https://docs.moodle.org/37/en/api.php?action=feedcontributions&user=Rboyce&feedformat=atom
MoodleDocs - User contributions [en] 2024-03-28T19:03:00Z User contributions MediaWiki 1.39.6
https://docs.moodle.org/37/en/index.php?title=Installing_Moodle&diff=25563 Installing Moodle 2007-08-02T14:21:53Z
<p>Rboyce: /* Using the command line */</p>
<hr />
<div>'''Firstly don't panic! :-)'''<br />
<br />
This guide explains how to install Moodle for the first time. Some of the steps go into a lot of detail in order to cover the majority of possible web server setups, so this page may look long and complicated. Don't panic: once you know how to do it, you can install Moodle in minutes!<br />
<br />
If you have problems, please read this page carefully; most common issues are answered here. If you still have trouble, you can seek help from the Moodle community via [http://moodle.org/course/view.php?id=5 moodle.org Using Moodle].<br />
<br />
Another option is to contact a [http://moodle.com/hosting/ Moodle Partner providing Moodle hosting] who can completely maintain Moodle for you, so that you can ignore all this and get straight into educating! A Moodle Partner is the preferred option, but if you decide to choose a hosting company that has cPanel then [http://otaru-jc.ac.jp/hagley/settingupmoodleonhostingwithcpanel.swf this tutorial will guide you] through the process of choosing a host and setting up Moodle via cPanel.<br />
<br />
If you want to run Moodle on your own computer and this page looks a bit daunting, then please see our guides: [[Installing AMP |Installing Apache, MySQL and PHP(AMP)]] or [[Complete install packages| how to install one of Moodle's complete packages]]. They provide alternative instructions to install all this on most popular platforms.<br />
<br />
==Requirements==<br />
<br />
Moodle is primarily developed in Linux using [[Apache]], [[MySQL]] and [[PHP]] (also sometimes known as the LAMP platform), but is also regularly tested with Windows XP/2000/2003 (WAMP), Solaris 10 (Sparc and x64), Mac OS X and Netware 6 operating systems. Support for PostgreSQL, Oracle and Microsoft SQL Server is also available.<br />
<br />
'''Note if you are using a hosted account''': Most web hosts support all of these requirements by default. You should contact your web host's support desk to check that this is the case '''before''' signing up with them. It is especially important to ask about any PHP memory limits or MySQL question limits. If your prospective host does not provide a service which meets these requirements, or you are already signed up with them, ask them why and consider taking your business elsewhere if they do not change.<br />
<br />
The requirements for Moodle are as follows:<br />
<br />
'''Hardware''' (unless you are using a hosted server)<br />
* Disk space: 160MB free (min). You will require more free space to store your teaching materials.<br />
* Memory: 256MB (min), 1GB (recommended). The general rule of thumb is that Moodle can support 50 ''concurrent'' users for every 1GB of RAM, but this will vary depending on your specific hardware and software combination. <br />
'''Software'''<br />
* Web server software. Most people use [[Apache]], but Moodle should work fine under any web server that supports [[PHP]], such as [[IIS]] on Windows platforms. PHP does impose requirements on versions of web servers; however, these are complex, and the general advice is to use the newest version possible of your chosen web server.<br />
* PHP scripting language. (Please note that there have been issues installing Moodle with [http://www.php-accelerator.co.uk PHP-Accelerator].) There are currently two versions (or branches) of PHP available, PHP4 and PHP5; the version requirements are listed below.<br />
** For Moodle version 1.4 or later: PHP4 (version 4.1.0 or later) or PHP5 (version 5.1.0 or later) is supported.<br />
** For Moodle version 1.6 or later: PHP4 (version 4.3.0 or later) or PHP5 (version 5.1.0 or later) is supported.<br />
** Future Moodle versions 2.0 or later will not support PHP4 and will require PHP5 (version 5.2.0 or later).<br />
** PHP Settings<br />
*** ''safe_mode'' needs to be OFF (check in your php.ini or Apache configuration file).<br />
*** ''memory_limit'' should be at least 40M (Moodle versions prior to 1.8 require less memory). Large sites may need more than 128M. PHP 5.2.x requires higher memory_limit values than previous versions of PHP. 64-bit operating systems require even more memory.<br />
*** ''session.save_handler'' needs to be set to files. <br />
** PHP Extensions and libraries<br />
*** The mbstring extension is recommended for Moodle 1.6 or later.<br />
*** The iconv extension is recommended for Moodle 1.6 or later.<br />
*** The [http://www.libgd.org/ GD library] and the [http://www.freetype.org/ FreeType 2] library and extensions are needed to display the dynamic graphs generated by the log pages.<br />
*** The mysql extension is required if you are using the MySQL database. Note that in some Linux distributions (notably Red Hat) this is an optional installation.<br />
*** The pgsql extension is required if you are using the PostgreSQL database.<br />
*** The zlib extension is required for zip/unzip functionality.<br />
*** The curl extension is recommended for Moodle 1.8 or later.<br />
*** The tokenizer extension is recommended for Moodle 1.8 or later.<br />
*** The curl and openssl extensions are required for the Moodle network functionality (Moodle 1.8 or later).<br />
*** Other PHP extensions may be required to support optional Moodle functionality, especially external authentication and/or enrolment (e.g. LDAP extension for LDAP authentication and the sockets extension for Chat server).<br />
* A working database server: [[MySQL]] or [[PostgreSQL]] are completely supported and recommended for use with any version of Moodle. Support for Microsoft SQL Server and Oracle has been added in Moodle 1.7. MySQL is ''the'' choice for many people because it is very popular, but there are some [[Arguments in favour of PostgreSQL|arguments in favour of PostgreSQL]], especially if you are planning a large deployment. <br />
** For Moodle 1.5 or later, MySQL (version 3.23 or later) or PostgreSQL (7.4 or later). <br />
** For Moodle 1.6 or later, MySQL (version 4.1.12 or later) or PostgreSQL (7.4 or later).<br />
** For Moodle 1.7 or later, MySQL (version 4.1.12 or later), PostgreSQL (7.4 or later) or Microsoft SQL Server 2005 (version 9 or [http://moodle.org/mod/forum/discuss.php?d=59284 SQL Server Express 2005])<br />
: MySQL notes: For Moodle 1.6 or later, if you use Latin-script languages only you can use MySQL 4.1.12. If you are using non-Latin languages you require MySQL 4.1.16 or later. Currently the MySQL setting "strict mode" must be OFF (set to "" or "MYSQL40") in the MySQL configuration file.<br />
: PostgreSQL notes: The minimum version of PostgreSQL is 7.4, and Moodle is widely used with 8.0 and 8.1.<br />
<br />
== How many users? ==<br />
<br />
In addition to the hardware and software requirements, you will also need to think about the capacity of your Moodle installation in terms of the number of users it can handle. There are two numbers to plan for:<br />
<br />
* '''Browsing users''': the maximum number of users able to browse your Moodle site. This is the number of computers in your organization or on your course (whichever is greater).<br />
* '''Concurrent database users''': the maximum number of concurrent database users (needed for Moodle activities such as quizzes). This is the number of users who will be using Moodle at the same time. In an educational institution, use your timetable/roster to obtain this figure.<br />
<br />
Once you know these figures for your users, you can start to work out whether your Moodle installation can support this capacity. The exact number of users depends on your hardware/software/network combination. Usually the amount of memory installed (RAM) is the deciding factor, but a faster overall processor speed will also help in reducing waiting times for pages to load.<br />
<br />
The general rule of thumb for a single server is that the approximate maximum number of concurrent users = RAM (GB) * 50, and the approximate maximum number of browsing users = approximate maximum concurrent users * 5. As an example, a university with 500 total computers on campus and 100 concurrent users at any time will need approximately 2GB of RAM on the one server to support that number of concurrent users.<br />
<br />
'''Note if you are using a hosted account''': Ask your provider what limits are placed on the number of concurrent database connections and the processor load. This will give a good estimate of the number of users your Moodle install can manage.<br />
<br />
== Download and copy files into place ==<br />
<br />
There are two ways to get Moodle, either as a compressed package or via CVS. <br />
* There are two types of compressed packages on the [http://download.moodle.org/ download page: http://download.moodle.org/]: the standard distribution, with Moodle-only files, and the [[Complete install packages|complete install]], which contains the programs needed to operate Moodle in a web environment.<br />
* To use CVS, helpful instructions are available at the [[CVS_for_Administrators | CVS for Administrators]] page. The full [http://moodle.cvs.sourceforge.net/moodle/moodle/ Moodle Sourceforge CVS repository] is also available for browsing. <br />
<br />
After downloading, unpack the archive using either<br />
<br />
 tar -zxvf [filename]<br />
<br />
or<br />
<br />
 unzip [filename]<br />
<br />
as appropriate.<br />
<br />
If using CVS, run the CVS Checkout command.<br />
<br />
You will now be left with a directory called "moodle", containing a number of files and folders.<br />
<br />
You can either place the whole folder in your web server documents directory, in which case the site will be located at '''<nowiki>http://yourwebserver.com/moodle</nowiki>''', or you can copy all the contents straight into the main web server documents directory, in which case the site will be simply '''<nowiki>http://yourwebserver.com</nowiki>'''.<br />
<br />
If you are downloading Moodle to your local computer and then uploading it to your web site, it is usually better to upload the whole archive as one file, and then do the unpacking on the server. Even web hosting interfaces like cPanel allow you to uncompress archives in the "File Manager".<br />
<br />
=== Structure of moodle directory ===<br />
<br />
You can safely skip this section, but here is a quick summary of the contents of the Moodle folder, to help get you oriented:<br />
<br />
:''config.php'' - contains basic settings. This file does not come with Moodle - you will create it.<br />
:''install.php'' - the script you will run to create config.php<br />
:''version.php'' - defines the current version of Moodle code<br />
:''index.php'' - the front page of the site<br />
:''admin/'' - code to administrate the whole server<br />
:''auth/'' - plugin modules to authenticate users<br />
:''blocks/'' - plugin modules for the little side blocks on many pages<br />
:''calendar/'' - all the code for managing and displaying calendars<br />
:''course/'' - code to display and manage courses<br />
:''doc/'' - help documentation for Moodle (eg this page)<br />
:''files/'' - code to display and manage uploaded files<br />
:''lang/'' - texts in different languages, one directory per language<br />
:''lib/'' - libraries of core Moodle code<br />
:''login/'' - code to handle login and account creation<br />
:''mod/'' - all the main Moodle course modules are in here<br />
:''pix/'' - generic site graphics<br />
:''theme/'' - theme packs/skins to change the look of the site.<br />
:''user/'' - code to display and manage users<br />
<br />
== Setting up your system ==<br />
To ensure that Moodle will install successfully, you need to check that the web server settings are correct, create a blank database for Moodle to use, and finally create a directory on your hard disk for Moodle to save your materials and the other files you upload into your courses.<br />
<br />
=== Check web server settings ===<br />
<br />
*Firstly, make sure that your web server is set up to use index.php as a default page (perhaps in addition to index.html, default.htm and so on). In Apache, this is done using a DirectoryIndex parameter in your httpd.conf file. Mine usually looks like this:<br />
<br />
 DirectoryIndex index.php index.html index.htm<br />
<br />
:Just make sure index.php is in the list (and preferably towards the start of the list, for efficiency).<br />
<br />
*Secondly, '''if you are using Apache 2''', then you should turn on the ''AcceptPathInfo'' directive, which allows scripts to be passed arguments like <nowiki>http://server/file.php/arg1/arg2</nowiki>. This is essential to allow relative links between your resources, and also provides a performance boost for people using your Moodle web site. You can turn this on by adding this line to your httpd.conf file:<br />
<br />
 AcceptPathInfo on<br />
<br />
=== Check PHP settings ===<br />
Moodle requires a number of PHP settings to be active for it to work. '''On most servers these will already be the default settings'''. However, some PHP servers (and some of the more recent PHP versions) may have things set differently. These are defined in PHP's configuration file (usually called '''php.ini'''):<br />
<br />
 magic_quotes_gpc = 1 (preferred but not necessary)<br />
 magic_quotes_runtime = 0 (necessary)<br />
 file_uploads = 1<br />
 session.auto_start = 0<br />
 session.bug_compat_warn = 0<br />
<br />
:You may also want to set other, optional php.ini settings while you are already editing the file. For instance, you may want to raise the maximum upload size of file attachments, which usually defaults to 2 megabytes (2M). To set these limits to 16 megabytes:<br />
<br />
 post_max_size = 16M<br />
 upload_max_filesize = 16M<br />
<br />
<br />
=== Using a .htaccess file for web server and PHP settings ===<br />
<br />
Use the above if you can directly edit your server's files. If you are setting up Moodle on a web host, don't have access to '''httpd.conf''' or '''php.ini''' on your server, or have Moodle on a server with other applications that require different settings, then don't worry: you can often still override the default settings. This only works on Apache servers, and only when overrides have been allowed (via AllowOverride) in the main Apache configuration.<br />
<br />
* Create a file called '''.htaccess''' in Moodle's main directory that contains lines like the following. <br />
<br />
 DirectoryIndex index.php index.html index.htm<br />
<br />
 <IfDefine APACHE2><br />
 AcceptPathInfo on<br />
 </IfDefine><br />
<br />
 php_flag magic_quotes_gpc 1<br />
 php_flag magic_quotes_runtime 0<br />
 php_flag file_uploads 1<br />
 php_flag session.auto_start 0<br />
 php_flag session.bug_compat_warn 0<br />
<br />
* Optionally, you can also do things like define the maximum size for uploaded files:<br />
<br />
 LimitRequestBody 0<br />
 php_value upload_max_filesize 2M<br />
 php_value post_max_size 2M<br />
<br />
* The easiest thing to do is just copy the sample file from lib/htaccess and edit it to suit your needs. It contains further instructions. For example, in a Unix shell:<br />
<br />
 cp lib/htaccess .htaccess<br />
<br />
=== Creating an empty database ===<br />
<br />
You need to create an empty database (e.g. "''moodle''") in your database system, along with a special user (e.g. "moodleuser") that has access to that database (and that database only). You could use the "root" user for a test server, but this is not recommended for a production system: if hackers manage to discover the password then your whole database system would be at risk, rather than just one database.<br />
<br />
::'''Warning''': Bear in mind that, as of Moodle version 1.5.x, Moodle doesn't work with MySQL 5.x's strict mode setting (STRICT_TRANS_TABLES and/or STRICT_ALL_TABLES) -- see [http://moodle.org/mod/forum/discuss.php?d=58552 forum discussion]. So if you are using MySQL 5.x, edit MySQL's configuration file (called "my.ini" in Windows and "my.cnf" on Unix/Linux) and comment out that option or set it to <code>sql-mode=<nowiki>''</nowiki></code>. You have to restart MySQL after changing this setting. <br><br> If you do not have access to your server, use PHPMyAdmin (or another MySQL client) and enter the command <code>SET @@global.sql_mode=<nowiki>''</nowiki>;</code> (be sure to use single quotes, and don't forget the semicolon).<br />
<br />
====Using a hosted server====<br />
If you are using a webhost, they will probably have a control panel web interface for you to create your database.<br />
<br />
The '''[http://www.cpanel.com/ cPanel]''' system is one of the most popular of these. To create a database in cPanel,<br />
<br />
# Click on the "'''MySQL Databases'''" icon.<br />
# Type "moodle" in the database field and click "'''Add Database'''".<br />
# Type a username and password (not one you use elsewhere) in the respective fields and click "'''Add User'''".<br />
# Now use the "'''Add User to Database'''" button to give this new user account "'''ALL'''" rights to the new database.<br />
# Note that the username and database names may be prefixed by your cPanel account name. When entering this information into the Moodle installer, use the full names.<br />
<br />
====Using the command line====<br />
<br />
If you have access to Unix or Windows command lines then you can do the same sort of thing by typing commands. You should do this using the MySQL client program.<br />
<br />
Here are some example MySQL client command lines (the red part is for Moodle 1.6 and later, leave it out for Moodle 1.5.x or earlier):<br />
<br />
 # mysql -u root -p<br />
 > CREATE DATABASE moodle;<br />
 > <font color="red">ALTER DATABASE moodle DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci</font>;<br />
 > GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,INDEX,ALTER ON moodle.*<br />
        TO moodleuser@localhost IDENTIFIED BY 'yourpassword';<br />
 > quit<br />
 # mysqladmin -u root -p reload<br />
<br />
If you are using MySQL 4.0.2 or later, you need to specify CREATE TEMPORARY TABLES as well in the GRANT statement:<br />
<br />
 > GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,'''CREATE TEMPORARY TABLES''',<br />
        DROP,INDEX,ALTER ON moodle.*<br />
        TO moodleuser@localhost IDENTIFIED BY 'yourpassword';<br />
<br />
There are step by step instructions on [https://docs.moodle.org/en/Step-by-step_Install_Guide_for_Ubuntu#Install_MySQL_.28skip_Postgresql.29 MySQL installation for Ubuntu(Debian)] available.<br />
<br />
And some example command lines for PostgreSQL:<br />
<br />
 # su - postgres<br />
 > psql -c "create user moodleuser createdb;" template1<br />
 > psql -c "create database moodle <font color="red">with encoding 'unicode'</font>;" -U moodleuser template1<br />
 > psql -c "alter user moodleuser nocreatedb;" template1<br />
 > psql -c "alter user moodleuser with encrypted password 'yourpassword';" template1<br />
 > su - root<br />
 # /etc/init.d/postgresql reload<br />
<br />
If the PostgreSQL create database command above (<code>psql -c "create database moodle..."</code>) gives an error message, you may want to try:<br />
<br />
 psql -c "create database moodle with template=template1 encoding = 'unicode' owner = moodleuser location = '/var/mydata';"<br />
<br />
If the create database command asks you for a password, run the line containing 'encrypted password' first before proceeding.<br />
<br />
There are step by step instructions on [https://docs.moodle.org/en/Step-by-step_Install_Guide_for_Ubuntu#Install_Postgresql_.28skip_MySQL.29 Postgresql installation for Ubuntu(Debian)] available.<br />
<br />
=== Creating the data directory (moodledata) ===<br />
<br />
Moodle will also need some space on your server's hard disk to store uploaded files, such as course documents and user pictures. The Moodle installer tries hard to create this directory for you but if it fails then you will have to create a directory for this purpose manually.<br />
<br />
'''Security warning''': For security purposes, it's best that this directory is NOT accessible directly via the web. The easiest way to do this is to simply locate it OUTSIDE the web directory, but if you must have it in the web directory (and you are using Apache) then protect it by creating a file in the data directory called '''.htaccess''', containing this line:<br />
<br />
 deny from all<br />
<br />
'''Ownership & Permissions''': To make sure that Moodle can save uploaded files in this directory, check that the web server software has permission to read, write and execute in this directory. On Unix machines, this means setting the owner of the directory to be something like "nobody" or "apache", and then giving that user read, write and execute permissions. As an example, to change the owner to "nobody" you could use:<br />
<br />
 chown -R nobody:nobody moodledata<br />
<br />
To change the permissions so that the owner has read, write and execute permissions, use something like this:<br />
<br />
 chmod -R 0770 moodledata<br />
<br />
'''Note''': If you are receiving permission denied messages, try ''chmod -R 0770 moodledata'' and then adjust the settings so that they are more secure. A more secure setting is ''chmod -R 0750 moodledata''. According to the comments in config-dist.php, "On hosting systems you might need to make sure that your group has no permissions at all while others have full permissions." To do this you could use ''chmod -R 707 moodledata''. See also the [[Security | security page]].<br />
<br />
Remember that by default Moodle will issue a warning about Moodle data directories created inside the web directory, but otherwise this directory can be located where you wish. You can later move or change the location of this directory, but if you do, be sure to edit the setting in the '''config.php''' file that defines it; e.g. if moodledata is under a directory called data, then it would look like this:<br />
<br />
 $CFG->dataroot = '/data/moodledata';<br />
<br />
'''cPanel and web hosts''': On cPanel systems you can use the "File Manager" to find the folder, click on it, then choose "Change Permissions". On many shared hosting servers, you will probably need to restrict all file access to your "group" (to prevent other web host customers from looking at or changing your files), but provide full read/write access to everyone else (which will allow the web server to access your files). Speak to your server administrator if you are having trouble setting this up securely. In particular, it will not be possible to create a usable data directory on sites that use a PHP feature known as "'''Safe Mode'''".<br />
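As an added example (not part of the Moodle documentation or Moodle's own code), the following POSIX shell script checks a moodledata directory against the two points above: that it is not reachable through the web server unless shielded by a "deny from all" .htaccess, and that its "others" permission bits are clear. The script name, the paths and the function names are assumptions; on hosts that need the 707 mode mentioned above, the permissions finding is expected and should be reviewed rather than treated as a failure.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of Moodle): checks a moodledata
# directory against the advice on this page. Given the web server document
# root and the dataroot path it reports:
#   1. whether the dataroot sits inside the document root (so it is reachable
#      through the web server) and, if so, whether a .htaccess containing
#      "deny from all" (Apache 2.2 syntax, as used on this page) shields it;
#   2. whether the "others" permission bits are set, which would let every
#      other account on a shared host read or write uploaded course files.
# Exit status is 0 when both checks pass, 1 otherwise.

# Canonical absolute path of directory $1 (follows symlinks).
canon() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Succeeds when directory $1 is equal to or below directory $2.
is_under() {
    inner=$(canon "$1") || return 1
    outer=$(canon "$2") || return 1
    case "$inner" in
        "$outer" | "$outer"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when $1/.htaccess contains a "deny from all" directive.
has_deny_all() {
    [ -f "$1/.htaccess" ] &&
        grep -iqE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$1/.htaccess"
}

# Symbolic mode string of $1, e.g. "drwxrwx---". ls -ld is used rather than
# stat because the stat flags differ between GNU and BSD userlands.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds when the "others" bits (columns 8-10 of the mode string) are clear;
# a sticky bit without execute ("T") is also accepted as "no access".
others_have_no_access() {
    case "$(mode_of "$1" | cut -c8-10)" in
        ---|--T) return 0 ;;
        *) return 1 ;;
    esac
}

# check_moodledata DOCROOT DATAROOT: run both checks and print the findings.
check_moodledata() {
    docroot=$1
    dataroot=$2
    status=0
    if [ ! -d "$dataroot" ]; then
        echo "FAIL: $dataroot does not exist or is not a directory"
        return 1
    fi
    if is_under "$dataroot" "$docroot"; then
        if has_deny_all "$dataroot"; then
            echo "WARN: $dataroot is inside $docroot but shielded by .htaccess (deny from all)"
        else
            echo "FAIL: $dataroot is inside $docroot and has no 'deny from all' .htaccess"
            status=1
        fi
    else
        echo "OK: $dataroot is outside the document root $docroot"
    fi
    if others_have_no_access "$dataroot"; then
        echo "OK: mode $(mode_of "$dataroot") gives other users no access"
    else
        echo "FAIL: mode $(mode_of "$dataroot") is open to every account on this host (0770 or 0750 is safer; see the note above on hosts that need 707)"
        status=1
    fi
    return $status
}

# Stand-alone usage: sh check_moodledata.sh /var/www /var/moodledata
if [ $# -eq 2 ]; then
    check_moodledata "$1" "$2"
fi
```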
<br />
== Run the installer script to create config.php ==<br />
<br />
To run the installer script (install.php), just try to access your Moodle main URL using a web browser, or access '''<nowiki>http://yourserver/install.php</nowiki>''' directly.<br />
<br />
(The Installer will try to set a session cookie. If you get a popup warning in your browser make sure you accept that cookie!)<br />
<br />
Moodle will detect that configuration is necessary and will lead you through some screens to help you create a new configuration file called '''config.php'''. At the end of the process Moodle will try and write the file into the right location, otherwise you can press a button to download it from the installer and then upload '''config.php''' into the main Moodle directory on the server.<br />
<br />
Along the way the installer will test your server environment and give you suggestions about how to fix any problems. For most common issues these suggestions should be sufficient, but if you get stuck, check in the Installation Forum for more help. <br />
<br />
== Go to the admin page to continue configuration ==<br />
<br />
Once the basic config.php has been correctly created in the previous step, trying to access the front page of your site will take you to the "admin" page for the rest of the configuration.<br />
<br />
The first time you access this admin page, you will be presented with a GPL "shrink wrap" agreement with which you must agree before you can continue with the setup.<br />
<br />
Now Moodle will start setting up your database and creating tables to store data. Firstly, the main database tables are created. You should see a number of SQL statements followed by status messages that look like this:<br />
<br />
 CREATE TABLE course (<br />
     id int(10) unsigned NOT NULL auto_increment,<br />
     category int(10) unsigned NOT NULL default '0',<br />
     password varchar(50) NOT NULL default <nowiki>''</nowiki>,<br />
     fullname varchar(254) NOT NULL default <nowiki>''</nowiki>,<br />
     shortname varchar(15) NOT NULL default <nowiki>''</nowiki>,<br />
     summary text NOT NULL,<br />
     format tinyint(4) NOT NULL default '1',<br />
     teacher varchar(100) NOT NULL default 'Teacher',<br />
     startdate int(10) unsigned NOT NULL default '0',<br />
     enddate int(10) unsigned NOT NULL default '0',<br />
     timemodified int(10) unsigned NOT NULL default '0',<br />
     PRIMARY KEY (id)<br />
 ) TYPE=MyISAM;<br />
<br />
 <font color="green">SUCCESS</font><br />
<br />
...and so on, followed by: <font color="green">Main databases set up successfully.</font><br />
<br />
If you don't see these, then there must have been some problem with the database or the configuration settings you defined in config.php. Check that PHP isn't in a restricted "Safe Mode" (commercial web hosts sometimes have safe mode turned on). You can check PHP variables by creating a little file containing <code><nowiki><?php phpinfo() ?></nowiki></code> and viewing it through a browser. Check all these and try this page again.<br />
<br />
Scroll down the very bottom of the page and press the "Continue" link.<br />
<br />
You should now see a form where you can define more configuration variables for your installation, such as the default language, SMTP hosts and so on. Don't worry too much about getting everything right just now - you can always come back and edit these later on using the admin interface. The defaults are designed to be useful and secure for most sites. Scroll down to the bottom and click "Save changes".<br />
<br />
If (and only if) you find yourself getting stuck on this page, unable to continue, then your server probably has what I call the "buggy referrer" problem. This is easy to fix: just turn off the "secureforms" setting, then try to continue again.<br />
<br />
Next you will see more pages that print lots of status messages as they set up all the tables required by the various Moodle modules. As before, they should all be <font color="green">green</font>.<br />
<br />
Scroll down the very bottom of the page and press the "Continue" link.<br />
<br />
The next page is a form where you can define parameters for your Moodle site and the front page, such as the name, format, description and so on. Fill this out (you can always come back and change these later) and then press "Save changes".<br />
<br />
Finally, you will then be asked to create a top-level administration user for future access to the admin pages. Fill out the details with your own name, email etc and then click "Save changes". Not all the fields are required, but if you miss any important fields you'll be re-prompted for them.<br />
<br />
'''Make sure you remember the username and password you chose for the administration user account, as they will be necessary to access the administration page in future.'''<br />
<br />
(If for any reason your install is interrupted, or there is a system error of some kind that prevents you from logging in using the admin account, you can usually log in using the default username of "'''admin'''", with password "'''admin'''".)<br />
<br />
Once successful, you will be returned to the home page of your new site! Note the administration links that appear down the left hand side of the page (these items also appear on a separate Admin page) - these items are only visible to you because you are logged in as the admin user. All your further administration of Moodle can now be done using this menu, such as:<br />
<br />
* creating and deleting courses<br />
* creating and editing user accounts<br />
* administering teacher accounts<br />
* changing site-wide settings like themes etc<br />
<br />
But you are not done installing yet! There is one very important thing still to do (see the next section on cron).<br />
<br />
== Set up cron ==<br />
<br />
Please refer to the [[Cron|Cron instructions]].<br />
<br />
== Set up backups ==<br />
<br />
Please refer to the [[Backup (administrator)| Backup instructions]].<br />
<br />
== Create a new course ==<br />
<br />
Now that Moodle is running properly, you can try creating a new course to play with.<br />
<br />
Select "Create a new course" from the Admin page (or the admin links on the home page).<br />
<br />
Fill out the form, paying special attention to the course format. You don't have to worry about the details too much at this stage, as everything can be changed later by the teacher. Note that the yellow help icons are everywhere to provide contextual help on any aspect.<br />
<br />
Press "Save changes", and you will be taken to a new form where you can assign teachers to the course. You can only add existing user accounts from this form - if you want to create a new teacher account then either ask the teacher to create one for themselves (see the login page), or create one for them using the "Add a new user" on the Admin page.<br />
<br />
Once done, the course is ready to customize, and is accessible via the "Courses" link on the home page.<br />
<br />
==See also==<br />
<br />
* [[Installation FAQ]]<br />
* [[Complete install packages]] might be an easier first-time install on some systems<br />
* [[Installing Apache, MySQL and PHP]] - Open source programs that can run Moodle on the web or on a desktop<br />
* [[Upgrading Moodle]]<br />
* Using Moodle [http://moodle.org/mod/forum/discuss.php?d=42688 Selecting a web host for Moodle] forum discussion<br />
* [[masquerading|Masquerading]] - Running Moodle behind a masquerading/NAT firewall<br />
<br />
[[Category:Installation]]<br />
<br />
[[cs:Instalace]]<br />
[[de:Installieren von Moodle]]<br />
[[es:Instalación de moodle]]<br />
[[fr:Installation de Moodle]]<br />
[[ja:Moodleのインストール]]<br />
[[nl:Installatiegids]]<br />
[[ru:Установка Moodle]]<br />
[[zh:安装Moodle]]</div>
Rboyce
https://docs.moodle.org/37/en/index.php?title=LDAP_authentication&diff=13651 LDAP authentication 2006-07-31T21:28:24Z
<p>Rboyce: /* Enabling the Global Catalog */</p>
<hr />
<div>This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].<br />
<br />
==Basic Scenario==<br />
<br />
===Assumptions===<br />
<br />
# Your Moodle site is located at '''http://your.moodle.site/'''<br />
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').<br />
# Your LDAP server has '''192.168.1.100''' as its IP address.<br />
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.<br />
# You don't want your users to change their passwords the first time they log into Moodle.<br />
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).<br />
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree. <br />
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.<br />
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.<br />
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.<br />
<br />
===Configuring Moodle authentication===<br />
<br />
Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:<br />
<br />
<br><br />
::: [[Image:auth_ldap_config_screenshot.jpg]]<br />
<br><br />
<br />
Now, you just have to fill in the values. Let's go step by step.<br />
<br><br />
<br><br />
<br />
{| border="1" cellspacing="0" cellpadding="5"<br />
! Field name<br />
! Value to fill in<br />
|-<br />
| ldap_host_url<br />
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).<br />
|-<br />
| ldap_version<br />
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.<br />
|-<br />
| ldap_preventpassindb<br />
| As you '''don't''' want to store your users' passwords in Moodle's database, choose '''Yes''' here.<br />
|-<br />
| ldap_bind_dn<br />
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).<br />
|-<br />
| ldap_bind_pw<br />
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).<br />
|-<br />
| ldap_user_type<br />
| Choose: <br />
* '''Novel Edirectory''' if your LDAP server is running Novell's eDirectory.<br />
* '''posixAccount (rfc2307)''' if your LDAP server is running an RFC-2307 compatible LDAP server (choose this if your server is running OpenLDAP).<br />
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.<br />
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.<br />
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)<br />
|-<br />
| ldap_contexts<br />
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.<br />
|-<br />
| ldap_search_sub<br />
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.<br />
|-<br />
| ldap_opt_deref<br />
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.<br />
|-<br />
| ldap_user_attribute<br />
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in</u>.<br />
<br />
By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2307, RFC-2307bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need to.<br />
|-<br />
| ldap_memberattribute<br />
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
By the way, the usual value is '''member'''.<br />
|-<br />
| ldap_objectclass<br />
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
Here are the default values for each of the ''ldap_user_type'' values:<br />
* '''User''' for Novell eDirectory<br />
* '''posixAccount''' for RFC-2307 and RFC-2307bis<br />
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension<br />
* '''user''' for MS-AD<br />
|-<br />
| Force change password<br />
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.<br />
<br />
<u>As you don't want your users to change their passwords in their first login, leave this set to ''No''</u><br />
|-<br />
| Use standard Change Password Page<br />
|<br />
* Setting this to ''Yes'' makes Moodle use its own standard password change page every time users want to change their passwords.<br />
* Setting this to ''No'' makes Moodle use the page specified in the field called "Change password URL" (at the bottom of the configuration page).<br />
<br />
Bear in mind that changing your LDAP passwords from Moodle might require an LDAPS connection (this is true at least for MS-AD).<br />
<br />
Also, the code for changing passwords from Moodle is largely untested for anything but Novell eDirectory, so this may or may not work with other LDAP servers.<br />
|-<br />
| ldap_expiration<br />
| <br />
* Setting this to ''No'' stops Moodle from checking whether the user's password has expired.<br />
* Setting this to ''LDAP'' makes Moodle check whether the user's LDAP password has expired, and warn her a number of days before the password expires.<br />
<br />
Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).<br />
<br />
<u>So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.</u><br />
|-<br />
| ldap_expiration_warning<br />
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.<br />
|-<br />
| ldap_expireattr<br />
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
|-<br />
| ldap_gracelogins<br />
| This setting is specific to Novell eDirectory. If set to ''Yes'', it enables LDAP grace login support: after the password has expired, the user can still log in until the grace login count reaches 0.<br />
<br />
<u>So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.</u><br />
|-<br />
| ldap_graceattr<br />
| This setting is currently not used in the code (and is specific to Novell eDirectory). <br />
<br />
<u>So you don't need to fill this in.</u><br />
|-<br />
| ldap_create_context<br />
|<br />
|-<br />
| ldap_creators<br />
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc=my,dc=organization,dc=domain''', but rather '''memberUid: JoeTeacher''').<br />
<br />
In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.<br />
<br />
In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.<br />
|-<br />
| First name<br />
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Surname<br />
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Email address<br />
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 1<br />
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 2<br />
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Department<br />
| The name of the attribute that holds the department name of your users in your LDAP server. This is usually '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Address<br />
| The name of the attribute that holds the street address of your users in your LDAP server. This is usually '''streetAddress''' or '''street'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| City/town<br />
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usually '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u> <br />
|-<br />
| Country<br />
| The name of the attribute that holds the country of your users in your LDAP server. This is usually '''c''' or '''countryName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Description<br />
| '''description'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| ID Number<br />
| <br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Language<br />
| '''preferredLanguage'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Instructions<br />
| <br />
|}<br />
<br />
The rest of the fields are common to all authentication methods and will not be discussed here.<br />
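The settings in the table above boil down to one LDAP search per context: a base DN, a scope (subtree or one level) and a filter built from the object class, the user attribute and the login name. The following Python is an added illustration, not Moodle's own code; it takes the defaults listed in the table for each ''ldap_user_type'' (the short keys such as `rfc2307` and `ad`, and the function names, are ours) and shows the one step a practitioner should insist on: the login name is escaped per RFC 4515 before it is placed in the filter, so a value containing `*`, `(` or `)` cannot widen or rewrite the search.

```python
"""Build the LDAP search that the ldap_* settings translate into.

Added example (not Moodle's code). Defaults per user type follow the
table on this page; the keys and function names are our own.
"""

# (default objectclass, default user attribute) per ldap_user_type, as
# listed in the ldap_objectclass and ldap_user_attribute rows above.
USER_TYPE_DEFAULTS = {
    "edir":       ("User",            "cn"),   # Novell eDirectory
    "rfc2307":    ("posixAccount",    "uid"),
    "rfc2307bis": ("posixAccount",    "uid"),
    "samba":      ("sambaSamAccount", "uid"),
    "ad":         ("user",            "cn"),   # MS Active Directory
}

# RFC 4515 escaping for assertion values inside a filter. Backslash goes
# first so the escapes we insert are not themselves re-escaped.
_FILTER_ESCAPES = (
    ("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00"),
)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in a filter."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_user_filter(user_type, username, objectclass="", user_attribute=""):
    """Return the search filter for one login name.

    Empty objectclass / user_attribute mean "use the default for this
    user type", exactly as the table describes.
    """
    default_oc, default_attr = USER_TYPE_DEFAULTS[user_type]
    oc = objectclass or default_oc
    attr = user_attribute or default_attr
    return f"(&(objectClass={oc})({attr}={escape_filter_value(username)}))"


def parse_contexts(ldap_contexts):
    """Split the ';'-separated ldap_contexts value into base DNs, in order."""
    return [c.strip() for c in ldap_contexts.split(";") if c.strip()]


def search_scope(ldap_search_sub):
    """ldap_search_sub=yes searches the whole subtree, otherwise one level."""
    return "subtree" if ldap_search_sub else "onelevel"


def plan_search(settings, username):
    """One (base DN, scope, filter) triple per configured context."""
    flt = build_user_filter(
        settings["ldap_user_type"], username,
        settings.get("ldap_objectclass", ""),
        settings.get("ldap_user_attribute", ""),
    )
    scope = search_scope(settings.get("ldap_search_sub", False))
    return [(base, scope, flt) for base in parse_contexts(settings["ldap_contexts"])]


if __name__ == "__main__":
    # The basic scenario from this page, as a settings dict.
    basic = {
        "ldap_user_type": "rfc2307",
        "ldap_contexts": "ou=moodleusers,dc=my,dc=organization,dc=domain",
        "ldap_search_sub": False,
    }
    for base, scope, flt in plan_search(basic, "jsmith"):
        print(base, scope, flt)
    # A hostile login name is neutralised rather than becoming filter syntax.
    print(build_user_filter("rfc2307", "*)(uid=*"))
```

Run it with the basic scenario and the single planned search is against `ou=moodleusers,dc=my,dc=organization,dc=domain` at one level with the filter `(&(objectClass=posixAccount)(uid=jsmith))`; the Global Catalog contexts from the appendix parse into four base DNs in the order written, which is also the order a lookup would try them.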
<br />
==Advanced Scenarios==<br />
<br />
===Using multiple LDAP Servers===<br />
Entering more than one name in the ldap_host_url field can provide some resilience to your system. Simply use the syntax:<br />
ldap://my.first.server ; ldap://my.second.server ; ...<br />
<br />
Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mechanism once introduced in eDirectory and now common to the main LDAP-compatible directories.<br />
<br />
There is one drawback in the Moodle 1.5 - 1.6 implementation of LDAP authentication: the auth_ldap_connect() function processes the servers sequentially, not in round-robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.<br />
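To make the cost of that sequential behaviour concrete, here is an added Python illustration (not Moodle's auth_ldap_connect()): it parses a ';'-separated ldap_host_url value, rejecting a malformed entry such as one missing the colon after the scheme instead of silently skipping it, and then tries the servers strictly in order. The connect function is injected, so the example runs offline against a constructed map of which hosts are up; a dead primary consumes the whole time-out before the second server is even tried.

```python
"""Parse ldap_host_url and fail over sequentially, as the text describes.

Added example (not Moodle's code). Server names are the placeholders used
on this page; the connect function is a constructed offline stand-in.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_host_urls(ldap_host_url):
    """Return (scheme, host, port) per entry, in the configured order.

    A malformed entry (e.g. 'ldap//host', no colon) raises rather than
    being dropped, so a typo cannot quietly remove a server from the list.
    """
    servers = []
    for raw in ldap_host_url.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"malformed ldap_host_url entry: {raw!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.scheme, parts.hostname, port))
    return servers


def connect_sequential(servers, connect, timeout=30):
    """Try servers strictly in order (no round robin).

    Returns (server_used, attempts, seconds_waited). Each failed attempt
    costs a full time-out before the next server is tried.
    """
    attempts, waited = [], 0
    for server in servers:
        ok, elapsed = connect(server, timeout)
        attempts.append((server, ok))
        waited += elapsed
        if ok:
            return server, attempts, waited
    raise ConnectionError(f"no LDAP server reachable after {waited}s")


def make_fake_connect(reachable):
    """Constructed stand-in for a real connect: a reachable host answers
    immediately, an unreachable one burns the whole time-out and fails."""
    def connect(server, timeout):
        _scheme, host, _port = server
        return (True, 0) if reachable.get(host, False) else (False, timeout)
    return connect


if __name__ == "__main__":
    servers = parse_host_urls("ldap://my.first.server ; ldap://my.second.server")
    connect = make_fake_connect({"my.second.server": True})   # primary is down
    used, attempts, waited = connect_sequential(servers, connect, timeout=30)
    print(f"connected to {used[1]} after {waited}s; attempts: {attempts}")
```

With the primary down and a 30 second time-out, every login waits 30 seconds before the second server answers; that latency, repeated per authentication, is what a monitoring check on the primary should catch before users do.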
<br />
===Using multiple user locations (contexts) in your LDAP tree===<br />
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container. <br />
<br />
Conversely, if you use the ACL mechanism to delegate user management, chances are that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...<br />
<br />
Then you have two options:<br />
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.<br />
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.<br />
<br />
Choosing between these two solutions calls for some benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software's indexing capabilities. Simply note that in such deep trees there is a real chance that two users share the same ''common name'' (cn) while having different ''distinguished names''. Then only the second solution will have a deterministic result (always returning the same user).<br />
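The ambiguity just described is easy to see against a tiny directory. The Python below is an added illustration (not Moodle's code) over a constructed in-memory tree shaped like the one in the text: two departments, each holding a student with cn=jsmith. A subtree search from o=myorg finds both and cannot say which person is logging in; searching the explicit contexts in order finds the dept1 entry every time. The example refuses an ambiguous context rather than picking one of the hits arbitrarily, since silently authenticating the wrong account is the failure mode to avoid. DNs, attribute values and function names are ours.

```python
"""Subtree search vs. explicit contexts when two users share a cn.

Added example (not Moodle's code). DIRECTORY is a constructed toy tree;
DN handling is deliberately minimal (RFC 4514 escaping is not modelled).
"""

# Constructed directory: (dn, attributes). Two distinct people share cn=jsmith.
DIRECTORY = [
    ("cn=jsmith,ou=students,ou=dept1,o=myorg", {"cn": "jsmith", "mail": "j.smith@dept1.example"}),
    ("cn=jsmith,ou=students,ou=dept2,o=myorg", {"cn": "jsmith", "mail": "j.smith@dept2.example"}),
    ("cn=alee,ou=students,ou=dept2,o=myorg",   {"cn": "alee",   "mail": "a.lee@dept2.example"}),
    ("cn=ldap-user,o=myorg",                   {"cn": "ldap-user"}),
]


def _norm(dn):
    """Lower-case a DN and strip spaces around commas so DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_context(dn, context, search_sub):
    """True if dn lies under context: anywhere below it (search_sub) or
    exactly one RDN below it (one-level search, ldap_search_sub=no)."""
    dn_n, ctx_n = _norm(dn), _norm(context)
    if not dn_n.endswith("," + ctx_n):
        return False
    if search_sub:
        return True
    rdn_part = dn_n[: -len(ctx_n) - 1]      # everything above the context
    return "," not in rdn_part              # a single RDN means one level


def search(directory, contexts, search_sub, attr, value):
    """Per-context hit lists, in the order the contexts were configured."""
    results = []
    for ctx in contexts:
        hits = [dn for dn, attrs in directory
                if in_context(dn, ctx, search_sub)
                and attrs.get(attr, "").lower() == value.lower()]
        results.append((ctx, hits))
    return results


def resolve_user(directory, contexts, search_sub, attr, value):
    """The first context (in configured order) with exactly one hit wins.

    A context with several hits is ambiguous: raise instead of returning
    whichever entry the server happened to list first.
    """
    for ctx, hits in search(directory, contexts, search_sub, attr, value):
        if len(hits) > 1:
            raise LookupError(f"{attr}={value} is ambiguous under {ctx}: {hits}")
        if hits:
            return hits[0]
    return None


if __name__ == "__main__":
    by_dept = ["ou=students,ou=dept1,o=myorg", "ou=students,ou=dept2,o=myorg"]
    print(resolve_user(DIRECTORY, by_dept, False, "cn", "jsmith"))   # dept1 entry
    try:
        resolve_user(DIRECTORY, ["o=myorg"], True, "cn", "jsmith")
    except LookupError as e:
        print("refused:", e)
```

The same tree also shows why the one-level/subtree choice matters: with ldap_search_sub set to no, a context of o=myorg only sees cn=ldap-user directly beneath it and never finds the students at all.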
<br />
===Using LDAPS (LDAP + SSL)===<br />
<br />
==Appendices==<br />
<br />
===Child Domains and the Global Catalog in MS Active Directory===<br />
<br />
Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.<br />
<br />
For example, your organisation has a main domain example.org, and staff and students are contained in two child domains, staff.example.org and students.example.org. The three domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively). Each domain controller contains a full, writable representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01), a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the Active Directory forest; it can also be enabled on multiple servers (if, for example, you need redundancy / load balancing).<br />
<br />
Using this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the ''''ldap_host_url'''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AD auth setups.<br />
<br />
You should use the ''''ldap_contexts'''' setting to indicate the locations of the users you wish to grant access. To extend the example above a little: in the example.org domain all users are in the ''Users'' OU; in the staff.example.org domain users are in two OUs at the root of the domain, ''Support Staff'' and ''Teaching Staff''; and in the students.example.org domain students are in an OU indicating the year they enrolled, all of which are under the ''Students'' OU. As a result our ''''ldap_contexts'''' setting may look a little like this: '''OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org'''. The ''''ldap_search_sub'''' option should be set to ''Yes'' to allow Moodle to search within the child OUs.<br />
<br />
It's worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However, common information likely to be of use to a general Moodle installation (forename, surname, email address, sAMAccountName etc.) is included in the set. For specific needs the schema can be altered to remove or add attributes.<br />
<br />
In most cases the Global Catalog is read-only; update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller, dc03; it would not be possible to update details by querying the Global Catalog). The exception would be an environment where there is only a single domain in the Active Directory forest; in this case the Global Catalog holds a writable, full set of attributes for each object in the domain. However, for the purposes of Moodle authentication, there would be no need to use the Global Catalog in this case.<br />
<br />
====Enabling the Global Catalog====<br />
<br />
The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable it, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Expand ‘Sites’ and then the name of the Site containing the Active Directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply tick the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server a restart is not necessary. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled, port 3268 will need to be opened for Global Catalog servers.<br />
<br />
If your organisation uses Microsoft Exchange then it is highly likely that at least one Domain Controller will already have the Global Catalog enabled: Exchange 2000 and 2003 rely on the Global Catalog for address information, and users also access the Global Catalog when using the GAL (Global Address List).<br />
<br />
==See also==<br />
<br />
*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum<br />
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion<br />
<br />
[[Category:Administrator]]<br />
[[Category:Authentication]]</div>Rboycehttps://docs.moodle.org/37/en/index.php?title=LDAP_authentication&diff=13650LDAP authentication2006-07-31T21:26:50Z<p>Rboyce: /* Enabling the Global Catalog */</p>
<hr />
<div>This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].<br />
<br />
==Basic Scenario==<br />
<br />
===Assumptions===<br />
<br />
# Your Moodle site is located at '''http://your.moodle.site/'''<br />
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').<br />
# Your LDAP server has '''192.168.1.100''' as its IP address.<br />
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.<br />
# You don't want your users to change their passwords the first time they log in into Moodle.<br />
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).<br />
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree. <br />
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.<br />
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.<br />
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.<br />
<br />
===Configuring Moodle authentication===<br />
<br />
Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:<br />
<br />
<br><br />
::: [[Image:auth_ldap_config_screenshot.jpg]]<br />
<br><br />
<br />
Now, you just have to fill in the values. Let's go step by step.<br />
<br><br />
<br><br />
<br />
{| border="1" cellspacing="0" cellpadding="5"<br />
! Field name<br />
! Value to fill in<br />
|-<br />
| ldap_host_url<br />
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).<br />
|-<br />
| ldap_version<br />
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.<br />
|-<br />
| ldap_preventpassindb<br />
| As you '''don't''' want to store the users's password in Moodle's database, choose '''Yes''' here.<br />
|-<br />
| ldap_bind_dn<br />
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).<br />
|-<br />
| ldap_bind_pw<br />
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).<br />
|-<br />
| ldap_user_type<br />
| Choose: <br />
* '''Novel Edirectory''' if your LDAP server is running Novell's eDdirectory.<br />
* '''posixAccount (rfc2307)''' if your LDAP server is running a RFC-2307 compatible LDAP server (choose this is your server is running OpenLDAP).<br />
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.<br />
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.<br />
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)<br />
|-<br />
| ldap_contexts<br />
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.<br />
|-<br />
| ldap_search_sub<br />
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.<br />
|-<br />
| ldap_opt_deref<br />
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.<br />
|-<br />
| ldap_user_attribute<br />
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in</u>.<br />
<br />
By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need too.<br />
|-<br />
| ldap_memberattribute<br />
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
By the way, the usual value is '''member'''.<br />
|-<br />
| ldap_objectclass<br />
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
Here are the default values for each of the ''ldap_user_type'' values:<br />
* '''User''' for Novel eDirectory<br />
* '''posixAccount''' for RFC-2037 and RFC-2037bis<br />
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension<br />
* '''user''' for MS-AD<br />
|-<br />
| Force change password<br />
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.<br />
<br />
<u>As you don't want your users to change their passwords in their first login, leave this set to ''No''</u><br />
|-<br />
| Use standard Change Password Page<br />
|<br />
* Setting this to ''Yes'' makes Moodle use it's own standard password change page, everytime users want to change their passwords.<br />
* Setting this to ''No'' makes Moodle use the the page specified in the field called "Change password URL" (at the bottom of the configuration page).<br />
<br />
Bear in mind that changing your LDAP passwords from Moodle might require a LDAPS connection (this is true at least for MS-AD).<br />
<br />
Also, code for changing passwords from Moodle for anything but Novell eDirectory is almost not tested, so this may or may not work for other LDAP servers.<br />
|-<br />
| ldap_expiration<br />
| <br />
* Setting this to ''No'' will make Moodle not to check if the password of the user has expired or not.<br />
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.<br />
<br />
Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).<br />
<br />
<u>So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.</u><br />
|-<br />
| ldap_expiration_warning<br />
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.<br />
|-<br />
| ldap_exprireattr<br />
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you choosed above. <u>So unless you need something special, you don't need to fill this in.</u><br />
|-<br />
| ldap_gracelogins<br />
| This setting is specific to Novell eDirectory. If set to ''Yes'', enable LDAP gracelogin support. After password has expired the user can login until gracelogin count is 0.<br />
<br />
<u>So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.</u><br />
|-<br />
| ldap_graceattr<br />
| This setting is currently not used in the code (and is specific to Novell eDirectory). <br />
<br />
<u>So you don't need to fill this in.</u><br />
|-<br />
| ldap_create_context<br />
|<br />
|-<br />
| ldap_creators<br />
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc-my,dc=organizations,dc=domain''', but rather '''memberUid: JoeTeacher''').<br />
<br />
In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.<br />
<br />
In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.<br />
|-<br />
| First name<br />
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Surname<br />
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Email address<br />
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 1<br />
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 2<br />
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Department<br />
| The name of the attribute that holds the department name of your users in your LDAP server. This is usully '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Address<br />
| The name of the attribute that holds the street address of your users in your LDAP server. This is usually '''streetAddress''' or '''street'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| City/town<br />
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usually '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u> <br />
|-<br />
| Country<br />
| The name of the attribute that holds the country of your users in your LDAP server. This is usually '''c''' or '''countryName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Description<br />
| '''description'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| ID Number<br />
| <br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Language<br />
| '''preferredLanguage'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Instructions<br />
| <br />
|}<br />
<br />
The rest of the fields are common to all authentication methods and will not be discussed here.<br />
<br />
==Advanced Scenarios==<br />
<br />
===Using multiple LDAP Servers===<br />
Entering more than one name in the ldap_host_url field can provide some resilience to your system. Simply use the syntax:<br />
ldap://my.first.server ; ldap://my.second.server ; ...<br />
<br />
Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mechanism, once introduced in eDirectory and now generalized to the main LDAP-compatible directories.<br />
<br />
There is one drawback in the Moodle 1.5 - 1.6 implementation of LDAP authentication: the auth_ldap_connect() function processes the servers sequentially, not in round-robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the next one.<br />
<br />
===Using multiple user locations (contexts) in your LDAP tree===<br />
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container. <br />
<br />
Conversely, if you use the ACL mechanism to delegate user management, chances are that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...<br />
<br />
Then you have two options:<br />
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.<br />
* Set ldap_contexts to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.<br />
<br />
Choosing between these two solutions requires some benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software's indexing capabilities. Note that in such deep trees there is a chance that two users share the same ''common name'' (cn) while having different ''distinguished names''. Only the second solution will then give a deterministic result (always returning the same user).<br />
<br />
===Using LDAPS (LDAP + SSL)===<br />
<br />
==Appendices==<br />
<br />
===Child Domains and the Global Catalog in MS Active Directory===<br />
<br />
Moodle currently has only limited support for multiple domain controllers; specifically, it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.<br />
<br />
For example, your organisation has a main domain example.org, and staff and students are contained in two child domains, staff.example.org and students.example.org. The three domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively). Each domain controller contains a full, writable representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01), a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the Active Directory forest; it can also be enabled on multiple servers (if, for example, you need redundancy or load balancing).<br />
<br />
Using this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268, as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, '''ldap_host_url''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AD auth setups.<br />
<br />
You should use the '''ldap_contexts''' setting to indicate the locations of the individuals you wish to grant access. To extend the example above a little: in the example.org domain users are all in the ''Users'' OU; in the staff.example.org domain users are in two OUs at the root of the domain, ''Support Staff'' and ''Teaching Staff''; and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the ''Students'' OU. As a result our '''ldap_contexts''' setting may look a little like this: ''OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''. The '''ldap_search_sub''' option should be set to ''Yes'' to allow Moodle to search within the child OUs.<br />
<br />
It's worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However, common information likely to be of use to a general Moodle installation (forename, surname, email address, sAMAccountName etc.) is included in the set. For specific needs the schema can be altered to remove or add various attributes.<br />
<br />
In most cases the Global Catalog is read-only; update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller, dc03; it would not be possible to update details by querying the Global Catalog). The exception to this would be an environment where there is only a single domain in the Active Directory forest; in this case the Global Catalog holds a writable, full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.<br />
<br />
====Enabling the Global Catalog====<br />
<br />
The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable it, open the ‘Active Directory Sites and Services’ MMC (Microsoft Management Console) snap-in. Expand ‘Sites’ and then the name of the Site containing the Active Directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right-click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply tick the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled, port 3268 will need to be opened for Global Catalog servers.<br />
If your organisation uses Microsoft Exchange then it is highly likely that at least one Domain Controller will already have the Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, and users also access the Global Catalog when using the GAL (Global Address List).<br />
<br />
==See also==<br />
<br />
*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum<br />
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion<br />
<br />
[[Category:Administrator]]<br />
[[Category:Authentication]]</div>Rboycehttps://docs.moodle.org/37/en/index.php?title=LDAP_authentication&diff=13649LDAP authentication2006-07-31T21:24:01Z<p>Rboyce: /* Child Domains and the Global Catalog in MS Active Directory */</p>
<hr />
<div>This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].<br />
<br />
==Basic Scenario==<br />
<br />
===Assumptions===<br />
<br />
# Your Moodle site is located at '''http://your.moodle.site/'''<br />
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').<br />
# Your LDAP server has '''192.168.1.100''' as its IP address.<br />
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.<br />
# You don't want your users to change their passwords the first time they log in to Moodle.<br />
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).<br />
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree. <br />
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.<br />
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.<br />
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.<br />
<br />
===Configuring Moodle authentication===<br />
<br />
Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:<br />
<br />
<br><br />
::: [[Image:auth_ldap_config_screenshot.jpg]]<br />
<br><br />
<br />
Now, you just have to fill in the values. Let's go step by step.<br />
<br><br />
<br><br />
<br />
{| border="1" cellspacing="0" cellpadding="5"<br />
! Field name<br />
! Value to fill in<br />
|-<br />
| ldap_host_url<br />
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).<br />
|-<br />
| ldap_version<br />
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.<br />
|-<br />
| ldap_preventpassindb<br />
| As you '''don't''' want to store the users' passwords in Moodle's database, choose '''Yes''' here.<br />
|-<br />
| ldap_bind_dn<br />
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).<br />
|-<br />
| ldap_bind_pw<br />
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).<br />
|-<br />
| ldap_user_type<br />
| Choose: <br />
* '''Novel Edirectory''' if your LDAP server is running Novell's eDirectory.<br />
* '''posixAccount (rfc2307)''' if your LDAP server is running an RFC-2307 compatible LDAP server (choose this if your server is running OpenLDAP).<br />
* '''posixAccount (rfc2307bis)''' if your LDAP server is running a RFC-2307bis compatible LDAP server.<br />
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.<br />
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD)<br />
|-<br />
| ldap_contexts<br />
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.<br />
|-<br />
| ldap_search_sub<br />
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.<br />
|-<br />
| ldap_opt_deref<br />
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.<br />
|-<br />
| ldap_user_attribute<br />
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in</u>.<br />
<br />
By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2307, RFC-2307bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need to.<br />
|-<br />
| ldap_memberattribute<br />
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
By the way, the usual value is '''member'''.<br />
|-<br />
| ldap_objectclass<br />
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
Here are the default values for each of the ''ldap_user_type'' values:<br />
* '''User''' for Novell eDirectory<br />
* '''posixAccount''' for RFC-2307 and RFC-2307bis<br />
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension<br />
* '''user''' for MS-AD<br />
|-<br />
| Force change password<br />
| Set this to ''Yes'' if you want to force your users to change their password on their first login to Moodle. Otherwise, set this to ''No''. Bear in mind that the password they are forced to change is the one stored in your LDAP server.<br />
<br />
<u>As you don't want your users to change their passwords on their first login, leave this set to ''No''.</u><br />
|-<br />
| Use standard Change Password Page<br />
|<br />
* Setting this to ''Yes'' makes Moodle use its own standard password change page every time users want to change their passwords.<br />
* Setting this to ''No'' makes Moodle use the page specified in the field called "Change password URL" (at the bottom of the configuration page).<br />
<br />
Bear in mind that changing your LDAP passwords from Moodle might require an LDAPS connection (this is true at least for MS-AD).<br />
<br />
Also, the code for changing passwords from Moodle is almost untested for anything but Novell eDirectory, so this may or may not work with other LDAP servers.<br />
|-<br />
| ldap_expiration<br />
| <br />
* Setting this to ''No'' makes Moodle skip checking whether the user's password has expired.<br />
* Setting this to ''LDAP'' makes Moodle check whether the user's LDAP password has expired, and warn her a number of days before it does.<br />
<br />
The current code only deals with the Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).<br />
<br />
<u>So unless you have a Novell eDirectory server (or use the patch), choose ''No'' here.</u><br />
|-<br />
| ldap_expiration_warning<br />
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.<br />
|-<br />
| ldap_expireattr<br />
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
|-<br />
| ldap_gracelogins<br />
| This setting is specific to Novell eDirectory. If set to ''Yes'', it enables LDAP grace login support: after the password has expired, the user can still log in until the grace login count reaches 0.<br />
<br />
<u>So unless you have a Novell eDirectory server and want to allow grace login support, choose ''No'' here.</u><br />
|-<br />
| ldap_graceattr<br />
| This setting is currently not used in the code (and is specific to Novell eDirectory). <br />
<br />
<u>So you don't need to fill this in.</u><br />
|-<br />
| ldap_create_context<br />
|<br />
|-<br />
| ldap_creators<br />
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc=my,dc=organization,dc=domain''', but rather '''memberUid: JoeTeacher''').<br />
<br />
In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.<br />
<br />
In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.<br />
|-<br />
| First name<br />
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Surname<br />
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Email address<br />
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 1<br />
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 2<br />
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Department<br />
| The name of the attribute that holds the department name of your users in your LDAP server. This is usually '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Address<br />
| The name of the attribute that holds the street address of your users in your LDAP server. This is usually '''streetAddress''' or '''street'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| City/town<br />
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usually '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u> <br />
|-<br />
| Country<br />
| The name of the attribute that holds the country of your users in your LDAP server. This is usually '''c''' or '''countryName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Description<br />
| '''description'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| ID Number<br />
| <br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Language<br />
| '''preferredLanguage'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Instructions<br />
| <br />
|}<br />
<br />
The rest of the fields are common to all authentication methods and will not be discussed here.<br />
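As an added example (not Moodle's own code, and not from the original page), the following Python checks a creators group entry against the two conventions described in the ldap_creators row of the table above: bare CNs in memberUid for a posixGroup, or full DNs in member for eDirectory's default groupOfNames and for an MS-AD security group. The group entries, user DNs and function names are constructed for the illustration, and the assumption that Moodle compares against the attribute named in ldap_memberattribute is passed in explicitly as the member_attr parameter.<br />
<br />
```python
"""Membership checks for the ldap_creators group.  Added example with
constructed group entries; it does not query a real directory and is not
Moodle's own code."""


def _norm_dn(dn):
    """Case-fold a DN and drop the spaces after separating commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def rdn_value(dn):
    """Value of the leading RDN: 'JoeTeacher' for 'cn=JoeTeacher,ou=...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip()


def is_creator(group, member_attr, user_cn, user_dn):
    """Is the user listed under the attribute Moodle reads (assumed here to be
    ldap_memberattribute)?  memberUid is compared by bare CN; any other
    attribute (member, uniqueMember) is compared by full DN."""
    values = group.get(member_attr, [])
    if member_attr.lower() == "memberuid":
        return user_cn in values
    return any(_norm_dn(v) == _norm_dn(user_dn) for v in values)


def lint_creators_group(group, member_attr):
    """Misconfigurations that make Moodle silently miss creators."""
    problems = []
    classes = {c.lower() for c in group.get("objectClass", [])}
    values = group.get(member_attr, [])
    if member_attr.lower() == "memberuid":
        if "posixgroup" not in classes:
            problems.append("objectClass posixGroup is missing "
                            "(eDirectory groups are groupOfNames by default)")
        for v in values:
            if "=" in v:  # the mistake the page warns about: a DN in memberUid
                problems.append(f"memberUid {v!r} is a full DN; Moodle expects "
                                f"the bare CN {rdn_value(v)!r}")
        if not values and group.get("member"):
            problems.append("no memberUid values: the creators are only "
                            "listed as DNs in 'member'")
    else:
        for v in values:
            if "=" not in v:
                problems.append(f"{member_attr} value {v!r} is not a DN")
    return problems


def add_posixgroup_members(group):
    """The fix the page recommends for eDirectory: keep the groupOfNames entry,
    add the posixGroup objectClass and one memberUid (bare CN) per member DN.
    Returns a new dict; the original is left untouched."""
    fixed = {k: list(v) for k, v in group.items()}
    if "posixGroup" not in fixed.setdefault("objectClass", []):
        fixed["objectClass"].append("posixGroup")
    uids = fixed.setdefault("memberUid", [])
    for dn in fixed.get("member", []):
        cn = rdn_value(dn)
        if cn not in uids:
            uids.append(cn)
    return fixed


# Constructed sample data (attribute name -> list of values).
JOE_DN = "cn=JoeTeacher,ou=moodleusers,dc=my,dc=organization,dc=domain"
ANN_DN = "cn=AnnTutor,ou=moodleusers,dc=my,dc=organization,dc=domain"

POSIX_CREATORS = {"objectClass": ["posixGroup"], "cn": ["creators"],
                  "memberUid": ["JoeTeacher", "AnnTutor"]}
MISTAKEN_CREATORS = {"objectClass": ["posixGroup"], "cn": ["creators"],
                     "memberUid": [JOE_DN]}           # full DN instead of CN
EDIR_CREATORS = {"objectClass": ["groupOfNames"], "cn": ["creators"],
                 "member": [JOE_DN, ANN_DN]}           # eDirectory default
```
<br />
Running lint_creators_group(EDIR_CREATORS, "memberUid") reports both the missing posixGroup objectClass and the empty memberUid, which is exactly why an untouched eDirectory group yields no creators; add_posixgroup_members() produces the entry the page suggests, after which the same lint passes and is_creator() finds the users by CN.<br />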
<br />
==Advanced Scenarios==<br />
<br />
===Using multiple LDAP Servers===<br />
Entering more than one name in the ldap_host_url field can provide some resilience to your system. Simply use the syntax:<br />
ldap://my.first.server ; ldap://my.second.server ; ...<br />
<br />
Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mechanism, once introduced in eDirectory and now generalized to the main LDAP-compatible directories.<br />
<br />
There is one drawback in the Moodle 1.5 - 1.6 implementation of LDAP authentication: the auth_ldap_connect() function processes the servers sequentially, not in round-robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the next one.<br />
<br />
===Using multiple user locations (contexts) in your LDAP tree===<br />
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container. <br />
<br />
Conversely, if you use the ACL mechanism to delegate user management, chances are that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...<br />
<br />
Then you have two options:<br />
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.<br />
* Set ldap_contexts to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.<br />
<br />
Choosing between these two solutions requires some benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software's indexing capabilities. Note that in such deep trees there is a chance that two users share the same ''common name'' (cn) while having different ''distinguished names''. Only the second solution will then give a deterministic result (always returning the same user).<br />
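To make the two sections above concrete (the ';'-separated ldap_host_url list, and the choice between one subtree search from o=myorg and an explicit ldap_contexts list), here is an added Python example. It is not Moodle's code: it splits the settings the way the page describes, validates each host URL (catching the 'ldap//host' form that is missing its colon), and runs the user lookup against a small directory constructed in memory in which one login name exists in two departments. The function names and the sample entries are assumptions made for the illustration.<br />
<br />
```python
"""Splitting Moodle's ';'-separated LDAP settings and comparing the two ways
of covering several user containers.  Added example with a constructed
in-memory directory; nothing here talks to a real LDAP server."""

from urllib.parse import urlsplit

# Constructed sample tree.  The login 'jsmith' exists twice (same cn,
# different DNs, one per department).  dict order stands in for the order,
# unspecified in practice, in which a server returns subtree search results.
SAMPLE_DIRECTORY = {
    "o=myorg": {"objectClass": ["organization"]},
    "ou=dept1,o=myorg": {"objectClass": ["organizationalUnit"]},
    "ou=dept2,o=myorg": {"objectClass": ["organizationalUnit"]},
    "ou=students,ou=dept1,o=myorg": {"objectClass": ["organizationalUnit"]},
    "ou=students,ou=dept2,o=myorg": {"objectClass": ["organizationalUnit"]},
    "ou=staff,ou=dept1,o=myorg": {"objectClass": ["organizationalUnit"]},
    "cn=jsmith,ou=students,ou=dept2,o=myorg": {
        "objectClass": ["posixAccount"], "cn": ["jsmith"],
        "mail": ["jsmith@dept2.example"]},
    "cn=jsmith,ou=students,ou=dept1,o=myorg": {
        "objectClass": ["posixAccount"], "cn": ["jsmith"],
        "mail": ["jsmith@dept1.example"]},
    "cn=alee,ou=students,ou=dept2,o=myorg": {
        "objectClass": ["posixAccount"], "cn": ["alee"],
        "mail": ["alee@dept2.example"]},
    "cn=pwong,ou=staff,ou=dept1,o=myorg": {
        "objectClass": ["posixAccount"], "cn": ["pwong"],
        "mail": ["pwong@dept1.example"]},
}


def split_setting(value):
    """Split an 'a ; b ; c' setting (ldap_host_url, ldap_contexts) into parts."""
    return [part.strip() for part in value.split(";") if part.strip()]


def parse_host_url(url):
    """(scheme, host, port) for one ldap_host_url entry.  The port defaults to
    389 for ldap:// and 636 for ldaps://; anything else (for instance
    'ldap//host', missing its colon) raises instead of failing quietly."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def check_host_urls(value):
    """Problems found in a whole ldap_host_url setting; empty if it is clean."""
    problems = []
    for url in split_setting(value):
        try:
            parse_host_url(url)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def _norm(dn):
    """Case-fold a DN and drop the spaces after separating commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_under(dn, base, sub):
    """True when dn sits directly in base (sub=False, one level) or anywhere
    beneath it (sub=True, the ldap_search_sub=yes case)."""
    dn, base = _norm(dn), _norm(base)
    if dn == base:
        return False
    if sub:
        return dn.endswith("," + base)
    parent = dn.split(",", 1)[1] if "," in dn else ""
    return parent == base


def search(directory, base, sub, attr, value):
    """DNs under base whose attr holds value, in the server's result order."""
    return [dn for dn, entry in directory.items()
            if is_under(dn, base, sub) and value in entry.get(attr, [])]


def lookup_user(directory, ldap_contexts, ldap_search_sub, user_attr, login):
    """The lookup order the page describes: try each context in turn and take
    the first entry found.  With one context per container the answer depends
    only on the order of ldap_contexts, never on the server."""
    for context in split_setting(ldap_contexts):
        hits = search(directory, context, ldap_search_sub, user_attr, login)
        if hits:
            return hits[0]
    return None


def ambiguous_logins(directory, base, user_attr="cn"):
    """Values of user_attr carried by more than one entry beneath base: the
    logins for which a single subtree search from base would authenticate
    whichever entry the server happens to list first."""
    owners = {}
    for dn, entry in directory.items():
        if is_under(dn, base, True):
            for value in entry.get(user_attr, []):
                owners.setdefault(value, []).append(dn)
    return {v: dns for v, dns in owners.items() if len(dns) > 1}
```
<br />
ambiguous_logins(SAMPLE_DIRECTORY, "o=myorg") is the check to run before settling on the first option: any login it reports is one whose session could land on either entry. The same login looked up through "ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg" with ldap_search_sub=no always resolves to the dept1 entry, because only the context order decides.<br />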
<br />
===Using LDAPS (LDAP + SSL)===<br />
<br />
==Appendices==<br />
<br />
===Child Domains and the Global Catalog in MS Active Directory===<br />
<br />
Moodle currently has only limited support for multiple domain controllers; specifically, it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.<br />
<br />
For example, your organisation has a main domain example.org, and staff and students are contained in two child domains, staff.example.org and students.example.org. The three domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively). Each domain controller contains a full, writable representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01), a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the Active Directory forest; it can also be enabled on multiple servers (if, for example, you need redundancy or load balancing).<br />
<br />
Using this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268, as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, '''ldap_host_url''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AD auth setups.<br />
<br />
You should use the '''ldap_contexts''' setting to indicate the locations of the individuals you wish to grant access. To extend the example above a little: in the example.org domain users are all in the ''Users'' OU; in the staff.example.org domain users are in two OUs at the root of the domain, ''Support Staff'' and ''Teaching Staff''; and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the ''Students'' OU. As a result our '''ldap_contexts''' setting may look a little like this: ''OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''. The '''ldap_search_sub''' option should be set to ''Yes'' to allow Moodle to search within the child OUs.<br />
<br />
It's worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However, common information likely to be of use to a general Moodle installation (forename, surname, email address, sAMAccountName etc.) is included in the set. For specific needs the schema can be altered to remove or add various attributes.<br />
<br />
In most cases the Global Catalog is read-only; update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller, dc03; it would not be possible to update details by querying the Global Catalog). The exception to this would be an environment where there is only a single domain in the Active Directory forest; in this case the Global Catalog holds a writable, full set of attributes for each object in the domain. However, for the purposes of Moodle authorisation, there would be no need to use the Global Catalog in this case.<br />
<br />
====Enabling the Global Catalog====<br />
<br />
The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable it, open the ‘Active Directory Sites and Services’ snap-in. Expand ‘Sites’ and then the name of the Site containing the Active Directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right-click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply tick the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled, port 3268 will need to be opened for Global Catalog servers.<br />
If your organisation uses Microsoft Exchange then it is highly likely that at least one Domain Controller will already have the Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, and users also access the Global Catalog when using the GAL (Global Address List).<br />
<br />
==See also==<br />
<br />
*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum<br />
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion<br />
<br />
[[Category:Administrator]]<br />
[[Category:Authentication]]</div>Rboycehttps://docs.moodle.org/37/en/index.php?title=LDAP_authentication&diff=13647LDAP authentication2006-07-31T21:22:27Z<p>Rboyce: /* Child Domains and the Global Catalog in MS Active Directory */</p>
<hr />
<div>This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].<br />
<br />
==Basic Scenario==<br />
<br />
===Assumptions===<br />
<br />
# Your Moodle site is located at '''http://your.moodle.site/'''<br />
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').<br />
# Your LDAP server has '''192.168.1.100''' as its IP address.<br />
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory -- MS-AD from here on --), but should be OK if you just want to authenticate your users.<br />
# You don't want your users to change their passwords the first time they log in to Moodle.<br />
# You are using a single domain as the source of your authentication data in case you are using MS-AD (more on this in the Appendices).<br />
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree. <br />
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.<br />
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.<br />
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.<br />
<br />
===Configuring Moodle authentication===<br />
<br />
Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:<br />
<br />
<br><br />
::: [[Image:auth_ldap_config_screenshot.jpg]]<br />
<br><br />
<br />
Now, you just have to fill in the values. Let's go step by step.<br />
<br><br />
<br><br />
<br />
{| border="1" cellspacing="0" cellpadding="5"<br />
! Field name<br />
! Value to fill in<br />
|-<br />
| ldap_host_url<br />
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).<br />
|-<br />
| ldap_version<br />
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.<br />
|-<br />
| ldap_preventpassindb<br />
| As you '''don't''' want to store the users' passwords in Moodle's database, choose '''Yes''' here.<br />
|-<br />
| ldap_bind_dn<br />
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).<br />
|-<br />
| ldap_bind_pw<br />
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).<br />
|-<br />
| ldap_user_type<br />
| Choose: <br />
* '''Novell Edirectory''' if your LDAP server is running Novell's eDirectory.<br />
* '''posixAccount (rfc2307)''' if your LDAP server is running an RFC-2307 compatible LDAP server (choose this if your server is running OpenLDAP).<br />
* '''posixAccount (rfc2307bis)''' if your LDAP server is running an RFC-2307bis compatible LDAP server.<br />
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.<br />
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD).<br />
|-<br />
| ldap_contexts<br />
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.<br />
|-<br />
| ldap_search_sub<br />
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.<br />
|-<br />
| ldap_opt_deref<br />
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.<br />
|-<br />
| ldap_user_attribute<br />
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in</u>.<br />
<br />
By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2307, RFC-2307bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need to.<br />
|-<br />
| ldap_memberattribute<br />
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
By the way, the usual value is '''member'''.<br />
|-<br />
| ldap_objectclass<br />
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
Here are the default values for each of the ''ldap_user_type'' values:<br />
* '''User''' for Novell eDirectory<br />
* '''posixAccount''' for RFC-2307 and RFC-2307bis<br />
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension<br />
* '''user''' for MS-AD<br />
|-<br />
| Force change password<br />
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.<br />
<br />
<u>As you don't want your users to change their passwords in their first login, leave this set to ''No''</u><br />
|-<br />
| Use standard Change Password Page<br />
|<br />
* Setting this to ''Yes'' makes Moodle use its own standard password change page every time users want to change their passwords.<br />
* Setting this to ''No'' makes Moodle use the page specified in the field called "Change password URL" (at the bottom of the configuration page).<br />
<br />
Bear in mind that changing your LDAP passwords from Moodle might require an LDAPS connection (this is true at least for MS-AD).<br />
<br />
Also, the code for changing passwords from Moodle for anything but Novell eDirectory is almost untested, so this may or may not work for other LDAP servers.<br />
|-<br />
| ldap_expiration<br />
| <br />
* Setting this to ''No'' will make Moodle skip checking whether the user's password has expired.<br />
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.<br />
<br />
Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).<br />
<br />
<u>So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.</u><br />
|-<br />
| ldap_expiration_warning<br />
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.<br />
|-<br />
| ldap_expireattr<br />
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
|-<br />
| ldap_gracelogins<br />
| This setting is specific to Novell eDirectory. If set to ''Yes'', LDAP gracelogin support is enabled: after the password has expired, the user can still log in until the gracelogin count reaches 0.<br />
<br />
<u>So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.</u><br />
|-<br />
| ldap_graceattr<br />
| This setting is currently not used in the code (and is specific to Novell eDirectory). <br />
<br />
<u>So you don't need to fill this in.</u><br />
|-<br />
| ldap_create_context<br />
|<br />
|-<br />
| ldap_creators<br />
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc=my,dc=organization,dc=domain''', but rather '''memberUid: JoeTeacher''').<br />
<br />
In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.<br />
<br />
In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.<br />
|-<br />
| First name<br />
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Surname<br />
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Email address<br />
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 1<br />
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 2<br />
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Department<br />
| The name of the attribute that holds the department name of your users in your LDAP server. This is usually '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Address<br />
| The name of the attribute that holds the street address of your users in your LDAP server. This is usually '''streetAddress''' or '''street'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| City/town<br />
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usually '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u> <br />
|-<br />
| Country<br />
| The name of the attribute that holds the country of your users in your LDAP server. This is usually '''c''' or '''countryName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Description<br />
| '''description'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| ID Number<br />
| <br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Language<br />
| '''preferredLanguage'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Instructions<br />
| <br />
|}<br />
<br />
The rest of the fields are common to all authentication methods and will not be discussed here.<br />
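The ldap_user_type, ldap_objectclass and ldap_user_attribute rows above together determine the search filter used to find a user in each context. As an added example (not code from this page or from Moodle itself), the following Python builds that filter from the table's defaults and escapes the login name before it enters the filter, which is the step a defender cares about: the name a visitor types is untrusted input, and an unescaped '*' or ')' would change the meaning of the filter. The short user-type keys and the function names are this example's own.<br />

```python
"""Build a Moodle-style LDAP user search filter.

Added example, not Moodle's own code. The objectclass / user-attribute
defaults per ldap_user_type are the ones listed in the configuration table;
the short keys ("edir", "ad", ...) are labels chosen for this example.
"""
from typing import Optional

# Default objectclass and user-naming attribute for each ldap_user_type
# (values from the configuration table; keys are this example's own labels).
USER_TYPE_DEFAULTS = {
    "edir":       {"objectclass": "User",            "user_attribute": "cn"},
    "rfc2307":    {"objectclass": "posixAccount",    "user_attribute": "uid"},
    "rfc2307bis": {"objectclass": "posixAccount",    "user_attribute": "uid"},
    "samba":      {"objectclass": "sambaSamAccount", "user_attribute": "uid"},
    "ad":         {"objectclass": "user",            "user_attribute": "cn"},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Each of '\\', '*', '(', ')' and NUL becomes a backslash followed by the
    two-digit hex code of the byte, so the value can only ever match literally.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def build_user_filter(user_type: str, username: str,
                      objectclass: Optional[str] = None,
                      user_attribute: Optional[str] = None) -> str:
    """Return the filter used to look a user up inside an ldap_contexts entry.

    objectclass / user_attribute override the per-type defaults, mirroring the
    ldap_objectclass and ldap_user_attribute settings in the table.
    """
    defaults = USER_TYPE_DEFAULTS[user_type]
    oc = objectclass or defaults["objectclass"]
    attr = user_attribute or defaults["user_attribute"]
    return f"(&(objectClass={oc})({attr}={escape_filter_value(username)}))"


if __name__ == "__main__":
    print(build_user_filter("ad", "jsmith"))
    print(build_user_filter("ad", "jsmith", user_attribute="sAMAccountName"))
    # Hostile input is neutralised: the wildcard and parentheses match literally.
    print(build_user_filter("rfc2307", "*)(uid=*"))
```

Run it directly to see the three filters; the last line shows that a login name containing filter metacharacters is turned into a literal match rather than a wildcard.<br />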
<br />
==Advanced Scenarios==<br />
<br />
===Using multiple LDAP Servers===<br />
Entering more than one name in the ldap_host_url field can provide some resilience to your system. Simply use the syntax:<br />
ldap://my.first.server ; ldap://my.second.server ; ...<br />
<br />
Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mechanism once introduced in eDirectory and now generalized to the main LDAP-compatible directories.<br />
<br />
There is one drawback in the Moodle 1.5-1.6 implementation of LDAP authentication: the auth_ldap_connect() function processes the servers sequentially, not in round-robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.<br />
<br />
===Using multiple user locations (contexts) in your LDAP tree===<br />
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container. <br />
<br />
On the other hand, if you use the ACL mechanism to delegate user management, chances are that your users will be stored in containers like '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg''' ...<br />
<br />
Then you have two alternatives:<br />
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.<br />
* Set ldap_contexts to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.<br />
<br />
Choosing between these two solutions requires some benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on your LDAP software's indexing capabilities. Simply note that in such deep trees there is a probability that two users share the same ''common name'' (cn) while having different ''distinguished names''. Then only the second solution will have a deterministic result (always returning the same user).<br />
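The two advanced scenarios above (several servers in ldap_host_url, several contexts in ldap_contexts) share the same semicolon-separated syntax and the same "first one that answers wins" semantics. As an added example (not code from this page or from Moodle), the following Python parses both settings, tries servers in the listed order through an injectable connect() callback so it runs offline, and searches the listed contexts in order over a small constructed in-memory directory in which two different people share cn=jsmith. It shows why a subtree search from o=myorg yields two candidates while ordered explicit contexts yield exactly one. The directory content and all function names are this example's assumptions.<br />

```python
"""Moodle-style handling of the semicolon-separated ldap_host_url and
ldap_contexts settings, over a constructed in-memory directory.

Added example, not Moodle's own code. The directory content, the function
names and the injectable connect() callback are this example's assumptions.
"""
from typing import Callable, Dict, List, Optional


def split_setting(value: str) -> List[str]:
    """'ldap://a ; ldap://b' -> ['ldap://a', 'ldap://b'] (blank entries dropped)."""
    return [part.strip() for part in value.split(";") if part.strip()]


def connect_first_available(host_url: str, connect: Callable[[str], bool]) -> Optional[str]:
    """Try the servers in the order listed and return the first that answers.

    This is the sequential behaviour described above: each unreachable server
    costs a full connect timeout before the next one is tried, so a real
    connect() should bind with a short, explicit timeout. connect() is injected
    here so the example runs offline.
    """
    for url in split_setting(host_url):
        if connect(url):
            return url
    return None


# Constructed directory: DN -> attributes. Two different people share cn=jsmith
# under different departments, the ambiguity the text warns about.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=jsmith,ou=students,ou=dept1,o=myorg": {"cn": "jsmith", "mail": "j.smith@dept1.example"},
    "cn=jsmith,ou=students,ou=dept2,o=myorg": {"cn": "jsmith", "mail": "john.smith@dept2.example"},
    "cn=alee,ou=students,ou=dept2,o=myorg":   {"cn": "alee",   "mail": "a.lee@dept2.example"},
}


def _in_scope(dn: str, base: str, search_sub: bool) -> bool:
    """True if dn lies directly under base, or anywhere below it when search_sub.

    Simplification: DN components are compared textually, so escaped commas
    inside attribute values are not handled.
    """
    if not dn.lower().endswith("," + base.lower()):
        return False
    remainder = dn[: -(len(base) + 1)]          # the RDNs above the base
    return search_sub or "," not in remainder   # one level = a single RDN


def find_user(contexts: str, search_sub: bool, attribute: str, username: str) -> List[str]:
    """Search each context in the order listed; return the DNs matching in the
    first context that has any match (an empty list if none do).

    A single DN means the lookup is unambiguous; more than one means the
    directory server, not the configuration, decides which entry comes first.
    """
    for base in split_setting(contexts):
        matches = [dn for dn, attrs in DIRECTORY.items()
                   if _in_scope(dn, base, search_sub) and attrs.get(attribute) == username]
        if matches:
            return matches
    return []


if __name__ == "__main__":
    # First server down, second up: fail-over lands on the second URL.
    print(connect_first_available("ldap://my.first.server ; ldap://my.second.server",
                                  lambda url: url.endswith("second.server")))
    # Whole-tree search from o=myorg: two candidates for cn=jsmith.
    print(find_user("o=myorg", True, "cn", "jsmith"))
    # Explicit, ordered contexts: exactly one candidate, always the same one.
    print(find_user("ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg",
                    False, "cn", "jsmith"))
```

The in-memory search stands in for a one-level or subtree search against the real server; the point it makes is independent of the server: with the subtree option the configuration no longer decides which of the two cn=jsmith entries is returned, whereas ordered contexts make the first listed container authoritative.<br />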
<br />
===Using LDAPS (LDAP + SSL)===<br />
<br />
==Appendices==<br />
<br />
===Child Domains and the Global Catalog in MS Active Directory===<br />
<br />
Moodle currently only has limited support for multiple domain controllers; specifically it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is designed to be a read-only, partial representation of an entire MS-AD forest, designed for searching the entire directory when the domain of the required object is not known.<br />
<br />
For example, your organisation has a main domain example.org, and staff and students are contained in two child domains, staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively). Each domain controller contains a full, writable representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01), a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the Active Directory forest; it can also be enabled on multiple servers (if, in your example, you need redundancy or load balancing).<br />
<br />
To make use of this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268 as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the '''ldap_host_url''' would be ''ldap://dc01.example.org:3268''. The rest of the settings are the same as for other MS-AD auth setups.<br />
<br />
You should use the '''ldap_contexts''' setting to indicate the locations of the individuals you wish to grant access. To extend the example above a little: in the example.org domain users are all in the 'Users' OU; in the staff.example.org domain users are in two OUs at the root of the domain, 'Support Staff' and 'Teaching Staff'; and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the 'Students' OU. As a result our '''ldap_contexts''' setting may look a little like this: ''OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org''. The '''ldap_search_sub''' option should be set to 'Yes' to allow Moodle to search within the child OUs.<br />
<br />
It's worth noting that the Global Catalog only contains a partial representation of the attributes of each object, as defined in the Partial Attribute Set supplied by Microsoft. However, common information likely to be of use to a general Moodle installation (forename, surname, email address, sAMAccountName etc.) is included in the set. For specific needs the schema can be altered to remove or add various attributes.<br />
<br />
In most cases the Global Catalog is read-only; update queries must be made over the standard LDAP ports to the domain controller that holds the object in question (in our example, updating a student's details would require an LDAP query to the students.example.org domain controller, dc03; it would not be possible to update details by querying the Global Catalog). The exception to this would be in an environment where there is only a single domain in the Active Directory forest; in this case the Global Catalog holds a writable full set of attributes for each object in the domain. However, for the purposes of Moodle authentication, there would be no need to use the Global Catalog in this case.<br />
<br />
====Enabling the Global Catalog====<br />
<br />
The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable it, open the ‘Active Directory Sites and Services’ snap-in. Expand ‘Sites’ and then the name of the site containing the Active Directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply click the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved with replication. If your AD servers are firewalled, port 3268 will need to be opened for Global Catalog servers.<br />
<br />
If your organisation uses Microsoft Exchange then it is highly likely that at least one Domain Controller will already have the Global Catalog enabled: Exchange 2000 and 2003 rely on the Global Catalog for address information, and users also access the Global Catalog when using the GAL (Global Address List).<br />
<br />
==See also==<br />
<br />
*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum<br />
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion<br />
<br />
[[Category:Administrator]]<br />
[[Category:Authentication]]</div>Rboycehttps://docs.moodle.org/37/en/index.php?title=LDAP_authentication&diff=13639LDAP authentication2006-07-31T20:59:59Z<p>Rboyce: /* Appendices */</p>
<hr />
<div>This document describes how to set up LDAP authentication in Moodle. You can find a [[#Basic Scenario|Basic Scenario]], where everything is simple and straightforward, and that should be enough for most installations. If your installation is a little bigger and you are using multiple LDAP servers, or multiple locations (contexts) for your users in your LDAP tree, then have a look at the [[#Advanced Scenarios|Advanced Scenarios]].<br />
<br />
==Basic Scenario==<br />
<br />
===Assumptions===<br />
<br />
# Your Moodle site is located at '''http://your.moodle.site/'''<br />
# You have configured your PHP installation with the LDAP extension. It is loaded and activated, and it shows when you go to '''http://your.moodle.site/admin/phpinfo.php''' (logged in as user 'admin').<br />
# Your LDAP server has '''192.168.1.100''' as its IP address.<br />
# You are not using LDAP with SSL (also known as LDAPS) in your settings. This might prevent certain operations from working (e.g., you cannot update data if you are using MS Active Directory, MS-AD from here on), but should be OK if you just want to authenticate your users.<br />
# You don't want your users to change their passwords the first time they log in to Moodle.<br />
# You are using a single domain as the source of your authentication data if you are using MS-AD (more on this in the Appendices).<br />
# You are using a top level distinguished name (DN) of '''dc=my,dc=organization,dc=domain''' as the root of your LDAP tree. <br />
# You have a non-privileged LDAP user account you will use to bind to the LDAP server. This is not necessary with certain LDAP servers, but MS-AD requires this and it won't hurt if you use it even if your LDAP server doesn't need it. Make sure '''this account and its password don't expire''', and make this password as strong as possible. Remember you only need to type this password once, when configuring Moodle, so don't be afraid of making it as hard to guess as possible. Let's say this user account has a DN of '''cn=ldap-user,dc=my,dc=organization,dc=domain''', and password '''hardtoguesspassword'''.<br />
# All of your Moodle users are in an organizational unit (OU) called '''moodleusers''', which is right under your LDAP root. That OU has a DN of '''ou=moodleusers,dc=my,dc=organization,dc=domain'''.<br />
# You '''don't''' want your LDAP users' passwords to be stored in Moodle at all.<br />
<br />
===Configuring Moodle authentication===<br />
<br />
Log in as an admin user and go to Administration >> Users >> Authentication. In the drop down listbox titled "Choose an authentication method" select "Use an LDAP Server". You will get a page similar to this one:<br />
<br />
<br><br />
::: [[Image:auth_ldap_config_screenshot.jpg]]<br />
<br><br />
<br />
Now, you just have to fill in the values. Let's go step by step.<br />
<br><br />
<br><br />
<br />
{| border="1" cellspacing="0" cellpadding="5"<br />
! Field name<br />
! Value to fill in<br />
|-<br />
| ldap_host_url<br />
| As the IP of your LDAP server is 192.168.1.100, type "'''ldap://192.168.1.100'''" (without the quotes).<br />
|-<br />
| ldap_version<br />
| Unless you are using a really old LDAP server, '''version 3''' is the one you should choose.<br />
|-<br />
| ldap_preventpassindb<br />
| As you '''don't''' want to store the users' passwords in Moodle's database, choose '''Yes''' here.<br />
|-<br />
| ldap_bind_dn<br />
| This is the distinguished name of the bind user defined above. Just type "'''cn=ldap-user,dc=my,dc=organization,dc=domain'''" (without the quotes).<br />
|-<br />
| ldap_bind_pw<br />
| This is the bind user password defined above. Type "'''hardtoguesspassword'''" (without the quotes).<br />
|-<br />
| ldap_user_type<br />
| Choose: <br />
* '''Novell Edirectory''' if your LDAP server is running Novell's eDirectory.<br />
* '''posixAccount (rfc2307)''' if your LDAP server is running an RFC-2307 compatible LDAP server (choose this if your server is running OpenLDAP).<br />
* '''posixAccount (rfc2307bis)''' if your LDAP server is running an RFC-2307bis compatible LDAP server.<br />
* '''sambaSamAccount (v.3.0.7)''' if your LDAP server is running with SAMBA's 3.x LDAP schema extension and you want to use it.<br />
* '''MS ActiveDirectory''' if your LDAP server is running Microsoft's Active Directory (MS-AD).<br />
|-<br />
| ldap_contexts<br />
| The DN of the context (container) where all of your Moodle users are found. Type '''ou=moodleusers,dc=my,dc=organization,dc=domain''' here.<br />
|-<br />
| ldap_search_sub<br />
| If you have any sub organizational units (subcontexts) hanging from '''ou=moodleusers,dc=my,dc=organization,dc=domain''' and you want Moodle to search there too, set this to '''yes'''. Otherwise, set this to '''no'''.<br />
|-<br />
| ldap_opt_deref<br />
| Sometimes your LDAP server will tell you that the real value you are searching for is in fact in another part of the LDAP tree (this is called an alias). If you want Moodle to 'dereference' the alias and fetch the real value from the original location, set this to '''yes'''. If you don't want Moodle to dereference it, set this to '''no'''. If you are using MS-AD, set this to '''no'''.<br />
|-<br />
| ldap_user_attribute<br />
| The attribute used to name/search users in your LDAP tree. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in</u>.<br />
<br />
By the way, it's usually '''cn''' (Novell eDirectory and MS-AD) or '''uid''' (RFC-2307, RFC-2307bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could use '''sAMAccountName''' (the pre-Windows 2000 logon account name) if you need to.<br />
|-<br />
| ldap_memberattribute<br />
| The attribute used to list the members of a given group. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
By the way, the usual value is '''member'''.<br />
|-<br />
| ldap_objectclass<br />
| The type of LDAP object used to search for users. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
<br />
Here are the default values for each of the ''ldap_user_type'' values:<br />
* '''User''' for Novell eDirectory<br />
* '''posixAccount''' for RFC-2307 and RFC-2307bis<br />
* '''sambaSamAccount''' for SAMBA 3.0.x LDAP extension<br />
* '''user''' for MS-AD<br />
|-<br />
| Force change password<br />
| Set this to ''Yes'' if you want to force your users to change their password on the first login into Moodle. Otherwise, set this to ''no''. Bear in mind the password they are forced to change is the one stored in your LDAP server.<br />
<br />
<u>As you don't want your users to change their passwords in their first login, leave this set to ''No''</u><br />
|-<br />
| Use standard Change Password Page<br />
|<br />
* Setting this to ''Yes'' makes Moodle use its own standard password change page every time users want to change their passwords.<br />
* Setting this to ''No'' makes Moodle use the page specified in the field called "Change password URL" (at the bottom of the configuration page).<br />
<br />
Bear in mind that changing your LDAP passwords from Moodle might require an LDAPS connection (this is true at least for MS-AD).<br />
<br />
Also, the code for changing passwords from Moodle for anything but Novell eDirectory is almost untested, so this may or may not work for other LDAP servers.<br />
|-<br />
| ldap_expiration<br />
| <br />
* Setting this to ''No'' will make Moodle skip checking whether the user's password has expired.<br />
* Setting this to ''LDAP'' will make Moodle check if the LDAP password of the user has expired or not, and warn her a number of days before the password expires.<br />
<br />
Current code only deals with Novell eDirectory LDAP server, but there is a patch floating around to make it work with MS-AD too (search in the authentication forum).<br />
<br />
<u>So unless you have Novell eDirectory server (or use the patch), choose ''No'' here.</u><br />
|-<br />
| ldap_expiration_warning<br />
| This value sets how many days in advance of password expiration the user is warned that her password is about to expire.<br />
|-<br />
| ldap_expireattr<br />
| The LDAP user attribute used to check password expiration. This option takes a default value based on the ''ldap_user_type'' value you chose above. <u>So unless you need something special, you don't need to fill this in.</u><br />
|-<br />
| ldap_gracelogins<br />
| This setting is specific to Novell eDirectory. If set to ''Yes'', LDAP gracelogin support is enabled: after the password has expired, the user can still log in until the gracelogin count reaches 0.<br />
<br />
<u>So unless you have Novell eDirectory server and want to allow gracelogin support, choose ''No'' here.</u><br />
|-<br />
| ldap_graceattr<br />
| This setting is currently not used in the code (and is specific to Novell eDirectory). <br />
<br />
<u>So you don't need to fill this in.</u><br />
|-<br />
| ldap_create_context<br />
|<br />
|-<br />
| ldap_creators<br />
| The DN of the group that contains all of your Moodle creators. This is typically a posixGroup with a "memberUid" attribute for each user you want to be a creator. If your group is called ''creators'', type '''cn=creators,ou=moodleusers,dc=my,dc=organization,dc=domain''' here. Each memberUid attribute contains the CN of a user who is authorized to be a creator. Do not use the user's full DN (e.g., not '''memberUid: cn=JoeTeacher,ou=moodleusers,dc=my,dc=organization,dc=domain''', but rather '''memberUid: JoeTeacher''').<br />
<br />
In eDirectory, the objectClass for a group is (by default) not '''posixGroup''' but '''groupOfNames,''' whose member attribute is '''member,''' not '''memberUid,''' and whose value is the full DN of the user in question. Although you can probably modify Moodle's code to use this field, a better solution is just to add a new '''objectClass''' attribute of '''posixGroup''' to your creators group and put the CNs for each creator in a '''memberUid''' attribute.<br />
<br />
In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all. If your ldap context above is 'ou=staff,dc=my,dc=org' then your group should then be 'cn=creators,ou=staff,dc=my,dc=org'. If some of the users are from other contexts and have been added to the same security group, you'll have to add these as separate contexts after the first one using the same format.<br />
|-<br />
| First name<br />
| The name of the attribute that holds the first name of your users in your LDAP server. This is usually '''givenName'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Surname<br />
| The name of the attribute that holds the surname of your users in your LDAP server. This is usually '''sn'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Email address<br />
| The name of the attribute that holds the email address of your users in your LDAP server. This is usually '''mail'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 1<br />
| The name of the attribute that holds the telephone number of your users in your LDAP server. This is usually '''telephoneNumber'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Phone 2<br />
| The name of the attribute that holds an additional telephone number of your users in your LDAP server. This can be '''homePhone''', '''mobile''', '''pager''', '''facsimileTelephoneNumber''' or even others.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Department<br />
| The name of the attribute that holds the department name of your users in your LDAP server. This is usually '''departmentNumber''' (for posixAccount and maybe eDirectory) or '''department''' (for MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Address<br />
| The name of the attribute that holds the street address of your users in your LDAP server. This is usually '''streetAddress''' or '''street'''.<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| City/town<br />
| The name of the attribute that holds the city/town of your users in your LDAP server. This is usually '''l''' (lowercase L) or '''localityName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u> <br />
|-<br />
| Country<br />
| The name of the attribute that holds the country of your users in your LDAP server. This is usually '''c''' or '''countryName''' (not valid in MS-AD).<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Description<br />
| '''description'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| ID Number<br />
| <br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Language<br />
| '''preferredLanguage'''<br />
<br />
<u>This setting is optional</u><br />
|-<br />
| Instructions<br />
| <br />
|}<br />
<br />
The rest of the fields are common to all authentication methods and will not be discussed here.<br />
<br />
==Advanced Scenarios==<br />
<br />
===Using multiple LDAP Servers===<br />
Entering more than one name in the ldap_host_url field can give your system a degree of resilience. Simply use the syntax:<br />
ldap://my.first.server ; ldap://my.second.server ; ...<br />
<br />
Of course, this will only work if all the servers share the same directory information, using a replication or synchronization mechanism first introduced in eDirectory and now common to the main LDAP-compatible directories.<br />
<br />
There is one drawback in the Moodle 1.5 - 1.6 implementation of LDAP authentication: the auth_ldap_connect() function processes the servers sequentially, not in round-robin fashion. Thus, if the primary server fails, you have to wait for the connection to time out before it switches to the next one.<br />
<br />
===Using multiple user locations (contexts) in your LDAP tree===<br />
There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a '''ou=people,dc=my,dc=organization,dc=domain''' or '''ou=people,o=myorg''' container. <br />
<br />
Conversely, if you use the ACL mechanism to delegate user management, your users are likely to be stored in containers such as '''ou=students,ou=dept1,o=myorg''' and '''ou=students,ou=dept2,o=myorg'''.<br />
<br />
In that case you have two options:<br />
* Look at the '''o=myorg''' level with the ldap_search_sub attribute set to '''yes'''.<br />
* Set the ldap_context to '''ou=students,ou=dept1,o=myorg ; ou=students,ou=dept2,o=myorg'''.<br />
<br />
Choosing between these two solutions calls for some benchmarking, as the result depends heavily on the structure of your directory tree '''and''' on the indexing capabilities of your LDAP software. Note that in such deep trees there is a chance that two users share the same ''common name'' (cn) while having different ''distinguished names''. Only the second solution then gives a deterministic result (always returning the same user).<br />
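The following Python simulation (added here; it is not Moodle's own code and contacts no LDAP server) shows why the second option is deterministic: it parses the semicolon-separated ldap_host_url / ldap_contexts syntax used above, then looks up a login name over a constructed in-memory directory in which two different users share cn=jsmith. The contexts are walked in the order given, as the text describes; the directory entries and uid values are constructed.<br />

```python
"""Simulation of Moodle's multi-context LDAP user lookup (added example,
not Moodle's own code). DIRECTORY below is a constructed in-memory tree."""

def parse_list(setting):
    """Split a semicolon-separated setting (ldap_host_url or ldap_contexts)
    into its items, dropping the spaces around each ';'."""
    return [item.strip() for item in setting.split(";") if item.strip()]

def parent_dn(dn):
    """'cn=x,ou=a,o=myorg' -> 'ou=a,o=myorg' (the container of the entry)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def search(directory, base, attr, value, search_sub):
    """Return DNs under `base` whose `attr` equals `value`. search_sub=True
    is a subtree search; False looks only at direct children of the base."""
    base, hits = base.lower(), []
    for dn, attrs in directory.items():
        if search_sub:
            in_scope = dn.lower().endswith("," + base)
        else:
            in_scope = parent_dn(dn).lower() == base
        if in_scope and attrs.get(attr, "").lower() == value.lower():
            hits.append(dn)
    return hits

def find_user_dn(directory, contexts, search_sub, username, user_attr="cn"):
    """Walk the contexts in the configured order and return the first
    context's single match. Several matches in one context are ambiguous
    (two users with the same cn), so None is returned rather than guessing."""
    for ctx in parse_list(contexts):
        hits = search(directory, ctx, user_attr, username, search_sub)
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            return None
    return None

# Constructed directory: two different people share cn=jsmith.
DIRECTORY = {
    "cn=jsmith,ou=students,ou=dept1,o=myorg": {"cn": "jsmith", "uid": "s1001"},
    "cn=jsmith,ou=students,ou=dept2,o=myorg": {"cn": "jsmith", "uid": "s2042"},
    "cn=alee,ou=students,ou=dept2,o=myorg": {"cn": "alee", "uid": "s2043"},
}
```

With a subtree search from o=myorg, jsmith yields two hits and the lookup is ambiguous; with the two explicit contexts, the dept1 entry is returned every time.<br />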
<br />
===Using LDAPS (LDAP + SSL)===<br />
<br />
==Appendices==<br />
<br />
===Child Domains and the Global Catalog in MS Active Directory===<br />
<br />
Moodle currently only has limited support for multiple domain controllers; specifically, it expects each of the LDAP servers listed to contain identical sets of information. If you have users in multiple domains this presents an issue. One solution when working with MS-AD is to use the Global Catalog. The Global Catalog is a partial representation of an entire MS-AD forest, designed for searching the whole directory when the domain of the required object is not known.<br />
<br />
For example, your organisation has a main domain example.org, and staff and students are contained in two child domains, staff.example.org and students.example.org. The 3 domains (example.org, staff.example.org and students.example.org) each have a domain controller (dc01, dc02 and dc03 respectively). Each domain controller contains a full, writable representation of only the objects that belong to its domain. However, assuming that the Global Catalog has been enabled (see below) on one of the domain controllers (for example dc01), a query to the Global Catalog would reveal matching objects from all three domains. The Global Catalog is automatically maintained through replication across the Active Directory forest; it can also be enabled on multiple servers (if, for example, you need redundancy or load balancing).<br />
<br />
Using this in Moodle to allow logins from multiple domains is simple. The Global Catalog runs on port 3268, as opposed to 389 for standard LDAP queries. As a result, still assuming the Global Catalog is running on dc01, the 'ldap_host_url' would be ldap://dc01.example.org:3268. The rest of the settings are the same as for other MS-AD Auth setups.<br />
<br />
You should use the 'ldap_contexts' setting to indicate the locations of the individuals to whom you wish to grant access. To extend the example above a little: in the example.org domain users are all in the 'Users' OU; in the staff.example.org domain users are in two OUs at the root of the domain, Support Staff and Teaching Staff; and in the students.example.org domain students are in an OU indicating the year that they enrolled, all of which are under the 'Students' OU. As a result our 'ldap_contexts' setting may look a little like this: 'OU=Users,DC=example,DC=org; OU=Support Staff,DC=staff,DC=example,DC=org; OU=Teaching Staff,DC=staff,DC=example,DC=org; OU=Students,DC=students,DC=example,DC=org'. The 'ldap_search_sub' option should be set to 'Yes' to allow Moodle to search within the child OUs.<br />
<br />
====Enabling the Global Catalog====<br />
<br />
The Global Catalog is available on Windows 2000 and Windows 2003 Active Directory servers. To enable it, open the ‘Active Directory Sites and Services’ snap-in. Expand ‘Sites’ and then the name of the Site containing the Active Directory forest you wish to use. Expand the server you wish to enable the Global Catalog on, right click ‘NTDS settings’ and select the ‘Properties’ tab. To enable, simply tick the ‘Global Catalog’ checkbox. Under a Windows 2000 server it is necessary to restart the server (although it won’t prompt you to); under Windows 2003 server it is not necessary to restart the server. In either case you will generally have to wait for the AD forest to replicate before the Global Catalog offers a representation of the entire AD forest. Changes made in Active Directory will also be subject to a short delay due to the latency involved in replication. If your AD servers are firewalled, port 3268 will need to be opened for Global Catalog servers.<br />
If your organisation uses Microsoft Exchange then it is highly likely that at least one Domain Controller will already have the Global Catalog enabled – Exchange 2000 and 2003 rely on the Global Catalog for address information, and users also access the Global Catalog when using the GAL (Global Address List).<br />
<br />
==See also==<br />
<br />
*[http://moodle.org/mod/forum/view.php?id=42 Using Moodle: User authentication] forum<br />
*Using Moodle [http://moodle.org/mod/forum/discuss.php?d=32168 PHP LDAP module does not seem to be present] forum discussion<br />
<br />
[[Category:Administrator]]<br />
[[Category:Authentication]]</div>Rboyce