ILIAS  Release_5_0_x_branch Revision 61816
 All Data Structures Namespaces Files Functions Variables Groups Pages
class.ilAuthContainerApache.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (c) 1998-2014 ILIAS open source, Extended GPL, see docs/LICENSE */
3 
4 require_once 'Auth/Container/MDB2.php';
5 
12 class ilAuthContainerApache extends Auth_Container
13 {
17  public static $force_creation = false;
18 
22  public function __construct()
23  {
24  parent::__construct();
25  }
26 
30  public static function forceCreation($value)
31  {
32  self::$force_creation = $value;
33  }
34 
42  function fetchData($a_username, $password, $isChallengeResponse = false)
43  {
49  global $ilDB, $ilSetting , $rbacadmin;
50 
51  $settings = new ilSetting('apache_auth');
52 
53  if(!$settings->get('apache_enable_auth'))
54  {
55  return false;
56  }
57  if(!$settings->get('apache_auth_indicator_name') || !$settings->get('apache_auth_indicator_value'))
58  {
59  return false;
60  }
61  if(!ilUtil::isLogin($a_username))
62  {
63  return false;
64  }
65 
66  if($a_username == 'anonymous' && $password == 'anonymous')
67  {
68  $query = 'SELECT * FROM usr_data WHERE login = %s';
69  $qres = $ilDB->queryF($query, array('text'), array($a_username));
70  $userRow = $ilDB->fetchAssoc($qres);
71 
72  if(is_array($userRow) && $userRow['usr_id'])
73  {
74  // user as a local account...
75  // fetch logindata
76  $this->activeUser = $userRow['login'];
77  foreach($userRow as $key => $value)
78  {
79  if($key == $this->options['passwordcol'] || $key == $this->options['usernamecol'])
80  {
81  continue;
82  }
83  // Use reference to the auth object if exists
84  // This is because the auth session variable can change so a static call to setAuthData does not make sense
85  $this->_auth_obj->setAuthData($key, $value);
86  }
87  $this->_auth_obj->setAuth($userRow['login']);
88  return true;
89  }
90  return false;
91  }
92 
93  if(
94  !$_SESSION['login_invalid'] &&
95  in_array(
96  $_SERVER[$settings->get('apache_auth_indicator_name')],
97  array_filter(array_map('trim', str_getcsv($settings->get('apache_auth_indicator_value'))))
98  )
99  )
100  {
101  // we have a valid apache auth
102  $list = array(
103  $ilSetting->get('auth_mode')
104  );
105 
106  // Respect the auth method sequence
107  include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
108  $det = ilAuthModeDetermination::_getInstance();
109  if(!$det->isManualSelection() && $det->getCountActiveAuthModes() > 1)
110  {
111  $list = array();
112  foreach(ilAuthModeDetermination::_getInstance()->getAuthModeSequence() as $auth_mode)
113  {
114  $list[] = $auth_mode;
115  }
116  }
117 
118  foreach($list as $auth_mode)
119  {
120  if(AUTH_LDAP == $auth_mode)
121  {
122  // if no local user has been found AND ldap lookup is enabled
123  if($settings->get('apache_enable_ldap'))
124  {
125  include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
126  $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
127  $this->server->doConnectionCheck();
128 
129  $config = $this->server->toPearAuthArray();
130 
131  $query = new ilLDAPQuery($this->server);
132  $query->bind();
133  $ldapUser = $query->fetchUser($a_username);
134 
135  if($ldapUser && $ldapUser[$a_username] && $ldapUser[$a_username][$config['userattr']] == $a_username)
136  {
137  $ldapUser[$a_username]['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
138  $user_data = $ldapUser[$a_username]; //array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
139  if($this->server->enabledSyncOnLogin())
140  {
141  if(!$user_data['ilInternalAccount'] && $this->server->isAccountMigrationEnabled() && !self::$force_creation)
142  {
143  $this->_auth_obj->logout();
144  $_SESSION['tmp_auth_mode'] = 'ldap';
145  $_SESSION['tmp_external_account'] = $a_username;
146  $_SESSION['tmp_pass'] = $_POST['password'];
147 
148  include_once('./Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php');
149  $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation($a_username, $user_data);
150  $_SESSION['tmp_roles'] = array();
151  foreach($roles as $info)
152  {
153  if($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN)
154  {
155  $_SESSION['tmp_roles'][] = $info['id'];
156  }
157  }
158 
159  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
160  }
161 
162  if($this->updateRequired($a_username))
163  {
164  $this->initLDAPAttributeToUser();
165  $this->ldap_attr_to_user->setUserData($ldapUser);
166  $this->ldap_attr_to_user->refresh();
167  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
168  }
169  else
170  {
171  // User exists and no update required
172  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
173  }
174  }
175  if($user_data['ilInternalAccount'])
176  {
177  $this->_auth_obj->setAuth($user_data['ilInternalAccount']);
178  $this->_auth_obj->username = $user_data['ilInternalAccount'];
179  return true;
180  }
181  }
182  }
183  }
184  else if(AUTH_APACHE != $auth_mode && $settings->get('apache_enable_local'))
185  {
186  $condition = '';
187  if($ilSetting->get("auth_mode") && $ilSetting->get("auth_mode") == 'ldap')
188  {
189  $condition = " AND auth_mode != " . $ilDB->quote('default', 'text') . " ";
190  }
191  $query = "SELECT * FROM usr_data WHERE login = %s AND auth_mode != %s $condition";
192  $qres = $ilDB->queryF($query, array('text', 'text'), array($a_username, 'ldap'));
193  $userRow = $ilDB->fetchAssoc($qres);
194 
195  if(is_array($userRow) && $userRow['usr_id'])
196  {
197  // user as a local account...
198  // fetch logindata
199  $this->activeUser = $userRow['login'];
200  foreach($userRow as $key => $value)
201  {
202  if($key == $this->options['passwordcol'] || $key == $this->options['usernamecol'])
203  {
204  continue;
205  }
206  // Use reference to the auth object if exists
207  // This is because the auth session variable can change so a static call to setAuthData does not make sense
208  $this->_auth_obj->setAuthData($key, $value);
209  }
210  $this->_auth_obj->setAuth($userRow['login']);
211  return true;
212  }
213  }
214  }
215 
216  if($settings->get('apache_enable_local') && $settings->get('apache_local_autocreate'))
217  {
218  if($_GET['r'])
219  {
220  $_SESSION['profile_complete_redirect'] = $_GET['r'];
221  }
222 
223  $user = new ilObjUser();
224  $user->setLogin($a_username);
225  $user->setExternalAccount($a_username);
226  $user->setProfileIncomplete(true);
227  $user->create();
228  $user->setAuthMode('apache');
229  // set a timestamp for last_password_change
230  // this ts is needed by ilSecuritySettings
231  $user->setLastPasswordChangeTS(time());
232  $user->setTimeLimitUnlimited(1);
233 
234  $user->setActive(1);
235  //insert user data in table user_data
236  $user->saveAsNew();
237  $user->writePrefs();
238  $rbacadmin->assignUser($settings->get('apache_default_role', 4), $user->getId(), true);
239  return true;
240  }
241  }
242  else if(defined('IL_CERT_SSO') && IL_CERT_SSO)
243  {
244  define('APACHE_ERRORCODE', AUTH_APACHE_FAILED);
245  }
246 
247  return false;
248  }
249 
255  protected function updateRequired($a_username)
256  {
257  if(!ilObjUser::_checkExternalAuthAccount("ldap", $a_username))
258  {
259  return true;
260  }
261  // Check attribute mapping on login
262  include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
263  if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
264  {
265  return true;
266  }
267  include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
268  if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
269  {
270  return true;
271  }
272  return false;
273  }
274 
279  private function initLDAPAttributeToUser()
280  {
281  include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
282  $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
283  }
284 }