Don't Feed the TechnicianMoodle

Moodle MS-AD LDAP Authentication and NTLM SSO

In this guide i will show you how to setup Microsoft Active Directory LDAP authentication for Moodle 2.6 to enable onsite single sign-on.

 

Prerequisites

  • Working Moodle 2.6 Server Joined to your domain.
  • At Least one Domain Controller.

 

Download

LDAP.zip

 

  • Once you have downloaded the ldp.zip file extract to c:\LDAP on your Moodle server.
  • Run the ldp.exe
1 - Connect LDAP
Connect to AD Server
  • Once open, click on Connection at the top then click Connect.
  • Input the server you wish to test LDAP is working with. (If you are unsure what server name to put here try running the following in command prompt: nltest /dclist:yourdomain.name.com that will show you a list of domain controllers on your network.) then click OK.
  • If everything is ok it will connect and it will display all the LDAP server settings/version for that server.
2 - LDAP Connected
Successful Connection
  • Now we just need to make the connection to the server.
  • Click Connection then Bind…
  • It will prompt for a username, password and domain. Input an administrator username and password and the domain name of that user.
  • If that works it will have Authenticated as dn:’username’. If not check the username, password and domain name are correct and that that user has domain admin privileges.
  • Once connected we can view what LDAP can access by clicking View then Tree.
  • Use the dropdown menu and select the BaseDN for your domain. Should look something like:
5 - Tree Settings
BaseDN
  • Now you can see on the left your domain, from here you can drill down into all the OU and CN your active directory has and see the full path of a user within your network.
  • Now we know what Server we can have out Moodle LDAP connect to and we can copy the paths needed to configure Moodle, so lets make a start.

 

Enable Moodle LDAP

  • First off we need to enable LDAP plugin.
  • Logged in to Moodle as an admin, Click: Site administration, Plugins, Authentication then click Manage authentication.
  • From the list of available authentication types click the eye next to LDAP Server to enable.
Enable LDAP Server
Enable LDAP Server

 

  • Hit F5 on your keyboard to refresh your page, now if you drill back down to Site administrationPluginsAuthentication you will have LDAP Server. Click on LDAP Server to access the settings page. 

New we need to populate the required fields to connect to Active Directory and the fields to the users information can be found and pulled into moodle.

Configure Moodle LDAP

The below settings are for my organization layout and not to be copied verbatim for your setup.

LDAP Server Settings 

  • Host URL: ldap://10.66.28.42 (This is the IP/v4 of my domain controller i want moodle to use) you can have more than one LDAP connection as backups just put a ; between each address e.g ldap://10.66.28.42;ldap://10.66.28.43
  • Version: 3  (Unless you are using a really old LDAP server, version 3 is the one you should choose, to check go through the Check LDAP section above and when you first connect the your DC it will have version numbers it will support.) 
  • Use TLS: No (Up to you i guess)
  • LDAP encoding: ulf-8 (Most cases ulf-8 will be correct, if not you will have to investigate your server setup or try the others.)

Bind Settings

  • Hide password: yes (As its a domain username and password best not to store the password within the Moodle database.)
  • Distinguished Name: CN=LDAP,OU=Other,OU=Admin,OU=School Users,DC=********,DC=*****,DC=sch,DC=uk (Quickest way to get this is to run ldp.exe drill down until you find the user then right click on user and copy DN, then paste into the box).
7 - Copy DN
Quick way to get path
  • Password: ******** (password for the Bind account)

User Lookup Settings

  • User Type: MS ActiveDirectory (This is an LDAP AD user guide so would expect you to use this)
  • Context: OU=school users,DC=********,DC=*****,DC=sch,DC=uk (Again best to use the ldp.exe program to get this and copy the path to the OU where the users are stored that you want to use single sign-on are).
  • Search Subcontext: Yes (This settings is needed if you have layers of OU under the Context. i,e School Users OU may have OU’s for each year group).
  • User Attribute: samaccountname (The attribute used to name/search users in your LDAP tree. This option takes a default value based on the User type value you chose above. So unless you need something special, you don’t need to fill this in.) it’s usually cn (Novell eDirectory and MS-AD) or uid (RFC-2037, RFC-2037bis and SAMBA 3.x LDAP extension), but if you are using MS-AD you could (and have to, if you intend to use NTLM SSO) use sAMAccountName (the pre-Windows 2000 logon account name) if you need to.)

Force Change Password

  • Force Change Password: no (As we don’t want moodle to update AD, users can change their passwords for logging on using Ctrl+Alt+Del).

LDAP password expiration Settings

  • Expiration: no (as the users will be logging on to the network computer then access Moodle if they don’t know their passwords they have bigger issues then logging onto moodle at this point).
  • Grace Login: no (if they can’t log onto the network  they have no need to log into Moodle in my setup).

Enable User Creation

  • Create User Externally: no (The only users we want to have access to this moodle are ones with an account in active directory).

Course Creator

  • Creators: OU=Staff,OU=School Users,DC=********,DC=*****,DC=sch,DC=uk (Again quicker to use the ldp.exe program to get this address. Copy the path to the OU where your staff users are stored that you want to use have this privilege).

NTLM SSO (Some configuration is required for this, and i will go though that after this settings section, we just need to enable it for now)

  • Enable: yes (This will make the Moodle single sign-on).
  • Subnet: 10.66.28.0/22 (This is the IP Subnet address used to determin if to attempt NTML SSO single sign-on, basecly checking if they are on a school computer or not).
  • MS IE fast path: Yes, attempt NTLM other Browsers (Covers all bases for this setup, users primarily use IE to browse the net but occasionally Chrome can be used. It also makes it a little more seamless when using IE).
  • Authentication Type: NTLM (Only other option is Kerberos, and if you’re using that then select it otherwise its NTLM).
  • Remote Username Format: %domain%\%username% (default)

Data Mapping

  • First Name: givenname
  • Sure Name: sn
  • Email Address: mail

A list of available user attributes usable for pulling in users information can be found HERE

9 - Moodle LDAP Settings
Settings 1
Settings 2
Settings 2

SAVE CHANGES

 

Configure NTLM

The auth/ldap/ntlmsso_magic.php file MUST have NTLM/Integrated Authentication enabled on the server or the authentication will not work.

IIS Configuration

Open the IIS Management Console and navigate to the auth/ldap/ntlmsso_magic.php file.

IIS 6.0

  • right click on the file, choose properties
  • under the “file security” tab, click on the Authentication and Access control “edit” button
  • untick “Enable Anonymous Access” and tick “Integrated Windows Authentication”

IIS 7.x

  • After navigating to the ‘auth/ldap’ folder, switch to Content View
  • right click on the file, choose “Switch to Features View”
  • click on the Authentication icon on the right
  • select ‘Anonymous Authentication’ and click the ‘Disable’ button
  • select ‘Windows Authentication’ and click the ‘Enable’ button

If you are using IIS 7.5  you have to select ‘Windows Authentication’ and click on ‘Providers’. This shows a list of enabled providers Negotiate and NTLM. Change the order so that NTLM is at the top of the list.

 

Test

  • Log onto a computer with any account under the OU set under User Lookup Settings, Context. 
  • Open IE and go to your moodle home page. It wont log you in from here you still have to click Log in found in the upper right corner.
  • Once clicked and if you set MS IE fast path: Yes, attempt NTLM other Browsers it will seamlessly log the user in.

Now try this using another web browser such as Google Chrome. This time when you click login it will take you to another page and display Attempting Single Sign On via NTLM… and all is well will log you in. If not account is found or the user is not within the context OU defined it will then present them with a standard login page. This will also be the page users will have to input username and password when access outside the school or outside the subnet range.

Useful Tip

One other thing, if you wish for your users to be forced logged in then as an admin go to: Site Administration, Security then click Site Policies. Under there you just need to tick: Force users to log in Forcelogin. Now this will slow the loading of the home page by a few seconds but now the user will not have to click login.