## General plugins (Local): LDAP syncing scripts

local_ldap
Maintained by Charles Fulton, Andrew Zito

This plugin synchronizes Moodle cohorts against an LDAP directory using either group memberships or attribute values. This is a continuation of Patrick Pollet's local_ldap plugin, which in turn was inspired by MDL-25011 and MDL-25054.

This plugin requires that you have either CAS or LDAP enabled as an authentication method. It officially supports OpenLDAP and Active Directory. Both have unit test coverage.

The synchronization tasks are managed as scheduled tasks and are disabled by default.

### Contributors

• Wed, Aug 22, 2018, 3:48 AM
Hi Charles. I have a similar issue to guybrush. When I run the scheduled task I get the same output but no cohorts are synced.
I guess the issue appeared since the upgrade to Moodle 3.5, but we haven't made any change to the configuration since then, except we changed the LDAP username attribute to UPN. I already tried changing it back to samAccount name but it still doesn't work.

Any ideas to trace that issue?

Simon
• Thu, Aug 23, 2018, 5:10 AM
Hi Charles, since the upgrade to 3.5, no cohort updates and no cohort creation. Same issues.

Thank you
• Thu, Aug 23, 2018, 5:23 AM
Folks, I'm not sure what to suggest. My institution is running on 3.5.1 and the plugin works. Our backend is OpenLDAP. I don't have an Active Directory environment to test against. If I had to venture a guess, the paged user queries to AD either aren't returning users or are returning them in an unexpected way.
• Thu, Aug 23, 2018, 8:00 PM
I was able to track down the issue on our side, and it was indeed NOT related to the plugin, sorry for the confusion. Instead we had two different problems with the Moodle LDAP config and inconsistent groups in Active Directory. Also, since Moodle 3.5, only 100 cohorts are listed in the dropdown menu, which made our teachers first think the cohorts were not created.

Anyway, one thing I thought would be great to have was a debug parameter for the CLI script sync_cohorts.php to display the results that are fetched from LDAP. Since I had no clue what the plugin does in the background, I tried to output the contents of variables by placing print_r() in different places in the code of the plugin. That's how I finally figured out that the plugin was actually working correctly ...

Once again thanks for your work!
• Fri, Aug 31, 2018, 11:26 PM
Brief update: I've obtained access to an Active Directory test environment. I've identified at least one bug which affects attribute synchronization with large environments. I hope to release an update in the next few days which corrects this problem. I appreciate everyone's patience and I'm sorry that it's taken so long to resolve this issue.
• Thu, Sep 6, 2018, 4:03 AM
I've identified and fixed a couple bugs in the Active Directory code related to pagination. I can't say for sure that these changes will resolve the issues folks are seeing, but they might. The code is available here: https://github.com/LafColITS/moodle-local_ldap/releases/tag/v3.4.1-rc.1. I'd love to hear from folks on Active Directory before I publish a formal release.

Thanks,

Charles
• Thu, Sep 6, 2018, 11:30 PM
I've updated the plugin and a lot of cohorts are added / updated! Thanks a lot.
• Fri, Nov 23, 2018, 3:52 AM
Hi Charles, I have tested v3.4.1 (2018090700) just today against an AD. It does attribute-based sync but no group-based sync. See the details here: https://moodle.org/mod/forum/discuss.php?d=378935. The test system is still open, I can do more tests, if you could guide me.
• Wed, Nov 28, 2018, 4:03 AM
Hi Charles,
I succeeded in synchronizing group-based AD with v3.4.1 (2018090700), but I had to change line 391 in locallib.php:
- $filter = '(&('.$this->config->user_attribute.'=*)'.$this->config->objectclass.')'; +$filter = '(&('.\$this->config->user_attribute.'=*))';
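Review bot: The replacement filter on line 391 drops the `$this->config->objectclass` term altogether, so the search is no longer restricted to the configured object class and matches any entry that has `user_attribute` set. The removed line concatenates the configured value with no parentheses of its own, so it only yields a well-formed filter when that value is already a complete parenthesised term; rather than deleting the clause, keep it and make sure the value is wrapped as `(objectClass=...)` before it is concatenated.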
Otherwise I had an error for bad syntax in the LDAP search query.

Moreover, some lines of code intrigue me. For example, why are there those 2 lines, 366 & 367?! Only line 367 is useful, isn't it?!

Despite this half-success, I want to synchronize a cohort with a group that is a member of an OU. I didn't succeed so far... I activated the 'Nested Group' option but nothing happens.

Regards,
Patrick
• Sun, Apr 7, 2019, 5:44 PM
Hi, I have a question, if someone can help me, I would be very grateful.

When groups of the active directory are synchronized as cohorts, are the users associated with each group also associated with each cohort?

Thank you!!
• Sat, Sep 7, 2019, 1:50 PM
Hi Charles, the plugin works as it should (smiling). THX. I would like to add a comma-separated list in the field local_ldap | passed cohort_synching_ldap_attribute_attribute to include not only in the class group but also in the school group. Under no circumstances should all existing groups in the AD be synchronized. Therefore the way over the attribute. I could put a test environment. Regards
• Wed, Sep 11, 2019, 7:30 PM
Hi Charles and Andrew,
On our site the authentication is managed with the LDAP server plugin (Sync Plus) and is synchronized with Active Directory.
We would like to use your plugin, but having many groups in AD, we would like to import only the Organizational Units that interest us. Is it possible to do it?
Thank you
• Sat, Sep 14, 2019, 2:41 AM
Hi Stefano, there's an active proposal for OU filtering: https://github.com/LafColITS/moodle-local_ldap/issues/16. We're working on it but don't have a code solution yet.
• Sat, Sep 14, 2019, 2:51 AM
Hi Uwe, we don't have plans to support multiple attributes, and it might require some major restructuring of the code to achieve that outcome (like what to do if two attributes have similar values). Please consider filing an issue at https://github.com/LafColITS/moodle-local_ldap/issues for review.
• Wed, Feb 5, 2020, 6:47 PM
Hey guys, I don't know if I am right here, but in case not, just delete the post.

Does the plugin consider configured filters in the LDAP authentication, and if not, what is the best practice then to enroll only a few separate groups in Moodle?