ILIAS  Release_4_0_x_branch Revision 61816
ilAuthContainerLDAP Class Reference

Overwritten PEAR class AuthContainerLDAP. This class is overwritten to support nested groups.


Public Member Functions

 __construct ()
 Constructor.
 forceCreation ($a_status)
 enableOptionalGroupCheck ()
 Enable optional group check.
 enabledOptionalGroupCheck ()
 Check if optional group check is enabled.
 fetchData ($username, $password)
 Overwritten from base class.
 checkGroup ($a_name)
 Check group; overwritten from base class.
 loginObserver ($a_username, $a_auth)
 Called from fetchData after successful login.
 failedLoginObserver ($a_username, $a_auth)
 Called from fetchData after failed login.
- Public Member Functions inherited from Auth_Container_LDAP
 Auth_Container_LDAP ($params)
 Constructor of the container class.
 _prepare ()
 Prepare LDAP connection.
 _connect ()
 Connect to the LDAP server using the global options.
 _disconnect ()
 Disconnects (unbinds) from ldap server.
 _getBaseDN ()
 Tries to find Basedn via namingContext Attribute.
 _isValidLink ()
 Determines whether there is a valid LDAP connection or not.
 _setDefaults ()
 Set some default options.
 _parseOptions ($array)
 Parse options passed to the container class.
 _setV12OptionsToV13 ($array)
 Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP.
 _scope2function ($scope)
 Get search function for scope.
 _quoteFilterString ($filter_str)
 Escapes LDAP filter special characters as defined in RFC 2254.
- Public Member Functions inherited from Auth_Container
 Auth_Container ()
 Constructor.
 fetchData ($username, $password, $isChallengeResponse=false)
 Fetch data from storage container.
 verifyPassword ($password1, $password2, $cryptType="md5")
 Crypt and verify the entered password.
 supportsChallengeResponse ()
 Returns true if the container supports Challenge Response password authentication.
 getCryptType ()
 Returns the current crypt type of the container.
 listUsers ()
 List all users that are available from the storage container.
 getUser ($username)
 Returns a user assoc array.
 addUser ($username, $password, $additional=null)
 Add a new user to the storage container.
 removeUser ($username)
 Remove user from the storage container.
 changePassword ($username, $password)
 Change password for user in the storage container.
 log ($message, $level=AUTH_LOG_DEBUG)
 Log a message to the Auth log.
- Public Member Functions inherited from ilAuthContainerBase
 checkAuthObserver ($a_username, $a_auth)
 Called after check auth requests.
 logoutObserver ($a_username, $a_auth)
 Called after logout.

Protected Member Functions

 extractUserName ($a_user_data)
 updateRequired ($a_username)
 Check if an update is required.

Private Member Functions

 updateUserFilter ()
 Update user filter.
 initLDAPAttributeToUser ()
 Init LDAP attribute mapping.

Private Attributes

 $optional_check = false
 $log = null
 $server = null
 $ldap_attr_to_user = null

Static Private Attributes

static $force_creation = false

Additional Inherited Members

- Data Fields inherited from Auth_Container_LDAP
 $options = array()
 $conn_id = false

Detailed Description

Overwritten PEAR class AuthContainerLDAP. This class is overwritten to support nested groups.

Author
Stefan Meyer <smeyer.ilias@gmx.de>
Version
$Id$

Definition at line 36 of file class.ilAuthContainerLDAP.php.

Constructor & Destructor Documentation

ilAuthContainerLDAP::__construct ( )

Constructor.

public

Parameters
array array of PEAR parameters

Definition at line 54 of file class.ilAuthContainerLDAP.php.

References $ilLog, ilLDAPServer\_getFirstActiveServer(), and Auth_Container\log().

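{
    global $ilLog;

    include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
    // Assignment missing from this listing; restored from the reference to
    // ilLDAPServer::_getFirstActiveServer() listed above.
    $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
    $this->server->doConnectionCheck();
    $this->log = $ilLog;
    // Hand the server settings to the PEAR container as its option array
    parent::__construct($this->server->toPearAuthArray());
}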


Member Function Documentation

ilAuthContainerLDAP::checkGroup (   $a_name)

Check group; overwritten from base class.

public

Parameters
string user name (DN or external account name)

Reimplemented from Auth_Container_LDAP.

Definition at line 132 of file class.ilAuthContainerLDAP.php.

References $optional_check, elseif(), and Auth_Container\log().

{
    $this->log->write(__METHOD__.': checking group restrictions...');

    // If multiple groups are defined, check all of them for membership
    $groups = $this->server->getGroupNames();
    if(!count($groups))
    {
        // No groups configured: every authenticated LDAP user passes
        $this->log->write(__METHOD__.': No group restrictions found.');
        return true;
    }
    elseif($this->server->isMembershipOptional() and !$this->optional_check)
    {
        // Membership is optional and the optional check has not been enabled:
        // the group restriction is not enforced
        $this->log->write(__METHOD__.': Group membership is optional.');
        return true;
    }
    foreach($groups as $group)
    {
        // Membership in any one of the configured groups is sufficient
        $this->options['group'] = $group;
        if(parent::checkGroup($a_name))
        {
            return true;
        }
    }
    return false;
}


ilAuthContainerLDAP::enabledOptionalGroupCheck ( )

Check if optional group check is enabled.

public

Definition at line 90 of file class.ilAuthContainerLDAP.php.

References $optional_check.

Referenced by fetchData().

{
return (bool) $this->optional_check;
}


ilAuthContainerLDAP::enableOptionalGroupCheck ( )

Enable optional group check.

public

Definition at line 78 of file class.ilAuthContainerLDAP.php.

References updateUserFilter().

Referenced by fetchData().

{
$this->optional_check = true;
$this->updateUserFilter();
}


ilAuthContainerLDAP::extractUserName (   $a_user_data)
protected
Returns
string LDAP username

Definition at line 276 of file class.ilAuthContainerLDAP.php.

References $name, and ilObjUser\_checkExternalAuthAccount().

Referenced by loginObserver().

{
    $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
        $a_user_data[strtolower($this->server->getUserAttribute())] :
        trim($a_user_data);

    // Support for multiple user attributes
    if(!is_array($a_username))
    {
        return $a_username;
    }
    foreach($a_username as $name)
    {
        // User found with authentication method 'ldap'
        // (condition missing from this listing; restored from the reference to
        // ilObjUser::_checkExternalAuthAccount() listed above)
        if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
        {
            return trim($name);
        }
    }
    // No existing user found => return first name
    return $a_username[0];
}


ilAuthContainerLDAP::failedLoginObserver (   $a_username,
  $a_auth 
)

Called from fetchData after failed login.

Parameters
string username
object PEAR auth object

Reimplemented from ilAuthContainerBase.

Definition at line 266 of file class.ilAuthContainerLDAP.php.

{
return false;
}
ilAuthContainerLDAP::fetchData (   $username,
  $password 
)

Overwritten from base class.

Parameters
object $username
object $password

Reimplemented from Auth_Container_LDAP.

Definition at line 101 of file class.ilAuthContainerLDAP.php.

References $key, $password, $res, AUTH_LOG_DEBUG, elseif(), enabledOptionalGroupCheck(), enableOptionalGroupCheck(), PEAR\isError(), and Auth_Container\log().

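{
    // The next two statements are missing from this listing; they are restored
    // from the references to $res and PEAR::isError() listed above.
    $res = parent::fetchData($username,$password);
    if (PEAR::isError($res))
    {
        $this->log('Container '.$key.': '.$res->getMessage(), AUTH_LOG_ERR);
        return $res;
    }
    elseif ($res == true)
    {
        $this->log('Container '.$key.': Authentication successful.', AUTH_LOG_DEBUG);
        return true;
    }
    // First attempt failed: if group membership is optional, retry once with
    // the group user filter and the group check enforced
    if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
    {
        // Call restored from the reference to enableOptionalGroupCheck() listed above
        $this->enableOptionalGroupCheck();
        return parent::fetchData($username,$password);
    }
    return false;
}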


ilAuthContainerLDAP::forceCreation (   $a_status)

Definition at line 66 of file class.ilAuthContainerLDAP.php.

{
self::$force_creation = $a_status;
}
ilAuthContainerLDAP::initLDAPAttributeToUser ( )
private

Init LDAP attribute mapping.

private

Definition at line 255 of file class.ilAuthContainerLDAP.php.

Referenced by loginObserver().

{
include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
$this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
}


ilAuthContainerLDAP::loginObserver (   $a_username,
  $a_auth 
)

Called from fetchData after successful login.

Parameters
string username

Reimplemented from ilAuthContainerBase.

Definition at line 178 of file class.ilAuthContainerLDAP.php.

References $_POST, $_SESSION, $force_creation, $ilBench, $ilLog, ilObjUser\_checkExternalAuthAccount(), AUTH_LDAP_NO_ILIAS_USER, extractUserName(), ilLDAPRoleAssignmentRules\getAssignmentsForCreation(), initLDAPAttributeToUser(), ilUtil\redirect(), ilLDAPRoleAssignmentRules\ROLE_ACTION_ASSIGN, and updateRequired().

{
    global $ilBench;
    global $ilLog;

    $ilBench->start('Auth','LDAPLoginObserver');
    $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
    $a_username = $this->extractUserName($user_data);
    // Look up the ILIAS account mapped to this external LDAP account
    $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
    $users[$a_username] = $user_data;

    if($this->server->enabledSyncOnLogin())
    {
        // Third condition missing from this listing; restored from the
        // reference to $force_creation listed above.
        if(!$user_data['ilInternalAccount'] and
            $this->server->isAccountMigrationEnabled() and
            !self::$force_creation)
        {
            $a_auth->logout();
            $_SESSION['tmp_auth_mode'] = 'ldap';
            $_SESSION['tmp_external_account'] = $a_username;
            // The cleartext password from the login form is kept in the session
            // for the account migration step
            $_SESSION['tmp_pass'] = $_POST['password'];

            include_once('./Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php');
            $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation($a_username, $user_data);
            $_SESSION['tmp_roles'] = array();
            foreach($roles as $info)
            {
                // Condition missing from this listing; restored from the
                // reference to ROLE_ACTION_ASSIGN listed above.
                if($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN)
                {
                    $_SESSION['tmp_roles'][] = $info['id'];
                }
            }
            $ilBench->stop('Auth','LDAPLoginObserver');
            ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
        }

        // Refresh or create user data
        $ilBench->start('Auth','LDAPUserSynchronization');
        if($this->updateRequired($a_username))
        {
            #$GLOBALS['ilLog']->write(__METHOD__.': Starting update');
            // Call missing from this listing; restored from the reference to
            // initLDAPAttributeToUser() listed above.
            $this->initLDAPAttributeToUser();
            $this->ldap_attr_to_user->setUserData($users);
            $this->ldap_attr_to_user->refresh();
            $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
        }
        else
        {
            // User exists and no update required
            $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
        }
        $ilBench->stop('Auth','LDAPUserSynchronization');
    }

    if(!$user_data['ilInternalAccount'])
    {
        // No synchronisation allowed => create Error
        $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
        $a_auth->logout();
        $ilBench->stop('Auth','LDAPLoginObserver');
        return false;
    }

    // Finally setAuth
    $a_auth->setAuth($user_data['ilInternalAccount']);
    $ilBench->stop('Auth','LDAPLoginObserver');
    return true;
}


ilAuthContainerLDAP::updateRequired (   $a_username)
protected

Check if an update is required.

Parameters
string $a_username

Definition at line 304 of file class.ilAuthContainerLDAP.php.

References ilObjUser\_checkExternalAuthAccount(), ilLDAPRoleAssignmentRule\hasRulesForUpdate(), and ilLDAPAttributeMapping\hasRulesForUpdate().

Referenced by loginObserver().

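{
    // No ILIAS account is mapped to this LDAP account yet
    if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
    {
        #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
        return true;
    }
    // Check attribute mapping on login
    include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
    if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
    {
        #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
        return true;
    }
    include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
    // Condition missing from this listing; restored from the reference to
    // ilLDAPRoleAssignmentRule::hasRulesForUpdate() listed above. The
    // argument list is an assumption.
    if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
    {
        #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
        return true;
    }
    return false;
}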


ilAuthContainerLDAP::updateUserFilter ( )
private

Update user filter.

private

Definition at line 168 of file class.ilAuthContainerLDAP.php.

Referenced by enableOptionalGroupCheck().

{
$this->options['userfilter'] = $this->server->getGroupUserFilter();
}


Field Documentation

ilAuthContainerLDAP::$force_creation = false
static private

Definition at line 38 of file class.ilAuthContainerLDAP.php.

Referenced by loginObserver().

ilAuthContainerLDAP::$ldap_attr_to_user = null
private

Definition at line 44 of file class.ilAuthContainerLDAP.php.

ilAuthContainerLDAP::$log = null
private

Definition at line 42 of file class.ilAuthContainerLDAP.php.

ilAuthContainerLDAP::$optional_check = false
private

Definition at line 40 of file class.ilAuthContainerLDAP.php.

Referenced by checkGroup(), and enabledOptionalGroupCheck().

ilAuthContainerLDAP::$server = null
private

Definition at line 43 of file class.ilAuthContainerLDAP.php.


The documentation for this class was generated from the following file: