
Note: You are currently viewing documentation for Moodle 3.10. Up-to-date documentation for the latest stable version of Moodle may be available here: Active Directory.

Active Directory: Difference between revisions

From MoodleDocs
(→‎Trouble shooting: copy from LDAP auth page)
(edit intro)

Revision as of 13:04, 15 December 2008

Microsoft's Active Directory provides a variety of network directory services, including Lightweight Directory Access Protocol (LDAP)-like functions. It is included in Windows 2000 Server and later versions of the operating system. The focus of this page is the LDAP authentication functions.

Troubleshooting help

Active Directory is Microsoft's directory service. It is included in Windows 2000 Server and later versions of the operating system.

Warning: The PHP LDAP module does not seem to be present. Please ensure it is installed and enabled.

This usually means that the main LDAP DLL, or one of the DLLs it depends on, is missing. Start with the main one. Browse to http://(moodleserver)/admin/phpinfo.php and examine the "Configuration File (php.ini) Path" field to determine which php.ini is being used (the "Loaded Configuration File" entry shows the exact file that was read), then open that file in an editor. Find the line 'extension=php_ldap.dll' and remove the semicolon if there is one in front of it: that semicolon stops the module loading altogether. While you have the file open, search for 'extension_dir' and note which folder it is set to. Open that folder and make sure php_ldap.dll is in it; if it isn't, copy it there.

If that still hasn't fixed it, a supporting DLL is missing, but PHP does not tell you which one. To find out, open a Command Prompt, change to the PHP directory and run 'php -m'. You should now get some error messages: ugly, but at least they name the missing files. Find the DLLs listed and copy them into the PHP directory. You may need to restart the Apache/httpd service afterwards. Run 'php -m' again; it should now be error-free and the warning in Moodle should be gone. Bear in mind that the command-line php.exe may read a different php.ini from the one the web server module uses, so compare the file reported by 'php --ini' with the one shown on the phpinfo page.
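The checks above can be run from the command line instead of by hand. The following script is an added example and is not part of the Moodle documentation or of Moodle's own code; the file name check_ldap_ext.php is an assumption, and it must be run with the same PHP binary the web server uses for its result to be meaningful.

```php
<?php
// Added example (not Moodle code): report whether the PHP LDAP extension is loaded,
// which php.ini was read, where extension_dir points, whether the extension file is
// there, and whether the extension= line is commented out with a leading ';'.
// Usage (assumed file name):  php check_ldap_ext.php

function ldapExtensionReport(): array
{
    $report = [];
    $report['loaded'] = extension_loaded('ldap');

    // The php.ini this process loaded. For the web server, compare with the
    // "Loaded Configuration File" entry of admin/phpinfo.php.
    $ini = php_ini_loaded_file();
    $report['php_ini'] = ($ini === false) ? null : $ini;

    // Where PHP looks for extension files: php_ldap.dll on Windows, php_ldap.so elsewhere.
    $extDir = (string) ini_get('extension_dir');
    $report['extension_dir'] = $extDir;
    $file = ($extDir !== '' ? rtrim($extDir, '\\/') . DIRECTORY_SEPARATOR : '')
          . 'php_ldap.' . PHP_SHLIB_SUFFIX;
    $report['extension_file'] = $file;
    $report['extension_file_exists'] = file_exists($file);

    // Look for the extension line. Matches "extension=php_ldap.dll", "extension=ldap"
    // (PHP 7.2+ style) and the same lines commented out with ';'.
    $report['ini_line'] = null;
    $report['ini_line_commented'] = null;
    if ($ini !== false && is_readable($ini)) {
        foreach (file($ini, FILE_IGNORE_NEW_LINES) as $line) {
            if (preg_match('/^\s*(;?)\s*extension\s*=\s*"?(php_)?ldap(\.dll|\.so)?"?\s*$/i', $line, $m)) {
                $report['ini_line'] = trim($line);
                $report['ini_line_commented'] = ($m[1] === ';');
                break;
            }
        }
    }
    return $report;
}

$r = ldapExtensionReport();
printf("PHP LDAP extension loaded : %s\n", $r['loaded'] ? 'yes' : 'NO');
printf("php.ini in use            : %s\n", $r['php_ini'] ?? '(none loaded)');
printf("extension_dir             : %s\n", $r['extension_dir'] !== '' ? $r['extension_dir'] : '(not set)');
printf("%s: %s\n", $r['extension_file'], $r['extension_file_exists'] ? 'found' : 'MISSING');

if ($r['ini_line'] === null) {
    echo "No extension line for ldap found in php.ini; add extension=php_ldap.dll\n";
} elseif ($r['ini_line_commented']) {
    echo "Found but commented out: " . $r['ini_line'] . "  -> remove the leading ';'\n";
} else {
    echo "Found: " . $r['ini_line'] . "\n";
}

// Line enabled and file present, yet not loaded: this is the "supporting DLL missing"
// case, which only the loader's own message (from 'php -m') will name.
if (!$r['loaded'] && $r['ini_line'] !== null && !$r['ini_line_commented'] && $r['extension_file_exists']) {
    echo "Extension enabled and file present but not loaded: a dependent DLL is probably\n"
       . "missing. Run 'php -m' from the PHP directory to see the loader's error message.\n";
}
```

Because the script reports the php.ini it loaded itself, running it once with the CLI and once through the web server (for example by placing it in a test directory and browsing to it, then deleting it) shows immediately whether the two are reading different configuration files.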

LDAP-module cannot connect any LDAP servers : Server: 'ldap://my.ldap.server/' Connection: 'Resource id #26' Bind result:

Getting this message when you try to log in means that the details for the Bind user are incorrect, or that the account has insufficient permissions in Active Directory. The best way to test and resolve this is to use ldp.exe to try binding until it succeeds. There are instructions on installing ldp.exe below. Open the program, choose Connect and give the server name, then from the Connection menu choose Bind. Enter the details you think are correct; you will probably get an error back. Try adjusting the account's privileges, or try another account, until you get an "Authenticated as" message. An ordinary domain user that can read the user objects is enough for this; the bind account does not need, and should not be given, administrative rights. Once you are sure the account can bind to AD, check that its DN is correct: expand the tree on the left until you find the user you bound as, right-click it and choose Copy DN. Go to the User Authentication page in Moodle and paste the value into the ldap_bind_dn field. Add the password, and you can be confident that your bind user is binding successfully.

Getting the correct DNs for Contexts and Creators

For those not familiar with AD this can be very confusing, and it is not that easy even for some who are. Again, ldp.exe is your friend. There are instructions on installing ldp.exe below. Open it, expand the tree on the left until you find the group or user you want to use, right-click it and select Copy DN. Go back to the Moodle User Authentication page and paste that value into either ldap_contexts or ldap_creators. Note that these are full distinguished names (DNs) such as ou=moodleusers,dc=example,dc=com, not just the CN of the object; several contexts can be listed in ldap_contexts separated by semicolons.

Getting the right user_attribute

By default, Moodle uses an account's cn (full name) to verify against, but most networks don't use a full given name for logon, as it is too easy to guess and two people can easily have the same name. If this is the case for you, you need to tell Moodle to look at another field for the logon id. In ldp.exe, navigate the tree on the left to find a user account, preferably your own. Double-click the item in the tree and its full details will be loaded into the pane on the right. Look down the details until you find your logon id and note the attribute it is listed against. For me, and for a lot of people, it is sAMAccountName. Copy this name and paste it into ldap_user_attribute on the Moodle User Authentication page. There are instructions on installing ldp.exe below. In Active Directory, sAMAccountName is unique within the domain, whereas cn only has to be unique within its container, which is another reason to prefer it.
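The three steps above (test the bind account, confirm the context DN, confirm the logon attribute) can also be done with the same PHP LDAP functions Moodle uses, which is handy when ldp.exe is not available on the Moodle server. The script below is an added example and is not part of the Moodle documentation or of Moodle's own code; the host, bind account, password, context and username in it are placeholders to be replaced, the file name testbind.php is an assumption, and the table of Active Directory "data" sub-codes is the standard Windows logon error list.

```php
<?php
// Added example (not Moodle code): bind as the Moodle bind user, show the real
// reason if the bind fails, then search the context for a user by the logon
// attribute and print the DN and attributes Moodle will see.
// Usage (assumed file name):  php testbind.php [username]

$host_url  = 'ldap://ads.example.com';            // Moodle ldap_host_url
$bind_dn   = 'bind-user@example.com';             // Moodle ldap_bind_dn (UPN or full DN)
$bind_pw   = 'bind-password';                     // Moodle ldap_bind_pw
$context   = 'ou=moodleusers,dc=example,dc=com';  // Moodle ldap_contexts (one context)
$attribute = 'sAMAccountName';                    // Moodle ldap_user_attribute
$username  = $argv[1] ?? 'jsmith';                // account to look up (constructed placeholder)

// Active Directory appends "data NNN" to the diagnostic message of a failed simple
// bind; the sub-code says why the bind failed (standard Windows logon error codes).
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials (wrong password)',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

$conn = ldap_connect($host_url);
if ($conn === false) {
    exit("Malformed LDAP URL: $host_url\n");
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // Moodle ldap_version = 3
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);          // AD returns referrals; chasing them breaks searches

if (!@ldap_bind($conn, $bind_dn, $bind_pw)) {
    echo "Bind as $bind_dn FAILED: " . ldap_error($conn) . "\n";
    // The diagnostic message carries AD's reason, which Moodle's "Bind result:" line leaves empty.
    $diag = '';
    $opt = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : LDAP_OPT_ERROR_STRING;
    ldap_get_option($conn, $opt, $diag);
    if (is_string($diag) && $diag !== '') {
        echo "Server said: $diag\n";
        if (preg_match('/data ([0-9a-f]{3})/i', $diag, $m)) {
            $code = strtolower($m[1]);
            echo "Sub-code $code: " . (AD_BIND_SUBCODES[$code] ?? 'see Windows logon error codes') . "\n";
        }
    }
    exit(1);
}
echo "Authenticated as $bind_dn\n";

// Look the user up under the context by the logon attribute. The value is escaped so a
// username containing ( ) * or \ cannot alter the filter (LDAP filter injection).
$filter = '(&(objectClass=user)(' . $attribute . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
$res = @ldap_search($conn, $context, $filter, ['cn', 'sAMAccountName', 'userPrincipalName']);
if ($res === false) {
    exit("Search under $context failed: " . ldap_error($conn) . " (is the context DN correct?)\n");
}
$entries = ldap_get_entries($conn, $res);
if ($entries['count'] === 0) {
    exit("No user with $attribute=$username under $context; check ldap_contexts and ldap_user_attribute.\n");
}
for ($i = 0; $i < $entries['count']; $i++) {
    $e = $entries[$i];
    // ldap_get_entries() returns attribute names in lower case.
    echo "DN                : " . $e['dn'] . "\n";
    echo "cn                : " . ($e['cn'][0] ?? '') . "\n";
    echo "sAMAccountName    : " . ($e['samaccountname'][0] ?? '') . "\n";
    echo "userPrincipalName : " . ($e['userprincipalname'][0] ?? '') . "\n";
}
ldap_unbind($conn);
```

The printed DN is the value ldp.exe's Copy DN would give, and the cn versus sAMAccountName lines show directly which attribute holds the logon id. A bind failure with sub-code 52e means the password is wrong, 525 means the bind name itself was not found, and 775 means the test has locked the account out, so do not loop over password guesses.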

Installing ldp.exe Server Tool

ldp.exe comes as part of the Support Tools on most versions of Windows Server. Find your Windows Server installation disc and look for a folder on it called Support\Tools. In there is a SupTools.msi which installs the support tools when run. You should then have a folder under Program Files called Support Tools, in which you will find ldp.exe. ldp.exe is also available in the Windows XP Support Tools, which you can download from Microsoft here. Alternatively, a single download of ldp.exe is available here. On Windows Server 2008 and later, ldp.exe is installed together with the Active Directory Domain Services role and its management tools (RSAT), so no separate download is needed there.

Example Active Directory Configuration

Below is an example configuration for Active Directory. As detailed above, the values may vary based on your local Active Directory configuration, but should provide a good starting point for most cases.

ldap_host_url = ldap://ads.example.com
ldap_version = 3
ldap_preventpassindb = yes
ldap_bind_dn = bind-user@example.com
ldap_bind_pw = bind-password
ldap_user_type = MS ActiveDirectory
ldap_contexts = ou=moodleusers,dc=example,dc=com
ldap_user_attribute = sAMAccountName


Note that the ldap_bind_dn value should work in either the CN=bind-user,CN=Users,DC=example,DC=com format shown in the main instructions or the bind-user@example.com (userPrincipalName) format shown in this example. Also note that an ldap:// URL sends the bind password, and the passwords of users logging in, to the domain controller in clear text; where the domain controller has a certificate, use ldaps://ads.example.com (port 636) instead. In either case, give the bind account a password of its own and only read access to the directory.

See also