diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php
index f03372f3154..3dc9b7258ba 100644
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -468,6 +468,16 @@ class auth_plugin_ldap extends auth_plugin_base {
print_error('auth_ldap_ad_create_req', 'auth_ldap');
}
+ // Add the user to the default group (if configured)
+ if (!empty($this->config->create_default_group)) {
+ $groupinfo['member'] = $userdn;
+ if (!ldap_mod_add($ldapconnection, $this->config->create_default_group, $groupinfo)) {
+ // Something went wrong: delete the user account and error out
+ ldap_delete ($ldapconnection, $userdn);
+ print_error('auth_ldap_ad_create_req', 'auth_ldap');
+ }
+ }
+
// Now set the password
unset($newuser);
$newuser['unicodePwd'] = mb_convert_encoding('"' . $extpassword . '"',
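Review bot: `$groupinfo` is written by index in the added block without being initialised, so anything the variable already holds earlier in the method (not visible in this hunk) would be sent to the directory along with `member`; build it in one step with `$groupinfo = ['member' => $userdn];`. The rollback also ignores the result of `ldap_delete()` and reuses the `auth_ldap_ad_create_req` message, so a failed group add looks the same as the earlier creation failure, and a failed delete silently leaves an account behind in the directory. A dedicated language string, plus a `debugging(ldap_error($ldapconnection));` call before the rollback, would make both cases diagnosable. The enclosing method starts and ends outside the hunk.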
diff --git a/auth/ldap/lang/en/auth_ldap.php b/auth/ldap/lang/en/auth_ldap.php
index 5ed9e14da93..1b31666531d 100644
--- a/auth/ldap/lang/en/auth_ldap.php
+++ b/auth/ldap/lang/en/auth_ldap.php
@@ -35,6 +35,8 @@ $string['auth_ldap_contexts'] = 'List of contexts where users are located. Separ
$string['auth_ldap_contexts_key'] = 'Contexts';
$string['auth_ldap_create_context'] = 'If you enable user creation with email confirmation, specify the context where users are created. This context should be different from other users to prevent security issues. You don\'t need to add this context to ldap_context-variable, Moodle will search for users from this context automatically.<br /><b>Note!</b> You have to modify the method user_create() in file auth/ldap/auth.php to make user creation work';
$string['auth_ldap_create_context_key'] = 'Context for new users';
+$string['auth_ldap_create_default_group'] = 'If you enable user creation with email confirmation, you can specify the default group to which created users will belong to. You need to specify the distinguished name of the group (e.g, cn=my-special-group,cn=users,dc=my-domain,dc=local). This only works for Microsoft Active Directory LDAP servers.';
+$string['auth_ldap_create_default_group_key'] = 'Default group for new users';
$string['auth_ldap_create_error'] = 'Error creating user in LDAP.';
$string['auth_ldapdescription'] = 'This method provides authentication against an external LDAP server. If the given username and password are valid, Moodle creates a new user entry in its database. This plugin can read user attributes from LDAP and prefill wanted fields in Moodle. For following logins only the username and password are checked.';
$string['auth_ldap_expiration_desc'] = 'Select \'{$a->no}\' to disable expired password checking or \'{$a->ldapserver}\' to read the password expiry time directly from the LDAP server.';
diff --git a/auth/ldap/settings.php b/auth/ldap/settings.php
index d72aed77ac1..cf007df9216 100644
--- a/auth/ldap/settings.php
+++ b/auth/ldap/settings.php
@@ -238,6 +238,11 @@ if ($ADMIN->fulltree) {
get_string('auth_ldap_create_context_key', 'auth_ldap'),
get_string('auth_ldap_create_context', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
+ // Default group for new users.
+ $settings->add(new admin_setting_configtext('auth_ldap/create_default_group',
+ get_string('auth_ldap_create_default_group_key', 'auth_ldap'),
+ get_string('auth_ldap_create_default_group', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
+
// System roles mapping header.
$settings->add(new admin_setting_heading('auth_ldap/systemrolemapping',
new lang_string('systemrolemapping', 'auth_ldap'), ''));
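Review bot: The new `create_default_group` value is accepted as `PARAM_RAW_TRIMMED` with no check that it is a well-formed DN, and auth.php passes it unchanged to `ldap_mod_add()`, so a mistyped value only surfaces when a signup fails and the new account is rolled back. Because this setting decides which directory group every self-registered account joins, the code should carry a comment such as `// Must name a low-privilege group: every self-registered account is added to it.`, and the `auth_ldap_create_default_group` help string should repeat that caveat, as the neighbouring creation-context string already does for its own security note. The help text says the feature works only with Active Directory, yet the setting is added unconditionally here; whether other server types ignore it depends on code outside this hunk.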