Unit tests cover several aspects of this change, including ensuring that the new normalisation (in master only) spits out the expected results.
In addition to this, you'll need to configure both auth_ldap and enrol_ldap and run some tests.
Configuring your own LDAP server
I've provided instructions for both Active Directory and OpenLDAP.
Active Directory
- Create some new Organisational Units (OU/containers) under moodle.test.com:
-> moodle.test.com
--> Builtin
--> Computers
--> Domain Controllers
--> Foreign Security Principals
--> Users
--> Service <-- create
--> Accounts <-- create
--> Groups <-- create
---> 2016 <-- create
----> Students <-- create
----> Teachers <-- create
- Under 'Service' create a new 'moodle' account. Give it a password which does not expire and cannot be changed. Uncheck the force password reset flag.
- Under 'Accounts' create a number of new accounts. Give them a password which does not expire but can be changed. Uncheck the force password reset flag.
- Set an e-mail address for all of the users
- Under 'Groups/2016/Students' create some new Groups:
  - 2016-ECON101 (pre-Windows 2000 name = 2016-STUD-ECON101)
  - 2016-MATH101 (pre-Windows 2000 name = 2016-STUD-MATH101)
- Under 'Groups/2016/Teachers' create some new Groups:
  - 2016-ECON101 (pre-Windows 2000 name = 2016-TEAC-ECON101)
  - 2016-MATH101 (pre-Windows 2000 name = 2016-TEAC-MATH101)
- Place several users in each of the subject groups (ECON101/MATH101)
OpenLDAP
- Set up OpenLDAP as per https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-a-basic-ldap-server-on-an-ubuntu-12-04-vps
- Create a structure as follows:
-> dc=yourhost,dc=per,dc=in,dc=moodle,dc=com
--> ou=service <-- create
--> ou=accounts <-- create
--> ou=groups <-- create
---> ou=2016 <-- create
----> ou=students <-- create
----> ou=teachers <-- create
- Under 'service' create a new 'moodle' account. Give it a password which does not expire and cannot be changed. Uncheck the force password reset flag.
- Under 'accounts' create a number of new accounts. Give them a password which does not expire but can be changed. Uncheck the force password reset flag.
- Set an e-mail address for all of the users
- Under 'groups/2016/students' create some new Groups:
  - 2016-ECON101
  - 2016-MATH101
- Under 'groups/2016/teachers' create some new Groups:
  - 2016-ECON101
  - 2016-MATH101
- Under each of the groups (ECON101/MATH101) add members by their full DN, e.g.
  cn=springer,ou=Accounts,dc=auth,dc=banana,dc=per,dc=in,dc=moodle,dc=com
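To make the OpenLDAP tree above reproducible rather than hand-built, here is an added example script (not part of the original instructions, and not Moodle code) that emits the whole structure as LDIF and optionally loads it with ldapadd. It assumes the suffix shown in the tree (override with BASE_DN), the cn=admin bind that the DigitalOcean guide creates, and the default Ubuntu slapd schemas (inetOrgPerson, posixAccount, posixGroup). The users other than springer, the mail domain and both passwords are constructed placeholders. Following the page, group members go into memberUid as full DNs, which is what 'Member attribute uses dn: Yes' expects later on.

```shell
#!/bin/sh
# Generate (and optionally load) the OpenLDAP test tree used by the enrol_ldap
# test plan. Added example; assumptions are marked below.
set -eu

BASE_DN="${BASE_DN:-dc=yourhost,dc=per,dc=in,dc=moodle,dc=com}"
SERVICE_PW="${SERVICE_PW:-ChangeMe-service}"   # bind password for cn=moodle (placeholder)
USER_PW="${USER_PW:-Password1!}"                # test users' password, as on the page

# One inetOrgPerson+posixAccount user under ou=accounts.
# $1 uid  $2 givenName  $3 sn  $4 uidNumber
ldif_user() {
  cat <<EOF
dn: cn=$1,ou=accounts,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
cn: $1
uid: $1
givenName: $2
sn: $3
mail: $1@moodle.test.com
uidNumber: $4
gidNumber: 10000
homeDirectory: /home/$1
userPassword: $USER_PW

EOF
}

# One posixGroup whose memberUid values are the members' full DNs
# (the page puts DNs in memberuid and sets "Member attribute uses dn: Yes").
# $1 students|teachers  $2 group cn  $3 gidNumber  $4.. member uids
ldif_group() {
  ou=$1; gcn=$2; gid=$3; shift 3
  printf 'dn: cn=%s,ou=%s,ou=2016,ou=groups,%s\n' "$gcn" "$ou" "$BASE_DN"
  printf 'objectClass: posixGroup\ncn: %s\ngidNumber: %s\n' "$gcn" "$gid"
  for m in "$@"; do
    printf 'memberUid: cn=%s,ou=accounts,%s\n' "$m" "$BASE_DN"
  done
  printf '\n'
}

# The whole tree: OUs, the service bind account, users, groups.
gen_ldif() {
  for ou in service accounts groups; do
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$BASE_DN" "$ou"
  done
  printf 'dn: ou=2016,ou=groups,%s\nobjectClass: organizationalUnit\nou: 2016\n\n' "$BASE_DN"
  for ou in students teachers; do
    printf 'dn: ou=%s,ou=2016,ou=groups,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$BASE_DN" "$ou"
  done
  # Account Moodle binds as. It only needs read access; never reuse cn=admin here.
  cat <<EOF
dn: cn=moodle,ou=service,$BASE_DN
objectClass: inetOrgPerson
cn: moodle
sn: moodle
uid: moodle
userPassword: $SERVICE_PW

EOF
  ldif_user springer Jerry Springer 10001   # on the page
  ldif_user lake     Ricki Lake     10002   # constructed
  ldif_user oprah    Oprah Winfrey  10003   # constructed
  ldif_group students 2016-ECON101 20001 springer lake
  ldif_group students 2016-MATH101 20002 springer
  ldif_group teachers 2016-ECON101 20003 oprah
  ldif_group teachers 2016-MATH101 20004 oprah lake
}

# Number of entries gen_ldif creates (one "dn:" line per entry).
count_entries() { gen_ldif | grep -c '^dn: '; }

# Load it:  LDAP_ADMIN_PW=... sh mk_tree.sh load
if [ "${1:-}" = "load" ]; then
  gen_ldif | ldapadd -x -H ldap://localhost -D "cn=admin,$BASE_DN" -w "$LDAP_ADMIN_PW"
fi
```

Run it with no argument to just print the LDIF and review it; `load` pipes it into ldapadd. Afterwards `ldapsearch -x -b "ou=groups,$BASE_DN" memberUid` should show the DNs you expect Moodle to resolve.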
Moodle setup
Several settings differ between AD and OpenLDAP. The main ones:
- Bind DN:
  - AD: moodle@moodle.test.com
  - OpenLDAP: cn=moodle,ou=Service,dc=auth,dc=banana,dc=per,dc=in,dc=moodle,dc=com
- Encoding:
  - AD: cp1252
  - OpenLDAP: utf-8
- User type:
  - AD: MS ActiveDirectory
  - OpenLDAP: posixAccount
- ID number attribute:
  - AD: sAMAccountName
  - OpenLDAP: entryDn
- Member attribute (enrol role mappings):
  - AD: member
  - OpenLDAP: memberuid
The following instructions were written against AD; substitute the OpenLDAP values above if you're using OpenLDAP.
- Open auth_ldap settings and set:
  - LDAP server settings:
    - Host URL: IP of your LDAP server
    - Use TLS: No (acceptable on a throwaway test box only; without TLS the bind password and user passwords cross the network in the clear)
    - Encoding: cp1252
  - Bind settings:
    - Distinguished name: moodle@moodle.test.com
    - Password: (the password you set)
  - User lookup settings:
    - User type: MS ActiveDirectory (or posixAccount for OpenLDAP)
    - Contexts: ou=accounts,dc=moodle,dc=test,dc=com
    - Search subcontexts: Yes
    - User attribute: sAMAccountName
  - Data mapping:
    - First name: givenName
    - Surname: sn
    - Email address: mail
    - ID number: sAMAccountName
    - For each of the fields above, set the update time to 'On every login'
- Open enrol_ldap settings and set:
  - LDAP server settings:
    - Host URL: IP of your LDAP server
    - Use TLS: No
    - Encoding: cp1252
  - Bind settings:
    - Distinguished name: moodle@moodle.test.com
    - Password: (the password you set)
  - Role mapping:
    - Teacher:
      - Context: OU=Teachers,OU=2016,OU=Groups,DC=moodle,DC=test,DC=com
      - Attribute: member
    - Student:
      - Context: OU=Students,OU=2016,OU=Groups,DC=moodle,DC=test,DC=com
      - Attribute: member
    - Member attribute uses dn: Yes
    - User type: MS ActiveDirectory (or posixAccount for OpenLDAP)
    - ID number attribute: sAMAccountName
  - Course enrolment settings:
    - Object class: (objectClass=group)
    - ID number: cn
    - Short name: cn
    - Full name: cn
    - Summary: cn
  - Automatic course creation settings:
    - Auto create: Yes
Using Andrew's AD server
- Run the attached config script (mdl51723.php)
- Run an auth sync:
  php admin/tool/task/cli/schedule_task.php --execute="\auth_ldap\task\sync_task"
- Check for errors
- Run it again, as the code path differs between creating and updating users
- Check for errors
- Run the enrol_ldap CLI sync too:
  php enrol/ldap/cli/sync.php
- Check for errors
- Rerun
- Check for errors
- Open up your DB, find the users who were created, grab their IDs and enter them into a query such as:
  SELECT * FROM mdl_role_assignments WHERE userid IN (<list of ids here>);
- Make a note of the results
- Log into your site using the following credentials:
  username: springer
  password: Password1!
- Attempt to access one of the courses MATH101, ECON101
- Rerun your DB query
- Confirm that the results have not changed
- Edit settings for enrol_ldap and change:
  nested_groups = false
  user_type = Default
- Re-run the CLI sync
- Re-run the SQL query and note the results
- Log in again as Jerry Springer (springer)
- Re-run the SQL query
- Confirm there is no change in the result count
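The sync-and-compare steps above are easy to get wrong by eye, so here is an added example script (not part of the original test plan or of Moodle) that drives them: it runs each sync twice, fails on any error output, and snapshots the LDAP users' course role assignments to a file so the "results have not changed" check becomes a diff. It goes a little beyond the page's `SELECT *` by joining to mdl_user, mdl_role, mdl_context and mdl_course so each row reads as username / role / course / component. It assumes a MySQL or MariaDB Moodle database with the default mdl_ prefix reachable via the mysql client, and MOODLE_DIR pointing at the web root; connection values are placeholders.

```shell
#!/bin/sh
# Drive the auth_ldap / enrol_ldap syncs and snapshot course role assignments
# before and after a test login. Added example; assumptions are marked below.
set -eu

MOODLE_DIR="${MOODLE_DIR:-/var/www/moodle}"          # assumption: Moodle web root
DB="${DB:-moodle}"; DB_USER="${DB_USER:-moodle}"; DB_PASS="${DB_PASS:-}"

# Course-level (contextlevel 50) role assignments for every LDAP-authenticated
# user. ra.component is 'enrol_ldap' for rows the LDAP enrolment plugin owns.
ROLE_SQL="
SELECT u.username, r.shortname AS role, c.shortname AS course, ra.component
  FROM mdl_role_assignments ra
  JOIN mdl_user u     ON u.id = ra.userid
  JOIN mdl_role r     ON r.id = ra.roleid
  JOIN mdl_context cx ON cx.id = ra.contextid AND cx.contextlevel = 50
  JOIN mdl_course c   ON c.id = cx.instanceid
 WHERE u.auth = 'ldap'
 ORDER BY 1, 2, 3, 4;"

# Run a command twice (create path on the first pass, update path on the
# second). Fail on a non-zero exit or on anything that looks like an error;
# the grep is a heuristic, so read the echoed output as well.
run_twice() {
  for pass in 1 2; do
    echo "## $* (pass $pass)"
    out=$("$@" 2>&1) || { echo "$out"; return 1; }
    echo "$out"
    echo "$out" | grep -qiE 'error|exception|warning' && return 1
  done
  return 0
}

# Both syncs from the page, in the order the page runs them.
sync_all() {
  cd "$MOODLE_DIR"
  run_twice php admin/tool/task/cli/schedule_task.php --execute='\auth_ldap\task\sync_task'
  run_twice php enrol/ldap/cli/sync.php
}

# Write the current assignment set to file $1 (tab-separated, already sorted).
snapshot() {
  mysql -N -B -u "$DB_USER" -p"$DB_PASS" "$DB" -e "$ROLE_SQL" > "$1"
}

# 0 if the two snapshots are identical, 1 (printing the diff) otherwise.
unchanged() {
  if diff -u "$1" "$2"; then return 0; else return 1; fi
}

case "${1:-}" in
  sync)     sync_all ;;
  snapshot) snapshot "${2:?snapshot file}" ;;
  compare)  unchanged "${2:?before file}" "${3:?after file}" ;;
esac
```

Typical run: `sh check_sync.sh sync`, then `sh check_sync.sh snapshot before.tsv`, log in as springer and open ECON101 or MATH101 in the browser, then `sh check_sync.sh snapshot after.tsv` and `sh check_sync.sh compare before.tsv after.tsv`. A non-zero exit from compare means a login changed role assignments, which is exactly the regression this test plan is looking for. Repeat the snapshot/compare pair after switching nested_groups and user_type.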