See Release Notes

  • Bug fixes for general core bugs in 3.11.x will end 14 Nov 2022 (12 months plus 6 months extension).
  • Bug fixes for security issues in 3.11.x will end 13 Nov 2023 (18 months plus 12 months extension).
  • PHP version: minimum PHP 7.3.0. Note: the minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is supported too.
/auth/ldap/ -> auth.php (source)

Authentication Plugin: LDAP Authentication. Authentication using LDAP (Lightweight Directory Access Protocol).

Author: Martin Dougiamas
Author: Iñaki Arenaza
License: http://www.gnu.org/copyleft/gpl.html GNU Public License
File Size: 2224 lines (95 kb)
Included or required:0 times
Referenced: 1 time
Includes or requires: 0 files

Defines 2 classes


Class: auth_plugin_ldap  - X-Ref

LDAP authentication plugin.

init_plugin($authtype)   X-Ref
Init plugin config from database settings depending on the plugin auth type.


__construct()   X-Ref
Constructor with initialisation.


auth_plugin_ldap()   X-Ref
Old-style (PHP 4) class constructor, kept for backwards compatibility. Deprecated since PHP 7.


user_login($username, $password)   X-Ref
Returns true if the username and password work and false if they are
wrong or don't exist.

param: string $username The username (without system magic quotes)
param: string $password The password (without system magic quotes)
return: bool Authentication success or failure.

get_userinfo($username)   X-Ref
Reads user information from LDAP and returns it in an array.

The function should return all information available. If you are saving
this information to the Moodle user table you should honour the synchronisation flags.

param: string $username username
return: mixed array with no magic quotes or false on error

get_userinfo_asobj($username)   X-Ref
Reads user information from ldap and returns it in an object

param: string $username username (with system magic quotes)
return: mixed object or false on error

get_userlist()   X-Ref
Returns all usernames from LDAP.

return: array

user_exists($username)   X-Ref
Checks if user exists on LDAP

param: string $username

user_create($userobject, $plainpass)   X-Ref
Creates a new user in LDAP using the information in $userobject.
Call user_exists() first to prevent duplicate usernames.

param: mixed $userobject  Moodle userobject
param: mixed $plainpass   Plaintext password

can_reset_password()   X-Ref
Returns true if plugin allows resetting of password from moodle.

return: bool

can_be_manually_set()   X-Ref
Returns true if plugin can be manually set.

return: bool

can_signup()   X-Ref
Returns true if plugin allows signup and user creation.

return: bool

user_signup($user, $notify=true)   X-Ref
Sign up a new user ready for confirmation.
Password is passed in plaintext.

param: object $user new user object
param: boolean $notify print notice with link and terminate
return: boolean success

can_confirm()   X-Ref
Returns true if plugin allows confirming of new users.

return: bool

user_confirm($username, $confirmsecret)   X-Ref
Confirm the new user as registered.

param: string $username
param: string $confirmsecret

password_expire($username)   X-Ref
Returns the number of days until the user's password expires.

If the password does not expire it should return 0. If the password has already expired
it should return a negative value.

param: mixed $username username
return: integer

sync_users($do_updates=true)   X-Ref
Synchronises users from the external LDAP server to the Moodle user table.

Sync now uses the username attribute.

Syncing removes or suspends users that no longer exist in the external LDAP directory,
creates new users and updates the course creator status of users.

param: bool $do_updates if true, also pull data updates from LDAP where relevant
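The reconciliation step that sync_users() performs, written out as a pure function so it can be reasoned about without a database. This is an added example, not Moodle's own sync code: the REMOVE_* constants, the plan_ldap_sync() function and the sample username lists are all constructed here. It also carries the guard a practitioner wants on this path: an empty result from the directory almost always means a connection or query problem, and treating it as "everybody left" would suspend or delete every LDAP account on the site.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's sync_users(). Hypothetical constants mirroring the
// three "remove user" behaviours the description above lists.
const REMOVE_KEEP    = 0;  // leave accounts missing from LDAP untouched
const REMOVE_SUSPEND = 1;  // suspend them (and revive them if they reappear)
const REMOVE_DELETE  = 2;  // delete them

/**
 * Compute what a sync run would do, without touching anything.
 *
 * @param string[] $ldapusernames usernames returned by the directory
 * @param array    $moodleusers   username => suspended flag (0/1) for local accounts using this auth plugin
 * @param int      $removeaction  one of the REMOVE_* constants
 * @return array   usernames keyed by action: create, update, revive, suspend, delete
 */
function plan_ldap_sync(array $ldapusernames, array $moodleusers, int $removeaction): array {
    if ($ldapusernames === []) {
        // Refuse to act on an empty directory listing: an outage, a wrong bind DN
        // or a bad base context must not turn into a mass suspension.
        throw new RuntimeException('LDAP returned no users; refusing to suspend or delete anyone');
    }

    // LDAP usernames are case-insensitive in practice; compare both sides lower-cased.
    $ldap = [];
    foreach ($ldapusernames as $u) {
        $ldap[mb_strtolower(trim($u))] = true;
    }

    $plan = ['create' => [], 'update' => [], 'revive' => [], 'suspend' => [], 'delete' => []];

    foreach ($moodleusers as $username => $suspended) {
        $key = mb_strtolower((string)$username);
        if (isset($ldap[$key])) {
            // Present on both sides: refresh the profile, or lift an earlier suspension.
            $plan[$suspended ? 'revive' : 'update'][] = (string)$username;
            unset($ldap[$key]);            // whatever is left over afterwards must be created
            continue;
        }
        // Present locally but gone from the directory.
        if ($removeaction === REMOVE_SUSPEND && !$suspended) {
            $plan['suspend'][] = (string)$username;
        } elseif ($removeaction === REMOVE_DELETE) {
            $plan['delete'][] = (string)$username;
        }
    }
    $plan['create'] = array_keys($ldap);   // lower-cased, as Moodle stores usernames
    return $plan;
}

// Constructed sample data: three directory users, three local accounts (bob suspended).
$fromldap = ['alice', 'Bob', 'carol'];
$inmoodle = ['alice' => 0, 'bob' => 1, 'dave' => 0];

print_r(plan_ldap_sync($fromldap, $inmoodle, REMOVE_SUSPEND));

try {
    plan_ldap_sync([], $inmoodle, REMOVE_DELETE);   // the guard: nothing is planned
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With the sample data, carol is created, alice updated, bob revived and dave suspended; the second call stops at the guard before any deletion is planned.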

ldap_bulk_insert($username)   X-Ref
Bulk insert of a username into the SQL temporary table used during user sync.


user_activate($username)   X-Ref
Activates (enables) user in external LDAP so user can login

param: mixed $username
return: boolean result

iscreator($username)   X-Ref
Returns true if user should be coursecreator.

param: mixed $username    username (without system magic quotes)
return: mixed result      null if course creators is not configured, boolean otherwise.

is_role($username, $role)   X-Ref
Check if user has LDAP group membership.

Returns true if user should be assigned role.

param: mixed $username username (without system magic quotes).
param: array $role Array of role's shortname, localname, and settingname for the config value.
return: mixed result null if role/LDAP context is not configured, boolean otherwise.

user_update($olduser, $newuser)   X-Ref
Called when the user record is updated.

Modifies user in external LDAP server. It takes olduser (before
changes) and newuser (after changes) compares information and
saves modified information to external LDAP server.

param: mixed $olduser     Userobject before modifications    (without system magic quotes)
param: mixed $newuser     Userobject new modified userobject (without system magic quotes)
return: boolean result

user_update_password($user, $newpassword)   X-Ref
Changes userpassword in LDAP

Called when the user password is updated. It assumes it is
called by an admin or that you've otherwise checked the user's
credentials

param: object  $user        User table object
param: string  $newpassword Plaintext password (not crypted/md5'ed)
return: boolean result

ldap_expirationtime2unix($time, $ldapconnection, $user_dn)   X-Ref
Takes an expiration timestamp as read from LDAP and returns it as a Unix timestamp in seconds.
The conversion depends on $this->config->user_type.

param: mixed $time Time stamp read from LDAP as it is.
param: resource $ldapconnection Open LDAP connection (only needed for Active Directory).
param: string $user_dn Distinguished name of the user whose password expiration we are checking (only needed for Active Directory).
return: timestamp

ldap_unix2expirationtime($time)   X-Ref
Takes a Unix timestamp and returns it formatted for storing in LDAP

param: integer $time unix time stamp

ldap_attributes()   X-Ref
Returns user attribute mappings between moodle and LDAP

return: array

ldap_get_userlist($filter='*')   X-Ref
Returns all usernames from LDAP

param: $filter An LDAP search filter to select desired users
return: array of LDAP user names converted to UTF-8

prevent_local_passwords()   X-Ref
Indicates if password hashes should be stored in local moodle database.

return: bool true means flag 'not_cached' stored instead of password hash

is_internal()   X-Ref
Returns true if this authentication plugin is 'internal'.

return: bool

can_change_password()   X-Ref
Returns true if this authentication plugin can change the user's
password.

return: bool

change_password_url()   X-Ref
Returns the URL for changing the user's password, or empty if the default can
be used.

return: moodle_url

loginpage_hook()   X-Ref
Will get called before the login page is shown. If NTLM SSO
is enabled, and the user is in the right network, we'll redirect
to the magic NTLM page for SSO...


ntlmsso_magic($sesskey)   X-Ref
To be called from a page running under NTLM's
"Integrated Windows Authentication".

If successful, it will set a special "cookie" (not an HTTP cookie!)
in cache_flags under the $this->pluginconfig/ntlmsess "plugin" and return true.
The "cookie" will be picked up by ntlmsso_finish() to complete the
process.

On failure it will return false for the caller to display an appropriate
error message (probably saying that Integrated Windows Auth isn't enabled!)

NOTE that this code will execute under the OS user credentials,
so we MUST avoid dealing with files -- such as session files.
(The caller should define('NO_MOODLE_COOKIES', true) before including config.php)


ntlmsso_finish()   X-Ref
Find the session set by ntlmsso_magic(), validate it and
call authenticate_user_login() to authenticate the user through
the auth machinery.

It is complemented by a similar check in user_login().

If it succeeds, it never returns.


sync_roles($user)   X-Ref
Sync roles for this user.

param: object $user The user to sync (without system magic quotes).

ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn)   X-Ref
Get the password expiration time for a given user from Active Directory.

param: string $pwdlastset The pwdLastSet value: the time the password was last changed.
param: resource $ldapconn The open LDAP connection.
param: string $user_dn The distinguished name of the user we are checking.
return: string $unixtime
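The timestamp formats behind ldap_expirationtime2unix(), ldap_unix2expirationtime() and ldap_get_ad_pwdexpire() differ per directory type: Active Directory stores pwdLastSet as a FILETIME (100 ns ticks since 1601-01-01) and the domain's maxPwdAge as a negative 100 ns interval, eDirectory uses LDAP GeneralizedTime, and RFC 2307 shadowExpire is a day count. The block below is an added example, not the plugin's own code: the function names are hypothetical, the epoch offset and userAccountControl bit values are the documented Windows constants, and the sample attribute values are constructed. It ends with the contract password_expire() documents (0 = never, negative = already expired), and the same userAccountControl bitfield is what an "is this account disabled" check such as is_user_suspended() has to look at for AD.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's own conversion code.
const WINDOWS_EPOCH_OFFSET = 11644473600;   // seconds between 1601-01-01 and 1970-01-01
const HUNDRED_NS_PER_SEC   = 10000000;
// Documented userAccountControl flags (Windows ADS_USER_FLAG values).
const ADS_UF_ACCOUNTDISABLE     = 0x2;
const ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;

/** Active Directory FILETIME string (100 ns ticks since 1601) -> Unix seconds. */
function filetime_to_unix(string $filetime): int {
    // Needs a 64-bit PHP build; pwdLastSet is a 64-bit value.
    return intdiv((int)$filetime, HUNDRED_NS_PER_SEC) - WINDOWS_EPOCH_OFFSET;
}

/** Unix seconds -> FILETIME string, the form written back to AD. */
function unix_to_filetime(int $unixtime): string {
    return (string)(($unixtime + WINDOWS_EPOCH_OFFSET) * HUNDRED_NS_PER_SEC);
}

/** LDAP GeneralizedTime in UTC ("20250131120000Z", e.g. eDirectory passwordExpirationTime) -> Unix seconds. */
function generalizedtime_to_unix(string $gt): int {
    $dt = DateTimeImmutable::createFromFormat('YmdHis\Z', $gt, new DateTimeZone('UTC'));
    if ($dt === false) {
        throw new InvalidArgumentException("Bad GeneralizedTime: $gt");
    }
    return $dt->getTimestamp();
}

/** Unix seconds -> GeneralizedTime in UTC. */
function unix_to_generalizedtime(int $unixtime): string {
    return gmdate('YmdHis', $unixtime) . 'Z';
}

/** RFC 2307 shadowExpire is days since the Unix epoch. */
function shadowexpire_to_unix(string $days): int {
    return ((int)$days) * 86400;
}

/** True when the AD account is disabled, whatever the password state. */
function ad_account_disabled(int $useraccountcontrol): bool {
    return ($useraccountcontrol & ADS_UF_ACCOUNTDISABLE) !== 0;
}

/**
 * AD password expiry: 0 = never expires, -1 = must change at next logon
 * (pwdLastSet is 0), otherwise a Unix timestamp.
 */
function ad_password_expiry(string $pwdlastset, string $maxpwdage, int $useraccountcontrol): int {
    if ($useraccountcontrol & ADS_UF_DONT_EXPIRE_PASSWD) {
        return 0;
    }
    // maxPwdAge on the domain root is a *negative* 100 ns interval;
    // 0 and the 64-bit minimum both mean "passwords never expire".
    $age = (int)$maxpwdage;
    if ($age === 0 || $age === PHP_INT_MIN) {
        return 0;
    }
    if ((int)$pwdlastset === 0) {
        return -1;
    }
    return filetime_to_unix($pwdlastset) + intdiv(-$age, HUNDRED_NS_PER_SEC);
}

/** Days until expiry, in password_expire()'s contract: 0 = never, negative = already expired (this includes -1, "change now"). */
function days_until_expiry(int $expiry, int $now): int {
    if ($expiry === 0) {
        return 0;
    }
    return intdiv($expiry - $now, 86400);   // truncates toward zero
}

// Constructed sample values: pwdLastSet for 2025-01-31 12:00:00 UTC, a 42-day maxPwdAge, a NORMAL_ACCOUNT (0x200).
$expiry = ad_password_expiry('133827984000000000', '-36288000000000', 0x200);
echo gmdate('c', $expiry), PHP_EOL;
echo days_until_expiry($expiry, generalizedtime_to_unix('20250201000000Z')), PHP_EOL;
echo unix_to_filetime(generalizedtime_to_unix('20250131120000Z')), PHP_EOL;
var_dump(ad_account_disabled(0x202));   // NORMAL_ACCOUNT | ACCOUNTDISABLE
```

The round trip in the third line reproduces the constructed pwdLastSet value, which is the easiest way to check the offset and tick constants on a new build.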

ldap_connect()   X-Ref
Connect to the LDAP server, using the plugin configured
settings. It's actually a wrapper around ldap_connect_moodle()

return: resource A valid LDAP connection (or dies if it can't connect)

ldap_close($force=false)   X-Ref
Disconnects from a LDAP server

param: boolean $force Forces closing the real connection to the LDAP server, ignoring any

ldap_find_userdn($ldapconnection, $extusername)   X-Ref
Search the configured contexts for the username and return the user DN
(like cn=username,ou=suborg,o=org). It's actually a wrapper around the
ldap_find_userdn() function in lib/ldaplib.php.

param: resource $ldapconnection a valid LDAP connection
param: string $extusername the username to search (in external LDAP encoding, no db slashes)
return: mixed the user dn (external LDAP encoding) or false

get_ntlm_remote_user($remoteuser)   X-Ref
When using NTLM SSO, the format of the remote username we get in
$_SERVER['REMOTE_USER'] may vary, depending on where from and how the web
server gets the data. So we let the admin configure the format using two
place holders (%domain% and %username%). This function tries to extract
the username (stripping the domain part and any separators if they are
present) from the value present in $_SERVER['REMOTE_USER'], using the
configured format.

param: string $remoteuser The value from $_SERVER['REMOTE_USER'] (converted to UTF-8)
return: string The remote username (without domain part or
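The placeholder scheme described for get_ntlm_remote_user(), as an added example rather than the plugin's own implementation: an admin-configured format such as %domain%\%username% or %username%@%domain% is turned into an anchored regular expression and the bare username is extracted. The function names, the separator character class and the sample REMOTE_USER values are all assumptions made here. Two points matter for security: the literal parts of the format must be quoted before they become regex, and a value that does not match the configured shape is rejected rather than taken as a username. The value itself is only meaningful when the web server's Integrated Windows Authentication module sets it; it must never be read from a client-supplied header.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's get_ntlm_remote_user().
function ntlm_remote_user_regex(string $format): string {
    // Everything in the format that is not a placeholder is literal text: quote it,
    // so a separator such as "." or "\" cannot change the meaning of the regex.
    $quoted = preg_quote($format, '/');
    // preg_quote() does not touch "%", so the placeholders are still intact here.
    // Neither part may contain the usual separators (backslash, "@", "/").
    $pattern = str_replace(
        ['%domain%', '%username%'],
        ['(?<domain>[^\\\\@\\/]+)', '(?<username>[^\\\\@\\/]+)'],
        $quoted
    );
    return '/^' . $pattern . '$/u';
}

/** Returns the lower-cased username, or null when REMOTE_USER does not fit the configured format. */
function ntlm_remote_username(string $remoteuser, string $format): ?string {
    if (preg_match(ntlm_remote_user_regex($format), $remoteuser, $m) !== 1) {
        return null;   // do not guess: an unexpected shape is an error, not a username
    }
    // The directory is queried with this value; LDAP usernames are case-insensitive.
    return mb_strtolower($m['username']);
}

// Constructed samples: [REMOTE_USER value, configured format].
$cases = [
    ['EXAMPLE\\jdoe',     '%domain%\\%username%'],
    ['jdoe@example.org',  '%username%@%domain%'],
    ['jdoe',              '%username%'],
    ['EXAMPLE\\jdoe',     '%username%'],   // format has no domain part: rejected, not taken whole
];
foreach ($cases as [$remote, $fmt]) {
    var_dump(ntlm_remote_username($remote, $fmt));
}
```

The first three cases yield jdoe; the last yields null, because the backslash is excluded from the username character class and the pattern is anchored at both ends.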

ldap_ad_pwdexpired_from_diagmsg($diagmsg)   X-Ref
Check if the diagnostic message for the LDAP login error tells us that the
login is denied because the user password has expired or the password needs
to be changed on first login (using interactive SMB/Windows logins, not
LDAP logins).

param: string the diagnostic message for the LDAP login error
return: bool true if the password has expired or the password must be changed on first login
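user_login(), ldap_find_userdn() and ldap_ad_pwdexpired_from_diagmsg() together form the password-login path, and each has a check a reviewer looks for. The block below is an added example, not the plugin's code; the host, base DN, attribute names and the diagnostic strings are constructed, and the function names are hypothetical. It shows: refusing empty passwords, because an LDAP simple bind with a DN and an empty password is an anonymous bind and succeeds on most servers; escaping the username before it is placed in a search filter, so a value like jdoe)(uid=* cannot rewrite the query; and reading the server's diagnostic message after a failed bind to distinguish an expired or must-change password from plain wrong credentials. The sub-error codes used are Microsoft's documented values for AcceptSecurityContext failures.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's user_login()/ldap_find_userdn()/ldap_ad_pwdexpired_from_diagmsg().
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);   // OpenLDAP's value, for builds lacking the constant
}

// AD bind failures carry "... AcceptSecurityContext error, data <hex>, ..." in the diagnostic text.
const AD_ERR_PASSWORD_EXPIRED   = '532';
const AD_ERR_ACCOUNT_DISABLED   = '533';
const AD_ERR_MUST_CHANGE_PASSWD = '773';
const AD_ERR_ACCOUNT_LOCKED     = '775';

/** Classify an AD bind failure from its diagnostic message (pure function; no server needed). */
function ad_bind_failure_reason(string $diagmsg): string {
    if (preg_match('/\bdata ([0-9a-f]+)\b/i', $diagmsg, $m) !== 1) {
        return 'invalid_credentials';
    }
    switch (strtolower($m[1])) {
        case AD_ERR_PASSWORD_EXPIRED:
        case AD_ERR_MUST_CHANGE_PASSWD:
            return 'password_expired';     // what ldap_ad_pwdexpired_from_diagmsg() reports
        case AD_ERR_ACCOUNT_DISABLED:
            return 'account_disabled';
        case AD_ERR_ACCOUNT_LOCKED:
            return 'account_locked';
        default:
            return 'invalid_credentials';  // e.g. 52e (bad password), 525 (no such user)
    }
}

/** Build the user-lookup filter with the username escaped for the filter context. */
function build_user_filter(string $userattribute, string $username, string $objectclassfilter): string {
    // ldap_escape() with LDAP_ESCAPE_FILTER turns ( ) * \ and NUL into \28 \29 \2a \5c \00.
    $safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    return "(&({$userattribute}={$safe})({$objectclassfilter}))";
}

/**
 * Password login against an already-connected (and TLS-protected) LDAP handle.
 * Returns a reason string rather than just true/false so callers can act on expiry.
 */
function ldap_password_login($conn, string $basedn, string $username, string $password): string {
    if ($username === '' || $password === '') {
        return 'empty_credentials';   // never let this become an anonymous bind
    }
    $filter = build_user_filter('sAMAccountName', $username, 'objectClass=user');
    $result = @ldap_search($conn, $basedn, $filter, ['dn']);
    if ($result === false) {
        return 'search_failed';
    }
    $entries = ldap_get_entries($conn, $result);
    if ($entries['count'] !== 1) {
        return 'no_such_user';        // zero or ambiguous matches both mean "no"
    }
    $userdn = $entries[0]['dn'];
    if (@ldap_bind($conn, $userdn, $password)) {
        return 'ok';
    }
    $diagmsg = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagmsg);
    return ad_bind_failure_reason((string)$diagmsg);
}

// Offline checks on constructed inputs (no directory needed).
echo build_user_filter('uid', 'jdoe)(uid=*', 'objectClass=person'), PHP_EOL;
echo ad_bind_failure_reason('80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 532, v2580'), PHP_EOL;
echo ad_bind_failure_reason('80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580'), PHP_EOL;
echo ad_bind_failure_reason(''), PHP_EOL;

// Online use (placeholder host and base DN; requires ldap_connect() + ldap_start_tls() or ldaps://):
// $conn = ldap_connect('ldaps://ldap.example.org');
// ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// echo ldap_password_login($conn, 'dc=example,dc=org', 'jdoe', 'secret'), PHP_EOL;
```

In the filter line the injected parentheses and wildcard come out as \29, \28 and \2a, so the query still matches a single literal uid; the three classifier calls print password_expired, invalid_credentials and invalid_credentials. Without the empty-password check, ldap_bind($conn, $userdn, '') would return true on a default OpenLDAP or AD configuration, which is the classic LDAP authentication bypass.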

is_user_suspended($user)   X-Ref
Check if a user is suspended. This function is intended to be used after calling
get_userinfo_asobj. This is needed because LDAP doesn't have a notion of disabled
users, however things like MS Active Directory support it and expose information
through a field.

param: object $user the user object returned by get_userinfo_asobj
return: boolean

test_dn($ldapconn, $dn, $message, $a = null)   X-Ref
Test a DN

param: resource $ldapconn
param: string $dn The DN to check for existence
param: string $message The identifier of a string as in get_string()
param: string|object|array $a An object, string or number that can be used
return: true or a message in case of error

test_settings()   X-Ref
Test if settings are correct, print info to output.


get_profile_keys($fetchall = false)   X-Ref
Get the list of profile fields.

param: bool    $fetchall   Fetch all, not just those for update.
return: array