Moodle issue MDL-10921

LDAP Auth to Active Directory requires LDAP_OPT_REFERRALS option set

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8, 1.8.1, 1.8.2
    • Fix Version/s: 1.7.3, 1.8.3, 1.9
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      Moodle on LAMP with Active Directory as Authentication source
    • Affected Branches:
      MOODLE_18_STABLE
    • Fixed Branches:
      MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE

      Description

      Inserting

      ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0);

      around line 1315 like this:

      if (!empty($this->config->version)) {
          ldap_set_option($connresult, LDAP_OPT_PROTOCOL_VERSION, $this->config->version);
      }

      ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0);

      if (!empty($binddn)) {
          //bind with search-user

      Without this option being set the following errors will occur (you need to have debug messages turned on to see this):

      Warning: ldap_search(): Search: Operations error in /moodle/auth/ldap/auth.php on line 1380

      Warning: ldap_first_entry(): supplied argument is not a valid ldap result resource in /moodle/auth/ldap/auth.php on line 1388

      Not sure what impact this will have on other LDAP authentication schemes. It should probably be wrapped with a test for selection of MS Active Directory as source.


          Activity

          thowden Tony Howden added a comment -

          Just checked against latest daily build 1.8.2+ 21st August 2007

          Without the ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0); I get errors:

          Warning: ldap_search(): Search: Operations error in /moodle182/auth/ldap/auth.php on line 1403

          Warning: ldap_first_entry(): supplied argument is not a valid ldap result resource in /moodle182/auth/ldap/auth.php on line 1411

          With the ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0); it works.

          skodak Petr Skoda added a comment -

          Iñaki, could you please check it out? I do not have an AD test setup here.

          iarenaza Iñaki Arenaza added a comment -

          I'll test it in the following hours with an up-to-date 1.8.x setup, but I've never needed this with any previous version, and I don't see that anything has changed in that area in 1.8.

          I suspect it has something to do with a multi-domain AD setup, where the LDAP server Tony is using is sending referrals to some other DCs for a given subdomain.

          Anyway, I'll test it in my single-domain AD setup and see what I get.

          Saludos. Iñaki.

          iarenaza Iñaki Arenaza added a comment -

          I've been unable to reproduce the error here on my test setup:

          • Moodle 1.8.2+ (2007021520)
          • Debian etch, with PHP 4.4.4 (package version 4.4.4-8+etch4), and OpenLDAP 2.1.30 libraries (package version 2.1.30-13.3)
          • Windows 2003 (without SP1 or SR1, running in W2003 domain functional level). I've tested both a single forest/single domain setup and a single forest/multidomain setup (a top domain and one subdomain), using a single DC per domain.
          • I've used ou=Moodle,dc=domain,dc=org (and ou=Moodle,dc=subdom,dc=domain,dc=org) as the contexts for Moodle users.

          On the single forest/single domain setup everything works as expected, both querying the GC service (port 3268) and the normal DC service (port 389).

          On the single forest/multidomain setup, if I configure Moodle to query the Global Catalog (running on the top domain DC) everything works as expected. If I use the top domain DC as a regular DC, then the users of that domain are able to log in normally and the users of the subdomain can't (quite normal, as the non-GC DCs only know about their own domain data). Much the same if I query the subdomain DC (the set of users that can log in is reversed, of course).

          But I don't get the error in any case. Maybe this can be related to the specific setup of the AD forest/domains and/or the Moodle configuration of Tony's setup.

          In any case, adding that option just for the 'ad' case won't hurt. I've seen several references to it being necessary when you query AD on W2003. So adding something like the attached patch should do it.

          Saludos. Iñaki.

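          The connect-and-search path that the description and the comment above discuss, written out as an added example (this is not Moodle's own auth/ldap code, and the function names ad_ldap_connect() / ad_ldap_find_user(), the $config keys and the sample values are assumptions made for illustration). It applies the MDL-10921 fix only when the directory type is 'ad', as the committed patch does, and it checks the return value of every ldap_* call so that a failed ldap_search() is logged instead of being passed on to ldap_first_entry(), which is where the second warning in the report comes from. A common cause of the "Operations error" is that libldap chases the referrals AD returns for other naming contexts with a fresh, unauthenticated bind that AD refuses; switching referral chasing off keeps the search on the authenticated connection. ldap_escape() needs PHP 5.6 or later, so on the PHP 4 setups of the era the filter would have to be escaped by hand.

```php
<?php
// Added example, not Moodle code. Assumed $config keys: host_url, version,
// user_type, bind_dn, bind_pw, contexts, user_attribute.

function ad_ldap_connect(array $config)
{
    $conn = ldap_connect($config['host_url']);
    if ($conn === false) {
        throw new RuntimeException('ldap_connect() rejected URI ' . $config['host_url']);
    }

    // AD needs LDAPv3; fall back to 3 when the setting is empty.
    $version = !empty($config['version']) ? (int) $config['version'] : 3;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, $version);

    // MDL-10921: AD hands back referrals for other naming contexts (child
    // domains, DomainDnsZones, ...). libldap would chase them on a new,
    // unauthenticated connection, which AD rejects as "Operations error".
    // Only AD is known to need this, so guard on the directory type.
    if ($config['user_type'] === 'ad') {
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    }

    $bound = empty($config['bind_dn'])
        ? ldap_bind($conn)                                           // anonymous bind
        : ldap_bind($conn, $config['bind_dn'], $config['bind_pw']);  // search user
    if (!$bound) {
        $err = ldap_error($conn);
        ldap_unbind($conn);
        throw new RuntimeException('LDAP bind failed: ' . $err);
    }
    return $conn;
}

function ad_ldap_find_user($conn, array $config, $username)
{
    // Escape the user-supplied value; never interpolate it raw into a filter.
    $filter = '(' . $config['user_attribute'] . '='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';

    foreach ($config['contexts'] as $context) {
        $result = ldap_search($conn, $context, $filter, array('dn'));
        if ($result === false) {
            // The original code did not take this branch: it passed the
            // false result straight to ldap_first_entry().
            error_log('ldap_search(' . $context . ') failed: ' . ldap_error($conn));
            continue;
        }
        if (ldap_count_entries($conn, $result) === 1) {
            $entry = ldap_first_entry($conn, $result);
            return ldap_get_dn($conn, $entry);   // the user's DN for the later bind
        }
    }
    return null;   // not found (or ambiguous) in any configured context
}

// Constructed sample configuration; the host and DNs are placeholders.
$config = array(
    'host_url'       => 'ldap://dc1.domain.org:3268',  // GC port, see note below
    'version'        => 3,
    'user_type'      => 'ad',
    'bind_dn'        => 'cn=moodle-search,ou=Service,dc=domain,dc=org',
    'bind_pw'        => 'change-me',
    'contexts'       => array('ou=Moodle,dc=domain,dc=org', 'ou=Moodle,dc=subdom,dc=domain,dc=org'),
    'user_attribute' => 'sAMAccountName',
);

$conn = ad_ldap_connect($config);
var_dump(ad_ldap_find_user($conn, $config, 'jdoe'));
ldap_unbind($conn);
```

          Two practical consequences follow from the test results reported above. With referral chasing off, a non-GC DC only answers for its own domain, so a multi-domain forest should point Moodle at the Global Catalog (port 3268) if users from more than one domain need to log in. And turning referral chasing off is the safer default in any case: with it on, the library decides on its own which host to contact next, which is not something a login path should leave to the directory's replies.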
          skodak Petr Skoda added a comment -

          committed into CVS, thanks for the report+review+patch

          iarenaza Iñaki Arenaza added a comment -

          I've backported the fix to 1.7.2+, as a couple of people asked for it in the forums (and was a trivial fix anyway).

          Saludos. Iñaki.

          skodak Petr Skoda added a comment -

          thanks

          ppollet Patrick Pollet added a comment -

          The backport to Moodle 1.7x raises a fatal error in auth_ldap_connect() ;-((

          PHP Fatal error: Using $this when not in object context in /var/www/html/moodle173/auth/ldap/lib.php on line 1453

          // Fix MDL-10921
          if ($this->config->user_type == 'ad') {
              ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0);
          }

          it should be

          // Fix MDL-10921
          if ($CFG->ldap_user_type == 'ad') {
              ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0);
          }
          iarenaza Iñaki Arenaza added a comment -

          You are 100% right Patrick. My bad.

          I have just fixed it in CVS. Thanks for the report and the proposed patch!

          Saludos. Iñaki.


              Dates

              • Fix Release Date: 11/Oct/07