[#MDL-20759] Auto enrolment with eDirectory is broken - Moodle Tracker

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: 1.9.4
Fix Version/s: None
Component/s: Enrolments
Labels:
None
Environment:
CentOS 5.3 with standard services and packages

Database:

MySQL
Affected Branches:
MOODLE_19_STABLE

Description

There is a problem with auto enrolment with using eDirectory. after some investigation and finding that other people have this issue - http://moodle.org/mod/forum/discuss.php?d=130647 - I investigated further and I think I found the problem. I was able to successfully setup auto enrolment with openLDAP but not with eDir.

My eDir LDAP Enrolment Setup:

student: ou=Students,ou=Moodle,o=ITS | member (not memberUID)

enrol_ldap_objectclass: groupOfNames
enrol_ldap_course_idnumber: cn
enrol_ldap_course_shortname: cn
enrol_ldap_course_fullname: fullName (field added through console1 under "other")
enrol_ldap_course_summary: description

-~~LDIF of the same record on oLDAP and eDir~~-

OpenLDAP:

dn: cn=ITSBT,ou=Students,ou=Moodle,o=ITS
objectClass: posixGroup
objectClass: top
cn: ITSBT
gidNumber: 1002
memberUid: jbloggs
description: testing stuff

eDirectory:
<irrelevant lines omitted>
dn: cn=ITSBT,ou=Students,ou=Moodle,o=ITS
fullName: ITS Bypass Test
objectClass: groupOfNames
objectClass: Top
member: cn=jbloggs,ou=STUDENTS,ou=USERS,o=ITS
description: testing stuff
cn: ITSBT

The point I noticed was the difference between what is stored in memberUID under OpenLDAP and member under eDirectory. It looks like the data that's being returned is not being parsed properly.

More Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

10006201010s.ldif

12/Jan/10 10:44 PM

0.7 kB

Chris Myers
10006201010t.ldif

12/Jan/10 10:44 PM

0.4 kB

Chris Myers

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Chris Myers added a comment - 08/Jan/10 1:27 AM

At Millikin, we have full course automation set up with our Novell system - it automatically syncs users into Moodle and syncs the courses out of eDirectory groups. If you have any questions about our processes, scripts, etc., please feel free to contact us! Here are the code changes that we made to /enrol/ldap/enrol.php to make this work with eDir:

Find this in the code:
// define the search pattern
if (!empty($CFG->enrol_ldap_objectclass)){ $ldap_search_pattern='(objectclass='.$CFG->enrol_ldap_objectclass.')'; } else { $ldap_search_pattern="(objectclass=*)"; }

And replace it with:
// define the search pattern
$ldap_search_pattern="(cn=Moodle)";

We created a new Moodle OU, with sub-OU's of StudentEnrollment and TeacherEnrollment. All of the groups for the courses are stored in those OU's then. For the groups in eDirectory then, add a "Other Name" attribute to the group of "Moodle". If you omit this change, it'll create Moodle classes for all of your eDirectory groups, which obviously isn't desirable.

This next part is the key thing to make it work with eDirectory:
Also, search for:
// insert current enrolments
// bad we can't do INSERT IGNORE with postgres...
foreach ($ldapmembers as $ldapmember) {
$sql = 'SELECT id,1 FROM '.$CFG->prefix.'user '
." WHERE idnumber='$ldapmember'";
$member = get_record_sql($sql);
// print "sql: $sql \nidnumber = $ldapmember \n" . var_dump($member);
if(empty($member) || empty($member->id)){ print "Could not find user $ldapmember, skipping\n"; continue; }

And replace with:
// insert current enrolments
// bad we can't do INSERT IGNORE with postgres...
foreach ($ldapmembers as $ldapmember) {
$sql = 'SELECT id,1 FROM '.$CFG->prefix.'user '
." WHERE username='" . substr($ldapmember,3,stripos($ldapmember,',')-3) . "'";
$member = get_record_sql($sql);
// print "sql: $sql \nidnumber = " . substr($ldapmember,3,stripos($ldapmember,',')-3) . " \n" . var_dump($member);
if(empty($member) || empty($member->id)){ print "Could not find user " . substr($ldapmember,3,stripos($ldapmember,',')-3) . ", skipping\n"; continue; }

This tells Moodle to search for the username instead of the userid field, which isn't used by edirectory or populated in Moodle when used with eDir.

Show

Chris Myers added a comment - 08/Jan/10 1:27 AM At Millikin, we have full course automation set up with our Novell system - it automatically syncs users into Moodle and syncs the courses out of eDirectory groups. If you have any questions about our processes, scripts, etc., please feel free to contact us! Here are the code changes that we made to /enrol/ldap/enrol.php to make this work with eDir: Find this in the code: // define the search pattern if (!empty($CFG->enrol_ldap_objectclass)){ $ldap_search_pattern='(objectclass='.$CFG->enrol_ldap_objectclass.')'; } else { $ldap_search_pattern="(objectclass=*)"; } And replace it with: // define the search pattern $ldap_search_pattern="(cn=Moodle)"; We created a new Moodle OU, with sub-OU's of StudentEnrollment and TeacherEnrollment. All of the groups for the courses are stored in those OU's then. For the groups in eDirectory then, add a "Other Name" attribute to the group of "Moodle". If you omit this change, it'll create Moodle classes for all of your eDirectory groups, which obviously isn't desirable. This next part is the key thing to make it work with eDirectory: Also, search for: // insert current enrolments // bad we can't do INSERT IGNORE with postgres... foreach ($ldapmembers as $ldapmember) { $sql = 'SELECT id,1 FROM '.$CFG->prefix.'user ' ." WHERE idnumber='$ldapmember'"; $member = get_record_sql($sql); // print "sql: $sql \nidnumber = $ldapmember \n" . var_dump($member); if(empty($member) || empty($member->id)){ print "Could not find user $ldapmember, skipping\n"; continue; } And replace with: // insert current enrolments // bad we can't do INSERT IGNORE with postgres... foreach ($ldapmembers as $ldapmember) { $sql = 'SELECT id,1 FROM '.$CFG->prefix.'user ' ." WHERE username='" . substr($ldapmember,3,stripos($ldapmember,',')-3) . "'"; $member = get_record_sql($sql); // print "sql: $sql \nidnumber = " . substr($ldapmember,3,stripos($ldapmember,',')-3) . " \n" . var_dump($member); if(empty($member) || empty($member->id)){ print "Could not find user " . substr($ldapmember,3,stripos($ldapmember,',')-3) . ", skipping\n"; continue; } This tells Moodle to search for the username instead of the userid field, which isn't used by edirectory or populated in Moodle when used with eDir.

Hide

Permalink

Chris Myers added a comment - 08/Jan/10 1:43 AM

Probably should add in the rest of our LDAP config stuff too:

Enrollments: Enable LDAP. Settings:

LDAP server: ldap://LdapServerName.millikin.edu
version 3
teacher LDAP context: ou=TeacherEnrollment,ou=Moodle,o=MU attribute: member
student LDAP context: ou=StudentEnrollment,ou=Moodle,o=MU attribute: member

enrol object class: posixGroup
course id number: cn
course short name: cn
course full name: description
course summary: description
autocreate: yes

When we run the sync, the group name in eDirectory is the CRN plus term (eg. 10006201010.) The group has an "Other name:" value of Moodle, and the Description is the appropriate course information (in the case of this example, it's "PS 201 01 Statistical Meth.-Beh. Sci. CRN: 10006 (Collinsworth: Fall 2009)".)

Show

Chris Myers added a comment - 08/Jan/10 1:43 AM Probably should add in the rest of our LDAP config stuff too: Enrollments: Enable LDAP. Settings: LDAP server: ldap://LdapServerName.millikin.edu version 3 teacher LDAP context: ou=TeacherEnrollment,ou=Moodle,o=MU attribute: member student LDAP context: ou=StudentEnrollment,ou=Moodle,o=MU attribute: member enrol object class: posixGroup course id number: cn course short name: cn course full name: description course summary: description autocreate: yes When we run the sync, the group name in eDirectory is the CRN plus term (eg. 10006201010.) The group has an "Other name:" value of Moodle, and the Description is the appropriate course information (in the case of this example, it's "PS 201 01 Statistical Meth.-Beh. Sci. CRN: 10006 (Collinsworth: Fall 2009)".)

Hide

Permalink

Phil added a comment - 12/Jan/10 10:31 AM

Thanks heaps for the detailed feedback. We are working on developing a patch to push upstream to make this easier in the future but are struggling on a few points to get this working. Would you be able to submit LDIF output? We would be interested in the entire branch from your ou=Moodle to get info of ou=TeacherEnrollment and cn=10006201010

Thanks,

Phil

Show

Phil added a comment - 12/Jan/10 10:31 AM Thanks heaps for the detailed feedback. We are working on developing a patch to push upstream to make this easier in the future but are struggling on a few points to get this working. Would you be able to submit LDIF output? We would be interested in the entire branch from your ou=Moodle to get info of ou=TeacherEnrollment and cn=10006201010 Thanks, Phil

Hide

Permalink

Chris Myers added a comment - 12/Jan/10 10:44 PM

The file ending in "s" is the group in the "StudentEnrollment" OU; the "t" is in TeacherEnrollment. (Usernames have been changed to protect the innocent )

Is this what you're needing, or do you need something more specific?

On the Student file, you can ignore the attribute DirXML-Associations; that's used because we push stuff from eDir to AD as well through Novell IDM, so that attribute just means that it was synch'd.

Show

Chris Myers added a comment - 12/Jan/10 10:44 PM The file ending in "s" is the group in the "StudentEnrollment" OU; the "t" is in TeacherEnrollment. (Usernames have been changed to protect the innocent

) Is this what you're needing, or do you need something more specific? On the Student file, you can ignore the attribute DirXML-Associations; that's used because we push stuff from eDir to AD as well through Novell IDM, so that attribute just means that it was synch'd.

Hide

Permalink

Michael de Raadt added a comment - 05/Jan/12 1:51 PM

Thanks for reporting this issue.

We have detected that this issue has been inactive for over a year has been recorded as affecting versions that are no longer supported.

If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.

Michael d;

lqjjLKA0p6

Show

Michael de Raadt added a comment - 05/Jan/12 1:51 PM Thanks for reporting this issue. We have detected that this issue has been inactive for over a year has been recorded as affecting versions that are no longer supported. If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed. Michael d; lqjjLKA0p6

Hide

Permalink

Michael de Raadt added a comment - 06/Feb/12 4:34 PM

I'm closing this issue as it appears to have become inactive and is probably not relevant to a current supported version. If you are encountering this problem or one similar, please launch a new issue.

Show

Michael de Raadt added a comment - 06/Feb/12 4:34 PM I'm closing this issue as it appears to have become inactive and is probably not relevant to a current supported version. If you are encountering this problem or one similar, please launch a new issue.

People

Assignee:

Nobody

Reporter:

Phil

Participants:

Chris Myers, Michael de Raadt, Nobody, Phil

Vote (1)

Watch (2)

Dates

Created:

06/Nov/09 7:22 AM

Updated:

Monday 4:34 PM

Resolved:

Monday 4:34 PM