Authentication Plugin: LDAP Authentication. Authentication using LDAP (Lightweight Directory Access Protocol).
Author: | Martin Dougiamas |
Author: | Iñaki Arenaza |
License: | http://www.gnu.org/copyleft/gpl.html GNU Public License |
File Size: | 2238 lines (96 kb) |
Included or required: | 0 times |
Referenced: | 1 time |
Includes or requires: | 0 files |
auth_plugin_ldap:: (3 methods):
init_plugin()
__construct()
auth_plugin_ldap()
name:: (42 methods):
user_login()
get_userinfo()
get_userinfo_asobj()
get_userlist()
user_exists()
user_create()
can_reset_password()
can_be_manually_set()
can_signup()
user_signup()
can_confirm()
user_confirm()
password_expire()
sync_users()
ldap_bulk_insert()
user_activate()
iscreator()
is_role()
user_update()
user_update_password()
ldap_expirationtime2unix()
ldap_unix2expirationtime()
ldap_attributes()
ldap_get_userlist()
prevent_local_passwords()
is_internal()
can_change_password()
change_password_url()
loginpage_hook()
ntlmsso_magic()
ntlmsso_finish()
sync_roles()
ldap_get_ad_pwdexpire()
ldap_connect()
ldap_close()
ldap_find_userdn()
get_ntlm_remote_user()
ldap_ad_pwdexpired_from_diagmsg()
is_user_suspended()
test_dn()
test_settings()
get_profile_keys()
Class: auth_plugin_ldap - X-Ref
LDAP authentication plugin.
init_plugin($authtype) X-Ref |
Init plugin config from database settings depending on the plugin auth type. |
__construct() X-Ref |
Constructor with initialisation. |
auth_plugin_ldap() X-Ref |
Old syntax of class constructor. Deprecated in PHP7. |
user_login($username, $password) X-Ref |
Returns true if the username and password work and false if they are wrong or don't exist. return: bool Authentication success or failure. param: string $username The username (without system magic quotes) param: string $password The password (without system magic quotes) |
get_userinfo($username) X-Ref |
Reads user information from LDAP and returns it in an array. The function should return all information available. If you are saving this information to the Moodle user table, you should honor synchronization flags. return: mixed array with no magic quotes or false on error param: string $username username |
get_userinfo_asobj($username) X-Ref |
Reads user information from LDAP and returns it in an object. return: mixed object or false on error param: string $username username (with system magic quotes) |
get_userlist() X-Ref |
Returns all usernames from LDAP. return: array |
user_exists($username) X-Ref |
Checks if the user exists on LDAP. param: string $username |
user_create($userobject, $plainpass) X-Ref |
Creates a new user on LDAP using the information in userobject. Use user_exists to prevent duplicate usernames. param: mixed $userobject Moodle userobject param: mixed $plainpass Plaintext password |
can_reset_password() X-Ref |
Returns true if plugin allows resetting of password from moodle. return: bool |
can_be_manually_set() X-Ref |
Returns true if plugin can be manually set. return: bool |
can_signup() X-Ref |
Returns true if plugin allows signup and user creation. return: bool |
user_signup($user, $notify=true) X-Ref |
Sign up a new user ready for confirmation. Password is passed in plaintext. return: boolean success param: object $user new user object param: boolean $notify print notice with link and terminate |
can_confirm() X-Ref |
Returns true if plugin allows confirming of new users. return: bool |
user_confirm($username, $confirmsecret) X-Ref |
Confirm the new user as registered. param: string $username param: string $confirmsecret |
password_expire($username) X-Ref |
Returns the number of days until the user's password expires. If the user password does not expire it should return 0. If the password is already expired it should return a negative value. return: integer param: mixed $username username |
sync_users($do_updates=true) X-Ref |
Synchronizes users from the external LDAP server to the Moodle user table. Sync is now using the username attribute. Syncing users removes or suspends users that don't exist anymore in external LDAP. Creates new users and updates coursecreator status of users. param: bool $do_updates will do pull in data updates from LDAP if relevant |
ldap_bulk_insert($username) X-Ref |
Bulk insert in SQL's temp table |
user_activate($username) X-Ref |
Activates (enables) the user in external LDAP so the user can log in. return: boolean result param: mixed $username |
iscreator($username) X-Ref |
Returns true if user should be coursecreator. return: mixed result null if course creators is not configured, boolean otherwise. param: mixed $username username (without system magic quotes) |
is_role($username, $role) X-Ref |
Check if user has LDAP group membership. Returns true if user should be assigned role. return: mixed result null if role/LDAP context is not configured, boolean otherwise. param: mixed $username username (without system magic quotes). param: array $role Array of role's shortname, localname, and settingname for the config value. |
user_update($olduser, $newuser) X-Ref |
Called when the user record is updated. Modifies the user in the external LDAP server. It takes olduser (before changes) and newuser (after changes), compares the information and saves modified information to the external LDAP server. return: boolean result param: mixed $olduser Userobject before modifications (without system magic quotes) param: mixed $newuser Userobject new modified userobject (without system magic quotes) |
user_update_password($user, $newpassword) X-Ref |
Changes the user password in LDAP. Called when the user password is updated. It assumes it is called by an admin or that you've otherwise checked the user's credentials. return: boolean result param: object $user User table object param: string $newpassword Plaintext password (not crypted/md5'ed) |
ldap_expirationtime2unix($time, $ldapconnection, $user_dn) X-Ref |
Takes the expiration timestamp as read from LDAP and returns it as a Unix timestamp in seconds. Depends on the $this->config->user_type variable. return: timestamp param: mixed $time Time stamp read from LDAP as it is. param: string $ldapconnection Only needed for Active Directory. param: string $user_dn User distinguished name for the user we are checking password expiration (only needed for Active Directory). |
ldap_unix2expirationtime($time) X-Ref |
Takes a Unix timestamp and returns it formatted for storing in LDAP. param: integer unix time stamp |
ldap_attributes() X-Ref |
Returns user attribute mappings between moodle and LDAP return: array |
ldap_get_userlist($filter='*') X-Ref |
Returns all usernames from LDAP. return: array of LDAP user names converted to UTF-8 param: $filter An LDAP search filter to select desired users |
prevent_local_passwords() X-Ref |
Indicates if password hashes should be stored in local moodle database. return: bool true means flag 'not_cached' stored instead of password hash |
is_internal() X-Ref |
Returns true if this authentication plugin is 'internal'. return: bool |
can_change_password() X-Ref |
Returns true if this authentication plugin can change the user's password. return: bool |
change_password_url() X-Ref |
Returns the URL for changing the user's password, or empty if the default can be used. return: moodle_url |
loginpage_hook() X-Ref |
Will get called before the login page is shown. If NTLM SSO is enabled, and the user is in the right network, we'll redirect to the magic NTLM page for SSO... |
ntlmsso_magic($sesskey) X-Ref |
To be called from a page running under NTLM's "Integrated Windows Authentication". If successful, it will set a special "cookie" (not an HTTP cookie!) in cache_flags under the $this->pluginconfig/ntlmsess "plugin" and return true. The "cookie" will be picked up by ntlmsso_finish() to complete the process. On failure it will return false for the caller to display an appropriate error message (probably saying that Integrated Windows Auth isn't enabled!) NOTE that this code will execute under the OS user credentials, so we MUST avoid dealing with files -- such as session files. (The caller should define('NO_MOODLE_COOKIES', true) before including config.php) |
ntlmsso_finish() X-Ref |
Find the session set by ntlmsso_magic(), validate it and call authenticate_user_login() to authenticate the user through the auth machinery. It is complemented by a similar check in user_login(). If it succeeds, it never returns. |
sync_roles($user) X-Ref |
Sync roles for this user. param: object $user The user to sync (without system magic quotes). |
ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn) X-Ref |
Gets the password expiration time for a given user from Active Directory. return: string $unixtime param: string $pwdlastset The last time we changed the password. param: resource $ldapconn The open LDAP connection. param: string $user_dn The distinguished name of the user we are checking. |
ldap_connect() X-Ref |
Connect to the LDAP server, using the plugin configured settings. It's actually a wrapper around ldap_connect_moodle() return: resource A valid LDAP connection (or dies if it can't connect) |
ldap_close($force=false) X-Ref |
Disconnects from an LDAP server. param: force boolean Forces closing the real connection to the LDAP server, ignoring any |
ldap_find_userdn($ldapconnection, $extusername) X-Ref |
Search specified contexts for username and return the user dn like: cn=username,ou=suborg,o=org. It's actually a wrapper around ldap_find_userdn(). return: mixed the user dn (external LDAP encoding) or false param: resource $ldapconnection a valid LDAP connection param: string $extusername the username to search (in external LDAP encoding, no db slashes) |
get_ntlm_remote_user($remoteuser) X-Ref |
When using NTLM SSO, the format of the remote username we get in $_SERVER['REMOTE_USER'] may vary, depending on where from and how the web server gets the data. So we let the admin configure the format using two place holders (%domain% and %username%). This function tries to extract the username (stripping the domain part and any separators if they are present) from the value present in $_SERVER['REMOTE_USER'], using the configured format. return: string The remote username (without domain part or param: string $remoteuser The value from $_SERVER['REMOTE_USER'] (converted to UTF-8) |
ldap_ad_pwdexpired_from_diagmsg($diagmsg) X-Ref |
Check if the diagnostic message for the LDAP login error tells us that the login is denied because the user password has expired or the password needs to be changed on first login (using interactive SMB/Windows logins, not LDAP logins). return: bool true if the password has expired or the password must be changed on first login param: string the diagnostic message for the LDAP login error |
is_user_suspended($user) X-Ref |
Check if a user is suspended. This function is intended to be used after calling get_userinfo_asobj. This is needed because LDAP doesn't have a notion of disabled users, however things like MS Active Directory support it and expose information through a field. return: boolean param: object $user the user object returned by get_userinfo_asobj |
test_dn($ldapconn, $dn, $message, $a = null) X-Ref |
Test a DN. return: true or a message in case of error param: resource $ldapconn param: string $dn The DN to check for existence param: string $message The identifier of a string as in get_string() param: string|object|array $a An object, string or number that can be used |
test_settings() X-Ref |
Test if settings are correct, print info to output. |
get_profile_keys($fetchall = false) X-Ref |
Get the list of profile fields. return: array param: bool $fetchall Fetch all, not just those for update. |