MDL-12178 auth/ldap: "creators" role assignment now also supports contexts

Now the DNs that indicate a course-creator role can also be contexts.
This way we support one more widely used practice in the weird and
wonderful LDAP world...
martinlanghoff 2007-11-14 22:23:45 +00:00
parent 4025cf8031
commit 6626b9ab48
2 changed files with 14 additions and 2 deletions


@ -1443,8 +1443,11 @@ class auth_plugin_ldap extends auth_plugin_base {
/**
* checks if user belong to specific group(s)
* or is in a subtree.
*
* Returns true if user belongs group in grupdns string.
* Returns true if user belongs group in grupdns string OR
* if the DN of the user is in a subtree pf the DN provided
* as "group"
*
* @param mixed $username username
* @param mixed $groupdns string of group dn separated by ;
@ -1478,6 +1481,15 @@ class auth_plugin_ldap extends auth_plugin_base {
if (empty($group)) {
continue;
}
// check cheaply if the user's DN sits in a subtree
// of the "group" DN provided. Granted, this isn't
// a proper LDAP group, but it's a popular usage.
if (strpos(strrev($memberuser), strrev($group))===0) {
$result = true;
break;
}
//echo "Checking group $group for member $username\n";
$search = ldap_read($ldapconnection, $group, '('.$this->config->memberattribute.'='.$this->filter_addslashes($memberuser).')', array($this->config->memberattribute));
if (!empty($search) and ldap_count_entries($ldapconnection, $search)) {
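Review bot: The subtree test added in the second hunk, `strpos(strrev($memberuser), strrev($group))===0`, is a plain string-suffix comparison with no RDN boundary, so a configured DN such as `o=org` also matches a user DN that ends in `co=org`, and a match here hands out the course-creator role. Anchoring the suffix on the component separator closes that gap: `$suffix = ','.$group;` followed by `if ($memberuser === $group || substr($memberuser, -strlen($suffix)) === $suffix) {`. The comparison is also byte-exact, so differences in case or in spacing after commas between the configured DN and the directory's DN will silently fail to match; normalising both sides before comparing would make the behaviour predictable. `$memberuser` is assigned outside this hunk, and if it can hold a bare username rather than a DN the subtree branch should be skipped in that case. The function body starts and ends outside the hunk, so the surrounding loop and return path were not reviewed.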


@ -159,7 +159,7 @@ $string['auth_ldap_bind_settings'] = 'Bind settings';
$string['auth_ldap_contexts'] = 'List of contexts where users are located. Separate different contexts with \';\'. For example: \'ou=users,o=org; ou=others,o=org\'';
$string['auth_ldap_create_context'] = 'If you enable user creation with email confirmation, specify the context where users are created. This context should be different from other users to prevent security issues. You don\'t need to add this context to ldap_context-variable, Moodle will search for users from this context automatically.<br /><b>Note!</b> You have to modify the method user_create() in file auth/ldap/auth.php to make user creation work';
$string['auth_ldap_create_error'] = 'Error creating user in LDAP.';
$string['auth_ldap_creators'] = 'List of groups whose members are allowed to create new courses. Separate multiple groups with \';\'. Usually something like \'cn=teachers,ou=staff,o=myorg\'';
$string['auth_ldap_creators'] = 'List of groups or contexts whose members are allowed to create new courses. Separate multiple groups with \';\'. Usually something like \'cn=teachers,ou=staff,o=myorg\'';
$string['auth_ldap_expiration_desc'] = 'Select No to disable expired password checking or LDAP to read passwordexpiration time directly from LDAP';
$string['auth_ldap_expiration_warning_desc'] = 'Number of days before password expiration warning is issued.';
$string['auth_ldap_expireattr_desc'] = 'Optional: overrides ldap-attribute that stores password expiration time';