Channel: Authentication

Re: LDAP sync_roles stopped with update

by Jarrad Giskard.  

Hi Emma,

Thanks. I had tried that, but no additional information appeared in the log. I did find what I think seems to be the issue, but I don't know if this is a bug or working as intended... :/

Re: LDAP sync_roles stopped with update

by Emma Richardson.  

Try setting it to no and rerun - maybe it was actually empty before and needed some sort of entry in there to complete. Mine is set to no.

Re: LDAP sync_roles stopped with update

by Jarrad Giskard.  

Unfortunately I did - when I put it back to 'no' and reran, it removed the users from the system roles again.

Can I ask - which version of Moodle are you running, is your 'member attribute' setting empty or does it have a value, and are you using MS Active Directory?

I'm not working just now, but I'm curious tomorrow to try a SQL UPDATE to set that value back to empty in the database and see if it works again.

Re: LDAP sync_roles stopped with update

by Emma Richardson.  

I am using MSAD. Currently on 3.9. Member attribute is empty. I sync an OU so I point directly to the OU.

Pop up Cookies Blocked - Moodle 3.0 Plugins

by Umair Hafeez.  

I am trying to find pop up window open - Moodle plugins. Please let me know if you or how to do it.

Re: LDAP sync_roles stopped with update

by Jarrad Giskard.  

Hmm... I think we might be talking slightly different things here. When you say you, 'sync an OU so I point directly to the OU', I'm guessing you mean the 'Contexts' box in the User lookup settings section for syncing users? We have that set to an OU, too, and that's working ok.

It's the sync of users to system roles that's broken. I.e., in the System role mapping section, the 'Manager context' and 'Course creator context' settings. The instructions say 'In MS Active Directory, you will need to create a security group for your creators to be part of and then add them all', which is why I'm guessing you're talking about the 'Contexts' box instead, as these don't take OUs?

So I'm guessing you're not using the 'Manager context' and/or 'Course creator context' settings? If you can give it a test by temporarily adding a security group, I'd be curious whether that works for you with the 'Member attribute uses dn' set to 'no'.

I'll do a bit more reading on the settings, but it feels to me that that setting should only come into play if the 'Member attribute' setting actually has a value; it doesn't for me, so I wouldn't think it should matter whether it's set to yes or no.

Scheduled LDAP failed with Duplicate key error

by Rey Ong.  

Hi there,

Whenever I run the cron job on the LDAP sync task, the following error message comes out:

Scheduled task failed: LDAP users sync job (auth_ldap\task\sync_task),Error writing to database
Debug info:
Duplicate entry '1-nb08615$' for key 'mdl_tmpextu_mneuse_uix'
INSERT INTO mdl_tmp_extuser (username,mnethostid) VALUES(?,?)
[array (
  0 => 'nb08615$',
  1 => '1',
)]
Backtrace:
* line 1357 of /lib/dml/mysqli_native_moodle_database.php: call to moodle_database->query_end()
* line 994 of /auth/ldap/auth.php: call to mysqli_native_moodle_database->insert_record_raw()
* line 771 of /auth/ldap/auth.php: call to auth_plugin_ldap->ldap_bulk_insert()
* line 50 of /auth/ldap/classes/task/sync_task.php: call to auth_plugin_ldap->sync_users()
* line 248 of /lib/cronlib.php: call to auth_ldap\task\sync_task->execute()
* line 150 of /admin/cli/scheduled_task.php: call to cron_run_inner_scheduled_task()

Potential coding error - existing temptables found when disposing database. Must be dropped!



I have checked this '1-nb08615$' and it's pointing back to my own profile/guest user. (either admin or my own normal user login)

Environment:
Moodle 3.9+

PHP 7.3+

MariaDB 10.3+

Centos 7

Auth method: LDAP with MS AD

All the solutions I found online seem to point to a certain duplicated user ID clearly, but are not applicable to this issue. Been pulling my hair out for this, please help. Thank you.

Re: LDAP sync_roles stopped with update

by Jarrad Giskard.  

Ok, so I used Wireshark and understand better what's happening now as well as the point of this setting.

When 'Member attribute uses dn' is set to no, the LDAP search uses the user's 'undistinguished' username in the filter, as seen in this example:

Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2) "cn=Moodle Managers,ou=SGs,ou=Administration,dc=xxx,dc=org,dc=uk" baseObject
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: cn=Moodle Managers,ou=SGs,ou=Administration,dc=xxx,dc=org,dc=uk
                scope: baseObject (0)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 0
                timeLimit: 0
                typesOnly: False
                Filter: (member= yyyz)
                    filter: equalityMatch (3)
                        equalityMatch
                            attributeDesc: member
                            assertionValue: yyyz
                attributes: 1 item
                    AttributeDescription: member

This returns no matches, even though this user is in the Moodle Managers group.

But when 'Member attribute uses dn' is set to 'yes', it first runs a search to get the user's distinguished name and then uses that in the filter, as seen in this example:

Lightweight Directory Access Protocol
    LDAPMessage searchRequest(1225) "cn=Moodle Managers,ou=SGs,ou=Administration,dc=xxx=org,dc=uk" baseObject
        messageID: 1225
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: cn=Moodle Managers,ou=SGs,ou=Administration,dc=xxx,dc=org,dc=uk
                scope: baseObject (0)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 0
                timeLimit: 0
                typesOnly: False
                Filter: (member=CN=yyy zzz,OU=ITE,OU=Resources,OU=THT,DC= xxx,DC=org,DC=uk)
                    filter: equalityMatch (3)
                        equalityMatch
                            attributeDesc: member
                            assertionValue: CN=yyy zzz,OU=ITE,OU=Resources,OU=THT,DC= xxx,DC=org,DC=uk
                attributes: 1 item
                    AttributeDescription: member

Which does find the user is in the group, as expected.

So it seems that MS Active Directory does need the member attribute to be passed with the distinguished name.

--BUT--

Checking the mdl_config_log table, the only entry for this setting was when we first installed, and it was set to an empty string:

SELECT TOP (1000) [id]
      ,[userid]
      ,DATEADD(second,[timemodified], CAST('1970-01-01 00:00:00' AS datetime)) timemodified
      ,[plugin]
      ,[name]
      ,[value]
      ,[oldvalue]
  FROM [Moodle].[dbo].[mdl_config_log]
  WHERE plugin = 'auth_ldap'
AND name = 'memberattribute_isdn'

id    userid   timemodified            plugin    name                 value   oldvalue
----- -------- ----------------------- --------- -------------------- ------- --------
1087  2       2018-05-18 13:25:54.000 auth_ldap memberattribute_isdn         NULL
(1 row affected)

And the update changed it to 0 (without a log entry of the change):

SELECT TOP (1000) [id]
      ,[plugin]
      ,[name]
      ,[value]
  FROM [Moodle].[dbo].[mdl_config_plugins]
  WHERE plugin = 'auth_ldap'
AND name = 'memberattribute_isdn'

id    plugin    name                 value
----- --------- -------------------- -------
1403  auth_ldap memberattribute_isdn 0

The instruction for the 'Member attribute uses dn' setting says: Whether the member attribute contains distinguished names (1) or not (0). This option takes a default value based on the User type value you choosed above. So unless you need something special, you don't need to fill this in.

That is, the default value is NOT 0 or 1, but based on the 'User type' you set.

So, the implication is this setting should be OPTIONAL; if you leave it blank, Moodle will itself decide whether the member attribute contains DNs or not based on the 'User type' setting. 

We have 'User type' set to 'MS ActiveDirectory', so my guess is prior to the upgrade, when 'Member attribute uses dn' could be left blank, Moodle knew the member attribute would contain DNs based on our 'User type' being set to 'MS Active Directory', so ran as if we set the value to '1'. But with the update, this setting is no longer optional - it's a pick list that must be set to yes or no, so it would seem Moodle isn't being given the opportunity to do this automatically based on the 'User type'.

This would seem to be a bug - 'Member attribute uses dn'  should be allowed to be left blank so Moodle can decide for itself whether the member attribute contains DNs based on the 'User type' set. Only in special circumstances should it be explicitly set to 0 or 1. 

For now, I can set to 'yes' and at least I now know why it needs to be 'yes', when it previously worked with this left blank. But I'll log this as a bug, as I think we should be able to leave this setting blank.
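
The behaviour traced in the post above, modelled as an added example (not part of the original post and not Moodle's own code): it shows why the same base-scope `member` check matches with a DN and fails with a bare username, and how a blank setting differs from an explicit '0'. The directory contents, function names and the per-user-type defaults table are assumptions made for illustration.

```python
# Model of the role-sync group check seen in the two captures above.
# Directory contents, names and the defaults table are constructed assumptions.
USERS = {"yyyz": "CN=yyy zzz,OU=ITE,OU=Resources,DC=example,DC=org"}
GROUPS = {
    "cn=Moodle Managers,ou=SGs,dc=example,dc=org": [
        "CN=yyy zzz,OU=ITE,OU=Resources,DC=example,DC=org",
    ],
}
# Assumed per-user-type defaults applied when the setting is left blank.
ISDN_DEFAULTS = {"ad": True, "rfc2307": False}


def effective_isdn(configured, user_type):
    """Blank means 'derive from user type'; '0'/'1' are explicit overrides."""
    if configured in ("", None):
        return ISDN_DEFAULTS[user_type]
    return configured == "1"


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a value cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def member_assertion(username, isdn):
    """Value compared against 'member': the user's DN, or the bare username."""
    return USERS[username] if isdn else username


def member_filter(username, isdn):
    """Filter string as it would appear in the searchRequest."""
    return "(member=%s)" % escape_filter_value(member_assertion(username, isdn))


def is_member(group_dn, username, configured, user_type):
    """Base-scope equalityMatch on 'member', as in the two searchRequests."""
    wanted = member_assertion(username, effective_isdn(configured, user_type))
    # Simplified DN matching: case-insensitive string comparison.
    return any(wanted.lower() == m.lower() for m in GROUPS[group_dn])


if __name__ == "__main__":
    group = "cn=Moodle Managers,ou=SGs,dc=example,dc=org"
    for setting in ("", "0", "1"):
        isdn = effective_isdn(setting, "ad")
        print(repr(setting), member_filter("yyyz", isdn),
              is_member(group, "yyyz", setting, "ad"))
```

In this model a stored '0' removes the user from the mapped role on the next sync, while a blank value or '1' keeps them, which is the difference the two database queries in the post show.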

Moodle Custom Oauth2 Provider Configuration

by Terry David.  

I am working on an urgent (aren't they all?) implementation that requires Moodle to use a custom Oauth2 provider. Unfortunately, I have been unable, due to a lack of discovered documentation or the ability to trace entire oauth negotiation sequences, to get this to work.

I am currently stuck at an error that reports:

"

error/Could not upgrade oauth token

More information about this error

"

The included link results in a non-existent page:

You are here

  • Main page
  •  ► error/moodle/Could not upgrade oauth token

error/moodle/Could not upgrade oauth token

This page does not exist yet. You can search for this page title in other pages, or let us know by posting about it in one of the Moodle community forums.

From there, the articles that are accessible do not seem to have any information on this error.


I am looking for -ANY- useful help available.


Terry David

terry.david@540.co; tdavid99@gmail.com

TYIA.


Re: Moodle Custom Oauth2 Provider Configuration

by Leon Stringer.  

"Could not upgrade oauth token" means that the request to the OAuth 2 provider's token_endpoint didn't get a 200 OK response: either the provider returned a status other than 200 OK, which might be in the provider's logs if you have access, or Moodle's network connection attempt to the provider failed.

There's a pending change to include more detail in this error: MDL-70282. You could merge in the proposed changes or see here for a change to just one file. Then with debugging enabled hopefully you'll then see details about why this isn't working.

Authentication email not using language setting

by Jakob Rasmussen.  

Hi

When I add a user, the authentication email is sent in English, even though I have installed language pack Danish (da) and selected this as the default language. I have tried setting the default language in site admin -> language settings as well as in config.php with $CFG->lang='da';. I have also checked the language pack string 'newusernewpasswordtext' - it does contain a valid Danish text.

I am running a registered Moodle 3.10 installation on a Bitnami Google Cloud stack.

How can I enforce the language setting on the authentication email?

Best regards

Jakob

Re: Authentication email not using language setting

by Jakob Rasmussen.  

Sorry. Maybe I was rushing to post my problem. Solved by changing admin preferred language to Danish. User confirmation email is now sent in Danish :)

Setting up Oauth2 service Google

by Richard van Iwaarden.  

I have set up Google Oauth 2 in the past several times. However, I wanted to do this again today and could not do it.

Reason is mainly that the documentation is too old. Everything at Google has changed. I used this documentation: https://docs.moodle.org/39/en/OAuth_2_Google_service

Would anyone be willing to update this? Does anyone know a step-by-step procedure for setting this up?

Hope this documentation can be updated so it's useful again.

Re: Setting up Oauth2 service Google

by Emma Richardson.  

Well, if you figure it out, you could update it!!! I did not think it had changed that much - where are you getting stuck?

Re: Setting up Oauth2 service Google

by Richard van Iwaarden.  

Hi Emma!
Have you checked Google yet? Everything, every screen, every step is completely changed. Also you need to supply a lot more information now (like privacy statements of your organisation etc.)
I have not yet succeeded in setting this up. It also seems Google needs to manually verify steps which will take time.
Just have a look at it. Take a new Moodle and set it up from scratch... you will see the documentation is about 10% correct.

And how about this from Google?

Security Checkup

Security Checkup might show your app as risky and unverified. When an app is “unverified,” it has not fully completed the OAuth app verification. Depending on the sensitivity of the data being requested, verification might require several months for the app to complete.



Re: Setting up Oauth2 service Google

by Ken Task.  

Would think one needs to get the web interface working first before testing with the moodle app.

Yes, it's a little different ... there are 3 tabs across the set up of Google IAM. All three must be completed. You mentioned terms of service and privacy statement. I have made those static web pages (.html) and use the same ones for the sandbox sites (3.5->310) all of them have Google working. I cheated there and 'borrowed' a tos.html and privacy.html page from an organization for education ... changing the appropriate names/references in the borrowed pages to mine.

One of the tabs has to do with verifying that you own the server/domain via DNS. They offer adding a txt record to your DNS for the moodle or, perhaps easier and don't have to include DNS server admin, is the option to verify ownership via an HTML file at the root of the site ... ie, moodle code.

They don't provide the HTML file ... just describe ... like name it with 'stringname.html' and contained therein a one liner with what appears to be the same verification string.

The other thing I do which in docs say isn't necessary, I have a Google System account to use with IAM.  In the checks for setup, 'System Account Connected' ... which has to be the same one used when first setup.

In versions of Moodle <-310 I have such a system account.  On a 310 I don't have that setup and it works anyway.

Do you get the login screen that comes from Google?  (that shows something like the following)

The  SOSSIG in above screen clip is the name of the IAM I am using.

Can PM you some links to these sandbox sites so you can try them out just to see how they work.   I'll remove your test accounts after you let me know. ;)

As far as keeping docs up to date ... one can edit them. Will say that I'm not gonna volunteer to do that ... besides ... Google has been known to change things. :| I already have a job and enough to do. :)

'SoS', Ken


Re: Setting up Oauth2 service Google

by Emma Richardson.  

Oh I do remember all that now. It did take time for Google to verify but it did work in the meantime (just unverified).

Re: Setting up Oauth2 service Google

by Richard van Iwaarden.  

Thanks again Ken for all your useful information.

I have set it up this far:



When clicking on 'advanced' I can continue, but unverified.

I do not understand the message: the title says 'Google did not verify this app'. However, the text below says that I have not verified the app. So which one is it?

And how do I verify the app?

As for documentation: I'm not native English. The language used by Google is not the easiest English for non-natives. When translated to Dutch it reads like a bad Google translate language.

And furthermore: I'm extremely impatient and after about 30 seconds of reading hard-to-understand English I lose patience and start clicking away. Trial and error. That makes a very bad manual for someone to follow.

Re: Setting up Oauth2 service Google

by Richard van Iwaarden.  

Found some more info out here, trial and error. I have to add 'scopes' (whatever they are).

How do I know which 'scopes' to add?


Re: Setting up Oauth2 service Google

by Richard van Iwaarden.  

Well... to add more headache: I need to make a YouTube video in English explaining what I want:


Are you serious Google? All I want is my students to be able to upload something from Google Drive...
