Search moodle.org's
Developer Documentation
Developer Documentation
- Bug fixes for general core bugs in 4.3.x will end 7 October 2024 (12 months).
- Bug fixes for security issues in 4.3.x will end 21 April 2025 (18 months).
- PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.2.x is supported too.
/auth/ldap/ -> auth.php (source)
Differences Between: [Versions 310 and 403] [Versions 311 and 403] [Versions 39 and 403] [Versions 400 and 403] [Versions 401 and 403]
Authentication Plugin: LDAP Authentication Authentication using LDAP (Lightweight Directory Access Protocol).
| Author: | Martin Dougiamas |
| Author: | IƱaki Arenaza |
| License: | http://www.gnu.org/copyleft/gpl.html GNU Public License |
| File Size: | 2250 lines (96 kb) |
| Included or required: | 0 times |
| Referenced: | 4 times |
| Includes or requires: | 0 files |
Defines 2 classes
auth_plugin_ldap:: (3 methods):
init_plugin()
__construct()
auth_plugin_ldap()
name:: (42 methods):
user_login()
get_userinfo()
get_userinfo_asobj()
get_userlist()
user_exists()
user_create()
can_reset_password()
can_be_manually_set()
can_signup()
user_signup()
can_confirm()
user_confirm()
password_expire()
sync_users()
ldap_bulk_insert()
user_activate()
iscreator()
is_role()
user_update()
user_update_password()
ldap_expirationtime2unix()
ldap_unix2expirationtime()
ldap_attributes()
ldap_get_userlist()
prevent_local_passwords()
is_internal()
can_change_password()
change_password_url()
loginpage_hook()
ntlmsso_magic()
ntlmsso_finish()
sync_roles()
ldap_get_ad_pwdexpire()
ldap_connect()
ldap_close()
ldap_find_userdn()
get_ntlm_remote_user()
ldap_ad_pwdexpired_from_diagmsg()
is_user_suspended()
test_dn()
test_settings()
get_profile_keys()
Class: auth_plugin_ldap - X-Ref
LDAP authentication plugin.| init_plugin($authtype) X-Ref |
| Init plugin config from database settings depending on the plugin auth type. |
| __construct() X-Ref |
| Constructor with initialisation. |
| auth_plugin_ldap() X-Ref |
| Old syntax of class constructor. Deprecated in PHP7. |
| user_login($username, $password) X-Ref |
| Returns true if the username and password work and false if they are wrong or don't exist. param: string $username The username (without system magic quotes) param: string $password The password (without system magic quotes) return: bool Authentication success or failure. |
| get_userinfo($username) X-Ref |
| Reads user information from ldap and returns it in array() Function should return all information available. If you are saving this information to moodle user-table you should honor syncronization flags param: string $username username return: mixed array with no magic quotes or false on error |
| get_userinfo_asobj($username) X-Ref |
| Reads user information from ldap and returns it in an object param: string $username username (with system magic quotes) return: mixed object or false on error |
| get_userlist() X-Ref |
| Returns all usernames from LDAP get_userlist returns all usernames from LDAP return: array |
| user_exists($username) X-Ref |
| Checks if user exists on LDAP param: string $username |
| user_create($userobject, $plainpass) X-Ref |
| Creates a new user on LDAP. By using information in userobject Use user_exists to prevent duplicate usernames param: mixed $userobject Moodle userobject param: mixed $plainpass Plaintext password |
| can_reset_password() X-Ref |
| Returns true if plugin allows resetting of password from moodle. return: bool |
| can_be_manually_set() X-Ref |
| Returns true if plugin can be manually set. return: bool |
| can_signup() X-Ref |
| Returns true if plugin allows signup and user creation. return: bool |
| user_signup($user, $notify=true) X-Ref |
| Sign up a new user ready for confirmation. Password is passed in plaintext. param: object $user new user object param: boolean $notify print notice with link and terminate return: boolean success |
| can_confirm() X-Ref |
| Returns true if plugin allows confirming of new users. return: bool |
| user_confirm($username, $confirmsecret) X-Ref |
| Confirm the new user as registered. param: string $username param: string $confirmsecret |
| password_expire($username) X-Ref |
| Return number of days to user password expires If userpassword does not expire it should return 0. If password is already expired it should return negative value. param: mixed $username username return: integer |
| sync_users($do_updates=true) X-Ref |
| Syncronizes user fron external LDAP server to moodle user table Sync is now using username attribute. Syncing users removes or suspends users that dont exists anymore in external LDAP. Creates new users and updates coursecreator status of users. param: bool $do_updates will do pull in data updates from LDAP if relevant |
| ldap_bulk_insert($username) X-Ref |
| Bulk insert in SQL's temp table |
| user_activate($username) X-Ref |
| Activates (enables) user in external LDAP so user can login param: mixed $username return: boolean result |
| iscreator($username) X-Ref |
| Returns true if user should be coursecreator. param: mixed $username username (without system magic quotes) return: mixed result null if course creators is not configured, boolean otherwise. |
| is_role($username, $role) X-Ref |
| Check if user has LDAP group membership. Returns true if user should be assigned role. param: mixed $username username (without system magic quotes). param: array $role Array of role's shortname, localname, and settingname for the config value. return: mixed result null if role/LDAP context is not configured, boolean otherwise. |
| user_update($olduser, $newuser) X-Ref |
| Called when the user record is updated. Modifies user in external LDAP server. It takes olduser (before changes) and newuser (after changes) compares information and saves modified information to external LDAP server. param: mixed $olduser Userobject before modifications (without system magic quotes) param: mixed $newuser Userobject new modified userobject (without system magic quotes) return: boolean result |
| user_update_password($user, $newpassword) X-Ref |
| Changes userpassword in LDAP Called when the user password is updated. It assumes it is called by an admin or that you've otherwise checked the user's credentials param: object $user User table object param: string $newpassword Plaintext password (not crypted/md5'ed) return: boolean result |
| ldap_expirationtime2unix($time, $ldapconnection, $user_dn) X-Ref |
| Take expirationtime and return it as unix timestamp in seconds Takes expiration timestamp as read from LDAP and returns it as unix timestamp in seconds Depends on $this->config->user_type variable param: mixed time Time stamp read from LDAP as it is. param: string $ldapconnection Only needed for Active Directory. param: string $user_dn User distinguished name for the user we are checking password expiration (only needed for Active Directory). return: timestamp |
| ldap_unix2expirationtime($time) X-Ref |
| Takes unix timestamp and returns it formated for storing in LDAP param: integer unix time stamp |
| ldap_attributes() X-Ref |
| Returns user attribute mappings between moodle and LDAP return: array |
| ldap_get_userlist($filter='*') X-Ref |
| Returns all usernames from LDAP param: $filter An LDAP search filter to select desired users return: array of LDAP user names converted to UTF-8 |
| prevent_local_passwords() X-Ref |
| Indicates if password hashes should be stored in local moodle database. return: bool true means flag 'not_cached' stored instead of password hash |
| is_internal() X-Ref |
| Returns true if this authentication plugin is 'internal'. return: bool |
| can_change_password() X-Ref |
| Returns true if this authentication plugin can change the user's password. return: bool |
| change_password_url() X-Ref |
| Returns the URL for changing the user's password, or empty if the default can be used. return: moodle_url |
| loginpage_hook() X-Ref |
| Will get called before the login page is shownr. Ff NTLM SSO is enabled, and the user is in the right network, we'll redirect to the magic NTLM page for SSO... |
| ntlmsso_magic($sesskey) X-Ref |
| To be called from a page running under NTLM's "Integrated Windows Authentication". If successful, it will set a special "cookie" (not an HTTP cookie!) in cache_flags under the $this->pluginconfig/ntlmsess "plugin" and return true. The "cookie" will be picked up by ntlmsso_finish() to complete the process. On failure it will return false for the caller to display an appropriate error message (probably saying that Integrated Windows Auth isn't enabled!) NOTE that this code will execute under the OS user credentials, so we MUST avoid dealing with files -- such as session files. (The caller should define('NO_MOODLE_COOKIES', true) before including config.php) |
| ntlmsso_finish() X-Ref |
| Find the session set by ntlmsso_magic(), validate it and call authenticate_user_login() to authenticate the user through the auth machinery. It is complemented by a similar check in user_login(). If it succeeds, it never returns. |
| sync_roles($user) X-Ref |
| Sync roles for this user. param: object $user The user to sync (without system magic quotes). |
| ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn) X-Ref |
| Get password expiration time for a given user from Active Directory param: string $pwdlastset The time last time we changed the password. param: resource $lcapconn The open LDAP connection. param: string $user_dn The distinguished name of the user we are checking. return: string $unixtime |
| ldap_connect() X-Ref |
| Connect to the LDAP server, using the plugin configured settings. It's actually a wrapper around ldap_connect_moodle() return: resource A valid LDAP connection (or dies if it can't connect) |
| ldap_close($force=false) X-Ref |
| Disconnects from a LDAP server param: force boolean Forces closing the real connection to the LDAP server, ignoring any |
| ldap_find_userdn($ldapconnection, $extusername) X-Ref |
| Search specified contexts for username and return the user dn like: cn=username,ou=suborg,o=org. It's actually a wrapper around ldap_find_userdn(). param: resource $ldapconnection a valid LDAP connection param: string $extusername the username to search (in external LDAP encoding, no db slashes) return: mixed the user dn (external LDAP encoding) or false |
| get_ntlm_remote_user($remoteuser) X-Ref |
| When using NTLM SSO, the format of the remote username we get in $_SERVER['REMOTE_USER'] may vary, depending on where from and how the web server gets the data. So we let the admin configure the format using two place holders (%domain% and %username%). This function tries to extract the username (stripping the domain part and any separators if they are present) from the value present in $_SERVER['REMOTE_USER'], using the configured format. param: string $remoteuser The value from $_SERVER['REMOTE_USER'] (converted to UTF-8) return: string The remote username (without domain part or |
| ldap_ad_pwdexpired_from_diagmsg($diagmsg) X-Ref |
| Check if the diagnostic message for the LDAP login error tells us that the login is denied because the user password has expired or the password needs to be changed on first login (using interactive SMB/Windows logins, not LDAP logins). param: string the diagnostic message for the LDAP login error return: bool true if the password has expired or the password must be changed on first login |
| is_user_suspended($user) X-Ref |
| Check if a user is suspended. This function is intended to be used after calling get_userinfo_asobj. This is needed because LDAP doesn't have a notion of disabled users, however things like MS Active Directory support it and expose information through a field. param: object $user the user object returned by get_userinfo_asobj return: boolean |
| test_dn($ldapconn, $dn, $message, $a = null) X-Ref |
| Test a DN param: resource $ldapconn param: string $dn The DN to check for existence param: string $message The identifier of a string as in get_string() param: string|object|array $a An object, string or number that can be used return: true or a message in case of error |
| test_settings() X-Ref |
| Test if settings are correct, print info to output. |
| get_profile_keys($fetchall = false) X-Ref |
| Get the list of profile fields. param: bool $fetchall Fetch all, not just those for update. return: array |
