ILIAS  Release_4_1_x_branch Revision 61804
ilLDAPRoleGroupMapping Class Reference

Public Member Functions

 getInfoStrings ($a_obj_id, $a_check_type=false)
 Get the info strings for an object. If check info type is enabled, only info strings whose info type makes them visible in the repository are returned.
 assign ($a_role_id, $a_usr_id)
 This method is typically called from class RbacAdmin::assignUser(). It checks if there is a role mapping and if the user has auth mode LDAP. After these checks the user is assigned to the LDAP group.
 deleteRole ($a_role_id)
 Delete role.
 deassign ($a_role_id, $a_usr_id)
 This method is typically called from class RbacAdmin::deassignUser(). It checks if there is a role mapping and if the user has auth mode LDAP. After these checks the user is deassigned from the LDAP group.
 deleteUser ($a_usr_id)
 Delete user: deassign from all LDAP groups.

Static Public Member Functions

static _getInstance ()
 Get singleton instance of this class.

Private Member Functions

 __construct ()
 Singleton constructor.
 initServers ()
 Check if there is any active server with role synchronization enabled and load its mappings.
 isHandledRole ($a_role_id)
 Check if a role is handled or not.
 isHandledUser ($a_usr_id)
 Check if the user is an LDAP user.
 assignToGroup ($a_role_id, $a_usr_id)
 Assign user to group.
 deassignFromGroup ($a_role_id, $a_usr_id)
 Deassign user from group.
 isMember ($a_uid, $data)
 Check if the user is a member of the mapped group.
 checkOtherMembership ($a_usr_id, $a_role_id, $a_data)
 Check whether another mapped role still grants membership of the same group.
 storeMembers ($a_mapping_id, $a_data)
 Store members.
 readDN ($a_usr_id, $a_server_id)
 Read DN of user.
 getLDAPQueryInstance ($a_server_id, $a_url)
 Get an ilLDAPQuery instance bound as admin.

Private Attributes

 $log = null
 $servers = null
 $mappings = array()
 $mapping_members = array()
 $query = array()
 $active_servers = false

Static Private Attributes

static $instance = null

Detailed Description

Author
Stefan Meyer meyer@leifos.com
Version
$Id$

Definition at line 34 of file class.ilLDAPRoleGroupMapping.php.

Constructor & Destructor Documentation

ilLDAPRoleGroupMapping::__construct ( )
private

Singleton constructor.

private

Definition at line 50 of file class.ilLDAPRoleGroupMapping.php.

References $ilLog, and initServers().

{
    global $ilLog;
    $this->log = $ilLog;
    $this->initServers();
}


Member Function Documentation

static ilLDAPRoleGroupMapping::_getInstance ( )
static

Get singleton instance of this class.

public

Definition at line 64 of file class.ilLDAPRoleGroupMapping.php.

References $instance.

Referenced by ilRbacAdmin\assignUser(), ilRbacAdmin\deassignUser(), ilObjUser\delete(), ilRbacAdmin\deleteRole(), ilObjectListGUI\ilObjectListGUI(), and ilInfoScreenGUI\showLDAPRoleGroupMappingInfo().

{
    if(is_object(self::$instance))
    {
        return self::$instance;
    }
    return self::$instance = new ilLDAPRoleGroupMapping();
}


ilLDAPRoleGroupMapping::assign (   $a_role_id,
  $a_usr_id 
)

This method is typically called from class RbacAdmin::assignUser(). It checks if there is a role mapping and if the user has auth mode LDAP. After these checks the user is assigned to the LDAP group.

public


Definition at line 116 of file class.ilLDAPRoleGroupMapping.php.

References assignToGroup(), isHandledRole(), and isHandledUser().

{
    // return if there is nothing to do
    if(!$this->active_servers)
    {
        return false;
    }
    if(!$this->isHandledRole($a_role_id))
    {
        return false;
    }
    if(!$this->isHandledUser($a_usr_id))
    {
        $this->log->write('LDAP assign: User ID: '.$a_usr_id.' has no LDAP account');
        return false;
    }
    $this->log->write('LDAP assign: User ID: '.$a_usr_id.' Role Id: '.$a_role_id);
    $this->assignToGroup($a_role_id,$a_usr_id);
    return true;
}


ilLDAPRoleGroupMapping::assignToGroup (   $a_role_id,
  $a_usr_id 
)
private

Assign user to group.

private

Parameters
int role_id
int user_id

Definition at line 295 of file class.ilLDAPRoleGroupMapping.php.

References $data, getLDAPQueryInstance(), and readDN().

Referenced by assign().

{
    foreach($this->mappings[$a_role_id] as $data)
    {
        try
        {
            if($data['isdn'])
            {
                $external_account = $this->readDN($a_usr_id,$data['server_id']);
            }
            else
            {
                $external_account = $this->users[$a_usr_id];
            }
            // Forcing modAdd since Active Directory is too slow and I cannot check if a user is a member or not.
            #if($this->isMember($external_account,$data))
            #{
            #    $this->log->write("LDAP assign: User already assigned to group '".$data['dn']."'");
            #}
            #else
            {
                // Add user (if the server rejects the add, e.g. because the value
                // already exists, the exception is logged below and the next mapping is tried)
                $query_obj = $this->getLDAPQueryInstance($data['server_id'],$data['url']);
                $query_obj->modAdd($data['dn'],array($data['member'] => $external_account));
                $this->log->write('LDAP assign: Assigned '.$external_account.' to group '.$data['dn']);
            }
        }
        catch(ilLDAPQueryException $exc)
        {
            $this->log->write($exc->getMessage());
            // try next mapping
            continue;
        }
    }
}


ilLDAPRoleGroupMapping::checkOtherMembership (   $a_usr_id,
  $a_role_id,
  $a_data 
)
private

Check other membership.

private

Returns
string title of another role that is assigned to the user and mapped to the same LDAP group (same server_id and dn), or false if there is none

Definition at line 440 of file class.ilLDAPRoleGroupMapping.php.

References $data.

Referenced by deassignFromGroup().

{
    global $rbacreview,$ilObjDataCache;
    foreach($this->mappings as $role_id => $tmp_data)
    {
        foreach($tmp_data as $data)
        {
            if($role_id == $a_role_id)
            {
                continue;
            }
            if($data['server_id'] != $a_data['server_id'])
            {
                continue;
            }
            if($data['dn'] != $a_data['dn'])
            {
                continue;
            }
            if($rbacreview->isAssigned($a_usr_id,$role_id))
            {
                return $ilObjDataCache->lookupTitle($role_id);
            }
        }
    }
    return false;
}


ilLDAPRoleGroupMapping::deassign (   $a_role_id,
  $a_usr_id 
)

This method is typically called from class RbacAdmin::deassignUser(). It checks if there is a role mapping and if the user has auth mode LDAP. After these checks the user is deassigned from the LDAP group.

public


Definition at line 180 of file class.ilLDAPRoleGroupMapping.php.

References deassignFromGroup(), isHandledRole(), and isHandledUser().

Referenced by deleteRole(), and deleteUser().

{
    // return if there is nothing to do
    if(!$this->active_servers)
    {
        return false;
    }
    if(!$this->isHandledRole($a_role_id))
    {
        return false;
    }
    if(!$this->isHandledUser($a_usr_id))
    {
        return false;
    }
    $this->log->write('LDAP deassign: User ID: '.$a_usr_id.' Role Id: '.$a_role_id);
    $this->deassignFromGroup($a_role_id,$a_usr_id);
    return true;
}


ilLDAPRoleGroupMapping::deassignFromGroup (   $a_role_id,
  $a_usr_id 
)
private

Deassign user from group.

private

Parameters
int role_id
int user_id

Definition at line 340 of file class.ilLDAPRoleGroupMapping.php.

References $data, checkOtherMembership(), getLDAPQueryInstance(), and readDN().

Referenced by deassign().

{
    foreach($this->mappings[$a_role_id] as $data)
    {
        try
        {
            if($data['isdn'])
            {
                $external_account = $this->readDN($a_usr_id,$data['server_id']);
            }
            else
            {
                $external_account = $this->users[$a_usr_id];
            }
            // Check for other role membership: checkOtherMembership() returns the title
            // of another assigned role mapped to the same group, or false
            if($role_id = $this->checkOtherMembership($a_usr_id,$a_role_id,$data))
            {
                $this->log->write('LDAP deassign: User is still assigned to role "'.$role_id.'".');
                continue;
            }
            /*
            if(!$this->isMember($external_account,$data))
            {
                $this->log->write("LDAP deassign: User not assigned to group '".$data['dn']."'");
                continue;
            }
            */
            // Deassign user
            $query_obj = $this->getLDAPQueryInstance($data['server_id'],$data['url']);
            $query_obj->modDelete($data['dn'],array($data['member'] => $external_account));
            $this->log->write('LDAP deassign: Deassigned '.$external_account.' from group '.$data['dn']);
            // Drop the cached member list of this mapping so isMember() re-reads it
            if(is_array($this->mapping_members[$data['mapping_id']]))
            {
                $key = array_search($external_account,$this->mapping_members[$data['mapping_id']]);
                if($key or $key === 0)
                {
                    unset($this->mapping_members[$data['mapping_id']]);
                }
            }
        }
        catch(ilLDAPQueryException $exc)
        {
            $this->log->write($exc->getMessage());
            // try next mapping
            continue;
        }
    }
}
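The guard in deassignFromGroup() and checkOtherMembership() above decides when taking an ILIAS role away from a user actually removes that user from the directory group: only when no other ILIAS role that maps to the same group (same server_id and dn) is still assigned. The following is an added example, not ILIAS code, that models that decision on constructed data. $mappings stands in for the rows initServers() loads, $assignments for $rbacreview->isAssigned(), and the role ids, DNs and function names are chosen here. Requires PHP 7.1 or later.

```php
<?php
// Added example (not ILIAS code): models deassign() -> deassignFromGroup() ->
// checkOtherMembership(). A user leaves an LDAP group only when no OTHER ILIAS
// role mapped to the same (server_id, dn) is still assigned to that user.
// All data below is constructed.

$students = 'cn=students,ou=groups,dc=example,dc=org';
$staff    = 'cn=staff,ou=groups,dc=example,dc=org';

// role_id => mapping rows, shaped like the rows the class iterates
$mappings = [
    101 => [['mapping_id' => 1, 'server_id' => 1, 'dn' => $students, 'member' => 'member']],
    102 => [['mapping_id' => 2, 'server_id' => 1, 'dn' => $students, 'member' => 'member']],
    103 => [['mapping_id' => 3, 'server_id' => 1, 'dn' => $staff,    'member' => 'member']],
    // the same DN on a different server is a different group
    104 => [['mapping_id' => 4, 'server_id' => 2, 'dn' => $students, 'member' => 'member']],
];

// usr_id => role ids assigned in ILIAS (stand-in for $rbacreview->isAssigned())
$assignments = [
    7 => [101, 102],   // holds both roles that map to cn=students on server 1
    8 => [101, 104],   // holds cn=students on server 1 and on server 2
    9 => [101, 103],   // holds cn=students and cn=staff
];

function isAssigned(array $assignments, int $usrId, int $roleId): bool
{
    return in_array($roleId, $assignments[$usrId] ?? [], true);
}

// Counterpart of checkOtherMembership(): id of another role that maps to the
// same (server_id, dn) and is still assigned to the user, or null.
function otherRoleKeepingMembership(array $mappings, array $assignments, int $usrId, int $roleId, array $row): ?int
{
    foreach ($mappings as $otherRoleId => $rows) {
        if ($otherRoleId === $roleId) {
            continue;
        }
        foreach ($rows as $other) {
            if ($other['server_id'] !== $row['server_id'] || $other['dn'] !== $row['dn']) {
                continue;
            }
            if (isAssigned($assignments, $usrId, $otherRoleId)) {
                return $otherRoleId;
            }
        }
    }
    return null;
}

// Counterpart of deassignFromGroup(): the "server_id/dn" groups that would
// actually receive a modDelete when $roleId is taken from $usrId.
function groupsToLeave(array $mappings, array $assignments, int $usrId, int $roleId): array
{
    $leave = [];
    foreach ($mappings[$roleId] ?? [] as $row) {
        if (otherRoleKeepingMembership($mappings, $assignments, $usrId, $roleId, $row) !== null) {
            continue;   // another assigned role still needs this group
        }
        $leave[] = $row['server_id'] . '/' . $row['dn'];
    }
    return $leave;
}

foreach ([7, 8, 9] as $usrId) {
    printf("user %d loses role 101 -> leaves: %s\n",
        $usrId, json_encode(groupsToLeave($mappings, $assignments, $usrId, 101)));
}
```

Removing role 101 from user 7 touches no group, because role 102 still maps to the same server and DN; for users 8 and 9 the cn=students entry on server 1 is modified, since a mapping on another server or to another DN does not count. Note that the real guard reads the live ILIAS assignment table through $rbacreview->isAssigned() at the moment deassign() runs, so the outcome depends on whether the user's other role assignments have already been removed at that point; deleteUser(), which walks every mapped role for one user, is the path to check for this.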


ilLDAPRoleGroupMapping::deleteRole (   $a_role_id)

Delete role.

This function is triggered from ilRbacAdmin::deleteRole. It deassigns all users from the mapped LDAP group.

public

Parameters
int role id

Definition at line 148 of file class.ilLDAPRoleGroupMapping.php.

References $usr_id, deassign(), and isHandledRole().

{
    global $rbacreview;
    // return if there is nothing to do
    if(!$this->active_servers)
    {
        return false;
    }
    if(!$this->isHandledRole($a_role_id))
    {
        return false;
    }
    foreach($rbacreview->assignedUsers($a_role_id) as $usr_id)
    {
        $this->deassign($a_role_id,$usr_id);
    }
    return true;
}


ilLDAPRoleGroupMapping::deleteUser (   $a_usr_id)

Delete user => deassign from all ldap groups.

public

Parameters
int user id

Definition at line 207 of file class.ilLDAPRoleGroupMapping.php.

References $data, and deassign().

{
    foreach($this->mappings as $role_id => $data)
    {
        $this->deassign($role_id,$a_usr_id);
    }
    return true;
}


ilLDAPRoleGroupMapping::getInfoStrings (   $a_obj_id,
  $a_check_type = false 
)

Get the info strings for an object. If check info type is enabled, only info strings whose info type makes them visible in the repository (MAPPING_INFO_ALL) are returned.

public

Parameters
int object id
bool check info type

Definition at line 82 of file class.ilLDAPRoleGroupMapping.php.

{
    if(!$this->active_servers)
    {
        return false;
    }
    if($a_check_type)
    {
        if(isset($this->mapping_info_strict[$a_obj_id]) and is_array($this->mapping_info_strict[$a_obj_id]))
        {
            return $this->mapping_info_strict[$a_obj_id];
        }
    }
    else
    {
        if(isset($this->mapping_info[$a_obj_id]) and is_array($this->mapping_info[$a_obj_id]))
        {
            return $this->mapping_info[$a_obj_id];
        }
    }
    return false;
}

ilLDAPRoleGroupMapping::getLDAPQueryInstance (   $a_server_id,
  $a_url 
)
private

Get LDAPQueryInstance.

private

Exceptions
ilLDAPQueryException

Definition at line 571 of file class.ilLDAPRoleGroupMapping.php.

References IL_LDAP_BIND_ADMIN.

Referenced by assignToGroup(), deassignFromGroup(), isMember(), and readDN().

{
    include_once 'Services/LDAP/classes/class.ilLDAPQuery.php';
    // one bound connection per (server, url) is cached for the lifetime of the singleton
    if(array_key_exists($a_server_id,$this->query) and
        array_key_exists($a_url,$this->query[$a_server_id]) and
        is_object($this->query[$a_server_id][$a_url]))
    {
        return $this->query[$a_server_id][$a_url];
    }
    try
    {
        $tmp_query = new ilLDAPQuery($this->servers[$a_server_id],$a_url);
        $tmp_query->bind(IL_LDAP_BIND_ADMIN);
    }
    catch(ilLDAPQueryException $exc)
    {
        throw $exc;
    }
    return $this->query[$a_server_id][$a_url] = $tmp_query;
}


ilLDAPRoleGroupMapping::initServers ( )
private

Check if there is any active server with role synchronization enabled and load its mappings.

private


Definition at line 224 of file class.ilLDAPRoleGroupMapping.php.

References $data, ilLDAPRoleGroupMappingSettings\_getAllActiveMappings(), ilObjUser\_getExternalAccountsByAuthMode(), ilLDAPServer\_getRoleSyncServerIds(), and ilLDAPRoleGroupMappingSettings\MAPPING_INFO_ALL.

Referenced by __construct().

{
    $server_ids = ilLDAPServer::_getRoleSyncServerIds();
    if(!count($server_ids))
    {
        return false;
    }
    // Init servers
    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');
    $this->active_servers = true;
    $this->mappings = array();
    foreach($server_ids as $server_id)
    {
        $this->servers[$server_id] = new ilLDAPServer($server_id);
    }
    // role_id => mapping rows of all active mappings
    $this->mappings = ilLDAPRoleGroupMappingSettings::_getAllActiveMappings();
    $this->mapping_info = array();
    $this->mapping_info_strict = array();
    foreach($this->mappings as $mapping)
    {
        foreach($mapping as $key => $data)
        {
            if(strlen($data['info']) and $data['object_id'])
            {
                $this->mapping_info[$data['object_id']][] = $data['info'];
            }
            if(strlen($data['info']) && ($data['info_type'] == ilLDAPRoleGroupMappingSettings::MAPPING_INFO_ALL))
            {
                $this->mapping_info_strict[$data['object_id']][] = $data['info'];
            }
        }
    }
    // usr_id => external account name of every user with auth mode ldap
    $this->users = ilObjUser::_getExternalAccountsByAuthMode('ldap',true);
    return true;
}


ilLDAPRoleGroupMapping::isHandledRole (   $a_role_id)
private

Check if a role is handled or not.

private

Parameters
int role_id
Returns
bool true if a mapping exists for the role

Definition at line 272 of file class.ilLDAPRoleGroupMapping.php.

Referenced by assign(), deassign(), and deleteRole().

{
    return array_key_exists($a_role_id,$this->mappings);
}


ilLDAPRoleGroupMapping::isHandledUser (   $a_usr_id)
private

Check if the user is an LDAP user.

private

Definition at line 282 of file class.ilLDAPRoleGroupMapping.php.

Referenced by assign(), and deassign().

{
    return array_key_exists($a_usr_id,$this->users);
}


ilLDAPRoleGroupMapping::isMember (   $a_uid,
  $data 
)
private

Check if user is member.

private

Exceptions
ilLDAPQueryException

Definition at line 399 of file class.ilLDAPRoleGroupMapping.php.

References $data, $res, $server, getLDAPQueryInstance(), IL_LDAP_SCOPE_BASE, and storeMembers().

{
    if(!isset($this->mapping_members["$data[mapping_id]"]))
    {
        // Read members
        try
        {
            $server = $this->servers["$data[server_id]"];
            $query_obj = $this->getLDAPQueryInstance($data['server_id'],$server->getUrl());
            // query for members: base-scope read of the group entry, member attribute only
            $res = $query_obj->query($data['dn'],
                '(objectClass=*)',
                IL_LDAP_SCOPE_BASE,
                array($data['member']));
            $this->storeMembers($data['mapping_id'],$res->get());
            unset($res);
        }
        catch(ilLDAPQueryException $exc)
        {
            throw $exc;
        }
    }
    #var_dump("<pre>",$a_uid,$this->mapping_members,"</pre>");
    // Now check for membership in stored result (exact, case-sensitive string comparison)
    if(in_array($a_uid,$this->mapping_members["$data[mapping_id]"]))
    {
        return true;
    }
    return false;
}


ilLDAPRoleGroupMapping::readDN (   $a_usr_id,
  $a_server_id 
)
private

Read DN of user.

private

Parameters
int user id
int server id
Exceptions
ilLDAPQueryException

Definition at line 507 of file class.ilLDAPRoleGroupMapping.php.

References $data, $res, $server, and getLDAPQueryInstance().

Referenced by assignToGroup(), and deassignFromGroup().

{
    // Cache is keyed by user id only: a DN read from one server is reused for any $a_server_id
    if(isset($this->user_dns[$a_usr_id]))
    {
        return $this->user_dns[$a_usr_id];
    }
    $external_account = $this->users[$a_usr_id];
    try
    {
        $server = $this->servers[$a_server_id];
        $query_obj = $this->getLDAPQueryInstance($a_server_id,$server->getUrl());
        if($search_base = $server->getSearchBase())
        {
            $search_base .= ',';
        }
        $search_base .= $server->getBaseDN();
        // try optional group user filter first
        if($server->isMembershipOptional() and $server->getGroupUserFilter())
        {
            $userFilter = $server->getGroupUserFilter();
        }
        else
        {
            $userFilter = $server->getFilter();
        }
        // $external_account is interpolated without RFC 4515 escaping; a value
        // containing ( ) * \ or NUL changes the meaning of the filter
        $filter = sprintf('(&(%s=%s)%s)',
            $server->getUserAttribute(),
            $external_account,
            $userFilter);
        $res = $query_obj->query($search_base,$filter,$server->getUserScope(),array('dn'));
        if(!$res->numRows())
        {
            include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
            throw new ilLDAPQueryException(__METHOD__.' cannot find dn for user '.$external_account);
        }
        if($res->numRows() > 1)
        {
            include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
            throw new ilLDAPQueryException(__METHOD__.' found multiple distinguished name for: '.$external_account);
        }
        $data = $res->get();
        return $this->user_dns[$a_usr_id] = $data['dn'];
    }
    catch(ilLDAPQueryException $exc)
    {
        throw $exc;
    }
}
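readDN() builds the search base and the filter from the server settings and the user's stored external account name with sprintf, without escaping the value. The following is an added example, not ILIAS code, that reproduces that construction on constructed server settings and shows the same filter built with RFC 4515 value escaping. $server (an array standing in for the ilLDAPServer getters), buildSearchBase(), buildDnFilterRaw(), buildDnFilterSafe() and escapeFilterValue() are names chosen here; PHP's own ldap_escape() with LDAP_ESCAPE_FILTER does the same escaping but needs ext/ldap, so it is reimplemented to keep the example self-contained.

```php
<?php
// Added example (not ILIAS code): reproduces how readDN() builds the search
// base and the DN lookup filter, and shows the RFC 4515-escaped variant.
// $server and the account values are constructed.

$server = [
    'user_attribute' => 'uid',                           // getUserAttribute()
    'filter'         => '(objectClass=inetOrgPerson)',   // getFilter()
    'search_base'    => 'ou=people',                     // getSearchBase()
    'base_dn'        => 'dc=example,dc=org',             // getBaseDN()
];

// As in readDN(): an optional search base is prepended to the base DN.
function buildSearchBase(array $s): string
{
    $base = $s['search_base'];
    if ($base !== '') {
        $base .= ',';
    }
    return $base . $s['base_dn'];
}

// As in readDN(): the account value goes into the filter verbatim.
function buildDnFilterRaw(array $s, string $externalAccount): string
{
    return sprintf('(&(%s=%s)%s)', $s['user_attribute'], $externalAccount, $s['filter']);
}

// RFC 4515 section 3: \ * ( ) and NUL inside an assertion value are written as
// a backslash followed by two hex digits (same result as ldap_escape($v, '', LDAP_ESCAPE_FILTER)).
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

// Same shape as the raw filter, but the value can no longer close or open
// filter components.
function buildDnFilterSafe(array $s, string $externalAccount): string
{
    return sprintf('(&(%s=%s)%s)', $s['user_attribute'], escapeFilterValue($externalAccount), $s['filter']);
}

$accounts = [
    'jdoe',          // ordinary value: raw and safe filters are identical
    '*)(uid=admin',  // constructed value containing filter metacharacters
];

printf("search base: %s\n", buildSearchBase($server));
foreach ($accounts as $account) {
    printf("raw : %s\n", buildDnFilterRaw($server, $account));
    printf("safe: %s\n", buildDnFilterSafe($server, $account));
}
```

For the second value the raw filter reads (&(uid=*)(uid=admin)(objectClass=inetOrgPerson)), which selects the admin entry rather than failing; readDN() only rejects a lookup that returns zero or more than one entry, so a value that resolves to exactly one other entry passes, and assignToGroup() would then add that entry's DN to the group. In this class the value comes from the external account name ILIAS has stored for the user (see ilObjUser::_getExternalAccountsByAuthMode in initServers()), so in normal operation it is not chosen by an outside party; escaping it nevertheless makes the filter's meaning independent of what is stored.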


ilLDAPRoleGroupMapping::storeMembers (   $a_mapping_id,
  $a_data 
)
private

Store Members.

private

Definition at line 476 of file class.ilLDAPRoleGroupMapping.php.

Referenced by isMember().

{
    $this->mapping_members[$a_mapping_id] = array();
    foreach($a_data as $field => $value)
    {
        if(strtolower($field) == 'dn')
        {
            continue;
        }
        if(!is_array($value))
        {
            $this->mapping_members[$a_mapping_id][] = $value;
            continue;
        }
        foreach($value as $external_account)
        {
            $this->mapping_members[$a_mapping_id][] = $external_account;
        }
    }
    return true;
}


Field Documentation

ilLDAPRoleGroupMapping::$active_servers = false
private

Definition at line 42 of file class.ilLDAPRoleGroupMapping.php.

ilLDAPRoleGroupMapping::$instance = null
static private

Definition at line 37 of file class.ilLDAPRoleGroupMapping.php.

Referenced by _getInstance().

ilLDAPRoleGroupMapping::$log = null
private

Definition at line 36 of file class.ilLDAPRoleGroupMapping.php.

ilLDAPRoleGroupMapping::$mapping_members = array()
private

Definition at line 40 of file class.ilLDAPRoleGroupMapping.php.

ilLDAPRoleGroupMapping::$mappings = array()
private

Definition at line 39 of file class.ilLDAPRoleGroupMapping.php.

ilLDAPRoleGroupMapping::$query = array()
private

Definition at line 41 of file class.ilLDAPRoleGroupMapping.php.

ilLDAPRoleGroupMapping::$servers = null
private

Definition at line 38 of file class.ilLDAPRoleGroupMapping.php.


The documentation for this class was generated from the following file: