LDAP User Account Filtering in Moodle

Setting up LDAP in Moodle? Once you have configured the LDAP authentication plugin and it is working (you can log in), don't forget to also enable LDAP User Sync to keep your account status in sync. When first setting LDAP up, you may not realize it but you may be getting more accounts than you expected. The trick is to limit user accounts to just persons of class users.

You can limit synchronization to just user objects in Active Directory (AD) by completing the following steps:

1. Go to Site Administration > Plugins > Authentication > LDAP Server.
2. Scroll down to the User Lookup Settings section.
3. Set User Attribute to: sAMAccountName
4. Set Object class to: (&(objectCategory=person)(objectClass=user))
5. Save.

The Object class field name is a little misleading. One might initially think it that you should use it to just give Object class a value, when in fact is it actually more of filter field. In this case, specifying an object category of person and an object class of user will filter out non-user accounts like workstations, printers and other devices which may be attached and logged into your network through AD.

If you are using AD, account usernames coming though LDAP allow more types of characters than Moodle does by default. For example, you may also have AD usernames that start with a "$" (dollar sign) or "#" (hash tag/pound sign) which simply should not be there for valid usernames. You can add more filters to the the Object Class setting. For example, we can fix the above mentioned issues :

(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=$*))(!(sAMAccountName=#*))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=32))(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))

Broken down, this says:

  • (& means all of the following must match (AND them together).
  • (objectCategory=person) : The object category must be a "person"; AND
  • (objectClass=user) : The object class must be a "user"; AND
  • (!(sAMAccountName=$*)) : The sAMAAccountName (the username) must not (!) start with a dollar ($) symbol followed by any number of characters (*); AND
  • (!(sAMAccountName=#*)) : The sAMAAccountName (the username) must not (!) start with a hash tag (#) symbol followed by any number of characters (*) ; AND
  • (!(userAccountControl:1.2.840.113556.1.4.803:=2)) : The userAccountControl:1.2.840.113556.1.4.803 (user account) must not (!) be disabled (:=2); AND
  • (userAccountControl:1.2.840.113556.1.4.803:=32)) : The userAccountControl:1.2.840.113556.1.4.803 (user account) must not (!) not be required to have a password (:=32); AND
  • (userAccountControl:1.2.840.113556.1.4.803:=32)) : The userAccountControl:1.2.840.113556.1.4.803 (user account) must not (!) be set to Password does not expire (:=65536);
  • ) is to close the initial (&.

Feel free to modify this to suit your organizations password policy. If you run into problems, it will often be the result of unbalanced parentheses (the round brackets). It may also be that you are trying to filter out a character with a special meaning in which case you will need to escape the character by preceding it with a back slash (\).

For more information about the types and syntax of filters that you can use, see Active Directory: LDAP Syntax Filters.

The end result is that the filter will exclude user accounts that do not meet the filter's criteria. If you set the Removed ext user LDAP setting in Moodle to Suspend internal, Moodle will automatically suspend any user accounts which have been filtered out by the LDAP synchronization process thanks to the additional filters.

WARNING: Your site may become less or non-responsive during the synchronization process. Do this off hours or or work this out on a different instance of Moodle.

You should be able to run the synchronization process manually by going to Site Administration > Server > Scheduled Tasks. Scroll down to LDAP users sync job. You should see a small link called "Run now". Click this link to run the synchronization process manually. If you don't see the link, you will need to go to Site Administration > Server > System Paths and set the Path to PHP CLI field in order to enable the Run Now link.

If your legitimate user account names include characters with accents or Asian characters, you will also need to tell Moodle to allow special characters outside the normal a-z, A-Z range. You can do this by navigating to Site Administration > Security > Site Policies and enabling Allow extended characters in usernames. This should only be done if you are sure that accounts in AD which contain special characters are valid active user accounts. I've seen some Active Directory administrators rename users to johndoe(old) instead of disabling the account. By allowing extended characters in usernames, you could be propagating a security risk to your Moodle site and possibly inadvertently creating enabled user accounts that should not actually exist in Moodle

Unfortunately Moodle currently aborts the synchronization process on the first synchronization failure, regardless of the reason. A patch described in MDL-58395 will hopefully be adopted (vote for it) which does 3 very important things to help you troubleshooting sync issues:

  1. It displays the users information for the account that are causing LDAP sync issues.
  2. It changes the script behaviour to continue the process if there is a problem with a particular account so that, at least the rest of the accounts are hopefully properly synchronized.
  3. It provides a summary at the end to let you know if there was a problem so that you don't need to scroll through the whole list of accounts being created/synchronized to find the odd ones that didn't work -- if there are any. As you might imagine, failing to sync all accounts if the first in the list fails could result in serious security issue.

Hope you found this information helpful. Share your experience in implementing Moodle in the comments below.

Michael Milette


Leave a Reply

Your email address will not be published. Required fields are marked *