Hi All,
Our Active Directory server is on a remote server in the same LAN, and Moodle uses LDAPS to connect to the LDAP server. I have used the port number to connect to the LDAP server, and I have checked the server connection with ldp.exe. It can connect to LDAP over SSL but is unable to change the password.
I have used CA certificates for the SSL connection. I am not sure if there is any truststore for Moodle?
Moodle's LDAP settings:
Host URL: serverName.domain, 636 (it does not work with ldaps://serverName.domain)

Setting | Options / value | Help text
Host URL | | Specify LDAP host in URL-form like 'ldap://ldap.myorg.com/' or 'ldaps://ldap.myorg.com/'. Separate multiple servers with ';' to get failover support.
Version | 2 / 3 | The version of the LDAP protocol your server is using.
LDAP encoding | | Specify encoding used by LDAP server. Most probably utf-8; MS AD v2 uses default platform encoding such as cp1252, cp1250, etc.

Bind settings
Hide passwords | No / Yes | Select yes to prevent passwords from being stored in Moodle's DB.
Distinguished name | | If you want to use bind-user to search users, specify it here. Something like 'cn=ldapuser,ou=public,o=org'
Password | | Password for bind-user.

User lookup settings
User type | Novell Edirectory / posixAccount (rfc2307) / posixAccount (rfc2307bis) / sambaSamAccount (v.3.0.7) / MS ActiveDirectory / Default | Select how users are stored in LDAP. This setting also specifies how login expiration, grace logins and user creation will work.
Contexts | | List of contexts where users are located. Separate different contexts with ';'. For example: 'ou=users,o=org; ou=others,o=org'
Search subcontexts | No / Yes | Search users from subcontexts.
Dereference aliases | No / Yes | Determines how aliases are handled during search. Select one of the following values: "No" (LDAP_DEREF_NEVER) or "Yes" (LDAP_DEREF_ALWAYS)
User attribute | | Optional: Overrides the attribute used to name/search users. Usually 'cn'.
Member attribute | | Optional: Overrides user member attribute, when users belong to a group. Usually 'member'
Member attribute uses dn | | Optional: Overrides handling of member attribute values, either 0 or 1
Object class | | Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you don't need to change this.

Force change password
Force change password | No / Yes | Force users to change password on their first login to Moodle.
Use standard page for changing password | No / Yes | If the external authentication system allows password changes through Moodle, switch this to Yes. This setting overrides 'Change Password URL'. NOTE: It is recommended that you use LDAP over an SSL encrypted tunnel (ldaps://) if the LDAP server is remote.
Password format | Plain text / MD5 hash / SHA-1 hash | Specify the format of new or changed passwords in LDAP server. I have tried MD5 and plain text as well.
Password-change URL | | Here you can specify a location at which your users can recover or change their username/password if they've forgotten it. This will be provided to users as a button on the login page and their user page. If you leave this blank the button will not be printed.

LDAP password expiration settings
Expiration | No / LDAP | Select No to disable expired password checking or LDAP to read password expiration time directly from LDAP
Expiration warning | | Number of days before password expiration warning is issued.
Expiration attribute | | Optional: overrides ldap-attribute that stores password expiration time
Grace logins | No / Yes | Enable LDAP gracelogin support. After password has expired user can login until gracelogin count is 0. Enabling this setting displays grace login message if password is expired.
Grace login attribute | |
Users with LDAP authentication settings cannot change their password; they get the error below:
Error code: errorpasswordupdate
- line 467 of \lib\setuplib.php: moodle_exception thrown
- line 110 of \login\change_password.php: call to print_error()
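As an added example that is not part of the original post and not Moodle's own code, the PHP script below does outside Moodle what an LDAP password change against Active Directory has to do: verify the LDAPS certificate chain against a CA file, bind, and replace the user's unicodePwd attribute with the UTF-16LE encoding of the quoted new password. The URL, CA file path, bind DN, target DN and passwords are placeholders, and the script assumes PHP's ldap extension with TLS options (PHP 7.1 or later).

```php
<?php
// Stand-alone diagnostic for an AD password change over LDAPS (not Moodle code).
// Every value below is a placeholder; substitute your own before running.
$host   = 'ldaps://serverName.domain:636';       // URL form, not "host, port"
$cafile = '/path/to/ad-ca-chain.pem';            // CA that issued the DC certificate
$bindDn = 'cn=ldapuser,ou=public,dc=domain';     // account permitted to reset passwords
$bindPw = 'BIND-PASSWORD-PLACEHOLDER';
$userDn = 'cn=testuser,ou=users,dc=domain';      // user whose password is changed
$newPw  = 'NEW-PASSWORD-PLACEHOLDER';

// AD keeps the password in unicodePwd: the new password wrapped in double quotes
// and encoded as UTF-16LE. AD refuses this attribute on an unencrypted connection,
// which is why the change only works over LDAPS.
function ad_unicode_pwd(string $password): string {
    return iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
}

// The ldap extension trusts what libldap trusts (TLS_CACERT in ldap.conf); setting
// the CA file here makes the trust store explicit and demands a valid chain.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cafile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$conn = ldap_connect($host);
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);    // AD sends referrals; chasing them breaks binds

if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    fwrite(STDERR, "bind failed: " . ldap_error($conn) . "\n");
    exit(1);
}
echo "bind over LDAPS OK, chain verified against $cafile\n";

$ok = @ldap_mod_replace($conn, $userDn, ['unicodePwd' => [ad_unicode_pwd($newPw)]]);
if (!$ok) {
    // AD puts the real reason (policy, history, permissions, plaintext channel) in the
    // diagnostic message, e.g. a WILL_NOT_PERFORM when the password policy rejects it.
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, "password change failed: " . ldap_error($conn) . " / $diag\n");
    exit(1);
}
echo "password changed for $userDn\n";
ldap_unbind($conn);
```

If the bind step fails with a certificate error, the CA file is the place to look; if the bind succeeds but the modify fails, the diagnostic message from AD names the cause.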