Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-43430

LDAP Enrolments are lost when user is a member of a group that contains parenthesis in it's name. Enrolmenrs are reinstated running ldap_sync.php cli script

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.1, 2.5.4, 2.6, 2.6.5, 2.7.2
    • Fix Version/s: 2.6.6, 2.7.3
    • Component/s: Enrolments
    • Labels:
    • Environment:
      You need a LDAP server that has nested groups support. 99.9 % of the time this is Active Directory (Novell eDirectory also supports nested groups, but I haven't seen anyone using that feature).
    • Database:
      Any
    • Testing Instructions:
      Hide
      1. Enable and configure LDAP authentication
      2. Create and configure a test user in the LDAP server.
      3. Enable and configure LDAP enrolment with nested groups support.
      4. In your LDAP server create a group with parenthesis in the name. Let's call this group "GroupA". Add the test user to it. This group doesn't have to be created inside one of the contexts used for LDAP enrolments (though it can).
      5. Create a second LDAP group (with or without parenthesis in the name). Let's call this group "GroupB", and add the first group as a member to this one. Add only the first group, not the user itself. This second group must to be created inside one of the contexts used for LDAP enrolments.
      6. Create a third LDAP group without parenthesis in the name. Let's call this group "GroupC", and add the test user as a member of this group. This third group must to be created inside one of the contexts used for LDAP enrolments.
      7. Run the auth/ldap/cli/sync_users.php script (or log in interactively with that user, then log out) to make sure the user is created in Moodle if she didn't exist before.
      8. Either configure the LDAP enrolment plugin to auto-create courses, or make sure the courses corresponding to "GroupB" and "GroupC" already exist.
      9. Run the enrol/ldap/cli/sync.php script to create/update the user enrolments.
      10. Verify that the user is enroled in the two courses corresponding to groups "GroupB" and "GroupC".
      11. Without applying the patch, log in with the test user. It should have been unenroled from "GroupB" and "GroupC".
      12. Log out and apply the patch.
      13. Run the enrol/ldap/cli/sync.php script to create/update the user enrolments again. Verify that the user is re-enroled in the two courses corresponding to groups "GroupB" and "GroupC".
      14. Log in with the test user. It should still be enroled in "GroupB" and "GroupC".
      Show
      Enable and configure LDAP authentication Create and configure a test user in the LDAP server. Enable and configure LDAP enrolment with nested groups support. In your LDAP server create a group with parenthesis in the name. Let's call this group "GroupA". Add the test user to it. This group doesn't have to be created inside one of the contexts used for LDAP enrolments (though it can). Create a second LDAP group (with or without parenthesis in the name). Let's call this group "GroupB", and add the first group as a member to this one. Add only the first group, not the user itself. This second group must to be created inside one of the contexts used for LDAP enrolments. Create a third LDAP group without parenthesis in the name. Let's call this group "GroupC", and add the test user as a member of this group. This third group must to be created inside one of the contexts used for LDAP enrolments. Run the auth/ldap/cli/sync_users.php script (or log in interactively with that user, then log out) to make sure the user is created in Moodle if she didn't exist before. Either configure the LDAP enrolment plugin to auto-create courses, or make sure the courses corresponding to "GroupB" and "GroupC" already exist. Run the enrol/ldap/cli/sync.php script to create/update the user enrolments. Verify that the user is enroled in the two courses corresponding to groups "GroupB" and "GroupC". Without applying the patch, log in with the test user. It should have been unenroled from "GroupB" and "GroupC". Log out and apply the patch. Run the enrol/ldap/cli/sync.php script to create/update the user enrolments again. Verify that the user is re-enroled in the two courses corresponding to groups "GroupB" and "GroupC". Log in with the test user. It should still be enroled in "GroupB" and "GroupC".
    • Affected Branches:
      MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE
    • Fixed Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      wip_master_mdl-43430
    • Pull Master Diff URL:

      Description

      When running the /enrol/ldap/cli/sync.php users are enroled to their correct courses.

      As soon as a user logs on, who is a member of a group with parenthesis in it's name, all LDAP enrolments for that user are lost until the sync.php is run again reinstating the enrolment.

      At present I have ldap enrolment set to never unenrol a user. This however means changes from LDAP are never reflected unless the change is reverted and the script run then set back to keep users.

      I have only recently switched to LDAP enrolment but I know that I am experiencing this issue in 2.5 and 2.6.

      Other users I have spoken to on the forums have indicated that 2.4 is also affected and enrolment with the same settings works in 2.3 I have been unable to verify this though.

      Moodle forum link:

      https://moodle.org/mod/forum/discuss.php?d=241404

      and

      https://moodle.org/mod/forum/discuss.php?d=243785

      My LDAP settings can be seen here:

      http://cdal.co.uk/2013/12/05/moodle-ldap-setup-for-ldap-auto-enrolment/

      I'm pretty sure these are correct as enrolment initiated from the cli works fine but not when a user logs in.

      Inaki gave me some code to run (in the above forum post) which shows that users logging on are seeing nothing returned in the LDAP enrolment. Is there any difference between the cli version of the code and what gets called when a user logs on?

      An example group name that affects all members of the group would be: 'Student Name (Reg Group)'

      Thanks,

      Seb

        Attachments

          Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-47514 LDAP Enrolments with nested groups fails when group names have ldap filter characters

          • Minor - Minor loss of function where workaround is possible
          • Closed

            Activity

              People

              Assignee:
              iarenaza Iñaki Arenaza
              Reporter:
              networkseb Seb Harrington
              Peer reviewer:
              Simey Lameze
              Integrator:
              Damyon Wiese
              Tester:
              Rajesh Taneja
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
              Votes:
              2 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                10/Nov/14