MoodleDocs - User contributions [en]

Upgrading

2009-04-01T14:49:41Z

Acacha:

Moodle is designed to upgrade cleanly from one version to the next. Please refer to [[Upgrading to Moodle 1.6]], [[Upgrading to Moodle 1.8]] or [[Upgrading to Moodle 1.9]] for particular considerations related to the upgraded version.

Changes that have been made to the original code, such as installing a contributed module (non-standard module) or a site edit of a php file, may not upgrade. This includes modifications to standard themes, that will be overwritten during an upgrade.

For those using cpanel, you can use [http://ic.eflclasses.org/tutorials/howtoupgrademoodlewithcpanel.swf this tutorial]. It is a bit rough around the edges and is a little dated, but you should get the idea.

__TOC__

When upgrading a Moodle installation you should follow these steps:

==Check the requirements==
Spend some time re-reading the [[Installing Moodle | installation documentation]] and documentation for the new version. Check the system requirements for the target version you want to upgrade-to in ''Administration > Server > [[Environment]]''.

== Backup important data ==

Although it is not strictly necessary, it is always a good idea to make a backup of any production system before a major upgrade, just in case you need to revert back to the older version for some reason. In fact, it's a good idea to automate your server to backup your Moodle installation daily, so that you can skip this step.

There are three areas that need backing up:

=== 1. The Moodle software directory itself ===

Make a separate copy of these files before the upgrade, so that you can retrieve your config.php and any modules you have added like themes, languages etc

=== 2. Your data directory ===

This is where uploaded content resides (such as course resources and student assignments) so it is very important to have a backup of these files anyway. Sometimes upgrades may move or rename directories within your data directory.

=== 3. Your database ===

Most Moodle upgrades will alter the database tables, adding or changing fields. Each database has different ways to backup. One way of backing up a MySQL database is to 'dump' it to a single SQL file. The following example shows Unix commands to dump the database called "moodle":

mysqldump -u username -p -C -Q -e -a moodle > moodle-backup-2007-04-01.sql
(The "-a" switch is deprecated and should be replaced by "--create-options")

Substitute your database user account for username. The -p flag will prompt you for the password for the username specified by -u.

If your database host is different from the host you want to execute the backup command (usually the web server), you have to specify it with the -h option to mysqldump:

mysqldump -u username -p -h databasehost -C -Q -e -a moodle > moodle-backup-2007-04-01.sql

You can also use the "Export" feature in Moodle's optional "MySQL Admin" web interface to do the same thing on all platforms. In Moodle v1.9 and greater, this is located in '''Site Administration''' -> '''Server''' -> '''Database'''. This interface can also be downloaded from http://download.moodle.org/modules/integrations.php. It is an integration of PHPMyAdmin for the Moodle administration interface.

==== SQL dump caveats ====

* Please note that there are a '''LOT''' of options possible for mysqldump. Please talk with your Systems Administrator (if you have one) or similar to see if there are site-specific flags you should use for your SQL dump.
** For example, if your local installation is running MySQL 5.2 and you are moving to a system running MySQL 5.0 or 4.1, you really ought to use the "--compat=mysql40" flag. (This is not too uncommon of a situation given the nature of ISP hosting as compared to local user Moodle setups)
* This seems obvious, but should be said outright: These instructions only work for dumping from MySQL! Postgresql, Oracle, and other database servers have different tools to dump databases.
* Given the example mysql import lines, above, you really should use the --no-create-db flag. If your database locally is named something differently from the migration site, not including this flag could cause problems.

== Install the new Moodle software ==

=== Using a downloaded archive ===

@Do not overwrite an old installation unless you know what you are doing ... sometimes old files can cause problems in new installations. The best way is to rename the current Moodle directory to something else, then unpack the new Moodle archive into the old location.

Linux
mv moodle moodle.backup
tar xvzf moodle-1.1.tgz

Next, copy across your config.php, any other plugins such as custom themes, and your .htaccess file if you created one:

cp moodle.backup/config.php moodle
cp -pr moodle.backup/theme/mytheme moodle/theme/mytheme

Don't forget to

sudo chown www-data moodle/config.php

if necessary.

where www-data is whatever user the Apache user is on your system. This is often 'apache' or 'www'.
You can find out by doing 'ls -l' in your /var/www/moodle folder (or wherever your moodle site is)
and then looking at the owner and group.

so you may see something like

ls -l
...lots of lines...
-rw-r--r-- 1 apache system 784 Jun 28 2007 config.php
...lots more lines...

so the owner is apache and the group is system.

To replicate this on your new system you can do 'chown apache:system config.php'

or to do a whole group do

chown apache:system ./*

and recursively

chown -R apache:system ./*

=== Using CVS ===

You can use CVS for updating or upgrading your Moodle.
First you need to do a CVS checkout in your (empty) Moodle root directory.

You can use any of our [[CVS_for_Administrators#CVS_Servers|CVS Mirror servers]]. Just replace '''SERVER.cvs.moodle.org''' in the instructions below with the name of the mirror server you chose!.

'''For Linux servers'''

To do a CVS checkout of Moodle, you first have to logon to the Moodle CVS server.

<nowiki>cvs -d:pserver:anonymous@SERVER.cvs.moodle.org:/cvsroot/moodle login</nowiki>
No password for anonymous, so just hit the Enter button.

Go to the directory where you want the Moodle root to come and type

<nowiki>cvs -z3 -d:pserver:anonymous@SERVER.cvs.moodle.org:/cvsroot/moodle co -r MOODLE_18_STABLE moodle</nowiki>
(where MOODLE_18_STABLE is the desired version)

To update, just go into the Moodle root directory and update to the new files:

cvs update -dP
To update to a new version type in the following and change 18 to whatever newest version upgrade number is
cvs -Q update -dP -r MOODLE_18_STABLE

Make sure you use the "d" parameter to create new directories if necessary, and the "P" parameter to prune empty directories.

'''For Windows servers'''

You can use Tortoise CVS to do the initial checkout and the updates.

If you have been editing Moodle files, watch the messages very closely for possible conflicts. All your customised themes and non-standard plugins will be untouched.

Don't forget to visit the admin page after the CVS update process has completed.

== Finishing the upgrade ==

The last step is to trigger the upgrade processes within Moodle.

To do this just visit the admin page of your installation e.g. ''<nowiki>http://example.com/moodle/admin</nowiki>''

It doesn't matter if you are logged in as admin or not. If you are upgrading from some older versions you would not be able to login before the upgrade anyway.

Moodle will automatically detect the new version and perform all the database or filesystem upgrades that are necessary. If there is anything it can't do itself (very rare) then you will see messages telling you what you need to do.

Assuming all goes well (no error messages) then you can start using your new version of Moodle and enjoy the new features!

Please note that if you are running a large scale of moodle site (e.g. have more tha 10,000+ courses and 40,000+ users), make sure that you do your own performance profiling testing before you upgrade to Moodle 1.8.x, as there are still quite a few outstanding (unresolved) performance issues in 1.8.x for large user base installations.

== Verify the upgrade (optional) ==

If you wish to confirm that the database definitions in the upgraded database match the definitions of a new, clean install (which they should) you might like to look at [[Verify Database Schema]].

==Upgrading more than one version==

In general, it is recommended to upgrade via each version of Moodle, for example 1.7 -> 1.8 -> 1.9. An exception to this is when upgrading from 1.5 or 1.6, when it is recommended that 1.7 is skipped, in other words upgrade 1.5 -> 1.6 -> 1.8 -> 1.9. (The main reason for this recommendation is that the default roles settings obtained when upgrading to 1.7 are not ideal for 1.8 onwards.)

==See also==

*[[Installing Moodle]]
*[[Installation FAQ]]
*[[Upgrading to Moodle 1.6]]
*[[Upgrading to Moodle 1.8]]
*[[Upgrading to Moodle 1.9]]
*[[Upgrading to Moodle 2.0]]
*[[Environment]]
*Using Moodle [http://moodle.org/mod/forum/view.php?id=28 Installation problems] forum
*[http://otaru-jc.ac.jp/hagley/howtoupgrademoodlewithcpanel.swf How to upgrade Moodle with cpanel tutorial]

Using Moodle forum discussions:
*[http://moodle.org/mod/forum/discuss.php?d=26731&parent=125858 Using cvs]
*[http://moodle.org/mod/forum/discuss.php?d=56915 Upgrading from 1.5.2 to 1.7]
*[http://moodle.org/mod/forum/discuss.php?d=56991 Upgrade nightmares.... any help appreciated]
*[http://moodle.org/mod/forum/discuss.php?d=62463 After upgrading i get "Your site may not be secure." msg]
*[http://moodle.org/mod/forum/discuss.php?d=104887 Best practices for QA]

[[Category:Installation]]

[[es:Actualización de moodle]]
[[fr:Mise à jour]]
[[ja:アップグレード]]
[[nl:Upgraden]]
[[zh:升级]]
[[pl:Aktualizacja]]
[[de:Aktualisierung von Moodle]]

LDAP authentication

2006-09-27T09:46:16Z

Acacha: /* ldap auth_user_create() only suports Novell */

This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].

==Basic Scenario==

===Assumptions===

# Your Moodle site is located at '''http://your.moodle.site/'''
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').
# Your LDAP server has '''192.168.1.100''' as its IP address.
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
# You don't want your users to change their passwords the first time they log in into Moodle.
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree.
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.

===Configuring Moodle authentication===

Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:

 
::: [[Image:auth_ldap_config_screenshot.jpg]]
 

Now, you just have to fill in the values. Let's go step by step.
 
 

{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| ldap_host_url
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).
|-
| ldap_version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
| ldap_preventpassindb
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
| ldap_bind_dn
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
| ldap_bind_pw
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|-
| ldap_user_type
| Choose:
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
| ldap_contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.
|-
| ldap_search_sub
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
| ldap_opt_deref
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
| ldap_user_attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
| ldap_memberattribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are '''member''' and '''memberUid'''.
|-
| ldap_objectclass
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

Here are the default values for each of the ''ldap_user_type'' values:
* '''User''' for Novel eDirectory
* '''posixAccount''' for RFC-2037 and RFC-2037bis
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension
* '''user''' for MS-AD
|-
| Force change password
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to ''No''
|-
| Use standard Change Password Page
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).

Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.
|-
| ldap_expiration
|
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).

So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.
|-
| ldap_expiration_warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
| ldap_exprireattr
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| ldap_gracelogins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.
|-
| ldap_graceattr
| This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.
|-
| ldap_create_context
|
|-
| ldap_creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').

In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|-
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.

This setting is optional
|-
| Surname
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.

This setting is optional
|-
| Email address
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.

This setting is optional
|-
| Phone 1
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.

This setting is optional
|-
| Phone 2
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.

This setting is optional
|-
| Department
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).

This setting is optional
|-
| Address
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.

This setting is optional
|-
| City/town
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).

This setting is optional
|-
| Country
| The name of the attribute that holds the couuntry of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).

This setting is optional
|-
| Description
| '''description'''

This setting is optional
|-
| ID Number
|

This setting is optional
|-
| Language
| '''preferredLanguage'''

This setting is optional
|-
| Instructions
|
|}

The rest of the fields are common to all authentication methods and will not be discussed here.

==Advanced Scenarios==

===Using multiple LDAP Servers===
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap://my.second.server ; ...

Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

===Using multiple user locations (contexts) in your LDAP tree===
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...

Then there is an alternative :
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).

===Using LDAPS (LDAP + SSL)===
====MS Active Directory + SSL ====

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the procedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory. After support tools installation:
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you should get information about the connection.

Next step is to tell PHP's OpenLDAP extension to disable SSL certificate checking. On Windows servers you're most likely using pre-compiled PHP version, where you must create a path ''C:\OpenLDAP\sysconf''. In this path create a file called "ldap.conf" with content:

TLS_REQCERT never.

Now you should be able to use '''ldaps://''' when connecting to MS-AD.

==Appendices==

===Child Domains and the Global Catalog in MS Active Directory===

Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

For example your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

====Enabling the Global Catalog====

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

====ldap auth_user_create() only suports Novell====

After configuring user authentication with ldap I realized ldap only support edir (Novell) when combining ldap an email user confirmation. For example in my case (I use openldap) I have the following error after filling the user form:

auth: ldap auth_user_create() does not support selected usertype:"rfc2307" (..yet)

==See also==

*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion
* [[LDAP enrolment]]

[[Category:Administrator]]
[[Category:Authentication]]

LDAP authentication

2006-09-27T09:41:23Z

Acacha: /* Appendices */

This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].

==Basic Scenario==

===Assumptions===

# Your Moodle site is located at '''http://your.moodle.site/'''
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').
# Your LDAP server has '''192.168.1.100''' as its IP address.
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
# You don't want your users to change their passwords the first time they log in into Moodle.
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree.
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.

===Configuring Moodle authentication===

Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:

 
::: [[Image:auth_ldap_config_screenshot.jpg]]
 

Now, you just have to fill in the values. Let's go step by step.
 
 

{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| ldap_host_url
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).
|-
| ldap_version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
| ldap_preventpassindb
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
| ldap_bind_dn
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
| ldap_bind_pw
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|-
| ldap_user_type
| Choose:
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
| ldap_contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.
|-
| ldap_search_sub
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
| ldap_opt_deref
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
| ldap_user_attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
| ldap_memberattribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are '''member''' and '''memberUid'''.
|-
| ldap_objectclass
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

Here are the default values for each of the ''ldap_user_type'' values:
* '''User''' for Novel eDirectory
* '''posixAccount''' for RFC-2037 and RFC-2037bis
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension
* '''user''' for MS-AD
|-
| Force change password
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to ''No''
|-
| Use standard Change Password Page
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).

Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.
|-
| ldap_expiration
|
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).

So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.
|-
| ldap_expiration_warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
| ldap_exprireattr
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| ldap_gracelogins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.
|-
| ldap_graceattr
| This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.
|-
| ldap_create_context
|
|-
| ldap_creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').

In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|-
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.

This setting is optional
|-
| Surname
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.

This setting is optional
|-
| Email address
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.

This setting is optional
|-
| Phone 1
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.

This setting is optional
|-
| Phone 2
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.

This setting is optional
|-
| Department
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).

This setting is optional
|-
| Address
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.

This setting is optional
|-
| City/town
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).

This setting is optional
|-
| Country
| The name of the attribute that holds the couuntry of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).

This setting is optional
|-
| Description
| '''description'''

This setting is optional
|-
| ID Number
|

This setting is optional
|-
| Language
| '''preferredLanguage'''

This setting is optional
|-
| Instructions
|
|}

The rest of the fields are common to all authentication methods and will not be discussed here.

==Advanced Scenarios==

===Using multiple LDAP Servers===
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap://my.second.server ; ...

Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

===Using multiple user locations (contexts) in your LDAP tree===
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...

Then there is an alternative :
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).

===Using LDAPS (LDAP + SSL)===
====MS Active Directory + SSL ====

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the procedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory. After support tools installation:
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you should get information about the connection.

Next step is to tell PHP's OpenLDAP extension to disable SSL certificate checking. On Windows servers you're most likely using pre-compiled PHP version, where you must create a path ''C:\OpenLDAP\sysconf''. In this path create a file called "ldap.conf" with content:

TLS_REQCERT never.

Now you should be able to use '''ldaps://''' when connecting to MS-AD.

==Appendices==

===Child Domains and the Global Catalog in MS Active Directory===

Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

For example your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

====Enabling the Global Catalog====

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

====ldap auth_user_create() only suports Novell====

After configuring user authentification with ldap I realized ldap only support edir (Novell) when combining ldap an email user confirmation. For example in my case (I use openldap) I have the following error after filling the user form:

auth: ldap auth_user_create() does not support selected usertype:"rfc2307" (..yet)

==See also==

*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion
* [[LDAP enrolment]]

[[Category:Administrator]]
[[Category:Authentication]]