Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-50625

LDAP user synchronisation and enrolment insists on using page control

XMLWordPrintable

    • MOODLE_29_STABLE
    • MOODLE_31_STABLE, MOODLE_32_STABLE
    • wip_master_mdl-50625_ldap_better_check_paged_results_support
    • Hide

      Pre-requisites: you need to have at least two LDAP servers available: one that supports Paged Results (e.g., OpenLDAP or MS Active Directory), and another one that doesn't (e.g. Sun Directory Server 6.x or Apache DS 1.5.x or earlier)

      For the following tests to succedd, you need to configure your LDAP server to also accept LDAP version 2 connections (not all of them do by default). Ideally for these tests, you should configure your server so it has more users to sync than the maximum amount of entries to return when not using paged results. If you are using OpenLDAP, you can configure the following settings in your OpenLDAP database (means 5 entries as a soft limit without paged results, 10 as a hard limit without paged results, and unlimited when using paged results)

      olcLimits: * size.soft=5 size.hard=10 size.prtotal=unlimited
      

      Thus, if you have more than 10 users to sync, without using paged results you will only sync the first 10, and miss the rest. For the following test, I'll assume that 10 is the hard limit for the server when not using paged results. If the limit is higher, adjust the test instructions accordingly.

      LDAP auth

      First we will test with a LDAP server that supports Paged Results.

      1. Make sure you have the LDAP authentication plugin enabled.
      2. Go to the LDAP authentication plugin settings page and remove any pre-existing settings. Save the changes.
      3. Go to the LDAP authentication plugin settings page again. A text box stating that paged results are not supported should be displayed.
      4. Configure the LDAP settings suitable for the LDAP server, using LDAP version 2. Save the changes.
      5. Go to the LDAP authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed.
      6. Execute the LDAP user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally. But only 10 users should be synced.
      7. Change LDAP version setting to 3 and save the changes.
      8. Go to the LDAP authentication plugin settings page again. The text box stating that paged results are not supported should not be displayed.
      9. Execute the LDAP user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally. All the users should be synced.

      Next we will test with a LDAP that doesn't support Paged Results.

      1. Make sure you have the LDAP authentication plugin enabled.
      2. Go to the LDAP authentication plugin settings page and remove any pre-existing settings. Save the changes.
      3. Go to the LDAP authentication plugin settings page again. A text box stating that paged results are not supported should be displayed.
      4. Configure the LDAP settings suitable for the LDAP server, using LDAP version 2. Save the changes.
      5. Go to the LDAP authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed.
      6. Execute the LDAP user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally, but only 10 users should be synced.
      7. Change LDAP version setting to 3 and save the changes.
      8. Go to the LDAP authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed.
      9. Execute the LDAP user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally. But only 10 users should be synced this time.

      CAS auth

      CAS has the same settings as LDAP and you can use the same servers. But you will need to set up a CAS server too.

      1. Launch your CAS server
      2. Enable the CAS auth plugin
      3. Go to settings, and enter information for your CAS server, but not any LDAP settings yet. Remove any LDAP settings if present
      4. Go to the CAS authentication plugin settings page again. A text box stating that paged results are not supported should be displayed.
      5. Configure the LDAP settings suitable for the LDAP server, using LDAP version 2. Save the changes.
      6. Go to the CAS authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed.
      7. Execute the CAS user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally, but only 10 users should be synced.
      8. Go to the CAS authentication plugin settings page again. Change LDAP version setting to 3 and save the changes.
      9. Go to the CAS authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed.
      10. Execute the CAS user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally. But only 10 users should be synced this time.
      Show
      Pre-requisites: you need to have at least two LDAP servers available: one that supports Paged Results (e.g., OpenLDAP or MS Active Directory), and another one that doesn't (e.g. Sun Directory Server 6.x or Apache DS 1.5.x or earlier) For the following tests to succedd, you need to configure your LDAP server to also accept LDAP version 2 connections (not all of them do by default). Ideally for these tests, you should configure your server so it has more users to sync than the maximum amount of entries to return when not using paged results. If you are using OpenLDAP, you can configure the following settings in your OpenLDAP database (means 5 entries as a soft limit without paged results, 10 as a hard limit without paged results, and unlimited when using paged results) olcLimits: * size.soft=5 size.hard=10 size.prtotal=unlimited Thus, if you have more than 10 users to sync, without using paged results you will only sync the first 10, and miss the rest. For the following test, I'll assume that 10 is the hard limit for the server when not using paged results. If the limit is higher, adjust the test instructions accordingly. LDAP auth First we will test with a LDAP server that supports Paged Results. Make sure you have the LDAP authentication plugin enabled. Go to the LDAP authentication plugin settings page and remove any pre-existing settings. Save the changes. Go to the LDAP authentication plugin settings page again. A text box stating that paged results are not supported should be displayed. Configure the LDAP settings suitable for the LDAP server, using LDAP version 2. Save the changes. Go to the LDAP authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed. Execute the LDAP user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally. But only 10 users should be synced. Change LDAP version setting to 3 and save the changes. Go to the LDAP authentication plugin settings page again. The text box stating that paged results are not supported should not be displayed. Execute the LDAP user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally. All the users should be synced. Next we will test with a LDAP that doesn't support Paged Results. Make sure you have the LDAP authentication plugin enabled. Go to the LDAP authentication plugin settings page and remove any pre-existing settings. Save the changes. Go to the LDAP authentication plugin settings page again. A text box stating that paged results are not supported should be displayed. Configure the LDAP settings suitable for the LDAP server, using LDAP version 2. Save the changes. Go to the LDAP authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed. Execute the LDAP user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally, but only 10 users should be synced. Change LDAP version setting to 3 and save the changes. Go to the LDAP authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed. Execute the LDAP user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally. But only 10 users should be synced this time. CAS auth CAS has the same settings as LDAP and you can use the same servers. But you will need to set up a CAS server too. Launch your CAS server Enable the CAS auth plugin Go to settings, and enter information for your CAS server, but not any LDAP settings yet. Remove any LDAP settings if present Go to the CAS authentication plugin settings page again. A text box stating that paged results are not supported should be displayed. Configure the LDAP settings suitable for the LDAP server, using LDAP version 2. Save the changes. Go to the CAS authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed. Execute the CAS user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally, but only 10 users should be synced. Go to the CAS authentication plugin settings page again. Change LDAP version setting to 3 and save the changes. Go to the CAS authentication plugin settings page again. The text box stating that paged results are not supported should still be displayed. Execute the CAS user sync task. There shouldn't be any errors related to missing critical controls or similar error messsages, and the user sync should proceed normally. But only 10 users should be synced this time.

      The LDAP synchronisation scripts for users and enrolments (i.e. auth/ldap/cli/sync_users.php and enrol/ldap/cli/sync.php) use LDAP pagination control (page size). As far as I can tell this functionality is an extension to LDAPv3, not mandatory. If the LDAP server does not support this extension when you try to do the search you get the error "Critical extension is unavailable". Note that this error occurs on the call to PHP function ldap_list() or ldap_search() not the call to ldap_control_paged_result().

      The LDAP enrolment plugin allows you to set a blank value for page size (enrol_ldap | pagesize). This causes the PHP function ldap_control_paged_result() to generate a warning and not send the pagination control request with the result that the LDAP query succeeds.

      However, the LDAP authentication plugin does not allow a blank value (it's changed to 0) with the result that the ldap_control_paged_result() call works and the LDAP query consequently fails.

      I suggest that this is a bug as Moodle is asserting that page control must be present if the server is LDAPv3 (see /lib/ldaplib.php:ldap_paged_results_supported()) whereas RFC-2696 says this is an extension to LDAPv3 making this an invalid assumption.

      I think that both enrolment and authentication plugins should allow a blank value for page size and not call ldap_control_paged_result() if the value is empty.

            iarenaza Iñaki Arenaza
            leonstr Leon Stringer
            John Okely John Okely
            Dan Poltawski Dan Poltawski
            Rajesh Taneja Rajesh Taneja
            Votes:
            4 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.