Note: You are currently viewing documentation for Moodle 2.3. Up-to-date documentation for the latest stable version is available here: LDAP authentication.

LDAP authentication: Difference between revisions

From MoodleDocs
Main pageManaging a Moodle siteAuthenticationLDAP authentication
Authentication
(move banner which is a comment, thanks for raising issue)
(copying changes from 21 wiki)
 
(47 intermediate revisions by 17 users not shown)
Line 1: Line 1:
Location: Settings link in ''Administration > Users > [[Authentication]]''
{{Authentication}}
Location: Settings link in ''Settings > Site administration > Plugins > Authentication > Manage authentication''
 


This document describes how to set up Lightweight Directory Access Protocol (LDAP) authentication in Moodle.  We cover the basic, advanced and some trouble shooting sections to assist the user in the installation and administrating LDAP in Moodle.   
This document describes how to set up Lightweight Directory Access Protocol (LDAP) authentication in Moodle.  We cover the basic, advanced and some trouble shooting sections to assist the user in the installation and administrating LDAP in Moodle.   
 
==Table of Contents==
__TOC__
==Basic Scenario==
==Basic Scenario==
The simple and straightforward approach  for most installations.
The simple and straightforward approach  for most installations.
Line 18: Line 21:
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.
[[LDAP_authentication#Table of Contents|Table of Contents]]


===Configuring Moodle authentication===
===Configuring Moodle authentication===


Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled  "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:
Log in as an admin user and go to ''Administration > Plugins > Authentication > Manage authentication''. In the table that appears, enable the "LDAP Server" authentication option (click on the closed eye to make it open) and then click on the associated 'Settings' link. You will get a page similar to this one:


<br>
[[Image:auth_ldap_config_screenshot.jpg|center]]
::: [[Image:auth_ldap_config_screenshot.jpg]]
<br>


Now, you just have to fill in the values. Let's go step by step.
Now, you just have to fill in the values. Let's go step by step.
<br>
<br>


[[LDAP_authentication#Table of Contents|Table of Contents]]
====LDAP Server Settings====
{| border="1" cellspacing="0" cellpadding="5"
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Field name
! Value to fill in
! Value to fill in
|-
|-
| ldap_host_url
| Host URL
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes), or just "'''192.168.1.100'''" (some people have trouble connecting with the first syntax, specially on MS Windows servers).
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes), or just "'''192.168.1.100'''" (some people have trouble connecting with the first syntax, specially on MS Windows servers).
|-
|-
| ldap_version
| Version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
|-
| ldap_preventpassindb
| LDAP Encoding
| Specify encoding used by LDAP server. Most probably utf-8.
|}
 
[[LDAP_authentication#Table of Contents|Table of Contents]]
 
====Bind settings====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Hide passwords
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
|-
| ldap_bind_dn
| Distinguished Name
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
|-
| ldap_bind_pw
| Password
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|}
[[LDAP_authentication#Table of Contents|Table of Contents]]
====User lookup settings====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
|-
| ldap_user_type
| User type
| Choose:  
| Choose:  
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP, including Mac OS X server).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
|-
| ldap_contexts
| Contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here
 
On a Mac OS X Server, this is usually '''cn=users,dc=my,dc=organization,dc=domain'''.
|-
|-
| ldap_search_sub
| Search subcontexts
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
|-
| ldap_opt_deref
| Dereference aliases
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
|-
| ldap_user_attribute
| User attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in</u>.
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''User type'' value you chose above. <u>So unless you need something special, you don't need to fill this in</u>.


By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could (and have to, if you intend to use NTLM SSO) use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
|-
| ldap_memberattribute
| Member attribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u>
| The attribute used to list the members of a given group. This option takes a default value based on the ''User type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u>


By the way, the usual values are '''member''' and '''memberUid'''.
By the way, the usual values are '''member''' and '''memberUid'''.
|-
|-
| ldap_objectclass
| Member attribute uses dn
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u>
| Whether the member attribute contains distinguished names (1) or not (0).This option takes a default value based on the ''User type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u>
|-
| Object class
| The type of LDAP object used to search for users. This option takes a default value based on the ''User type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u>
* If you leave it blank, the filter "(objectClass=*)" will be used.
* If you provide "objectClass=some-string", then it will provide "(objectClass=some-string)" as the filter.
* If you provide a value that does not start with "(", it is assumed to be a value that should be set to "objectClass". So if you provide "some-string", then it will provide "(objectClass=some-string)" as the filter.
* If you provide a string that starts with a "(", then it will pass that as is. So if you provide "(&(objectClass=user)(enabledMoodleUser=1))", then it will pass that as the filter.
 
'''Note''': In the last case, there are two different places where that feature can be used:
* on interactive logins,
* on bulk account syncing, via auth/ldap/cli/sync_users.php
Moodle 1.9 only uses the feature on bulk account syncing, but not on interactive logins. Moodle 2.x uses the feature on both cases.


Here are the default values for each of the ''ldap_user_type'' values:
Here are the default values for each of the ''ldap_user_type'' values:
Line 86: Line 123:
* '''user''' for MS-AD
* '''user''' for MS-AD
If you get an error about a problem with updating the ldap server (even if you have specified not to write changes back to the ldap server) try setting the ldap object class to * - see http://moodle.org/mod/forum/discuss.php?d=70566 for a discussion on this problem
If you get an error about a problem with updating the ldap server (even if you have specified not to write changes back to the ldap server) try setting the ldap object class to * - see http://moodle.org/mod/forum/discuss.php?d=70566 for a discussion on this problem
|}
[[LDAP_authentication#Table of Contents|Table of Contents]]
====Force change password====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
|-
| Force change password
| Force change password
Line 95: Line 140:
|
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Password change URL" (see below).


Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).
Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is actually a requirement for MS-AD). In addition to that, the bind user specified above must have the rights needed to change other users' passwords.


Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.
Also, code for changing passwords from Moodle for anything but Novell eDirectory and Active Directory is almost not tested, so this may or may not work for other LDAP servers.
|-
|-
| ldap_expiration
| Password Format
| Specify how the new password is encrypted before sending it to the LDAP server: Plain text, MD5 hash or SHA-1 hash. MS-AD uses plain text, for example.
|-
| Password change URL
| Here you can specify a location at which your users can recover or change their username/password if they've forgotten it. This will be provided to users as a button on the login page and their user page. if you leave this blank the button will not be printed.
|}
 
[[LDAP_authentication#Table of Contents|Table of Contents]]
 
====LDAP password expiration settings====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Expiration
|  
|  
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.


Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).
Current code only deals with Novell eDirectory LDAP server and MS-AD.


<u>So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.</u>
<u>So unless you have Novell eDirectory server or MS-AD, choose ''No'' here.</u>
|-
|-
| ldap_expiration_warning
| Expiration warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
|-
| ldap_exprireattr
| Expiration attribute.
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u>
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''User type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u>
|-
|-
| ldap_gracelogins
| Grace logins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.


<u>So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.</u>
<u>So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.</u>
|-
|-
| ldap_graceattr
| Grace login attribute
| This setting is currently not used in the code (and is specific to Novell eDirectory).  
| This setting is currently not used in the code (and is specific to Novell eDirectory).  


<u>So you don't need to fill this in.</u>
<u>So you don't need to fill this in.</u>
|}
[[LDAP_authentication#Table of Contents|Table of Contents]]
====Enable user creation====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
|-
| ldap_create_context
| Create users externally
|
| New (anonymous) users can self-create user accounts on the external LDAP server and confirm them via email. If you enable this, remember to also configure module-specific options for user creation and to fill in some instructions in ''auth_instructions'' field in Administration >> Users >> Authentication >> Manage authentication. Otherwise the new users won't be able to self-create new accounts.
 
Only Novell eDirectory and MS-AD can create users externally (prior to Moodle 2.x). From Moodle 2.0 on, you can also create users in RFC-2307 compliant servers.
|-
| Context for new users
| Specify the context where users are created. This context should be different from other users' contexts to prevent security issues.
|}
 
[[LDAP_authentication#Table of Contents|Table of Contents]]
 
====Course creation====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
|-
| ldap_creators
| Creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator.  If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here.  Each memberUid attribute contains the CN of a user who is authorized to be a creator.  Do not use the user's full DN (e.g.,  not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator.  If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here.  Each memberUid attribute contains the CN of a user who is authorized to be a creator.  Do not use the user's full DN (e.g.,  not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').


Line 135: Line 215:


In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|}
[[LDAP_authentication#Table of Contents|Table of Contents]]
====Cron synchronization script====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Removed ext user
| Specify what to do with internal user account during mass synchronization when user was removed from external source. Only suspended users are automatically revived if they reappear in ext source.
|}
[[LDAP_authentication#Table of Contents|Table of Contents]]
====NTLM SSO====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Enable
| If you want to use NTLM SSO (see details at [[NTLM_authentication]]), choose ''Yes'' here. Otherwise, choose ''No''.
|-
| Subnet
| Specify the subnets of the clients that will use NTLM SSO (see details at [[NTLM_authentication]]).
|-
| MS IE Fast Path?
| If all of you clients (or most of them) are using MS Internet Explorer, you can set this option to bypasses certain steps of the SSO login and speed up login times. This only works with MS Internet Explorer, but deals with other browsers in a sensible way (they are automatically sent to the plain login page).
|}
[[LDAP_authentication#Table of Contents|Table of Contents]]
====Data Mapping====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
|-
| First name
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName''' or '''displayName'''


<u>This setting is optional</u>
<u>This setting is optional</u>
Line 151: Line 267:
<u>This setting is optional</u>
<u>This setting is optional</u>
|-
|-
| Phone 1
| City/town
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).
 
<u>This setting is optional</u>
|-
| Country
| The name of the attribute that holds the country of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).


<u>This setting is optional</u>
<u>This setting is optional</u>
|-
|-
| Phone 2
| Language
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.
| '''preferredLanguage'''


<u>This setting is optional</u>
<u>This setting is optional</u>
|-
|-
| Department
| Description
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).
| '''description'''


<u>This setting is optional</u>
<u>This setting is optional</u>
|-
|-
| Address
| Webpage
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.
| <u>This setting is optional</u>
|-
| ID Number
|


<u>This setting is optional</u>
<u>This setting is optional</u>
|-
|-
| City/town
| Institution
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).
|  


<u>This setting is optional</u>  
<u>This setting is optional</u>
|-
|-
| Country
| Department
| The name of the attribute that holds the couuntry of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).


<u>This setting is optional</u>
<u>This setting is optional</u>
|-
|-
| Description
| Phone 1
| '''description'''
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.


<u>This setting is optional</u>
<u>This setting is optional</u>
|-
|-
| ID Number
| Phone 2
|  
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.


<u>This setting is optional</u>
<u>This setting is optional</u>
|-
|-
| Language
| Address
| '''preferredLanguage'''
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.


<u>This setting is optional</u>
<u>This setting is optional</u>
|-
| Instructions
|
|}
|}


The rest of the fields are common to all authentication methods and will not be discussed here..
[[LDAP_authentication#Table of Contents|Table of Contents]]
 
===Setting up regular automatic synchronisation using cron===
There is a script located at /auth/ldap/cli/sync_users.php which will create or suspend/delete (see the setting above) all LDAP accounts automatically. This must be called from the command line, ideally once a day during a quiet time using exactly the same procedure as the standard [[Cron|cron]] job (so you will end up with two cron entries). It is important, however, to make sure that all of the above LDAP settings are working properly before you try this, as well as backing up your database and moodledata folders. Poor LDAP configuration could lead to users being wrongly deleted.
 
If you find that the script is not running through all of your users properly and you have MS Active Directory + over 1000 users, this is because by default, MS AD only sends back 1000 users at a time. Follow the instructions [http://support.microsoft.com/kb/315071 here] to set the MaxPageSize setting to a number higher than your total number of users (both now and in future) to fix it. This is a forest-wide setting.
 
[[LDAP_authentication#Table of Contents|Table of Contents]]
 
==Active Directory help==
[[Active Directory]] is Microsoft's directory service. It is included in Windows 2000 Server and later versions of their operating system. For more information about subjects below, '''[[Active Directory|please go here]]'''.
 
*Warning: The PHP LDAP module does not seem to be present
*LDAP-module cannot connect any LDAP servers
*Getting correct CNs for Contexts and Creators
*Getting the right user_attribute
*Installing ldp.exe Server Tool
*Example Active Directory Configuration
*Child Domains and the Global Catalog in MS Active Directory
*Enabling the Global Catalog
*Active Directory with Moodle 1.8
*MS Active Directory + SSL


==Active Directory Troubleshooting Help==
==Advanced Scenarios - Multiple servers or locations==
For larger installations with  multiple LDAP servers, or multiple locations (contexts) in a LDAP tree.


===Warning: The PHP LDAP module does not seem to be present. Please ensure it is installed and enabled.===
===Making your LDAP directory connection resilient===
This usually means that the main ldap dll or one of the supporting dlls are missing.
* Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax:
Let's start with the main one itself.
Browse to http://(moodleserver)/admin/phpinfo.php and examine the "Configuration File (php.ini) Path" field to determine which php.ini is being used and open it with an editor. Find the line 'extension=php_ldap.dll' and take out the semi-colon if it is there. That semi-colon will stop it loading the module all together!
While you have that file open, search for 'extension_dir' and note which folder it is set to. Open that folder and ensure the php_ldap.dll file is in there. If it isn't then put it in there.
If that still hasn't fixed it you are missing a supporting dll, but you don't get told that. To see what dlls are missing open the Command Prompt and navigate to the php directory and execute the following line 'php -m'. You should get some error messages now. Ugly, but at least they give you information! Find the dlls listed and copy them to the php directory. You may now need to restart the apache/httpd service. Run 'php -m' again and you should be error free and the message in Moodle should be gone now.


===LDAP-module cannot connect any LDAP servers : Server: 'ldap://my.ldap.server/' Connection: 'Resource id #26' Bind result: ''===
ldap://my.first.server; ldap://my.second.server; ...
Getting this message when you are trying to log in is a result of incorrect details for the Bind user, or the user account having insufficient permissions in Active Directory. The best way to test and resolve this is use ldp.exe to test binding until it suceeds. There are instructions on installing ldp.exe below.
Open the program and Connect to AD, giving the server name, then from the Connection menu choose Bind. Enter the details you think are correct and you will probably find that an error is returned. Try adjusting the accounts priveleges or another account until you are returned an "Authenticated as" message.
Once you are sure your account can be used to bind to AD, check that the DN of that users name is correct. Expand the tree on the left until you find the user you used to bind. Right click on that item and choose Copy DN. Go to the User Authentication page in Moodle and paste the value into the ldap_bind_dn field. Add the password and you can now feel safe your user is binding sucessfully.


===Getting correct CNs for Contexts and Creators===
Of course, this will only work if all the servers share the same directory information, if using eDirectory you would need to ensure your servers have viability of all relevant tree partitions, or if using Active Directory the servers are holding the same information you need though replication - see notes on a multi-domain environment if this applies.
For those not familiar with AD this could be very confusing, and not that easy for some who are familiar with it. Again, ldp.exe is your friend. There are instructions on installing ldp.exe below.
Open it up and expand the tree on the left until you find the group or user you want to use and right click on it and select Copy DN. Go back to the Moodle User Authentication page and paste that value into either ldap_contexts or ldap_creators.


===Getting the right user_attribute===
There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.
By default, Moodle uses an accounts cn (full name) to verify against, but most networks don't use a full given name for logon as it's too easy to guess and you can easily have two people with the same name. If this is the case for you too you need to tell Moodle to look at another field for the logon id.
In ldp.exe navigate the tree on the left to find a user account, preferably your own. Double-click the item in the tree and full-details will be loaded into the screen on the right. Look down the details until you find your logon id and note the item listed against it. For me, and a lot of people, it is sAMAccountName. Copy this name and paste it into the ldap_user_attribute on the Moodle User Authentication page.
There are instructions on installing ldp.exe below.


===Installing ldp.exe Server Tool===
See also: [http://moodle.org/mod/forum/discuss.php?d=17198 Using multiple LDAP servers - Our students are on separate domain discussion on the Using Moodle forum.
ldp.exe comes as part of the Server Tools on most versions of Windows Server. Find your Windows Server installation disc and find a folder on it called Support\Tools. In there will be a SupTools.msi which will install the server tools if run. You should now have a folder under Program Files called Support Tools, in which will be ldp.exe. ldp.exe is also available in the Windows XP Support Tools, which you can download from Microsoft [http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en here]. Alternatively, a single download of ldp.exe is available [http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm here].


===Example Active Directory Configuration===
===Using a multi-domain AD environment===
Below is an example configuration for Active Directory. As detailed above, the values may vary based on your local Active Directory configuration, but should provide a good starting point for most cases.
* If you're running Active Directory with multiple domains and you have users in more then one domain you will want to configure Moodle to look at your Global Catalog server. Specifically your top level domain Global Catalog server. Here is a simple example of this kind of Active Directory layout:


  ldap_host_url = ldap://ads.example.com
  my.domain.ca (Root AD Domain)
  ldap_version = 3
| - dc1.my.domain.ca (Domain Controller)
  ldap_preventpassindb = yes
| - dc2.my.domain.ca (Domain Controller)
  ldap_bind_dn = bind-user@example.com
  |
  ldap_bind_pw = bind-password
  | - - students.my.domain.ca (Sub AD Domain)
  ldap_user_type = MS ActiveDirectory
  | - - - dc1.students.my.domain.ca (Domain Controller)
  ldap_contexts = ou=moodleusers,dc=example,dc=com
  | - - - dc2.students.my.domain.ca (Domain Controller)
  ldap_user_attribute = sAMAccountName
  |
  | - - faculty.my.domain.ca (Sub AD Domain)
| - - - dc1.faculty.my.domain.ca (Domain Controller)
| - - - dc2.faculty.my.domain.ca (Domain Controller)
   
In this example we have our top level domain (my.domain.ca) and two sub-domains. One sub-domain is for faculty accounts (faculty.my.domain.ca) and the other is for student accounts (students.my.domain.ca). Listed under each of those are two domain controllers.


Using the above example you'll want to use the following for accessing the Global Catalog over SSL:


Note that the ldap_bind_dn value should work in either the CN=bin-user,CN=Users,DC=example,DC=com format as shown in the main instructions or the bind-user@example.com format shown in this example.
ldaps://my.domain.ca:3269/


==Advanced Scenarios - Multiple servers or locations==
If you prefer to access your global catalog over a non-SSL connection you'll want to use:
For larger installations with  multiple LDAP servers, or multiple locations (contexts) in a LDAP tree.


===Using multiple LDAP Servers===
ldap://my.domain.ca:3268/
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap://my.second.server ; ...
We found if you didn't configure things this way you'd get errors like:


Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.
  [Thu May 26 15:23:53 2011] [error] [client 192.168.xxx.xxx] PHP Warning:  ldap_search() [<a href='function.ldap-search'>function.ldap-search</a>]: Search: Partial results and referral received in /xxx/xxx/moodle20/lib/ldaplib.php on line 241, referer: http://moodle.my.domain.ca/moodle20/login/index.php
  [Thu May 26 15:23:53 2011] [error] [client 192.168.xxx.xxx] PHP Warning:  ldap_first_entry(): supplied argument is not a valid ldap result resource in /xxx/xxx/moodle20/lib/ldaplib.php on line 248, referer: http://moodle.my.domain.ca/moodle20/login/index.php


There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.


===Using multiple user locations (contexts) in your LDAP tree===
===Using multiple user locations (contexts) in your LDAP tree===
Line 265: Line 400:
Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).
Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).


===Using LDAPS (LDAP + SSL)===
===Using LDAPS (LDAP over SSL)===
====MS Active Directory + SSL ====
====Enabling LDAPS on your directory server====
 
* [[Active_Directory#MS_Active_Directory_.2B_SSL|Enabling LDAPS on MS Active Directory ]]
 
====Enabling LDAPS on your Moodle server====
Enabling LDAPS on your server can be tricky and often it is hard to pinpoint where things are going wrong. There are also differences between Windows and Linux and even different versions and distributions of Linux.
 
 
'''If you have not done so already you will need to decide upon your approach to establishing an SSL connection to your directory server:'''
 
 
* SSL connection with unverified self-signed certificate.
 
You can generate your own SSL certificate, and then instruct your Moodle server to ignore the fact that it is not valid. This setup is not as secure as others since you cannot be sure the server you are connecting to is not fake.
 
 
* SSL connection with trusted self-signed certificate.
 
You can generate your own SSL certificate on your directory server, and then specifically trust this certificate by installing it on your Moodle server.
 
 
* SSL connection with verified certificate from Internet-trusted certificate authority (CA)
 
In this approach the LDAP server has an installed certificate from an Internet-based CA, this means that your directory server would have an Internet address & host name. Your Moodle server must be trusting the certificate authority and have Internet access. This approach is not often used as it usually incurs a cost for the certificate, and it requires your directory server and Moodle server to be exposed to the Internet.
 
==Linux servers==
'''These instructions are for establishing a link using a trusted self-signed certificate.'''


If the Certificate Authority is not installed you'll have to install it first as follows:
''Note: written for a Red Hat Enterprise Linux 6 server, other Linux distributions may differ, especially in the location of the SSL certificates and OpenLdap config files, but the core principals are the same.''
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the procedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.


Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory. After support tools installation:
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.


If successful, you should get information about the connection.
To check that your directory server is online and accepting SSL connections on your LDAPS port (636), you can use try:
openssl s_client –connect <ldap server ip address>:636


Next step is to tell PHP's OpenLDAP extension to disable SSL certificate checking. On Windows servers you're most likely using pre-compiled PHP version, where you must create a path ''C:\OpenLDAP\sysconf''. In this path create a file called "ldap.conf" with content:
Get your directory server’s certificate (.crt) and upload to Moodle server's ssl certificate directory, on RHEL6 this is at '''/etc/ssl/certs'''


TLS_REQCERT never.


Now you should be able to use '''ldaps://''' when connecting to MS-AD.
Convert your ‘DER’ X509 certificate into a ‘PEM’ public key certificate.
openssl x509 -in my_server_certificate.cer -inform DER -out my_server_certificate.pem -outform PEM


==Appendices==
Create certificate hashes using c_rehash
c_rehash
''If c_rehash is not installed install with: yum install /usr/bin/c_rehash''
 
 
Ensure you are able to access your LDAPS server by a DNS name, this may mean adding an entry to your host file (/etc/hosts)
<ldap server ip address>    my_server.mydomain.school
 
Verify your certificate to check that it is installed correctly
openssl verify -verbose -CApath /etc/ssl/certs /etc/ssl/certs/my_server_certificate.pem
/etc/ssl/certs/my_server_certificate.pem: OK
 
You should now be able to connect to your LDAPS server over SSL without any errors
openssl s_client –connect <ldap server DNS name>:636


===Child Domains and the Global Catalog in MS Active Directory===
Edit your OpenLDAP config, on RHEL6 this is located at '''/etc/openldap/ldap.conf'''
# Define location of a CA Cert
TLS_CACERT /etc/ssl/certs/my_server_certificate.pem
TLS_CACERTDIR /etc/ssl/certs


Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.
Finally, you may or may not need to restart Apache, before configuring Moodle to use ldaps://<server DNS name>
httpd -k restart


For example your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)
==Windows servers==
'''These instructions are for establishing a link using an unverified self-signed certificate'''


To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.


You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.
You can tell PHP's OpenLDAP extension to disable SSL server certificate checking to do this you must create a directory called ''C:\OpenLDAP\sysconf''. In this directory, create a file called ''ldap.conf'' with the following content:


Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes.
TLS_REQCERT never


In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.
''(If you are using certain versions of PHP 5.3.x you may need to place the file at other locations, [http://bugs.php.net/bug.php?id=48866 see PHP bug #48866])''


===Enabling the Global Catalog===
Now you should be able to use '''ldaps://''' when connecting to your LDAP server.


The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)


===ldap auth_user_create() only suports Novell===
[[LDAP_authentication#Table of Contents|Table of Contents]]


After configuring user authentication with ldap I realized ldap only support edir (Novell) when combining ldap an email user confirmation. For example in my case (I use openldap) I have the following error after filling the user form:
==Appendices==


auth: ldap auth_user_create() does not support selected usertype:"rfc2307" (..yet)
=== Setting Resource Limits RedHat Directory Server ===


{{Moodle 1.9}}
Operational attributes can be set for the bind user DN using the command-line.
The previous comment only applies to Moodle 1.8 and below. Moodle 1.9 adds support for MS Active Directory too.
One can simply use ldapmodify to add the following attributes:
 
{| border="1" cellspacing="0" cellpadding="5"
! Attribute Name
! Description
|-
| nsLookThroughLimit
| Specifies how many entries are examined for a search operation. Giving this attribute a value of -1 indicates that there is no limit.
|-
| nsSizeLimit
| Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of -1 indicates that there is no limit.
|-
| nsTimeLimit
| Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit.
|-
| nsIdleTimeout        
| Specifies the time a connection to the server can be idle before the connection is dropped. The value is given in seconds. Giving this attribute a value of -1 indicates that there is no limit.
|}


=== Active Directory with Moodle 1.8===
<pre> LDAP Console Command-Line


There is an issue with the PHP ldap options that are required for Active Directory access in version 1.8 of Moodle.
ldapmodify -h redhat_dir_server -p 389 -D "cn=directory manager" -w secretpwd


Using moodle on a LAMP platform with authentication to Active Directory may give some errors.
dn: uid=MoodleAdmin,ou=system,dc=myschool,dc=edu
changetype: modify
add:nsSizeLimit
nsSizeLimit: 1000
</pre>


Check this bug [http://tracker.moodle.org/browse/MDL-10921 MDL-10921] or this post http://moodle.org/mod/forum/discuss.php?d=78316 for further information.
[[LDAP_authentication#Table of Contents|Table of Contents]]


==See also==
==See also==


*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum
* [[NTLM_authentication]]
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion
* [[Active_Directory]]
* [[LDAP enrolment]]
* [[LDAP enrolment]]
* [http://download.moodle.org/download.php/docs/en/how-to_guides/ldap_auth_and_enrolment_set-up.pdf LDAP auth and enrolment set-up guide] (PDF 227KB)


[[Category:Authentication]]
Using Moodle:
* [http://moodle.org/mod/forum/view.php?id=42 User authentication forum]
* [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion
* [http://moodle.org/mod/forum/discuss.php?d=140901 Syncronisation with AUTH_LDAP_SYNC_USERS.PHP produces fewer accounts than it should] forum discussion
* [http://moodle.org/mod/forum/discuss.php?d=17198 Using multiple LDAP servers] forum discussion


[[es:LDAP_authentication]]
[[es:LDAP_authentication]]
[[fr:Utiliser un serveur LDAP]]
[[fr:Utiliser un serveur LDAP]]
[[ja:LDAP認証]]
[[ja:LDAP認証]]
[[zh:LDAP认证]]
[[de:LDAP-Server]]

Latest revision as of 12:25, 5 July 2012

Location: Settings link in Settings > Site administration > Plugins > Authentication > Manage authentication


This document describes how to set up Lightweight Directory Access Protocol (LDAP) authentication in Moodle. We cover the basic, advanced and some trouble shooting sections to assist the user in the installation and administrating LDAP in Moodle.

Table of Contents

Basic Scenario

The simple and straightforward approach for most installations.

Assumptions

  1. Your Moodle site is located at http://your.moodle.site/
  2. You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to http://your.moodle.site/admin/phpinfo.php (logged in as user 'admin').
  3. Your LDAP server has 192.168.1.100 as its IP address.
  4. You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
  5. You don't want your users to change their passwords the first time they log in into Moodle.
  6. You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
  7. You are using a top level distinguished name (DN) of dc=my,dc=organization,dc=domain as the root of your LDAP tree.
  8. You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure this account and its password don't expire, and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of cn=ldap-user,dc=my,dc=organization,dc=domain, and password hardtoguesspassword.
  9. All of your Moodle users are in an organizational unit (OU) called moodleusers, which is right under your LDAP root. That OU has a DN of ou=moodleusers,dc=my,dc=organization,dc=domain.
  10. You don't want your LDAP users' passwords to be stored in Moodle at all.

Table of Contents

Configuring Moodle authentication

Log in as an admin user and go to Administration > Plugins > Authentication > Manage authentication. In the table that appears, enable the "LDAP Server" authentication option (click on the closed eye to make it open) and then click on the associated 'Settings' link. You will get a page similar to this one:

auth ldap config screenshot.jpg

Now, you just have to fill in the values. Let's go step by step.

Table of Contents

LDAP Server Settings

Field name Value to fill in
Host URL As the IP of your LDAP server is 192.168.1.100, type "ldap://192.168.1.100" (without the quotes), or just "192.168.1.100" (some people have trouble connecting with the first syntax, specially on MS Windows servers).
Version Unless you are using a really old LDAP server, version 3 is the one you should choose.
LDAP Encoding Specify encoding used by LDAP server. Most probably utf-8.

Table of Contents

Bind settings

Field name Value to fill in
Hide passwords As you don't want to store the users's password in Moodle's database, choose Yes here.
Distinguished Name This is the distinguished name of the bind user defined above. Just type "cn=ldap-user,dc=my,dc=organization,dc=domain" (without the quotes).
Password This is the bind user password defined above. Type "hardtoguesspassword" (without the quotes).

Table of Contents

User lookup settings

Field name Value to fill in
User type Choose:
  • Novel Edirectory if your LDAP server is running Novell's eDdirectory.
  • posixAccount (rfc2307) if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP, including Mac OS X server).
  • posixAccount (rfc2307bis) if your LDAP server is running a RFC-2307bis compatible LDAP server.
  • sambaSamAccount (v.3.0.7) if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
  • MS ActiveDirectory if your LDAP server is running Microsoft's Active Directory (MS-AD)
Contexts The DN of the context (container) where all of your Moodle users are found. Type ou=moodleusers,dc=my,dc=organization,dc=domain here.

On a Mac OS X Server, this is usually cn=users,dc=my,dc=organization,dc=domain.

Search subcontexts If you have any sub organizational units (subcontexts) hanging from ou=moodleusers,dc=my,dc=organization,dc=domain and you want Moodle to search there too, set this to yes. Otherwise, set this to no.
Dereference aliases Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to yes. If you don't want Moodle to dereference it, set this to no. If you are using MS-AD, set this to no.
User attribute The attribute used to name/search users in your LDAP tree. This option takes a default value based on the User type value you chose above. So unless you need something special, you don't need to fill this in.

By the way, it's usually cn (Novell eDirectory and MS-AD) or uid (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could (and have to, if you intend to use NTLM SSO) use sAMAccountName (the pre-Windows 2000 logon account name) if you need too.

Member attribute The attribute used to list the members of a given group. This option takes a default value based on the User type value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are member and memberUid.

Member attribute uses dn Whether the member attribute contains distinguished names (1) or not (0).This option takes a default value based on the User type value you choosed above. So unless you need something special, you don't need to fill this in.
Object class The type of LDAP object used to search for users. This option takes a default value based on the User type value you chose above. So unless you need something special, you don't need to fill this in.
  • If you leave it blank, the filter "(objectClass=*)" will be used.
  • If you provide "objectClass=some-string", then it will provide "(objectClass=some-string)" as the filter.
  • If you provide a value that does not start with "(", it is assumed to be a value that should be set to "objectClass". So if you provide "some-string", then it will provide "(objectClass=some-string)" as the filter.
  • If you provide a string that starts with a "(", then it will pass that as is. So if you provide "(&(objectClass=user)(enabledMoodleUser=1))", then it will pass that as the filter.

Note: In the last case, there are two different places where that feature can be used:

  • on interactive logins,
  • on bulk account syncing, via auth/ldap/cli/sync_users.php

Moodle 1.9 only uses the feature on bulk account syncing, but not on interactive logins. Moodle 2.x uses the feature on both cases.

Here are the default values for each of the ldap_user_type values:

  • User for Novel eDirectory
  • posixAccount for RFC-2037 and RFC-2037bis
  • sambaSamAccount for SAMBA 3.0.x LDAP extension
  • user for MS-AD

If you get an error about a problem with updating the ldap server (even if you have specified not to write changes back to the ldap server) try setting the ldap object class to * - see http://moodle.org/mod/forum/discuss.php?d=70566 for a discussion on this problem

Table of Contents

Force change password

Field name Value to fill in
Force change password Set this to Yes if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to no. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to No

Use standard Change Password Page
  • Setting this to Yes makes Moodle use it's own standard password change page, everytime users want to change their passwords.
  • Setting this to No makes Moodle use the the page specified in the field called "Password change URL" (see below).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is actually a requirement for MS-AD). In addition to that, the bind user specified above must have the rights needed to change other users' passwords.

Also, code for changing passwords from Moodle for anything but Novell eDirectory and Active Directory is almost not tested, so this may or may not work for other LDAP servers.

Password Format Specify how the new password is encrypted before sending it to the LDAP server: Plain text, MD5 hash or SHA-1 hash. MS-AD uses plain text, for example.
Password change URL Here you can specify a location at which your users can recover or change their username/password if they've forgotten it. This will be provided to users as a button on the login page and their user page. if you leave this blank the button will not be printed.

Table of Contents

LDAP password expiration settings

Field name Value to fill in
Expiration
  • Setting this to No will make Moodle not to check if the password of the user has expired or not.
  • Setting this to LDAP will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server and MS-AD.

So unless you have Novell eDirectory server or MS-AD, choose No here.

Expiration warning This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
Expiration attribute. The LDAP user attribute used to check password expiration. This option takes a default value based on the User type value you choosed above. So unless you need something special, you don't need to fill this in.
Grace logins This setting is specific to Novell eDirectory. If set to Yes, enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose No here.

Grace login attribute This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.

Table of Contents

Enable user creation

Field name Value to fill in
Create users externally New (anonymous) users can self-create user accounts on the external LDAP server and confirm them via email. If you enable this, remember to also configure module-specific options for user creation and to fill in some instructions in auth_instructions field in Administration >> Users >> Authentication >> Manage authentication. Otherwise the new users won't be able to self-create new accounts.

Only Novell eDirectory and MS-AD can create users externally (prior to Moodle 2.x). From Moodle 2.0 on, you can also create users in RFC-2307 compliant servers.

Context for new users Specify the context where users are created. This context should be different from other users' contexts to prevent security issues.

Table of Contents

Course creation

Field name Value to fill in
Creators The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called creators, type cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain, but rather memberUid: JoeTeacher).

In eDirectory, the objectClass for a group is (by default) not posixGroup but groupOfNames, whose member attribute is member, not memberUid, and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new objectClass attribute of posixGroup to your creators group and put the CNs for each creator in a memberUid attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.

Table of Contents

Cron synchronization script

Field name Value to fill in
Removed ext user Specify what to do with internal user account during mass synchronization when user was removed from external source. Only suspended users are automatically revived if they reappear in ext source.

Table of Contents

NTLM SSO

Field name Value to fill in
Enable If you want to use NTLM SSO (see details at NTLM_authentication), choose Yes here. Otherwise, choose No.
Subnet Specify the subnets of the clients that will use NTLM SSO (see details at NTLM_authentication).
MS IE Fast Path? If all of you clients (or most of them) are using MS Internet Explorer, you can set this option to bypasses certain steps of the SSO login and speed up login times. This only works with MS Internet Explorer, but deals with other browsers in a sensible way (they are automatically sent to the plain login page).

Table of Contents

Data Mapping

Field name Value to fill in
First name The name of the attribute that holds the first name of your users in your LDAP server. This is usually givenName or displayName

This setting is optional

Surname The name of the attribute that holds the surname of your users in your LDAP server. This is usually sn.

This setting is optional

Email address The name of the attribute that holds the email address of your users in your LDAP server. This is usually mail.

This setting is optional

City/town The name of the attribute that holds the city/town of your users in your LDAP server. This is usully l (lowercase L) or localityName (not valid in MS-AD).

This setting is optional

Country The name of the attribute that holds the country of your users in your LDAP server. This is usully c or countryName (not valid in MS-AD).

This setting is optional

Language preferredLanguage

This setting is optional

Description description

This setting is optional

Webpage This setting is optional
ID Number

This setting is optional

Institution

This setting is optional

Department The name of the attribute that holds the department name of your users in your LDAP server. This is usully departmentNumber (for posixAccount and maybe eDirectory) or department (for MS-AD).

This setting is optional

Phone 1 The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually telephoneNumber.

This setting is optional

Phone 2 The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be homePhone, mobile, pager, facsimileTelephoneNumber or even others.

This setting is optional

Address The name of the attribute that holds the street address of your users in your LDAP server. This is usully streetAddress or street'.

This setting is optional

Table of Contents

Setting up regular automatic synchronisation using cron

There is a script located at /auth/ldap/cli/sync_users.php which will create or suspend/delete (see the setting above) all LDAP accounts automatically. This must be called from the command line, ideally once a day during a quiet time using exactly the same procedure as the standard cron job (so you will end up with two cron entries). It is important, however, to make sure that all of the above LDAP settings are working properly before you try this, as well as backing up your database and moodledata folders. Poor LDAP configuration could lead to users being wrongly deleted.

If you find that the script is not running through all of your users properly and you have MS Active Directory + over 1000 users, this is because by default, MS AD only sends back 1000 users at a time. Follow the instructions here to set the MaxPageSize setting to a number higher than your total number of users (both now and in future) to fix it. This is a forest-wide setting.

Table of Contents

Active Directory help

Active Directory is Microsoft's directory service. It is included in Windows 2000 Server and later versions of their operating system. For more information about subjects below, please go here.

  • Warning: The PHP LDAP module does not seem to be present
  • LDAP-module cannot connect any LDAP servers
  • Getting correct CNs for Contexts and Creators
  • Getting the right user_attribute
  • Installing ldp.exe Server Tool
  • Example Active Directory Configuration
  • Child Domains and the Global Catalog in MS Active Directory
  • Enabling the Global Catalog
  • Active Directory with Moodle 1.8
  • MS Active Directory + SSL

Advanced Scenarios - Multiple servers or locations

For larger installations with multiple LDAP servers, or multiple locations (contexts) in a LDAP tree.

Making your LDAP directory connection resilient

  • Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax:
ldap://my.first.server; ldap://my.second.server; ...

Of course, this will only work if all the servers share the same directory information, if using eDirectory you would need to ensure your servers have viability of all relevant tree partitions, or if using Active Directory the servers are holding the same information you need though replication - see notes on a multi-domain environment if this applies.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

See also: [http://moodle.org/mod/forum/discuss.php?d=17198 Using multiple LDAP servers - Our students are on separate domain discussion on the Using Moodle forum.

Using a multi-domain AD environment

  • If you're running Active Directory with multiple domains and you have users in more then one domain you will want to configure Moodle to look at your Global Catalog server. Specifically your top level domain Global Catalog server. Here is a simple example of this kind of Active Directory layout:
my.domain.ca (Root AD Domain)
| - dc1.my.domain.ca (Domain Controller)
| - dc2.my.domain.ca (Domain Controller)
|
| - - students.my.domain.ca (Sub AD Domain)
| - - - dc1.students.my.domain.ca (Domain Controller)
| - - - dc2.students.my.domain.ca (Domain Controller)
|
| - - faculty.my.domain.ca (Sub AD Domain)
| - - - dc1.faculty.my.domain.ca (Domain Controller)
| - - - dc2.faculty.my.domain.ca (Domain Controller)

In this example we have our top level domain (my.domain.ca) and two sub-domains. One sub-domain is for faculty accounts (faculty.my.domain.ca) and the other is for student accounts (students.my.domain.ca). Listed under each of those are two domain controllers.

Using the above example you'll want to use the following for accessing the Global Catalog over SSL: 

ldaps://my.domain.ca:3269/

If you prefer to access your global catalog over a non-SSL connection you'll want to use: 

ldap://my.domain.ca:3268/

We found if you didn't configure things this way you'd get errors like: 

 [Thu May 26 15:23:53 2011] [error] [client 192.168.xxx.xxx] PHP Warning:  ldap_search() [<a href='function.ldap-search'>function.ldap-search</a>]: Search: Partial results and referral received in /xxx/xxx/moodle20/lib/ldaplib.php on line 241, referer: http://moodle.my.domain.ca/moodle20/login/index.php
 [Thu May 26 15:23:53 2011] [error] [client 192.168.xxx.xxx] PHP Warning:  ldap_first_entry(): supplied argument is not a valid ldap result resource in /xxx/xxx/moodle20/lib/ldaplib.php on line 248, referer: http://moodle.my.domain.ca/moodle20/login/index.php


Using multiple user locations (contexts) in your LDAP tree

There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a ou=people,dc=my,dc=organization,dc=domain or ou=people,o=myorg container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like ou=students,ou=dept1,o=myorg and ou=students,ou=dept2,o=myorg ...

Then there is an alternative :

  • Look at the o=myorg level with the ldap_search_sub attribute set to yes.
  • Set the ldap_context to ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree and on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same common name (cn), while having different distinguished names. Then only the second solution will have a deterministic result (returning allways the same user).

Using LDAPS (LDAP over SSL)

Enabling LDAPS on your directory server

Enabling LDAPS on your Moodle server

Enabling LDAPS on your server can be tricky and often it is hard to pinpoint where things are going wrong. There are also differences between Windows and Linux and even different versions and distributions of Linux.


If you have not done so already you will need to decide upon your approach to establishing an SSL connection to your directory server:


  • SSL connection with unverified self-signed certificate.

You can generate your own SSL certificate, and then instruct your Moodle server to ignore the fact that it is not valid. This setup is not as secure as others since you cannot be sure the server you are connecting to is not fake.


  • SSL connection with trusted self-signed certificate.

You can generate your own SSL certificate on your directory server, and then specifically trust this certificate by installing it on your Moodle server.


  • SSL connection with verified certificate from Internet-trusted certificate authority (CA)

In this approach the LDAP server has an installed certificate from an Internet-based CA, this means that your directory server would have an Internet address & host name. Your Moodle server must be trusting the certificate authority and have Internet access. This approach is not often used as it usually incurs a cost for the certificate, and it requires your directory server and Moodle server to be exposed to the Internet.

Linux servers

These instructions are for establishing a link using a trusted self-signed certificate.

Note: written for a Red Hat Enterprise Linux 6 server, other Linux distributions may differ, especially in the location of the SSL certificates and OpenLdap config files, but the core principals are the same.


To check that your directory server is online and accepting SSL connections on your LDAPS port (636), you can use try: 

openssl s_client –connect <ldap server ip address>:636

Get your directory server’s certificate (.crt) and upload to Moodle server's ssl certificate directory, on RHEL6 this is at /etc/ssl/certs


Convert your ‘DER’ X509 certificate into a ‘PEM’ public key certificate. 

openssl x509 -in my_server_certificate.cer -inform DER -out my_server_certificate.pem -outform PEM

Create certificate hashes using c_rehash 

c_rehash

If c_rehash is not installed install with: yum install /usr/bin/c_rehash


Ensure you are able to access your LDAPS server by a DNS name, this may mean adding an entry to your host file (/etc/hosts) 

<ldap server ip address>    my_server.mydomain.school

Verify your certificate to check that it is installed correctly 

openssl verify -verbose -CApath /etc/ssl/certs /etc/ssl/certs/my_server_certificate.pem
/etc/ssl/certs/my_server_certificate.pem: OK

You should now be able to connect to your LDAPS server over SSL without any errors 

openssl s_client –connect <ldap server DNS name>:636

Edit your OpenLDAP config, on RHEL6 this is located at /etc/openldap/ldap.conf 

# Define location of a CA Cert
TLS_CACERT /etc/ssl/certs/my_server_certificate.pem
TLS_CACERTDIR /etc/ssl/certs

Finally, you may or may not need to restart Apache, before configuring Moodle to use ldaps://<server DNS name> 

httpd -k restart

Windows servers

These instructions are for establishing a link using an unverified self-signed certificate


You can tell PHP's OpenLDAP extension to disable SSL server certificate checking to do this you must create a directory called C:\OpenLDAP\sysconf. In this directory, create a file called ldap.conf with the following content: 

TLS_REQCERT never

(If you are using certain versions of PHP 5.3.x you may need to place the file at other locations, see PHP bug #48866)

Now you should be able to use ldaps:// when connecting to your LDAP server.


Table of Contents

Appendices

Setting Resource Limits RedHat Directory Server

Operational attributes can be set for the bind user DN using the command-line. One can simply use ldapmodify to add the following attributes:

Attribute Name Description
nsLookThroughLimit Specifies how many entries are examined for a search operation. Giving this attribute a value of -1 indicates that there is no limit.
nsSizeLimit Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of -1 indicates that there is no limit.
nsTimeLimit Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit.
nsIdleTimeout Specifies the time a connection to the server can be idle before the connection is dropped. The value is given in seconds. Giving this attribute a value of -1 indicates that there is no limit. 
 LDAP Console Command-Line

 ldapmodify -h redhat_dir_server -p 389 -D "cn=directory manager" -w secretpwd

 dn: uid=MoodleAdmin,ou=system,dc=myschool,dc=edu
 changetype: modify
 add:nsSizeLimit
 nsSizeLimit: 1000

Table of Contents

See also

Using Moodle:

Retrieved from "https://docs.moodle.org/23/en/index.php?title=LDAP_authentication&oldid=98976"
Powered by MediaWiki