MDL-15799 LDAP - user data mapping doesn't work.

The Right Way(tm) to write an LDAP filter is to enclose it in parentheses (see
RFC 4515/2254).
commit 0d47dafb08daee415e9d1605695eb613c2905654 1 parent 105eb2d
iarenaza authored
Showing with 38 additions and 13 deletions.
  1. +38 −13 auth/ldap/auth.php
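--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -45,11 +45,36 @@ function auth_plugin_ldap() {
 $this->config->{$key} = $value[$this->config->user_type];
 }
 }
-//hack prefix to objectclass
-if (empty($this->config->objectclass)) { // Can't send empty filter
-$this->config->objectclass='objectClass=*';
-} else if (stripos($this->config->objectclass, 'objectClass=') !== 0) {
-$this->config->objectclass = 'objectClass='.$this->config->objectclass;
+
+// Hack prefix to objectclass
+if (empty($this->config->objectclass)) {
+// Can't send empty filter
+$this->config->objectclass='(objectClass=*)';
+} else if (stripos($this->config->objectclass, 'objectClass=') === 0) {
+// Value is 'objectClass=some-string-here', so just add ()
+// around the value (filter _must_ have them).
+$this->config->objectclass = '('.$this->config->objectclass.')';
+} else if (stripos($this->config->objectclass, '(') !== 0) {
+// Value is 'some-string-not-starting-with-left-parentheses',
+// which is assumed to be the objectClass matching value.
+// So build a valid filter with it.
+$this->config->objectclass = '(objectClass='.$this->config->objectclass.')';
+} else {
+// There is an additional possible value
+// '(some-string-here)', that can be used to specify any
+// valid filter string, to select subsets of users based
+// on any criteria. For example, we could select the users
+// whose objectClass is 'user' and have the
+// 'enabledMoodleUser' attribute, with something like:
+//
+// (&(objectClass=user)(enabledMoodleUser=1))
+//
+// This is only used in the functions that deal with the
+// whole potential set of users (currently sync_users()
+// and get_user_list() only).
+//
+// In this particular case we don't need to do anything,
+// so leave $this->config->objectclass as is.
 }
 }
@@ -303,7 +328,7 @@ function password_expire($username) {
 $ldapconnection = $this->ldap_connect();
 $user_dn = $this->ldap_find_userdn($ldapconnection, $extusername);
 $search_attribs = array($this->config->expireattr);
-$sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs);
+$sr = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs);
 if ($sr) {
 $info = $this->ldap_get_entries($ldapconnection, $sr);
 if (!empty ($info) and !empty($info[0][$this->config->expireattr][0])) {
@@ -400,7 +425,7 @@ function sync_users ($bulk_insert_records = 1000, $do_updates = true) {
 //// get user's list from ldap to sql in a scalable fashion
 ////
 // prepare some data we'll need
-$filter = "(&(".$this->config->user_attribute."=*)(".$this->config->objectclass."))";
+$filter = '(&('.$this->config->user_attribute.'=*)'.$this->config->objectclass.')';
 $contexts = explode(";",$this->config->contexts);
@@ -1042,7 +1067,7 @@ function user_update_password($user, $newpassword) {
 }
 //Update password expiration time, grace logins count
 $search_attribs = array($this->config->expireattr, 'passwordExpirationInterval','loginGraceLimit' );
-$sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs);
+$sr = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs);
 if ($sr) {
 $info=$this->ldap_get_entries($ldapconnection, $sr);
 $newattrs = array();
@@ -1480,7 +1505,7 @@ function ldap_get_userlist($filter="*") {
 $ldapconnection = $this->ldap_connect();
 if ($filter=="*") {
-$filter = "(&(".$this->config->user_attribute."=*)(".$this->config->objectclass."))";
+$filter = '(&('.$this->config->user_attribute.'=*)'.$this->config->objectclass.')';
 }
 $contexts = explode(";",$this->config->contexts);
@@ -1693,7 +1718,7 @@ function process_config($config) {
 set_config('bind_dn', $config->bind_dn, 'auth/ldap');
 set_config('bind_pw', $config->bind_pw, 'auth/ldap');
 set_config('version', $config->version, 'auth/ldap');
-set_config('objectclass', $config->objectclass, 'auth/ldap');
+set_config('objectclass', trim($config->objectclass), 'auth/ldap');
 set_config('memberattribute', $config->memberattribute, 'auth/ldap');
 set_config('memberattribute_isdn', $config->memberattribute_isdn, 'auth/ldap');
 set_config('creators', $config->creators, 'auth/ldap');
@@ -1760,7 +1785,7 @@ function ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn){
 // If UF_DONT_EXPIRE_PASSWD flag is set in user's
 // userAccountControl attribute, the password doesn't expire.
-$sr = ldap_read($ldapconn, $user_dn, 'objectclass=*',
+$sr = ldap_read($ldapconn, $user_dn, '(objectClass=*)',
 array('userAccountControl'));
 if (!$sr) {
 error_log("ldap: error getting userAccountControl for $user_dn");
@@ -1806,7 +1831,7 @@ function ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn){
 // details below).
 // ----------------------------------------------------------------
-$sr = ldap_read($ldapconn, ROOTDSE, 'objectclass=*',
+$sr = ldap_read($ldapconn, ROOTDSE, '(objectClass=*)',
 array('defaultNamingContext'));
 if (!$sr) {
 error_log("ldap: error querying rootDSE for Active Directory");
@@ -1816,7 +1841,7 @@ function ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn){
 $info = $this->ldap_get_entries($ldapconn, $sr);
 $domaindn = $info[0]['defaultNamingContext'][0];
-$sr = ldap_read ($ldapconn, $domaindn, 'objectclass=*',
+$sr = ldap_read ($ldapconn, $domaindn, '(objectClass=*)',
 array('maxPwdAge'));
 $info = $this->ldap_get_entries($ldapconn, $sr);
 $maxpwdage = $info[0]['maxPwdAge'][0];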
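Review bot: The final `else` branch of the objectclass normalisation in the first hunk (constructor `auth_plugin_ldap()`, whose body starts before the hunk) accepts any value beginning with `(` as a complete filter without checking that it is terminated or balanced, so an admin typo such as `(objectClass=user` survives into the concatenations in sync_users() and ldap_get_userlist() and yields an unbalanced filter the server will reject. Because the value is admin-supplied through process_config() — which now only trim()s it — rather than end-user input, this is a robustness rather than an injection concern, but the failure surfaces far from the setting that caused it. A cheap guard placed before the raw-filter branch, in the error_log() style this file already uses, would be `} else if (substr($this->config->objectclass, -1) !== ')') { error_log('ldap: objectclass is not a parenthesised LDAP filter: '.$this->config->objectclass); }`, which leaves valid filters untouched and merely logs the malformed one. The third branch likewise assumes the bare objectClass value contains no filter metacharacters (`(`, `)`, `*`, `\`); that is acceptable for an admin setting but should be stated, e.g. `// Admin-supplied via process_config(), so no RFC 4515 escaping is applied here.`. The new comment also says the raw filter is used by "get_user_list()", whereas the caller visible in these hunks is ldap_get_userlist(), so the comment should name the actual function.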