Commit Graph

205 Commits

Author SHA1 Message Date
Srdjan 3079896480 MDL-73703 auth_ldap: Break apart sync_task
Extracted code from sync_users() into separate functions
in order to enable ad-hoc sheduling, and chunking.

Co-authored-by: David Woloszyn <david.woloszyn@moodle.com>
2024-01-24 12:17:53 +11:00
Meirza 684343eee7 MDL-77350 auth: Added class properties that are not declared
In PHP 8.2 and later, setting a value to an undeclared class property is
deprecated and emits a deprecation notice.
So we need to add missing class properties that still need to be declared.
2023-05-16 01:03:01 +07:00
Peter Sistrom 1a06546ea3 MDL-60666 auth_ldap: One transaction per user 2022-08-10 13:49:20 +10:00
Sujith Haridasan 73d604369d MDL-71062 core: Step 1 deprecation of print_error function 2022-07-13 08:20:54 +05:30
Eloy Lafuente (stronk7) 5300351831 MDL-73500 general: Remove php < 73 conditional code
This commit removes code that only was being executed by php < 73
and it's 100% safe to do so because Moodle 3.11 and up require
php 73, hence it was not executed ever.

Removed code includes:
- ldap_control_paged_result and ldap_control_paged_result_response
  (that were deprecated in php 73 and have been removed in php 80).
- conditional code in the session manager, where some hacks were
  needed for php < 73. Note that this removes the private function
  append_samesite_cookie_attribute() completely because it was
  doinf nothing (first line was returning for php < 73).
- Also removed the old session.hash_function ini setting because
  it was removed in php 71.

Kept code includes:
- The environmental check_igbinary322_version test has not been
  removed because it doesn't hurt (always returns "ok" for php 73
  sites) and doing it would involve to backport the environment.xml
  file to 39 and 310. Instead, a note has been added to MDL-71747
  in order to get rid of that check for 4.1 and up.
2022-01-21 19:47:55 +01:00
cescobedo 53b9dbdb11 MDL-63207 auth_ldap: Update user profile if field is empty 2021-09-07 22:50:48 +02:00
Michael Milette de91d620f2 MDL-58395 auth_ldap: User sync now brings problem details and continue
Co-authored-by: Iñaki Arenaza <iarenaza@mondragon.edu>
2021-08-19 19:53:22 +02:00
Sander Wind c9855a8b20 MDL-70668 auth: Fix secret validation during user confirmation
Co-authored-by: Michael Hawkins <michaelh@moodle.com>
2021-03-02 23:44:24 +01:00
Eloy Lafuente (stronk7) 74ee34fd87 MDL-69521 core: Move all comments in code from 4.1 to 3.11 2020-09-08 18:59:30 +02:00
Farhan Karmali 470f94dc46 MDL-67419 admin: New admin setting for lang during user creation 2020-08-10 18:34:19 +05:30
Eloy Lafuente (stronk7) 988f9bf5b5 MDL-67118 auth_ldap: paged results functions deprecated php74 and up
Starting with php74 the following functions are deprecated:
- ldap_control_paged_result()
- ldap_control_paged_result_response()

Starting with php73, ldap servercontrols were included. One of those
servercontrols, LDAP_CONTROL_PAGEDRESULTS, is the one in charge of
controlling paged results.

So, we are going to add some conditional code here:

1) if php < 7.3, use old paged result functions.
2) if php >= 7.3, switch to LDAP_CONTROL_PAGEDRESULTS servercontrol.

With a TODO about removing 1) in Moodle 4.1, once php73 becomes required.
2020-01-16 19:16:14 +01:00
Eloy Lafuente (stronk7) 89da3f67e4 Merge branch 'MDL-64071-master' of https://github.com/UniGe/moodle 2019-02-06 17:56:59 +01:00
Jake Dallimore 39ac02f424 MDL-63887 auth_ldap: fix unclean exit from sync when users not found
We should return, not exit, and we should clean up before we do.
2018-12-12 09:42:13 +08:00
papillon326 43dcb956ba MDL-63887 auth_ldap: avoid infinite loop when search limit is reached 2018-12-06 15:39:35 +08:00
papillon326 8707682e3a MDL-63887 auth_ldap: changed variable names to be conform to core 2018-12-06 15:39:35 +08:00
Marco Ferrante e45c86375a MDL-64071 auth: enhanced diagnostic of LDAP auth config 2018-11-20 13:30:51 +01:00
Damyon Wiese 6dfe428363 MDL-63183 auth: Login protection
CSRF protection for the login form. The authenticate_user_login function was
extended to validate the token (in \core\session\manager) but by default it
does not perform the extra validation. Existing uses of this function from
auth plugins and features like "change password" will continue to work without
changes. New config value $CFG->disablelogintoken can bypass this check.
2018-11-07 00:14:48 +01:00
cescobedo a282b0f51d MDL-61296 auth_ldap: remove PHP notices when field does not exist. 2018-06-20 11:39:16 +02:00
Jonathan Champ 9651175f70 MDL-61584 auth_ldap: use get_cache_flag()
get_cache_flags() is only useful when you want multiple responses or
you don't know the name/key for the value pair. We know the name/key
here is the session ID, so use get_cache_flag() instead and gain the
performance benefit.
2018-03-03 15:50:58 -05:00
Mark Nelson 029ec1edfe MDL-61260 auth_ldap: require /user/profile/lib.php file 2018-01-29 11:30:05 +08:00
Dan Marsden 0c64c64b48 MDL-61050 auth_ldap: fix regression caused by MDL-42834 2018-01-05 10:43:20 +13:00
Andrew Nicols 725fcf3178 MDL-40613 auth_ldap: Call update_user_record on create 2018-01-04 14:32:13 +08:00
Mark Nelson e8a1a5868a MDL-40613 auth_ldap: removed usage of profile_load_custom_fields()
Also reverted profile_load_custom_fields() signature and changed
behaviour of the new function profile_save_custom_fields().
2018-01-03 18:13:01 +08:00
Mark Nelson 4e133e775c MDL-40613 auth: avoid undefined property 'suspended_attribute'
Re-introduce MDL-53580.
2017-12-19 14:13:34 +08:00
Mark Nelson 220ca688c1 MDL-40613 auth_ldap: include necessary file for saving profile fields 2017-12-19 14:13:34 +08:00
Albert Gasset 2c977ceb29 MDL-40613 auth_ldap: sync custom profile fields 2017-12-19 14:13:34 +08:00
John Okely 672f483670 MDL-42834 admin: Removal of httpswwwroot 2017-10-23 12:25:36 +08:00
Andrew Nicols ed7431a37b MDL-59734 auth_ldap: Fix role sync
The unit tests were failing because the upgrade step was missed.
In addition, there was a typo in a variable name, which meant that the
role was not actually synchronised.
2017-08-07 09:42:24 +08:00
David Balch 8fb9a27170 MDL-30634 auth_ldap: Assign arbitrary system roles via LDAP sync.
Loosely based on a 2.7 branch by Mark Johnson.
2017-07-20 10:00:36 +01:00
Iñaki Arenaza 67bebb69eb MDL-57558 ldap: fix ldap_get_entries_moodle()
While ldap_get_entries_moodle() PHPdocs state that it returns "array
ldap-entries with lower-cased attributes as indexes.", this is not true. It
uses ldap_get_attributes() internally, which returns both numerically indexed
attribute names, and dictionary-like entries indexed by attribute names.

Current code lowercases the dictionary-like entries, but then uses the
numerically indexed entries for the attribute names used as keys in the
returned array. The numerically indexed names might or might not be lowercased,
depending on the LDAP server and PHP version) version. E.g., OpenLDAP 2.x,
Novell eDirectory 8.x and MS Active Directory return mixed-cased attribute
names, and PHP 5.x and PHP 7.x don't lowercase them inside ldap_get_entries().

This is probably why all calls to ldap_get_entries_moodle() are followed by
calls to array_change_key_case(), even if that shouldn't be necessary.

So make sure we always return lower-cased attributs as indexes and add some
unit tests to avoid regressions in the future.
2017-05-16 10:48:27 +01:00
Stephen Bourget 037273d87e MDL-12689: convert auth plugins to use settings.php 2017-04-03 10:50:09 -04:00
Iñaki Arenaza e47863e840 MDL-50625 auth_ldap: Better check for paged results support
There is at least one LDAP server (Sun Directory Server) that doesn't
support Paged Results extension, even if it supports LDAP version 3. So
checking just for LDAP version is not enough.

If possible, we check the supportedControl attribute of the LDAP rootDSE
and see if the paged results control is available. This needs an LDAP
connection, which might not be possible to establish before we configure
some essential LDAP settings (server, bind user, password, etc.). Thus
we try to establish the connection and check the supportedControl
attribute. But if we fail, we perform only basic checks that are less
accurate and err on the side of cautiousness.
2017-01-19 10:55:26 +01:00
David Mudrák 8df850ad6f MDL-46946 user: Make missing required custom fields trigger profile edit
If there is a required custom field that the user can fill by editing
their profile, and that field is missing, the user should be considered
as not fully set up. Instead, we want to redirect them to edit their
profile first.

There are some exceptions when we want to fall back to the previous
behaviour and check just the name and email fields. These exceptional
cases include checking remote user data in incoming MNet request (no
user id, no custom fields supported) and calls to require_login() with
redirecting disabled (typically ajax filepicker requests on profile
editing page itself).

Additional plugins that call the function user_not_fully_set_up()
themselves, should perform the strict check in most/typical cases. So
the strict mode is enabled by default even if it changes the behaviour
slightly. In improbable case of additional plugins relying on the
previous behaviour of the function, they can use the $strict parameter
and keep performing the lax check. However, I am sure the correct fix in
that case will likely be to stop abusing this function.

Note that custom fields are not currently transferred during the MNet
roaming. So having custom fields configured as required on MNet service
provider site (where users can't edit their profiles) is expected to
display an error (as the site is considered as misconfigured).
2016-09-21 17:46:30 +02:00
Cameron Ball 8ffe9aef1f MDL-53580 auth_ldap: Set default value for suspended_attribute
It was also necessary to cast some boolean values to ints as a
workaround for moodle's broken boolean validation.
2016-05-10 23:04:46 +08:00
Cameron Ball 6141dcfe67 MDL-52386 auth_ldap: Add support for disabled accounts 2016-03-11 16:48:18 +08:00
Rajesh Taneja b4a5d4fa17 MDL-52387 auth_ldap: Use proper dn to find password age
dn with fine grained password should be used
to get msds-maximumpasswordage attribute.
No checks should be used to see if the array
key is set as entry should always return them.
2016-02-18 11:38:03 +08:00
David Monllao ce74ad69ae Merge branch 'MDL-52387-master' of git://github.com/lameze/moodle 2016-02-16 11:25:22 +08:00
Simey Lameze c1bc628e1d MDL-52387 auth_ldap: add support for fine grained password
Contributed by Matthew Johnson.
2016-02-16 11:03:42 +08:00
Andrew Nicols abedeb8c70 MDL-51723 ldap: Normalise the user objectclass 2016-02-01 10:24:34 +08:00
Marina Glancy 4a89e83b80 MDL-52285 auth: use __construct() for constructors 2015-12-10 13:40:42 +08:00
Simey Lameze 06ae66043b MDL-49360 core_lib: remove get_referer() call form auth ldap 2015-07-29 10:43:03 +08:00
Simey Lameze 25565918d9 MDL-49360 core_lib: fix typo on auth_ldap 2015-07-28 15:04:27 +08:00
Simey Lameze dcee0b9447 MDL-49360 core_lib: add new method get_local_referer()
This commit also replace all usages of $_SERVER['HTTP_REFERER'] and get_referer().
2015-07-27 11:11:24 +08:00
Eloy Lafuente (stronk7) 870d1aae1e MDL-49022 auth_ldap: keep method visibility unmodified. 2015-06-24 03:07:35 +02:00
Mark Ward 7b9643b59c MDL-49022 auth_ldap: trigger event when required.
When calling update_user_record() for auth_ldap the method
now has option to trigger event core\event\user_updated when
syncing with domain controller.
This means that the event will be triggered by sync_users()
but not by user_signup().
2015-06-23 17:00:34 +08:00
Marina Glancy 4f8b6d5674 MDL-50099 auth: less verbose account confirmed message 2015-05-05 15:33:36 +01:00
Frederic Massart b2687a055d MDL-49179 weblib: Secure the direct usage of $_SERVER['HTTP_REFERER'] 2015-05-05 18:31:13 +08:00
Eloy Lafuente (stronk7) 6054036fbc Merge branch 'MDL-48255-master' of git://github.com/lameze/moodle 2014-12-08 19:14:07 +01:00
Simey Lameze ef9739f0eb MDL-48255 auth_ldap: make ldap cookie check more robust
Thanks to Baptiste Desprez for spotting this and provide a solution.
2014-12-02 15:28:03 +08:00
Petr Skoda 1d658535b6 MDL-47830 auth: Add pw rotation restrictions 2014-12-01 08:53:52 +13:00