Default CAS Plugin
The latest version of Moodle, 1.9, comes packaged with an authentication plugin for CAS. This authentication plugin should work for connecting Moodle to Middlebury's CAS server, but relies on an LDAP server for attribute lookup. While not ideal, this configuration should work with a few caveats that are listed in our CAS documentation.
Advantages over direct LDAP
Using the default CAS plugin rather than LDAP directly has the following advantages:
- Moodle will use the same 'web-id' for uniquely identifying users
- Once a custom CAS plugin is created, the user-id ('user' table, 'username' column in the Moodle database) will stay the same, hopefully preventing any need for user-mapping or making that job much easier if it is needed.
- Users will not have to enter their credentials again if they have already logged into another application via CAS.
- Because groups in our LDAP server (Active Directory) may be members of groups themselves, your application will need to manually traverse the group hierarchy in order to get a full list of groups.
Example: A class-group does not directly have any members, but rather is a container for three groups (instructors, students, audits) that each directly contain members.
- We may run multiple LDAP servers in the future to hold information on visitors and other constituent groups. At that time you may encounter users who can authenticate via CAS, but are not listed in our primary LDAP server.
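The nested-group traversal described above, as an added example (not part of the original page and not Moodle's code). It walks a constructed in-memory copy of group membership and stops on membership cycles; the `example.edu` DNs, the sample users and all function names are assumptions.

```python
from collections import defaultdict, deque

BASE = "DC=example,DC=edu"  # constructed suffix, not the real directory
# Constructed sample data: group DN -> DNs listed in its "member" attribute.
MEMBERS = {
    f"CN=bio101,OU=Classes,{BASE}": [
        f"CN=bio101-instructors,OU=Classes,{BASE}",
        f"CN=bio101-students,OU=Classes,{BASE}",
        f"CN=bio101-audits,OU=Classes,{BASE}",
    ],
    f"CN=bio101-instructors,OU=Classes,{BASE}": [f"CN=alice,OU=People,{BASE}"],
    f"CN=bio101-students,OU=Classes,{BASE}": [f"CN=bob,OU=People,{BASE}"],
    f"CN=bio101-audits,OU=Classes,{BASE}": [],
    f"CN=All Faculty,OU=Groups,{BASE}": [f"cn=Bio Faculty,ou=Groups,{BASE}"],
    f"CN=Bio Faculty,OU=Groups,{BASE}": [
        f"CN=alice,OU=People,{BASE}",
        f"CN=All Faculty,OU=Groups,{BASE}",  # deliberate cycle
    ],
}

def norm(dn):
    """Compare DNs case-insensitively (simplified; no RFC 4514 escape handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent_index(members):
    """Invert group -> members into member -> groups that directly contain it."""
    parents = defaultdict(set)
    for group, entries in members.items():
        for entry in entries:
            parents[norm(entry)].add(norm(group))
    return parents

def all_groups(dn, members):
    """Return every group containing dn directly or via nested groups."""
    parents = parent_index(members)
    seen, queue = set(), deque([norm(dn)])
    while queue:
        for group in parents.get(queue.popleft(), ()):
            if group not in seen:  # visited set stops cycles looping forever
                seen.add(group)
                queue.append(group)
    return seen

def in_any_group(dn, setting, members):
    """setting: semicolon-separated group DNs, the format of the creators fields."""
    wanted = {norm(g) for g in setting.split(";") if g.strip()}
    return bool(wanted & all_groups(dn, members))
```

In the sample data alice is not a direct member of "All Faculty", so a check against direct membership alone would miss her; the traversal finds her through the nested "Bio Faculty" group.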
Configuration in Moodle
After enabling the CAS module, use the following configuration settings:
CAS server configuration
LDAP server configuration
|LDAP Encoding||utf-8 (I think, I haven't been able to test on names containing non-ASCII chars)|
User lookup settings
|User type||MS ActiveDirectory|
|Dereference aliases||No (not sure what this does)|
|Member attribute uses dn||1|
|Attribute creators||CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=MIIS Faculty,OU=Groups,OU=MIIS,DC=middlebury,DC=edu;CN=MIIS Staff,OU=Groups,OU=MIIS,DC=middlebury,DC=edu;|
|Group creators||CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=MIIS Faculty,OU=Groups,OU=MIIS,DC=middlebury,DC=edu;CN=MIIS Staff,OU=Groups,OU=MIIS,DC=middlebury,DC=edu;|
Cron synchronization script
|Removed ext user||Optional|
The fields that are mapped should probably be set to Update local "On every login" and Lock value "Locked", but for some you might want to have them pre-populated on creation and then allow user-editing of the value. Update external should always be "Never".
|Language||(msExchUserCulture might work, but returns values with a hyphen rather than an underscore: en-US rather than en_US. Haven't been able to test if this works or not.)|
Custom CAS Plugin with Attribute Support
We plan to create a customized CAS plugin that makes use of the user attributes returned in the CAS response. This page will be updated once such a custom plugin has been developed.
Using a custom CAS plugin has the following advantages over the default CAS plugin:
- When implemented, visitor accounts will be available in Moodle
- A full list of groups (including parent groups) is available