Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.

Differences Between: [Versions 39 and 401]

   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Admin settings and defaults.
  19   *
  20   * @package auth_ldap
  21   * @copyright  2017 Stephen Bourget
  22   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  23   */
  24  
  25  defined('MOODLE_INTERNAL') || die;
  26  
  27  if ($ADMIN->fulltree) {
  28  
  29      if (!function_exists('ldap_connect')) {
  30          $notify = new \core\output\notification(get_string('auth_ldap_noextension', 'auth_ldap'),
  31              \core\output\notification::NOTIFY_WARNING);
  32          $settings->add(new admin_setting_heading('auth_ldap_noextension', '', $OUTPUT->render($notify)));
  33      } else {
  34  
  35          // We use a couple of custom admin settings since we need to massage the data before it is inserted into the DB.
  36          require_once($CFG->dirroot.'/auth/ldap/classes/admin_setting_special_lowercase_configtext.php');
  37          require_once($CFG->dirroot.'/auth/ldap/classes/admin_setting_special_contexts_configtext.php');
  38          require_once($CFG->dirroot.'/auth/ldap/classes/admin_setting_special_ntlm_configtext.php');
  39  
  40          // We need to use some of the Moodle LDAP constants / functions to create the list of options.
  41          require_once($CFG->dirroot.'/auth/ldap/auth.php');
  42  
  43          // Introductory explanation.
  44          $settings->add(new admin_setting_heading('auth_ldap/pluginname', '',
  45                  new lang_string('auth_ldapdescription', 'auth_ldap')));
  46  
  47          // LDAP server settings.
  48          $settings->add(new admin_setting_heading('auth_ldap/ldapserversettings',
  49                  new lang_string('auth_ldap_server_settings', 'auth_ldap'), ''));
  50  
  51          // Host.
  52          $settings->add(new admin_setting_configtext('auth_ldap/host_url',
  53                  get_string('auth_ldap_host_url_key', 'auth_ldap'),
  54                  get_string('auth_ldap_host_url', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
  55  
  56          // Version.
  57          $versions = array();
  58          $versions[2] = '2';
  59          $versions[3] = '3';
  60          $settings->add(new admin_setting_configselect('auth_ldap/ldap_version',
  61                  new lang_string('auth_ldap_version_key', 'auth_ldap'),
  62                  new lang_string('auth_ldap_version', 'auth_ldap'), 3, $versions));
  63  
  64          // Start TLS.
  65          $yesno = array(
  66              new lang_string('no'),
  67              new lang_string('yes'),
  68          );
  69          $settings->add(new admin_setting_configselect('auth_ldap/start_tls',
  70                  new lang_string('start_tls_key', 'auth_ldap'),
  71                  new lang_string('start_tls', 'auth_ldap'), 0 , $yesno));
  72  
  73  
  74          // Encoding.
  75          $settings->add(new admin_setting_configtext('auth_ldap/ldapencoding',
  76                  get_string('auth_ldap_ldap_encoding_key', 'auth_ldap'),
  77                  get_string('auth_ldap_ldap_encoding', 'auth_ldap'), 'utf-8', PARAM_RAW_TRIMMED));
  78  
  79          // Page Size. (Hide if not available).
  80          $settings->add(new admin_setting_configtext('auth_ldap/pagesize',
  81                  get_string('pagesize_key', 'auth_ldap'),
  82                  get_string('pagesize', 'auth_ldap'), '250', PARAM_INT));
  83  
  84          // Bind settings.
  85          $settings->add(new admin_setting_heading('auth_ldap/ldapbindsettings',
  86                  new lang_string('auth_ldap_bind_settings', 'auth_ldap'), ''));
  87  
  88          // Store Password in DB.
  89          $settings->add(new admin_setting_configselect('auth_ldap/preventpassindb',
  90                  new lang_string('auth_ldap_preventpassindb_key', 'auth_ldap'),
  91                  new lang_string('auth_ldap_preventpassindb', 'auth_ldap'), 0 , $yesno));
  92  
  93          // User ID.
  94          $settings->add(new admin_setting_configtext('auth_ldap/bind_dn',
  95                  get_string('auth_ldap_bind_dn_key', 'auth_ldap'),
  96                  get_string('auth_ldap_bind_dn', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
  97  
  98          // Password.
  99          $settings->add(new admin_setting_configpasswordunmask('auth_ldap/bind_pw',
 100                  get_string('auth_ldap_bind_pw_key', 'auth_ldap'),
 101                  get_string('auth_ldap_bind_pw', 'auth_ldap'), ''));
 102  
 103          // User Lookup settings.
 104          $settings->add(new admin_setting_heading('auth_ldap/ldapuserlookup',
 105                  new lang_string('auth_ldap_user_settings', 'auth_ldap'), ''));
 106  
 107          // User Type.
 108          $settings->add(new admin_setting_configselect('auth_ldap/user_type',
 109                  new lang_string('auth_ldap_user_type_key', 'auth_ldap'),
 110                  new lang_string('auth_ldap_user_type', 'auth_ldap'), 'default', ldap_supported_usertypes()));
 111  
 112          // Contexts.
 113          $settings->add(new auth_ldap_admin_setting_special_contexts_configtext('auth_ldap/contexts',
 114                  get_string('auth_ldap_contexts_key', 'auth_ldap'),
 115                  get_string('auth_ldap_contexts', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
 116  
 117          // Search subcontexts.
 118          $settings->add(new admin_setting_configselect('auth_ldap/search_sub',
 119                  new lang_string('auth_ldap_search_sub_key', 'auth_ldap'),
 120                  new lang_string('auth_ldap_search_sub', 'auth_ldap'), 0 , $yesno));
 121  
 122          // Dereference aliases.
 123          $optderef = array();
 124          $optderef[LDAP_DEREF_NEVER] = get_string('no');
 125          $optderef[LDAP_DEREF_ALWAYS] = get_string('yes');
 126  
 127          $settings->add(new admin_setting_configselect('auth_ldap/opt_deref',
 128                  new lang_string('auth_ldap_opt_deref_key', 'auth_ldap'),
 129                  new lang_string('auth_ldap_opt_deref', 'auth_ldap'), LDAP_DEREF_NEVER , $optderef));
 130  
 131          // User attribute.
 132          $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/user_attribute',
 133                  get_string('auth_ldap_user_attribute_key', 'auth_ldap'),
 134                  get_string('auth_ldap_user_attribute', 'auth_ldap'), '', PARAM_RAW));
 135  
 136          // Suspended attribute.
 137          $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/suspended_attribute',
 138                  get_string('auth_ldap_suspended_attribute_key', 'auth_ldap'),
 139                  get_string('auth_ldap_suspended_attribute', 'auth_ldap'), '', PARAM_RAW));
 140  
 141          // Member attribute.
 142          $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/memberattribute',
 143                  get_string('auth_ldap_memberattribute_key', 'auth_ldap'),
 144                  get_string('auth_ldap_memberattribute', 'auth_ldap'), '', PARAM_RAW));
 145  
 146          // Member attribute uses dn.
 147          $settings->add(new admin_setting_configselect('auth_ldap/memberattribute_isdn',
 148                  get_string('auth_ldap_memberattribute_isdn_key', 'auth_ldap'),
 149                  get_string('auth_ldap_memberattribute_isdn', 'auth_ldap'), 0, $yesno));
 150  
 151          // Object class.
 152          $settings->add(new admin_setting_configtext('auth_ldap/objectclass',
 153                  get_string('auth_ldap_objectclass_key', 'auth_ldap'),
 154                  get_string('auth_ldap_objectclass', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
 155  
 156          // Force Password change Header.
 157          $settings->add(new admin_setting_heading('auth_ldap/ldapforcepasswordchange',
 158                  new lang_string('forcechangepassword', 'auth'), ''));
 159  
 160          // Force Password change.
 161          $settings->add(new admin_setting_configselect('auth_ldap/forcechangepassword',
 162                  new lang_string('forcechangepassword', 'auth'),
 163                  new lang_string('forcechangepasswordfirst_help', 'auth'), 0 , $yesno));
 164  
 165          // Standard Password Change.
 166          $settings->add(new admin_setting_configselect('auth_ldap/stdchangepassword',
 167                  new lang_string('stdchangepassword', 'auth'), new lang_string('stdchangepassword_expl', 'auth') .' '.
 168                  get_string('stdchangepassword_explldap', 'auth'), 0 , $yesno));
 169  
 170          // Password Type.
 171          $passtype = array();
 172          $passtype['plaintext'] = get_string('plaintext', 'auth');
 173          $passtype['md5']       = get_string('md5', 'auth');
 174          $passtype['sha1']      = get_string('sha1', 'auth');
 175  
 176          $settings->add(new admin_setting_configselect('auth_ldap/passtype',
 177                  new lang_string('auth_ldap_passtype_key', 'auth_ldap'),
 178                  new lang_string('auth_ldap_passtype', 'auth_ldap'), 'plaintext', $passtype));
 179  
 180          // Password change URL.
 181          $settings->add(new admin_setting_configtext('auth_ldap/changepasswordurl',
 182                  get_string('auth_ldap_changepasswordurl_key', 'auth_ldap'),
 183                  get_string('changepasswordhelp', 'auth'), '', PARAM_URL));
 184  
 185          // Password Expiration Header.
 186          $settings->add(new admin_setting_heading('auth_ldap/passwordexpire',
 187                  new lang_string('auth_ldap_passwdexpire_settings', 'auth_ldap'), ''));
 188  
 189          // Password Expiration.
 190  
 191          // Create the description lang_string object.
 192          $strno = get_string('no');
 193          $strldapserver = get_string('pluginname', 'auth_ldap');
 194          $langobject = new stdClass();
 195          $langobject->no = $strno;
 196          $langobject->ldapserver = $strldapserver;
 197          $description = new lang_string('auth_ldap_expiration_desc', 'auth_ldap', $langobject);
 198  
 199          // Now create the options.
 200          $expiration = array();
 201          $expiration['0'] = $strno;
 202          $expiration['1'] = $strldapserver;
 203  
 204          // Add the setting.
 205          $settings->add(new admin_setting_configselect('auth_ldap/expiration',
 206                  new lang_string('auth_ldap_expiration_key', 'auth_ldap'),
 207                  $description, 0 , $expiration));
 208  
 209          // Password Expiration warning.
 210          $settings->add(new admin_setting_configtext('auth_ldap/expiration_warning',
 211                  get_string('auth_ldap_expiration_warning_key', 'auth_ldap'),
 212                  get_string('auth_ldap_expiration_warning_desc', 'auth_ldap'), '', PARAM_RAW));
 213  
 214          // Password Expiration attribute.
 215          $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/expireattr',
 216                  get_string('auth_ldap_expireattr_key', 'auth_ldap'),
 217                  get_string('auth_ldap_expireattr_desc', 'auth_ldap'), '', PARAM_RAW));
 218  
 219          // Grace Logins.
 220          $settings->add(new admin_setting_configselect('auth_ldap/gracelogins',
 221                  new lang_string('auth_ldap_gracelogins_key', 'auth_ldap'),
 222                  new lang_string('auth_ldap_gracelogins_desc', 'auth_ldap'), 0 , $yesno));
 223  
 224          // Grace logins attribute.
 225          $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/graceattr',
 226                  get_string('auth_ldap_gracelogin_key', 'auth_ldap'),
 227                  get_string('auth_ldap_graceattr_desc', 'auth_ldap'), '', PARAM_RAW));
 228  
 229          // User Creation.
 230          $settings->add(new admin_setting_heading('auth_ldap/usercreation',
 231                  new lang_string('auth_user_create', 'auth'), ''));
 232  
 233          // Create users externally.
 234          $settings->add(new admin_setting_configselect('auth_ldap/auth_user_create',
 235                  new lang_string('auth_ldap_auth_user_create_key', 'auth_ldap'),
 236                  new lang_string('auth_user_creation', 'auth'), 0 , $yesno));
 237  
 238          // Context for new users.
 239          $settings->add(new admin_setting_configtext('auth_ldap/create_context',
 240                  get_string('auth_ldap_create_context_key', 'auth_ldap'),
 241                  get_string('auth_ldap_create_context', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
 242  
 243          // System roles mapping header.
 244          $settings->add(new admin_setting_heading('auth_ldap/systemrolemapping',
 245                                          new lang_string('systemrolemapping', 'auth_ldap'), ''));
 246  
 247          // Create system role mapping field for each assignable system role.
 248          $roles = get_ldap_assignable_role_names();
 249          foreach ($roles as $role) {
 250              // Before we can add this setting we need to check a few things.
 251              // A) It does not exceed 100 characters otherwise it will break the DB as the 'name' field
 252              //    in the 'config_plugins' table is a varchar(100).
 253              // B) The setting name does not contain hyphens. If it does then it will fail the check
 254              //    in parse_setting_name() and everything will explode. Role short names are validated
 255              //    against PARAM_ALPHANUMEXT which is similar to the regex used in parse_setting_name()
 256              //    except it also allows hyphens.
 257              // Instead of shortening the name and removing/replacing the hyphens we are showing a warning.
 258              // If we were to manipulate the setting name by removing the hyphens we may get conflicts, eg
 259              // 'thisisashortname' and 'this-is-a-short-name'. The same applies for shortening the setting name.
 260              if (core_text::strlen($role['settingname']) > 100 || !preg_match('/^[a-zA-Z0-9_]+$/', $role['settingname'])) {
 261                  $url = new moodle_url('/admin/roles/define.php', array('action' => 'edit', 'roleid' => $role['id']));
 262                  $a = (object)['rolename' => $role['localname'], 'shortname' => $role['shortname'], 'charlimit' => 93,
 263                      'link' => $url->out()];
 264                  $settings->add(new admin_setting_heading('auth_ldap/role_not_mapped_' . sha1($role['settingname']), '',
 265                      get_string('cannotmaprole', 'auth_ldap', $a)));
 266              } else {
 267                  $settings->add(new admin_setting_configtext('auth_ldap/' . $role['settingname'],
 268                      get_string('auth_ldap_rolecontext', 'auth_ldap', $role),
 269                      get_string('auth_ldap_rolecontext_help', 'auth_ldap', $role), '', PARAM_RAW_TRIMMED));
 270              }
 271          }
 272  
 273          // User Account Sync.
 274          $settings->add(new admin_setting_heading('auth_ldap/syncusers',
 275                  new lang_string('auth_sync_script', 'auth'), ''));
 276  
 277          // Remove external user.
 278          $deleteopt = array();
 279          $deleteopt[AUTH_REMOVEUSER_KEEP] = get_string('auth_remove_keep', 'auth');
 280          $deleteopt[AUTH_REMOVEUSER_SUSPEND] = get_string('auth_remove_suspend', 'auth');
 281          $deleteopt[AUTH_REMOVEUSER_FULLDELETE] = get_string('auth_remove_delete', 'auth');
 282  
 283          $settings->add(new admin_setting_configselect('auth_ldap/removeuser',
 284                  new lang_string('auth_remove_user_key', 'auth'),
 285                  new lang_string('auth_remove_user', 'auth'), AUTH_REMOVEUSER_KEEP, $deleteopt));
 286  
 287          // Sync Suspension.
 288          $settings->add(new admin_setting_configselect('auth_ldap/sync_suspended',
 289                  new lang_string('auth_sync_suspended_key', 'auth'),
 290                  new lang_string('auth_sync_suspended', 'auth'), 0 , $yesno));
 291  
 292          // NTLM SSO Header.
 293          $settings->add(new admin_setting_heading('auth_ldap/ntlm',
 294                  new lang_string('auth_ntlmsso', 'auth_ldap'), ''));
 295  
 296          // Enable NTLM.
 297          $settings->add(new admin_setting_configselect('auth_ldap/ntlmsso_enabled',
 298                  new lang_string('auth_ntlmsso_enabled_key', 'auth_ldap'),
 299                  new lang_string('auth_ntlmsso_enabled', 'auth_ldap'), 0 , $yesno));
 300  
 301          // Subnet.
 302          $settings->add(new admin_setting_configtext('auth_ldap/ntlmsso_subnet',
 303                  get_string('auth_ntlmsso_subnet_key', 'auth_ldap'),
 304                  get_string('auth_ntlmsso_subnet', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
 305  
 306          // NTLM Fast Path.
 307          $fastpathoptions = array();
 308          $fastpathoptions[AUTH_NTLM_FASTPATH_YESFORM] = get_string('auth_ntlmsso_ie_fastpath_yesform', 'auth_ldap');
 309          $fastpathoptions[AUTH_NTLM_FASTPATH_YESATTEMPT] = get_string('auth_ntlmsso_ie_fastpath_yesattempt', 'auth_ldap');
 310          $fastpathoptions[AUTH_NTLM_FASTPATH_ATTEMPT] = get_string('auth_ntlmsso_ie_fastpath_attempt', 'auth_ldap');
 311  
 312          $settings->add(new admin_setting_configselect('auth_ldap/ntlmsso_ie_fastpath',
 313                  new lang_string('auth_ntlmsso_ie_fastpath_key', 'auth_ldap'),
 314                  new lang_string('auth_ntlmsso_ie_fastpath', 'auth_ldap'),
 315                  AUTH_NTLM_FASTPATH_ATTEMPT, $fastpathoptions));
 316  
 317          // Authentication type.
 318          $types = array();
 319          $types['ntlm'] = 'NTLM';
 320          $types['kerberos'] = 'Kerberos';
 321  
 322          $settings->add(new admin_setting_configselect('auth_ldap/ntlmsso_type',
 323                  new lang_string('auth_ntlmsso_type_key', 'auth_ldap'),
 324                  new lang_string('auth_ntlmsso_type', 'auth_ldap'), 'ntlm', $types));
 325  
 326          // Remote Username format.
 327          $settings->add(new auth_ldap_admin_setting_special_ntlm_configtext('auth_ldap/ntlmsso_remoteuserformat',
 328                  get_string('auth_ntlmsso_remoteuserformat_key', 'auth_ldap'),
 329                  get_string('auth_ntlmsso_remoteuserformat', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
 330      }
 331  
 332      // Display locking / mapping of profile fields.
 333      $authplugin = get_auth_plugin('ldap');
 334      $help  = get_string('auth_ldapextrafields', 'auth_ldap');
 335      $help .= get_string('auth_updatelocal_expl', 'auth');
 336      $help .= get_string('auth_fieldlock_expl', 'auth');
 337      $help .= get_string('auth_updateremote_expl', 'auth');
 338      $help .= '<hr />';
 339      $help .= get_string('auth_updateremote_ldap', 'auth');
 340      display_auth_lock_options($settings, $authplugin->authtype, $authplugin->userfields,
 341              $help, true, true, $authplugin->get_custom_user_profile_fields());
 342  }