Search moodle.org's
Developer Documentation
Developer Documentation
- Bug fixes for general core bugs in 4.0.x will end 8 May 2023 (12 months).
- Bug fixes for security issues in 4.0.x will end 13 November 2023 (18 months).
- PHP version: minimum PHP 7.3.0 Note: the minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is also supported.
/auth/ldap/ -> auth.php (source)
Differences Between: [Versions 310 and 400] [Versions 311 and 400] [Versions 39 and 400] [Versions 400 and 401] [Versions 400 and 402] [Versions 400 and 403]
1 <?php 2 // This file is part of Moodle - http://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 /** 18 * Authentication Plugin: LDAP Authentication 19 * Authentication using LDAP (Lightweight Directory Access Protocol). 20 * 21 * @package auth_ldap 22 * @author Martin Dougiamas 23 * @author IƱaki Arenaza 24 * @license http://www.gnu.org/copyleft/gpl.html GNU Public License 25 */ 26 27 defined('MOODLE_INTERNAL') || die(); 28 29 // See http://support.microsoft.com/kb/305144 to interprete these values. 30 if (!defined('AUTH_AD_ACCOUNTDISABLE')) { 31 define('AUTH_AD_ACCOUNTDISABLE', 0x0002); 32 } 33 if (!defined('AUTH_AD_NORMAL_ACCOUNT')) { 34 define('AUTH_AD_NORMAL_ACCOUNT', 0x0200); 35 } 36 if (!defined('AUTH_NTLMTIMEOUT')) { // timewindow for the NTLM SSO process, in secs... 37 define('AUTH_NTLMTIMEOUT', 10); 38 } 39 40 // UF_DONT_EXPIRE_PASSWD value taken from MSDN directly 41 if (!defined('UF_DONT_EXPIRE_PASSWD')) { 42 define ('UF_DONT_EXPIRE_PASSWD', 0x00010000); 43 } 44 45 // The Posix uid and gid of the 'nobody' account and 'nogroup' group. 46 if (!defined('AUTH_UID_NOBODY')) { 47 define('AUTH_UID_NOBODY', -2); 48 } 49 if (!defined('AUTH_GID_NOGROUP')) { 50 define('AUTH_GID_NOGROUP', -2); 51 } 52 53 // Regular expressions for a valid NTLM username and domain name. 54 if (!defined('AUTH_NTLM_VALID_USERNAME')) { 55 define('AUTH_NTLM_VALID_USERNAME', '[^/\\\\\\\\\[\]:;|=,+*?<>@"]+'); 56 } 57 if (!defined('AUTH_NTLM_VALID_DOMAINNAME')) { 58 define('AUTH_NTLM_VALID_DOMAINNAME', '[^\\\\\\\\\/:*?"<>|]+'); 59 } 60 // Default format for remote users if using NTLM SSO 61 if (!defined('AUTH_NTLM_DEFAULT_FORMAT')) { 62 define('AUTH_NTLM_DEFAULT_FORMAT', '%domain%\\%username%'); 63 } 64 if (!defined('AUTH_NTLM_FASTPATH_ATTEMPT')) { 65 define('AUTH_NTLM_FASTPATH_ATTEMPT', 0); 66 } 67 if (!defined('AUTH_NTLM_FASTPATH_YESFORM')) { 68 define('AUTH_NTLM_FASTPATH_YESFORM', 1); 69 } 70 if (!defined('AUTH_NTLM_FASTPATH_YESATTEMPT')) { 71 define('AUTH_NTLM_FASTPATH_YESATTEMPT', 2); 72 } 73 74 // Allows us to retrieve a diagnostic message in case of LDAP operation error 75 if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) { 76 define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032); 77 } 78 79 require_once($CFG->libdir.'/authlib.php'); 80 require_once($CFG->libdir.'/ldaplib.php'); 81 require_once($CFG->dirroot.'/user/lib.php'); 82 require_once($CFG->dirroot.'/auth/ldap/locallib.php'); 83 84 /** 85 * LDAP authentication plugin. 86 */ 87 class auth_plugin_ldap extends auth_plugin_base { 88 89 /** 90 * Init plugin config from database settings depending on the plugin auth type. 91 */ 92 function init_plugin($authtype) { 93 $this->pluginconfig = 'auth_'.$authtype; 94 $this->config = get_config($this->pluginconfig); 95 if (empty($this->config->ldapencoding)) { 96 $this->config->ldapencoding = 'utf-8'; 97 } 98 if (empty($this->config->user_type)) { 99 $this->config->user_type = 'default'; 100 } 101 102 $ldap_usertypes = ldap_supported_usertypes(); 103 $this->config->user_type_name = $ldap_usertypes[$this->config->user_type]; 104 unset($ldap_usertypes); 105 106 $default = ldap_getdefaults(); 107 108 // Use defaults if values not given 109 foreach ($default as $key => $value) { 110 // watch out - 0, false are correct values too 111 if (!isset($this->config->{$key}) or $this->config->{$key} == '') { 112 $this->config->{$key} = $value[$this->config->user_type]; 113 } 114 } 115 116 // Hack prefix to objectclass 117 $this->config->objectclass = ldap_normalise_objectclass($this->config->objectclass); 118 } 119 120 /** 121 * Constructor with initialisation. 122 */ 123 public function __construct() { 124 $this->authtype = 'ldap'; 125 $this->roleauth = 'auth_ldap'; 126 $this->errorlogtag = '[AUTH LDAP] '; 127 $this->init_plugin($this->authtype); 128 } 129 130 /** 131 * Old syntax of class constructor. Deprecated in PHP7. 132 * 133 * @deprecated since Moodle 3.1 134 */ 135 public function auth_plugin_ldap() { 136 debugging('Use of class name as constructor is deprecated', DEBUG_DEVELOPER); 137 self::__construct(); 138 } 139 140 /** 141 * Returns true if the username and password work and false if they are 142 * wrong or don't exist. 143 * 144 * @param string $username The username (without system magic quotes) 145 * @param string $password The password (without system magic quotes) 146 * 147 * @return bool Authentication success or failure. 148 */ 149 function user_login($username, $password) { 150 if (! function_exists('ldap_bind')) { 151 print_error('auth_ldapnotinstalled', 'auth_ldap'); 152 return false; 153 } 154 155 if (!$username or !$password) { // Don't allow blank usernames or passwords 156 return false; 157 } 158 159 $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding); 160 $extpassword = core_text::convert($password, 'utf-8', $this->config->ldapencoding); 161 162 // Before we connect to LDAP, check if this is an AD SSO login 163 // if we succeed in this block, we'll return success early. 164 // 165 $key = sesskey(); 166 if (!empty($this->config->ntlmsso_enabled) && $key === $password) { 167 $sessusername = get_cache_flag($this->pluginconfig.'/ntlmsess', $key); 168 // We only get the cache flag if we retrieve it before 169 // it expires (AUTH_NTLMTIMEOUT seconds). 170 if (empty($sessusername)) { 171 return false; 172 } 173 174 if ($username === $sessusername) { 175 unset($sessusername); 176 177 // Check that the user is inside one of the configured LDAP contexts 178 $validuser = false; 179 $ldapconnection = $this->ldap_connect(); 180 // if the user is not inside the configured contexts, 181 // ldap_find_userdn returns false. 182 if ($this->ldap_find_userdn($ldapconnection, $extusername)) { 183 $validuser = true; 184 } 185 $this->ldap_close(); 186 187 // Shortcut here - SSO confirmed 188 return $validuser; 189 } 190 } // End SSO processing 191 unset($key); 192 193 $ldapconnection = $this->ldap_connect(); 194 $ldap_user_dn = $this->ldap_find_userdn($ldapconnection, $extusername); 195 196 // If ldap_user_dn is empty, user does not exist 197 if (!$ldap_user_dn) { 198 $this->ldap_close(); 199 return false; 200 } 201 202 // Try to bind with current username and password 203 $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, $extpassword); 204 205 // If login fails and we are using MS Active Directory, retrieve the diagnostic 206 // message to see if this is due to an expired password, or that the user is forced to 207 // change the password on first login. If it is, only proceed if we can change 208 // password from Moodle (otherwise we'll get stuck later in the login process). 209 if (!$ldap_login && ($this->config->user_type == 'ad') 210 && $this->can_change_password() 211 && (!empty($this->config->expiration) and ($this->config->expiration == 1))) { 212 213 // We need to get the diagnostic message right after the call to ldap_bind(), 214 // before any other LDAP operation. 215 ldap_get_option($ldapconnection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagmsg); 216 217 if ($this->ldap_ad_pwdexpired_from_diagmsg($diagmsg)) { 218 // If login failed because user must change the password now or the 219 // password has expired, let the user in. We'll catch this later in the 220 // login process when we explicitly check for expired passwords. 221 $ldap_login = true; 222 } 223 } 224 $this->ldap_close(); 225 return $ldap_login; 226 } 227 228 /** 229 * Reads user information from ldap and returns it in array() 230 * 231 * Function should return all information available. If you are saving 232 * this information to moodle user-table you should honor syncronization flags 233 * 234 * @param string $username username 235 * 236 * @return mixed array with no magic quotes or false on error 237 */ 238 function get_userinfo($username) { 239 $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding); 240 241 $ldapconnection = $this->ldap_connect(); 242 if(!($user_dn = $this->ldap_find_userdn($ldapconnection, $extusername))) { 243 $this->ldap_close(); 244 return false; 245 } 246 247 $search_attribs = array(); 248 $attrmap = $this->ldap_attributes(); 249 foreach ($attrmap as $key => $values) { 250 if (!is_array($values)) { 251 $values = array($values); 252 } 253 foreach ($values as $value) { 254 if (!in_array($value, $search_attribs)) { 255 array_push($search_attribs, $value); 256 } 257 } 258 } 259 260 if (!$user_info_result = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs)) { 261 $this->ldap_close(); 262 return false; // error! 263 } 264 265 $user_entry = ldap_get_entries_moodle($ldapconnection, $user_info_result); 266 if (empty($user_entry)) { 267 $this->ldap_close(); 268 return false; // entry not found 269 } 270 271 $result = array(); 272 foreach ($attrmap as $key => $values) { 273 if (!is_array($values)) { 274 $values = array($values); 275 } 276 $ldapval = NULL; 277 foreach ($values as $value) { 278 $entry = $user_entry[0]; 279 if (($value == 'dn') || ($value == 'distinguishedname')) { 280 $result[$key] = $user_dn; 281 continue; 282 } 283 if (!array_key_exists($value, $entry)) { 284 continue; // wrong data mapping! 285 } 286 if (is_array($entry[$value])) { 287 $newval = core_text::convert($entry[$value][0], $this->config->ldapencoding, 'utf-8'); 288 } else { 289 $newval = core_text::convert($entry[$value], $this->config->ldapencoding, 'utf-8'); 290 } 291 if (!empty($newval)) { // favour ldap entries that are set 292 $ldapval = $newval; 293 } 294 } 295 if (!is_null($ldapval)) { 296 $result[$key] = $ldapval; 297 } 298 } 299 300 $this->ldap_close(); 301 return $result; 302 } 303 304 /** 305 * Reads user information from ldap and returns it in an object 306 * 307 * @param string $username username (with system magic quotes) 308 * @return mixed object or false on error 309 */ 310 function get_userinfo_asobj($username) { 311 $user_array = $this->get_userinfo($username); 312 if ($user_array == false) { 313 return false; //error or not found 314 } 315 $user_array = truncate_userinfo($user_array); 316 $user = new stdClass(); 317 foreach ($user_array as $key=>$value) { 318 $user->{$key} = $value; 319 } 320 return $user; 321 } 322 323 /** 324 * Returns all usernames from LDAP 325 * 326 * get_userlist returns all usernames from LDAP 327 * 328 * @return array 329 */ 330 function get_userlist() { 331 return $this->ldap_get_userlist("({$this->config->user_attribute}=*)"); 332 } 333 334 /** 335 * Checks if user exists on LDAP 336 * 337 * @param string $username 338 */ 339 function user_exists($username) { 340 $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding); 341 342 // Returns true if given username exists on ldap 343 $users = $this->ldap_get_userlist('('.$this->config->user_attribute.'='.ldap_filter_addslashes($extusername).')'); 344 return count($users); 345 } 346 347 /** 348 * Creates a new user on LDAP. 349 * By using information in userobject 350 * Use user_exists to prevent duplicate usernames 351 * 352 * @param mixed $userobject Moodle userobject 353 * @param mixed $plainpass Plaintext password 354 */ 355 function user_create($userobject, $plainpass) { 356 $extusername = core_text::convert($userobject->username, 'utf-8', $this->config->ldapencoding); 357 $extpassword = core_text::convert($plainpass, 'utf-8', $this->config->ldapencoding); 358 359 switch ($this->config->passtype) { 360 case 'md5': 361 $extpassword = '{MD5}' . base64_encode(pack('H*', md5($extpassword))); 362 break; 363 case 'sha1': 364 $extpassword = '{SHA}' . base64_encode(pack('H*', sha1($extpassword))); 365 break; 366 case 'plaintext': 367 default: 368 break; // plaintext 369 } 370 371 $ldapconnection = $this->ldap_connect(); 372 $attrmap = $this->ldap_attributes(); 373 374 $newuser = array(); 375 376 foreach ($attrmap as $key => $values) { 377 if (!is_array($values)) { 378 $values = array($values); 379 } 380 foreach ($values as $value) { 381 if (!empty($userobject->$key) ) { 382 $newuser[$value] = core_text::convert($userobject->$key, 'utf-8', $this->config->ldapencoding); 383 } 384 } 385 } 386 387 //Following sets all mandatory and other forced attribute values 388 //User should be creted as login disabled untill email confirmation is processed 389 //Feel free to add your user type and send patches to paca@sci.fi to add them 390 //Moodle distribution 391 392 switch ($this->config->user_type) { 393 case 'edir': 394 $newuser['objectClass'] = array('inetOrgPerson', 'organizationalPerson', 'person', 'top'); 395 $newuser['uniqueId'] = $extusername; 396 $newuser['logindisabled'] = 'TRUE'; 397 $newuser['userpassword'] = $extpassword; 398 $uadd = ldap_add($ldapconnection, $this->config->user_attribute.'='.ldap_addslashes($extusername).','.$this->config->create_context, $newuser); 399 break; 400 case 'rfc2307': 401 case 'rfc2307bis': 402 // posixAccount object class forces us to specify a uidNumber 403 // and a gidNumber. That is quite complicated to generate from 404 // Moodle without colliding with existing numbers and without 405 // race conditions. As this user is supposed to be only used 406 // with Moodle (otherwise the user would exist beforehand) and 407 // doesn't need to login into a operating system, we assign the 408 // user the uid of user 'nobody' and gid of group 'nogroup'. In 409 // addition to that, we need to specify a home directory. We 410 // use the root directory ('/') as the home directory, as this 411 // is the only one can always be sure exists. Finally, even if 412 // it's not mandatory, we specify '/bin/false' as the login 413 // shell, to prevent the user from login in at the operating 414 // system level (Moodle ignores this). 415 416 $newuser['objectClass'] = array('posixAccount', 'inetOrgPerson', 'organizationalPerson', 'person', 'top'); 417 $newuser['cn'] = $extusername; 418 $newuser['uid'] = $extusername; 419 $newuser['uidNumber'] = AUTH_UID_NOBODY; 420 $newuser['gidNumber'] = AUTH_GID_NOGROUP; 421 $newuser['homeDirectory'] = '/'; 422 $newuser['loginShell'] = '/bin/false'; 423 424 // IMPORTANT: 425 // We have to create the account locked, but posixAccount has 426 // no attribute to achive this reliably. So we are going to 427 // modify the password in a reversable way that we can later 428 // revert in user_activate(). 429 // 430 // Beware that this can be defeated by the user if we are not 431 // using MD5 or SHA-1 passwords. After all, the source code of 432 // Moodle is available, and the user can see the kind of 433 // modification we are doing and 'undo' it by hand (but only 434 // if we are using plain text passwords). 435 // 436 // Also bear in mind that you need to use a binding user that 437 // can create accounts and has read/write privileges on the 438 // 'userPassword' attribute for this to work. 439 440 $newuser['userPassword'] = '*'.$extpassword; 441 $uadd = ldap_add($ldapconnection, $this->config->user_attribute.'='.ldap_addslashes($extusername).','.$this->config->create_context, $newuser); 442 break; 443 case 'ad': 444 // User account creation is a two step process with AD. First you 445 // create the user object, then you set the password. If you try 446 // to set the password while creating the user, the operation 447 // fails. 448 449 // Passwords in Active Directory must be encoded as Unicode 450 // strings (UCS-2 Little Endian format) and surrounded with 451 // double quotes. See http://support.microsoft.com/?kbid=269190 452 if (!function_exists('mb_convert_encoding')) { 453 print_error('auth_ldap_no_mbstring', 'auth_ldap'); 454 } 455 456 // Check for invalid sAMAccountName characters. 457 if (preg_match('#[/\\[\]:;|=,+*?<>@"]#', $extusername)) { 458 print_error ('auth_ldap_ad_invalidchars', 'auth_ldap'); 459 } 460 461 // First create the user account, and mark it as disabled. 462 $newuser['objectClass'] = array('top', 'person', 'user', 'organizationalPerson'); 463 $newuser['sAMAccountName'] = $extusername; 464 $newuser['userAccountControl'] = AUTH_AD_NORMAL_ACCOUNT | 465 AUTH_AD_ACCOUNTDISABLE; 466 $userdn = 'cn='.ldap_addslashes($extusername).','.$this->config->create_context; 467 if (!ldap_add($ldapconnection, $userdn, $newuser)) { 468 print_error('auth_ldap_ad_create_req', 'auth_ldap'); 469 } 470 471 // Now set the password 472 unset($newuser); 473 $newuser['unicodePwd'] = mb_convert_encoding('"' . $extpassword . '"', 474 'UCS-2LE', 'UTF-8'); 475 if(!ldap_modify($ldapconnection, $userdn, $newuser)) { 476 // Something went wrong: delete the user account and error out 477 ldap_delete ($ldapconnection, $userdn); 478 print_error('auth_ldap_ad_create_req', 'auth_ldap'); 479 } 480 $uadd = true; 481 break; 482 default: 483 print_error('auth_ldap_unsupportedusertype', 'auth_ldap', '', $this->config->user_type_name); 484 } 485 $this->ldap_close(); 486 return $uadd; 487 } 488 489 /** 490 * Returns true if plugin allows resetting of password from moodle. 491 * 492 * @return bool 493 */ 494 function can_reset_password() { 495 return !empty($this->config->stdchangepassword); 496 } 497 498 /** 499 * Returns true if plugin can be manually set. 500 * 501 * @return bool 502 */ 503 function can_be_manually_set() { 504 return true; 505 } 506 507 /** 508 * Returns true if plugin allows signup and user creation. 509 * 510 * @return bool 511 */ 512 function can_signup() { 513 return (!empty($this->config->auth_user_create) and !empty($this->config->create_context)); 514 } 515 516 /** 517 * Sign up a new user ready for confirmation. 518 * Password is passed in plaintext. 519 * 520 * @param object $user new user object 521 * @param boolean $notify print notice with link and terminate 522 * @return boolean success 523 */ 524 function user_signup($user, $notify=true) { 525 global $CFG, $DB, $PAGE, $OUTPUT; 526 527 require_once($CFG->dirroot.'/user/profile/lib.php'); 528 require_once($CFG->dirroot.'/user/lib.php'); 529 530 if ($this->user_exists($user->username)) { 531 print_error('auth_ldap_user_exists', 'auth_ldap'); 532 } 533 534 $plainslashedpassword = $user->password; 535 unset($user->password); 536 537 if (! $this->user_create($user, $plainslashedpassword)) { 538 print_error('auth_ldap_create_error', 'auth_ldap'); 539 } 540 541 $user->id = user_create_user($user, false, false); 542 543 user_add_password_history($user->id, $plainslashedpassword); 544 545 // Save any custom profile field information 546 profile_save_data($user); 547 548 $userinfo = $this->get_userinfo($user->username); 549 $this->update_user_record($user->username, false, false, $this->is_user_suspended((object) $userinfo)); 550 551 // This will also update the stored hash to the latest algorithm 552 // if the existing hash is using an out-of-date algorithm (or the 553 // legacy md5 algorithm). 554 update_internal_user_password($user, $plainslashedpassword); 555 556 $user = $DB->get_record('user', array('id'=>$user->id)); 557 558 \core\event\user_created::create_from_userid($user->id)->trigger(); 559 560 if (! send_confirmation_email($user)) { 561 print_error('noemail', 'auth_ldap'); 562 } 563 564 if ($notify) { 565 $emailconfirm = get_string('emailconfirm'); 566 $PAGE->set_url('/auth/ldap/auth.php'); 567 $PAGE->navbar->add($emailconfirm); 568 $PAGE->set_title($emailconfirm); 569 $PAGE->set_heading($emailconfirm); 570 echo $OUTPUT->header(); 571 notice(get_string('emailconfirmsent', '', $user->email), "{$CFG->wwwroot}/index.php"); 572 } else { 573 return true; 574 } 575 } 576 577 /** 578 * Returns true if plugin allows confirming of new users. 579 * 580 * @return bool 581 */ 582 function can_confirm() { 583 return $this->can_signup(); 584 } 585 586 /** 587 * Confirm the new user as registered. 588 * 589 * @param string $username 590 * @param string $confirmsecret 591 */ 592 function user_confirm($username, $confirmsecret) { 593 global $DB; 594 595 $user = get_complete_user_data('username', $username); 596 597 if (!empty($user)) { 598 if ($user->auth != $this->authtype) { 599 return AUTH_CONFIRM_ERROR; 600 601 } else if ($user->secret === $confirmsecret && $user->confirmed) { 602 return AUTH_CONFIRM_ALREADY; 603 604 } else if ($user->secret === $confirmsecret) { // They have provided the secret key to get in 605 if (!$this->user_activate($username)) { 606 return AUTH_CONFIRM_FAIL; 607 } 608 $user->confirmed = 1; 609 user_update_user($user, false); 610 return AUTH_CONFIRM_OK; 611 } 612 } else { 613 return AUTH_CONFIRM_ERROR; 614 } 615 } 616 617 /** 618 * Return number of days to user password expires 619 * 620 * If userpassword does not expire it should return 0. If password is already expired 621 * it should return negative value. 622 * 623 * @param mixed $username username 624 * @return integer 625 */ 626 function password_expire($username) { 627 $result = 0; 628 629 $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding); 630 631 $ldapconnection = $this->ldap_connect(); 632 $user_dn = $this->ldap_find_userdn($ldapconnection, $extusername); 633 $search_attribs = array($this->config->expireattr); 634 $sr = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs); 635 if ($sr) { 636 $info = ldap_get_entries_moodle($ldapconnection, $sr); 637 if (!empty ($info)) { 638 $info = $info[0]; 639 if (isset($info[$this->config->expireattr][0])) { 640 $expiretime = $this->ldap_expirationtime2unix($info[$this->config->expireattr][0], $ldapconnection, $user_dn); 641 if ($expiretime != 0) { 642 $now = time(); 643 if ($expiretime > $now) { 644 $result = ceil(($expiretime - $now) / DAYSECS); 645 } else { 646 $result = floor(($expiretime - $now) / DAYSECS); 647 } 648 } 649 } 650 } 651 } else { 652 error_log($this->errorlogtag.get_string('didtfindexpiretime', 'auth_ldap')); 653 } 654 655 return $result; 656 } 657 658 /** 659 * Syncronizes user fron external LDAP server to moodle user table 660 * 661 * Sync is now using username attribute. 662 * 663 * Syncing users removes or suspends users that dont exists anymore in external LDAP. 664 * Creates new users and updates coursecreator status of users. 665 * 666 * @param bool $do_updates will do pull in data updates from LDAP if relevant 667 */ 668 function sync_users($do_updates=true) { 669 global $CFG, $DB; 670 671 require_once($CFG->dirroot . '/user/profile/lib.php'); 672 673 print_string('connectingldap', 'auth_ldap'); 674 $ldapconnection = $this->ldap_connect(); 675 676 $dbman = $DB->get_manager(); 677 678 /// Define table user to be created 679 $table = new xmldb_table('tmp_extuser'); 680 $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null); 681 $table->add_field('username', XMLDB_TYPE_CHAR, '100', null, XMLDB_NOTNULL, null, null); 682 $table->add_field('mnethostid', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, null); 683 $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id')); 684 $table->add_index('username', XMLDB_INDEX_UNIQUE, array('mnethostid', 'username')); 685 686 print_string('creatingtemptable', 'auth_ldap', 'tmp_extuser'); 687 $dbman->create_temp_table($table); 688 689 //// 690 //// get user's list from ldap to sql in a scalable fashion 691 //// 692 // prepare some data we'll need 693 $filter = '(&('.$this->config->user_attribute.'=*)'.$this->config->objectclass.')'; 694 $servercontrols = array(); 695 696 $contexts = explode(';', $this->config->contexts); 697 698 if (!empty($this->config->create_context)) { 699 array_push($contexts, $this->config->create_context); 700 } 701 702 $ldappagedresults = ldap_paged_results_supported($this->config->ldap_version, $ldapconnection); 703 $ldapcookie = ''; 704 foreach ($contexts as $context) { 705 $context = trim($context); 706 if (empty($context)) { 707 continue; 708 } 709 710 do { 711 if ($ldappagedresults) { 712 $servercontrols = array(array( 713 'oid' => LDAP_CONTROL_PAGEDRESULTS, 'value' => array( 714 'size' => $this->config->pagesize, 'cookie' => $ldapcookie))); 715 } 716 if ($this->config->search_sub) { 717 // Use ldap_search to find first user from subtree. 718 $ldapresult = ldap_search($ldapconnection, $context, $filter, array($this->config->user_attribute), 719 0, -1, -1, LDAP_DEREF_NEVER, $servercontrols); 720 } else { 721 // Search only in this context. 722 $ldapresult = ldap_list($ldapconnection, $context, $filter, array($this->config->user_attribute), 723 0, -1, -1, LDAP_DEREF_NEVER, $servercontrols); 724 } 725 if (!$ldapresult) { 726 continue; 727 } 728 if ($ldappagedresults) { 729 // Get next server cookie to know if we'll need to continue searching. 730 $ldapcookie = ''; 731 // Get next cookie from controls. 732 ldap_parse_result($ldapconnection, $ldapresult, $errcode, $matcheddn, 733 $errmsg, $referrals, $controls); 734 if (isset($controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'])) { 735 $ldapcookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie']; 736 } 737 } 738 if ($entry = @ldap_first_entry($ldapconnection, $ldapresult)) { 739 do { 740 $value = ldap_get_values_len($ldapconnection, $entry, $this->config->user_attribute); 741 $value = core_text::convert($value[0], $this->config->ldapencoding, 'utf-8'); 742 $value = trim($value); 743 $this->ldap_bulk_insert($value); 744 } while ($entry = ldap_next_entry($ldapconnection, $entry)); 745 } 746 unset($ldapresult); // Free mem. 747 } while ($ldappagedresults && $ldapcookie !== null && $ldapcookie != ''); 748 } 749 750 // If LDAP paged results were used, the current connection must be completely 751 // closed and a new one created, to work without paged results from here on. 752 if ($ldappagedresults) { 753 $this->ldap_close(true); 754 $ldapconnection = $this->ldap_connect(); 755 } 756 757 /// preserve our user database 758 /// if the temp table is empty, it probably means that something went wrong, exit 759 /// so as to avoid mass deletion of users; which is hard to undo 760 $count = $DB->count_records_sql('SELECT COUNT(username) AS count, 1 FROM {tmp_extuser}'); 761 if ($count < 1) { 762 print_string('didntgetusersfromldap', 'auth_ldap'); 763 $dbman->drop_table($table); 764 $this->ldap_close(); 765 return false; 766 } else { 767 print_string('gotcountrecordsfromldap', 'auth_ldap', $count); 768 } 769 770 771 /// User removal 772 // Find users in DB that aren't in ldap -- to be removed! 773 // this is still not as scalable (but how often do we mass delete?) 774 775 if ($this->config->removeuser == AUTH_REMOVEUSER_FULLDELETE) { 776 $sql = "SELECT u.* 777 FROM {user} u 778 LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = e.mnethostid) 779 WHERE u.auth = :auth 780 AND u.deleted = 0 781 AND e.username IS NULL"; 782 $remove_users = $DB->get_records_sql($sql, array('auth'=>$this->authtype)); 783 784 if (!empty($remove_users)) { 785 print_string('userentriestoremove', 'auth_ldap', count($remove_users)); 786 foreach ($remove_users as $user) { 787 if (delete_user($user)) { 788 echo "\t"; print_string('auth_dbdeleteuser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id)); echo "\n"; 789 } else { 790 echo "\t"; print_string('auth_dbdeleteusererror', 'auth_db', $user->username); echo "\n"; 791 } 792 } 793 } else { 794 print_string('nouserentriestoremove', 'auth_ldap'); 795 } 796 unset($remove_users); // Free mem! 797 798 } else if ($this->config->removeuser == AUTH_REMOVEUSER_SUSPEND) { 799 $sql = "SELECT u.* 800 FROM {user} u 801 LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = e.mnethostid) 802 WHERE u.auth = :auth 803 AND u.deleted = 0 804 AND u.suspended = 0 805 AND e.username IS NULL"; 806 $remove_users = $DB->get_records_sql($sql, array('auth'=>$this->authtype)); 807 808 if (!empty($remove_users)) { 809 print_string('userentriestoremove', 'auth_ldap', count($remove_users)); 810 811 foreach ($remove_users as $user) { 812 $updateuser = new stdClass(); 813 $updateuser->id = $user->id; 814 $updateuser->suspended = 1; 815 user_update_user($updateuser, false); 816 echo "\t"; print_string('auth_dbsuspenduser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id)); echo "\n"; 817 \core\session\manager::kill_user_sessions($user->id); 818 } 819 } else { 820 print_string('nouserentriestoremove', 'auth_ldap'); 821 } 822 unset($remove_users); // Free mem! 823 } 824 825 /// Revive suspended users 826 if (!empty($this->config->removeuser) and $this->config->removeuser == AUTH_REMOVEUSER_SUSPEND) { 827 $sql = "SELECT u.id, u.username 828 FROM {user} u 829 JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = e.mnethostid) 830 WHERE (u.auth = 'nologin' OR (u.auth = ? AND u.suspended = 1)) AND u.deleted = 0"; 831 // Note: 'nologin' is there for backwards compatibility. 832 $revive_users = $DB->get_records_sql($sql, array($this->authtype)); 833 834 if (!empty($revive_users)) { 835 print_string('userentriestorevive', 'auth_ldap', count($revive_users)); 836 837 foreach ($revive_users as $user) { 838 $updateuser = new stdClass(); 839 $updateuser->id = $user->id; 840 $updateuser->auth = $this->authtype; 841 $updateuser->suspended = 0; 842 user_update_user($updateuser, false); 843 echo "\t"; print_string('auth_dbreviveduser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id)); echo "\n"; 844 } 845 } else { 846 print_string('nouserentriestorevive', 'auth_ldap'); 847 } 848 849 unset($revive_users); 850 } 851 852 853 /// User Updates - time-consuming (optional) 854 if ($do_updates) { 855 // Narrow down what fields we need to update 856 $updatekeys = $this->get_profile_keys(); 857 858 } else { 859 print_string('noupdatestobedone', 'auth_ldap'); 860 } 861 if ($do_updates and !empty($updatekeys)) { // run updates only if relevant 862 $users = $DB->get_records_sql('SELECT u.username, u.id 863 FROM {user} u 864 WHERE u.deleted = 0 AND u.auth = ? AND u.mnethostid = ?', 865 array($this->authtype, $CFG->mnet_localhost_id)); 866 if (!empty($users)) { 867 print_string('userentriestoupdate', 'auth_ldap', count($users)); 868 869 foreach ($users as $user) { 870 $transaction = $DB->start_delegated_transaction(); 871 echo "\t"; print_string('auth_dbupdatinguser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id)); 872 $userinfo = $this->get_userinfo($user->username); 873 if (!$this->update_user_record($user->username, $updatekeys, true, 874 $this->is_user_suspended((object) $userinfo))) { 875 echo ' - '.get_string('skipped'); 876 } 877 echo "\n"; 878 879 // Update system roles, if needed. 880 $this->sync_roles($user); 881 $transaction->allow_commit(); 882 } 883 unset($users); // free mem 884 } 885 } else { // end do updates 886 print_string('noupdatestobedone', 'auth_ldap'); 887 } 888 889 /// User Additions 890 // Find users missing in DB that are in LDAP 891 // and gives me a nifty object I don't want. 892 // note: we do not care about deleted accounts anymore, this feature was replaced by suspending to nologin auth plugin 893 $sql = 'SELECT e.id, e.username 894 FROM {tmp_extuser} e 895 LEFT JOIN {user} u ON (e.username = u.username AND e.mnethostid = u.mnethostid) 896 WHERE u.id IS NULL'; 897 $add_users = $DB->get_records_sql($sql); 898 899 if (!empty($add_users)) { 900 print_string('userentriestoadd', 'auth_ldap', count($add_users)); 901 $errors = 0; 902 903 foreach ($add_users as $user) { 904 $transaction = $DB->start_delegated_transaction(); 905 $user = $this->get_userinfo_asobj($user->username); 906 907 // Prep a few params 908 $user->modified = time(); 909 $user->confirmed = 1; 910 $user->auth = $this->authtype; 911 $user->mnethostid = $CFG->mnet_localhost_id; 912 // get_userinfo_asobj() might have replaced $user->username with the value 913 // from the LDAP server (which can be mixed-case). Make sure it's lowercase 914 $user->username = trim(core_text::strtolower($user->username)); 915 // It isn't possible to just rely on the configured suspension attribute since 916 // things like active directory use bit masks, other things using LDAP might 917 // do different stuff as well. 918 // 919 // The cast to int is a workaround for MDL-53959. 920 $user->suspended = (int)$this->is_user_suspended($user); 921 922 if (empty($user->calendartype)) { 923 $user->calendartype = $CFG->calendartype; 924 } 925 926 // $id = user_create_user($user, false); 927 try { 928 $id = user_create_user($user, false); 929 } catch (Exception $e) { 930 print_string('invaliduserexception', 'auth_ldap', print_r($user, true) . $e->getMessage()); 931 $errors++; 932 continue; 933 } 934 echo "\t"; print_string('auth_dbinsertuser', 'auth_db', array('name'=>$user->username, 'id'=>$id)); echo "\n"; 935 $euser = $DB->get_record('user', array('id' => $id)); 936 937 if (!empty($this->config->forcechangepassword)) { 938 set_user_preference('auth_forcepasswordchange', 1, $id); 939 } 940 941 // Save custom profile fields. 942 $this->update_user_record($user->username, $this->get_profile_keys(true), false); 943 944 // Add roles if needed. 945 $this->sync_roles($euser); 946 $transaction->allow_commit(); 947 } 948 949 // Display number of user creation errors, if any. 950 if ($errors) { 951 print_string('invalidusererrors', 'auth_ldap', $errors); 952 } 953 954 unset($add_users); // free mem 955 } else { 956 print_string('nouserstobeadded', 'auth_ldap'); 957 } 958 959 $dbman->drop_table($table); 960 $this->ldap_close(); 961 962 return true; 963 } 964 965 /** 966 * Bulk insert in SQL's temp table 967 */ 968 function ldap_bulk_insert($username) { 969 global $DB, $CFG; 970 971 $username = core_text::strtolower($username); // usernames are __always__ lowercase. 972 $DB->insert_record_raw('tmp_extuser', array('username'=>$username, 973 'mnethostid'=>$CFG->mnet_localhost_id), false, true); 974 echo '.'; 975 } 976 977 /** 978 * Activates (enables) user in external LDAP so user can login 979 * 980 * @param mixed $username 981 * @return boolean result 982 */ 983 function user_activate($username) { 984 $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding); 985 986 $ldapconnection = $this->ldap_connect(); 987 988 $userdn = $this->ldap_find_userdn($ldapconnection, $extusername); 989 switch ($this->config->user_type) { 990 case 'edir': 991 $newinfo['loginDisabled'] = 'FALSE'; 992 break; 993 case 'rfc2307': 994 case 'rfc2307bis': 995 // Remember that we add a '*' character in front of the 996 // external password string to 'disable' the account. We just 997 // need to remove it. 998 $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)', 999 array('userPassword')); 1000 $info = ldap_get_entries($ldapconnection, $sr); 1001 $info[0] = array_change_key_case($info[0], CASE_LOWER); 1002 $newinfo['userPassword'] = ltrim($info[0]['userpassword'][0], '*'); 1003 break; 1004 case 'ad': 1005 // We need to unset the ACCOUNTDISABLE bit in the 1006 // userAccountControl attribute ( see 1007 // http://support.microsoft.com/kb/305144 ) 1008 $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)', 1009 array('userAccountControl')); 1010 $info = ldap_get_entries($ldapconnection, $sr); 1011 $info[0] = array_change_key_case($info[0], CASE_LOWER); 1012 $newinfo['userAccountControl'] = $info[0]['useraccountcontrol'][0] 1013 & (~AUTH_AD_ACCOUNTDISABLE); 1014 break; 1015 default: 1016 print_error('user_activatenotsupportusertype', 'auth_ldap', '', $this->config->user_type_name); 1017 } 1018 $result = ldap_modify($ldapconnection, $userdn, $newinfo); 1019 $this->ldap_close(); 1020 return $result; 1021 } 1022 1023 /** 1024 * Returns true if user should be coursecreator. 1025 * 1026 * @param mixed $username username (without system magic quotes) 1027 * @return mixed result null if course creators is not configured, boolean otherwise. 1028 * 1029 * @deprecated since Moodle 3.4 MDL-30634 - please do not use this function any more. 1030 */ 1031 function iscreator($username) { 1032 debugging('iscreator() is deprecated. Please use auth_plugin_ldap::is_role() instead.', DEBUG_DEVELOPER); 1033 1034 if (empty($this->config->creators) or empty($this->config->memberattribute)) { 1035 return null; 1036 } 1037 1038 $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding); 1039 1040 $ldapconnection = $this->ldap_connect(); 1041 1042 if ($this->config->memberattribute_isdn) { 1043 if(!($userid = $this->ldap_find_userdn($ldapconnection, $extusername))) { 1044 return false; 1045 } 1046 } else { 1047 $userid = $extusername; 1048 } 1049 1050 $group_dns = explode(';', $this->config->creators); 1051 $creator = ldap_isgroupmember($ldapconnection, $userid, $group_dns, $this->config->memberattribute); 1052 1053 $this->ldap_close(); 1054 1055 return $creator; 1056 } 1057 1058 /** 1059 * Check if user has LDAP group membership. 1060 * 1061 * Returns true if user should be assigned role. 1062 * 1063 * @param mixed $username username (without system magic quotes). 1064 * @param array $role Array of role's shortname, localname, and settingname for the config value. 1065 * @return mixed result null if role/LDAP context is not configured, boolean otherwise. 1066 */ 1067 private function is_role($username, $role) { 1068 if (empty($this->config->{$role['settingname']}) or empty($this->config->memberattribute)) { 1069 return null; 1070 } 1071 1072 $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding); 1073 1074 $ldapconnection = $this->ldap_connect(); 1075 1076 if ($this->config->memberattribute_isdn) { 1077 if (!($userid = $this->ldap_find_userdn($ldapconnection, $extusername))) { 1078 return false; 1079 } 1080 } else { 1081 $userid = $extusername; 1082 } 1083 1084 $groupdns = explode(';', $this->config->{$role['settingname']}); 1085 $isrole = ldap_isgroupmember($ldapconnection, $userid, $groupdns, $this->config->memberattribute); 1086 1087 $this->ldap_close(); 1088 1089 return $isrole; 1090 } 1091 1092 /** 1093 * Called when the user record is updated. 1094 * 1095 * Modifies user in external LDAP server. It takes olduser (before 1096 * changes) and newuser (after changes) compares information and 1097 * saves modified information to external LDAP server. 1098 * 1099 * @param mixed $olduser Userobject before modifications (without system magic quotes) 1100 * @param mixed $newuser Userobject new modified userobject (without system magic quotes) 1101 * @return boolean result 1102 * 1103 */ 1104 function user_update($olduser, $newuser) { 1105 global $CFG; 1106 1107 require_once($CFG->dirroot . '/user/profile/lib.php'); 1108 1109 if (isset($olduser->username) and isset($newuser->username) and $olduser->username != $newuser->username) { 1110 error_log($this->errorlogtag.get_string('renamingnotallowed', 'auth_ldap')); 1111 return false; 1112 } 1113 1114 if (isset($olduser->auth) and $olduser->auth != $this->authtype) { 1115 return true; // just change auth and skip update 1116 } 1117 1118 $attrmap = $this->ldap_attributes(); 1119 // Before doing anything else, make sure we really need to update anything 1120 // in the external LDAP server. 1121 $update_external = false; 1122 foreach ($attrmap as $key => $ldapkeys) { 1123 if (!empty($this->config->{'field_updateremote_'.$key})) { 1124 $update_external = true; 1125 break; 1126 } 1127 } 1128 if (!$update_external) { 1129 return true; 1130 } 1131 1132 $extoldusername = core_text::convert($olduser->username, 'utf-8', $this->config->ldapencoding); 1133 1134 $ldapconnection = $this->ldap_connect(); 1135 1136 $search_attribs = array(); 1137 foreach ($attrmap as $key => $values) { 1138 if (!is_array($values)) { 1139 $values = array($values); 1140 } 1141 foreach ($values as $value) { 1142 if (!in_array($value, $search_attribs)) { 1143 array_push($search_attribs, $value); 1144 } 1145 } 1146 } 1147 1148 if(!($user_dn = $this->ldap_find_userdn($ldapconnection, $extoldusername))) { 1149 return false; 1150 } 1151 1152 // Load old custom fields. 1153 $olduserprofilefields = (array) profile_user_record($olduser->id, false); 1154 1155 $fields = array(); 1156 foreach (profile_get_custom_fields(false) as $field) { 1157 $fields[$field->shortname] = $field; 1158 } 1159 1160 $success = true; 1161 $user_info_result = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs); 1162 if ($user_info_result) { 1163 $user_entry = ldap_get_entries_moodle($ldapconnection, $user_info_result); 1164 if (empty($user_entry)) { 1165 $attribs = join (', ', $search_attribs); 1166 error_log($this->errorlogtag.get_string('updateusernotfound', 'auth_ldap', 1167 array('userdn'=>$user_dn, 1168 'attribs'=>$attribs))); 1169 return false; // old user not found! 1170 } else if (count($user_entry) > 1) { 1171 error_log($this->errorlogtag.get_string('morethanoneuser', 'auth_ldap')); 1172 return false; 1173 } 1174 1175 $user_entry = $user_entry[0]; 1176 1177 foreach ($attrmap as $key => $ldapkeys) { 1178 if (preg_match('/^profile_field_(.*)$/', $key, $match)) { 1179 // Custom field. 1180 $fieldname = $match[1]; 1181 if (isset($fields[$fieldname])) { 1182 $class = 'profile_field_' . $fields[$fieldname]->datatype; 1183 $formfield = new $class($fields[$fieldname]->id, $olduser->id); 1184 $oldvalue = isset($olduserprofilefields[$fieldname]) ? $olduserprofilefields[$fieldname] : null; 1185 } else { 1186 $oldvalue = null; 1187 } 1188 $newvalue = $formfield->edit_save_data_preprocess($newuser->{$formfield->inputname}, new stdClass); 1189 } else { 1190 // Standard field. 1191 $oldvalue = isset($olduser->$key) ? $olduser->$key : null; 1192 $newvalue = isset($newuser->$key) ? $newuser->$key : null; 1193 } 1194 1195 if ($newvalue !== null and $newvalue !== $oldvalue and !empty($this->config->{'field_updateremote_' . $key})) { 1196 // For ldap values that could be in more than one 1197 // ldap key, we will do our best to match 1198 // where they came from 1199 $ambiguous = true; 1200 $changed = false; 1201 if (!is_array($ldapkeys)) { 1202 $ldapkeys = array($ldapkeys); 1203 } 1204 if (count($ldapkeys) < 2) { 1205 $ambiguous = false; 1206 } 1207 1208 $nuvalue = core_text::convert($newvalue, 'utf-8', $this->config->ldapencoding); 1209 empty($nuvalue) ? $nuvalue = array() : $nuvalue; 1210 $ouvalue = core_text::convert($oldvalue, 'utf-8', $this->config->ldapencoding); 1211 foreach ($ldapkeys as $ldapkey) { 1212 // If the field is empty in LDAP there are two options: 1213 // 1. We get the LDAP field using ldap_first_attribute. 1214 // 2. LDAP don't send the field using ldap_first_attribute. 1215 // So, for option 1 we check the if the field is retrieve it. 1216 // And get the original value of field in LDAP if the field. 1217 // Otherwise, let value in blank and delegate the check in ldap_modify. 1218 if (isset($user_entry[$ldapkey][0])) { 1219 $ldapvalue = $user_entry[$ldapkey][0]; 1220 } else { 1221 $ldapvalue = ''; 1222 } 1223 1224 if (!$ambiguous) { 1225 // Skip update if the values already match 1226 if ($nuvalue !== $ldapvalue) { 1227 // This might fail due to schema validation 1228 if (@ldap_modify($ldapconnection, $user_dn, array($ldapkey => $nuvalue))) { 1229 $changed = true; 1230 continue; 1231 } else { 1232 $success = false; 1233 error_log($this->errorlogtag.get_string ('updateremfail', 'auth_ldap', 1234 array('errno'=>ldap_errno($ldapconnection), 1235 'errstring'=>ldap_err2str(ldap_errno($ldapconnection)), 1236 'key'=>$key, 1237 'ouvalue'=>$ouvalue, 1238 'nuvalue'=>$nuvalue))); 1239 continue; 1240 } 1241 } 1242 } else { 1243 // Ambiguous. Value empty before in Moodle (and LDAP) - use 1244 // 1st ldap candidate field, no need to guess 1245 if ($ouvalue === '') { // value empty before - use 1st ldap candidate 1246 // This might fail due to schema validation 1247 if (@ldap_modify($ldapconnection, $user_dn, array($ldapkey => $nuvalue))) { 1248 $changed = true; 1249 continue; 1250 } else { 1251 $success = false; 1252 error_log($this->errorlogtag.get_string ('updateremfail', 'auth_ldap', 1253 array('errno'=>ldap_errno($ldapconnection), 1254 'errstring'=>ldap_err2str(ldap_errno($ldapconnection)), 1255 'key'=>$key, 1256 'ouvalue'=>$ouvalue, 1257 'nuvalue'=>$nuvalue))); 1258 continue; 1259 } 1260 } 1261 1262 // We found which ldap key to update! 1263 if ($ouvalue !== '' and $ouvalue === $ldapvalue ) { 1264 // This might fail due to schema validation 1265 if (@ldap_modify($ldapconnection, $user_dn, array($ldapkey => $nuvalue))) { 1266 $changed = true; 1267 continue; 1268 } else { 1269 $success = false; 1270 error_log($this->errorlogtag.get_string ('updateremfail', 'auth_ldap', 1271 array('errno'=>ldap_errno($ldapconnection), 1272 'errstring'=>ldap_err2str(ldap_errno($ldapconnection)), 1273 'key'=>$key, 1274 'ouvalue'=>$ouvalue, 1275 'nuvalue'=>$nuvalue))); 1276 continue; 1277 } 1278 } 1279 } 1280 } 1281 1282 if ($ambiguous and !$changed) { 1283 $success = false; 1284 error_log($this->errorlogtag.get_string ('updateremfailamb', 'auth_ldap', 1285 array('key'=>$key, 1286 'ouvalue'=>$ouvalue, 1287 'nuvalue'=>$nuvalue))); 1288 } 1289 } 1290 } 1291 } else { 1292 error_log($this->errorlogtag.get_string ('usernotfound', 'auth_ldap')); 1293 $success = false; 1294 } 1295 1296 $this->ldap_close(); 1297 return $success; 1298 1299 } 1300 1301 /** 1302 * Changes userpassword in LDAP 1303 * 1304 * Called when the user password is updated. It assumes it is 1305 * called by an admin or that you've otherwise checked the user's 1306 * credentials 1307 * 1308 * @param object $user User table object 1309 * @param string $newpassword Plaintext password (not crypted/md5'ed) 1310 * @return boolean result 1311 * 1312 */ 1313 function user_update_password($user, $newpassword) { 1314 global $USER; 1315 1316 $result = false; 1317 $username = $user->username; 1318 1319 $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding); 1320 $extpassword = core_text::convert($newpassword, 'utf-8', $this->config->ldapencoding); 1321 1322 switch ($this->config->passtype) { 1323 case 'md5': 1324 $extpassword = '{MD5}' . base64_encode(pack('H*', md5($extpassword))); 1325 break; 1326 case 'sha1': 1327 $extpassword = '{SHA}' . base64_encode(pack('H*', sha1($extpassword))); 1328 break; 1329 case 'plaintext': 1330 default: 1331 break; // plaintext 1332 } 1333 1334 $ldapconnection = $this->ldap_connect(); 1335 1336 $user_dn = $this->ldap_find_userdn($ldapconnection, $extusername); 1337 1338 if (!$user_dn) { 1339 error_log($this->errorlogtag.get_string ('nodnforusername', 'auth_ldap', $user->username)); 1340 return false; 1341 } 1342 1343 switch ($this->config->user_type) { 1344 case 'edir': 1345 // Change password 1346 $result = ldap_modify($ldapconnection, $user_dn, array('userPassword' => $extpassword)); 1347 if (!$result) { 1348 error_log($this->errorlogtag.get_string ('updatepasserror', 'auth_ldap', 1349 array('errno'=>ldap_errno($ldapconnection), 1350 'errstring'=>ldap_err2str(ldap_errno($ldapconnection))))); 1351 } 1352 // Update password expiration time, grace logins count 1353 $search_attribs = array($this->config->expireattr, 'passwordExpirationInterval', 'loginGraceLimit'); 1354 $sr = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs); 1355 if ($sr) { 1356 $entry = ldap_get_entries_moodle($ldapconnection, $sr); 1357 $info = $entry[0]; 1358 $newattrs = array(); 1359 if (!empty($info[$this->config->expireattr][0])) { 1360 // Set expiration time only if passwordExpirationInterval is defined 1361 if (!empty($info['passwordexpirationinterval'][0])) { 1362 $expirationtime = time() + $info['passwordexpirationinterval'][0]; 1363 $ldapexpirationtime = $this->ldap_unix2expirationtime($expirationtime); 1364 $newattrs['passwordExpirationTime'] = $ldapexpirationtime; 1365 } 1366 1367 // Set gracelogin count 1368 if (!empty($info['logingracelimit'][0])) { 1369 $newattrs['loginGraceRemaining']= $info['logingracelimit'][0]; 1370 } 1371 1372 // Store attribute changes in LDAP 1373 $result = ldap_modify($ldapconnection, $user_dn, $newattrs); 1374 if (!$result) { 1375 error_log($this->errorlogtag.get_string ('updatepasserrorexpiregrace', 'auth_ldap', 1376 array('errno'=>ldap_errno($ldapconnection), 1377 'errstring'=>ldap_err2str(ldap_errno($ldapconnection))))); 1378 } 1379 } 1380 } 1381 else { 1382 error_log($this->errorlogtag.get_string ('updatepasserrorexpire', 'auth_ldap', 1383 array('errno'=>ldap_errno($ldapconnection), 1384 'errstring'=>ldap_err2str(ldap_errno($ldapconnection))))); 1385 } 1386 break; 1387 1388 case 'ad': 1389 // Passwords in Active Directory must be encoded as Unicode 1390 // strings (UCS-2 Little Endian format) and surrounded with 1391 // double quotes. See http://support.microsoft.com/?kbid=269190 1392 if (!function_exists('mb_convert_encoding')) { 1393 error_log($this->errorlogtag.get_string ('needmbstring', 'auth_ldap')); 1394 return false; 1395 } 1396 $extpassword = mb_convert_encoding('"'.$extpassword.'"', "UCS-2LE", $this->config->ldapencoding); 1397 $result = ldap_modify($ldapconnection, $user_dn, array('unicodePwd' => $extpassword)); 1398 if (!$result) { 1399 error_log($this->errorlogtag.get_string ('updatepasserror', 'auth_ldap', 1400 array('errno'=>ldap_errno($ldapconnection), 1401 'errstring'=>ldap_err2str(ldap_errno($ldapconnection))))); 1402 } 1403 break; 1404 1405 default: 1406 // Send LDAP the password in cleartext, it will md5 it itself 1407 $result = ldap_modify($ldapconnection, $user_dn, array('userPassword' => $extpassword)); 1408 if (!$result) { 1409 error_log($this->errorlogtag.get_string ('updatepasserror', 'auth_ldap', 1410 array('errno'=>ldap_errno($ldapconnection), 1411 'errstring'=>ldap_err2str(ldap_errno($ldapconnection))))); 1412 } 1413 1414 } 1415 1416 $this->ldap_close(); 1417 return $result; 1418 } 1419 1420 /** 1421 * Take expirationtime and return it as unix timestamp in seconds 1422 * 1423 * Takes expiration timestamp as read from LDAP and returns it as unix timestamp in seconds 1424 * Depends on $this->config->user_type variable 1425 * 1426 * @param mixed time Time stamp read from LDAP as it is. 1427 * @param string $ldapconnection Only needed for Active Directory. 1428 * @param string $user_dn User distinguished name for the user we are checking password expiration (only needed for Active Directory). 1429 * @return timestamp 1430 */ 1431 function ldap_expirationtime2unix ($time, $ldapconnection, $user_dn) { 1432 $result = false; 1433 switch ($this->config->user_type) { 1434 case 'edir': 1435 $yr=substr($time, 0, 4); 1436 $mo=substr($time, 4, 2); 1437 $dt=substr($time, 6, 2); 1438 $hr=substr($time, 8, 2); 1439 $min=substr($time, 10, 2); 1440 $sec=substr($time, 12, 2); 1441 $result = mktime($hr, $min, $sec, $mo, $dt, $yr); 1442 break; 1443 case 'rfc2307': 1444 case 'rfc2307bis': 1445 $result = $time * DAYSECS; // The shadowExpire contains the number of DAYS between 01/01/1970 and the actual expiration date 1446 break; 1447 case 'ad': 1448 $result = $this->ldap_get_ad_pwdexpire($time, $ldapconnection, $user_dn); 1449 break; 1450 default: 1451 print_error('auth_ldap_usertypeundefined', 'auth_ldap'); 1452 } 1453 return $result; 1454 } 1455 1456 /** 1457 * Takes unix timestamp and returns it formated for storing in LDAP 1458 * 1459 * @param integer unix time stamp 1460 */ 1461 function ldap_unix2expirationtime($time) { 1462 $result = false; 1463 switch ($this->config->user_type) { 1464 case 'edir': 1465 $result=date('YmdHis', $time).'Z'; 1466 break; 1467 case 'rfc2307': 1468 case 'rfc2307bis': 1469 $result = $time ; // Already in correct format 1470 break; 1471 default: 1472 print_error('auth_ldap_usertypeundefined2', 'auth_ldap'); 1473 } 1474 return $result; 1475 1476 } 1477 1478 /** 1479 * Returns user attribute mappings between moodle and LDAP 1480 * 1481 * @return array 1482 */ 1483 1484 function ldap_attributes () { 1485 $moodleattributes = array(); 1486 // If we have custom fields then merge them with user fields. 1487 $customfields = $this->get_custom_user_profile_fields(); 1488 if (!empty($customfields) && !empty($this->userfields)) { 1489 $userfields = array_merge($this->userfields, $customfields); 1490 } else { 1491 $userfields = $this->userfields; 1492 } 1493 1494 foreach ($userfields as $field) { 1495 if (!empty($this->config->{"field_map_$field"})) { 1496 $moodleattributes[$field] = core_text::strtolower(trim($this->config->{"field_map_$field"})); 1497 if (preg_match('/,/', $moodleattributes[$field])) { 1498 $moodleattributes[$field] = explode(',', $moodleattributes[$field]); // split ? 1499 } 1500 } 1501 } 1502 $moodleattributes['username'] = core_text::strtolower(trim($this->config->user_attribute)); 1503 $moodleattributes['suspended'] = core_text::strtolower(trim($this->config->suspended_attribute)); 1504 return $moodleattributes; 1505 } 1506 1507 /** 1508 * Returns all usernames from LDAP 1509 * 1510 * @param $filter An LDAP search filter to select desired users 1511 * @return array of LDAP user names converted to UTF-8 1512 */ 1513 function ldap_get_userlist($filter='*') { 1514 $fresult = array(); 1515 1516 $ldapconnection = $this->ldap_connect(); 1517 1518 if ($filter == '*') { 1519 $filter = '(&('.$this->config->user_attribute.'=*)'.$this->config->objectclass.')'; 1520 } 1521 $servercontrols = array(); 1522 1523 $contexts = explode(';', $this->config->contexts); 1524 if (!empty($this->config->create_context)) { 1525 array_push($contexts, $this->config->create_context); 1526 } 1527 1528 $ldap_cookie = ''; 1529 $ldap_pagedresults = ldap_paged_results_supported($this->config->ldap_version, $ldapconnection); 1530 foreach ($contexts as $context) { 1531 $context = trim($context); 1532 if (empty($context)) { 1533 continue; 1534 } 1535 1536 do { 1537 if ($ldap_pagedresults) { 1538 $servercontrols = array(array( 1539 'oid' => LDAP_CONTROL_PAGEDRESULTS, 'value' => array( 1540 'size' => $this->config->pagesize, 'cookie' => $ldap_cookie))); 1541 } 1542 if ($this->config->search_sub) { 1543 // Use ldap_search to find first user from subtree. 1544 $ldap_result = ldap_search($ldapconnection, $context, $filter, array($this->config->user_attribute), 1545 0, -1, -1, LDAP_DEREF_NEVER, $servercontrols); 1546 } else { 1547 // Search only in this context. 1548 $ldap_result = ldap_list($ldapconnection, $context, $filter, array($this->config->user_attribute), 1549 0, -1, -1, LDAP_DEREF_NEVER, $servercontrols); 1550 } 1551 if(!$ldap_result) { 1552 continue; 1553 } 1554 if ($ldap_pagedresults) { 1555 // Get next server cookie to know if we'll need to continue searching. 1556 $ldap_cookie = ''; 1557 // Get next cookie from controls. 1558 ldap_parse_result($ldapconnection, $ldap_result, $errcode, $matcheddn, 1559 $errmsg, $referrals, $controls); 1560 if (isset($controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'])) { 1561 $ldap_cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie']; 1562 } 1563 } 1564 $users = ldap_get_entries_moodle($ldapconnection, $ldap_result); 1565 // Add found users to list. 1566 for ($i = 0; $i < count($users); $i++) { 1567 $extuser = core_text::convert($users[$i][$this->config->user_attribute][0], 1568 $this->config->ldapencoding, 'utf-8'); 1569 array_push($fresult, $extuser); 1570 } 1571 unset($ldap_result); // Free mem. 1572 } while ($ldap_pagedresults && !empty($ldap_cookie)); 1573 } 1574 1575 // If paged results were used, make sure the current connection is completely closed 1576 $this->ldap_close($ldap_pagedresults); 1577 return $fresult; 1578 } 1579 1580 /** 1581 * Indicates if password hashes should be stored in local moodle database. 1582 * 1583 * @return bool true means flag 'not_cached' stored instead of password hash 1584 */ 1585 function prevent_local_passwords() { 1586 return !empty($this->config->preventpassindb); 1587 } 1588 1589 /** 1590 * Returns true if this authentication plugin is 'internal'. 1591 * 1592 * @return bool 1593 */ 1594 function is_internal() { 1595 return false; 1596 } 1597 1598 /** 1599 * Returns true if this authentication plugin can change the user's 1600 * password. 1601 * 1602 * @return bool 1603 */ 1604 function can_change_password() { 1605 return !empty($this->config->stdchangepassword) or !empty($this->config->changepasswordurl); 1606 } 1607 1608 /** 1609 * Returns the URL for changing the user's password, or empty if the default can 1610 * be used. 1611 * 1612 * @return moodle_url 1613 */ 1614 function change_password_url() { 1615 if (empty($this->config->stdchangepassword)) { 1616 if (!empty($this->config->changepasswordurl)) { 1617 return new moodle_url($this->config->changepasswordurl); 1618 } else { 1619 return null; 1620 } 1621 } else { 1622 return null; 1623 } 1624 } 1625 1626 /** 1627 * Will get called before the login page is shownr. Ff NTLM SSO 1628 * is enabled, and the user is in the right network, we'll redirect 1629 * to the magic NTLM page for SSO... 1630 * 1631 */ 1632 function loginpage_hook() { 1633 global $CFG, $SESSION; 1634 1635 // HTTPS is potentially required 1636 //httpsrequired(); - this must be used before setting the URL, it is already done on the login/index.php 1637 1638 if (($_SERVER['REQUEST_METHOD'] === 'GET' // Only on initial GET of loginpage 1639 || ($_SERVER['REQUEST_METHOD'] === 'POST' 1640 && (get_local_referer() != strip_querystring(qualified_me())))) 1641 // Or when POSTed from another place 1642 // See MDL-14071 1643 && !empty($this->config->ntlmsso_enabled) // SSO enabled 1644 && !empty($this->config->ntlmsso_subnet) // have a subnet to test for 1645 && empty($_GET['authldap_skipntlmsso']) // haven't failed it yet 1646 && (isguestuser() || !isloggedin()) // guestuser or not-logged-in users 1647 && address_in_subnet(getremoteaddr(), $this->config->ntlmsso_subnet)) { 1648 1649 // First, let's remember where we were trying to get to before we got here 1650 if (empty($SESSION->wantsurl)) { 1651 $SESSION->wantsurl = null; 1652 $referer = get_local_referer(false); 1653 if ($referer && 1654 $referer != $CFG->wwwroot && 1655 $referer != $CFG->wwwroot . '/' && 1656 $referer != $CFG->wwwroot . '/login/' && 1657 $referer != $CFG->wwwroot . '/login/index.php') { 1658 $SESSION->wantsurl = $referer; 1659 } 1660 } 1661 1662 // Now start the whole NTLM machinery. 1663 if($this->config->ntlmsso_ie_fastpath == AUTH_NTLM_FASTPATH_YESATTEMPT || 1664 $this->config->ntlmsso_ie_fastpath == AUTH_NTLM_FASTPATH_YESFORM) { 1665 if (core_useragent::is_ie()) { 1666 $sesskey = sesskey(); 1667 redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_magic.php?sesskey='.$sesskey); 1668 } else if ($this->config->ntlmsso_ie_fastpath == AUTH_NTLM_FASTPATH_YESFORM) { 1669 redirect($CFG->wwwroot.'/login/index.php?authldap_skipntlmsso=1'); 1670 } 1671 } 1672 redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php'); 1673 } 1674 1675 // No NTLM SSO, Use the normal login page instead. 1676 1677 // If $SESSION->wantsurl is empty and we have a 'Referer:' header, the login 1678 // page insists on redirecting us to that page after user validation. If 1679 // we clicked on the redirect link at the ntlmsso_finish.php page (instead 1680 // of waiting for the redirection to happen) then we have a 'Referer:' header 1681 // we don't want to use at all. As we can't get rid of it, just point 1682 // $SESSION->wantsurl to $CFG->wwwroot (after all, we came from there). 1683 if (empty($SESSION->wantsurl) 1684 && (get_local_referer() == $CFG->wwwroot.'/auth/ldap/ntlmsso_finish.php')) { 1685 1686 $SESSION->wantsurl = $CFG->wwwroot; 1687 } 1688 } 1689 1690 /** 1691 * To be called from a page running under NTLM's 1692 * "Integrated Windows Authentication". 1693 * 1694 * If successful, it will set a special "cookie" (not an HTTP cookie!) 1695 * in cache_flags under the $this->pluginconfig/ntlmsess "plugin" and return true. 1696 * The "cookie" will be picked up by ntlmsso_finish() to complete the 1697 * process. 1698 * 1699 * On failure it will return false for the caller to display an appropriate 1700 * error message (probably saying that Integrated Windows Auth isn't enabled!) 1701 * 1702 * NOTE that this code will execute under the OS user credentials, 1703 * so we MUST avoid dealing with files -- such as session files. 1704 * (The caller should define('NO_MOODLE_COOKIES', true) before including config.php) 1705 * 1706 */ 1707 function ntlmsso_magic($sesskey) { 1708 if (isset($_SERVER['REMOTE_USER']) && !empty($_SERVER['REMOTE_USER'])) { 1709 1710 // HTTP __headers__ seem to be sent in ISO-8859-1 encoding 1711 // (according to my reading of RFC-1945, RFC-2616 and RFC-2617 and 1712 // my local tests), so we need to convert the REMOTE_USER value 1713 // (i.e., what we got from the HTTP WWW-Authenticate header) into UTF-8 1714 $username = core_text::convert($_SERVER['REMOTE_USER'], 'iso-8859-1', 'utf-8'); 1715 1716 switch ($this->config->ntlmsso_type) { 1717 case 'ntlm': 1718 // The format is now configurable, so try to extract the username 1719 $username = $this->get_ntlm_remote_user($username); 1720 if (empty($username)) { 1721 return false; 1722 } 1723 break; 1724 case 'kerberos': 1725 // Format is username@DOMAIN 1726 $username = substr($username, 0, strpos($username, '@')); 1727 break; 1728 default: 1729 error_log($this->errorlogtag.get_string ('ntlmsso_unknowntype', 'auth_ldap')); 1730 return false; // Should never happen! 1731 } 1732 1733 $username = core_text::strtolower($username); // Compatibility hack 1734 set_cache_flag($this->pluginconfig.'/ntlmsess', $sesskey, $username, AUTH_NTLMTIMEOUT); 1735 return true; 1736 } 1737 return false; 1738 } 1739 1740 /** 1741 * Find the session set by ntlmsso_magic(), validate it and 1742 * call authenticate_user_login() to authenticate the user through 1743 * the auth machinery. 1744 * 1745 * It is complemented by a similar check in user_login(). 1746 * 1747 * If it succeeds, it never returns. 1748 * 1749 */ 1750 function ntlmsso_finish() { 1751 global $CFG, $USER, $SESSION; 1752 1753 $key = sesskey(); 1754 $username = get_cache_flag($this->pluginconfig.'/ntlmsess', $key); 1755 if (empty($username)) { 1756 return false; 1757 } 1758 1759 // Here we want to trigger the whole authentication machinery 1760 // to make sure no step is bypassed... 1761 $reason = null; 1762 $user = authenticate_user_login($username, $key, false, $reason, false); 1763 if ($user) { 1764 complete_user_login($user); 1765 1766 // Cleanup the key to prevent reuse... 1767 // and to allow re-logins with normal credentials 1768 unset_cache_flag($this->pluginconfig.'/ntlmsess', $key); 1769 1770 // Redirection 1771 if (user_not_fully_set_up($USER, true)) { 1772 $urltogo = $CFG->wwwroot.'/user/edit.php'; 1773 // We don't delete $SESSION->wantsurl yet, so we get there later 1774 } else if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0)) { 1775 $urltogo = $SESSION->wantsurl; // Because it's an address in this site 1776 unset($SESSION->wantsurl); 1777 } else { 1778 // No wantsurl stored or external - go to homepage 1779 $urltogo = $CFG->wwwroot.'/'; 1780 unset($SESSION->wantsurl); 1781 } 1782 // We do not want to redirect if we are in a PHPUnit test. 1783 if (!PHPUNIT_TEST) { 1784 redirect($urltogo); 1785 } 1786 } 1787 // Should never reach here. 1788 return false; 1789 } 1790 1791 /** 1792 * Sync roles for this user. 1793 * 1794 * @param object $user The user to sync (without system magic quotes). 1795 */ 1796 function sync_roles($user) { 1797 global $DB; 1798 1799 $roles = get_ldap_assignable_role_names(2); // Admin user. 1800 1801 foreach ($roles as $role) { 1802 $isrole = $this->is_role($user->username, $role); 1803 if ($isrole === null) { 1804 continue; // Nothing to sync - role/LDAP contexts not configured. 1805 } 1806 1807 // Sync user. 1808 $systemcontext = context_system::instance(); 1809 if ($isrole) { 1810 // Following calls will not create duplicates. 1811 role_assign($role['id'], $user->id, $systemcontext->id, $this->roleauth); 1812 } else { 1813 // Unassign only if previously assigned by this plugin. 1814 role_unassign($role['id'], $user->id, $systemcontext->id, $this->roleauth); 1815 } 1816 } 1817 } 1818 1819 /** 1820 * Get password expiration time for a given user from Active Directory 1821 * 1822 * @param string $pwdlastset The time last time we changed the password. 1823 * @param resource $lcapconn The open LDAP connection. 1824 * @param string $user_dn The distinguished name of the user we are checking. 1825 * 1826 * @return string $unixtime 1827 */ 1828 function ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn){ 1829 global $CFG; 1830 1831 if (!function_exists('bcsub')) { 1832 error_log($this->errorlogtag.get_string ('needbcmath', 'auth_ldap')); 1833 return 0; 1834 } 1835 1836 // If UF_DONT_EXPIRE_PASSWD flag is set in user's 1837 // userAccountControl attribute, the password doesn't expire. 1838 $sr = ldap_read($ldapconn, $user_dn, '(objectClass=*)', 1839 array('userAccountControl')); 1840 if (!$sr) { 1841 error_log($this->errorlogtag.get_string ('useracctctrlerror', 'auth_ldap', $user_dn)); 1842 // Don't expire password, as we are not sure if it has to be 1843 // expired or not. 1844 return 0; 1845 } 1846 1847 $entry = ldap_get_entries_moodle($ldapconn, $sr); 1848 $info = $entry[0]; 1849 $useraccountcontrol = $info['useraccountcontrol'][0]; 1850 if ($useraccountcontrol & UF_DONT_EXPIRE_PASSWD) { 1851 // Password doesn't expire. 1852 return 0; 1853 } 1854 1855 // If pwdLastSet is zero, the user must change his/her password now 1856 // (unless UF_DONT_EXPIRE_PASSWD flag is set, but we already 1857 // tested this above) 1858 if ($pwdlastset === '0') { 1859 // Password has expired 1860 return -1; 1861 } 1862 1863 // ---------------------------------------------------------------- 1864 // Password expiration time in Active Directory is the composition of 1865 // two values: 1866 // 1867 // - User's pwdLastSet attribute, that stores the last time 1868 // the password was changed. 1869 // 1870 // - Domain's maxPwdAge attribute, that sets how long 1871 // passwords last in this domain. 1872 // 1873 // We already have the first value (passed in as a parameter). We 1874 // need to get the second one. As we don't know the domain DN, we 1875 // have to query rootDSE's defaultNamingContext attribute to get 1876 // it. Then we have to query that DN's maxPwdAge attribute to get 1877 // the real value. 1878 // 1879 // Once we have both values, we just need to combine them. But MS 1880 // chose to use a different base and unit for time measurements. 1881 // So we need to convert the values to Unix timestamps (see 1882 // details below). 1883 // ---------------------------------------------------------------- 1884 1885 $sr = ldap_read($ldapconn, ROOTDSE, '(objectClass=*)', 1886 array('defaultNamingContext')); 1887 if (!$sr) { 1888 error_log($this->errorlogtag.get_string ('rootdseerror', 'auth_ldap')); 1889 return 0; 1890 } 1891 1892 $entry = ldap_get_entries_moodle($ldapconn, $sr); 1893 $info = $entry[0]; 1894 $domaindn = $info['defaultnamingcontext'][0]; 1895 1896 $sr = ldap_read ($ldapconn, $domaindn, '(objectClass=*)', 1897 array('maxPwdAge')); 1898 $entry = ldap_get_entries_moodle($ldapconn, $sr); 1899 $info = $entry[0]; 1900 $maxpwdage = $info['maxpwdage'][0]; 1901 if ($sr = ldap_read($ldapconn, $user_dn, '(objectClass=*)', array('msDS-ResultantPSO'))) { 1902 if ($entry = ldap_get_entries_moodle($ldapconn, $sr)) { 1903 $info = $entry[0]; 1904 $userpso = $info['msds-resultantpso'][0]; 1905 1906 // If a PSO exists, FGPP is being utilized. 1907 // Grab the new maxpwdage from the msDS-MaximumPasswordAge attribute of the PSO. 1908 if (!empty($userpso)) { 1909 $sr = ldap_read($ldapconn, $userpso, '(objectClass=*)', array('msDS-MaximumPasswordAge')); 1910 if ($entry = ldap_get_entries_moodle($ldapconn, $sr)) { 1911 $info = $entry[0]; 1912 // Default value of msds-maximumpasswordage is 42 and is always set. 1913 $maxpwdage = $info['msds-maximumpasswordage'][0]; 1914 } 1915 } 1916 } 1917 } 1918 // ---------------------------------------------------------------- 1919 // MSDN says that "pwdLastSet contains the number of 100 nanosecond 1920 // intervals since January 1, 1601 (UTC), stored in a 64 bit integer". 1921 // 1922 // According to Perl's Date::Manip, the number of seconds between 1923 // this date and Unix epoch is 11644473600. So we have to 1924 // substract this value to calculate a Unix time, once we have 1925 // scaled pwdLastSet to seconds. This is the script used to 1926 // calculate the value shown above: 1927 // 1928 // #!/usr/bin/perl -w 1929 // 1930 // use Date::Manip; 1931 // 1932 // $date1 = ParseDate ("160101010000 UTC"); 1933 // $date2 = ParseDate ("197001010000 UTC"); 1934 // $delta = DateCalc($date1, $date2, \$err); 1935 // $secs = Delta_Format($delta, 0, "%st"); 1936 // print "$secs \n"; 1937 // 1938 // MSDN also says that "maxPwdAge is stored as a large integer that 1939 // represents the number of 100 nanosecond intervals from the time 1940 // the password was set before the password expires." We also need 1941 // to scale this to seconds. Bear in mind that this value is stored 1942 // as a _negative_ quantity (at least in my AD domain). 1943 // 1944 // As a last remark, if the low 32 bits of maxPwdAge are equal to 0, 1945 // the maximum password age in the domain is set to 0, which means 1946 // passwords do not expire (see 1947 // http://msdn2.microsoft.com/en-us/library/ms974598.aspx) 1948 // 1949 // As the quantities involved are too big for PHP integers, we 1950 // need to use BCMath functions to work with arbitrary precision 1951 // numbers. 1952 // ---------------------------------------------------------------- 1953 1954 // If the low order 32 bits are 0, then passwords do not expire in 1955 // the domain. Just do '$maxpwdage mod 2^32' and check the result 1956 // (2^32 = 4294967296) 1957 if (bcmod ($maxpwdage, 4294967296) === '0') { 1958 return 0; 1959 } 1960 1961 // Add up pwdLastSet and maxPwdAge to get password expiration 1962 // time, in MS time units. Remember maxPwdAge is stored as a 1963 // _negative_ quantity, so we need to substract it in fact. 1964 $pwdexpire = bcsub ($pwdlastset, $maxpwdage); 1965 1966 // Scale the result to convert it to Unix time units and return 1967 // that value. 1968 return bcsub( bcdiv($pwdexpire, '10000000'), '11644473600'); 1969 } 1970 1971 /** 1972 * Connect to the LDAP server, using the plugin configured 1973 * settings. It's actually a wrapper around ldap_connect_moodle() 1974 * 1975 * @return resource A valid LDAP connection (or dies if it can't connect) 1976 */ 1977 function ldap_connect() { 1978 // Cache ldap connections. They are expensive to set up 1979 // and can drain the TCP/IP ressources on the server if we 1980 // are syncing a lot of users (as we try to open a new connection 1981 // to get the user details). This is the least invasive way 1982 // to reuse existing connections without greater code surgery. 1983 if(!empty($this->ldapconnection)) { 1984 $this->ldapconns++; 1985 return $this->ldapconnection; 1986 } 1987 1988 if($ldapconnection = ldap_connect_moodle($this->config->host_url, $this->config->ldap_version, 1989 $this->config->user_type, $this->config->bind_dn, 1990 $this->config->bind_pw, $this->config->opt_deref, 1991 $debuginfo, $this->config->start_tls)) { 1992 $this->ldapconns = 1; 1993 $this->ldapconnection = $ldapconnection; 1994 return $ldapconnection; 1995 } 1996 1997 print_error('auth_ldap_noconnect_all', 'auth_ldap', '', $debuginfo); 1998 } 1999 2000 /** 2001 * Disconnects from a LDAP server 2002 * 2003 * @param force boolean Forces closing the real connection to the LDAP server, ignoring any 2004 * cached connections. This is needed when we've used paged results 2005 * and want to use normal results again. 2006 */ 2007 function ldap_close($force=false) { 2008 $this->ldapconns--; 2009 if (($this->ldapconns == 0) || ($force)) { 2010 $this->ldapconns = 0; 2011 @ldap_close($this->ldapconnection); 2012 unset($this->ldapconnection); 2013 } 2014 } 2015 2016 /** 2017 * Search specified contexts for username and return the user dn 2018 * like: cn=username,ou=suborg,o=org. It's actually a wrapper 2019 * around ldap_find_userdn(). 2020 * 2021 * @param resource $ldapconnection a valid LDAP connection 2022 * @param string $extusername the username to search (in external LDAP encoding, no db slashes) 2023 * @return mixed the user dn (external LDAP encoding) or false 2024 */ 2025 function ldap_find_userdn($ldapconnection, $extusername) { 2026 $ldap_contexts = explode(';', $this->config->contexts); 2027 if (!empty($this->config->create_context)) { 2028 array_push($ldap_contexts, $this->config->create_context); 2029 } 2030 2031 return ldap_find_userdn($ldapconnection, $extusername, $ldap_contexts, $this->config->objectclass, 2032 $this->config->user_attribute, $this->config->search_sub); 2033 } 2034 2035 /** 2036 * When using NTLM SSO, the format of the remote username we get in 2037 * $_SERVER['REMOTE_USER'] may vary, depending on where from and how the web 2038 * server gets the data. So we let the admin configure the format using two 2039 * place holders (%domain% and %username%). This function tries to extract 2040 * the username (stripping the domain part and any separators if they are 2041 * present) from the value present in $_SERVER['REMOTE_USER'], using the 2042 * configured format. 2043 * 2044 * @param string $remoteuser The value from $_SERVER['REMOTE_USER'] (converted to UTF-8) 2045 * 2046 * @return string The remote username (without domain part or 2047 * separators). Empty string if we can't extract the username. 2048 */ 2049 protected function get_ntlm_remote_user($remoteuser) { 2050 if (empty($this->config->ntlmsso_remoteuserformat)) { 2051 $format = AUTH_NTLM_DEFAULT_FORMAT; 2052 } else { 2053 $format = $this->config->ntlmsso_remoteuserformat; 2054 } 2055 2056 $format = preg_quote($format); 2057 $formatregex = preg_replace(array('#%domain%#', '#%username%#'), 2058 array('('.AUTH_NTLM_VALID_DOMAINNAME.')', '('.AUTH_NTLM_VALID_USERNAME.')'), 2059 $format); 2060 if (preg_match('#^'.$formatregex.'$#', $remoteuser, $matches)) { 2061 $user = end($matches); 2062 return $user; 2063 } 2064 2065 /* We are unable to extract the username with the configured format. Probably 2066 * the format specified is wrong, so log a warning for the admin and return 2067 * an empty username. 2068 */ 2069 error_log($this->errorlogtag.get_string ('auth_ntlmsso_maybeinvalidformat', 'auth_ldap')); 2070 return ''; 2071 } 2072 2073 /** 2074 * Check if the diagnostic message for the LDAP login error tells us that the 2075 * login is denied because the user password has expired or the password needs 2076 * to be changed on first login (using interactive SMB/Windows logins, not 2077 * LDAP logins). 2078 * 2079 * @param string the diagnostic message for the LDAP login error 2080 * @return bool true if the password has expired or the password must be changed on first login 2081 */ 2082 protected function ldap_ad_pwdexpired_from_diagmsg($diagmsg) { 2083 // The format of the diagnostic message is (actual examples from W2003 and W2008): 2084 // "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece" (W2003) 2085 // "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece" (W2003) 2086 // "80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1771" (W2008) 2087 // "80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771" (W2008) 2088 // We are interested in the 'data nnn' part. 2089 // if nnn == 773 then user must change password on first login 2090 // if nnn == 532 then user password has expired 2091 $diagmsg = explode(',', $diagmsg); 2092 if (preg_match('/data (773|532)/i', trim($diagmsg[2]))) { 2093 return true; 2094 } 2095 return false; 2096 } 2097 2098 /** 2099 * Check if a user is suspended. This function is intended to be used after calling 2100 * get_userinfo_asobj. This is needed because LDAP doesn't have a notion of disabled 2101 * users, however things like MS Active Directory support it and expose information 2102 * through a field. 2103 * 2104 * @param object $user the user object returned by get_userinfo_asobj 2105 * @return boolean 2106 */ 2107 protected function is_user_suspended($user) { 2108 if (!$this->config->suspended_attribute || !isset($user->suspended)) { 2109 return false; 2110 } 2111 if ($this->config->suspended_attribute == 'useraccountcontrol' && $this->config->user_type == 'ad') { 2112 return (bool)($user->suspended & AUTH_AD_ACCOUNTDISABLE); 2113 } 2114 2115 return (bool)$user->suspended; 2116 } 2117 2118 /** 2119 * Test a DN 2120 * 2121 * @param resource $ldapconn 2122 * @param string $dn The DN to check for existence 2123 * @param string $message The identifier of a string as in get_string() 2124 * @param string|object|array $a An object, string or number that can be used 2125 * within translation strings as in get_string() 2126 * @return true or a message in case of error 2127 */ 2128 private function test_dn($ldapconn, $dn, $message, $a = null) { 2129 $ldapresult = @ldap_read($ldapconn, $dn, '(objectClass=*)', array()); 2130 if (!$ldapresult) { 2131 if (ldap_errno($ldapconn) == 32) { 2132 // No such object. 2133 return get_string($message, 'auth_ldap', $a); 2134 } 2135 2136 $a = array('code' => ldap_errno($ldapconn), 'subject' => $a, 'message' => ldap_error($ldapconn)); 2137 return get_string('diag_genericerror', 'auth_ldap', $a); 2138 } 2139 2140 return true; 2141 } 2142 2143 /** 2144 * Test if settings are correct, print info to output. 2145 */ 2146 public function test_settings() { 2147 global $OUTPUT; 2148 2149 if (!function_exists('ldap_connect')) { // Is php-ldap really there? 2150 echo $OUTPUT->notification(get_string('auth_ldap_noextension', 'auth_ldap'), \core\output\notification::NOTIFY_ERROR); 2151 return; 2152 } 2153 2154 // Check to see if this is actually configured. 2155 if (empty($this->config->host_url)) { 2156 // LDAP is not even configured. 2157 echo $OUTPUT->notification(get_string('ldapnotconfigured', 'auth_ldap'), \core\output\notification::NOTIFY_ERROR); 2158 return; 2159 } 2160 2161 if ($this->config->ldap_version != 3) { 2162 echo $OUTPUT->notification(get_string('diag_toooldversion', 'auth_ldap'), \core\output\notification::NOTIFY_WARNING); 2163 } 2164 2165 try { 2166 $ldapconn = $this->ldap_connect(); 2167 } catch (Exception $e) { 2168 echo $OUTPUT->notification($e->getMessage(), \core\output\notification::NOTIFY_ERROR); 2169 return; 2170 } 2171 2172 // Display paged file results. 2173 if (!ldap_paged_results_supported($this->config->ldap_version, $ldapconn)) { 2174 echo $OUTPUT->notification(get_string('pagedresultsnotsupp', 'auth_ldap'), \core\output\notification::NOTIFY_INFO); 2175 } 2176 2177 // Check contexts. 2178 foreach (explode(';', $this->config->contexts) as $context) { 2179 $context = trim($context); 2180 if (empty($context)) { 2181 echo $OUTPUT->notification(get_string('diag_emptycontext', 'auth_ldap'), \core\output\notification::NOTIFY_WARNING); 2182 continue; 2183 } 2184 2185 $message = $this->test_dn($ldapconn, $context, 'diag_contextnotfound', $context); 2186 if ($message !== true) { 2187 echo $OUTPUT->notification($message, \core\output\notification::NOTIFY_WARNING); 2188 } 2189 } 2190 2191 // Create system role mapping field for each assignable system role. 2192 $roles = get_ldap_assignable_role_names(); 2193 foreach ($roles as $role) { 2194 foreach (explode(';', $this->config->{$role['settingname']}) as $groupdn) { 2195 if (empty($groupdn)) { 2196 continue; 2197 } 2198 2199 $role['group'] = $groupdn; 2200 $message = $this->test_dn($ldapconn, $groupdn, 'diag_rolegroupnotfound', $role); 2201 if ($message !== true) { 2202 echo $OUTPUT->notification($message, \core\output\notification::NOTIFY_WARNING); 2203 } 2204 } 2205 } 2206 2207 $this->ldap_close(true); 2208 // We were able to connect successfuly. 2209 echo $OUTPUT->notification(get_string('connectingldapsuccess', 'auth_ldap'), \core\output\notification::NOTIFY_SUCCESS); 2210 } 2211 2212 /** 2213 * Get the list of profile fields. 2214 * 2215 * @param bool $fetchall Fetch all, not just those for update. 2216 * @return array 2217 */ 2218 protected function get_profile_keys($fetchall = false) { 2219 $keys = array_keys(get_object_vars($this->config)); 2220 $updatekeys = []; 2221 foreach ($keys as $key) { 2222 if (preg_match('/^field_updatelocal_(.+)$/', $key, $match)) { 2223 // If we have a field to update it from and it must be updated 'onlogin' we update it on cron. 2224 if (!empty($this->config->{'field_map_'.$match[1]})) { 2225 if ($fetchall || $this->config->{$match[0]} === 'onlogin') { 2226 array_push($updatekeys, $match[1]); // the actual key name 2227 } 2228 } 2229 } 2230 } 2231 2232 if ($this->config->suspended_attribute && $this->config->sync_suspended) { 2233 $updatekeys[] = 'suspended'; 2234 } 2235 2236 return $updatekeys; 2237 } 2238 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
