Commit Graph

200 Commits

Author SHA1 Message Date
cescobedo 53b9dbdb11 MDL-63207 auth_ldap: Update user profile if field is empty 2021-09-07 22:50:48 +02:00
Michael Milette de91d620f2 MDL-58395 auth_ldap: User sync now brings problem details and continue
Co-authored-by: Iñaki Arenaza <iarenaza@mondragon.edu>
2021-08-19 19:53:22 +02:00
Sander Wind c9855a8b20 MDL-70668 auth: Fix secret validation during user confirmation
Co-authored-by: Michael Hawkins <michaelh@moodle.com>
2021-03-02 23:44:24 +01:00
Eloy Lafuente (stronk7) 74ee34fd87 MDL-69521 core: Move all comments in code from 4.1 to 3.11 2020-09-08 18:59:30 +02:00
Farhan Karmali 470f94dc46 MDL-67419 admin: New admin setting for lang during user creation 2020-08-10 18:34:19 +05:30
Eloy Lafuente (stronk7) 988f9bf5b5 MDL-67118 auth_ldap: paged results functions deprecated php74 and up
Starting with php74 the following functions are deprecated:
- ldap_control_paged_result()
- ldap_control_paged_result_response()

Starting with php73, ldap servercontrols were included. One of those
servercontrols, LDAP_CONTROL_PAGEDRESULTS, is the one in charge of
controlling paged results.

So, we are going to add some conditional code here:

1) if php < 7.3, use old paged result functions.
2) if php >= 7.3, switch to LDAP_CONTROL_PAGEDRESULTS servercontrol.

With a TODO about removing 1) in Moodle 4.1, once php73 becomes required.
2020-01-16 19:16:14 +01:00
Eloy Lafuente (stronk7) 89da3f67e4 Merge branch 'MDL-64071-master' of https://github.com/UniGe/moodle 2019-02-06 17:56:59 +01:00
Jake Dallimore 39ac02f424 MDL-63887 auth_ldap: fix unclean exit from sync when users not found
We should return, not exit, and we should clean up before we do.
2018-12-12 09:42:13 +08:00
papillon326 43dcb956ba MDL-63887 auth_ldap: avoid infinite loop when search limit is reached 2018-12-06 15:39:35 +08:00
papillon326 8707682e3a MDL-63887 auth_ldap: changed variable names to be conform to core 2018-12-06 15:39:35 +08:00
Marco Ferrante e45c86375a MDL-64071 auth: enhanced diagnostic of LDAP auth config 2018-11-20 13:30:51 +01:00
Damyon Wiese 6dfe428363 MDL-63183 auth: Login protection
CSRF protection for the login form. The authenticate_user_login function was
extended to validate the token (in \core\session\manager) but by default it
does not perform the extra validation. Existing uses of this function from
auth plugins and features like "change password" will continue to work without
changes. New config value $CFG->disablelogintoken can bypass this check.
2018-11-07 00:14:48 +01:00
cescobedo a282b0f51d MDL-61296 auth_ldap: remove PHP notices when field does not exist. 2018-06-20 11:39:16 +02:00
Jonathan Champ 9651175f70 MDL-61584 auth_ldap: use get_cache_flag()
get_cache_flags() is only useful when you want multiple responses or
you don't know the name/key for the value pair. We know the name/key
here is the session ID, so use get_cache_flag() instead and gain the
performance benefit.
2018-03-03 15:50:58 -05:00
Mark Nelson 029ec1edfe MDL-61260 auth_ldap: require /user/profile/lib.php file 2018-01-29 11:30:05 +08:00
Dan Marsden 0c64c64b48 MDL-61050 auth_ldap: fix regression caused by MDL-42834 2018-01-05 10:43:20 +13:00
Andrew Nicols 725fcf3178 MDL-40613 auth_ldap: Call update_user_record on create 2018-01-04 14:32:13 +08:00
Mark Nelson e8a1a5868a MDL-40613 auth_ldap: removed usage of profile_load_custom_fields()
Also reverted profile_load_custom_fields() signature and changed
behaviour of the new function profile_save_custom_fields().
2018-01-03 18:13:01 +08:00
Mark Nelson 4e133e775c MDL-40613 auth: avoid undefined property 'suspended_attribute'
Re-introduce MDL-53580.
2017-12-19 14:13:34 +08:00
Mark Nelson 220ca688c1 MDL-40613 auth_ldap: include necessary file for saving profile fields 2017-12-19 14:13:34 +08:00
Albert Gasset 2c977ceb29 MDL-40613 auth_ldap: sync custom profile fields 2017-12-19 14:13:34 +08:00
John Okely 672f483670 MDL-42834 admin: Removal of httpswwwroot 2017-10-23 12:25:36 +08:00
Andrew Nicols ed7431a37b MDL-59734 auth_ldap: Fix role sync
The unit tests were failing because the upgrade step was missed.
In addition, there was a typo in a variable name, which meant that the
role was not actually synchronised.
2017-08-07 09:42:24 +08:00
David Balch 8fb9a27170 MDL-30634 auth_ldap: Assign arbitrary system roles via LDAP sync.
Loosely based on a 2.7 branch by Mark Johnson.
2017-07-20 10:00:36 +01:00
Iñaki Arenaza 67bebb69eb MDL-57558 ldap: fix ldap_get_entries_moodle()
While ldap_get_entries_moodle() PHPdocs state that it returns "array
ldap-entries with lower-cased attributes as indexes.", this is not true. It
uses ldap_get_attributes() internally, which returns both numerically indexed
attribute names, and dictionary-like entries indexed by attribute names.

Current code lowercases the dictionary-like entries, but then uses the
numerically indexed entries for the attribute names used as keys in the
returned array. The numerically indexed names might or might not be lowercased,
depending on the LDAP server and PHP version) version. E.g., OpenLDAP 2.x,
Novell eDirectory 8.x and MS Active Directory return mixed-cased attribute
names, and PHP 5.x and PHP 7.x don't lowercase them inside ldap_get_entries().

This is probably why all calls to ldap_get_entries_moodle() are followed by
calls to array_change_key_case(), even if that shouldn't be necessary.

So make sure we always return lower-cased attributs as indexes and add some
unit tests to avoid regressions in the future.
2017-05-16 10:48:27 +01:00
Stephen Bourget 037273d87e MDL-12689: convert auth plugins to use settings.php 2017-04-03 10:50:09 -04:00
Iñaki Arenaza e47863e840 MDL-50625 auth_ldap: Better check for paged results support
There is at least one LDAP server (Sun Directory Server) that doesn't
support Paged Results extension, even if it supports LDAP version 3. So
checking just for LDAP version is not enough.

If possible, we check the supportedControl attribute of the LDAP rootDSE
and see if the paged results control is available. This needs an LDAP
connection, which might not be possible to establish before we configure
some essential LDAP settings (server, bind user, password, etc.). Thus
we try to establish the connection and check the supportedControl
attribute. But if we fail, we perform only basic checks that are less
accurate and err on the side of cautiousness.
2017-01-19 10:55:26 +01:00
David Mudrák 8df850ad6f MDL-46946 user: Make missing required custom fields trigger profile edit
If there is a required custom field that the user can fill by editing
their profile, and that field is missing, the user should be considered
as not fully set up. Instead, we want to redirect them to edit their
profile first.

There are some exceptions when we want to fall back to the previous
behaviour and check just the name and email fields. These exceptional
cases include checking remote user data in incoming MNet request (no
user id, no custom fields supported) and calls to require_login() with
redirecting disabled (typically ajax filepicker requests on profile
editing page itself).

Additional plugins that call the function user_not_fully_set_up()
themselves, should perform the strict check in most/typical cases. So
the strict mode is enabled by default even if it changes the behaviour
slightly. In improbable case of additional plugins relying on the
previous behaviour of the function, they can use the $strict parameter
and keep performing the lax check. However, I am sure the correct fix in
that case will likely be to stop abusing this function.

Note that custom fields are not currently transferred during the MNet
roaming. So having custom fields configured as required on MNet service
provider site (where users can't edit their profiles) is expected to
display an error (as the site is considered as misconfigured).
2016-09-21 17:46:30 +02:00
Cameron Ball 8ffe9aef1f MDL-53580 auth_ldap: Set default value for suspended_attribute
It was also necessary to cast some boolean values to ints as a
workaround for moodle's broken boolean validation.
2016-05-10 23:04:46 +08:00
Cameron Ball 6141dcfe67 MDL-52386 auth_ldap: Add support for disabled accounts 2016-03-11 16:48:18 +08:00
Rajesh Taneja b4a5d4fa17 MDL-52387 auth_ldap: Use proper dn to find password age
dn with fine grained password should be used
to get msds-maximumpasswordage attribute.
No checks should be used to see if the array
key is set as entry should always return them.
2016-02-18 11:38:03 +08:00
David Monllao ce74ad69ae Merge branch 'MDL-52387-master' of git://github.com/lameze/moodle 2016-02-16 11:25:22 +08:00
Simey Lameze c1bc628e1d MDL-52387 auth_ldap: add support for fine grained password
Contributed by Matthew Johnson.
2016-02-16 11:03:42 +08:00
Andrew Nicols abedeb8c70 MDL-51723 ldap: Normalise the user objectclass 2016-02-01 10:24:34 +08:00
Marina Glancy 4a89e83b80 MDL-52285 auth: use __construct() for constructors 2015-12-10 13:40:42 +08:00
Simey Lameze 06ae66043b MDL-49360 core_lib: remove get_referer() call form auth ldap 2015-07-29 10:43:03 +08:00
Simey Lameze 25565918d9 MDL-49360 core_lib: fix typo on auth_ldap 2015-07-28 15:04:27 +08:00
Simey Lameze dcee0b9447 MDL-49360 core_lib: add new method get_local_referer()
This commit also replace all usages of $_SERVER['HTTP_REFERER'] and get_referer().
2015-07-27 11:11:24 +08:00
Eloy Lafuente (stronk7) 870d1aae1e MDL-49022 auth_ldap: keep method visibility unmodified. 2015-06-24 03:07:35 +02:00
Mark Ward 7b9643b59c MDL-49022 auth_ldap: trigger event when required.
When calling update_user_record() for auth_ldap the method
now has option to trigger event core\event\user_updated when
syncing with domain controller.
This means that the event will be triggered by sync_users()
but not by user_signup().
2015-06-23 17:00:34 +08:00
Marina Glancy 4f8b6d5674 MDL-50099 auth: less verbose account confirmed message 2015-05-05 15:33:36 +01:00
Frederic Massart b2687a055d MDL-49179 weblib: Secure the direct usage of $_SERVER['HTTP_REFERER'] 2015-05-05 18:31:13 +08:00
Eloy Lafuente (stronk7) 6054036fbc Merge branch 'MDL-48255-master' of git://github.com/lameze/moodle 2014-12-08 19:14:07 +01:00
Simey Lameze ef9739f0eb MDL-48255 auth_ldap: make ldap cookie check more robust
Thanks to Baptiste Desprez for spotting this and provide a solution.
2014-12-02 15:28:03 +08:00
Petr Skoda 1d658535b6 MDL-47830 auth: Add pw rotation restrictions 2014-12-01 08:53:52 +13:00
Petr Skoda f720c2c060 MDL-48282 Standardise update of user->firstaccess 2014-11-21 09:25:57 +13:00
zbdd 77218e4a52 MDL-42993 auth: spaces removed from usernames by default only
Functionality by default does not change with this patch.
However spaces are no longer stripped when cleaning usernames IF
$CFG->extendedusernamechars has been set.

Also included 2 trim statements where small issues were found with reading
external usernames in that  were not filtered for trailing whitespaces.
2014-10-01 08:24:54 +13:00
Rajesh Taneja 9363073b22 MDL-45641 event: Manually trigger event where needed.
Some places, user_created_user and user_updated_user
events should be triggred after profile data is saved.
2014-06-27 15:44:56 +08:00
Dan Poltawski e78e671f29 Merge branch 'MDL-43405_master' of https://github.com/markn86/moodle 2014-02-25 10:30:35 +08:00
fabmen fcf2176098 MDL-43405 auth_ldap: Fixed issue with undefined variable: ldap_cookie 2014-02-16 14:22:48 -08:00