Note: You are currently viewing documentation for Moodle 3.8. Up-to-date documentation for the latest stable version of Moodle may be available here: Authentication FAQ.

Authentication FAQ: Difference between revisions

From MoodleDocs
No edit summary
 
(35 intermediate revisions by 5 users not shown)
Line 13: Line 13:
=== Can I have more than one authentication method? ===
=== Can I have more than one authentication method? ===


Yes, you can enable and configure as many methods as you need for your users in ''Site administration > Plugins > Authentication > Manage authentication''. Note that the order of processing on this page does matter and after manual and nologin, you should next put the method that most users will have?
Yes, you can enable and configure as many methods as you need for your users in ''Site administration > Plugins > Authentication > Manage authentication''. Note that the order of processing on this page does matter and after manual and nologin, you should next put the method that most users will have. See [[Managing_authentication|Managing Authentication]] for details.


=== Can a user have more than one authentication method? ===
=== Can a user have more than one authentication method? ===
Line 27: Line 27:
# Select the self-registration plugin in the Common  settings.
# Select the self-registration plugin in the Common  settings.


Warning: Enabling self registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. See [[Reducing spam in Moodle]] for ways of minimizing the risk.
Warning: Enabling Self-registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. See [[Reducing spam in Moodle]] for ways of minimizing the risk.


===How can I change the "Is this your first time here?" instructions?===
===How can I change the "Is this your first time here?" instructions?===


This message can be customized in ''Site administration > Plugins > Authentication > Manage authentication > Common Settings > Instructions.''
See the section 'Is this your first time here?' instructions in [[Managing authentication]].


Note that this message only applies to certain Authentication methods, such as Manual and Self-registration, and not all. It does not apply to most external methods that pull users from external lists (LDAP, etc.).
===What is the difference between enabling the email-based self-registration auth plugin and selecting it as the self-registration method?===


'''Multiple languages'''
The difference is that self-registration is the general term for having a user create an account themselves. There could be many ways to do that, for instance to allow users to sign up with no email at all. Almost all web applications these days, however, require users to first confirm their email address. This is to prevent spam accounts and other security issues. Moodle has only one type on self-registration currently, which is email-based.
 
If you need to provide custom instructions in more than one language, then you should use the older method of setting this, by editing each language pack using ''Site administration > Language > Language customisation''.
 
There are two strings you can edit:
{| class="wikitable"
|-
! String
! Standard text
|-
| firsttime
| Is this your first time here?
|-
| loginsteps
| Hi! For full access to courses you'll need to take a minute to create a new account ...
|}
 
See https://docs.moodle.org/38/en/Language_customisation for more information.
 
===What is the difference between enabling the email-based self-registration auth plugin and selecting it as the self registration method?===
 
The difference is that self-registration is the general term for having a user create an account themselves. There could be many ways to do that, for instance to allow users to sign up with no email at all. Almost all web applications theses days, however, require users to first confirm their email address. This is to prevent spam accounts and other security issues. Moodle has only one type on self-registration currently, which is email-based.


Therefore: to allow users to create self-registered accounts, you must do two things:
Therefore: to allow users to create self-registered accounts, you must do two things:
Line 67: Line 46:
You could do this in a case where you may wish to allow signup for a limited period (a day, week, month) to allow users to self-create their accounts, then Disable creating new accounts while allowing the already created users to log in.
You could do this in a case where you may wish to allow signup for a limited period (a day, week, month) to allow users to self-create their accounts, then Disable creating new accounts while allowing the already created users to log in.


'''Spam and Spambots'''
=== How can I prevent spam accounts if I use self-registration?===
 
Warning: Enabling self-registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. This risk can be minimized by limiting self registration to particular email domains with the allowed email domains setting in ''Site administration > Plugins> Authentication > [[Authentication|Manage authentication]]''. Alternatively, self-registration may be enabled for a short period of time to allow users to create accounts, and then later disabled.
Warning: Enabling self registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. This risk can be minimized by limiting self registration to particular email domains with the allowed email domains setting in ''Site administration > Plugins> Authentication > [[Authentication|Manage authentication]]''. Alternatively, self registration may be enabled for a short period of time to allow users to create accounts, and then later disabled.


See also: [[Reducing_spam_in_Moodle]]
See also: [[Reducing_spam_in_Moodle|Reducing Spam in Moodle]]


===Why isn't the Email-Based Self-Registration sending emails?===
===Why isn't the Email-Based Self-Registration sending emails?===
Line 77: Line 55:
Email based sends out an email with a message and confirmation link to users when they sign up. Possible reason why this make not be working, and also a useful order to troubleshoot this, is:
Email based sends out an email with a message and confirmation link to users when they sign up. Possible reason why this make not be working, and also a useful order to troubleshoot this, is:


# Is email working at all from Moodle for other features such as forum posts? If not, check that you have [[Messaging]] enabled and that your [[Email_settings]] are set.
# Is email working at all from Moodle for other features such as forum posts? If not, check that you have [[Messaging]] enabled and that your [[Email_settings|Email Settings]] are set.
# Is email for new sign ups working? You can test this yourself by signing up with a dummy test user and a valid email.
# Is email for new sign ups working? You can test this yourself by signing up with a dummy test user and a valid email.
# Has the user checked their spam or junk folder? The email comes by default from your Moodle administrator account, and it is not uncommon for that to be flagged by some systems as potential spam.
# Has the user checked their spam or junk folder? The email comes by default from your Moodle administrator account, and it is not uncommon for that to be flagged by some systems as potential spam.
# Did the user make a typo or other error in their email address or are they using the wrong account?
# Did the user make a typo or other error in their email address or are they using the wrong account?


Some good troubleshooting advice is here: [https://moodle.org/mod/forum/discuss.php?d=271188#p1170455]
Some good troubleshooting advice on the [https://moodle.org/mod/forum/discuss.php?d=271188#p1170455| Community Forums]


===Can you arrange for Admins to be notified of new self registrations===
===Can you arrange for Admins to be notified of new self registrations===
Line 92: Line 70:
* See discussion http://moodle.org/mod/forum/discuss.php?d=117005
* See discussion http://moodle.org/mod/forum/discuss.php?d=117005


Bulk upload can be set up to send e-mails: see the discussion here: http://moodle.org/mod/forum/discuss.php?d=85333 (Which includes a code hack to do this as well. (Also http://moodle.org/mod/forum/discuss.php?d=125000)
Bulk upload can be set up to send e-mails. See the discussion here: http://moodle.org/mod/forum/discuss.php?d=85333 (which includes a code hack to do this as well). Also see http://moodle.org/mod/forum/discuss.php?d=125000.


== Other authentication methods ==
== Other authentication methods ==
Line 109: Line 87:
# Access the user's profile page.
# Access the user's profile page.
# In the Settings block, click "Edit profile".
# In the Settings block, click "Edit profile".
# Select "No login" as the authentication method. (If the setting isn't shown, click the "Show advanced" button to reveal it.)
# Select "No login" as the authentication method (if the setting isn't shown, click the "Show advanced" button to reveal it).
# Click the "Update profile" button at the bottom of the page.
# Click the "Update profile" button at the bottom of the page.


Line 118: Line 96:
You can set this manually for each user in their user profile by changing the "Authentication" field. This can also be changed en masse for many users by using the User file upload tool [[Upload_users]] and changing the field called "auth".
You can set this manually for each user in their user profile by changing the "Authentication" field. This can also be changed en masse for many users by using the User file upload tool [[Upload_users]] and changing the field called "auth".


See this blog post on [http://www.schoolanywhere.co.uk/blog/how-to-change-manual-user-accounts-to-ldap/#more-828 Changing manual accounts to LDAP] using MySQL database and this ad-hoc query https://docs.moodle.org/38/en/ad-hoc_contributed_reports#List_of_users_with_Authentication.
See this blog post on [http://www.scoop.it/t/moodle-lms-m-ms/p/4013595490/2014/01/03/how-to-change-manual-user-accounts-to-ldap Changing manual accounts to LDAP] using MySQL database and this ad-hoc query https://docs.moodle.org/38/en/ad-hoc_contributed_reports#List_of_users_with_Authentication.
 
===How can I allow users to bypass NTML SSO?===
 
When NTLM SSO is enabled on a Moodle site the SSO function always logs the user who is logged into the computer into Moodle. Sometimes you may need to override this feature and login to Moodle as another user. Example: when a teacher or site administrator needs to login to the students computer to troubleshoot a problem. Or the teacher simply needs to access functionality that is not available to the student and the teacher is not anywhere near her own computer.
 
The problem is that the Moodle logout option is not available when SSO is enabled - the user simply gets logged back into Moodle. To bypass the SSO you can add this to the url:
 
<code>/login/index.php?authldap_skipntlmsso=1</code>
 
Example: http://yourschool.com/login/index.php?authldap_skipntlmsso=1
 
The NTLM SSO will be disabled (for this login only) and you will get the regular Moodle login page.
 
{{warning|message=This bypass won't work if you have the [[Site policies#Force users to login|''Force users to login'' site policy]] enabled. In that case, SSO is applied to all pages on the site, including the log in and log out pages.}}
 
See the Using Moodle [http://moodle.org/mod/forum/discuss.php?d=200641 Bypass NTML SSO for Moode 2.2] forum discussion for details.


== Other Questions ==  
== Other Questions ==  


==How can young students or other users without email addresses create new Moodle accounts?==
===How can young students or other users without email addresses create new Moodle accounts?===


You can either use a fake email address when you upload the CSV file of your young students - or - you can use the [[Upload_users]]  file upload tool to get around this, as follows
You can either use a fake email address when you upload the CSV file of your young students - or - you can use the [[Upload_users]]  file upload tool to get around this, as follows
Line 132: Line 126:
See also [[No Email]].
See also [[No Email]].


 
===Where are users' details stored?===
==Where are users' details stored?==


Basic user account information, the required fields of username, first name, last name, and email address, which allow a user to be known to Moodle and are stored in the Moodle database. How much other user profile information is stored depends on the authentication method used for that user, and whether that information is stored externally to Moodle in another system. All user activity done in Moodle, e.g., course enrollments, grades, and so forth are stored in Moodle.
Basic user account information, the required fields of username, first name, last name, and email address, which allow a user to be known to Moodle and are stored in the Moodle database. How much other user profile information is stored depends on the authentication method used for that user, and whether that information is stored externally to Moodle in another system. All user activity done in Moodle, e.g., course enrollments, grades, and so forth are stored in Moodle.
Line 141: Line 134:
"External" users are those whose user account information is based in another system and is synchronzied or referenced by Moodle when needed. LPAD, External database, CAS, Shibboleth, etc. are examples of external methods.
"External" users are those whose user account information is based in another system and is synchronzied or referenced by Moodle when needed. LPAD, External database, CAS, Shibboleth, etc. are examples of external methods.


 
===How can I have users logging in with their email address?===
==How can I have users logging in with their email address?==


This is set in ''Site administration > Plugins > Authentication > Manage authentication > Common settings > Allow login via email.'' This feature was added in Moodle 2.7.
This is set in ''Site administration > Plugins > Authentication > Manage authentication > Common settings > Allow login via email.'' This feature was added in Moodle 2.7.


==How can I allow users to bypass NTML SSO?==
===How can I create an authentication plugin?===
 
When NTLM SSO is enabled on a Moodle site the SSO function always logs the user who is logged into the computer into Moodle. Sometimes you may need to override this feature and login to Moodle as another user. Example: when a teacher or site administrator needs to login to the students computer to troubleshoot a problem. Or the teacher simply needs to access functionality that is not available to the student and the teacher is not anywhere near her own computer.
 
The problem is that the Moodle logout option is not available when SSO is enabled - the user simply gets logged back into Moodle. To bypass the SSO you can add this to the url:
 
<code>/login/index.php?authldap_skipntlmsso=1</code>
 
Example: http://yourschool.com/login/index.php?authldap_skipntlmsso=1
 
The NTLM SSO will be disabled (for this login only) and you will get the regular Moodle login page.
 
{{warning|message=This bypass won't work if you have the [[Site policies#Force users to login|''Force users to login'' site policy]] enabled. In that case, SSO is applied to all pages on the site, including the log in and log out pages.}}
 
See the Using Moodle [http://moodle.org/mod/forum/discuss.php?d=200641 Bypass NTML SSO for Moode 2.2] forum discussion for details.
 
 
==How can I create an authentication plugin?==


See [[Development:Authentication plugins]].
See [[Development: Authentication plugins]].


==Any further questions?==


Please post in the [http://moodle.org/mod/forum/view.php?id=42 Authentication forum] on moodle.org.


==See also==
==See also==


* Using Moodle [http://moodle.org/mod/forum/view.php?id=42 User authentication forum]
* [[Accounts FAQ]]
* [[Accounts FAQ]]


Line 178: Line 154:


[[de:Authentifizierung FAQ]]
[[de:Authentifizierung FAQ]]
[[es:Autenticación FAQ]]
[[fr:FAQ d'authentification]]

Latest revision as of 11:18, 13 May 2019


General Questions

What is an authentication plugin?

An authentication plugin is a method of handling user authentication to Moodle when users log into your site. This means, in the most usual practice, matching a user's username with their password.

You can have one or more methods as the same time enabled on your site, but each user can only use one method of authentication at a time. So, you may have manual authentication for some users, LDAP for others, Shibboleth for others, but each user authenticates with only one of those.

See Authentication for the list of these various methods and their use and settings.

Can I have more than one authentication method?

Yes, you can enable and configure as many methods as you need for your users in Site administration > Plugins > Authentication > Manage authentication. Note that the order of processing on this page does matter and after manual and nologin, you should next put the method that most users will have. See Managing Authentication for details.

Can a user have more than one authentication method?

No, a user account has only one authentication method at a time. You can can change this method for a user, but you will also need to handle issues such as passwords, etc. that arise from this.

Manual and Self-registration Questions

How do I enable the "Create new account" button on the login page?

To display the "Is this your first time here?" instructions and the "Create new account" button:

  1. Make sure that the email-based self-registration plugin (or any other plugin that can support self-registration, such as LDAP) is enabled in Site administration > Plugins > Authentication > Manage authentication.
  2. Select the self-registration plugin in the Common settings.

Warning: Enabling Self-registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. See Reducing spam in Moodle for ways of minimizing the risk.

How can I change the "Is this your first time here?" instructions?

See the section 'Is this your first time here?' instructions in Managing authentication.

What is the difference between enabling the email-based self-registration auth plugin and selecting it as the self-registration method?

The difference is that self-registration is the general term for having a user create an account themselves. There could be many ways to do that, for instance to allow users to sign up with no email at all. Almost all web applications these days, however, require users to first confirm their email address. This is to prevent spam accounts and other security issues. Moodle has only one type on self-registration currently, which is email-based.

Therefore: to allow users to create self-registered accounts, you must do two things:

  1. Enable email-based self-registration authentication plugin to allow such users to be able to log in.
  2. Set Site administration > Plugins > Authentication > Managing authentication > Common settings > Self registration from Disable to Email-based self-registration to allow potential users to create their accounts.

This division of labor into two settings means that it is possible to Disable Self-registration to prevent accounts, but as long as the Authentication method Email-self registration is still enabled, users will still be able to login and use their accounts.

You could do this in a case where you may wish to allow signup for a limited period (a day, week, month) to allow users to self-create their accounts, then Disable creating new accounts while allowing the already created users to log in.

How can I prevent spam accounts if I use self-registration?

Warning: Enabling self-registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. This risk can be minimized by limiting self registration to particular email domains with the allowed email domains setting in Site administration > Plugins> Authentication > Manage authentication. Alternatively, self-registration may be enabled for a short period of time to allow users to create accounts, and then later disabled.

See also: Reducing Spam in Moodle

Why isn't the Email-Based Self-Registration sending emails?

Email based sends out an email with a message and confirmation link to users when they sign up. Possible reason why this make not be working, and also a useful order to troubleshoot this, is:

  1. Is email working at all from Moodle for other features such as forum posts? If not, check that you have Messaging enabled and that your Email Settings are set.
  2. Is email for new sign ups working? You can test this yourself by signing up with a dummy test user and a valid email.
  3. Has the user checked their spam or junk folder? The email comes by default from your Moodle administrator account, and it is not uncommon for that to be flagged by some systems as potential spam.
  4. Did the user make a typo or other error in their email address or are they using the wrong account?

Some good troubleshooting advice on the Community Forums

Can you arrange for Admins to be notified of new self registrations

If you are creating ONE manual account, then no.

Bulk upload can be set up to send e-mails. See the discussion here: http://moodle.org/mod/forum/discuss.php?d=85333 (which includes a code hack to do this as well). Also see http://moodle.org/mod/forum/discuss.php?d=125000.

Other authentication methods

How do I set up LDAP authentication?

See LDAP authentication for full instructions.

How is the "No login" authentication plugin used?

The No login authentication plugin can be used to suspend particular user accounts. This means the user will not be able to log into Moodle, but their account is otherwise unchanged.

Note: Users will not receive any error or other message when they try to log in but it simply will not allow them in. So it will appear as though their password was incorrect and they may attempt to reset it. Consider this issue when using No login, in order to reduce support issues.

To do so:

  1. Access the user's profile page.
  2. In the Settings block, click "Edit profile".
  3. Select "No login" as the authentication method (if the setting isn't shown, click the "Show advanced" button to reveal it).
  4. Click the "Update profile" button at the bottom of the page.

Can I change manual accounts to LDAP?

Yes. You can change any user account from one authentication method to another in Moodle, but you are of course responsible for making sure that the information matches and is valid in the new method.

You can set this manually for each user in their user profile by changing the "Authentication" field. This can also be changed en masse for many users by using the User file upload tool Upload_users and changing the field called "auth".

See this blog post on Changing manual accounts to LDAP using MySQL database and this ad-hoc query https://docs.moodle.org/38/en/ad-hoc_contributed_reports#List_of_users_with_Authentication.

How can I allow users to bypass NTML SSO?

When NTLM SSO is enabled on a Moodle site the SSO function always logs the user who is logged into the computer into Moodle. Sometimes you may need to override this feature and login to Moodle as another user. Example: when a teacher or site administrator needs to login to the students computer to troubleshoot a problem. Or the teacher simply needs to access functionality that is not available to the student and the teacher is not anywhere near her own computer.

The problem is that the Moodle logout option is not available when SSO is enabled - the user simply gets logged back into Moodle. To bypass the SSO you can add this to the url:

/login/index.php?authldap_skipntlmsso=1

Example: http://yourschool.com/login/index.php?authldap_skipntlmsso=1

The NTLM SSO will be disabled (for this login only) and you will get the regular Moodle login page.

warning.png Warning: This bypass won't work if you have the Force users to login site policy enabled. In that case, SSO is applied to all pages on the site, including the log in and log out pages.

See the Using Moodle Bypass NTML SSO for Moode 2.2 forum discussion for details.

Other Questions

How can young students or other users without email addresses create new Moodle accounts?

You can either use a fake email address when you upload the CSV file of your young students - or - you can use the Upload_users file upload tool to get around this, as follows

  1. Upload a CSV file without an email field.
  2. When previewing the accounts, set "Prevent email address duplicates" to No.
  3. In "Default values", type in an email address.
  4. When the users are uploaded, they will all have the same email address. (It will say "duplicated" but the accounts will work)

See also No Email.

Where are users' details stored?

Basic user account information, the required fields of username, first name, last name, and email address, which allow a user to be known to Moodle and are stored in the Moodle database. How much other user profile information is stored depends on the authentication method used for that user, and whether that information is stored externally to Moodle in another system. All user activity done in Moodle, e.g., course enrollments, grades, and so forth are stored in Moodle.

"Internal" users are those who are created directly in Moodle and whose information is not directly linked to or synchronized with any other system. Manual and self-registration authentication methods are internal.

"External" users are those whose user account information is based in another system and is synchronzied or referenced by Moodle when needed. LPAD, External database, CAS, Shibboleth, etc. are examples of external methods.

How can I have users logging in with their email address?

This is set in Site administration > Plugins > Authentication > Manage authentication > Common settings > Allow login via email. This feature was added in Moodle 2.7.

How can I create an authentication plugin?

See Development: Authentication plugins.

Any further questions?

Please post in the Authentication forum on moodle.org.

See also