/**
* checks if user belong to specific group(s)
+ * or is in a subtree.
*
- * Returns true if user belongs group in grupdns string.
+ * Returns true if user belongs group in grupdns string OR
+ * if the DN of the user is in a subtree pf the DN provided
+ * as "group"
*
* @param mixed $username username
* @param mixed $groupdns string of group dn separated by ;
if (empty($group)) {
continue;
}
+
+ // check cheaply if the user's DN sits in a subtree
+ // of the "group" DN provided. Granted, this isn't
+ // a proper LDAP group, but it's a popular usage.
+ if (strpos(strrev($memberuser), strrev($group))===0) {
+ $result = true;
+ break;
+ }
+
//echo "Checking group $group for member $username\n";
$search = ldap_read($ldapconnection, $group, '('.$this->config->memberattribute.'='.$this->filter_addslashes($memberuser).')', array($this->config->memberattribute));
if (!empty($search) and ldap_count_entries($ldapconnection, $search)) {
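Review bot: The subtree test `strpos(strrev($memberuser), strrev($group))===0` is a raw string-suffix match that is not anchored on an RDN boundary, so a configured value such as `o=org` (constructed example) also matches a DN ending in `,oo=org`, and a match here sets `$result = true`, which the updated `auth_ldap_creators` help text ties to course-creation rights. Require either equality or a preceding comma, e.g. `$suffix = ','.$group;` followed by `if ($memberuser === $group || substr($memberuser, -strlen($suffix)) === $suffix) {`. The comparison is also sensitive to case and whitespace; that only fails closed, but normalising both sides would avoid surprises when the directory returns DNs in a different case or spacing than the configured value, and DNs containing escaped commas deserve a separate look. Whether `$memberuser` always holds a DN cannot be seen from this hunk, since the function starts and ends outside it; if it can hold a plain uid, the check should be skipped in that case.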
$string['auth_ldap_contexts'] = 'List of contexts where users are located. Separate different contexts with \';\'. For example: \'ou=users,o=org; ou=others,o=org\'';
$string['auth_ldap_create_context'] = 'If you enable user creation with email confirmation, specify the context where users are created. This context should be different from other users to prevent security issues. You don\'t need to add this context to ldap_context-variable, Moodle will search for users from this context automatically.<br /><b>Note!</b> You have to modify the method user_create() in file auth/ldap/auth.php to make user creation work';
$string['auth_ldap_create_error'] = 'Error creating user in LDAP.';
-$string['auth_ldap_creators'] = 'List of groups whose members are allowed to create new courses. Separate multiple groups with \';\'. Usually something like \'cn=teachers,ou=staff,o=myorg\'';
+$string['auth_ldap_creators'] = 'List of groups or contexts whose members are allowed to create new courses. Separate multiple groups with \';\'. Usually something like \'cn=teachers,ou=staff,o=myorg\'';
$string['auth_ldap_expiration_desc'] = 'Select No to disable expired password checking or LDAP to read passwordexpiration time directly from LDAP';
$string['auth_ldap_expiration_warning_desc'] = 'Number of days before password expiration warning is issued.';
$string['auth_ldap_expireattr_desc'] = 'Optional: overrides ldap-attribute that stores password expiration time';