From 6626b9ab48016f129924d730dafac98a1fc404d8 Mon Sep 17 00:00:00 2001
From: martinlanghoff
Date: Wed, 14 Nov 2007 22:23:45 +0000
Subject: [PATCH] MDL-12178 auth/ldap: "creators" role assignment now also supports contexts

Now the DNs that indicate a course-creator role can also be contexts. This way we support one more widely used practice in the weird and wonderful LDAP world...
---
auth/ldap/auth.php | 14 +++++++++++++-
lang/en_utf8/auth.php | 2 +-
2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php
index b677981714..c6e651cabb 100644
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -1443,8 +1443,11 @@ class auth_plugin_ldap extends auth_plugin_base {
 /**
 * checks if user belong to specific group(s)
+ * or is in a subtree.
 *
- * Returns true if user belongs group in grupdns string.
+ * Returns true if user belongs group in grupdns string OR
+ * if the DN of the user is in a subtree pf the DN provided
+ * as "group"
 *
 * @param mixed $username username
 * @param mixed $groupdns string of group dn separated by ;
@@ -1478,6 +1481,15 @@ class auth_plugin_ldap extends auth_plugin_base {
 if (empty($group)) {
 continue;
 }
+
+ // check cheaply if the user's DN sits in a subtree
+ // of the "group" DN provided. Granted, this isn't
+ // a proper LDAP group, but it's a popular usage.
+ if (strpos(strrev($memberuser), strrev($group))===0) {
+ $result = true;
+ break;
+ }
+
 //echo "Checking group $group for member $username\n";
 $search = ldap_read($ldapconnection, $group, '('.$this->config->memberattribute.'='.$this->filter_addslashes($memberuser).')', array($this->config->memberattribute));
 if (!empty($search) and ldap_count_entries($ldapconnection, $search)) {
diff --git a/lang/en_utf8/auth.php b/lang/en_utf8/auth.php
index 6837ba1e26..04e43a7d56 100644
--- a/lang/en_utf8/auth.php
+++ b/lang/en_utf8/auth.php
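Review bot: The suffix test `if (strpos(strrev($memberuser), strrev($group))===0)` in the second auth.php hunk sets `$result = true` without checking that the match lands on an RDN boundary, so any configured context whose text happens to be a trailing fragment of a user's DN matches (constructed example: a context typed as `c=example,dc=com` matches every user under `dc=example,dc=com`), and a user's own DN listed verbatim as a "group" matches too. Since a true result from this loop appears to be what grants the course-creator role, a false positive here is a privilege grant rather than a cosmetic glitch, so the comparison should require the context either to equal the whole DN or to be immediately preceded by a `,`. The byte-wise, case-sensitive compare is also stricter than LDAP DN matching (attribute types compare case-insensitively, and the server may return `OU=` or different spacing from what the admin typed), which produces silent false negatives before control falls through to the ldap_read() group lookup. `$memberuser` is presumably the user's DN as returned by the directory, but its origin, the enclosing loop and the function itself all begin and end outside the hunk, so that should be confirmed before relying on the rewrite below.
```php
// … unchanged: empty-group guard …
// Subtree match must land on an RDN boundary: the context is either the
// user's whole DN or immediately follows a ',' in it. Attribute types in
// DNs compare case-insensitively, hence strcasecmp. Assumes no escaped
// commas in the configured context; those would need a real DN parser.
$ulen = strlen($memberuser);
$glen = strlen($group);
if ($ulen >= $glen
    and strcasecmp(substr($memberuser, $ulen - $glen), $group) === 0
    and ($ulen === $glen or $memberuser[$ulen - $glen - 1] === ',')) {
    $result = true;
    break;
}
// … unchanged: ldap_read() group lookup …
```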
@@ -159,7 +159,7 @@ $string['auth_ldap_bind_settings'] = 'Bind settings';
 $string['auth_ldap_contexts'] = 'List of contexts where users are located. Separate different contexts with \';\'. For example: \'ou=users,o=org; ou=others,o=org\'';
 $string['auth_ldap_create_context'] = 'If you enable user creation with email confirmation, specify the context where users are created. This context should be different from other users to prevent security issues. You don\'t need to add this context to ldap_context-variable, Moodle will search for users from this context automatically.
Note! You have to modify the method user_create() in file auth/ldap/auth.php to make user creation work';
 $string['auth_ldap_create_error'] = 'Error creating user in LDAP.';
-$string['auth_ldap_creators'] = 'List of groups whose members are allowed to create new courses. Separate multiple groups with \';\'. Usually something like \'cn=teachers,ou=staff,o=myorg\'';
+$string['auth_ldap_creators'] = 'List of groups or contexts whose members are allowed to create new courses. Separate multiple groups with \';\'. Usually something like \'cn=teachers,ou=staff,o=myorg\'';
 $string['auth_ldap_expiration_desc'] = 'Select No to disable expired password checking or LDAP to read passwordexpiration time directly from LDAP';
 $string['auth_ldap_expiration_warning_desc'] = 'Number of days before password expiration warning is issued.';
 $string['auth_ldap_expireattr_desc'] = 'Optional: overrides ldap-attribute that stores password expiration time';
--
2.39.5