Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-60666

LDAP Sync (auth/ldap) - prevents access to site as transaction blocks writes to mdl_user

XMLWordPrintable

    • MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_311_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE, MOODLE_37_STABLE, MOODLE_400_STABLE
    • MOODLE_311_STABLE, MOODLE_400_STABLE
    • mdl-60666-one-user-per-transaction
    • Hide

      Start LDAP Server

      $ docker run --rm --env LDAP_USERS=user01 --env LDAP_PASSWORDS=user01 -p 1389:1389 bitnami/openldap

      1. Configure Moodle
      2. Log in as admin
      3. Navigate to Plugins > Authentication > Manage authentication in site administration
      4. Ensure Prevent account creation when authenticating is not enabled
      5. Enable LDAP server
      6. Press Settings to configure LDAP server
        Set the following values:
        Host URL: ldap://localhost:1389 (or the IP address of the Docker container if not localhost)
        Distinguished name: cn=admin,dc=example,dc=org
        Password (Password for bind-user): adminpassword
        Contexts: ou=users,dc=example,dc=org
      7. Save changes
      8. Use Test settings from the Manage authentication page to confirm connection succeeds

      Test 1

      1. In LDAP auth settings (in Moodle) specify to match those fields to fields in your LDAP.
        Notes:
      2. For the standard profile fields, make sure to map at least the firstname, lastname and email. You can use following mapping for this test: Data mapping (First name) -> cn, Data mapping (Surname) -> sn, Data mapping (Email address)
        -> mail
      3. Make sure that for each of these mapped fields, "Update local" is set to "On every login".
      4. Create some users in LDAP with data in those fields (inside LDAP container).
      5. Create a ldif file to create a user such as useradd.ldif:

        # Add John Smith to the organization
        dn: uid=jsmith,ou=users,dc=example,dc=org
        changetype: add
        objectClass: inetOrgPerson
        cn: JohnSmith
        sn: Smith
        uid: jsmith
        mail: jsmith@example.com
        

      6. Run `ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=example,dc=org" -w adminpassword -f useradd.ldif` on the ldap server
      7. Run `ldappasswd -H ldap://localhost:1389 -x -D "cn=admin,dc=example,dc=org" -W -S "uid=jsmith,ou=users,dc=example,dc=org"`
        You will be prompted for password - type it, confirm (make sure to remember it - you will need it for login with LDAP users). Use adminpassword when prompted for LDAP password
      8. Repeat above steps to have multiples users (make sure changing uid, email, cn, sn)
      9. Run LDAP sync: `php admin/tool/task/cli/schedule_task.php --execute=\\auth_ldap\\task
        sync_task`
      10. Confirm users are created in Moodle and profile fields are filled.
      11. Change a user's field value in LDAP by creating a usermodify.ldif file e.g.:

         # Change John Smith to the organization
        dn: uid=jsmith,ou=users,dc=example,dc=org
        changetype: modify
        replace: mail
        mail: jsmith1234@example.com
        

      12. Run `ldapmodify -x -H ldap://localhost:1389 -D "cn=admin,dc=example,dc=org" -w adminpassword -f usermodify.ldif` on the ldap server
      13. Repeat for other users as well
      14. Modify auth/ldap/auth.php and add sleep(30); after line 880 so it looks like this:

                            $this->sync_roles($user);
                            sleep(15);

      15. Run the LDAP sync again: `php admin/tool/task/cli/schedule_task.php --execute=\\auth_ldap\\task
        sync_task`
      16. When seeing output like

        Updating user johnsmith3 id 127
        

        Try to login as that user to Moodle

      17. Ensure you can't login - browser will keep loading
      18. Once next user started to process, i.e. when you see next record

        Updating user johnsmith4 id 127
        

        Make sure you can login as user johnsmith3

      19. Confirm users are updated in Moodle and profile fields reflect new value.
      Show
      Start LDAP Server $ docker run --rm --env LDAP_USERS=user01 --env LDAP_PASSWORDS=user01 -p 1389 : 1389 bitnami/openldap Configure Moodle Log in as admin Navigate to Plugins > Authentication > Manage authentication in site administration Ensure Prevent account creation when authenticating is not enabled Enable LDAP server Press Settings to configure LDAP server Set the following values: Host URL: ldap://localhost:1389 (or the IP address of the Docker container if not localhost) Distinguished name: cn=admin,dc=example,dc=org Password (Password for bind-user): adminpassword Contexts: ou=users,dc=example,dc=org Save changes Use Test settings from the Manage authentication page to confirm connection succeeds Test 1 In LDAP auth settings (in Moodle) specify to match those fields to fields in your LDAP. Notes: For the standard profile fields, make sure to map at least the firstname, lastname and email. You can use following mapping for this test: Data mapping (First name) -> cn, Data mapping (Surname) -> sn, Data mapping (Email address) -> mail Make sure that for each of these mapped fields, "Update local" is set to "On every login". Create some users in LDAP with data in those fields (inside LDAP container). Create a ldif file to create a user such as useradd.ldif: # Add John Smith to the organization dn: uid=jsmith,ou=users,dc=example,dc=org changetype: add objectClass: inetOrgPerson cn: JohnSmith sn: Smith uid: jsmith mail: jsmith @example .com Run `ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=example,dc=org" -w adminpassword -f useradd.ldif` on the ldap server Run `ldappasswd -H ldap://localhost:1389 -x -D "cn=admin,dc=example,dc=org" -W -S "uid=jsmith,ou=users,dc=example,dc=org"` You will be prompted for password - type it, confirm (make sure to remember it - you will need it for login with LDAP users). Use adminpassword when prompted for LDAP password Repeat above steps to have multiples users (make sure changing uid, email, cn, sn) Run LDAP sync: `php admin/tool/task/cli/schedule_task.php --execute=\\auth_ldap\\task sync_task` Confirm users are created in Moodle and profile fields are filled. Change a user's field value in LDAP by creating a usermodify.ldif file e.g.: # Change John Smith to the organization dn: uid=jsmith,ou=users,dc=example,dc=org changetype: modify replace: mail mail: jsmith1234 @example .com Run `ldapmodify -x -H ldap://localhost:1389 -D "cn=admin,dc=example,dc=org" -w adminpassword -f usermodify.ldif` on the ldap server Repeat for other users as well Modify auth/ldap/auth.php and add sleep(30); after line 880 so it looks like this: $ this ->sync_roles($user); sleep( 15 ); Run the LDAP sync again: `php admin/tool/task/cli/schedule_task.php --execute=\\auth_ldap\\task sync_task` When seeing output like Updating user johnsmith3 id 127 Try to login as that user to Moodle Ensure you can't login - browser will keep loading Once next user started to process, i.e. when you see next record Updating user johnsmith4 id 127 Make sure you can login as user johnsmith3 Confirm users are updated in Moodle and profile fields reflect new value.

      As reported by other users (e.g. https://moodle.org/mod/forum/discuss.php?d=278900), users are unable to log in to the site while the LDAP sync task is running. The complete_user_login() method fails when attempting to update the last login timestamp.

      Access to the site also fails when trying to update the last access timestamp via user_accesstime_log().

       

      Leads to dml_write_exception error

        1. auth.php
          96 kB
        2. image-2020-05-21-03-06-34-040.png
          image-2020-05-21-03-06-34-040.png
          28 kB
        3. image-2020-05-22-02-20-34-359.png
          image-2020-05-22-02-20-34-359.png
          23 kB
        4. MDL-60666_master_1.webm
          357 kB
        5. MDL-60666_master_2.webm
          4.19 MB
        6. MDL-60666_v311_1.webm
          444 kB
        7. MDL-60666_v311_2.webm
          4.63 MB
        8. MDL-60666_v400_1.webm
          345 kB
        9. MDL-60666_v400_2.webm
          4.98 MB

            psistrom Peter Sistrom
            rhjcape Joseph Cape
            Brendan Heywood Brendan Heywood
            Ilya Tregubov Ilya Tregubov
            Angelia Dela Cruz Angelia Dela Cruz
            Votes:
            7 Vote for this issue
            Watchers:
            17 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 day, 40 minutes
                1d 40m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.