Note: You are currently viewing documentation for Moodle 2.6. Up-to-date documentation for the latest stable version of Moodle may be available here: LDAP authentication.
The explanation in the User attribute section below is a bit confusing:
User lookup settings
|Field name||Value to fill in|
|User attribute|| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the User type value you chose above. So unless you need something special, you don't need to fill this in.
By the way, it's usually cn (Novell eDirectory and MS-AD) or uid (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could (and have to, if you intend to use NTLM SSO) use sAMAccountName (the pre-Windows 2000 logon account name) if you need too.
First it says, "unless you need something special, you don't need to fill this in". Then that statement is slightly contradicted by "but if you are using MS-AD you could (and have to, if you intend to use NTLM SSO) use sAMAccountName (the pre-Windows 2000 logon account name) if you need too"
So, if you're using MS-AD and you want to use NTLM SSO do you have to use sAMAccountName?
In the LDAP Authentication Problem Using Moodle forum message Iñaki says "you should set 'userattribute' setting to 'samaccountname' if you want to use the Windows account name to log in". What should you do if you DON'T want to use the Windows account name to log in?
What will happen if you specify cn instad of sAMAccountName in that User attribute field?
Can we clarify here when you should and should not use samaccountname and cn with MS-AD?
--Luis de Vasconcelos 20:45, 25 April 2012 (WST)
- Hi Luis, I know it's a bit late to answer this, but I didn't notice your comment when you wrote it.
- I would say that using NTLM SSO is "needing something special", so I wouldn't say the statement is contraditing itself. But it the wording is confusing, let's just change it :-)
- On the other hand, if you specify cn instead of sAMAccountName in the User attribute field, the only thing that happens is that you need to type a (potentially) different value to identify yourself, and that NTLM SSO can't work (see below). But if you are not using NTLM SSO, it's ok to use any of them.
- I say pontentially different because that depends on the way you administer/configure your user accounts in MS AD. Some people use the same value for the cn and sAMAccountName attributes (they simply fill in the same value in both places). Other people use the real name (e.g. 'Iñaki Arenaza') for the cn and a short username (e.g. 'iarenaza') for the sAMAccountName. So depending on how you administer your users and what you want them to type in Moodle to log in, you could use one or the other. Moodle doesn't really care as long as the attribute you choose is unique among your users.
- Regarding the NTLM SSO issue, if you need/want to use it you have to use sAMAccountName (if you are using Kerberos-based NTLM SSO, then you probably have to use userPrincipalName, but that can depend on how you configure the whole thing). Because that's the attribute that's passed to the web server when the client (browser) does the authentication. And that's what Moodle gets from the web server when trying to authenticate the user.