31 August 2015, 7:38

Hello,

This question was asked in the German group at https://mahara.org/interaction/forum/topic.php?id=7350

Ralph has set up his Mahara to synchronize users from Active Directory. However, not all users are brought along. He suspects that only a maximum of 1,000 users can be synchronized per query of AD. Is there something that can be done to also get the remaining users?

Thanks

Kristina

31 August 2015, 10:11

I think this relates to specific php and library versions. AD out of box config will only return 1000 results. Requests either need to be paged or AD can be changed to return more (this my be undesirable).

Useful link:

https://sgehrig.wordpress.com/2009/11/06/reading-paged-ldap-results-with-php-is-a-show-stopper/

For large scale batch/feeds pull needs, PHP 5.4 will be required as far as I know.

31 August 2015, 15:11

Hello Mark,

I updated your profile so you can post links. You were still "on probabion" (a spam protection mechanism). :-)

Cheers

Kristina

15 September 2015, 21:04

Hello,

I'm just a simple user, but also has experience in installing programs on Linux computers.

It is not clear whether I can contribute something to solve the problem. Or remains an unsolved problem?

Ralph

16 September 2015, 15:37

Hi all,

There's actually a comment in the code saying that it doesn't support paged LDAP results, so it'll hit a 1000 user limit in ActiveDirectory: https://github.com/MaharaProject/mahara/blob/15.04_STABLE/htdocs/auth/ldap/lib.php#L889

So I think that is the problem.

From the user comments on php.net, it does look like the LDAP paging commands work correctly with AD from PHP 5.4 and on, so potentially it is a solveable problem. We'd need to rewrite Mahara's PluginAuthLdap->ldap_get_users_scalable() method so that it uses the PHP "ldap_control_paged_result()" method: http://php.net/manual/en/function.ldap-control-paged-result.php

And of course Mahara aims to support PHP 5.3, so we'd need to put a wrapper around that function call that checks to see whether that method exists first, before invoking it.

Cheers,

Aaron

16 September 2015, 21:57

Hello,

thanks for the post.

I am surprised that this is not a problem for other users. At our school are about 1500 students. Today, a colleague came to me. They wanted to take their students into their group, but she has not found her.

Workaround: Students need to sign up once himself individually and can then be taken up only in the group. Should we therefore so do?

Ralph

17 September 2015, 18:09

Hi Ralph,

I've filed a bug report about it on our bug tracker: https://bugs.launchpad.net/mahara/+bug/1496690

Unfortunately, because this problem only affects a subset of Mahara sites (ActiveDirectory, with more than 1000 user accounts), it's not a high-priority bug for us, so it's not on our immediate road map to fix it with our limited community bug-fixing resources. (We're pretty busy fixing things for the upcoming 15.10 release.)

If you've got anyone at your institution who can program in PHP, you can try to write a patch for the problem, using the example code here as a guide: http://php.net/manual/en/function.ldap-control-paged-result.php . Or if you've got a software development budget, and you'd like to hire us at Catalyst IT to fix it, you can contact Kristina Hoeppner about that.

In lieue of either of those, a workaround might be to export the users from Active Directory to a CSV file, and then use the "Upload users by CSV" functionality to generate their accounts

Cheers,

Aaron

17 September 2015, 1:03

> And of course Mahara aims to support PHP 5.3,

PHP 5.3 is not supported anymore and it's the same for PHP 5.4 since last week. I don't understand why of got to support PHP 5.3 anymore ?

17 September 2015, 17:57

We've discussed increasing our minimum supported PHP version, at our Mahara developer meetings. But, even though the PHP folks are no longer releasing updates for PHP 5.3 or 5.4, there are still some popular Linux distribution long-term-support releases which are stuck on 5.3. So, that's the reason we've decided to continue supporting it. Many of the largest Mahara sites out there are run by big bureaucratic institutions which are slow to upgrade to new Linux versions.

In general, supporting 5.3 doesn't put too many limitations on us. Like in this case, we can still use the PHP 5.4-only LDAP paging methods. We just have to put a check to function_exists() around it, to make sure it doesn't cause a fatal error if you're running PHP 5.3.