ILIAS  Release_3_10_x_branch Revision 61812
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilAuthContainerLDAP.php
Go to the documentation of this file.
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
24 include_once('Auth/Container/LDAP.php');
25 
49 class ilAuthContainerLDAP extends Auth_Container_LDAP
50 {
51  private $optional_check = false;
52 
53  private $log = null;
54  private $server = null;
55  private $ldap_attr_to_user = null;
56 
64  private $isObserversEnabled;
65 
73  public function __construct(ilLDAPServer $server,$a_params)
74  {
75  global $ilLog;
76 
77  $this->server = $server;
78  parent::__construct($a_params);
79  $this->log = $ilLog;
80  }
81 
87  function fetchData($username, $password, $isChallengeResponse=false)
88  {
89  $isSuccessful = parent::fetchData($username, $password, $isChallengeResponse);
90  if ($this->isObserversEnabled)
91  {
92  if ($isSuccessful)
93  {
94  $this->loginObserver($username);
95  }
96  else
97  {
98  $this->failedLoginObserver();
99  }
100  }
101  return $isSuccessful;
102  }
110  public function enableOptionalGroupCheck()
111  {
112  $this->optional_check = true;
113  $this->updateUserFilter();
114  }
115 
122  public function enabledOptionalGroupCheck()
123  {
124  return (bool) $this->optional_check;
125  }
126 
127 
136  public function checkGroup($a_name)
137  {
138  $this->log->write(__METHOD__.': checking group restrictions...');
139 
140  // if there are multiple groups define check all of them for membership
141  $groups = $this->server->getGroupNames();
142 
143  if(!count($groups))
144  {
145  $this->log->write(__METHOD__.': No group restrictions found.');
146  return true;
147  }
148  elseif($this->server->isMembershipOptional() and !$this->optional_check)
149  {
150  $this->log->write(__METHOD__.': Group membership is optional.');
151  return true;
152  }
153 
154  foreach($groups as $group)
155  {
156  $this->options['group'] = $group;
157 
158  if(parent::checkGroup($a_name))
159  {
160  return true;
161  }
162  }
163  return false;
164  }
174  public function _debug($a_message = '',$a_line = 0)
175  {
176  if(is_object($this->log))
177  {
178  $this->log->write('LDAP PEAR: '.$a_message);
179  }
180  parent::_debug($a_message,$a_line);
181  }
182 
189  private function updateUserFilter()
190  {
191  $this->options['userfilter'] = $this->server->getGroupUserFilter();
192  }
193 
197  public function setObserversEnabled($boolean)
198  {
199  $this->isObserversEnabled = $boolean;
200  }
201 
205  public function isObserversEnabled()
206  {
207  $this->isObserversEnabled;
208  }
209 
215  public function loginObserver($a_username)
216  {
217  global $ilBench;
218  global $ilLog;
219  $ilLog->write(__METHOD__.': logged in as '.$a_username.
220  ', remote:'.$_SERVER['REMOTE_ADDR'].':'.$_SERVER['REMOTE_PORT'].
221  ', server:'.$_SERVER['SERVER_ADDR'].':'.$_SERVER['SERVER_PORT']
222  );
223 
224  $ilBench->start('Auth','LDAPLoginObserver');
225  $user_data = array_change_key_case($this->_auth_obj->getAuthData(),CASE_LOWER);
226 
227  $a_username = $this->extractUserName($user_data);
228 
229  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
230  $users[$a_username] = $user_data;
231 
232 
233  if($this->server->enabledSyncOnLogin())
234  {
235  if(!$user_data['ilInternalAccount'] and $this->server->isAccountMigrationEnabled() and !$this->_auth_obj->force_creation)
236  {
237  $this->_auth_obj->logout();
238  $_SESSION['tmp_auth_mode'] = 'ldap';
239  $_SESSION['tmp_external_account'] = $a_username;
240  $_SESSION['tmp_pass'] = $_POST['password'];
241 
242  include_once('./Services/LDAP/classes/class.ilLDAPRoleAssignments.php');
243  $role_ass = ilLDAPRoleAssignments::_getInstanceByServer($this->server);
244  $role_inf = $role_ass->assignedRoles($a_username,$user_data);
245  $_SESSION['tmp_roles'] = array();
246  foreach($role_inf as $info)
247  {
248  $_SESSION['tmp_roles'][] = $info['id'];
249  }
250  $ilBench->stop('Auth','LDAPLoginObserver');
251  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
252  }
253 
254  // Refresh or create user data
255  $ilBench->start('Auth','LDAPUserSynchronization');
256  if($this->updateRequired($a_username))
257  {
258  #$GLOBALS['ilLog']->write(__METHOD__.': Starting update');
259  $this->initLDAPAttributeToUser();
260  $this->ldap_attr_to_user->setUserData($users);
261  $this->ldap_attr_to_user->refresh();
262  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
263  }
264  else
265  {
266  // User exists and no update required
267  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
268  }
269  $ilBench->stop('Auth','LDAPUserSynchronization');
270  }
271 
272  if(!$user_data['ilInternalAccount'])
273  {
274  // No syncronisation allowed => create Error
275  $this->_auth_obj->status = AUTH_LDAP_NO_ILIAS_USER;
276  $this->_auth_obj->logout();
277  $ilBench->stop('Auth','LDAPLoginObserver');
278  return;
279  }
280  // Finally setAuth
281  $this->_auth_obj->setAuth($user_data['ilInternalAccount']);
282  $ilBench->stop('Auth','LDAPLoginObserver');
283  return;
284 
285  }
292  private function initLDAPAttributeToUser()
293  {
294  include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
295  $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
296  }
297 
303  public function failedLoginObserver()
304  {
305  global $ilLog;
306  $ilLog->write(__METHOD__.': login failed'.
307  ', remote:'.$_SERVER['REMOTE_ADDR'].':'.$_SERVER['REMOTE_PORT'].
308  ', server:'.$_SERVER['SERVER_ADDR'].':'.$_SERVER['SERVER_PORT']
309  );
310 
311  if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
312  {
313  $this->_auth_obj->logout();
314  $this->enableOptionalGroupCheck();
315  $this->_auth_obj->start();
316  }
317  }
318 
324  protected function extractUserName($a_user_data)
325  {
326  $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
327  $a_user_data[strtolower($this->server->getUserAttribute())] :
328  trim($a_user_data);
329 
330  // Support for multiple user attributes
331  if(!is_array($a_username))
332  {
333  return $a_username;
334  }
335  foreach($a_username as $name)
336  {
337  // User found with authentication method 'ldap'
338  if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
339  {
340  return trim($name);
341  }
342  }
343  // No existing user found => return first name
344  return $a_username[0];
345  }
346 
352  protected function updateRequired($a_username)
353  {
354  if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
355  {
356  return true;
357  }
358  // Check attribute mapping on login
359  include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
360  if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
361  {
362  return true;
363  }
364  return false;
365  }
366 
367 
368 }
369 
370 ?>