Moodle + AD + LDAP = Confusion - Help Required and Provided

Moodle + AD + LDAP = Confusion - Help Required and Provided

by Red Morris -
Number of replies: 8

I have tried my best to resolve this without calling "Help!" but I see defeat on the horizon so here I am. I've looked at a lot of posts on and off this forum and some have helped me get closer to the goal, but I'm still not there. I apologise for what will be a long post, but the more info I give the more likely someone will be able to point out my mistake. Once there, I intend to update the Wiki with some of the great help I've found. At the moment it's not that great if you don't know the ins and outs of AD and LDAP.

So, here's what I'm aiming for:
- Auto-login to Moodle, or login automatic when clicking on the Login link.
- No big re-arrangement of AD. We're a fairly big college and that wouldn't fly too well. Adding a group for Moodle Admins etc would be OK though.
- No kind of profile management from Moodle. Just using it to auto-login

Here's the system setup details that will make or break it. I'll expand to give those in my shoes some help and those trying to help me some more info.
- Domain name: midkent
- External name: midkent.ac.uk
- Moodle Server: Name = s-moodle1, Setup = Windows 2003, Apache 2.2.2.0, MySQL 5.0.21, PHP 5.1.44

Now for the fun story of everything I've tried.
I used the "Configuration File (php.ini) Path" field on http://s-moodle1/admin/phpinfo.php to determine which php.ini was being used. I deleted the others to save confusion and uncommented the extension=php_ldap.dll line. I then logged on to Moodle as Admin and went to Users>User Authentication to set up LDAP.
I set up all the variables as best as I could, using this page to help me, but I kept getting an error "LDAP-module cannot connect any LDAP servers : Server: 'ldap://my.ldap.server/' Connection: 'Resource id #26' Bind result: '' ".
This one took me a while, but by using the Command Prompt on the Moodle Server and navigating to the moodle/php directory and running "php -m" I got an error message telling me two dlls were missing. They were elsewhere on the machine and copying them to the moodle/php directory stopped the error messages with "php -m" and got rid of the red error message.
NB: I also added the moodle/php directory to the windows PATH, but I've removed this now and it doesn't seem to have affected anything, so I don't think it's needed, but worth a shot if you're having trouble.

This all helped, but I still wasn't there. Then I stumbled across a great post by Kieran Denny in this thread helped a LOT. I dug out the Server 2003 CD and installed the Server Tools and ran ldap.exe.
After much fun, I discovered that the user account I was using to Bind to the AD server didn't have the right access. We have an account for this kind of access where you don't want the password to expire, etc, but apparently it needs more rights. The Admin account worked though, which allowed me to change a few things.
I drilled down the tree to find the Admin account. Double-clicked it to get the accounts details up and scanned the top few lines and picked out the DN line. ldap_bind_dn became "CN=Adminstrator,OU=Unique,OU=Users OU,DC=midkent,DC=ac,DC=uk".
I also used the tree to find the DNs of the groups to search for user accounts. So ldap_contexts became "OU=Staff,OU=Users OU,DC=midkent,DC=ac,DC=uk;OU=Site One,OU=Students,OU=Users OU,DC=midkent,DC=ac,DC=uk;OU=Site Two,OU=Students,OU=Users OU,DC=midkent,DC=ac,DC=uk;OU=Site Three,OU=Students,OU=Users OU,DC=midkent,DC=ac,DC=uk;"

I logged in as Admin and realised I needed to edit the user accounts to change the Authentication Method from manual to Use an LDAP server.
All this resulted in nicer error messages. Instead of a spartan page with an LDAP error I now got an Invalid Login one. *sigh*

The Eureka moment was changing the ldap_user_attribute field. I went back to the ldap.exe on the Moodle server and double-clicked my own user account. I looked down the list of data until I found my login id, as this is what I'm expecting Moodle to verify against. The field name for me is sAMAccountName, not cn which is the Moodle default, or so it says on the Authtication settings page. It worked! I can now log in!

My final hurdle is working out how to get Moodle to try to log in automatically or at the click of the Login button as it currently does with Blackboard.

I hope this helps a few more struggling souls. Once I have the login working I will see what I can add to the Wiki. Cribbing a lot from Kierans very helpful post I imagine. The forum desperately needs Sticky posts so good ones like that don't slip down and people need to ask over and over again.

Average of ratings: -
In reply to Red Morris

Re: Moodle + AD + LDAP = Confusion - Help Required and Provided

by Steve Power -

Red

Well done for getting so far. Can I suggest using Dan Marsden's NTLM plugin to automate your login. This is an extension of LDAP it and more information can be found here.

We switched from LDAP to NTLM recently and so far I am very happy with the results.

Regards
Steve

Average of ratings: Useful (1)
In reply to Steve Power

Re: Moodle + AD + LDAP = Confusion - Help Required and Provided

by Red Morris -

I have now updated the Wiki to add Troubleshooting for AD. Hopefully a few people will save some folicles by reading it.

Still having trouble with NTLM though. Mainly because I'm running the rather odd WAMP combination, and there's not a lot of help out there for setting up Apache authentication on a Windows server.

Has anyone managed this?

Average of ratings: -
In reply to Red Morris

Re: Moodle + AD + LDAP = Confusion - Help Required and Provided

by Alastair Hole -
We have the setup you describe.
Our users simply visit our Moodle in IE and they are automatically logged in as they have already logged into Windows with their Active Directory credentials.
We are also using Apache2 on Windows.
mod_auth_sspi is what you need:
http://moodle.org/mod/forum/discuss.php?d=56565

P.S. Obviously you still need Moodle's NTLM add on module in addition to mod_auth_sspi for Apache2
Average of ratings: -
In reply to Alastair Hole

Re: Moodle + AD + LDAP = Confusion - Help Required and Provided

by Michael Tudor -

These are my settings for LDAP authentication and LDAP enrollment, at this stage I have chossen not to use NTLM authentication. We are running Windows Server 2003 and our moodle server is running on Fedora within VMWare (yaa virtual moodle  ). Sorry the instructions for changing the database for LDAP enrollment are for linux not Windows.

LDAP Authentication

LDAP server settings
ldap_host_url: ldap://primarydomaincontroler.domain.ac.nz;ldap://secondarydomaincontroler.domain.ac.nz
ldap_version: 3

Bind settings
ldap_preventpassindb: yes
ldap_bind_dn: CN=user,OU=Staff,DC=domain,DC=ac,DC=nz
ldap_bind_pw: password


User lookup settings
ldap_user_type: MS Active Directory
ldap_contexts: OU=Staff,DC=domain,DC=ac,DC=nz;
OU=Year 1 Students,OU=Students,DC=domain,DC=ac,DC=nz;
OU=Year 2 Students,OU=Students,DC=domain,DC=ac,DC=nz;
OU=Year 3 Students,OU=Students,DC=domain,DC=ac,DC=nz;
OU=Degree Students,OU=Students,DC=domain,DC=ac,DC=nz;
OU=PG Students,DC=domain,DC=ac,DC=nz;
OU=Users,DC=domain,DC=ac,DC=nz;
OU=Students,DC=domain,DC=ac,DC=nz

Settings
ldap_search_sub: yes
ldap_opt_deref: no
ldap_user_attribute: sAMAccountName


Course creators
ldap_creators: CN=moodle-creators,OU=Staff,DC=domain,DC=ac,DC=nz


Data mapping
First name: givenName
  Update local: On Every login
  Update external: never
  Lock value: Locked
Surname: sn
  Update local: On Every login
  Update external: never
  Lock value: Locked
Email address: mail
  Update local: On Every login
  Update external: never
  Lock value: Locked
Phone 1: telephoneNumber  <== probably not required?
  Update local: On creation
  Update external: never
  Lock value: unlocked
Phone 2: mobile   <== probably not required?
  Update local: On Creation
  Update external: never
  Lock value: unlocked
Address: streetAddress   <== probably not required?
  Update local: On Creation
  Update external: never
  Lock value: unlocked
Country: co   <== probably not required?
  Update local: On Creation
  Update external: never
  Lock value: unlocked
ID number: distinguishedName <== this is needed for the ldap enrollment, you need to adjust the databases table for this record from 64 characters to enough to handle the fully qualified domain name, 255 should be enough.
  Update local: On Every login
  Update external: never
  Lock value: locked


LDAP Enrollment Plugin

LDAP Server Settings
enroll_ldap_host_url: ldap://primarydomaincontroller.domain.ac.nz
enrol_ldap_version: 3
enrol_ldap_bind_dn: CN=user,OU=Staff,DC=domain,DC=ac,DC=nz
ldap_bind_pw: password
ldap_search_sub: Yes

Student enrolment settings
enrol_ldap_student_contexts: OU=EnrollmentStudents,DC=domain,DC=ac,DC=nz <== I made a new OU called 'EnrollmentStudents'
enrol_ldap_student_memberattribute: member


Teacher enrolment settings
enrol_ldap_student_contexts: OU=EnrollmentLecturers,DC=domain,DC=ac,DC=nz <== I made a new OU called 'EnrollmentStaff'
enrol_ldap_student_memberattribute: member


Course enrolment settings
enrol_ldap_objectclass: group
enrol_ldap_course_idnumber: cn
enrol_ldap_course_shortname: cn
enrol_ldap_course_shortname: cn


MySQL Database Adjustments

Open this file /var/www/html/moodle/lib/moodlelib.php
Change this value ‘idnumber’ => 64 (change this value of ‘64’ to ‘255’)

Open up a console and type:  mysql -u root -p moodle


You will be prompted for the 'root' password (this is the MySQL root user, not the operating system root user). If the mysql root user doesn't have a password just press ENTER. 'moodle' is the name of your Moodle database.


Once you are in, type the following: ALTER TABLE mdl_user CHANGE COLUMN idnumber idnumber VARCHAR(255);
(if you want to widen the idnumber field to 255 characters).

Average of ratings: Useful (1)
In reply to Michael Tudor

Re: Moodle + AD + LDAP = Confusion - Help Required and Provided

by Michael Tudor -

MS Active Directory Setup

Within AD you need to make two “Organisational Units” where the enrollment groups will be stored, the LDAP authentication will only enroll students by the groups that are in these OUs. This is desired because you do not want moodle to try and auto-create a new course called ‘Domain Users’.

Create the following two OUs at the domain level, you can have a different name as long as the names match what you entered in the LDAP Enrollment plug-in.

- EnrollmentStudents (add the students you want enrolled in each course into the corresponding group)

- EnrollmentStaff (add the lecturers you want to teach each course into the corresponding group)

You need to create a two groups for each course in moodle, one in the ‘EnrollmentStudents’ OU and the other in the ‘EnrollmentStaff’. Both groups must have the same name as the course ID specified within the moodle course, since you can not have two objects within Active directory with the same pre-w2k name, you must specify a different pre-w2k name for each group but the same display name. I have found it convenient to add the suffix of –s (for the student group) and –l (for the Lecturers group). The following example would be for a course with the id number of ‘math101’

 

Group Name Pre-W2k name
Student OU: math101 math101-s
Staff OU: math101 math101-l
Average of ratings: Useful (1)
In reply to Red Morris

Re: Moodle + AD + LDAP = Confusion - Help Required and Provided

by chhivhorng ly -

Dear Red,

Can you tell me so clear about solution of error: LDAP-module cannot connect any LDAP servers : Server: 'ldap://my.ldap.server/' Connection: 'Resource id #26' Bind result: ''.

 because I have the problem. I use Moodle1.7.1++ but when I configure LDAP authentication.

best regards,

____________________

Chhivhorng

Average of ratings: -
In reply to chhivhorng ly

Re: Moodle + AD + LDAP = Confusion - Help Required and Provided

by chhivhorng ly -
Dear all,

Now LDAP that I configured, it already done.

cheers
_______________
Chhivhorng
Average of ratings: -
In reply to Red Morris

Re: Moodle + AD + LDAP = Confusion - Help Required and Provided

by joel mathia -
Thanks Red Morris, 9 years later your post has helped me sort out the issue. Remaining bit is having moodle fetch details from AD without need for registration. 
Average of ratings: -