-
Bug
-
Resolution: Unresolved
-
Minor
-
None
-
3.5.8, 3.5.11, 3.6.9, 3.7.5, 3.8.2, 3.9, 4.1.1
-
MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE, MOODLE_401_STABLE
-
MDL-67181-master_ldap_sync_suspended_attribute
-
Sorry, the company LDAP is in Spanish, the print's screen are in this language
.Preconditions:
- We have a ldap MS ActiveDirectory with a pmoodle1 user (I used to test a Windows Server 2012 R2).
- The pmoodle1 user exist in Moodle with ldap auth and it is active.
- The ldap auth plugin is enabled.
- Configure and test the ldap conection.
- Set auth_ldap > suspended_attribute to useraccountcontrol
- Set auth_ldap > removeuser to Suspend internal
Find and Sync the user
- Into LDAP, filter the user name pmoodle1
- The user is active In ActiveDirectory (inactive user icon has a black arrow
) - In the console, in Moodle path, execute:
* Validate in moodle (Site administration > Browse list of users): The user pmoodle1 is activephp admin/cli/scheduled_task.php --execute="\auth_ldap\task\sync_task"
Disable the user
- In the LDAP "Search user" window: disable the account using the drop-down menu.
- Tip: Search again the user to refresh the state icon.
- In the console, execute: __
* In the job log, the pmoodle1 user is Skippedphp admin/cli/scheduled_task.php --execute="\auth_ldap\task\sync_task"
- Validate in moodle (Site administration > Browse list of users): The user pmoodle1 is active
Apply the patch
Apply the patch: https://github.com/davidherney/moodle/commit/19287a233139965f0d0702c94a2a7ef23dbaa9ce
Test again:
- In the console, execute: __
# In the job log, the pmoodle1 user is updated.php admin/cli/scheduled_task.php --execute="\auth_ldap\task\sync_task"
- Validate in moodle (Site administration > Browse list of users): The user pmoodle1 is disabled
Sorry, the company LDAP is in Spanish, the print's screen are in this language . Preconditions: We have a ldap MS ActiveDirectory with a pmoodle1 user (I used to test a Windows Server 2012 R2). The pmoodle1 user exist in Moodle with ldap auth and it is active. The ldap auth plugin is enabled. Configure and test the ldap conection. Set auth_ldap > suspended_attribute to useraccountcontrol Set auth_ldap > removeuser to Suspend internal Find and Sync the user Into LDAP, filter the user name pmoodle1 The user is active In ActiveDirectory (inactive user icon has a black arrow ) In the console, in Moodle path, execute: php admin/cli/scheduled_task.php --execute= "\auth_ldap\task\sync_task" * Validate in moodle (Site administration > Browse list of users): The user pmoodle1 is active Disable the user In the LDAP "Search user" window: disable the account using the drop-down menu. Tip: Search again the user to refresh the state icon. In the console, execute: __ php admin/cli/scheduled_task.php --execute= "\auth_ldap\task\sync_task" * In the job log, the pmoodle1 user is Skipped Validate in moodle (Site administration > Browse list of users): The user pmoodle1 is active Apply the patch Apply the patch: https://github.com/davidherney/moodle/commit/19287a233139965f0d0702c94a2a7ef23dbaa9ce Test again: In the console, execute: __ php admin/cli/scheduled_task.php --execute= "\auth_ldap\task\sync_task" # In the job log, the pmoodle1 user is updated. Validate in moodle (Site administration > Browse list of users): The user pmoodle1 is disabled - We have a ldap MS ActiveDirectory with a pmoodle1 user (I used to test a Windows Server 2012 R2).
Enable LDAP users sync job to suspend user with the following settings, the LDAP users sync job
dose not suspend the users whose AD acounts have been disabled.
The main setting on ldap settings:
Suspended attriubte (auth_ldap | suspended_attribute): UserAccountControl
Removed ext user (auth_ldap | removeuser ): Suspend internal
Synchronise local user suspension status ( auth_ldap | sync_suspended ): Yes
What I found
after looking into the source code, I found a bug in function update_user_records of lib/authlib.php file.
please see the patch belwo, the variable '$needsupdate' should be set to 'true' when $user->suspned dose not equal $suspenduser.
and then the user will be updated as well as his suspend status on Moodle. otherwise the user's suspend status will not be updated as the user will not be updated due to the $needsupdate is not set to 'true', which is not right.
// Some comments here
|
Index: lib/authlib.php
|
IDEA additional info:
|
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
|
<+>UTF-8
|
===================================================================
|
--- lib/authlib.php (revision )
|
+++ lib/authlib.php (revision )
|
@@ -669,7 +669,9 @@
|
$newuser = new stdClass(); |
$newuser->id = $userid; |
// The cast to int is a workaround for MDL-53959. |
- $newuser->suspended = (int) $suspenduser; |
+ if($user->suspended != (int)$suspenduser ) { |
+ $newuser->suspended = (int) $suspenduser;+ $needsupdate = true; |
+ }
|
// Load all custom fields. |
$profilefields = (array) profile_user_record($user->id, false); |
$newprofilefields = []; |
|
I am happy to amend any information please let me know.
