Moodle & ldap enrollment

[Oops_my_bad]

Has anyone got ldap enrollment working properly with active directory?

All my groups are setup in AD and populated with members. Whilst I can authenticate using ldap, I am still unable to get moodle to enroll users to courses automatically/create courses etc based on these groups

Could anyone who is using moodle/ldap/AD enrollment post their config if they don't mind!?

I've checked moodledocs and here etc, surely someone has it going?

Thanks

[ckuntz01]

I have it running after many hours of playing. What do you mean by "config"

If you can tell me what it is that you are looking for i can prolly get something for you. I can tell you a few tricks though:

You said you got logged in and the issue you are having comes from the enrolling part. The trick to the enrolling is that you need to call the group the same thing as the name of the class. I am not recalling which names needs to be the same (Full,Short,Course ID Number). I think it is the Short name or the Course ID Number that needs to be identical as the Group Name. The Pre 2000 Name DOES NOT have the be the same. When creating the group you need 2 OUS is AD. One for Student and one for Teachers. Then Under Courses-> enrollments Enable LDAP and click Edit.

In the LDAP Server Settings point to a valid account. For the Enrol_Ldap_bind_dn you need to give it the cn style.

Then in Rol mapping put the LDAP Contexts to the OUs created earlier for the Teacher and Students and the LDAP member Attribute is member.

I am attaching a screenshot of my course enrollment settings. And I have AutoCreate courses turned off.

Hope this helps. If not let me know and I can try to help you some more.

[Oops_my_bad]

Thanks ckuntz,

I have followed your advise which is consistent with what everyone else is saying, however my enrollment still fails. If you wouldn't mind, could you cast an eye over my configs?

LDAP server settings(ldap auth works fine)
Host URL: ldap://dc1.domain.internal;ldap://dc2.domain.internal
Version: 3
LDAP Encoding: utf-8

Bind settings
Hide Passwords: Yes
Distinguised name: CN=LDAP Bind Account,OU=Service Accounts,DC=domain,DC=internal
Password: <a very secure password>

User lookup settings
User type: MS ActiveDirectory
Contexts: OU=Students,DC=domain,DC=internal;OU=Staff,DC=doma in,DC=internal
Search Subcontexts:Yes
Dereference Aliases: No
user attribute: cn
member attribute: member
member attribute uses dn: <not set>
Object class: user

Force change password
Force change password: No
Use standard change password page: yes
Password format: plain text (for now)
Password change URL: <not set>

LDAP password expiration settings
Expiration: no
Expiration warning: 10
Expiration attribute: <not set>
Grace logins: no
Grace login attribute: <not set>

Enable user creation
Create users externally: No
Context for new users: <not set>

Course creator
Creators: Not set

<few bits from SSO omitted - not used>

Data mapping
First Name: givenName
Surname: sn
idnumber: cn

<LDAP Course Enrollment settings>

LDAP Server Settings
enrol_ldap_host_url: ldap://dc1.domain.internal;ldap://dc2.domain.internal
enrol_ldap_version: 3
enrol_ldap_bind_dn: CN=LDAP Bind Account,OU=Service Accounts,DC=domain,DC=internal
ldap_bind_pw: <very strong password>
ldap_search_sub: Yes

Role Mapping
Roles LDAP Contexts LDAP Member attribute
Teacher OU=staff,DC=domain,DC=internal member
Student OU=student,DC=domain,DC=internal member

Course enrolment settings
enrol_ldap_objectclass: group
enrol_ldap_course_idnumber: cn
enrol_ldap_course_shortname: cn
enrol_ldap_course_fullname: cn

Automatic course creation settings
enrol_ldap_autocreate: Yes
enrol_ldap_category: Miscellaneous
enrol_ldap_template: <not set>

Thanks

[ckuntz01]

The only thing I see different really from my config is the User Attribute in the User Lookup Settings on mine is sAMAccountName not cn. I could not get it to work with cn.

The only other thing I can think of is that I know that the enrollment happens when that user logs into moodle, it will not happen before then, but I am assuming that you know that

[allan67]

Can i just double check your LDAP setup, from what i can see you have 1 domain with 2 OU's in it?
The reason i ask is i have got this working in my set up but the student domain is a child of the staff domain so in order for it to work we had to tell authentication to look specifically at the global catalogue server (and port) and use universal groups in the staff domain which we could list the students in

[ckuntz01]

That is how mine is setup, 1 domain 2 OUs

[allan67]

did you run the ldap sync to get all the groups created as classes in Moodle

If you go into the autoenrolment section and read the blurb in the box at the top it talks about a link.

When you copy and paste this link a script runs which goes to LDAP, looks in the OU's with the groups and creates the courses.
Can i just check before you do this, you have defined a teacher and student OU. These OU's contain groups for example

Teacher OU
class1
Student OU
class1

[Oops_my_bad]

did you run the ldap sync to get all the groups created as classes in Moodle

If you go into the autoenrolment section and read the blurb in the box at the top it talks about a link.

When you copy and paste this link a script runs which goes to LDAP, looks in the OU's with the groups and creates the courses.
Can i just check before you do this, you have defined a teacher and student OU. These OU's contain groups for example

Teacher OU
class1
Student OU
class1

Hmmm, I have read about the ldap sync script. However as I understand it I dont need this if I am checking groups/memberships each time the person logs onto moodle!?

Thanks for the ideas anyway guys, plenty of fodder here to have a good crack at it this weekend, free from distractions

[allan67]

how did you get on with the auto enrollment?
I remeber every time we added a new group we had to run this script to populate moodle with the course. I think if you run this and try and logon as a student it should work

[Oops_my_bad]

well, I made some progress, not as much as I would have liked though

Figured out I needed to run the auth_ldap_sync_users.php and enrol_ldap_sync.php scripts on the server - d'oh however at first they weren't picking up the users (complained about not being able to find users in the tree despite it displaying the full distinguished name in the script output) so instead of using "cn" for the userid atribute in moodle I changed this to distinguisedNames - bingo, picks up all the staff and students now. I've only tried it with Teachers so far but when I logon to moodle now it does actually have that teacher assigned to that course, that's about as far as I got. Although I did notice when logged in as a teacher for that course, and clicking on the course, it still asks me "do I want to enroll on this course?".

I'm documenting all this together with a standard setup guide for IIS7.5/SQL express 2008 for those users who have Microsoft imposed on them, i'll be posting it on the wiki once it's done. There is very limited documentation for those of us using anything other than Apache/MySQL