Ok, I know you guys are probably fed up with questions re NTLM/SSO/LDAP but I have tried everything I know to get this to work properly.
If a student logs on to a machine and then logs on, the first time it asks for some extra details and it works fine. Then when they log on again everything is fine.
Same machine logged on as a member of staff, auto logon does not work, they click login and they are not authenticated. They enter their domain credentials in the login prompt and they are rejected as Invalid Users.
I logged on as a member of staff added the moodle site to the intranet sites, still no joy.
Running Moodle 1.9.5 on Server 2003 with IIS 6. Clients XP Pro & IE8.
I simply have no idea why it would work for a student and not a member of staff. I enabled/disabled any GP for the users.
Please, for the sake of the rest of my hair, does anyone have any ideas?
I think it should be:
ou=STM Users,dc=sstthomasmore,dc=local;ou=Pupils,dc=sstthomasmore,dc=local;ou=Staff,dc=sstthomasmore,dc=local
I could be wrong - it's one of those days!
No, I changed that and it still does not work.
I am sure it is one of the settings or something to do with the LDAP lookup. As though it cannot find the user I want. (I have tried a few!)
All students work.
NO staff work, except one account, rangermanager.
The thing is, even when I go to log on, if I type in the username and password of the account that I want to use it says invalid user.
I have absolutely no idea as to why this is failing for staff.

It's not something daft like the ldap bind user you are using is a delegated role which can only see student users?
Seeing the whole ldap config page from your moodle would be helpful.
LDAP Server Settings
Host URL: 172.16.0.2
Version: 3
LDAP Encoding: utf-8
Bind Settings
Hide Passwords: Yes
Bind User: CN=Moodle_Bind,OU=STM Users,DC=Stthomasmore,DC=local
Password: set [censored]
User Lookup Settings
User Type: MS Active Directory
Contexts: ou=STM Users,dc=stthomasmore,dc=local;ou=Pupils,dc=stthomasmore,dc=local;ou=STM_Staff,dc=stthomasmore,dc=local
Search Subcontexts: Yes
Dereference Aliases: No
NTLM SSO
Enabled: Yes
Subnet: 172.16.0.0/16
MS IE fast path?: Yes
All other settings are left as presented.
Strange that even if I enter the username, NTLM is failing for staff.
Just looked at yours compared to ours and the only real difference is that we have set the IE Fastpath to No.
Have you tried that?
Tried that, other than presenting a new screen that says "Attempting to login using NTLM SSO" it still fails.
Really strange, but I am sure a Sessionkey is being generated.
Do all the users have email addresses?
What are the extra details being asked for? That sounds like it's using the local user db and not LDAP.
ALL users have an e-mail address.
The extra fields it asks for are First Name, Last Name, Town, Country.
I even created a NEW user for the BIND account and checked it with LDP.exe
The account is fine and I can see all the details for any of the users that would want to logon with it.
This is really strange. Like I said, I have tried this on a machine with NO GPOs attached. Everything.
OK can you check the following;
DATA MAPPING
First Name = givenName, Update local = on every login, Update external = Never, Lock value = locked
Surname = sn, Update local = on every login, Update external = Never, Lock value = locked
Email address = mail, Update local = on every login, Update external = Never, Lock value = locked
City/town = (enter your details), Update local = on creation login, Update external = Never, Lock value = locked
Country = UK, Update local = on creation, Update external = Never, Lock value = locked
All the others in mine are
### = blank, Update local = on creation, Update external = Never, Lock value = locked
Can you also confirm that the module is enabled in Apache
(LoadModule ldap_module modules/mod_ldap.so)
Oh - is the LDAP bind user a member of the administrators OU?
Just trying the obvious things first!
We are not using Apache, we are using IIS.
I have set the mappings as you suggested.
I have also checked and the BIND user is a member of Administrators, pupils and staff groups.
oops - my mistake
In the Active authentication plugins, is the LDAP server the only one enabled?
If you delete the users from moodle and they log on again does it still ask for any information?
I'm just trying to see whether it's only using LDAP or some other authentication.
You've probably guessed - I'm running out of ideas!
I have just looked in the IIS logs.
The user is being AUTHENTICATED in IIS.
Staff Account:
2009-10-12 07:02:09 172.16.0.2 GET /moodle/login/index.php - 80 STTHOMASMORE\cover 172.16.1.5
2009-10-12 07:02:09 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_magic.php sesskey=TWQBWbDE4s 80 STTHOMASMORE\cover 172.16.1.5
2009-10-12 07:02:09 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_finish.php - 80 STTHOMASMORE\cover 172.16.1.5
2009-10-12 07:02:14 172.16.0.2 GET /moodle/login/index.php authldap_skipntlmsso=1 80 STTHOMASMORE\cover 172.16.1.5
Pupil Account:
2009-10-12 09:53:42 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_attempt.php - 80 STTHOMASMORE\form8a 172.16.1.5
2009-10-12 09:53:42 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_magic.php sesskey=DiOHHPbGhf 80 STTHOMASMORE\form8a 172.16.1.5
2009-10-12 09:53:46 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_finish.php - 80 STTHOMASMORE\form8a 172.16.1.5
As you can see, two users from the same machine, Cover does not work, and yet Form8a does work.
We are only using LDAP authentication.
Yes, if we delete a user from Moodle, it asks for the details again (which I would expect).
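The IIS lines above are the useful evidence in this thread: both accounts reach ntlmsso_finish.php, so IIS has completed NTLM for both, and only the staff account is then bounced back to login/index.php with authldap_skipntlmsso=1, which is Moodle giving up on SSO and showing the normal form. The script below is an added example (not from this thread or from Moodle) that reads W3C-style IIS lines in the field order shown in the post and reports, per account, whether the SSO hop completed or fell back; the log text is constructed from the lines in the thread.

```python
from collections import defaultdict

# Constructed sample, same field layout as the lines quoted in the thread:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
SAMPLE_LOG = """\
2009-10-12 07:02:09 172.16.0.2 GET /moodle/login/index.php - 80 STTHOMASMORE\\cover 172.16.1.5
2009-10-12 07:02:09 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_magic.php sesskey=TWQBWbDE4s 80 STTHOMASMORE\\cover 172.16.1.5
2009-10-12 07:02:09 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_finish.php - 80 STTHOMASMORE\\cover 172.16.1.5
2009-10-12 07:02:14 172.16.0.2 GET /moodle/login/index.php authldap_skipntlmsso=1 80 STTHOMASMORE\\cover 172.16.1.5
2009-10-12 09:53:42 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_attempt.php - 80 STTHOMASMORE\\form8a 172.16.1.5
2009-10-12 09:53:42 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_magic.php sesskey=DiOHHPbGhf 80 STTHOMASMORE\\form8a 172.16.1.5
2009-10-12 09:53:46 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_finish.php - 80 STTHOMASMORE\\form8a 172.16.1.5
"""

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port", "user", "c_ip"]

def parse_iis_line(line):
    """Split one W3C log line into a dict; skip '#' header lines and malformed rows."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0].startswith("#"):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS logs DOMAIN\user; Moodle's LDAP lookup works on the bare account name.
    rec["account"] = rec["user"].split("\\")[-1].lower()
    return rec

def classify_sso(records):
    """Per account: 'sso-ok', 'sso-fallback' (reached ntlmsso_finish.php but was
    then sent to the login form with authldap_skipntlmsso=1), or 'no-attempt'."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["account"]].append(r)
    verdicts = {}
    for account, recs in by_user.items():
        recs.sort(key=lambda r: (r["date"], r["time"]))
        finish = next((i for i, r in enumerate(recs)
                       if r["uri_stem"].endswith("/ntlmsso_finish.php")), None)
        if finish is None:
            verdicts[account] = "no-attempt"
            continue
        fell_back = any("authldap_skipntlmsso=1" in r["uri_query"] for r in recs[finish + 1:])
        verdicts[account] = "sso-fallback" if fell_back else "sso-ok"
    return verdicts

def analyse(log_text):
    records = [r for r in (parse_iis_line(l) for l in log_text.splitlines()) if r]
    return classify_sso(records)
```

An account reported as sso-fallback has already passed IIS's NTLM check, so the place to look is the LDAP side (bind account rights, contexts, and the attribute Moodle searches on), not the browser or GPO settings.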