MoodleDocs - Contribucions de l'usuari [ca]

Installation FAQ

2007-09-28T19:22:03Z

Julmis: /* Error: database connection failed */

{{FAQ}}

==PHP - is it installed and what version do I have?==

Make a new file on your web site called ''info.php'', containing the following text, and call it from your browser:

<?PHP phpinfo() ?>

If nothing happens then you don't have PHP installed or your webserver is not configured to handle .php files properly. See the installation docs for some information about where to download it for your computer. See the [[phpinfo]] page for details about the content of this page.

== System information needed for Installation Forum ==
When posting questions to the installation forum, try to provide as much background information as possible about your moodle system. Use this template to copy and paste into your post:
* Server Operating System name (version also if possible):
* Browser name (version also if possible):
* Moodle version:
* Moodle install type? (New/Upgrade):
* Moodle config.php attached?(Y/N):
* Phpinfo attached? (Y/N):

For the last two items, try to include the following in your post as an attachment:
* A copy of your phpinfo output as shown in your browser (see the instructions above for an explanation of how to obtain this).
* A copy of the Moodle configuration file. This is located in the directory moodle and is named config.php

Copy and paste both of these into a single text file (using vi, Notepad, etc) and attach this to your post.

If you cannot provide your phpinfo, try to copy & paste and complete these in your post:
* Webserver (e.g. Apache/IIS) version:
* Database server (e.g. MySQL, PostgreSQL) version:
* PHP version:

For installation on web hosting accounts: contact your support desk who should be able to tell you this information.

: '''Security Warning''': Make sure you edit any files and delete any passwords before posting onto the forum.

==What & where are Moodle's configuration settings stored?==
Configuration settings are stored in the config.php file stored in your moodle folder. This file is created during the installation process. If there is a problem and the installation cannot create the file, you can try creating it manually from the [[Configuration file]] docs. Please remember that manually editing the file is not recommended and may lead to blank pages, especially if there are additional spaces and/or lines after the final php closing tag "?>".

==Running a health check==
Moodle contains a script that will help identify common php and webserver configuration problems as well as configuration problems. It is a good idea to run this script to check if you are having post-installation problems. Use your browser to run this file:

http://www.mymoodle.com/moodle/admin/health.php

Change the above line if you have installed moodle in the webroot instead of a folder inside the webroot.

==Downloading previous releases of Moodle==
* '''Generic Packages''': If your server does not meet the [[Installing_Moodle#Requirements | requirements]] for the current version of Moodle, you can download previous releases by using wget, lynx or curl with this URL:
<nowiki>http://download.moodle.org/stable[version_number]</nowiki>
:For example: to download Moodle version 1.5, use http://download.moodle.org/stable15. You'll see a directory tree with the files displayed. Click on the one you want and download as normal - if you require the latest update of the version, scroll to the end of the list and download the "moodle-latest" file, or alternatively use these URLs for zip or tgz downloads:
<nowiki>http://download.moodle.org/stable[version_number]/moodle-latest-[version_number].zip</nowiki>
<nowiki>http://download.moodle.org/stable[version_number]/moodle-latest-[version_number].tgz</nowiki>

:Changes made in the version in the last month are listed in the "CHANGES" file in the directory listing. The files you download contain Moodle code and are not the Windows or Mac packages - so you need to have a webserver, a database server and PHP already installed. The earliest version available is Moodle 1.3.
* '''Windows Packages''': To download previous releases of the Moodle packages for Windows, use this URL:
<nowiki>http://download.moodle.org/windows/MoodleWindowsInstaller-latest-[version_number].zip</nowiki>
* '''Mac Packages''': To download previous releases of the Mac pacakges, use either of these URLs (depending on whether you need the Intel or PPC package):
<nowiki>http://download.moodle.org/macosx/Moodle4Mac-Intel-[version_number].dmg</nowiki>
<nowiki>http://download.moodle.org/macosx/Moodle4Mac-PPC-[version_number}.dmg</nowiki>
* '''Using CVS''': You can also use CVS to download older releases and incremental releases of the Moodle generic packages, e.g. Moodle 1.5.4 - see the [[CVS_for_Administrators | CVS documentation]].

== How to enable and check PHP error logs==
PHP can be set up to log errors in a variety of different ways: two of these involve the use of the php.ini file and the ini_set command.
* '''Using the php.ini file''': The log settings are contained in the php.ini file stored on the server. If you don't know where that is, edit your Moodle ''config.php'' and add the following as the second line

phpinfo();

:then reload the web page. Look for the entry '''Configuration File (php.ini) Path'''.

:When you have located php.ini open it in your favorite text editor. Find the '''Error handling and logging''' section of the php.ini file. Make sure that both '''display_errors = On''', '''display_startup_errors = On''' and '''log_errors = On''' are present and uncommented. Check the value of '''error_log''' - this tells you the location of the file errors are logged to. If it is commented out then errors will be sent to the web server error log file. Remember, if you make any changes to this file you will need to restart the web server (or just reboot the server).

* '''Using ini_set commands''': If you are using Moodle 1.8 or higher, the previous steps are not enough. In those versions error logging parameters are dependant on certain administrative settings that you specify in the debugging section. The problem is that if you can't access the administrative pages, you can't set the debugging options. So the only way to modify them is by adding the following lines to your config.php file, just before the last line (the one containing a single'?>' only):

ini_set ('display_errors', 'on');
ini_set ('log_errors', 'on');
ini_set ('display_startup_errors', 'on');

:This will enable the same settings specified above even if Moodle sets them otherwise.
:'''Important''': Remember to put them just before the last line of config.php.

==Any text I add with an apostrophe (') or a quote (") causes errors or comes up with a slash added==

Problems caused by apostrophes are caused by incorrect "magic quotes" settings. Moodle requires the following settings in the php.ini file (which are usually the default):

magic_quotes_gpc = On
magic_quotes_runtime = Off

Please see [[Installing Moodle]] for more details.

==Email copies are not being sent from my forums==

You ''must'' set up cron properly if you want Moodle to send out automatic email from forums, assignments etc. This same process also performs a number of clean-up tasks such as deleting old unconfirmed users, unenrolling old students and so on.

Basically, you need to set up a process to regularly call the script <code><nowiki>http://yoursite/admin/cron.php</nowiki></code>. Please refer to the [[Cron|cron instructions]].

'''Tip:''' Try the default setting in Moodle variables page. Leave the smtphost blank. This will be acceptable for the majority of users.

'''Tip:''' Make sure that allowuseremailcharset in Administration > Configuration > Variables > Mail is set to No. Setting this to Yes might cause this problem in some versions of Moodle.

==Error: database connection failed==

If you get errors like "database connection failed" or "could not connect to the database you specified", here are some possible reasons and some possible solutions.

* Your '''database server''' isn't installed or running. To check this for MySQL try typing the following command line
$telnet database_host_name 3306
:You should get a cryptic response which includes the version number of the MySQL server.
* If you are attempting to run '''two instances of Moodle on different ports''', use the ip address of the host (not localhost) in the $CFG->dbhost setting, e.g. $CFG->dbhost = 127.0.0.1:3308.
* You don't have the '''PHP mysql or postgresql extensions''' installed (please refer to FAQ re. whether PHP is installed).
* You haven't created a '''Moodle database and assigned a user''' with the correct privileges to access it.
* The '''Moodle database settings''' are incorrect. The database name, database user or database user password in your Moodle configuration file ''config.php'' are incorrect. Use phpMyAdmin to set up and check your MySQL installation.
* Check that there are '''no apostrophes or non-alphabetic letters''' in your MySQL username or password.
* You are using MySQL version 4.1 or higher but the PHP MySQL extension is pre-4.1 (check in your phpinfo output). In this case the '''default password hashing algorithm''' is incompatible with that available in the PHP mysql extension versions 4.x.x. Use these MySQL commands to change the passwords to the old format:

mysql>SET PASSWORD FOR 'root'@'localhost' = OLD_PASSWORD('password');
mysql>SET PASSWORD FOR 'moodleuser'@'localhost' = OLD_PASSWORD('password');

:Also, consider upgrading your PHP MySQL extension. See [http://dev.mysql.com/doc/mysql/en/old-client.html this MySQL document] for further information on how to deal with this problem.
* You are using Fedora core 3 or some other Linux system with '''SELinux installed''' and enabled. See the following URL for information on how to disable SELinux: http://fedora.redhat.com/projects/selinux/ If you don't want to disable SELinux, you have to allow httpd process to create network connections:

setsebool httpd_can_network_connect true

* Mac OSX users -- if you are running MySQL on a Mac OSX, try changing '''$CFG->dbhost''' from 'localhost' to '127.0.0.1'
'''See also''': MySQL page on [http://dev.mysql.com/doc/refman/5.0/en/common-errors.html common errors] which lists several possible scenarios for connection failure, with advice on how to fix the problems.

==I can't log in - I just stay stuck on the login screen==

The most common cause for this is that your own computer (not your Moodle server) has a firewall that is stripping referrer information from the browser. Here are some instructions for fixing [http://service1.symantec.com/SUPPORT/nip.nsf/46f26a2d6dafb0a788256bc7005c3fa3/b9b47ad7eddd343b88256c6b006a85a8?OpenDocument&src=bar_sch_nam Norton firewall products].

The server admin can also fix this for everyone by changing the ''secureforms'' variable to 'No' in the security section of Administration >> Configuration >> [[admin/config|Variables]].

Another possible cause of this problem is that sessions are not configured properly on the server. You can test this by calling the script <nowiki>http://yourserver/moodle/lib/session-test.php</nowiki>.

If you are still having problems, read the [[Can_not_log_in | Cannot log in]] page.

==I can't log in with message "Please verify that the current setting of session.save_path is correct" ==

This error occurs when PHP is having problems saving its session files. You may also see these other error messages displayed on the screen or in your log files:

Warning: Unknown: open(some-path/sessions/sess_acbf942a7399db3489ffa910e35d5242, O_RDWR)
failed: Permission denied (13) in Unknown on line 0

Warning: Unknown(): open(some-path/sessions/sess_acbf942a7399db3489ffa910e35d5242, O_RDWR)
failed: No space left on device (28) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current
setting of session.save_path is correct (some-path/sessions) in Unknown on line 0

To temporarily bypass these errors, '''use database sessions''' by editing your [[Configuration_file | moodle configuration file]] and adding this line:

$CFG->dbsessions = true;

Database sessions may overload your mysql database and are not ideal in a shared hosting environment, so if this solves the problem, you can start fixing the problem as follows:
* Check '''access rights'''. The session.save_path should be accessible by the apache user. Try this command:

chown -R apache:apache some-path/sessions

:This assumes that 'apache' is the name of the user your webserver runs under - it could also be 'nobody'.
* Check the '''permissions''' to the directory that PHP is trying to save to (session.save_path = some-path/sessions). Set the permissions initially to 0777 (everyone read, write, execute) with this command:

chmod -R 0777 some-path/sessions

:If this fixes the problem, reduce the permissions (700 is recommended).

'''See also''': Session problems can be specific to your server environment. As an example, see [http://moodle.org/mod/forum/discuss.php?d=55925#254596 this forum discussion] about session problems with Lycos hosting.

==I log in but the login link doesn't change. I am logged in and can navigate freely.==

Make sure the URL in your <code>$CFG->wwwroot</code> setting is exactly the same as the one you are actually using to access the site.

==I keep getting this error: A server error that affects your login session was detected.==

Please refer to the Using Moodle forum discussion [http://moodle.org/mod/forum/discuss.php?d=73716 A server error that affects your login session was detected. Please login again or restart your browser.].

==I keep getting this error: Failed opening required '/web/moodle/lib/setup.php'==

In your ''config.php'', the setting that you use for the dirroot variable must be the complete path from the root of your server's hard drive.

Sometimes people only use the path from their home directory, or relative to the root of the web server directory.

==My pages show fatal errors such as : Parse error, call to undefined function: get_string()==

If you see errors like:

Parse error: parse error, unexpected T_VARIABLE in /path/to/moodle/config.php on line 94
Fatal error: Call to undefined function: get_string() in /path/to/moodle/mod/resource/lib.php
on line 11

then you have probably left out a semi-colon or closing quote from a line in ''config.php'' (previous to line 94).

Another possibility is that you edited ''config.php'' in a program like Word and saved it as a HTML web page, instead of using a plain text editor like Notepad.

Another thing to check, particularly if you are using 3rd party modules or plugins, is whether any of the php scripts use short open tags (<? ?>) instead of proper ones (<?php ?>). Short tags are bad for various reasons, so first contact the author of that extension to tell them about the problem. Then either replace short tags with conventional ones, or set this line in php.ini:

short_open_tag = On

You should never find short tags in core moodle code. If you do, please file a bug in the bug tracker.

==Serious Error! Could not set up the site!==

Please refer to the Using Moodle forum discussion [http://moodle.org/mod/forum/discuss.php?d=32071 Serious Error! Could not set up the site!].

==Uploaded files give "File not found"==

For example: Not Found: The requested URL /moodle/file.php/2/myfile.jpg was not found on this server.

Your web server needs to be configured to allow the part of the URL after a script name to be passed directly to the script. This is usually enabled in Apache 1, but is usually disabled by default in Apache 2. To turn it on, add this line to your ''httpd.conf'', or to a ''.htaccess'' file in your local directory (see [[Installing Moodle]] for more details):

'''AcceptPathInfo''' on

Note, this will ONLY work for Apache versions 2.x.

If you are not using Apache 2 and you still have this problem (unlikely) then you can switch Moodle to use an alternative method. The disadvantages are a slight loss of performance for your users and you won't be able to use relative links within HTML resources.

To use this alternative method, you should change the ''slasharguments'' variable in the Operating System section of Administration >> Configuration >> [[admin/config|Variables]]. You should now be able to access your uploaded files.

==When I go to the admin page, I get told to make dirroot blank!==

If you see errors like this:

Please fix your settings in config.php:
You have: $CFG->dirroot = "/home/users/fred/public_html/moodle";
but it should be: $CFG->dirroot = "";

then you have encountered a small bug that occurs on some servers. The problem is with the error-checking mechanism, not with your actual path. To fix it, find this line (line 66) in the file ''admin/index.php'':

if ($dirroot != $CFG->dirroot) {

and change it to this:

if (!empty($dirroot) and $dirroot != $CFG->dirroot) {

==When trying to add a resource I receive error messages==

Assuming you are using Apache, then it's quite likely that your setting in ''config.php'' for <code>$CFG->wwwroot</code> is different from the actual URL you are using to access the site. Also try turning off the ''secureforms'' variable in the security section of Administration >> Configuration >> [[admin/config|Variables]].

==Why are all my pages blank?==

Check the dirroot variable in ''config.php''. You must use complete, absolute pathnames e.g.

$CFG->dirroot = "d:\inetpub\sites\www.yoursite.com\web\moodle";

Another reason might be that PHP has not been configured to support MySQL. This is common on Redhat and OpenBSD installations. In this case, an error is generated, but since error displays are often disabled by default, all that is seen on the browser is a blank screen. To enable PHP error displays, set these lines in your ''php.ini'' file and reload the web page.

display_errors = On
display_startup_errors = On

To determine if MySQL support is your problem, insert this as the second line in your ''config.php'' file

phpinfo();

then reload the web page. Examine the output closely to see if MySQL is supported. If not look for a package you are missing.

== Why is a particular page blank or incomplete? ==

*'''Check your web server log files!!'''
:If a particular page is blank or incomplete (it doesn't display the footer), before you do anything else [[Installation_FAQ#How_to_enable_and_check_PHP_error_logs | check your error logs]]. Having established that PHP error logging is working, reproduce the error. Immediately check the error log file right at the end. Hopefully you will see a PHP error message at or very near the end of the file. This may solve your problem directly or makes it a lot easier to diagnose the problem in the Moodle forums.

*If you are '''upgrading to a new version of Moodle''', check that you do not have an old version of a non-standard block or module installed. Remove any such blocks or modules installed remove them using the admin settings page and start the install process again. However, do also make sure that you have included all required optional plugins that were required by your courses.

*If you '''do not see any blocks listed''', turn editing on and remove any blocks that you have added to that page and try reloading.

==Installation hangs when setting-up database tables==
*Sometimes the installation will hang when setting up tables. This will be an abrupt hang with half the page displayed in the browser and/or other outputs removed, e.g. the “Scroll to continue” link is displayed but no “Continue” button is there. If this is the case, it is usually a mysql error and not a php error. Check that there is no limit placed on your mysql database, e.g. a "questions" limit.

*If the install is on a webhost, adding the following line to the .htaccess file in the moodle directory has been known to solve the problem.
AddType x-mapp-php5 .php

*Try also renaming the .htaccess file so that it is disabled.

*You may also want to look and see if you've customized any of your code. Look at the last successful table, and then look at the block, mod, or other code that is referenced by that table. For example, if your install hangs and continues to say that the forum tables were successful as the last message, look at /mod/forum/ for any custom code. If you have customized code, backup those files and replace with the correct files. You can then restart the install by renaming config.php or reinstalling your database from the backup. If your install is successful, you can make your code changes back into the stock Moodle code.

*It may also be that the "memory_limit" in your php.ini is set too low. Please check your php.ini file and allocate the recommended amount (see [https://docs.moodle.org/en/Installing_Moodle#Requirements Moodle requirements]). For Moodle version 1.8 and above at least 40MB is recommended.

*A work-around to this problem is to setup a working Moodle system on your local PC or server using the [http://download.moodle.org Moodle Packages]. Once you have a running Moodle, [https://docs.moodle.org/en/Upgrading_Moodle#Backup_important_data backup the database] and import to your webhost. Then backup the Moodle code itself (the "moodle" directory on your PC) and copy this to your webhost using (for example) FTP. Finally, edit the moodle/config.php file for the new settings that have to be changed for the webhost.

*To avoid this problem when upgrading, prefer to upgrade incrementally. For example: upgrade from 1.6.* to 1.7.* and then to 1.8.* rather than straight from 1.6.* to 1.8.*

'''Note''': When upgrading an existing database, the installation may appear to hang at the roles generation phase. This process can take a very long time - so please be patient.

==Why can't I upload a new image into my profile?==

If you don't see anything on your user profile pages to let you upload user images then it's usually because GD is not enabled on your server. GD is a library that allows image processing.

1. Make sure '''GD has been included in your PHP installation'''. You can check this by going into Administration >> Configuration >> [[Variables]] and looking for the gdversion setting. This setting is chosen automatically every time you visit that page. If it shows GD version 1 or version 2 then everything should be fine. Save that configuration page and go back to your user profile.

2. If Moodle thinks GD is not installed, then you will need to '''install the GD library'''.
*On Unix you may need to re-compile PHP with arguments something like this:

./configure --with-apxs=/usr/local/apache/bin/apxs --with-xml --with-gd
--with-jpeg-dir=/usr/local --with-png-dir=/usr --with-ttf --enable-gd-native-ttf
--enable-magic-quotes --with-mysql --enable-sockets --enable-track-vars
--enable-versioning --with-zlib

* On Windows this is usually a matter of "turning on" the extension in PHP by editing your php.ini file. To do this remove the semicolon for the php_gd2.dll extension - check that this file is actually present in your php extensions folder first (search your php.ini for extension_dir to determine where this points to on your hard disk). You should then have a line that looks like this:
extension=php_gd2.dll

:Windows users should see the [[Installing AMP|installation instructions]] for further help.

3. Remember to '''restart your webserver''' (if possible) and re-visit the Moodle configuration page after making any changes to PHP so it can pick up the correct version of GD.

'''See also''': Using Moodle forum discussion [http://moodle.org/mod/forum/discuss.php?d=44271 Profile pictures] for additional information.

==Why do I keep getting error messages about "headers already sent"?==

If you see errors like this:

Warning: Cannot add header information - headers already sent by
(output started at /webs/moodle/config.php:87) in /webs/moodle/lib/moodlelib.php
on line 1322

Warning: Cannot add header information - headers already sent by
(output started at /webs/moodle/config.php:87) in /webs/moodle/lib/moodlelib.php
on line 1323

Warning: Cannot add header information - headers already sent by
(output started at /webs/moodle/config.php:87) in /webs/moodle/login/index.php
on line 54

you have blank lines or spaces after the final <code>?></code> in your ''config.php'' file. Sometimes text editors add these - for example Notepad on Windows - so you may have to try a different text editor to remove these spaces or blank lines completely.

== Why doesn't my Moodle site display the time and date correctly? ==

Each language requires a specific language code (called a '''locale''' code) to allow dates to be displayed correctly. The language packs contain default standard codes, but sometimes these don't work on Windows servers.

You can find the correct locale codes for Windows on these two pages: [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vclib/html/_crt_language_strings.asp Language codes] and [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vclib/html/_crt_country_strings.asp Country/region] codes (e.g. "esp_esp" for spanish)

These new locale codes can be entered on the Administration >> Configuration >> [[admin/config|Variables]] page, where they override the ones in the currently chosen language pack.

==I receive this error "500:Internal Server Error"==
You'll get this error message if there is a syntax error in your .htaccess or httpd.conf files. You will also see this error if your server does not support .htaccess files, especially if it is running PHPsuexec. Also, you may have a directive in your .htaccess or httpd.conf files which are not compatible with your web server version.

==How do I uninstall Moodle?==
'''Moodle package installation''': If you have downloaded a Moodle package, simply uninstall using your system commands. On Windows PCs, you should access the Control Panel -> Add/Remove Programs. Select the package name and click Change or Remove Programs.

'''Webhost/manual installation''': If you have installed Moodle manually or have installed onto a webhost, follow these steps:
*Delete the moodle database using this mysql command (or delete using your mysql client, e.g. PHPMyAdmin):
<pre>sql>DROP DATABASE moodle;</pre>
:In the above example replace 'moodle' with the name of the moodle database you created when installing.
*Delete the moodledata directory. If you, or your users, have uploaded materials into this directory take a copy of these before deleting this directory.
*Delete the moodle directory itself. This will delete all of the moodle PHP script files.

==How do I upgrade Moodle? Do I just overwrite the files?==
Do not overwrite files, it may cause strange errors. You should read the [[Upgrade]] documentation before proceeding.

==Migrating Moodle to a new site or server==
Migrating Moodle means that you have to move the current installation to a new server, and so may have to change IP addresses or DNS entries. To do this you will need to change the $CFG->wwwroot value in the config.php on the new server. You will also have to change any absolute links stored in the database backup file (before restoring the file on the new server) either using the admin/replace.php script, your text editor or another "search and replace" tool, e.g. sed. For more details see the [[Moodle_migration | Moodle Migration]] page.

==Fatal error allowed memory size exhausted. How do I increase my php memory limit?==
You will sometimes see an error message something like this:
Fatal error: Allowed memory size of 67108864 bytes exhausted
(tried to allocate xx bytes) in /var/www/moodle/yyyy.php
This error means that the php memory_limit value is not enough for the php script. The memory_limit value is the "allowed memory size" - 64M in the example above (67108864 bytes / 1024 = 65536 KB. 65536 KB / 1024 = 64 MB). You will need to increase the php memory_limit value until this message is not shown anymore. There are two methods of doing this.
*On a hosted installation, add the following line to your .htaccess file (or create one in the moodle directory if it does not already exist):
php_value memory_limit <value>M
Example: php_value memory_limit 40M
*If you have your own server with shell access, edit your php.ini file (make sure it's the correct one by checking in your phpinfo output) as follows:
memory_limit <value>M
Example: memory_limit 40M
Remember that you need to restart your web server to make changes to php.ini effective. An alternative is to disable the memory_limit by using the command ''memory_limit 0''.

----
==Why does my new installation display correctly on the server, but when I view it from a different machine, styles and images are missing?==
In the installation instructions, one of the suggested settings for 'webroot' is 'localhost'. This is fine if all you want to do is some local testing of your new Moodle installation. If, however, you want to view your new installation from another machine on the same local area network, or view your site on the internet, you will have to change this setting:
*For local testing, 'localhost' is fine for the webroot.
*If you want to test your site from other machines on the same local area network (LAN), then you will have to use the private ip address of the serving machine, (e.g. 192.168.1.2/moodle) or the network name of the serving computer (e.g. network_name_of_serving_machine/moodle) as the web root. Depening on your LAN setup, it may be better to use the network name of the computer rather than its (private) ip address, because the ip address can and will change from time to time. If you don't want to use the network name, then you will have to speak to your network administrator and have them assign a permanent ip address to the serving machine.
*Finally, if you want to test your new installation across the internet, you will have to use either a domain name or a permanent (public) ip address/moodle as your web root.

[[Category:FAQ]]
[[Category:Installation]]

[[es:FAQ Instalación]]
[[fr:FAQ d'installation]]
[[nl:Installatie FAQ]]
[[ja:インストールFAQ]]
[[ru:Установка FAQ]]

LDAP authentication

2006-08-29T23:11:47Z

Julmis: /* MS Active Directory + SSL */

This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].

==Basic Scenario==

===Assumptions===

# Your Moodle site is located at '''http://your.moodle.site/'''
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').
# Your LDAP server has '''192.168.1.100''' as its IP address.
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
# You don't want your users to change their passwords the first time they log in into Moodle.
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree.
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.

===Configuring Moodle authentication===

Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:

 
::: [[Image:auth_ldap_config_screenshot.jpg]]
 

Now, you just have to fill in the values. Let's go step by step.
 
 

{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| ldap_host_url
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).
|-
| ldap_version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
| ldap_preventpassindb
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
| ldap_bind_dn
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
| ldap_bind_pw
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|-
| ldap_user_type
| Choose:
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
| ldap_contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.
|-
| ldap_search_sub
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
| ldap_opt_deref
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
| ldap_user_attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
| ldap_memberattribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are '''member''' and '''memberUid'''.
|-
| ldap_objectclass
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

Here are the default values for each of the ''ldap_user_type'' values:
* '''User''' for Novel eDirectory
* '''posixAccount''' for RFC-2037 and RFC-2037bis
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension
* '''user''' for MS-AD
|-
| Force change password
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to ''No''
|-
| Use standard Change Password Page
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).

Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.
|-
| ldap_expiration
|
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).

So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.
|-
| ldap_expiration_warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
| ldap_exprireattr
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| ldap_gracelogins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.
|-
| ldap_graceattr
| This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.
|-
| ldap_create_context
|
|-
| ldap_creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').

In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|-
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.

This setting is optional
|-
| Surname
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.

This setting is optional
|-
| Email address
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.

This setting is optional
|-
| Phone 1
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.

This setting is optional
|-
| Phone 2
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.

This setting is optional
|-
| Department
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).

This setting is optional
|-
| Address
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.

This setting is optional
|-
| City/town
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).

This setting is optional
|-
| Country
| The name of the attribute that holds the couuntry of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).

This setting is optional
|-
| Description
| '''description'''

This setting is optional
|-
| ID Number
|

This setting is optional
|-
| Language
| '''preferredLanguage'''

This setting is optional
|-
| Instructions
|
|}

The rest of the fields are common to all authentication methods and will not be discussed here.

==Advanced Scenarios==

===Using multiple LDAP Servers===
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap//my.second.server ; ...

Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

===Using multiple user locations (contexts) in your LDAP tree===
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...

Then there is an alternative :
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).

===Using LDAPS (LDAP + SSL)===
====MS Active Directory + SSL ====

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the prosedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory. After support tools installation:
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you should get information about the connection.

Next step is to tell PHP's OpenLDAP extension to disable SSL certificate checking. On Windows servers you're most likely using pre-compiled PHP version, where you must create a path ''C:\OpenLDAP\sysconf''. In this path create a file called "ldap.conf" with content:

TLS_REQCERT never.

Now you should be able to use '''ldaps://''' when connecting to MS-AD.

==Appendices==

===Child Domains and the Global Catalog in MS Active Directory===

Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

For example your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

====Enabling the Global Catalog====

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

==See also==

*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion

[[Category:Administrator]]
[[Category:Authentication]]

LDAP authentication

2006-08-29T23:10:25Z

Julmis: /* MS Active Directory + SSL */

This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].

==Basic Scenario==

===Assumptions===

# Your Moodle site is located at '''http://your.moodle.site/'''
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').
# Your LDAP server has '''192.168.1.100''' as its IP address.
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
# You don't want your users to change their passwords the first time they log in into Moodle.
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree.
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.

===Configuring Moodle authentication===

Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:

 
::: [[Image:auth_ldap_config_screenshot.jpg]]
 

Now, you just have to fill in the values. Let's go step by step.
 
 

{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| ldap_host_url
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).
|-
| ldap_version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
| ldap_preventpassindb
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
| ldap_bind_dn
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
| ldap_bind_pw
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|-
| ldap_user_type
| Choose:
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
| ldap_contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.
|-
| ldap_search_sub
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
| ldap_opt_deref
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
| ldap_user_attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
| ldap_memberattribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are '''member''' and '''memberUid'''.
|-
| ldap_objectclass
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

Here are the default values for each of the ''ldap_user_type'' values:
* '''User''' for Novel eDirectory
* '''posixAccount''' for RFC-2037 and RFC-2037bis
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension
* '''user''' for MS-AD
|-
| Force change password
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to ''No''
|-
| Use standard Change Password Page
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).

Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.
|-
| ldap_expiration
|
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).

So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.
|-
| ldap_expiration_warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
| ldap_exprireattr
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| ldap_gracelogins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.
|-
| ldap_graceattr
| This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.
|-
| ldap_create_context
|
|-
| ldap_creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').

In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|-
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.

This setting is optional
|-
| Surname
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.

This setting is optional
|-
| Email address
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.

This setting is optional
|-
| Phone 1
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.

This setting is optional
|-
| Phone 2
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.

This setting is optional
|-
| Department
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).

This setting is optional
|-
| Address
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.

This setting is optional
|-
| City/town
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).

This setting is optional
|-
| Country
| The name of the attribute that holds the couuntry of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).

This setting is optional
|-
| Description
| '''description'''

This setting is optional
|-
| ID Number
|

This setting is optional
|-
| Language
| '''preferredLanguage'''

This setting is optional
|-
| Instructions
|
|}

The rest of the fields are common to all authentication methods and will not be discussed here.

==Advanced Scenarios==

===Using multiple LDAP Servers===
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap//my.second.server ; ...

Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

===Using multiple user locations (contexts) in your LDAP tree===
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...

Then there is an alternative :
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).

===Using LDAPS (LDAP + SSL)===
====MS Active Directory + SSL ====

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the prosedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory.
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you should get information about the connection.

Next step is to tell PHP's OpenLDAP extension to disable SSL certificate checking. On Windows servers you're most likely using pre-compiled PHP version, where you must create a path ''C:\OpenLDAP\sysconf''. In this path create a file called "ldap.conf" with content:

TLS_REQCERT never.

Now you should be able to use '''ldaps://''' when connecting to MS-AD.

==Appendices==

===Child Domains and the Global Catalog in MS Active Directory===

Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

For example your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

====Enabling the Global Catalog====

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

==See also==

*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion

[[Category:Administrator]]
[[Category:Authentication]]

LDAP authentication

2006-08-29T23:08:52Z

Julmis: /* MS Active Directory + SSL */

This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].

==Basic Scenario==

===Assumptions===

# Your Moodle site is located at '''http://your.moodle.site/'''
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').
# Your LDAP server has '''192.168.1.100''' as its IP address.
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
# You don't want your users to change their passwords the first time they log in into Moodle.
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree.
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.

===Configuring Moodle authentication===

Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:

 
::: [[Image:auth_ldap_config_screenshot.jpg]]
 

Now, you just have to fill in the values. Let's go step by step.
 
 

{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| ldap_host_url
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).
|-
| ldap_version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
| ldap_preventpassindb
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
| ldap_bind_dn
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
| ldap_bind_pw
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|-
| ldap_user_type
| Choose:
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
| ldap_contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.
|-
| ldap_search_sub
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
| ldap_opt_deref
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
| ldap_user_attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
| ldap_memberattribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are '''member''' and '''memberUid'''.
|-
| ldap_objectclass
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

Here are the default values for each of the ''ldap_user_type'' values:
* '''User''' for Novel eDirectory
* '''posixAccount''' for RFC-2037 and RFC-2037bis
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension
* '''user''' for MS-AD
|-
| Force change password
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to ''No''
|-
| Use standard Change Password Page
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).

Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.
|-
| ldap_expiration
|
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).

So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.
|-
| ldap_expiration_warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
| ldap_exprireattr
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| ldap_gracelogins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.
|-
| ldap_graceattr
| This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.
|-
| ldap_create_context
|
|-
| ldap_creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').

In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|-
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.

This setting is optional
|-
| Surname
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.

This setting is optional
|-
| Email address
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.

This setting is optional
|-
| Phone 1
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.

This setting is optional
|-
| Phone 2
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.

This setting is optional
|-
| Department
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).

This setting is optional
|-
| Address
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.

This setting is optional
|-
| City/town
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).

This setting is optional
|-
| Country
| The name of the attribute that holds the couuntry of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).

This setting is optional
|-
| Description
| '''description'''

This setting is optional
|-
| ID Number
|

This setting is optional
|-
| Language
| '''preferredLanguage'''

This setting is optional
|-
| Instructions
|
|}

The rest of the fields are common to all authentication methods and will not be discussed here.

==Advanced Scenarios==

===Using multiple LDAP Servers===
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap//my.second.server ; ...

Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

===Using multiple user locations (contexts) in your LDAP tree===
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...

Then there is an alternative :
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).

===Using LDAPS (LDAP + SSL)===
====MS Active Directory + SSL ====

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the prosedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory.
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you'll get information about the connection.

Next step is to tell PHP's OpenLDAP extension to disable SSL certificate checking. On Windows servers you're most likely using pre-compiled PHP version, where you must create a path ''C:\OpenLDAP\sysconf''. In this path create a file called "ldap.conf" with content:

TLS_REQCERT never.

Now you should be able to use '''ldaps://''' when connecting to MS-AD.

==Appendices==

===Child Domains and the Global Catalog in MS Active Directory===

Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

For example your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

====Enabling the Global Catalog====

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

==See also==

*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion

[[Category:Administrator]]
[[Category:Authentication]]

LDAP authentication

2006-08-29T23:08:07Z

Julmis: /* MS Active Directory */

This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].

==Basic Scenario==

===Assumptions===

# Your Moodle site is located at '''http://your.moodle.site/'''
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').
# Your LDAP server has '''192.168.1.100''' as its IP address.
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
# You don't want your users to change their passwords the first time they log in into Moodle.
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree.
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.

===Configuring Moodle authentication===

Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:

 
::: [[Image:auth_ldap_config_screenshot.jpg]]
 

Now, you just have to fill in the values. Let's go step by step.
 
 

{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| ldap_host_url
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).
|-
| ldap_version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
| ldap_preventpassindb
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
| ldap_bind_dn
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
| ldap_bind_pw
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|-
| ldap_user_type
| Choose:
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
| ldap_contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.
|-
| ldap_search_sub
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
| ldap_opt_deref
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
| ldap_user_attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
| ldap_memberattribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are '''member''' and '''memberUid'''.
|-
| ldap_objectclass
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

Here are the default values for each of the ''ldap_user_type'' values:
* '''User''' for Novel eDirectory
* '''posixAccount''' for RFC-2037 and RFC-2037bis
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension
* '''user''' for MS-AD
|-
| Force change password
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to ''No''
|-
| Use standard Change Password Page
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).

Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.
|-
| ldap_expiration
|
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).

So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.
|-
| ldap_expiration_warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
| ldap_exprireattr
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| ldap_gracelogins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.
|-
| ldap_graceattr
| This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.
|-
| ldap_create_context
|
|-
| ldap_creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').

In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|-
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.

This setting is optional
|-
| Surname
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.

This setting is optional
|-
| Email address
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.

This setting is optional
|-
| Phone 1
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.

This setting is optional
|-
| Phone 2
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.

This setting is optional
|-
| Department
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).

This setting is optional
|-
| Address
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.

This setting is optional
|-
| City/town
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).

This setting is optional
|-
| Country
| The name of the attribute that holds the couuntry of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).

This setting is optional
|-
| Description
| '''description'''

This setting is optional
|-
| ID Number
|

This setting is optional
|-
| Language
| '''preferredLanguage'''

This setting is optional
|-
| Instructions
|
|}

The rest of the fields are common to all authentication methods and will not be discussed here.

==Advanced Scenarios==

===Using multiple LDAP Servers===
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap//my.second.server ; ...

Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

===Using multiple user locations (contexts) in your LDAP tree===
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...

Then there is an alternative :
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).

===Using LDAPS (LDAP + SSL)===
====MS Active Directory + SSL ====

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the prosedure provided to install the '''Certificate Authority'''. Enterprice level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory.
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you'll get information about the connection.

Next step is to tell PHP's OpenLDAP extension to disable SSL certificate checking. On Windows servers you're most likely using pre-compiled PHP version, where you must create a path ''C:\OpenLDAP\sysconf''. In this path create a file called "ldap.conf" with content:

TLS_REQCERT never.

Now you should be able to use '''ldaps://''' when connecting to MS-AD.

==Appendices==

===Child Domains and the Global Catalog in MS Active Directory===

Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

For example your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

====Enabling the Global Catalog====

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

==See also==

*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion

[[Category:Administrator]]
[[Category:Authentication]]

LDAP authentication

2006-08-29T23:07:18Z

Julmis: /* Using LDAPS (LDAP + SSL) */

This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].

==Basic Scenario==

===Assumptions===

# Your Moodle site is located at '''http://your.moodle.site/'''
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').
# Your LDAP server has '''192.168.1.100''' as its IP address.
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
# You don't want your users to change their passwords the first time they log in into Moodle.
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree.
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.

===Configuring Moodle authentication===

Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:

 
::: [[Image:auth_ldap_config_screenshot.jpg]]
 

Now, you just have to fill in the values. Let's go step by step.
 
 

{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| ldap_host_url
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).
|-
| ldap_version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
| ldap_preventpassindb
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
| ldap_bind_dn
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
| ldap_bind_pw
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|-
| ldap_user_type
| Choose:
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
| ldap_contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.
|-
| ldap_search_sub
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
| ldap_opt_deref
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
| ldap_user_attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
| ldap_memberattribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are '''member''' and '''memberUid'''.
|-
| ldap_objectclass
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.

Here are the default values for each of the ''ldap_user_type'' values:
* '''User''' for Novel eDirectory
* '''posixAccount''' for RFC-2037 and RFC-2037bis
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension
* '''user''' for MS-AD
|-
| Force change password
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to ''No''
|-
| Use standard Change Password Page
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).

Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.
|-
| ldap_expiration
|
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).

So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.
|-
| ldap_expiration_warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
| ldap_exprireattr
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| ldap_gracelogins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.
|-
| ldap_graceattr
| This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.
|-
| ldap_create_context
|
|-
| ldap_creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').

In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|-
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.

This setting is optional
|-
| Surname
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.

This setting is optional
|-
| Email address
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.

This setting is optional
|-
| Phone 1
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.

This setting is optional
|-
| Phone 2
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.

This setting is optional
|-
| Department
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).

This setting is optional
|-
| Address
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.

This setting is optional
|-
| City/town
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).

This setting is optional
|-
| Country
| The name of the attribute that holds the couuntry of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).

This setting is optional
|-
| Description
| '''description'''

This setting is optional
|-
| ID Number
|

This setting is optional
|-
| Language
| '''preferredLanguage'''

This setting is optional
|-
| Instructions
|
|}

The rest of the fields are common to all authentication methods and will not be discussed here.

==Advanced Scenarios==

===Using multiple LDAP Servers===
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap//my.second.server ; ...

Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

===Using multiple user locations (contexts) in your LDAP tree===
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...

Then there is an alternative :
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).

===Using LDAPS (LDAP + SSL)===
====MS Active Directory====

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the prosedure provided to install the '''Certificate Authority'''. Enterprice level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory.
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you'll get information about the connection.

Next step is to tell PHP's OpenLDAP extension to disable SSL certificate checking. On Windows servers you're most likely using pre-compiled PHP version, where you must create a path ''C:\OpenLDAP\sysconf''. In this path create a file called "ldap.conf" with content:

TLS_REQCERT never.

Now you should be able to use '''ldaps://''' when connecting to MS-AD.

==Appendices==

===Child Domains and the Global Catalog in MS Active Directory===

Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

For example your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

====Enabling the Global Catalog====

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

==See also==

*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion

[[Category:Administrator]]
[[Category:Authentication]]