MDL-9626 Enable user signup with Active Directory (via LDAP); patch by Iñaki Arenaza - thanks!

This commit is contained in:
skodak 2007-05-30 08:47:00 +00:00
parent ca9cd23cf9
commit 81fb221d31
2 changed files with 66 additions and 1 deletions


@ -16,6 +16,14 @@ if (!defined('MOODLE_INTERNAL')) {
die('Direct access to this script is forbidden.'); /// It must be included from a Moodle page die('Direct access to this script is forbidden.'); /// It must be included from a Moodle page
} }
// See http://support.microsoft.com/kb/305144 to interprete these values.
if (!defined('AUTH_AD_ACCOUNTDISABLE')) {
define('AUTH_AD_ACCOUNTDISABLE', 0x0002);
}
if (!defined('AUTH_AD_NORMAL_ACCOUNT')) {
define('AUTH_AD_NORMAL_ACCOUNT', 0x0200);
}
require_once($CFG->libdir.'/authlib.php'); require_once($CFG->libdir.'/authlib.php');
/** /**
@ -271,11 +279,46 @@ class auth_plugin_ldap extends auth_plugin_base {
$newuser['uniqueId'] = $extusername; $newuser['uniqueId'] = $extusername;
$newuser['logindisabled'] = "TRUE"; $newuser['logindisabled'] = "TRUE";
$newuser['userpassword'] = $extpassword; $newuser['userpassword'] = $extpassword;
$uadd = $this->ldap_add($ldapconnection, $this->config->user_attribute.'="'.$this->ldap_addslashes($userobject->username).','.$this->config->create_context.'"', $newuser);
break;
case 'ad':
// User account creation is a two step process with AD. First you
// create the user object, then you set the password. If you try
// to set the password while creating the user, the operation
// fails.
// Passwords in Active Directory must be encoded as Unicode
// strings (UCS-2 Little Endian format) and surrounded with
// double quotes. See http://support.microsoft.com/?kbid=269190
if (!function_exists('mb_convert_encoding')) {
print_error ('auth_ldap_no_mbstring', 'auth');
}
// First create the user account, and mark it as disabled.
$newuser['objectClass'] = array('top','person','user','organizationalPerson');
$newuser['sAMAccountName'] = $extusername;
$newuser['userAccountControl'] = AUTH_AD_NORMAL_ACCOUNT |
AUTH_AD_ACCOUNTDISABLE;
$userdn = 'cn=' . $this->ldap_addslashes($extusername) .
',' . $this->config->create_context;
if (!ldap_add($ldapconnection, $userdn, $newuser)) {
print_error ('auth_ldap_ad_create_req', 'auth');
}
// Now set the password
unset($newuser);
$newuser['unicodePwd'] = mb_convert_encoding('"' . $extpassword . '"',
"UCS-2LE", "UTF-8");
if(!ldap_modify($ldapconnection, $userdn, $newuser)) {
// Something went wrong: delete the user account and error out
ldap_delete ($ldapconnection, $userdn);
print_error ('auth_ldap_ad_create_req', 'auth');
}
$uadd = true;
break; break;
default: default:
print_error('auth_ldap_unsupportedusertype','auth','',$this->config->user_type); print_error('auth_ldap_unsupportedusertype','auth','',$this->config->user_type);
} }
$uadd = $this->ldap_add($ldapconnection, $this->config->user_attribute.'="'.$this->ldap_addslashes($userobject->username).','.$this->config->create_context.'"', $newuser);
ldap_close($ldapconnection); ldap_close($ldapconnection);
return $uadd; return $uadd;
@ -843,6 +886,16 @@ class auth_plugin_ldap extends auth_plugin_base {
case 'edir': case 'edir':
$newinfo['loginDisabled']="FALSE"; $newinfo['loginDisabled']="FALSE";
break; break;
case 'ad':
// We need to unset the ACCOUNTDISABLE bit in the
// userAccountControl attribute ( see
// http://support.microsoft.com/kb/305144 )
$sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
array('userAccountControl'));
$info = ldap_get_entries($ldapconnection, $sr);
$newinfo['userAccountControl'] = $info[0]['userAccountControl'][0]
& (~AUTH_AD_ACCOUNTDISABLE);
break;
default: default:
error ('auth: ldap user_activate() does not support selected usertype:"'.$this->config->user_type.'" (..yet)'); error ('auth: ldap user_activate() does not support selected usertype:"'.$this->config->user_type.'" (..yet)');
} }
@ -868,6 +921,16 @@ class auth_plugin_ldap extends auth_plugin_base {
case 'edir': case 'edir':
$newinfo['loginDisabled']="TRUE"; $newinfo['loginDisabled']="TRUE";
break; break;
case 'ad':
// We need to set the ACCOUNTDISABLE bit in the
// userAccountControl attribute ( see
// http://support.microsoft.com/kb/305144 )
$sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
array('userAccountControl'));
$info = auth_ldap_get_entries($ldapconnection, $sr);
$newinfo['userAccountControl'] = $info[0]['userAccountControl'][0]
| AUTH_AD_ACCOUNTDISABLE;
break;
default: default:
error ('auth: ldap user_disable() does not support selected usertype (..yet)'); error ('auth: ldap user_disable() does not support selected usertype (..yet)');
} }
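Review bot: In the user_activate() 'ad' branch the entry is fetched with plain `ldap_get_entries()` and then indexed as `$info[0]['userAccountControl'][0]`, but PHP's ldap_get_entries() lowercases attribute names, so that key is undefined and the expression degrades to `null & ~AUTH_AD_ACCOUNTDISABLE`, i.e. 0 — the modify that follows would write userAccountControl as 0 instead of just clearing the disable bit. The user_disable() branch does the same read through `auth_ldap_get_entries()`; if that helper (defined outside this hunk) preserves attribute case, user_activate() should use it as well: `$info = auth_ldap_get_entries($ldapconnection, $sr);`. Both branches also use `$sr` and `$info[0]` without checking that ldap_read() succeeded and returned an entry with the attribute; a guard such as `if (!$sr || empty($info[0]['userAccountControl'][0])) { error('auth: ldap could not read userAccountControl for '.$userdn); }` before the bit arithmetic would stop a failed read from being turned into a bogus account-control value. The enclosing user_activate() and user_disable() methods start and end outside the hunks shown.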


@ -150,6 +150,7 @@ $string['auth_imapport_key'] = 'Port';
$string['auth_imapchangepasswordurl_key'] = 'Password-change URL'; $string['auth_imapchangepasswordurl_key'] = 'Password-change URL';
// LDAP plugin // LDAP plugin
$string['auth_ldap_ad_create_req'] = 'Cannot create the new account in Active Directory. Make sure you meet all the requirements for this to work (LDAPS connection, bind user with adequate rights, etc.)';
$string['auth_ldap_bind_dn'] = 'If you want to use bind-user to search users, specify it here. Something like \'cn=ldapuser,ou=public,o=org\''; $string['auth_ldap_bind_dn'] = 'If you want to use bind-user to search users, specify it here. Something like \'cn=ldapuser,ou=public,o=org\'';
$string['auth_ldap_bind_pw'] = 'Password for bind-user.'; $string['auth_ldap_bind_pw'] = 'Password for bind-user.';
$string['auth_ldap_bind_settings'] = 'Bind settings'; $string['auth_ldap_bind_settings'] = 'Bind settings';
@ -167,6 +168,7 @@ $string['auth_ldap_ldap_encoding'] = 'Specify encoding used by LDAP server. Most
$string['auth_ldap_login_settings'] = 'Login settings'; $string['auth_ldap_login_settings'] = 'Login settings';
$string['auth_ldap_memberattribute'] = 'Optional: Overrides user member attribute, when users belongs to a group. Usually \'member\''; $string['auth_ldap_memberattribute'] = 'Optional: Overrides user member attribute, when users belongs to a group. Usually \'member\'';
$string['auth_ldap_memberattribute_isdn'] = 'Optional: Overrides handling of member attribute values, either 0 or 1'; $string['auth_ldap_memberattribute_isdn'] = 'Optional: Overrides handling of member attribute values, either 0 or 1';
$string['auth_ldap_no_mbstring'] = 'You need the mbstring extension to create users in Active Directory.';
$string['auth_ldap_objectclass'] = 'Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you dont need to chage this.'; $string['auth_ldap_objectclass'] = 'Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you dont need to chage this.';
$string['auth_ldap_opt_deref'] = 'Determines how aliases are handled during search. Select one of the following values: \"No\" (LDAP_DEREF_NEVER) or \"Yes\" (LDAP_DEREF_ALWAYS)'; $string['auth_ldap_opt_deref'] = 'Determines how aliases are handled during search. Select one of the following values: \"No\" (LDAP_DEREF_NEVER) or \"Yes\" (LDAP_DEREF_ALWAYS)';
$string['auth_ldap_passtype'] = 'Specify the format of new or changed passwords in LDAP server.'; $string['auth_ldap_passtype'] = 'Specify the format of new or changed passwords in LDAP server.';