3 require_once("$CFG->dirroot/enrol/enrol.class.php");
5 class enrolment_plugin_ldap
{
9 var $enrol_localcoursefield = 'idnumber';
12 * This function syncs a user's enrolments with those on the LDAP server.
14 function setup_enrolments(&$user) {
17 //error_log('[ENROL_LDAP] setup_enrolments called');
19 // Connect to the external database
20 $ldap_connection = $this->enrol_ldap_connect();
21 if (!$ldap_connection) {
22 @ldap_close
($ldap_connection);
23 notify("[ENROL_LDAP] LDAP-module cannot connect to server: {$CFG->enrol_ldap_host_url}");
27 // we are connected OK, continue...
29 // Get all the possible roles
30 $roles = get_records('role');
32 // Make sure the config settings have been upgraded.
33 $this->check_legacy_config();
35 // Get the entire list of role assignments that currently exist for this user.
36 $roleassignments = get_records('role_assignments', 'userid', $user->id
);
37 if (!$roleassignments) {
38 $roleassignments = array();
41 // Get the ones that came from LDAP
42 $ldap_assignments = array_filter($roleassignments, create_function('$x', 'return $x->enrol == \'ldap\';'));
44 //error_log('[ENROL_LDAP] ' . count($roleassignments) . ' roles currently associated with this user');
46 // Get enrolments for each type of role from LDAP.
47 foreach($roles as $role) {
48 $enrolments = $this->find_ext_enrolments(
53 //error_log('[ENROL_LDAP] LDAP reports ' . count($enrolments) . ' enrolments of type ' . $role->shortname . '.');
55 foreach ($enrolments as $enrol){
57 $course_ext_id = $enrol[$CFG->enrol_ldap_course_idnumber
][0];
58 if(empty($course_ext_id)){
59 error_log("[ENROL_LDAP] The course external id is invalid!\n");
60 continue; // next; skip this one!
63 // create the course ir required
64 $course_obj = get_record( 'course',
65 $this->enrol_localcoursefield
,
68 if (empty($course_obj)){ // course doesn't exist
69 if($CFG->enrol_ldap_autocreate
){ // autocreate
70 error_log("[ENROL_LDAP] CREATE User $user->username enrolled to a nonexistant course $course_ext_id \n");
71 $newcourseid = $this->create_course($enrol);
72 $course_obj = get_record( 'course', 'id', $newcourseid);
74 error_log("[ENROL_LDAP] User $user->username enrolled to a nonexistant course $course_ext_id \n");
78 // deal with enrolment in the moodle db
79 if (!empty($course_obj)) { // does course exist now?
81 $context = get_context_instance(CONTEXT_COURSE
, $course_obj->id
);
82 //$courseroles = get_user_roles($context, $user->id);
84 if (!get_record('role_assignments', 'roleid', $role->id
, 'userid', $user->id
, 'contextid', $context->id
)) {
85 //error_log("[ENROL_LDAP] Assigning role '{$role->name}' to {$user->id} ({$user->username}) in course {$course_obj->id} ({$course_obj->shortname})");
86 if (!role_assign($role->id
, $user->id
, 0, $context->id
, 0, 0, 0, 'ldap')){
87 error_log("[ENROL_LDAP] Failed to assign role '{$role->name}' to $user->id ($user->username) into course $course_obj->id ($course_obj->shortname)");
90 //error_log("[ENROL_LDAP] Role '{$role->name}' already assigned to {$user->id} ({$user->username}) in course {$course_obj->id} ({$course_obj->shortname})");
93 // Remove the role from the list we created earlier. This
94 // way we can find those roles that are no longer required.
95 foreach($ldap_assignments as $key => $roleassignment) {
96 if ($roleassignment->roleid
== $role->id
97 && $roleassignment->contextid
== $context->id
) {
98 unset($ldap_assignments[$key]);
106 // ok, if there's any thing still left in the $roleassignments array we
107 // made at the start, we want to remove any of the ldap ones.
108 foreach ($ldap_assignments as $ra) {
109 if($ra->enrol
=== 'ldap') {
110 error_log("Unassigning role_assignment with id '{$ra->id}' from user {$user->id} ({$user->username})");
111 role_unassign($ra->roleid
, $user->id
, 0, $ra->contextid
, 'ldap');
115 @ldap_close
($ldap_connection);
117 //error_log('[ENROL_LDAP] finished with setup_enrolments');
122 /// sync enrolments with ldap, create courses if required.
123 function sync_enrolments($type, $enrol = false) {
126 // Get the role. If it doesn't exist, that is bad.
127 $role = get_record('role', 'shortname', $type);
129 notify("No such role: $type");
133 // Connect to the external database
134 $ldap_connection = $this->enrol_ldap_connect();
135 if (!$ldap_connection) {
136 @ldap_close
($ldap_connection);
137 notify("LDAP-module cannot connect to server: $CFG->ldap_host_url");
141 // we are connected OK, continue...
142 $this->enrol_ldap_bind($ldap_connection);
144 //get all contexts and look for first matching user
145 $ldap_contexts = explode(";",$CFG->{'enrol_ldap_contexts_role'.$role->id
});
147 // get all the fields we will want for the potential course creation
148 // as they are light. don't get membership -- potentially a lot of data.
149 $ldap_fields_wanted = array( 'dn', $CFG->enrol_ldap_course_idnumber
);
150 if (!empty($CFG->enrol_ldap_course_fullname
)){
151 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_fullname
);
153 if (!empty($CFG->enrol_ldap_course_shortname
)){
154 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_shortname
);
156 if (!empty($CFG->enrol_ldap_course_summary
)){
157 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_summary
);
160 array_push($ldap_fields_wanted, $CFG->{'enrol_ldap_memberattribute_role'.$role->id
});
163 // define the search pattern
164 if (!empty($CFG->enrol_ldap_objectclass
)){
165 $ldap_search_pattern='(objectclass='.$CFG->enrol_ldap_objectclass
.')';
167 $ldap_search_pattern="(objectclass=*)";
171 // first, pack the sortorder...
172 fix_course_sortorder();
174 foreach ($ldap_contexts as $context) {
176 $context = trim($context);
177 if ($CFG->enrol_ldap_search_sub
){
178 //use ldap_search to find first user from subtree
179 $ldap_result = @ldap_search
($ldap_connection,
181 $ldap_search_pattern,
182 $ldap_fields_wanted);
185 //search only in this context
186 $ldap_result = @ldap_list
($ldap_connection,
188 $ldap_search_pattern,
189 $ldap_fields_wanted,0,0);
192 // check and push results
193 $records = $ldap_result
194 ?
ldap_get_entries($ldap_connection,$ldap_result)
195 : array('count' => 0);
197 // ldap libraries return an odd array, really. fix it:
198 $flat_records=array();
199 for ($c=0;$c<$records['count'];$c++
) {
200 array_push($flat_records, $records["$c"]);
202 // free mem -- is there a leak?
203 $records=0; $ldap_result=0;
205 if (count($flat_records)) {
208 foreach($flat_records as $course){
209 $idnumber = $course{$CFG->enrol_ldap_course_idnumber
}[0];
210 print "== Synching $idnumber\n";
211 // does the course exist in moodle already?
213 $course_obj = get_record( 'course',
214 $this->enrol_localcoursefield
,
216 if (!is_object($course_obj)) {
217 // ok, now then let's create it!
218 print "Creating Course $idnumber...";
219 $newcourseid = $this->create_course($course, true); // we are skipping fix_course_sortorder()
220 $course_obj = get_record( 'course', 'id', $newcourseid);
221 if (is_object($course_obj)) {
228 // enrol&unenrol if required
229 if($enrol && is_object($course_obj)){
231 // Get a context object.
232 $context = get_context_instance(CONTEXT_COURSE
, $course_obj->id
);
234 // pull the ldap membership into a nice array
235 // this is an odd array -- mix of hash and array --
236 $ldapmembers=array();
238 if(array_key_exists('enrol_ldap_memberattribute_role'.$role->id
, $CFG)
239 && !empty($CFG->{'enrol_ldap_memberattribute_role'.$role->id
})
240 && !empty($course[strtolower($CFG->{'enrol_ldap_memberattribute_role'.$role->id
} ) ])){ // may have no membership!
242 $ldapmembers = $course[strtolower($CFG->{'enrol_ldap_memberattribute_role'.$role->id
} )];
243 unset($ldapmembers['count']); // remove oddity ;)
244 $ldapmembers = addslashes_recursive($ldapmembers);
247 // prune old ldap enrolments
248 // hopefully they'll fit in the max buffer size for the RDBMS
250 SELECT enr.userid AS user, 1
251 FROM '.$CFG->prefix
.'role_assignments enr
252 JOIN '.$CFG->prefix
.'user usr ON usr.id=enr.userid
253 WHERE enr.roleid = '.$role->id
.'
254 AND enr.contextid = '.$context->id
.'
255 AND enr.enrol = \'ldap\' ';
256 if (!empty($ldapmembers)) {
257 $sql .= 'AND usr.idnumber NOT IN (\''. join('\',\'', $ldapmembers).'\')';
259 print ("Empty enrolment for $course_obj->shortname \n");
261 $todelete = get_records_sql($sql);
262 if(!empty($todelete)){
263 foreach ($todelete as $member) {
264 $member = $member->user
;
266 if (role_unassign($role->id
, $member, 0, $context->id
, 'ldap')) {
267 print "Unassigned $type from $member for course $course_obj->id ($course_obj->shortname)\n";
269 print "Failed to unassign $type from $member for course $course_obj->id ($course_obj->shortname)\n";
274 // insert current enrolments
275 // bad we can't do INSERT IGNORE with postgres...
276 foreach ($ldapmembers as $ldapmember) {
277 $sql = 'SELECT id,1 FROM '.$CFG->prefix
.'user '
278 ." WHERE idnumber='$ldapmember'";
279 $member = get_record_sql($sql);
280 // print "sql: $sql \nidnumber = ".stripslashes($ldapmember)." \n".var_dump($member);
281 if(empty($member) ||
empty($member->id
)){
282 print "Could not find user ".stripslashes($ldapmember).", skipping\n";
285 $member = $member->id
;
286 if (!get_record('role_assignments', 'roleid', $role->id
,
287 'contextid', $context->id
,
288 'userid', $member, 'enrol', 'ldap')){
289 if (role_assign($role->id
, $member, 0, $context->id
, 0, 0, 0, 'ldap')){
290 print "Assigned role $type to $member (".stripslashes($ldapmember).") for course $course_obj->id ($course_obj->shortname)\n";
292 print "Failed to assign role $type to $member (".stripslashes($ldapmember).") for course $course_obj->id ($course_obj->shortname)\n";
301 // we are done now, a bit of housekeeping
302 fix_course_sortorder();
304 @ldap_close
($ldap_connection);
309 /// Overide the get_access_icons() function
310 function get_access_icons($course) {
314 /// Overrise the base config_form() function
315 function config_form($frm) {
318 $this->check_legacy_config();
320 include("$CFG->dirroot/enrol/ldap/config.html");
323 /// Override the base process_config() function
324 function process_config($config) {
326 $this->check_legacy_config();
328 if (!isset ($config->enrol_ldap_host_url
)) {
329 $config->enrol_ldap_host_url
= '';
331 set_config('enrol_ldap_host_url', $config->enrol_ldap_host_url
);
333 if (!isset ($config->enrol_ldap_version
)) {
334 $config->enrol_ldap_version
= '';
336 set_config('enrol_ldap_version', $config->enrol_ldap_version
);
338 if (!isset ($config->enrol_ldap_bind_dn
)) {
339 $config->enrol_ldap_bind_dn
= '';
341 set_config('enrol_ldap_bind_dn', $config->enrol_ldap_bind_dn
);
343 if (!isset ($config->enrol_ldap_bind_pw
)) {
344 $config->enrol_ldap_bind_pw
= '';
346 set_config('enrol_ldap_bind_pw', $config->enrol_ldap_bind_pw
);
348 if (!isset ($config->enrol_ldap_objectclass
)) {
349 $config->enrol_ldap_objectclass
= '';
351 set_config('enrol_ldap_objectclass', $config->enrol_ldap_objectclass
);
353 if (!isset ($config->enrol_ldap_category
)) {
354 $config->enrol_ldap_category
= '';
356 set_config('enrol_ldap_category', $config->enrol_ldap_category
);
358 if (!isset ($config->enrol_ldap_template
)) {
359 $config->enrol_ldap_template
= '';
361 set_config('enrol_ldap_template', $config->enrol_ldap_template
);
363 if (!isset ($config->enrol_ldap_course_fullname
)) {
364 $config->enrol_ldap_course_fullname
= '';
366 set_config('enrol_ldap_course_fullname', $config->enrol_ldap_course_fullname
);
368 if (!isset ($config->enrol_ldap_course_shortname
)) {
369 $config->enrol_ldap_course_shortname
= '';
371 set_config('enrol_ldap_course_shortname', $config->enrol_ldap_course_shortname
);
373 if (!isset ($config->enrol_ldap_course_summary
)) {
374 $config->enrol_ldap_course_summary
= '';
376 set_config('enrol_ldap_course_summary', $config->enrol_ldap_course_summary
);
378 if (!isset ($config->enrol_ldap_course_idnumber
)) {
379 $config->enrol_ldap_course_idnumber
= '';
381 set_config('enrol_ldap_course_idnumber', $config->enrol_ldap_course_idnumber
);
383 if (!isset ($config->enrol_localcoursefield
)) {
384 $config->enrol_localcoursefield
= '';
386 set_config('enrol_localcoursefield', $config->enrol_localcoursefield
);
388 if (!isset ($config->enrol_ldap_user_memberfield
)) {
389 $config->enrol_ldap_user_memberfield
= '';
391 set_config('enrol_ldap_user_memberfield', $config->enrol_ldap_user_memberfield
);
393 if (!isset ($config->enrol_ldap_search_sub
)) {
394 $config->enrol_ldap_search_sub
= '0';
396 set_config('enrol_ldap_search_sub', $config->enrol_ldap_search_sub
);
398 if (!isset ($config->enrol_ldap_autocreate
)) {
399 $config->enrol_ldap_autocreate
= '0';
401 set_config('enrol_ldap_autocreate', $config->enrol_ldap_autocreate
);
403 $roles = get_records('role');
404 foreach ($roles as $role) {
405 if (!isset($config->{'enrol_ldap_contexts_role'.$role->id
})) {
406 $config->{'enrol_ldap_contexts_role'.$role->id
} = '';
409 if (!isset($config->{'enrol_ldap_memberattribute_role'.$role->id
})) {
410 $config->{'enrol_ldap_memberattribute_role'.$role->id
} = '';
413 set_config('enrol_ldap_contexts_role'.$role->id
, $config->{'enrol_ldap_contexts_role'.$role->id
});
414 set_config('enrol_ldap_memberattribute_role'.$role->id
, $config->{'enrol_ldap_memberattribute_role'.$role->id
});
420 function enrol_ldap_connect(){
421 /// connects to ldap-server
424 $result = ldap_connect($CFG->enrol_ldap_host_url
);
427 if (!empty($CFG->enrol_ldap_version
)) {
428 ldap_set_option($result, LDAP_OPT_PROTOCOL_VERSION
, $CFG->enrol_ldap_version
);
431 if (!empty($CFG->enrol_ldap_bind_dn
)) {
432 $bind = ldap_bind( $result,
433 $CFG->enrol_ldap_bind_dn
,
434 $CFG->enrol_ldap_bind_pw
);
436 notify("Error in binding to LDAP server");
437 trigger_error("Error in binding to LDAP server $!");
443 notify("LDAP-module cannot connect to server: $CFG->enrol_ldap_host_url");
448 function enrol_ldap_bind($ldap_connection){
449 /// makes bind to ldap for searching users
450 /// uses ldap_bind_dn or anonymous bind
454 if ( ! empty($CFG->enrol_ldap_bind_dn
) ){
455 //bind with search-user
456 if (!ldap_bind($ldap_connection, $CFG->enrol_ldap_bind_dn
,$CFG->enrol_ldap_bind_pw
)){
457 notify("Error: could not bind ldap with ldap_bind_dn/pw");
463 if ( !ldap_bind($ldap_connection)){
464 notify("Error: could not bind ldap anonymously");
472 function find_ext_enrolments ($ldap_connection, $memberuid, $role){
473 /// role is a record from the mdl_role table
474 /// return multidimentional array array with of courses (at least dn and idnumber)
479 if(empty($memberuid)) { // No "idnumber" stored for this user, so no LDAP enrolments
483 //default return value
485 $this->enrol_ldap_bind($ldap_connection);
487 //get all contexts and look for first matching user
488 $ldap_contexts = explode(";",$CFG->{'enrol_ldap_contexts_role'.$role->id
});
490 // get all the fields we will want for the potential course creation
491 // as they are light. don't get membership -- potentially a lot of data.
492 $ldap_fields_wanted = array( 'dn', $CFG->enrol_ldap_course_idnumber
);
493 if (!empty($CFG->enrol_ldap_course_fullname
)){
494 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_fullname
);
496 if (!empty($CFG->enrol_ldap_course_shortname
)){
497 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_shortname
);
499 if (!empty($CFG->enrol_ldap_course_summary
)){
500 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_summary
);
503 // define the search pattern
504 $ldap_search_pattern = "(".$CFG->{'enrol_ldap_memberattribute_role'.$role->id
}."=".$memberuid.")";
505 if (!empty($CFG->enrol_ldap_objectclass
)){
506 $ldap_search_pattern='(&(objectclass='.$CFG->enrol_ldap_objectclass
.')'.$ldap_search_pattern.')';
509 foreach ($ldap_contexts as $context) {
510 $context == trim($context);
511 if (empty($context)) {
515 if ($CFG->enrol_ldap_search_sub
){
516 //use ldap_search to find first user from subtree
517 $ldap_result = ldap_search($ldap_connection,
519 $ldap_search_pattern,
520 $ldap_fields_wanted);
523 //search only in this context
524 $ldap_result = ldap_list($ldap_connection,
526 $ldap_search_pattern,
527 $ldap_fields_wanted);
530 // check and push results
531 $records = ldap_get_entries($ldap_connection,$ldap_result);
533 // ldap libraries return an odd array, really. fix it:
534 $flat_records=array();
535 for ($c=0;$c<$records['count'];$c++
) {
536 array_push($flat_records, $records["$c"]);
539 if (count($flat_records)) {
540 $courses = array_merge($courses, $flat_records);
547 // will create the moodle course from the template
548 // course_ext is an array as obtained from ldap -- flattened somewhat
549 // NOTE: if you pass true for $skip_fix_course_sortorder
550 // you will want to call fix_course_sortorder() after your are done
551 // with course creation
552 function create_course ($course_ext,$skip_fix_course_sortorder=0){
555 // override defaults with template course
556 if(!empty($CFG->enrol_ldap_template
)){
557 $course = get_record("course", 'shortname', $CFG->enrol_ldap_template
);
558 unset($course->id
); // so we are clear to reinsert the record
559 unset($course->sortorder
);
562 $course = new object();
563 $course->student
= get_string('defaultcoursestudent');
564 $course->students
= get_string('defaultcoursestudents');
565 $course->teacher
= get_string('defaultcourseteacher');
566 $course->teachers
= get_string('defaultcourseteachers');
567 $course->format
= 'topics';
570 // override with required ext data
571 $course->idnumber
= $course_ext[$CFG->enrol_ldap_course_idnumber
][0];
572 $course->fullname
= $course_ext[$CFG->enrol_ldap_course_fullname
][0];
573 $course->shortname
= $course_ext[$CFG->enrol_ldap_course_shortname
][0];
574 if ( empty($course->idnumber
)
575 ||
empty($course->fullname
)
576 ||
empty($course->shortname
) ) {
577 // we are in trouble!
578 error_log("Cannot create course: missing required data from the LDAP record!");
579 error_log(var_export($course, true));
583 $course->summary
= empty($CFG->enrol_ldap_course_summary
) ||
empty($course_ext[$CFG->enrol_ldap_course_summary
][0])
585 : $course_ext[$CFG->enrol_ldap_course_summary
][0];
587 if(!empty($CFG->enrol_ldap_category
)){ // optional ... but ensure it is set!
588 $course->category
= $CFG->enrol_ldap_category
;
590 if ($course->category
== 0){ // must be avoided as it'll break moodle
591 $course->category
= 1; // the misc 'catch-all' category
594 // define the sortorder (yuck)
595 $sort = get_record_sql('SELECT MAX(sortorder) AS max, 1 FROM ' . $CFG->prefix
. 'course WHERE category=' . $course->category
);
598 $course->sortorder
= $sort;
600 // override with local data
601 $course->startdate
= time();
602 $course->timecreated
= time();
603 $course->visible
= 1;
605 $course = addslashes_recursive($course);
608 if ($newcourseid = insert_record("course", $course)) { // Set up new course
609 $section = new object();
610 $section->course
= $newcourseid; // Create a default section.
611 $section->section
= 0;
612 $section->id
= insert_record("course_sections", $section);
613 $page = page_create_object(PAGE_COURSE_VIEW
, $newcourseid);
614 blocks_repopulate_page($page); // Return value no
617 if(!$skip_fix_course_sortorder){
618 fix_course_sortorder();
620 add_to_log($newcourseid, "course", "new", "view.php?id=$newcourseid", "enrol/ldap auto-creation");
622 error_log("Could not create new course from LDAP from DN:" . $course_ext['dn']);
623 notify("Serious Error! Could not create the new course!");
631 * This function checks for the presence of old 'legacy' config settings. If
632 * they exist, it corrects them.
636 function check_legacy_config () {
639 if (isset($CFG->enrol_ldap_student_contexts
)) {
640 if ($student_role = get_record('role', 'shortname', 'student')) {
641 set_config('enrol_ldap_contexts_role'.$student_role->id
, $CFG->enrol_ldap_student_contexts
);
644 unset_config('enrol_ldap_student_contexts');
647 if (isset($CFG->enrol_ldap_student_memberattribute
)) {
648 if (isset($student_role)
649 or $student_role = get_record('role', 'shortname', 'student')) {
650 set_config('enrol_ldap_memberattribute_role'.$student_role->id
, $CFG->enrol_ldap_student_memberattribute
);
653 unset_config('enrol_ldap_student_memberattribute');
656 if (isset($CFG->enrol_ldap_teacher_contexts
)) {
657 if ($teacher_role = get_record('role', 'shortname', 'teacher')) {
658 set_config('enrol_ldap_contexts_role'.$teacher_role->id
, $CFG->enrol_ldap_student_contexts
);
661 unset_config('enrol_ldap_teacher_contexts');
664 if (isset($CFG->enrol_ldap_teacher_memberattribute
)) {
665 if (isset($teacher_role)
666 or $teacher_role = get_record('role', 'shortname', 'teacher')) {
667 set_config('enrol_ldap_memberattribute_role'.$teacher_role->id
, $CFG->enrol_ldap_teacher_memberattribute
);
670 unset_config('enrol_ldap_teacher_memberattribute');
