Moodle: MDL-47004

LDAP defaults the AD objectClass to "user", not the best default conf


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.7.1, 2.9
    • Fix Version/s: 2.9
    • Component/s: Authentication
    • Labels:
    • Testing Instructions:

      (difficulty: hard, requires an Active Directory - including a new computer to be joined to the Windows domain - to be configured in two separate Moodle instances)

      Instance #1. Before applying the patch, with LDAP already enabled

      1. Configure Moodle LDAP auth with the default values, pointing to an Active Directory containing both users and computers, and enable it.
      2. Configure CLI sync (sync_users.php) and confirm that the sync imports Computer accounts too.
      3. Apply the patch and add a new computer to AD: the new Computer account will still be imported during the sync.

      Instance #2. After applying the patch, without ever having enabled LDAP

      1. Configure Moodle LDAP auth with the default values, pointing to an Active Directory containing both users and computers, and enable it.
      2. Configure CLI sync (sync_users.php) and confirm that the sync does not import Computer accounts.
    • Affected Branches:
      MOODLE_27_STABLE, MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      m29_MDL-47004_LDAP_Better_Default_ObjectClass

      Description

      The objectClass provided by default for Active Directory is user, https://github.com/moodle/moodle/blob/deae60239d70880053ae271a573c782880eb9bb2/lib/ldaplib.php#L67.

      This default choice, combined with using auth/ldap/cli/sync_users.php, leads to syncing the computer objects too.
      The best selector for user objects is (sAMAccountType=805306368), while someone could argue that we should also exclude the disabled accounts via (!(userAccountControl=514)).

      My proposal is to default the AD choice to (sAMAccountType=805306368), at least in master: this will help beginners have a smarter AD default configuration.

      Note: I'm available to create the PR(s) once the improvement and how to proceed are agreed.
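A worked illustration of the selectors discussed in this issue, added here and not taken from Moodle or from the reporter: it applies (objectClass=user), (sAMAccountType=805306368) and the two ways of excluding disabled accounts to constructed AD-style entries. The bitwise form using LDAP_MATCHING_RULE_BIT_AND is an assumption beyond the issue text, and the entries and their names are made up.

```python
# Added example, not Moodle's own code: evaluates the AD "user" selectors
# discussed in this issue against constructed directory entries.  The
# attribute values are the documented AD constants; the entries are made up.

ACCOUNTDISABLE = 0x2                 # userAccountControl bit for a disabled account
SAM_NORMAL_USER_ACCOUNT = 805306368  # sAMAccountType of an ordinary user
SAM_MACHINE_ACCOUNT = 805306369      # sAMAccountType of a computer account

# Constructed sample entries shaped like AD search results.
ENTRIES = [
    {"sAMAccountName": "alice",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 512},
    {"sAMAccountName": "bob",      # disabled: NORMAL_ACCOUNT | ACCOUNTDISABLE
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 514},
    {"sAMAccountName": "carol",    # disabled AND DONT_EXPIRE_PASSWORD (65536)
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 66050},
    {"sAMAccountName": "WKSTN01$",  # a joined computer: also objectClass=user
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountType": SAM_MACHINE_ACCOUNT, "userAccountControl": 4096},
]

# (objectClass=user): Moodle's current AD default; matches computers too.
def by_objectclass_user(e):
    return "user" in e["objectClass"]

# (sAMAccountType=805306368): the proposed default; only ordinary users.
def by_samaccounttype_user(e):
    return e["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT

# (!(userAccountControl=514)): equality only catches the exact value 514.
def not_disabled_by_equality(e):
    return e["userAccountControl"] != 514

# (!(userAccountControl:1.2.840.113556.1.4.803:=2)): the LDAP_MATCHING_RULE_BIT_AND
# form tests the ACCOUNTDISABLE bit whatever other flags are set.
def not_disabled_by_bit(e):
    return not e["userAccountControl"] & ACCOUNTDISABLE

def select(entries, *predicates):
    """Names of the entries every predicate accepts, in directory order."""
    return [e["sAMAccountName"] for e in entries if all(p(e) for p in predicates)]

if __name__ == "__main__":
    print("objectClass=user        :", select(ENTRIES, by_objectclass_user))
    print("sAMAccountType user     :", select(ENTRIES, by_samaccounttype_user))
    print("... and not UAC=514     :", select(ENTRIES, by_samaccounttype_user, not_disabled_by_equality))
    print("... and not disabled bit:", select(ENTRIES, by_samaccounttype_user, not_disabled_by_bit))
```

The run shows the computer account passing the objectClass selector but not the sAMAccountType one, and the equality test on 514 letting the disabled "carol" through while the bit test excludes her.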

    Dates

    • Fix Release Date: 11/May/15