AD Enrolment issue with distinguishedName

by Gordon Falk -
Number of replies: 7

I am running Moodle 1.9.4+.  I have configured AD Authentication, and AD enrolment correctly, as far as I can tell.  I have created two test students with the following distinguishedName(s):

CN=StudentTest,OU=eLearning,OU=Students,DC=ccsmj,DC=com

CN=Student\, Test,OU=eLearning,OU=Students,DC=ccsmj,DC=com

The first user is auto-enrolled correctly.  The second user is not.  Our AD structure lists all users in a manner similar to the second, with the CN containing a \, so I would really like to get the second distinguishedName to enrol.

Thanks in advance for helping.

In reply to Gordon Falk

Re: AD Enrolment issue with distinguishedName

by Gordon Falk -

OK, I have done some more testing, and checking phpMyAdmin.  Here is what I have found:

With idnumber Update Local set to On Every Login...

On first login, the user is created with the idnumber being the DN CN=Student\, Test,OU=eLearning,OU=Students,DC=ccsmj,DC=com but the user is not enrolled in the courses.  This is the distinguishedName listed in ldp.exe.

On second login, the user's idnumber is changed to CN=Student, Test,OU=eLearning,OU=Students,DC=ccsmj,DC=com and the user is still not enrolled in the courses. (stripped the slash.)

I changed idnumber to Update Local on Creation, and manually edited the idnumber to be CN=Student\\, Test,OU=eLearning,OU=Students,DC=ccsmj,DC=com and was enrolled in the courses correctly.

I decided to try the \\ trick after reading this thread : http://moodle.org/mod/forum/discuss.php?d=35865#226068, which is an authentication issue rather than an enrolment issue.

Can someone please tell me if this is a bug, or if I have some settings set wrong that would fix this.

Thanks,

Gord

In reply to Gordon Falk

Re: AD Enrolment issue with distinguishedName

by Iñaki Arenaza -

It looks like a bug to me. I'd say the bug's at lib/moodlelib.php, function update_user_record(), around line 2961 (1.9.5 current as of today) in the piece of code that reads:

    if ($confval === 'onlogin') {
        $value = addslashes(stripslashes($value)); // Just in case
        // MDL-4207 Don't overwrite modified user profile values with
        // empty LDAP values when 'unlocked if empty' is set. The purpose ...

I think the stripslashes() call is not needed and makes those LDAP slashes disappear for no real reason. So changing that line to:

    if ($confval === 'onlogin') {
        $value = addslashes($value);
        // MDL-4207 Don't overwrite modified user profile values with
        // empty LDAP values when 'unlocked if empty' is set. The purpose ...

should do it. I'm not absolutely sure of the full implications of removing that stripslashes() call; as far as I've seen, it shouldn't be a security hole.

Saludos. Iñaki.
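The mechanism behind the observations above, as an added worked example (Python, not Moodle's PHP and not part of either poster's message): a DN pulled from AD carries LDAP escapes of its own (the "\," in CN=Student\, Test), and a PHP-level stripslashes() that was meant to undo SQL quoting removes those LDAP escapes as well, so the value written back to idnumber is no longer the DN that enrolment will later look for. The code models PHP's addslashes()/stripslashes() with two small Python functions, models the database layer as un-quoting a value once on insert, and includes a small RFC 4514 subset DN parser; all three are assumptions for illustration, not Moodle's code. It shows that the stripped form "CN=Student, Test,OU=..." is not merely a different string but no longer a valid DN at all, and that comparing DNs structurally (after parsing) makes "Student\, Test" and its hex-escaped twin "Student\2c Test" match while the mangled value does not.

```python
# Added example, not Moodle code: how addslashes(stripslashes($dn)) mangles an
# LDAP DN, and why DNs should be compared structurally rather than as strings.
# Assumptions: php_addslashes/php_stripslashes are simplified models of the PHP
# functions, the DB layer is modelled as un-quoting a value once on insert, and
# parse_dn is a small RFC 4514 subset parser (not Moodle's own enrolment code).
from typing import List, Optional, Tuple

# Constructed sample DNs, the two test students from the thread.
DN_PLAIN = r"CN=StudentTest,OU=eLearning,OU=Students,DC=ccsmj,DC=com"
DN_ESCAPED = r"CN=Student\, Test,OU=eLearning,OU=Students,DC=ccsmj,DC=com"

DN_SPECIALS = ',+"\\<>;=#'      # RFC 4514: must be backslash-escaped in a value
HEXDIGITS = "0123456789abcdefABCDEF"


def php_addslashes(s: str) -> str:
    # Model of PHP addslashes(): backslash before ' " \ and NUL.
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_stripslashes(s: str) -> str:
    # Model of PHP stripslashes(): drop every backslash, keep the next char.
    # It knows nothing about LDAP, so the DN escape "\," collapses to ",".
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    # Parse "attr=value,attr=value" honouring "\X" (X special or space) and
    # "\XX" hex escapes. Raises ValueError if an RDN lacks '=', which is
    # exactly what happens once the escape before a comma has been stripped.
    rdns: List[Tuple[str, str]] = []
    attr: Optional[str] = None
    buf: List[str] = []
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of DN")
            nxt = dn[i + 1]
            if nxt in DN_SPECIALS or nxt == " ":
                buf.append(nxt)
                i += 2
            elif i + 2 < n and nxt in HEXDIGITS and dn[i + 2] in HEXDIGITS:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                raise ValueError(f"invalid escape at offset {i}")
        elif ch == "=" and attr is None:
            attr, buf = "".join(buf), []
            i += 1
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=': %r" % "".join(buf))
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if attr is None:
        raise ValueError("RDN without '=': %r" % "".join(buf))
    rdns.append((attr, "".join(buf)))
    return rdns


def is_valid_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def dn_equal(a: str, b: str) -> bool:
    # Compare parsed RDNs (attribute types case-insensitive), so that
    # "Student\, Test" and "Student\2c Test" match and a mangled DN does not.
    return ([(t.lower(), v) for t, v in parse_dn(a)]
            == [(t.lower(), v) for t, v in parse_dn(b)])


def stored_idnumber(ldap_dn: str, strip_first: bool) -> str:
    # The 'onlogin' update path from the thread: quote the value for SQL with
    # addslashes(), with or without the suspect stripslashes() first, then let
    # the DB layer un-quote it once. Returns what ends up in the idnumber column.
    value = php_stripslashes(ldap_dn) if strip_first else ldap_dn
    return php_stripslashes(php_addslashes(value))


if __name__ == "__main__":
    for dn in (DN_PLAIN, DN_ESCAPED):
        buggy, fixed = stored_idnumber(dn, True), stored_idnumber(dn, False)
        print(f"{dn}\n  with stripslashes: {buggy} (valid DN: {is_valid_dn(buggy)})"
              f"\n  without:           {fixed} (valid DN: {is_valid_dn(fixed)})")
```

Running it shows the plain DN survives both paths, while the escaped DN survives only the path without stripslashes(); the stripped value fails to parse because " Test" has become an RDN with no attribute type. The practical rule this illustrates: never apply a generic quoting/unquoting pass to a value that has its own escaping grammar, and when an identifier such as a DN is used as a join key between two systems, compare it after parsing rather than byte-for-byte.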

In reply to Iñaki Arenaza

Re: AD Enrolment issue with distinguishedName

by Gordon Falk -

Thanks for the reply Iñaki.  I apologize for not following up here earlier.  In the thread above, you posted a patch for the Authentication module dealing with slashes in the DN.  After I applied that patch, Enrolment worked correctly as well.

The reason I was not having an issue with authentication is I am using sAMAccountName for it, rather than the DN.

Later,

Gord

In reply to Gordon Falk

Re: AD Enrolment issue with distinguishedName

by Iñaki Arenaza -

What patch and where did you apply it exactly? I'm rather confused, as the patch you mention should be needed in 1.9.4 (if I'm reading the current code right) and it deals with authentication only, but is not used in the enrolment code at all.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: AD Enrolment issue with distinguishedName

by Gordon Falk -

Sorry Iñaki, I was not thinking very clearly when I posted yesterday...

I applied both the 0002 and 0005 patches from THIS thread and it fixed the issues I was having with enrolment.

http://moodle.org/mod/forum/discuss.php?d=102718

The reason it only affected enrolment for me, and not the actual authentication, is that I authenticate against the sAMAccountName, which is lastname.firstname with no slashes to deal with.  However, I was mapping the idnumber to be the distinguishedName, which for us is stored in AD as CN=lastname\, Firstname,OU=...

Before applying the patches, there was some weird behavior with the idnumber.  On first logon it created it with the backslash, then on subsequent logons it removed all backslashes.  But enrolment never worked unless I manually made it have two backslashes.

Please commit these patches as soon as possible so that this is not an issue from here on in.

Thanks again for all you do for the community, it is greatly appreciated.

Later,

Gord

In reply to Gordon Falk

Re: AD Enrolment issue with distinguishedName

by Iñaki Arenaza -

Gordon,

Sorry for the delay, and thanks a lot for the information. I need to talk a bit with Petr Skodak about those changes, to make sure they don't break other authentication plugins. But as soon as we are sure they don't, I'll commit them.

Saludos. Iñaki.