Moodle SSO not working in a multi domain environment

by Ganesh Ubhare.  

Hello,

Calling all Moodle LDAP experts for help.

-----------------------------

Environment 

------------------------------

Moodle : 3.0.2

PHP - 5.5.3

Server - Windows 2012 - IIS 8.5

SSO - Using NTLM


--------------------------

The problem

--------------------------

People from NA (North America) are not able to log in using SSO. People from EMEA are able to log in when a certain bind DN is used (as shown below).

I have questioned a lot of things from IT to annoy them, but here's the info I have got. It looks like there are staff in the EMEA region and staff in the NA (North America) region in AD. The host URL and bind DN provided appear in the following format:

Host URL : ldap://xxx.emea.xx.xx.com

Bind settings DN - CN=XXX,OU=XXX,OU=XXX,DC=emea,DC=XX,DC=XX,DC=com

User search context - This specifies all the required OUs for the EMEA and NA regions. This has been checked and provided by IT.


Since SSO was working, I think all other settings for LDAP are correct in Moodle.


IT says

1) The host URL is a global catalog server so will have access to both domains (emea, na). It may be that you need to configure the URL differently though when using multiple domains –

2) Subnet IP specified covers all domains so that's not an issue

3) Moodle URL is part of the local intranet zone for everyone


When SSO works the DN is in the following format

Bind settings DN - CN=XXX,OU=XXX,OU=XXX,DC=emea,DC=XX,DC=XX,DC=com

-----------------------------------------------------------------------------

Things that I have tried, but SSO does not work, are

-----------------------------------------------------------------------------

1) If I include the DC for na

Bind settings DN - CN=XXX,OU=XXX,OU=XXX,DC=emea,DC=na,DC=XX,DC=XX,DC=com  (NA DC included)

2) If I remove the CN and only include the DC part, like the following

DC=na,DC=emea,DC=corp,DC=xxx,DC=com - SSO does not work

3) If I remove any part of the CN - SSO does not work


-----------------------

My questions

----------------------

1) Can we use multiple DNs in the bind settings using ";"? (I have tried that as well, but SSO does not work.)

2) IT has advised me to find out: "It may be that you need to configure the URL differently though when using multiple domains"


Apologies, as this is long-winded.

I will appreciate it if anyone can put me in the right direction. I am not expecting spoon-feeding, but generally just give me the right direction so that I can coordinate with IT.

Any help much appreciated.


Thanks

Ganesh

