Moodle: MDL-52386

LDAP syncs AD disabled users as active in Moodle


    Details

    • Testing Instructions:

      Prerequisites

      1. A MS Active Directory set up. Referred to as AD from hereon.
      2. A user in the Active Directory. Referred to as "the user" from hereon.

      Testing the default configuration

      1. Browse to "Site administration" > "Plugins" > "Authentication" > "Manage authentication"
      2. Enable the LDAP server plugin, and configure it with the following settings (leave anything not mentioned at its default setting):
        • Host URL: whatever the IP of your AD server is
        • LDAP encoding: cp1252
        • Distinguished name: should be something like administrator@activedirectory.domain.com
        • Password: AD administrator account password.
        • User type: "MS ActiveDirectory"
        • Contexts: cn=users,dc=activedirectory,dc=domain,dc=com
        • Search subcontexts: Yes
        • User attribute: samaccountname
      3. Run the LDAP synchronisation script:

        php admin/tool/task/cli/schedule_task.php --execute=\\auth_ldap\\task\\sync_task

      4. Verify there are no errors, and check that you see some new users created at "Site administration" > "Users" > "Accounts" > "Browse a list of users".
        • The users (there may be more than just the one you created in the prerequisites) will most likely not have names or emails, but just be blank entries. That's fine.
      5. Verify none of the users are suspended (the eye should not be crossed out). Confirm that in the users database table none of the new users have the suspended flag set.
      6. Enable the user on the Active Directory server, sync again, verify the user is still not suspended.
      7. Disable the user on the Active Directory server, sync again, verify the user is still not suspended.
      8. Delete the newly created users.
      9. Set the AD user to disabled.
      10. Run the sync script.
      11. Ensure the user is not suspended in Moodle.

      Testing the Suspend attribute field

      These instructions carry on from the previous ones (i.e., settings should be the same as in the last step of the previous instructions).

      1. Delete all the newly created users.
      2. Browse to "Site administration" > "Plugins" > "Authentication" > "LDAP Server"
      3. Set "Suspended attribute" to "useraccountcontrol".
      4. Make sure the user is disabled on the Active Directory.
      5. Run the sync script.
      6. Verify the user is created with the suspended flag set (I find it easiest to just check the database).
      7. Enable the user on Active Directory, resync.
      8. Verify they are still marked as suspended in Moodle.
      9. Delete the newly created users.
      10. Run the sync script, ensure the user is created without the suspended flag set.
      11. Disable the user in AD, resync.
      12. Ensure they are still not suspended.

      Testing the Synchronize local user suspension status field

      These instructions carry on from the previous ones (i.e., settings should be the same as in the last step of the previous instructions).

      1. Delete all the newly created users.
      2. Browse to "Site administration" > "Plugins" > "Authentication" > "LDAP Server"
      3. Set "Synchronize local user suspension status" to "Yes".
      4. Set the user to disabled in AD.
      5. Run the sync script.
      6. Verify they are suspended in Moodle.
      7. Set them to enabled in AD.
      8. Verify they are no longer suspended in Moodle.
      9. Set them back to disabled.
      10. Verify they are suspended in Moodle.
      11. Delete the newly created users.
      12. Set the user to enabled in AD.
      13. Run the sync script.
      14. Verify they are not suspended in Moodle.

      Also test that when "Synchronize local user suspension status" is set to "Yes" but "Suspended attribute" is empty, the behaviour is the same as in the first set of instructions.

    • Affected Branches:
      MOODLE_29_STABLE, MOODLE_31_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE
    • Pull Master Branch:
      MDL-52386-master
    • Sprint:
      3.1 Sprint 5

      Description

      Users in Active Directory that are set to disabled status (userAccountControl:1.2.840.113556.1.4.803:=2) are created in Moodle through the use of the LDAP plugin as active and should be created with the suspended flag set.

      While the disabled users cannot log in to Moodle, this issue leads to reporting errors. When all users are auto-enrolled in a course and a course completion report is generated all of these disabled users appear as active and not started. This artificially skews the numbers on the report (which for us is a problem since this is legally mandated security training for all active accounts).

      To reproduce this issue create a Moodle implementation that utilizes LDAP to connect to Active Directory, and under the plugin configuration, Cron synchronization script, set the Add new users option to yes and either manually or via cron execute the sync_users.php script. Make sure there is at least one user in AD within the base DN (or below if search subordinate is set to yes) with a disabled account. Once replicated, this disabled account will appear in Moodle as a regular active account without the suspended user flag set. The user will not be able to log in, but may be enrolled in courses and will appear as incomplete.
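      The following is an added example, not Moodle's own auth_ldap code, that models the decision the description is about: how a sync pass derives Moodle's suspended flag from AD's userAccountControl attribute (bit 0x2, ACCOUNTDISABLE, which is what the filter userAccountControl:1.2.840.113556.1.4.803:=2 selects). It also models the three configurations the testing instructions walk through: no "Suspended attribute" mapped, the attribute mapped but "Synchronize local user suspension status" off, and both on. The AD entries and the local user store are constructed in-line; the function and parameter names are assumptions for illustration.

```python
# Added example (not Moodle's code): deriving the "suspended" flag from
# Active Directory's userAccountControl during an LDAP user sync.
# All entry data below is constructed; attribute names follow the AD schema.

ACCOUNTDISABLE = 0x0002  # userAccountControl bit meaning "account disabled"

# Extensible-match filter (LDAP_MATCHING_RULE_BIT_AND, OID 1.2.840.113556.1.4.803)
# that selects disabled accounts server-side; the description quotes this rule.
DISABLED_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def is_disabled(entry):
    """True if the AD entry has ACCOUNTDISABLE set in userAccountControl."""
    uac = entry.get("useraccountcontrol")
    if uac is None:
        return False
    return (int(uac) & ACCOUNTDISABLE) != 0


def sync_users(ad_entries, local_users, suspended_attr=None, sync_suspension=False):
    """Apply one sync pass and return the (mutated) local user store.

    ad_entries:      list of dicts keyed by lowercased AD attribute names
    local_users:     dict username -> {"suspended": 0|1}
    suspended_attr:  the "Suspended attribute" setting (None = not mapped)
    sync_suspension: the "Synchronize local user suspension status" setting
    """
    for entry in ad_entries:
        username = entry["samaccountname"].lower()

        if suspended_attr is None:
            # Nothing mapped: AD state is never consulted, so disabled AD
            # accounts land in Moodle as active (the bug this issue reports).
            disabled = False
        elif suspended_attr.lower() == "useraccountcontrol":
            disabled = is_disabled(entry)
        else:
            # Generic boolean-style attribute (assumption: truthy string = disabled).
            val = str(entry.get(suspended_attr.lower(), "")).lower()
            disabled = val in ("1", "true", "yes")

        if username not in local_users:
            # Creation: the flag is taken from AD only if an attribute is mapped.
            local_users[username] = {"suspended": 1 if disabled else 0}
        elif sync_suspension and suspended_attr is not None:
            # Existing user: follow AD on every run only when sync is enabled.
            local_users[username]["suspended"] = 1 if disabled else 0
        # Otherwise an existing user keeps whatever flag it already has.
    return local_users


if __name__ == "__main__":
    # Constructed sample: 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2)
    entries = [
        {"samaccountname": "jdoe", "useraccountcontrol": "514"},
        {"samaccountname": "asmith", "useraccountcontrol": "512"},
    ]
    print("filter:", DISABLED_FILTER)
    print("default config:", sync_users(entries, {}))
    print("attribute mapped:", sync_users(entries, {}, suspended_attr="useraccountcontrol"))
```

      Running it shows why the report numbers skew: with the default configuration the disabled account jdoe is created with suspended=0, and only mapping "Suspended attribute" to useraccountcontrol flips it to 1 at creation; enabling "Synchronize local user suspension status" additionally makes later sync runs track changes in AD.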

      Dates

      • Fix Release Date: 23/May/16