Moodle tracker: MDL-10921

LDAP Auth to Active Directory requires LDAP_OPT_REFERRALS option set

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8, 1.8.1, 1.8.2
    • Fix Version/s: 1.7.3, 1.8.3, 1.9
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      Moodle on LAMP with Active Directory as Authentication source
    • Affected Branches:
      MOODLE_18_STABLE
    • Fixed Branches:
      MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE
    • Rank:
      28691

      Description

      inserting

      ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0);

      around line 1315 like this:

      if (!empty($this->config->version)) {
          ldap_set_option($connresult, LDAP_OPT_PROTOCOL_VERSION, $this->config->version);
      }

      ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0);

      if (!empty($binddn)) {
          //bind with search-user

      Without this option being set, the following errors will occur (you need to have debug messages turned on to see this):

      Warning: ldap_search(): Search: Operations error in /moodle/auth/ldap/auth.php on line 1380

      Warning: ldap_first_entry(): supplied argument is not a valid ldap result resource in /moodle/auth/ldap/auth.php on line 1388

      Not sure what impact this will have on other LDAP authentication schemes. It should probably be wrapped with a test for selection of MS Active Directory as source.

        Activity

        Tony Howden added a comment -

        Just checked against latest daily build 1.8.2+ 21st August 2007

        Without the ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0); I get errors:

        Warning: ldap_search(): Search: Operations error in /moodle182/auth/ldap/auth.php on line 1403

        Warning: ldap_first_entry(): supplied argument is not a valid ldap result resource in /moodle182/auth/ldap/auth.php on line 1411

        With the ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0); it works.

        Petr Škoda added a comment -

        Iñaki, could you please check it out? I do not have AD test setup here

        Iñaki Arenaza added a comment -

        I'll test it in the following hours with an up to date 1.8.x setup, but I've never needed this with any previous version, and I don't see anything has changed in that area in 1.8.

        I suspect it has something to do with a multi-domain AD setup, where the LDAP server Tony is using is sending referrals to some other DCs for a given subdomain.

        Anyway, I'll test it in my single domain AD setup and see what I get.

        Saludos. Iñaki.

        Iñaki Arenaza added a comment -

        I've been unable to reproduce the error here on my test setup:

        • Moodle 1.8.2+ (2007021520)
        • Debian etch, with PHP 4.4.4 (package version 4.4.4-8+etch4), and
          OpenLDAP 2.1.30 libraries (package version 2.1.30-13.3 )
        • Windows 2003 (without SP1 or SR1, running in W2003 domain functional
          level). I've tested both a single forest/single domain setup and
          single forest/multidomain setup (a top domain and one subdomain),
          using a single DC per domain.
        • I've used ou=Moodle,dc=domain,dc=org (and ou=Moodle,dc=subdom,
          dc=domain,dc=org) as the contexts for Moodle users.

        On the single forest/single domain setup everything works as expected,
        both querying the GC service (port 3268) and the normal DC service
        (port 389).

        On the single forest/multidomain setup, if I configure Moodle to
        query the Global Catalog (running on the top domain DC) everything
        works as expected. If I use the top domain DC as a regular DC, then
        the users of that domain are able to login normally and the users of
        the subdomain can't (quite normal, as the non-GC DCs only know about
        their own domain data). Much the same if I query the subdomain DC (the
        set of users that can login is reversed, of course).

        But I don't get the error in any case. Maybe this can be related to
        the specific setup of the AD forest/domains and/or Moodle
        configuration of Tony's setup.

        In any case, adding that option just for the 'ad' case won't
        hurt. I've seen several references to it being necessary when you
        query AD on W2003. So adding something like the attached patch should
        do it.

        Saludos. Iñaki.

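        The fix discussed in the description and in the comment above, as an added PHP example that is not Moodle's own code: referral chasing is disabled only for the 'ad' user type, and the search result is checked before it reaches ldap_first_entry(). It assumes PHP 7+, a hypothetical bind account and base DN, and that accounts are matched on sAMAccountName.

```php
<?php
// Added example (not Moodle's own code). Connects the way the MDL-10921 fix
// does: disables referral chasing only for the 'ad' user type and fails
// closed on a bad search result instead of passing it to ldap_first_entry().
function ldap_connect_for_moodle(string $host, int $port, string $userType,
                                 string $bindDn, string $bindPw, int $version = 3)
{
    $conn = ldap_connect("ldap://$host:$port");
    if ($conn === false) {
        throw new RuntimeException("Cannot initialise LDAP for $host:$port");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, $version);
    // Active Directory commonly answers a subtree search on port 389 with
    // referrals to other naming contexts. With chasing on, libldap follows them
    // over a fresh, unauthenticated connection that AD rejects, so the whole
    // search fails with "Operations error" (the first warning in the report).
    if ($userType === 'ad') {
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    }
    if (!ldap_bind($conn, $bindDn, $bindPw)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

function ldap_find_user_dn($conn, string $base, string $username)
{
    // Escape the username so it cannot change the structure of the filter.
    // Assumption: accounts are matched on sAMAccountName.
    $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_search($conn, $base, $filter, ['dn']);
    // Check the result first: the second warning in the report comes from
    // handing a failed (false) search result to ldap_first_entry().
    if ($result === false) {
        throw new RuntimeException(sprintf('Search failed (%d): %s',
            ldap_errno($conn), ldap_error($conn)));
    }
    $entry = ldap_first_entry($conn, $result);
    return $entry === false ? null : ldap_get_dn($conn, $entry);
}

// Constructed placeholder values; replace with your own directory's.
$conn = ldap_connect_for_moodle('dc1.example.test', 389, 'ad',
    'cn=moodle-bind,ou=Moodle,dc=example,dc=test', 'BIND_PASSWORD_PLACEHOLDER');
var_dump(ldap_find_user_dn($conn, 'ou=Moodle,dc=example,dc=test', 'jdoe'));
ldap_unbind($conn);
```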
        Petr Škoda added a comment -

        committed into CVS, thanks for the report+review+patch

        Iñaki Arenaza added a comment -

        I've backported the fix to 1.7.2+, as a couple of people asked for it in the forums (and was a trivial fix anyway).

        Saludos. Iñaki.

        Petr Škoda added a comment -

        thanks

        Patrick Pollet added a comment -

        The backport to Moodle 1.7x raises a fatal error in auth_ldap_connect() ;-((

        PHP Fatal error: Using $this when not in object context in /var/www/html/moodle173/auth/ldap/lib.php on line 1453

        // Fix MDL-10921
        if ($this->config->user_type == 'ad') {
            ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0);
        }

        it should be

        // Fix MDL-10921
        if ($CFG->ldap_user_type == 'ad') {
            ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0);
        }
        Iñaki Arenaza added a comment -

        You are 100% right Patrick. My bad.

        I have just fixed it in CVS. Thanks for the report and the proposed patch!

        Saludos. Iñaki.


          People

          • Votes: 0
          • Watchers: 2
