Wednesday, March 13, 2013

Syncing Active Directory Groups as Moodle Cohorts

We had a situation that required us to synchronize certain active directory groups with enrollment in a moodle course. The way we accomplished this was to use a moodle userscript that synced active directory groups as cohorts. Then we assigned the cohorts to the course using the "cohort-sync" enrollment type.

The following steps assume you already have moodle LDAP auth configured and are running the /auth/ldap/cli/sync_users.php to sync LDAP users to moodle.

1. Obtain the sync_cohorts.php script from https://tracker.moodle.org/browse/MDL-25011?attachmentOrder=desc and place it in /auth/ldap/cli/

2. Add the following lines to moodle's config.php

$CFG->ldap_group_class='group';
$CFG->ldap_process_nested_groups=1;
$CFG->ldap_real_user_attribute='sAMAccountName';

ldap_group_class - needs to be set to 'group' for active directory in order to match user groups
ldap_process_nested_groups - set this to 1 if you have groups as members of your groups in order to locate the actual users
ldap_real_user_attribute - this is probably whatever you have "User attribute" set to in moodle's LDAP settings. Also note that it is CASE SENSITIVE (that one gave me some trouble until I realized what the issue was).

3. Add the sync_cohorts.php script to your webserver user's crontab to be run sometime after the ldap sync_users.php finishes.

4. Add the newly created cohort to your course using the cohort-sync enrollment type.
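An added example (not part of the original post or of Moodle): rather than guessing in cron when sync_users.php will have finished, one wrapper can run both CLI scripts in order under a lock. The function name `moodle_ldap_sync` and the `MOODLE_DIR`, `PHP_BIN` and `LOCK_DIR` defaults are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example: chain the two LDAP CLI syncs from a single cron entry.
# MOODLE_DIR, PHP_BIN and LOCK_DIR are assumed values, not Moodle settings.
MOODLE_DIR="${MOODLE_DIR:-/var/www/moodle}"
PHP_BIN="${PHP_BIN:-php}"
LOCK_DIR="${LOCK_DIR:-/tmp/moodle-ldap-sync.lock}"

# Returns 0 if both syncs succeeded, 1 if a sync failed,
# 2 if another run holds the lock, 3 if a script is missing.
moodle_ldap_sync() {
    cli="$MOODLE_DIR/auth/ldap/cli"
    for script in sync_users.php sync_cohorts.php; do
        [ -f "$cli/$script" ] || { echo "missing $cli/$script" >&2; return 3; }
    done

    # mkdir is atomic, so the directory doubles as a lock against overlapping
    # cron runs. After a crash the stale directory has to be removed by hand.
    mkdir "$LOCK_DIR" 2>/dev/null || { echo "sync already running" >&2; return 2; }

    rc=0
    # Users first, as in step 3; cohorts are skipped when the user sync fails
    # so cohort membership is never rebuilt from a half-finished user sync.
    if "$PHP_BIN" "$cli/sync_users.php"; then
        "$PHP_BIN" "$cli/sync_cohorts.php" || rc=1
    else
        echo "sync_users.php failed; skipping sync_cohorts.php" >&2
        rc=1
    fi

    rmdir "$LOCK_DIR"
    return "$rc"
}

# Run only when invoked as "moodle-ldap-sync.sh --run", e.g. from the
# web server user's crontab (script path and schedule are assumptions):
#   15 2 * * * /usr/local/bin/moodle-ldap-sync.sh --run
if [ "${1:-}" = "--run" ]; then
    moodle_ldap_sync
    exit $?
fi
```

Because the cohorts feed course enrollment through cohort-sync, a non-zero exit from this wrapper is worth alerting on.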

Tuesday, March 12, 2013

Converting from Hyper-V using VMWare Converter: Take 2

I ran into another cause of the dreaded “Unable to obtain hardware information” when trying to convert some VMs from a Hyper-V 2012 server. Turns out that VMware Converter will throw this error if the VM is using the newer .vhdx virtual disk format instead of .vhd.

To get around it, convert the disks to .vhd (because Hyper-V server is a core server, I used the PowerShell cmdlet "Convert-VHD").

Power down the VM
Convert the vhdx to vhd using the command: Convert-VHD -Path C:\Path\To\Virtual\Drive\VMname.vhdx -DestinationPath C:\Path\To\Virtual\Drive\VMname.vhd
Reconfigure the VM. Detach the old vhdx drive, attach the vhd drive.
Run converter again.

Presto!

Friday, March 8, 2013

Converting from Hyper-V using VMWare Converter

Ran into this very issue that was blogged about here: http://www.techromeo.com/?p=115

Lots of head scratching on this one.  As usual, I took the long way around so I figured I had to share it.
Problem:  When using the new VMware Converter Standalone, running on Windows 2008R2, to convert Hyper-V machines, I would receive the error “Unable to obtain hardware information”.
Solution:  On the folder on the Hyper-V host that contains the vhd’s, set the NTFS permissions so that the local Users group has full control, rather than the default read permissions.
Background:  It appears that VMware converter creates a local account on the machine it is installed on.  I tried running Converter locally on the Hyper-V host and setting explicit permissions to that local account.  Also keep in mind that Converter will ask you for credentials to connect to the Hyper-V host and will not work without them.  I also tried to set the permissions to the machine account to that of the machine running converter.

 Good to know!

Friday, March 1, 2013

Syncing Moodle Users from Active Directory

I've been working a lot lately on automating user creation in moodle. We already have LDAP auth against our Active Directory server, but that only creates users when they log in. Also, because we are using Mnet to handle logins to two other servers, accounts weren't getting pre-populated there.

I came across a great powershell script by David Wiseman that I could adapt to query our student information system to create accounts in active directory. You can check it out here: http://www.wisesoft.co.uk/scripts/powershell_create_ad_user_accounts_from_sql_server_database.aspx

Once I had my accounts being created, I could use moodle's sync_users.php script running as a cron job to pre-populate our main moodle server. Some caveats though. Make sure you modify your objectclass filter in moodle to be (&(objectClass=user)(!(objectClass=computer))), otherwise you'll get computer accounts as well as user accounts. You'll also either need to patch sync_users.php to allow paginated results from LDAP, or use ntdsutil to increase the MaxPageSize variable for your active directory install so that it can return all the users in a single page (the default is 1000 results per page). There's some relevant moodle discussion here.

The last bit was to be able to pre-populate the linked mnet servers with the proper accounts, which I did using the following SQL query:


INSERT INTO moodle_db2.mdl_user (auth, confirmed, policyagreed, mnethostid, username, password, idnumber, firstname, lastname, email, institution, city, country)
SELECT 'mnet', mdl_user.confirmed, mdl_user.policyagreed, '5', mdl_user.username, mdl_user.password, mdl_user.idnumber, mdl_user.firstname, mdl_user.lastname, mdl_user.email, mdl_user.institution, mdl_user.city, mdl_user.country
FROM moodle_db1.mdl_user
WHERE institution = 'Mnet Institution Name'
ON DUPLICATE KEY UPDATE auth='mnet', confirmed=moodle_db1.mdl_user.confirmed, policyagreed=moodle_db1.mdl_user.policyagreed, mnethostid='5'

This lets me select just the users who should be on the federated mnet server and create their accounts; if the user already exists, it updates a few fields. mnethostid will vary by installation. In my case it was 5, but you should be able to query the database easily to find out what it should be in your specific installation.