diff --git a/src/main/java/org/olat/ldap/LDAPLoginModule.java b/src/main/java/org/olat/ldap/LDAPLoginModule.java
index ea2e39f19451a9a29024601ee605fed75a486a46..c132239472740b504f17cde169c122dc9399f581 100644
--- a/src/main/java/org/olat/ldap/LDAPLoginModule.java
+++ b/src/main/java/org/olat/ldap/LDAPLoginModule.java
@@ -80,6 +80,10 @@ public class LDAPLoginModule implements Initializable {
 	// List of bases where to find users
 	private static List<String> ldapBases;
 	private static Integer connectionTimeout;
+	/**
+	 * Create LDAP users on the fly when authenticated successfully
+	 */
+	private boolean createUsersOnLogin;
 	// Use a valid ldap password and save it as olat password to reduce dependency
 	// to LDAP server availability and allow WeDAV access
 	private static boolean cacheLDAPPwdAsOLATPwdOnLogin;
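Review bot: The new `createUsersOnLogin` field is an instance field with an implicit default of `false`, while the neighbouring settings are `static` and the shipped `ldap.ldapCreateUsersOnLogin` value is `true`. An instance that is not wired through `ldapContext.xml` would therefore refuse to provision users, which differs from the always-create behaviour before this commit. That fail-closed default may be intended, but the Javadoc should state it along with what `false` means for a login. Suggested wording: `Create OLAT users on the fly after a successful LDAP bind; when false, authenticated users without an existing OLAT account are rejected.`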
@@ -581,7 +585,11 @@ public class LDAPLoginModule implements Initializable {
 	public void setCacheLDAPPwdAsOLATPwdOnLogin(boolean cacheLDAPPwdAsOLATPwdOnLogin) {
 		LDAPLoginModule.cacheLDAPPwdAsOLATPwdOnLogin = cacheLDAPPwdAsOLATPwdOnLogin;
 	}
-	
+
+	public void setCreateUsersOnLogin(boolean createUsersOnLogin) {
+		this.createUsersOnLogin = createUsersOnLogin;
+	}
+
 	public void setConvertExistingLocalUsersToLDAPUsers(boolean convertExistingLocalUsersToLDAPUsers) {
 		LDAPLoginModule.convertExistingLocalUsersToLDAPUsers = convertExistingLocalUsersToLDAPUsers;
 	}
@@ -703,6 +711,10 @@ public class LDAPLoginModule implements Initializable {
 	public static String getLdapSyncCronSyncExpression() {
 		return ldapSyncCronSyncExpression;
 	}
+	
+	public boolean isCreateUsersOnLogin() {
+		return createUsersOnLogin;
+	}
 
 	public static boolean isCacheLDAPPwdAsOLATPwdOnLogin() {
 		return cacheLDAPPwdAsOLATPwdOnLogin;
diff --git a/src/main/java/org/olat/ldap/_spring/ldapContext.xml b/src/main/java/org/olat/ldap/_spring/ldapContext.xml
index 3e4b3d18f7ef61a2dd9535f99c895feb5d301353..d0d45e2c9091146adcd10a0d265a9fc2bdc76a5d 100644
--- a/src/main/java/org/olat/ldap/_spring/ldapContext.xml
+++ b/src/main/java/org/olat/ldap/_spring/ldapContext.xml
@@ -3,7 +3,7 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="
   http://www.springframework.org/schema/beans 
-  http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+  http://www.springframework.org/schema/beans/spring-beans.xsd">
 
    	<!--
 		*****************************************
@@ -37,6 +37,7 @@
 		<property name="trustStoreLocation" value="${ldap.trustStoreLocation}"/>
 		<property name="trustStorePwd" value="${ldap.trustStorePwd}"/>
 		<property name="trustStoreType" value="${ldap.trustStoreType}"/>
+		<property name="createUsersOnLogin" value="${ldap.ldapCreateUsersOnLogin}" />
 		<!-- 
 			When users log in via LDAP, the system can keep a copy of the password as encrypted
 			hash in the database. This makes OLAT more independent from an offline LDAP server 
diff --git a/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java b/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java
index 797f1f061c4ac77ebc0faaec5e6d739aef02ddbb..2f37bd35c36b09a841a21edd856e62de0787770f 100644
--- a/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java
+++ b/src/main/java/org/olat/ldap/ui/LDAPAuthenticationController.java
@@ -254,17 +254,25 @@ protected void event(UserRequest ureq, Component source, Event event) {
 	}
 	
 	public static Identity authenticate(String username, String pwd, LDAPError ldapError) {
+		final LDAPLoginModule ldapModule = CoreSpringFactory.getImpl(LDAPLoginModule.class);
+		final LDAPLoginManager ldapManager = CoreSpringFactory.getImpl(LDAPLoginManager.class);
+		final BaseSecurity secMgr = BaseSecurityManager.getInstance();
 		
-		LDAPLoginManager ldapManager = (LDAPLoginManager) CoreSpringFactory.getBean(LDAPLoginManager.class);
+		//authenticate against LDAP server
 		Attributes attrs = ldapManager.bindUser(username, pwd, ldapError);
-		
 		if (ldapError.isEmpty() && attrs != null) { 
 			Identity identity = ldapManager.findIdentyByLdapAuthentication(username, ldapError);
-			if (!ldapError.isEmpty()) return null;
+			if (!ldapError.isEmpty()) {
+				return null;
+			}
 			if (identity == null) {
-				// User authenticated but not yet existing - create as new OLAT user
-				ldapManager.createAndPersistUser(attrs);
-				identity = ldapManager.findIdentyByLdapAuthentication(username, ldapError);
+				if(ldapModule.isCreateUsersOnLogin()) {
+					// User authenticated but not yet existing - create as new OLAT user
+					ldapManager.createAndPersistUser(attrs);
+					identity = ldapManager.findIdentyByLdapAuthentication(username, ldapError);
+				} else {
+					ldapError.insert("login.notauthenticated");
+				}
 			} else {
 				// User does already exist - just sync attributes
 				Map<String, String> olatProToSync = ldapManager.prepareUserPropertyForSync(attrs, identity);
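Review bot: In the new `else` branch of `authenticate`, a user who has just bound successfully against LDAP but has no OLAT identity is rejected with `login.notauthenticated`, the same key a failed login would presumably produce, and nothing is recorded. Keeping the user-facing message generic is reasonable, but an operator then cannot tell a provisioning gap from a wrong password. I would add an audit log entry in that branch through the class's existing logger (not visible in this hunk) that names the username and states that on-the-fly creation is disabled, never the password. Separately, in the create branch the second `findIdentyByLdapAuthentication` call is not followed by an `ldapError.isEmpty()` check as the first one is, so a failed lookup after `createAndPersistUser` falls through with `identity == null`. The rest of the method lies outside this hunk, so how that case is handled cannot be confirmed from here.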
@@ -274,7 +282,7 @@ protected void event(UserRequest ureq, Component source, Event event) {
 			}
 			// Add or update an OLAT authentication token for this user if configured in the module
 			if (identity != null && LDAPLoginModule.isCacheLDAPPwdAsOLATPwdOnLogin()) {
-				BaseSecurity secMgr = BaseSecurityManager.getInstance();
+				
 				Authentication auth = secMgr.findAuthentication(identity, BaseSecurityModule.getDefaultAuthProviderIdentifier());
 				if (auth == null) {
 					// Create new authentication token
diff --git a/src/main/resources/serviceconfig/olat.properties b/src/main/resources/serviceconfig/olat.properties
index fa5df89b9a2e06e994b6be526033016e461d712f..932d6eb6b6cd225f9526a73ab669f8c5e74f8cc9 100644
--- a/src/main/resources/serviceconfig/olat.properties
+++ b/src/main/resources/serviceconfig/olat.properties
@@ -707,6 +707,8 @@ ldap.sslEnabled=false
 ldap.trustStoreLocation=/usr/lib/j2sdk1.5-sun/jre/lib/security/cacerts
 ldap.trustStorePwd=changeit
 ldap.trustStoreType=JKS
+# Create LDAP users on the fly when authenticated successfully
+ldap.ldapCreateUsersOnLogin=true
 # When users log in via LDAP, the system can keep a copy of the password as encrypted
 # hash in the database. This makes OLAT more independent from an offline LDAP server
 # and users can use their LDAP password to use the WebDAV functionality.
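Review bot: The comment on `ldap.ldapCreateUsersOnLogin` does not say what `false` does or what the default of `true` implies for access control. With `true`, any directory account that can bind successfully gets an OLAT account on first login, presumably limited only by the configured LDAP bases. Deployments that want to restrict who gets an account need to know this switch exists and that accounts must then be created by another route. I would extend the comment with something like `# If false, users who authenticate against LDAP but have no OLAT account are rejected at login; accounts must be created beforehand (e.g. by the LDAP sync).` The key also repeats the prefix (`ldap.ldap…`), unlike the visible neighbours `ldap.sslEnabled` and `ldap.trustStoreType`.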