Channel: Authentication

Re: LDAP users missing surname

by Emma Richardson.  

If this is AD, surname should be mapped to sn, not surname.

OAuth2 integration with Keycloak

by Francesco Sabiu.  

Hello,

I am using Moodle 3.6 and I am trying to enable OAuth2 authentication via Keycloak. I'm using the latter as a portal to distribute the logins and passwords.

Although I have inserted the Keycloak base URL in the Service base URL field, once I click on the external login button, the system redirects the user to the /moodle/auth/oauth2 folder, as illustrated in the attached screen capture.


Do you have any suggestions?

Thanks


Re: OAuth2 integration with Keycloak

by Leon Stringer.  

If you've set the Service base URL and this happens then presumably the OAuth 2 issuer, i.e. Keycloak, doesn't support endpoint discovery. In which case you'll need to configure the endpoints manually; this post includes information on this.

LDAP Authentication sync risk?

by Asiye Bayrak.  

Hello, 

I successfully set up the LDAP authentication connection to my AD server. But before setting up the LDAP sync task, I want to learn what the risk of synchronization is, because there is a note on the Moodle Docs page that makes me afraid. It says:
"Warning: It is important to make sure that all LDAP settings are working properly before enabling the LDAP users sync job (as well as backing up your database and moodledata folders), since incorrect LDAP configuration can result in users being wrongly deleted!"

Is synchronization not one way, from LDAP to Moodle? What is the risk for my AD users' data?


Re: LDAP Authentication sync risk?

by Emma Richardson.  

It depends on how you set up your data mapping. However, I have never seen Moodle delete a user on AD - I do not believe that is possible. I am not really sure why that message comes up - it would be very hard for the LDAP sync to delete users unless you have already switched your existing users over to the LDAP authentication method. However, if you select the wrong OU for syncing, you could end up deleting users on your Moodle site, but you can also undelete them pretty easily if you have database access.

Re: Differentiating allowed email domains with same @domain.com but different prefix

by Dirk Meyer.  

Thank you for having taken the time to respond.

The site is a course sharing site and we want only confirmed educators to have access to answer keys, question banks, quizzes etc. The custom role would be applied to users having a pre-approved email format. The process should be automated so when educators with an email address that follows a previously pre-approved email domain come to the site for the first time, a custom role is applied to those accounts giving them access to keys, exams etc. on all courses of the site. Moodle's allowed and denied email domain feature comes close but does not allow for filtering based on what is in front of the @ sign.

Re: Re: LDAP Authentication sync risk?

by Asiye Bayrak.  

Thank you, Emma,
Is it possible to log in with AD user information without the synchronization if the LDAP connection is successful?

Re: External Database Authentication

by johan ericka.  

I have a similar issue but with PostgreSQL (our academic system is using PostgreSQL and Moodle is using MySQL).
Since the table structure differs between what the Moodle external database needs and our academic system, I have to pre-process the data a little bit (doing some table joins).
My workaround for this is to make some MySQL tables that meet the Moodle external database needs and a little PHP script to pull the data (and pre-process it) from our academic system database (PostgreSQL). Then I run the script periodically (using crontab).

Hope this helps.

Alternate Login URL for administrator

by johan ericka.  

Hi,

I have a plan to integrate Moodle login with our academic system using the alternate login URL.

My question is: how can I log in to Moodle as administrator by using the alternate login URL when it is integrated with the academic system? In my academic system I am registered as a teacher.

Or

is it possible to activate the default login page and the alternate login URL at the same time, so users can log in to Moodle either using the Moodle login page or from the academic system?

Any clue will be appreciated.

Re: Alternate Login URL for administrator

by Emma Richardson.  

You should be able to set up the connection to the new login database before setting the URL.  Then just make your academic system account an admin.  Make sure that you can log in with those credentials and have full admin access.  Only then switch the login page...

Re: Re: Re: LDAP Authentication sync risk?

by Emma Richardson.  

Yes, if you set it to be able to create new users in Moodle.

Re: Confirmation of Operation of the OpenID Connect and Oauth2 authentication and multi-tenancy

by Chris Swinney.  

I suspect that the lack of response means that no-one is able to answer, but we need to somehow get this working in the next week or two. If anyone can confirm my understanding, then that would be awesome.

Re: Login to my website using moodle (like google/facebook)

by Luke Carr.  

I'd take a look at the OAuth2 Server Plugin for Moodle. After installing the plugin, you can use your Moodle instance as an OAuth2 identity provider for other clients (the site where you want to have a 'Login with Moodle' button).

Obviously you'll need to know how to implement the client-side logic of the OAuth2 flow on your own site, but there's plenty of resources online for that, and if you're using a web framework, there's probably a plugin/addon you can find that does the nitty-gritty stuff for you.

Moodle logout redirect not working

by Ricardo Wallace.  

Moodle version:  3.9.2

Hello! 

I hope everyone is doing well. The issue that I'm having is that when I log out of Moodle it redirects to a path that is not on the server.

I tried this post : https://moodle.org/mod/forum/discuss.php?d=244757 

But still redirects to the same path, I don't know what's going on, any help would be greatly appreciated.

Thanks in advance!

Re: Moodle logout redirect not working

by Leon Stringer.  

Has the source code been modified? The logout page, login/logout.php, which controls this redirection says:

 33 $login   = optional_param('loginpage', 0, PARAM_BOOL);
 34
 35 // can be overridden by auth plugins
 36 if ($login) {
 37     $redirect = get_login_url();
 38 } else {
 39     $redirect = $CFG->wwwroot.'/';
 40 }

So by default it redirects to https://academia.esdila.com assuming that's the value of $CFG->wwwroot in config.php.

Also check which authentication plugins are enabled as the comment above on line 35 suggests plugins can alter the behaviour. You can share a screenshot of this list if you want us to help check.


Re: Moodle logout redirect not working

by Ricardo Wallace.  

Thanks for the reply!

I only made the changes that are mentioned in the post that I linked in my first post, nothing more. I did revert them since they seem not to be working. It's weird because I did follow step by step what they say in that post.

These are my files that are right now in the Moodle folder.





LDAP sync_roles stopped with update

by Jarrad Giskard.  

Hi there,

Strange one here. I've just updated from 3.8.4+ (build 20200723) to 3.8.6+ (build 20201224), and LDAP sync_roles seems to have stopped working properly.

After doing the update, all looked good. I then ran the CRON job and afterwards noticed a few 'role unassigned' events like this in the logs:

The user with id '2' unassigned the role with id '1' from the user with id '825'.

User id 2 is the manual sysadmin account created when I first installed Moodle, role id 1 is the manager role, and user id 825 is a manager that's in the 'Moodle Managers' security group on our AD that's been configured for system role mapping to 'managers' (we also have a 'Moodle Course Creators' security group for syncing to the 'course creators' role).

On checking the assigned system roles, all users had been dropped from both managers and course creators.

Checking the sync_roles logs before and after looks the same and no errors are raised, though the log doesn't seem to have much detail:

Execute scheduled task: Synchronise system roles from LDAP (auth_ldap\task\sync_roles)
... started 14:30:06. Current memory use 9.8MB.
... used 2465 dbqueries
... used 5.4084599018097 seconds
Scheduled task complete: Synchronise system roles from LDAP (auth_ldap\task\sync_roles)

No changes have been made to the system role sync setup. Here's what I have plugged into the managercontext as example (anonymised our org name with xxx):

CN=Moodle Managers,OU=SGs,OU=Administration,DC=xxx,DC=org,DC=uk

I've tried removing users from the security groups, re-running the CRON, adding them back in, and re-running again; as well as clearing managercontext and coursecreator context, running CRON, adding reconfiguring, and re-running CRON again. But still the users aren't syncing to the roles.

LDAP sync of general users continues to work.

I've manually added the managers and course creators for now, but am troubled that I can't work out what's wrong. 

Is there a new ldap setting that's been introduced between 3.8.4+ and 3.8.6+ that I've missed? Any other ideas?

NB - The Moodle server is running on Windows Server 2012 R2 and PHP 7.3.25.

Re: Moodle logout redirect not working

by Leon Stringer.  

And the authentication plugins, which ones are enabled on the site? E.g.:

Screenshot of available authentication plugins

Lines 21-28 of config.php use code to generate $CFG->wwwroot which the documentation says should not be done. Instead there should be a single line:

$CFG->wwwroot = 'https://academia.esdila.com';

If it's still not working then maybe you could add some debug output which would be sent to the web server's error log, e.g. in login/logout.php add these error_reporting() and error_log() lines:

36 if ($login) {
37     $redirect = get_login_url();
38 } else {
39     $redirect = $CFG->wwwroot.'/';
40 }
41 error_reporting(E_ALL);
42 error_log("1: \$redirect == \"$redirect\"");
    ⋮
64 require_logout();
65
66 error_log("2: \$redirect == \"$redirect\"");
67 redirect($redirect);

You'd then need to know where the web server error logs are (on my server they're in /var/log/php-fpm/www-error.log, yours may be different) and I get this debug output which shows that URL in $redirect is the one expected:

[07-Jan-2021 16:20:57 Europe/London] 1: $redirect == "https://moodle.example.com/"
[07-Jan-2021 16:20:57 Europe/London] 2: $redirect == "https://moodle.example.com/"

Hopefully it will help determine why the URL on your site is being changed.

Re: LDAP sync_roles stopped with update

by Emma Richardson.  

Can you turn full debugging on and then run the system role sync?

Re: LDAP sync_roles stopped with update

by Jarrad Giskard.  

Ok, I think it has to do with the LDAP setting: Member attribute uses dn

This setting seems to have been around for a while and was currently set to 'no'. After setting to 'yes' and re-running CRON the users are put back into the system roles.

I've very little programming experience, so take this with a grain of salt, but looking at source code changes here it looks like this setting has been changed from a text field to a pick list with yes and no options.


Checking backups, it looks like this was previously left blank:


id                   plugin          name                              value
-------------------- --------------- --------------------------------- ---------
1749                 auth_ldap       memberattribute_isdn

Whereas after the update it went to 0:

id                   plugin          name                              value
-------------------- --------------- --------------------------------- ---------
1749                 auth_ldap       memberattribute_isdn              0

The setting itself says, 'Overrides handling of member attribute values' and the kb on the setting says, 'Whether the member attribute contains distinguished names (1) or not (0).This option takes a default value based on the User type value you choosed above. So unless you need something special, you don't need to fill this in.'

But my 'member attribute' setting is blank and the default is 'empty', so I'd think this shouldn't do anything.... 

Feels like a bug and I'm hesitant to set this to 'yes'.

Any thoughts?
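
An added example, not part of the original posts and not Moodle's own code: a simplified PHP model of how a stored memberattribute_isdn of blank versus 0 changes the way an AD group's member values are resolved, and so which role holders a role sync would unassign. The per-user-type default table, the function names and the directory entries are assumptions constructed for illustration.

```php
<?php
// Simplified model of LDAP group-to-role resolution; NOT Moodle's auth_ldap code.
// Assumed per-user-type defaults for memberattribute_isdn (1 = member values are DNs).
const ISDN_DEFAULTS = ['ad' => 1, 'rfc2307' => 0];

// Blank means "use the default for the user type"; an explicit '0' or '1' overrides it.
function effective_isdn(string $stored, string $usertype): bool {
    if ($stored === '') {
        return (bool) ISDN_DEFAULTS[$usertype];
    }
    return $stored === '1';
}

// Turn the group's member values into usernames.
function resolve_members(array $membervalues, bool $isdn, array $directory): array {
    $usernames = [];
    foreach ($membervalues as $value) {
        if ($isdn) {
            // Value is a DN: look the entry up and read its username attribute.
            if (isset($directory[$value])) {
                $usernames[] = $directory[$value];
            }
        } else {
            // Value is taken as the username itself.
            $usernames[] = $value;
        }
    }
    return $usernames;
}

// Users holding the role who are not in the resolved list lose it.
function roles_to_unassign(array $current, array $resolved): array {
    return array_values(array_diff($current, $resolved));
}

// Constructed sample data: AD stores full DNs in the group's member attribute.
$directory = [
    'CN=Alice Example,OU=Staff,DC=example,DC=org' => 'aexample',
    'CN=Bob Sample,OU=Staff,DC=example,DC=org'    => 'bsample',
];
$members  = array_keys($directory);
$managers = ['aexample', 'bsample'];

foreach (['' => 'blank (before update)', '0' => "'0' (after update)"] as $stored => $label) {
    $isdn = effective_isdn((string) $stored, 'ad');
    $drop = roles_to_unassign($managers, resolve_members($members, $isdn, $directory));
    printf("%-22s isdn=%d unassigned=[%s]\n", $label, $isdn, implode(', ', $drop));
}
```

Before relying on a role sync after an upgrade, comparing the stored value of this setting in a backup with the live value, as done in the post above, shows whether a blank has turned into an explicit override.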


