CASifying Moodle

Revision as of 16:21, 11 August 2009 by Adam Franco (talk | contribs) (Note about update sequence)

Default CAS Plugin

The latest version of Moodle, 1.9, comes packaged with an authentication plugin for CAS. This authentication plugin should work for connecting Moodle to Middlebury's CAS server, but relies on an LDAP server for attribute lookup. While not ideal, this configuration should work with a few caveats that are listed in our CAS documentation.

Advantages of direct LDAP

Using the default CAS plugin rather than LDAP directly has the following advantages:

  • Moodle will use the same 'web-id' for uniquely identifying users
  • Once a custom CAS plugin is created, the user-id ('user' table, 'username' column in the Moodle database) will stay the same, hopefully preventing any need for user-mapping or making that job much easier if it is needed.
  • Users will not have to enter their credentials again if they have already logged into another application via CAS.


  • Because groups in our LDAP server (Active Directory) may be members of groups themselves, your application will need to manually traverse the group hierarchy in order to get a full list of groups.
    Example: A class-group does not directly have any members, but rather is a container for three groups (instructors, students, audits) that each directly contain members.
  • We may run multiple LDAP servers in the future to hold information on visitors and other constituent groups. At that time you may encounter users who can authenticate via CAS, but are not listed in our primary LDAP server.

Configuration in Moodle

After enabling the CAS module, use the following configuration settings:

CAS server configuration

Base URI
Proxy mode
Logout CAS

LDAP server configuration

Setting Value
Host URL ldap://middlebury.edu
Version 2
LDAP Encoding utf-8 (I think, I haven't been able to test on names containing non-ASCII chars)

Bind settings

Setting Value
Distinguished Name CN=********,CN=Users,DC=middlebury,DC=edu
Password ********

User lookup settings

Setting Value
User type MS ActiveDirectory
Contexts DC=middlebury,DC=edu
Search subcontexts Yes
Dereference aliases No (not sure what this does)
User attribute MiddleburyCollegeUID
Member attribute member
Member attribute uses dn 1
Object class

Course creator

Setting Value
Attribute creators CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=MIIS Faculty,OU=Groups,OU=MIIS,DC=middlebury,DC=edu;CN=MIIS Staff,OU=Groups,OU=MIIS,DC=middlebury,DC=edu;
Group creators CN=All Faculty,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=All Staff,OU=General,OU=Groups,DC=middlebury,DC=edu;CN=MIIS Faculty,OU=Groups,OU=MIIS,DC=middlebury,DC=edu;CN=MIIS Staff,OU=Groups,OU=MIIS,DC=middlebury,DC=edu;

Cron synchronization script

Setting Value
Removed ext user Optional

Data mapping

The fields that are mapped should probably be set to Update local "On every login" and Lock value "Locked", but for some you might want to have them pre-populated on creation and then allow user-editing of the value. Update external should always be "Never".

Setting Value
First name givenName
Surname sn
Email address mail
Language (msExchUserCulture might work, but returns values with a hyphen rather than an underscore: en-US rather than en_US. Haven't been able to test if this works or not.)
Description title
Web page
ID number
Institution company
Department department
Phone 1 telephoneNumber
Phone 2
Address extensionAttribute3

Custom CAS Plugin with Attribute Support

We plan to create a customized CAS plugin that makes use of the user attributes returned in the CAS response. This page will be updated once such a custom plugin has been developed.

Using a custom CAS plugin has the following advantages over the default CAS plugin:

  • When implemented, visitor accounts will be available in Moodle
  • A full list of groups (including parent groups) are available

Updating User Records

If Moodle has been in use previously, users will not be able to access their existing courses when they log-in via CAS as duplicate accounts will be created. To fix this the Moodle user table must be updated to change the auth column values from 'ldap' to 'cas' and the username column from the sAMAccountName (e.g. afranco) to the MiddleburyCollegeUID (e.g. B0F836FCDB74DDFF7A17C02C62CDB227). Once this change has been made for all users, logins that occur via CAS will retain their internal priviliges and associations to courses.

After updating the user records in this way, it is important to disable LDAP authentication so that duplicate accounts to not get created again.

Example Update Script

Note, the script will fail to update LDAP user records to CAS user records if the user has already logged in via CAS. A duplicate key exception on the username column will prevent update, so run this before users log in via CAS.


$ldapHost = 'ldap://middlebury.edu';
$ldapUser = '******';
$ldapPass = '******';
$ldapBase = 'dc=middlebury,dc=edu';

$dsn = 'mysql:host=localhost;dbname=afranco_moodle';
$dbUser = '******';
$dbPass = '******';
$dbTablePrefix = 'mdl_';

$db = new PDO($dsn, $dbUser, $dbPass);

$ldapLink = ldap_connect($ldapHost);

if (!$ldapLink)
throw new Exception('Could not connect to the ldap server');

if (!ldap_bind($ldapLink, $ldapUser, $ldapPass))
throw new Exception('Could not bind to the ldap server');

$updateStmt = $db->prepare("UPDATE ".$dbTablePrefix."user SET auth='cas', username=:uid WHERE id=:id LIMIT 1");

foreach ($db->query("SELECT id, username FROM ".$dbTablePrefix."user WHERE auth='ldap';") as $row) {
$id = $row['id'];
$username = $row['username'];

// Look up the user in LDAP
$results = ldap_search($ldapLink, $ldapBase, "(sAMAccountName=".$username.")", array("MiddleburyCollegeUID"), 0, 1);

// Just skip if the user in no longer in LDAP, i.e. alumni
if (!$results) {
print "Could not find $username in LDAP\n";

$info = ldap_get_entries($ldapLink, $results);

// Just skip if the user in no longer in LDAP, i.e. alumni
if (!$info['count']) {
print "Could not find $username in LDAP\n";

// if they don't have a MiddleburyCollegeUID (i.e. some vendors), there is nothing we can do, skip
if (!isset($info[0]['middleburycollegeuid']) || !$info[0]['middleburycollegeuid']['count'] || !strlen($info[0]['middleburycollegeuid'][0]))

$uid = $info[0]['middleburycollegeuid'][0];

print "Updating $username\tto\t$uid";

$num = $updateStmt->execute(array(':uid' => $uid, ':id' => $id));
if ($num)
print "\t ==> Success";
print "\t ==> Failed";

print "\n";