Moodle PHP Documentation 4.3
Moodle 4.3.5 (Build: 20240610) (7dcfaa79f78)
LDAP authentication plugin. More...
Public Member Functions | |
__construct () | |
Constructor with initialisation. | |
auth_plugin_ldap () | |
Old syntax of class constructor. | |
can_be_manually_set () | |
Returns true if plugin can be manually set. | |
can_change_password () | |
Returns true if this authentication plugin can change the user's password. | |
can_confirm () | |
Returns true if plugin allows confirming of new users. | |
can_edit_profile () | |
Returns true if this authentication plugin can edit the users' profile. | |
can_reset_password () | |
Returns true if plugin allows resetting of password from moodle. | |
can_signup () | |
Returns true if plugin allows signup and user creation. | |
change_password_url () | |
Returns the URL for changing the user's password, or empty if the default can be used. | |
config_form ($config, $err, $user_fields) | |
Prints a form for configuring this authentication plugin. | |
edit_profile_url () | |
Returns the URL for editing the users' profile, or empty if the default URL can be used. | |
get_custom_user_profile_fields () | |
Return custom user profile fields. | |
get_description () | |
Get the auth description (from core or own auth lang files) | |
get_extrauserinfo () | |
Returns extra user information. | |
get_password_change_info (stdClass $user) | |
Returns information on how the specified user can change their password. | |
get_title () | |
Return the properly translated human-friendly title of this auth plugin. | |
get_userinfo ($username) | |
Reads user information from ldap and returns it in array() | |
get_userinfo_asobj ($username) | |
Reads user information from ldap and returns it in an object. | |
get_userlist () | |
Returns all usernames from LDAP. | |
ignore_timeout_hook ($user, $sid, $timecreated, $timemodified) | |
Hook called before timing out of database session. | |
init_plugin ($authtype) | |
Init plugin config from database settings depending on the plugin auth type. | |
is_captcha_enabled () | |
Returns whether or not the captcha element is enabled. | |
is_configured () | |
Returns false if this plugin is enabled but not configured. | |
is_internal () | |
Returns true if this authentication plugin is 'internal'. | |
is_synchronised_with_external () | |
Indicates if moodle should automatically update internal user records with data from external sources using the information from get_userinfo() method. | |
iscreator ($username) | |
Returns true if user should be coursecreator. | |
ldap_attributes () | |
Returns user attribute mappings between moodle and LDAP. | |
ldap_bulk_insert ($username) | |
Bulk insert in SQL's temp table. | |
ldap_close ($force=false) | |
Disconnects from a LDAP server. | |
ldap_connect () | |
Connect to the LDAP server, using the plugin configured settings. | |
ldap_expirationtime2unix ($time, $ldapconnection, $user_dn) | |
Take expirationtime and return it as unix timestamp in seconds. | |
ldap_find_userdn ($ldapconnection, $extusername) | |
Search specified contexts for username and return the user dn like: cn=username,ou=suborg,o=org. | |
ldap_get_ad_pwdexpire ($pwdlastset, $ldapconn, $user_dn) | |
Get password expiration time for a given user from Active Directory. | |
ldap_get_userlist ($filter='*') | |
Returns all usernames from LDAP. | |
ldap_unix2expirationtime ($time) | |
Takes unix timestamp and returns it formatted for storing in LDAP. | |
loginpage_hook () | |
Will get called before the login page is shown. | |
loginpage_idp_list ($wantsurl) | |
Returns a list of potential IdPs that this authentication plugin supports. | |
object | logoutpage_hook () |
Hook for overriding behaviour of logout page. | |
ntlmsso_finish () | |
Find the session set by ntlmsso_magic(), validate it and call authenticate_user_login() to authenticate the user through the auth machinery. | |
ntlmsso_magic ($sesskey) | |
To be called from a page running under NTLM's "Integrated Windows Authentication". | |
password_expire ($username) | |
Returns the number of days until the user's password expires. | |
postlogout_hook ($user) | |
Post logout hook. | |
pre_loginpage_hook () | |
Hook for overriding behaviour before going to the login page. | |
pre_user_login_hook (&$user) | |
Pre user_login hook. | |
object | prelogout_hook () |
Pre logout hook. | |
prevent_local_passwords () | |
Indicates if password hashes should be stored in local moodle database. | |
process_config ($config) | |
Processes and stores configuration data for this authentication plugin. | |
set_extrauserinfo (array $values) | |
Set extra user information. | |
signup_form () | |
Return a form to capture user details for account creation. | |
sync_roles ($user) | |
Sync roles for this user. | |
sync_users ($do_updates=true) | |
Synchronizes users from the external LDAP server to the Moodle user table. | |
test_settings () | |
Test if settings are correct, print info to output. | |
user_activate ($username) | |
Activates (enables) user in external LDAP so user can login. | |
user_authenticated_hook (&$user, $username, $password) | |
Post authentication hook. | |
user_confirm ($username, $confirmsecret) | |
Confirm the new user as registered. | |
user_create ($userobject, $plainpass) | |
Creates a new user on LDAP. | |
user_delete ($olduser) | |
User delete requested - internal user record is marked as deleted already, username not present anymore. | |
user_exists ($username) | |
Checks if user exists on LDAP. | |
user_login ($username, $password) | |
Returns true if the username and password work and false if they are wrong or don't exist. | |
user_signup ($user, $notify=true) | |
Sign up a new user ready for confirmation. | |
user_update ($olduser, $newuser) | |
Called when the user record is updated. | |
user_update_password ($user, $newpassword) | |
Changes userpassword in LDAP. | |
validate_form ($form, &$err) | |
A chance to validate form data, and last chance to do stuff before it is inserted in config_plugin. | |
Static Public Member Functions | |
static | get_identity_providers ($authsequence) |
Return the list of enabled identity providers. | |
static | prepare_identity_providers_for_output ($identityproviders, renderer_base $output) |
Prepare a list of identity providers for output. | |
Protected Member Functions | |
get_ntlm_remote_user ($remoteuser) | |
When using NTLM SSO, the format of the remote username we get in $_SERVER['REMOTE_USER'] may vary, depending on where from and how the web server gets the data. | |
get_profile_keys ($fetchall=false) | |
Get the list of profile fields. | |
is_user_suspended ($user) | |
Check if a user is suspended. | |
ldap_ad_pwdexpired_from_diagmsg ($diagmsg) | |
Check if the diagnostic message for the LDAP login error tells us that the login is denied because the user password has expired or the password needs to be changed on first login (using interactive SMB/Windows logins, not LDAP logins). | |
update_user_record ($username, $updatekeys=false, $triggerevent=false, $suspenduser=false) | |
Update a local user record from an external source. | |
LDAP authentication plugin.
auth_plugin_ldap::__construct | ( | ) |
Constructor with initialisation.
Reimplemented in auth_plugin_cas.
auth_plugin_ldap::auth_plugin_ldap | ( | ) |
auth_plugin_ldap::can_be_manually_set | ( | ) |
auth_plugin_ldap::can_change_password | ( | ) |
Returns true if this authentication plugin can change the user's password.
bool |
Reimplemented from auth_plugin_base.
Reimplemented in auth_plugin_cas.
auth_plugin_ldap::can_confirm | ( | ) |
Returns true if plugin allows confirming of new users.
bool |
Reimplemented from auth_plugin_base.
|
inherited |
Returns true if this authentication plugin can edit the users' profile.
bool |
auth_plugin_ldap::can_reset_password | ( | ) |
Returns true if plugin allows resetting of password from moodle.
bool |
Reimplemented from auth_plugin_base.
auth_plugin_ldap::can_signup | ( | ) |
Returns true if plugin allows signup and user creation.
bool |
Reimplemented from auth_plugin_base.
auth_plugin_ldap::change_password_url | ( | ) |
Returns the URL for changing the user's password, or empty if the default can be used.
moodle_url |
Reimplemented from auth_plugin_base.
Reimplemented in auth_plugin_cas.
|
inherited |
Prints a form for configuring this authentication plugin.
This function is called from admin/auth.php, and outputs a full page with a form for configuring this plugin.
object | $config | |
object | $err | |
array | $user_fields |
|
inherited |
Returns the URL for editing the users' profile, or empty if the default URL can be used.
This method is used if can_edit_profile() returns true. This method is called only when user is logged in, it may use global $USER.
moodle_url | url of the profile page or null if standard used |
|
inherited |
Return custom user profile fields.
array | list of custom fields. |
|
inherited |
Get the auth description (from core or own auth lang files)
string | The description |
|
inherited |
Returns extra user information.
array | An array of keys and values |
|
staticinherited |
Return the list of enabled identity providers.
Each identity provider data contains the keys url, name and iconurl (or icon). See the documentation of auth_plugin_base::loginpage_idp_list() for detailed description of the returned structure.
array | $authsequence | site's auth sequence (list of auth plugins ordered) |
array | List of arrays describing the identity providers |
|
protected |
When using NTLM SSO, the format of the remote username we get in $_SERVER['REMOTE_USER'] may vary, depending on where from and how the web server gets the data.
So we let the admin configure the format using two placeholders (%domain% and %username%). This function tries to extract the username (stripping the domain part and any separators if they are present) from the value present in $_SERVER['REMOTE_USER'], using the configured format.
string | $remoteuser | The value from $_SERVER['REMOTE_USER'] (converted to UTF-8) |
string | The remote username (without domain part or separators). Empty string if we can't extract the username. |
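The format-driven extraction described for get_ntlm_remote_user(), as an added example that is not Moodle's own code. The function name extract_ntlm_username() and the sample values are hypothetical, and rejecting separators inside the matched parts is an assumption of this example rather than documented plugin behaviour.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not Moodle's implementation: extract the username from
 * a REMOTE_USER value using an admin-configured format built from the
 * %domain% and %username% placeholders. Returns '' when nothing can be
 * extracted, matching the documented return contract.
 */
function extract_ntlm_username(string $remoteuser, string $format): string {
    // The format must name the username exactly once and the domain at most
    // once; anything else is ambiguous (and would duplicate a group name).
    if (substr_count($format, '%username%') !== 1 || substr_count($format, '%domain%') > 1) {
        return '';
    }

    // Quote the format so its separators (\, @, /) match only as literals.
    $pattern = preg_quote($format, '#');

    // Assumption of this example: neither part may contain a separator or
    // whitespace, so "DOMAIN\user\extra" cannot be split in a surprising way.
    $part = '[^\\\\/@\s]+';
    $pattern = str_replace(
        ['%domain%', '%username%'],
        ['(?P<domain>' . $part . ')', '(?P<username>' . $part . ')'],
        $pattern
    );

    // Anchor both ends; the u flag makes invalid UTF-8 fail the match.
    if (preg_match('#\A' . $pattern . '\z#u', $remoteuser, $m) !== 1) {
        return '';
    }
    return $m['username'];
}

// Constructed sample values: [REMOTE_USER, configured format].
$samples = [
    ['EXAMPLE\\alice',        '%domain%\\%username%'],
    ['alice@example.test',    '%username%@%domain%'],
    ['alice',                 '%username%'],
    ['alice@example.test',    '%domain%\\%username%'], // format mismatch
    ['EXAMPLE\\alice\\admin', '%domain%\\%username%'], // extra separator
    ['EXAMPLE\\alice',        '%domain%'],             // no username placeholder
];

foreach ($samples as [$remoteuser, $format]) {
    printf("%-22s %-22s => '%s'\n", $remoteuser, $format,
        extract_ntlm_username($remoteuser, $format));
}
```

Treating every non-matching value as an empty username keeps a malformed REMOTE_USER from being mapped onto an account by accident.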
|
inherited |
Returns information on how the specified user can change their password.
stdClass | $user | A user object |
string[] | An array of strings with keys subject and message |
Reimplemented in auth_oauth2\auth, and auth_plugin_nologin.
|
protected |
Get the list of profile fields.
bool | $fetchall | Fetch all, not just those for update. |
array |
|
inherited |
Return the properly translated human-friendly title of this auth plugin.
auth_plugin_ldap::get_userinfo | ( | $username | ) |
Reads user information from ldap and returns it in array()
Function should return all information available. If you are saving this information to the Moodle user table, you should honor the synchronization flags.
string | $username | username |
mixed | array with no magic quotes or false on error |
Reimplemented from auth_plugin_base.
Reimplemented in auth_plugin_cas.
auth_plugin_ldap::get_userinfo_asobj | ( | $username | ) |
Reads user information from ldap and returns it in an object.
string | $username | username (with system magic quotes) |
mixed | object or false on error |
auth_plugin_ldap::get_userlist | ( | ) |
Returns all usernames from LDAP.
get_userlist returns all usernames from LDAP
array |
|
inherited |
Hook called before timing out of database session.
This is useful for SSO and MNET.
object | $user | |
string | $sid | session id |
int | $timecreated | start of session |
int | $timemodified | user last seen |
bool | true means do not timeout session yet |
|
inherited |
Returns whether or not the captcha element is enabled.
@abstract Implement in child classes
bool |
Reimplemented in auth_plugin_email.
|
inherited |
Returns false if this plugin is enabled but not configured.
bool |
Reimplemented in auth_plugin_db.
auth_plugin_ldap::is_internal | ( | ) |
Returns true if this authentication plugin is 'internal'.
bool |
Reimplemented from auth_plugin_base.
Reimplemented in auth_plugin_cas.
|
inherited |
Indicates if moodle should automatically update internal user records with data from external sources using the information from get_userinfo() method.
bool | true means automatically copy data from ext to user table |
Reimplemented in auth_oauth2\auth, and auth_plugin_db.
|
protected |
Check if a user is suspended.
This function is intended to be used after calling get_userinfo_asobj. This is needed because LDAP doesn't have a notion of disabled users, however things like MS Active Directory support it and expose information through a field.
object | $user | the user object returned by get_userinfo_asobj |
boolean |
auth_plugin_ldap::iscreator | ( | $username | ) |
Returns true if user should be coursecreator.
mixed | $username | username (without system magic quotes) |
mixed | result null if course creators is not configured, boolean otherwise. |
Reimplemented in auth_plugin_cas.
|
protected |
Check if the diagnostic message for the LDAP login error tells us that the login is denied because the user password has expired or the password needs to be changed on first login (using interactive SMB/Windows logins, not LDAP logins).
string | the diagnostic message for the LDAP login error |
bool | true if the password has expired or the password must be changed on first login |
auth_plugin_ldap::ldap_attributes | ( | ) |
Returns user attribute mappings between moodle and LDAP.
array |
auth_plugin_ldap::ldap_close | ( | $force = false | ) |
Disconnects from a LDAP server.
boolean | $force | Forces closing the real connection to the LDAP server, ignoring any cached connections. This is needed when we've used paged results and want to use normal results again. |
auth_plugin_ldap::ldap_connect | ( | ) |
Connect to the LDAP server, using the plugin configured settings.
It's actually a wrapper around ldap_connect_moodle()
resource | A valid LDAP connection (or dies if it can't connect) |
auth_plugin_ldap::ldap_expirationtime2unix | ( | $time, | |
$ldapconnection, | |||
$user_dn ) |
Take expirationtime and return it as unix timestamp in seconds.
Takes the expiration timestamp as read from LDAP and returns it as a unix timestamp in seconds. Depends on the $this->config->user_type variable.
mixed | $time | Time stamp read from LDAP as it is. |
string | $ldapconnection | Only needed for Active Directory. |
string | $user_dn | User distinguished name for the user we are checking password expiration (only needed for Active Directory). |
timestamp |
auth_plugin_ldap::ldap_find_userdn | ( | $ldapconnection, | |
$extusername ) |
Search specified contexts for username and return the user dn like: cn=username,ou=suborg,o=org.
It's actually a wrapper around ldap_find_userdn().
resource | $ldapconnection | a valid LDAP connection |
string | $extusername | the username to search (in external LDAP encoding, no db slashes) |
mixed | the user dn (external LDAP encoding) or false |
auth_plugin_ldap::ldap_get_ad_pwdexpire | ( | $pwdlastset, | |
$ldapconn, | |||
$user_dn ) |
Get password expiration time for a given user from Active Directory.
string | $pwdlastset | The last time the password was changed. |
resource | $ldapconn | The open LDAP connection. |
string | $user_dn | The distinguished name of the user we are checking. |
string | $unixtime |
auth_plugin_ldap::ldap_get_userlist | ( | $filter = '*' | ) |
Returns all usernames from LDAP.
$filter | An LDAP search filter to select desired users |
array | of LDAP user names converted to UTF-8 |
auth_plugin_ldap::ldap_unix2expirationtime | ( | $time | ) |
Takes unix timestamp and returns it formatted for storing in LDAP.
integer | unix time stamp |
auth_plugin_ldap::loginpage_hook | ( | ) |
Will get called before the login page is shown.
If NTLM SSO is enabled, and the user is in the right network, we'll redirect to the magic NTLM page for SSO...
Reimplemented from auth_plugin_base.
Reimplemented in auth_plugin_cas.
|
inherited |
Returns a list of potential IdPs that this authentication plugin supports.
This is used to provide links on the login page and the login block.
The parameter $wantsurl is typically used by the plugin to implement a return-url feature.
The returned value is expected to be a list of associative arrays with string keys:
For legacy reasons, pre-3.3 plugins can provide the icon via the key:
string | $wantsurl | The relative url fragment the user wants to get to. |
array | List of associative arrays with keys url, name, iconurl|icon |
Reimplemented in auth_oauth2\auth, auth_plugin_cas, auth_plugin_mnet, and auth_plugin_shibboleth.
|
inherited |
Hook for overriding behaviour of logout page.
This method is called from login/logout.php page for all enabled auth plugins.
@global string
Reimplemented in auth_plugin_cas, auth_plugin_mnet, and auth_plugin_shibboleth.
auth_plugin_ldap::ntlmsso_finish | ( | ) |
Find the session set by ntlmsso_magic(), validate it and call authenticate_user_login() to authenticate the user through the auth machinery.
It is complemented by a similar check in user_login().
If it succeeds, it never returns.
auth_plugin_ldap::ntlmsso_magic | ( | $sesskey | ) |
To be called from a page running under NTLM's "Integrated Windows Authentication".
If successful, it will set a special "cookie" (not an HTTP cookie!) in cache_flags under the $this->pluginconfig/ntlmsess "plugin" and return true. The "cookie" will be picked up by ntlmsso_finish() to complete the process.
On failure it will return false for the caller to display an appropriate error message (probably saying that Integrated Windows Auth isn't enabled!)
NOTE that this code will execute under the OS user credentials, so we MUST avoid dealing with files – such as session files. (The caller should define('NO_MOODLE_COOKIES', true) before including config.php)
auth_plugin_ldap::password_expire | ( | $username | ) |
Returns the number of days until the user's password expires.
If the user's password does not expire it should return 0. If the password has already expired it should return a negative value.
mixed | $username | username |
integer |
Reimplemented from auth_plugin_base.
|
inherited |
Post logout hook.
This method is used after moodle logout by auth classes to execute server logout.
stdClass | $user | clone of USER object before the user session was terminated |
Reimplemented in auth_plugin_cas.
|
inherited |
Hook for overriding behaviour before going to the login page.
This method is called from require_login from potentially any page for all enabled auth plugins and gives each plugin a chance to redirect directly to an external login page, or to instantly login a user where possible.
If an auth plugin implements this hook, it must not rely on ONLY this hook in order to work, as there are many ways a user can browse directly to the standard login page. As a general rule in this case you should also implement the loginpage_hook as well.
|
inherited |
Pre user_login hook.
This method is called from authenticate_user_login() right after the user object is generated. This gives the auth plugins an option to make adjustments before the verification process starts.
object | $user | user object, later used for $USER |
|
inherited |
Pre logout hook.
This method is called from require_logout() for all enabled auth plugins.
Reimplemented in auth_plugin_mnet.
|
staticinherited |
Prepare a list of identity providers for output.
array | $identityproviders | as returned by self::get_identity_providers() |
renderer_base | $output |
array | the identity providers ready for output |
auth_plugin_ldap::prevent_local_passwords | ( | ) |
Indicates if password hashes should be stored in local moodle database.
bool | true means flag 'not_cached' stored instead of password hash |
Reimplemented from auth_plugin_base.
Reimplemented in auth_plugin_cas.
|
inherited |
Processes and stores configuration data for this authentication plugin.
object | object with submitted configuration settings (without system magic quotes) |
|
inherited |
Set extra user information.
array | $values | Any Key value pair. |
void |
|
inherited |
Return a form to capture user details for account creation.
This is used in /login/signup.php.
moodle_form | A form which edits a record from the user table. |
auth_plugin_ldap::sync_roles | ( | $user | ) |
Sync roles for this user.
object | $user | The user to sync (without system magic quotes). |
Reimplemented from auth_plugin_base.
auth_plugin_ldap::sync_users | ( | $do_updates = true | ) |
Synchronizes users from the external LDAP server to the Moodle user table.
Sync is now using the username attribute.
Syncing users removes or suspends users that don't exist anymore in the external LDAP. Creates new users and updates the coursecreator status of users.
bool | $do_updates | will do pull in data updates from LDAP if relevant |
Reimplemented in auth_plugin_cas.
|
protectedinherited |
Update a local user record from an external source.
This is a lighter version of the one in moodlelib – won't do expensive ops such as enrolment.
string | $username | username |
array | $updatekeys | fields to update, false updates all fields. |
bool | $triggerevent | set false if user_updated event should not be triggered. This will not affect user_password_updated event triggering. |
bool | $suspenduser | Should the user be suspended? |
stdClass|bool | updated user record or false if there is no new info to update. |
auth_plugin_ldap::user_activate | ( | $username | ) |
Activates (enables) user in external LDAP so user can login.
mixed | $username |
boolean | result |
|
inherited |
Post authentication hook.
This method is called from authenticate_user_login() for all enabled auth plugins.
object | $user | user object, later used for $USER |
string | $username | (with system magic quotes) |
string | $password | plain text password (with system magic quotes) |
auth_plugin_ldap::user_confirm | ( | $username, | |
$confirmsecret ) |
Confirm the new user as registered.
string | $username | |
string | $confirmsecret |
Reimplemented from auth_plugin_base.
auth_plugin_ldap::user_create | ( | $userobject, | |
$plainpass ) |
Creates a new user on LDAP.
Creates the user from the information in userobject. Use user_exists to prevent duplicate usernames.
mixed | $userobject | Moodle userobject |
mixed | $plainpass | Plaintext password |
|
inherited |
User delete requested - internal user record is marked as deleted already, username not present anymore.
Do any action in external database.
object | $user | Userobject before delete (without system magic quotes) |
void |
auth_plugin_ldap::user_exists | ( | $username | ) |
auth_plugin_ldap::user_login | ( | $username, | |
$password ) |
Returns true if the username and password work and false if they are wrong or don't exist.
string | $username | The username (without system magic quotes) |
string | $password | The password (without system magic quotes) |
bool | Authentication success or failure. |
Reimplemented from auth_plugin_base.
Reimplemented in auth_plugin_cas.
auth_plugin_ldap::user_signup | ( | $user, | |
$notify = true ) |
Sign up a new user ready for confirmation.
Password is passed in plaintext.
object | $user | new user object |
boolean | $notify | print notice with link and terminate |
boolean | success |
Reimplemented from auth_plugin_base.
auth_plugin_ldap::user_update | ( | $olduser, | |
$newuser ) |
Called when the user record is updated.
Modifies user in external LDAP server. It takes olduser (before changes) and newuser (after changes) compares information and saves modified information to external LDAP server.
mixed | $olduser | Userobject before modifications (without system magic quotes) |
mixed | $newuser | Userobject new modified userobject (without system magic quotes) |
boolean | result |
Reimplemented from auth_plugin_base.
auth_plugin_ldap::user_update_password | ( | $user, | |
$newpassword ) |
Changes userpassword in LDAP.
Called when the user password is updated. It assumes it is called by an admin or that you've otherwise checked the user's credentials.
object | $user | User table object |
string | $newpassword | Plaintext password (not crypted/md5'ed) |
boolean | result |
Reimplemented from auth_plugin_base.
|
inherited |
A chance to validate form data, and last chance to do stuff before it is inserted in config_plugin.
object | object with submitted configuration settings (without system magic quotes) | |
array | $err | array of error messages |