ILIAS  Release_4_1_x_branch Revision 61804
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilAuthContainerLDAP.php
Go to the documentation of this file.
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
24 include_once 'Auth/Container/LDAP.php';
25 
36 class ilAuthContainerLDAP extends Auth_Container_LDAP
37 {
38  private static $force_creation = false;
39 
40  private $optional_check = false;
41 
42  private $log = null;
43  private $server = null;
44  private $ldap_attr_to_user = null;
45 
46 
54  public function __construct()
55  {
56  global $ilLog;
57 
58  include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
59  $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
60  $this->server->doConnectionCheck();
61  $this->log = $ilLog;
62 
63  parent::__construct($this->server->toPearAuthArray());
64  }
65 
66  public function forceCreation($a_status)
67  {
68  self::$force_creation = $a_status;
69  }
70 
78  public function enableOptionalGroupCheck()
79  {
80  $this->optional_check = true;
81  $this->updateUserFilter();
82  }
83 
90  public function enabledOptionalGroupCheck()
91  {
92  return (bool) $this->optional_check;
93  }
94 
101  public function fetchData($username, $password)
102  {
103  $res = parent::fetchData($username,$password);
104 
105  if (PEAR::isError($res))
106  {
107  $this->log('Container '.$key.': '.$res->getMessage(), AUTH_LOG_ERR);
108  return $res;
109  }
110  elseif ($res == true)
111  {
112  $this->log('Container '.$key.': Authentication successful.', AUTH_LOG_DEBUG);
113  return true;
114  }
115  if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
116  {
117  $this->enableOptionalGroupCheck();
118  return parent::fetchData($username,$password);
119  }
120  return false;
121  }
122 
123 
132  public function checkGroup($a_name)
133  {
134  $this->log->write(__METHOD__.': checking group restrictions...');
135 
136  // if there are multiple groups define check all of them for membership
137  $groups = $this->server->getGroupNames();
138 
139  if(!count($groups))
140  {
141  $this->log->write(__METHOD__.': No group restrictions found.');
142  return true;
143  }
144  elseif($this->server->isMembershipOptional() and !$this->optional_check)
145  {
146  $this->log->write(__METHOD__.': Group membership is optional.');
147  return true;
148  }
149 
150  foreach($groups as $group)
151  {
152  $this->options['group'] = $group;
153 
154  if(parent::checkGroup($a_name))
155  {
156  return true;
157  }
158  }
159  return false;
160  }
161 
168  private function updateUserFilter()
169  {
170  $this->options['userfilter'] = $this->server->getGroupUserFilter();
171  }
172 
178  public function loginObserver($a_username,$a_auth)
179  {
180  global $ilBench;
181  global $ilLog;
182 
183  $ilBench->start('Auth','LDAPLoginObserver');
184  $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
185 
186  $a_username = $this->extractUserName($user_data);
187 
188  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
189  $users[$a_username] = $user_data;
190 
191  if($this->server->enabledSyncOnLogin())
192  {
193  if(!$user_data['ilInternalAccount'] and
194  $this->server->isAccountMigrationEnabled() and
195  !self::$force_creation)
196  {
197  $a_auth->logout();
198  $_SESSION['tmp_auth_mode'] = 'ldap';
199  $_SESSION['tmp_external_account'] = $a_username;
200  $_SESSION['tmp_pass'] = $_POST['password'];
201 
202  include_once('./Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php');
203  $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation($a_username, $user_data);
204  $_SESSION['tmp_roles'] = array();
205  foreach($roles as $info)
206  {
207  if($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN)
208  {
209  $_SESSION['tmp_roles'][] = $info['id'];
210  }
211  }
212  $ilBench->stop('Auth','LDAPLoginObserver');
213  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
214  }
215 
216  // Refresh or create user data
217  $ilBench->start('Auth','LDAPUserSynchronization');
218  if($this->updateRequired($a_username))
219  {
220  #$GLOBALS['ilLog']->write(__METHOD__.': Starting update');
221  $this->initLDAPAttributeToUser();
222  $this->ldap_attr_to_user->setUserData($users);
223  $this->ldap_attr_to_user->refresh();
224  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
225  }
226  else
227  {
228  // User exists and no update required
229  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap",$a_username);
230  }
231  $ilBench->stop('Auth','LDAPUserSynchronization');
232  }
233 
234  if(!$user_data['ilInternalAccount'])
235  {
236  // No syncronisation allowed => create Error
237  $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
238  $a_auth->logout();
239  $ilBench->stop('Auth','LDAPLoginObserver');
240  return false;
241  }
242 
243  // Finally setAuth
244  $a_auth->setAuth($user_data['ilInternalAccount']);
245  $ilBench->stop('Auth','LDAPLoginObserver');
246  return true;
247 
248  }
255  private function initLDAPAttributeToUser()
256  {
257  include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
258  $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
259  }
260 
266  public function failedLoginObserver($a_username,$a_auth)
267  {
268  return false;
269  }
270 
276  protected function extractUserName($a_user_data)
277  {
278  $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
279  $a_user_data[strtolower($this->server->getUserAttribute())] :
280  trim($a_user_data);
281 
282  // Support for multiple user attributes
283  if(!is_array($a_username))
284  {
285  return $a_username;
286  }
287  foreach($a_username as $name)
288  {
289  // User found with authentication method 'ldap'
290  if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
291  {
292  return trim($name);
293  }
294  }
295  // No existing user found => return first name
296  return $a_username[0];
297  }
298 
304  protected function updateRequired($a_username)
305  {
306  if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
307  {
308  #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
309  return true;
310  }
311  // Check attribute mapping on login
312  include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
313  if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
314  {
315  #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
316  return true;
317  }
318  include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
319  if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
320  {
321  #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
322  return true;
323  }
324  return false;
325  }
326 }
327 ?>