Virtual Learning Platforms Thread, Moodle LDAP/NTLM/SSO ok for some? in Technical
  1. #1

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Moodle LDAP/NTLM/SSO ok for some?

    Ok, I know you guys are probably fed up with questions re NTLM/SSO/LDAP but I have tried everything I know to get this to work properly.



    If a student logs on to a machine and logs on, first time it asks for some extra details and works fine. Then when they log on again everything is fine.

    Same machine logged on as a member of staff, auto logon does not work, they click login and they are not authenticated. They enter their domain credentials in the login prompt and they are rejected as Invalid Users.

    I logged on as a member of staff and added the moodle site to the intranet sites, still no joy.

    Running Moodle 1.9.5 on Server 2003 with IIS 6. Clients XP pro & IE8.

    I simply have no idea why it would work for a student and not a member of staff. I enabled/disabled any GP for the users.

    Please, for the sake of the rest of my hair, does anyone have any ideas?

  2. #2
    alan-d's Avatar
    Join Date
    Aug 2005
    Location
    Sutton Coldfield
    Posts
    2,414
    Thank Post
    359
    Thanked 256 Times in 187 Posts
    Rep Power
    75
    I think it should be;

    ou=STM Users,dc=sstthomasmore,dc=local;ou=Pupils,dc=sstthomasmore,dc=local;ou=Staff,dc=sstthomasmore,dc=local

    I could be wrong - it's one of those days!

  3. #3

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    No, I changed that and it still does not work.

    I am sure it is one of the settings or something to do with the LDAP lookup. As though it can not find the user I want. (I have tried a few!)

    All students work.

    NO staff work, except one account, rangermanager.

    The thing is, even when I go to log on, if I type the username and password in of the account that I want to use it says invalid user.

    I have absolutely no idea as to why this is failing for staff.

  4. #4


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,687
    Thank Post
    352
    Thanked 794 Times in 714 Posts
    Rep Power
    346
    It's not something daft like the ldap bind user you are using is a delegated role which can only see student users?

    Seeing the whole ldap config page from your moodle would be helpful.

  5. #5

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    LDAP Server Settings
    Host URL: 172.16.0.2
    Version: 3
    LDAP Encoding: utf-8

    Bind Settings
    Hide Passwords: Yes
    Bind User: CN=Moodle_Bind,OU=STM Users,DC=Stthomasmore,DC=local
    Password: set

    User Lookup Settings
    User Type: MS Active Directory
    Contexts: ou=STM Users,dc=stthomasmore,dc=local;ou=Pupils,dc=stthomasmore,dc=local;ou=STM_Staff,dc=stthomasmore,dc=local
    Search Subcontexts: Yes
    Dereference Aliases: No

    NTLM SSO
    Enabled: Yes
    Subnet: 172.16.0.0/16
    MS IE fast path?: Yes

    All other settings are left as presented.

    Strange that even if I enter the username, NTLM is failing for staff.

  6. #6
    alan-d's Avatar
    Join Date
    Aug 2005
    Location
    Sutton Coldfield
    Posts
    2,414
    Thank Post
    359
    Thanked 256 Times in 187 Posts
    Rep Power
    75
    Just looked at yours compared to ours and the only real difference is that we have set the IE Fastpath to No.

    Have you tried that?

  7. #7

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Tried that, other than presenting a new screen that says "Attempting to login using NTLM SSO" it still fails.

    Really strange, but I am sure a Sessionkey is being generated.

  8. #8
    alan-d's Avatar
    Join Date
    Aug 2005
    Location
    Sutton Coldfield
    Posts
    2,414
    Thank Post
    359
    Thanked 256 Times in 187 Posts
    Rep Power
    75
    Do all the users have email addresses?

    What are the extra details being asked for? That sounds like it's using the local user db and not LDAP.

  9. #9

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    ALL users have an e-mail address.

    The extra fields it asks for are First Name, Last Name, Town, Country.

  10. #10

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    I even created a NEW user for the BIND account and checked it with LDP.exe

    The account is fine and I can see all the details for any of the users that would want to logon with it.

    This is really strange, like I said I have tried this on a machine with NO GPO's attached. Everything.

  11. #11
    alan-d's Avatar
    Join Date
    Aug 2005
    Location
    Sutton Coldfield
    Posts
    2,414
    Thank Post
    359
    Thanked 256 Times in 187 Posts
    Rep Power
    75
    OK can you check the following;
    DATA MAPPING
    First Name = givenName, Update local = on every login, Update external = Never, Lock value = locked

    Surname = sn, Update local = on every login, Update external = Never, Lock value = locked

    Email address = mail, Update local = on every login, Update external = Never, Lock value = locked

    City/town = (enter your details), Update local = on creation login, Update external = Never, Lock value = locked

    Country = UK, Update local = on creation, Update external = Never, Lock value = locked

    All the others in mine are
    ### = blank, Update local = on creation, Update external = Never, Lock value = locked

    Can you also confirm that the module is enabled in Apache
    (LoadModule ldap_module modules/mod_ldap.so)

    Oh - is the LDAP bind user a member of the administrators OU?

    Just trying the obvious things first

  12. #12

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    We are not using APACHE, using IIS

    I have set the mappings as you suggested.

    I have also checked and the BIND user is a member of Administrators, pupils and staff groups.

  13. #13
    alan-d's Avatar
    Join Date
    Aug 2005
    Location
    Sutton Coldfield
    Posts
    2,414
    Thank Post
    359
    Thanked 256 Times in 187 Posts
    Rep Power
    75
    Quote: Originally Posted by stm-tech
    We are not using APACHE, using IIS

    oops - my mistake

    In the Active authentication plugins, is the LDAP server the only one enabled?

    If you delete the users from moodle and they log on again does it still ask for any information?

    I'm just trying to see whether it's only using LDAP or some other authentication.

    You've probably guessed - I'm running out of ideas!!

  14. #14

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    I have just looked in the IIS logs,

    The user is being AUTHENTICATED in IIS,

    Staff Account:

    2009-10-12 07:02:09 172.16.0.2 GET /moodle/login/index.php - 80 STTHOMASMORE\cover 172.16.1.5
    2009-10-12 07:02:09 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_magic.php sesskey=TWQBWbDE4s 80 STTHOMASMORE\cover 172.16.1.5
    2009-10-12 07:02:09 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_finish.php - 80 STTHOMASMORE\cover 172.16.1.5
    2009-10-12 07:02:14 172.16.0.2 GET /moodle/login/index.php authldap_skipntlmsso=1 80 STTHOMASMORE\cover 172.16.1.5

    Pupil Account:
    2009-10-12 09:53:42 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_attempt.php - 80 STTHOMASMORE\form8a 172.16.1.5
    2009-10-12 09:53:42 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_magic.php sesskey=DiOHHPbGhf 80 STTHOMASMORE\form8a 172.16.1.5
    2009-10-12 09:53:46 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_finish.php - 80 STTHOMASMORE\form8a 172.16.1.5


    As you can see, two users from the same machine, Cover does not work, and yet Form8a does work.
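
The comparison made by eye in post #14, written as a small log check. This is an added example and not code from the thread or from Moodle: it flags any user whose request to ntlmsso_finish.php is followed by login/index.php with authldap_skipntlmsso=1, and any ntlmsso_magic.php request that IIS logged without a username. The field order is an assumption inferred from the lines as posted, and the verdict names are made up for this example.

```python
# Added example: field order inferred from the log lines in post #14
# (assumption; a real IIS W3C log declares its layout in a "#Fields:" header).
FIELDS = ("date", "time", "s_ip", "method", "uri", "query", "port", "user", "c_ip")

# The seven request lines from post #14, copied verbatim.
SAMPLE_LOG = r"""
2009-10-12 07:02:09 172.16.0.2 GET /moodle/login/index.php - 80 STTHOMASMORE\cover 172.16.1.5
2009-10-12 07:02:09 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_magic.php sesskey=TWQBWbDE4s 80 STTHOMASMORE\cover 172.16.1.5
2009-10-12 07:02:09 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_finish.php - 80 STTHOMASMORE\cover 172.16.1.5
2009-10-12 07:02:14 172.16.0.2 GET /moodle/login/index.php authldap_skipntlmsso=1 80 STTHOMASMORE\cover 172.16.1.5
2009-10-12 09:53:42 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_attempt.php - 80 STTHOMASMORE\form8a 172.16.1.5
2009-10-12 09:53:42 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_magic.php sesskey=DiOHHPbGhf 80 STTHOMASMORE\form8a 172.16.1.5
2009-10-12 09:53:46 172.16.0.2 GET /moodle/auth/ldap/ntlmsso_finish.php - 80 STTHOMASMORE\form8a 172.16.1.5
"""

def parse(text):
    """Yield one dict per well-formed request line; skip blanks and headers."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def classify_sso(text):
    """Map each user to a verdict, reading the log in chronological order."""
    verdict = {}
    for rec in parse(text):
        # IIS writes "-" when the request carried no authenticated identity.
        who = rec["user"] if rec["user"] != "-" else "anonymous@" + rec["c_ip"]
        uri = rec["uri"]
        if uri.endswith("/ntlmsso_magic.php") and rec["user"] == "-":
            verdict[who] = "no_windows_identity"      # failed at the IIS layer
        elif uri.endswith("/ntlmsso_finish.php"):
            verdict[who] = "no_fallback"              # provisional until a fallback is seen
        elif (uri.endswith("/login/index.php")
              and "authldap_skipntlmsso=1" in rec["query"]
              and verdict.get(who) == "no_fallback"):
            verdict[who] = "fallback_to_login_form"   # sent back to the manual login form
    return verdict

if __name__ == "__main__":
    for user, result in classify_sso(SAMPLE_LOG).items():
        print(f"{user}: {result}")
```

Both accounts carry a username on every request, so neither is flagged at the IIS layer; only the staff trace ends in the fallback to the login form.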

  15. #15

    Join Date
    Oct 2009
    Posts
    35
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    We are only using LDAP authentication.

    Yes, if we delete a user from Moodle, it asks for the details again. (which I would expect)
