auth/ldap MDL-23652 Error in auth_ldap_sync_users.php

We need to specify a valid user id in the call to role_assign(). And we only have to make the call if the user has been added successfully, not otherwise. Also make sure we lowercase the memberuser and group distinguished names before comparing them. Depending on the LDAP server we can get mixed case values for the DNs, and the user may have specified the creators group/ou name in a different case. By the way, this has been broken for ages (since the auth cleanup in 1.8, in 2007!). It's a bit strange nobody noticed before :-O Credit goes to Joe Chryst.
2025-04-21 00:12:56 +02:00 · 2010-08-07 00:40:16 +00:00 · 2010-08-07 00:40:16 +00:00 · 3e5f4b870e
commit 3e5f4b870e
parent a789ac6f6b
2 changed files with 6 additions and 5 deletions
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@ -866,14 +866,15 @@ class auth_plugin_ldap extends auth_plugin_base {
                    if (!empty($this->config->forcechangepassword)) {
                        set_user_preference('auth_forcepasswordchange', 1, $id);
                    }
+
+                    // Add course creators if needed
+                    if ($creatorrole !== false and $this->iscreator($user->username)) {
+                        role_assign($creatorrole->id, $id, $sitecontext->id, $this->roleauth);
+                    }
                } else {
                    echo "\t"; print_string('auth_dbinsertusererror', 'auth_db', $user->username); echo "\n";
                }

-                // Add course creators if needed
-                if ($creatorrole !== false and $this->iscreator($user->username)) {
-                    role_assign($creatorrole->id, $user->id, $sitecontext->id, $this->roleauth);
-                }
            }
            $transaction->allow_commit();
            unset($add_users); // free mem
--- a/lib/ldaplib.php
+++ b/lib/ldaplib.php
@ -125,7 +125,7 @@ function ldap_isgroupmember($ldapconnection, $userid, $group_dns, $member_attrib
        // Check cheaply if the user's DN sits in a subtree of the
        // "group" DN provided. Granted, this isn't a proper LDAP
        // group, but it's a popular usage.
-        if (stripos(strrev($userid), strrev($group)) === 0) {
+        if (stripos(strrev(strtolower($userid)), strrev(strtolower($group))) === 0) {
            $result = true;
            break;
        }