PageRenderTime 53ms CodeModel.GetById 17ms RepoModel.GetById 0ms app.codeStats 0ms

/enrol/ldap/lib.php

https://bitbucket.org/kudutest1/moodlegit
PHP | 992 lines | 649 code | 114 blank | 229 comment | 128 complexity | c8f44b41579f1ce341363caefefd5a88 MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. // This file is part of Moodle - http://moodle.org/
    4. 

  4. //
    5. 

  5. // Moodle is free software: you can redistribute it and/or modify
    6. 

  6. // it under the terms of the GNU General Public License as published by
    7. 

  7. // the Free Software Foundation, either version 3 of the License, or
    8. 

  8. // (at your option) any later version.
    9. 

  9. //
    10. 

  10. // Moodle is distributed in the hope that it will be useful,
    11. 

  11. // but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13. // GNU General Public License for more details.
    14. 

  14. //
    15. 

  15. // You should have received a copy of the GNU General Public License
    16. 

  16. // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
    17. 

  17. 

  18. /**
    19. 

  19.  * LDAP enrolment plugin implementation.
    20. 

  20.  *
    21. 

  21.  * This plugin synchronises enrolment and roles with a LDAP server.
    22. 

  22.  *
    23. 

  23.  * @package    enrol
    24. 

  24.  * @subpackage ldap
    25. 

  25.  * @author     Iñaki Arenaza - based on code by Martin Dougiamas, Martin Langhoff and others
    26. 

  26.  * @copyright  1999 onwards Martin Dougiamas {@link http://moodle.com}
    27. 

  27.  * @copyright  2010 Iñaki Arenaza <iarenaza@eps.mondragon.edu>
    28. 

  28.  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
    29. 

  29.  */
    30. 

  30. 

  31. defined('MOODLE_INTERNAL') || die();
    32. 

  32. 

  33. class enrol_ldap_plugin extends enrol_plugin {
    34. 

  34.     protected $enrol_localcoursefield = 'idnumber';
    35. 

  35.     protected $enroltype = 'enrol_ldap';
    36. 

  36.     protected $errorlogtag = '[ENROL LDAP] ';
    37. 

  37. 

  38.     /**
    39. 

  39.      * Constructor for the plugin. In addition to calling the parent
    40. 

  40.      * constructor, we define and 'fix' some settings depending on the
    41. 

  41.      * real settings the admin defined.
    42. 

  42.      */
    43. 

  43.     public function __construct() {
    44. 

  44.         global $CFG;
    45. 

  45.         require_once($CFG->libdir.'/ldaplib.php');
    46. 

  46. 

  47.         // Do our own stuff to fix the config (it's easier to do it
    48. 

  48.         // here than using the admin settings infrastructure). We
    49. 

  49.         // don't call $this->set_config() for any of the 'fixups'
    50. 

  50.         // (except the objectclass, as it's critical) because the user
    51. 

  51.         // didn't specify any values and relied on the default values
    52. 

  52.         // defined for the user type she chose.
    53. 

  53.         $this->load_config();
    54. 

  54. 

  55.         // Make sure we get sane defaults for critical values.
    56. 

  56.         $this->config->ldapencoding = $this->get_config('ldapencoding', 'utf-8');
    57. 

  57.         $this->config->user_type = $this->get_config('user_type', 'default');
    58. 

  58. 

  59.         $ldap_usertypes = ldap_supported_usertypes();
    60. 

  60.         $this->config->user_type_name = $ldap_usertypes[$this->config->user_type];
    61. 

  61.         unset($ldap_usertypes);
    62. 

  62. 

  63.         $default = ldap_getdefaults();
    64. 

  64.         // Remove the objectclass default, as the values specified there are for
    65. 

  65.         // users, and we are dealing with groups here.
    66. 

  66.         unset($default['objectclass']);
    67. 

  67. 

  68.         // Use defaults if values not given. Dont use this->get_config()
    69. 

  69.         // here to be able to check for 0 and false values too.
    70. 

  70.         foreach ($default as $key => $value) {
    71. 

  71.             // Watch out - 0, false are correct values too, so we can't use $this->get_config()
    72. 

  72.             if (!isset($this->config->{$key}) or $this->config->{$key} == '') {
    73. 

  73.                 $this->config->{$key} = $value[$this->config->user_type];
    74. 

  74.             }
    75. 

  75.         }
    76. 

  76. 

  77.         if (empty($this->config->objectclass)) {
    78. 

  78.             // Can't send empty filter. Fix it for now and future occasions
    79. 

  79.             $this->set_config('objectclass', '(objectClass=*)');
    80. 

  80.         } else if (stripos($this->config->objectclass, 'objectClass=') === 0) {
    81. 

  81.             // Value is 'objectClass=some-string-here', so just add ()
    82. 

  82.             // around the value (filter _must_ have them).
    83. 

  83.             // Fix it for now and future occasions
    84. 

  84.             $this->set_config('objectclass', '('.$this->config->objectclass.')');
    85. 

  85.         } else if (stripos($this->config->objectclass, '(') !== 0) {
    86. 

  86.             // Value is 'some-string-not-starting-with-left-parentheses',
    87. 

  87.             // which is assumed to be the objectClass matching value.
    88. 

  88.             // So build a valid filter with it.
    89. 

  89.             $this->set_config('objectclass', '(objectClass='.$this->config->objectclass.')');
    90. 

  90.         } else {
    91. 

  91.             // There is an additional possible value
    92. 

  92.             // '(some-string-here)', that can be used to specify any
    93. 

  93.             // valid filter string, to select subsets of users based
    94. 

  94.             // on any criteria. For example, we could select the users
    95. 

  95.             // whose objectClass is 'user' and have the
    96. 

  96.             // 'enabledMoodleUser' attribute, with something like:
    97. 

  97.             //
    98. 

  98.             //   (&(objectClass=user)(enabledMoodleUser=1))
    99. 

  99.             //
    100. 

  100.             // In this particular case we don't need to do anything,
    101. 

  101.             // so leave $this->config->objectclass as is.
    102. 

  102.         }
    103. 

  103.     }
    104. 

  104. 

  105.     /**
    106. 

  106.      * Is it possible to delete enrol instance via standard UI?
    107. 

  107.      *
    108. 

  108.      * @param object $instance
    109. 

  109.      * @return bool
    110. 

  110.      */
    111. 

  111.     public function instance_deleteable($instance) {
    112. 

  112.         if (!enrol_is_enabled('ldap')) {
    113. 

  113.             return true;
    114. 

  114.         }
    115. 

  115. 

  116.         if (!$this->get_config('ldap_host') or !$this->get_config('objectclass') or !$this->get_config('course_idnumber')) {
    117. 

  117.             return true;
    118. 

  118.         }
    119. 

  119. 

  120.         // TODO: connect to external system and make sure no users are to be enrolled in this course
    121. 

  121.         return false;
    122. 

  122.     }
    123. 

  123. 

  124.     /**
    125. 

  125.      * Forces synchronisation of user enrolments with LDAP server.
    126. 

  126.      * It creates courses if the plugin is configured to do so.
    127. 

  127.      *
    128. 

  128.      * @param object $user user record
    129. 

  129.      * @return void
    130. 

  130.      */
    131. 

  131.     public function sync_user_enrolments($user) {
    132. 

  132.         global $DB;
    133. 

  133. 

  134.         // Do not try to print anything to the output because this method is called during interactive login.
    135. 

  135.         $trace = new error_log_progress_trace($this->errorlogtag);
    136. 

  136. 

  137.         if (!$this->ldap_connect($trace)) {
    138. 

  138.             $trace->finished();
    139. 

  139.             return;
    140. 

  140.         }
    141. 

  141. 

  142.         if (!is_object($user) or !property_exists($user, 'id')) {
    143. 

  143.             throw new coding_exception('Invalid $user parameter in sync_user_enrolments()');
    144. 

  144.         }
    145. 

  145. 

  146.         if (!property_exists($user, 'idnumber')) {
    147. 

  147.             debugging('Invalid $user parameter in sync_user_enrolments(), missing idnumber');
    148. 

  148.             $user = $DB->get_record('user', array('id'=>$user->id));
    149. 

  149.         }
    150. 

  150. 

  151.         // We may need a lot of memory here
    152. 

  152.         @set_time_limit(0);
    153. 

  153.         raise_memory_limit(MEMORY_HUGE);
    154. 

  154. 

  155.         // Get enrolments for each type of role.
    156. 

  156.         $roles = get_all_roles();
    157. 

  157.         $enrolments = array();
    158. 

  158.         foreach($roles as $role) {
    159. 

  159.             // Get external enrolments according to LDAP server
    160. 

  160.             $enrolments[$role->id]['ext'] = $this->find_ext_enrolments($user->idnumber, $role);
    161. 

  161. 

  162.             // Get the list of current user enrolments that come from LDAP
    163. 

  163.             $sql= "SELECT e.courseid, ue.status, e.id as enrolid, c.shortname
    164. 

  164.                      FROM {user} u
    165. 

  165.                      JOIN {role_assignments} ra ON (ra.userid = u.id AND ra.component = 'enrol_ldap' AND ra.roleid = :roleid)
    166. 

  166.                      JOIN {user_enrolments} ue ON (ue.userid = u.id AND ue.enrolid = ra.itemid)
    167. 

  167.                      JOIN {enrol} e ON (e.id = ue.enrolid)
    168. 

  168.                      JOIN {course} c ON (c.id = e.courseid)
    169. 

  169.                     WHERE u.deleted = 0 AND u.id = :userid";
    170. 

  170.             $params = array ('roleid'=>$role->id, 'userid'=>$user->id);
    171. 

  171.             $enrolments[$role->id]['current'] = $DB->get_records_sql($sql, $params);
    172. 

  172.         }
    173. 

  173. 

  174.         $ignorehidden = $this->get_config('ignorehiddencourses');
    175. 

  175.         $courseidnumber = $this->get_config('course_idnumber');
    176. 

  176.         foreach($roles as $role) {
    177. 

  177.             foreach ($enrolments[$role->id]['ext'] as $enrol) {
    178. 

  178.                 $course_ext_id = $enrol[$courseidnumber][0];
    179. 

  179.                 if (empty($course_ext_id)) {
    180. 

  180.                     $trace->output(get_string('extcourseidinvalid', 'enrol_ldap'));
    181. 

  181.                     continue; // Next; skip this one!
    182. 

  182.                 }
    183. 

  183. 

  184.                 // Create the course if required
    185. 

  185.                 $course = $DB->get_record('course', array($this->enrol_localcoursefield=>$course_ext_id));
    186. 

  186.                 if (empty($course)) { // Course doesn't exist
    187. 

  187.                     if ($this->get_config('autocreate')) { // Autocreate
    188. 

  188.                         $trace->output(get_string('createcourseextid', 'enrol_ldap', array('courseextid'=>$course_ext_id)));
    189. 

  189.                         if (!$newcourseid = $this->create_course($enrol, $trace)) {
    190. 

  190.                             continue;
    191. 

  191.                         }
    192. 

  192.                         $course = $DB->get_record('course', array('id'=>$newcourseid));
    193. 

  193.                     } else {
    194. 

  194.                         $trace->output(get_string('createnotcourseextid', 'enrol_ldap', array('courseextid'=>$course_ext_id)));
    195. 

  195.                         continue; // Next; skip this one!
    196. 

  196.                     }
    197. 

  197.                 }
    198. 

  198. 

  199.                 // Deal with enrolment in the moodle db
    200. 

  200.                 // Add necessary enrol instance if not present yet;
    201. 

  201.                 $sql = "SELECT c.id, c.visible, e.id as enrolid
    202. 

  202.                           FROM {course} c
    203. 

  203.                           JOIN {enrol} e ON (e.courseid = c.id AND e.enrol = 'ldap')
    204. 

  204.                          WHERE c.id = :courseid";
    205. 

  205.                 $params = array('courseid'=>$course->id);
    206. 

  206.                 if (!($course_instance = $DB->get_record_sql($sql, $params, IGNORE_MULTIPLE))) {
    207. 

  207.                     $course_instance = new stdClass();
    208. 

  208.                     $course_instance->id = $course->id;
    209. 

  209.                     $course_instance->visible = $course->visible;
    210. 

  210.                     $course_instance->enrolid = $this->add_instance($course_instance);
    211. 

  211.                 }
    212. 

  212. 

  213.                 if (!$instance = $DB->get_record('enrol', array('id'=>$course_instance->enrolid))) {
    214. 

  214.                     continue; // Weird; skip this one.
    215. 

  215.                 }
    216. 

  216. 

  217.                 if ($ignorehidden && !$course_instance->visible) {
    218. 

  218.                     continue;
    219. 

  219.                 }
    220. 

  220. 

  221.                 if (empty($enrolments[$role->id]['current'][$course->id])) {
    222. 

  222.                     // Enrol the user in the given course, with that role.
    223. 

  223.                     $this->enrol_user($instance, $user->id, $role->id);
    224. 

  224.                     // Make sure we set the enrolment status to active. If the user wasn't
    225. 

  225.                     // previously enrolled to the course, enrol_user() sets it. But if we
    226. 

  226.                     // configured the plugin to suspend the user enrolments _AND_ remove
    227. 

  227.                     // the role assignments on external unenrol, then enrol_user() doesn't
    228. 

  228.                     // set it back to active on external re-enrolment. So set it
    229. 

  229.                     // unconditionnally to cover both cases.
    230. 

  230.                     $DB->set_field('user_enrolments', 'status', ENROL_USER_ACTIVE, array('enrolid'=>$instance->id, 'userid'=>$user->id));
    231. 

  231.                     $trace->output(get_string('enroluser', 'enrol_ldap',
    232. 

  232.                         array('user_username'=> $user->username,
    233. 

  233.                               'course_shortname'=>$course->shortname,
    234. 

  234.                               'course_id'=>$course->id)));
    235. 

  235.                 } else {
    236. 

  236.                     if ($enrolments[$role->id]['current'][$course->id]->status == ENROL_USER_SUSPENDED) {
    237. 

  237.                         // Reenable enrolment that was previously disabled. Enrolment refreshed
    238. 

  238.                         $DB->set_field('user_enrolments', 'status', ENROL_USER_ACTIVE, array('enrolid'=>$instance->id, 'userid'=>$user->id));
    239. 

  239.                         $trace->output(get_string('enroluserenable', 'enrol_ldap',
    240. 

  240.                             array('user_username'=> $user->username,
    241. 

  241.                                   'course_shortname'=>$course->shortname,
    242. 

  242.                                   'course_id'=>$course->id)));
    243. 

  243.                     }
    244. 

  244.                 }
    245. 

  245. 

  246.                 // Remove this course from the current courses, to be able to detect
    247. 

  247.                 // which current courses should be unenroled from when we finish processing
    248. 

  248.                 // external enrolments.
    249. 

  249.                 unset($enrolments[$role->id]['current'][$course->id]);
    250. 

  250.             }
    251. 

  251. 

  252.             // Deal with unenrolments.
    253. 

  253.             $transaction = $DB->start_delegated_transaction();
    254. 

  254.             foreach ($enrolments[$role->id]['current'] as $course) {
    255. 

  255.                 $context = context_course::instance($course->courseid);
    256. 

  256.                 $instance = $DB->get_record('enrol', array('id'=>$course->enrolid));
    257. 

  257.                 switch ($this->get_config('unenrolaction')) {
    258. 

  258.                     case ENROL_EXT_REMOVED_UNENROL:
    259. 

  259.                         $this->unenrol_user($instance, $user->id);
    260. 

  260.                         $trace->output(get_string('extremovedunenrol', 'enrol_ldap',
    261. 

  261.                             array('user_username'=> $user->username,
    262. 

  262.                                   'course_shortname'=>$course->shortname,
    263. 

  263.                                   'course_id'=>$course->courseid)));
    264. 

  264.                         break;
    265. 

  265.                     case ENROL_EXT_REMOVED_KEEP:
    266. 

  266.                         // Keep - only adding enrolments
    267. 

  267.                         break;
    268. 

  268.                     case ENROL_EXT_REMOVED_SUSPEND:
    269. 

  269.                         if ($course->status != ENROL_USER_SUSPENDED) {
    270. 

  270.                             $DB->set_field('user_enrolments', 'status', ENROL_USER_SUSPENDED, array('enrolid'=>$instance->id, 'userid'=>$user->id));
    271. 

  271.                             $trace->output(get_string('extremovedsuspend', 'enrol_ldap',
    272. 

  272.                                 array('user_username'=> $user->username,
    273. 

  273.                                       'course_shortname'=>$course->shortname,
    274. 

  274.                                       'course_id'=>$course->courseid)));
    275. 

  275.                         }
    276. 

  276.                         break;
    277. 

  277.                     case ENROL_EXT_REMOVED_SUSPENDNOROLES:
    278. 

  278.                         if ($course->status != ENROL_USER_SUSPENDED) {
    279. 

  279.                             $DB->set_field('user_enrolments', 'status', ENROL_USER_SUSPENDED, array('enrolid'=>$instance->id, 'userid'=>$user->id));
    280. 

  280.                         }
    281. 

  281.                         role_unassign_all(array('contextid'=>$context->id, 'userid'=>$user->id, 'component'=>'enrol_ldap', 'itemid'=>$instance->id));
    282. 

  282.                         $trace->output(get_string('extremovedsuspendnoroles', 'enrol_ldap',
    283. 

  283.                             array('user_username'=> $user->username,
    284. 

  284.                                   'course_shortname'=>$course->shortname,
    285. 

  285.                                   'course_id'=>$course->courseid)));
    286. 

  286.                         break;
    287. 

  287.                 }
    288. 

  288.             }
    289. 

  289.             $transaction->allow_commit();
    290. 

  290.         }
    291. 

  291. 

  292.         $this->ldap_close();
    293. 

  293. 

  294.         $trace->finished();
    295. 

  295.     }
    296. 

  296. 

  297.     /**
    298. 

  298.      * Forces synchronisation of all enrolments with LDAP server.
    299. 

  299.      * It creates courses if the plugin is configured to do so.
    300. 

  300.      *
    301. 

  301.      * @param progress_trace $trace
    302. 

  302.      * @param int|null $onecourse limit sync to one course->id, null if all courses
    303. 

  303.      * @return void
    304. 

  304.      */
    305. 

  305.     public function sync_enrolments(progress_trace $trace, $onecourse = null) {
    306. 

  306.         global $CFG, $DB;
    307. 

  307. 

  308.         if (!$this->ldap_connect($trace)) {
    309. 

  309.             $trace->finished();
    310. 

  310.             return;
    311. 

  311.         }
    312. 

  312. 

  313.         $ldap_pagedresults = ldap_paged_results_supported($this->get_config('ldap_version'));
    314. 

  314. 

  315.         // we may need a lot of memory here
    316. 

  316.         @set_time_limit(0);
    317. 

  317.         raise_memory_limit(MEMORY_HUGE);
    318. 

  318. 

  319.         $oneidnumber = null;
    320. 

  320.         if ($onecourse) {
    321. 

  321.             if (!$course = $DB->get_record('course', array('id'=>$onecourse), 'id,'.$this->enrol_localcoursefield)) {
    322. 

  322.                 // Course does not exist, nothing to do.
    323. 

  323.                 $trace->output("Requested course $onecourse does not exist, no sync performed.");
    324. 

  324.                 $trace->finished();
    325. 

  325.                 return;
    326. 

  326.             }
    327. 

  327.             if (empty($course->{$this->enrol_localcoursefield})) {
    328. 

  328.                 $trace->output("Requested course $onecourse does not have {$this->enrol_localcoursefield}, no sync performed.");
    329. 

  329.                 $trace->finished();
    330. 

  330.                 return;
    331. 

  331.             }
    332. 

  332.             $oneidnumber = ldap_filter_addslashes(textlib::convert($course->idnumber, 'utf-8', $this->get_config('ldapencoding')));
    333. 

  333.         }
    334. 

  334. 

  335.         // Get enrolments for each type of role.
    336. 

  336.         $roles = get_all_roles();
    337. 

  337.         $enrolments = array();
    338. 

  338.         foreach($roles as $role) {
    339. 

  339.             // Get all contexts
    340. 

  340.             $ldap_contexts = explode(';', $this->config->{'contexts_role'.$role->id});
    341. 

  341. 

  342.             // Get all the fields we will want for the potential course creation
    343. 

  343.             // as they are light. Don't get membership -- potentially a lot of data.
    344. 

  344.             $ldap_fields_wanted = array('dn', $this->config->course_idnumber);
    345. 

  345.             if (!empty($this->config->course_fullname)) {
    346. 

  346.                 array_push($ldap_fields_wanted, $this->config->course_fullname);
    347. 

  347.             }
    348. 

  348.             if (!empty($this->config->course_shortname)) {
    349. 

  349.                 array_push($ldap_fields_wanted, $this->config->course_shortname);
    350. 

  350.             }
    351. 

  351.             if (!empty($this->config->course_summary)) {
    352. 

  352.                 array_push($ldap_fields_wanted, $this->config->course_summary);
    353. 

  353.             }
    354. 

  354.             array_push($ldap_fields_wanted, $this->config->{'memberattribute_role'.$role->id});
    355. 

  355. 

  356.             // Define the search pattern
    357. 

  357.             $ldap_search_pattern = $this->config->objectclass;
    358. 

  358. 

  359.             if ($oneidnumber !== null) {
    360. 

  360.                 $ldap_search_pattern = "(&$ldap_search_pattern({$this->config->course_idnumber}=$oneidnumber))";
    361. 

  361.             }
    362. 

  362. 

  363.             $ldap_cookie = '';
    364. 

  364.             foreach ($ldap_contexts as $ldap_context) {
    365. 

  365.                 $ldap_context = trim($ldap_context);
    366. 

  366.                 if (empty($ldap_context)) {
    367. 

  367.                     continue; // Next;
    368. 

  368.                 }
    369. 

  369. 

  370.                 $flat_records = array();
    371. 

  371.                 do {
    372. 

  372.                     if ($ldap_pagedresults) {
    373. 

  373.                         ldap_control_paged_result($this->ldapconnection, $this->config->pagesize, true, $ldap_cookie);
    374. 

  374.                     }
    375. 

  375. 

  376.                     if ($this->config->course_search_sub) {
    377. 

  377.                         // Use ldap_search to find first user from subtree
    378. 

  378.                         $ldap_result = @ldap_search($this->ldapconnection,
    379. 

  379.                                                     $ldap_context,
    380. 

  380.                                                     $ldap_search_pattern,
    381. 

  381.                                                     $ldap_fields_wanted);
    382. 

  382.                     } else {
    383. 

  383.                         // Search only in this context
    384. 

  384.                         $ldap_result = @ldap_list($this->ldapconnection,
    385. 

  385.                                                   $ldap_context,
    386. 

  386.                                                   $ldap_search_pattern,
    387. 

  387.                                                   $ldap_fields_wanted);
    388. 

  388.                     }
    389. 

  389.                     if (!$ldap_result) {
    390. 

  390.                         continue; // Next
    391. 

  391.                     }
    392. 

  392. 

  393.                     if ($ldap_pagedresults) {
    394. 

  394.                         ldap_control_paged_result_response($this->ldapconnection, $ldap_result, $ldap_cookie);
    395. 

  395.                     }
    396. 

  396. 

  397.                     // Check and push results
    398. 

  398.                     $records = ldap_get_entries($this->ldapconnection, $ldap_result);
    399. 

  399. 

  400.                     // LDAP libraries return an odd array, really. fix it:
    401. 

  401.                     for ($c = 0; $c < $records['count']; $c++) {
    402. 

  402.                         array_push($flat_records, $records[$c]);
    403. 

  403.                     }
    404. 

  404.                     // Free some mem
    405. 

  405.                     unset($records);
    406. 

  406.                 } while ($ldap_pagedresults && !empty($ldap_cookie));
    407. 

  407. 

  408.                 // If LDAP paged results were used, the current connection must be completely
    409. 

  409.                 // closed and a new one created, to work without paged results from here on.
    410. 

  410.                 if ($ldap_pagedresults) {
    411. 

  411.                     $this->ldap_close();
    412. 

  412.                     $this->ldap_connect($trace);
    413. 

  413.                 }
    414. 

  414. 

  415.                 if (count($flat_records)) {
    416. 

  416.                     $ignorehidden = $this->get_config('ignorehiddencourses');
    417. 

  417.                     foreach($flat_records as $course) {
    418. 

  418.                         $course = array_change_key_case($course, CASE_LOWER);
    419. 

  419.                         $idnumber = $course{$this->config->course_idnumber}[0];
    420. 

  420.                         $trace->output(get_string('synccourserole', 'enrol_ldap', array('idnumber'=>$idnumber, 'role_shortname'=>$role->shortname)));
    421. 

  421. 

  422.                         // Does the course exist in moodle already?
    423. 

  423.                         $course_obj = $DB->get_record('course', array($this->enrol_localcoursefield=>$idnumber));
    424. 

  424.                         if (empty($course_obj)) { // Course doesn't exist
    425. 

  425.                             if ($this->get_config('autocreate')) { // Autocreate
    426. 

  426.                                 $trace->output(get_string('createcourseextid', 'enrol_ldap', array('courseextid'=>$idnumber)));
    427. 

  427.                                 if (!$newcourseid = $this->create_course($course, $trace)) {
    428. 

  428.                                     continue;
    429. 

  429.                                 }
    430. 

  430.                                 $course_obj = $DB->get_record('course', array('id'=>$newcourseid));
    431. 

  431.                             } else {
    432. 

  432.                                 $trace->output(get_string('createnotcourseextid', 'enrol_ldap', array('courseextid'=>$idnumber)));
    433. 

  433.                                 continue; // Next; skip this one!
    434. 

  434.                             }
    435. 

  435.                         }
    436. 

  436. 

  437.                         // Enrol & unenrol
    438. 

  438. 

  439.                         // Pull the ldap membership into a nice array
    440. 

  440.                         // this is an odd array -- mix of hash and array --
    441. 

  441.                         $ldapmembers = array();
    442. 

  442. 

  443.                         if (array_key_exists('memberattribute_role'.$role->id, $this->config)
    444. 

  444.                             && !empty($this->config->{'memberattribute_role'.$role->id})
    445. 

  445.                             && !empty($course[$this->config->{'memberattribute_role'.$role->id}])) { // May have no membership!
    446. 

  446. 

  447.                             $ldapmembers = $course[$this->config->{'memberattribute_role'.$role->id}];
    448. 

  448.                             unset($ldapmembers['count']); // Remove oddity ;)
    449. 

  449. 

  450.                             // If we have enabled nested groups, we need to expand
    451. 

  451.                             // the groups to get the real user list. We need to do
    452. 

  452.                             // this before dealing with 'memberattribute_isdn'.
    453. 

  453.                             if ($this->config->nested_groups) {
    454. 

  454.                                 $users = array();
    455. 

  455.                                 foreach ($ldapmembers as $ldapmember) {
    456. 

  456.                                     $grpusers = $this->ldap_explode_group($ldapmember,
    457. 

  457.                                                                           $this->config->{'memberattribute_role'.$role->id});
    458. 

  458. 

  459.                                     $users = array_merge($users, $grpusers);
    460. 

  460.                                 }
    461. 

  461.                                 $ldapmembers = array_unique($users); // There might be duplicates.
    462. 

  462.                             }
    463. 

  463. 

  464.                             // Deal with the case where the member attribute holds distinguished names,
    465. 

  465.                             // but only if the user attribute is not a distinguished name itself.
    466. 

  466.                             if ($this->config->memberattribute_isdn
    467. 

  467.                                 && ($this->config->idnumber_attribute !== 'dn')
    468. 

  468.                                 && ($this->config->idnumber_attribute !== 'distinguishedname')) {
    469. 

  469.                                 // We need to retrieve the idnumber for all the users in $ldapmembers,
    470. 

  470.                                 // as the idnumber does not match their dn and we get dn's from membership.
    471. 

  471.                                 $memberidnumbers = array();
    472. 

  472.                                 foreach ($ldapmembers as $ldapmember) {
    473. 

  473.                                     $result = ldap_read($this->ldapconnection, $ldapmember, '(objectClass=*)',
    474. 

  474.                                                         array($this->config->idnumber_attribute));
    475. 

  475.                                     $entry = ldap_first_entry($this->ldapconnection, $result);
    476. 

  476.                                     $values = ldap_get_values($this->ldapconnection, $entry, $this->config->idnumber_attribute);
    477. 

  477.                                     array_push($memberidnumbers, $values[0]);
    478. 

  478.                                 }
    479. 

  479. 

  480.                                 $ldapmembers = $memberidnumbers;
    481. 

  481.                             }
    482. 

  482.                         }
    483. 

  483. 

  484.                         // Prune old ldap enrolments
    485. 

  485.                         // hopefully they'll fit in the max buffer size for the RDBMS
    486. 

  486.                         $sql= "SELECT u.id as userid, u.username, ue.status,
    487. 

  487.                                       ra.contextid, ra.itemid as instanceid
    488. 

  488.                                  FROM {user} u
    489. 

  489.                                  JOIN {role_assignments} ra ON (ra.userid = u.id AND ra.component = 'enrol_ldap' AND ra.roleid = :roleid)
    490. 

  490.                                  JOIN {user_enrolments} ue ON (ue.userid = u.id AND ue.enrolid = ra.itemid)
    491. 

  491.                                  JOIN {enrol} e ON (e.id = ue.enrolid)
    492. 

  492.                                 WHERE u.deleted = 0 AND e.courseid = :courseid ";
    493. 

  493.                         $params = array('roleid'=>$role->id, 'courseid'=>$course_obj->id);
    494. 

  494.                         $context = context_course::instance($course_obj->id);
    495. 

  495.                         if (!empty($ldapmembers)) {
    496. 

  496.                             list($ldapml, $params2) = $DB->get_in_or_equal($ldapmembers, SQL_PARAMS_NAMED, 'm', false);
    497. 

  497.                             $sql .= "AND u.idnumber $ldapml";
    498. 

  498.                             $params = array_merge($params, $params2);
    499. 

  499.                             unset($params2);
    500. 

  500.                         } else {
    501. 

  501.                             $shortname = format_string($course_obj->shortname, true, array('context' => $context));
    502. 

  502.                             $trace->output(get_string('emptyenrolment', 'enrol_ldap',
    503. 

  503.                                          array('role_shortname'=> $role->shortname,
    504. 

  504.                                                'course_shortname' => $shortname)));
    505. 

  505.                         }
    506. 

  506.                         $todelete = $DB->get_records_sql($sql, $params);
    507. 

  507. 

  508.                         if (!empty($todelete)) {
    509. 

  509.                             $transaction = $DB->start_delegated_transaction();
    510. 

  510.                             foreach ($todelete as $row) {
    511. 

  511.                                 $instance = $DB->get_record('enrol', array('id'=>$row->instanceid));
    512. 

  512.                                 switch ($this->get_config('unenrolaction')) {
    513. 

  513.                                 case ENROL_EXT_REMOVED_UNENROL:
    514. 

  514.                                     $this->unenrol_user($instance, $row->userid);
    515. 

  515.                                     $trace->output(get_string('extremovedunenrol', 'enrol_ldap',
    516. 

  516.                                         array('user_username'=> $row->username,
    517. 

  517.                                               'course_shortname'=>$course_obj->shortname,
    518. 

  518.                                               'course_id'=>$course_obj->id)));
    519. 

  519.                                     break;
    520. 

  520.                                 case ENROL_EXT_REMOVED_KEEP:
    521. 

  521.                                     // Keep - only adding enrolments
    522. 

  522.                                     break;
    523. 

  523.                                 case ENROL_EXT_REMOVED_SUSPEND:
    524. 

  524.                                     if ($row->status != ENROL_USER_SUSPENDED) {
    525. 

  525.                                         $DB->set_field('user_enrolments', 'status', ENROL_USER_SUSPENDED, array('enrolid'=>$instance->id, 'userid'=>$row->userid));
    526. 

  526.                                         $trace->output(get_string('extremovedsuspend', 'enrol_ldap',
    527. 

  527.                                             array('user_username'=> $row->username,
    528. 

  528.                                                   'course_shortname'=>$course_obj->shortname,
    529. 

  529.                                                   'course_id'=>$course_obj->id)));
    530. 

  530.                                     }
    531. 

  531.                                     break;
    532. 

  532.                                 case ENROL_EXT_REMOVED_SUSPENDNOROLES:
    533. 

  533.                                     if ($row->status != ENROL_USER_SUSPENDED) {
    534. 

  534.                                         $DB->set_field('user_enrolments', 'status', ENROL_USER_SUSPENDED, array('enrolid'=>$instance->id, 'userid'=>$row->userid));
    535. 

  535.                                     }
    536. 

  536.                                     role_unassign_all(array('contextid'=>$row->contextid, 'userid'=>$row->userid, 'component'=>'enrol_ldap', 'itemid'=>$instance->id));
    537. 

  537.                                     $trace->output(get_string('extremovedsuspendnoroles', 'enrol_ldap',
    538. 

  538.                                         array('user_username'=> $row->username,
    539. 

  539.                                               'course_shortname'=>$course_obj->shortname,
    540. 

  540.                                               'course_id'=>$course_obj->id)));
    541. 

  541.                                     break;
    542. 

  542.                                 }
    543. 

  543.                             }
    544. 

  544.                             $transaction->allow_commit();
    545. 

  545.                         }
    546. 

  546. 

  547.                         // Insert current enrolments
    548. 

  548.                         // bad we can't do INSERT IGNORE with postgres...
    549. 

  549. 

  550.                         // Add necessary enrol instance if not present yet;
    551. 

  551.                         $sql = "SELECT c.id, c.visible, e.id as enrolid
    552. 

  552.                                   FROM {course} c
    553. 

  553.                                   JOIN {enrol} e ON (e.courseid = c.id AND e.enrol = 'ldap')
    554. 

  554.                                  WHERE c.id = :courseid";
    555. 

  555.                         $params = array('courseid'=>$course_obj->id);
    556. 

  556.                         if (!($course_instance = $DB->get_record_sql($sql, $params, IGNORE_MULTIPLE))) {
    557. 

  557.                             $course_instance = new stdClass();
    558. 

  558.                             $course_instance->id = $course_obj->id;
    559. 

  559.                             $course_instance->visible = $course_obj->visible;
    560. 

  560.                             $course_instance->enrolid = $this->add_instance($course_instance);
    561. 

  561.                         }
    562. 

  562. 

  563.                         if (!$instance = $DB->get_record('enrol', array('id'=>$course_instance->enrolid))) {
    564. 

  564.                             continue; // Weird; skip this one.
    565. 

  565.                         }
    566. 

  566. 

  567.                         if ($ignorehidden && !$course_instance->visible) {
    568. 

  568.                             continue;
    569. 

  569.                         }
    570. 

  570. 

  571.                         $transaction = $DB->start_delegated_transaction();
    572. 

  572.                         foreach ($ldapmembers as $ldapmember) {
    573. 

  573.                             $sql = 'SELECT id,username,1 FROM {user} WHERE idnumber = ? AND deleted = 0';
    574. 

  574.                             $member = $DB->get_record_sql($sql, array($ldapmember));
    575. 

  575.                             if(empty($member) || empty($member->id)){
    576. 

  576.                                 $trace->output(get_string('couldnotfinduser', 'enrol_ldap', $ldapmember));
    577. 

  577.                                 continue;
    578. 

  578.                             }
    579. 

  579. 

  580.                             $sql= "SELECT ue.status
    581. 

  581.                                      FROM {user_enrolments} ue
    582. 

  582.                                      JOIN {enrol} e ON (e.id = ue.enrolid AND e.enrol = 'ldap')
    583. 

  583.                                     WHERE e.courseid = :courseid AND ue.userid = :userid";
    584. 

  584.                             $params = array('courseid'=>$course_obj->id, 'userid'=>$member->id);
    585. 

  585.                             $userenrolment = $DB->get_record_sql($sql, $params, IGNORE_MULTIPLE);
    586. 

  586. 

  587.                             if (empty($userenrolment)) {
    588. 

  588.                                 $this->enrol_user($instance, $member->id, $role->id);
    589. 

  589.                                 // Make sure we set the enrolment status to active. If the user wasn't
    590. 

  590.                                 // previously enrolled to the course, enrol_user() sets it. But if we
    591. 

  591.                                 // configured the plugin to suspend the user enrolments _AND_ remove
    592. 

  592.                                 // the role assignments on external unenrol, then enrol_user() doesn't
    593. 

  593.                                 // set it back to active on external re-enrolment. So set it
    594. 

  594.                                 // unconditionally to cover both cases.
    595. 

  595.                                 $DB->set_field('user_enrolments', 'status', ENROL_USER_ACTIVE, array('enrolid'=>$instance->id, 'userid'=>$member->id));
    596. 

  596.                                 $trace->output(get_string('enroluser', 'enrol_ldap',
    597. 

  597.                                     array('user_username'=> $member->username,
    598. 

  598.                                           'course_shortname'=>$course_obj->shortname,
    599. 

  599.                                           'course_id'=>$course_obj->id)));
    600. 

  600. 

  601.                             } else {
    602. 

  602.                                 if (!$DB->record_exists('role_assignments', array('roleid'=>$role->id, 'userid'=>$member->id, 'contextid'=>$context->id, 'component'=>'enrol_ldap', 'itemid'=>$instance->id))) {
    603. 

  603.                                     // This happens when reviving users or when user has multiple roles in one course.
    604. 

  604.                                     $context = context_course::instance($course_obj->id);
    605. 

  605.                                     role_assign($role->id, $member->id, $context->id, 'enrol_ldap', $instance->id);
    606. 

  606.                                     $trace->output("Assign role to user '$member->username' in course '$course_obj->shortname ($course_obj->id)'");
    607. 

  607.                                 }
    608. 

  608.                                 if ($userenrolment->status == ENROL_USER_SUSPENDED) {
    609. 

  609.                                     // Reenable enrolment that was previously disabled. Enrolment refreshed
    610. 

  610.                                     $DB->set_field('user_enrolments', 'status', ENROL_USER_ACTIVE, array('enrolid'=>$instance->id, 'userid'=>$member->id));
    611. 

  611.                                     $trace->output(get_string('enroluserenable', 'enrol_ldap',
    612. 

  612.                                         array('user_username'=> $member->username,
    613. 

  613.                                               'course_shortname'=>$course_obj->shortname,
    614. 

  614.                                               'course_id'=>$course_obj->id)));
    615. 

  615.                                 }
    616. 

  616.                             }
    617. 

  617.                         }
    618. 

  618.                         $transaction->allow_commit();
    619. 

  619.                     }
    620. 

  620.                 }
    621. 

  621.             }
    622. 

  622.         }
    623. 

  623.         @$this->ldap_close();
    624. 

  624.         $trace->finished();
    625. 

  625.     }
    626. 

  626. 

  627.     /**
    628. 

  628.      * Connect to the LDAP server, using the plugin configured
    629. 

  629.      * settings. It's actually a wrapper around ldap_connect_moodle()
    630. 

  630.      *
    631. 

  631.      * @param progress_trace $trace
    632. 

  632.      * @return bool success
    633. 

  633.      */
    634. 

  634.     protected function ldap_connect(progress_trace $trace = null) {
    635. 

  635.         global $CFG;
    636. 

  636.         require_once($CFG->libdir.'/ldaplib.php');
    637. 

  637. 

  638.         if (isset($this->ldapconnection)) {
    639. 

  639.             return true;
    640. 

  640.         }
    641. 

  641. 

  642.         if ($ldapconnection = ldap_connect_moodle($this->get_config('host_url'), $this->get_config('ldap_version'),
    643. 

  643.                                                   $this->get_config('user_type'), $this->get_config('bind_dn'),
    644. 

  644.                                                   $this->get_config('bind_pw'), $this->get_config('opt_deref'),
    645. 

  645.                                                   $debuginfo, $this->get_config('start_tls'))) {
    646. 

  646.             $this->ldapconnection = $ldapconnection;
    647. 

  647.             return true;
    648. 

  648.         }
    649. 

  649. 

  650.         if ($trace) {
    651. 

  651.             $trace->output($debuginfo);
    652. 

  652.         } else {
    653. 

  653.             error_log($this->errorlogtag.$debuginfo);
    654. 

  654.         }
    655. 

  655. 

  656.         return false;
    657. 

  657.     }
    658. 

  658. 

  659.     /**
    660. 

  660.      * Disconnects from a LDAP server
    661. 

  661.      *
    662. 

  662.      */
    663. 

  663.     protected function ldap_close() {
    664. 

  664.         if (isset($this->ldapconnection)) {
    665. 

  665.             @ldap_close($this->ldapconnection);
    666. 

  666.             $this->ldapconnection = null;
    667. 

  667.         }
    668. 

  668.         return;
    669. 

  669.     }
    670. 

  670. 

  671.     /**
    672. 

  672.      * Return multidimensional array with details of user courses (at
    673. 

  673.      * least dn and idnumber).
    674. 

  674.      *
    675. 

  675.      * @param string $memberuid user idnumber (without magic quotes).
    676. 

  676.      * @param object role is a record from the mdl_role table.
    677. 

  677.      * @return array
    678. 

  678.      */
    679. 

  679.     protected function find_ext_enrolments($memberuid, $role) {
    680. 

  680.         global $CFG;
    681. 

  681.         require_once($CFG->libdir.'/ldaplib.php');
    682. 

  682. 

  683.         if (empty($memberuid)) {
    684. 

  684.             // No "idnumber" stored for this user, so no LDAP enrolments
    685. 

  685.             return array();
    686. 

  686.         }
    687. 

  687. 

  688.         $ldap_contexts = trim($this->get_config('contexts_role'.$role->id));
    689. 

  689.         if (empty($ldap_contexts)) {
    690. 

  690.             // No role contexts, so no LDAP enrolments
    691. 

  691.             return array();
    692. 

  692.         }
    693. 

  693. 

  694.         $extmemberuid = textlib::convert($memberuid, 'utf-8', $this->get_config('ldapencoding'));
    695. 

  695. 

  696.         if($this->get_config('memberattribute_isdn')) {
    697. 

  697.             if (!($extmemberuid = $this->ldap_find_userdn($extmemberuid))) {
    698. 

  698.                 return array();
    699. 

  699.             }
    700. 

  700.         }
    701. 

  701. 

  702.         $ldap_search_pattern = '';
    703. 

  703.         if($this->get_config('nested_groups')) {
    704. 

  704.             $usergroups = $this->ldap_find_user_groups($extmemberuid);
    705. 

  705.             if(count($usergroups) > 0) {
    706. 

  706.                 foreach ($usergroups as $group) {
    707. 

  707.                     $ldap_search_pattern .= '('.$this->get_config('memberattribute_role'.$role->id).'='.$group.')';
    708. 

  708.                 }
    709. 

  709.             }
    710. 

  710.         }
    711. 

  711. 

  712.         // Default return value
    713. 

  713.         $courses = array();
    714. 

  714. 

  715.         // Get all the fields we will want for the potential course creation
    716. 

  716.         // as they are light. don't get membership -- potentially a lot of data.
    717. 

  717.         $ldap_fields_wanted = array('dn', $this->get_config('course_idnumber'));
    718. 

  718.         $fullname  = $this->get_config('course_fullname');
    719. 

  719.         $shortname = $this->get_config('course_shortname');
    720. 

  720.         $summary   = $this->get_config('course_summary');
    721. 

  721.         if (isset($fullname)) {
    722. 

  722.             array_push($ldap_fields_wanted, $fullname);
    723. 

  723.         }
    724. 

  724.         if (isset($shortname)) {
    725. 

  725.             array_push($ldap_fields_wanted, $shortname);
    726. 

  726.         }
    727. 

  727.         if (isset($summary)) {
    728. 

  728.             array_push($ldap_fields_wanted, $summary);
    729. 

  729.         }
    730. 

  730. 

  731.         // Define the search pattern
    732. 

  732.         if (empty($ldap_search_pattern)) {
    733. 

  733.             $ldap_search_pattern = '('.$this->get_config('memberattribute_role'.$role->id).'='.ldap_filter_addslashes($extmemberuid).')';
    734. 

  734.         } else {
    735. 

  735.             $ldap_search_pattern = '(|' . $ldap_search_pattern .
    736. 

  736.                                        '('.$this->get_config('memberattribute_role'.$role->id).'='.ldap_filter_addslashes($extmemberuid).')' .
    737. 

  737.                                    ')';
    738. 

  738.         }
    739. 

  739.         $ldap_search_pattern='(&'.$this->get_config('objectclass').$ldap_search_pattern.')';
    740. 

  740. 

  741.         // Get all contexts and look for first matching user
    742. 

  742.         $ldap_contexts = explode(';', $ldap_contexts);
    743. 

  743.         $ldap_pagedresults = ldap_paged_results_supported($this->get_config('ldap_version'));
    744. 

  744.         foreach ($ldap_contexts as $context) {
    745. 

  745.             $context = trim($context);
    746. 

  746.             if (empty($context)) {
    747. 

  747.                 continue;
    748. 

  748.             }
    749. 

  749. 

  750.             $ldap_cookie = '';
    751. 

  751.             $flat_records = array();
    752. 

  752.             do {
    753. 

  753.                 if ($ldap_pagedresults) {
    754. 

  754.                     ldap_control_paged_result($this->ldapconnection, $this->config->pagesize, true, $ldap_cookie);
    755. 

  755.                 }
    756. 

  756. 

  757.                 if ($this->get_config('course_search_sub')) {
    758. 

  758.                     // Use ldap_search to find first user from subtree
    759. 

  759.                     $ldap_result = @ldap_search($this->ldapconnection,
    760. 

  760.                                                 $context,
    761. 

  761.                                                 $ldap_search_pattern,
    762. 

  762.                                                 $ldap_fields_wanted);
    763. 

  763.                 } else {
    764. 

  764.                     // Search only in this context
    765. 

  765.                     $ldap_result = @ldap_list($this->ldapconnection,
    766. 

  766.                                               $context,
    767. 

  767.                                               $ldap_search_pattern,
    768. 

  768.                                               $ldap_fields_wanted);
    769. 

  769.                 }
    770. 

  770. 

  771.                 if (!$ldap_result) {
    772. 

  772.                     continue;
    773. 

  773.                 }
    774. 

  774. 

  775.                 if ($ldap_pagedresults) {
    776. 

  776.                     ldap_control_paged_result_response($this->ldapconnection, $ldap_result, $ldap_cookie);
    777. 

  777.                 }
    778. 

  778. 

  779.                 // Check and push results. ldap_get_entries() already
    780. 

  780.                 // lowercases the attribute index, so there's no need to
    781. 

  781.                 // use array_change_key_case() later.
    782. 

  782.                 $records = ldap_get_entries($this->ldapconnection, $ldap_result);
    783. 

  783. 

  784.                 // LDAP libraries return an odd array, really. Fix it.
    785. 

  785.                 for ($c = 0; $c < $records['count']; $c++) {
    786. 

  786.                     array_push($flat_records, $records[$c]);
    787. 

  787.                 }
    788. 

  788.                 // Free some mem
    789. 

  789.                 unset($records);
    790. 

  790.             } while ($ldap_pagedresults && !empty($ldap_cookie));
    791. 

  791. 

  792.             // If LDAP paged results were used, the current connection must be completely
    793. 

  793.             // closed and a new one created, to work without paged results from here on.
    794. 

  794.             if ($ldap_pagedresults) {
    795. 

  795.                 $this->ldap_close();
    796. 

  796.                 $this->ldap_connect();
    797. 

  797.             }
    798. 

  798. 

  799.             if (count($flat_records)) {
    800. 

  800.                 $courses = array_merge($courses, $flat_records);
    801. 

  801.             }
    802. 

  802.         }
    803. 

  803. 

  804.         return $courses;
    805. 

  805.     }
    806. 

  806. 

  807.     /**
    808. 

  808.      * Search specified contexts for the specified userid and return the
    809. 

  809.      * user dn like: cn=username,ou=suborg,o=org. It's actually a wrapper
    810. 

  810.      * around ldap_find_userdn().
    811. 

  811.      *
    812. 

  812.      * @param string $userid the userid to search for (in external LDAP encoding, no magic quotes).
    813. 

  813.      * @return mixed the user dn or false
    814. 

  814.      */
    815. 

  815.     protected function ldap_find_userdn($userid) {
    816. 

  816.         global $CFG;
    817. 

  817.         require_once($CFG->libdir.'/ldaplib.php');
    818. 

  818. 

  819.         $ldap_contexts = explode(';', $this->get_config('user_contexts'));
    820. 

  820.         $ldap_defaults = ldap_getdefaults();
    821. 

  821. 

  822.         return ldap_find_userdn($this->ldapconnection, $userid, $ldap_contexts,
    823. 

  823.                                 '(objectClass='.$ldap_defaults['objectclass'][$this->get_config('user_type')].')',
    824. 

  824.                                 $this->get_config('idnumber_attribute'), $this->get_config('user_search_sub'));
    825. 

  825.     }
    826. 

  826. 

  827.     /**
    828. 

  828.      * Find the groups a given distinguished name belongs to, both directly
    829. 

  829.      * and indirectly via nested groups membership.
    830. 

  830.      *
    831. 

  831.      * @param string $memberdn distinguished name to search
    832. 

  832.      * @return array with member groups' distinguished names (can be emtpy)
    833. 

  833.      */
    834. 

  834.     protected function ldap_find_user_groups($memberdn) {
    835. 

  835.         $groups = array();
    836. 

  836. 

  837.         $this->ldap_find_user_groups_recursively($memberdn, $groups);
    838. 

  838.         return $groups;
    839. 

  839.     }
    840. 

  840. 

  841.     /**
    842. 

  842.      * Recursively process the groups the given member distinguished name
    843. 

  843.      * belongs to, adding them to the already processed groups array.
    844. 

  844.      *
    845. 

  845.      * @param string $memberdn distinguished name to search
    846. 

  846.      * @param array reference &$membergroups array with already found
    847. 

  847.      *                        groups, where we'll put the newly found
    848. 

  848.      *                        groups.
    849. 

  849.      */
    850. 

  850.     protected function ldap_find_user_groups_recursively($memberdn, &$membergroups) {
    851. 

  851.         $result = @ldap_read($this->ldapconnection, $memberdn, '(objectClass=*)', array($this->get_config('group_memberofattribute')));
    852. 

  852.         if (!$result) {
    853. 

  853.             return;
    854. 

  854.         }
    855. 

  855. 

  856.         if ($entry = ldap_first_entry($this->ldapconnection, $result)) {
    857. 

  857.             do {
    858. 

  858.                 $attributes = ldap_get_attributes($this->ldapconnection, $entry);
    859. 

  859.                 for ($j = 0; $j < $attributes['count']; $j++) {
    860. 

  860.                     $groups = ldap_get_values_len($this->ldapconnection, $entry, $attributes[$j]);
    861. 

  861.                     foreach ($groups as $key => $group) {
    862. 

  862.                         if ($key === 'count') {  // Skip the entries count
    863. 

  863.                             continue;
    864. 

  864.                         }
    865. 

  865.                         if(!in_array($group, $membergroups)) {
    866. 

  866.                             // Only push and recurse if we haven't 'seen' this group before
    867. 

  867.                             // to prevent loops (MS Active Directory allows them!!).
    868. 

  868.                             array_push($membergroups, $group);
    869. 

  869.                             $this->ldap_find_user_groups_recursively($group, $membergroups);
    870. 

  870.                         }
    871. 

  871.                     }
    872. 

  872.                 }
    873. 

  873.             }
    874. 

  874.             while ($entry = ldap_next_entry($this->ldapconnection, $entry));
    875. 

  875.         }
    876. 

  876.     }
    877. 

  877. 

  878.     /**
    879. 

  879.      * Given a group name (either a RDN or a DN), get the list of users
    880. 

  880.      * belonging to that group. If the group has nested groups, expand all
    881. 

  881.      * the intermediate groups and return the full list of users that
    882. 

  882.      * directly or indirectly belong to the group.
    883. 

  883.      *
    884. 

  884.      * @param string $group the group name to search
    885. 

  885.      * @param string $memberattibute the attribute that holds the members of the group
    886. 

  886.      * @return array the list of users belonging to the group. If $group
    887. 

  887.      *         is not actually a group, returns array($group).
    888. 

  888.      */
    889. 

  889.     protected function ldap_explode_group($group, $memberattribute) {
    890. 

  890.         switch ($this->get_config('user_type')) {
    891. 

  891.             case 'ad':
    892. 

  892.                 // $group is already the distinguished name to search.
    893. 

  893.                 $dn = $group;
    894. 

  894. 

  895.                 $result = ldap_read($this->ldapconnection, $dn, '(objectClass=*)', array('objectClass'));
    896. 

  896.                 $entry = ldap_first_entry($this->ldapconnection, $result);
    897. 

  897.                 $objectclass = ldap_get_values($this->ldapconnection, $entry, 'objectClass');
    898. 

  898. 

  899.                 if (!in_array('group', $objectclass)) {
    900. 

  900.                     // Not a group, so return immediately.
    901. 

  901.                     return array($group);
    902. 

  902.                 }
    903. 

  903. 

  904.                 $result = ldap_read($this->ldapconnection, $dn, '(objectClass=*)', array($memberattribute));
    905. 

  905.                 $entry = ldap_first_entry($this->ldapconnection, $result);
    906. 

  906.                 $members = @ldap_get_values($this->ldapconnection, $entry, $memberattribute); // Can be empty and throws a warning
    907. 

  907.                 if ($members['count'] == 0) {
    908. 

  908.                     // There are no members in this group, return nothing.
    909. 

  909.                     return array();
    910. 

  910.                 }
    911. 

  911.                 unset($members['count']);
    912. 

  912. 

  913.                 $users = array();
    914. 

  914.                 foreach ($members as $member) {
    915. 

  915.                     $group_members = $this->ldap_explode_group($member, $memberattribute);
    916. 

  916.                     $users = array_merge($users, $group_members);
    917. 

  917.                 }
    918. 

  918. 

  919.                 return ($users);
    920. 

  920.                 break;
    921. 

  921.             default:
    922. 

  922.                 error_log($this->errorlogtag.get_string('explodegroupusertypenotsupported', 'enrol_ldap',
    923. 

  923.                                                         $this->get_config('user_type_name')));
    924. 

  924. 

  925.                 return array($group);
    926. 

  926.         }
    927. 

  927.     }
    928. 

  928. 

  929.     /**
    930. 

  930.      * Will create the moodle course from the template
    931. 

  931.      * course_ext is an array as obtained from ldap -- flattened somewhat
    932. 

  932.      *
    933. 

  933.      * @param array $course_ext
    934. 

  934.      * @param progress_trace $trace
    935. 

  935.      * @return mixed false on error, id for the newly created course otherwise.
    936. 

  936.      */
    937. 

  937.     function create_course($course_ext, progress_trace $trace) {
    938. 

  938.         global $CFG, $DB;
    939. 

  939. 

  940.         require_once("$CFG->dirroot/course/lib.php");
    941. 

  941. 

  942.         // Override defaults with template course
    943. 

  943.         $template = false;
    944. 

  944.         if ($this->get_config('template')) {
    945. 

  945.             if ($template = $DB->get_record('course', array('shortname'=>$this->get_config('template')))) {
    946. 

  946.                 $template = fullclone(course_get_format($template)->get_course());
    947. 

  947.                 unset($template->id); // So we are clear to reinsert the record
    948. 

  948.                 unset($template->fullname);
    949. 

  949.                 unset($template->shortname);
    950. 

  950.                 unset($template->idnumber);
    951. 

  951.             }
    952. 

  952.         }
    953. 

  953.         if (!$template) {
    954. 

  954.             $courseconfig = get_config('moodlecourse');
    955. 

  955.             $template = new stdClass();
    956. 

  956.             $template->summary        = '';
    957. 

  957.             $template->summaryformat  = FORMAT_HTML;
    958. 

  958.             $template->format         = $courseconfig->format;
    959. 

  959.             $template->newsitems      = $courseconfig->newsitems;
    960. 

  960.             $template->showgrades     = $courseconfig->showgrades;
    961. 

  961.             $template->showreports    = $courseconfig->showreports;
    962. 

  962.             $template->maxbytes       = $courseconfig->maxbytes;
    963. 

  963.             $template->groupmode      = $courseconfig->groupmode;
    964. 

  964.             $template->groupmodeforce = $courseconfig->groupmodeforce;
    965. 

  965.             $template->visible        = $courseconfig->visible;
    966. 

  966.             $template->lang           = $courseconfig->lang;
    967. 

  967.             $template->groupmodeforce = $courseconfig->groupmodeforce;
    968. 

  968.         }
    969. 

  969.         $course = $template;
    970. 

  970. 

  971.         $course->category = $this->get_config('category');
    972. 

  972.         if (!$DB->record_exists('course_categories', array('id'=>$this->get_config('category')))) {
    973. 

  973.             $categories = $DB->get_records('course_categories', array(), 'sortorder', 'id', 0, 1);
    974. 

  974.             $first = reset($categories);
    975. 

  975.             $course->category = $first->id;
    976. 

  976.         }
    977. 

  977. 

  978.         // Override with required ext data
    979. 

  979.         $course->idnumber  = $course_ext[$this->get_config('course_idnumber')][0];
    980. 

  980.         $course->fullname  = $course_ext[$this->get_config('course_fullname')][0];
    981. 

  981.         $course->shortname = $course_ext[$this->get_config('course_shortname')][0];
    982. 

  982.         if (empty($course->idnumber) || empty($course->fullname) || empty($course->shortname)) {
    983. 

  983.             // We are in trouble!
    984. 

  984.             $trace->output(get_string('cannotcreatecourse', 'enrol_ldap').' '.var_export($course, true));
    985. 

  985.             return false;
    986. 

  986.         }
    987. 

  987. 

  988.         $summary = $this->get_config('course_summary');
    989. 

  989.         if (!isset($summary) || empty($course_ext[$summary][0])) {
    990. 

  990.             $course->summary = '';
    991. 

  991.         } else {
    992. 

  992.        
    993.