PageRenderTime 28ms CodeModel.GetById 24ms RepoModel.GetById 0ms app.codeStats 1ms

/auth/ldap/auth.php

http://github.com/moodle/moodle
PHP | 2282 lines | 1372 code | 257 blank | 653 comment | 307 complexity | 3a42e7be2a7e0b55cf1d4f5293cb9f3c MD5 | raw file
Possible License(s): MIT, AGPL-3.0, MPL-2.0-no-copyleft-exception, LGPL-3.0, GPL-3.0, Apache-2.0, LGPL-2.1, BSD-3-Clause

Large files files are truncated, but you can click here to view the full file

    

  1. <?php
    2. 

  2. // This file is part of Moodle - http://moodle.org/
    3. 

  3. //
    4. 

  4. // Moodle is free software: you can redistribute it and/or modify
    5. 

  5. // it under the terms of the GNU General Public License as published by
    6. 

  6. // the Free Software Foundation, either version 3 of the License, or
    7. 

  7. // (at your option) any later version.
    8. 

  8. //
    9. 

  9. // Moodle is distributed in the hope that it will be useful,
    10. 

  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11. 

  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12. 

  12. // GNU General Public License for more details.
    13. 

  13. //
    14. 

  14. // You should have received a copy of the GNU General Public License
    15. 

  15. // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
    16. 

  16. 

  17. /**
    18. 

  18.  * Authentication Plugin: LDAP Authentication
    19. 

  19.  * Authentication using LDAP (Lightweight Directory Access Protocol).
    20. 

  20.  *
    21. 

  21.  * @package auth_ldap
    22. 

  22.  * @author Martin Dougiamas
    23. 

  23.  * @author Iñaki Arenaza
    24. 

  24.  * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
    25. 

  25.  */
    26. 

  26. 

  27. defined('MOODLE_INTERNAL') || die();
    28. 

  28. 

  29. // See http://support.microsoft.com/kb/305144 to interprete these values.
    30. 

  30. if (!defined('AUTH_AD_ACCOUNTDISABLE')) {
    31. 

  31.     define('AUTH_AD_ACCOUNTDISABLE', 0x0002);
    32. 

  32. }
    33. 

  33. if (!defined('AUTH_AD_NORMAL_ACCOUNT')) {
    34. 

  34.     define('AUTH_AD_NORMAL_ACCOUNT', 0x0200);
    35. 

  35. }
    36. 

  36. if (!defined('AUTH_NTLMTIMEOUT')) {  // timewindow for the NTLM SSO process, in secs...
    37. 

  37.     define('AUTH_NTLMTIMEOUT', 10);
    38. 

  38. }
    39. 

  39. 

  40. // UF_DONT_EXPIRE_PASSWD value taken from MSDN directly
    41. 

  41. if (!defined('UF_DONT_EXPIRE_PASSWD')) {
    42. 

  42.     define ('UF_DONT_EXPIRE_PASSWD', 0x00010000);
    43. 

  43. }
    44. 

  44. 

  45. // The Posix uid and gid of the 'nobody' account and 'nogroup' group.
    46. 

  46. if (!defined('AUTH_UID_NOBODY')) {
    47. 

  47.     define('AUTH_UID_NOBODY', -2);
    48. 

  48. }
    49. 

  49. if (!defined('AUTH_GID_NOGROUP')) {
    50. 

  50.     define('AUTH_GID_NOGROUP', -2);
    51. 

  51. }
    52. 

  52. 

  53. // Regular expressions for a valid NTLM username and domain name.
    54. 

  54. if (!defined('AUTH_NTLM_VALID_USERNAME')) {
    55. 

  55.     define('AUTH_NTLM_VALID_USERNAME', '[^/\\\\\\\\\[\]:;|=,+*?<>@"]+');
    56. 

  56. }
    57. 

  57. if (!defined('AUTH_NTLM_VALID_DOMAINNAME')) {
    58. 

  58.     define('AUTH_NTLM_VALID_DOMAINNAME', '[^\\\\\\\\\/:*?"<>|]+');
    59. 

  59. }
    60. 

  60. // Default format for remote users if using NTLM SSO
    61. 

  61. if (!defined('AUTH_NTLM_DEFAULT_FORMAT')) {
    62. 

  62.     define('AUTH_NTLM_DEFAULT_FORMAT', '%domain%\\%username%');
    63. 

  63. }
    64. 

  64. if (!defined('AUTH_NTLM_FASTPATH_ATTEMPT')) {
    65. 

  65.     define('AUTH_NTLM_FASTPATH_ATTEMPT', 0);
    66. 

  66. }
    67. 

  67. if (!defined('AUTH_NTLM_FASTPATH_YESFORM')) {
    68. 

  68.     define('AUTH_NTLM_FASTPATH_YESFORM', 1);
    69. 

  69. }
    70. 

  70. if (!defined('AUTH_NTLM_FASTPATH_YESATTEMPT')) {
    71. 

  71.     define('AUTH_NTLM_FASTPATH_YESATTEMPT', 2);
    72. 

  72. }
    73. 

  73. 

  74. // Allows us to retrieve a diagnostic message in case of LDAP operation error
    75. 

  75. if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    76. 

  76.     define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
    77. 

  77. }
    78. 

  78. 

  79. require_once($CFG->libdir.'/authlib.php');
    80. 

  80. require_once($CFG->libdir.'/ldaplib.php');
    81. 

  81. require_once($CFG->dirroot.'/user/lib.php');
    82. 

  82. require_once($CFG->dirroot.'/auth/ldap/locallib.php');
    83. 

  83. 

  84. /**
    85. 

  85.  * LDAP authentication plugin.
    86. 

  86.  */
    87. 

  87. class auth_plugin_ldap extends auth_plugin_base {
    88. 

  88. 

  89.     /**
    90. 

  90.      * Init plugin config from database settings depending on the plugin auth type.
    91. 

  91.      */
    92. 

  92.     function init_plugin($authtype) {
    93. 

  93.         $this->pluginconfig = 'auth_'.$authtype;
    94. 

  94.         $this->config = get_config($this->pluginconfig);
    95. 

  95.         if (empty($this->config->ldapencoding)) {
    96. 

  96.             $this->config->ldapencoding = 'utf-8';
    97. 

  97.         }
    98. 

  98.         if (empty($this->config->user_type)) {
    99. 

  99.             $this->config->user_type = 'default';
    100. 

  100.         }
    101. 

  101. 

  102.         $ldap_usertypes = ldap_supported_usertypes();
    103. 

  103.         $this->config->user_type_name = $ldap_usertypes[$this->config->user_type];
    104. 

  104.         unset($ldap_usertypes);
    105. 

  105. 

  106.         $default = ldap_getdefaults();
    107. 

  107. 

  108.         // Use defaults if values not given
    109. 

  109.         foreach ($default as $key => $value) {
    110. 

  110.             // watch out - 0, false are correct values too
    111. 

  111.             if (!isset($this->config->{$key}) or $this->config->{$key} == '') {
    112. 

  112.                 $this->config->{$key} = $value[$this->config->user_type];
    113. 

  113.             }
    114. 

  114.         }
    115. 

  115. 

  116.         // Hack prefix to objectclass
    117. 

  117.         $this->config->objectclass = ldap_normalise_objectclass($this->config->objectclass);
    118. 

  118.     }
    119. 

  119. 

  120.     /**
    121. 

  121.      * Constructor with initialisation.
    122. 

  122.      */
    123. 

  123.     public function __construct() {
    124. 

  124.         $this->authtype = 'ldap';
    125. 

  125.         $this->roleauth = 'auth_ldap';
    126. 

  126.         $this->errorlogtag = '[AUTH LDAP] ';
    127. 

  127.         $this->init_plugin($this->authtype);
    128. 

  128.     }
    129. 

  129. 

  130.     /**
    131. 

  131.      * Old syntax of class constructor. Deprecated in PHP7.
    132. 

  132.      *
    133. 

  133.      * @deprecated since Moodle 3.1
    134. 

  134.      */
    135. 

  135.     public function auth_plugin_ldap() {
    136. 

  136.         debugging('Use of class name as constructor is deprecated', DEBUG_DEVELOPER);
    137. 

  137.         self::__construct();
    138. 

  138.     }
    139. 

  139. 

  140.     /**
    141. 

  141.      * Returns true if the username and password work and false if they are
    142. 

  142.      * wrong or don't exist.
    143. 

  143.      *
    144. 

  144.      * @param string $username The username (without system magic quotes)
    145. 

  145.      * @param string $password The password (without system magic quotes)
    146. 

  146.      *
    147. 

  147.      * @return bool Authentication success or failure.
    148. 

  148.      */
    149. 

  149.     function user_login($username, $password) {
    150. 

  150.         if (! function_exists('ldap_bind')) {
    151. 

  151.             print_error('auth_ldapnotinstalled', 'auth_ldap');
    152. 

  152.             return false;
    153. 

  153.         }
    154. 

  154. 

  155.         if (!$username or !$password) {    // Don't allow blank usernames or passwords
    156. 

  156.             return false;
    157. 

  157.         }
    158. 

  158. 

  159.         $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding);
    160. 

  160.         $extpassword = core_text::convert($password, 'utf-8', $this->config->ldapencoding);
    161. 

  161. 

  162.         // Before we connect to LDAP, check if this is an AD SSO login
    163. 

  163.         // if we succeed in this block, we'll return success early.
    164. 

  164.         //
    165. 

  165.         $key = sesskey();
    166. 

  166.         if (!empty($this->config->ntlmsso_enabled) && $key === $password) {
    167. 

  167.             $sessusername = get_cache_flag($this->pluginconfig.'/ntlmsess', $key);
    168. 

  168.             // We only get the cache flag if we retrieve it before
    169. 

  169.             // it expires (AUTH_NTLMTIMEOUT seconds).
    170. 

  170.             if (empty($sessusername)) {
    171. 

  171.                 return false;
    172. 

  172.             }
    173. 

  173. 

  174.             if ($username === $sessusername) {
    175. 

  175.                 unset($sessusername);
    176. 

  176. 

  177.                 // Check that the user is inside one of the configured LDAP contexts
    178. 

  178.                 $validuser = false;
    179. 

  179.                 $ldapconnection = $this->ldap_connect();
    180. 

  180.                 // if the user is not inside the configured contexts,
    181. 

  181.                 // ldap_find_userdn returns false.
    182. 

  182.                 if ($this->ldap_find_userdn($ldapconnection, $extusername)) {
    183. 

  183.                     $validuser = true;
    184. 

  184.                 }
    185. 

  185.                 $this->ldap_close();
    186. 

  186. 

  187.                 // Shortcut here - SSO confirmed
    188. 

  188.                 return $validuser;
    189. 

  189.             }
    190. 

  190.         } // End SSO processing
    191. 

  191.         unset($key);
    192. 

  192. 

  193.         $ldapconnection = $this->ldap_connect();
    194. 

  194.         $ldap_user_dn = $this->ldap_find_userdn($ldapconnection, $extusername);
    195. 

  195. 

  196.         // If ldap_user_dn is empty, user does not exist
    197. 

  197.         if (!$ldap_user_dn) {
    198. 

  198.             $this->ldap_close();
    199. 

  199.             return false;
    200. 

  200.         }
    201. 

  201. 

  202.         // Try to bind with current username and password
    203. 

  203.         $ldap_login = @ldap_bind($ldapconnection, $ldap_user_dn, $extpassword);
    204. 

  204. 

  205.         // If login fails and we are using MS Active Directory, retrieve the diagnostic
    206. 

  206.         // message to see if this is due to an expired password, or that the user is forced to
    207. 

  207.         // change the password on first login. If it is, only proceed if we can change
    208. 

  208.         // password from Moodle (otherwise we'll get stuck later in the login process).
    209. 

  209.         if (!$ldap_login && ($this->config->user_type == 'ad')
    210. 

  210.             && $this->can_change_password()
    211. 

  211.             && (!empty($this->config->expiration) and ($this->config->expiration == 1))) {
    212. 

  212. 

  213.             // We need to get the diagnostic message right after the call to ldap_bind(),
    214. 

  214.             // before any other LDAP operation.
    215. 

  215.             ldap_get_option($ldapconnection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagmsg);
    216. 

  216. 

  217.             if ($this->ldap_ad_pwdexpired_from_diagmsg($diagmsg)) {
    218. 

  218.                 // If login failed because user must change the password now or the
    219. 

  219.                 // password has expired, let the user in. We'll catch this later in the
    220. 

  220.                 // login process when we explicitly check for expired passwords.
    221. 

  221.                 $ldap_login = true;
    222. 

  222.             }
    223. 

  223.         }
    224. 

  224.         $this->ldap_close();
    225. 

  225.         return $ldap_login;
    226. 

  226.     }
    227. 

  227. 

  228.     /**
    229. 

  229.      * Reads user information from ldap and returns it in array()
    230. 

  230.      *
    231. 

  231.      * Function should return all information available. If you are saving
    232. 

  232.      * this information to moodle user-table you should honor syncronization flags
    233. 

  233.      *
    234. 

  234.      * @param string $username username
    235. 

  235.      *
    236. 

  236.      * @return mixed array with no magic quotes or false on error
    237. 

  237.      */
    238. 

  238.     function get_userinfo($username) {
    239. 

  239.         $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding);
    240. 

  240. 

  241.         $ldapconnection = $this->ldap_connect();
    242. 

  242.         if(!($user_dn = $this->ldap_find_userdn($ldapconnection, $extusername))) {
    243. 

  243.             $this->ldap_close();
    244. 

  244.             return false;
    245. 

  245.         }
    246. 

  246. 

  247.         $search_attribs = array();
    248. 

  248.         $attrmap = $this->ldap_attributes();
    249. 

  249.         foreach ($attrmap as $key => $values) {
    250. 

  250.             if (!is_array($values)) {
    251. 

  251.                 $values = array($values);
    252. 

  252.             }
    253. 

  253.             foreach ($values as $value) {
    254. 

  254.                 if (!in_array($value, $search_attribs)) {
    255. 

  255.                     array_push($search_attribs, $value);
    256. 

  256.                 }
    257. 

  257.             }
    258. 

  258.         }
    259. 

  259. 

  260.         if (!$user_info_result = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs)) {
    261. 

  261.             $this->ldap_close();
    262. 

  262.             return false; // error!
    263. 

  263.         }
    264. 

  264. 

  265.         $user_entry = ldap_get_entries_moodle($ldapconnection, $user_info_result);
    266. 

  266.         if (empty($user_entry)) {
    267. 

  267.             $this->ldap_close();
    268. 

  268.             return false; // entry not found
    269. 

  269.         }
    270. 

  270. 

  271.         $result = array();
    272. 

  272.         foreach ($attrmap as $key => $values) {
    273. 

  273.             if (!is_array($values)) {
    274. 

  274.                 $values = array($values);
    275. 

  275.             }
    276. 

  276.             $ldapval = NULL;
    277. 

  277.             foreach ($values as $value) {
    278. 

  278.                 $entry = $user_entry[0];
    279. 

  279.                 if (($value == 'dn') || ($value == 'distinguishedname')) {
    280. 

  280.                     $result[$key] = $user_dn;
    281. 

  281.                     continue;
    282. 

  282.                 }
    283. 

  283.                 if (!array_key_exists($value, $entry)) {
    284. 

  284.                     continue; // wrong data mapping!
    285. 

  285.                 }
    286. 

  286.                 if (is_array($entry[$value])) {
    287. 

  287.                     $newval = core_text::convert($entry[$value][0], $this->config->ldapencoding, 'utf-8');
    288. 

  288.                 } else {
    289. 

  289.                     $newval = core_text::convert($entry[$value], $this->config->ldapencoding, 'utf-8');
    290. 

  290.                 }
    291. 

  291.                 if (!empty($newval)) { // favour ldap entries that are set
    292. 

  292.                     $ldapval = $newval;
    293. 

  293.                 }
    294. 

  294.             }
    295. 

  295.             if (!is_null($ldapval)) {
    296. 

  296.                 $result[$key] = $ldapval;
    297. 

  297.             }
    298. 

  298.         }
    299. 

  299. 

  300.         $this->ldap_close();
    301. 

  301.         return $result;
    302. 

  302.     }
    303. 

  303. 

  304.     /**
    305. 

  305.      * Reads user information from ldap and returns it in an object
    306. 

  306.      *
    307. 

  307.      * @param string $username username (with system magic quotes)
    308. 

  308.      * @return mixed object or false on error
    309. 

  309.      */
    310. 

  310.     function get_userinfo_asobj($username) {
    311. 

  311.         $user_array = $this->get_userinfo($username);
    312. 

  312.         if ($user_array == false) {
    313. 

  313.             return false; //error or not found
    314. 

  314.         }
    315. 

  315.         $user_array = truncate_userinfo($user_array);
    316. 

  316.         $user = new stdClass();
    317. 

  317.         foreach ($user_array as $key=>$value) {
    318. 

  318.             $user->{$key} = $value;
    319. 

  319.         }
    320. 

  320.         return $user;
    321. 

  321.     }
    322. 

  322. 

  323.     /**
    324. 

  324.      * Returns all usernames from LDAP
    325. 

  325.      *
    326. 

  326.      * get_userlist returns all usernames from LDAP
    327. 

  327.      *
    328. 

  328.      * @return array
    329. 

  329.      */
    330. 

  330.     function get_userlist() {
    331. 

  331.         return $this->ldap_get_userlist("({$this->config->user_attribute}=*)");
    332. 

  332.     }
    333. 

  333. 

  334.     /**
    335. 

  335.      * Checks if user exists on LDAP
    336. 

  336.      *
    337. 

  337.      * @param string $username
    338. 

  338.      */
    339. 

  339.     function user_exists($username) {
    340. 

  340.         $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding);
    341. 

  341. 

  342.         // Returns true if given username exists on ldap
    343. 

  343.         $users = $this->ldap_get_userlist('('.$this->config->user_attribute.'='.ldap_filter_addslashes($extusername).')');
    344. 

  344.         return count($users);
    345. 

  345.     }
    346. 

  346. 

  347.     /**
    348. 

  348.      * Creates a new user on LDAP.
    349. 

  349.      * By using information in userobject
    350. 

  350.      * Use user_exists to prevent duplicate usernames
    351. 

  351.      *
    352. 

  352.      * @param mixed $userobject  Moodle userobject
    353. 

  353.      * @param mixed $plainpass   Plaintext password
    354. 

  354.      */
    355. 

  355.     function user_create($userobject, $plainpass) {
    356. 

  356.         $extusername = core_text::convert($userobject->username, 'utf-8', $this->config->ldapencoding);
    357. 

  357.         $extpassword = core_text::convert($plainpass, 'utf-8', $this->config->ldapencoding);
    358. 

  358. 

  359.         switch ($this->config->passtype) {
    360. 

  360.             case 'md5':
    361. 

  361.                 $extpassword = '{MD5}' . base64_encode(pack('H*', md5($extpassword)));
    362. 

  362.                 break;
    363. 

  363.             case 'sha1':
    364. 

  364.                 $extpassword = '{SHA}' . base64_encode(pack('H*', sha1($extpassword)));
    365. 

  365.                 break;
    366. 

  366.             case 'plaintext':
    367. 

  367.             default:
    368. 

  368.                 break; // plaintext
    369. 

  369.         }
    370. 

  370. 

  371.         $ldapconnection = $this->ldap_connect();
    372. 

  372.         $attrmap = $this->ldap_attributes();
    373. 

  373. 

  374.         $newuser = array();
    375. 

  375. 

  376.         foreach ($attrmap as $key => $values) {
    377. 

  377.             if (!is_array($values)) {
    378. 

  378.                 $values = array($values);
    379. 

  379.             }
    380. 

  380.             foreach ($values as $value) {
    381. 

  381.                 if (!empty($userobject->$key) ) {
    382. 

  382.                     $newuser[$value] = core_text::convert($userobject->$key, 'utf-8', $this->config->ldapencoding);
    383. 

  383.                 }
    384. 

  384.             }
    385. 

  385.         }
    386. 

  386. 

  387.         //Following sets all mandatory and other forced attribute values
    388. 

  388.         //User should be creted as login disabled untill email confirmation is processed
    389. 

  389.         //Feel free to add your user type and send patches to paca@sci.fi to add them
    390. 

  390.         //Moodle distribution
    391. 

  391. 

  392.         switch ($this->config->user_type)  {
    393. 

  393.             case 'edir':
    394. 

  394.                 $newuser['objectClass']   = array('inetOrgPerson', 'organizationalPerson', 'person', 'top');
    395. 

  395.                 $newuser['uniqueId']      = $extusername;
    396. 

  396.                 $newuser['logindisabled'] = 'TRUE';
    397. 

  397.                 $newuser['userpassword']  = $extpassword;
    398. 

  398.                 $uadd = ldap_add($ldapconnection, $this->config->user_attribute.'='.ldap_addslashes($extusername).','.$this->config->create_context, $newuser);
    399. 

  399.                 break;
    400. 

  400.             case 'rfc2307':
    401. 

  401.             case 'rfc2307bis':
    402. 

  402.                 // posixAccount object class forces us to specify a uidNumber
    403. 

  403.                 // and a gidNumber. That is quite complicated to generate from
    404. 

  404.                 // Moodle without colliding with existing numbers and without
    405. 

  405.                 // race conditions. As this user is supposed to be only used
    406. 

  406.                 // with Moodle (otherwise the user would exist beforehand) and
    407. 

  407.                 // doesn't need to login into a operating system, we assign the
    408. 

  408.                 // user the uid of user 'nobody' and gid of group 'nogroup'. In
    409. 

  409.                 // addition to that, we need to specify a home directory. We
    410. 

  410.                 // use the root directory ('/') as the home directory, as this
    411. 

  411.                 // is the only one can always be sure exists. Finally, even if
    412. 

  412.                 // it's not mandatory, we specify '/bin/false' as the login
    413. 

  413.                 // shell, to prevent the user from login in at the operating
    414. 

  414.                 // system level (Moodle ignores this).
    415. 

  415. 

  416.                 $newuser['objectClass']   = array('posixAccount', 'inetOrgPerson', 'organizationalPerson', 'person', 'top');
    417. 

  417.                 $newuser['cn']            = $extusername;
    418. 

  418.                 $newuser['uid']           = $extusername;
    419. 

  419.                 $newuser['uidNumber']     = AUTH_UID_NOBODY;
    420. 

  420.                 $newuser['gidNumber']     = AUTH_GID_NOGROUP;
    421. 

  421.                 $newuser['homeDirectory'] = '/';
    422. 

  422.                 $newuser['loginShell']    = '/bin/false';
    423. 

  423. 

  424.                 // IMPORTANT:
    425. 

  425.                 // We have to create the account locked, but posixAccount has
    426. 

  426.                 // no attribute to achive this reliably. So we are going to
    427. 

  427.                 // modify the password in a reversable way that we can later
    428. 

  428.                 // revert in user_activate().
    429. 

  429.                 //
    430. 

  430.                 // Beware that this can be defeated by the user if we are not
    431. 

  431.                 // using MD5 or SHA-1 passwords. After all, the source code of
    432. 

  432.                 // Moodle is available, and the user can see the kind of
    433. 

  433.                 // modification we are doing and 'undo' it by hand (but only
    434. 

  434.                 // if we are using plain text passwords).
    435. 

  435.                 //
    436. 

  436.                 // Also bear in mind that you need to use a binding user that
    437. 

  437.                 // can create accounts and has read/write privileges on the
    438. 

  438.                 // 'userPassword' attribute for this to work.
    439. 

  439. 

  440.                 $newuser['userPassword']  = '*'.$extpassword;
    441. 

  441.                 $uadd = ldap_add($ldapconnection, $this->config->user_attribute.'='.ldap_addslashes($extusername).','.$this->config->create_context, $newuser);
    442. 

  442.                 break;
    443. 

  443.             case 'ad':
    444. 

  444.                 // User account creation is a two step process with AD. First you
    445. 

  445.                 // create the user object, then you set the password. If you try
    446. 

  446.                 // to set the password while creating the user, the operation
    447. 

  447.                 // fails.
    448. 

  448. 

  449.                 // Passwords in Active Directory must be encoded as Unicode
    450. 

  450.                 // strings (UCS-2 Little Endian format) and surrounded with
    451. 

  451.                 // double quotes. See http://support.microsoft.com/?kbid=269190
    452. 

  452.                 if (!function_exists('mb_convert_encoding')) {
    453. 

  453.                     print_error('auth_ldap_no_mbstring', 'auth_ldap');
    454. 

  454.                 }
    455. 

  455. 

  456.                 // Check for invalid sAMAccountName characters.
    457. 

  457.                 if (preg_match('#[/\\[\]:;|=,+*?<>@"]#', $extusername)) {
    458. 

  458.                     print_error ('auth_ldap_ad_invalidchars', 'auth_ldap');
    459. 

  459.                 }
    460. 

  460. 

  461.                 // First create the user account, and mark it as disabled.
    462. 

  462.                 $newuser['objectClass'] = array('top', 'person', 'user', 'organizationalPerson');
    463. 

  463.                 $newuser['sAMAccountName'] = $extusername;
    464. 

  464.                 $newuser['userAccountControl'] = AUTH_AD_NORMAL_ACCOUNT |
    465. 

  465.                                                  AUTH_AD_ACCOUNTDISABLE;
    466. 

  466.                 $userdn = 'cn='.ldap_addslashes($extusername).','.$this->config->create_context;
    467. 

  467.                 if (!ldap_add($ldapconnection, $userdn, $newuser)) {
    468. 

  468.                     print_error('auth_ldap_ad_create_req', 'auth_ldap');
    469. 

  469.                 }
    470. 

  470. 

  471.                 // Now set the password
    472. 

  472.                 unset($newuser);
    473. 

  473.                 $newuser['unicodePwd'] = mb_convert_encoding('"' . $extpassword . '"',
    474. 

  474.                                                              'UCS-2LE', 'UTF-8');
    475. 

  475.                 if(!ldap_modify($ldapconnection, $userdn, $newuser)) {
    476. 

  476.                     // Something went wrong: delete the user account and error out
    477. 

  477.                     ldap_delete ($ldapconnection, $userdn);
    478. 

  478.                     print_error('auth_ldap_ad_create_req', 'auth_ldap');
    479. 

  479.                 }
    480. 

  480.                 $uadd = true;
    481. 

  481.                 break;
    482. 

  482.             default:
    483. 

  483.                print_error('auth_ldap_unsupportedusertype', 'auth_ldap', '', $this->config->user_type_name);
    484. 

  484.         }
    485. 

  485.         $this->ldap_close();
    486. 

  486.         return $uadd;
    487. 

  487.     }
    488. 

  488. 

  489.     /**
    490. 

  490.      * Returns true if plugin allows resetting of password from moodle.
    491. 

  491.      *
    492. 

  492.      * @return bool
    493. 

  493.      */
    494. 

  494.     function can_reset_password() {
    495. 

  495.         return !empty($this->config->stdchangepassword);
    496. 

  496.     }
    497. 

  497. 

  498.     /**
    499. 

  499.      * Returns true if plugin can be manually set.
    500. 

  500.      *
    501. 

  501.      * @return bool
    502. 

  502.      */
    503. 

  503.     function can_be_manually_set() {
    504. 

  504.         return true;
    505. 

  505.     }
    506. 

  506. 

  507.     /**
    508. 

  508.      * Returns true if plugin allows signup and user creation.
    509. 

  509.      *
    510. 

  510.      * @return bool
    511. 

  511.      */
    512. 

  512.     function can_signup() {
    513. 

  513.         return (!empty($this->config->auth_user_create) and !empty($this->config->create_context));
    514. 

  514.     }
    515. 

  515. 

  516.     /**
    517. 

  517.      * Sign up a new user ready for confirmation.
    518. 

  518.      * Password is passed in plaintext.
    519. 

  519.      *
    520. 

  520.      * @param object $user new user object
    521. 

  521.      * @param boolean $notify print notice with link and terminate
    522. 

  522.      * @return boolean success
    523. 

  523.      */
    524. 

  524.     function user_signup($user, $notify=true) {
    525. 

  525.         global $CFG, $DB, $PAGE, $OUTPUT;
    526. 

  526. 

  527.         require_once($CFG->dirroot.'/user/profile/lib.php');
    528. 

  528.         require_once($CFG->dirroot.'/user/lib.php');
    529. 

  529. 

  530.         if ($this->user_exists($user->username)) {
    531. 

  531.             print_error('auth_ldap_user_exists', 'auth_ldap');
    532. 

  532.         }
    533. 

  533. 

  534.         $plainslashedpassword = $user->password;
    535. 

  535.         unset($user->password);
    536. 

  536. 

  537.         if (! $this->user_create($user, $plainslashedpassword)) {
    538. 

  538.             print_error('auth_ldap_create_error', 'auth_ldap');
    539. 

  539.         }
    540. 

  540. 

  541.         $user->id = user_create_user($user, false, false);
    542. 

  542. 

  543.         user_add_password_history($user->id, $plainslashedpassword);
    544. 

  544. 

  545.         // Save any custom profile field information
    546. 

  546.         profile_save_data($user);
    547. 

  547. 

  548.         $userinfo = $this->get_userinfo($user->username);
    549. 

  549.         $this->update_user_record($user->username, false, false, $this->is_user_suspended((object) $userinfo));
    550. 

  550. 

  551.         // This will also update the stored hash to the latest algorithm
    552. 

  552.         // if the existing hash is using an out-of-date algorithm (or the
    553. 

  553.         // legacy md5 algorithm).
    554. 

  554.         update_internal_user_password($user, $plainslashedpassword);
    555. 

  555. 

  556.         $user = $DB->get_record('user', array('id'=>$user->id));
    557. 

  557. 

  558.         \core\event\user_created::create_from_userid($user->id)->trigger();
    559. 

  559. 

  560.         if (! send_confirmation_email($user)) {
    561. 

  561.             print_error('noemail', 'auth_ldap');
    562. 

  562.         }
    563. 

  563. 

  564.         if ($notify) {
    565. 

  565.             $emailconfirm = get_string('emailconfirm');
    566. 

  566.             $PAGE->set_url('/auth/ldap/auth.php');
    567. 

  567.             $PAGE->navbar->add($emailconfirm);
    568. 

  568.             $PAGE->set_title($emailconfirm);
    569. 

  569.             $PAGE->set_heading($emailconfirm);
    570. 

  570.             echo $OUTPUT->header();
    571. 

  571.             notice(get_string('emailconfirmsent', '', $user->email), "{$CFG->wwwroot}/index.php");
    572. 

  572.         } else {
    573. 

  573.             return true;
    574. 

  574.         }
    575. 

  575.     }
    576. 

  576. 

  577.     /**
    578. 

  578.      * Returns true if plugin allows confirming of new users.
    579. 

  579.      *
    580. 

  580.      * @return bool
    581. 

  581.      */
    582. 

  582.     function can_confirm() {
    583. 

  583.         return $this->can_signup();
    584. 

  584.     }
    585. 

  585. 

  586.     /**
    587. 

  587.      * Confirm the new user as registered.
    588. 

  588.      *
    589. 

  589.      * @param string $username
    590. 

  590.      * @param string $confirmsecret
    591. 

  591.      */
    592. 

  592.     function user_confirm($username, $confirmsecret) {
    593. 

  593.         global $DB;
    594. 

  594. 

  595.         $user = get_complete_user_data('username', $username);
    596. 

  596. 

  597.         if (!empty($user)) {
    598. 

  598.             if ($user->auth != $this->authtype) {
    599. 

  599.                 return AUTH_CONFIRM_ERROR;
    600. 

  600. 

  601.             } else if ($user->secret == $confirmsecret && $user->confirmed) {
    602. 

  602.                 return AUTH_CONFIRM_ALREADY;
    603. 

  603. 

  604.             } else if ($user->secret == $confirmsecret) {   // They have provided the secret key to get in
    605. 

  605.                 if (!$this->user_activate($username)) {
    606. 

  606.                     return AUTH_CONFIRM_FAIL;
    607. 

  607.                 }
    608. 

  608.                 $user->confirmed = 1;
    609. 

  609.                 user_update_user($user, false);
    610. 

  610.                 return AUTH_CONFIRM_OK;
    611. 

  611.             }
    612. 

  612.         } else {
    613. 

  613.             return AUTH_CONFIRM_ERROR;
    614. 

  614.         }
    615. 

  615.     }
    616. 

  616. 

  617.     /**
    618. 

  618.      * Return number of days to user password expires
    619. 

  619.      *
    620. 

  620.      * If userpassword does not expire it should return 0. If password is already expired
    621. 

  621.      * it should return negative value.
    622. 

  622.      *
    623. 

  623.      * @param mixed $username username
    624. 

  624.      * @return integer
    625. 

  625.      */
    626. 

  626.     function password_expire($username) {
    627. 

  627.         $result = 0;
    628. 

  628. 

  629.         $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding);
    630. 

  630. 

  631.         $ldapconnection = $this->ldap_connect();
    632. 

  632.         $user_dn = $this->ldap_find_userdn($ldapconnection, $extusername);
    633. 

  633.         $search_attribs = array($this->config->expireattr);
    634. 

  634.         $sr = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs);
    635. 

  635.         if ($sr)  {
    636. 

  636.             $info = ldap_get_entries_moodle($ldapconnection, $sr);
    637. 

  637.             if (!empty ($info)) {
    638. 

  638.                 $info = $info[0];
    639. 

  639.                 if (isset($info[$this->config->expireattr][0])) {
    640. 

  640.                     $expiretime = $this->ldap_expirationtime2unix($info[$this->config->expireattr][0], $ldapconnection, $user_dn);
    641. 

  641.                     if ($expiretime != 0) {
    642. 

  642.                         $now = time();
    643. 

  643.                         if ($expiretime > $now) {
    644. 

  644.                             $result = ceil(($expiretime - $now) / DAYSECS);
    645. 

  645.                         } else {
    646. 

  646.                             $result = floor(($expiretime - $now) / DAYSECS);
    647. 

  647.                         }
    648. 

  648.                     }
    649. 

  649.                 }
    650. 

  650.             }
    651. 

  651.         } else {
    652. 

  652.             error_log($this->errorlogtag.get_string('didtfindexpiretime', 'auth_ldap'));
    653. 

  653.         }
    654. 

  654. 

  655.         return $result;
    656. 

  656.     }
    657. 

  657. 

  658.     /**
    659. 

  659.      * Syncronizes user fron external LDAP server to moodle user table
    660. 

  660.      *
    661. 

  661.      * Sync is now using username attribute.
    662. 

  662.      *
    663. 

  663.      * Syncing users removes or suspends users that dont exists anymore in external LDAP.
    664. 

  664.      * Creates new users and updates coursecreator status of users.
    665. 

  665.      *
    666. 

  666.      * @param bool $do_updates will do pull in data updates from LDAP if relevant
    667. 

  667.      */
    668. 

  668.     function sync_users($do_updates=true) {
    669. 

  669.         global $CFG, $DB;
    670. 

  670. 

  671.         require_once($CFG->dirroot . '/user/profile/lib.php');
    672. 

  672. 

  673.         print_string('connectingldap', 'auth_ldap');
    674. 

  674.         $ldapconnection = $this->ldap_connect();
    675. 

  675. 

  676.         $dbman = $DB->get_manager();
    677. 

  677. 

  678.     /// Define table user to be created
    679. 

  679.         $table = new xmldb_table('tmp_extuser');
    680. 

  680.         $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
    681. 

  681.         $table->add_field('username', XMLDB_TYPE_CHAR, '100', null, XMLDB_NOTNULL, null, null);
    682. 

  682.         $table->add_field('mnethostid', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, null);
    683. 

  683.         $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id'));
    684. 

  684.         $table->add_index('username', XMLDB_INDEX_UNIQUE, array('mnethostid', 'username'));
    685. 

  685. 

  686.         print_string('creatingtemptable', 'auth_ldap', 'tmp_extuser');
    687. 

  687.         $dbman->create_temp_table($table);
    688. 

  688. 

  689.         ////
    690. 

  690.         //// get user's list from ldap to sql in a scalable fashion
    691. 

  691.         ////
    692. 

  692.         // prepare some data we'll need
    693. 

  693.         $filter = '(&('.$this->config->user_attribute.'=*)'.$this->config->objectclass.')';
    694. 

  694.         $servercontrols = array();
    695. 

  695. 

  696.         $contexts = explode(';', $this->config->contexts);
    697. 

  697. 

  698.         if (!empty($this->config->create_context)) {
    699. 

  699.             array_push($contexts, $this->config->create_context);
    700. 

  700.         }
    701. 

  701. 

  702.         $ldappagedresults = ldap_paged_results_supported($this->config->ldap_version, $ldapconnection);
    703. 

  703.         $ldapcookie = '';
    704. 

  704.         foreach ($contexts as $context) {
    705. 

  705.             $context = trim($context);
    706. 

  706.             if (empty($context)) {
    707. 

  707.                 continue;
    708. 

  708.             }
    709. 

  709. 

  710.             do {
    711. 

  711.                 if ($ldappagedresults) {
    712. 

  712.                     // TODO: Remove the old branch of code once PHP 7.3.0 becomes required (Moodle 4.1).
    713. 

  713.                     if (version_compare(PHP_VERSION, '7.3.0', '<')) {
    714. 

  714.                         // Before 7.3, use this function that was deprecated in PHP 7.4.
    715. 

  715.                         ldap_control_paged_result($ldapconnection, $this->config->pagesize, true, $ldapcookie);
    716. 

  716.                     } else {
    717. 

  717.                         // PHP 7.3 and up, use server controls.
    718. 

  718.                         $servercontrols = array(array(
    719. 

  719.                             'oid' => LDAP_CONTROL_PAGEDRESULTS, 'value' => array(
    720. 

  720.                                 'size' => $this->config->pagesize, 'cookie' => $ldapcookie)));
    721. 

  721.                     }
    722. 

  722.                 }
    723. 

  723.                 if ($this->config->search_sub) {
    724. 

  724.                     // Use ldap_search to find first user from subtree.
    725. 

  725.                     // TODO: Remove the old branch of code once PHP 7.3.0 becomes required (Moodle 4.1).
    726. 

  726.                     if (version_compare(PHP_VERSION, '7.3.0', '<')) {
    727. 

  727.                         $ldapresult = ldap_search($ldapconnection, $context, $filter, array($this->config->user_attribute));
    728. 

  728.                     } else {
    729. 

  729.                         $ldapresult = ldap_search($ldapconnection, $context, $filter, array($this->config->user_attribute),
    730. 

  730.                             0, -1, -1, LDAP_DEREF_NEVER, $servercontrols);
    731. 

  731.                     }
    732. 

  732.                 } else {
    733. 

  733.                     // Search only in this context.
    734. 

  734.                     // TODO: Remove the old branch of code once PHP 7.3.0 becomes required (Moodle 4.1).
    735. 

  735.                     if (version_compare(PHP_VERSION, '7.3.0', '<')) {
    736. 

  736.                         $ldapresult = ldap_list($ldapconnection, $context, $filter, array($this->config->user_attribute));
    737. 

  737.                     } else {
    738. 

  738.                         $ldapresult = ldap_list($ldapconnection, $context, $filter, array($this->config->user_attribute),
    739. 

  739.                             0, -1, -1, LDAP_DEREF_NEVER, $servercontrols);
    740. 

  740.                     }
    741. 

  741.                 }
    742. 

  742.                 if (!$ldapresult) {
    743. 

  743.                     continue;
    744. 

  744.                 }
    745. 

  745.                 if ($ldappagedresults) {
    746. 

  746.                     // Get next server cookie to know if we'll need to continue searching.
    747. 

  747.                     $ldapcookie = '';
    748. 

  748.                     // TODO: Remove the old branch of code once PHP 7.3.0 becomes required (Moodle 4.1).
    749. 

  749.                     if (version_compare(PHP_VERSION, '7.3.0', '<')) {
    750. 

  750.                         // Before 7.3, use this function that was deprecated in PHP 7.4.
    751. 

  751.                         $pagedresp = ldap_control_paged_result_response($ldapconnection, $ldapresult, $ldapcookie);
    752. 

  752.                         // Function ldap_control_paged_result_response() does not overwrite $ldapcookie if it fails, by
    753. 

  753.                         // setting this to null we avoid an infinite loop.
    754. 

  754.                         if ($pagedresp === false) {
    755. 

  755.                             $ldapcookie = null;
    756. 

  756.                         }
    757. 

  757.                     } else {
    758. 

  758.                         // Get next cookie from controls.
    759. 

  759.                         ldap_parse_result($ldapconnection, $ldapresult, $errcode, $matcheddn,
    760. 

  760.                             $errmsg, $referrals, $controls);
    761. 

  761.                         if (isset($controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'])) {
    762. 

  762.                             $ldapcookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'];
    763. 

  763.                         }
    764. 

  764.                     }
    765. 

  765.                 }
    766. 

  766.                 if ($entry = @ldap_first_entry($ldapconnection, $ldapresult)) {
    767. 

  767.                     do {
    768. 

  768.                         $value = ldap_get_values_len($ldapconnection, $entry, $this->config->user_attribute);
    769. 

  769.                         $value = core_text::convert($value[0], $this->config->ldapencoding, 'utf-8');
    770. 

  770.                         $value = trim($value);
    771. 

  771.                         $this->ldap_bulk_insert($value);
    772. 

  772.                     } while ($entry = ldap_next_entry($ldapconnection, $entry));
    773. 

  773.                 }
    774. 

  774.                 unset($ldapresult); // Free mem.
    775. 

  775.             } while ($ldappagedresults && $ldapcookie !== null && $ldapcookie != '');
    776. 

  776.         }
    777. 

  777. 

  778.         // If LDAP paged results were used, the current connection must be completely
    779. 

  779.         // closed and a new one created, to work without paged results from here on.
    780. 

  780.         if ($ldappagedresults) {
    781. 

  781.             $this->ldap_close(true);
    782. 

  782.             $ldapconnection = $this->ldap_connect();
    783. 

  783.         }
    784. 

  784. 

  785.         /// preserve our user database
    786. 

  786.         /// if the temp table is empty, it probably means that something went wrong, exit
    787. 

  787.         /// so as to avoid mass deletion of users; which is hard to undo
    788. 

  788.         $count = $DB->count_records_sql('SELECT COUNT(username) AS count, 1 FROM {tmp_extuser}');
    789. 

  789.         if ($count < 1) {
    790. 

  790.             print_string('didntgetusersfromldap', 'auth_ldap');
    791. 

  791.             $dbman->drop_table($table);
    792. 

  792.             $this->ldap_close();
    793. 

  793.             return false;
    794. 

  794.         } else {
    795. 

  795.             print_string('gotcountrecordsfromldap', 'auth_ldap', $count);
    796. 

  796.         }
    797. 

  797. 

  798. 

  799. /// User removal
    800. 

  800.         // Find users in DB that aren't in ldap -- to be removed!
    801. 

  801.         // this is still not as scalable (but how often do we mass delete?)
    802. 

  802. 

  803.         if ($this->config->removeuser == AUTH_REMOVEUSER_FULLDELETE) {
    804. 

  804.             $sql = "SELECT u.*
    805. 

  805.                       FROM {user} u
    806. 

  806.                  LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = e.mnethostid)
    807. 

  807.                      WHERE u.auth = :auth
    808. 

  808.                            AND u.deleted = 0
    809. 

  809.                            AND e.username IS NULL";
    810. 

  810.             $remove_users = $DB->get_records_sql($sql, array('auth'=>$this->authtype));
    811. 

  811. 

  812.             if (!empty($remove_users)) {
    813. 

  813.                 print_string('userentriestoremove', 'auth_ldap', count($remove_users));
    814. 

  814.                 foreach ($remove_users as $user) {
    815. 

  815.                     if (delete_user($user)) {
    816. 

  816.                         echo "\t"; print_string('auth_dbdeleteuser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id)); echo "\n";
    817. 

  817.                     } else {
    818. 

  818.                         echo "\t"; print_string('auth_dbdeleteusererror', 'auth_db', $user->username); echo "\n";
    819. 

  819.                     }
    820. 

  820.                 }
    821. 

  821.             } else {
    822. 

  822.                 print_string('nouserentriestoremove', 'auth_ldap');
    823. 

  823.             }
    824. 

  824.             unset($remove_users); // Free mem!
    825. 

  825. 

  826.         } else if ($this->config->removeuser == AUTH_REMOVEUSER_SUSPEND) {
    827. 

  827.             $sql = "SELECT u.*
    828. 

  828.                       FROM {user} u
    829. 

  829.                  LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = e.mnethostid)
    830. 

  830.                      WHERE u.auth = :auth
    831. 

  831.                            AND u.deleted = 0
    832. 

  832.                            AND u.suspended = 0
    833. 

  833.                            AND e.username IS NULL";
    834. 

  834.             $remove_users = $DB->get_records_sql($sql, array('auth'=>$this->authtype));
    835. 

  835. 

  836.             if (!empty($remove_users)) {
    837. 

  837.                 print_string('userentriestoremove', 'auth_ldap', count($remove_users));
    838. 

  838. 

  839.                 foreach ($remove_users as $user) {
    840. 

  840.                     $updateuser = new stdClass();
    841. 

  841.                     $updateuser->id = $user->id;
    842. 

  842.                     $updateuser->suspended = 1;
    843. 

  843.                     user_update_user($updateuser, false);
    844. 

  844.                     echo "\t"; print_string('auth_dbsuspenduser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id)); echo "\n";
    845. 

  845.                     \core\session\manager::kill_user_sessions($user->id);
    846. 

  846.                 }
    847. 

  847.             } else {
    848. 

  848.                 print_string('nouserentriestoremove', 'auth_ldap');
    849. 

  849.             }
    850. 

  850.             unset($remove_users); // Free mem!
    851. 

  851.         }
    852. 

  852. 

  853. /// Revive suspended users
    854. 

  854.         if (!empty($this->config->removeuser) and $this->config->removeuser == AUTH_REMOVEUSER_SUSPEND) {
    855. 

  855.             $sql = "SELECT u.id, u.username
    856. 

  856.                       FROM {user} u
    857. 

  857.                       JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = e.mnethostid)
    858. 

  858.                      WHERE (u.auth = 'nologin' OR (u.auth = ? AND u.suspended = 1)) AND u.deleted = 0";
    859. 

  859.             // Note: 'nologin' is there for backwards compatibility.
    860. 

  860.             $revive_users = $DB->get_records_sql($sql, array($this->authtype));
    861. 

  861. 

  862.             if (!empty($revive_users)) {
    863. 

  863.                 print_string('userentriestorevive', 'auth_ldap', count($revive_users));
    864. 

  864. 

  865.                 foreach ($revive_users as $user) {
    866. 

  866.                     $updateuser = new stdClass();
    867. 

  867.                     $updateuser->id = $user->id;
    868. 

  868.                     $updateuser->auth = $this->authtype;
    869. 

  869.                     $updateuser->suspended = 0;
    870. 

  870.                     user_update_user($updateuser, false);
    871. 

  871.                     echo "\t"; print_string('auth_dbreviveduser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id)); echo "\n";
    872. 

  872.                 }
    873. 

  873.             } else {
    874. 

  874.                 print_string('nouserentriestorevive', 'auth_ldap');
    875. 

  875.             }
    876. 

  876. 

  877.             unset($revive_users);
    878. 

  878.         }
    879. 

  879. 

  880. 

  881. /// User Updates - time-consuming (optional)
    882. 

  882.         if ($do_updates) {
    883. 

  883.             // Narrow down what fields we need to update
    884. 

  884.             $updatekeys = $this->get_profile_keys();
    885. 

  885. 

  886.         } else {
    887. 

  887.             print_string('noupdatestobedone', 'auth_ldap');
    888. 

  888.         }
    889. 

  889.         if ($do_updates and !empty($updatekeys)) { // run updates only if relevant
    890. 

  890.             $users = $DB->get_records_sql('SELECT u.username, u.id
    891. 

  891.                                              FROM {user} u
    892. 

  892.                                             WHERE u.deleted = 0 AND u.auth = ? AND u.mnethostid = ?',
    893. 

  893.                                           array($this->authtype, $CFG->mnet_localhost_id));
    894. 

  894.             if (!empty($users)) {
    895. 

  895.                 print_string('userentriestoupdate', 'auth_ldap', count($users));
    896. 

  896. 

  897.                 $transaction = $DB->start_delegated_transaction();
    898. 

  898.                 $xcount = 0;
    899. 

  899.                 $maxxcount = 100;
    900. 

  900. 

  901.                 foreach ($users as $user) {
    902. 

  902.                     echo "\t"; print_string('auth_dbupdatinguser', 'auth_db', array('name'=>$user->username, 'id'=>$user->id));
    903. 

  903.                     $userinfo = $this->get_userinfo($user->username);
    904. 

  904.                     if (!$this->update_user_record($user->username, $updatekeys, true,
    905. 

  905.                             $this->is_user_suspended((object) $userinfo))) {
    906. 

  906.                         echo ' - '.get_string('skipped');
    907. 

  907.                     }
    908. 

  908.                     echo "\n";
    909. 

  909.                     $xcount++;
    910. 

  910. 

  911.                     // Update system roles, if needed.
    912. 

  912.                     $this->sync_roles($user);
    913. 

  913.                 }
    914. 

  914.                 $transaction->allow_commit();
    915. 

  915.                 unset($users); // free mem
    916. 

  916.             }
    917. 

  917.         } else { // end do updates
    918. 

  918.             print_string('noupdatestobedone', 'auth_ldap');
    919. 

  919.         }
    920. 

  920. 

  921. /// User Additions
    922. 

  922.         // Find users missing in DB that are in LDAP
    923. 

  923.         // and gives me a nifty object I don't want.
    924. 

  924.         // note: we do not care about deleted accounts anymore, this feature was replaced by suspending to nologin auth plugin
    925. 

  925.         $sql = 'SELECT e.id, e.username
    926. 

  926.                   FROM {tmp_extuser} e
    927. 

  927.                   LEFT JOIN {user} u ON (e.username = u.username AND e.mnethostid = u.mnethostid)
    928. 

  928.                  WHERE u.id IS NULL';
    929. 

  929.         $add_users = $DB->get_records_sql($sql);
    930. 

  930. 

  931.         if (!empty($add_users)) {
    932. 

  932.             print_string('userentriestoadd', 'auth_ldap', count($add_users));
    933. 

  933. 

  934.             $transaction = $DB->start_delegated_transaction();
    935. 

  935.             foreach ($add_users as $user) {
    936. 

  936.                 $user = $this->get_userinfo_asobj($user->username);
    937. 

  937. 

  938.                 // Prep a few params
    939. 

  939.                 $user->modified   = time();
    940. 

  940.                 $user->confirmed  = 1;
    941. 

  941.                 $user->auth       = $this->authtype;
    942. 

  942.                 $user->mnethostid = $CFG->mnet_localhost_id;
    943. 

  943.                 // get_userinfo_asobj() might have replaced $user->username with the value
    944. 

  944.                 // from the LDAP server (which can be mixed-case). Make sure it's lowercase
    945. 

  945.                 $user->username = trim(core_text::strtolower($user->username));
    946. 

  946.                 // It isn't possible to just rely on the configured suspension attribute since
    947. 

  947.                 // things like active directory use bit masks, other things using LDAP might
    948. 

  948.                 // do different stuff as well.
    949. 

  949.                 //
    950. 

  950.                 // The cast to int is a workaround for MDL-53959.
    951. 

  951.                 $user->suspended = (int)$this->is_user_suspended($user);
    952. 

  952.                 if (empty($user->lang)) {
    953. 

  953.                     $user->lang = $CFG->lang;
    954. 

  954.                 }
    955. 

  955.                 if (empty($user->calendartype)) {
    956. 

  956.                     $user->calendartype = $CFG->calendartype;
    957. 

  957.                 }
    958. 

  958. 

  959.                 $id = user_create_user($user, false);
    960. 

  960.                 echo "\t"; print_string('auth_dbinsertuser', 'auth_db', array('name'=>$user->username, 'id'=>$id)); echo "\n";
    961. 

  961.                 $euser = $DB->get_record('user', array('id' => $id));
    962. 

  962. 

  963.                 if (!empty($this->config->forcechangepassword)) {
    964. 

  964.                     set_user_preference('auth_forcepasswordchange', 1, $id);
    965. 

  965.                 }
    966. 

  966. 

  967.                 // Save custom profile fields.
    968. 

  968.                 $this->update_user_record($user->username, $this->get_profile_keys(true), false);
    969. 

  969. 

  970.                 // Add roles if needed.
    971. 

  971.                 $this->sync_roles($euser);
    972. 

  972. 

  973.             }
    974. 

  974.             $transaction->allow_commit();
    975. 

  975.             unset($add_users); // free mem
    976. 

  976.         } else {
    977. 

  977.             print_string('nouserstobeadded', 'auth_ldap');
    978. 

  978.         }
    979. 

  979. 

  980.         $dbman->drop_table($table);
    981. 

  981.         $this->ldap_close();
    982. 

  982. 

  983.         return true;
    984. 

  984.     }
    985. 

  985. 

  986.     /**
    987. 

  987.      * Bulk insert in SQL's temp table
    988. 

  988.      */
    989. 

  989.     function ldap_bulk_insert($username) {
    990. 

  990.         global $DB, $CFG;
    991. 

  991. 

  992.         $username = core_text::strtolower($username); // usernames are __always__ lowercase.
    993. 

  993.         $DB->insert_record_raw('tmp_extuser', array('username'=>$username,
    994. 

  994.                                                     'mnethostid'=>$CFG->mnet_localhost_id), false, true);
    995. 

  995.         echo '.';
    996. 

  996.     }
    997. 

  997. 

  998.     /**
    999. 

  999.      * Activates (enables) user in external LDAP so user can login
    1000. 

  1000.      *
    1001. 

  1001.      * @param mixed $username
    1002. 

  1002.      * @return boolean result
    1003. 

  1003.      */
    1004. 

  1004.     function user_activate($username) {
    1005. 

  1005.         $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding);
    1006. 

  1006. 

  1007.         $ldapconnection = $this->ldap_connect();
    1008. 

  1008. 

  1009.         $userdn = $this->ldap_find_userdn($ldapconnection, $extusername);
    1010. 

  1010.         switch ($this->config->user_type)  {
    1011. 

  1011.             case 'edir':
    1012. 

  1012.                 $newinfo['loginDisabled'] = 'FALSE';
    1013. 

  1013.                 break;
    1014. 

  1014.             case 'rfc2307':
    1015. 

  1015.             case 'rfc2307bis':
    1016. 

  1016.                 // Remember that we add a '*' character in front of the
    1017. 

  1017.                 // external password string to 'disable' the account. We just
    1018. 

  1018.                 // need to remove it.
    1019. 

  1019.                 $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
    1020. 

  1020.                                 array('userPassword'));
    1021. 

  1021.                 $info = ldap_get_entries($ldapconnection, $sr);
    1022. 

  1022.                 $info[0] = array_change_key_case($info[0], CASE_LOWER);
    1023. 

  1023.                 $newinfo['userPassword'] = ltrim($info[0]['userpassword'][0], '*');
    1024. 

  1024.                 break;
    1025. 

  1025.             case 'ad':
    1026. 

  1026.                 // We need to unset the ACCOUNTDISABLE bit in the
    1027. 

  1027.                 // userAccountControl attribute ( see
    1028. 

  1028.                 // http://support.microsoft.com/kb/305144 )
    1029. 

  1029.                 $sr = ldap_read($ldapconnection, $userdn, '(objectClass=*)',
    1030. 

  1030.                                 array('userAccountControl'));
    1031. 

  1031.                 $info = ldap_get_entries($ldapconnection, $sr);
    1032. 

  1032.                 $info[0] = array_change_key_case($info[0], CASE_LOWER);
    1033. 

  1033.                 $newinfo['userAccountControl'] = $info[0]['useraccountcontrol'][0]
    1034. 

  1034.                                                  & (~AUTH_AD_ACCOUNTDISABLE);
    1035. 

  1035.                 break;
    1036. 

  1036.             default:
    1037. 

  1037.                 print_error('user_activatenotsupportusertype', 'auth_ldap', '', $this->config->user_type_name);
    1038. 

  1038.         }
    1039. 

  1039.         $result = ldap_modify($ldapconnection, $userdn, $newinfo);
    1040. 

  1040.         $this->ldap_close();
    1041. 

  1041.         return $result;
    1042. 

  1042.     }
    1043. 

  1043. 

  1044.     /**
    1045. 

  1045.      * Returns true if user should be coursecreator.
    1046. 

  1046.      *
    1047. 

  1047.      * @param mixed $username    username (without system magic quotes)
    1048. 

  1048.      * @return mixed result      null if course creators is not configured, boolean otherwise.
    1049. 

  1049.      *
    1050. 

  1050.      * @deprecated since Moodle 3.4 MDL-30634 - please do not use this function any more.
    1051. 

  1051.      */
    1052. 

  1052.     function iscreator($username) {
    1053. 

  1053.         debugging('iscreator() is deprecated. Please use auth_plugin_ldap::is_role() instead.', DEBUG_DEVELOPER);
    1054. 

  1054. 

  1055.         if (empty($this->config->creators) or empty($this->config->memberattribute)) {
    1056. 

  1056.             return null;
    1057. 

  1057.         }
    1058. 

  1058. 

  1059.         $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding);
    1060. 

  1060. 

  1061.         $ldapconnection = $this->ldap_connect();
    1062. 

  1062. 

  1063.         if ($this->config->memberattribute_isdn) {
    1064. 

  1064.             if(!($userid = $this->ldap_find_userdn($ldapconnection, $extusername))) {
    1065. 

  1065.                 return false;
    1066. 

  1066.             }
    1067. 

  1067.         } else {
    1068. 

  1068.             $userid = $extusername;
    1069. 

  1069.         }
    1070. 

  1070. 

  1071.         $group_dns = explode(';', $this->config->creators);
    1072. 

  1072.         $creator = ldap_isgroupmember($ldapconnection, $userid, $group_dns, $this->config->memberattribute);
    1073. 

  1073. 

  1074.         $this->ldap_close();
    1075. 

  1075. 

  1076.         return $creator;
    1077. 

  1077.     }
    1078. 

  1078. 

  1079.     /**
    1080. 

  1080.      * Check if user has LDAP group membership.
    1081. 

  1081.      *
    1082. 

  1082.      * Returns true if user should be assigned role.
    1083. 

  1083.      *
    1084. 

  1084.      * @param mixed $username username (without system magic quotes).
    1085. 

  1085.      * @param array $role Array of role's shortname, localname, and settingname for the config value.
    1086. 

  1086.      * @return mixed result null if role/LDAP context is not configured, boolean otherwise.
    1087. 

  1087.      */
    1088. 

  1088.     private function is_role($username, $role) {
    1089. 

  1089.         if (empty($this->config->{$role['settingname']}) or empty($this->config->memberattribute)) {
    1090. 

  1090.             return null;
    1091. 

  1091.         }
    1092. 

  1092. 

  1093.         $extusername = core_text::convert($username, 'utf-8', $this->config->ldapencoding);
    1094. 

  1094. 

  1095.         $ldapconnection = $this->ldap_connect();
    1096. 

  1096. 

  1097.         if ($this->config->memberattribute_isdn) {
    1098. 

  1098.             if (!($userid = $this->ldap_find_userdn($ldapconnection, $extusername))) {
    1099. 

  1099.                 return false;
    1100. 

  1100.             }
    1101. 

  1101.         } else {
    1102. 

  1102.             $userid = $extusername;
    1103. 

  1103.         }
    1104. 

  1104. 

  1105.         $groupdns = explode(';', $this->config->{$role['settingname']});
    1106. 

  1106.         $isrole = ldap_isgroupmember($ldapconnection, $userid, $groupdns, $this->config->memberattribute);
    1107. 

  1107. 

  1108.         $this->ldap_close();
    1109. 

  1109. 

  1110.         return $isrole;
    1111. 

  1111.     }
    1112. 

  1112. 

  1113.     /**
    1114. 

  1114.      * Called when the user record is updated.
    1115. 

  1115.      *
    1116. 

  1116.      * Modifies user in external LDAP server. It takes olduser (before
    1117. 

  1117.      * changes) and newuser (after changes) compares information and
    1118. 

  1118.      * saves modified information to external LDAP server.
    1119. 

  1119.      *
    1120. 

  1120.      * @param mixed $olduser     Userobject before modifications    (without system magic quotes)
    1121. 

  1121.      * @param mixed $newuser     Userobject new modified userobject (without system magic quotes)
    1122. 

  1122.      * @return boolean result
    1123. 

  1123.      *
    1124. 

  1124.      */
    1125. 

  1125.     function user_update($olduser, $newuser) {
    1126. 

  1126.         global $CFG;
    1127. 

  1127. 

  1128.         require_once($CFG->dirroot . '/user/profile/lib.php');
    1129. 

  1129. 

  1130.         if (isset($olduser->username) and isset($newuser->username) and $olduser->username != $newuser->username) {
    1131. 

  1131.             error_log($this->errorlogtag.get_string('renamingnotallowed', 'auth_ldap'));
    1132. 

  1132.             return false;
    1133. 

  1133.         }
    1134. 

  1134. 

  1135.         if (isset($olduser->auth) and $olduser->auth != $this->authtype) {
    1136. 

  1136.             return true; // just change auth and skip update
    1137. 

  1137.         }
    1138. 

  1138. 

  1139.         $attrmap = $this->ldap_attributes();
    1140. 

  1140.         // Before doing anything else, make sure we really need to update anything
    1141. 

  1141.         // in the external LDAP server.
    1142. 

  1142.         $update_external = false;
    1143. 

  1143.         foreach ($attrmap as $key => $ldapkeys) {
    1144. 

  1144.             if (!empty($this->config->{'field_updateremote_'.$key})) {
    1145. 

  1145.                 $update_external = true;
    1146. 

  1146.                 break;
    1147. 

  1147.             }
    1148. 

  1148.         }
    1149. 

  1149.         if (!$update_external) {
    1150. 

  1150.             return true;
    1151. 

  1151.         }
    1152. 

  1152. 

  1153.         $extoldusername = core_text::convert($olduser->username, 'utf-8', $this->config->ldapencoding);
    1154. 

  1154. 

  1155.         $ldapconnection = $this->ldap_connect();
    1156. 

  1156. 

  1157.         $search_attribs = array();
    1158. 

  1158.         foreach ($attrmap as $key => $values) {
    1159. 

  1159.             if (!is_array($values)) {
    1160. 

  1160.                 $values = array($values);
    1161. 

  1161.             }
    1162. 

  1162.             foreach ($values as $value) {
    1163. 

  1163.                 if (!in_array($value, $search_attribs)) {
    1164. 

  1164.                     array_push($search_attribs, $value);
    1165. 

  1165.                 }
    1166. 

  1166.             }
    1167. 

  1167.         }
    1168. 

  1168. 

  1169.         if(!($user_dn = $this->ldap_find_userdn($ldapconnection, $extoldusername))) {
    1170. 

  1170.             return false;
    1171. 

  1171.         }
    1172. 

  1172. 

  1173.         // Load old custom fields.
    1174. 

  1174.         $olduserprofilefields = (array) profile_user_record($olduser->id, false);
    1175. 

  1175. 

  1176.         $fields = array();
    1177. 

  1177.         foreach (profile_get_custom_fields(false) as $field) {
    1178. 

  1178.             $fields[$field->shortname] = $field;
    1179. 

  1179.         }
    1180. 

  1180. 

  1181.         $success = true;
    1182. 

  1182.         $user_info_result = ldap_read($ldapconnection, $user_dn, '(objectClass=*)', $search_attribs);
    1183. 

  1183.         if ($user_info_result) {
    1184. 

  1184.             $user_entry = ldap_get_entries_moodle($ldapconnection, $user_info_result);
    1185. 

  1185.             if (empty($user_entry)) {
    1186. 

  1186.                 $attribs = join (', ', $search_attribs);
    1187. 

  1187.                 error_log($this->errorlogtag.get_string('updateusernotfound', 'auth_ldap',
    1188. 

  1188.                                                           array('userdn'=>$user_dn,
    1189. 

  1189.                                                                 'attribs'=>$attribs)));
    1190. 

  1190.                 return false; // old user not found!
    1191. 

  1191.             } else if (count($user_entry) > 1) {
    1192. 

  1192.                 error_log($this->errorlogtag.get_string('morethanoneuser', 'auth_ldap'));
    1193. 

  1193.                 return false;
    1194. 

  1194.             }
    1195. 

  1195. 

  1196.             $user_entry = $user_entry[0];
    1197. 

  1197. 

  1198.             foreach ($attrmap as $key => $ldapkeys) {
    1199. 

  1199.                 if (preg_match('/^profile_field_(.*)$/', $key, $match)) {
    1200. 

  1200.                     // Custom field.
    1201. 

  1201.                     $fieldname = $match[1];
    1202. 

  1202.                     if (isset($fields[$fieldname])) {
    1203. 

  1203.                         $class = 'profile_field_' . $fields[$fieldname]->datatype;
    1204. 

  1204.                         $formfield = new $class($fields[$fieldname]->id, $olduser->id);
    1205. 

  1205.                         $oldvalue = isset($olduserprofilefields[$fieldname]) ? $olduserprofilefields[$fieldname] : null;
    1206. 

  1206.                     } else {
    1207. 

  1207.                         $oldvalue = null;
    1208. 

  1208.                     }
    1209. 

  1209.                     $newvalue = $
    1210.

Large files files are truncated, but you can click here to view the full file