I've just finished a small patch that 'fixes' a long standing issue with LDAP enrolment for those who use MS Active Directory: the need to use 'distinguishedName' as the ID Number for the user.
I needed to fix it as part of the real enhancement I was after: the
ability to use nested groups with LDAP enrolment. There have been
several requests in the past:
here,
here,
here and
here for example,
and this time I needed it too, so I've gone ahead and done it . The
patch offers both features, and each one of them can be enabled
independently.
In order to keep the patch restricted to the LDAP enrolment plugin
I've had to duplicate a bit of code from the LDAP authentication
plugin (namely ldap_find_userdn() and filter_addslashes()), that
should ideally be refactored in a common LDAP library (that is part of
a longer term effort I'm tackling separately )
The first feature (not needing to use distinguishedName) is based on a couple of premises:
that you may not be using LDAP authentication (quite improbable, but certainly possible).
that having a peek at the LDAP authentication settings (to use them) might not be a good idea. This introduces dependencies on the authentication plugin that can make the enrolment plugin morefragile.
So the patch adds a new few settings for this feature to work (that are basically a replica of the ones in the authentication plugin) to specify:
if the group member attribute contains distinguished names or not (we need to set it to 'Yes' with MS Active Directory). The default value is 'No', which is the current behaviour.
the LDAP attribute we'll use to resolve the Moodle username to the LDAP distinguished name (e.g, 'sAMAccountName', 'cn', etc.). The default value is empty.
the LDAP contexts where we are going to search for the users, as will need to resolve the Moodle username to the LDAP distinguished name. The default value is empty
if we want to search the users in sub-contexts of the specified contexts or not. The default value is 'No'.
The default values make the enrolment plugin behave exactly like now, so it should be safe to use it in existing setups.
Regarding the second feature (nested groups), due to the way the current enrolment code works, it depends on having an LDAP attribute that tells us what groups a given object belongs to (e.g., 'memberOf' in the case of MS Active Directory), and we need to specify that attribute in the settings page.
The code then recursively finds all the groups a given object (initially the user object) belongs to, keeping track of already 'seen' groups (as MS Active Directory allows you to make circular references between groups!!!). And then the course search filter is modified to include not only the user but all the groups found, specifying that any of them can be the member of the course group.
I have tested the patch with both MS Active Directory (which does use distinguished names in group membership and allows nested groups) and OpenLDAP (which neither uses distinguished names nor allows nested groups -as far as I know-) and everything works as expected.
The patch is available for 1.8, 1.9 and HEAD (and could backport it to 1.7 if there is demand for it).
Do you think this could/should go into core?
Saluduos. Iñaki.
P.S. You can get the patches from http://orodruin.escomposlinux.org/~iarenaza/moodle/enrol_ldap_groups/
. I should have pointed out, of course, that I think the patch is great and should certainly go in core. Regarding the groups/OUs, I would strongly vote for supporting both as it would seem a bit odd to say that Moodle supports LDAP groups, but then for it to only work with certain configurations.