Middlebury

Difference between revisions of "CASifying Moodle"

(New page: {{stub}} = Default CAS Plugin = The latest version of Moodle, 1.9, comes packaged with an authentication plugin for CAS. This authentication plugin should work for connecting Moodle to M...)
 
(Default CAS Plugin: Added tested configuration.)
Line 2: Line 2:
 
= Default CAS Plugin  =
 
= Default CAS Plugin  =
  
The latest version of Moodle, 1.9, comes packaged with an authentication plugin for CAS. This authentication plugin should work for connecting Moodle to Middlebury's CAS server, but relies on an LDAP server for attribute lookup. While not ideal, this configuration should work with a few caveats that are listed in our [[CAS#Protocol_Extension:_Attributes|CAS documentation]].
+
The latest version of Moodle, 1.9, comes packaged with an authentication plugin for CAS. This authentication plugin should work for connecting Moodle to Middlebury's CAS server, but relies on an LDAP server for attribute lookup. While not ideal, this configuration should work with a few caveats that are listed in our [[CAS#Protocol_Extension:_Attributes|CAS documentation]].  
  
Using the default CAS plugin rather than LDAP directly has the following advantages:
+
Using the default CAS plugin rather than LDAP directly has the following advantages:  
  
*Moodle will use the same 'web-id' for uniquely identifying users
+
*Moodle will use the same 'web-id' for uniquely identifying users  
 +
*Once a custom CAS plugin is created, the user-id ('user' table, 'username' column in the Moodle database) will stay the same, hopefully preventing any need for user-mapping or making that job much easier if it is needed.
 
*Users will not have to enter their credentials again if they have already logged into another application via CAS.
 
*Users will not have to enter their credentials again if they have already logged into another application via CAS.
  
 
== Configuration in Moodle  ==
 
== Configuration in Moodle  ==
  
After enabling the CAS module, use the following configuration settings:
+
After enabling the CAS module, use the following configuration settings:  
  
 
=== CAS server configuration  ===
 
=== CAS server configuration  ===
  
{| cellspacing="1" cellpadding="1" border="1"
+
{| width="500" cellspacing="1" cellpadding="1" border="1"
 
|-
 
|-
! scope="col" | Setting<br>
+
! width="150" scope="col" | Setting<br>  
 
! scope="col" | Value<br>
 
! scope="col" | Value<br>
 
|-
 
|-
! scope="row" | Hostname<br>
+
! scope="row" | Hostname<br>  
 
| login.middlebury.edu<br>
 
| login.middlebury.edu<br>
 
|-
 
|-
! scope="row" | Base URI<br>
+
! scope="row" | Base URI<br>  
 
| cas/<br>
 
| cas/<br>
 
|-
 
|-
! scope="row" | Port<br>
+
! scope="row" | Port<br>  
 
| 443<br>
 
| 443<br>
 
|-
 
|-
! scope="row" | Version<br>
+
! scope="row" | Version<br>  
| 2,0<br>
+
| 2.0<br>
 
|-
 
|-
! scope="row" | Proxy mode<br>
+
! scope="row" | Proxy mode<br>  
 
| No<br>
 
| No<br>
 
|-
 
|-
! scope="row" | Logout CAS<br>
+
! scope="row" | Logout CAS<br>  
| Optional<br>
+
| ''Optional''<br>
 
|-
 
|-
! scope="row" | Multi-authentication<br>
+
! scope="row" | Multi-authentication<br>  
| Optional<br>
+
| ''Optional''<br>
 
|}
 
|}
  
 
=== LDAP server configuration  ===
 
=== LDAP server configuration  ===
  
{| cellspacing="1" cellpadding="1" border="1"
+
{| width="500" cellspacing="1" cellpadding="1" border="1"
 
|-
 
|-
! scope="col" | Setting<br>
+
! width="150" scope="col" | Setting  
! scope="col" | Value<br>
+
! scope="col" | Value
 
|-
 
|-
! scope="row" | Host URL<br>
+
! scope="row" | Host URL  
| ldap://middlebury.edu<br>
+
| ldap://middlebury.edu
 
|-
 
|-
! scope="row" | Version<br>
+
! scope="row" | Version  
| &nbsp;?<br>
+
| 2
 
|-
 
|-
! scope="row" | LDAP Encoding<br>
+
! scope="row" | LDAP Encoding  
| &nbsp;?<br>
+
| utf-8 (I think, I haven't been able to test on names containing non-ASCII chars)
 
|}
 
|}
  
 
==== Bind settings  ====
 
==== Bind settings  ====
  
{| cellspacing="1" cellpadding="1" border="1"
+
{| width="500" cellspacing="1" cellpadding="1" border="1"
 
|-
 
|-
! scope="col" | Setting
+
! width="150" scope="col" | Setting  
 
! scope="col" | Value
 
! scope="col" | Value
 
|-
 
|-
! scope="row" |
+
! scope="row" | Distinguished Name
|
+
| CN=********,CN=Users,DC=middlebury,DC=edu
|-
 
! scope="row" |
 
|
 
 
|-
 
|-
! scope="row" |
+
! scope="row" | Password
|
+
| ********
 
|}
 
|}
  
 
==== User lookup settings  ====
 
==== User lookup settings  ====
  
{| cellspacing="1" cellpadding="1" border="1"
+
{| width="500" cellspacing="1" cellpadding="1" border="1"
 
|-
 
|-
! scope="col" | Setting
+
! width="150" scope="col" | Setting  
 
! scope="col" | Value
 
! scope="col" | Value
 
|-
 
|-
! scope="row" |
+
! scope="row" | User type
|
+
| MS ActiveDirectory
 +
|-
 +
! scope="row" | Contexts
 +
| DC=middlebury,DC=edu
 +
|-
 +
! scope="row" | Search subcontexts
 +
| Yes
 +
|-
 +
! scope="row" | Dereference aliases
 +
| No (not sure what this does)
 +
|-
 +
! scope="row" | User attribute
 +
| MiddleburyCollegeUID
 
|-
 
|-
! scope="row" |
+
! scope="row" | Member attribute
|
+
| member
 
|-
 
|-
! scope="row" |
+
! scope="row" | Member attribute uses dn
|
+
| 1
 +
|-
 +
! scope="row" | Object class
 +
|  
 
|}
 
|}
  
 
==== Course creator  ====
 
==== Course creator  ====
  
{| cellspacing="1" cellpadding="1" border="1"
+
{| width="500" cellspacing="1" cellpadding="1" border="1"
 
|-
 
|-
! scope="col" | Setting
+
! scope="col" | Setting  
 
! scope="col" | Value
 
! scope="col" | Value
 
|-
 
|-
! scope="row" |
+
! width="150" nowrap="nowrap" scope="row" | Attribute creators
|
+
| CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu;
|-
 
! scope="row" |
 
|
 
 
|-
 
|-
! scope="row" |
+
! scope="row" | Group creators
|
+
| CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu;
 
|}
 
|}
  
 
==== Cron synchronization script  ====
 
==== Cron synchronization script  ====
  
{| cellspacing="1" cellpadding="1" border="1"
+
{| width="500" cellspacing="1" cellpadding="1" border="1"
 
|-
 
|-
! scope="col" | Setting
+
! width="150" scope="col" | Setting  
 
! scope="col" | Value
 
! scope="col" | Value
 
|-
 
|-
! scope="row" |
+
! scope="row" | Removed ext user
|
+
| ''Optional''
|-
 
! scope="row" |
 
|
 
|-
 
! scope="row" |
 
|
 
 
|}
 
|}
  
 
=== Data mapping  ===
 
=== Data mapping  ===
  
{| cellspacing="1" cellpadding="1" border="1"
+
The fields that are mapped should probably be set to '''Update local''' "On every login" and '''Lock value''' "Locked", but for some you might want to have them pre-populated on creation and then allow user-editing of the value. '''Update external''' should always be "Never".
 +
 
 +
{| width="500" cellspacing="1" cellpadding="1" border="1"
 
|-
 
|-
! scope="col" | Setting
+
! width="150" scope="col" | Setting  
 
! scope="col" | Value
 
! scope="col" | Value
 
|-
 
|-
! scope="row" |
+
! scope="row" | First name
|
+
| givenName
 +
|-
 +
! scope="row" | Surname
 +
| sn
 +
|-
 +
! scope="row" | Email address
 +
| mail
 +
|-
 +
! scope="row" | City/town
 +
|
 +
|-
 +
! scope="row" | Country
 +
|
 +
|-
 +
! scope="row" | Language
 +
| (msExchUserCulture might work, but returns values with a hyphen rather than an underscore: en-US rather than en_US. Haven't been able to test if this works or not.)
 +
|-
 +
! scope="row" | Description
 +
| title
 +
|-
 +
! scope="row" | Web page
 +
|
 +
|-
 +
! scope="row" | ID number
 +
|
 +
|-
 +
! scope="row" | Institution
 +
| company
 +
|-
 +
! scope="row" | Department
 +
| department
 +
|-
 +
! scope="row" | Phone 1
 +
| telephoneNumber
 
|-
 
|-
! scope="row" |
+
! scope="row" | Phone 2
|
+
|  
 
|-
 
|-
! scope="row" |
+
! scope="row" | Address
|
+
| extensionAttribute3
 
|}
 
|}
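Review bot: The LDAP server configuration table sets Host URL to ldap://middlebury.edu, and the Bind settings table in the same revision adds a bind Distinguished Name and Password. An ldap:// URL does not itself provide TLS, so it is worth stating on the page how the bind and the attribute lookups are protected in transit, or switching to ldaps:// or StartTLS if the directory offers it (StartTLS is an LDAPv3 operation, while Version is set to 2 here). In the User lookup table, the Object class row is added with an empty value; say whether blank is intentional so readers do not take it for an unfinished entry.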
  

Revision as of 11:29, 11 August 2009

Default CAS Plugin

The latest version of Moodle, 1.9, comes packaged with an authentication plugin for CAS. This authentication plugin should work for connecting Moodle to Middlebury's CAS server, but relies on an LDAP server for attribute lookup. While not ideal, this configuration should work with a few caveats that are listed in our CAS documentation.

Using the default CAS plugin rather than LDAP directly has the following advantages:

  • Moodle will use the same 'web-id' for uniquely identifying users
  • Once a custom CAS plugin is created, the user-id ('user' table, 'username' column in the Moodle database) will stay the same, hopefully preventing any need for user-mapping or making that job much easier if it is needed.
  • Users will not have to enter their credentials again if they have already logged into another application via CAS.

Configuration in Moodle

After enabling the CAS module, use the following configuration settings:

CAS server configuration

Setting               Value
Hostname              login.middlebury.edu
Base URI              cas/
Port                  443
Version               2.0
Proxy mode            No
Logout CAS            Optional
Multi-authentication  Optional

LDAP server configuration

Setting        Value
Host URL       ldap://middlebury.edu
Version        2
LDAP Encoding  utf-8 (I think, I haven't been able to test on names containing non-ASCII chars)

Bind settings

Setting             Value
Distinguished Name  CN=********,CN=Users,DC=middlebury,DC=edu
Password            ********

User lookup settings

Setting                   Value
User type                 MS ActiveDirectory
Contexts                  DC=middlebury,DC=edu
Search subcontexts        Yes
Dereference aliases       No (not sure what this does)
User attribute            MiddleburyCollegeUID
Member attribute          member
Member attribute uses dn  1
Object class

Course creator

Setting             Value
Attribute creators  CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu;
Group creators      CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu;

Cron synchronization script

Setting           Value
Removed ext user  Optional

Data mapping

The fields that are mapped should probably be set to Update local "On every login" and Lock value "Locked", but for some you might want to have them pre-populated on creation and then allow user-editing of the value. Update external should always be "Never".

Setting        Value
First name     givenName
Surname        sn
Email address  mail
City/town
Country
Language       (msExchUserCulture might work, but returns values with a hyphen rather than an underscore: en-US rather than en_US. Haven't been able to test if this works or not.)
Description    title
Web page
ID number
Institution    company
Department     department
Phone 1        telephoneNumber
Phone 2
Address        extensionAttribute3
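
The login flow these settings describe, as an added example (not Moodle's plugin code and not part of the original page): CAS 2.0 ticket validation against the configured server, followed by the LDAP filter for the attribute lookup with RFC 4515 escaping. The service URL, ticket, username and both XML responses are constructed, and the single-clause filter shape is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"  # CAS 2.0 XML namespace
# Values from the configuration tables on this page.
CAS_HOST, CAS_PORT, CAS_BASE_URI = "login.middlebury.edu", 443, "cas/"
USER_ATTRIBUTE = "MiddleburyCollegeUID"


def validate_url(service, ticket):
    """CAS 2.0 /serviceValidate URL built from Hostname, Port and Base URI."""
    port = "" if CAS_PORT == 443 else f":{CAS_PORT}"
    query = urlencode({"service": service, "ticket": ticket})
    return f"https://{CAS_HOST}{port}/{CAS_BASE_URI}serviceValidate?{query}"


def parse_validation(xml_text):
    """Return the authenticated user, or raise ValueError on any other reply."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{CAS_NS}authenticationSuccess/{CAS_NS}user")
    if user is not None and user.text and user.text.strip():
        return user.text.strip()
    failure = root.find(f"{CAS_NS}authenticationFailure")
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    raise ValueError(f"CAS validation failed: {code}")


def ldap_filter(username):
    """Lookup filter with RFC 4515 escaping, so the value stays a literal."""
    escaped = re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), username)
    return f"({USER_ATTRIBUTE}={escaped})"


# Constructed sample responses (not captured from a real server).
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>constructed-web-id</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    # moodle.example.edu and the ticket are hypothetical placeholders.
    print(validate_url("https://moodle.example.edu/login/index.php", "ST-constructed"))
    print(ldap_filter(parse_validation(SUCCESS)))
```

Only a username taken from an authenticationSuccess element reaches the directory lookup; a failure or malformed reply raises before any filter is built.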


Custom CAS Plugin with Attribute Support

We plan to create a customized CAS plugin that makes use of the user attributes returned in the CAS response. This page will be updated once such a custom plugin has been developed.

Using a custom CAS plugin has the following advantages over the default CAS plugin:

  • When implemented, visitor accounts will be available in Moodle
  • A full list of groups (including parent groups) is available