Issue Details (XML | Word | Printable)

Key: MDL-5823
Type: Bug Bug
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: Petr Skoda
Reporter: Jeff Graham
Votes: 1
Watchers: 2
Operations

Add/Edit UI Mockup to this issue
If you were logged in you would be able to see more operations.
Moodle

LDAP authentication uses a mix of username and idnumber

Created: 15/Jun/06 07:49 AM   Updated: 24/Sep/07 04:44 PM
Return to search
Component/s: Authentication
Affects Version/s: 1.6
Fix Version/s: 1.8, 1.9

File Attachments: 1. File enrol_ldap.diff (1 kB)
Environment: All
Issue Links:
Dependency
 

Database: Any
Participants: Dan Marsden, Jeff Graham, Martin Dougiamas, Martín Langhoff, Patrick Pollet and Petr Skoda
Security Level: None
Resolved date: 01/Mar/07
Affected Branches: MOODLE_16_STABLE
Fixed Branches: MOODLE_18_STABLE, MOODLE_19_STABLE


 Description  « Hide
when auth_ldap_sync_users is called it fails if you are not using the username as the idnumber. Thus the temporary table {$CFG->prefix}ext_user gets the idnumber field populated with usernames. Then when the subsequent 'LEFT JOIN' is called the idnumber field returned is NULL for all users. This results in all of the users being deleted and then readded. This causes lots of extraneous work and problems in certain cases.



To resolve the issue the code either needs to be switched to use only idnumber as the keying attribute or username. Even though the other external authentication methods use idnumber as the outside keying entry I think it is correct to use username in the case of LDAP.



One solution is to change the LEFT JOINS, there are two queries, to use the username field from {$CFG->prefix}user rather than idnumber.

 All   Comments   Change History   Version Control      Sort Order: Ascending order - Click to sort in descending order
[ Permalink | « Hide ]
Martin Dougiamas added a comment - 20/Jun/06 02:33 AM
From Jeff Graham (jjg7 at humboldt.edu) Tuesday, 20 June 2006, 02:33 AM:

attached is a diff from that should fix this bug. I chose to go with username as the rest of the authentication code is keying off of username rather than idnumber.


[ Permalink | « Hide ]
Dan Marsden added a comment - 24/Nov/06 05:53 AM
Hi Martin, - any chance on gettting this patched? - I could commit it to head if you have no objections!

this is the change I'd suggest

$sql = 'SELECT u.id, u.username
FROM ' . $CFG->prefix .'user u LEFT JOIN ' . $CFG->prefix .'extuser e
ON u.username = e.idnumber
WHERE u.auth=\'' . AUTH_LDAP_NAME . '\' AND u.deleted=\'0\' AND e.idnumber IS NULL';

Instead of:

$sql = 'SELECT u.id, u.username
FROM ' . $CFG->prefix .'user u LEFT JOIN ' . $CFG->prefix .'extuser e
ON u.idnumber = e.idnumber
WHERE u.auth=\'' . AUTH_LDAP_NAME . '\' AND u.deleted=\'0\' AND e.idnumber IS NULL';


[ Permalink | « Hide ]
Martín Langhoff added a comment - 30/Nov/06 07:55 AM
Dan - I agree with the idea but... your "patch" looks backwards?

[ Permalink | « Hide ]
Jeff Graham added a comment - 30/Nov/06 08:04 AM
Bringing attached diff from old tracker over.

[ Permalink | « Hide ]
Jeff Graham added a comment - 30/Nov/06 08:07 AM
Martin,

I believe Dan's patch is correct, but there are 2 queries that need to be adjusted. I have brought over the diff from the old tracker.

The other option would be to populate prefix_extuser.idnumber with the same value as user.idnumber or change that fieldname in extuser to username.


[ Permalink | « Hide ]
Dan Marsden added a comment - 01/Dec/06 01:50 AM
Hi Martin,

Nope - not backwards! - it makes the thing work in our environment! - what looks wrong - will this not work everywhere?

Dan


[ Permalink | « Hide ]
Petr Skoda added a comment - 01/Mar/07 07:08 PM
should be fixed as part of the auth cleanup, only usernames are now used for sync, synchronization of removed users is now fully configurable - allows full delete/suspend/nothing actions.

please report any problems with the new code, closing now - thanks!


[ Permalink | « Hide ]
Patrick Pollet added a comment - 24/Sep/07 04:44 PM
Although revamped code in 1.82 DO fix the previous issue (it is a pity it was not backported in CVS in 1.6 and 1.7 in Novembre 2006 , it would have saved us a lot of headache ;-(() , use of username as the Ldap unique user's information to sync Moodle's user database brings new problems.

See http://moodle.org/mod/forum/discuss.php?d=80652#p358210
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.5-#360) - Bug/feature request - Atlassian news - Contact Administrators