LDAP authentication issues

by Robert Ray -
Number of replies: 12

Hi,

First post in any Moodle forums :)

I am hopeful that someone can maybe help me out. I am also a new user to Moodle administration, and after a degree of success getting it running, my next task was to authenticate our users via MS AD.

This is where my problems began. I have read the docs regarding LDAP here and, while I found them very useful, I still find myself with "Invalid login, please try again" every time I try an AD user.

Ok more info about what I have:

Moodle Web Server:

 Moodle 1.8.2+ (2007021520), Fedora Core 7, Apache version 2.2.4, PHP V 5.2.2

AD Authentication Server:

Windows 2003 Server, single domain, multiple OUs

LDAP Config:

LDAP server settings

Host URL: pcname.domain.ac.uk

Version: 3

LDAP encoding: utf-8

Bind settings

Hide passwords: Yes

Distinguished Name: CN=ldap,OU=Accounts,DC=domain,DC=ac,DC=uk (gathered using ldp.exe)

Password: Bindpassword

User lookup settings

User type: MS AD

Contexts: DC=domain,DC=ac,DC=uk

Search subcontexts: Yes

Dereference aliases: No

User attribute: (blank)

Member attribute: (blank)

All other config parameters were left as the default.

---

A little more info: I have been browsing around the forums finding similar issues. In fact, at first my server was for sure not sending any LDAP packets to the domain controller. Using tcpdump -npi dest servip I could see no packets being sent at the time. From another user's post, the recommendation to change the host URL from ldap://address to just the server's FQDN seemed to resolve at least this issue, as now tcpdump reports LDAP packets being sent to and received from the DC.

Thanks in advance for any comments regarding this issue. If I discover first where I'm going wrong, I'll be sure to post the completed solution.

In reply to Robert Ray

Re: LDAP authentication issues

by Jan Müller -
Hi Robert

I'm not sure if this one really addresses your problem, but try to set "User attribute: (blank)" to "sAMAccountName".

This one (and some other tuning) helped here. Hope, this works for you too!

Good luck! (You will need it, with AD ;) )

cu
Jan
In reply to Jan Müller

Re: LDAP authentication issues

by Robert Ray -

Thanks Jan.

I have set User Attribute as you suggested to sAMAccountName.

Again I'm not getting logged in. :(

I believe, unless I'm mistaken, that sAMAccountName means users should be able to enter their username without the @domain.ac.uk suffix, so for instance in my case the username rray.

Further basic analysis of our domain controller indeed confirms the conversation between the webserver and DC is taking place:

Using Ethereal I have captured a TCP stream and here is the ASCII; perhaps someone with a better understanding can maybe use some of this info to help:

<<<< Web Server >>>>

0<...`7....'CN=ldap,OU=Accounts,DC=domain,DC=ac,DC=uk..ldappassword........a.....
......0S...cN..DC=domain,DC=ac,DC=uk
..   
...............sAMAccountName..rray0...sAMAccountName

<< DC Server >>>

0....p...d....g.=CN=Robert Ray,OU=ICT,OU=Staff,OU=Accounts,DC=domain,DC=ac,DC=uk0...."0.......sAMAccountName1.......rray0....Q...s....H.Fldap://ForestDnsZones.domain.ac.uk/DC=ForestDnsZones,DC=domain,DC=ac,DC=uk0....Q...s....H.Fldap://DomainDnsZones.domain.ac.uk/DC=DomainDnsZones,DC=domain,DC=ac,DC=uk0....A...s....8.6ldap://domain.ac.uk/CN=Configuration,DC=domain,DC=ac,DC=uk0........e.....
......0....B.

If anyone has any more comments or feels they can contact me to offer some help, I'd be grateful.

In reply to Robert Ray

Re: LDAP authentication issues

by Iñaki Arenaza -

In addition to the change proposed by Jan Müller, I'd change the:

Contexts: DC=domain,DC=ac,DC=uk

to:

Contexts: OU=Accounts,DC=domain,DC=ac,DC=uk

and try. I seem to remember that specifying the domain root and doing subsearches could do strange things depending on your domain/forest structure.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: LDAP authentication issues

by Robert Ray -

Thanks for the additional information.

OU=Accounts,DC=domain,DC=ac,DC=uk

Seems to let me in! :)

Thanks all for your input.

Can't wait to tackle the next issues!

In reply to Iñaki Arenaza

Re: LDAP authentication issues

by Dan Trockman -
Is the bind function necessary for LDAP/AD? I am not successful at all in using it so far. The FirstClass authentication bug has us in a real hurry to get LDAP working. We use it for all kinds of other authentication on campus with no issues but cannot get it working for Moodle. I'll try to send more information. What information would you like to see?

If we can do it in a less generic way, please email me for specifics.

dtrockman at blakeschool.org
In reply to Dan Trockman

Re: LDAP authentication issues

by Iñaki Arenaza -

Is the bind function necessary for LDAP/AD?

As far as I know, you need to bind with a username/password before being able to search/read from Active Directory.

Any non-privileged user will do it (that's what we use). Just make sure the bind user is enabled (in AD) and can login from a Windows workstation (just to make sure of it). Beware of expirable passwords too. We use a very strong password and set it to never expire.

What information would you like to see?

Other than the exact Moodle version (see version.php) and the usual LDAP settings (sanitize your username and passwords if you want), your domain/forest setup (just to check if you are using the Global Catalog or not, and things like that), and if you are using LDAP+SSL or not (to check that you have all you need in place).

If you are getting any errors on screen or in the logs (make sure you enable debugging settings in Moodle first ;)), that helps too.

Saludos. Iñaki.

In reply to Dan Trockman

Re: LDAP authentication issues

by Rod Ward -

Dan,

I was having all kinds of problems achieving a bind with my LDAP server until yesterday, when I tried omitting the ldap:// off the front of the URL in the LDAP Host field. I know it says in the notes beside that field that you should have it there, but I noticed that the LDAP admin guy had given me the original settings without this, so I tried it, and it worked! (He'd also given me an address with a spelling mistake in it, so make sure to double-check all values you are given.)

To test the LDAP settings, I made up a little PHP page (attached in the zip file for you). This page allows you to verify that you are getting, first of all, an LDAP connection, and then a successful bind. Put this file into your site in the same folder as the other LDAP files. I turned on PHP errors to see which of the two functions (connect or bind) was failing.

I also downloaded a free program called LDAP Browser off the net that allowed me to connect to the LDAP database with the same settings and have a look around.

Either way, you should be able to confirm whether or not you can connect with your current settings.

In reply to Rod Ward

Re: LDAP authentication issues

by Helen Rayet -

Hello,

I am having LDAP problems: when I use the ldp.exe LDAP browser I can connect and bind successfully, although Moodle is still not working properly and users cannot log in. I have copied the DNs from here directly into the relevant sections in Moodle. When I use your 'test ldap' PHP file I get the following error:

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in D:\Xampplite\moodle\test_ldap.php on line 34

ldapconn = Resource id #2 - Connected to LDAP successfully!

LDAP bind failed!

Any ideas on where I am going wrong?

In reply to Helen Rayet

Re: LDAP authentication issues

by Marco Rojas -
This question might be a little bit off topic, but is it possible to make users authenticate using their e-mail addresses from the LDAP server?

like user@company.com

Thanks.
In reply to Marco Rojas

Re: LDAP authentication issues

by Iñaki Arenaza -

You can use any LDAP attribute you want to authenticate users. But bear in mind the attribute you use will be considered the username in Moodle.

Saludos. Iñaki.
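The posts above describe the same login sequence from several angles: Robert's capture shows the service-account bind followed by a search for sAMAccountName=rray, with the DC answering a domain-root subtree search with referral URLs (ForestDnsZones, DomainDnsZones, Configuration); Rod's test page checks connect and bind separately; Helen sees "Can't contact LDAP server" on ldap_bind() even though ldap_connect() returned a resource; and Iñaki notes that any attribute can serve as the login name. The script below is an added example, not Rod's attachment or Moodle's own auth_ldap code, and shows that whole sequence in one place. The hostname, bind DN, password, context and the test username are placeholders taken from the thread and must be replaced; it assumes PHP 5.6 or later for ldap_escape() (the PHP 5.2 in Robert's setup would need a hand-written filter escape). It disables referral chasing so the domain-root referrals seen in the capture are not followed with anonymous credentials, and it refuses an empty password, because an LDAP bind with a DN and an empty password is an unauthenticated (anonymous) bind that AD reports as success.

```php
<?php
// test_ldap_ad.php - added example (not from the thread or from Moodle).
// Sequence: connect -> bind as service account -> search the context for the
// user -> bind again as the user's own DN with the password they typed.
// Every value below is a placeholder/assumption; adjust to your directory.

$host     = 'pcname.domain.ac.uk';                 // plain FQDN, no ldap:// prefix
$port     = 389;                                   // 636 with ldaps if you use LDAP+SSL
$bindDn   = 'CN=ldap,OU=Accounts,DC=domain,DC=ac,DC=uk';
$bindPw   = getenv('LDAP_BIND_PW') ?: 'Bindpassword';  // keep the real one out of source
$context  = 'OU=Accounts,DC=domain,DC=ac,DC=uk';  // narrowed from the domain root
$userAttr = 'sAMAccountName';                      // or userPrincipalName for user@domain logins

/**
 * Returns [true, userDn] on success or [false, reason] on failure.
 * The reason says which step failed, which is the information the thread kept asking for.
 */
function ldap_login(string $host, int $port, string $bindDn, string $bindPw,
                    string $context, string $userAttr,
                    string $username, string $password): array
{
    $conn = ldap_connect($host, $port);
    if ($conn === false) {
        // Only reached for a syntactically invalid host/port: ldap_connect() does not
        // open the socket. The TCP connection happens on the first bind, so
        // "Can't contact LDAP server" from ldap_bind() means DNS/network/firewall,
        // not a wrong DN or password.
        return [false, 'ldap_connect() rejected the host/port'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires v3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);          // do not chase AD's partition referrals

    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        return [false, 'service bind failed: ' . ldap_error($conn)];
    }

    // Escape the login name so input such as "*)(objectClass=*" cannot widen the filter.
    $safeUser = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter   = sprintf('(&(objectClass=user)(%s=%s))', $userAttr, $safeUser);

    $res = @ldap_search($conn, $context, $filter, ['dn']);
    if ($res === false) {
        return [false, 'search failed: ' . ldap_error($conn)];
    }
    $entries = ldap_get_entries($conn, $res);
    if ($entries['count'] !== 1) {
        // 0 = wrong attribute/context; >1 = ambiguous login name, refuse rather than guess.
        return [false, "expected exactly one entry, got {$entries['count']}"];
    }
    $userDn = $entries[0]['dn'];

    // An empty password would turn this into an unauthenticated bind, which AD accepts.
    if ($password === '' || !@ldap_bind($conn, $userDn, $password)) {
        return [false, 'user bind failed for ' . $userDn . ': ' . ldap_error($conn)];
    }
    ldap_unbind($conn);
    return [true, $userDn];
}

// Usage: php test_ldap_ad.php rray 'the-users-password'
[$ok, $detail] = ldap_login($host, $port, $bindDn, $bindPw, $context, $userAttr,
                            $argv[1] ?? 'rray', $argv[2] ?? '');
echo ($ok ? 'OK: ' : 'FAIL: ') . $detail . PHP_EOL;
```

Run it from the web server's shell with display_errors on, as Rod did, and the printed reason tells you which of the four steps broke. If the service bind succeeds but the search returns zero entries, the user attribute or the context is wrong (Robert's two fixes); if the search is refused outright while the context is the domain root, widen or narrow the context as Iñaki suggested, or confirm referral chasing is off.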

In reply to Iñaki Arenaza

Re: LDAP authentication issues

by Chris Goralski -

Hi all,

I'm having similar troubles getting Moodle to auth against my LDAP server. I've used the ldp.exe tool to confirm my ability to bind to the LDAP server, and even as far as searching a given OU... but when I apply the settings in Moodle, I get the error stating that bind result was ""

Can anybody help? Either that, or can someone help / give instructions on installing the RADIUS module under a Windows Server 2003 install (IIS and MySQL)...

These are my current settings:

LDAP Config:

LDAP server settings

Host URL: myldapserver.domain.qld.edu.au

Version: 3

LDAP encoding: utf-8

Bind settings

Hide passwords: Yes

Distinguished Name: ldapuser@upn (This shortened name works when using it in ldp.exe  )

Password: Bindpassword

User lookup settings

User type: MS AD

Contexts: ou=users,DC=domain,DC=qld,DC=edu,DC=au

Search subcontexts: Yes

Dereference aliases: No

User attribute: (blank)

Member attribute: (blank)

All other config parameters were left as the default.

Thanks for the advice...

Cheers,

Chris