Moodle tracker: MDL-47004

LDAP defaults the AD objectClass to "user", not the best default conf


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Fix Version/s: 2.9
    • Affects Version/s: 2.7.1, 2.9
    • Component/s: Authentication
    • Affected Branches: MOODLE_27_STABLE, MOODLE_29_STABLE
    • Fixed Branches: MOODLE_29_STABLE
    • Pull Branch: m29_MDL-47004_LDAP_Better_Default_ObjectClass
      Testing instructions

      (difficulty: hard, requires an Active Directory - including a new computer to be joined to the Windows domain - to be configured in two separate Moodle instances)

      Instance #1. Before applying the patch, with LDAP already enabled

      1. Configure Moodle LDAP auth with the default values, pointing to an Active Directory containing both users and computers, and enable it.
      2. Configure CLI sync (sync_users.php) and confirm that the sync imports Computer accounts too.
      3. Apply the patch and add a new computer to AD: the new Computer account will still be imported during the sync.

      Instance #2. After applying the patch, without ever having enabled LDAP

      1. Configure Moodle LDAP auth with the default values, pointing to an Active Directory containing both users and computers, and enable it.
      2. Configure CLI sync (sync_users.php) and confirm that the sync does not import Computer accounts.

      The objectClass provided by default for Active Directory is user, https://github.com/moodle/moodle/blob/deae60239d70880053ae271a573c782880eb9bb2/lib/ldaplib.php#L67.

      This default choice, combined with using auth/ldap/cli/sync_users.php, leads to syncing the computer objects as well.
      The best selector for user objects is (samAccountType=805306368), while someone could argue that we should also exclude the disabled accounts via (!(userAccountControl=514)).

      My proposal is to default the AD choice to (sAMAccountType=805306368), at least in master: this will help beginners get a smarter AD default configuration.

      Note: I'm available to create the PR(s) once we agree on the improvement and on how to proceed.
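      The filters named in the description, worked through on a constructed in-memory directory. This is an added example written for this page in Python; it is not Moodle code and not part of the original issue. The sample entries, their DNs and attribute values are constructed, and the small filter evaluator is a hypothetical stand-in for a real LDAP server. It shows why (objectClass=user) also returns computer objects (in the AD schema the computer class is derived from user), that (sAMAccountType=805306368) returns only normal user accounts, and, going one step beyond the text, why (!(userAccountControl=514)) only excludes disabled accounts whose userAccountControl is exactly 514: a disabled account that also carries another flag (constructed here as 66050, i.e. NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWD) slips through, whereas the AD bitwise matching rule 1.2.840.113556.1.4.803 on the ACCOUNTDISABLE bit (2) excludes both.

```python
"""Evaluate simple LDAP search filters against constructed AD-style entries.

Added example for MDL-47004, not Moodle code. The directory below is
constructed; attribute names and numeric values mimic Active Directory.
"""

# Constructed sample directory. In AD the 'computer' class derives from
# 'user', so a computer object also carries objectClass=user.
# sAMAccountType 805306368 = SAM_NORMAL_USER_ACCOUNT, 805306369 = SAM_MACHINE_ACCOUNT.
# userAccountControl 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE,
# 66050 = NORMAL_ACCOUNT|ACCOUNTDISABLE|DONT_EXPIRE_PASSWD, 4096 = WORKSTATION_TRUST_ACCOUNT.
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=org",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountType": ["805306368"], "userAccountControl": ["512"]},
    {"dn": "CN=bob,CN=Users,DC=example,DC=org",  # disabled
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountType": ["805306368"], "userAccountControl": ["514"]},
    {"dn": "CN=carol,CN=Users,DC=example,DC=org",  # disabled, password never expires
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountType": ["805306368"], "userAccountControl": ["66050"]},
    {"dn": "CN=LAB-PC01,CN=Computers,DC=example,DC=org",  # a domain-joined computer
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountType": ["805306369"], "userAccountControl": ["4096"]},
]

BIT_AND = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND


def parse(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset used here:
    (attr=value), (&...), (|...), (!...) and the extensible match
    (attr:OID:=value). Returns (node, index just past the closing paren)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated '%s' filter" % op)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated '!' filter")
        return ("!", node), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    rule = None
    if attr.endswith(":"):  # extensible match: attr:<matching rule OID>:=value
        attr, rule, _ = attr.split(":")
    return ("=", attr, rule, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter node against one entry (attribute names and
    values are compared case-insensitively, as LDAP does for these types)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    found = [v for k, v in entry.items() if k.lower() == attr.lower()]
    values = found[0] if found else []
    if rule == BIT_AND:
        return any((int(v) & int(value)) == int(value) for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    return any(v.lower() == value.lower() for v in values)


def search(filter_str, entries=SAMPLE_ENTRIES):
    """Return the DNs of the entries matched by an LDAP filter string."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters in filter")
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for f in ("(objectClass=user)",
              "(sAMAccountType=805306368)",
              "(&(sAMAccountType=805306368)(!(userAccountControl=514)))",
              "(&(sAMAccountType=805306368)(!(userAccountControl:%s:=2)))" % BIT_AND):
        print(f, "->", search(f))
```

      Run as a script, the first filter returns all four DNs including LAB-PC01, the sAMAccountType filter drops the computer, the equality exclusion on 514 still returns carol, and the bitwise exclusion returns only alice. The same four filters can be tried against a real directory with ldapsearch to confirm that the behaviour is the server's, not the toy evaluator's.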

            People: Matteo Scaramuccia, Iñaki Arenaza, Dan Poltawski, Rajesh Taneja