MoodleDocs - Wkład użytkownika [pl]

Active Directory

2010-09-22T16:49:41Z

Minkus: Renamed the title of the section to make it clearer as well - it has nothing to do with Group Policy

Microsoft's Active Directory (AD) provides a variety of network directory services including Lightweight Directory Access Protocol (LDAP) like functions. It is included in Windows 2000 Server and later versions of their operating system. The focus of this page will be with the [[LDAP authentication]] functions.

==Trouble shooting AD and LDAP authentication==
===Warning: The PHP LDAP module does not seem to be present. Please ensure it is installed and enabled.===
This usually means that the main ldap dll or one of the supporting dlls are missing.
Let's start with the main one itself.
Browse to <nowiki>http://(moodleserver)/admin/phpinfo.php</nowiki> and examine the "Configuration File (php.ini) Path" field to determine which php.ini is being used and open it with an editor. Find the line 'extension=php_ldap.dll' and take out the semi-colon if it is there. That semi-colon will stop it loading the module all together!
While you have that file open, search for 'extension_dir' and note which folder it is set to. Open that folder and ensure the php_ldap.dll file is in there. If it isn't then put it in there.
If that still hasn't fixed it you are missing a supporting dll, but you don't get told that. To see what dlls are missing open the Command Prompt and navigate to the php directory and execute the following line 'php -m'. You should get some error messages now. Ugly, but at least they give you information! Find the dlls listed and copy them to the php directory. You may now need to restart the apache/httpd service. Run 'php -m' again and you should be error free and the message in Moodle should be gone now.

===LDAP-module cannot connect any LDAP servers===
LDAP-module cannot connect any LDAP servers:
Server: 'ldap://my.ldap.server/'
Connection: 'Resource id #26' Bind result: ''
Getting this message when you are trying to log in is a result of incorrect details for the Bind user, or the user account having insufficient permissions in Active Directory. The best way to test and resolve this is use ldp.exe to test binding until it suceeds. There are instructions on installing ldp.exe below.
Open the program and Connect to AD, giving the server name, then from the Connection menu choose Bind. Enter the details you think are correct and you will probably find that an error is returned. Try adjusting the accounts priveleges or another account until you are returned an "Authenticated as" message.
Once you are sure your account can be used to bind to AD, check that the DN of that users name is correct. Expand the tree on the left until you find the user you used to bind. Right click on that item and choose Copy DN. Go to the User Authentication page in Moodle and paste the value into the ldap_bind_dn field. Add the password and you can now feel safe your user is binding sucessfully.

===Getting correct CNs for Contexts and Creators===
For those not familiar with AD this could be very confusing, and not that easy for some who are familiar with it. Again, ldp.exe is your friend. There are instructions on installing ldp.exe below.
Open it up and expand the tree on the left until you find the group or user you want to use and right click on it and select Copy DN. Go back to the Moodle User Authentication page and paste that value into either ldap_contexts or ldap_creators.

===Getting the right user_attribute===
By default, Moodle uses an accounts cn (full name) to verify against, but most networks don't use a full given name for logon as it's too easy to guess and you can easily have two people with the same name. If this is the case for you too you need to tell Moodle to look at another field for the logon id.
In ldp.exe navigate the tree on the left to find a user account, preferably your own. Double-click the item in the tree and full-details will be loaded into the screen on the right. Look down the details until you find your logon id and note the item listed against it. For me, and a lot of people, it is sAMAccountName. Copy this name and paste it into the ldap_user_attribute on the Moodle User Authentication page.
There are instructions on installing ldp.exe below.

===Installing ldp.exe Server Tool===
ldp.exe comes as part of the Server Tools on most versions of Windows Server. Find your Windows Server installation disc and find a folder on it called Support\Tools. In there will be a SupTools.msi which will install the server tools if run. You should now have a folder under Program Files called Support Tools, in which will be ldp.exe. ldp.exe is also available in the Windows XP Support Tools, which you can download from Microsoft [http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en here]. Alternatively, a single download of ldp.exe is available [http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm here].

===Example Active Directory Configuration===
Below is an example configuration for Active Directory. As detailed above, the values may vary based on your local Active Directory configuration, but should provide a good starting point for most cases.

ldap_host_url = ldap://ads.example.com
ldap_version = 3
ldap_preventpassindb = yes
ldap_bind_dn = bind-user@example.com
ldap_bind_pw = bind-password
ldap_user_type = MS ActiveDirectory
ldap_contexts = ou=moodleusers,dc=example,dc=com
ldap_user_attribute = sAMAccountName

Note that the ldap_bind_dn value should work in either the CN=bin-user,CN=Users,DC=example,DC=com format as shown in the main instructions or the bind-user@example.com format shown in this example.

==Global Catalogs==
Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

===Enabling the Global Catalog===

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

===Child Domains===
If your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes - see Microsoft [http://support.microsoft.com/kb/248717 KB248717] for more information.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

===MaxPageSize setting===
Modifying the number of Active Directory objects to search:

By default Active Directory only allows searches returning a limited number of objects per search. Since there is currently no Page control support in PHP 5.2.x which would enable smaller page searches you may need to modify your MaxPageSize setting to make sure LDAP Client searches can return enough user objects to support the number of authenticating users.

If you find that the script is not running through all of your users properly and you have MS Active Directory + over 1000 users, follow the instructions [http://support.microsoft.com/kb/315071 here] to set the MaxPageSize setting to a number higher than your total number of users (both now and in future) to fix it. This is a forest-wide setting.

== Active Directory with Moodle 1.8==
There is an issue with the PHP ldap options that are required for Active Directory access in version 1.8 of Moodle.

Using moodle on a LAMP platform with authentication to Active Directory may give some errors.

Check this bug [http://tracker.moodle.org/browse/MDL-10921 MDL-10921] or this post http://moodle.org/mod/forum/discuss.php?d=78316 for further information.

==MS Active Directory + SSL ==

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the procedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory. After support tools installation:
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you should get information about the connection.

See [[LDAP_authentication#Enabling_LDAPS_on_the_client_side_.28Moodle_server.29|Enabling LDAPS on the client side (Moodle server)]] for details on the client side configuration.

==See also==
*[[LDAP authentication]] in Moodle
*[http://en.wikipedia.org/wiki/Directory_service Directory services] overview in Wikipedia
*[http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] in Wikipedia

[[ja:Active Directory]]

LDAP authentication

2010-09-22T16:48:18Z

Minkus: Added forest-wide note

{{Moodle 1.9}}
Location: Settings link in ''Administration > Users > [[Authentication]] > LDAP Server''

This document describes how to set up Lightweight Directory Access Protocol (LDAP) authentication in Moodle. We cover the basic, advanced and some trouble shooting sections to assist the user in the installation and administrating LDAP in Moodle.
==Table of Contents==
__TOC__
==Basic Scenario==
The simple and straightforward approach for most installations.

===Assumptions===

# Your Moodle site is located at '''http://your.moodle.site/'''
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').
# Your LDAP server has '''192.168.1.100''' as its IP address.
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.
# You don't want your users to change their passwords the first time they log in into Moodle.
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree.
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.

[[LDAP_authentication#Table of Contents|Table of Contents]]

===Configuring Moodle authentication===

Log in as an admin user and go to Administration >> Users >> Authentication >> Manage authentication. In the table that appears, enable the "LDAP Server" authentication option (click on the closed eye to make it open) and then click on the associated 'Settings' link. You will get a page similar to this one:

[[Image:auth_ldap_config_screenshot.jpg|center]]

Now, you just have to fill in the values. Let's go step by step.

[[LDAP_authentication#Table of Contents|Table of Contents]]

====LDAP Server Settings====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Host URL
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes), or just "'''192.168.1.100'''" (some people have trouble connecting with the first syntax, specially on MS Windows servers).
|-
| Version
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.
|-
| LDAP Encoding
| Specify encoding used by LDAP server. Most probably utf-8.
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====Bind settings====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Hide passwords
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.
|-
| Distinguished Name
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).
|-
| Password
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====User lookup settings====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| User type
| Choose:
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP, including Mac OS X server).
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)
|-
| Contexts
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.

On a Mac OS X Server, this is usually '''cn=users,dc=my,dc=organization,dc=domain'''.
|-
| Search subcontexts
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.
|-
| Dereference aliases
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.
|-
| User attribute
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''User type'' value you chose above. So unless you need something special, you don't need to fill this in.

By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.
|-
| Member attribute
| The attribute used to list the members of a given group. This option takes a default value based on the ''User type'' value you choosed above. So unless you need something special, you don't need to fill this in.

By the way, the usual values are '''member''' and '''memberUid'''.
|-
| Member attribute uses dn
| Whether the member attribute contains distinguished names (1) or not (0).This option takes a default value based on the ''User type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| Object class
| The type of LDAP object used to search for users. This option takes a default value based on the ''User type'' value you chose above. So unless you need something special, you don't need to fill this in.
* If you leave it blank, the filter "(objectClass=*)" will be used.
* If you provide "objectClass=some-string", then it will provide "(objectClass=some-string)" as the filter.
* If you provide a value that does not start with "(", it is assumed to be a value that should be set to "objectClass". So if you provide "some-string", then it will provide "(objectClass=some-string)" as the filter.
* If you provide a string that starts with a "(", then it will pass that as is. So if you provide "(&(objectClass=user)(enabledMoodleUser=1))", then it will pass that as the filter.

Here are the default values for each of the ''ldap_user_type'' values:
* '''User''' for Novel eDirectory
* '''posixAccount''' for RFC-2037 and RFC-2037bis
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension
* '''user''' for MS-AD
If you get an error about a problem with updating the ldap server (even if you have specified not to write changes back to the ldap server) try setting the ldap object class to * - see http://moodle.org/mod/forum/discuss.php?d=70566 for a discussion on this problem
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====Force change password====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Force change password
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.

As you don't want your users to change their passwords in their first login, leave this set to ''No''
|-
| Use standard Change Password Page
|
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Password change URL" (see below).

Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is actually a requirement for MS-AD). In addition to that, the bind user specified above must have the rights needed to change other users' passwords.

Also, code for changing passwords from Moodle for anything but Novell eDirectory and Active Directory is almost not tested, so this may or may not work for other LDAP servers.
|-
| Password Format
| Specify how the new password is encrypted before sending it to the LDAP server: Plain text, MD5 hash or SHA-1 hash. MS-AD uses plain text, for example.
|-
| Password change URL
| Here you can specify a location at which your users can recover or change their username/password if they've forgotten it. This will be provided to users as a button on the login page and their user page. if you leave this blank the button will not be printed.
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====LDAP password expiration settings====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Expiration
|
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.

Current code only deals with Novell eDirectory LDAP server and MS-AD.

So unless you have Novell eDirectory server or MS-AD, choose ''No'' here.
|-
| Expiration warning
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.
|-
| Expiration attribute.
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''User type'' value you choosed above. So unless you need something special, you don't need to fill this in.
|-
| Grace logins
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.

So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.
|-
| Grace login attribute
| This setting is currently not used in the code (and is specific to Novell eDirectory).

So you don't need to fill this in.
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====Enable user creation====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Create users externally
| New (anonymous) users can self-create user accounts on the external LDAP server and confirm them via email. If you enable this, remember to also configure module-specific options for user creation and to fill in some instructions in ''auth_instructions'' field in Administration >> Users >> Authentication >> Manage authentication. Otherwise the new users won't be able to self-create new accounts.

As of now, only Novell eDirectory and MS-AD can create users externally.
|-
| Context for new users
| Specify the context where users are created. This context should be different from other users' contexts to prevent security issues.
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====Course creation====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Creators
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').

In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.

In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====Cron synchronization script====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Removed ext user
| Specify what to do with internal user account during mass synchronization when user was removed from external source. Only suspended users are automatically revived if they reappear in ext source.
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====NTLM SSO====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| Enable
| If you want to use NTLM SSO (see details at [[NTLM_authentication]]), choose ''Yes'' here. Otherwise, choose ''No''.
|-
| Subnet
| Specify the subnets of the clients that will use NTLM SSO (see details at [[NTLM_authentication]]).
|-
| MS IE Fast Path?
| If all of you clients (or most of them) are using MS Internet Explorer, you can set this option to bypasses certain steps of the SSO login and speed up login times. This only works with MS Internet Explorer, but deals with other browsers in a sensible way (they are automatically sent to the plain login page).
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

====Data Mapping====
{| border="1" cellspacing="0" cellpadding="5"
! Field name
! Value to fill in
|-
| First name
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName''' or '''displayName'''

This setting is optional
|-
| Surname
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.

This setting is optional
|-
| Email address
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.

This setting is optional
|-
| City/town
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usully '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).

This setting is optional
|-
| Country
| The name of the attribute that holds the country of your users in your LDAP server. This is usully '''c''' or '''countryName''' (not valid in MS-AD).

This setting is optional
|-
| Language
| '''preferredLanguage'''

This setting is optional
|-
| Description
| '''description'''

This setting is optional
|-
| Webpage
| This setting is optional
|-
| ID Number
|

This setting is optional
|-
| Institution
|

This setting is optional
|-
| Department
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).

This setting is optional
|-
| Phone 1
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.

This setting is optional
|-
| Phone 2
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.

This setting is optional
|-
| Address
| The name of the attribute that holds the street address of your users in your LDAP server. This is usully '''streetAddress''' or '''street'.

This setting is optional
|}

[[LDAP_authentication#Table of Contents|Table of Contents]]

===Setting up regular automatic synchronisation using cron===
There is a script located at /auth/ldap/auth_ldap_sync_users.php which will create or suspend/delete (see the setting above) all LDAP accounts automatically. Ideally, this is called from the command line once a day during a quiet time using exactly the same procedure as the standard [[Cron|cron]] job (so you will end up with two cron entries). It is important, however, to make sure that all of the above LDAP settings are working properly before you try this, as well as backing up your database and moodledata folders. Poor LDAP configuration could lead to users being wrongly deleted.

If you find that the script is not running through all of your users properly and you have MS Active Directory + over 1000 users, this is because by default, MS AD only sends back 1000 users at a time. Follow the instructions [http://support.microsoft.com/kb/315071 here] to set the MaxPageSize setting to a number higher than your total number of users (both now and in future) to fix it. This is a forest-wide setting.

[[LDAP_authentication#Table of Contents|Table of Contents]]

==Active Directory help==
[[Active Directory]] is Microsoft's directory service. It is included in Windows 2000 Server and later versions of their operating system. For more information about subjects below, '''[[Active Directory|please go here]]'''.

*Warning: The PHP LDAP module does not seem to be present
*LDAP-module cannot connect any LDAP servers
*Getting correct CNs for Contexts and Creators
*Getting the right user_attribute
*Installing ldp.exe Server Tool
*Example Active Directory Configuration
*Child Domains and the Global Catalog in MS Active Directory
*Enabling the Global Catalog
*Active Directory with Moodle 1.8
*MS Active Directory + SSL

==Advanced Scenarios - Multiple servers or locations==
For larger installations with multiple LDAP servers, or multiple locations (contexts) in a LDAP tree.

===Using multiple LDAP Servers===
Entering more than one name in the ldap_host_url field can provide some sort of resilience to your system. Simply use the syntax :
ldap://my.first.server ; ldap://my.second.server ; ...

Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mecanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.

There is one drawback in Moodle 1.5 - 1.6 implementation of LDAP authentication : the auth_ldap_connect() function processes the servers sequentially, not in a round robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

===Using multiple user locations (contexts) in your LDAP tree===
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container.

At the opposite, if you use the ACL mecanism to delegate user management, there are chances that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...

Then there is an alternative :
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.

Choosing between these two solutions supposes some sort of benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software indexing capabilities. Simply note that there is a probability in such deep trees that two users share the same ''common name'' (cn), while having different ''distinguished names''. Then only the second solution will have a deterministic result (returning allways the same user).

===Using LDAPS (LDAP + SSL)===
====Enabling LDAPS on the LDAP server side====

* [[Active_Directory#MS_Active_Directory_.2B_SSL|Enabling LDAPS on MS Active Directory ]]

====Enabling LDAPS on the client side (Moodle server)====

* If you are running Moodle on MS Windows, you need to tell PHP's OpenLDAP extension to disable SSL server certificate checking. You must create a directory called ''C:\OpenLDAP\sysconf''. In this directory, create a file called ''ldap.conf'' with the following content (If you are using certain versions of PHP 5.3.x you may need to place the file at other locations, [http://bugs.php.net/bug.php?id=48866 see PHP bug #48866]):

TLS_REQCERT never

* If you are running Moodle on Linux or any other Unix-like operating system, and you want to disable SSL server certificate checking, you need to edit the OpenLDAP client configuration file (usually /etc/ldap.conf or /etc/ldap/ldap.conf or even /etc/openldap/ldap.conf) and make sure you have a line like the following one:

TLS_REQCERT never

Now you should be able to use '''ldaps://''' when connecting to your LDAP server.

If you have the certificate of the LDAPS server as a file and want to check the certificate for the connection, copy the certificate file to an arbitary directory (e.g. /etc/ldap/certificate.pem) on your client and change the content of the ''ldap.conf'' as follows:

TLS_REQCERT demand
TLS_CACERT /etc/ldap/certificate.pem

When the requested server certificate is bad or not provided, the connection to the LDAPS server is immediately terminated.

[[LDAP_authentication#Table of Contents|Table of Contents]]

==Appendices==
===ldap auth_user_create() only suports Novell===

After configuring user authentication with ldap I realized ldap only support edir (Novell) when combining ldap an email user confirmation. For example in my case (I use openldap) I have the following error after filling the user form:

auth: ldap auth_user_create() does not support selected usertype:"rfc2307" (..yet)

=== Setting Resource Limits RedHat Directory Server ===

Operational attributes can be set for the bind user DN using the command-line.
One can simply use ldapmodify to add the following attributes:

{| border="1" cellspacing="0" cellpadding="5"
! Attribute Name
! Description
|-
| nsLookThroughLimit
| Specifies how many entries are examined for a search operation. Giving this attribute a value of -1 indicates that there is no limit.
|-
| nsSizeLimit
| Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of -1 indicates that there is no limit.
|-
| nsTimeLimit
| Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit.
|-
| nsIdleTimeout
| Specifies the time a connection to the server can be idle before the connection is dropped. The value is given in seconds. Giving this attribute a value of -1 indicates that there is no limit.
|}

<pre> LDAP Console Command-Line

ldapmodify -h redhat_dir_server -p 389 -D "cn=directory manager" -w secretpwd

dn: uid=MoodleAdmin,ou=system,dc=myschool,dc=edu
changetype: modify
add:nsSizeLimit
nsSizeLimit: 1000
</pre>

[[LDAP_authentication#Table of Contents|Table of Contents]]

==See also==

* [[NTLM_authentication]]
* [[Active_Directory]]
* [[LDAP enrolment]]
* [http://download.moodle.org/download.php/docs/en/how-to_guides/ldap_auth_and_enrolment_set-up.pdf LDAP auth and enrolment set-up guide] (PDF 227KB)

Using Moodle:
* [http://moodle.org/mod/forum/view.php?id=42 User authentication forum]
* [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion
* [http://moodle.org/mod/forum/discuss.php?d=140901 Syncronisation with AUTH_LDAP_SYNC_USERS.PHP produces fewer accounts than it should] forum discussion
* [http://moodle.org/mod/forum/discuss.php?d=17198 Using multiple LDAP servers] forum discussion

[[Category:Authentication]]

[[es:LDAP_authentication]]
[[fr:Utiliser un serveur LDAP]]
[[ja:LDAP認証]]
[[zh:LDAP认证]]
[[de:Authentifizierung über LDAP]]

Active Directory

2010-09-22T16:47:20Z

Minkus: Old instructions for updating MaxPageSize were incorrect - updated with details from 'LDAP Authentication' page instead

Microsoft's Active Directory (AD) provides a variety of network directory services including Lightweight Directory Access Protocol (LDAP) like functions. It is included in Windows 2000 Server and later versions of their operating system. The focus of this page will be with the [[LDAP authentication]] functions.

==Trouble shooting AD and LDAP authentication==
===Warning: The PHP LDAP module does not seem to be present. Please ensure it is installed and enabled.===
This usually means that the main ldap dll or one of the supporting dlls are missing.
Let's start with the main one itself.
Browse to <nowiki>http://(moodleserver)/admin/phpinfo.php</nowiki> and examine the "Configuration File (php.ini) Path" field to determine which php.ini is being used and open it with an editor. Find the line 'extension=php_ldap.dll' and take out the semi-colon if it is there. That semi-colon will stop it loading the module all together!
While you have that file open, search for 'extension_dir' and note which folder it is set to. Open that folder and ensure the php_ldap.dll file is in there. If it isn't then put it in there.
If that still hasn't fixed it you are missing a supporting dll, but you don't get told that. To see what dlls are missing open the Command Prompt and navigate to the php directory and execute the following line 'php -m'. You should get some error messages now. Ugly, but at least they give you information! Find the dlls listed and copy them to the php directory. You may now need to restart the apache/httpd service. Run 'php -m' again and you should be error free and the message in Moodle should be gone now.

===LDAP-module cannot connect any LDAP servers===
LDAP-module cannot connect any LDAP servers:
Server: 'ldap://my.ldap.server/'
Connection: 'Resource id #26' Bind result: ''
Getting this message when you are trying to log in is a result of incorrect details for the Bind user, or the user account having insufficient permissions in Active Directory. The best way to test and resolve this is use ldp.exe to test binding until it suceeds. There are instructions on installing ldp.exe below.
Open the program and Connect to AD, giving the server name, then from the Connection menu choose Bind. Enter the details you think are correct and you will probably find that an error is returned. Try adjusting the accounts priveleges or another account until you are returned an "Authenticated as" message.
Once you are sure your account can be used to bind to AD, check that the DN of that users name is correct. Expand the tree on the left until you find the user you used to bind. Right click on that item and choose Copy DN. Go to the User Authentication page in Moodle and paste the value into the ldap_bind_dn field. Add the password and you can now feel safe your user is binding sucessfully.

===Getting correct CNs for Contexts and Creators===
For those not familiar with AD this could be very confusing, and not that easy for some who are familiar with it. Again, ldp.exe is your friend. There are instructions on installing ldp.exe below.
Open it up and expand the tree on the left until you find the group or user you want to use and right click on it and select Copy DN. Go back to the Moodle User Authentication page and paste that value into either ldap_contexts or ldap_creators.

===Getting the right user_attribute===
By default, Moodle uses an accounts cn (full name) to verify against, but most networks don't use a full given name for logon as it's too easy to guess and you can easily have two people with the same name. If this is the case for you too you need to tell Moodle to look at another field for the logon id.
In ldp.exe navigate the tree on the left to find a user account, preferably your own. Double-click the item in the tree and full-details will be loaded into the screen on the right. Look down the details until you find your logon id and note the item listed against it. For me, and a lot of people, it is sAMAccountName. Copy this name and paste it into the ldap_user_attribute on the Moodle User Authentication page.
There are instructions on installing ldp.exe below.

===Installing ldp.exe Server Tool===
ldp.exe comes as part of the Server Tools on most versions of Windows Server. Find your Windows Server installation disc and find a folder on it called Support\Tools. In there will be a SupTools.msi which will install the server tools if run. You should now have a folder under Program Files called Support Tools, in which will be ldp.exe. ldp.exe is also available in the Windows XP Support Tools, which you can download from Microsoft [http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en here]. Alternatively, a single download of ldp.exe is available [http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm here].

===Example Active Directory Configuration===
Below is an example configuration for Active Directory. As detailed above, the values may vary based on your local Active Directory configuration, but should provide a good starting point for most cases.

ldap_host_url = ldap://ads.example.com
ldap_version = 3
ldap_preventpassindb = yes
ldap_bind_dn = bind-user@example.com
ldap_bind_pw = bind-password
ldap_user_type = MS ActiveDirectory
ldap_contexts = ou=moodleusers,dc=example,dc=com
ldap_user_attribute = sAMAccountName

Note that the ldap_bind_dn value should work in either the CN=bin-user,CN=Users,DC=example,DC=com format as shown in the main instructions or the bind-user@example.com format shown in this example.

==Global Catalogs==
Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

===Enabling the Global Catalog===

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

===Child Domains===
If your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes - see Microsoft [http://support.microsoft.com/kb/248717 KB248717] for more information.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

===Group Policy Objects===
Modifying the number of Active Directory objects to search:

By default most Active Directory Lightweight Directory Service (ADLS) only allows searches returning a limited number of objects per search. Since there is currently no Page control support in PHP 5.2.x which would enable smaller page searches you may need to modify your MaxPageSize setting to make sure LDAP Client searches can return enough user objects to support the number of authenticating users.

If you find that the script is not running through all of your users properly and you have MS Active Directory + over 1000 users, follow the instructions [http://support.microsoft.com/kb/315071 here] to set the MaxPageSize setting to a number higher than your total number of users (both now and in future) to fix it.

== Active Directory with Moodle 1.8==
There is an issue with the PHP ldap options that are required for Active Directory access in version 1.8 of Moodle.

Using moodle on a LAMP platform with authentication to Active Directory may give some errors.

Check this bug [http://tracker.moodle.org/browse/MDL-10921 MDL-10921] or this post http://moodle.org/mod/forum/discuss.php?d=78316 for further information.

==MS Active Directory + SSL ==

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the procedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory. After support tools installation:
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you should get information about the connection.

See [[LDAP_authentication#Enabling_LDAPS_on_the_client_side_.28Moodle_server.29|Enabling LDAPS on the client side (Moodle server)]] for details on the client side configuration.

==See also==
*[[LDAP authentication]] in Moodle
*[http://en.wikipedia.org/wiki/Directory_service Directory services] overview in Wikipedia
*[http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] in Wikipedia

[[ja:Active Directory]]

Upgrading

2010-06-11T13:46:59Z

Minkus: Changed around the order of the installation instructions. Pretty sure this is correct now

Moodle is designed to upgrade cleanly from one version to the next. Please refer to [[Upgrading to Moodle 1.6]], [[Upgrading to Moodle 1.8]], [[Upgrading to Moodle 1.9]] or [[Upgrading to Moodle 2.0]] for particular considerations related to the upgraded version.
Changes that have been made to the original code, such as installing a contributed module (non-standard module) or a site edit of a php file, may not upgrade. This includes modifications to standard themes that might be overwritten during an upgrade.

* For those using cpanel, you can use [http://ic.eflclasses.org/tutorials/howtoupgrademoodlewithcpanel.swf this tutorial]. It is a bit rough around the edges and is a little dated, but you should get the idea.

* For those who have installed the package version of Moodle using an Ubuntu/Kubuntu/Debian package manager, upgrade instructions can be found [[Ubuntu_Debian_Upgrades|here]].

__TOC__

When upgrading a Moodle installation you should follow these steps:

==Check the requirements==
Spend some time re-reading the [[Installing Moodle | installation documentation]] and documentation for the new version. Check the system requirements for the target version you want to upgrade-to in ''Administration > Server > [[Environment]]''.
==Put your Site into Maintenance Mode==
Before you begin upgrading your site, you should put it into [[Maintenance_mode | Maintenance Mode]] to stop any non-admin users from logging in.

== Backup important data ==
There are three areas that need backing up:
#Moodle software directory/folder (For example, everything in server/htdocs/moodle)
#Moodle data (For example, server/moodledata)
#Moodle SQL database

Experienced site administrators know that it is a best practice (a very good idea) to make a backup of any production system before a major upgrade. In fact, it is a good idea to automate your server to backup your Moodle installation daily. Most upgrades on sites that have used the standard Moodle packages (no contributed code and no little tweaks to the php files), will not have any major issue.

:''TIP:'' One more time, "do not risk what you can not afford to lose": do regular backups, make sure it backed up and know how to restore it!

=== Moodle software directory ===
Make a separate copy of these files before the upgrade, so that you can retrieve your config.php and any modules you have added like themes, and languages.

The best way is to rename the current Moodle directory to something else, then unpack the new Moodle archive into the old location.

=== Moodle data directory ===
The default name for this folder is moodledata. This is where uploaded content resides (such as course resources and student assignments). It is very important to have a backup of these files on a regular basis as a best practice. Sometimes upgrades may move or rename directories within your data directory.

In Linux you can use the cp (copy) command to make a temporary copy of the moodledata. example:
====Linux====
mkdir /var/moodledata_backup
cp -rv /var/moodledata/* /var/moodledata_backup

=== SQL database ===
Most Moodle upgrades will alter the SQL database tables, adding or changing fields. Each SQL server program (for example,MySQL, Postgresql, Oracle) has different ways to backup. In a MySQL server, one way of backing up is to 'dump' it to a single SQL file. The following example shows Unix commands to dump the database called "moodle":

mysqldump -u username -p -C -Q -e --create-options moodle > moodle-backup-2007-04-01.sql

Substitute your database user account for username. The -p flag will prompt you for the password for the username specified by -u.

If your database host is different from the host you want to execute the backup command (usually the web server), you have to specify it with the -h option to mysqldump:

mysqldump -u username -p -h databasehost -C -Q -e --create-options moodle > moodle-backup-2007-04-01.sql

You can also use the "Export" feature in Moodle's optional "MySQL Admin" web interface to do the same thing on all platforms. In Moodle v1.9 and greater, this is located in '''Site Administration''' -> '''Server''' -> '''Database'''. This interface can also be downloaded from http://moodle.org/mod/data/view.php?d=13&rid=448. It is an integration of PHPMyAdmin for the Moodle administration interface.

==== SQL dump caveats ====
There are a '''MANY''' options possible for mysqldump.
*Please talk with your Systems Administrator (if you have one) or similar to see if there are site-specific flags you should use for your SQL dump.
** For example, if your local installation is running MySQL 5.2 and you are moving to a system running MySQL 5.0 or 4.1, you really ought to use the "--compat=mysql40" flag. (This is not too uncommon of a situation given the nature of ISP hosting as compared to local user Moodle setups)
* This seems obvious, but should be said outright: These instructions only work for dumping from MySQL! Postgresql, Oracle, and other database servers have different tools to dump databases.
* Given the example mysql import lines, above, you really should use the --no-create-db flag. If your database locally is named something differently from the migration site, not including this flag could cause problems.

== Install the new Moodle software ==
Upgrading can be a simple process or a more complicated process. Sites that have not used contributed code and are migrating from say Moodle 1.x.1 to 1.x.3 '''should''' not have a problem. However, we still recommend that with any production server that you have made a successful backup of the MySQL database, the moodledata directory and the moodle program folders and files.

*Do not overwrite an old installation unless you know what you are doing ... sometimes old files can cause problems in new installations. Review the backup section above.

=== Standard install package ===
Having read the cautions about backups, download a copy of the standard install package. Here is a set of simple instructions for an average site.
*It is probably a good idea to use the site administration block>Server>Maintenance mode to prevent user activity as the site upgrades.
*Having moved your old Moodle software program files to another location, unzip or unpack the upgrade file so that all new the Moodle software program files are in the location the old files used to be in on the server. Moodle will adjust SQL and moodledata if it needs to in the upgrade.
*Copy your old config.php file back to the new Moodle directory, along with any custom themes, blocks or files you have in your old version.
*Use the notification link in the site administration to start the upgrade process. You will see a series of lines indicating progress.
*After a successful upgrade, turn off the maintenance mode for your users.

=== Using a downloaded archive ===
*Do not overwrite an old installation unless you know what you are doing ... sometimes old files can cause problems in new installations. The best way is to rename the current Moodle directory to something else, then unpack the new Moodle archive into the old location.

====Linux====
mv moodle moodle.backup
tar xvzf moodle-1.1.tgz

Next, copy across your config.php, any other plugins such as custom themes, and your .htaccess file if you created one:

cp moodle.backup/config.php moodle
cp -pr moodle.backup/theme/mytheme moodle/theme/mytheme
cp -pr moodle.backup/mod/mymod moodle/mod/mymod

Don't forget to

sudo chown www-data moodle/config.php

if necessary.

where www-data is whatever user the Apache user is on your system. This is often 'apache' or 'www'.
You can find out by doing 'ls -l' in your /var/www/moodle folder (or wherever your moodle site is)
and then looking at the owner and group.

so you may see something like

ls -l
...lots of lines...
-rw-r--r-- 1 apache system 784 Jun 28 2007 config.php
...lots more lines...

so the owner is apache and the group is system.

To replicate this on your new system you can do 'chown apache:system config.php'

or to do a whole group do

chown apache:system ./*

and recursively

chown -R apache:system ./*

=== Using CVS ===

You can use CVS for updating or upgrading your Moodle.
First you need to do a CVS checkout in your (empty) Moodle root directory.

You can use any of our [[CVS_for_Administrators#CVS_Servers|CVS Mirror servers]]. Just replace '''SERVER.cvs.moodle.org''' in the instructions below with the name of the mirror server you chose!.

====For Linux servers====

To do a CVS checkout of Moodle, you first have to logon to the Moodle CVS server.

<nowiki>cvs -d:pserver:anonymous@SERVER.cvs.moodle.org:/cvsroot/moodle login</nowiki>
No password for anonymous, so just hit the Enter button.

Go to the directory where you want the Moodle root to come and type

<nowiki>cvs -z3 -d:pserver:anonymous@SERVER.cvs.moodle.org:/cvsroot/moodle co -r MOODLE_18_STABLE moodle</nowiki>
(where MOODLE_18_STABLE is the desired version)

To update, just go into the Moodle root directory and update to the new files:

cvs update -dP
To update to a new version type in the following and change 18 to whatever newest version upgrade number is
cvs -Q update -dP -r MOODLE_18_STABLE

Make sure you use the "d" parameter to create new directories if necessary, and the "P" parameter to prune empty directories.

====For Windows servers====

You can use Tortoise CVS to do the initial checkout and the updates.

If you have been editing Moodle files, watch the messages very closely for possible conflicts. All your customised themes and non-standard plugins will be untouched.

Do not forget to trigger the install process in the site administration block (see below).

== Finishing the upgrade ==

The last step is to trigger the upgrade processes within Moodle.

To do this just visit the site administration block admin page (or ''<nowiki>http://example.com/moodle/admin</nowiki>'') and the "Notifications" link.

Moodle will automatically detect the new version and perform all the SQL database or file system upgrades that are necessary. If there is anything it can't do itself (very rare) then you will see messages telling you what you need to do.

Assuming all goes well (no error messages) then you can start using your new version of Moodle and enjoy the new features!

:''TIP:'' Use the site administration block>Server>Maintenance mode to prevent users from changing data during the upgrade.
:''TIP:'' If you are running a large scale Moodle site (e.g. have more tha 10,000+ courses and 40,000+ users), make sure that you do your own performance profiling testing. Post a thread or check the [http://moodle.org/mod/forum/view.php?id=28 Installation problems forum] and check [[Tracker]] for potential issues.

== Verify the upgrade (optional) ==

If you wish to confirm that the database definitions in the upgraded database match the definitions of a new, clean install (which they should) you might like to look at [[Verify Database Schema]].

==Upgrading more than one version==

In general, it is recommended to upgrade via each version of Moodle, for example 1.7 -> 1.9. An exception to this is when upgrading from 1.5 or 1.6, when it is recommended that 1.7 and 1.8 are skipped, in other words upgrade 1.5 -> 1.6 -> 1.9. (The main reason for this recommendation is that the default roles settings obtained when upgrading to 1.7 are not ideal for 1.8 onwards, 1.8 has problems with groups, etc.)

==See also==

*[[Installing Moodle]]
*[[Installation FAQ]]
*[[Upgrading to Moodle 1.6]]
*[[Upgrading to Moodle 1.8]]
*[[Upgrading to Moodle 1.9]]
*[[Upgrading to Moodle 2.0]]
*[[Environment]]
*[[Git]] Version control and upgrading
*Moodle.org [http://moodle.org/mod/forum/view.php?id=28 Installation problems forum]
*[http://ic.eflclasses.org/tutorials/howtoupgrademoodlewithcpanel.swf How to upgrade Moodle with cpanel tutorial] - screencasts of older Moodle/Cpanel install but useful (also, a very large file that will take some time to load).

Using Moodle.org forum discussions:
*[http://moodle.org/mod/forum/discuss.php?d=26731&parent=125858 Using cvs]
*[http://moodle.org/mod/forum/discuss.php?d=56915 Upgrading from 1.5.2 to 1.7]
*[http://moodle.org/mod/forum/discuss.php?d=56991 Upgrade nightmares.... any help appreciated]
*[http://moodle.org/mod/forum/discuss.php?d=62463 After upgrading i get "Your site may not be secure." msg]
*[http://moodle.org/mod/forum/discuss.php?d=104887 Best practices for QA]

[[Category:Installation]]

[[es:Actualización de moodle]]
[[fr:Mise à jour]]
[[ja:アップグレード]]
[[nl:Upgraden]]
[[zh:升级]]
[[pl:Aktualizacja]]
[[de:Aktualisierung von Moodle]]
[[ru:Обновление]]

LDAP enrolment

2010-05-24T15:07:03Z

Minkus: Added mention of distinguishedName for AD

Location: LDAP edit settings link in ''Administration > Courses > [[Enrolment plugins|Enrolments]]''

== How to set up LDAP enrollment==
This describes how to set up Lightweight Directory Access Protocol (LDAP) enrollment in Moodle (first written by Lars Jensen). [[LDAP enrolment]] works best in Moodle when used in conjunction with [[LDAP authentication]], and we're going to assume that you have already set Moodle up for LDAP authentication.

=== Assumptions ===

# You are running a recent version of Moodle. We have tested the setup presented here on versions 1.5.2+ and 1.6dev. It is likely to work on Moodle 1.4.5 as well.
# You are using LDAP authentication as your primary authentication method.
# Each user in has a uid attribute in the users LDAP record, that matches the ID number in the same users Moodle profile (this can easily be arranged with a mapping on the Moodle LDAP Authentication setup page - for Active Directory, use 'distinguishedName', without the quotes)

=== The Course Setup ===

Our setup involves the following course and user definitions:

* Two courses, '''Math101''' and '''Eng201'''.
* Two teachers, '''TeacherA''' and '''TeacherB'''.
* Three students, '''StudentD''', '''StudentE''', and '''StudentF'''.
* StudentD and StudentE are enrolled as students in Math101, and TeacherA is enrolled as teacher of Math101. StudentE and StudentF are enrolled as students in Eng201, and TeacherA and TeacherB are both enrolled as teachers of Eng201.

=== The LDAP Container Setup ===

# Define two LDAP containers ou=StudentEnrollment and ou=TeacherEnrollment
# For each course we define an LDAP group entry (e.g a posixGroup entry) in the StudentEnrollment and TeacherEnrollment containers. Thus, we define a Math101 posixGroup under StudentEnrollment, and we define a Math101 posixGroup under TeacherEnrollment. We define the two Eng201 groups in a similar way. Be careful, '''the name of the posixGroup has to match the Course ID number of the Moodle course.''' Do not use the course short name, it will not work.
# Enroll students and teachers as members of in the LDAP-groups we just defined. This is done by entering the users uid attribute (idnumber) in the memberUid attribute of the relevant group:
#* TeacherA is a member of the Math101 group under TeacherEnrollment.
#* StudentD and StudentE are a members of the Math101 group under StudentEnrollment.
#* TeacherA and TeacherB are members of the Eng201 group under TeacherEnrollment
#* StudentE and StudentF are a members of the Eng201 group under StudentEnrollment.

=== The LDAP Enrollment Configuration in Moodle ===

The LDAP enrollment settings in Moodle corresponding to the above setup are as follows:

{| cellspacing="0" cellpadding="5" border="1"
! LDAP Enrollment Variable:
! Value:
|-
| enrol_ldap_student_contexts:
| ou=StudentEnrollment,dc=ldapserver,dc=tmcc,dc=edu
|-
| enrol_ldap_student_memberattribute:
| memberUid (use 'member' -without the quotes- for Active Directory)
|-
| enrol_ldap_teacher_contexts:
| ou=TeacherEnrollment,dc=ldapserver,dc=tmcc,dc=edu
|-
| enrol_ldap_teacher_memberattribute:
| memberUid (use 'member' -without the quotes- for Active Directory)
|-
| enrol_ldap_objectclass:
| posixGroup (use 'group' -without the quotes- for Active Directory)
|-
| enrol_ldap_course_idnumber:
| cn
|-
| enrol_ldap_course_shortname:
| cn
|-
| enrol_ldap_course_fullname:
| cn
|-
| enrol_ldap_autocreate:
| Yes
|-
|}

Additionally, since you are using LDAP authentication, you should also map the Moodle "ID number" of users to the "uid" in the ldap entry of the user. This is done on the Moodle LDAP Authentication page (not the LDAP Enrollment page).

=== Automatic course creation ===

Courses can be created automatically if there are LDAP enrolments to a course that doesn't yet exist in Moodle. To enable this, set '''enrol_ldap_autocreate''' to '''Yes'''.

'''enrol_ldap_category''' field sets the category for the automatically created courses.

'''enrol_ldap_template''' field can contain the ''shortname'' of a course that is used as a template in the automatic course creation.

=== Notes: ===

# You do not need to create the courses manually in Moodle. If they don't exist, they will be created when the first enrolled user login.
# We are using the same string cn and uid in a users LDAP record. This is not necessary, I believe. However, if you use different values, you will need to define the ldap_user_attribute to uid in the LDAP authentication setup.
# The value of the group id number (gidNumber) defined for the groups in step 2 of the LDAP Container Setup above is not critical. It is not used in this setup.
# The attached .ldif file assumes that users are in the ou=People container in LDAP. You will need to configure your LDAP Authentication setup to reflect this (ldap_contexts variable).
# User passwords for this setup are defined in the attached .ldif file.
# If you use the attached .ldif file, you'll need to edit the ldap server information (the "dn=" lines).

==Other LDAP Layout==

I do suggest to create a new LDAP object, say <TT>moodleCourse</TT>, which contains all information,& members of the course, including teachers, students a.s.o. For instance (OpenLDAP):
<pre>
attributetype ( oidAttrBase:44 NAME ( 'teacherUid' ) SUP memberUid
DESC 'which person is a teacher of this course'
)

objectclass ( oidObjRoot:14 NAME 'moodleCourse' SUP top STRUCTURAL
DESC 'course available in Moodle'
MUST ( cn )
MAY ( owner $ gn $ sn $ seeAlso $ description $ memberUid $ teacherUid )
)

Note: Openldap 2.x will need something like:

attributetype ( 1.2.1.1.1.1.2.1 NAME 'teacherUid'
SUP memberUid
DESC 'which person is a teacher of this course'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.2.1.1.1.1.1.1
NAME 'moodleCourse'
SUP top STRUCTURAL
DESC 'course available in Moodle'
MUST ( cn )
MAY ( owner $ gn $ sn $ seeAlso $ description $ memberUid $ teacherUid )
)
</pre>

The configuration is like this, in bold you see required changes, in italic you see
useful changes.

{| cellspacing="0" cellpadding="5" border="1"
! LDAP Enrollment Variable:
! Value:
|-
| enrol_ldap_student_contexts:
| ou=moodle,ou=groups,dc=ldapserver,dc=tmcc,dc=edu
|-
| enrol_ldap_student_memberattribute:
| memberUid
|-
| enrol_ldap_teacher_contexts:
| ou=moodle,ou=groups,dc=ldapserver,dc=tmcc,dc=edu
|-
| enrol_ldap_teacher_memberattribute:
| teacherUid
|-
| enrol_ldap_objectclass:
| moodleGroup
|-
| enrol_ldap_course_idnumber:
| cn
|-
| enrol_ldap_course_shortname:
| givenname
|-
| enrol_ldap_course_fullname:
| sn
|-
| enrol_ldap_course_summary:
| description
|-
| enrol_ldap_autocreate:
| Yes
|-
|}

Note: The <TT>enrol_ldap_course_idnumber</TT> (<TT>cn</TT> in my setup) is used to identify the course by the LDAP enrolment script and the database uses an <TT>INTEGER</TT> numeric here, in Moodle v1.8 anyway. When you
call <CODE>cd enrol/ldap/ && php -f enrol_ldap_sync.php</CODE> any course with the same idnumber is updated, hence,
it is quite important for the LDAP synchronisation and needs to be unique.

Sample of an moodleCourse LDAP object:
<pre>dn: cn=851,ou=moodle,ou=groups,dc=ldapserver,dc=tmcc,dc=edu
objectClass: moodleCourse
cn: 851
givenName: LV851
sn: 2007S/Introduction to Moodle
description: Jahr: 2007 Sommer, <A TARGET=_blank HREF="https://other_server/display/851">Announcement</A>
teacherUid: userA
memberUid: user1</pre>

In the same fashion one can add all the other role mappings.

==See also==

* [http://download.moodle.org/download.php/docs/en/how-to_guides/ldap_auth_and_enrolment_set-up.pdf LDAP auth and enrolment set-up guide] (PDF 227KB)

Using Moodle forum discussions:
*[http://moodle.org/mod/forum/discuss.php?d=31761 LDAP Enrollment HOWTO] with Lars Jensen's 2005 post
*[http://moodle.org/mod/forum/discuss.php?d=39549 LDAP Auto enrollment]
*[http://moodle.org/mod/forum/discuss.php?d=41829 LDAP nightmare Part II]
*[http://moodle.org/mod/forum/discuss.php?d=56198 Moodle + AD + LDAP = Confusion - Help Required and Provided]

* [http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol Wikipedia on LDAP:] a great deal of information beyond the context of Moodle

[[Category:Administrator]]
[[Category:Enrolment]]

[[fr:Inscription par LDAP]]
[[ja:LDAPユーザ登録]]

Active Directory

2009-11-18T15:31:29Z

Minkus: Added link for adding attributes to the Global Catalog

Microsoft's Active Directory (AD) provides a variety of network directory services including Lightweight Directory Access Protocol (LDAP) like functions. It is included in Windows 2000 Server and later versions of their operating system. The focus of this page will be with the [[LDAP authentication]] functions.

==Trouble shooting AD and LDAP authentication==
===Warning: The PHP LDAP module does not seem to be present. Please ensure it is installed and enabled.===
This usually means that the main ldap dll or one of the supporting dlls are missing.
Let's start with the main one itself.
Browse to <nowiki>http://(moodleserver)/admin/phpinfo.php</nowiki> and examine the "Configuration File (php.ini) Path" field to determine which php.ini is being used and open it with an editor. Find the line 'extension=php_ldap.dll' and take out the semi-colon if it is there. That semi-colon will stop it loading the module all together!
While you have that file open, search for 'extension_dir' and note which folder it is set to. Open that folder and ensure the php_ldap.dll file is in there. If it isn't then put it in there.
If that still hasn't fixed it you are missing a supporting dll, but you don't get told that. To see what dlls are missing open the Command Prompt and navigate to the php directory and execute the following line 'php -m'. You should get some error messages now. Ugly, but at least they give you information! Find the dlls listed and copy them to the php directory. You may now need to restart the apache/httpd service. Run 'php -m' again and you should be error free and the message in Moodle should be gone now.

===LDAP-module cannot connect any LDAP servers===
LDAP-module cannot connect any LDAP servers:
Server: 'ldap://my.ldap.server/'
Connection: 'Resource id #26' Bind result: ''
Getting this message when you are trying to log in is a result of incorrect details for the Bind user, or the user account having insufficient permissions in Active Directory. The best way to test and resolve this is use ldp.exe to test binding until it suceeds. There are instructions on installing ldp.exe below.
Open the program and Connect to AD, giving the server name, then from the Connection menu choose Bind. Enter the details you think are correct and you will probably find that an error is returned. Try adjusting the accounts priveleges or another account until you are returned an "Authenticated as" message.
Once you are sure your account can be used to bind to AD, check that the DN of that users name is correct. Expand the tree on the left until you find the user you used to bind. Right click on that item and choose Copy DN. Go to the User Authentication page in Moodle and paste the value into the ldap_bind_dn field. Add the password and you can now feel safe your user is binding sucessfully.

===Getting correct CNs for Contexts and Creators===
For those not familiar with AD this could be very confusing, and not that easy for some who are familiar with it. Again, ldp.exe is your friend. There are instructions on installing ldp.exe below.
Open it up and expand the tree on the left until you find the group or user you want to use and right click on it and select Copy DN. Go back to the Moodle User Authentication page and paste that value into either ldap_contexts or ldap_creators.

===Getting the right user_attribute===
By default, Moodle uses an accounts cn (full name) to verify against, but most networks don't use a full given name for logon as it's too easy to guess and you can easily have two people with the same name. If this is the case for you too you need to tell Moodle to look at another field for the logon id.
In ldp.exe navigate the tree on the left to find a user account, preferably your own. Double-click the item in the tree and full-details will be loaded into the screen on the right. Look down the details until you find your logon id and note the item listed against it. For me, and a lot of people, it is sAMAccountName. Copy this name and paste it into the ldap_user_attribute on the Moodle User Authentication page.
There are instructions on installing ldp.exe below.

===Installing ldp.exe Server Tool===
ldp.exe comes as part of the Server Tools on most versions of Windows Server. Find your Windows Server installation disc and find a folder on it called Support\Tools. In there will be a SupTools.msi which will install the server tools if run. You should now have a folder under Program Files called Support Tools, in which will be ldp.exe. ldp.exe is also available in the Windows XP Support Tools, which you can download from Microsoft [http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en here]. Alternatively, a single download of ldp.exe is available [http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm here].

===Example Active Directory Configuration===
Below is an example configuration for Active Directory. As detailed above, the values may vary based on your local Active Directory configuration, but should provide a good starting point for most cases.

ldap_host_url = ldap://ads.example.com
ldap_version = 3
ldap_preventpassindb = yes
ldap_bind_dn = bind-user@example.com
ldap_bind_pw = bind-password
ldap_user_type = MS ActiveDirectory
ldap_contexts = ou=moodleusers,dc=example,dc=com
ldap_user_attribute = sAMAccountName

Note that the ldap_bind_dn value should work in either the CN=bin-user,CN=Users,DC=example,DC=com format as shown in the main instructions or the bind-user@example.com format shown in this example.

==Global Catalogs==
Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.

===Enabling the Global Catalog===

The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Extend ‘Sites’ and then the name of the Site containing the active directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled port 3268 will need to be opened for Global Catalog servers.
If your organisation uses Microsoft Exchange then it its highly likely that at least one Domain Controller will already have Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, users also access the Global Catalog when using the GAL (Global Address List)

===Child Domains===
If your organisation has a main domain example.org, staff and students are contained in two child domains staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively.) Each domain controller contains a full, writable, representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01) a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the active directory forest, it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing.)

To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AS Auth setups.

You should use the ''''ldap_contexts'''' setting to indicate the locations of individuals you wish to grant access. To extend the example above a little: In the example.org domain users are all in the'' 'Users' ''OU, in the staff.example.org domain users are in two OUs at the root of the domain,'' 'Support Staff' ''and'' 'Teaching Staff' '', and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the'' 'Students' ''OU. As a result our ''''ldap_contexts'''' setting may look a little like this:'' 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''.' The ''''ldap_search_sub'''' option should be set to'' 'Yes' ''to allow moodle to search within the child OUs.

Its worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However common information likely to be of use to a general Moodle installation (Forename, Surname, Email Address, sAMAccountName etc) is included in the set. For specific needs the schema can be altered to remove or add various attributes - see Microsoft [http://support.microsoft.com/kb/248717 KB248717] for more information.

In most cases the Global Catalog is read-only, update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller - dc03, it would not be possible to update details by querying the Global Catalog.) The exception to this would be in an environment where there is only a single domain in the active directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.

===Group Policy Objects===
Modifying the number of Active Directory objects to search:

By default most Active Directory Lightweight Directory Service (ADLS) only allows searches returning a limited number of objects per search. Since there is currently no Page control support in PHP 5.2.x which would enable smaller page searches you may need to check and verify you MaxPageSize settings to make sure LDAP Client searches can return enough user objects to support the number of authenticating users.

As your organization grows, you might need to change the number of objects to search
at some point in time. A simple rule of thumb is to maintain a MaxPageSize which is at least equal to the number of users being
searched in an average organizational Unit or Group DN.

Setting the number for a group policy object (MaxPageSize):

1. Start the MMC Active Directory Users and Computers snap-in. (Select Programs, Administrative Tools,
Active Directory Users and Computers from the Start menu.)
2. Right-click the container, and select Properties.
3. Select the Group Policy tab.
4. Select the Group Policy Object, and select Edit.
5. Select the User Configuration branch, and expand Administrative Templates, Desktop, Active Directory.
6. Double-click Maximum size of Active Directory searches.
7. Select Enabled, and set the number (e.g.,1000)
Click Apply.
8. Click OK.
9. Close the Group Policy Editor.

MaxPageSize - This value controls the maximum number of objects that are
returned in a single search result, independent of how large each returned object is.
To perform a search where the result might exceed this number of objects, the client
must specify the paged search control. This is to group the returned results in
groups that are no larger than the MaxPageSize value.

To summarize, MaxPageSize controls the number of objects that are returned
in a single search result.

== Active Directory with Moodle 1.8==
There is an issue with the PHP ldap options that are required for Active Directory access in version 1.8 of Moodle.

Using moodle on a LAMP platform with authentication to Active Directory may give some errors.

Check this bug [http://tracker.moodle.org/browse/MDL-10921 MDL-10921] or this post http://moodle.org/mod/forum/discuss.php?d=78316 for further information.

==MS Active Directory + SSL ==

If the Certificate Authority is not installed you'll have to install it first as follows:
# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove programs.'''
# Click '''Add/Remove Windows Components''' and select '''Certificate Services.'''
# Follow the procedure provided to install the '''Certificate Authority'''. Enterprise level is a good choice.

Verify that SSL has been enabled on the server by installing suptools.msi from Windows installation cd's \Support\tools directory. After support tools installation:
# Select '''Start''' -> '''Run''', write '''ldp''' in the Open field.
# From the ldp window select '''Connection''' -> '''Connect''' and supply valid hostname and port number '''636'''. Also select the SSL check box.

If successful, you should get information about the connection.

See [[LDAP_authentication#Enabling_LDAPS_on_the_client_side_.28Moodle_server.29|Enabling LDAPS on the client side (Moodle server)]] for details on the client side configuration.

==See also==
*[[LDAP authentication]] in Moodle
*[http://en.wikipedia.org/wiki/Directory_service Directory services] overview in Wikipedia
*[http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] in Wikipedia

[[ja:Active Directory]]

Integrate Moodle, LDAP and SIMS.net

2009-11-18T15:27:29Z

Minkus: /* Introduction */

=Integrate SIMS.net and LDAP (SIMS2AD)=
==Introduction==
For SIMS2AD and SIMS2MOODLE modules to work every student and teacher's LDAP account MUST have the employeeID field set. These need to be set to the following.
#Students = UPN
#Staff = SIMS.net Teacher Code

Please note that if the account that you configure under Bind Settings/Distinguished Name does NOT have admin privileges on the domain (as best practise suggests), you may need to perform the following changes on your domain as well:

*Load Active Directory Users and Computers
*Right click on the domain itself (domain.com), select 'Delegate Control...'
*Click 'Next', and then select the LDAP user that is configured under Bind Settings/Distinguished Name
*Under 'Delegate the following common tasks', click 'Read all user information'
*Click 'Finish'

This will allow the user account to read the employeeID attribute, which by default can only be read by domain admins.

==SIMS2AD - Account Creator (Unpublished)==
===Introduction===
----
SIMS2AD - Account Creator is a moodle block that administers the process of LDAP account creation automatically.
===IMPORTANT - Please Read===
----
SIMS2AD Vbscript has been retired. It is in the process of being converted to a moodle block. The main aim of this is to improve configuration and quality.

==SIMS2AD - Access Manager==
===Introduction===
----
SIMS2AD - Access Manager allows non technical members of staff to control student access to an education establishments computer network via SIMS.net.
 
===Script Usage Details===
The Vbscript will run every 5 minutes, every day 
A log file is created in the same folder as the script, this hold a log of all processed changes.
 
===Add a new view to MS SQL Server===
----
#Open SQL Server Management Studio
#Use the Object Explorer window to browse to the database and the folder called ‘Views’.
#*[Server]\[Instance] -> Database -> sims -> Views
#Right-click the ‘Views’ folder and select ‘New View’.
#Close the Add Table dialog box – Copy and Paste the query below into the Query box
#Save the View via File, Save [the temporary name of the view] .
#Enter the above name for the new ‘View’ and click ‘OK’.
#If you refresh the list of views by right-clicking the ‘Views’ folder you will see the new view near the top of the list.
#Close SQL Server management Studio.
 

===MS SQL 2005 Server View===
----
<pre>
Name: vbs_admanager
</pre>
Query to paste in:
<pre>
SELECT TOP (100) PERCENT sims.stud_via_student_browse.unique_pupil_no, sims.stud_via_student_browse.forename,
sims.stud_via_student_browse.surname, sims.udf_field.description AS type, sims.udf_lookup_value.description
FROM sims.udf_value INNER JOIN
sims.udf_field ON sims.udf_value.field_id = sims.udf_field.field_id INNER JOIN
sims.stud_via_student_browse ON sims.udf_value.entity_id = sims.stud_via_student_browse.person_id INNER JOIN
sims.udf_lookup_value ON sims.udf_value.lookup_value_id = sims.udf_lookup_value.lookup_value_id
WHERE (sims.udf_field.active = 'T')
</pre>
'''Script'''
----
The [https://docs.moodle.org/en/SIMS2AD_access_manager.vbs SIMS2AD Access Manager] script needs to copied to D:\SIMS2AD on the SIMS Server. 
The latest version of the script is available from:-
<Pre>
https://docs.moodle.org/en/SIMS2AD_access_manager.vbs
</Pre>
 
===Setting Up a Scheduled Task===
----
A scheduled task needs to be created to run the SIMS2AD Access Manager Script. 
This Task will need to run every 5 minutes from 08:00 AM to 20:00 PM
 
#Open Control Panel
#Open Scheduled Tasks
#*This will open the Schedule Task Windows
#Add Scheduled Task
#*This will open the Schedule Task Wizard
#Click Next
#Click Browse and Navigate to D:\SIMS2AD Folder
#Select SIMS2AD_Access_Manager.vbs
#Give the the name "SIMS2AD Access Manager"
#Select Daily
#Click Next
#Click Next as these Settings will be modified later.
#Enter the user account details that will be used to run the script
#Click Next
#Tick the box
#*This will open Advance Properties Window
#Click Finish
#Click the Schedule Tab
#Set the Start Time 08:00 AM
#Click the Advance Button
#*This will open an Advance Settings Window
#Set a Start date
#Tick Repeat Task
#Set it to repeat every 5 minutes
#Select Duration and set at 12 hours
#Click OK
#Click Apply
#Click OK
 
===Required Logon Script Changes===
----
The below code needs to be added to the beginning of the Kixtart Logon Script. 
This will check the current time and see if the user belongs to a group that has restricted computer access. 
If the user has logged on during a restricted time a message box will be displayed informing of this and then forcefully log them off. 
<pre>
IF ((@time > "20:00:00") AND (@time < "08:50:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "11:15:00") AND (@time < "11:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "12:35:00") AND (@time < "13:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "13:35:00") AND (@time < "14:35:00"))
If InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "16:35:00") AND (@time < "18:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "18:00:00") AND (@time < "20:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif

</pre>
----

=Integrate Moodle and LDAP (MOODLE2LDAP)=
==Introduction==
MOODLE2LDAP is the process of linking moodle to LDAP, this will allow users to authenticate and underpin SIMS2AD - Account Creator Moodle Block.
==Setting up LDAP Authentication==
#Login to moodle as the admin user.
#Under Site Administration
#*Users - > Authentication -> LDAP Server
#Set the Following Fields as follows
#*'''LDAP server settings'''
#**Host Url = ldap://server.domain.com/
#**Version = 3
#**LDAP encoding = utf-8
#*'''Bind settings'''
#**Hide passwords = Yes
#**Distinguished Name = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Password = Password of LDAP Guest Account
#*'''User lookup settings'''
#**User type = MS Active Directory
#**Contexts = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Search subcontexts = Yes
#**Dereference aliases = Yes
#**User attribute = sAMAccountName
#**Member attribute = member
#*'''Force change password'''
#**Force change password = No
#**Use standard Change Password Page = No
#*'''LDAP password expiration settings'''
#**Expiration = No
#*'''Enable user creation'''
#**Create users externally = No
#*'''Data Mapping'''
#**First Name = givenName
#**Surname = sn
#**Email address = mail
#**Description = description
#**ID number = employeeID
#**Department = department
#Click Save
 

=Integrate Moodle and SIMS.net (SIMS2MOODLE)=
==Prerequisite==
Moodle requires FreeTDS to be installed for it to work with MS SQL 2005.
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Unix Install FreeTDS on Linux]
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Windows Install FreeTDS on Windows]

==SIMS2Moodle - Enrolment Plug-in==
===Introduction===
SIMS2Moodle - Enrolment Plug-in is a part preconfigured version of moodle's external database plug-in tailored for use with SIMS.net.

===Create Moodle SIMS.net Course Template===
----
Before the plug-in is installed it is best to create a template from which moodle will create any new SIMS.net courses

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Miscellaneous
#Click New Course Button
#Set the Following Fields as follows
#*'''General'''
#**Full name = SIMS Template Course
#**Short name = simstemplate
#**Course ID number = simstemplate
#**Format = Topics Format
#**Number of weeks/topics = 10
#**Course Start Date = 1st Sept
#**Hidden sections = Hidden sections are shown in collapsed form
#**News Items to show = 5
#**Show gradebook to students = Yes
#**Show activity reports = No
#**Maximum upload size = [Maximum Size Allowed]
#**Is this a meta course? = No
#*'''Enrolments'''
#**Enrolment Plugins = Site Default (Internal Enrolment)
#**Default role = Site Default (Student)
#**Course enrollable = Yes
#**Start date = Disabled
#**End date = Disabled
#**Enrolment duration = Unlimited
#*'''Enrolment expiry notification'''
#**Notify = No
#**Notify Students = No
#**Threshold = 10 days
#*'''Groups'''
#**Group mode = No Groups
#**Force = No
#**Default grouping = No
#*'''Availability'''
#**Availability = This course is avaliable to students
#**Enrolment key = [Blank]
#**Guest access = Do Not Allow Guest In
#*'''Language'''
#**Force language = No
#*'''Role renaming'''
#**[All Fields are Blank]

===Download===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip SIMS.net Enrolment Plug-in] files needs to copied to the 'moodle\enrol' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip
</Pre>

===Moodle Settings===
----

On the plug-in have been downloaded and installed.

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Add New Category
#*Parent Category = Top
#*Category Name = SIMS Courses
#Click Save
#Under Site Administration
#*Courses - > Enrolments
#Enable SIMS.net
#Click Edit
#Set the Following Fields as follows
#*'''SIMS.net Server Settings'''
#**enrol_dbtype = mssql
#**enrol_dbhost = sims.school.lan
#**enrol_dbport = 1427 (1427 is default for MS SQL 2005)
#**enrol_dbuser = sa
#**enrol_dbpass = [SA Password]

#*'''Academic Setting'''
#**enrol_dbacyear = 2009 (or current academic year)
#Click Save

==SIMS2MOODLE - SIMS.net Timetable Block ==
===Introduction===
----
SIMS2MOODLE - SIMS.net Timetable Block V1.2 now has ability to auto install, upgrade and remove views on Microsoft SQL Server 2005. 

===Prerequisite===
----
SIMS2MOODLE - Timetable block requires SIMS2MOODLE - Enrolment Plug-in to be installed and configured. SIMS2MOODLE - Enrolment Plug-in does not have to be enabled if auto enrolment is not needed.
====IMPORTANT: IF UPGRADING====
----
If you are upgrading from a version before the release of 1.0, please do the following:-

#Uninstall the SIMS.net Timetable block from moodle.
#Delete the folders \blocks\simstimetable and \mod\simstimtable
#Delete the view mdl_student_timetable from SQL Server Management Studio

If you are upgrading from release of 1.1, please do the following:-

#Please install SIMS.net Enrolment Plug-in.

===Download the Block===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip SIMS.net Timetable Block] files needs to copied to the 'moodle\blocks' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip
</Pre>

===Install SIMS.net Timetable Block for Moodle===
----
#Copy simstimetable folder to the blocks folder in moodle
#Login to moodle as the admin account
#Click on Notifications
#*A message should state that the block has been successfully installed.
#Click Modules -> Blocks -> SIMS.net Timetable to configure the block. (You will have to configure the 'Lesson Labels' field at the very least for your school's timetable).

===Configure SIMS.net Timetable Block for Moodle===
----
Every schools timetable is slightly different, so the block will need to be configured.

Block Title: This text will be displayed as the block title. 
Link Text: This is the text of the timetable url. 
No. Weeks: Number of weeks timetabled in SIMS.net. (Only 1 or 2 supported) 
Seperator: The separator is the character using in the SIMS.net to separate the day from the period name eg Fri:1, so the separator will be ":" 
Lesson Labels: These are the names all there periods that are timetabled in SIMS.net seperated with a "," 

[[Category: Administrator]]

Integrate Moodle, LDAP and SIMS.net

2009-11-18T15:26:57Z

Minkus: /* Introduction */

=Integrate SIMS.net and LDAP (SIMS2AD)=
==Introduction==
For SIMS2AD and SIMS2MOODLE modules to work every student and teacher's LDAP account MUST have the employeeID field set. These need to be set to the following.
#Students = UPN
#Staff = SIMS.net Teacher Code

Please note that if the account that you configure under Bind Settings/Distinguished Name does NOT have admin privileges on the domain (as best practise suggests), you may need to perform the following changes on your domain as well:

*Load Active Directory Users and Computers
*Right click on the domain itself (domain.com), select 'Delegate Control...'
*Click 'Next', and then select the LDAP user that is configured under Bind Settings/Distinguished Name
*Under 'Delegate the following common tasks', click 'Read all user information'
*Click 'Finish'

This will allow the user account to read the employeeID attribute, which by default can only be read by domain admins

==SIMS2AD - Account Creator (Unpublished)==
===Introduction===
----
SIMS2AD - Account Creator is a moodle block that administers the process of LDAP account creation automatically.
===IMPORTANT - Please Read===
----
SIMS2AD Vbscript has been retired. It is in the process of being converted to a moodle block. The main aim of this is to improve configuration and quality.

==SIMS2AD - Access Manager==
===Introduction===
----
SIMS2AD - Access Manager allows non technical members of staff to control student access to an education establishments computer network via SIMS.net.
 
===Script Usage Details===
The Vbscript will run every 5 minutes, every day 
A log file is created in the same folder as the script, this hold a log of all processed changes.
 
===Add a new view to MS SQL Server===
----
#Open SQL Server Management Studio
#Use the Object Explorer window to browse to the database and the folder called ‘Views’.
#*[Server]\[Instance] -> Database -> sims -> Views
#Right-click the ‘Views’ folder and select ‘New View’.
#Close the Add Table dialog box – Copy and Paste the query below into the Query box
#Save the View via File, Save [the temporary name of the view] .
#Enter the above name for the new ‘View’ and click ‘OK’.
#If you refresh the list of views by right-clicking the ‘Views’ folder you will see the new view near the top of the list.
#Close SQL Server management Studio.
 

===MS SQL 2005 Server View===
----
<pre>
Name: vbs_admanager
</pre>
Query to paste in:
<pre>
SELECT TOP (100) PERCENT sims.stud_via_student_browse.unique_pupil_no, sims.stud_via_student_browse.forename,
sims.stud_via_student_browse.surname, sims.udf_field.description AS type, sims.udf_lookup_value.description
FROM sims.udf_value INNER JOIN
sims.udf_field ON sims.udf_value.field_id = sims.udf_field.field_id INNER JOIN
sims.stud_via_student_browse ON sims.udf_value.entity_id = sims.stud_via_student_browse.person_id INNER JOIN
sims.udf_lookup_value ON sims.udf_value.lookup_value_id = sims.udf_lookup_value.lookup_value_id
WHERE (sims.udf_field.active = 'T')
</pre>
'''Script'''
----
The [https://docs.moodle.org/en/SIMS2AD_access_manager.vbs SIMS2AD Access Manager] script needs to copied to D:\SIMS2AD on the SIMS Server. 
The latest version of the script is available from:-
<Pre>
https://docs.moodle.org/en/SIMS2AD_access_manager.vbs
</Pre>
 
===Setting Up a Scheduled Task===
----
A scheduled task needs to be created to run the SIMS2AD Access Manager Script. 
This Task will need to run every 5 minutes from 08:00 AM to 20:00 PM
 
#Open Control Panel
#Open Scheduled Tasks
#*This will open the Schedule Task Windows
#Add Scheduled Task
#*This will open the Schedule Task Wizard
#Click Next
#Click Browse and Navigate to D:\SIMS2AD Folder
#Select SIMS2AD_Access_Manager.vbs
#Give the the name "SIMS2AD Access Manager"
#Select Daily
#Click Next
#Click Next as these Settings will be modified later.
#Enter the user account details that will be used to run the script
#Click Next
#Tick the box
#*This will open Advance Properties Window
#Click Finish
#Click the Schedule Tab
#Set the Start Time 08:00 AM
#Click the Advance Button
#*This will open an Advance Settings Window
#Set a Start date
#Tick Repeat Task
#Set it to repeat every 5 minutes
#Select Duration and set at 12 hours
#Click OK
#Click Apply
#Click OK
 
===Required Logon Script Changes===
----
The below code needs to be added to the beginning of the Kixtart Logon Script. 
This will check the current time and see if the user belongs to a group that has restricted computer access. 
If the user has logged on during a restricted time a message box will be displayed informing of this and then forcefully log them off. 
<pre>
IF ((@time > "20:00:00") AND (@time < "08:50:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "11:15:00") AND (@time < "11:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "12:35:00") AND (@time < "13:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "13:35:00") AND (@time < "14:35:00"))
If InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "16:35:00") AND (@time < "18:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "18:00:00") AND (@time < "20:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif

</pre>
----

=Integrate Moodle and LDAP (MOODLE2LDAP)=
==Introduction==
MOODLE2LDAP is the process of linking moodle to LDAP, this will allow users to authenticate and underpin SIMS2AD - Account Creator Moodle Block.
==Setting up LDAP Authentication==
#Login to moodle as the admin user.
#Under Site Administration
#*Users - > Authentication -> LDAP Server
#Set the Following Fields as follows
#*'''LDAP server settings'''
#**Host Url = ldap://server.domain.com/
#**Version = 3
#**LDAP encoding = utf-8
#*'''Bind settings'''
#**Hide passwords = Yes
#**Distinguished Name = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Password = Password of LDAP Guest Account
#*'''User lookup settings'''
#**User type = MS Active Directory
#**Contexts = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Search subcontexts = Yes
#**Dereference aliases = Yes
#**User attribute = sAMAccountName
#**Member attribute = member
#*'''Force change password'''
#**Force change password = No
#**Use standard Change Password Page = No
#*'''LDAP password expiration settings'''
#**Expiration = No
#*'''Enable user creation'''
#**Create users externally = No
#*'''Data Mapping'''
#**First Name = givenName
#**Surname = sn
#**Email address = mail
#**Description = description
#**ID number = employeeID
#**Department = department
#Click Save
 

=Integrate Moodle and SIMS.net (SIMS2MOODLE)=
==Prerequisite==
Moodle requires FreeTDS to be installed for it to work with MS SQL 2005.
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Unix Install FreeTDS on Linux]
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Windows Install FreeTDS on Windows]

==SIMS2Moodle - Enrolment Plug-in==
===Introduction===
SIMS2Moodle - Enrolment Plug-in is a part preconfigured version of moodle's external database plug-in tailored for use with SIMS.net.

===Create Moodle SIMS.net Course Template===
----
Before the plug-in is installed it is best to create a template from which moodle will create any new SIMS.net courses

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Miscellaneous
#Click New Course Button
#Set the Following Fields as follows
#*'''General'''
#**Full name = SIMS Template Course
#**Short name = simstemplate
#**Course ID number = simstemplate
#**Format = Topics Format
#**Number of weeks/topics = 10
#**Course Start Date = 1st Sept
#**Hidden sections = Hidden sections are shown in collapsed form
#**News Items to show = 5
#**Show gradebook to students = Yes
#**Show activity reports = No
#**Maximum upload size = [Maximum Size Allowed]
#**Is this a meta course? = No
#*'''Enrolments'''
#**Enrolment Plugins = Site Default (Internal Enrolment)
#**Default role = Site Default (Student)
#**Course enrollable = Yes
#**Start date = Disabled
#**End date = Disabled
#**Enrolment duration = Unlimited
#*'''Enrolment expiry notification'''
#**Notify = No
#**Notify Students = No
#**Threshold = 10 days
#*'''Groups'''
#**Group mode = No Groups
#**Force = No
#**Default grouping = No
#*'''Availability'''
#**Availability = This course is avaliable to students
#**Enrolment key = [Blank]
#**Guest access = Do Not Allow Guest In
#*'''Language'''
#**Force language = No
#*'''Role renaming'''
#**[All Fields are Blank]

===Download===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip SIMS.net Enrolment Plug-in] files needs to copied to the 'moodle\enrol' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip
</Pre>

===Moodle Settings===
----

On the plug-in have been downloaded and installed.

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Add New Category
#*Parent Category = Top
#*Category Name = SIMS Courses
#Click Save
#Under Site Administration
#*Courses - > Enrolments
#Enable SIMS.net
#Click Edit
#Set the Following Fields as follows
#*'''SIMS.net Server Settings'''
#**enrol_dbtype = mssql
#**enrol_dbhost = sims.school.lan
#**enrol_dbport = 1427 (1427 is default for MS SQL 2005)
#**enrol_dbuser = sa
#**enrol_dbpass = [SA Password]

#*'''Academic Setting'''
#**enrol_dbacyear = 2009 (or current academic year)
#Click Save

==SIMS2MOODLE - SIMS.net Timetable Block ==
===Introduction===
----
SIMS2MOODLE - SIMS.net Timetable Block V1.2 now has ability to auto install, upgrade and remove views on Microsoft SQL Server 2005. 

===Prerequisite===
----
SIMS2MOODLE - Timetable block requires SIMS2MOODLE - Enrolment Plug-in to be installed and configured. SIMS2MOODLE - Enrolment Plug-in does not have to be enabled if auto enrolment is not needed.
====IMPORTANT: IF UPGRADING====
----
If you are upgrading from a version before the release of 1.0, please do the following:-

#Uninstall the SIMS.net Timetable block from moodle.
#Delete the folders \blocks\simstimetable and \mod\simstimtable
#Delete the view mdl_student_timetable from SQL Server Management Studio

If you are upgrading from release of 1.1, please do the following:-

#Please install SIMS.net Enrolment Plug-in.

===Download the Block===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip SIMS.net Timetable Block] files needs to copied to the 'moodle\blocks' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip
</Pre>

===Install SIMS.net Timetable Block for Moodle===
----
#Copy simstimetable folder to the blocks folder in moodle
#Login to moodle as the admin account
#Click on Notifications
#*A message should state that the block has been successfully installed.
#Click Modules -> Blocks -> SIMS.net Timetable to configure the block. (You will have to configure the 'Lesson Labels' field at the very least for your school's timetable).

===Configure SIMS.net Timetable Block for Moodle===
----
Every schools timetable is slightly different, so the block will need to be configured.

Block Title: This text will be displayed as the block title. 
Link Text: This is the text of the timetable url. 
No. Weeks: Number of weeks timetabled in SIMS.net. (Only 1 or 2 supported) 
Seperator: The separator is the character using in the SIMS.net to separate the day from the period name eg Fri:1, so the separator will be ":" 
Lesson Labels: These are the names all there periods that are timetabled in SIMS.net seperated with a "," 

[[Category: Administrator]]

Integrate Moodle, LDAP and SIMS.net

2009-11-18T15:08:45Z

Minkus: /* Install SIMS.net Timetable Block for Moodle */

=Integrate SIMS.net and LDAP (SIMS2AD)=
==Introduction==
For SIMS2AD and SIMS2MOODLE modules to work every student and teacher's LDAP account MUST have the employeeID field set. These need to be set to the following.
#Students = UPN
#Staff = SIMS.net Teacher Code
 
==SIMS2AD - Account Creator (Unpublished)==
===Introduction===
----
SIMS2AD - Account Creator is a moodle block that administers the process of LDAP account creation automatically.
===IMPORTANT - Please Read===
----
SIMS2AD Vbscript has been retired. It is in the process of being converted to a moodle block. The main aim of this is to improve configuration and quality.

==SIMS2AD - Access Manager==
===Introduction===
----
SIMS2AD - Access Manager allows non technical members of staff to control student access to an education establishments computer network via SIMS.net.
 
===Script Usage Details===
The Vbscript will run every 5 minutes, every day 
A log file is created in the same folder as the script, this hold a log of all processed changes.
 
===Add a new view to MS SQL Server===
----
#Open SQL Server Management Studio
#Use the Object Explorer window to browse to the database and the folder called ‘Views’.
#*[Server]\[Instance] -> Database -> sims -> Views
#Right-click the ‘Views’ folder and select ‘New View’.
#Close the Add Table dialog box – Copy and Paste the query below into the Query box
#Save the View via File, Save [the temporary name of the view] .
#Enter the above name for the new ‘View’ and click ‘OK’.
#If you refresh the list of views by right-clicking the ‘Views’ folder you will see the new view near the top of the list.
#Close SQL Server management Studio.
 

===MS SQL 2005 Server View===
----
<pre>
Name: vbs_admanager
</pre>
Query to paste in:
<pre>
SELECT TOP (100) PERCENT sims.stud_via_student_browse.unique_pupil_no, sims.stud_via_student_browse.forename,
sims.stud_via_student_browse.surname, sims.udf_field.description AS type, sims.udf_lookup_value.description
FROM sims.udf_value INNER JOIN
sims.udf_field ON sims.udf_value.field_id = sims.udf_field.field_id INNER JOIN
sims.stud_via_student_browse ON sims.udf_value.entity_id = sims.stud_via_student_browse.person_id INNER JOIN
sims.udf_lookup_value ON sims.udf_value.lookup_value_id = sims.udf_lookup_value.lookup_value_id
WHERE (sims.udf_field.active = 'T')
</pre>
'''Script'''
----
The [https://docs.moodle.org/en/SIMS2AD_access_manager.vbs SIMS2AD Access Manager] script needs to copied to D:\SIMS2AD on the SIMS Server. 
The latest version of the script is available from:-
<Pre>
https://docs.moodle.org/en/SIMS2AD_access_manager.vbs
</Pre>
 
===Setting Up a Scheduled Task===
----
A scheduled task needs to be created to run the SIMS2AD Access Manager Script. 
This Task will need to run every 5 minutes from 08:00 AM to 20:00 PM
 
#Open Control Panel
#Open Scheduled Tasks
#*This will open the Schedule Task Windows
#Add Scheduled Task
#*This will open the Schedule Task Wizard
#Click Next
#Click Browse and Navigate to D:\SIMS2AD Folder
#Select SIMS2AD_Access_Manager.vbs
#Give the the name "SIMS2AD Access Manager"
#Select Daily
#Click Next
#Click Next as these Settings will be modified later.
#Enter the user account details that will be used to run the script
#Click Next
#Tick the box
#*This will open Advance Properties Window
#Click Finish
#Click the Schedule Tab
#Set the Start Time 08:00 AM
#Click the Advance Button
#*This will open an Advance Settings Window
#Set a Start date
#Tick Repeat Task
#Set it to repeat every 5 minutes
#Select Duration and set at 12 hours
#Click OK
#Click Apply
#Click OK
 
===Required Logon Script Changes===
----
The below code needs to be added to the beginning of the Kixtart Logon Script. 
This will check the current time and see if the user belongs to a group that has restricted computer access. 
If the user has logged on during a restricted time a message box will be displayed informing of this and then forcefully log them off. 
<pre>
IF ((@time > "20:00:00") AND (@time < "08:50:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "11:15:00") AND (@time < "11:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "12:35:00") AND (@time < "13:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "13:35:00") AND (@time < "14:35:00"))
If InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "16:35:00") AND (@time < "18:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "18:00:00") AND (@time < "20:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif

</pre>
----

=Integrate Moodle and LDAP (MOODLE2LDAP)=
==Introduction==
MOODLE2LDAP is the process of linking moodle to LDAP, this will allow users to authenticate and underpin SIMS2AD - Account Creator Moodle Block.
==Setting up LDAP Authentication==
#Login to moodle as the admin user.
#Under Site Administration
#*Users - > Authentication -> LDAP Server
#Set the Following Fields as follows
#*'''LDAP server settings'''
#**Host Url = ldap://server.domain.com/
#**Version = 3
#**LDAP encoding = utf-8
#*'''Bind settings'''
#**Hide passwords = Yes
#**Distinguished Name = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Password = Password of LDAP Guest Account
#*'''User lookup settings'''
#**User type = MS Active Directory
#**Contexts = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Search subcontexts = Yes
#**Dereference aliases = Yes
#**User attribute = sAMAccountName
#**Member attribute = member
#*'''Force change password'''
#**Force change password = No
#**Use standard Change Password Page = No
#*'''LDAP password expiration settings'''
#**Expiration = No
#*'''Enable user creation'''
#**Create users externally = No
#*'''Data Mapping'''
#**First Name = givenName
#**Surname = sn
#**Email address = mail
#**Description = description
#**ID number = employeeID
#**Department = department
#Click Save
 

=Integrate Moodle and SIMS.net (SIMS2MOODLE)=
==Prerequisite==
Moodle requires FreeTDS to be installed for it to work with MS SQL 2005.
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Unix Install FreeTDS on Linux]
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Windows Install FreeTDS on Windows]

==SIMS2Moodle - Enrolment Plug-in==
===Introduction===
SIMS2Moodle - Enrolment Plug-in is a part preconfigured version of moodle's external database plug-in tailored for use with SIMS.net.

===Create Moodle SIMS.net Course Template===
----
Before the plug-in is installed it is best to create a template from which moodle will create any new SIMS.net courses

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Miscellaneous
#Click New Course Button
#Set the Following Fields as follows
#*'''General'''
#**Full name = SIMS Template Course
#**Short name = simstemplate
#**Course ID number = simstemplate
#**Format = Topics Format
#**Number of weeks/topics = 10
#**Course Start Date = 1st Sept
#**Hidden sections = Hidden sections are shown in collapsed form
#**News Items to show = 5
#**Show gradebook to students = Yes
#**Show activity reports = No
#**Maximum upload size = [Maximum Size Allowed]
#**Is this a meta course? = No
#*'''Enrolments'''
#**Enrolment Plugins = Site Default (Internal Enrolment)
#**Default role = Site Default (Student)
#**Course enrollable = Yes
#**Start date = Disabled
#**End date = Disabled
#**Enrolment duration = Unlimited
#*'''Enrolment expiry notification'''
#**Notify = No
#**Notify Students = No
#**Threshold = 10 days
#*'''Groups'''
#**Group mode = No Groups
#**Force = No
#**Default grouping = No
#*'''Availability'''
#**Availability = This course is avaliable to students
#**Enrolment key = [Blank]
#**Guest access = Do Not Allow Guest In
#*'''Language'''
#**Force language = No
#*'''Role renaming'''
#**[All Fields are Blank]

===Download===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip SIMS.net Enrolment Plug-in] files needs to copied to the 'moodle\enrol' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip
</Pre>

===Moodle Settings===
----

On the plug-in have been downloaded and installed.

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Add New Category
#*Parent Category = Top
#*Category Name = SIMS Courses
#Click Save
#Under Site Administration
#*Courses - > Enrolments
#Enable SIMS.net
#Click Edit
#Set the Following Fields as follows
#*'''SIMS.net Server Settings'''
#**enrol_dbtype = mssql
#**enrol_dbhost = sims.school.lan
#**enrol_dbport = 1427 (1427 is default for MS SQL 2005)
#**enrol_dbuser = sa
#**enrol_dbpass = [SA Password]

#*'''Academic Setting'''
#**enrol_dbacyear = 2009 (or current academic year)
#Click Save

==SIMS2MOODLE - SIMS.net Timetable Block ==
===Introduction===
----
SIMS2MOODLE - SIMS.net Timetable Block V1.2 now has ability to auto install, upgrade and remove views on Microsoft SQL Server 2005. 

===Prerequisite===
----
SIMS2MOODLE - Timetable block requires SIMS2MOODLE - Enrolment Plug-in to be installed and configured. SIMS2MOODLE - Enrolment Plug-in does not have to be enabled if auto enrolment is not needed.
====IMPORTANT: IF UPGRADING====
----
If you are upgrading from a version before the release of 1.0, please do the following:-

#Uninstall the SIMS.net Timetable block from moodle.
#Delete the folders \blocks\simstimetable and \mod\simstimtable
#Delete the view mdl_student_timetable from SQL Server Management Studio

If you are upgrading from release of 1.1, please do the following:-

#Please install SIMS.net Enrolment Plug-in.

===Download the Block===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip SIMS.net Timetable Block] files needs to copied to the 'moodle\blocks' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip
</Pre>

===Install SIMS.net Timetable Block for Moodle===
----
#Copy simstimetable folder to the blocks folder in moodle
#Login to moodle as the admin account
#Click on Notifications
#*A message should state that the block has been successfully installed.
#Click Modules -> Blocks -> SIMS.net Timetable to configure the block. (You will have to configure the 'Lesson Labels' field at the very least for your school's timetable).

===Configure SIMS.net Timetable Block for Moodle===
----
Every schools timetable is slightly different, so the block will need to be configured.

Block Title: This text will be displayed as the block title. 
Link Text: This is the text of the timetable url. 
No. Weeks: Number of weeks timetabled in SIMS.net. (Only 1 or 2 supported) 
Seperator: The separator is the character using in the SIMS.net to separate the day from the period name eg Fri:1, so the separator will be ":" 
Lesson Labels: These are the names all there periods that are timetabled in SIMS.net seperated with a "," 

[[Category: Administrator]]

Integrate Moodle, LDAP and SIMS.net

2009-11-18T15:07:01Z

Minkus: Updated the location where the files need to be copied to make it clearer

=Integrate SIMS.net and LDAP (SIMS2AD)=
==Introduction==
For SIMS2AD and SIMS2MOODLE modules to work every student and teacher's LDAP account MUST have the employeeID field set. These need to be set to the following.
#Students = UPN
#Staff = SIMS.net Teacher Code
 
==SIMS2AD - Account Creator (Unpublished)==
===Introduction===
----
SIMS2AD - Account Creator is a moodle block that administers the process of LDAP account creation automatically.
===IMPORTANT - Please Read===
----
SIMS2AD Vbscript has been retired. It is in the process of being converted to a moodle block. The main aim of this is to improve configuration and quality.

==SIMS2AD - Access Manager==
===Introduction===
----
SIMS2AD - Access Manager allows non technical members of staff to control student access to an education establishments computer network via SIMS.net.
 
===Script Usage Details===
The Vbscript will run every 5 minutes, every day 
A log file is created in the same folder as the script, this hold a log of all processed changes.
 
===Add a new view to MS SQL Server===
----
#Open SQL Server Management Studio
#Use the Object Explorer window to browse to the database and the folder called ‘Views’.
#*[Server]\[Instance] -> Database -> sims -> Views
#Right-click the ‘Views’ folder and select ‘New View’.
#Close the Add Table dialog box – Copy and Paste the query below into the Query box
#Save the View via File, Save [the temporary name of the view] .
#Enter the above name for the new ‘View’ and click ‘OK’.
#If you refresh the list of views by right-clicking the ‘Views’ folder you will see the new view near the top of the list.
#Close SQL Server management Studio.
 

===MS SQL 2005 Server View===
----
<pre>
Name: vbs_admanager
</pre>
Query to paste in:
<pre>
SELECT TOP (100) PERCENT sims.stud_via_student_browse.unique_pupil_no, sims.stud_via_student_browse.forename,
sims.stud_via_student_browse.surname, sims.udf_field.description AS type, sims.udf_lookup_value.description
FROM sims.udf_value INNER JOIN
sims.udf_field ON sims.udf_value.field_id = sims.udf_field.field_id INNER JOIN
sims.stud_via_student_browse ON sims.udf_value.entity_id = sims.stud_via_student_browse.person_id INNER JOIN
sims.udf_lookup_value ON sims.udf_value.lookup_value_id = sims.udf_lookup_value.lookup_value_id
WHERE (sims.udf_field.active = 'T')
</pre>
'''Script'''
----
The [https://docs.moodle.org/en/SIMS2AD_access_manager.vbs SIMS2AD Access Manager] script needs to copied to D:\SIMS2AD on the SIMS Server. 
The latest version of the script is available from:-
<Pre>
https://docs.moodle.org/en/SIMS2AD_access_manager.vbs
</Pre>
 
===Setting Up a Scheduled Task===
----
A scheduled task needs to be created to run the SIMS2AD Access Manager Script. 
This Task will need to run every 5 minutes from 08:00 AM to 20:00 PM
 
#Open Control Panel
#Open Scheduled Tasks
#*This will open the Schedule Task Windows
#Add Scheduled Task
#*This will open the Schedule Task Wizard
#Click Next
#Click Browse and Navigate to D:\SIMS2AD Folder
#Select SIMS2AD_Access_Manager.vbs
#Give the the name "SIMS2AD Access Manager"
#Select Daily
#Click Next
#Click Next as these Settings will be modified later.
#Enter the user account details that will be used to run the script
#Click Next
#Tick the box
#*This will open Advance Properties Window
#Click Finish
#Click the Schedule Tab
#Set the Start Time 08:00 AM
#Click the Advance Button
#*This will open an Advance Settings Window
#Set a Start date
#Tick Repeat Task
#Set it to repeat every 5 minutes
#Select Duration and set at 12 hours
#Click OK
#Click Apply
#Click OK
 
===Required Logon Script Changes===
----
The below code needs to be added to the beginning of the Kixtart Logon Script. 
This will check the current time and see if the user belongs to a group that has restricted computer access. 
If the user has logged on during a restricted time a message box will be displayed informing of this and then forcefully log them off. 
<pre>
IF ((@time > "20:00:00") AND (@time < "08:50:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "11:15:00") AND (@time < "11:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "12:35:00") AND (@time < "13:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "13:35:00") AND (@time < "14:35:00"))
If InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "16:35:00") AND (@time < "18:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "18:00:00") AND (@time < "20:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif

</pre>
----

=Integrate Moodle and LDAP (MOODLE2LDAP)=
==Introduction==
MOODLE2LDAP is the process of linking moodle to LDAP, this will allow users to authenticate and underpin SIMS2AD - Account Creator Moodle Block.
==Setting up LDAP Authentication==
#Login to moodle as the admin user.
#Under Site Administration
#*Users - > Authentication -> LDAP Server
#Set the Following Fields as follows
#*'''LDAP server settings'''
#**Host Url = ldap://server.domain.com/
#**Version = 3
#**LDAP encoding = utf-8
#*'''Bind settings'''
#**Hide passwords = Yes
#**Distinguished Name = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Password = Password of LDAP Guest Account
#*'''User lookup settings'''
#**User type = MS Active Directory
#**Contexts = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Search subcontexts = Yes
#**Dereference aliases = Yes
#**User attribute = sAMAccountName
#**Member attribute = member
#*'''Force change password'''
#**Force change password = No
#**Use standard Change Password Page = No
#*'''LDAP password expiration settings'''
#**Expiration = No
#*'''Enable user creation'''
#**Create users externally = No
#*'''Data Mapping'''
#**First Name = givenName
#**Surname = sn
#**Email address = mail
#**Description = description
#**ID number = employeeID
#**Department = department
#Click Save
 

=Integrate Moodle and SIMS.net (SIMS2MOODLE)=
==Prerequisite==
Moodle requires FreeTDS to be installed for it to work with MS SQL 2005.
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Unix Install FreeTDS on Linux]
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Windows Install FreeTDS on Windows]

==SIMS2Moodle - Enrolment Plug-in==
===Introduction===
SIMS2Moodle - Enrolment Plug-in is a part preconfigured version of moodle's external database plug-in tailored for use with SIMS.net.

===Create Moodle SIMS.net Course Template===
----
Before the plug-in is installed it is best to create a template from which moodle will create any new SIMS.net courses

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Miscellaneous
#Click New Course Button
#Set the Following Fields as follows
#*'''General'''
#**Full name = SIMS Template Course
#**Short name = simstemplate
#**Course ID number = simstemplate
#**Format = Topics Format
#**Number of weeks/topics = 10
#**Course Start Date = 1st Sept
#**Hidden sections = Hidden sections are shown in collapsed form
#**News Items to show = 5
#**Show gradebook to students = Yes
#**Show activity reports = No
#**Maximum upload size = [Maximum Size Allowed]
#**Is this a meta course? = No
#*'''Enrolments'''
#**Enrolment Plugins = Site Default (Internal Enrolment)
#**Default role = Site Default (Student)
#**Course enrollable = Yes
#**Start date = Disabled
#**End date = Disabled
#**Enrolment duration = Unlimited
#*'''Enrolment expiry notification'''
#**Notify = No
#**Notify Students = No
#**Threshold = 10 days
#*'''Groups'''
#**Group mode = No Groups
#**Force = No
#**Default grouping = No
#*'''Availability'''
#**Availability = This course is avaliable to students
#**Enrolment key = [Blank]
#**Guest access = Do Not Allow Guest In
#*'''Language'''
#**Force language = No
#*'''Role renaming'''
#**[All Fields are Blank]

===Download===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip SIMS.net Enrolment Plug-in] files needs to copied to the 'moodle\enrol' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip
</Pre>

===Moodle Settings===
----

On the plug-in have been downloaded and installed.

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Add New Category
#*Parent Category = Top
#*Category Name = SIMS Courses
#Click Save
#Under Site Administration
#*Courses - > Enrolments
#Enable SIMS.net
#Click Edit
#Set the Following Fields as follows
#*'''SIMS.net Server Settings'''
#**enrol_dbtype = mssql
#**enrol_dbhost = sims.school.lan
#**enrol_dbport = 1427 (1427 is default for MS SQL 2005)
#**enrol_dbuser = sa
#**enrol_dbpass = [SA Password]

#*'''Academic Setting'''
#**enrol_dbacyear = 2009 (or current academic year)
#Click Save

==SIMS2MOODLE - SIMS.net Timetable Block ==
===Introduction===
----
SIMS2MOODLE - SIMS.net Timetable Block V1.2 now has ability to auto install, upgrade and remove views on Microsoft SQL Server 2005. 

===Prerequisite===
----
SIMS2MOODLE - Timetable block requires SIMS2MOODLE - Enrolment Plug-in to be installed and configured. SIMS2MOODLE - Enrolment Plug-in does not have to be enabled if auto enrolment is not needed.
====IMPORTANT: IF UPGRADING====
----
If you are upgrading from a version before the release of 1.0, please do the following:-

#Uninstall the SIMS.net Timetable block from moodle.
#Delete the folders \blocks\simstimetable and \mod\simstimtable
#Delete the view mdl_student_timetable from SQL Server Management Studio

If you are upgrading from release of 1.1, please do the following:-

#Please install SIMS.net Enrolment Plug-in.

===Download the Block===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip SIMS.net Timetable Block] files needs to copied to the 'moodle\blocks' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip
</Pre>

===Install SIMS.net Timetable Block for Moodle===
----
#Copy simstimetable folder to the blocks folder in moodle
#Login to moodle as the admin account
#Click on Notifications
#*A message should state that the block has been successfully installed.
#Click Modules -> Blocks -> SIMS.net Timetable to configure the block.

===Configure SIMS.net Timetable Block for Moodle===
----
Every schools timetable is slightly different, so the block will need to be configured.

Block Title: This text will be displayed as the block title. 
Link Text: This is the text of the timetable url. 
No. Weeks: Number of weeks timetabled in SIMS.net. (Only 1 or 2 supported) 
Seperator: The separator is the character using in the SIMS.net to separate the day from the period name eg Fri:1, so the separator will be ":" 
Lesson Labels: These are the names all there periods that are timetabled in SIMS.net seperated with a "," 

[[Category: Administrator]]

Integrate Moodle, LDAP and SIMS.net

2009-11-18T15:05:52Z

Minkus: Fixed the name of the enrollment plugin to reflect the latest version, updated academic year

=Integrate SIMS.net and LDAP (SIMS2AD)=
==Introduction==
For SIMS2AD and SIMS2MOODLE modules to work every student and teacher's LDAP account MUST have the employeeID field set. These need to be set to the following.
#Students = UPN
#Staff = SIMS.net Teacher Code
 
==SIMS2AD - Account Creator (Unpublished)==
===Introduction===
----
SIMS2AD - Account Creator is a moodle block that administers the process of LDAP account creation automatically.
===IMPORTANT - Please Read===
----
SIMS2AD Vbscript has been retired. It is in the process of being converted to a moodle block. The main aim of this is to improve configuration and quality.

==SIMS2AD - Access Manager==
===Introduction===
----
SIMS2AD - Access Manager allows non technical members of staff to control student access to an education establishments computer network via SIMS.net.
 
===Script Usage Details===
The Vbscript will run every 5 minutes, every day 
A log file is created in the same folder as the script, this hold a log of all processed changes.
 
===Add a new view to MS SQL Server===
----
#Open SQL Server Management Studio
#Use the Object Explorer window to browse to the database and the folder called ‘Views’.
#*[Server]\[Instance] -> Database -> sims -> Views
#Right-click the ‘Views’ folder and select ‘New View’.
#Close the Add Table dialog box – Copy and Paste the query below into the Query box
#Save the View via File, Save [the temporary name of the view] .
#Enter the above name for the new ‘View’ and click ‘OK’.
#If you refresh the list of views by right-clicking the ‘Views’ folder you will see the new view near the top of the list.
#Close SQL Server management Studio.
 

===MS SQL 2005 Server View===
----
<pre>
Name: vbs_admanager
</pre>
Query to paste in:
<pre>
SELECT TOP (100) PERCENT sims.stud_via_student_browse.unique_pupil_no, sims.stud_via_student_browse.forename,
sims.stud_via_student_browse.surname, sims.udf_field.description AS type, sims.udf_lookup_value.description
FROM sims.udf_value INNER JOIN
sims.udf_field ON sims.udf_value.field_id = sims.udf_field.field_id INNER JOIN
sims.stud_via_student_browse ON sims.udf_value.entity_id = sims.stud_via_student_browse.person_id INNER JOIN
sims.udf_lookup_value ON sims.udf_value.lookup_value_id = sims.udf_lookup_value.lookup_value_id
WHERE (sims.udf_field.active = 'T')
</pre>
'''Script'''
----
The [https://docs.moodle.org/en/SIMS2AD_access_manager.vbs SIMS2AD Access Manager] script needs to copied to D:\SIMS2AD on the SIMS Server. 
The latest version of the script is available from:-
<Pre>
https://docs.moodle.org/en/SIMS2AD_access_manager.vbs
</Pre>
 
===Setting Up a Scheduled Task===
----
A scheduled task needs to be created to run the SIMS2AD Access Manager Script. 
This Task will need to run every 5 minutes from 08:00 AM to 20:00 PM
 
#Open Control Panel
#Open Scheduled Tasks
#*This will open the Schedule Task Windows
#Add Scheduled Task
#*This will open the Schedule Task Wizard
#Click Next
#Click Browse and Navigate to D:\SIMS2AD Folder
#Select SIMS2AD_Access_Manager.vbs
#Give the the name "SIMS2AD Access Manager"
#Select Daily
#Click Next
#Click Next as these Settings will be modified later.
#Enter the user account details that will be used to run the script
#Click Next
#Tick the box
#*This will open Advance Properties Window
#Click Finish
#Click the Schedule Tab
#Set the Start Time 08:00 AM
#Click the Advance Button
#*This will open an Advance Settings Window
#Set a Start date
#Tick Repeat Task
#Set it to repeat every 5 minutes
#Select Duration and set at 12 hours
#Click OK
#Click Apply
#Click OK
 
===Required Logon Script Changes===
----
The below code needs to be added to the beginning of the Kixtart Logon Script. 
This will check the current time and see if the user belongs to a group that has restricted computer access. 
If the user has logged on during a restricted time a message box will be displayed informing of this and then forcefully log them off. 
<pre>
IF ((@time > "20:00:00") AND (@time < "08:50:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "11:15:00") AND (@time < "11:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "12:35:00") AND (@time < "13:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "13:35:00") AND (@time < "14:35:00"))
If InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "16:35:00") AND (@time < "18:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "18:00:00") AND (@time < "20:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif

</pre>
----

=Integrate Moodle and LDAP (MOODLE2LDAP)=
==Introduction==
MOODLE2LDAP is the process of linking moodle to LDAP, this will allow users to authenticate and underpin SIMS2AD - Account Creator Moodle Block.
==Setting up LDAP Authentication==
#Login to moodle as the admin user.
#Under Site Administration
#*Users - > Authentication -> LDAP Server
#Set the Following Fields as follows
#*'''LDAP server settings'''
#**Host Url = ldap://server.domain.com/
#**Version = 3
#**LDAP encoding = utf-8
#*'''Bind settings'''
#**Hide passwords = Yes
#**Distinguished Name = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Password = Password of LDAP Guest Account
#*'''User lookup settings'''
#**User type = MS Active Directory
#**Contexts = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Search subcontexts = Yes
#**Dereference aliases = Yes
#**User attribute = sAMAccountName
#**Member attribute = member
#*'''Force change password'''
#**Force change password = No
#**Use standard Change Password Page = No
#*'''LDAP password expiration settings'''
#**Expiration = No
#*'''Enable user creation'''
#**Create users externally = No
#*'''Data Mapping'''
#**First Name = givenName
#**Surname = sn
#**Email address = mail
#**Description = description
#**ID number = employeeID
#**Department = department
#Click Save
 

=Integrate Moodle and SIMS.net (SIMS2MOODLE)=
==Prerequisite==
Moodle requires FreeTDS to be installed for it to work with MS SQL 2005.
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Unix Install FreeTDS on Linux]
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Windows Install FreeTDS on Windows]

==SIMS2Moodle - Enrolment Plug-in==
===Introduction===
SIMS2Moodle - Enrolment Plug-in is a part preconfigured version of moodle's external database plug-in tailored for use with SIMS.net.

===Create Moodle SIMS.net Course Template===
----
Before the plug-in is installed it is best to create a template from which moodle will create any new SIMS.net courses

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Miscellaneous
#Click New Course Button
#Set the Following Fields as follows
#*'''General'''
#**Full name = SIMS Template Course
#**Short name = simstemplate
#**Course ID number = simstemplate
#**Format = Topics Format
#**Number of weeks/topics = 10
#**Course Start Date = 1st Sept
#**Hidden sections = Hidden sections are shown in collapsed form
#**News Items to show = 5
#**Show gradebook to students = Yes
#**Show activity reports = No
#**Maximum upload size = [Maximum Size Allowed]
#**Is this a meta course? = No
#*'''Enrolments'''
#**Enrolment Plugins = Site Default (Internal Enrolment)
#**Default role = Site Default (Student)
#**Course enrollable = Yes
#**Start date = Disabled
#**End date = Disabled
#**Enrolment duration = Unlimited
#*'''Enrolment expiry notification'''
#**Notify = No
#**Notify Students = No
#**Threshold = 10 days
#*'''Groups'''
#**Group mode = No Groups
#**Force = No
#**Default grouping = No
#*'''Availability'''
#**Availability = This course is avaliable to students
#**Enrolment key = [Blank]
#**Guest access = Do Not Allow Guest In
#*'''Language'''
#**Force language = No
#*'''Role renaming'''
#**[All Fields are Blank]

===Download===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip SIMS.net Enrolment Plug-in] files needs to copied to the 'moodle\enrol' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip
</Pre>

===Moodle Settings===
----

On the plug-in have been downloaded and installed.

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Add New Category
#*Parent Category = Top
#*Category Name = SIMS Courses
#Click Save
#Under Site Administration
#*Courses - > Enrolments
#Enable SIMS.net
#Click Edit
#Set the Following Fields as follows
#*'''SIMS.net Server Settings'''
#**enrol_dbtype = mssql
#**enrol_dbhost = sims.school.lan
#**enrol_dbport = 1427 (1427 is default for MS SQL 2005)
#**enrol_dbuser = sa
#**enrol_dbpass = [SA Password]

#*'''Academic Setting'''
#**enrol_dbacyear = 2009 (or current academic year)
#Click Save

==SIMS2MOODLE - SIMS.net Timetable Block ==
===Introduction===
----
SIMS2MOODLE - SIMS.net Timetable Block V1.2 now has ability to auto install, upgrade and remove views on Microsoft SQL Server 2005. 

===Prerequisite===
----
SIMS2MOODLE - Timetable block requires SIMS2MOODLE - Enrolment Plug-in to be installed and configured. SIMS2MOODLE - Enrolment Plug-in does not have to be enabled if auto enrolment is not needed.
====IMPORTANT: IF UPGRADING====
----
If you are upgrading from a version before the release of 1.0, please do the following:-

#Uninstall the SIMS.net Timetable block from moodle.
#Delete the folders \blocks\simstimetable and \mod\simstimtable
#Delete the view mdl_student_timetable from SQL Server Management Studio

If you are upgrading from release of 1.1, please do the following:-

#Please install SIMS.net Enrolment Plug-in.

===Download the Block===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip SIMS.net Timetable Block] files needs to copied to the html folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip
</Pre>

===Install SIMS.net Timetable Block for Moodle===
----
#Copy simstimetable folder to the blocks folder in moodle
#Login to moodle as the admin account
#Click on Notifications
#*A message should state that the block has been successfully installed.
#Click Modules -> Blocks -> SIMS.net Timetable to configure the block.

===Configure SIMS.net Timetable Block for Moodle===
----
Every schools timetable is slightly different, so the block will need to be configured.

Block Title: This text will be displayed as the block title. 
Link Text: This is the text of the timetable url. 
No. Weeks: Number of weeks timetabled in SIMS.net. (Only 1 or 2 supported) 
Seperator: The separator is the character using in the SIMS.net to separate the day from the period name eg Fri:1, so the separator will be ":" 
Lesson Labels: These are the names all there periods that are timetabled in SIMS.net seperated with a "," 

[[Category: Administrator]]

Integrate Moodle, LDAP and SIMS.net

2009-11-18T15:04:29Z

Minkus: Fixed the place where you have to copy the files - was unclear before

=Integrate SIMS.net and LDAP (SIMS2AD)=
==Introduction==
For SIMS2AD and SIMS2MOODLE modules to work every student and teacher's LDAP account MUST have the employeeID field set. These need to be set to the following.
#Students = UPN
#Staff = SIMS.net Teacher Code
 
==SIMS2AD - Account Creator (Unpublished)==
===Introduction===
----
SIMS2AD - Account Creator is a moodle block that administers the process of LDAP account creation automatically.
===IMPORTANT - Please Read===
----
SIMS2AD Vbscript has been retired. It is in the process of being converted to a moodle block. The main aim of this is to improve configuration and quality.

==SIMS2AD - Access Manager==
===Introduction===
----
SIMS2AD - Access Manager allows non technical members of staff to control student access to an education establishments computer network via SIMS.net.
 
===Script Usage Details===
The Vbscript will run every 5 minutes, every day 
A log file is created in the same folder as the script, this hold a log of all processed changes.
 
===Add a new view to MS SQL Server===
----
#Open SQL Server Management Studio
#Use the Object Explorer window to browse to the database and the folder called ‘Views’.
#*[Server]\[Instance] -> Database -> sims -> Views
#Right-click the ‘Views’ folder and select ‘New View’.
#Close the Add Table dialog box – Copy and Paste the query below into the Query box
#Save the View via File, Save [the temporary name of the view] .
#Enter the above name for the new ‘View’ and click ‘OK’.
#If you refresh the list of views by right-clicking the ‘Views’ folder you will see the new view near the top of the list.
#Close SQL Server management Studio.
 

===MS SQL 2005 Server View===
----
<pre>
Name: vbs_admanager
</pre>
Query to paste in:
<pre>
SELECT TOP (100) PERCENT sims.stud_via_student_browse.unique_pupil_no, sims.stud_via_student_browse.forename,
sims.stud_via_student_browse.surname, sims.udf_field.description AS type, sims.udf_lookup_value.description
FROM sims.udf_value INNER JOIN
sims.udf_field ON sims.udf_value.field_id = sims.udf_field.field_id INNER JOIN
sims.stud_via_student_browse ON sims.udf_value.entity_id = sims.stud_via_student_browse.person_id INNER JOIN
sims.udf_lookup_value ON sims.udf_value.lookup_value_id = sims.udf_lookup_value.lookup_value_id
WHERE (sims.udf_field.active = 'T')
</pre>
'''Script'''
----
The [https://docs.moodle.org/en/SIMS2AD_access_manager.vbs SIMS2AD Access Manager] script needs to copied to D:\SIMS2AD on the SIMS Server. 
The latest version of the script is available from:-
<Pre>
https://docs.moodle.org/en/SIMS2AD_access_manager.vbs
</Pre>
 
===Setting Up a Scheduled Task===
----
A scheduled task needs to be created to run the SIMS2AD Access Manager Script. 
This Task will need to run every 5 minutes from 08:00 AM to 20:00 PM
 
#Open Control Panel
#Open Scheduled Tasks
#*This will open the Schedule Task Windows
#Add Scheduled Task
#*This will open the Schedule Task Wizard
#Click Next
#Click Browse and Navigate to D:\SIMS2AD Folder
#Select SIMS2AD_Access_Manager.vbs
#Give the the name "SIMS2AD Access Manager"
#Select Daily
#Click Next
#Click Next as these Settings will be modified later.
#Enter the user account details that will be used to run the script
#Click Next
#Tick the box
#*This will open Advance Properties Window
#Click Finish
#Click the Schedule Tab
#Set the Start Time 08:00 AM
#Click the Advance Button
#*This will open an Advance Settings Window
#Set a Start date
#Tick Repeat Task
#Set it to repeat every 5 minutes
#Select Duration and set at 12 hours
#Click OK
#Click Apply
#Click OK
 
===Required Logon Script Changes===
----
The below code needs to be added to the beginning of the Kixtart Logon Script. 
This will check the current time and see if the user belongs to a group that has restricted computer access. 
If the user has logged on during a restricted time a message box will be displayed informing of this and then forcefully log them off. 
<pre>
IF ((@time > "20:00:00") AND (@time < "08:50:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "11:15:00") AND (@time < "11:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "12:35:00") AND (@time < "13:35:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "13:35:00") AND (@time < "14:35:00"))
If InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "16:35:00") AND (@time < "18:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4") or InGroup("SIMS2AD_Lesson_Evening_Only_E4")
or InGroup("SIMS2AD_Lesson_Evening_Only_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif
IF ((@time > "18:00:00") AND (@time < "20:00:00"))
If InGroup("SIMS2AD_LessonOnly_E4") or InGroup("SIMS2AD_LessonOnly_L4")

MESSAGEBOX ("Your Computer Access Been Restricted, For More Information Please Speak To Your Director Of Year",
"IT SERVICES", 16, 15)
$RC = LogOff(0)
endif
endif

</pre>
----

=Integrate Moodle and LDAP (MOODLE2LDAP)=
==Introduction==
MOODLE2LDAP is the process of linking moodle to LDAP, this will allow users to authenticate and underpin SIMS2AD - Account Creator Moodle Block.
==Setting up LDAP Authentication==
#Login to moodle as the admin user.
#Under Site Administration
#*Users - > Authentication -> LDAP Server
#Set the Following Fields as follows
#*'''LDAP server settings'''
#**Host Url = ldap://server.domain.com/
#**Version = 3
#**LDAP encoding = utf-8
#*'''Bind settings'''
#**Hide passwords = Yes
#**Distinguished Name = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Password = Password of LDAP Guest Account
#*'''User lookup settings'''
#**User type = MS Active Directory
#**Contexts = cn=LDAP Guest,cn=Users,dc=domain,dc=com
#**Search subcontexts = Yes
#**Dereference aliases = Yes
#**User attribute = sAMAccountName
#**Member attribute = member
#*'''Force change password'''
#**Force change password = No
#**Use standard Change Password Page = No
#*'''LDAP password expiration settings'''
#**Expiration = No
#*'''Enable user creation'''
#**Create users externally = No
#*'''Data Mapping'''
#**First Name = givenName
#**Surname = sn
#**Email address = mail
#**Description = description
#**ID number = employeeID
#**Department = department
#Click Save
 

=Integrate Moodle and SIMS.net (SIMS2MOODLE)=
==Prerequisite==
Moodle requires FreeTDS to be installed for it to work with MS SQL 2005.
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Unix Install FreeTDS on Linux]
#[https://docs.moodle.org/en/Installing_MSSQL_for_PHP#Using_FreeTDS_on_Windows Install FreeTDS on Windows]

==SIMS2Moodle - Enrolment Plug-in==
===Introduction===
SIMS2Moodle - Enrolment Plug-in is a part preconfigured version of moodle's external database plug-in tailored for use with SIMS.net.

===Create Moodle SIMS.net Course Template===
----
Before the plug-in is installed it is best to create a template from which moodle will create any new SIMS.net courses

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Miscellaneous
#Click New Course Button
#Set the Following Fields as follows
#*'''General'''
#**Full name = SIMS Template Course
#**Short name = simstemplate
#**Course ID number = simstemplate
#**Format = Topics Format
#**Number of weeks/topics = 10
#**Course Start Date = 1st Sept
#**Hidden sections = Hidden sections are shown in collapsed form
#**News Items to show = 5
#**Show gradebook to students = Yes
#**Show activity reports = No
#**Maximum upload size = [Maximum Size Allowed]
#**Is this a meta course? = No
#*'''Enrolments'''
#**Enrolment Plugins = Site Default (Internal Enrolment)
#**Default role = Site Default (Student)
#**Course enrollable = Yes
#**Start date = Disabled
#**End date = Disabled
#**Enrolment duration = Unlimited
#*'''Enrolment expiry notification'''
#**Notify = No
#**Notify Students = No
#**Threshold = 10 days
#*'''Groups'''
#**Group mode = No Groups
#**Force = No
#**Default grouping = No
#*'''Availability'''
#**Availability = This course is avaliable to students
#**Enrolment key = [Blank]
#**Guest access = Do Not Allow Guest In
#*'''Language'''
#**Force language = No
#*'''Role renaming'''
#**[All Fields are Blank]

===Download===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip SIMS.net Enrolment Plug-in] files needs to copied to the 'moodle\enrol' folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_enrolment_plugin.zip
</Pre>

===Moodle Settings===
----

On the plug-in have been downloaded and installed.

#Login to moodle as the admin user.
#Under Site Administration
#*Courses - > Add/Edit Courses
#Click Add New Category
#*Parent Category = Top
#*Category Name = SIMS Courses
#Click Save
#Under Site Administration
#*Courses - > Enrolments
#Enable External Database
#Click Edit
#Set the Following Fields as follows
#*'''SIMS.net Server Settings'''
#**enrol_dbtype = mssql
#**enrol_dbhost = sims.school.lan
#**enrol_dbport = 1427 (1427 is default for MS SQL 2005)
#**enrol_dbuser = sa
#**enrol_dbpass = [SA Password]

#*'''Academic Setting'''
#**enrol_dbacyear = 2008 (or current academic year)
#Click Save

==SIMS2MOODLE - SIMS.net Timetable Block ==
===Introduction===
----
SIMS2MOODLE - SIMS.net Timetable Block V1.2 now has ability to auto install, upgrade and remove views on Microsoft SQL Server 2005. 

===Prerequisite===
----
SIMS2MOODLE - Timetable block requires SIMS2MOODLE - Enrolment Plug-in to be installed and configured. SIMS2MOODLE - Enrolment Plug-in does not have to be enabled if auto enrolment is not needed.
====IMPORTANT: IF UPGRADING====
----
If you are upgrading from a version before the release of 1.0, please do the following:-

#Uninstall the SIMS.net Timetable block from moodle.
#Delete the folders \blocks\simstimetable and \mod\simstimtable
#Delete the view mdl_student_timetable from SQL Server Management Studio

If you are upgrading from release of 1.1, please do the following:-

#Please install SIMS.net Enrolment Plug-in.

===Download the Block===
----
The [http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip SIMS.net Timetable Block] files needs to copied to the html folder on the Moodle server. 
The latest version of the files are available from:-
<Pre>
http://www.uctc.e-sussex.sch.uk/moodle_sims.net_timetable_block.zip
</Pre>

===Install SIMS.net Timetable Block for Moodle===
----
#Copy simstimetable folder to the blocks folder in moodle
#Login to moodle as the admin account
#Click on Notifications
#*A message should state that the block has been successfully installed.
#Click Modules -> Blocks -> SIMS.net Timetable to configure the block.

===Configure SIMS.net Timetable Block for Moodle===
----
Every schools timetable is slightly different, so the block will need to be configured.

Block Title: This text will be displayed as the block title. 
Link Text: This is the text of the timetable url. 
No. Weeks: Number of weeks timetabled in SIMS.net. (Only 1 or 2 supported) 
Seperator: The separator is the character using in the SIMS.net to separate the day from the period name eg Fri:1, so the separator will be ":" 
Lesson Labels: These are the names all there periods that are timetabled in SIMS.net seperated with a "," 

[[Category: Administrator]]