Moodle: MDL-51723

Users are unenrolled on login under LDAP auth with Active Directory


    Details

    • Testing Instructions:

      Unit tests cover several aspects of this change, including ensuring that the new normalisation (in master only) spits out the expected results.

      In addition to this, you'll need to configure both auth_ldap and enrol_ldap and run some tests.

      Configuring your own LDAP server

      I've provided instructions for both Active Directory and OpenLDAP.

      Active Directory
      1. Create some new Organisational Units (OU/containers) under moodle.test.com:

        -> moodle.test.com
        --> Builtin
        --> Computers
        --> Domain Controllers
        --> Foreign Security Principals
        --> Users
        --> Service    <-- ********
        --> Accounts   <-- ********
        --> Groups     <-- ********
        ---> 2016      <-- ********
        ----> Students <-- ********
        ----> Teachers <-- ********
        

      2. Under 'Service' create a new 'moodle' account. Give it a password which does not expire and cannot be changed. Uncheck the force password reset flag.
      3. Under 'Accounts' create a number of new accounts. Give them a password which does not expire but can be changed. Uncheck the force password reset flag.
      4. Set an e-mail address for all of the users
      5. Under 'Groups/2016/Students' create some new Groups:
        1. 2016-ECON101 (pre-Windows 2000 name = 2016-STUD-ECON101)
        2. 2016-MATH101 (pre-Windows 2000 name = 2016-STUD-MATH101)
      6. Under 'Groups/2016/Teachers' create some new Groups:
        1. 2016-ECON101 (pre-Windows 2000 name = 2016-TEAC-ECON101)
        2. 2016-MATH101 (pre-Windows 2000 name = 2016-TEAC-MATH101)
      7. Place several users in each of the subject groups (ECON101/MATH101)
      OpenLDAP
      1. Set up OpenLDAP as per https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-a-basic-ldap-server-on-an-ubuntu-12-04-vps
      2. Create a structure as follows:

        -> dc=yourhost,dc=per,dc=in,dc=moodle,dc=com
        --> ou=service    <-- ********
        --> ou=accounts   <-- ********
        --> ou=groups     <-- ********
        ---> ou=2016      <-- ********
        ----> ou=students <-- ********
        ----> ou=teachers <-- ********
        

      3. Under 'service' create a new 'moodle' account. Give it a password which does not expire and cannot be changed. Uncheck the force password reset flag.
      4. Under 'accounts' create a number of new accounts. Give them a password which does not expire but can be changed. Uncheck the force password reset flag.
      5. Set an e-mail address for all of the users
      6. Under 'groups/2016/students' create some new Groups:
        1. 2016-ECON101
        2. 2016-MATH101
      7. Under 'groups/2016/teachers' create some new Groups:
        1. 2016-ECON101
        2. 2016-MATH101
      8. Under each of the groups (ECON101/MATH101) add members using their dn, e.g.

        cn=springer,ou=Accounts,dc=auth,dc=banana,dc=per,dc=in,dc=moodle,dc=com
        

      Moodle setup

      Various things differ between AD and LDAP. Here are a few:

      1. bindDN:
        1. AD: moodle@moodle.test.com
        2. LDAP: cn=moodle,ou=Service,dc=auth,dc=banana,dc=per,dc=in,dc=moodle,dc=com
      2. Encoding:
        1. AD: cp1252
        2. LDAP: utf-8
      3. User type:
        1. AD: MS ActiveDirectory
        2. LDAP: posixAccount
      4. ID Number Attribute
        1. AD: sAMAccountName
        2. LDAP: entryDn
      5. member attribute (enrol role mappings)
        1. AD: member
        2. LDAP: memberuid

      The following instructions were made using AD. Refer to the above if using OpenLDAP.

      1. Open auth_ldap settings and set:
        1. LDAP server settings:
          1. host URL: IP of your LDAP server
          2. Use TLS: No
          3. Encoding: cp1252
        2. Bind settings:
          1. Distinguished name: moodle@moodle.test.com
          2. Password: (the password you set)
        3. User lookup settings:
          1. User type: MS ActiveDirectory or `posixAccount`
          2. Contexts: ou=accounts,dc=moodle,dc=test,dc=com
          3. Search subcontexts: Yes
        4. User attribute: sAMAccountName
        5. Data mapping:
          1. First name: givenName
          2. Surname: sn
          3. Email address: mail
          4. ID number: sAMAccountName
          5. For each of the above set the update time to 'on every login'
      2. Open enrol_ldap settings and set:
        1. LDAP server settings:
          1. host URL: IP of your LDAP server
          2. Use TLS: No
          3. Encoding: cp1252
        2. Bind settings:
          1. Distinguished name: moodle@moodle.test.com
          2. Password: (the password you set)
        3. Role mapping:
          1. Teacher:
            1. Context: OU=Teachers,OU=2016,OU=Groups,DC=moodle,DC=test,DC=com
            2. attribute: member
          2. Student:
            1. Context: OU=Student,OU=2016,OU=Groups,DC=moodle,DC=test,DC=com
            2. attribute: member
          3. Member attribute uses dn: Yes
          4. User type: MS ActiveDirectory or `posixAccount`
          5. Id number attribute: sAMAccountName
        4. Course enrolment settings
          1. Object class: (objectClass=group)
          2. ID number: cn
          3. Short name: cn
          4. Full name: cn
          5. Summary: cn
        5. Automatic course creation settings
          1. Auto create: Yes
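
      The enrol_ldap role mappings above match the DNs held in each group's member attribute against Moodle users ('Member attribute uses dn: Yes'), and with OpenLDAP the ID number attribute is the user's entryDn. As an added example (not Moodle's code, and not the normalisation the unit tests refer to), the Python below shows a small DN normaliser that treats the mixed-case DNs from this plan as equal; lower-casing the values assumes case-insensitive attributes such as cn, ou and dc, and the sample DNs are constructed from the ones in these instructions.

```python
# Added illustrative DN normaliser (not Moodle's code). Attribute types are
# compared case-insensitively and whitespace around '=' and ',' is ignored.
# Values are lower-cased too, which ASSUMES case-insensitive attributes
# (true for cn/ou/dc, the only types used in this test plan).

def split_dn(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)      # keep the escaped character verbatim
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalise_dn(dn):
    """Return a canonical 'type=value,...' string for comparison."""
    parts = []
    for rdn in split_dn(dn):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def members_in_moodle(member_dns, moodle_idnumbers):
    """Map each group member DN to the matching Moodle idnumber (or None).

    Models the OpenLDAP case above, where idnumber is the user's entryDn.
    """
    by_norm = {normalise_dn(i): i for i in moodle_idnumbers}
    return {m: by_norm.get(normalise_dn(m)) for m in member_dns}


if __name__ == "__main__":
    # Constructed sample: AD-style member DN vs. the lower-case DN Moodle stored.
    group_members = ["CN=springer,OU=Accounts,DC=moodle,DC=test,DC=com",
                     "CN=nobody,OU=Accounts,DC=moodle,DC=test,DC=com"]
    idnumbers = ["cn=springer,ou=accounts,dc=moodle,dc=test,dc=com"]
    for member, match in members_in_moodle(group_members, idnumbers).items():
        print(f"{member} -> {match}")
```

A member that resolves to None would be the kind of user an enrolment sync considers not enrolled, which is what the before/after role_assignments check in the steps below is meant to catch.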

      Using Andrew's AD server

      1. Run the attached config script (mdl51723.php)
      2. Run an auth sync:

        php admin/tool/task/cli/schedule_task.php  --execute="\auth_ldap\task\sync_task"
        

        1. Check for errors
      3. Run it again, as the logic differs between creating and updating users
        1. Check for errors
      4. Run the ldap CLI sync too:

        php enrol/ldap/cli/sync.php
        

        1. Check for errors
      5. Rerun
        1. Check for errors
      6. Open up your DB, find the users who were created, grab their IDs and enter them into a search such as:

        SELECT * FROM mdl_role_assignments WHERE userid IN (<list of ids here>);
        

      7. Make a note of the results
      8. Log into your site using the following credentials:
        username: springer
        password: Password1!
      9. Attempt to access one of the courses MATH101, ECON101
      10. Rerun your DB query
        1. Confirm that the results have not changed
      11. Edit settings for enrol_ldap and change

        nested_groups = false
        user_type = Default
        

      12. Re-run the CLI sync
      13. Re-run the SQL query and note the results
      14. Log in again as Jerry Springer
      15. Re-run the SQL query
        1. No change in result count
    • Affected Branches:
      MOODLE_29_STABLE, MOODLE_30_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE, MOODLE_30_STABLE
    • Pull Master Branch:
      MDL-51723-master
    • Sprint:
      3.1 Sprint 4

      Description

      LDAP auth and sync worked perfectly in 2.8.6+, now users are unenrolled when they login on 2.9.2+. No changes to the config from 2.8.6+ to 2.9.2+.

      Forum posts
      https://moodle.org/mod/forum/discuss.php?d=314011
      https://moodle.org/mod/forum/discuss.php?d=320164

              People

              • Votes: 3
              • Watchers: 15

                Dates

                • Fix Release Date: 14/Mar/16