Roles vs. LDAP

by Chip DeWolfe
Number of replies: 3
We have around 2,000 users connected to our Moodle, which is currently sitting at version 1.5.3 and connected to our Win2k3 Active Directory. I am in the process of testing 1.7 on a parallel install and finding that roles, while very powerful and obviously built on the sweat and caffeinated/sleepless nights of the developers, don't permit the automatic access that previous versions have permitted when tied to LDAP.

In previous versions, LDAP integration allowed you to specify which OUs could log in (students) and which OUs could create courses (teachers). Teachers could only administer their own courses. In 1.7, when using LDAP, the roles system throws a bit of a wrench into this system. You can still specify which OUs can log in (students), and you simply need to define the default role as "student." You can still specify which OUs can create courses (teachers), with their role automatically assigned as "course creator". However, in my reading and tinkering, I can't seem to find out how to keep these automatically created "course creators" from having access to all courses (I really need them tied to just those that they create). It seems that the ability to confine a teacher to a particular course category introduced by roles has a trade-off in that auto-created LDAP users get "global edit" capability. Am I missing something, or do I understand this correctly?

If I understand this correctly, this puts me in a quandary. Moodle has always run "transparently" for us... teachers and students get an Active Directory account upon hire/enrollment in the district, which automatically gives the teachers the ability to log in and create/run their own classes (only) and students the ability to log in and enroll in classes for which they have the key. While roles offers some really great granular control of users, it takes away this automation by ironically weakening the security of the system. The only seeming way to fix this is to create a course category for every teacher, log in as that teacher (to autocreate the account in Moodle), log out and back in as administrator, and then assign the teacher course creator rights only on this individual course category. I think, for simplicity's sake, I might be better upgrading to 1.6 and avoiding 1.7.

Any comments, clarifications, or (hopefully) corrections would be much appreciated.
In reply to Chip DeWolfe

Re: Roles vs. LDAP

by Michael Schneider
I totally agree. We have just about half as many users as you, about 200 of them being teachers. These are too many to handle "by hand". In addition, the course creators also can change your front page and that is really not intended behavior. Roles are really neat, but at the current implementation they unfortunately block Moodle 1.7 at our site.
In reply to Chip DeWolfe

Re: Roles vs. LDAP

by Massimo Mancini
I also have the problem... but on Debian Sarge with LDAP.
I have partially resolved it. Try this:

1. Enter as admin
2. Access the Administration->Users->Authentication parameter page
3. Clear the field ldap_memberattribute
4. Save
5. Set the field ldap_memberattribute to the right LDAP value: for me memberUid
6. Save

Now if a new user in the LDAP group teachers logs in, he's automatically enrolled as EditingTeacher... but a problem remains: he's EditingTeacher in ALL courses!!!

cheers
Max
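Both problems in this thread (Chip's auto-created course creators with "global edit" capability, and Max's LDAP teachers who end up EditingTeacher in every course) come down to the same thing: a role assignment sitting at the site (system) context instead of at a category or course context. The script below is an added example, not code from this thread or from the Moodle project, showing how an administrator can audit for that. It assumes Moodle 1.7's role tables with the default `mdl_` prefix (`mdl_role_assignments`, `mdl_context`, `mdl_role`, `mdl_user`), the context level numbers Moodle 1.7 uses (10 = system, 40 = course category, 50 = course), and the stock role shortnames `coursecreator` and `editingteacher`; the sample rows are constructed so it runs against an in-memory SQLite copy, but the query is the part you would point at the real database.

```python
import sqlite3

# Context levels as Moodle 1.7 defines them (assumed from lib/accesslib.php).
CONTEXT_SYSTEM = 10
CONTEXT_COURSECAT = 40
CONTEXT_COURSE = 50

# Stock Moodle 1.7 role shortnames; a site that renamed roles adjusts this.
ROLES_TO_AUDIT = ("coursecreator", "editingteacher")

# Minimal subset of Moodle's tables, default 'mdl_' prefix assumed.
SCHEMA = """
CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, auth TEXT);
CREATE TABLE mdl_role (id INTEGER PRIMARY KEY, shortname TEXT);
CREATE TABLE mdl_context (id INTEGER PRIMARY KEY, contextlevel INTEGER,
                          instanceid INTEGER);
CREATE TABLE mdl_role_assignments (id INTEGER PRIMARY KEY, roleid INTEGER,
                                   contextid INTEGER, userid INTEGER);
"""

# Constructed sample data; not taken from any real site.
SAMPLE = """
INSERT INTO mdl_user VALUES (1,'alice','ldap'),(2,'bob','ldap'),
                            (3,'carol','ldap'),(4,'dave','manual');
INSERT INTO mdl_role VALUES (1,'admin'),(2,'coursecreator'),
                            (3,'editingteacher'),(5,'student');
-- context 1 is the site (system) context; 2 = category 3; 3 = course 7
INSERT INTO mdl_context VALUES (1,10,0),(2,40,3),(3,50,7);
-- alice: coursecreator at system level (the auto-created LDAP case)
-- bob:   editingteacher at system level (editing teacher in ALL courses)
-- carol: coursecreator scoped to one category (the per-teacher workaround)
-- dave:  editingteacher in a single course
INSERT INTO mdl_role_assignments VALUES (1,2,1,1),(2,3,1,2),(3,2,2,3),(4,3,3,4);
"""

# One placeholder per audited role so the IN list matches the tuple.
_ROLE_PLACEHOLDERS = ",".join("?" * len(ROLES_TO_AUDIT))
AUDIT_SQL = f"""
SELECT u.username, u.auth, r.shortname
  FROM mdl_role_assignments ra
  JOIN mdl_context c ON c.id = ra.contextid
  JOIN mdl_role    r ON r.id = ra.roleid
  JOIN mdl_user    u ON u.id = ra.userid
 WHERE c.contextlevel = ?
   AND r.shortname IN ({_ROLE_PLACEHOLDERS})
 ORDER BY u.username
"""


def open_sample_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def site_wide_assignments(conn):
    """(username, auth, role) for every audited role held at the system
    context: these users' editing rights reach every course on the site."""
    return conn.execute(AUDIT_SQL, (CONTEXT_SYSTEM, *ROLES_TO_AUDIT)).fetchall()


def scoped_assignments(conn):
    """The same roles held only at category or course level, which is the
    least-privilege shape the thread is trying to get back to."""
    rows = []
    for level in (CONTEXT_COURSECAT, CONTEXT_COURSE):
        rows += conn.execute(AUDIT_SQL, (level, *ROLES_TO_AUDIT)).fetchall()
    return rows


if __name__ == "__main__":
    db = open_sample_db()
    for username, auth, role in site_wide_assignments(db):
        print(f"SITE-WIDE  {username:8} auth={auth:7} role={role}")
    for username, auth, role in scoped_assignments(db):
        print(f"scoped     {username:8} auth={auth:7} role={role}")
```

Run it and the two LDAP-authenticated users with a system-context assignment are listed separately from the ones scoped to a category or course, which is the list you would work through before deciding whether an upgrade to 1.7 is workable. Filtering on `auth = 'ldap'` narrows it to accounts the directory created automatically.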