Users are unenrolled on login under LDAP auth with Active Directory

Unit tests cover several aspects of this change, including ensuring that the new normalisation (in master only) spits out the expected results.

In addition to this, you'll need to configure both auth_ldap and enrol_ldap and run some tests.

Configuring your own LDAP server

I've provided instructions for both Active Directory, and OpenLDAP

Active Infectory

1. Create some new Organisational Units (OU/containers) under moodle.test.com:

   -> moodle.test.com

   --> Builtin

   --> Computers

   --> Domain Controllers

   --> Foreign Security Principals

   --> Users

   --> Service <-- ********

   --> Accounts <-- ********

   --> Groups <-- ********

   ---> 2016 <-- ********

   ----> Students <-- ********

   ----> Teachers <-- ********

2. Under 'Service' create a new 'moodle' account. Give it a password which does not expire and cannot be changed. Uncheck the force password reset flag.
3. Under 'Accounts' create a number of new accounts. Give them a password which does not expire but can be changed. Uncheck the force password reset flag.
4. Set an e-mail address for all of the users
5. Under 'Groups/2016/Students' create some new Groups:
   1. 2016-ECON101 (pre-Windows 2000 name = 2016-STUD-ECON101)
   2. 2016-MATH101 (pre-Windows 2000 name = 2016-STUD-MATH101)
6. Under 'Groups/2016/Teachers' create some new Groups:
   1. 2016-ECON101 (pre-Windows 2000 name = 2016-TEAC-ECON101)
   2. 2016-MATH101 (pre-Windows 2000 name = 2016-TEAC-MATH101)
7. Place several users in each of the subject groups (ECON101/MATH101)

OpenLDAP

1. Set up OpenLDAP as per https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-a-basic-ldap-server-on-an-ubuntu-12-04-vps
2. Create a structure as follows:

   -> dc=yourhost,dc=per,dc=in,dc=moodle,dc=com

   --> ou=service <-- ********

   --> ou=accounts <-- ********

   --> ou=groups <-- ********

   ---> ou=2016 <-- ********

   ----> ou=students <-- ********

   ----> ou=teachers <-- ********

3. Under 'service' create a new 'moodle' account. Give it a password which does not expire and cannot be changed. Uncheck the force password reset flag.
4. Under 'accounts' create a number of new accounts. Give them a password which does not expire but can be changed. Uncheck the force password reset flag.
5. Set an e-mail address for all of the users
6. Under 'groups/2016/students' create some new Groups:
   1. 2016-ECON101
   2. 2016-MATH101
7. Under 'groups/2016/teachers' create some new Groups:
   1. 2016-ECON101
   2. 2016-MATH101
8. Under each of the groups (ECON101/MATH101) add members using their dn, e.g.

   cn=springer,ou=Accounts,dc=auth,dc=banana,dc=per,dc=in,dc=moodle,dc=com

Moodle setup

Various things differ between AD and LDAP. Here are a few:

1. bindDN:
   1. AD: moodle@moodle.test.com
   2. LDAP: cn=moodle,ou=Service,dc=auth,dc=banana,dc=per,dc=in,dc=moodle,dc=com
2. Encoding:
   1. AD: cp1252
   2. LDAP: utf-8
3. User type:
   1. AD: MS ActiveDirectory
   2. LDAP: posixAccount
4. ID Number Attribute
   1. AD: sAMAccountName
   2. LDAP: entryDn
5. member attribute (enrol role mappings)
   1. AD: member
   2. LDAP: memberuid

The following instructions were made using AD. Refer to the above if using OpenLDAP

1. Open auth_ldap settings and set:
   1. LDAP server settings:
      1. host URL: IP of your LDAP server
      2. Use TLS: No
      3. Encoding: cp1252
   2. Bind settings:
      1. Distinguished name: moodle@moodle.test.com
      2. Password: (the password you set)
   3. User lookup settings:
      1. User type: MS ActiveDirectory or `posixAccount`
      2. Contexts: ou=accounts,dc=moodle,dc=test,dc=com
      3. Search subcontexts: Yes
   4. User attribute: sAMAccountName
      1. Data mapping:
      2. First name: givenName
      3. Surname: sn
      4. Email address: mail
      5. ID number; sAMAccountName
      6. ^^^ For each of the above set the update time to 'on every login'
2. Open enrol_ldap settings and set:
   1. LDAP server settings:
      1. host URL: IP of your LDAP server
      2. Use TLS: No
      3. Encoding: cp1252
   2. Bind settings:
      1. Distinguished name: moodle@moodle.test.com
      2. Password: (the password you set)
   3. Role mapping:
      1. Teacher:
         1. Context: OU=Teachers,OU=2016,OU=Groups,DC=moodle,DC=test,DC=com
         2. attribute: member
      2. Student:
         1. Context: OU=Student,OU=2016,OU=Groups,DC=moodle,DC=test,DC=com
         2. attribute: member
      3. Member attribute uses dn: Yes
      4. User type: MS ActiveDirectory or `posixAccount`
      5. Id number attribute: sAMAccountName
   4. Course enrolment settings
      1. Object class: (objectClass=group)
      2. ID number: cn
      3. Short name: cn
      4. Full name: cn
      5. Summary: cn
   5. Autmatic course creation settings
      1. Auto create: Yes

Using Andrew's AD server

1. Run the attached config script (mdl51723.php)
2. run an auth sync:

   php admin/tool/task/cli/schedule_task.php --execute="\auth_ldap\task\sync_task"

   1. Check for errors
3. run it again as the logic changes between creating and update users
   1. Check for errors
4. Run the ldap CLI sync too:

   php enrol/ldap/cli/sync.php

   1. Check for errors
5. Rerun
   1. Check for errors
6. Open up your DB, find the users who were created, grab their IDs an enter them into a search such as:

   SELECT * FROM mdl_role_assignments WHERE userid IN (<list of ids here>);

7. Make a note of the results
8. Log into your site using the following credentials:
   username: springer
   password: Password1!
9. Attempt to access one of the courses MATH101, ECON101
10. Rerun your DB query
    1. Confirm that the results have not changed
11. Edit settings for enrol_ldap and change

    nested_groups = false

    user_type = Default

    #Â Re-run the CLI sync

12. Re-run the SQL query and note the results
13. Login again as our Jerry Springer again
14. Re-run the SQL query
    1. no change in result count