Note: you are viewing the Moodle 1.9 documentation. The documentation for the current Moodle version is here: LDAP authentication.

LDAP authentication

From MoodleDocs

See en:LDAP authentication


This authentication method uses an LDAP server to check whether a user's credentials (username / password) are valid.

This article describes how to configure LDAP authentication. We start from a basic scenario, then look at an advanced scenario, and finally show how to deal with possible error cases.

Enabling

Authentication via an LDAP server is enabled on the page

  • Site administration > Users > Authentication > Manage authentication (Moodle 1.9 and later)
  • Site administration > Users > Authentication (up to Moodle 1.9)

In the list, click the closed-eye icon in the LDAP server row.

Specific settings

You configure the LDAP-specific authentication settings on the following page:

  • Site administration > Users > Authentication > Manage authentication > LDAP server > Settings (Moodle 1.9 and later)
  • Site administration > Users > Authentication > LDAP server > Settings (up to Moodle 1.9)

The following basic scenario corresponds to a simple base configuration that suits most installations. As an example, let us assume the following: your Moodle installation is reachable at http://your.moodle.site/.

  1. You have installed and enabled PHP including the LDAP extension on the Moodle server, and this is shown at http://your.moodle.site/admin/phpinfo.php when you log in to Moodle as administrator.
  2. Your LDAP server has the IP address 192.168.1.100.
  3. You do not use LDAP over SSL (also known as ldaps).
  4. You do not want users to change their password on their first login to Moodle.
  5. If you use MS Active Directory, you use a single domain as the source of your authentication data.
  6. You use the DN dc=my,dc=organization,dc=domain as the root of your LDAP tree.
  7. You have a bind user that connects to the LDAP server. Make sure that this bind user's username and password remain valid permanently, and use as strong a password as possible. You only have to enter this password once, when configuring LDAP authentication. In our basic scenario the bind user's DN is cn=ldap-user,dc=my,dc=organization,dc=domain and the password is ein_ganz_starkes_Kennwort.
  8. All Moodle users belong to an organizational unit (OU) called moodleusers that lies directly below the root of the LDAP tree. This organizational unit has the DN ou=moodleusers,dc=my,dc=organization,dc=domain.
  9. You do not want your users' LDAP passwords to be stored in the Moodle database.

Below we describe the specific settings you need to make for this basic scenario.

LDAP server settings

Host URL

If your LDAP server's IP address is 192.168.1.100, enter: "ldap://192.168.1.100" (without quotes) or simply "192.168.1.100" (some users have problems with the first form, especially with MS Windows servers).

Version

Version 3 is normally the right choice, unless you use a very old LDAP server.

LDAP encoding

Specify the encoding of the LDAP server. In most cases this is utf-8.

Bind settings

Hide passwords

If user passwords should not be stored in the Moodle database, select Yes here.

Distinguished name

Enter the DN of the bind user defined above, e.g. cn=ldap-user,dc=my,dc=organization,dc=domain (without quotes).

Password

Enter the bind user's password here. Use a strong password (at least 8 characters, 1 digit, 1 uppercase letter, 1 lowercase letter, 1 special character)!

User lookup settings

User type

  • Novell eDirectory - if your LDAP server is Novell's eDirectory
  • posixAccount (rfc2307) - if your LDAP server is RFC 2307 compliant (choose this if your server runs OpenLDAP)
  • posixAccount (rfc2307bis) - if your LDAP server is RFC 2307bis compliant
  • sambaSamAccount (v.3.0.7) - if your LDAP server runs with the Samba 3.x LDAP schema extension and you want to use it
  • MS ActiveDirectory - if your LDAP server is Microsoft Active Directory (MS-AD)

Contexts

The DN of the context (the environment or container) where your Moodle users are stored. Enter something like ou=moodleusers,dc=my,dc=organization,dc=domain.

Search subcontexts

If you have sub-organizational units (subcontexts) below ou=moodleusers,dc=my,dc=organization,dc=domain and want Moodle to search them, select Yes here. Otherwise select No.

Dereference aliases

Sometimes your LDAP server tells you that the actual value you are looking for lies in a different branch of the LDAP tree (this is called an alias). If you want Moodle to resolve the alias and fetch the value from its actual location in the LDAP tree, select Yes. Otherwise select No. If you use Microsoft Active Directory (MS-AD), also select No.

User attribute

The attribute your LDAP tree uses to name and look up users. Moodle uses a default value based on the user type you selected above. Normally the value is cn (Novell eDirectory and MS-AD) or uid (RFC 2307, RFC 2307bis and the Samba 3.x LDAP extension). If you use MS-AD, you can also enter sAMAccountName (the pre-Windows 2000 login name).

Member attribute

The attribute used to mark users as members of a given group. Moodle uses a default value based on the user type you selected above. Normally the value is member or memberUid.

Member attribute uses dn

Whether the member attribute contains distinguished names (1) or not (0). This option takes a default value based on the user type you chose above, so unless you need something special you do not need to fill it in.

Object class

The type of LDAP object used to search for users. This option takes a default value based on the user type you chose above, so unless you need something special you do not need to fill it in.

These are the default values for each ldap_user_type value:

  • User for Novell eDirectory
  • posixAccount for RFC 2307 and RFC 2307bis
  • sambaSamAccount for the Samba 3.0.x LDAP extension
  • user for MS-AD

If you get an error about a problem updating the LDAP server (even if you have specified not to write changes back to the LDAP server), try setting the LDAP object class to * - see http://moodle.org/mod/forum/discuss.php?d=70566 for a discussion of this problem.
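The user lookup settings above (user type, user attribute, object class, contexts and search subcontexts) together determine the LDAP search Moodle performs for a login name. The following is an added example in Python, not Moodle's own code: it combines those settings into a search filter, escapes the login name so that it is matched literally inside the filter, and searches a small constructed in-memory directory to show the difference between one-level and subtree searching and why the order of contexts matters. The user-type keys ("edir", "rfc2307", ...) are assumed to follow Moodle's ldap_user_type values; the sample directory, the class and all function names are this example's own.

```python
# Added example (not Moodle's own code): how the user-lookup settings combine into an
# LDAP search. Assumed: the user-type keys follow Moodle's ldap_user_type values; the
# sample directory and all names below are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Defaults per user type as listed on this page: (user attribute, object class).
USER_TYPE_DEFAULTS = {
    "edir":       ("cn",  "User"),
    "rfc2307":    ("uid", "posixAccount"),
    "rfc2307bis": ("uid", "posixAccount"),
    "samba":      ("uid", "sambaSamAccount"),
    "ad":         ("cn",  "user"),
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that a
    login name such as jo(e)* is matched literally instead of altering the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


@dataclass
class LdapUserLookup:
    user_type: str
    contexts: str             # "Contexts" setting; several DNs separated by ';'
    search_sub: bool = False  # "Search subcontexts"
    user_attribute: str = ""  # empty = default for the user type
    objectclass: str = ""     # empty = default for the user type

    def effective_user_attribute(self) -> str:
        return self.user_attribute or USER_TYPE_DEFAULTS[self.user_type][0]

    def effective_objectclass(self) -> str:
        return self.objectclass or USER_TYPE_DEFAULTS[self.user_type][1]

    def search_bases(self) -> List[str]:
        return [c.strip() for c in self.contexts.split(";") if c.strip()]

    def scope(self) -> str:
        return "sub" if self.search_sub else "one"

    def user_filter(self, username: str) -> str:
        """Filter for one login name; object class '*' (the workaround above) matches anything."""
        return "(&(objectClass=%s)(%s=%s))" % (
            self.effective_objectclass(), self.effective_user_attribute(),
            escape_filter_value(username))


def _in_scope(dn: str, base: str, scope: str) -> bool:
    # Simplified DN handling: RDNs separated by ',' and no escaped commas.
    dn, base = dn.lower(), base.lower()
    if scope == "one":
        return "," in dn and dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)


Entry = Tuple[str, Dict[str, List[str]]]


def find_user(lookup: LdapUserLookup, directory: List[Entry], username: str) -> Optional[str]:
    """Search each context in order and return the DN of the first matching user;
    this is why context order matters when a cn is not unique across contexts."""
    attr = lookup.effective_user_attribute().lower()
    oc = lookup.effective_objectclass().lower()
    for base in lookup.search_bases():
        for dn, attrs in directory:
            if not _in_scope(dn, base, lookup.scope()):
                continue
            a = {k.lower(): v for k, v in attrs.items()}
            if oc != "*" and oc not in [c.lower() for c in a.get("objectclass", [])]:
                continue
            if username.lower() in [v.lower() for v in a.get(attr, [])]:
                return dn
    return None


# Constructed sample directory matching the basic scenario on this page.
BASE = "ou=moodleusers,dc=my,dc=organization,dc=domain"
SAMPLE_DIRECTORY: List[Entry] = [
    (BASE, {"objectClass": ["organizationalUnit"]}),
    ("uid=jdoe," + BASE, {"objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["jdoe"]}),
    ("uid=asmith,ou=staff," + BASE, {"objectClass": ["posixAccount"], "uid": ["asmith"]}),
]

if __name__ == "__main__":
    flat = LdapUserLookup("rfc2307", BASE)
    deep = LdapUserLookup("rfc2307", BASE, search_sub=True)
    print(flat.user_filter("jo(e)*"))
    print(find_user(flat, SAMPLE_DIRECTORY, "asmith"))  # not found: one level only
    print(find_user(deep, SAMPLE_DIRECTORY, "asmith"))  # found below ou=staff
```

With "Search subcontexts" set to No, a user stored in ou=staff below the context is not found; with Yes it is. The escaping step is what keeps characters like parentheses or asterisks in a login name from changing the meaning of the filter.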

Force password change

Set this to Yes if you want to force your users to change their password on their first login to Moodle. Otherwise set it to No. Bear in mind that the password they are forced to change is the one stored in your LDAP server.

As you do not want your users to change their passwords on their first login, leave this set to No.

Use standard password change page

  • Setting this to Yes makes Moodle use its own standard password change page every time users want to change their passwords.
  • Setting this to No makes Moodle use the page specified in the "Password change URL" field (see below).

Bear in mind that changing your LDAP passwords from Moodle might require an LDAPS connection (this is actually a requirement for MS-AD). In addition, the bind user specified above must have the rights needed to change other users' passwords.

Also, the code for changing passwords from Moodle is almost untested for anything but Novell eDirectory and Active Directory, so it may or may not work for other LDAP servers.

Password format

Specify how the new password is encrypted before it is sent to the LDAP server: plain text, MD5 hash or SHA-1 hash. MS-AD uses plain text, for example.

Password change URL

Here you can specify a location at which your users can recover or change their username/password if they have forgotten it. This is offered to users as a button on the login page and on their user page. If you leave this blank, the button is not shown.

LDAP password expiry settings

Expiration

  • Setting this to No makes Moodle not check whether the user's password has expired.
  • Setting this to LDAP makes Moodle check whether the user's LDAP password has expired and warn her a number of days before it expires.

The current code only handles Novell eDirectory and MS-AD.

So unless you have a Novell eDirectory server or MS-AD, choose No here.

Expiration warning

How many days in advance of password expiration the user is warned that her password is about to expire.

Expiration attribute

The LDAP user attribute used to check password expiration. This option takes a default value based on the user type you chose above, so unless you need something special you do not need to fill it in.

Grace login

This setting is specific to Novell eDirectory. If set to Yes, it enables LDAP grace-login support: after the password has expired, the user can still log in until the grace-login count reaches 0.

So unless you have a Novell eDirectory server and want to allow grace logins, choose No here.

Grace login attribute

This setting is currently not used in the code (and is specific to Novell eDirectory), so you do not need to fill it in.
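The expiry settings above boil down to turning an expiration attribute into "days until expiry" and comparing that with the warning period. The following is an added example in Python, not Moodle's own code, that does this for the two directory types the page says are handled. It assumes, as conventions of those directories rather than as settings from this page, that eDirectory stores passwordExpirationTime as LDAP generalized time and that Active Directory derives the expiry from pwdLastSet (a FILETIME) plus the domain's maxPwdAge (a negative count of 100 ns intervals); the function names and sample values are constructed here.

```python
# Added example (not Moodle's own code): from an expiry attribute to the
# "days until expiry" warning. Assumptions, not taken from the page: eDirectory
# passwordExpirationTime is LDAP generalized time; Active Directory expiry is
# pwdLastSet (FILETIME) plus the domain maxPwdAge (negative 100 ns intervals).
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge value meaning "passwords never expire"


def parse_generalized_time(value: str) -> datetime:
    """LDAP generalized time in the form YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    # 100 ns units since 1601-01-01; integer arithmetic keeps the conversion exact
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ad_expiry(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """Expiry time of an AD password, or None when the domain policy never expires it.
    A pwdLastSet of 0 ('must change at next logon') comes out as long expired."""
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)


def expiry_warning(expires: Optional[datetime], now: datetime,
                   warning_days: int) -> Tuple[Optional[int], bool]:
    """Return (days left, warn?) as the 'Expiration warning' setting implies;
    days left is negative once the password has already expired."""
    if expires is None:
        return None, False
    days_left = (expires - now).days
    return days_left, days_left <= warning_days


if __name__ == "__main__":
    now = parse_generalized_time("20250220120000Z")          # constructed "now"
    edir = parse_generalized_time("20250301120000Z")         # constructed eDirectory value
    print(expiry_warning(edir, now, warning_days=10))        # 9 days left, warn
    last_set = datetime_to_filetime(parse_generalized_time("20250101000000Z"))
    forty_two_days = -42 * 24 * 3600 * 10_000_000            # constructed maxPwdAge
    print(expiry_warning(ad_expiry(last_set, forty_two_days), now, 10))
```

Keeping the FILETIME conversion in integer microseconds avoids the off-by-one-day results that floating-point seconds can produce at the boundary of the warning window.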

Enable user creation

Create users externally

New (anonymous) users can self-create accounts on the external LDAP server and confirm them via email. If you enable this, remember to also configure the module-specific options for user creation and to fill in some instructions in the auth_instructions field under Administration >> Users >> Authentication >> Manage authentication. Otherwise new users will not be able to self-create accounts.

As of now, only Novell eDirectory and MS-AD can create users externally.

Context for new users

Specify the context where new users are created. This context should be different from the other users' contexts to prevent security issues.

Course creators

Creators

The DN of the group that contains all of your Moodle course creators. This is typically a posixGroup with a memberUid attribute for each user you want to be a creator. If your group is called creators, enter cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (i.e. not memberUid: cn=JoeTeacher,ou=moodleusers,dc=my,dc=organization,dc=domain, but rather memberUid: JoeTeacher).

In eDirectory, the objectClass of a group is (by default) not posixGroup but groupOfNames, whose member attribute is member rather than memberUid, and whose value is the full DN of the user in question. Although you could probably modify Moodle's code to use this field, a better solution is simply to add posixGroup as an additional objectClass to your creators group and put the CN of each creator in a memberUid attribute.

In MS Active Directory, you will need to create a security group for your creators and add them all to it. If your LDAP context above is 'ou=staff,dc=my,dc=org', then your group should be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users come from other contexts and have been added to the same security group, you will have to add these as separate contexts after the first one, using the same format.
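The creators check described above depends on whether the group's member attribute holds CNs (posixGroup with memberUid) or full DNs (groupOfNames or an AD security group with member), which is what the "Member attribute uses dn" setting selects. The following is an added example in Python, not Moodle's own code, showing that check against constructed group entries for the basic scenario on this page; the function names and sample entries are this example's own, and DN handling is simplified (no escaped commas).

```python
# Added example (not Moodle's own code): course-creator membership check for a
# posixGroup (CN in memberUid, uses dn = 0) and for a groupOfNames / AD security
# group (full DN in member, uses dn = 1). Entries below are constructed sample data.
from typing import Dict, List


def rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. 'JoeTeacher' from 'cn=JoeTeacher,ou=...'
    (simplified: assumes no escaped commas in the DN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def is_member(group: Dict[str, List[str]], user_dn: str,
              member_attribute: str, member_attribute_isdn: bool) -> bool:
    """Compare the user's full DN or only its CN, depending on 'Member attribute uses dn'."""
    wanted = user_dn if member_attribute_isdn else rdn_value(user_dn)
    values = [v.lower() for v in group.get(member_attribute, [])]
    return wanted.lower() in values


def is_creator(creators_setting: str, directory: Dict[str, Dict[str, List[str]]],
               user_dn: str, member_attribute: str, member_attribute_isdn: bool) -> bool:
    """'Creators' may list several group DNs separated by ';'; membership in any one suffices."""
    for group_dn in (g.strip() for g in creators_setting.split(";") if g.strip()):
        group = directory.get(group_dn.lower())
        if group is not None and is_member(group, user_dn, member_attribute, member_attribute_isdn):
            return True
    return False


BASE = "ou=moodleusers,dc=my,dc=organization,dc=domain"
USER_DN = "cn=JoeTeacher," + BASE
DIRECTORY = {
    # posixGroup with CNs in memberUid, as recommended above
    ("cn=creators," + BASE).lower(): {"objectClass": ["posixGroup"],
                                      "memberUid": ["JoeTeacher", "AnnLecturer"]},
    # groupOfNames / AD security group with full DNs in member
    "cn=creators,ou=staff,dc=my,dc=org": {"objectClass": ["groupOfNames"], "member": [USER_DN]},
    # the mistake warned about above: a full DN inside memberUid
    ("cn=wrong," + BASE).lower(): {"objectClass": ["posixGroup"], "memberUid": [USER_DN]},
}

if __name__ == "__main__":
    print(is_creator("cn=creators," + BASE, DIRECTORY, USER_DN, "memberUid", False))   # True
    print(is_creator("cn=wrong," + BASE, DIRECTORY, USER_DN, "memberUid", False))      # False
    print(is_creator("cn=creators,ou=staff,dc=my,dc=org", DIRECTORY, USER_DN, "member", True))  # True
```

The third case is the eDirectory/AD layout: it only works when the member attribute is member and "Member attribute uses dn" is 1; with the posixGroup setting the same group never matches.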

Cron synchronization script

Removed external users

Specify what to do with an internal user account during mass synchronization when the user has been removed from the external source. Only suspended users are automatically revived if they reappear in the external source.

NTLM SSO

Enable

If you want to use NTLM SSO (see NTLM_authentication for details), choose Yes here. Otherwise choose No.

Subnet

Specify the subnets of the clients that will use NTLM SSO (see NTLM_authentication for details).

Data mapping

All data mapping settings are optional. Each one names the attribute in your LDAP server that holds the corresponding field of the Moodle user profile:

  • First name: usually givenName.
  • Surname: usually sn.
  • Email address: usually mail.
  • City/town: usually l (lowercase L) or localityName (not valid in MS-AD).
  • Country: usually c or countryName (not valid in MS-AD).
  • Language: preferredLanguage.
  • Description: description.
  • Web page
  • ID number
  • Institution
  • Department: usually departmentNumber (for posixAccount and perhaps eDirectory) or department (for MS-AD).
  • Phone 1: usually telephoneNumber.
  • Phone 2: an additional telephone number; this can be homePhone, mobile, pager, facsimileTelephoneNumber or even others.
  • Address: the street address, usually streetAddress or street.

Setting up regular automatic synchronisation using cron

There is a script located at /auth/ldap/auth_ldap_sync_users.php which will create or suspend/delete (see the setting above) all LDAP accounts automatically. Ideally, this is called from the command line once a day during a quiet time using exactly the same procedure as the standard cron job (so you will end up with two cron entries). It is important, however, to make sure that all of the above LDAP settings are working properly before you try this, as well as backing up your database and moodledata folders. Poor LDAP configuration could lead to users being wrongly deleted.

If you find that the script is not running through all of your users properly and you have MS Active Directory + over 1000 users, this is because by default, MS AD only sends back 1000 users at a time. Follow the instructions here to set the MaxPageSize setting to a number higher than your total number of users (both now and in future) to fix it.

Active Directory help

Active Directory is Microsoft's directory service. It is included in Windows 2000 Server and later versions of their operating system. For more information about subjects below, please go here.

  • Warning: The PHP LDAP module does not seem to be present
  • LDAP-module cannot connect any LDAP servers
  • Getting correct CNs for Contexts and Creators
  • Getting the right user_attribute
  • Installing ldp.exe Server Tool
  • Example Active Directory Configuration
  • Child Domains and the Global Catalog in MS Active Directory
  • Enabling the Global Catalog
  • Active Directory with Moodle 1.8
  • MS Active Directory + SSL

Advanced scenarios - multiple servers or locations

For larger installations with multiple LDAP servers, or multiple locations (contexts) in an LDAP tree.

Using multiple LDAP servers

Entering more than one name in the ldap_host_url field can provide some resilience to your system. Simply use the syntax: ldap://my.first.server ; ldap://my.second.server ; ...

Of course, this only works if all the servers share the same directory information, using a replication or synchronization mechanism, once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in the Moodle 1.5 - 1.6 implementation of LDAP authentication: the auth_ldap_connect() function processes the servers sequentially, not in round-robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before it switches to the following one.
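To make the sequential behaviour described above concrete, here is an added example in Python (not Moodle's code and not its auth_ldap_connect()) that parses a multi-server Host URL and tries the servers in order, accounting for the time a client waits when the primary is down. The connect step is injected so the example runs offline; the simulated connector, the server names and the timeout figures are constructed here.

```python
# Added example (not Moodle's own code): sequential failover over a ';'-separated
# Host URL, as the page describes for auth_ldap_connect(). The connect step is
# injected; simulated_connector() stands in for a real ldap_connect()/ldap_bind().
from typing import Callable, List, Optional, Sequence, Tuple


def parse_host_urls(host_url: str) -> List[str]:
    """'ldap://a ; ldap://b' -> ['ldap://a', 'ldap://b']; the order is the try order."""
    return [h.strip() for h in host_url.split(";") if h.strip()]


def connect_sequentially(host_url: str, connect: Callable[[str, float], object],
                         timeout: float) -> Tuple[Optional[str], List[Tuple[str, str]], float]:
    """Try the servers in order. Returns (server that answered or None, per-server
    outcome, seconds the client would have waited). A dead primary costs a full
    timeout on every login attempt, which is the drawback described above."""
    outcomes: List[Tuple[str, str]] = []
    waited = 0.0
    for server in parse_host_urls(host_url):
        try:
            connect(server, timeout)
        except (TimeoutError, ConnectionError) as err:
            outcomes.append((server, type(err).__name__))
            # a timeout burns the whole timeout; a refused connection fails at once
            waited += timeout if isinstance(err, TimeoutError) else 0.0
            continue
        outcomes.append((server, "ok"))
        return server, outcomes, waited
    return None, outcomes, waited


def simulated_connector(down: Sequence[str] = (), refused: Sequence[str] = ()) -> Callable[[str, float], object]:
    """Constructed stand-in for the LDAP connect+bind step: servers in 'down' time out,
    servers in 'refused' fail immediately, anything else connects."""
    def connect(server: str, timeout: float) -> object:
        if server in down:
            raise TimeoutError(server)
        if server in refused:
            raise ConnectionRefusedError(server)
        return {"server": server, "timeout": timeout}
    return connect


if __name__ == "__main__":
    hosts = "ldap://my.first.server ; ldap://my.second.server"
    print(connect_sequentially(hosts, simulated_connector(down=["ldap://my.first.server"]), 30.0))
    print(connect_sequentially(hosts, simulated_connector(), 30.0))
```

Because the primary is always tried first, the practical mitigations are to list the most reliable server first and to keep the connection timeout short enough that a failover does not stall every login for the full timeout.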

Using multiple user locations (contexts) in your LDAP tree

There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a single ou=people,dc=my,dc=organization,dc=domain or ou=people,o=myorg container.

Conversely, if you use the ACL mechanism to delegate user management, chances are that your users will be stored in containers like ou=students,ou=dept1,o=myorg and ou=students,ou=dept2,o=myorg ...

Then there are two alternatives:

  • Search at the o=myorg level with the ldap_search_sub attribute set to yes.
  • Set the ldap_context to ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg.

Choosing between these two solutions calls for some benchmarking, as the result depends heavily on the structure of your directory tree and on the indexing capabilities of your LDAP software. Simply note that in such deep trees there is a probability that two users share the same common name (cn) while having different distinguished names. Then only the second solution will have a deterministic result (always returning the same user).

Using LDAPS (LDAP + SSL)

Enabling LDAPS on the LDAP server side

Enabling LDAPS on the client side (Moodle server)

  • If you are running Moodle on MS Windows, you need to tell PHP's OpenLDAP extension to disable SSL server certificate checking. You must create a directory called C:\OpenLDAP\sysconf. In this directory, create a file called ldap.conf with the following content:

    TLS_REQCERT never

  • If you are running Moodle on Linux or any other Unix-like operating system, and you want to disable SSL server certificate checking, edit the OpenLDAP client configuration file (usually /etc/ldap.conf, /etc/ldap/ldap.conf or /etc/openldap/ldap.conf) and make sure it contains a line like the following:

    TLS_REQCERT never

Now you should be able to use ldaps:// when connecting to your LDAP server.

If you have the LDAPS server's certificate as a file and want the connection to verify the certificate, copy the certificate file to an arbitrary directory (e.g. /etc/ldap/certificate.pem) on your client and change the content of ldap.conf as follows:

    TLS_REQCERT demand
    TLS_CACERT  /etc/ldap/certificate.pem

With TLS_REQCERT never the client accepts any server certificate; with demand, if the server certificate is bad or not provided, the connection to the LDAPS server is immediately terminated.


Appendices

ldap auth_user_create() only supports Novell

After configuring user authentication with LDAP I realized LDAP only supports edir (Novell) when combining LDAP and email user confirmation. For example, in my case (I use OpenLDAP) I have the following error after filling in the user form:

auth: ldap auth_user_create() does not support selected usertype:"rfc2307" (..yet)


Setting resource limits on Red Hat Directory Server

Operational attributes can be set for the bind user DN from the command line. One can simply use ldapmodify to add the following attributes:

  • nsLookThroughLimit - how many entries are examined for a search operation. A value of -1 means no limit.
  • nsSizeLimit - the maximum number of entries the server returns to a client application in response to a search operation. A value of -1 means no limit.
  • nsTimeLimit - the maximum time the server spends processing a search operation. A value of -1 means no time limit.
  • nsIdleTimeout - the time, in seconds, a connection to the server can be idle before it is dropped. A value of -1 means no limit.

LDAP console command line:

 ldapmodify -h redhat_dir_server -p 389 -D "cn=directory manager" -w secretpwd

 dn: uid=MoodleAdmin,ou=system,dc=myschool,dc=edu
 changetype: modify
 add: nsSizeLimit
 nsSizeLimit: 1000

See also