Commit Graph

63 Commits

Author SHA1 Message Date
iarenaza fc54986465 ldap auth and enrolment: MDL-19672 prevent update_user_record() from mangling distinguished names with backslashes
In addition to it, in order to be able to used a distiguished name with '\'
(and other LDAP special characters) in a LDAP filter to find the user
enrolments, we need to quote it using the LDAP filter quoting rules
2009-07-06 18:51:30 +00:00
iarenaza aab2bf6809 ntlmsso login hook: MDL-18596 We need to call httpsrequired() before using httpswwwroot 2009-06-04 22:22:37 +00:00
dongsheng 551d425a88 "MDL-19037, use getremoteaddr to get remote ip address, backported from 2.0" 2009-05-01 08:06:08 +00:00
iarenaza 6a31fe27bb Cache LDAP connections: MDL-18130 Properly handle open LDAP connections.
Both CAS and LDAP auth plugins open new connections to the LDAP server
to get the user account details. While this is the desired behaviour
for regular logins (we probably don't have an already open connection
to the LDAP server), this is a ressource hog when we are doing user
synchronization, as the closed connections remain in the TCP_WAIT
state for a while before the server can reuse them. If we are syncing
a lot of users, we can make the server run out of available TCP
ressources.

So we cache the connection the first time we establish it and return
the same connection handle everytime, unless we've closed all the
'open' connections, or the auth object is destroyed.

In addition to that, there were a few missing calls to ldap_close().
2009-02-15 14:53:58 +00:00
iarenaza b65da94dd7 NTLM SSO: MDL-13760 Speed up ntlm sign on with conditional redirect for msie
Provides an option, configurable by admin, to make the ntlm test happen
only if MSIE is not used. This speeds things up for IE.
2009-02-14 16:17:51 +00:00
iarenaza f8102d906e NTLM SSO: MDL-14584 Fix for several outstanding NTLM SSO issues.
These include:

MDL-14078: redirect() doubles the specified timeout when we haven't printed
           the page header and uses javascript to execute the redirect. This
           is interacting badly with some versions of IE and FF (at least
           3.0.x Windows version) that fireup javascript timers even if
           we already left the page where we set those up. Just print
           the page header (we are printing other content anyway) to
           make redirect respect our timeouts.

MDL-14071: All the relevant details are in the description of the bug :)

MDL-14297: This is probably the same as MDL-14078
2009-02-14 16:14:22 +00:00
iarenaza b11a0766ed auth/ldap: MDL-9405 sync_users() can create duplicated users
Merged from MOODLE_18_STABLE

If we are using auth_ldap_sync_users.php to synchronize our users, and we
have a database which is case-sensitive when doing comparisons (Postgres and
Oracle at least), and any of our users has the vale of the username attribute
in mixed-case (like 'John Smith'), we get duplicated users.

This is because we don't make sure the username attribute value is 'lowercased'
after we retrive it from the LDAP server and before we insert it into the
database.
2008-12-26 16:00:12 +00:00
iarenaza b29004e366 MDL-16061 Revert incorrect fix for "Remove 'username' from the $moodleattributes array".
Merged from MOODLE_18_STABLE.

The fix is wrong, as it breaks auth_db_sync_users.php and
auth_ldap_sync_users.php at least. No new users are added to Moodle, as the
username is missing from the new user info record.

The fix needs to go into update_user_record() in lib/moodlelib.php to make it
skip the 'username' key, as we really need get_userinfo() to return the
username as part of the user info array.
2008-08-25 22:40:29 +00:00
iarenaza 6046523272 MDL-15799 LDAP - user data mapping doesn't work. Merged from MOODLE_18_STABLE
The Right Way(tm) to write a LDAP filter is enclosing it in parentheses (see
RFC 4515/2254).
2008-08-24 20:42:57 +00:00
iarenaza 1e6da87629 MDL-16061 Remove 'username' from the $moodleattributes array.
It doesn't make sense at all (username is not part of the externally mapped
fields) and produces a notice that breaks HTTP headers with debugging enabled.
2008-08-15 11:21:48 +00:00
stronk7 fc9d285a62 Fixed copy&paste error. Credit goes to Sergio Rabellino.
http://moodle.org/mod/forum/discuss.php?d=102933
2008-08-07 17:09:27 +00:00
skodak 2959f8b18e MDL-9983, MDL-13998, MDL-15552 core events related cleanup and potential sql injection problem fixed; please note the changes are not backwards compatible, 3rd party code will need to be updated - sorry for the trouble 2008-07-06 17:55:54 +00:00
iarenaza 8278b5164b MDL-4248 Fix error when updating user profiles and any of these fields is empty
According to http://es2.php.net/manual/en/function.ldap-modify.php#43216 we
need to specify an array() value to delete an attribute's value, instead of an
empty string.

Merged from MOODLE_18_STABLE
2008-05-31 14:55:56 +00:00
iarenaza c875af622e MDL-14987 Default attribute for Active Directory password expiry is missing
Backported from HEAD
2008-05-25 21:55:50 +00:00
skodak 475419e555 MDL-14543 fixed broken deleting from auth sync 2008-04-25 13:20:28 +00:00
dongsheng 29a2749da5 MDL-12531, make the new member value available to all the affected plugins, thanks, Robert 2008-04-08 05:40:15 +00:00
iarenaza d0d840eaed MDL-12858 fix print_error() usage.
print_error()'s third parameter is the URL we jump to (defaults to
$CFG->wwwroot if not set) when we click the 'Continue' button, not the message
string parameter object.

Forward ported from MOODLE_18_STABLE
2008-01-08 00:16:18 +00:00
iarenaza 4efbaec111 MDL-12323 MDL-4061 Don't connect to the LDAP server if update external is not set for any field.
Forward ported from MOODLE_18_STABLE
2007-12-28 12:08:57 +00:00
martinlanghoff 27278d2346 user_login() was not converted to using get_cache_flags().
It was still using the 'old' get_config() interface, so the 'cookie'
set by ntlmsso_finish() wasn't retrieved at all, and the automatic
login always failed.

Signed-off-by: Iñaki Arenaza <iarenuno@eteo.mondragon.edu>


Author: Iñaki Arenaza <iarenuno@eteo.mondragon.edu>
Committer: Martin Langhoff <martin@catalyst.net.nz>
2007-11-19 02:51:36 +00:00
martinlanghoff bb4bfe13df If the cache flag is not set, it doesn't make sense trying to test its value
Signed-off-by: Iñaki Arenaza <iarenuno@eteo.mondragon.edu>


Author: Iñaki Arenaza <iarenuno@eteo.mondragon.edu>
Committer: Martin Langhoff <martin@catalyst.net.nz>
2007-11-19 02:51:25 +00:00
martinlanghoff c124578f93 Fix typo in ntlmsso_finish()
Signed-off-by: Iñaki Arenaza <iarenuno@eteo.mondragon.edu>


Author: Iñaki Arenaza <iarenuno@eteo.mondragon.edu>
Committer: Martin Langhoff <martin@catalyst.net.nz>
2007-11-19 02:51:14 +00:00
martinlanghoff 2e2892ce89 auth/ldap: "creators" role assignment now also supports contexts
Now the DNs that indicate a course-creator role can also be contexts.
This way we support one more widely used practice in the weird and
wonderful LDAP world... MDL-12178
2007-11-19 02:50:55 +00:00
martinlanghoff 53cda2de31 MDL-9399 - auth/ldap NTLM SSO - fix a missing global 2007-11-14 23:40:50 +00:00
martinlanghoff c1ef755c30 MDL-9399 auth/ldap: NTLM temp sessions now use cache_flags
cache_flags is now the apropriate way to manage this kind of temp
data. It gives us time expiry and GC for free, so it's a perfect fit
for the job, as it simplifies the code a bit.
2007-11-14 23:39:41 +00:00
martinlanghoff 4912df1582 MDL-9399 auth/ldap: NTLM SSO - move textlib conversion earlier
From Iñaki Arenaza - fix for

... I forgot to put the textlib conversion
call before the block of code that uses $extusername, so it
completely breaks the user validation process.
2007-11-14 23:39:11 +00:00
martinlanghoff 6e45019417 MDL-9399 auth/ldap: NTLM SSO - cleanup of sesskey handling
Fix a bug in ntlmsso_finish(), and tighten up user_login() to avoid a
pointless DB lookup if the password doesn't match the sesskey.

Hopefully this makes things work again...
(thanks I~naki for the testing!)
2007-11-14 23:38:44 +00:00
martinlanghoff d8ee4dfa6e MDL-9399 auth/ldap: NTLM SSO - use sesskey and other tidyups
Several tidyups:

- use moodle_strtolower() for utf-8 correctness

 - use sesskey as the key instead of IP addr to support
   proxied users

 - clean the sesskey after success!

 - pull timeout out to a constant: AUTH_NTLMTIMEOUT
2007-11-14 23:38:31 +00:00
martinlanghoff 176307a26a MDL-9399 auth/ldap: Tighten NTLM AD checks to the appropriate OU
From Iñaki Arenaza...

Right now, if someone logs in via NTLM magic, we don't check if that
user is inside the contexts specified in the LDAP settings. I mean,
if I want to restrict my Moodle site to those users inside a given OU
or subtree of my LDAP directory, with the current code any valid user
in my whole AD domain (and if we are using a GC as the LDAP server,
the whole forest) can log in. We should check that the user is inside
one of the configured contexts before allowing his/her to log in.

Something along the lines of the attached patch could do it.
2007-11-14 23:37:53 +00:00
martinlanghoff 58af55c35e MDL-9399 auth/ldap: ntlmsso_finish() now completes the user session setup
As Iñaki points out, ntlmsso_finish() needs to do all the setup that
login/index.php would do for a user once auth succeeds. With this
patch, the session setup is complete so the logon is usable.
2007-11-14 23:37:40 +00:00
martinlanghoff afac1a0781 MDL-9399 auth/ldap: NTLM redirect only on initial GET
We only want to redirect when users are being shown the login page (on
GET) but not when users are POSTing to it, actually trying to login.
2007-11-14 23:37:26 +00:00
martinlanghoff a1353477c4 MDL-9399 auth/ldap: NTLM SSO - lots of fixes from Iñaki
Lots of typos and minor errors fixed by Iñaki. Thanks!
2007-11-14 23:37:10 +00:00
martinlanghoff 3ae767d8ba MDL-9399 auth/ldap: NTLM SSO - Resolve Moodle cookies issue, tighten config.php require()s
Use $nomoodlecookie global to avoid session troubles. Also

 * Ensure we load the appropriate config.php, even if we are executing
   under a strange environment (ie: with a user's credentials!)

 * Test we have a spacer gif to open before we open it
2007-11-14 23:36:56 +00:00
martinlanghoff 94beeb79c7 MDL-9399 auth/ldap: flesh out ntlmsso_* functions
Flesh out the functions that get the job done. These will be triggered
by PHP files sitting under auth/ldap/ ...

ntlmsso_magic() - here is where the magic happens. Call it serving
something harmless, like a space GIF, from a URL that is blessed with
Integrated Windows Authentication. If the IWA is successful, it will
set a special session cookie in config_plugins table.

It won't complete the job because when we are under IWA magic we
cannot change (even read!) the session data, as the execution happens
under the OS privileges of the actual user acct being logged in (!!!)

ntlmsso_finish() - if it finds the session set by ntlmsso_magic() and
it hasn't expired, it will finish the job of logging in the user, by
calling authenticate_user_login() and exercising the whole auth
machinery.

user_login() - when called by authenticate_user_login() it will check
to see if there's a session setup by ntlmsso_magic() and OK the login
without really asking the AD backend to proof a password we don't have
anyway.
2007-11-14 23:36:14 +00:00
martinlanghoff 056a54babe MDL-9399 auth/ldap: Introducing loginpage_hook(), ntlmsso_attempt(), ntlmsso_finish()
A work in progress -- initial loginpage_hook() and headers for the
remaining functions. One thing to consider here is that this won't
work if there's a proxy in the middle.

Does NTLM auth thingy support proxies?
2007-11-14 23:36:00 +00:00
martinlanghoff 04038968be MDL-9399 auth/ldap: Manage 2 new config settings for NTLM SSO
Changes in the forms and forms handling to set and edit NTLM SSO
related config options.
2007-11-14 23:35:46 +00:00
toyomoyo 4e3dad540c MDL-10509, LDAP username to be always in lowercase 2007-11-06 01:00:27 +00:00
iarenaza bb4e530b93 MDL-11299 - Make objectClass string comparison case insensitive.
LDAP serves accept attribute names in a case insensitive way, so don't
force the users to use any particular spelling.
2007-09-17 21:30:20 +00:00
skodak f6c80923bf MDL-10921 LDAP Auth to Active Directory requires LDAP_OPT_REFERRALS option set 2007-08-29 20:42:41 +00:00
skodak 90afcf3280 MDL-10260 added new user_delete() hook into auth plugins; refactored user delete code = new function delete_user() in moodlelib.php + improved cleanup in core tables when deleting user 2007-08-21 20:52:36 +00:00
ikawhero 831d450e3f Adding custom profile fields to the signup page.
The only two authentication plugins this affects are email and ldap.
2007-08-20 08:30:34 +00:00
nicolasconnault e295df447f MDL-10870 All files updated to new build_navigation() method. 2007-08-17 11:18:58 +00:00
poltawski 63b1cf1fe2 MDL-10343 - abort early when can't create temporary tables when syning users
from LDAP
2007-07-22 21:33:31 +00:00
skodak 9347082d10 MDL-10309 Broken password expiration support for LDAP user types rfc2307 and rfc2307bis, patch by Iñaki Arenaza; merged from MOODLE_18_STABLE 2007-07-01 15:42:36 +00:00
skodak 4225d4ba3a MDL-10068 "Lost Password" button does not work for ldap auth 2007-06-10 19:26:12 +00:00
skodak 7a4025d0b6 MDL-10061 LDAP user creation broken for Novell eDirectory since 1.8; patch by Iñaki Arenaza 2007-06-09 15:33:22 +00:00
skodak bffe39c6d5 MDL-4687 Password expiration support for AD (with patch) - patch by Iñaki Arenaza, thanks! 2007-05-30 08:54:52 +00:00
skodak 81fb221d31 MDL-9626 Enable user signup with Active Directory (via LDAP); patch by Iñaki Arenaza - thanks! 2007-05-30 08:47:00 +00:00
skodak 4db13f9465 MDL-9880 Remove user_activate() method from public API because it was used only from user_confirm() in LDAP, other plugins use only user_confirm()
MDL-9575 fix email signup in ldap auth mod
2007-05-21 20:33:42 +00:00
skodak 2cef74f91f MDL-9861 Password expiration value is calculated wrong when ldap_expirationtime2unix() returns 0 - patch by Iñaki Arenaza; merged from MOODLE_18_STABLE 2007-05-21 20:08:45 +00:00
moodler d0e84e1be0 Added Iñaki's patch from MDL-7233 for 1.9 - thanks! 2007-05-21 05:23:00 +00:00