Basic Scenario

The simple and straightforward approach for most installations.

Assumptions

Moodle supports several types of LDAP servers which have different directory structures, special configuration settings, etc. Even if using the same LDAP server type (e.g., MS Active Directory), each site could use a completely different directory structure to hold its user accounts, groups, etc. In order to be able to show example configuration settings in the sections below, we are going to assume a hypothetical Moodle site and LDAP server with the characteristics listed below. IMPORTANT NOTICE: be sure to check your Moodle site and LDAP server details (including its directory structure) and adjust the settings to reflect your own setup.
Enabling LDAP authentication

An administrator can enable LDAP authentication as follows:
Now, you just have to fill in the values. Let's go step by step.

LDAP Server Settings
Bind settings

User lookup settings
Force change password
LDAP password expiration settings
Enable user creation
Assign system roles
User account synchronisation
NTLM SSO
Data Mapping
Custom User profile fields

Any user profile fields created in Site administration > Users > Accounts > User profile fields should now automatically show up at the end of the Data mapping field list after the Address field. See example:

Enabling the LDAP users sync job

The LDAP users sync job (\auth_ldap\task\sync_task) scheduled task (new in Moodle 3.0; previously there was a CLI script, see MDL-51824 for more info) is responsible for creating and updating user information, and suspending and deleting LDAP accounts. After enabling LDAP server authentication, an administrator needs to enable and configure the LDAP users sync job as follows:
Warning: It is important to make sure that all LDAP settings are working properly before enabling the LDAP users sync job (as well as backing up your database and moodledata folders), since incorrect LDAP configuration can result in users being wrongly deleted!

If you find that the script is not running through all of your users properly and you have over 1000 users in each LDAP container, this is because by default some LDAP stores such as MS AD only send back 1000 users at a time, and PHP versions prior to 5.4 did not implement paged support for LDAP results. If you upgrade to PHP 5.4 or higher, then Moodle will obtain all your users correctly. If you can't upgrade to PHP 5.4 you may be able to follow the instructions in http://support.microsoft.com/kb/315071 to set the Active Directory MaxPageSize setting to a number higher than your total number of users (both now and in future) to fix it. This is a forest-wide setting.

Active Directory help

Active Directory is Microsoft's directory service. It is included in Windows 2000 Server and later versions of their operating system. For more information about the subjects below, please go here.
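The 1000-entry truncation described above, as an added simulation that is not Moodle's or PHP's code: it shows what a sync job sees without paged results and the cookie-driven RFC 2696 loop that a paging-capable client runs. The directory, the DNs and the MAX_PAGE_SIZE value are constructed for the example.

```python
# Added example, not from the Moodle docs: an in-memory simulation of why a
# user sync stops at 1000 entries against Active Directory and how the RFC 2696
# paged-results control (what PHP >= 5.4 exposes as ldap_control_paged_result)
# fixes it. MAX_PAGE_SIZE stands in for AD's MaxPageSize; the directory is
# constructed here, not read from a real server.

MAX_PAGE_SIZE = 1000  # Active Directory default, a forest-wide setting


class FakeActiveDirectory:
    """In-memory stand-in for one AD container holding user_count users."""

    def __init__(self, user_count):
        self.users = [f"uid=user{i:05d},ou=people,dc=example,dc=com"
                      for i in range(user_count)]

    def search(self, page_size=None, cookie=b""):
        """Return (entries, next_cookie).

        Without the paged-results control (page_size is None) the server
        applies MaxPageSize and hands back only the first 1000 entries: the
        truncated result an old PHP client sees. With the control, each call
        returns at most min(page_size, MaxPageSize) entries plus a cookie
        marking the position; an empty cookie means the set is exhausted.
        """
        if page_size is None:
            return self.users[:MAX_PAGE_SIZE], b""
        start = int(cookie) if cookie else 0
        limit = min(page_size, MAX_PAGE_SIZE)
        chunk = self.users[start:start + limit]
        end = start + len(chunk)
        next_cookie = str(end).encode() if end < len(self.users) else b""
        return chunk, next_cookie


def fetch_users_unpaged(directory):
    """What a client without paged-results support gets back."""
    entries, _ = directory.search()
    return entries


def fetch_users_paged(directory, page_size=1000):
    """The paged loop: request a page, follow the cookie until it is empty."""
    entries, cookie = [], b""
    while True:
        page, cookie = directory.search(page_size=page_size, cookie=cookie)
        entries.extend(page)
        if not cookie:  # server returned an empty cookie: no more pages
            return entries
```

Raising MaxPageSize on the server side (the KB article route) corresponds to increasing MAX_PAGE_SIZE here; the paged loop works regardless of that value.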
Advanced Scenarios - Multiple servers or locations

For larger installations with multiple LDAP servers, or multiple locations (contexts) in a LDAP tree.

Making your LDAP directory connection resilient
ldap://my.first.server; ldap://my.second.server; ...

Of course, this will only work if all the servers share the same directory information: if using eDirectory you would need to ensure your servers have visibility of all relevant tree partitions, and if using Active Directory the servers must hold the same information you need through replication (see the notes on a multi-domain environment if this applies). There is one drawback in the Moodle 1.5 - 1.6 implementation of LDAP authentication: the auth_ldap_connect() function processes the servers sequentially, not in round-robin mode. Thus, if the primary server fails, you will have to wait for the connection to time out before switching to the following one.

See also: Using multiple LDAP servers - Our students are on separate domain forum discussion

Using a multi-domain AD environment
my.domain.ca (Root AD Domain)
|- dc1.my.domain.ca (Domain Controller)
|- dc2.my.domain.ca (Domain Controller)
|
|-- students.my.domain.ca (Sub AD Domain)
|--- dc1.students.my.domain.ca (Domain Controller)
|--- dc2.students.my.domain.ca (Domain Controller)
|
|-- faculty.my.domain.ca (Sub AD Domain)
|--- dc1.faculty.my.domain.ca (Domain Controller)
|--- dc2.faculty.my.domain.ca (Domain Controller)

In this example we have our top level domain (my.domain.ca) and two sub-domains. One sub-domain is for faculty accounts (faculty.my.domain.ca) and the other is for student accounts (students.my.domain.ca). Listed under each of those are two domain controllers.

Using the above example you'll want to use the following for accessing the Global Catalog over SSL:

ldaps://my.domain.ca:3269/

If you prefer to access your global catalog over a non-SSL connection you'll want to use:

ldap://my.domain.ca:3268/

We found that if you didn't configure things this way you'd get errors like:

[Thu May 26 15:23:53 2011] [error] [client 192.168.xxx.xxx] PHP Warning: ldap_search() [<a href='function.ldap-search'>function.ldap-search</a>]: Search: Partial results and referral received in /xxx/xxx/moodle20/lib/ldaplib.php on line 241, referer: http://moodle.my.domain.ca/moodle20/login/index.php
[Thu May 26 15:23:53 2011] [error] [client 192.168.xxx.xxx] PHP Warning: ldap_first_entry(): supplied argument is not a valid ldap result resource in /xxx/xxx/moodle20/lib/ldaplib.php on line 248, referer: http://moodle.my.domain.ca/moodle20/login/index.php

Using multiple user locations (contexts) in your LDAP tree

There is no need to use multiple user locations if your directory tree is flat, i.e. if all user accounts reside in a ou=people,dc=my,dc=organization,dc=domain or ou=people,o=myorg container.
Conversely, if you use the ACL mechanism to delegate user management, chances are that your users will be stored in containers like ou=students,ou=dept1,o=myorg and ou=students,ou=dept2,o=myorg ... Then there is an alternative:
Choosing between these two solutions requires some benchmarking, as the result depends heavily on the structure of your directory tree and on your LDAP software's indexing capabilities. Note that in such deep trees there is a chance that two users share the same common name (cn) while having different distinguished names; only the second solution will then have a deterministic result (always returning the same user).

Using LDAPS (LDAP over SSL)

Enabling LDAPS on your directory server
Enabling LDAPS on your Moodle server

Enabling LDAPS on your server can be tricky, and it is often hard to pinpoint where things are going wrong. There are also differences between Windows and Linux, and even between different versions and distributions of Linux. If you have not done so already, you will need to decide upon your approach to establishing an SSL connection to your directory server:
You can generate your own SSL certificate, and then instruct your Moodle server to ignore the fact that it is not valid. This setup is not as secure as others since you cannot be sure the server you are connecting to is not fake.
You can generate your own SSL certificate on your directory server, and then specifically trust this certificate by installing it on your Moodle server.
In this approach the LDAP server has a certificate installed from an Internet-based CA, which means that your directory server would have an Internet address and host name. Your Moodle server must trust the certificate authority and have Internet access. This approach is not often used as it usually incurs a cost for the certificate, and it requires your directory server and Moodle server to be exposed to the Internet.

Linux servers

These instructions are for establishing a link using a trusted self-signed certificate. Note: written for a Red Hat Enterprise Linux 6 server; other Linux distributions may differ, especially in the location of the SSL certificates and OpenLDAP config files, but the core principles are the same.

To check that your directory server is online and accepting SSL connections on your LDAPS port (636), you can try:

openssl s_client -connect <ldap server ip address>:636

Get your directory server's certificate (.crt) and upload it to the Moodle server's SSL certificate directory; on RHEL6 this is /etc/ssl/certs.

Convert your 'DER' X509 certificate into a 'PEM' public key certificate:
openssl x509 -in my_server_certificate.cer -inform DER -out my_server_certificate.pem -outform PEM

Create certificate hashes using c_rehash:

c_rehash

If c_rehash is not installed, install it with:

yum install /usr/bin/c_rehash

Ensure you are able to access your LDAPS server by a DNS name; this may mean adding an entry to your hosts file (/etc/hosts):

<ldap server ip address> my_server.mydomain.school

Verify your certificate to check that it is installed correctly:

openssl verify -verbose -CApath /etc/ssl/certs /etc/ssl/certs/my_server_certificate.pem
/etc/ssl/certs/my_server_certificate.pem: OK

You should now be able to connect to your LDAPS server over SSL without any errors:

openssl s_client -connect <ldap server DNS name>:636

Edit your OpenLDAP config; on RHEL6 this is located at /etc/openldap/ldap.conf:

# Define location of a CA Cert
TLS_CACERT /etc/ssl/certs/my_server_certificate.pem
TLS_CACERTDIR /etc/ssl/certs

Finally, you may or may not need to restart Apache before configuring Moodle to use ldaps://<server DNS name>:

httpd -k restart

Windows servers

These instructions are for establishing a link using an unverified self-signed certificate. You can tell PHP's OpenLDAP extension to disable SSL server certificate checking. To do this you must create a directory called 'C:\OpenLDAP\sysconf\' and, in this directory, create a file called ldap.conf with the following content:

TLS_REQCERT never

(If you are using certain versions of PHP 5.3.x you may need to place the file at other locations, see PHP bug #48866.) Now you should be able to use ldaps:// when connecting to your LDAP server.

Appendices

Setting Resource Limits

RedHat Directory Server

Operational attributes can be set for the bind user DN using the command line. One can simply use ldapmodify to add the following attributes:
LDAP Console Command-Line

ldapmodify -h redhat_dir_server -p 389 -D "cn=directory manager" -w secretpwd
dn: uid=MoodleAdmin,ou=system,dc=myschool,dc=edu
changetype: modify
add: nsSizeLimit
nsSizeLimit: 1000

Any questions?

Please post in the Authentication forum on moodle.org.

See also
Forum discussions: