This plugin displays a report page and matches user accounts in Moodle with an LDAP directory in the organisation. Various filters can be used to select users. The report may also be exported.
Another functionality of the plugin is that it provides a cli script. This has the same functionality like the report page, but can also be used to automatically suspend, delete accounts or set the emailstop flag for the user.
The use case for the need of this plugin was that the Moodle authentication is done via Shibboleth (an SSO service). If the user is authenticated via the SSO provider and the identity service of the institution, the user is redirected to Moodle together with some information who he is. He then is logged in or even created. A LDAP directory may work here as the identity provider for Shibboleth but there is no direct connection from/to Moodle.
Whenever a user drops out of the institution the identity provider will not allow to log him in anymore. However, the account in Moodle is still active and emails may be sent out to the users email address.
Therefore, there is a need to detect such users and disable or delete them from Moodle once they do not yet exist in the LDAP anymore. The CLI script should automate the process e.g. at each start of a new term.
report
directory.moodle-report_ldapaccounts
into ldapaccounts
.The user match between Moodle and LDAP is done via email solemnly. At the moment there is no other property considered to be taken as the user identity. The user data is taken from the user table in Moodle. The matching email field in LDAP can be configured in the settings of the plugin.
When querying the LDAP directory it's only checked whether there is a match or not.
The email field is the only field that is returned by the LDAP query together with the
dn
field (the user id). However, the latter is not used by the plugin.
At "Site administration" -> "Plugins" -> "Report" -> "Settings for Moodle Accounts in LDAP Report" you find all settings regarding this plugin.
There is a list of fields with the LDAP prefix that handle the connection to the LDAP server. You may also provide certificate files for the connection in case necessary.
The setting "Email field in LDAP" may contain a different field name where the email
is stored in the LDAP directory. By default, this is mail
.
The setting "LDAP Query" may contain some additional LDAP query parameters to select
an user. Imagine the use case that the LDAP directory contains person and institution
items, both having an email field. In this setting the query might contain additional
conditions e.g. (objectClass=person)
to select the person items only.
The setting "Enable logging" is to log all the communication between Moodle and the LDAP service. This is intended for debug reasons and should not be enabled unless necessary (see also notes on Privacy below).
In general the LDAP report just fetches data from the LDAP server and lists data in the report that are already in the Moodle database. However, there are two exceptions when more data is stored and or stored at other places than the database. This is:
As explained before, what is stored depends on the type of the LDAP request and the
selection of the data to be fetched from the user
table.
When the option Download report as CSV is selected, any of the selected columns from the
user
table will be stored into the CSV file, except for the columns password
and
secret
. These two are never exported.
The LDAP server may return many other values, depending on the query, e.g. which properties
are selected from the data entity. By default, the query selects the mail
field only, to
match the entity from the LDAP result with the data set from the user
table. However,
if in the settings the LDAP query is filled to select other fields as well, or if in
the cli script the query is expanded by the argument --ldapquery
more data from the entity
may be stored in the logs.
Both, the csv files for downloading and the log files are stored in moodletemp in a
sub directory report_ldapaccounts
. Logfiles have the date included when they were
written.
The report page can be called using the path /report/ldapaccounts/
. You also get to
that page via "Site administration" -> "Reports" -> "Moodle Accounts in LDAP".
In the form the first section "Filter user data" contains filters to select which users to fetch from the Moodle database that should appear in the report. If you have more than one authentication method you will see a selection to filter by authentication method. The selections "Deleted", "Suspended", "Emailstop", and "LDAP status" work all the same, 0 means option disabled and 1 means option enabled. By default, any of the options can be set i.e. the filter is not applied to the search. The Filters firstname and lastname can be used to select users starting with these letters. No wildcard has to be used.
The email field may use a wildcard. Here you can use a concrete email or e.g. select all emails from a certain domain only. Wildcard character is the asterisk.
While all filters work directly with the data from the user table in Moodle the "LDAP status" field is used on the results after the user items have been queried at the LDAP directory. If the filter is set, only the users are displayed that match the criteria (i.e. exist in the LDAP or not).
The selection "columns" contains a list of field names that exist in the user table.
In addition, the field ldap_status
is here available as well to display whether
the user exists in the LDAP directory. At the end of the selected column list
the fields "User details", "Delete", "Suspend", and "Disable notifications" are added automatically.
These contain links to the users profile page and links to delete the user
account entirely or just disable notifications for a user.
The password
and the secret
fields cannot be displayed. Custom defined user
fields are also not considered.
The report can also be downloaded as a csv file, in case the checkbox is set in the
form. A download link appears below the report table. The files are stored in a
subdirectory report_ldapaccounts
of the Moodle data directory. Old files are not
deleted at the moment, therefore, a cronjob should be installed to do this.
Below the user table a permalink is displayed. This link reflects the current query. Used in another time it queries the data by the same criteria. This link can be bookmarked so that the user doesn't need to remember each setting in the reports page form. When calling the link, the form is displayed and preset with the search terms already.
The cli script resides in report/ldapaccounts/cli/ldapaccounts.php
. Administrators
may run it from the command line occasionally or put it into a cronjob to run it
periodically.
The output is always a csv formatted string witten to standard out. You may write that into a file using the io redirection arguments.
For a list of commands and possible arguments use
the --help
switch to display it.
There are two modes of the script. The first mode works the same as the report page. You select user data. The resulting records are print to standard out.
The other option is to use the --action
parameter to define an action with users
that do not exist in LDAP. These can be delete
, suspend
, or emailstop
.
To suspend user accounts that are not in LDAP you would use --action=suspend
to set
the suspended
property to 1 in the user table.
Also, when using the --action
parameter the output are the data sets that have been
modified (actually they will be modified within an update command before the next
chunk of user records is fetched). If a user record should be modified, but may have
that flag set already that is defined by the action, then this data set is not printed
out.
Filters are more flexible than in the reports page. You can basically use any
column that exists in the user table to define some criterion and filter data with
this condition. Each filter criterion is used with an and conjunction. If a filter
is set on the firstname
and on the lastname
both criteria must match so that the
user record is selected.
If you use any wildcard on strings the asterisk must be set. Also if you use > or < then these operators must be prepended on the value.
Filters must be written as json. To filter all users whose surname starts with W and that are not yet suspended and that have an email in the example.org institution would use the following filter (including the argument switch):
-f='{"lastname":"w*","suspended":0,"email":"*example.org"}'
In case you use a different ldapmail field or add a query part to the ldap query
these options can be submitted by the arguments --ldapmail
and --ldapquery
.
These two values can also be defined in the settings and be used always for all
queries in the cli script and the reports page.
To have no output witten to standard out, the switch --silent
might be used. This
apparently makes sense only if you also use the --action
switch.
Originally the plugin was tailored with a lot of hard coding facts for our personal use. We tried to make it more generic, so that it can be used by other institutions as well. At the moment the functionality of the plugin meets our requirements.
Possible future changes could be:
Initial release that had been approved into the Moodle plugins directory.