Oauth2 delete users disabled in AD

by Mikhail Paulse -
Number of replies: 6

Hello,

I am in the process of moving from LDAP to Oauth2 (Microsoft).

I have managed to migrate the users using a flat file and all has gone well. I initially tried to use OIDC, but that failed dismally.

The last challenge I have is that my company needs me to implement a user retention policy, and it requires that a user's data is deleted when they leave the company. In the IdP, the user is disabled, and thus they would not be able to log in.


How do I have Moodle sync with what's in our AD so that it will delete a disabled user after x days?


Please help, this is driving me crazy.

Average of ratings: -
In reply to Mikhail Paulse

Re: Oauth2 delete users disabled in AD

by Anton Tremetzberger -
Dear Mikhail,

Even if it failed for you: if you are using the OIDC plugin set https://moodle.org/plugins/auth_oidc you can set a "delete/disable" status in Moodle for users who are disabled in Azure AD. Have a look at some issues on https://github.com/microsoft/o365-moodle:
https://github.com/microsoft/o365-moodle/issues/1685
https://github.com/microsoft/o365-moodle/issues/1318

If you are using LDAP you can use a plugin like LDAP server (Sync Plus) https://moodle.org/plugins/auth_ldap_syncplus, which disables users in Moodle that are removed from the AD group. You have to delete users manually, but you can filter these user accounts (suspended account y/n in Site administration - Users).

And some other plugins could help, e.g. the Clean Up Users plugin: https://github.com/learnweb/moodle-tool_cleanupusers

Hope this helps.
br, Anton
Average of ratings: Useful (1)
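The suspend-then-delete flow Anton describes (mark the account suspended in Moodle when it is disabled upstream, then delete it once the retention period has passed) is easy to get wrong around two edge cases: an account that was disabled and later re-enabled in the IdP, and an account whose suspension date was never recorded. The following reconciliation script is an added example, not code from this thread or from any of the plugins linked above. It works on constructed sample data shaped like a Microsoft Graph user export (`userPrincipalName`, `accountEnabled`) and a Moodle-side user list with a hypothetical `suspended_since` timestamp, and it only computes the actions; applying them (suspend, unsuspend, delete) would go through whatever admin tooling your site uses.

```python
from datetime import datetime, timedelta, timezone

# Retention period after which a suspended leaver is deleted (the OP's "x days").
RETENTION_DAYS = 365

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample of an IdP export (Graph-style fields, not real data).
IDP_USERS = [
    {"userPrincipalName": "Alice@example.com", "accountEnabled": True},
    {"userPrincipalName": "bob@example.com", "accountEnabled": False},
    {"userPrincipalName": "carol@example.com", "accountEnabled": False},
    {"userPrincipalName": "dave@example.com", "accountEnabled": True},
]

# Constructed sample of Moodle-side state. "suspended_since" is a hypothetical
# field you would have to record yourself (e.g. in a custom profile field or a
# side table); Moodle's core user table only stores the suspended flag.
MOODLE_USERS = [
    {"username": "alice@example.com", "suspended": False, "suspended_since": None},
    {"username": "bob@example.com", "suspended": False, "suspended_since": None},
    # Disabled upstream and suspended here for 400 days: past retention.
    {"username": "carol@example.com", "suspended": True,
     "suspended_since": NOW - timedelta(days=400)},
    # Suspended here, but re-enabled in the IdP since: must NOT be deleted.
    {"username": "dave@example.com", "suspended": True,
     "suspended_since": NOW - timedelta(days=30)},
    # Not present in the IdP export at all (deleted upstream): treat as a leaver.
    {"username": "erin@example.com", "suspended": False, "suspended_since": None},
]


def plan_sync(idp_users, moodle_users, now, retention_days):
    """Return a list of (action, username) tuples reconciling Moodle with the IdP.

    Matching is case-insensitive on the UPN/username, since AD and Moodle
    do not always agree on case.
    """
    enabled = {u["userPrincipalName"].lower() for u in idp_users if u["accountEnabled"]}
    retention = timedelta(days=retention_days)
    actions = []
    for m in moodle_users:
        name = m["username"].lower()
        if name in enabled:
            # Active upstream: undo any stale suspension, never delete.
            if m["suspended"]:
                actions.append(("unsuspend", name))
            continue
        # Disabled in the IdP, or missing from it: the user has left.
        if not m["suspended"]:
            # First pass after they left: suspend, which starts the retention clock.
            actions.append(("suspend", name))
            continue
        since = m["suspended_since"]
        if since is not None and now - since >= retention:
            actions.append(("delete", name))
        else:
            # Either still inside the retention window, or we do not know when
            # suspension started; never delete on an unknown date.
            actions.append(("keep_suspended", name))
    return actions


def demo():
    """Run the plan over the constructed sample data."""
    return plan_sync(IDP_USERS, MOODLE_USERS, NOW, RETENTION_DAYS)


if __name__ == "__main__":
    for action, user in demo():
        print(f"{action:15s} {user}")
```

Run it nightly from the same place your IdP export lands, and review the `delete` list before applying it: the suspend step is reversible, the delete step is not, which is why a re-enabled account (dave above) is pulled back to `unsuspend` before any deletion logic runs.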
In reply to Anton Tremetzberger

Re: Oauth2 delete users disabled in AD

by Mikhail Paulse -
Thank you for the response. Before I switch from OAuth2 to OIDC, is there any option for OAuth2 to sync?
In reply to Mikhail Paulse

Re: Oauth2 delete users disabled in AD

by Anton Tremetzberger -
Sorry, I don't have any experience with OAuth2 and synchronising.
br, Anton
Average of ratings: Useful (1)
In reply to Mikhail Paulse

Re: Oauth2 delete users disabled in AD

by Emma Richardson -
So the disabling of the account would come from your LDAP settings. OAuth authentication normally runs simultaneously with your LDAP account, so you do not need to change anything. The syncing, etc. comes from the LDAP side.
Average of ratings: Useful (1)
In reply to Emma Richardson

Re: Oauth2 delete users disabled in AD

by Mikhail Paulse -
Hi Emma, thanks for your response.

We are migrating to a cloud hosted configuration. So moodle will no longer access our LDAP server, but rather authenticate against Azure AD either via OIDC or OAuth 2. For compliance purposes, I need the users and their data to be deleted let's say 1 year after they leave the company.

I tried switching some users back to OIDC and I got the same error as before:

"Invalid login: User not found in Moodle"
In reply to Mikhail Paulse

Re: Oauth2 delete users disabled in AD

by Emma Richardson -
So, when the user is set to LDAP, you can log in? But when you switch to OIDC, you get user not found? Are you using the plugin or just the basic OIDC?
So you have setup OIDC and have successfully connected OIDC to your Azure AD?
User not found does not make sense to me...