## Authentication

### Nobody can update profiles

After upgrading to 1.8 when a user tries to update their profile they get the error "Failed to update user data on external auth: . See the server logs for more details." I also get the error if I try to update their profile as the local admin.

The server logs don't give any additional information.

I am authenticating from Active Directory and it seems to be trying (as the error states) to update AD even though in LDAP settings under data mapping "Update External" options are all set to Never.

I verified it in the database that all remote fields are set to zero. I just can't seem to figure out why it's trying to update externally.

Any suggestions?

Thanks,

Randy

Average of ratings: -
Re: Nobody can update profiles

I did a little digging in auth/ldap/auth.php and found that the call to $this->ldap_get_entries($ldapconnection, $user_info_result) at line 863 was returning no results. The reason for this appears to be that the call to $this->config->objectclass at line 859 does not get the right value. Both of these occur before the field mappings are checked to see if external updating is even required. I got around the problem by setting the "Object class" field in LDAP settings to "inetOrgPerson". Once I did that, it was smooth sailing. Not only was this problem fixed, but the "Login As" function started working for LDAP authenticated users.

Average of ratings: -
Re: Nobody can update profiles
This error has been hitting some people for a while and I'd like to nail it down and fix it for good.

Could you help me trace it? I'd need to know your LDAP settings (and the type of LDAP server you are using) and adding a few debugging statements in a couple of places in the code.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles
We also had this problem with LDAP authentication. The error is generated from the user_update() function in ldap/auth.php. My quick and dirty hack was to return true; right at the beginning of the function.

Would like to know exactly why it's trying to update the user's entry on the LDAP server though...

Average of ratings: -
Re: Nobody can update profiles

Would like to know exactly why it's trying to update the user's entry on the LDAP server though...

It may be that it isn't, even though you see that error message[1]. That's why I need help from people that are seeing the error, because I'm not able to reproduce it in my test setup.

Saludos. Iñaki.

[1] Because of the way the current LDAP code does certain things.

Average of ratings: -
Re: Nobody can update profiles

We still have this problem and we don't want to hack some ldap-configs in moodle. A clean solution would be nice. What do you need exactly: our auth.php or screenshots of our ldap-settings in moodle?

Greeting, Karsten.

Average of ratings: -
Re: Nobody can update profiles

I need:

* Moodle version ($version from .../moodle/version.php)
* LDAP settings (either as text or screenshots).
* LDAP server name and version.

With all this, I'll propose that you add a few debugging lines to your auth.php file to see what's going on. The debugging lines will just add some details to your PHP error logs (but user output will remain unchanged), so you'll need access to them.

I have a suspicion, but I need the output of these debugging lines to confirm it and propose a fix for the problem.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

O.k. Please post your e-mail address here or send a blank mail to me and I'm going to send you the information you need asap ...

Thanx, Karsten.

Average of ratings: -
Re: Nobody can update profiles

Did anyone find a solution to this problem? We don't want to update LDAP fields but still we want students/teachers to be able to update other fields - like upload their pictures (which are not coming from LDAP). Is this possible? It used to work before upgrading to 1.8.2.

Any ideas?

Thanks, Bhavna

Average of ratings: -
Re: Nobody can update profiles

I have already sent you a mail.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

Hi Inaki,

I've sent the e-mail with our information to you now. Sorry for the weekend delay!

Greetings, Karsten.

Average of ratings: -
Re: Nobody can update profiles

I'll have a look at it in the following days. The semester has just started here and I'll be a bit busy.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

OK, so the only way we can get this message ('Failed to update user data on external auth:') is if we get a false from user_update(). There are only a handful places where we return false, so I propose to add the following debugging statements to the code, so we have enough additional information to trace the execution. All the debugging statements go to the PHP error logs, so you'll need to get them from there.

Edit .../auth/ldap/auth.php, search for the following code (around line 856) and add the lines in bold+blue:

```php
// The error_log() calls are the added debugging lines.
$user_dn = $this->ldap_find_userdn($ldapconnection, $extoldusername);
error_log('extoldusername: ' . print_r($extoldusername, true));
error_log('user_dn: ' . print_r($user_dn, true));
$user_info_result = ldap_read($ldapconnection, $user_dn,
                        $this->config->objectclass, $search_attribs);
error_log('objectclass: ' . print_r($this->config->objectclass, true));
error_log('search_attribs: ' . print_r($search_attribs, true));
error_log('user_info_result: ' . print_r($user_info_result, true));
if ($user_info_result) {
    $user_entry = $this->ldap_get_entries($ldapconnection, $user_info_result);
    error_log('user_entry: ' . print_r($user_entry, true));
    if (empty($user_entry)) {
        error_log('Old user not found');
        return false;
    } else if (count($user_entry) > 1) {
        error_log('More than one user record');
        trigger_error("ldap: Strange! More than one user record found in ldap. Only using the first one.");
        return false;
    }
    // ... rest of the function unchanged
```

Reproduce the error and paste the info back here (or send it to me) so I can have a look at it and figure what could be going wrong.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

I am having similar problems. When I post in the lines from above I get the Old user not found error message showing up in my logs.

Average of ratings: -
Re: Nobody can update profiles

But prior to that line you should get a few other lines. The details of those other lines (the ones for extoldusername, user_dn, objectclass and so on) are very important to try and diagnose the source of the error.

If you could paste those lines here (masking user data so you don't compromise your security), that would really help.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

Here are the lines previous

```
[Mon Sep 17 14:37:04 2007] [error] [client 129.89.22.77] extoldusername: USERNAME, referer: http://homework.chem.uwm.edu/user/edit.php
[Mon Sep 17 14:37:04 2007] [error] [client 129.89.22.77] user_dn: uid=USERNAME,ou=people,o=uwm.edu, referer: http://homework.chem.uwm.edu/user/edit.php
[Mon Sep 17 14:37:04 2007] [error] [client 129.89.22.77] objectclass: objectClass=posixAccount, referer: http://homework.chem.uwm.edu/user/edit.php
[Mon Sep 17 14:37:04 2007] [error] [client 129.89.22.77] search_attribs: Array\n(\n [0] => givenName\n [1] => sn\n [2] => mail\n [3] => uid\n)\n,$
[Mon Sep 17 14:37:04 2007] [error] [client 129.89.22.77] user_info_result: Resource id #161, referer: http://homework.chem.uwm.edu/user/edit.php
[Mon Sep 17 14:37:04 2007] [error] [client 129.89.22.77] user_entry: Array\n(\n)\n, referer: http://homework.chem.uwm.edu/user/edit.php
[Mon Sep 17 14:37:04 2007] [error] [client 129.89.22.77] Old user not found, referer: http://homework.chem.uwm.edu/user/edit.php
```

Average of ratings: -
Re: Nobody can update profiles

OK, so it's either failing in the call to ldap_read(), or inside $this->ldap_get_entries(). To discard the first one, if you are able to query your LDAP server from outside Moodle (from the command line, for example), what do you get if you query your LDAP server for that user DN ('uid=USERNAME,ou=people,o=uwm.edu'), asking for the attributes 'givenName', 'sn', 'mail' and 'uid'? Make sure you bind with the same credentials as Moodle.

Sorry for asking for so many details, but I'm shooting in the dark and can only advance from what you tell me in each step.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

I am having the same issues using Moodle 1.8.2 (2007021520). We are not using any bind credentials, just using anonymous auth. givenName, sn, mail, and uid are all public attributes that are properly populated, yet it still gives the account update with blank information, and then an error of populating the remote LDAP server. After this, there is a blank user created in the Moodle DB that only stores the UID of the authenticated user.

Let me know if I can be of any assistance. The screenshots can be located here:

Average of ratings: -
Re: Nobody can update profiles

Let me know if I can be of any assistance.

As usual, knowing the exact Moodle version (see version.php), the LDAP server type and version you are using, and Moodle's LDAP configuration settings helps a lot.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

PHP Version 5.1.6

The last reference I can find for our OpenLDAP servers is 2.2.4, but it might have been updated since then. It still should be OpenLDAP v3 though.

Settings I have:

* host: ldap://hostname
* version: 3
* encoding: utf-8
* hide passwords=yes
* usertype= posix (rfc2307)
* context = o=people,o=uwm.edu
* search subcontexts=no
* dereference = no
* user attribute = uid
* force changes =no,no,plaintext
* ldap expiration = no, 10, blank, no
* create externally = no
* cron sync = keep internal
* first name = givenName, on every login, never, unlocked
* surname = sn, on every login,never,unlocked
* email = mail, on every login,never,unlocked

Everything else is blank. We are able to get all requested attributes without being bound, it will deny proper ID's with incorrect passwords, and when it creates the blank populated user account, it does see the UID.

I believe I provided the exact Moodle version, I'm sorry for formatting, but I'm working from home and it's late. Thanks for the help. Let me know what else you'd need.

Average of ratings: -
Re: Nobody can update profiles

I have tried what you suggested and can successfully see givenName, sn, etc. There is no 'mail', since the user doesn't have one.

So, what is the next step? Please let me know thanks.

--Mike

Average of ratings: -
Re: Nobody can update profiles

Hello Iñaki,

I've added your bold blue lines to our auth.php today, forced the error two times in the afternoon and sent you the error.log via e-mail now. I hope it can help you to find the mistake!

Greetings, Karsten.

Average of ratings: -
Re: Nobody can update profiles

Hello Iñaki,

did you receive my e-mail with our latest error log last week?

Greetings, Karsten.

Average of ratings: -
Re: Nobody can update profiles

Sorry, yes I did. But I've been a bit busy this week and only had time to have a very cursory look at it (not enough to reach any conclusion). This week is going to be a bit crazy too, but I'll try to have a closer look at it.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

HOORAY! I've managed to fix the problem for our installation.

I'm not a programmer, so you'll have to forgive my lack of technical description. I managed to track the problem to around line 50 in 'moodle/auth/ldap/auth.php':

```php
if (empty($this->config->objectclass)) { // Can't send empty filter
    $this->config->objectclass = 'objectClass=*';
} else if (strpos($this->config->objectclass, 'objectClass=') !== 0) {
    $this->config->objectclass = 'objectClass=' . $this->config->objectclass;
}
```

For our LDAP setup, objectClass was being set to objectClass=posixAccount, which is correct. However, for some reason, that was causing something to fail when doing any kind of ldap_read() or ldap_get_entries(), etc., through PHP. So the user information would come back empty.

I 'fixed' it by taking out the if/else statement and just leaving it as

```php
$this->config->objectclass = 'objectClass=*';
```

I've spoken with our LDAP gurus and have determined exactly what the problem is, given our system. We don't force students to have a university e-mail address, or any other university centralized account. The only one they have to have is our central LDAP login one, called a Passport account. If they never use any other central account, such as e-mail, or a lab account, they will not get a UID. Without a UID they are not considered a 'posixAccount', hence, they don't show up when we query that type in the tree.

So, the fix was to stop looking for a posixAccount and just set it to a wildcard. This is fine since Moodle already knows the exact user_dn when it does the lookup.

Such a simple answer. Anyway, thanks for your help Inaki, and I hope that this info helps someone else fix their problems.

--Mike

Average of ratings: -
Re: Nobody can update profiles
If you want to use 'objectClass=*', then you can specify exactly that in the settings page, instead of modifying the code. This will provide easier upgrades in the future.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

Hi,
I set '*' for Object class value on LDAP server configuration page (User lookup settings) and it seems to work (users can update the profile). We use Novell eDirectory.

Average of ratings: -
Re: Nobody can update profiles
I've also set this configuration option, and it seems to have done the trick - thanks

Average of ratings: -
Re: Nobody can update profiles

Thanks, I hadn't seen that option there. That makes things even easier.

However, there is still the outstanding problem as to why it was trying to write to the LDAP tree, even though it was specifically told not to. I've been able to determine that it was not pulling up a record, and we've fixed that with the objectClass, but why was it still trying to write?

From what I could tell when I looked into it, the variable that held the options to write or not was empty, since it was not able to pull the record in the first place. If it couldn't find the field in the first place, it also can't find whether it's allowed to update it or not, so it tries anyway.

That seems a strange way to handle it, but who knows, I could be completely wrong. Either way, it's something that should be looked into in the future, to avoid problems.

--Mike


Average of ratings: -
Re: Nobody can update profiles

but why was it still trying to write?

It isn't. Really. The problem is the function returns a boolean value, true meaning the update (in case it was needed at all) went well, and false meaning the opposite.

The current code returns false if it can't find the user in the LDAP server, even if we don't need to update anything at all. The 'bug' is trying to look up the user before checking if anything has to be updated.

When the calling function gets the false return value, it blindly prints the generic error message 'Can't update user profile'.

So:

a) the code shouldn't try to look up the user before checking that we really need to update something in the LDAP server and

b) if we don't find the user, actually print an error message in the logs (right now we don't).

Anyway, not finding an existing user in the LDAP server is quite unusual, as s/he was there in the first place. Otherwise, s/he wouldn't have logged in! So giving a notice to the user changing the profile and logging the fact in the error logs is the way to go IMHO.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

I am unfortunately still having this issue even while attempting to use objectClass = *. Users are properly authenticating, and wrong credentials are being denied access, but we have not been able to have users create their profiles and start using the Moodle site.

We currently have the following fields properly populated and readable via LDAP calls:

1 givenName
2 telephoneNumber
3 sn
4 employeeType
5 ou
6 roomNumber
7 mail
8 uid
10 homePhone
12 title
13 cn
14 buildingName
15 appointingDepartmen

Even if we need to force users to populate their information from scratch but require LDAP authentication, we would be OK with this implementation. Unfortunately I've seemingly attempted every iteration of settings to allow users to create their profiles to move onto the main Moodle page without success.

Could someone possibly copy their settings that have allowed LDAP users to successfully create their profiles?

Thank you-
Dan

Average of ratings: -
Re: Nobody can update profiles

Before filing the bug, I'd like people having this problem try the attached patch (it's for 1.8.3, but should apply cleanly to any 1.8.x version) and see if the problem is fixed.

There's still a subtle issue pending, but before diving into that I'd like to verify that this patch is on the right track.

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

On my test environment, OSX server, the authentication and then profile updates work properly after applying the patch.

However, on the CentOS production environment, this patch seems to introduce the following errors whenever trying to view a page that needs authentication:

Stack trace:

* line 4840 of lib/weblib.php: call to debugging()
* line 2408 of lib/moodlelib.php: call to error()
* line 25 of login/logout.php: call to get_auth_plugin()

These are both on clean installs of 1.8.3 stable. Even when I replace auth/ldap/auth.php with the clean 1.8.3, the CentOS instance will not allow anything to be done. I have to do a clean install for the error to disappear.

At this point, administrators can access the users/authentication section. As soon as the auth.php file is patched, a logged in authentication continues to receive the plugin ldap not found.

Thoughts?

Average of ratings: -
Re: Nobody can update profiles

Make sure the patched auth.php file is readable by the web server user (and the directory it's in too).

Saludos. Iñaki.

Average of ratings: -
Re: Nobody can update profiles

Dan,
Did you get this problem solved? We're having the same problem, authenticating against an OS X Xsan LDAP with the same settings you specified above, and not sure if patching will solve the issue. Did Iñaki's tip above (re: permissions on the patched file and directory) help?

Thanks for any info.
Ali

Average of ratings: -
Re: Nobody can update profiles

In case anyone else runs across this thread with the same problem, we found that it's a bug in 1.8.2, that is fixed in 1.8.4, but you also can fix it by making sure that if you are overriding the Object class field by using "objectClass = *", make sure you have a capital C and not a lowercase c in that string (e.g. objectClass=* NOT objectclass=*). 1.8.4 fixes the code that causes this to be a problem; before updating to 1.8.4, we found the issue was resolved as soon as we changed objectclass to objectClass.
Here are the details from the bugfix report for 1.8.4:
http://tracker.moodle.org/browse/MDL-11299

Average of ratings: -
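
The two causes identified in this thread, as an added sketch that is not Moodle's code or the patch mentioned earlier: the case-sensitive prefix test from the quoted auth.php snippet turns `objectclass=*` into a filter that matches nothing, and looking the user up before checking the mappings turns that empty result into a failure. The directory entries, DNs and function names are constructed for illustration, and `normalise_ci()` is a hypothetical variant.

```php
<?php
// Added sketch, not Moodle's auth/ldap/auth.php. Directory entries are constructed.
$directory = [
    'uid=alice,ou=people,o=example' => ['top', 'person', 'posixAccount'],
    'uid=bob,ou=people,o=example'   => ['top', 'person'],   // no UID, so no posixAccount
];

// Filter normalisation as quoted in the thread: the prefix test is case-sensitive.
function normalise_as_quoted(string $oc): string {
    if ($oc === '') {
        return 'objectClass=*';   // can't send an empty filter
    }
    return strpos($oc, 'objectClass=') !== 0 ? 'objectClass=' . $oc : $oc;
}

// Hypothetical variant: LDAP attribute names are case-insensitive, so test with stripos().
function normalise_ci(string $oc): string {
    $oc = trim($oc);
    if (stripos($oc, 'objectClass=') === 0) {
        $oc = substr($oc, strlen('objectClass='));
    }
    return 'objectClass=' . ($oc === '' ? '*' : $oc);
}

// Stand-in for a base-scope ldap_read() plus ldap_get_entries(): returns 0 or 1 entries.
function read_entry(array $dir, string $dn, string $filter): array {
    $value = strtolower(substr($filter, strlen('objectClass=')));
    $classes = array_map('strtolower', $dir[$dn] ?? []);
    // '*' is a presence test; anything else must name one of the entry's classes.
    $hit = isset($dir[$dn]) && ($value === '*' || in_array($value, $classes, true));
    return $hit ? [$dir[$dn]] : [];
}

// Order described in the thread: the lookup runs before the mappings are consulted.
function update_lookup_first(array $dir, string $dn, string $filter, array $updateRemote): bool {
    if (count(read_entry($dir, $dn, $filter)) !== 1) {
        return false;   // caller shows "Failed to update user data on external auth"
    }
    return true;        // mapped fields would be written here
}

// Reordered: with nothing mapped for external update there is no lookup and no failure.
function update_check_first(array $dir, string $dn, string $filter, array $updateRemote): bool {
    if (!array_filter($updateRemote)) {
        return true;
    }
    if (count(read_entry($dir, $dn, $filter)) !== 1) {
        error_log("ldap: $dn not returned for filter ($filter)");
        return false;
    }
    return true;        // mapped fields would be written here
}

$never = ['firstname' => 0, 'lastname' => 0, 'email' => 0];   // every field set to Never
$bob = 'uid=bob,ou=people,o=example';
foreach (['posixAccount', 'objectclass=*', '*'] as $setting) {
    foreach (['normalise_as_quoted', 'normalise_ci'] as $normalise) {
        $filter = $normalise($setting);
        printf("%-20s %-28s lookup-first=%-5s check-first=%s\n", $normalise, $filter,
            var_export(update_lookup_first($directory, $bob, $filter, $never), true),
            var_export(update_check_first($directory, $bob, $filter, $never), true));
    }
}
```

Run with the PHP CLI; each output row shows the filter a setting produces and whether the profile update would be reported as failed for an account that lacks posixAccount.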
Re: Nobody can update profiles

Hi,

Could you please send me your e-mail address also? I've compiled the information you requested regarding our setup, and would like to forward it to you. You can send it to mstreet ATATATATAT yorku.ca.

Thank you.

Average of ratings: -
Re: Nobody can update profiles

Hi Inaki,

I installed Moodle and am experiencing the same problem. Seems like it is creating a blank user (I can see the blank user from the user list panel). Updating is failing, similar to what others described on this page.

Here are my settings:

Moodle Version: 1.8.2+
Ldap server type: iPlanet
Ldap Settings I am using:

Host URL: ldap://ldapsrv.org.domain:389/o=org.domain
LDAP Encoding: utf-8
LDAP Version 3
Bind Settings:
Disting. Name: uid=ldapbind,ou=People,o=Accounts,o=org.domain

User Lookup Settings:
User type: posixAccount (I was not sure about it, i tried all of them, posix lets me authenticate to the server - moodle logs in and goes to the user update page, the others denies login).
Contexts: ou=Student,o=Accounts,o=org.domain;ou=Staff,o=Accounts,o=org.domain;ou=Faculty,o=Accounts,o=org.domain
Search Subcontexts: Yes
Dereference Aliases: No
Rest of the stuff i left default.
After logging in with an LDAP login, it goes to the user edit page, and i notice it does not show the first and last names...

I am new to moodle...let me know if you need any other info. I hope there is a fix for it!!

Average of ratings: -
Re: Nobody can update profiles

Rest of the stuff i left default.

If you don't specify any mappings Moodle won't be able to fill in those fields. So your users will be redirected to the profile edition page as soon as they login to fill in the obligatory fields.

You need to specify the mappings for at least firstname, surname, email, location, country and description, if I'm not mistaken. Otherwise, users will be redirected to the profile page, to fill what's missing.

Saludos. Iñaki.

Average of ratings: -