search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MDL-10239:
[moodle-linuxchix.git] / auth / cas / auth.php
blob5188d3f5322c112d02b33d08a00ae0891d2ef9ee
1 <?php
2 /**
3 * @author Martin Dougiamas
4 * @authro Jerome GUTIERREZ
5 * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
6 * @package moodle multiauth
7 *
8 * Authentication Plugin: CAS Authentication
9 *
10 * Authentication using CAS (Central Authentication Server).
11 *
12 * 2006-08-28 File created.
13 */
14 if (!defined('MOODLE_INTERNAL')) {
15 die('Direct access to this script is forbidden.'); /// It must be included from a Moodle page
16 }
17 require_once($CFG->libdir.'/authlib.php');
18 require_once($CFG->dirroot.'/auth/cas/CAS/CAS.php');
19 /**
20 * CAS authentication plugin.
21 */
22 class auth_plugin_cas extends auth_plugin_base {
23 /**
24 * Constructor.
25 */
26 function auth_plugin_cas() {
27 $this->authtype = 'cas';
28 $this->config = get_config('auth/cas');
29 if (empty($this->config->ldapencoding)) {
30 $this->config->ldapencoding = 'utf-8';
31 }
32 if (empty($this->config->user_type)) {
33 $this->config->user_type = 'default';
34 }
35 $default = $this->ldap_getdefaults();
36 //use defaults if values not given
37 foreach ($default as $key => $value) {
38 // watch out - 0, false are correct values too
39 if (!isset($this->config->{$key}) or $this->config->{$key} == '') {
40 $this->config->{$key} = $value[$this->config->user_type];
41 }
42 }
43 //hack prefix to objectclass
44 if (empty($this->config->objectclass)) { // Can't send empty filter
45 $this->config->objectclass='objectClass=*';
46 } else if (strpos($this->config->objectclass, 'objectClass=') !== 0) {
47 $this->config->objectclass = 'objectClass='.$this->config->objectclass;
48 }
49 }
50 /**
51 * Authenticates user againt CAS
52 * Returns true if the username and password work and false if they are
53 * wrong or don't exist.
54 *
55 * @param string $username The username
56 * @param string $password The password
57 * @return bool Authentication success or failure.
58 */
59 function user_login ($username, $password) {
60 $this->connectCAS();
61 return phpCAS::isAuthenticated();
62 }
63 /**
64 * Returns true if this authentication plugin is 'internal'.
65 *
66 * @return bool
67 */
68 function is_internal() {
69 return false;
70 }
71 /**
72 * Returns true if this authentication plugin can change the user's
73 * password.
74 *
75 * @return bool
76 */
77 function can_change_password() {
78 return false;
79 }
80 /**
81 * authentication choice (CAS or other)
82 * redirection to the CAS form or to login/index.php
83 * for other authentication
84 */
85 function loginpage_hook() {
86 global $frm;
87 global $CFG;
88 global $SESSION;
89
90 $site = get_site();
91 $CASform = get_string("CASform","auth");
92 $username = optional_param("username");
93
94 if (!empty($username)) {
95 if (strstr($SESSION->wantsurl,'ticket') || strstr($SESSION->wantsurl,'NOCAS'))
96 unset($SESSION->wantsurl);
97 return;
98 }
99
100 // Test si cas activé et paramêtres non remplis
101 if (empty($this->config->hostname)) {
102 return;
103 }
104
105 // Connection to CAS server
106 $this->connectCAS();
107
108 // Gestion de la connection CAS si accès direct d'un ent ou autre
109 if (phpCAS::checkAuthentication()) {
110 $frm->username=phpCAS::getUser();
111 // if (phpCAS::getUser()=='esup9992')
112 // $frm->username='erhar0062';
113 $frm->password="passwdCas";
114 return;
115 }
116
117 if ($this->config->multiauth) {
118 $authCAS = optional_param("authCAS");
119 if ($authCAS=="NOCAS")
120 return;
121
122 // choice authentication form for multi-authentication
123 // test pgtIou parameter for proxy mode (https connection
124 // in background from CAS server to the php server)
125 if ($authCAS!="CAS" && !isset($_GET["pgtIou"])) {
126 print_header("$site->fullname: $CASform", $site->fullname, $CASform);
127 include($CFG->dirroot."/auth/cas/cas_form.html");
128 print_footer();
129 exit();
130 }
131 }
132 // CAS authentication
133 if (!phpCAS::isAuthenticated())
134 {phpCAS::forceAuthentication();}
135 }
136 /**
137 * logout from the cas
138 *
139 * This function is called from admin/auth.php
140 *
141 */
142 function prelogout_hook() {
143 global $CFG;
144 if ($this->config->logoutcas ) {
145 $backurl = $CFG->wwwroot;
146 $this->connectCAS();
147 phpCAS::logout($backurl);
148 }
149 }
150 /**
151 * Connect to the cas (clientcas connection or proxycas connection
152 *
153 * This function is called from admin/auth.php
154 *
155 */
156 function connectCAS() {
157
158 global $PHPCAS_CLIENT;
159 // mode proxy CAS
160 if ( !is_object($PHPCAS_CLIENT) ) {
161 if ($this->config->proxycas) {
162 phpCAS::proxy($this->config->casversion, $this-> config->hostname, (int) $this->config->port, $this->config->baseuri);
163 }
164 // mode client CAS
165 else {
166 phpCAS::client($this->config->casversion, $this-> config->hostname, (int) $this->config->port, $this->config->baseuri);
167 }
168 }
169
170 }
171 /**
172 * Prints a form for configuring this authentication plugin.
173 *
174 * This function is called from admin/auth.php, and outputs a full page with
175 * a form for configuring this plugin.
176 *
177 * @param array $page An object containing all the data for this page.
178 */
179 function config_form($config, $err, $user_fields) {
180 include 'config.html';
181 }
182 /**
183 * Returns the URL for changing the user's pw, or empty if the default can
184 * be used.
185 *
186 * @return string
187 */
188 function change_password_url() {
189 return "";
190 }
191 /**
192 * returns predefined usertypes
193 *
194 * @return array of predefined usertypes
195 */
196 function ldap_suppported_usertypes() {
197 $types = array();
198 $types['edir']='Novell Edirectory';
199 $types['rfc2307']='posixAccount (rfc2307)';
200 $types['rfc2307bis']='posixAccount (rfc2307bis)';
201 $types['samba']='sambaSamAccount (v.3.0.7)';
202 $types['ad']='MS ActiveDirectory';
203 $types['default']=get_string('default');
204 return $types;
205 }
206 /**
207 * Processes and stores configuration data for this authentication plugin.
208 */
209 function process_config($config) {
210 // set to defaults if undefined
211 // CAS settings
212 if (!isset ($config->hostname))
213 $config->hostname = '';
214 if (!isset ($config->port))
215 $config->port = '';
216 if (!isset ($config->casversion))
217 $config->casversion = '';
218 if (!isset ($config->baseuri))
219 $config->baseuri = '';
220 if (!isset ($config->language))
221 $config->language = '';
222 if (!isset ($config->proxycas))
223 $config->proxycas = '';
224 if (!isset ($config->logoutcas))
225 $config->logoutcas = '';
226 if (!isset ($config->multiauth))
227 $config->multiauth = '';
228 // LDAP settings
229 if (!isset($config->host_url))
230 { $config->host_url = ''; }
231 if (empty($config->ldapencoding))
232 { $config->ldapencoding = 'utf-8'; }
233 if (!isset($config->contexts))
234 { $config->contexts = ''; }
235 if (!isset($config->user_type))
236 { $config->user_type = 'default'; }
237 if (!isset($config->user_attribute))
238 { $config->user_attribute = ''; }
239 if (!isset($config->search_sub))
240 { $config->search_sub = ''; }
241 if (!isset($config->opt_deref))
242 { $config->opt_deref = ''; }
243 if (!isset($config->bind_dn))
244 {$config->bind_dn = ''; }
245 if (!isset($config->bind_pw))
246 {$config->bind_pw = ''; }
247 if (!isset($config->version))
248 {$config->version = '2'; }
249 if (!isset($config->objectclass))
250 {$config->objectclass = ''; }
251 if (!isset($config->memberattribute))
252 {$config->memberattribute = ''; }
253 if (!isset($config->memberattribute_isdn))
254 {$config->memberattribute_isdn = ''; }
255 if (!isset($config->attrcreators))
256 {$config->attrcreators = ''; }
257 if (!isset($config->groupecreators))
258 {$config->groupecreators = ''; }
259 if (!isset($config->removeuser))
260 {$config->removeuser = 0; }
261 // save CAS settings
262 set_config('hostname', $config->hostname, 'auth/cas');
263 set_config('port', $config->port, 'auth/cas');
264 set_config('casversion', $config->casversion, 'auth/cas');
265 set_config('baseuri', $config->baseuri, 'auth/cas');
266 set_config('language', $config->language, 'auth/cas');
267 set_config('proxycas', $config->proxycas, 'auth/cas');
268 set_config('logoutcas', $config->logoutcas, 'auth/cas');
269 set_config('multiauth', $config->multiauth, 'auth/cas');
270 // save LDAP settings
271 set_config('host_url', $config->host_url, 'auth/cas');
272 set_config('ldapencoding', $config->ldapencoding, 'auth/cas');
273 set_config('host_url', $config->host_url, 'auth/cas');
274 set_config('contexts', $config->contexts, 'auth/cas');
275 set_config('user_type', $config->user_type, 'auth/cas');
276 set_config('user_attribute', $config->user_attribute, 'auth/cas');
277 set_config('search_sub', $config->search_sub, 'auth/cas');
278 set_config('opt_deref', $config->opt_deref, 'auth/cas');
279 set_config('bind_dn', $config->bind_dn, 'auth/cas');
280 set_config('bind_pw', $config->bind_pw, 'auth/cas');
281 set_config('version', $config->version, 'auth/cas');
282 set_config('objectclass', $config->objectclass, 'auth/cas');
283 set_config('memberattribute', $config->memberattribute, 'auth/cas');
284 set_config('memberattribute_isdn', $config->memberattribute_isdn, 'auth/cas');
285 set_config('attrcreators', $config->attrcreators, 'auth/cas');
286 set_config('groupecreators', $config->groupecreators, 'auth/cas');
287 set_config('removeuser', $config->removeuser, 'auth/cas');
288 return true;
289 }
290 /**
291 * Initializes needed ldap variables for cas-module
292 *
293 * Uses names defined in ldap_supported_usertypes.
294 * $default is first defined as:
295 * $default['pseudoname'] = array(
296 * 'typename1' => 'value',
297 * 'typename2' => 'value'
298 * ....
299 * );
300 *
301 * @return array of default values
302 */
303 function ldap_getdefaults() {
304 $default['objectclass'] = array(
305 'edir' => 'User',
306 'rfc2307' => 'posixAccount',
307 'rfc2307bis' => 'posixAccount',
308 'samba' => 'sambaSamAccount',
309 'ad' => 'user',
310 'default' => '*'
311 );
312 $default['user_attribute'] = array(
313 'edir' => 'cn',
314 'rfc2307' => 'uid',
315 'rfc2307bis' => 'uid',
316 'samba' => 'uid',
317 'ad' => 'cn',
318 'default' => 'cn'
319 );
320 $default['memberattribute'] = array(
321 'edir' => 'member',
322 'rfc2307' => 'member',
323 'rfc2307bis' => 'member',
324 'samba' => 'member',
325 'ad' => 'member',
326 'default' => 'member'
327 );
328 $default['memberattribute_isdn'] = array(
329 'edir' => '1',
330 'rfc2307' => '0',
331 'rfc2307bis' => '1',
332 'samba' => '0', //is this right?
333 'ad' => '1',
334 'default' => '0'
335 );
336 return $default;
337 }
338 /**
339 * reads userinformation from ldap and return it in array()
340 *
341 * Read user information from external database and returns it as array().
342 * Function should return all information available. If you are saving
343 * this information to moodle user-table you should honor syncronization flags
344 *
345 * @param string $username username (with system magic quotes)
346 *
347 * @return mixed array with no magic quotes or false on error
348 */
349 function get_userinfo($username) {
350 $textlib = textlib_get_instance();
351 $extusername = $textlib->convert(stripslashes($username), 'utf-8', $this->config->ldapencoding);
352 $ldapconnection = $this->ldap_connect();
353 $attrmap = $this->ldap_attributes();
354 $result = array();
355 $search_attribs = array();
356 foreach ($attrmap as $key=>$values) {
357 if (!is_array($values)) {
358 $values = array($values);
359 }
360 foreach ($values as $value) {
361 if (!in_array($value, $search_attribs)) {
362 array_push($search_attribs, $value);
363 }
364 }
365 }
366 $user_dn = $this->ldap_find_userdn($ldapconnection, $extusername);
367 if (!$user_info_result = ldap_read($ldapconnection, $user_dn, $this->config->objectclass, $search_attribs)) {
368 return false; // error!
369 }
370 $user_entry = $this->ldap_get_entries($ldapconnection, $user_info_result);
371 if (empty($user_entry)) {
372 return false; // entry not found
373 }
374 foreach ($attrmap as $key=>$values) {
375 if (!is_array($values)) {
376 $values = array($values);
377 }
378 $ldapval = NULL;
379 foreach ($values as $value) {
380 if ($value == 'dn') {
381 $result[$key] = $user_dn;
382 }
383 if (!array_key_exists(strtolower($value), $user_entry[0])) {
384 continue; // wrong data mapping!
385 }
386 if (is_array($user_entry[0][strtolower($value)])) {
387 $newval = $textlib->convert($user_entry[0][strtolower($value)][0], $this->config->ldapencoding, 'utf-8');
388 } else {
389 $newval = $textlib->convert($user_entry[0][strtolower($value)], $this->config->ldapencoding, 'utf-8');
390 }
391
392 if (!empty($newval)) { // favour ldap entries that are set
393 $ldapval = $newval;
394 }
395 }
396 if (!is_null($ldapval)) {
397 $result[$key] = $ldapval;
398 }
399 }
400 @ldap_close($ldapconnection);
401 return $result;
402 }
403 /**
404 * reads userinformation from ldap and return it in an object
405 *
406 * @param string $username username (with system magic quotes)
407 * @return mixed object or false on error
408 */
409 function get_userinfo_asobj($username) {
410 $user_array = $this->get_userinfo($username);
411 if ($user_array == false) {
412 return false; //error or not found
413 }
414 $user_array = truncate_userinfo($user_array);
415 $user = new object();
416 foreach ($user_array as $key=>$value) {
417 $user->{$key} = $value;
418 }
419 return $user;
420 }
421 /**
422 * connects to ldap server
423 *
424 * Tries connect to specified ldap servers.
425 * Returns connection result or error.
426 *
427 * @return connection result
428 */
429 function ldap_connect($binddn='',$bindpwd='') {
430 //Select bind password, With empty values use
431 //ldap_bind_* variables or anonymous bind if ldap_bind_* are empty
432 if ($binddn == '' and $bindpwd == '') {
433 if (!empty($this->config->bind_dn)) {
434 $binddn = $this->config->bind_dn;
435 }
436 if (!empty($this->config->bind_pw)) {
437 $bindpwd = $this->config->bind_pw;
438 }
439 }
440 $urls = explode(";",$this->config->host_url);
441 foreach ($urls as $server) {
442 $server = trim($server);
443 if (empty($server)) {
444 continue;
445 }
446 $connresult = ldap_connect($server);
447 //ldap_connect returns ALWAYS true
448 if (!empty($this->config->version)) {
449 ldap_set_option($connresult, LDAP_OPT_PROTOCOL_VERSION, $this->config->version);
450 }
451 if (!empty($binddn)) {
452 //bind with search-user
453 //$debuginfo .= 'Using bind user'.$binddn.'and password:'.$bindpwd;
454 $bindresult=ldap_bind($connresult, $binddn,$bindpwd);
455 }
456 else {
457 //bind anonymously
458 $bindresult=@ldap_bind($connresult);
459 }
460 if (!empty($this->config->opt_deref)) {
461 ldap_set_option($connresult, LDAP_OPT_DEREF, $this->config->opt_deref);
462 }
463 if ($bindresult) {
464 return $connresult;
465 }
466 $debuginfo .= "<br/>Server: '$server' <br/> Connection: '$connresult'<br/> Bind result: '$bindresult'</br>";
467 }
468 //If any of servers are alive we have already returned connection
469 print_error('auth_ldap_noconnect_all','auth',$this->config->user_type);
470 return false;
471 }
472 /**
473 * retuns user attribute mappings between moodle and ldap
474 *
475 * @return array
476 */
477 function ldap_attributes () {
478 $fields = array("firstname", "lastname", "email", "phone1", "phone2",
479 "department", "address", "city", "country", "description",
480 "idnumber", "lang" );
481 $moodleattributes = array();
482 foreach ($fields as $field) {
483 if (!empty($this->config->{"field_map_$field"})) {
484 $moodleattributes[$field] = $this->config->{"field_map_$field"};
485 if (preg_match('/,/',$moodleattributes[$field])) {
486 $moodleattributes[$field] = explode(',', $moodleattributes[$field]); // split ?
487 }
488 }
489 }
490 $moodleattributes['username'] = $this->config->user_attribute;
491 return $moodleattributes;
492 }
493 /**
494 * retuns dn of username
495 *
496 * Search specified contexts for username and return user dn
497 * like: cn=username,ou=suborg,o=org
498 *
499 * @param mixed $ldapconnection $ldapconnection result
500 * @param mixed $username username (external encoding no slashes)
501 *
502 */
503 function ldap_find_userdn ($ldapconnection, $extusername) {
504 //default return value
505 $ldap_user_dn = FALSE;
506 //get all contexts and look for first matching user
507 $ldap_contexts = explode(";",$this->config->contexts);
508 if (!empty($this->config->create_context)) {
509 array_push($ldap_contexts, $this->config->create_context);
510 }
511 foreach ($ldap_contexts as $context) {
512 $context = trim($context);
513 if (empty($context)) {
514 continue;
515 }
516 if ($this->config->search_sub) {
517 //use ldap_search to find first user from subtree
518 $ldap_result = ldap_search($ldapconnection, $context, "(".$this->config->user_attribute."=".$this->filter_addslashes($extusername).")",array($this->config->user_attribute));
519 }
520 else {
521 //search only in this context
522 $ldap_result = ldap_list($ldapconnection, $context, "(".$this->config->user_attribute."=".$this->filter_addslashes($extusername).")",array($this->config->user_attribute));
523 }
524 $entry = ldap_first_entry($ldapconnection,$ldap_result);
525 if ($entry) {
526 $ldap_user_dn = ldap_get_dn($ldapconnection, $entry);
527 break ;
528 }
529 }
530 return $ldap_user_dn;
531 }
532 /**
533 * Quote control characters in quoted "texts" used in ldap
534 *
535 * @param string
536 */
537 function ldap_addslashes($text) {
538 $text = str_replace('\\', '\\\\', $text);
539 $text = str_replace(array('"', "\0"),
540 array('\\"', '\\00'), $text);
541 return $text;
542 }
543 /**
544 * returns all usernames from external database
545 *
546 * get_userlist returns all usernames from external database
547 *
548 * @return array
549 */
550 function get_userlist() {
551 return $this->ldap_get_userlist("({$this->config->user_attribute}=*)");
552 }
553 /**
554 * checks if user exists on external db
555 *
556 * @param string $username (with system magic quotes)
557 */
558 function user_exists($username) {
559 $textlib = textlib_get_instance();
560 $extusername = $textlib->convert(stripslashes($username), 'utf-8', $this->config->ldapencoding);
561 //returns true if given username exist on ldap
562 $users = $this->ldap_get_userlist("({$this->config->user_attribute}=".$this->filter_addslashes($extusername).")");
563 return count($users);
564 }
565 /**
566 * syncronizes user fron external db to moodle user table
567 *
568 * Sync is now using username attribute.
569 *
570 * Syncing users removes or suspends users that dont exists anymore in external db.
571 * Creates new users and updates coursecreator status of users.
572 *
573 * @param int $bulk_insert_records will insert $bulkinsert_records per insert statement
574 * valid only with $unsafe. increase to a couple thousand for
575 * blinding fast inserts -- but test it: you may hit mysqld's
576 * max_allowed_packet limit.
577 * @param bool $do_updates will do pull in data updates from ldap if relevant
578 */
579 function sync_users ($bulk_insert_records = 1000, $do_updates = true) {
580 global $CFG;
581 $textlib = textlib_get_instance();
582 $droptablesql = array(); /// sql commands to drop the table (because session scope could be a problem for
583 /// some persistent drivers like ODBTP (mssql) or if this function is invoked
584 /// from within a PHP application using persistent connections
585 // configure a temp table
586 print "Configuring temp table\n";
587 switch (strtolower($CFG->dbfamily)) {
588 case 'mysql':
589 $temptable = $CFG->prefix . 'extuser';
590 $droptablesql[] = 'DROP TEMPORARY TABLE ' . $temptable; // sql command to drop the table (because session scope could be a problem)
591 execute_sql_arr($droptablesql, true, false); /// Drop temp table to avoid persistence problems later
592 echo "Creating temp table $temptable\n";
593 execute_sql('CREATE TEMPORARY TABLE ' . $temptable . ' (username VARCHAR(64), PRIMARY KEY (username)) TYPE=MyISAM', false);
594 break;
595 case 'postgres':
596 $temptable = $CFG->prefix . 'extuser';
597 $droptablesql[] = 'DROP TABLE ' . $temptable; // sql command to drop the table (because session scope could be a problem)
598 execute_sql_arr($droptablesql, true, false); /// Drop temp table to avoid persistence problems later
599 echo "Creating temp table $temptable\n";
600 $bulk_insert_records = 1; // no support for multiple sets of values
601 execute_sql('CREATE TEMPORARY TABLE '. $temptable . ' (username VARCHAR(64), PRIMARY KEY (username))', false);
602 break;
603 case 'mssql':
604 $temptable = '#'.$CFG->prefix . 'extuser'; /// MSSQL temp tables begin with #
605 $droptablesql[] = 'DROP TABLE ' . $temptable; // sql command to drop the table (because session scope could be a problem)
606 execute_sql_arr($droptablesql, true, false); /// Drop temp table to avoid persistence problems later
607 echo "Creating temp table $temptable\n";
608 $bulk_insert_records = 1; // no support for multiple sets of values
609 execute_sql('CREATE TABLE ' . $temptable . ' (username VARCHAR(64), PRIMARY KEY (username))', false);
610 break;
611 case 'oracle':
612 $temptable = $CFG->prefix . 'extuser';
613 $droptablesql[] = 'TRUNCATE TABLE ' . $temptable; // oracle requires truncate before being able to drop a temp table
614 $droptablesql[] = 'DROP TABLE ' . $temptable; // sql command to drop the table (because session scope could be a problem)
615 execute_sql_arr($droptablesql, true, false); /// Drop temp table to avoid persistence problems later
616 echo "Creating temp table $temptable\n";
617 $bulk_insert_records = 1; // no support for multiple sets of values
618 execute_sql('CREATE GLOBAL TEMPORARY TABLE '.$temptable.' (username VARCHAR(64), PRIMARY KEY (username)) ON COMMIT PRESERVE ROWS', false);
619 break;
620 }
621 print "Connecting to ldap...\n";
622 $ldapconnection = $this->ldap_connect();
623 if (!$ldapconnection) {
624 @ldap_close($ldapconnection);
625 print get_string('auth_ldap_noconnect','auth',$this->config->host_url);
626 exit;
627 }
628 ////
629 //// get user's list from ldap to sql in a scalable fashion
630 ////
631 // prepare some data we'll need
632 $filter = "(&(".$this->config->user_attribute."=*)(".$this->config->objectclass."))";
633 $contexts = explode(";",$this->config->contexts);
634 if (!empty($this->config->create_context)) {
635 array_push($contexts, $this->config->create_context);
636 }
637 $fresult = array();
638 foreach ($contexts as $context) {
639 $context = trim($context);
640 if (empty($context)) {
641 continue;
642 }
643 begin_sql();
644 if ($this->config->search_sub) {
645 //use ldap_search to find first user from subtree
646 $ldap_result = ldap_search($ldapconnection, $context,
647 $filter,
648 array($this->config->user_attribute));
649 } else {
650 //search only in this context
651 $ldap_result = ldap_list($ldapconnection, $context,
652 $filter,
653 array($this->config->user_attribute));
654 }
655 if ($entry = ldap_first_entry($ldapconnection, $ldap_result)) {
656 do {
657 $value = ldap_get_values_len($ldapconnection, $entry, $this->config->user_attribute);
658 $value = $textlib->convert($value[0], $this->config->ldapencoding, 'utf-8');
659 array_push($fresult, $value);
660 if (count($fresult) >= $bulk_insert_records) {
661 $this->ldap_bulk_insert($fresult, $temptable);
662 $fresult = array();
663 }
664 } while ($entry = ldap_next_entry($ldapconnection, $entry));
665 }
666 unset($ldap_result); // free mem
667 // insert any remaining users and release mem
668 if (count($fresult)) {
669 $this->ldap_bulk_insert($fresult, $temptable);
670 $fresult = array();
671 }
672 commit_sql();
673 }
674 /// preserve our user database
675 /// if the temp table is empty, it probably means that something went wrong, exit
676 /// so as to avoid mass deletion of users; which is hard to undo
677 $count = get_record_sql('SELECT COUNT(username) AS count, 1 FROM ' . $temptable);
678 $count = $count->{'count'};
679 if ($count < 1) {
680 print "Did not get any users from LDAP -- error? -- exiting\n";
681 exit;
682 } else {
683 print "Got $count records from LDAP\n\n";
684 }
685 /// User removal
686 // find users in DB that aren't in ldap -- to be removed!
687 // this is still not as scalable (but how often do we mass delete?)
688 if (!empty($this->config->removeuser)) {
689 $sql = "SELECT u.id, u.username, u.email
690 FROM {$CFG->prefix}user u
691 LEFT JOIN $temptable e ON u.username = e.username
692 WHERE u.auth='cas'
693 AND u.deleted=0
694 AND e.username IS NULL";
695 $remove_users = get_records_sql($sql);
696 if (!empty($remove_users)) {
697 print "User entries to remove: ". count($remove_users) . "\n";
698 begin_sql();
699 foreach ($remove_users as $user) {
700 if ($this->config->removeuser == 2) {
701 //following is copy pasted from admin/user.php
702 //maybe this should moved to function in lib/datalib.php
703 $updateuser = new object();
704 $updateuser->id = $user->id;
705 $updateuser->deleted = 1;
706 $updateuser->username = addslashes("$user->email.".time()); // Remember it just in case
707 $updateuser->email = ''; // Clear this field to free it up
708 $updateuser->idnumber = ''; // Clear this field to free it up
709 $updateuser->timemodified = time();
710 if (update_record('user', $updateuser)) {
711 delete_records('role_assignments', 'userid', $user->id); // unassign all roles
712 //copy pasted part ends
713 echo "\t"; print_string('auth_dbdeleteuser', 'auth', array($user->username, $user->id)); echo "\n";
714 } else {
715 echo "\t"; print_string('auth_dbdeleteusererror', 'auth', $user->username); echo "\n";
716 }
717 } else if ($this->config->removeuser == 1) {
718 $updateuser = new object();
719 $updateuser->id = $user->id;
720 $updateuser->auth = 'nologin';
721 if (update_record('user', $updateuser)) {
722 echo "\t"; print_string('auth_dbsuspenduser', 'auth', array($user->username, $user->id)); echo "\n";
723 } else {
724 echo "\t"; print_string('auth_dbsuspendusererror', 'auth', $user->username); echo "\n";
725 }
726 }
727 }
728 commit_sql();
729 } else {
730 print "No user entries to be removed\n";
731 }
732 unset($remove_users); // free mem!
733 }
734 /// Revive suspended users
735 if (!empty($this->config->removeuser) and $this->config->removeuser == 1) {
736 $sql = "SELECT u.id, u.username
737 FROM $temptable e, {$CFG->prefix}user u
738 WHERE e.username=u.username
739 AND u.auth='nologin'";
740 $revive_users = get_records_sql($sql);
741 if (!empty($revive_users)) {
742 print "User entries to be revived: ". count($revive_users) . "\n";
743 begin_sql();
744 foreach ($revive_users as $user) {
745 $updateuser = new object();
746 $updateuser->id = $user->id;
747 $updateuser->auth = 'cas';
748 if (update_record('user', $updateuser)) {
749 echo "\t"; print_string('auth_dbreviveser', 'auth', array($user->username, $user->id)); echo "\n";
750 } else {
751 echo "\t"; print_string('auth_dbreviveusererror', 'auth', $user->username); echo "\n";
752 }
753 }
754 commit_sql();
755 } else {
756 print "No user entries to be revived\n";
757 }
758 unset($revive_users);
759 }
760 /// User Updates - time-consuming (optional)
761 if ($do_updates) {
762 // narrow down what fields we need to update
763 $all_keys = array_keys(get_object_vars($this->config));
764 $updatekeys = array();
765 foreach ($all_keys as $key) {
766 if (preg_match('/^field_updatelocal_(.+)$/',$key, $match)) {
767 // if we have a field to update it from
768 // and it must be updated 'onlogin' we
769 // update it on cron
770 if ( !empty($this->config->{'field_map_'.$match[1]})
771 and $this->config->{$match[0]} === 'onlogin') {
772 array_push($updatekeys, $match[1]); // the actual key name
773 }
774 }
775 }
776 // print_r($all_keys); print_r($updatekeys);
777 unset($all_keys); unset($key);
778 } else {
779 print "No updates to be done\n";
780 }
781 if ( $do_updates and !empty($updatekeys) ) { // run updates only if relevant
782 $users = get_records_sql("SELECT u.username, u.id
783 FROM {$CFG->prefix}user u
784 WHERE u.deleted=0 AND u.auth='cas'");
785 if (!empty($users)) {
786 print "User entries to update: ". count($users). "\n";
787 $sitecontext = get_context_instance(CONTEXT_SYSTEM);
788 if (!empty($this->config->creators) and !empty($this->config->memberattribute)
789 and $roles = get_roles_with_capability('moodle/legacy:coursecreator', CAP_ALLOW)) {
790 $creatorrole = array_shift($roles); // We can only use one, let's use the first one
791 } else {
792 $creatorrole = false;
793 }
794 begin_sql();
795 $xcount = 0;
796 $maxxcount = 100;
797 foreach ($users as $user) {
798 echo "\t"; print_string('auth_dbupdatinguser', 'auth', array($user->username, $user->id));
799 if (!$this->update_user_record(addslashes($user->username), $updatekeys)) {
800 echo " - ".get_string('skipped');
801 }
802 echo "\n";
803 $xcount++;
804 // update course creators if needed
805 if ($creatorrole !== false) {
806 if ($this->iscreator($user->username)) {
807 role_assign($creatorrole->id, $user->id, 0, $sitecontext->id, 0, 0, 0, 'cas');
808 } else {
809 role_unassign($creatorrole->id, $user->id, 0, $sitecontext->id, 'cas');
810 }
811 }
812 if ($xcount++ > $maxxcount) {
813 commit_sql();
814 begin_sql();
815 $xcount = 0;
816 }
817 }
818 commit_sql();
819 unset($users); // free mem
820 }
821 } else { // end do updates
822 print "No updates to be done\n";
823 }
824 /// User Additions
825 // find users missing in DB that are in LDAP
826 // note that get_records_sql wants at least 2 fields returned,
827 // and gives me a nifty object I don't want.
828 // note: we do not care about deleted accounts anymore, this feature was replaced by suspending to nologin auth plugin
829 $sql = "SELECT e.username, e.username
830 FROM $temptable e LEFT JOIN {$CFG->prefix}user u ON e.username = u.username
831 WHERE u.id IS NULL";
832 $add_users = get_records_sql($sql); // get rid of the fat
833 if (!empty($add_users)) {
834 print "User entries to add: ". count($add_users). "\n";
835 $sitecontext = get_context_instance(CONTEXT_SYSTEM);
836 if (!empty($this->config->creators) and !empty($this->config->memberattribute)
837 and $roles = get_roles_with_capability('moodle/legacy:coursecreator', CAP_ALLOW)) {
838 $creatorrole = array_shift($roles); // We can only use one, let's use the first one
839 } else {
840 $creatorrole = false;
841 }
842 begin_sql();
843 foreach ($add_users as $user) {
844 $user = $this->get_userinfo_asobj(addslashes($user->username));
845 // prep a few params
846 $user->modified = time();
847 $user->confirmed = 1;
848 $user->auth = 'cas';
849 $user->mnethostid = $CFG->mnet_localhost_id;
850 if (empty($user->lang)) {
851 $user->lang = $CFG->lang;
852 }
853 $user = addslashes_recursive($user);
854 if ($id = insert_record('user',$user)) {
855 echo "\t"; print_string('auth_dbinsertuser', 'auth', array(stripslashes($user->username), $id)); echo "\n";
856 $userobj = $this->update_user_record($user->username);
857 if (!empty($this->config->forcechangepassword)) {
858 set_user_preference('auth_forcepasswordchange', 1, $userobj->id);
859 }
860 } else {
861 echo "\t"; print_string('auth_dbinsertusererror', 'auth', $user->username); echo "\n";
862 }
863 // add course creators if needed
864 if ($creatorrole !== false and $this->iscreator(stripslashes($user->username))) {
865 role_assign($creatorrole->id, $user->id, 0, $sitecontext->id, 0, 0, 0, 'cas');
866 }
867 }
868 commit_sql();
869 unset($add_users); // free mem
870 } else {
871 print "No users to be added\n";
872 }
873 return true;
874 }
875 /**
876 * Update a local user record from an external source.
877 * This is a lighter version of the one in moodlelib -- won't do
878 * expensive ops such as enrolment.
879 *
880 * If you don't pass $updatekeys, there is a performance hit and
881 * values removed from LDAP won't be removed from moodle.
882 *
883 * @param string $username username (with system magic quotes)
884 */
885 function update_user_record($username, $updatekeys = false) {
886 global $CFG;
887 //just in case check text case
888 $username = trim(moodle_strtolower($username));
889 // get the current user record
890 $user = get_record('user', 'username', $username, 'mnethostid', $CFG->mnet_localhost_id);
891 if (empty($user)) { // trouble
892 error_log("Cannot update non-existent user: ".stripslashes($username));
893 print_error('auth_dbusernotexist','auth',$username);
894 die;
895 }
896 // Protect the userid from being overwritten
897 $userid = $user->id;
898 if ($newinfo = $this->get_userinfo($username)) {
899 $newinfo = truncate_userinfo($newinfo);
900 if (empty($updatekeys)) { // all keys? this does not support removing values
901 $updatekeys = array_keys($newinfo);
902 }
903 foreach ($updatekeys as $key) {
904 if (isset($newinfo[$key])) {
905 $value = $newinfo[$key];
906 } else {
907 $value = '';
908 }
909 if (!empty($this->config->{'field_updatelocal_' . $key})) {
910 if ($user->{$key} != $value) { // only update if it's changed
911 set_field('user', $key, addslashes($value), 'id', $userid);
912 }
913 }
914 }
915 } else {
916 return false;
917 }
918 return get_record_select('user', "id = $userid AND deleted = 0");
919 }
920 /**
921 * Bulk insert in SQL's temp table
922 * @param array $users is an array of usernames
923 */
924 function ldap_bulk_insert($users, $temptable) {
925 // bulk insert -- superfast with $bulk_insert_records
926 $sql = 'INSERT INTO ' . $temptable . ' (username) VALUES ';
927 // make those values safe
928 $users = addslashes_recursive($users);
929 // join and quote the whole lot
930 $sql = $sql . "('" . implode("'),('", $users) . "')";
931 print "\t+ " . count($users) . " users\n";
932 execute_sql($sql, false);
933 }
934 /**
935 * Returns true if user should be coursecreator.
936 *
937 * @param mixed $username username (without system magic quotes)
938 * @return boolean result
939 */
940 function iscreator($username) {
941 if ((empty($this->config->attrcreators) && empty($this->config->groupecreators)) or empty($this->config->memberattribute)) {
942 return null;
943 }
944 $textlib = textlib_get_instance();
945 $extusername = $textlib->convert($username, 'utf-8', $this->config->ldapencoding);
946 //test for groupe creator
947 if (!empty($this->config->groupecreators))
948 if ((boolean)$this->ldap_isgroupmember($extusername, $this->config->groupecreators))
949 return true;
950 //build filter for attrcreator
951 if (!empty($this->config->attrcreators)) {
952 $attrs = explode(";",$this->config->attrcreators);
953 $filter = "(& (".$this->config->user_attribute."=$username)(|";
954 foreach ($attrs as $attr){
955 if(strpos($attr, "="))
956 $filter .= "($attr)";
957 else
958 $filter .= "(".$this->config->memberattribute."=$attr)";
959 }
960 $filter .= "))";
961 //search
962 $result = $this->ldap_get_userlist($filter);
963 if (count($result)!=0)
964 return true;
965 }
966
967 return false;
968 }
969 /**
970 * checks if user belong to specific group(s)
971 *
972 * Returns true if user belongs group in grupdns string.
973 *
974 * @param mixed $username username
975 * @param mixed $groupdns string of group dn separated by ;
976 *
977 */
978 function ldap_isgroupmember($extusername='', $groupdns='') {
979 // Takes username and groupdn(s) , separated by ;
980 // Returns true if user is member of any given groups
981 $ldapconnection = $this->ldap_connect();
982 if (empty($extusername) or empty($groupdns)) {
983 return false;
984 }
985 if ($this->config->memberattribute_isdn) {
986 $memberuser = $this->ldap_find_userdn($ldapconnection, $extusername);
987 } else {
988 $memberuser = $extusername;
989 }
990 if (empty($memberuser)) {
991 return false;
992 }
993 $groups = explode(";",$groupdns);
994 $result = false;
995 foreach ($groups as $group) {
996 $group = trim($group);
997 if (empty($group)) {
998 continue;
999 }
1000 //echo "Checking group $group for member $username\n";
1001 $search = ldap_read($ldapconnection, $group, '('.$this->config->memberattribute.'='.$this->filter_addslashes($memberuser).')', array($this->config->memberattribute));
1002 if (!empty($search) and ldap_count_entries($ldapconnection, $search)) {
1003 $info = $this->ldap_get_entries($ldapconnection, $search);
1004 if (count($info) > 0 ) {
1005 // user is member of group
1006 $result = true;
1007 break;
1008 }
1009 }
1010 }
1011 return $result;
1012 }
1013 /**
1014 * return all usernames from ldap
1015 *
1016 * @return array
1017 */
1018 function ldap_get_userlist($filter="*") {
1019 /// returns all users from ldap servers
1020 $fresult = array();
1021 $ldapconnection = $this->ldap_connect();
1022 if ($filter=="*") {
1023 $filter = "(&(".$this->config->user_attribute."=*)(".$this->config->objectclass."))";
1024 }
1025 $contexts = explode(";",$this->config->contexts);
1026 if (!empty($this->config->create_context)) {
1027 array_push($contexts, $this->config->create_context);
1028 }
1029 foreach ($contexts as $context) {
1030 $context = trim($context);
1031 if (empty($context)) {
1032 continue;
1033 }
1034 if ($this->config->search_sub) {
1035 //use ldap_search to find first user from subtree
1036 $ldap_result = ldap_search($ldapconnection, $context,$filter,array($this->config->user_attribute));
1037 }
1038 else {
1039 //search only in this context
1040 $ldap_result = ldap_list($ldapconnection, $context,
1041 $filter,
1042 array($this->config->user_attribute));
1043 }
1044 $users = $this->ldap_get_entries($ldapconnection, $ldap_result);
1045 //add found users to list
1046 for ($i=0;$i<count($users);$i++) {
1047 array_push($fresult, ($users[$i][$this->config->user_attribute][0]) );
1048 }
1049 }
1050 return $fresult;
1051 }
1052 /**
1053 * return entries from ldap
1054 *
1055 * Returns values like ldap_get_entries but is
1056 * binary compatible and return all attributes as array
1057 *
1058 * @return array ldap-entries
1059 */
1060 function ldap_get_entries($conn, $searchresult) {
1061 //Returns values like ldap_get_entries but is
1062 //binary compatible
1063 $i=0;
1064 $fresult=array();
1065 $entry = ldap_first_entry($conn, $searchresult);
1066 do {
1067 $attributes = @ldap_get_attributes($conn, $entry);
1068 for ($j=0; $j<$attributes['count']; $j++) {
1069 $values = ldap_get_values_len($conn, $entry,$attributes[$j]);
1070
1071 if (is_array($values)) {
1072 $fresult[$i][strtolower($attributes[$j])] = $values;
1073 }
1074 else {
1075 $fresult[$i][strtolower($attributes[$j])] = array($values);
1076 }
1077 }
1078 $i++;
1079 }
1080 while ($entry = @ldap_next_entry($conn, $entry));
1081 //were done
1082
1083 return ($fresult);
1084 }
1085 /**
1086 * Sync roles for this user
1087 *
1088 * @param $user object user object (without system magic quotes)
1089 */
1090 function sync_roles($user) {
1091 $iscreator = $this->iscreator($user->username);
1092 if ($iscreator === null) {
1093 return; //nothing to sync - creators not configured
1094 }
1095 if ($roles = get_roles_with_capability('moodle/legacy:coursecreator', CAP_ALLOW)) {
1096 $creatorrole = array_shift($roles); // We can only use one, let's use the first one
1097 $systemcontext = get_context_instance(CONTEXT_SYSTEM);
1098 if ($iscreator) { // Following calls will not create duplicates
1099 role_assign($creatorrole->id, $user->id, 0, $systemcontext->id, 0, 0, 0, 'cas');
1100 } else {
1101 //unassign only if previously assigned by this plugin!
1102 role_unassign($creatorrole->id, $user->id, 0, $systemcontext->id, 'cas');
1103 }
1104 }
1105 }
1106 /**
1107 * Quote control characters in texts used in ldap filters - see rfc2254.txt
1108 *
1109 * @param string
1110 */
1111 function filter_addslashes($text) {
1112 $text = str_replace('\\', '\\5c', $text);
1113 $text = str_replace(array('*', '(', ')', "\0"),
1114 array('\\2a', '\\28', '\\29', '\\00'), $text);
1115 return $text;
1116 }
1117 }
1118 ?>
Moodle Repo, with LinuxChix modifications