patrickpollet edited this page Mar 11, 2014 · 17 revisions

Welcome to the moodle_local_ldap wiki!

This plugin, which installs itself as a local plugin (see http://docs.moodle.org/dev/Local_plugins ), lets you keep Moodle cohorts synchronized with groups of users defined in an LDAP directory. A "group" can be a real LDAP group entry, or the set of users sharing some value of an LDAP attribute. Coupled with the cohort enrolment plugin in the various courses, this keeps course enrolments in sync with LDAP data. Starting with Moodle 2.4 (see https://tracker.moodle.org/browse/MDL-31437), the cohort enrolment plugin has an optional setting naming a course group to keep in sync with the cohort, so course groups (and groupings) are also kept in sync with LDAP automatically.

Settings

After installing it and visiting Site Administration / Notifications as usual, you should see the new settings screen where you can adjust its behaviour.

(screenshot: insertion in Site Administration)

Later on, these settings can be adjusted in Site Administration under Local plugins. For some reason, as of Moodle 2.5, the 'Parameters' link does not appear on the plugin management page for local plugins; use the Local plugins menu instead.

Common settings

The only common setting is 'verbose mode'. In this mode, the scripts output extensive debug information about the data retrieved from LDAP and from the Moodle database; it is obviously the mode to activate if something goes wrong in your first tests. Keep in mind that this output, and the log files it ends up in, will list real user identifiers and group memberships, so disable it again once the sync behaves, and keep the logs out of any web-readable path.

(screenshot: common settings)

Synching Moodle cohorts with LDAP groups

This script reuses many settings from the LDAP or CAS authentication plugins, such as the LDAP hostname, contexts, search scope, member attribute, "member is DN"... (see http://docs.moodle.org/22/en/LDAP_authentication#User_lookup_settings) and has some specific settings that can be altered as follows:

(screenshot: group sync settings)

  • Group attribute : by default, groups are expected to be named cn=group name, ou=xxxx, dc= yyyy, dc= zzzz. If that is not the case in your directory, replace the default value 'cn' with the attribute used in the group RDN.

  • Group class : LDAP groups are expected to be of class groupOfUniqueNames; if your directory uses group, groupOfNames, ... adjust this value accordingly.

  • Real user class : In Moodle, the user class defined for LDAP or CAS authentication can be typed in lower or mixed case, since LDAP searches are case-insensitive. However, when the members of a group are listed by LDAP, it is quite common for the member DNs to carry the attribute in mixed case, for example sAMAccountName=jdoe,ou=students,dc=... ; the comparison of these DN strings is case-sensitive, so a mismatch means no member is recognized. If the script does create cohorts but does not add any members to them, set this value to the exact case used in the member DNs (inspect a group entry in your directory to see it); alternatively, change the user class in the CAS/LDAP settings to match that case.

  • Process nested groups : In some LDAP directories, groups contain other group DNs among their members. If this is the case, you may consider enabling this option. To avoid infinite loops, the code keeps track of the groups already visited, so the case where group A contains group B and group B contains group A terminates.

  • Autocreate cohorts : When disabled, the script only considers cohorts that already exist in Moodle and whose id number (not name) is identical to the common name of an LDAP group it finds; the admin must therefore create these cohorts first for them to be synchronized with the LDAP group. When enabled, the script autocreates any missing Moodle cohort with both name and id number set to the common name of the LDAP group found. Cohorts are autocreated at system level, never at category level. If you have many LDAP groups, a good strategy is to enable autocreation, run the script, then disable autocreation and delete any cohorts you do not want to see in your Moodle. Note that the script does not create a cohort if the corresponding LDAP group is empty, and does not delete an existing Moodle cohort when it becomes empty.
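To make the last three settings concrete, here is an added, stand-alone illustration in Python (not the plugin's own PHP code) of what a group sync run has to get right: expanding nested groups without looping on the A-contains-B-contains-A cycle, matching member DNs whose attribute names differ in case from the configured user attribute, and turning the result into the add/remove sets for a cohort whose id number is the group's cn. The directory contents and the cohort membership Moodle already holds are constructed inline, so nothing contacts an LDAP server; the DNs, group names and usernames are made up for the example.

```python
"""Resolve LDAP group membership into Moodle cohort add/remove sets.

Added illustration, not the plugin's own code.  Everything below is
constructed sample data: no LDAP server or Moodle database is involved.
"""

# Constructed sample: group DN -> member DNs, as a groupOfUniqueNames entry
# would list them in uniqueMember.  Note the mixed-case attribute names in the
# user DNs, the nested group, and the students <-> exchange cycle.
LDAP_GROUPS = {
    "cn=students,ou=groups,dc=example,dc=org": [
        "sAMAccountName=jdoe,ou=people,dc=example,dc=org",
        "sAMAccountName=asmith,ou=people,dc=example,dc=org",
        "cn=exchange,ou=groups,dc=example,dc=org",   # nested group
    ],
    "cn=exchange,ou=groups,dc=example,dc=org": [
        "sAMAccountName=mbrown,ou=people,dc=example,dc=org",
        "cn=students,ou=groups,dc=example,dc=org",   # cycle back to students
    ],
    "cn=empty,ou=groups,dc=example,dc=org": [],
}

# Constructed sample: the user attribute as typed in Moodle's LDAP/CAS settings
# (lower case) and the members Moodle currently holds, keyed by cohort idnumber.
USER_ATTRIBUTE = "samaccountname"
MOODLE_COHORT_MEMBERS = {"students": {"jdoe", "obsolete"}}


def normalize_dn(dn):
    """Lower-case a DN and strip blanks around its components.  DN attribute
    types compare case-insensitively in LDAP, but plain string comparison
    does not; that gap is what the 'Real user class' setting papers over."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def rdn_value(dn, attribute):
    """Value of the leading RDN if its attribute type is `attribute`
    (compared case-insensitively), otherwise None."""
    head = normalize_dn(dn).split(",", 1)[0]
    attr, _, value = head.partition("=")
    return value if attr == attribute.lower() else None


def expand_members(group_dn, groups, user_attribute, nested=True):
    """Usernames that are members of `group_dn`.

    With nested=True, member DNs that are themselves known groups are expanded
    recursively; `seen` records visited groups so a cycle terminates."""
    by_key = {normalize_dn(dn): members for dn, members in groups.items()}
    seen = set()

    def walk(dn):
        key = normalize_dn(dn)
        if key in seen:
            return set()
        seen.add(key)
        users = set()
        for member in by_key.get(key, []):
            username = rdn_value(member, user_attribute)
            if username is not None:
                users.add(username)
            elif nested and normalize_dn(member) in by_key:
                users |= walk(member)
            # Any other DN (e.g. a user DN whose attribute does not match the
            # configured one) is skipped: the "cohort created, no members" symptom.
        return users

    return walk(group_dn)


def cohort_changes(group_dn, groups, moodle_members, user_attribute, nested=True):
    """(to_add, to_remove) for the cohort whose idnumber is the group's cn."""
    idnumber = rdn_value(group_dn, "cn")
    ldap_users = expand_members(group_dn, groups, user_attribute, nested)
    current = moodle_members.get(idnumber, set())
    return ldap_users - current, current - ldap_users


if __name__ == "__main__":
    for dn in LDAP_GROUPS:
        add, remove = cohort_changes(dn, LDAP_GROUPS, MOODLE_COHORT_MEMBERS, USER_ATTRIBUTE)
        print(dn, "add:", sorted(add), "remove:", sorted(remove))
```

Run with the user attribute set to "uid" instead and every group resolves to no members, which is the exact symptom the 'Real user class' setting exists for; the empty group yields no changes, matching the plugin's rule of not creating a cohort for it.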

Synching Moodle cohorts with users having some values in an LDAP attribute

This script reuses many settings from the LDAP or CAS authentication plugins, such as the LDAP hostname, contexts, search scope... (see http://docs.moodle.org/22/en/LDAP_authentication#User_lookup_settings ) and has some specific settings that can be altered as follows:

(screenshot: attribute sync settings)

  • Attribute name to search : This is definitely the first setting you will change if you plan to create cohorts from the different values of some LDAP attribute. Please respect the exact case when providing the name of the attribute.

  • Target cohorts id numbers : By default, if autocreation is on, every distinct value of the target attribute produces a synchronized Moodle cohort whose id number (not name) is identical to the found value. Alternatively, you may type here a comma-separated list of the values to consider. For example, if all your users carry a multivalued attribute named eduPersonAffiliation whose possible values are member, staff, student, faculty, affiliate, retired, off ..., in automatic mode you will get seven cohorts named after these seven values. To restrict the sync to students and faculty, type student,faculty in this field. Of course it is also possible for the admin to create these two cohorts beforehand and turn off autocreation of cohorts.

  • User class : If empty, the script reuses the user class defined in the LDAP/CAS settings (see http://docs.moodle.org/22/en/LDAP_authentication#User_lookup_settings) to search for the LDAP users to add to or remove from cohorts. If you want to restrict cohort synching to some category of users (say students), you may type an RFC 2254 compliant filter (RFC 2254 has since been superseded by RFC 4515, with the same syntax); it can be the simple name of the target LDAP class or a more complex filter such as (&(objectClass=insaPerson)(|(edupersonaffiliation=member)(edupersonaffiliation=affiliate)))

  • Autocreate missing cohorts : Same behaviour as the synching based on LDAP groups described above.
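The following is an added illustration in Python, not the plugin's own code, of the two mechanics behind the settings above: how the 'User class' filter, the attribute name and the 'Target cohorts id numbers' list combine into one RFC 4515 search filter (with the admin-supplied values escaped, so a stray "student)(uid=*" cannot widen the search), and how the entries that come back are bucketed into cohorts keyed by attribute value, honouring the target list and the autocreate switch. The object class insaPerson and the attribute values are taken from the page's own example; the entries and usernames are constructed for the illustration and no LDAP server is contacted.

```python
"""Build the attribute-based cohort search filter and bucket users into cohorts.

Added illustration, not the plugin's own code.  LDAP entries below are
constructed sample data; nothing here talks to a directory server.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value.  Backslash goes first so the escapes themselves are not re-escaped.
_FILTER_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                   (")", "\\29"), ("\x00", "\\00")]


def escape_filter_value(value):
    """Escape one assertion value for safe inclusion in a search filter."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def as_filter(user_class):
    """Accept either a bare object class name or a complete parenthesised
    filter, as the 'User class' setting allows."""
    user_class = user_class.strip()
    if user_class.startswith("("):
        return user_class
    return "(objectClass=%s)" % escape_filter_value(user_class)


def parse_targets(setting):
    """'Target cohorts id numbers' is a comma-separated list; blanks are ignored."""
    return [t.strip() for t in setting.split(",") if t.strip()]


def build_search_filter(user_class, attribute, targets=None):
    """Combine the user-class filter with the attribute constraint.

    With no targets, only require the attribute to be present (attr=*);
    with targets, require one of the listed values.  The attribute name is
    used verbatim, in the case the admin typed it."""
    base = as_filter(user_class)
    if not targets:
        return "(&%s(%s=*))" % (base, attribute)
    alternatives = "".join("(%s=%s)" % (attribute, escape_filter_value(t))
                           for t in targets)
    if len(targets) == 1:
        return "(&%s%s)" % (base, alternatives)
    return "(&%s(|%s))" % (base, alternatives)


def bucket_into_cohorts(entries, username_attr, cohort_attr,
                        targets=None, autocreate=True, existing=()):
    """Map cohort idnumber -> set of usernames from a list of LDAP entries.

    Entries are dicts of attribute name -> list of values, the shape an LDAP
    client returns.  A multivalued attribute puts the same user in several
    cohorts; values outside `targets` (when given) are ignored; with
    autocreate off, only cohorts already in `existing` receive members.
    Attribute names are looked up exactly as typed, which is why the page
    insists on the exact case of the attribute name."""
    allowed = set(targets) if targets else None
    cohorts = {}
    for entry in entries:
        username = entry[username_attr][0]
        for value in entry.get(cohort_attr, []):
            if allowed is not None and value not in allowed:
                continue
            if not autocreate and value not in existing:
                continue
            cohorts.setdefault(value, set()).add(username)
    return cohorts


# Constructed sample entries, as an LDAP search on insaPerson might return them.
LDAP_ENTRIES = [
    {"uid": ["jdoe"], "eduPersonAffiliation": ["member", "student"]},
    {"uid": ["asmith"], "eduPersonAffiliation": ["member", "faculty"]},
    {"uid": ["mbrown"], "eduPersonAffiliation": ["member", "affiliate"]},
    {"uid": ["rlee"], "eduPersonAffiliation": ["retired"]},
]

if __name__ == "__main__":
    targets = parse_targets("student, faculty")
    print(build_search_filter("insaPerson", "eduPersonAffiliation", targets))
    for idnumber, users in sorted(bucket_into_cohorts(
            LDAP_ENTRIES, "uid", "eduPersonAffiliation", targets).items()):
        print(idnumber, sorted(users))
```

With the target list left empty, every distinct value becomes a cohort (five here, from the four sample entries); with "student, faculty" only those two are produced; and looking the attribute up as "edupersonaffiliation" instead of "eduPersonAffiliation" yields no cohorts at all, which is the failure the exact-case warning is about.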

Testing

Final installation

See the sh scripts in local/ldap/cli. These scripts are in use on some of our production servers; before using them, adjust the path SYNC_DIR to your Moodle installation (/var/www/moodle/local/ldap/cli) and LOG_DIR to a directory inside your Moodledata (/work/moodledata.20/sync). They are designed to be run nightly by a Unix cron job, and they write into the moodledata/sync directory a log file tagged with the date of execution for later inspection. Since these logs list user identifiers and group memberships (a lot of them in verbose mode), keep LOG_DIR outside the web root, as Moodledata should be anyway, and readable only by the account the cron job runs as.

Undocumented feature

Currently the cohort-group synching script uses Moodle's LDAP settings for the list of contexts to search. If you want to restrict LDAP group searching to some contexts (possibly different from the contexts where your users are), add the following line to your config.php file:

$CFG->cohort_synching_ldap_groups_contexts='ou1;ou2';

If present, the script will use ONLY the contexts ou1 and ou2 (separated by semicolons, as in Moodle's own LDAP contexts setting) to search for LDAP groups to be synched. In a future version, this may be added to the configuration screen of this extension. Thanks to Stephan Göldi from Switzerland for the suggestion.