From 81fb221d313af96fbaec4798842631640507faf9 Mon Sep 17 00:00:00 2001
From: skodak
Date: Wed, 30 May 2007 08:47:00 +0000
Subject: [PATCH] =?utf8?q?MDL-9626=20Enable=20user=20signup=20with=20Activ?=
 =?utf8?q?e=20Directory=20(via=20LDAP);=20patch=20by=20I=C3=B1aki=20Arenaz?=
 =?utf8?q?a=20-=20thanks!?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 auth/ldap/auth.php | 65 ++++++++++++++++++++++++++++++++++++++++++-
 lang/en_utf8/auth.php | 2 ++
 2 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php
index 395cd7e7d2..c91590ad55 100644
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -16,6 +16,14 @@ if (!defined('MOODLE_INTERNAL')) {
 die('Direct access to this script is forbidden.'); /// It must be included from a Moodle page
 }
 
+// See http://support.microsoft.com/kb/305144 to interprete these values.
+if (!defined('AUTH_AD_ACCOUNTDISABLE')) {
+ define('AUTH_AD_ACCOUNTDISABLE', 0x0002);
+}
+if (!defined('AUTH_AD_NORMAL_ACCOUNT')) {
+ define('AUTH_AD_NORMAL_ACCOUNT', 0x0200);
+}
+
 require_once($CFG->libdir.'/authlib.php');
 /**
@@ -271,11 +279,46 @@ class auth_plugin_ldap extends auth_plugin_base {
 $newuser['uniqueId'] = $extusername;
 $newuser['logindisabled'] = "TRUE";
 $newuser['userpassword'] = $extpassword;
+ $uadd = $this->ldap_add($ldapconnection, $this->config->user_attribute.'="'.$this->ldap_addslashes($userobject->username).','.$this->config->create_context.'"', $newuser);
+ break;
+ case 'ad':
+ // User account creation is a two step process with AD. First you
+ // create the user object, then you set the password. If you try
+ // to set the password while creating the user, the operation
+ // fails.
+
+ // Passwords in Active Directory must be encoded as Unicode
+ // strings (UCS-2 Little Endian format) and surrounded with
+ // double quotes. See http://support.microsoft.com/?kbid=269190
+ if (!function_exists('mb_convert_encoding')) {
+ print_error ('auth_ldap_no_mbstring', 'auth');
+ }
+
+ // First create the user account, and mark it as disabled.
+ $newuser['objectClass'] = array('top','person','user','organizationalPerson');
+ $newuser['sAMAccountName'] = $extusername;
+ $newuser['userAccountControl'] = AUTH_AD_NORMAL_ACCOUNT |
+ AUTH_AD_ACCOUNTDISABLE;
+ $userdn = 'cn=' . $this->ldap_addslashes($extusername) .
+ ',' . $this->config->create_context;
+ if (!ldap_add($ldapconnection, $userdn, $newuser)) {
+ print_error ('auth_ldap_ad_create_req', 'auth');
+ }
+
+ // Now set the password
+ unset($newuser);
+ $newuser['unicodePwd'] = mb_convert_encoding('"' . $extpassword . '"',
+ "UCS-2LE", "UTF-8");
+ if(!ldap_modify($ldapconnection, $userdn, $newuser)) {
+ // Something went wrong: delete the user account and error out
+ ldap_delete ($ldapconnection, $userdn);
+ print_error ('auth_ldap_ad_create_req', 'auth');
+ }
+ $uadd = true;
 break;
 default:
 print_error('auth_ldap_unsupportedusertype','auth','',$this->config->user_type);
 }
- $uadd = $this->ldap_add($ldapconnection, $this->config->user_attribute.'="'.$this->ldap_addslashes($userobject->username).','.$this->config->create_context.'"', $newuser);
 ldap_close($ldapconnection);
 return $uadd;
@@ -843,6 +886,16 @@ class auth_plugin_ldap extends auth_plugin_base {
 case 'edir':
 $newinfo['loginDisabled']="FALSE";
 break;
+ case 'ad':
+ // We need to unset the ACCOUNTDISABLE bit in the
+ // userAccountControl attribute ( see
+ // http://support.microsoft.com/kb/305144 )
+ $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
+ array('userAccountControl'));
+ $info = ldap_get_entries($ldapconnection, $sr);
+ $newinfo['userAccountControl'] = $info[0]['userAccountControl'][0]
+ & (~AUTH_AD_ACCOUNTDISABLE);
+ break;
 default:
 error ('auth: ldap user_activate() does not support selected usertype:"'.$this->config->user_type.'" (..yet)');
 }
@@ -868,6 +921,16 @@ class auth_plugin_ldap extends auth_plugin_base {
 case 'edir':
 $newinfo['loginDisabled']="TRUE";
 break;
+ case 'ad':
+ // We need to set the ACCOUNTDISABLE bit in the
+ // userAccountControl attribute ( see
+ // http://support.microsoft.com/kb/305144 )
+ $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
+ array('userAccountControl'));
+ $info = auth_ldap_get_entries($ldapconnection, $sr);
+ $newinfo['userAccountControl'] = $info[0]['userAccountControl'][0]
+ | AUTH_AD_ACCOUNTDISABLE;
+ break;
 default:
 error ('auth: ldap user_disable() does not support selected usertype (..yet)');
 }
diff --git a/lang/en_utf8/auth.php b/lang/en_utf8/auth.php
index a4af4bfaa5..ba77942941 100644
--- a/lang/en_utf8/auth.php
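Review bot: The cleanup on the failed password set, `ldap_delete ($ldapconnection, $userdn);`, ignores its return value, so when the bind user can add but not delete, a disabled AD account with no password is left behind while the user sees the same generic `auth_ldap_ad_create_req` error as for the create failure. Check it and surface the LDAP diagnostics before aborting, e.g. `if (!ldap_delete($ldapconnection, $userdn)) { error_log('auth/ldap: orphaned '.$userdn.': '.ldap_error($ldapconnection)); }`, and log `ldap_error($ldapconnection)` after the failed `ldap_add` and `ldap_modify` as well, since the language string only guesses at the causes. Note also that `$extpassword` is placed in the `ldap_modify` request in clear, so it leaves the host before AD can refuse an unencrypted session; if the plugin's connection settings expose whether LDAPS/TLS is in use, verify that before this branch runs instead of relying on the server rejecting the write. The enclosing method starts before this hunk.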
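Review bot: `$info[0]['userAccountControl'][0]` will not be found because PHP's native `ldap_get_entries()` returns attribute names lower-cased (`useraccountcontrol`), so the expression reduces to `null & (~AUTH_AD_ACCOUNTDISABLE)`, i.e. 0, and `$newinfo['userAccountControl']` is set to 0 rather than to the existing flags minus the disable bit — presumably that value is then written by the modify that follows outside the hunk, which would strip NORMAL_ACCOUNT too. Use the lower-cased key (or the `auth_ldap_get_entries()` helper the `user_disable()` hunk below uses, if it preserves case; its body is not visible here) and fail closed when the read yields nothing, replacing the `$info = ...` line with `if ($sr === false || !($info = ldap_get_entries($ldapconnection, $sr)) || empty($info[0]['useraccountcontrol'][0])) { error('auth: ldap user_activate() could not read userAccountControl for '.$userdn); }`. `ldap_read()` returning false on a bad DN or missing read rights is likewise unchecked today and produces the same 0. `user_activate()` starts before and ends after this hunk.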
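Review bot: `$sr = ldap_read(...)` is not checked for failure, and if the read fails or returns no `userAccountControl` value the expression becomes `null | AUTH_AD_ACCOUNTDISABLE`, so `$newinfo['userAccountControl']` is set to 2 — the disable bit alone, with NORMAL_ACCOUNT and every other flag dropped — presumably written by the modify that follows outside this hunk. This hunk also reads entries via `auth_ldap_get_entries()` while the `user_activate()` hunk above uses PHP's `ldap_get_entries()`; both paths should use the same helper, and the array key must match its case handling (the native function lower-cases attribute names, so `userAccountControl` only works if the helper preserves case, which I cannot verify from here). Fail closed before computing the new value: `if ($sr === false || empty($info[0]['userAccountControl'][0])) { error('auth: ldap user_disable() could not read userAccountControl for '.$userdn); }`. `user_disable()` starts before and ends after this hunk.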
+++ b/lang/en_utf8/auth.php
@@ -150,6 +150,7 @@ $string['auth_imapport_key'] = 'Port';
 $string['auth_imapchangepasswordurl_key'] = 'Password-change URL';
 // LDAP plugin
+$string['auth_ldap_ad_create_req'] = 'Cannot create the new account in Active Directory. Make sure you meet all the requirements for this to work (LDAPS connection, bind user with adequate rights, etc.)';
 $string['auth_ldap_bind_dn'] = 'If you want to use bind-user to search users, specify it here. Something like \'cn=ldapuser,ou=public,o=org\'';
 $string['auth_ldap_bind_pw'] = 'Password for bind-user.';
 $string['auth_ldap_bind_settings'] = 'Bind settings';
@@ -167,6 +168,7 @@ $string['auth_ldap_ldap_encoding'] = 'Specify encoding used by LDAP server. Most
 $string['auth_ldap_login_settings'] = 'Login settings';
 $string['auth_ldap_memberattribute'] = 'Optional: Overrides user member attribute, when users belongs to a group. Usually \'member\'';
 $string['auth_ldap_memberattribute_isdn'] = 'Optional: Overrides handling of member attribute values, either 0 or 1';
+$string['auth_ldap_no_mbstring'] = 'You need the mbstring extension to create users in Active Directory.';
 $string['auth_ldap_objectclass'] = 'Optional: Overrides objectClass used to name/search users on ldap_user_type. Usually you dont need to chage this.';
 $string['auth_ldap_opt_deref'] = 'Determines how aliases are handled during search. Select one of the following values: \"No\" (LDAP_DEREF_NEVER) or \"Yes\" (LDAP_DEREF_ALWAYS)';
 $string['auth_ldap_passtype'] = 'Specify the format of new or changed passwords in LDAP server.';
-- 
2.39.5