Moodle

LDAP enrollment when users and groups are in seperate OU's

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Not a bug
  • Affects Version/s: 1.8
  • Fix Version/s: None
  • Component/s: Enrolments
  • Labels:
    None
  • Environment:
    Not applicable
  • Database:
    Microsoft SQL
  • Affected Branches:
    MOODLE_18_STABLE

Description

I am working with getting LDAP enrollment in my company and I think i am hitting a limitation of the LDAP enrollment. Correct me if I am wrong but does Active Directory need to be structured in a way that the groups tied to courses and the users who can potentially be enrolled are in the same OU for it to enroll them in those courses?

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Robert Lamaster added a comment -

If I understand correctly, the short answer is no.

We have recently set up LDAP Authentication and LDAP Enrolment with Active Directory.

For LDAP Authentication, your users can be spread-out in many OU's as long as those OU's (or their parent OU's if you have "search subcontexts" turned on) are listed in the "contexts" field in LDAP authentication. One little problem... if you have many things to enter in contexts, you may need to edit this field directly in phpMyAdmin (mdl_config_plugins / contexts) to avoid the size limitation.

For LDAP Enrolment, you can create separate OU's for Teacher Enrolment and Student Enrolment elsewhere in your AD structure. Create group names in these two OU's and name them identically, except for the Windows 2000 name, which must be unique. The membership in these groups can then be manipulated (manually, by scripting, etc) to put your users in the appropriate groups.

So... Authentication looks in OU's for accounts. Enrolment looks at groups and group membership. You will need to create a structure for an Enrolment OU, but your existing account OUs remain unchanged.

Hope this helps.

Show
Robert Lamaster added a comment - If I understand correctly, the short answer is no. We have recently set up LDAP Authentication and LDAP Enrolment with Active Directory. For LDAP Authentication, your users can be spread-out in many OU's as long as those OU's (or their parent OU's if you have "search subcontexts" turned on) are listed in the "contexts" field in LDAP authentication. One little problem... if you have many things to enter in contexts, you may need to edit this field directly in phpMyAdmin (mdl_config_plugins / contexts) to avoid the size limitation. For LDAP Enrolment, you can create separate OU's for Teacher Enrolment and Student Enrolment elsewhere in your AD structure. Create group names in these two OU's and name them identically, except for the Windows 2000 name, which must be unique. The membership in these groups can then be manipulated (manually, by scripting, etc) to put your users in the appropriate groups. So... Authentication looks in OU's for accounts. Enrolment looks at groups and group membership. You will need to create a structure for an Enrolment OU, but your existing account OUs remain unchanged. Hope this helps.
Hide
Permalink
tim rhymer added a comment -

Thanks, I am just now seeing that i can leave comments on this issue, I should have posted that I had resolved this. Thanks for your response though. In a related topic to LDAP enrollment, is it possible to put groups inside of my teacher and student groups for enrollment. We are using our moodle site for training and this training may come to the point where we need to enroll just people in specific departments. In AD they are in groups by those departments, but it would be nice if we could just make those groups members of the moodle class student group. I guess right now a quick fix for us would be to just run a script that copies all the users from the department group into that class's student group.

Show
tim rhymer added a comment - Thanks, I am just now seeing that i can leave comments on this issue, I should have posted that I had resolved this. Thanks for your response though. In a related topic to LDAP enrollment, is it possible to put groups inside of my teacher and student groups for enrollment. We are using our moodle site for training and this training may come to the point where we need to enroll just people in specific departments. In AD they are in groups by those departments, but it would be nice if we could just make those groups members of the moodle class student group. I guess right now a quick fix for us would be to just run a script that copies all the users from the department group into that class's student group.
Hide
Permalink
Dan Marsden added a comment -

closing as reporter has stated this is resolved.

Show
Dan Marsden added a comment - closing as reporter has stated this is resolved.

People

Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.