die('Direct access to this script is forbidden.'); /// It must be included from a Moodle page
}
+// See http://support.microsoft.com/kb/305144 to interprete these values.
+if (!defined('AUTH_AD_ACCOUNTDISABLE')) {
+ define('AUTH_AD_ACCOUNTDISABLE', 0x0002);
+}
+if (!defined('AUTH_AD_NORMAL_ACCOUNT')) {
+ define('AUTH_AD_NORMAL_ACCOUNT', 0x0200);
+}
+
require_once($CFG->libdir.'/authlib.php');
/**
$newuser['uniqueId'] = $extusername;
$newuser['logindisabled'] = "TRUE";
$newuser['userpassword'] = $extpassword;
+ $uadd = $this->ldap_add($ldapconnection, $this->config->user_attribute.'="'.$this->ldap_addslashes($userobject->username).','.$this->config->create_context.'"', $newuser);
+ break;
+ case 'ad':
+ // User account creation is a two step process with AD. First you
+ // create the user object, then you set the password. If you try
+ // to set the password while creating the user, the operation
+ // fails.
+
+ // Passwords in Active Directory must be encoded as Unicode
+ // strings (UCS-2 Little Endian format) and surrounded with
+ // double quotes. See http://support.microsoft.com/?kbid=269190
+ if (!function_exists('mb_convert_encoding')) {
+ print_error ('auth_ldap_no_mbstring', 'auth');
+ }
+
+ // First create the user account, and mark it as disabled.
+ $newuser['objectClass'] = array('top','person','user','organizationalPerson');
+ $newuser['sAMAccountName'] = $extusername;
+ $newuser['userAccountControl'] = AUTH_AD_NORMAL_ACCOUNT |
+ AUTH_AD_ACCOUNTDISABLE;
+ $userdn = 'cn=' . $this->ldap_addslashes($extusername) .
+ ',' . $this->config->create_context;
+ if (!ldap_add($ldapconnection, $userdn, $newuser)) {
+ print_error ('auth_ldap_ad_create_req', 'auth');
+ }
+
+ // Now set the password
+ unset($newuser);
+ $newuser['unicodePwd'] = mb_convert_encoding('"' . $extpassword . '"',
+ "UCS-2LE", "UTF-8");
+ if(!ldap_modify($ldapconnection, $userdn, $newuser)) {
+ // Something went wrong: delete the user account and error out
+ ldap_delete ($ldapconnection, $userdn);
+ print_error ('auth_ldap_ad_create_req', 'auth');
+ }
+ $uadd = true;
break;
default:
print_error('auth_ldap_unsupportedusertype','auth','',$this->config->user_type);
}
- $uadd = $this->ldap_add($ldapconnection, $this->config->user_attribute.'="'.$this->ldap_addslashes($userobject->username).','.$this->config->create_context.'"', $newuser);
ldap_close($ldapconnection);
return $uadd;
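Review bot: The rollback on L48 ignores the return value of ldap_delete(), so when the unicodePwd modify on L46 fails (AD refuses password writes unless the session is LDAPS, which is why the error string mentions it) and the delete also fails, a disabled account with sAMAccountName = $extusername stays behind, the next create attempt then dies at ldap_add() on L38 with an "already exists" error, and the auth_ldap_ad_create_req message gives the admin no hint. Check the delete so the leftover is at least recorded: `if (!ldap_delete($ldapconnection, $userdn)) {` / `    error_log('auth/ldap: could not remove partially created AD account ' . $userdn);` / `}`. The unset()/auto-vivify pair on L43-L44 would also read more clearly as a fresh `$newuser = array('unicodePwd' => ...);`. The enclosing user_create() starts before this hunk, so the origin of $extusername and $extpassword is not visible here.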
case 'edir':
$newinfo['loginDisabled']="FALSE";
break;
+ case 'ad':
+ // We need to unset the ACCOUNTDISABLE bit in the
+ // userAccountControl attribute ( see
+ // http://support.microsoft.com/kb/305144 )
+ $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
+ array('userAccountControl'));
+ $info = ldap_get_entries($ldapconnection, $sr);
+ $newinfo['userAccountControl'] = $info[0]['userAccountControl'][0]
+ & (~AUTH_AD_ACCOUNTDISABLE);
+ break;
default:
error ('auth: ldap user_activate() does not support selected usertype:"'.$this->config->user_type.'" (..yet)');
}
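Review bot: ldap_read() on L66 can return false (bad DN, insufficient bind rights) and the result goes into ldap_get_entries() unchecked, so on that path `$info[0]['userAccountControl'][0]` is undefined, `null & ~AUTH_AD_ACCOUNTDISABLE` evaluates to 0, and user_activate() would write userAccountControl=0 to the directory instead of failing; guard it with `if ($sr === false || empty($info['count'])) {` / `    error('auth: ldap user_activate() could not read userAccountControl for ' . $userdn);` / `}`. Separately, L68 calls the native ldap_get_entries() while L84 in the next hunk calls auth_ldap_get_entries(); the native function returns attribute names lowercased, so the mixed-case key used on L69 would not match, and the two hunks should use the same helper and key. The same unchecked read appears on L82-L86, where the lookup would presumably also need the null/count check. The enclosing switch and function begin outside this hunk.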
case 'edir':
$newinfo['loginDisabled']="TRUE";
break;
+ case 'ad':
+ // We need to set the ACCOUNTDISABLE bit in the
+ // userAccountControl attribute ( see
+ // http://support.microsoft.com/kb/305144 )
+ $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
+ array('userAccountControl'));
+ $info = auth_ldap_get_entries($ldapconnection, $sr);
+ $newinfo['userAccountControl'] = $info[0]['userAccountControl'][0]
+ | AUTH_AD_ACCOUNTDISABLE;
+ break;
default:
error ('auth: ldap user_disable() does not support selected usertype (..yet)');
}
$string['auth_imapchangepasswordurl_key'] = 'Password-change URL';
// LDAP plugin
+$string['auth_ldap_ad_create_req'] = 'Cannot create the new account in Active Directory. Make sure you meet all the requirements for this to work (LDAPS connection, bind user with adequate rights, etc.)';
$string['auth_ldap_bind_dn'] = 'If you want to use bind-user to search users, specify it here. Something like \'cn=ldapuser,ou=public,o=org\'';
$string['auth_ldap_bind_pw'] = 'Password for bind-user.';
$string['auth_ldap_bind_settings'] = 'Bind settings';
$string['auth_ldap_login_settings'] = 'Login settings';
$string['auth_ldap_memberattribute'] = 'Optional: Overrides user member attribute, when users belongs to a group. Usually \'member\'';
$string['auth_ldap_memberattribute_isdn'] = 'Optional: Overrides handling of member attribute values, either 0 or 1';
+$string['auth_ldap_no_mbstring'] = 'You need the mbstring extension to create users in Active Directory.';
$string['auth_ldap_objectclass'] = 'Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you dont need to chage this.';
$string['auth_ldap_opt_deref'] = 'Determines how aliases are handled during search. Select one of the following values: \"No\" (LDAP_DEREF_NEVER) or \"Yes\" (LDAP_DEREF_ALWAYS)';
$string['auth_ldap_passtype'] = 'Specify the format of new or changed passwords in LDAP server.';