LDAP Enrollment - Role Mapping not happening

by a fischer -
Number of replies: 4

I am authenticating against my AD via the global catalog (two domains). It works every time.

It gathers the fields that are mapped and puts them in the user profile, including the dN in the idnumber field. It updates changes to the user records made in the AD in moodle. The users in the group spelled out in the course creator role in the ldap auth are in fact made course creators automagically.

I want to map the roles based on groups using the ldap enrollment plugin. I do not care about enrolling classes or creating them based on the AD, only on getting the correct role for users based on their groups in the AD. I have increased the idnumber field in mdl_user and in the corresponding array in the php file to 255.

I am using the same settings for ldap enrollment as for auth, but just not getting anything.

I am reasonably sure it is something small and straightforward, but have been banging my head against it for too long.

Suggestions greatly appreciated.

Oh yes, win2k3, latest stable moodle, php, MySQL.

In reply to a fischer

Re: LDAP Enrollment - Role Mapping not happening

by Iñaki Arenaza -
The problem is the Global Catalog doesn't hold a copy of the group membership (as it could be too costly). So while you can query the catalog for the group DN and get some attributes, you don't get the 'member' attribute, which is what you need to make LDAP enrolment work.

While you can modify the schema to add/remove specific attributes to the Global Catalog replication, I'm not sure if you can add the member attribute to it (never tried it myself).

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: LDAP Enrollment - Role Mapping not happening

by a fischer -
Thank you very much for your reply. Your replies to others have been a big help for me in getting up and running.

I wondered if that was an issue, so I started querying the GC to see if my GC contained the information I was looking for. I got replies that seemed to indicate that it did (please see below). Also, in the LDAP auth part of things, it is using a group in the GC for the designation of coursecreator role, which seems to be working. I'd appreciate any other thoughts you have. In the ldap enrollment, it is looking for the member in the group's AD record, right? As opposed to the memberof in the user's record?

To get the information below, I queried with the GC port and the titlebar of the ldp window says gc://servername.kent-school.edu/dc=students/dc=kent-school/dc=edu, so I think it is the GC I am talking to not the AD right? I am using the same user to bind as through moodle.

Here's one of the not working groups in the GC from the ldp tool in win2k3 server (I ***** out the user's name):
Expanding base 'CN=Year2008,OU=Groups,DC=students,DC=kent-school,DC=edu'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Year2008,OU=Groups,DC=students,DC=kent-school,DC=edu
2> objectClass: top; group;
1> cn: Year2008;
1> description: Class of 2008;
190> member: CN=Car***\, N*** 08,OU=Class2008,OU=Students,DC=students,DC=kent-school,DC=edu; CN=Car***\, M*** 08,OU=Class2008,OU=Students,DC=students,DC=kent-school,DC=edu; CN=A*****, S**** 08,OU=Class2008,OU=Students,DC=students,DC=kent-school,DC=edu;

Here's the one that works in the LDAP auth course creator (I masked the names with ****, the first two are test accounts copied from actual faculty)

Expanding base 'CN=Faculty,OU=UserGroups,DC=kent-school,DC=edu'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Faculty,OU=UserGroups,DC=kent-school,DC=edu
2> objectClass: top; group;
1> cn: Faculty;
98> member: CN=Moodle\, Fa2,OU=EMPLOYEES,DC=kent-school,DC=edu; CN=Moodle\, Fac,OU=EMPLOYEES,DC=kent-school,DC=edu; CN=Wa***\, M*******,OU=EMPLOYEES,DC=kent-school,DC=edu; CN=De*******\, H******,OU=EMPLOYEES,DC=kent-school,DC=edu;

Thank you.
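An added helper (not from the thread, and not Moodle's own code) for comparing listings like the two above: it parses ldp.exe output into per-entry attributes and reports group objects that came back with no 'member' values, which is the gap Iñaki describes for Global Catalog queries. The sample listing is constructed, with placeholder names and an example.edu domain.

```python
import re
from typing import Dict, List

# Constructed sample in the layout that ldp.exe prints (the thread quotes
# the real thing); the domain and member names here are placeholders.
LDP_OUTPUT = """\
Expanding base 'CN=Year2008,OU=Groups,DC=students,DC=example,DC=edu'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Year2008,OU=Groups,DC=students,DC=example,DC=edu
2> objectClass: top; group;
1> cn: Year2008;
1> description: Class of 2008;
3> member: CN=Doe\\, Jane 08,OU=Class2008,DC=students,DC=example,DC=edu; CN=Roe\\, Rich 08,OU=Class2008,DC=students,DC=example,DC=edu; CN=Smith\\, Sam 08,OU=Class2008,DC=students,DC=example,DC=edu;
"""

# ldp prefixes each attribute with its value count: "N> attr: v1; v2; ...;"
ATTR_LINE = re.compile(r"^(\d+)> ([^:]+): (.*)$")


def split_values(raw: str) -> List[str]:
    """Split 'v1; v2;' on semicolons only, so '\\,' escapes inside DNs survive."""
    return [v.strip() for v in raw.split(";") if v.strip()]


def parse_ldp(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {entry DN: {attribute: [values]}} for every entry in ldp output."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith(">> Dn: "):
            current = line[len(">> Dn: "):].strip()
            entries[current] = {}
            continue
        match = ATTR_LINE.match(line)
        if match and current is not None:
            # The leading count is ignored: a pasted listing may be trimmed
            # (the thread shows "190> member:" with only three DNs kept).
            entries[current][match.group(2)] = split_values(match.group(3))
    return entries


def groups_without_members(entries: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """DNs of group objects that came back with no 'member' values.
    Run it over a GC (port 3268) listing and a plain LDAP (port 389) listing
    of the same group to see whether membership is replicated to the catalog."""
    return [dn for dn, attrs in entries.items()
            if "group" in attrs.get("objectClass", []) and not attrs.get("member")]
```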
In reply to Iñaki Arenaza

Re: LDAP Enrollment - Role Mapping not happening

by a fischer -
Hello, I have more information on this. There are groups that are not listed in the GC, as you suggest. Universal groups, however, are listed and the ones I am trying to hit are universal groups.
Other ideas much appreciated.

In reply to a fischer

Re: LDAP Enrollment - Role Mapping not happening

by Iñaki Arenaza -
What LDAP contexts are you using in the role mapping section for the roles you want to map? And the values for the 'Course enrolment settings'?

Saludos. Iñaki.