ILIAS  Release_4_2_x_branch Revision 61807
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilAuthUtils.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 
6 // define auth modes
7 define ("AUTH_LOCAL",1);
8 define ("AUTH_LDAP",2);
9 define ("AUTH_RADIUS",3);
10 define ("AUTH_SCRIPT",4);
11 define ("AUTH_SHIBBOLETH",5);
12 define ("AUTH_CAS",6);
13 define ("AUTH_SOAP",7);
14 // BEGIN WebDAV: Add support for HTTP authentication
15 define ("AUTH_HTTP",8);
16 // END WebDAV: Add support for HTTP authentication
17 define ("AUTH_ECS",9);
18 define('AUTH_OPENID',10);
19 
20 define ("AUTH_APACHE",11);
21 
22 define ("AUTH_INACTIVE",18);
23 
24 define('AUTH_MULTIPLE',20);
25 
26 define('AUTH_SOAP_NO_ILIAS_USER', -100);
27 define('AUTH_LDAP_NO_ILIAS_USER',-200);
28 define('AUTH_RADIUS_NO_ILIAS_USER',-300);
29 define('AUTH_OPENID_NO_ILIAS_USER',-400);
30 
31 // apache auhtentication failed...
32 // maybe no (valid) certificate or
33 // username could not be extracted
34 define('AUTH_APACHE_FAILED', -500);
35 
36 
37 define('AUTH_MODE_INACTIVE',-1000);
38 
39 
40 // an external user cannot be found in ilias, but his email address
41 // matches one or more ILIAS users
42 define('AUTH_SOAP_NO_ILIAS_USER_BUT_EMAIL', -101);
43 define('AUTH_CAS_NO_ILIAS_USER', -90);
44 
45 include_once './Services/Authentication/classes/class.ilAuthFactory.php';
46 require_once('Services/Authentication/classes/class.ilSessionControl.php');
47 
48 
56 class ilAuthUtils
57 {
58  const LOCAL_PWV_FULL = 1;
59  const LOCAL_PWV_NO = 2;
60  const LOCAL_PWV_USER = 3;
61 
62 
66  function _initAuth()
67  {
68  global $ilAuth, $ilSetting, $ilDB, $ilClientIniFile,$ilBench;
69 
70  $user_auth_mode = false;
71  $ilBench->start('Auth','initAuth');
72 
73 
74  // get default auth mode
75  //$default_auth_mode = $this->getSetting("auth_mode");
76  define ("AUTH_DEFAULT", $ilSetting->get("auth_mode") ? $ilSetting->get("auth_mode") : AUTH_LOCAL);
77 
78  // determine authentication method if no session is found and username & password is posted
79  // does this if statement make any sense? we enter this block nearly everytime.
80 
81  if (empty($_SESSION) ||
82  (!isset($_SESSION['_authsession']['registered']) ||
83  $_SESSION['_authsession']['registered'] !== true))
84  {
85  // no sesssion found
86  if (isset($_POST['username']) and $_POST['username'] != '' and $_POST['password'] != '' or isset($_GET['ecs_hash']) or isset($_POST['oid_username']) or isset($_GET['oid_check_status']))
87  {
88  $user_auth_mode = ilAuthUtils::_getAuthModeOfUser($_POST['username'], $_POST['password'], $ilDB);
89 
90  if ($user_auth_mode == AUTH_CAS && $ilSetting->get("cas_allow_local"))
91  {
92  $user_auth_mode = AUTH_LOCAL;
93  }
94  if ($user_auth_mode == AUTH_SOAP && $ilSetting->get("soap_auth_allow_local"))
95  {
96  $user_auth_mode = AUTH_LOCAL;
97  }
98  if ($user_auth_mode == AUTH_SHIBBOLETH && $ilSetting->get("shib_auth_allow_local"))
99  {
100  $user_auth_mode = AUTH_LOCAL;
101  }
102  }
103  else if ($_POST['auth_mode'] == AUTH_APACHE) {
104  $user_auth_mode = AUTH_APACHE;
105  }
106  }
107 
108  // to do: other solution?
109  if (!$ilSetting->get("soap_auth_active") && $user_auth_mode == AUTH_SOAP)
110  {
111  $user_auth_mode = AUTH_LOCAL;
112  }
113 
114  if($ilSetting->get("cas_active") && $_GET['forceCASLogin'])
115  {
116  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_CAS);
117  $user_auth_mode = AUTH_CAS;
118  }
119 
120  if($ilSetting->get("apache_active") && $user_auth_mode == AUTH_APACHE)
121  {
122  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
123  $user_auth_mode = AUTH_APACHE;
124  }
125 
126  // BEGIN WebDAV: Share session between browser and WebDAV client.
127  // The realm is needed to support a common session between Auth_HTTP and Auth.
128  // It also helps us to distinguish between parallel sessions run on different clients.
129  // Common session only works if we use a common session name starting with "_authhttp".
130  // We must use the "_authttp" prefix, because it is hardcoded in the session name of
131  // class Auth_HTTP.
132  // Whenever we use Auth_HTTP, we need to explicitly switch off "sessionSharing", because
133  // it interfers with the session mechanism of the other Auth modules. If we would
134  // keep this switched on, then users could steal each others session, which would cause
135  // a major security breach.
136  // Note: The realm and sessionName used here, must be the same as in
137  // class ilBaseAuthentication. Otherwise, Soap clients won't be able to log
138  // in to ILIAS.
139  $realm = CLIENT_ID;
140  //$this->writelog('ilias.php realm='.$realm);
141  // END WebDAV: Share session between browser and WebDAV client.
142 
143 //var_dump($_SESSION);
144 //echo "1-".$ilSetting->get("soap_auth_active")."-";
145  // if soap authentication activated and soap credentials given
146  if (($ilSetting->get("soap_auth_active") && !empty($_GET["ext_uid"])
147  && !empty($_GET["soap_pw"])) || $user_auth_mode == AUTH_SOAP)
148  {
149 
150  define('AUTH_CURRENT',AUTH_SOAP);
151  }
152  // if Shibboleth is active and the user is authenticated
153  // we set auth_mode to Shibboleth
154  else if ( $ilSetting->get("shib_active")
155  && $_SERVER[$ilSetting->get("shib_login")])
156  {
157  define ("AUTH_CURRENT", AUTH_SHIBBOLETH);
158  }
159  else
160  {
161  define ("AUTH_CURRENT", $user_auth_mode);
162  }
163 //var_dump($_SESSION);
164 
165  // Determine the authentication method to use
166  if (defined("WebDAV_Authentication") && WebDAV_Authentication == 'HTTP') {
167  // Since WebDAV clients create the login form by
168  // themselves, we can not provide buttons on the form for
169  // choosing an authentication method.
170  // If the user is already logged in, we continue using
171  // the current authentication method. If the user is
172  // not logged in yet, we use the "multiple authentication"
173  // method using a predefined sequence of authentication methods.
174  $authmode = AUTH_CURRENT ? AUTH_CURRENT : AUTH_MULTIPLE;
175  }
176  else
177  {
178  $authmode = AUTH_CURRENT;
179  }
180 //var_dump($authmode);
181  // if no auth mode selected AND default mode is AUTH_APACHE then use it...
182  if ($authmode == null && AUTH_DEFAULT == AUTH_APACHE)
183  $authmode = AUTH_APACHE;
184 
185  switch ($authmode)
186  {
187  case AUTH_LDAP:
188 
189  include_once './Services/LDAP/classes/class.ilAuthContainerLDAP.php';
190  $ilAuth = ilAuthFactory::factory(new ilAuthContainerLDAP());
191  break;
192 
193  case AUTH_RADIUS:
194 
195  include_once './Services/Radius/classes/class.ilAuthContainerRadius.php';
196  $ilAuth = ilAuthFactory::factory(new ilAuthContainerRadius());
197  break;
198 
199  case AUTH_SHIBBOLETH:
200  // build option string for SHIB::Auth
201  $auth_params = array();
202  $auth_params['sessionName'] = "_authhttp".md5($realm);
203  $ilAuth = new ShibAuth($auth_params,true);
204  break;
205 
206  case AUTH_CAS:
207 
208  include_once './Services/CAS/classes/class.ilAuthContainerCAS.php';
209  $ilAuth = ilAuthFactory::factory(new ilAuthContainerCAS());
210  break;
211 
212  case AUTH_SOAP:
213 
214  include_once './Services/SOAPAuth/classes/class.ilAuthContainerSOAP.php';
215  $ilAuth = ilAuthFactory::factory(new ilAuthContainerSOAP());
216  break;
217 
218  case AUTH_MULTIPLE:
219 
220  include_once './Services/Authentication/classes/class.ilAuthContainerMultiple.php';
221  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMultiple());
222  break;
223 
224  case AUTH_ECS:
225  include_once './Services/WebServices/ECS/classes/class.ilAuthContainerECS.php';
226  $ilAuth = ilAuthFactory::factory(new ilAuthContainerECS());
227  break;
228 
229  case AUTH_OPENID:
230 
231  include_once './Services/OpenId/classes/class.ilAuthContainerOpenId.php';
232  $ilAuth = ilAuthFactory::factory(new ilAuthContainerOpenId());
233  break;
234 
235  case AUTH_INACTIVE:
236  require_once('./Services/Authentication/classes/class.ilAuthInactive.php');
237  $ilAuth = new ilAuthInactive(AUTH_MODE_INACTIVE);
238  break;
239 
240  case AUTH_APACHE:
241  include_once './Services/AuthApache/classes/class.ilAuthContainerApache.php';
242  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
243  $ilAuth = ilAuthFactory::factory(new ilAuthContainerApache());
244  break;
245 
246  case AUTH_LOCAL:
247  default:
248 
249  global $ilLog;
250 
251  include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
252  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMDB2());
253  break;
254  }
255 
256  // Due to a bug in Pear Auth_HTTP, we can't use idle time
257  // with WebDAV clients. If we used it, users could never log
258  // back into ILIAS once their session idled out. :(
259  if (!defined("WebDAV_Authentication") || WebDAV_Authentication != 'HTTP')
260  {
261  $ilAuth->setIdle(ilSession::getIdleValue(), false);
262  }
263  $ilAuth->setExpire(0);
264 
265  ini_set("session.cookie_lifetime", "0");
266 //echo "-".get_class($ilAuth)."-";
267  $GLOBALS['ilAuth'] =& $ilAuth;
268 
269  ilSessionControl::checkExpiredSession();
270 
271  $ilBench->stop('Auth','initAuth');
272  }
273 
274  function _getAuthModeOfUser($a_username,$a_password,$a_db_handler = '')
275  {
276  global $ilDB;
277 
278  if(isset($_GET['ecs_hash']))
279  {
280  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_ECS);
281  return AUTH_ECS;
282  }
283  if(isset($_POST['auth_mode']))
284  {
285  return (int) $_POST['auth_mode'];
286  }
287  if(isset($_POST['oid_username']) or $_GET['oid_check_status'])
288  {
289  $GLOBALS['ilLog']->write(__METHOD__.' set context to open id');
290  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_OPENID);
291  return AUTH_OPENID;
292  }
293 
294  include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
295  $det = ilAuthModeDetermination::_getInstance();
296 
297  if(!$det->isManualSelection() and $det->getCountActiveAuthModes() > 1)
298  {
299  return AUTH_MULTIPLE;
300  }
301 
302 
303  $db =& $ilDB;
304 
305  if ($a_db_handler != '')
306  {
307  $db =& $a_db_handler;
308  }
309 
310  // Is it really necessary to check the auth mode with password ?
311  // Changed: smeyer
312  $q = "SELECT auth_mode FROM usr_data WHERE ".
313  "login = ".$ilDB->quote($a_username);
314  //"passwd = ".$ilDB->quote(md5($a_password))."";
315 
316 
317  $r = $db->query($q);
318  $row = $r->fetchRow(DB_FETCHMODE_OBJECT);
319 //echo "+".$row->auth_mode."+";
320 
321  $auth_mode = self::_getAuthMode($row->auth_mode,$db);
322 
323  return in_array($auth_mode,self::_getActiveAuthModes()) ? $auth_mode : AUTH_INACTIVE;
324  }
325 
326  function _getAuthMode($a_auth_mode,$a_db_handler = '')
327  {
328  global $ilDB, $ilSetting;
329 
330  $db =& $ilDB;
331 
332  if ($a_db_handler != '')
333  {
334  $db =& $a_db_handler;
335  }
336 
337  switch ($a_auth_mode)
338  {
339  case "local":
340  return AUTH_LOCAL;
341  break;
342 
343  case "ldap":
344  return AUTH_LDAP;
345  break;
346 
347  case "radius":
348  return AUTH_RADIUS;
349  break;
350 
351  case "script":
352  return AUTH_SCRIPT;
353  break;
354 
355  case "shibboleth":
356  return AUTH_SHIBBOLETH;
357  break;
358 
359  case "cas":
360  return AUTH_CAS;
361  break;
362 
363  case "soap":
364  return AUTH_SOAP;
365  break;
366 
367  case 'ecs':
368  return AUTH_ECS;
369 
370  case 'openid':
371  return AUTH_OPENID;
372 
373  case 'apache':
374  return AUTH_APACHE;
375 
376  default:
377  return $ilSetting->get("auth_mode");
378  break;
379  }
380  }
381 
382  public static function _getAuthModeName($a_auth_key)
383  {
384  global $ilias;
385 
386  switch ($a_auth_key)
387  {
388  case AUTH_LOCAL:
389  return "local";
390  break;
391 
392  case AUTH_LDAP:
393  return "ldap";
394  break;
395 
396  case AUTH_RADIUS:
397  return "radius";
398  break;
399 
400  case AUTH_CAS:
401  return "cas";
402  break;
403 
404  case AUTH_SCRIPT:
405  return "script";
406  break;
407 
408  case AUTH_SHIBBOLETH:
409  return "shibboleth";
410  break;
411 
412  case AUTH_SOAP:
413  return "soap";
414  break;
415 
416  case AUTH_ECS:
417  return 'ecs';
418 
419  case AUTH_APACHE:
420  return 'apache';
421 
422  case AUTH_OPENID:
423  return 'open_id';
424 
425  default:
426  return "default";
427  break;
428  }
429  }
430 
431  function _getActiveAuthModes()
432  {
433  global $ilias,$ilSetting;
434 
435  $modes = array(
436  'default' => $ilSetting->get("auth_mode"),
437  'local' => AUTH_LOCAL
438  );
439  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
440  if(count(ilLDAPServer::_getActiveServerList()))
441  {
442  $modes['ldap'] = AUTH_LDAP;
443  }
444  if ($ilSetting->get("radius_active")) $modes['radius'] = AUTH_RADIUS;
445  if ($ilSetting->get("shib_active")) $modes['shibboleth'] = AUTH_SHIBBOLETH;
446  if ($ilSetting->get("script_active")) $modes['script'] = AUTH_SCRIPT;
447  if ($ilSetting->get("cas_active")) $modes['cas'] = AUTH_CAS;
448  if ($ilSetting->get("soap_auth_active")) $modes['soap'] = AUTH_SOAP;
449  if ($ilSetting->get("apache_active")) $modes['apache'] = AUTH_APACHE;
450 
451  include_once './Services/WebServices/ECS/classes/class.ilECSServerSettings.php';
452  if(ilECSServerSettings::getInstance()->activeServerExists())
453  {
454  $modes['ecs'] = AUTH_ECS;
455  }
456 
457  include_once './Services/OpenId/classes/class.ilOpenIdSettings.php';
458  if(ilOpenIdSettings::getInstance()->isActive())
459  {
460  $modes['openid'] = AUTH_OPENID;
461  }
462 
463  return $modes;
464  }
465 
466  function _getAllAuthModes()
467  {
468  return array(
469  AUTH_LOCAL => ilAuthUtils::_getAuthModeName(AUTH_LOCAL),
470  AUTH_LDAP => ilAuthUtils::_getAuthModeName(AUTH_LDAP),
471  AUTH_SHIBBOLETH => ilAuthUtils::_getAuthModeName(AUTH_SHIBBOLETH),
472  AUTH_CAS => ilAuthUtils::_getAuthModeName(AUTH_CAS),
473  AUTH_SOAP => ilAuthUtils::_getAuthModeName(AUTH_SOAP),
474  AUTH_RADIUS => ilAuthUtils::_getAuthModeName(AUTH_RADIUS),
475  AUTH_ECS => ilAuthUtils::_getAuthModeName(AUTH_ECS),
476  AUTH_OPENID => ilAuthUtils::_getAuthModeName(AUTH_OPENID),
477  AUTH_APACHE => ilAuthUtils::_getAuthModeName(AUTH_APACHE)
478  );
479  }
480 
485  function _generateLogin($a_login)
486  {
487  global $ilDB;
488 
489  // Check if username already exists
490  $found = false;
491  $postfix = 0;
492  $c_login = $a_login;
493  while(!$found)
494  {
495  $r = $ilDB->query("SELECT login FROM usr_data WHERE login = ".
496  $ilDB->quote($c_login));
497  if ($r->numRows() > 0)
498  {
499  $postfix++;
500  $c_login = $a_login.$postfix;
501  }
502  else
503  {
504  $found = true;
505  }
506  }
507 
508  return $c_login;
509  }
510 
511  public static function _hasMultipleAuthenticationMethods()
512  {
513  include_once('Services/Radius/classes/class.ilRadiusSettings.php');
514 
515  $rad_settings = ilRadiusSettings::_getInstance();
516  if($rad_settings->isActive())
517  {
518  return true;
519  }
520  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
521 
522  if (count(ilLDAPServer::_getActiveServerList()))
523  return true;
524 
525  global $ilSetting;
526 
527  if ($ilSetting->get('apache_active')) {
528  return true;
529  }
530  return false;
531  }
532 
533  public static function _getMultipleAuthModeOptions($lng)
534  {
535  global $ilSetting;
536 
537  // in the moment only ldap is activated as additional authentication method
538  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
539 
540  $options[AUTH_LOCAL]['txt'] = $lng->txt('authenticate_ilias');
541 
542  // LDAP
543  if($ldap_id = ilLDAPServer::_getFirstActiveServer())
544  {
545  $ldap_server = new ilLDAPServer($ldap_id);
546  $options[AUTH_LDAP]['txt'] = $ldap_server->getName();
547  }
548  include_once('Services/Radius/classes/class.ilRadiusSettings.php');
549  $rad_settings = ilRadiusSettings::_getInstance();
550  if($rad_settings->isActive())
551  {
552  $options[AUTH_RADIUS]['txt'] = $rad_settings->getName();
553  }
554 
555  if ($ilSetting->get('apache_active'))
556  {
557  global $lng;
558  $apache_settings = new ilSetting('apache_auth');
559  $options[AUTH_APACHE]['txt'] = $apache_settings->get('name', $lng->txt('apache_auth'));
560  $options[AUTH_APACHE]['hide_in_ui'] = true;
561  }
562 
563  if($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_LDAP)
564  {
565  $default = AUTH_LDAP;
566  }
567  elseif($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_RADIUS)
568  {
569  $default = AUTH_RADIUS;
570  }
571  else
572  {
573  $default = AUTH_LOCAL;
574  }
575 
576  $default = $ilSetting->get('default_auth_mode',$default);
577  $default = (int) $_REQUEST['auth_mode'] ? (int) $_REQUEST['auth_mode'] : $default;
578 
579  $options[$default]['checked'] = true;
580  return $options ? $options : array();
581  }
582 
592  public static function _isExternalAccountEnabled()
593  {
594  global $ilSetting;
595 
596  if($ilSetting->get("cas_active"))
597  {
598  return true;
599  }
600  if($ilSetting->get("soap_auth_active"))
601  {
602  return true;
603  }
604  if($ilSetting->get("shib_active"))
605  {
606  return true;
607  }
608  if($ilSetting->get('radius_active'))
609  {
610  return true;
611  }
612  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
613  if(count(ilLDAPServer::_getActiveServerList()))
614  {
615  return true;
616  }
617  include_once './Services/OpenId/classes/class.ilOpenIdSettings.php';
618  if(ilOpenIdSettings::getInstance()->isActive())
619  {
620  return true;
621  }
622  return false;
623  }
624 
633  public static function _allowPasswordModificationByAuthMode($a_auth_mode)
634  {
635  switch($a_auth_mode)
636  {
637  case AUTH_LDAP:
638  case AUTH_RADIUS:
639  case AUTH_ECS:
640  case AUTH_OPENID:
641  return false;
642  default:
643  return true;
644  }
645  }
646 
655  public static function _needsExternalAccountByAuthMode($a_auth_mode)
656  {
657  switch($a_auth_mode)
658  {
659  case AUTH_LOCAL:
660  return false;
661  default:
662  return true;
663  }
664  }
665 
671  public static function isPasswordModificationEnabled($a_authmode)
672  {
673  global $ilSetting;
674 
675  if($ilSetting->get('usr_settings_hide_password') or $ilSetting->get('usr_settings_disable_password'))
676  {
677  return false;
678  }
679 
680  switch($a_authmode)
681  {
682  // No local passwords for these auth modes
683  case AUTH_LDAP:
684  case AUTH_RADIUS:
685  case AUTH_ECS:
686  case AUTH_SCRIPT:
687  return false;
688 
689  // Always for openid and local
690  case AUTH_LOCAL:
691  case AUTH_OPENID:
692  return true;
693 
694  // Read setting:
695  case AUTH_SHIBBOLETH:
696  return $ilSetting->get("shib_auth_allow_local");
697  case AUTH_SOAP:
698  return $ilSetting->get("soap_auth_allow_local");
699  case AUTH_CAS:
700  return $ilSetting->get("cas_allow_local");
701  }
702  }
703 
709  public static function supportsLocalPasswordValidation($a_authmode)
710  {
711  switch($a_authmode)
712  {
713  case AUTH_LDAP:
714  case AUTH_LOCAL:
715  case AUTH_RADIUS:
716  return ilAuthUtils::LOCAL_PWV_FULL;
717 
718  case AUTH_SHIBBOLETH:
719  case AUTH_SOAP:
720  case AUTH_CAS:
721  if(!ilAuthUtils::isPasswordModificationEnabled($a_authmode))
722  {
723  return ilAuthUtils::LOCAL_PWV_NO;
724  }
725  return ilAuthUtils::LOCAL_PWV_USER;
726 
727  case AUTH_ECS:
728  case AUTH_OPENID:
729  case AUTH_SCRIPT:
730  case AUTH_APACHE:
731  default:
732  return ilAuthUtils::LOCAL_PWV_USER;
733  }
734  }
735 }
736 ?>