodle.org/en/NTLM_authentication |
| Subnet | If set, it will only attempt SSO with clients in this subnet. Format: xxx.xxx.xxx.xxx/bitmask. Separate multiple subnets with ',' (comma). | |
| MS IE fast path? | No | Set to yes to enable the NTLM SSO fast path (bypasses certain steps and only works if the client's browser is MS Internet Explorer). |
| Authentication type | NTLM | The authentication method configured in the web server to authenticate the users (if in doubt, choose NTLM) |
Data mapping |
||
| First name |
givenName
On every login
Never Unlocked |
These fields are optional. You can choose to pre-fill some Moodle user fields with information from the LDAP fields that you specify here.
If you leave these fields blank, then nothing will be transferred from LDAP and Moodle defaults will be used instead. In either case, the user will be able to edit all of these fields after they log in. Update local: If enabled, the field will be updated (from external auth) every time the user logs in or there is a user synchronization. Fields set to update locally should be locked. Lock value: If enabled, will prevent Moodle users and admins from editing the field directly. Use this option if you are maintaining this data in the external auth system. Update external: If enabled, the external auth will be updated when the user record is updated. Fields should be unlocked to allow edits. Note: Updating external LDAP data requires that you set binddn and bindpw to a bind-user with editing privileges to all the user records. It currently does not preserve multi-valued attributes, and will remove extra values on update. |
| Surname |
sn On every login |
|
| Email address |
On every login |
|
| City/town |
l On every login |
|
| Country |
c On every login |
|
| Language |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Description |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Web page |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| ID number |
dn On every login |
|
| Institution |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Department |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Phone 1 |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Phone 2 |
Update local On creationOn every login
Update external NeverOn update Lock value UnlockedUnlocked if emptyLocked |
|
| Address |
Update local On creationOn every login
Update external NeverOn update Lock value |
|
Role mapping
Search group memberships from subcontexts
If the group membership contains distinguised names, you need to specify it here. If it does, you also need to configure the remaining settings of this section
If the group membership contains distinguised names, specify the list of contexts where users are located. Separate different contexts with ';'. For example: 'ou=users,o=org; ou=others,o=org'
If the group membership contains distinguised names, specify if the search for users is done in subcontexts too
If the group membership contains distinguished names, specify how users are stored in LDAP
If the group membership contains distinguised names, specify how aliases are handled during search. Select one of the following values: 'No' (LDAP_DEREF_NEVER) or 'Yes' (LDAP_DEREF_ALWAYS)
If the group membership contains distinguised names, specify the same attribute you have used for the user 'ID Number' mapping in the LDAP authentication settings
Course enrolment settings
objectClass used to search courses. Usually 'group' or 'posixGroup'
LDAP attribute to get the course ID number from. Usually 'cn' or 'uid'.
Full nameenrol_ldap | course_fullname : cn
If enabled users will not be enrolled on courses that are set to be unavailable to students.
Select action to carry out when user enrolment disappears from external enrolment source. Please note that some user data and settings are purged from course during course unenrolment.
Automatic course creation settings
Courses can be created automatically if there are enrolments to a course that doesn't yet exist in Moodle
If you are using automatic course creation, it is recommended that you remove the following capabilities: moodle/course:changeidnumber, moodle/course:changeshortname, moodle/course:changefullname and moodle/course:changesummary, from the relevant roles to prevent modifications of the four course fields specified above (ID number, shortname, fullname and summary).
The category for auto-created courses
Optional: auto-created courses can copy their settings from a template course
Nested groups settings
Do you want to use nested groups (groups of groups) for enrolment?
Name of the attribute that specifies which groups a given user or group belongs to (e.g., memberOf, groupMembership, etc.)
I'll be really greatfull for any help. thanks in advance