From: skodak
Date: Wed, 30 May 2007 08:47:00 +0000 (+0000)
Subject: MDL-9626 Enable user signup with Active Directory (via LDAP); patch by Iñaki Arenaza...
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=81fb221d313af96fbaec4798842631640507faf9;p=moodle.git

MDL-9626 Enable user signup with Active Directory (via LDAP); patch by Iñaki Arenaza - thanks!
---
diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php
index 395cd7e7d2..c91590ad55 100644
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -16,6 +16,14 @@ if (!defined('MOODLE_INTERNAL')) {
     die('Direct access to this script is forbidden.'); /// It must be included from a Moodle page
 }
 
+// See http://support.microsoft.com/kb/305144 to interprete these values.
+if (!defined('AUTH_AD_ACCOUNTDISABLE')) {
+    define('AUTH_AD_ACCOUNTDISABLE', 0x0002);
+}
+if (!defined('AUTH_AD_NORMAL_ACCOUNT')) {
+    define('AUTH_AD_NORMAL_ACCOUNT', 0x0200);
+}
+
 require_once($CFG->libdir.'/authlib.php');
 
 /**
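Review bot: The comment above the new defines does not name the attribute these bits belong to and misspells "interpret"; suggest `// Bit flags of the Active Directory userAccountControl attribute; see http://support.microsoft.com/kb/305144 for the full table.` The values 0x0002 (ACCOUNTDISABLE) and 0x0200 (NORMAL_ACCOUNT) agree with that table, so only the wording needs attention.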
@@ -271,11 +279,46 @@ class auth_plugin_ldap extends auth_plugin_base {
                 $newuser['uniqueId'] = $extusername;
                 $newuser['logindisabled'] = "TRUE";
                 $newuser['userpassword'] = $extpassword;
+                $uadd = $this->ldap_add($ldapconnection, $this->config->user_attribute.'="'.$this->ldap_addslashes($userobject->username).','.$this->config->create_context.'"', $newuser);
+                break;
+            case 'ad':
+                // User account creation is a two step process with AD. First you
+                // create the user object, then you set the password. If you try
+                // to set the password while creating the user, the operation
+                // fails.
+
+                // Passwords in Active Directory must be encoded as Unicode
+                // strings (UCS-2 Little Endian format) and surrounded with
+                // double quotes. See http://support.microsoft.com/?kbid=269190
+                if (!function_exists('mb_convert_encoding')) {
+                    print_error ('auth_ldap_no_mbstring', 'auth');
+                }
+
+                // First create the user account, and mark it as disabled.
+                $newuser['objectClass'] = array('top','person','user','organizationalPerson');
+                $newuser['sAMAccountName'] = $extusername;
+                $newuser['userAccountControl'] = AUTH_AD_NORMAL_ACCOUNT |
+                                                 AUTH_AD_ACCOUNTDISABLE;
+                $userdn = 'cn=' . $this->ldap_addslashes($extusername) .
+                          ',' . $this->config->create_context;
+                if (!ldap_add($ldapconnection, $userdn, $newuser)) {
+                    print_error ('auth_ldap_ad_create_req', 'auth');
+                }
+
+                // Now set the password
+                unset($newuser);
+                $newuser['unicodePwd'] = mb_convert_encoding('"' . $extpassword . '"',
+                                                             "UCS-2LE", "UTF-8");
+                if(!ldap_modify($ldapconnection, $userdn, $newuser)) {
+                    // Something went wrong: delete the user account and error out
+                    ldap_delete ($ldapconnection, $userdn);
+                    print_error ('auth_ldap_ad_create_req', 'auth');
+                }
+                $uadd = true;
                 break;
             default:
                 print_error('auth_ldap_unsupportedusertype','auth','',$this->config->user_type);
         }
-        $uadd = $this->ldap_add($ldapconnection, $this->config->user_attribute.'="'.$this->ldap_addslashes($userobject->username).','.$this->config->create_context.'"', $newuser);
         ldap_close($ldapconnection);
         return $uadd;
 
@@ -843,6 +886,16 @@ class auth_plugin_ldap extends auth_plugin_base {
             case 'edir':
                 $newinfo['loginDisabled']="FALSE";
                 break;
+            case 'ad':
+                // We need to unset the ACCOUNTDISABLE bit in the
+                // userAccountControl attribute ( see
+                // http://support.microsoft.com/kb/305144 )
+                $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
+                                array('userAccountControl'));
+                $info = ldap_get_entries($ldapconnection, $sr);
+                $newinfo['userAccountControl'] = $info[0]['userAccountControl'][0]
+                                                 & (~AUTH_AD_ACCOUNTDISABLE);
+                break;
             default:
                 error ('auth: ldap user_activate() does not support selected usertype:"'.$this->config->user_type.'" (..yet)');
         }
@@ -868,6 +921,16 @@ class auth_plugin_ldap extends auth_plugin_base {
             case 'edir':
                 $newinfo['loginDisabled']="TRUE";
                 break;
+            case 'ad':
+                // We need to set the ACCOUNTDISABLE bit in the
+                // userAccountControl attribute ( see
+                // http://support.microsoft.com/kb/305144 )
+                $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
+                                array('userAccountControl'));
+                $info = auth_ldap_get_entries($ldapconnection, $sr);
+                $newinfo['userAccountControl'] = $info[0]['userAccountControl'][0]
+                                                 | AUTH_AD_ACCOUNTDISABLE;
+                break;
             default:
                 error ('auth: ldap user_disable() does not support selected usertype (..yet)');
         }
diff --git a/lang/en_utf8/auth.php b/lang/en_utf8/auth.php
index a4af4bfaa5..ba77942941 100644
--- a/lang/en_utf8/auth.php
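Review bot: The unicodePwd value is built with `mb_convert_encoding('"' . $extpassword . '"', "UCS-2LE", "UTF-8")`, but `$extpassword` is assigned above this hunk and its `ext` prefix — like `$extusername`, which is written unconverted into `sAMAccountName` — suggests it has already been converted to the configured LDAP encoding; if that is the case the hard-coded "UTF-8" source is wrong for every non-UTF-8 ldapencoding and non-ASCII passwords will be set incorrectly, and the call should read `"UCS-2LE", $this->config->ldapencoding);` — please confirm against the assignment at the top of the method. The failure branch after `ldap_modify` also ignores the result of `ldap_delete`, so a disabled, password-less account can be left in the directory while the user only sees auth_ldap_ad_create_req. Active Directory accepts unicodePwd writes only over a TLS-protected connection, and nothing here verifies that; a comment such as `// AD refuses unicodePwd over plain LDAP: this write needs an LDAPS/TLS-protected connection` above the `ldap_modify` call would make the requirement visible in code rather than only in the error string. The enclosing method starts before this hunk.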
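Review bot: `ldap_get_entries()` returns attribute names lowercased, so `$info[0]['userAccountControl'][0]` is never set in the user_activate() branch and `null & (~AUTH_AD_ACCOUNTDISABLE)` writes userAccountControl = 0, clearing NORMAL_ACCOUNT and every other flag instead of enabling the account. The user_disable() hunk below reads the same attribute through `auth_ldap_get_entries()`; use the same call here, `$info = auth_ldap_get_entries($ldapconnection, $sr);`, assuming that helper preserves attribute case (its definition is not in this diff), or index with `'useraccountcontrol'`. The result of `ldap_read()` and the presence of `$info[0]` are also not checked before the bit operation. user_activate()'s body starts and ends outside the hunk.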
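Review bot: In the user_disable() branch the `|` runs on whatever `$info[0]['userAccountControl'][0]` holds, with no check that `ldap_read()` succeeded or that an entry came back; on a failed read it evaluates `null | AUTH_AD_ACCOUNTDISABLE` and writes userAccountControl = 2, silently stripping NORMAL_ACCOUNT and any other flags rather than reporting the failure. Guard it before building `$newinfo`, e.g. `if (!$sr || !isset($info[0]['userAccountControl'][0])) { error('auth: ldap user_disable() could not read userAccountControl for '.$userdn); }`, which matches the `error()` style of the default branch. How `auth_ldap_get_entries()` behaves when handed a false `$sr` is not visible in this diff. user_disable()'s body starts and ends outside the hunk.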
+++ b/lang/en_utf8/auth.php
@@ -150,6 +150,7 @@ $string['auth_imapport_key'] = 'Port';
 $string['auth_imapchangepasswordurl_key'] = 'Password-change URL';
 
 // LDAP plugin
+$string['auth_ldap_ad_create_req'] = 'Cannot create the new account in Active Directory. Make sure you meet all the requirements for this to work (LDAPS connection, bind user with adequate rights, etc.)';
 $string['auth_ldap_bind_dn'] = 'If you want to use bind-user to search users, specify it here. Something like \'cn=ldapuser,ou=public,o=org\'';
 $string['auth_ldap_bind_pw'] = 'Password for bind-user.';
 $string['auth_ldap_bind_settings'] = 'Bind settings';
@@ -167,6 +168,7 @@ $string['auth_ldap_ldap_encoding'] = 'Specify encoding used by LDAP server. Most
 $string['auth_ldap_login_settings'] = 'Login settings';
 $string['auth_ldap_memberattribute'] = 'Optional: Overrides user member attribute, when users belongs to a group. Usually \'member\'';
 $string['auth_ldap_memberattribute_isdn'] = 'Optional: Overrides handling of member attribute values, either 0 or 1';
+$string['auth_ldap_no_mbstring'] = 'You need the mbstring extension to create users in Active Directory.';
 $string['auth_ldap_objectclass'] = 'Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you dont need to chage this.';
 $string['auth_ldap_opt_deref'] = 'Determines how aliases are handled during search. Select one of the following values: \"No\" (LDAP_DEREF_NEVER) or \"Yes\" (LDAP_DEREF_ALWAYS)';
 $string['auth_ldap_passtype'] = 'Specify the format of new or changed passwords in LDAP server.';