A complete LDAP context syntax optionally includes a scope and filter, in the form of dn?scope?filter, but neither the LDAP authentication nor the LDAP enrolment plugin seems to support it.
I should be able to use something like "ou=people,dc=example,dc=org?one?(&(uid=*)(!(mail=*)))" as an authentication context so that any special accounts that don't have email addresses won't be created or synced by the LDAP authentication plugin. When I tried to use this context, here is the result from the sync_users.php script:
Connecting to LDAP server...
Creating temporary table tmp_extuser
Did not get any users from LDAP -- error? -- exiting
Potential coding error - existing temptables found when disposing database. Must be dropped!
We have thousands of courses listed in our LDAP as posixGroup. I don't want to have to duplicate copies of these values in an additional container with a supplementary/structural objectclass only for Moodle courses I want autocreated/autoenrolled. Suppose I enhance the existing course posixGroup entry with an objectClass called moodleGroup (SUP posixGroup AUXILIARY) only in courses I want Moodle autoenrolment to see. I should be able to use something like "ou=courses,ou=group,dc=example,dc=org?one?(objectClass=moodleGroup)" for any of the role mapping contexts. This is equivalent to hiding all other course posixGroup entries from Moodle's LDAP enrolment plugin. I have to create a test Moodle container to try this out, but I'm assuming it won't work because the PHP code is likely similar to the LDAP authentication plugin.
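
The dn?scope?filter form requested above, as an added example that is not part of the original report and not Moodle's code: a parser that splits a context, validates the scope and filter, and ANDs the context filter onto the filter the caller already uses. The helper names and the plugin-side filters `(objectClass=posixAccount)` and `(objectClass=posixGroup)` are assumptions made for illustration.

```php
<?php
// Added example, not Moodle code (helper names are hypothetical). Scope keyword -> PHP LDAP search function.
const SCOPE_FUNCTIONS = ['base' => 'ldap_read', 'one' => 'ldap_list', 'sub' => 'ldap_search'];

// Accept a filter only if it is a single expression with balanced parentheses.
// Literal parentheses in values are written \28 and \29 (RFC 4515), so counting suffices.
function filter_is_wellformed(string $filter): bool {
    $last = strlen($filter) - 1;
    if ($last < 0 || $filter[0] !== '(') {
        return false;
    }
    for ($i = 0, $depth = 0; $i <= $last; $i++) {
        if ($filter[$i] === '(') {
            $depth++;
        } elseif ($filter[$i] === ')' && (--$depth < 0 || ($depth === 0 && $i !== $last))) {
            return false;
        }
    }
    return $depth === 0;
}

// Split "dn?scope?filter"; scope and filter are optional. Limit 3 keeps the filter whole.
function parse_ldap_context(string $context, string $defaultscope = 'sub'): array {
    $parts = array_map('trim', explode('?', $context, 3));
    $scope = strtolower($parts[1] ?? '');
    $scope = $scope === '' ? $defaultscope : $scope;
    $filter = $parts[2] ?? '';
    if ($parts[0] === '' || !array_key_exists($scope, SCOPE_FUNCTIONS)) {
        throw new InvalidArgumentException("Bad base DN or scope: $context");
    }
    if ($filter !== '' && !filter_is_wellformed($filter)) {
        throw new InvalidArgumentException("Malformed filter: $context");
    }
    return ['dn' => $parts[0], 'function' => SCOPE_FUNCTIONS[$scope], 'filter' => $filter];
}

// AND the context filter onto the caller's own filter so it can only narrow the result set.
function and_filters(string $own, string $extra): string {
    return $extra === '' ? $own : "(&{$own}{$extra})";
}

// Contexts from the report above; the plugin-side filters are constructed sample values.
$samples = [
    ['ou=people,dc=example,dc=org?one?(&(uid=*)(!(mail=*)))', '(objectClass=posixAccount)'],
    ['ou=courses,ou=group,dc=example,dc=org?one?(objectClass=moodleGroup)', '(objectClass=posixGroup)'],
];
foreach ($samples as [$context, $own]) {
    $c = parse_ldap_context($context);
    printf("%s base=%s filter=%s\n", $c['function'], $c['dn'], and_filters($own, $c['filter']));
}
```

Both sample contexts resolve to `ldap_list` because their scope is `one`. Under RFC 4515 semantics `(!(mail=*))` matches entries that have no mail attribute, so the first combined filter selects entries with a uid and no mail value.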