Cool Solution - Install Moodle/LDAP authentication

From Univention Wiki

Applies to: UCS Version 4.3
Applies to: UCS@School Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown here.

Please also note the legal information in the Terms of Service.

We will now connect Moodle to our LDAP server(s). Moodle will then create and map its users from the accounts found in the configured LDAP context(s).

This article is based on a successful installation of Moodle accomplished by following our Cool Solution "Install Moodle".

Prerequisites

After the Moodle basic configuration is done, deactivate Email-based self-registration and activate LDAP server (a pre-installed plugin) under Site Administration -> Plugins -> Authentication -> Manage authentication. Leaving self-registration enabled would allow anyone to create local Moodle accounts alongside the LDAP-managed ones. Please also confirm that the SAML2 plugin is disabled, if it is installed; we do not recommend having both authentication services enabled at the same time.

Next, create a simple authentication account using UDM. This account is used for the authenticated bind and only needs to read the directory. Follow the LDAP search user Cool Solution to create one.
To find the DN of the account, run the following command after it has been created:

udm users/ldap list --filter username=<NAME_OF_THE_ACCOUNT> | grep DN
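Before handing the account to Moodle, it is worth proving that it can bind over LDAPS with a verified server certificate and that it may read the attributes Moodle will map; the same search also reveals users without a primary e-mail address, which Moodle treats as mandatory. The following script is an added example for that check and is not part of the original article. It assumes the search account is named moodle-search as in this article, that you store its password in a root-only file /etc/moodle-ldap.secret (a path chosen for this example), that the UCS root CA is at its default location /etc/univention/ssl/ucsCA/CAcert.pem, and that the users live below cn=users,ou=<school>,<YOUR_LDAP_BASE> as in the configuration described in this article.

```bash
#!/bin/bash
# Pre-check for the Moodle search account (added example, not part of the original article).
# Assumptions: the account is named moodle-search, its password is stored by you in
# /etc/moodle-ldap.secret (root-owned, mode 0600, no trailing newline), and the UCS root CA
# is at its default location /etc/univention/ssl/ucsCA/CAcert.pem.
set -eu

password_file="/etc/moodle-ldap.secret"          # create with: printf '%s' 'PASSWORD' > /etc/moodle-ldap.secret
ldap_ca="/etc/univention/ssl/ucsCA/CAcert.pem"    # used to verify the LDAP server certificate

# Build Moodle's semicolon-separated host_url from the primary server and any additional servers.
ldap_host_url() {
    local url="ldaps://$1:7636"
    shift
    for host in "$@"; do
        url="$url;ldaps://$host:7636"
    done
    printf '%s\n' "$url"
}

# Count the entries in LDIF read from standard input (one "dn:" line per entry).
count_ldif_entries() {
    grep -c '^dn:' || true
}

# Authenticated LDAPS search as the Moodle bind account, with certificate verification.
# $1 = ldaps:// URI, $2 = bind DN, $3 = search base, $4 = filter, remaining = attributes
ldap_search_as_account() {
    local uri="$1" bind_dn="$2" base="$3" filter="$4"
    shift 4
    LDAPTLS_CACERT="$ldap_ca" ldapsearch -LLL -x -H "$uri" -D "$bind_dn" -y "$password_file" \
        -b "$base" -s sub "$filter" "$@"
}

# $1 = school OU name, $2 = uid of an existing user below that school
check_search_account() {
    local school="$1" test_uid="$2"
    local base primary url first_uri bind_dn context result
    base="$(ucr get ldap/base)"
    primary="$(ucr get ldap/server/name)"
    # ldap/server/addition is a space-separated list, so it is deliberately left unquoted
    url="$(ldap_host_url "$primary" $(ucr get ldap/server/addition))"
    echo "host_url for Moodle: $url"

    first_uri="${url%%;*}"
    bind_dn="uid=moodle-search,cn=users,$base"
    context="cn=users,ou=$school,$base"

    # 1) The bind works over LDAPS and the account may read the attributes Moodle maps.
    echo "== attributes Moodle will read for $test_uid =="
    ldap_search_as_account "$first_uri" "$bind_dn" "$context" "(uid=$test_uid)" \
        uid givenName sn mailPrimaryAddress uidNumber

    # 2) Users Moodle will not let past the profile page: no mailPrimaryAddress.
    result="$(ldap_search_as_account "$first_uri" "$bind_dn" "$context" \
        '(&(uid=*)(!(mailPrimaryAddress=*)))' uid)"
    echo "users below $context without mailPrimaryAddress: $(printf '%s\n' "$result" | count_ldif_entries)"
}

# The live checks need a UCS system; run them explicitly, e.g.
#   RUN_LDAP_CHECK=1 ./check-moodle-ldap.sh <school> <uid>
if [ "${RUN_LDAP_CHECK:-0}" = "1" ]; then
    check_search_account "${1:?school OU name}" "${2:?uid of a test user}"
fi
```

Create the password file with `printf '%s' 'PASSWORD' > /etc/moodle-ldap.secret; chmod 600 /etc/moodle-ldap.secret`; ldapsearch's -y option uses the file contents verbatim, so a trailing newline would become part of the password. If the first search does not print givenName, sn and mailPrimaryAddress for the test user, the bind failed or the account lacks read access, and Moodle would fail in the same way; a certificate error at this point means the CA path is wrong and should be fixed here rather than by disabling verification.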

Now the LDAP connection can be configured. You can do this either from the command line, as described next, or in the web browser (see the alternative further down).

LDAP configuration from the Command Line

Use the following script to configure the LDAP authentication plugin from the command line (the web browser alternative is described further down). Set the variables at the top of the script first. Because the script contains the bind password, save it to a file readable only by root and run it from there rather than pasting it into an interactive shell, where the password would end up in the shell history.

#!/bin/bash
set -e  # stop at the first failing command instead of leaving Moodle half-configured

# Please set the data of a simple authentication account here. Instructions on how to create one can be found here: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
ldap_search_user="uid=moodle-search,cn=users,<YOUR_LDAP_BASE>"
ldap_search_password="<YOUR_LDAP_SEARCH_PASSWORD>"
ldap_contexts="cn=users,ou=<school>,<YOUR_LDAP_BASE>" # Multiple separated with semicolons (';')
ldap_manager_contexts="cn=admins,cn=users,ou=<school>,<YOUR_LDAP_BASE>" # Multiple separated with semicolons (';')
ldap_course_creator_contexts="cn=mitarbeiter,cn=users,ou=<school>,<YOUR_LDAP_BASE>" # Multiple separated with semicolons (';')

# Obtain the LDAP server names from the Univention Configuration Registry.
# 'ucr shell' prints them as shell assignments (ldap/server/name becomes ldap_server_name).
eval "$(ucr shell ldap/server/name ldap/server/addition)"

# Moodle takes all servers as one semicolon-separated list; only LDAPS on port 7636 is used.
ldap_hosts="ldaps://$ldap_server_name:7636"
for host in ${ldap_server_addition:-}; do
    ldap_hosts="$ldap_hosts;ldaps://$host:7636"
done

# Helper: set one auth_ldap option through Moodle's CLI configuration tool
moodle_cfg() {
    php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="$1" --set="$2"
}

# Configure the LDAP Plugin
moodle_cfg host_url "$ldap_hosts"
moodle_cfg ldap_version 3

moodle_cfg bind_dn "$ldap_search_user"
moodle_cfg bind_pw "$ldap_search_password"

moodle_cfg contexts "$ldap_contexts"
moodle_cfg managercontext "$ldap_manager_contexts"
moodle_cfg coursecreatorcontext "$ldap_course_creator_contexts"

moodle_cfg search_sub 1          # also search the containers below each context
moodle_cfg removeuser 2          # 2 = fully delete Moodle users that are no longer found in LDAP when the user sync runs
moodle_cfg user_attribute uid
moodle_cfg memberattribute memberof
moodle_cfg memberattribute_isdn 1

# Profile fields: Moodle field -> UCS attribute. Every field is refreshed from LDAP on each
# login, never written back to LDAP, and locked against editing inside Moodle.
moodle_field_map="address:street city:l country:c department:departmentNumber
description:description email:mailPrimaryAddress firstname:givenName idnumber:uidNumber
institution:o lastname:sn phone1:telephoneNumber phone2:mobile"
for pair in $moodle_field_map; do
    field="${pair%%:*}"
    attribute="${pair#*:}"
    moodle_cfg "field_map_$field" "$attribute"
    moodle_cfg "field_lock_$field" locked
    moodle_cfg "field_updatelocal_$field" onlogin
    moodle_cfg "field_updateremote_$field" 0
done

You should now be able to log in as any user below the configured ldap_contexts containers. Note that some attributes, such as the e-mail address, are mandatory for Moodle: users without a valid e-mail address in UCS cannot leave their profile settings page, so make sure that every Moodle user has one. Also be aware of what removeuser=2 means: when Moodle's LDAP user synchronisation (auth/ldap/cli/sync_users.php) runs, users that are no longer found below the configured contexts are deleted from Moodle together with their data, so moving a user out of these containers in UCS removes them from Moodle on the next sync.

Alternative: LDAP configuration using the web browser

Change the following values under the web page Site Administration -> Plugins -> Authentication -> Manage authentication -> LDAP Server -> Settings to successfully configure the LDAP plugin.

(Screenshots of the settings page sections: LDAP server settings, Bind settings, User lookup settings, System role mapping, Data mapping.)

Hint: To obtain the LDAP Host URLs, execute the following code on your school server:

ldap_hosts="ldaps://$(ucr get ldap/server/name):7636"
for host in $(ucr get ldap/server/addition); do
    ldap_hosts="$ldap_hosts;ldaps://$host:7636"
done
echo "$ldap_hosts"

Hint: To obtain the LDAP base, execute the following command on any UCS server:

ucr get ldap/base

After obtaining the needed data, use the following settings to configure the plugin:

Key                          Value
LDAP server settings
  Host URL                   ldaps://<YOUR_LDAP_SERVER_FQDN>:7636   (several servers separated with ';', see the hint above)
  Version                    3
  Use TLS                    No   (this option means STARTTLS on a plain ldap:// port; it is not needed with ldaps:// and would fail on such a connection)
  LDAP encoding              utf-8
Bind settings
  Distinguished name         uid=moodle-search,cn=users,<YOUR_LDAP_BASE>
  Password                   <YOUR_LDAP_SEARCH_PASSWORD>
User lookup settings
  User type                  Default
  Contexts                   cn=users,ou=<school>,<YOUR_LDAP_BASE>
  Search subcontexts         Yes
  User attribute             uid
  Member attribute           memberOf
  Member attribute uses dn   Yes
System role mapping
  Manager context            cn=admins,cn=users,ou=<school>,<YOUR_LDAP_BASE>
  Course creator context     cn=mitarbeiter,cn=users,ou=<school>,<YOUR_LDAP_BASE>
User account synchronisation
  Removed ext user           Full delete internal   (applied when the LDAP user sync runs; the Moodle account and its data are deleted)
Data mapping (for all entries)
  Update local               On every login
  Update external            Never
  Lock value                 Locked
Data mapping attributes
  First name                 givenName
  Surname                    sn
  Email address              mailPrimaryAddress
  City/town                  l
  Country                    c
  Description                description
  ID number                  uidNumber
  Institution                o
  Department                 departmentNumber
  Phone                      telephoneNumber
  Mobile phone               mobile
  Address                    street

As with the command line route, you should now be able to log in as any user below the configured Contexts containers; the note about mandatory e-mail addresses applies equally, so make sure that every Moodle user has a valid e-mail address in UCS.
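Whichever route was used, the effective settings can be read back from Moodle and checked for the mistakes that silently weaken this setup: a plain ldap:// entry in Host URL (the bind password and every user's login password would cross the network in clear text), Use TLS switched on together with ldaps:// (STARTTLS fails on an already encrypted connection), an empty bind DN (anonymous bind), and the delete-on-sync behaviour of Removed ext user. The following audit script is an added example, not part of the original article or of Moodle; it assumes Moodle is installed in /var/www/moodle as in this article and that admin/cli/cfg.php prints a setting's current value when called without --set.

```bash
#!/bin/bash
# Audit of the auth_ldap settings stored in Moodle (added example, not part of the original
# article or of Moodle). Assumptions: Moodle lives in /var/www/moodle and
# admin/cli/cfg.php prints a setting's current value when called without --set.
set -eu

moodle_dir="/var/www/moodle"

# Read one auth_ldap setting back from Moodle (needs a working Moodle installation).
read_setting() {
    php "$moodle_dir/admin/cli/cfg.php" --component="auth_ldap" --name="$1"
}

# Judge one setting. Prints one line per finding and nothing when the value is fine.
# $1 = setting name, $2 = its value
audit_setting() {
    local name="$1" value="$2" entry rest
    case "$name" in
        host_url)
            # Every entry of the ';'-separated list must use ldaps://. With plain ldap://
            # the bind password and every user's login password cross the network in clear text.
            if [ -z "$value" ]; then
                echo "host_url: empty, no LDAP server configured"
            fi
            rest="$value"
            while [ -n "$rest" ]; do
                entry="${rest%%;*}"
                case "$entry" in
                    ldaps://*|"") ;;
                    *) echo "host_url: '$entry' is not an ldaps:// URL" ;;
                esac
                if [ "$rest" = "$entry" ]; then
                    break
                fi
                rest="${rest#*;}"
            done
            ;;
        start_tls)
            if [ "$value" = "1" ]; then
                echo "start_tls: STARTTLS is on; it fails on ldaps:// connections and is not needed there"
            fi
            ;;
        bind_dn)
            if [ -z "$value" ]; then
                echo "bind_dn: empty, Moodle would bind anonymously"
            fi
            ;;
        removeuser)
            if [ "$value" = "2" ]; then
                echo "removeuser: 2 = Moodle users no longer found in LDAP are deleted with their data by the user sync"
            fi
            ;;
    esac
}

# Audit a running Moodle. The live part needs the Moodle host; run it explicitly:
#   RUN_AUDIT=1 ./audit-moodle-ldap.sh
audit_moodle() {
    local name
    for name in host_url start_tls bind_dn removeuser; do
        audit_setting "$name" "$(read_setting "$name")"
    done
}

if [ "${RUN_AUDIT:-0}" = "1" ]; then
    audit_moodle
fi
```

An empty result means the four settings match this article; the removeuser line is printed on purpose with the configuration shown here, as a reminder that the first run of the LDAP user sync will delete Moodle accounts whose users are not found below the configured contexts.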

Restrictions

  • Class mapping: This article does not cover mapping UCS@School classes to Moodle groups. If you need assistance creating such a mapping, or would like the setup packaged, feel free to contact Univention for an offer.

Archive

  • There is a version of this article for UCS 4.2.