
update_user_record() usage of stripslashes() breaks LDAP authentication/enrolment with certain configurations



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.9.5
    • Fix Version/s: 1.9.6
    • Component/s: Authentication, Enrolments
    • Environment:
      MS Active Directory as the LDAP backend (mainly, but not only)


      When using LDAP as the authentication source and we map the distinguished name on one of the user attributes (usually the ID Number) and this mapping is configured to update the value on each login, if the distinguished name contains a '\' character (the quote character in LDAP distinguished names), update_user_record() mangles the value as it calls stripslashes() before calling addslashes() to store the value.

      If this mapped value is later used for enrolment (a typical scenario) Moodle unenrols the user from the courses, as it doesn't match what comes back from the LDAP enrolment server.

      So we need to keep update_user_record() from mangling the value. All the values processed by update_user_record() come from the external authentication sub-systems (external db, ldap server, cas server, etc.) via get_userinfo(), and the convention is that this function returns the data with no magic quotes.

      I discussed this issue with Petr and Eloy in the developer chat and given that no contrib plugin provides get_userinfo(), we agreed that we can simply remove the call to stripslashes().

      But this is just the first step. In order to be able to use a distinguished name with '\' (and other LDAP special characters) in an LDAP filter to find the user enrolments, we need to quote it using the LDAP filter quoting rules. Now that we are at it, I've also updated ldap_addslashes() to deal with all the special characters specified in the latest RFC.

      If this was not enough, MS Active Directory doesn't return the distinguished name as the 'dn' attribute, but as 'distinguishedName', so we need to take that into account too.

      The patch is only for 1.9, as I plan to refactor LDAP authentication and enrolment in 2.0 (I have it nearly ready, and it includes the same functionality of this patch).
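The following is an added illustration, not code from the Moodle patch or from the reporter: it shows why stripslashes() corrupts a DN that contains a backslash, how a DN value should be escaped before being placed in an LDAP search filter (the RFC 4515 rules the description refers to), and how to read the DN from an entry whether the server exposes it as 'dn' or as 'distinguishedName'. The helper names (ldap_filter_escape_example, entry_dn_example, enrolment_filter_example) and the sample DN and entries are constructed for this example; Moodle's own function is called ldap_addslashes() and its exact implementation is not reproduced here.

```php
<?php
// Added example (not Moodle's code). Demonstrates the three points of MDL-19672:
// 1. stripslashes() destroys backslashes in an LDAP distinguished name.
// 2. DN values must be escaped with LDAP filter rules (RFC 4515), not PHP addslashes().
// 3. Active Directory may expose the DN as 'distinguishedName' rather than 'dn'.

// Escape a value for use inside an LDAP search filter, per RFC 4515 section 3.
// Hypothetical name; this is the idea behind Moodle's ldap_addslashes().
function ldap_filter_escape_example(string $value): string {
    // Each special character becomes a backslash followed by two hex digits.
    // strtr() with an array replaces in a single pass, so the backslash
    // entry is never re-escaped by the other entries.
    $map = [
        '\\'   => '\5c',   // backslash
        '*'    => '\2a',   // asterisk (wildcard)
        '('    => '\28',   // left parenthesis
        ')'    => '\29',   // right parenthesis
        "\x00" => '\00',   // NUL
    ];
    return strtr($value, $map);
}

// Build an enrolment lookup filter for a given user DN (hypothetical attribute
// name 'memberOf'; a real deployment uses the configured member attribute).
function enrolment_filter_example(string $userdn): string {
    return '(memberOf=' . ldap_filter_escape_example($userdn) . ')';
}

// Return the DN of an entry as returned by ldap_get_entries()-style arrays.
// OpenLDAP-style servers supply 'dn' directly; MS Active Directory supplies
// 'distinguishedName' (keys are lowercased by PHP's LDAP extension).
function entry_dn_example(array $entry): ?string {
    if (!empty($entry['dn'])) {
        return $entry['dn'];
    }
    if (!empty($entry['distinguishedname'][0])) {
        return $entry['distinguishedname'][0];
    }
    return null;
}

// Constructed sample DN: the RDN contains a comma, which RFC 4514 requires to
// be escaped with a backslash inside the DN itself.
$dn = 'CN=Doe\, John,OU=Staff,DC=example,DC=com';

// What the old update_user_record() did before storing the value.
$mangled = stripslashes($dn);

printf("DN from LDAP      : %s\n", $dn);
printf("after stripslashes: %s\n", $mangled);
printf("still equal?      : %s\n", $mangled === $dn ? 'yes' : 'no');
printf("enrolment filter  : %s\n", enrolment_filter_example($dn));

// Constructed sample entries: one OpenLDAP-style, one Active Directory-style.
$openldapEntry = ['dn' => $dn, 'cn' => [0 => 'Doe, John']];
$adEntry       = ['distinguishedname' => [0 => $dn], 'cn' => [0 => 'Doe, John']];

printf("OpenLDAP entry DN : %s\n", entry_dn_example($openldapEntry));
printf("AD entry DN       : %s\n", entry_dn_example($adEntry));
```

Running this shows the failure mode in the description: stripslashes() removes the backslash that protects the comma, so the stored ID Number no longer matches what the LDAP server returns and the enrolment lookup fails. The filter built by enrolment_filter_example() keeps the backslash by encoding it as \5c, which is the only form an LDAP server will parse correctly inside a filter; PHP's addslashes()/stripslashes() pair was designed for magic_quotes handling of SQL input and is not a substitute for LDAP escaping.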


              iarenaza Iñaki Arenaza