MDL-11515:
[moodle-linuxchix.git] / enrol / ldap / enrol.php
blobd5795e3312e6f66e2ad6a69ce989d1e9da1717db
1 <?php // $Id$
3 require_once("$CFG->dirroot/enrol/enrol.class.php");
5 class enrolment_plugin_ldap {
7 var $log;
9 var $enrol_localcoursefield = 'idnumber';
11 /**
12 * This function syncs a user's enrolments with those on the LDAP server.
14 function setup_enrolments(&$user) {
15 global $CFG;
17 //error_log('[ENROL_LDAP] setup_enrolments called');
19 // Connect to the external database
20 $ldap_connection = $this->enrol_ldap_connect();
21 if (!$ldap_connection) {
22 @ldap_close($ldap_connection);
23 notify("[ENROL_LDAP] LDAP-module cannot connect to server: {$CFG->enrol_ldap_host_url}");
24 return false;
27 // we are connected OK, continue...
29 // Get all the possible roles
30 $roles = get_records('role');
32 // Make sure the config settings have been upgraded.
33 $this->check_legacy_config();
35 // Get the entire list of role assignments that currently exist for this user.
36 $roleassignments = get_records('role_assignments', 'userid', $user->id);
37 if (!$roleassignments) {
38 $roleassignments = array();
41 // Get the ones that came from LDAP
42 $ldap_assignments = array_filter($roleassignments, create_function('$x', 'return $x->enrol == \'ldap\';'));
44 //error_log('[ENROL_LDAP] ' . count($roleassignments) . ' roles currently associated with this user');
46 // Get enrolments for each type of role from LDAP.
47 foreach($roles as $role) {
48 $enrolments = $this->find_ext_enrolments(
49 $ldap_connection,
50 $user->idnumber ,
51 $role);
53 //error_log('[ENROL_LDAP] LDAP reports ' . count($enrolments) . ' enrolments of type ' . $role->shortname . '.');
55 foreach ($enrolments as $enrol){
57 $course_ext_id = $enrol[$CFG->enrol_ldap_course_idnumber][0];
58 if(empty($course_ext_id)){
59 error_log("[ENROL_LDAP] The course external id is invalid!\n");
60 continue; // next; skip this one!
63 // create the course ir required
64 $course_obj = get_record( 'course',
65 $this->enrol_localcoursefield,
66 $course_ext_id );
68 if (empty($course_obj)){ // course doesn't exist
69 if($CFG->enrol_ldap_autocreate){ // autocreate
70 error_log("[ENROL_LDAP] CREATE User $user->username enrolled to a nonexistant course $course_ext_id \n");
71 $newcourseid = $this->create_course($enrol);
72 $course_obj = get_record( 'course',
73 $this->enrol_localcoursefield,
74 $newcourseid);
75 } else {
76 error_log("[ENROL_LDAP] User $user->username enrolled to a nonexistant course $course_ext_id \n");
78 } else { // the course object exists before we call...
79 if ($course_obj->visible==0) {
80 // non-visible courses don't show up in the enrolled
81 // array, so we should skip them --
82 continue;
86 // deal with enrolment in the moodle db
87 if (!empty($course_obj)) { // does course exist now?
89 $context = get_context_instance(CONTEXT_COURSE, $course_obj->id);
90 //$courseroles = get_user_roles($context, $user->id);
92 if (!get_record('role_assignments', 'roleid', $role->id, 'userid', $user->id, 'contextid', $context->id)) {
93 //error_log("[ENROL_LDAP] Assigning role '{$role->name}' to {$user->id} ({$user->username}) in course {$course_obj->id} ({$course_obj->shortname})");
94 if (!role_assign($role->id, $user->id, 0, $context->id, 0, 0, 0, 'ldap')){
95 error_log("[ENROL_LDAP] Failed to assign role '{$role->name}' to $user->id ($user->username) into course $course_obj->id ($course_obj->shortname)");
97 } else {
98 //error_log("[ENROL_LDAP] Role '{$role->name}' already assigned to {$user->id} ({$user->username}) in course {$course_obj->id} ({$course_obj->shortname})");
101 // Remove the role from the list we created earlier. This
102 // way we can find those roles that are no longer required.
103 foreach($ldap_assignments as $key => $roleassignment) {
104 if ($roleassignment->roleid == $role->id
105 && $roleassignment->contextid == $context->id) {
106 unset($ldap_assignments[$key]);
107 break;
114 // ok, if there's any thing still left in the $roleassignments array we
115 // made at the start, we want to remove any of the ldap ones.
116 foreach ($ldap_assignments as $ra) {
117 if($ra->enrol === 'ldap') {
118 error_log("Unassigning role_assignment with id '{$ra->id}' from user {$user->id} ({$user->username})");
119 role_unassign($ra->id, $user->id, 0, $ra->contextid, 'ldap');
123 @ldap_close($ldap_connection);
125 //error_log('[ENROL_LDAP] finished with setup_enrolments');
127 return true;
130 /// sync enrolments with ldap, create courses if required.
131 function sync_enrolments($type, $enrol = false) {
132 global $CFG;
134 // Get the role. If it doesn't exist, that is bad.
135 $role = get_record('role', 'shortname', $type);
136 if (!$role) {
137 notify("No such role: $type");
138 return false;
141 // Connect to the external database
142 $ldap_connection = $this->enrol_ldap_connect();
143 if (!$ldap_connection) {
144 @ldap_close($ldap_connection);
145 notify("LDAP-module cannot connect to server: $CFG->ldap_host_url");
146 return false;
149 // we are connected OK, continue...
150 $this->enrol_ldap_bind($ldap_connection);
152 //get all contexts and look for first matching user
153 $ldap_contexts = explode(";",$CFG->{'enrol_ldap_contexts_role'.$role->id});
155 // get all the fields we will want for the potential course creation
156 // as they are light. don't get membership -- potentially a lot of data.
157 $ldap_fields_wanted = array( 'dn', $CFG->enrol_ldap_course_idnumber);
158 if (!empty($CFG->enrol_ldap_course_fullname)){
159 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_fullname);
161 if (!empty($CFG->enrol_ldap_course_shortname)){
162 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_shortname);
164 if (!empty($CFG->enrol_ldap_course_summary)){
165 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_summary);
167 if($enrol){
168 array_push($ldap_fields_wanted, $CFG->{'enrol_ldap_memberattribute_role'.$role->id});
171 // define the search pattern
172 if (!empty($CFG->enrol_ldap_objectclass)){
173 $ldap_search_pattern='(objectclass='.$CFG->enrol_ldap_objectclass.')';
174 } else {
175 $ldap_search_pattern="(objectclass=*)";
179 // first, pack the sortorder...
180 fix_course_sortorder();
182 foreach ($ldap_contexts as $context) {
184 $context = trim($context);
185 if ($CFG->enrol_ldap_search_sub){
186 //use ldap_search to find first user from subtree
187 $ldap_result = @ldap_search($ldap_connection,
188 $context,
189 $ldap_search_pattern,
190 $ldap_fields_wanted);
192 } else {
193 //search only in this context
194 $ldap_result = @ldap_list($ldap_connection,
195 $context,
196 $ldap_search_pattern,
197 $ldap_fields_wanted,0,0);
200 // check and push results
201 $records = $ldap_result
202 ? ldap_get_entries($ldap_connection,$ldap_result)
203 : array('count' => 0);
205 // ldap libraries return an odd array, really. fix it:
206 $flat_records=array();
207 for ($c=0;$c<$records['count'];$c++) {
208 array_push($flat_records, $records["$c"]);
210 // free mem -- is there a leak?
211 $records=0; $ldap_result=0;
213 if (count($flat_records)) {
216 foreach($flat_records as $course){
217 $idnumber = $course{$CFG->enrol_ldap_course_idnumber}[0];
218 print "== Synching $idnumber\n";
219 // does the course exist in moodle already?
220 $course_obj = false;
221 $course_obj = get_record( 'course',
222 $this->enrol_localcoursefield,
223 $idnumber );
224 if (!is_object($course_obj)) {
225 // ok, now then let's create it!
226 print "Creating Course $idnumber...";
227 $newcourseid = $this->create_course($course, true); // we are skipping fix_course_sortorder()
228 $course_obj = get_record( 'course', 'id', $newcourseid);
229 if (is_object($course_obj)) {
230 print "OK!\n";
231 } else {
232 print "failed\n";
236 // enrol&unenrol if required
237 if($enrol && is_object($course_obj)){
239 // Get a context object.
240 $context = get_context_instance(CONTEXT_COURSE, $course_obj->id);
242 // pull the ldap membership into a nice array
243 // this is an odd array -- mix of hash and array --
244 $ldapmembers=array();
246 if(array_key_exists('enrol_ldap_memberattribute_role'.$role->id, $CFG)
247 && !empty($CFG->{'enrol_ldap_memberattribute_role'.$role->id})
248 && !empty($course[strtolower($CFG->{'enrol_ldap_memberattribute_role'.$role->id} ) ])){ // may have no membership!
250 $ldapmembers = $course[strtolower($CFG->{'enrol_ldap_memberattribute_role'.$role->id} )];
251 unset($ldapmembers['count']); // remove oddity ;)
254 // prune old ldap enrolments
255 // hopefully they'll fit in the max buffer size for the RDBMS
256 $sql = '
257 SELECT enr.userid AS user, 1
258 FROM '.$CFG->prefix.'role_assignments enr
259 JOIN '.$CFG->prefix.'user usr ON usr.id=enr.userid
260 WHERE enr.roleid = '.$role->id.'
261 AND enr.contextid = '.$context->id.'
262 AND enr.enrol = \'ldap\' ';
263 if (!empty($ldapmembers)) {
264 $sql .= 'AND usr.idnumber NOT IN (\''. join('\',\'', $ldapmembers).'\')';
265 } else {
266 print ("Empty enrolment for $course_obj->shortname \n");
268 $todelete = get_records_sql($sql);
269 if(!empty($todelete)){
270 foreach ($todelete as $member) {
271 $member = $member->user;
273 if (role_unassign($role->id, $member, 0, $context->id, 'ldap')) {
274 print "Unassigned $type from $member for course $course_obj->id ($course_obj->shortname)\n";
275 } else {
276 print "Failed to unassign $type from $member for course $course_obj->id ($course_obj->shortname)\n";
281 // insert current enrolments
282 // bad we can't do INSERT IGNORE with postgres...
283 foreach ($ldapmembers as $ldapmember) {
284 $sql = 'SELECT id,1 FROM '.$CFG->prefix.'user '
285 ." WHERE idnumber='$ldapmember'";
286 $member = get_record_sql($sql);
287 // print "sql: $sql \nidnumber = $ldapmember \n" . var_dump($member);
288 if(empty($member) || empty($member->id)){
289 print "Could not find user $ldapmember, skipping\n";
290 continue;
292 $member = $member->id;
293 if (!get_record('role_assignments', 'roleid', $role->id,
294 'contextid', $context->id,
295 'userid', $member, 'enrol', 'ldap')){
296 if (role_assign($role->id, $member, 0, $context->id, 0, 0, 0, 'ldap')){
297 print "Assigned role $type to $member ($ldapmember) for course $course_obj->id ($course_obj->shortname)\n";
298 } else {
299 print "Failed to assign role $type to $member ($ldapmember) for course $course_obj->id ($course_obj->shortname)\n";
308 // we are done now, a bit of housekeeping
309 fix_course_sortorder();
311 @ldap_close($ldap_connection);
312 return true;
316 /// Overide the get_access_icons() function
317 function get_access_icons($course) {
321 /// Overrise the base config_form() function
322 function config_form($frm) {
323 global $CFG;
325 $this->check_legacy_config();
327 include("$CFG->dirroot/enrol/ldap/config.html");
330 /// Override the base process_config() function
331 function process_config($config) {
333 $this->check_legacy_config();
335 if (!isset ($config->enrol_ldap_host_url)) {
336 $config->enrol_ldap_host_url = '';
338 set_config('enrol_ldap_host_url', $config->enrol_ldap_host_url);
340 if (!isset ($config->enrol_ldap_version)) {
341 $config->enrol_ldap_version = '';
343 set_config('enrol_ldap_version', $config->enrol_ldap_version);
345 if (!isset ($config->enrol_ldap_bind_dn)) {
346 $config->enrol_ldap_bind_dn = '';
348 set_config('enrol_ldap_bind_dn', $config->enrol_ldap_bind_dn);
350 if (!isset ($config->enrol_ldap_bind_pw)) {
351 $config->enrol_ldap_bind_pw = '';
353 set_config('enrol_ldap_bind_pw', $config->enrol_ldap_bind_pw);
355 if (!isset ($config->enrol_ldap_objectclass)) {
356 $config->enrol_ldap_objectclass = '';
358 set_config('enrol_ldap_objectclass', $config->enrol_ldap_objectclass);
360 if (!isset ($config->enrol_ldap_category)) {
361 $config->enrol_ldap_category = '';
363 set_config('enrol_ldap_category', $config->enrol_ldap_category);
365 if (!isset ($config->enrol_ldap_template)) {
366 $config->enrol_ldap_template = '';
368 set_config('enrol_ldap_template', $config->enrol_ldap_template);
370 if (!isset ($config->enrol_ldap_course_fullname)) {
371 $config->enrol_ldap_course_fullname = '';
373 set_config('enrol_ldap_course_fullname', $config->enrol_ldap_course_fullname);
375 if (!isset ($config->enrol_ldap_course_shortname)) {
376 $config->enrol_ldap_course_shortname = '';
378 set_config('enrol_ldap_course_shortname', $config->enrol_ldap_course_shortname);
380 if (!isset ($config->enrol_ldap_course_summary)) {
381 $config->enrol_ldap_course_summary = '';
383 set_config('enrol_ldap_course_summary', $config->enrol_ldap_course_summary);
385 if (!isset ($config->enrol_ldap_course_idnumber)) {
386 $config->enrol_ldap_course_idnumber = '';
388 set_config('enrol_ldap_course_idnumber', $config->enrol_ldap_course_idnumber);
390 if (!isset ($config->enrol_localcoursefield)) {
391 $config->enrol_localcoursefield = '';
393 set_config('enrol_localcoursefield', $config->enrol_localcoursefield);
395 if (!isset ($config->enrol_ldap_user_memberfield)) {
396 $config->enrol_ldap_user_memberfield = '';
398 set_config('enrol_ldap_user_memberfield', $config->enrol_ldap_user_memberfield);
400 if (!isset ($config->enrol_ldap_search_sub)) {
401 $config->enrol_ldap_search_sub = '0';
403 set_config('enrol_ldap_search_sub', $config->enrol_ldap_search_sub);
405 if (!isset ($config->enrol_ldap_autocreate)) {
406 $config->enrol_ldap_autocreate = '0';
408 set_config('enrol_ldap_autocreate', $config->enrol_ldap_autocreate);
410 $roles = get_records('role');
411 foreach ($roles as $role) {
412 if (!isset($config->{'enrol_ldap_contexts_role'.$role->id})) {
413 $config->{'enrol_ldap_contexts_role'.$role->id} = '';
416 if (!isset($config->{'enrol_ldap_memberattribute_role'.$role->id})) {
417 $config->{'enrol_ldap_memberattribute_role'.$role->id} = '';
420 set_config('enrol_ldap_contexts_role'.$role->id, $config->{'enrol_ldap_contexts_role'.$role->id});
421 set_config('enrol_ldap_memberattribute_role'.$role->id, $config->{'enrol_ldap_memberattribute_role'.$role->id});
424 return true;
427 function enrol_ldap_connect(){
428 /// connects to ldap-server
429 global $CFG;
431 $result = ldap_connect($CFG->enrol_ldap_host_url);
433 if ($result) {
434 if (!empty($CFG->enrol_ldap_version)) {
435 ldap_set_option($result, LDAP_OPT_PROTOCOL_VERSION, $CFG->enrol_ldap_version);
438 if (!empty($CFG->enrol_ldap_bind_dn)) {
439 $bind = ldap_bind( $result,
440 $CFG->enrol_ldap_bind_dn,
441 $CFG->enrol_ldap_bind_pw );
442 if (!$bind) {
443 notify("Error in binding to LDAP server");
444 trigger_error("Error in binding to LDAP server $!");
448 return $result;
449 } else {
450 notify("LDAP-module cannot connect to server: $CFG->enrol_ldap_host_url");
451 return false;
455 function enrol_ldap_bind($ldap_connection){
456 /// makes bind to ldap for searching users
457 /// uses ldap_bind_dn or anonymous bind
459 global $CFG;
461 if ( ! empty($CFG->enrol_ldap_bind_dn) ){
462 //bind with search-user
463 if (!ldap_bind($ldap_connection, $CFG->enrol_ldap_bind_dn,$CFG->enrol_ldap_bind_pw)){
464 notify("Error: could not bind ldap with ldap_bind_dn/pw");
465 return false;
468 } else {
469 //bind anonymously
470 if ( !ldap_bind($ldap_connection)){
471 notify("Error: could not bind ldap anonymously");
472 return false;
476 return true;
479 function find_ext_enrolments ($ldap_connection, $memberuid, $role){
480 /// role is a record from the mdl_role table
481 /// return multidimentional array array with of courses (at least dn and idnumber)
482 ///
484 global $CFG;
486 if(empty($memberuid)) { // No "idnumber" stored for this user, so no LDAP enrolments
487 return array();
490 //default return value
491 $courses = array();
492 $this->enrol_ldap_bind($ldap_connection);
494 //get all contexts and look for first matching user
495 $ldap_contexts = explode(";",$CFG->{'enrol_ldap_contexts_role'.$role->id});
497 // get all the fields we will want for the potential course creation
498 // as they are light. don't get membership -- potentially a lot of data.
499 $ldap_fields_wanted = array( 'dn', $CFG->enrol_ldap_course_idnumber);
500 if (!empty($CFG->enrol_ldap_course_fullname)){
501 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_fullname);
503 if (!empty($CFG->enrol_ldap_course_shortname)){
504 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_shortname);
506 if (!empty($CFG->enrol_ldap_course_summary)){
507 array_push($ldap_fields_wanted, $CFG->enrol_ldap_course_summary);
510 // define the search pattern
511 $ldap_search_pattern = "(".$CFG->{'enrol_ldap_memberattribute_role'.$role->id}."=".$memberuid.")";
512 if (!empty($CFG->enrol_ldap_objectclass)){
513 $ldap_search_pattern='(&(objectclass='.$CFG->enrol_ldap_objectclass.')'.$ldap_search_pattern.')';
516 foreach ($ldap_contexts as $context) {
517 $context == trim($context);
518 if (empty($context)) {
519 continue; // next;
522 if ($CFG->enrol_ldap_search_sub){
523 //use ldap_search to find first user from subtree
524 $ldap_result = ldap_search($ldap_connection,
525 $context,
526 $ldap_search_pattern,
527 $ldap_fields_wanted);
529 } else {
530 //search only in this context
531 $ldap_result = ldap_list($ldap_connection,
532 $context,
533 $ldap_search_pattern,
534 $ldap_fields_wanted);
537 // check and push results
538 $records = ldap_get_entries($ldap_connection,$ldap_result);
540 // ldap libraries return an odd array, really. fix it:
541 $flat_records=array();
542 for ($c=0;$c<$records['count'];$c++) {
543 array_push($flat_records, $records["$c"]);
546 if (count($flat_records)) {
547 $courses = array_merge($courses, $flat_records);
551 return $courses;
554 // will create the moodle course from the template
555 // course_ext is an array as obtained from ldap -- flattened somewhat
556 // NOTE: if you pass true for $skip_fix_course_sortorder
557 // you will want to call fix_course_sortorder() after your are done
558 // with course creation
559 function create_course ($course_ext,$skip_fix_course_sortorder=0){
560 global $CFG;
562 // override defaults with template course
563 if(!empty($CFG->enrol_ldap_template)){
564 $course = get_record("course", 'shortname', $CFG->enrol_ldap_template);
565 unset($course->id); // so we are clear to reinsert the record
566 unset($course->sortorder);
567 } else {
568 // set defaults
569 $course = new object();
570 $course->student = get_string('defaultcoursestudent');
571 $course->students = get_string('defaultcoursestudents');
572 $course->teacher = get_string('defaultcourseteacher');
573 $course->teachers = get_string('defaultcourseteachers');
574 $course->format = 'topics';
577 // override with required ext data
578 $course->idnumber = $course_ext[$CFG->enrol_ldap_course_idnumber][0];
579 $course->fullname = $course_ext[$CFG->enrol_ldap_course_fullname][0];
580 $course->shortname = $course_ext[$CFG->enrol_ldap_course_shortname][0];
581 if ( empty($course->idnumber)
582 || empty($course->fullname)
583 || empty($course->shortname) ) {
584 // we are in trouble!
585 error_log("Cannot create course: missing required data from the LDAP record!");
586 error_log(var_export($course, true));
587 return false;
590 $course->summary = empty($CFG->enrol_ldap_course_summary) || empty($course_ext[$CFG->enrol_ldap_course_summary][0])
591 ? ''
592 : $course_ext[$CFG->enrol_ldap_course_summary][0];
594 if(!empty($CFG->enrol_ldap_category)){ // optional ... but ensure it is set!
595 $course->category = $CFG->enrol_ldap_category;
597 if ($course->category == 0){ // must be avoided as it'll break moodle
598 $course->category = 1; // the misc 'catch-all' category
601 // define the sortorder (yuck)
602 $sort = get_record_sql('SELECT MAX(sortorder) AS max, 1 FROM ' . $CFG->prefix . 'course WHERE category=' . $course->category);
603 $sort = $sort->max;
604 $sort++;
605 $course->sortorder = $sort;
607 // override with local data
608 $course->startdate = time();
609 $course->timecreated = time();
610 $course->visible = 1;
612 $course = addslashes_recursive($course);
614 // store it and log
615 if ($newcourseid = insert_record("course", $course)) { // Set up new course
616 $section = new object();
617 $section->course = $newcourseid; // Create a default section.
618 $section->section = 0;
619 $section->id = insert_record("course_sections", $section);
620 $page = page_create_object(PAGE_COURSE_VIEW, $newcourseid);
621 blocks_repopulate_page($page); // Return value no
624 if(!$skip_fix_course_sortorder){
625 fix_course_sortorder();
627 add_to_log($newcourseid, "course", "new", "view.php?id=$newcourseid", "enrol/ldap auto-creation");
628 } else {
629 error_log("Could not create new course from LDAP from DN:" . $course_ext['dn']);
630 notify("Serious Error! Could not create the new course!");
631 return false;
634 return $newcourseid;
638 * This function checks for the presence of old 'legacy' config settings. If
639 * they exist, it corrects them.
641 * @uses $CFG
643 function check_legacy_config () {
644 global $CFG;
646 if (isset($CFG->enrol_ldap_student_contexts)) {
647 if ($student_role = get_record('role', 'shortname', 'student')) {
648 set_config('enrol_ldap_contexts_role'.$student_role->id, $CFG->enrol_ldap_student_contexts);
651 unset_config('enrol_ldap_student_contexts');
654 if (isset($CFG->enrol_ldap_student_memberattribute)) {
655 if (isset($student_role)
656 or $student_role = get_record('role', 'shortname', 'student')) {
657 set_config('enrol_ldap_memberattribute_role'.$student_role->id, $CFG->enrol_ldap_student_memberattribute);
660 unset_config('enrol_ldap_student_memberattribute');
663 if (isset($CFG->enrol_ldap_teacher_contexts)) {
664 if ($teacher_role = get_record('role', 'shortname', 'teacher')) {
665 set_config('enrol_ldap_contexts_role'.$teacher_role->id, $CFG->enrol_ldap_student_contexts);
668 unset_config('enrol_ldap_teacher_contexts');
671 if (isset($CFG->enrol_ldap_teacher_memberattribute)) {
672 if (isset($teacher_role)
673 or $teacher_role = get_record('role', 'shortname', 'teacher')) {
674 set_config('enrol_ldap_memberattribute_role'.$teacher_role->id, $CFG->enrol_ldap_teacher_memberattribute);
677 unset_config('enrol_ldap_teacher_memberattribute');
681 } // end of class