00001 <?php
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024 include_once('Services/LDAP/classes/class.ilLDAPServer.php');
00025
00034 class ilLDAPRoleGroupMapping
00035 {
00036 private $log = null;
00037 private static $instance = null;
00038 private $servers = null;
00039 private $mappings = array();
00040 private $mapping_members = array();
00041 private $query = array();
00042 private $active_servers = false;
00043
00050 private function __construct()
00051 {
00052 global $ilLog;
00053
00054 $this->log = $ilLog;
00055 $this->initServers();
00056 }
00057
00064 public static function _getInstance()
00065 {
00066 if(is_object(self::$instance))
00067 {
00068 return self::$instance;
00069 }
00070 return self::$instance = new ilLDAPRoleGroupMapping();
00071 }
00072
00082 public function getInfoStrings($a_obj_id,$a_check_type = false)
00083 {
00084 if(!$this->active_servers)
00085 {
00086 return false;
00087 }
00088 if($a_check_type)
00089 {
00090 if(isset($this->mapping_info_strict[$a_obj_id]) and is_array($this->mapping_info_strict[$a_obj_id]))
00091 {
00092 return $this->mapping_info_strict[$a_obj_id];
00093 }
00094 }
00095 else
00096 {
00097 if(isset($this->mapping_info[$a_obj_id]) and is_array($this->mapping_info[$a_obj_id]))
00098 {
00099 return $this->mapping_info[$a_obj_id];
00100 }
00101
00102 }
00103 return false;
00104 }
00105
00106
00116 public function assign($a_role_id,$a_usr_id)
00117 {
00118
00119 if(!$this->active_servers)
00120 {
00121 return false;
00122 }
00123
00124 if(!$this->isHandledRole($a_role_id))
00125 {
00126 return false;
00127 }
00128 if(!$this->isHandledUser($a_usr_id))
00129 {
00130 $this->log->write('LDAP assign: User ID: '.$a_usr_id.' has no LDAP account');
00131 return false;
00132 }
00133 $this->log->write('LDAP assign: User ID: '.$a_usr_id.' Role Id: '.$a_role_id);
00134 $this->assignToGroup($a_role_id,$a_usr_id);
00135
00136 return true;
00137 }
00138
00148 public function deleteRole($a_role_id)
00149 {
00150 global $rbacreview;
00151
00152
00153 if(!$this->active_servers)
00154 {
00155 return false;
00156 }
00157
00158 if(!$this->isHandledRole($a_role_id))
00159 {
00160 return false;
00161 }
00162
00163 foreach($rbacreview->assignedUsers($a_role_id) as $usr_id)
00164 {
00165 $this->deassign($a_role_id,$usr_id);
00166 }
00167 return true;
00168 }
00169
00170
00180 public function deassign($a_role_id,$a_usr_id)
00181 {
00182
00183 if(!$this->active_servers)
00184 {
00185 return false;
00186 }
00187 if(!$this->isHandledRole($a_role_id))
00188 {
00189 return false;
00190 }
00191 if(!$this->isHandledUser($a_usr_id))
00192 {
00193 return false;
00194 }
00195 $this->log->write('LDAP deassign: User ID: '.$a_usr_id.' Role Id: '.$a_role_id);
00196 $this->deassignFromGroup($a_role_id,$a_usr_id);
00197
00198 return true;
00199 }
00200
00207 public function deleteUser($a_usr_id)
00208 {
00209 foreach($this->mappings as $role_id => $data)
00210 {
00211 $this->deassign($role_id,$a_usr_id);
00212 }
00213 return true;
00214 }
00215
00216
00224 private function initServers()
00225 {
00226 $server_ids = ilLDAPServer::_getRoleSyncServerIds();
00227
00228 if(!count($server_ids))
00229 {
00230 return false;
00231 }
00232
00233
00234 include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');
00235
00236 $this->active_servers = true;
00237 $this->mappings = array();
00238 foreach($server_ids as $server_id)
00239 {
00240 $this->servers[$server_id] = new ilLDAPServer($server_id);
00241 $this->mappings = ilLDAPRoleGroupMappingSettings::_getAllActiveMappings();
00242 }
00243 $this->mapping_info = array();
00244 $this->mapping_info_strict = array();
00245 foreach($this->mappings as $mapping)
00246 {
00247 foreach($mapping as $key => $data)
00248 {
00249 if(strlen($data['info']) and $data['object_id'])
00250 {
00251 $this->mapping_info[$data['object_id']][] = $data['info'];
00252 }
00253 if(strlen($data['info']) && ($data['info_type'] == ilLDAPRoleGroupMappingSettings::MAPPING_INFO_ALL))
00254 {
00255 $this->mapping_info_strict[$data['object_id']][] = $data['info'];
00256 }
00257 }
00258 }
00259 $this->users = ilObjUser::_getExternalAccountsByAuthMode('ldap',true);
00260
00261 return true;
00262 }
00263
00272 private function isHandledRole($a_role_id)
00273 {
00274 return array_key_exists($a_role_id,$this->mappings);
00275 }
00276
00282 private function isHandledUser($a_usr_id)
00283 {
00284 return array_key_exists($a_usr_id,$this->users);
00285 }
00286
00287
00295 private function assignToGroup($a_role_id,$a_usr_id)
00296 {
00297 foreach($this->mappings[$a_role_id] as $data)
00298 {
00299 try
00300 {
00301 if($data['isdn'])
00302 {
00303 $external_account = $this->readDN($a_usr_id,$data['server_id']);
00304 }
00305 else
00306 {
00307 $external_account = $this->users[$a_usr_id];
00308 }
00309
00310
00311 #if($this->isMember($external_account,$data))
00312 #{
00313 # $this->log->write("LDAP assign: User already assigned to group '".$data['dn']."'");
00314 #}
00315 #else
00316 {
00317
00318 $query_obj = $this->getLDAPQueryInstance($data['server_id'],$data['url']);
00319 $query_obj->modAdd($data['dn'],array($data['member'] => $external_account));
00320 $this->log->write('LDAP assign: Assigned '.$external_account.' to group '.$data['dn']);
00321 }
00322 }
00323 catch(ilLDAPQueryException $exc)
00324 {
00325 $this->log->write($exc->getMessage());
00326
00327 continue;
00328 }
00329 }
00330 }
00331
00340 private function deassignFromGroup($a_role_id,$a_usr_id)
00341 {
00342 foreach($this->mappings[$a_role_id] as $data)
00343 {
00344 try
00345 {
00346 if($data['isdn'])
00347 {
00348 $external_account = $this->readDN($a_usr_id,$data['server_id']);
00349 }
00350 else
00351 {
00352 $external_account = $this->users[$a_usr_id];
00353 }
00354
00355
00356 if($role_id = $this->checkOtherMembership($a_usr_id,$a_role_id,$data))
00357 {
00358 $this->log->write('LDAP deassign: User is still assigned to role "'.$role_id.'".');
00359 continue;
00360 }
00361
00362
00363
00364
00365
00366
00367
00368
00369 $query_obj = $this->getLDAPQueryInstance($data['server_id'],$data['url']);
00370 $query_obj->modDelete($data['dn'],array($data['member'] => $external_account));
00371 $this->log->write('LDAP deassign: Deassigned '.$external_account.' from group '.$data['dn']);
00372
00373
00374 if(is_array($this->mapping_members[$data['mapping_id']]))
00375 {
00376 $key = array_search($external_account,$this->mapping_members[$data['mapping_id']]);
00377 if($key or $key === 0)
00378 {
00379 unset($this->mapping_members[$data['mapping_id']]);
00380 }
00381 }
00382
00383 }
00384 catch(ilLDAPQueryException $exc)
00385 {
00386 $this->log->write($exc->getMessage());
00387
00388 continue;
00389 }
00390 }
00391 }
00392
00399 private function isMember($a_uid,$data)
00400 {
00401 if(!isset($this->mapping_members["$data[mapping_id]"]))
00402 {
00403
00404 try
00405 {
00406 $server = $this->servers["$data[server_id]"];
00407 $query_obj = $this->getLDAPQueryInstance($data['server_id'],$server->getUrl());
00408
00409
00410 $res = $query_obj->query($data['dn'],
00411 '(objectClass=*)',
00412 IL_LDAP_SCOPE_BASE,
00413 array($data['member']));
00414
00415 $this->storeMembers($data['mapping_id'],$res->get());
00416 unset($res);
00417 }
00418 catch(ilLDAPQueryException $exc)
00419 {
00420 throw $exc;
00421 }
00422 }
00423 #var_dump("<pre>",$a_uid,$this->mapping_members,"</pre>");
00424
00425
00426 if(in_array($a_uid,$this->mapping_members["$data[mapping_id]"]))
00427 {
00428 return true;
00429 }
00430 return false;
00431 }
00432
00440 private function checkOtherMembership($a_usr_id,$a_role_id,$a_data)
00441 {
00442 global $rbacreview,$ilObjDataCache;
00443
00444 foreach($this->mappings as $role_id => $tmp_data)
00445 {
00446 foreach($tmp_data as $data)
00447 {
00448 if($role_id == $a_role_id)
00449 {
00450 continue;
00451 }
00452 if($data['server_id'] != $a_data['server_id'])
00453 {
00454 continue;
00455 }
00456 if($data['dn'] != $a_data['dn'])
00457 {
00458 continue;
00459 }
00460 if($rbacreview->isAssigned($a_usr_id,$role_id))
00461 {
00462 return $ilObjDataCache->lookupTitle($role_id);
00463 }
00464 }
00465 }
00466 return false;
00467
00468 }
00469
00476 private function storeMembers($a_mapping_id,$a_data)
00477 {
00478 $this->mapping_members[$a_mapping_id] = array();
00479 foreach($a_data as $field => $value)
00480 {
00481 if(strtolower($field) == 'dn')
00482 {
00483 continue;
00484 }
00485
00486 if(!is_array($value))
00487 {
00488 $this->mapping_members[$a_mapping_id][] = $value;
00489 continue;
00490 }
00491 foreach($value as $external_account)
00492 {
00493 $this->mapping_members[$a_mapping_id][] = $external_account;
00494 }
00495 }
00496 return true;
00497 }
00498
00507 private function readDN($a_usr_id,$a_server_id)
00508 {
00509 if(isset($this->user_dns[$a_usr_id]))
00510 {
00511 return $this->user_dns[$a_usr_id];
00512 }
00513
00514 $external_account = $this->users[$a_usr_id];
00515
00516 try
00517 {
00518 $server = $this->servers[$a_server_id];
00519 $query_obj = $this->getLDAPQueryInstance($a_server_id,$server->getUrl());
00520
00521 if($search_base = $server->getSearchBase())
00522 {
00523 $search_base .= ',';
00524 }
00525 $search_base .= $server->getBaseDN();
00526
00527 $filter = sprintf('(&(%s=%s)%s)',
00528 $server->getUserAttribute(),
00529 $external_account,
00530 $server->getFilter());
00531
00532 $res = $query_obj->query($search_base,$filter,$server->getUserScope(),array('dn'));
00533
00534 if(!$res->numRows())
00535 {
00536 include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
00537 throw new ilLDAPQueryException(__METHOD__.' cannot find dn for user '.$external_account);
00538 }
00539 if($res->numRows() > 1)
00540 {
00541 include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
00542 throw new ilLDAPQueryException(__METHOD__.' found multiple distinguished name for: '.$external_account);
00543 }
00544
00545 $data = $res->get();
00546 return $this->user_dns[$a_usr_id] = $data['dn'];
00547 }
00548 catch(ilLDAPQueryException $exc)
00549 {
00550 throw $exc;
00551 }
00552 }
00553
00561 private function getLDAPQueryInstance($a_server_id,$a_url)
00562 {
00563 include_once 'Services/LDAP/classes/class.ilLDAPQuery.php';
00564
00565 if(array_key_exists($a_server_id,$this->query) and
00566 array_key_exists($a_url,$this->query[$a_server_id]) and
00567 is_object($this->query[$a_server_id][$a_url]))
00568 {
00569 return $this->query[$a_server_id][$a_url];
00570 }
00571 try
00572 {
00573 $tmp_query = new ilLDAPQuery($this->servers[$a_server_id],$a_url);
00574 $tmp_query->bind(IL_LDAP_BIND_ADMIN);
00575 }
00576 catch(ilLDAPQueryException $exc)
00577 {
00578 throw $exc;
00579 }
00580 return $this->query[$a_server_id][$a_url] = $tmp_query;
00581 }
00582
00583 }
00584
00585
00586 ?>
