LDAP access for AD security group

by Jayamurugan Ravichandran -
Number of replies: 8

Hi,

I have managed to make my newly installed Moodle do authentication using our Active Directory. Moodle (v3.10) is running on a Red Hat 7.9 server, and MS AD.

I have managed to set multiple "Contexts" in "User Lookup Settings" using "OU=MAIL,OU=SW5,DC=company,DC=domain,DC=sg,DC=com; OU=POSIX,OU=SW2,DC=company,DC=domain,DC=sg,DC=com; " and the accounts get synced, but I need to benefit from the Security Groups of AD.

I tried using the security group DN in the context, like CN=OSUX_SG_LMS,OU=OSUX-LMS,OU=APPS,DC=company,DC=domain,DC=sg,DC=com, but the login through LDAP fails, saying invalid user/login details.

Any help is appreciated.


In reply to Jayamurugan Ravichandran

Re: LDAP access for AD security group

by Jayamurugan Ravichandran -
Experts, kindly advise on this topic as it is required for my current setup.

Thanks in advance
In reply to Jayamurugan Ravichandran

Re: LDAP access for AD security group

by Leon Stringer -

If you're looking to filter by group membership then you could set the Object class field. For example, for users who are members of AD group group1 in OU trainer:

(&(objectClass=user)(!(objectClass=computer))(memberOf=cn=group1,ou=trainer,dc=domain,dc=local))

There's some information about filters in the first part of this reply which may help.

In reply to Leon Stringer

Re: LDAP access for AD security group

by Jayamurugan Ravichandran -
Thanks Leon for the input.

I have tried putting the object class as mentioned, but the login is still failing as invalid user.
(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=OSUX_SG_LMS,OU=OSUX-LMS,OU=APPS,DC=company,DC=domain,DC=sg,DC=com))

Along with object class, can you please advise what should be the value for other fields like
Context: DN of Security group or OU ?
User Attribute:
Member Attribute:

Kindly advise. Thanks in advance.
In reply to Jayamurugan Ravichandran

Re: LDAP access for AD security group

by Leon Stringer -

Try leaving Object class blank until logins are working. When they are you can try restricting who can log in by adding the filter for security groups.

Other fields:

  • Contexts: should be the DN of the OUs containing the users who should have access to Moodle.
  • User attribute: should be "sAMAccountName" as stated in the documentation.
  • Member attribute: leave this blank.

Presumably you've used the Test settings link and enabled the plugin:

[Screenshot: Manage Authentication page showing auth_ldap with enable/disable and "Test settings" highlighted.]

If you know PHP I wrote a command line script, ldap_test.php, to help troubleshoot these settings. You need to set the following values (see lines 41-53):

define('HOST_URL', 'example.com');
define('BIND_DN', 'service-acct@example.com');
define('BIND_PW', 'password');
define('CONTEXTS', 'dc=example,dc=com');
define('FILTERS', '(objectClass=user)');
define('ATTRIBUTES', 'sAMAccountName, givenName, sn, mail');

If Use TLS is off change line 53 to:

define('STARTTLS', false);

Run it with php ldap_test.php; it should return the accounts from AD if these settings are correct. It may help determine the settings needed for Moodle (more information). Alternatively you can use ldapsearch.

In reply to Leon Stringer

Re: LDAP access for AD security group

by Jayamurugan Ravichandran -
Thanks Leon for the prompt response.
I will test based on above script and come back with results.

While I test, could you please advise on this statement you mentioned:

Contexts: should be the DN of the OUs containing the users who should have access to Moodle.

What I am trying to put in the context is the DN of the security group (containing restricted users) for Moodle access.
CN=OSUX_SG_LMS,OU=OSUX-LMS,OU=APPS,DC=company,DC=domain,DC=sg,DC=com

Is that correct ?

Thanks in advance.
In reply to Jayamurugan Ravichandran

Re: LDAP access for AD security group

by Leon Stringer -

The Context field contains "the DN of the context (container) where all of your Moodle users are found". So this field must contain the DN of at least one OU or container containing the users who can access Moodle. It never contains the DN of a group. If you want to restrict users by group membership this can be done with a filter as explained previously. When using a filter for group membership then allowed users are those who are both in the specified context and in the group.

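The two points above, the group-membership filter Leon gave earlier and the rule that an allowed user must be both under a Context OU and in the group, can be checked offline with a small script. This is an added example written for this thread, not code from Leon's ldap_test.php or from Moodle's auth_ldap plugin. It builds the kind of search filter the plugin sends to AD (with RFC 4515 escaping of the login name, so a crafted username cannot rewrite the filter) and evaluates the Context and group conditions against a constructed in-memory directory; all DNs, account names and the `dn_under_context` / `allowed_users` helper names are assumptions for illustration.

```python
"""Added example: Moodle-style LDAP user lookup filter and Context/group checks.
Not Moodle or ldap_test.php code; all DNs and entries below are constructed."""

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value before placing it in an LDAP filter.
    Without this, a login such as 'x*)(memberOf=*' would change the query."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group_dn):
    """Object class filter restricting users to members of one AD group
    (same shape as the filter suggested earlier in the thread)."""
    return ("(&(objectClass=user)(!(objectClass=computer))"
            "(memberOf=" + escape_filter_value(group_dn) + "))")


def user_lookup_filter(user_attribute, username, objectclass_filter):
    """Combine the login name with the configured Object class filter:
    (&(<User attribute>=<escaped login>)<Object class filter>)."""
    return "(&(" + user_attribute + "=" + escape_filter_value(username) + ")" + objectclass_filter + ")"


def _dn_parts(dn):
    """Split a DN into normalised RDNs. The constructed DNs here contain no
    escaped commas, so a plain split is sufficient for the example."""
    return [part.strip().lower() for part in dn.split(",")]


def dn_under_context(user_dn, context_dn, subtree=True):
    """True if user_dn sits inside context_dn (the Contexts setting).
    subtree=False corresponds to 'Search subcontexts' being off: only direct
    children of the context match."""
    u, c = _dn_parts(user_dn), _dn_parts(context_dn)
    if len(u) <= len(c) or u[-len(c):] != c:
        return False
    return subtree or len(u) == len(c) + 1


# Constructed sample directory: DN -> attributes AD would return.
SAMPLE_ENTRIES = {
    "CN=alice,OU=MAIL,OU=SW5,DC=example,DC=com": {
        "sAMAccountName": "alice",
        "memberOf": ["CN=LMS_Users,OU=APPS,DC=example,DC=com"]},
    "CN=bob,OU=MAIL,OU=SW5,DC=example,DC=com": {
        "sAMAccountName": "bob", "memberOf": []},
    "CN=carol,OU=OTHER,DC=example,DC=com": {
        "sAMAccountName": "carol",
        "memberOf": ["CN=LMS_Users,OU=APPS,DC=example,DC=com"]},
}


def allowed_users(entries, contexts, group_dn, subtree=True):
    """Apply the rule from the reply above: a user may log in only if the DN
    is under one of the ';'-separated Contexts AND the user is in the group."""
    allowed = []
    for dn, attrs in entries.items():
        in_context = any(dn_under_context(dn, ctx, subtree)
                         for ctx in contexts.split(";") if ctx.strip())
        in_group = any(m.lower() == group_dn.lower() for m in attrs["memberOf"])
        if in_context and in_group:
            allowed.append(attrs["sAMAccountName"])
    return sorted(allowed)


if __name__ == "__main__":
    group = "CN=LMS_Users,OU=APPS,DC=example,DC=com"
    contexts = "OU=MAIL,OU=SW5,DC=example,DC=com; OU=POSIX,OU=SW2,DC=example,DC=com"
    print(user_lookup_filter("sAMAccountName", "alice", group_filter(group)))
    print("OU contexts:", allowed_users(SAMPLE_ENTRIES, contexts, group))
    # Putting the group DN into Contexts matches nobody: users are not children of a group.
    print("group DN as context:", allowed_users(SAMPLE_ENTRIES, group, group))
```

Running it shows that carol is excluded because her OU is not listed in Contexts even though she is in the group, bob is excluded because he is not in the group, and using the group DN itself as a Context yields no users at all, which is the failure the original poster saw.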
In reply to Leon Stringer

Re: LDAP access for AD security group

by Jayamurugan Ravichandran -
Noted with thanks Leon.

I will test and come back on the status.
In reply to Jayamurugan Ravichandran

Re: LDAP access for AD security group

by Jayamurugan Ravichandran -
Thanks a lot Leon.
The issue is resolved.

I have used the script you shared and identified where the problem was. Updated the same in Moodle, which resolved security-group-based LDAP authentication.

Thanks again 👍🏻