Invalid Login, LDAP Connection

by Jason Rinne -
Number of replies: 40
My bind settings work with the following information, but when I try to log in I receive "Invalid Login, Please try again".
I will try any changes that anyone recommends.

Environment: Windows Server 2003, Apache 2.2, PHP 5, MYSQL 5, Moodle 1.9

LDAP Settings:
Host URL: xxx.xx.xx.x
Version : 3
LDAP Encoding: utf-8

Hide passwords: yes
Distinguished name: moodleldap@domain.loc
password: **********

UserType: MS Active Directory
Contexts: ou=moodleusers, dc=domain, dc=loc
Search Subcontexts: Yes
User Attribute: sAMAccountName
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Howard Miller -
Firstly, a really stupid question: you *did* enable the LDAP plugin, not just edit the settings? I've done it.

Failing that, I would turn up debugging (Site Administration => Server => Debugging) and see if you can get a better clue about where it's failing.
In reply to Howard Miller

Re: Invalid Login, LDAP Connection

by Jason Rinne -
Yes, the LDAP plugin is enabled and moved to the top.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Jez H -
On our setup distinguished name is something like:

CN=xxxx, OU=xxxx, OU=xxx, OU=xxx,DC=xxxx

not a domain name.
In reply to Jez H

Re: Invalid Login, LDAP Connection

by Jason Rinne -
When I try changing it to CN=xxx, OU=xxx, OU=xxx, DC=xxx I get a bind error #48.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Dennis Flynn -
If your moodleldap user is in the "Users OU", this is really a CN. So it'd be CN=moodleldap,CN=Users,DC=domain,DC=loc
In reply to Dennis Flynn

Re: Invalid Login, LDAP Connection

by Jason Rinne -
Made the change and I received a Bind result error #48.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by HJWUCGA INC. -
Okay, I'm by no means an expert, but this is what I would do:

1. Step back a bit and take a relaxing breath =)

2. I would start simply by using an LDAP browser to connect to the directory.

3. Let us know the complete error message if you cannot connect.

From what you have reported, number 48 means:

LDAP_INAPPROPRIATE_AUTH 48
Inappropriate authentication was specified (e.g., LDAP_AUTH_SIMPLE was specified and the entry does not have a userPassword attribute).

i.e.

- LDAP_NO_OBJECT_CLASS_MODS (Object class modifications are not allowed.)

- LDAP_OTHER (An unknown error occurred.)

- LDAP_SERVER_DOWN (The LDAP library cannot contact the LDAP server.)

- LDAP_LOCAL_ERROR (Some local error occurred. This is usually a failed malloc().)

- LDAP_ENCODING_ERROR (An error was encountered encoding parameters to send to the LDAP server.)

and so on ...
In reply to HJWUCGA INC.

Re: Invalid Login, LDAP Connection

by Jason Rinne -
What do you mean by an LDAP browser?
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Jason Rinne -
Here is the message I receive:
LDAP-module cannot connect to any servers: Server: 'xxx.xx.xx.x' Connection: 'Resource id #48' Bind result: ''
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by HJWUCGA INC. -
The message is pretty clear; that's why I suggest you try the connection to the server outside of Moodle first, and take baby steps.

Any LDAP browser program would do... You can use Softerra's LDAP Browser 2.6

http://www.ldapbrowser.com/download.htm

Try to connect first to your server and see if you can see all your objects. If you can, then we can rule that out.
In reply to HJWUCGA INC.

Re: Invalid Login, LDAP Connection

by Jason Rinne -
I downloaded Softerra LDAP Admin and I was able to connect to my server and view all my objects.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by HJWUCGA INC. -
Did you install the browser on the machine where your Moodle server is located?

Can you ping the directory server from your Moodle server?

Trying to establish whether they can see each other or not.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Jonathan Moore -
Once I have a connection with this tool, I will generally right-click on objects and choose Properties. From the properties screen you can cut and paste properly formatted LDAP settings. I then paste these into the Moodle config strings.

Once I have a successful connection with my bind user credentials to the AD, I can normally get the Moodle connection to work properly with this method.
In reply to Jonathan Moore

Re: Invalid Login, LDAP Connection

by Jason Rinne -
HURRRRRRRRAYYYYYYYYYY!!!!!
The best answer is sometimes the one that stares you in the face. Thank you Thank you Thank you!
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Jonathan Moore -
Glad it worked.

These LDAP setups can be a bear, but once you get it going it's well worth the effort.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Miguel Santos -

Does the moodleldap user have the rights to search for users?

I got the LDAP to work with MS Active Directory by giving my distinguished name admin rights.

In reply to Miguel Santos

Re: Invalid Login, LDAP Connection

by Jason Rinne -
I gave the account admin rights and still received the same result.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Rene Ouellette -

I am using Linux and not Windows but our host url is ldap://serverFQDN not just the IP.

LDAP Settings:
Host URL: xxx.xx.xx.x
Version : 3
LDAP Encoding: utf-8

Hide passwords: yes
Distinguished name: moodleldap@domain.loc
password: **********

UserType: MS Active Directory
Contexts: ou=moodleusers, dc=domain, dc=loc
Search Subcontexts: Yes
User Attribute: sAMAccountName

I have my contexts as dc=domain,dc=loc

DN for user should be CN=moodleldap,OU=moodleusers,DC=domain,DC=loc if the moodleldap user is in the moodleusers OU.

Rene

In reply to Rene Ouellette

Re: Invalid Login, LDAP Connection

by Jason Rinne -
I do not want to set my contexts to simply dc=domain, dc=loc because I don't want everyone in the domain to be able to log in to Moodle.

I have tried changing the DN to your suggestion and every time I do I get a bind error.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Rene Ouellette -

Hi Jason

Can you take a screen capture of your LDAP setup?  I would like to see all of the settings as they are put in.  You can change the domain names and such to stay anonymous if you like.

Thanks,

Rene

In reply to Rene Ouellette

Re: Invalid Login, LDAP Connection

by Jason Rinne -
I printed the screen to a PDF document (attached) and I blanked out our domain name.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by HJWUCGA INC. -
host url should be:

ldap://172.....

?
In reply to HJWUCGA INC.

Re: Invalid Login, LDAP Connection

by Jason Rinne -
Changed to ldap:// and got the same Invalid login, please try again
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by HJWUCGA INC. -
I can't remember, but are you connecting via ldap or ldaps?
In reply to HJWUCGA INC.

Re: Invalid Login, LDAP Connection

by Jason Rinne -
What is LDAPS?
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by HJWUCGA INC. -
Similar to https ... do you need a secure connection to your LDAP server?

One more thing ... what type of directory is it? Active Directory, OpenLDAP, eDirectory, etc.?
In reply to HJWUCGA INC.

Re: Invalid Login, LDAP Connection

by Jason Rinne -
No, I do not need a secure connection. It is MS Active Directory.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Jason Rinne -
After turning Debugging on I got these two error messages when trying to log in.

Warning: ldap_search() [function.ldap-search]: Search: No such object in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\moodle\auth\ldap\auth.php on line 1624

Warning: ldap_first_entry(): supplied argument is not a valid ldap result resource in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\moodle\auth\ldap\auth.php on line 1632

I hope this helps someone figure out my problem.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Ubutnu Man -
Jason, thanks a lot for all the effort you spent on this issue. I had the same problem as yours, but finally I was able to solve it. I will put it in a simple way:

1 - Use the ldb.exe tool you find in the official documentation on the Moodle website, and get the "Distinguished name", which should be only something like this:
"CN=DENNY. Kieran,OU=InfoTech,OU=Support,OU=Campus1,OU=Staff,OU=School,DC=domain,DC=local"
Watch for the CN; it is different from the logon name. Look at this and you will understand easily: http://moodle.org/mod/forum/discuss.php?d=52525 .

2 - Make sure to have "User Attribute: sAMAccountName".

========
From all this, my friends, we see that the LDAP authentication tool used by PHP differentiates between the CN, which is the Display name in Active Directory, and the logon name we use. What I want to say is that in the above example the CN is "CN=DENNY. Kieran" and the logon name may be "denny", like denny@domain.local.

Sorry for too many details, that's how my lil brain works!!
In reply to Ubutnu Man

Re: Invalid Login, LDAP Connection

by Jason Rinne -
Ubuntu Man, thanks for the suggestion but when I change the "Distinguished name" to CN=moodle ldap - etc... I get the attached error.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Ubutnu Man -
Hi again. What I can advise you is to just double-check that the "moodle ldap" user you have is able to bind to the server and that its DN and password are right. Nothing else to do, believe me, plus the user attribute I told you about in my reply.
In reply to HJWUCGA INC.

Re: Invalid Login, LDAP Connection

by Iñaki Arenaza -

You don't really need to prefix it with 'ldap://'. In fact, if you are not using OpenLDAP's client library, using the prefix may not work (it's happened to some in the past).

Saludos. Iñaki.

In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Iñaki Arenaza -

Jason,

I think you have a typo in your LDAP settings, in your 'Contexts' setting. The screenshot clearly shows 'cn=moodleusers,dc=xxxxx,dc=loc', while you have repeatedly stated that they are inside 'ou=moodleusers,dc=xxxxx,dc=loc' (which makes sense, as you normally create organizational units as containers in AD).

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Invalid Login, LDAP Connection

by Jason Rinne -
Changed it to OU=moodleusers and I'm still getting the same results.
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Iñaki Arenaza -
Ok, two or three additional things to check:

- Is the binding account expired, locked or disabled?

- Is the binding account allowed to log in from the server Moodle is running on?

- Do you have anything specified in the 'object class' LDAP setting?

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: Invalid Login, LDAP Connection

by Jason Rinne -
1. Account is not expired, locked or disabled.

2. I am not able to log in to Moodle from the server either

3. Nothing is specified in the 'Object class'
In reply to Jason Rinne

Re: Invalid Login, LDAP Connection

by Iñaki Arenaza -

Make sure you don't have any white spaces at the end of the 'User attribute' value. While trying to debug this issue, I've been able to reproduce it if I add a white space after the 'sAMAccountName' string.

Saludos. Iñaki.
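A small configuration check for the mistakes this thread turns up (a UPN-style bind DN instead of a full DN, cn= where an AD organizational unit is ou=, and whitespace around the user attribute), plus the search filter Moodle's ldap_search would be handed in the whitespace case. This is an added example in Python, not Moodle's own code; the sample settings are constructed from the anonymised values posted in the thread, and the filter escaping follows RFC 4515 rather than Moodle's implementation.

```python
import re

# Constructed sample: the anonymised settings from the thread, carrying the
# defects discussed later (cn= typo in the context, trailing space in the attribute).
SAMPLE_SETTINGS = {
    "bind_dn": "moodleldap@domain.loc",
    "contexts": "cn=moodleusers, dc=domain, dc=loc",
    "user_attribute": "sAMAccountName ",
}

RDN = re.compile(r"^(cn|ou|dc)=[^,=]+$", re.IGNORECASE)
UPN = re.compile(r"^[^@\s,=]+@[^@\s,=]+$")


def is_dn(value):
    """True if value is a comma-separated list of cn=/ou=/dc= RDNs."""
    return all(RDN.match(p.strip()) for p in value.split(","))


def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot alter the search filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(c, c) for c in value)


def build_user_filter(user_attribute, username):
    """Filter for the user lookup; whitespace in the attribute name survives verbatim."""
    return f"({user_attribute}={escape_filter_value(username)})"


def lint_settings(s):
    """Return one finding per configuration mistake raised in the thread."""
    findings = []
    bind_dn = s["bind_dn"]
    if UPN.match(bind_dn):
        findings.append("bind_dn is a UPN (user@domain); use a full DN like CN=...,OU=...,DC=...,DC=...")
    elif not is_dn(bind_dn):
        findings.append("bind_dn is not a well-formed DN")
    for ctx in (c.strip() for c in s["contexts"].split(";")):
        if not is_dn(ctx):
            findings.append(f"context {ctx!r} is not a well-formed DN (ldap_search: No such object)")
        elif ctx.lower().startswith("cn="):
            findings.append(f"context {ctx!r} starts with cn=; AD OUs are ou= (only the built-in Users container is cn=Users)")
    attr = s["user_attribute"]
    if attr != attr.strip():
        findings.append(f"user_attribute {attr!r} has surrounding whitespace; filter becomes {build_user_filter(attr, 'jdoe')}")
    return findings


if __name__ == "__main__":
    for finding in lint_settings(SAMPLE_SETTINGS):
        print(finding)
```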

In reply to Miguel Santos

Re: Invalid Login, LDAP Connection

by Iñaki Arenaza -

There is no need to give the user admin rights. Unless you've deployed an enhanced security policy on your domain, any normal user would be allowed to query the fields Moodle needs to perform a successful login.

Saludos. Iñaki.