search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'MDL-59169-master' of https://github.com/nwp90/moodle
[moodle.git] / auth / ldap / settings.php
blobf9bc8d9b8f344f02fd11cc1c8a6eaf74bf7da553
1 <?php
2 // This file is part of Moodle - http://moodle.org/
3 //
4 // Moodle is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // Moodle is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License
15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
16
17 /**
18 * Admin settings and defaults.
19 *
20 * @package auth_ldap
21 * @copyright 2017 Stephen Bourget
22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
23 */
24
25 defined('MOODLE_INTERNAL') || die;
26
27 if ($ADMIN->fulltree) {
28
29 if (!function_exists('ldap_connect')) {
30 $settings->add(new admin_setting_heading('auth_ldap_noextension', '', get_string('auth_ldap_noextension', 'auth_ldap')));
31 } else {
32
33 // We use a couple of custom admin settings since we need to massage the data before it is inserted into the DB.
34 require_once($CFG->dirroot.'/auth/ldap/classes/admin_setting_special_lowercase_configtext.php');
35 require_once($CFG->dirroot.'/auth/ldap/classes/admin_setting_special_contexts_configtext.php');
36 require_once($CFG->dirroot.'/auth/ldap/classes/admin_setting_special_ntlm_configtext.php');
37
38 // We need to use some of the Moodle LDAP constants / functions to create the list of options.
39 require_once($CFG->dirroot.'/auth/ldap/auth.php');
40
41 // Introductory explanation.
42 $settings->add(new admin_setting_heading('auth_ldap/pluginname', '',
43 new lang_string('auth_ldapdescription', 'auth_ldap')));
44
45 // LDAP server settings.
46 $settings->add(new admin_setting_heading('auth_ldap/ldapserversettings',
47 new lang_string('auth_ldap_server_settings', 'auth_ldap'), ''));
48
49 // Host.
50 $settings->add(new admin_setting_configtext('auth_ldap/host_url',
51 get_string('auth_ldap_host_url_key', 'auth_ldap'),
52 get_string('auth_ldap_host_url', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
53
54 // Version.
55 $versions = array();
56 $versions[2] = '2';
57 $versions[3] = '3';
58 $settings->add(new admin_setting_configselect('auth_ldap/ldap_version',
59 new lang_string('auth_ldap_version_key', 'auth_ldap'),
60 new lang_string('auth_ldap_version', 'auth_ldap'), 3, $versions));
61
62 // Start TLS.
63 $yesno = array(
64 new lang_string('no'),
65 new lang_string('yes'),
66 );
67 $settings->add(new admin_setting_configselect('auth_ldap/start_tls',
68 new lang_string('start_tls_key', 'auth_ldap'),
69 new lang_string('start_tls', 'auth_ldap'), 0 , $yesno));
70
71
72 // Encoding.
73 $settings->add(new admin_setting_configtext('auth_ldap/ldapencoding',
74 get_string('auth_ldap_ldap_encoding_key', 'auth_ldap'),
75 get_string('auth_ldap_ldap_encoding', 'auth_ldap'), 'utf-8', PARAM_RAW_TRIMMED));
76
77 // Page Size. (Hide if not available).
78 $settings->add(new admin_setting_configtext('auth_ldap/pagesize',
79 get_string('pagesize_key', 'auth_ldap'),
80 get_string('pagesize', 'auth_ldap'), '250', PARAM_INT));
81
82 // Bind settings.
83 $settings->add(new admin_setting_heading('auth_ldap/ldapbindsettings',
84 new lang_string('auth_ldap_bind_settings', 'auth_ldap'), ''));
85
86 // Store Password in DB.
87 $settings->add(new admin_setting_configselect('auth_ldap/preventpassindb',
88 new lang_string('auth_ldap_preventpassindb_key', 'auth_ldap'),
89 new lang_string('auth_ldap_preventpassindb', 'auth_ldap'), 0 , $yesno));
90
91 // User ID.
92 $settings->add(new admin_setting_configtext('auth_ldap/bind_dn',
93 get_string('auth_ldap_bind_dn_key', 'auth_ldap'),
94 get_string('auth_ldap_bind_dn', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
95
96 // Password.
97 $settings->add(new admin_setting_configpasswordunmask('auth_ldap/bind_pw',
98 get_string('auth_ldap_bind_pw_key', 'auth_ldap'),
99 get_string('auth_ldap_bind_pw', 'auth_ldap'), ''));
100
101 // User Lookup settings.
102 $settings->add(new admin_setting_heading('auth_ldap/ldapuserlookup',
103 new lang_string('auth_ldap_user_settings', 'auth_ldap'), ''));
104
105 // User Type.
106 $settings->add(new admin_setting_configselect('auth_ldap/user_type',
107 new lang_string('auth_ldap_user_type_key', 'auth_ldap'),
108 new lang_string('auth_ldap_user_type', 'auth_ldap'), 'default', ldap_supported_usertypes()));
109
110 // Contexts.
111 $settings->add(new auth_ldap_admin_setting_special_contexts_configtext('auth_ldap/contexts',
112 get_string('auth_ldap_contexts_key', 'auth_ldap'),
113 get_string('auth_ldap_contexts', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
114
115 // Search subcontexts.
116 $settings->add(new admin_setting_configselect('auth_ldap/search_sub',
117 new lang_string('auth_ldap_search_sub_key', 'auth_ldap'),
118 new lang_string('auth_ldap_search_sub', 'auth_ldap'), 0 , $yesno));
119
120 // Dereference aliases.
121 $optderef = array();
122 $optderef[LDAP_DEREF_NEVER] = get_string('no');
123 $optderef[LDAP_DEREF_ALWAYS] = get_string('yes');
124
125 $settings->add(new admin_setting_configselect('auth_ldap/opt_deref',
126 new lang_string('auth_ldap_opt_deref_key', 'auth_ldap'),
127 new lang_string('auth_ldap_opt_deref', 'auth_ldap'), LDAP_DEREF_NEVER , $optderef));
128
129 // User attribute.
130 $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/user_attribute',
131 get_string('auth_ldap_user_attribute_key', 'auth_ldap'),
132 get_string('auth_ldap_user_attribute', 'auth_ldap'), '', PARAM_RAW));
133
134 // Suspended attribute.
135 $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/suspended_attribute',
136 get_string('auth_ldap_suspended_attribute_key', 'auth_ldap'),
137 get_string('auth_ldap_suspended_attribute', 'auth_ldap'), '', PARAM_RAW));
138
139 // Member attribute.
140 $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/memberattribute',
141 get_string('auth_ldap_memberattribute_key', 'auth_ldap'),
142 get_string('auth_ldap_memberattribute', 'auth_ldap'), '', PARAM_RAW));
143
144 // Member attribute uses dn.
145 $settings->add(new admin_setting_configtext('auth_ldap/memberattribute_isdn',
146 get_string('auth_ldap_memberattribute_isdn_key', 'auth_ldap'),
147 get_string('auth_ldap_memberattribute_isdn', 'auth_ldap'), '', PARAM_RAW));
148
149 // Object class.
150 $settings->add(new admin_setting_configtext('auth_ldap/objectclass',
151 get_string('auth_ldap_objectclass_key', 'auth_ldap'),
152 get_string('auth_ldap_objectclass', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
153
154 // Force Password change Header.
155 $settings->add(new admin_setting_heading('auth_ldap/ldapforcepasswordchange',
156 new lang_string('forcechangepassword', 'auth'), ''));
157
158 // Force Password change.
159 $settings->add(new admin_setting_configselect('auth_ldap/forcechangepassword',
160 new lang_string('forcechangepassword', 'auth'),
161 new lang_string('forcechangepasswordfirst_help', 'auth'), 0 , $yesno));
162
163 // Standard Password Change.
164 $settings->add(new admin_setting_configselect('auth_ldap/stdchangepassword',
165 new lang_string('stdchangepassword', 'auth'), new lang_string('stdchangepassword_expl', 'auth') .' '.
166 get_string('stdchangepassword_explldap', 'auth'), 0 , $yesno));
167
168 // Password Type.
169 $passtype = array();
170 $passtype['plaintext'] = get_string('plaintext', 'auth');
171 $passtype['md5'] = get_string('md5', 'auth');
172 $passtype['sha1'] = get_string('sha1', 'auth');
173
174 $settings->add(new admin_setting_configselect('auth_ldap/passtype',
175 new lang_string('auth_ldap_passtype_key', 'auth_ldap'),
176 new lang_string('auth_ldap_passtype', 'auth_ldap'), 'plaintext', $passtype));
177
178 // Password change URL.
179 $settings->add(new admin_setting_configtext('auth_ldap/changepasswordurl',
180 get_string('auth_ldap_changepasswordurl_key', 'auth_ldap'),
181 get_string('changepasswordhelp', 'auth'), '', PARAM_URL));
182
183 // Password Expiration Header.
184 $settings->add(new admin_setting_heading('auth_ldap/passwordexpire',
185 new lang_string('auth_ldap_passwdexpire_settings', 'auth_ldap'), ''));
186
187 // Password Expiration.
188
189 // Create the description lang_string object.
190 $strno = get_string('no');
191 $strldapserver = get_string('pluginname', 'auth_ldap');
192 $langobject = new stdClass();
193 $langobject->no = $strno;
194 $langobject->ldapserver = $strldapserver;
195 $description = new lang_string('auth_ldap_expiration_desc', 'auth_ldap', $langobject);
196
197 // Now create the options.
198 $expiration = array();
199 $expiration['0'] = $strno;
200 $expiration['1'] = $strldapserver;
201
202 // Add the setting.
203 $settings->add(new admin_setting_configselect('auth_ldap/expiration',
204 new lang_string('auth_ldap_expiration_key', 'auth_ldap'),
205 $description, 0 , $expiration));
206
207 // Password Expiration warning.
208 $settings->add(new admin_setting_configtext('auth_ldap/expiration_warning',
209 get_string('auth_ldap_expiration_warning_key', 'auth_ldap'),
210 get_string('auth_ldap_expiration_warning_desc', 'auth_ldap'), '', PARAM_RAW));
211
212 // Password Expiration attribute.
213 $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/expireattr',
214 get_string('auth_ldap_expireattr_key', 'auth_ldap'),
215 get_string('auth_ldap_expireattr_desc', 'auth_ldap'), '', PARAM_RAW));
216
217 // Grace Logins.
218 $settings->add(new admin_setting_configselect('auth_ldap/gracelogins',
219 new lang_string('auth_ldap_gracelogins_key', 'auth_ldap'),
220 new lang_string('auth_ldap_gracelogins_desc', 'auth_ldap'), 0 , $yesno));
221
222 // Grace logins attribute.
223 $settings->add(new auth_ldap_admin_setting_special_lowercase_configtext('auth_ldap/graceattr',
224 get_string('auth_ldap_gracelogin_key', 'auth_ldap'),
225 get_string('auth_ldap_graceattr_desc', 'auth_ldap'), '', PARAM_RAW));
226
227 // User Creation.
228 $settings->add(new admin_setting_heading('auth_ldap/usercreation',
229 new lang_string('auth_user_create', 'auth'), ''));
230
231 // Create users externally.
232 $settings->add(new admin_setting_configselect('auth_ldap/auth_user_create',
233 new lang_string('auth_ldap_auth_user_create_key', 'auth_ldap'),
234 new lang_string('auth_user_creation', 'auth'), 0 , $yesno));
235
236 // Context for new users.
237 $settings->add(new admin_setting_configtext('auth_ldap/create_context',
238 get_string('auth_ldap_create_context_key', 'auth_ldap'),
239 get_string('auth_ldap_create_context', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
240
241 // System roles mapping header.
242 $settings->add(new admin_setting_heading('auth_ldap/systemrolemapping',
243 new lang_string('systemrolemapping', 'auth_ldap'), ''));
244
245 // Create system role mapping field for each assignable system role.
246 $roles = get_ldap_assignable_role_names();
247 foreach ($roles as $role) {
248 // Before we can add this setting we need to check a few things.
249 // A) It does not exceed 100 characters otherwise it will break the DB as the 'name' field
250 // in the 'config_plugins' table is a varchar(100).
251 // B) The setting name does not contain hyphens. If it does then it will fail the check
252 // in parse_setting_name() and everything will explode. Role short names are validated
253 // against PARAM_ALPHANUMEXT which is similar to the regex used in parse_setting_name()
254 // except it also allows hyphens.
255 // Instead of shortening the name and removing/replacing the hyphens we are showing a warning.
256 // If we were to manipulate the setting name by removing the hyphens we may get conflicts, eg
257 // 'thisisashortname' and 'this-is-a-short-name'. The same applies for shortening the setting name.
258 if (core_text::strlen($role['settingname']) > 100 || !preg_match('/^[a-zA-Z0-9_]+$/', $role['settingname'])) {
259 $url = new moodle_url('/admin/roles/define.php', array('action' => 'edit', 'roleid' => $role['id']));
260 $a = (object)['rolename' => $role['localname'], 'shortname' => $role['shortname'], 'charlimit' => 93,
261 'link' => $url->out()];
262 $settings->add(new admin_setting_heading('auth_ldap/role_not_mapped_' . sha1($role['settingname']), '',
263 get_string('cannotmaprole', 'auth_ldap', $a)));
264 } else {
265 $settings->add(new admin_setting_configtext('auth_ldap/' . $role['settingname'],
266 get_string('auth_ldap_rolecontext', 'auth_ldap', $role),
267 get_string('auth_ldap_rolecontext_help', 'auth_ldap', $role), '', PARAM_RAW_TRIMMED));
268 }
269 }
270
271 // User Account Sync.
272 $settings->add(new admin_setting_heading('auth_ldap/syncusers',
273 new lang_string('auth_sync_script', 'auth'), ''));
274
275 // Remove external user.
276 $deleteopt = array();
277 $deleteopt[AUTH_REMOVEUSER_KEEP] = get_string('auth_remove_keep', 'auth');
278 $deleteopt[AUTH_REMOVEUSER_SUSPEND] = get_string('auth_remove_suspend', 'auth');
279 $deleteopt[AUTH_REMOVEUSER_FULLDELETE] = get_string('auth_remove_delete', 'auth');
280
281 $settings->add(new admin_setting_configselect('auth_ldap/removeuser',
282 new lang_string('auth_remove_user_key', 'auth'),
283 new lang_string('auth_remove_user', 'auth'), AUTH_REMOVEUSER_KEEP, $deleteopt));
284
285 // Sync Suspension.
286 $settings->add(new admin_setting_configselect('auth_ldap/sync_suspended',
287 new lang_string('auth_sync_suspended_key', 'auth'),
288 new lang_string('auth_sync_suspended', 'auth'), 0 , $yesno));
289
290 // NTLM SSO Header.
291 $settings->add(new admin_setting_heading('auth_ldap/ntlm',
292 new lang_string('auth_ntlmsso', 'auth_ldap'), ''));
293
294 // Enable NTLM.
295 $settings->add(new admin_setting_configselect('auth_ldap/ntlmsso_enabled',
296 new lang_string('auth_ntlmsso_enabled_key', 'auth_ldap'),
297 new lang_string('auth_ntlmsso_enabled', 'auth_ldap'), 0 , $yesno));
298
299 // Subnet.
300 $settings->add(new admin_setting_configtext('auth_ldap/ntlmsso_subnet',
301 get_string('auth_ntlmsso_subnet_key', 'auth_ldap'),
302 get_string('auth_ntlmsso_subnet', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
303
304 // NTLM Fast Path.
305 $fastpathoptions = array();
306 $fastpathoptions[AUTH_NTLM_FASTPATH_YESFORM] = get_string('auth_ntlmsso_ie_fastpath_yesform', 'auth_ldap');
307 $fastpathoptions[AUTH_NTLM_FASTPATH_YESATTEMPT] = get_string('auth_ntlmsso_ie_fastpath_yesattempt', 'auth_ldap');
308 $fastpathoptions[AUTH_NTLM_FASTPATH_ATTEMPT] = get_string('auth_ntlmsso_ie_fastpath_attempt', 'auth_ldap');
309
310 $settings->add(new admin_setting_configselect('auth_ldap/ntlmsso_ie_fastpath',
311 new lang_string('auth_ntlmsso_ie_fastpath_key', 'auth_ldap'),
312 new lang_string('auth_ntlmsso_ie_fastpath', 'auth_ldap'),
313 AUTH_NTLM_FASTPATH_ATTEMPT, $fastpathoptions));
314
315 // Authentication type.
316 $types = array();
317 $types['ntlm'] = 'NTLM';
318 $types['kerberos'] = 'Kerberos';
319
320 $settings->add(new admin_setting_configselect('auth_ldap/ntlmsso_type',
321 new lang_string('auth_ntlmsso_type_key', 'auth_ldap'),
322 new lang_string('auth_ntlmsso_type', 'auth_ldap'), 'ntlm', $types));
323
324 // Remote Username format.
325 $settings->add(new auth_ldap_admin_setting_special_ntlm_configtext('auth_ldap/ntlmsso_remoteuserformat',
326 get_string('auth_ntlmsso_remoteuserformat_key', 'auth_ldap'),
327 get_string('auth_ntlmsso_remoteuserformat', 'auth_ldap'), '', PARAM_RAW_TRIMMED));
328 }
329
330 // Display locking / mapping of profile fields.
331 $authplugin = get_auth_plugin('ldap');
332 $help = get_string('auth_ldapextrafields', 'auth_ldap');
333 $help .= get_string('auth_updatelocal_expl', 'auth');
334 $help .= get_string('auth_fieldlock_expl', 'auth');
335 $help .= get_string('auth_updateremote_expl', 'auth');
336 $help .= '<hr />';
337 $help .= get_string('auth_updateremote_ldap', 'auth');
338 display_auth_lock_options($settings, $authplugin->authtype, $authplugin->userfields,
339 $help, true, true, $authplugin->get_custom_user_profile_fields());
340 }
Read-only mirror of the Moodle CVS