Removed ext user - Which does what

Ben Steeples
Hi all,

Our LDAP server is configured not to hand out account details of expired accounts. Hence Moodle runs its auth_ldap_sync script each night, sees the users are missing, and deletes them from its internal database (using Delete Internal setting for Removed ext user).

The problem we've just realised, is when a user is temporarily inactive in LDAP, they are completely removed from Moodle's user database. When they become active again, they are reimported, but given a new database record ID. This has the effect of locking users out of previous objects, such as previous quiz attempts.

The solution is to change Removed ext user in the LDAP configuration page. Ideally I'd like to do this directly on our live server, but I just wanted to clarify with everyone before I did this:

Delete Internal - Does exactly that, if the external account isn't in LDAP then it will be removed from Moodle. If the account reappears in LDAP, it will be added back into Moodle, but with a new account ID.

Keep Internal - Does nothing to the account if it disappears from LDAP. As users authenticate against LDAP, if their account is inactive, their login will fail.

Suspend Internal - Suspends the account, preventing them from logging in again until the account is un-suspended. If the account is suspended in Moodle, but active in LDAP, the user cannot log in to Moodle.


I am guessing that Keep Internal is good enough. We will still want to run the ldap script with Delete Internal periodically, just to purge Moodle of completely expired accounts.

Does this make sense? Is Keep Internal the best option?

Thanks,
Ben
 
Iñaki Arenaza
Re: Removed ext user - Which does what
Humm, having a look at the code I see suspend Internal is mostly like 'Keep internal', with the only differences that:

  • the user account is effectively suspended in Moodle (so there is one less trip to the LDAP server before denying the logon; not a big gain though).

  • you get better logging of suspended/inactive accounts, as the sync script logs which accounts are being suspended/revived.

Saludos. Iñaki.

 
Arnaud Saint-Georges
Re: Removed ext user - Suspended but still present?

Bonjour,

I have been using CAS authentication (based on LDAP) for two years, running auth_ldap_sync every night.

With Moodle 1.6, the users were deleted when they disappeared from the valid LDAP branch, and they were revived when they reappeared in this branch. That was perfect for me.

Since Moodle 1.7:
  • either the users are suspended; they can no longer connect to Moodle, but they still appear in Moodle, in particular as course participants, because their enrolments were not deleted
  • or the users are deleted; but, as you wrote, they will get a new account when they reappear in the valid LDAP branch
Currently, what is the purpose of 'Suspend Internal'? In any case, if the users are actually deleted from LDAP, they can no longer connect to Moodle, isn't it? And the information that the user is suspended doesn't appear anywhere, I believe...
Could we imagine that suspended users would be unenrolled from all courses and no longer appear in the user list, enrolments, etc.?
Or, probably simpler, could existing Moodle users be revived when they reappear in LDAP, no matter whether they were "suspended" or "deleted"? As Moodle 1.6 did.
 
Séverin
Re: Removed ext user - Suspended but still present?

Hello,

I use LDAP authentication with Moodle 1.8.4, and also use the synchronisation script every night. As already said, deleted users can't be reactivated any more as the same old existing users.
I really think, like you, that they should be revived this way.

About the suspend feature, I think it's useful not to directly unenrol from courses... because when the user comes back, he still has all his previous access to everything. It gives time for people to pay for a new academic year, for example, being suspended while they pay, but without having administrative people re-enrol them after payment.

Séverin


 
Mostafa Itani
Re: Removed ext user - Suspended but still present?

Hello All,

I am really stuck with this issue on our real server. Our purpose is to prevent users that are deleted from LDAP or suspended in LDAP from logging into the course; however, we would like them to come back to the course with all the material they had when they are unsuspended in LDAP.

Any suggestion or solution for that?
And if yes, can you please include the steps for that?

Awaiting your reply, since the situation is really disastrous in our environment. Things used to work fine in Moodle 1.6, but no more in Moodle 1.8.4.

Regards,
Mostafa

 
Arnaud Saint-Georges
Re: Removed ext user - Suspended but still present?

Mostafa,
Could you explain why "Suspend internal" (or "Keep internal"!) is not good for you?
 
Arnaud Saint-Georges
Re: Removed ext user - Suspended but still present?

Séverin,
Could you explain why you would need "Suspend internal" to prevent users from logging in? Since you use LDAP (or CAS-LDAP) authentication, LDAP-suspended users cannot log in to Moodle in any case...
 
Arnaud Saint-Georges
Re: Removed ext user - Suspended but still present?

Bonjour,

About processing users having been deleted/deactivated/suspended from LDAP, I think we need 5 different settings, from "do nothing" to "fully delete".

1) Keep internal
- no change in Moodle
- however the user cannot log in to Moodle because he cannot authenticate against LDAP

2) Suspend internal
- only one change in Moodle: tagged as "suspended"
- the user can no longer log in to Moodle
- he still appears as a course participant
- he would be revived in Moodle if he reappeared in LDAP

3) Hide internal (new setting)
- the user is tagged as "hidden" in Moodle
- he can no longer log in to Moodle
- he no longer appears as a course participant
- he would be revived in Moodle if he reappeared in LDAP (with his previous enrollments)

4) Deactivate internal (new setting, like "delete internal" in Moodle 1.6)
- the user is tagged as "deactivated" in Moodle
- he is unenrolled from his Moodle courses
- he can no longer log in to Moodle
- of course he no longer appears as a course participant
- he would be revived in Moodle if he reappeared in LDAP (without any enrollment)

5) Delete internal
- the user is tagged as "deleted" in Moodle
- he is unenrolled from his Moodle courses
- his email and idnumber are cleared
- of course he can no longer log in to Moodle
- of course he no longer appears as a course participant
- of course he won't be revived in Moodle if he reappeared in LDAP

What do you think about these different settings?

Arnaud
 
Arnaud Saint-Georges
Re: Removed ext user - Suspended but still present?

About this issue, I have created a new entry in the tracker:
http://tracker.moodle.org/browse/MDL-13563
Vote for it if you need.
 
Séverin
Re: Removed ext user - Suspended but still present?
Thanks Arnaud, I totally agree with this proposal, and voted for it.

I also think you have the answer to your previous question (sorry, I had not seen it).

Thanks also for your patch.

Séverin

 
Arnaud Saint-Georges
Re: Removed ext user - Suspended but still present?

Salut Séverin,

Here is a patch for those (like me) who want to be able to "revive" users coming back to LDAP, as the "delete internal" setting did in Moodle 1.6.

What exactly does this patch do?
- it tags the user no longer in LDAP as "deleted" in Moodle
- it unenrols him from his Moodle courses
- it would revive him in Moodle if he reappeared in LDAP (without any enrollment)

Note that:
- the user can no longer log in to Moodle
- of course he no longer appears as a course participant

Arnaud

--- MOODLE_0709/auth/cas/auth.php 2008-01-03 12:18:49.000000000 +0100
+++ moodle/auth/cas/auth.php 2008-02-25 16:34:01.000000000 +0100
@@ -713,9 +713,9 @@
$updateuser = new object();
$updateuser->id = $user->id;
$updateuser->deleted = 1;
- $updateuser->username = addslashes("$user->email.".time()); // Remember it just in case
- $updateuser->email = ''; // Clear this field to free it up
- $updateuser->idnumber = ''; // Clear this field to free it up
+ //WE SHOULD BE ABLE TO REVIVE THE DELETED USERS $updateuser->username = addslashes("$user->email.".time()); // R
emember it just in case
+ //WE SHOULD BE ABLE TO REVIVE THE DELETED USERS $updateuser->email = ''; // Clear this field to
free it up
+ //WE SHOULD BE ABLE TO REVIVE THE DELETED USERS $updateuser->idnumber = ''; // Clear this field to
free it up
$updateuser->timemodified = time();
if (update_record('user', $updateuser)) {
delete_records('role_assignments', 'userid', $user->id); // unassign all roles
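Review bot: Commenting out the three clearing lines means a deleted user record keeps its original username, email and idnumber, which the original code freed up on purpose; since the revive query in the next hunk matches on username only, the same effect could be had by keeping the username intact while still clearing email and idnumber, so a deleted record does not hold an email address that may block creating a fresh account for the same person. Leaving the old statements behind a `//WE SHOULD BE ABLE TO REVIVE THE DELETED USERS` comment also makes the change hard to read (the lines are long enough to have been wrapped here); an explicit conditional on the removeuser setting, or simply removing the lines, would be clearer.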
@@ -742,11 +742,11 @@
unset($remove_users); // free mem!
}
/// Revive suspended users
- if (!empty($this->config->removeuser) and $this->config->removeuser == 1) {
- $sql = "SELECT u.id, u.username
+ if (!empty($this->config->removeuser) and ($this->config->removeuser == 1 or $this->config->removeuser == 2)) { //WE ALSO REVIVE THE
DELETED USERS
+ $sql = "SELECT u.id, u.username, u.deleted
FROM $temptable e, {$CFG->prefix}user u
WHERE e.username=u.username
- AND u.auth='nologin'";
+ AND (u.auth='nologin' OR u.deleted=1)"; //WE ALSO REVIVE THE DELETED USERS
$revive_users = get_records_sql($sql);
if (!empty($revive_users)) {
print "User entries to be revived: ". count($revive_users) . "\n";
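Review bot: The extended SELECT adds `u.deleted` but not `u.auth`, yet the revive loop in the following hunk tests `$user->auth`; `u.auth` should be added to the column list or that test will never see a real value. The `$this->config->removeuser == 2` comparison also hardcodes the setting value alongside the existing literal `1`; a short comment stating which value is suspend and which is delete would make the condition reviewable without consulting the settings code.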
@@ -754,9 +754,10 @@
foreach ($revive_users as $user) {
$updateuser = new object();
$updateuser->id = $user->id;
- $updateuser->auth = 'cas';
+ if ($user->auth = 'nologin') {$updateuser->auth = 'cas';} // RESTRICT TO 'nologin' USERS, JUST IN CASE
+ if ($user->deleted == 1) {$updateuser->deleted = 0;} //WE ALSO REVIVE THE DELETED USERS
if (update_record('user', $updateuser)) {
- echo "\t"; print_string('auth_dbreviveser', 'auth', array($user->username, $user->id)); echo "\n";
+ echo "\t"; print_string('auth_dbreviveduser', 'auth', array($user->username, $user->id)); echo "\n";
} else {
echo "\t"; print_string('auth_dbreviveusererror', 'auth', $user->username); echo "\n";
}
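Review bot: `if ($user->auth = 'nologin')` uses a single `=`, which assigns 'nologin' to `$user->auth` and is always true, so the "RESTRICT TO 'nologin' USERS" guard does nothing and every revived row, deleted users included, has its auth forced to 'cas'; it should be `==` (and `u.auth` must actually be selected by the query in the previous hunk for the comparison to mean anything). The string key change from 'auth_dbreviveser' to 'auth_dbreviveduser' only works if that key exists in the auth language file; otherwise print_string will emit the missing-string placeholder in the sync output.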
 