<?php // $Id$
/**
* LDAP User role assignment plugin.
*
* This plugin synchronises user roles with LDAP
*
* @package enrol
* @subpackage ldapuserrel
* @author Maxime Pelletier - based on code by Penny Leach, Iñaki Arenaza, Martin Dougiamas, Martin Langhoff and others
* @copyright 1999 onwards Martin Dougiamas {@link http://moodle.com}
* @copyright 2007 Penny Leach <[email protected]>
* @copyright 2010 Iñaki Arenaza <[email protected]>
* @copyright 2012 Maxime Pelletier <[email protected]>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
// Moodle guard: this file must only ever be included by Moodle itself (never requested directly).
defined('MOODLE_INTERNAL') || die();
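class enrol_ldapuserrel_plugin extends enrol_plugin {

    /** @var mixed Legacy log handle; declared for backward compatibility, not used in this file. */
    public $log;

    /** @var mixed|null Cached LDAP connection handle, shared by nested ldap_connect()/ldap_close() pairs. */
    protected $ldapconnection = null;

    /** @var int Number of callers currently holding $ldapconnection (see ldap_connect()/ldap_close()). */
    protected $ldapconns = 0;

    /** @var string Prefix for messages written to the PHP error log (was previously an undeclared property). */
    protected $errorlogtag = '[ENROL LDAPUSERREL] ';

    /**
     * Constructor for the plugin. In addition to calling the parent
     * constructor, we define and 'fix' some settings depending on the
     * real settings the admin defined.
     */
    public function __construct() {
        global $CFG;
        require_once($CFG->libdir.'/ldaplib.php');

        // Do our own stuff to fix the config (it's easier to do it
        // here than using the admin settings infrastructure). We
        // don't call $this->set_config() for any of the 'fixups'
        // (except the filter, as it's critical) because the user
        // didn't specify any values and relied on the default values
        // defined for the user type she chose.
        $this->load_config();

        // Make sure we get sane defaults for critical values.
        $this->config->ldapencoding = $this->get_config('ldapencoding', 'utf-8');
        $this->config->user_type = $this->get_config('user_type', 'default');

        $ldapusertypes = ldap_supported_usertypes();
        $this->config->user_type_name = $ldapusertypes[$this->config->user_type];
        unset($ldapusertypes);

        $default = ldap_getdefaults();
        // Remove the objectclass default, as the values specified there are for
        // users, and we are dealing with groups here.
        unset($default['objectclass']);

        // Use defaults if values not given. Don't use $this->get_config() here so that
        // 0 and false stay legitimate configured values: only a missing setting or an
        // empty string falls back to the default of the chosen user type (strict
        // comparison, because `0 == ''` was true before PHP 8 and would have wiped a 0).
        foreach ($default as $key => $value) {
            if (!isset($this->config->{$key}) || $this->config->{$key} === '') {
                $this->config->{$key} = $value[$this->config->user_type];
            }
        }

        $this->fix_filter_config();
    }

    /**
     * Normalise the configured LDAP search filter so it is always a complete,
     * parenthesised filter string, and persist the fixed value.
     *
     * The filter is an admin-only setting and is sent to the directory verbatim in
     * setup_enrolments(); it is never built from request or LDAP data. Accepted forms:
     *  - empty                      -> '(objectClass=*)'
     *  - 'objectClass=some-value'   -> '(objectClass=some-value)'
     *  - 'some-value'               -> '(objectClass=some-value)'
     *  - '(any valid filter)'       -> left untouched, e.g. (&(objectClass=user)(enabledMoodleUser=1))
     */
    protected function fix_filter_config() {
        $filter = $this->config->filter;
        if (empty($filter)) {
            // Can't send an empty filter. Fix it for now and future occasions.
            $this->set_config('filter', '(objectClass=*)');
        } else if (stripos($filter, 'objectClass=') === 0) {
            // Value is 'objectClass=some-string-here', so just add () around it (filter _must_ have them).
            $this->set_config('filter', '('.$filter.')');
        } else if (strpos($filter, '(') !== 0) {
            // Value is a bare string, assumed to be the objectClass matching value.
            $this->set_config('filter', '(objectClass='.$filter.')');
        }
        // Otherwise the value is already a full '(...)' filter and is used as-is.
    }

    /**
     * Is it possible to delete enrol instance via standard UI?
     *
     * @param object $instance
     * @return bool true when the plugin is disabled or not configured, false otherwise
     */
    public function instance_deleteable($instance) {
        if (!enrol_is_enabled('ldapuserrel')) {
            return true;
        }
        if (!$this->get_config('host_url') || !$this->get_config('idnumber_attribute') || !$this->get_config('filter')) {
            return true;
        }
        // TODO: connect to external system and make sure no users are to be enrolled in this course.
        return false;
    }

    /**
     * Does this plugin allow manual unenrolment of a specific user?
     * Yes, but only if user suspended...
     *
     * @param stdClass $instance course enrol instance
     * @param stdClass $ue record from user_enrolments table
     *
     * @return bool - true means user with 'enrol/xxx:unenrol' may unenrol this user, false means nobody may touch this user enrolment
     */
    public function allow_unenrol_user(stdClass $instance, stdClass $ue) {
        // $ue->status comes back from the DB as a string; cast before the strict compare.
        return (int)$ue->status === ENROL_USER_SUSPENDED;
    }

    /**
     * MAIN FUNCTION
     * Go out and look in LDAP for an authoritative list of mentor/mentee relationships,
     * then adjust the local Moodle role assignments (component 'enrol_ldapuserrel',
     * user context) to match.
     *
     * Algorithm:
     *  1. load every assignment this plugin owns, keyed "<roleid>|<mentor id>|<mentee id>";
     *  2. for each user-context role, search its configured LDAP contexts and, for every
     *     mentor/mentee pair found, either drop the pair from the loaded set (already
     *     assigned) or create the assignment;
     *  3. unassign whatever is left in the loaded set -- but only when at least one LDAP
     *     search ran and none failed, so a transient directory error never removes
     *     relationships we could not re-verify.
     *
     * @param bool $verbose print extra progress information via mtrace()
     * @return int 0 on success, 1 on LDAP connection failure or invalid local field configuration
     */
    public function setup_enrolments($verbose = false) {
        global $CFG, $DB;

        mtrace('Starting LDAP user role assignment synchronization...');

        // Store the field values in some shorter variable names to ease reading of the code.
        // These are column names of the user table taken from the admin-only plugin settings.
        // They are interpolated into SQL as identifiers (DML cannot bind identifiers), so they
        // are validated against the real table columns first and must never come from request data.
        $flocalmentor = strtolower((string)$this->get_config('localsubjectuserfield')); // Mentor.
        $flocalmentee = strtolower((string)$this->get_config('localobjectuserfield')); // Mentee.
        $usercolumns = $DB->get_columns('user');
        if (!isset($usercolumns[$flocalmentor]) || !isset($usercolumns[$flocalmentee])) {
            mtrace('Error: [ENROL_ldapuserrel] localsubjectuserfield and localobjectuserfield must name columns of the user table');
            return 1;
        }
        unset($usercolumns);

        $idnumberattribute = (string)$this->get_config('idnumber_attribute');
        if ($idnumberattribute === '') {
            mtrace('Error: [ENROL_ldapuserrel] idnumber_attribute is not configured');
            return 1;
        }

        if ($verbose) {
            mtrace("Calling ldap_connect()");
        }
        $ldapconnection = $this->ldap_connect();
        if (!$ldapconnection) {
            mtrace('Error: [ENROL_ldapuserrel] Could not make a connection to LDAP');
            return 1;
        }

        // We may need a lot of memory and time here.
        @set_time_limit(0);
        raise_memory_limit(MEMORY_HUGE);

        // Assignments currently owned by this plugin, keyed to match $key built below.
        $existing = $this->get_existing_assignments($flocalmentor, $flocalmentee);
        if ($verbose) {
            mtrace(count($existing)." role assignement entries from ldapuserrel found in Moodle DB");
        }

        // Roles that can be assigned in a user context; each may have its own LDAP settings.
        $roles = get_roles_for_contextlevels(CONTEXT_USER);
        if ($verbose) {
            mtrace(count($roles)." user roles found in Moodle DB");
        }

        // ldap_get_entries() lowercases attribute names in the arrays it returns, so entries
        // are looked up with lowercased keys regardless of how the admin typed the attribute.
        $idattr = strtolower($idnumberattribute);

        $ldapsearches = 0;          // Successful LDAP searches (0 => nothing was verified).
        $ldapsearchfailed = false;  // Any failed search => leftovers in $existing are not trusted as stale.

        foreach ($roles as $role) {
            $rolename = $DB->get_field('role', 'name', array('id' => $role));

            $contextsetting = isset($this->config->{'contexts_role'.$role}) ? (string)$this->config->{'contexts_role'.$role} : '';
            $memberattribute = isset($this->config->{'memberattribute_role'.$role}) ? (string)$this->config->{'memberattribute_role'.$role} : '';
            if ($contextsetting === '' || $memberattribute === '') {
                // Role not configured for LDAP synchronisation: nothing to search for.
                if ($verbose) {
                    mtrace("Role ".$rolename." has no LDAP contexts or member attribute configured -- skipping");
                }
                continue;
            }
            $memberattr = strtolower($memberattribute);

            // Attributes to request: the DN, the mentor identifier and the list of mentees.
            $ldapfieldswanted = array('dn', $idnumberattribute, $memberattribute);
            // The filter was normalised to a full '(...)' filter in the constructor.
            $ldapsearchpattern = $this->config->filter;
            if ($verbose) {
                mtrace("Filter : ".$ldapsearchpattern);
                mtrace("LDAP attributes: ".implode(', ', $ldapfieldswanted));
            }

            // Loop through all LDAP contexts specified for the current role.
            foreach (explode(';', $contextsetting) as $ldapcontext) {
                $ldapcontext = trim($ldapcontext);
                if (empty($ldapcontext)) {
                    continue;
                }

                if (!empty($this->config->search_sub)) {
                    // Search the whole subtree below the context.
                    $ldapresult = ldap_search($ldapconnection, $ldapcontext, $ldapsearchpattern, $ldapfieldswanted);
                } else {
                    // Search only the direct children of the context.
                    $ldapresult = ldap_list($ldapconnection, $ldapcontext, $ldapsearchpattern, $ldapfieldswanted);
                }
                if (!$ldapresult) {
                    mtrace('Warning: [ENROL_ldapuserrel] Couldn\'t get entries from LDAP for role '.$rolename.' and context '.$ldapcontext.'-- no relationships to assign');
                    $ldapsearchfailed = true;
                    continue;
                }
                $ldapsearches++;

                $mentors = $this->ldap_entries_to_list($ldapconnection, $ldapresult);
                ldap_free_result($ldapresult);
                mtrace("Syncing ".count($mentors)." entries from LDAP for context ".$ldapcontext." and role ".$rolename);

                $mentorusers = array(); // Cache: mentor idnumber => user.id (false when not in Moodle).
                $menteeusers = array(); // Cache: mentee idnumber => user.id (false when not in Moodle).

                foreach ($mentors as $mentor) {
                    if (!isset($mentor[$idattr][0])) {
                        // Entry has no identifier; it cannot be matched to a Moodle user.
                        if ($verbose) {
                            mtrace("--> Entry without ".$idattr." attribute -- skipping");
                        }
                        continue;
                    }
                    $mentoridnumber = $mentor[$idattr][0];
                    if ($verbose) {
                        mtrace("Mentor LDAP entry:".$mentoridnumber);
                    }

                    if (!isset($mentor[$memberattr])) {
                        // No children set, we skip this entry.
                        if ($verbose) {
                            mtrace("--> No mentee for ".$mentoridnumber);
                        }
                        continue;
                    }

                    // Attribute values live at offsets 0..count-1; 'count' is a sibling key.
                    $mentees = $mentor[$memberattr];
                    for ($i = 0; $i < $mentees['count']; $i++) {
                        $mentee = $mentees[$i];
                        $key = $role.'|'.$mentoridnumber.'|'.$mentee;
                        if ($verbose) {
                            mtrace("--> Mentee LDAP entry:".$mentee."(".$key.")");
                        }

                        if (array_key_exists($key, $existing)) {
                            // Already assigned: drop it from $existing so the cleanup below keeps it.
                            unset($existing[$key]);
                            if ($verbose) {
                                mtrace("--> Warning: [$key] exists in moodle already");
                            }
                            continue;
                        }

                        // LDAP values are bound as DML parameters here, never interpolated.
                        if (!array_key_exists($mentoridnumber, $mentorusers)) {
                            $mentorusers[$mentoridnumber] = $DB->get_field('user', 'id', array($flocalmentor => $mentoridnumber));
                        }
                        if (empty($mentorusers[$mentoridnumber])) {
                            mtrace("--> Warning: [" . $mentoridnumber . "] couldn't find mentor user in Moodle -- skipping $key");
                            continue;
                        }

                        if (!array_key_exists($mentee, $menteeusers)) {
                            $menteeusers[$mentee] = $DB->get_field('user', 'id', array($flocalmentee => $mentee));
                        }
                        if (empty($menteeusers[$mentee])) {
                            mtrace("--> Warning: [" . $mentee . "] couldn't find mentee user in Moodle -- skipping $key");
                            continue;
                        }

                        // The role is given to the mentor in the mentee's user context.
                        $context = context_user::instance($menteeusers[$mentee]);
                        mtrace("----> Information: [" . $mentoridnumber . "] assigning role " . $rolename . " to " . $mentoridnumber . " on " . $mentee);
                        role_assign($role, $mentorusers[$mentoridnumber], $context->id, 'enrol_ldapuserrel', 0, '');
                    }
                }
            }
        }

        // Whatever is still in $existing was not confirmed by LDAP. Previously this cleanup ran
        // inside the context loop, so with more than one role/context it unassigned assignments
        // that later iterations had yet to confirm and then re-created them. It now runs once,
        // and only when every search answered, so a directory failure never removes relationships.
        if ($ldapsearches === 0) {
            mtrace("Warning: [ENROL_ldapuserrel] no LDAP context was searched -- keeping ".count($existing)." existing role assignments untouched");
        } else if ($ldapsearchfailed) {
            mtrace("Warning: [ENROL_ldapuserrel] some LDAP searches failed -- keeping ".count($existing)." existing role assignments untouched");
        } else {
            mtrace("Deleting old role assignations");
            foreach ($existing as $key => $assignment) {
                if ($assignment->component === 'enrol_ldapuserrel') {
                    mtrace("Information: [$key] unassigning $key");
                    role_unassign($assignment->roleid, $assignment->userid, $assignment->contextid, 'enrol_ldapuserrel', 0);
                }
            }
        }

        if ($verbose) {
            mtrace("Calling ldap_close()");
        }
        $this->ldap_close();
        mtrace('Execution completed normally...');
        return 0;
    }

    /**
     * Load the user-context role assignments this plugin currently owns.
     *
     * @param string $flocalmentor user table column holding the mentor identifier (validated by the caller)
     * @param string $flocalmentee user table column holding the mentee identifier (validated by the caller)
     * @return array role_assignments records keyed "<roleid>|<mentor idnumber>|<mentee idnumber>"
     */
    protected function get_existing_assignments($flocalmentor, $flocalmentee) {
        global $DB;

        // Column names are interpolated as identifiers (already validated against the user
        // table); every compared value below is bound as a parameter.
        $uniqfield = $DB->sql_concat("r.id", "'|'", "u1.$flocalmentor", "'|'", "u2.$flocalmentee");
        $sql = "SELECT $uniqfield AS uniq,
                       ra.*,
                       u1.{$flocalmentor} AS subjectid,
                       u2.{$flocalmentee} AS objectid
                  FROM {role_assignments} ra
                  JOIN {role} r ON ra.roleid = r.id
                  JOIN {context} c ON c.id = ra.contextid
                  JOIN {user} u1 ON ra.userid = u1.id
                  JOIN {user} u2 ON c.instanceid = u2.id
                 WHERE ra.component = :component
                   AND c.contextlevel = :contextlevel";
        $params = array('component' => 'enrol_ldapuserrel', 'contextlevel' => CONTEXT_USER);

        // The first selected column (uniq) becomes the array key.
        $existing = $DB->get_records_sql($sql, $params);
        return $existing ? $existing : array();
    }

    /**
     * Convert an LDAP search result into a plain list of entry arrays.
     *
     * ldap_get_entries() returns the entries at offsets 0..count-1 alongside a 'count'
     * key; this drops that key so callers can iterate with foreach/count().
     *
     * @param mixed $ldapconnection LDAP link
     * @param mixed $ldapresult LDAP search result
     * @return array list of entries (attribute names lowercased by PHP)
     */
    protected function ldap_entries_to_list($ldapconnection, $ldapresult) {
        $records = ldap_get_entries($ldapconnection, $ldapresult);
        $entries = array();
        if ($records !== false) {
            for ($c = 0; $c < $records['count']; $c++) {
                $entries[] = $records[$c];
            }
        }
        return $entries;
    }

    /**
     * Connect to the LDAP server, using the plugin configured
     * settings. It's actually a wrapper around ldap_connect_moodle()
     *
     * @return mixed A valid LDAP connection or false.
     */
    protected function ldap_connect() {
        global $CFG;
        require_once($CFG->libdir.'/ldaplib.php');

        // Cache ldap connections. They are expensive to set up
        // and can drain the TCP/IP ressources on the server if we
        // are syncing a lot of users (as we try to open a new connection
        // to get the user details). This is the least invasive way
        // to reuse existing connections without greater code surgery.
        if (!empty($this->ldapconnection)) {
            $this->ldapconns++;
            return $this->ldapconnection;
        }

        $debuginfo = '';
        $ldapconnection = ldap_connect_moodle($this->get_config('host_url'), $this->get_config('ldap_version'),
                                              $this->get_config('user_type'), $this->get_config('bind_dn'),
                                              $this->get_config('bind_pw'), $this->get_config('opt_deref'),
                                              $debuginfo);
        if ($ldapconnection) {
            $this->ldapconns = 1;
            $this->ldapconnection = $ldapconnection;
            return $ldapconnection;
        }

        // Log the problem, but don't show it to the user. She doesn't
        // even have a chance to see it, as we redirect instantly to
        // the user/front page.
        error_log($this->errorlogtag.$debuginfo);
        return false;
    }

    /**
     * Disconnects from a LDAP server once the last holder of the cached
     * connection releases it (reference counted, see ldap_connect()).
     */
    protected function ldap_close() {
        $this->ldapconns--;
        if ($this->ldapconns <= 0) {
            if (!empty($this->ldapconnection)) {
                @ldap_close($this->ldapconnection);
            }
            $this->ldapconnection = null;
            // Never let the counter go negative, or the next connect/close pair would leak.
            $this->ldapconns = 0;
        }
    }
} // End of class.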