Difference between revisions of "Cool Solution - Install Moodle/LDAP authentication"

From Univention Wiki

Applies to: UCS 4.3, UCS@school 4.3

This page has been moved to the Knowledge Base Cool Solutions in the Forum.
[https://help.univention.com/t/cool-solution-install-moodle-ldap-authentication/12297/4 Cool Solution - Install Moodle / LDAP authentication]

We will now connect Moodle with our LDAP server(s). Moodle will create and map its users from the accounts found in the LDAP context(s) we specify.
 
 
This article is based on a successful installation of Moodle accomplished by following our [[Cool Solution - Install Moodle|Cool Solution "Install Moodle"]].
 
 
 
== Prerequisites ==
 
 
 
After the Moodle basic configuration is done, the option '''Email-based self-registration''' should be deactivated and '''LDAP server''' (a pre-installed plugin) should be activated under '''Site Administration''' -> '''Plugins''' -> '''Authentication''' -> '''Manage authentication'''. Please confirm that the '''SAML2''' plugin is disabled, if installed; we do not recommend having both authentication methods enabled at the same time.
 
 
 
Next, a simple authentication account should be created using the UDM. This account is used for the authenticated bind and only needs read access to the directory, so do not reuse an administrative account for it. Follow the [https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user LDAP search user] Cool Solution to create one. <br>
To find the DN of the account, issue the following command on the command line after it has been created:
<pre>
udm users/ldap list --filter username=<NAME_OF_THE_ACCOUNT> | grep DN
</pre>
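Before pointing Moodle at the directory it is worth proving that the search account can actually bind over LDAPS and read the user entries. The following script is an added example and not part of the original Cool Solution: it derives the Moodle ''Host URL'' value from UCR the same way the configuration script below does, and then binds as the search account with <code>ldapsearch</code> against those servers. It assumes (not stated on this page) that the UCS CA certificate is at /etc/univention/ssl/ucsCA/CAcert.pem, that ldap-utils is installed, and that the bind password is stored in a root-only file rather than passed on the command line.

```bash
#!/bin/bash
# Added example, not part of the original Cool Solution: derive the Moodle "Host URL"
# value from UCR exactly as the configuration script does, then prove that the search
# account can bind to every LDAP server over LDAPS before Moodle is pointed at it.
# Assumptions (not from the original page): the UCS CA certificate lives at
# /etc/univention/ssl/ucsCA/CAcert.pem, ldapsearch from ldap-utils is installed, and the
# bind password is kept in a root-only file instead of being passed on the command line.

# Pure helper: primary server name plus an optional space-separated list of additional
# servers -> "ldaps://primary:7636;ldaps://second:7636;..." (Moodle's ';'-separated format).
build_host_url() {
    local primary="$1" addition="${2:-}" hosts host
    hosts="ldaps://${primary}:7636"
    for host in $addition; do
        hosts="${hosts};ldaps://${host}:7636"
    done
    printf '%s\n' "$hosts"
}

# Moodle wants ';' between URLs, ldapsearch -H wants a space-separated list: convert.
host_url_to_uris() {
    printf '%s\n' "$1" | tr ';' ' '
}

# Live check (runs only when called explicitly): bind as the search account against the
# servers in the Host URL list, verifying the server certificate against the UCS CA, and
# fetch one user below the contexts with the attributes Moodle will map. A bind failure
# or an empty result here means Moodle will fail in the same way.
check_search_account() {
    local bind_dn="$1" pw_file="$2" base="$3" test_uid="$4"
    local host_url uris
    host_url=$(build_host_url "$(ucr get ldap/server/name)" "$(ucr get ldap/server/addition)")
    uris=$(host_url_to_uris "$host_url")
    echo "Host URL for Moodle: $host_url"
    LDAPTLS_CACERT=/etc/univention/ssl/ucsCA/CAcert.pem \
    ldapsearch -LLL -o ldif-wrap=no -H "$uris" -D "$bind_dn" -y "$pw_file" \
        -b "$base" -s sub "(uid=${test_uid})" dn uid givenName sn mailPrimaryAddress memberOf
}

# Constructed example host names, to show the Host URL format without a live system:
build_host_url "master.example.com" "backup.example.com slave.example.com"

# Usage on a UCS server. Create the password file first, without a trailing newline,
# because -y uses the whole file content as the password:
#   printf '%s' 'PASSWORD' > /root/moodle-search.pw && chmod 600 /root/moodle-search.pw
# check_search_account "uid=moodle-search,cn=users,$(ucr get ldap/base)" /root/moodle-search.pw \
#     "cn=users,ou=<school>,$(ucr get ldap/base)" some.user
```

If <code>ldapsearch</code> reports a certificate verification error, the Moodle host does not trust the UCS CA and PHP's LDAP client will refuse the ldaps:// connection in exactly the same way; fix the trust store before touching the plugin settings.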
 
 
 
Now the LDAP connection can be configured. You can either use the webbrowser or use the command line as described below.
 
 
 
== LDAP configuration from the Command Line ==
 
 
 
Use the following script to configure the LDAP authentication plugin from the command line; the equivalent settings for the web browser are listed further down.<br>
(Note: set the variables at the top of the script first. The script holds the bind password in clear text, so keep it readable by root only and delete it after use.)
 
 
 
<syntaxhighlight lang="bash">
# Please set the data of a simple authentication account here. Instructions on how to create one: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
ldap_search_user="uid=moodle-search,cn=users,<YOUR_LDAP_BASE>"
ldap_search_password="<YOUR_LDAP_SEARCH_PASSWORD>"
ldap_contexts="cn=users,ou=<school>,<YOUR_LDAP_BASE>"                                # Multiple separated with semicolons (';')
ldap_manager_contexts="cn=admins,cn=users,ou=<school>,<YOUR_LDAP_BASE>"              # Multiple separated with semicolons (';')
ldap_course_creator_contexts="cn=mitarbeiter,cn=users,ou=<school>,<YOUR_LDAP_BASE>"  # Multiple separated with semicolons (';')

# Obtain global domain configuration data (exported as the shell variables
# domainname, ldap_base, ldap_server_name and ldap_server_addition)
eval "$(ucr --shell search domainname ldap/base ldap/server/name ldap/server/addition)"

# Strip any quoting that may surround the values
ldap_server_name=$(echo "$ldap_server_name" | sed "s/'\|\"//g")
ldap_server_addition=$(echo "$ldap_server_addition" | sed "s/'\|\"//g")

# Build the Host URL list: the primary LDAP server plus any additional servers, LDAPS on port 7636
ldap_hosts="ldaps://$ldap_server_name:7636"
for host in $ldap_server_addition; do
    ldap_hosts="$ldap_hosts;ldaps://$host:7636"
done

# Helper: set one auth_ldap plugin setting through Moodle's CLI
set_ldap() {
    php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="$1" --set="$2"
}

# Configure the LDAP plugin: server, bind account, user lookup and system role mapping
set_ldap host_url "$ldap_hosts"
set_ldap ldap_version 3
set_ldap bind_dn "$ldap_search_user"
set_ldap bind_pw "$ldap_search_password"
set_ldap contexts "$ldap_contexts"
set_ldap managercontext "$ldap_manager_contexts"
set_ldap coursecreatorcontext "$ldap_course_creator_contexts"
set_ldap search_sub 1
set_ldap removeuser 2          # "Full delete internal": remove Moodle accounts whose LDAP entry has vanished (applied by the LDAP user sync)
set_ldap user_attribute uid
set_ldap memberattribute memberof
set_ldap memberattribute_isdn 1

# Data mapping: Moodle profile field -> UCS LDAP attribute (associative arrays need bash 4)
declare -A field_map=(
    [firstname]=givenName    [lastname]=sn        [email]=mailPrimaryAddress
    [idnumber]=uidNumber     [institution]=o      [department]=departmentNumber
    [description]=description
    [address]=street         [city]=l             [country]=c
    [phone1]=telephoneNumber [phone2]=mobile
)
for field in "${!field_map[@]}"; do
    set_ldap "field_map_$field"          "${field_map[$field]}"
    set_ldap "field_lock_$field"         locked    # users cannot overwrite LDAP-sourced values in Moodle
    set_ldap "field_updatelocal_$field"  onlogin   # refresh from LDAP on every login
    set_ldap "field_updateremote_$field" 0         # never write Moodle data back to LDAP
done
</syntaxhighlight>
 
 
 
You should now be able to log in as any user below the containers set in ''ldap_contexts''. Check the stored values with <code>php /var/www/moodle/admin/cli/cfg.php --component=auth_ldap</code> (without ''--name'' it lists every setting of the plugin) before the first login. Note that some attributes like the email address are mandatory for Moodle: users without a valid email address in UCS will not be able to leave their profile settings page, so make sure that all Moodle users have one. Also be aware of what ''removeuser=2'' (''Full delete internal'') means: a Moodle account whose LDAP entry no longer exists below the contexts is deleted together with its course data as soon as the LDAP user sync runs (<code>php /var/www/moodle/auth/ldap/cli/sync_users.php</code> or the ''auth_ldap'' scheduled task), so deleting or moving a user in UCS is destructive on the Moodle side.
 
 
 
=== Alternative: LDAP configuration using the web browser ===
 
 
 
Change the following values under the web page '''Site Administration''' -> '''Plugins''' -> '''Authentication''' -> '''Manage authentication''' -> '''LDAP Server''' -> '''Settings''' to successfully configure the LDAP plugin.
 
[[File:Moodle_ldap_server_settings.png|400px|thumb|right|LDAP server settings]]
 
[[File:Moodle_ldap_bind_settings.png|400px|thumb|right|Bind settings]]
 
[[File:Moodle_ldap_user_lookup_settings.png|400px|thumb|right|User lookup Settings]]
 
[[File:Moodle_ldap_system_role_mapping.png|400px|thumb|right|System role mapping]]
 
[[File:Moodle_ldap_data_mapping.png|400px|thumb=Moodle_ldap_data_mapping_thumb.png|right|Data mapping]]
 
 
 
''Hint:'' To obtain the LDAP Host URLs, execute the following code on your school server:
<pre>
ldap_hosts="ldaps://$(ucr get ldap/server/name):7636"
for host in $(ucr get ldap/server/addition); do
    ldap_hosts="$ldap_hosts;ldaps://$host:7636"
done
echo "$ldap_hosts"
</pre>
 
''Hint:'' To obtain the LDAP base, execute the following command on any UCS server:
<pre>
ucr get ldap/base
</pre>
 
 
 
After obtaining the needed data, use the following settings to configure the plugin. Leave ''Use TLS'' at ''No'': that option means STARTTLS on a plain ldap:// connection, whereas the ldaps:// URL on port 7636 is encrypted from the start; the Moodle host must trust the UCS CA certificate for the ldaps:// connection to succeed.
{|class="wikitable"
!Key
!Value
|-
!colspan="2"| LDAP server settings
|-
| Host URL
| ldaps://<YOUR_LDAP_SERVER_FQDN>:7636
|-
| Version
| 3
|-
| Use TLS
| No
|-
| LDAP encoding
| utf-8
|-
!colspan="2"| Bind settings
|-
| Distinguished name
| uid=moodle-search,cn=users,<YOUR_LDAP_BASE>
|-
| Password
| <YOUR_LDAP_SEARCH_PASSWORD>
|-
!colspan="2"| User lookup settings
|-
| User type
| Default
|-
| Contexts
| cn=users,ou=<school>,<YOUR_LDAP_BASE>
|-
| Search subcontexts
| Yes
|-
| User attribute
| uid
|-
| Member attribute
| memberOf
|-
| Member attribute uses dn
| Yes
|-
!colspan="2"| System role mapping
|-
| Manager context
| cn=admins,cn=users,ou=<school>,<YOUR_LDAP_BASE>
|-
| Course creator context
| cn=mitarbeiter,cn=users,ou=<school>,<YOUR_LDAP_BASE>
|-
!colspan="2"| User account synchronisation
|-
| Removed ext user
| Full delete internal
|-
!colspan="2"| Data mapping (for all entries)
|-
| Update local
| On Every Login
|-
| Update external
| Never
|-
| Lock value
| Locked
|-
!colspan="2"| Data mapping attributes
|-
| First name
| givenName
|-
| Surname
| sn
|-
| Email address
| mailPrimaryAddress
|-
| City/town
| l
|-
| Country
| c
|-
| Description
| description
|-
| ID number
| uidNumber
|-
| Institution
| o
|-
| Department
| departmentNumber
|-
| Phone
| telephoneNumber
|-
| Mobile phone
| mobile
|-
| Address
| street
|}
 
 
 
You should now be able to log in as any user below the containers set in ''Contexts''. Note that some attributes like the email address are mandatory for Moodle: users without a valid email address in UCS will not be able to leave their profile settings page, so make sure that all Moodle users have one. Also verify the system role mapping with a test login: Moodle resolves each DN listed under ''Manager context'' and ''Course creator context'' by reading that entry and matching the user against its ''Member attribute'', so log in once as an intended manager and confirm under '''Site Administration''' -> '''Users''' -> '''Permissions''' -> '''Assign system roles''' that the Manager role has actually been assigned before relying on it.
 
<br clear=all>
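The note above (given for both the command-line and the browser configuration) says that users without an email address get stuck in Moodle. The following script is an added example, not part of the original Cool Solution, that finds such users before they log in. It goes a little beyond the text: besides the email address, Moodle also refuses a profile without first name and surname, so the check covers all three mapped attributes (givenName, sn, mailPrimaryAddress). It assumes (not stated on the page) that <code>univention-ldapsearch</code> passes the usual ldapsearch options through and is run on a UCS system; the sample LDIF inside the script is constructed.

```bash
#!/bin/bash
# Added example, not part of the original Cool Solution: list the users below a Moodle
# context whose UCS entry lacks an attribute Moodle insists on (first name, surname,
# email), so they can be fixed in UDM before the first login.
# Assumption (not from the original page): univention-ldapsearch passes the usual
# ldapsearch options through and is run on a UCS system.

# Pure function: reads LDIF (as written by ldapsearch -LLL -o ldif-wrap=no) on stdin and
# prints "uid: missing,attributes" for every entry that lacks a required attribute.
# Plain ("attr: value") and base64 ("attr:: value", used by LDIF for non-ASCII values
# such as umlauts) lines both count as present.
find_incomplete_users() {
    awk -v required="givenName sn mailPrimaryAddress" '
        BEGIN { n = split(required, req, " "); RS = ""; FS = "\n" }   # one LDIF entry per record
        {
            uid = ""; split("", seen)
            for (i = 1; i <= NF; i++) {
                if (match($i, /^[A-Za-z][A-Za-z0-9-]*::? /)) {
                    attr = substr($i, 1, RLENGTH)
                    sub(/::? $/, "", attr)
                    if (attr == "uid") uid = substr($i, RLENGTH + 1)
                    seen[attr] = 1
                }
            }
            if (uid == "") next                      # not a user entry
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) missing = missing (missing == "" ? "" : ",") req[i]
            if (missing != "") print uid ": " missing
        }'
}

# Live check: dump the mapped attributes of every user below a context and filter them.
check_context() {
    local ctx="$1"
    univention-ldapsearch -LLL -o ldif-wrap=no -b "$ctx" -s sub \
        '(&(uid=*)(objectClass=posixAccount))' uid givenName sn mailPrimaryAddress |
        find_incomplete_users
}

# Constructed sample LDIF (three made-up users) so the filter can be tried offline:
SAMPLE_LDIF='dn: uid=anna,cn=users,ou=school1,dc=example,dc=com
uid: anna
givenName: Anna
sn: Example
mailPrimaryAddress: anna@example.com

dn: uid=bob,cn=users,ou=school1,dc=example,dc=com
uid: bob
sn: Builder

dn: uid=carla,cn=users,ou=school1,dc=example,dc=com
uid: carla
givenName: Carla
sn:: TcO8bGxlcg==
'
printf '%s' "$SAMPLE_LDIF" | find_incomplete_users

# Usage on the school server:
# check_context "cn=users,ou=<school>,$(ucr get ldap/base)"
```

Run it for every context you listed in the plugin settings; an empty result means every user below that context carries the three attributes Moodle needs.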
 
 
 
== Restrictions ==
 
 
 
* '''Class mapping''': This article does not cover mappings between UCS@school classes and Moodle groups at this moment. If you need assistance to create the respective mapping or would like to have the setup packaged, feel free to contact Univention for an offer to create either.
 
 
 
== References ==
 
 
 
* Moodle LDAP - https://docs.moodle.org/35/en/LDAP_authentication
 
* Moodle LDAP Enrolment - https://docs.moodle.org/35/en/LDAP_enrolment
 
 
 
== Archive ==
 
 
 
* There is a version of this article for [https://wiki.univention.de/index.php?title=Cool_Solution_-_Install_Moodle_and_setup_ldap_authentication&oldid=13479 UCS 4.2].
 
  
 
[[Category:EN]]
[[Category:Howtos]]

Latest revision as of 11:39, 11 June 2019
