MDL-15799 LDAP - user data mapping doesn't work.
The Right Way(tm) to write a LDAP filter is enclosing it in parentheses (see
RFC 4515/2254).
iarenaza committed Aug 24, 2008
1 parent 105eb2d commit 0d47daf
Showing 1 changed file with 38 additions and 13 deletions.
51 changes: 38 additions & 13 deletions auth/ldap/auth.php
Expand Up @@ -45,11 +45,36 @@ function auth_plugin_ldap() {
$this->config->{$key} = $value[$this->config->user_type];
}
}
//hack prefix to objectclass
if (empty($this->config->objectclass)) { // Can't send empty filter
$this->config->objectclass='objectClass=*';
} else if (stripos($this->config->objectclass, 'objectClass=') !== 0) {
$this->config->objectclass = 'objectClass='.$this->config->objectclass;

// Hack prefix to objectclass
if (empty($this->config->objectclass)) {
// Can't send empty filter
$this->config->objectclass='(objectClass=*)';
} else if (stripos($this->config->objectclass, 'objectClass=') === 0) {
// Value is 'objectClass=some-string-here', so just add ()
// around the value (filter _must_ have them).
$this->config->objectclass = '('.$this->config->objectclass.')';
} else if (stripos($this->config->objectclass, '(') !== 0) {
// Value is 'some-string-not-starting-with-left-parentheses',
// which is assumed to be the objectClass matching value.
// So build a valid filter with it.
$this->config->objectclass = '(objectClass='.$this->config->objectclass.')';
} else {
// There is an additional possible value
// '(some-string-here)', that can be used to specify any
// valid filter string, to select subsets of users based
// on any criteria. For example, we could select the users
// whose objectClass is 'user' and have the
// 'enabledMoodleUser' attribute, with something like:
//
// (&(objectClass=user)(enabledMoodleUser=1))
//
// This is only used in the functions that deal with the
// whole potential set of users (currently sync_users()
// and get_user_list() only).
//
// In this particular case we don't need to do anything,
// so leave $this->config->objectclass as is.
}

}
Expand Down Expand Up @@ -303,7 +328,7 @@ function password_expire($username) {
$ldapconnection = $this->ldap_connect();
$user_dn = $this->ldap_find_userdn($ldapconnection, $extusername);
$search_attribs = array($this->config->expireattr);
$sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs);
$sr = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs);
if ($sr) {
$info = $this->ldap_get_entries($ldapconnection, $sr);
if (!empty ($info) and !empty($info[0][$this->config->expireattr][0])) {
Expand Down Expand Up @@ -400,7 +425,7 @@ function sync_users ($bulk_insert_records = 1000, $do_updates = true) {
//// get user's list from ldap to sql in a scalable fashion
////
// prepare some data we'll need
$filter = "(&(".$this->config->user_attribute."=*)(".$this->config->objectclass."))";
$filter = '(&('.$this->config->user_attribute.'=*)'.$this->config->objectclass.')';

$contexts = explode(";",$this->config->contexts);

Expand Down Expand Up @@ -1042,7 +1067,7 @@ function user_update_password($user, $newpassword) {
}
//Update password expiration time, grace logins count
$search_attribs = array($this->config->expireattr, 'passwordExpirationInterval','loginGraceLimit' );
$sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs);
$sr = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs);
if ($sr) {
$info=$this->ldap_get_entries($ldapconnection, $sr);
$newattrs = array();
Expand Down Expand Up @@ -1480,7 +1505,7 @@ function ldap_get_userlist($filter="*") {
$ldapconnection = $this->ldap_connect();

if ($filter=="*") {
$filter = "(&(".$this->config->user_attribute."=*)(".$this->config->objectclass."))";
$filter = '(&('.$this->config->user_attribute.'=*)'.$this->config->objectclass.')';
}

$contexts = explode(";",$this->config->contexts);
Expand Down Expand Up @@ -1693,7 +1718,7 @@ function process_config($config) {
set_config('bind_dn', $config->bind_dn, 'auth/ldap');
set_config('bind_pw', $config->bind_pw, 'auth/ldap');
set_config('version', $config->version, 'auth/ldap');
set_config('objectclass', $config->objectclass, 'auth/ldap');
set_config('objectclass', trim($config->objectclass), 'auth/ldap');
set_config('memberattribute', $config->memberattribute, 'auth/ldap');
set_config('memberattribute_isdn', $config->memberattribute_isdn, 'auth/ldap');
set_config('creators', $config->creators, 'auth/ldap');
Expand Down Expand Up @@ -1760,7 +1785,7 @@ function ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn){

// If UF_DONT_EXPIRE_PASSWD flag is set in user's
// userAccountControl attribute, the password doesn't expire.
$sr = ldap_read($ldapconn, $user_dn, 'objectclass=*',
$sr = ldap_read($ldapconn, $user_dn, '(objectClass=*)',
array('userAccountControl'));
if (!$sr) {
error_log("ldap: error getting userAccountControl for $user_dn");
Expand Down Expand Up @@ -1806,7 +1831,7 @@ function ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn){
// details below).
// ----------------------------------------------------------------

$sr = ldap_read($ldapconn, ROOTDSE, 'objectclass=*',
$sr = ldap_read($ldapconn, ROOTDSE, '(objectClass=*)',
array('defaultNamingContext'));
if (!$sr) {
error_log("ldap: error querying rootDSE for Active Directory");
Expand All @@ -1816,7 +1841,7 @@ function ldap_get_ad_pwdexpire($pwdlastset, $ldapconn, $user_dn){
$info = $this->ldap_get_entries($ldapconn, $sr);
$domaindn = $info[0]['defaultNamingContext'][0];

$sr = ldap_read ($ldapconn, $domaindn, 'objectclass=*',
$sr = ldap_read ($ldapconn, $domaindn, '(objectClass=*)',
array('maxPwdAge'));
$info = $this->ldap_get_entries($ldapconn, $sr);
$maxpwdage = $info[0]['maxPwdAge'][0];
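Review bot: The classification chain in the first hunk (`@@ -45,11 +45,36 @@`) is sensitive to leading whitespace, yet only process_config() trims the value (the `trim()` added around `$config->objectclass` in the last `set_config` hunk), so a value stored before this commit or written by another path, e.g. ` (objectClass=user)` with a leading space, misses the `'('` branch and is rewrapped by the third branch into `(objectClass= (objectClass=user))`, which is not a valid filter and will make sync_users() and ldap_get_userlist() searches fail. Normalising once at the top of the block, `$this->config->objectclass = trim($this->config->objectclass);` before the `empty()` check, makes the constructor independent of how the value was saved. The final `else` branch also passes any value starting with `(` through unchanged; as the value is admin-supplied that is acceptable, but a short comment such as `// Raw filter is trusted as entered; parentheses are not validated here` would tell the next reader that a malformed filter is only detected when the search runs. The enclosing auth_plugin_ldap() constructor begins before the hunk.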
