[MDL-47004] LDAP defaults the AD objectClass to "user", not the best default conf - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.7.1, 2.9
Fix Version/s: 2.9
Component/s: Authentication
Labels:
- ci
- triaged

Affected Branches:
MOODLE_27_STABLE, MOODLE_29_STABLE
Fixed Branches:
MOODLE_29_STABLE
Pull from Repository:
https://github.com/scara/moodle
Pull Master Branch:
m29_~~MDL-47004~~_LDAP_Better_Default_ObjectClass
Pull Master Diff URL:
https://github.com/scara/moodle/commit/6514ced4f5f76c591c0c355a673b907df1473758
Testing Instructions:
Hide

(difficulty: hard, requires an Active Directory - including a new computer to be joined to the Windows domain - to be configured in two separated Moodle instances)

Instance #1. Before applying the patch, w/ having enabled LDAP

Configure Moodle LDAP auth with the default values, pointing to an Active Directory containing both users and computers and enable it.

Configure CLI sync (sync_users.php) and confirm that the sync will import Computer accounts too.

Apply the patch and add a new computer to AD: the new Computer account will be still imported during the sync.

Instance #2. After applying the patch, w/o having ever enabled LDAP

Configure Moodle LDAP auth with the default values, pointing to an Active Directory containing both users and computers and enable it.

Configure CLI sync (sync_users.php) and confirm that the sync will not import Computer accounts too.
Show
(difficulty: hard, requires an Active Directory - including a new computer to be joined to the Windows domain - to be configured in two separated Moodle instances) Instance #1. Before applying the patch, w/ having enabled LDAP Configure Moodle LDAP auth with the default values, pointing to an Active Directory containing both users and computers and enable it. Configure CLI sync ( sync_users.php ) and confirm that the sync will import Computer accounts too. Apply the patch and add a new computer to AD: the new Computer account will be still imported during the sync. Instance #2. After applying the patch, w/o having ever enabled LDAP Configure Moodle LDAP auth with the default values, pointing to an Active Directory containing both users and computers and enable it. Configure CLI sync ( sync_users.php ) and confirm that the sync will not import Computer accounts too.

Description

The objectClass provided by default for Active Directory is user, https://github.com/moodle/moodle/blob/deae60239d70880053ae271a573c782880eb9bb2/lib/ldaplib.php#L67.

This default choice combined with using auth/ldap/cli/sync_users.php drives to sync also the computer objects.
The best selector for user objects is (samAccountType=805306368) while someone could argue that we should exclude the disabled accounts via (!(userAccountControl=514)).

My proposal is to default the AD choice to (sAMAccountType=805306368), at least in master: this will help beginners in having a smarter AD default configuration.

Note: I'm available in creating the PR(s) once agreed on the improvement and on how proceeding.

Attachments

Issue Links

has been marked as being related by

MDL-51723 Users are unenrolled on login under LDAP auth with Active Directory

Closed

Activity

People

Assignee:: Matteo Scaramuccia

Reporter:: Matteo Scaramuccia

Peer reviewer:: Iñaki Arenaza

Integrator:: Dan Poltawski

Tester:: Rajesh Taneja

Participants:: CiBoT, Dan Poltawski, Eloy Lafuente (stronk7), Iñaki Arenaza, Marina Glancy, Martin Dougiamas, Matteo Scaramuccia, Michael de Raadt, Rajesh Taneja

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 28/Aug/14 1:51 PM

Updated:: 16/Oct/15 7:25 AM

Resolved:: 18/Apr/15 3:54 AM

Fix Release Date:: 11/May/15