ILIAS  release_4-3 Revision
 All Data Structures Namespaces Files Functions Variables Groups Pages
ilAuthUtils Class Reference

static utility functions used to manage authentication modes More...

+ Collaboration diagram for ilAuthUtils:

Public Member Functions

 _initAuth ()
 initialises $ilAuth
 _getAuthModeOfUser ($a_username, $a_password, $a_db_handler= '')
 _getAuthMode ($a_auth_mode, $a_db_handler= '')
 _getActiveAuthModes ()
 _getAllAuthModes ()
 _generateLogin ($a_login)
 generate free login by starting with a default string and adding postfix numbers

Static Public Member Functions

static _getAuthModeName ($a_auth_key)
static _hasMultipleAuthenticationMethods ()
static _getMultipleAuthModeOptions ($lng)
static _isExternalAccountEnabled ()
 Check if an external account name is required.
static _allowPasswordModificationByAuthMode ($a_auth_mode)
 Allow password modification.
static _needsExternalAccountByAuthMode ($a_auth_mode)
 Check if chosen auth mode needs an external account entry.
static isPasswordModificationEnabled ($a_authmode)
 Check if password modification is enabled.
static supportsLocalPasswordValidation ($a_authmode)
 Check if local password validation is supported.

Data Fields

const LOCAL_PWV_FULL = 1
const LOCAL_PWV_NO = 2
const LOCAL_PWV_USER = 3

Detailed Description

static utility functions used to manage authentication modes

Author
Sascha Hofmann sasch.nosp@m.ahof.nosp@m.mann@.nosp@m.gmx..nosp@m.de
Version
$Id$

Definition at line 62 of file class.ilAuthUtils.php.

Member Function Documentation

static ilAuthUtils::_allowPasswordModificationByAuthMode (   $a_auth_mode)
static

Allow password modification.

public

Parameters
intauth_mode

Definition at line 640 of file class.ilAuthUtils.php.

References AUTH_ECS, AUTH_LDAP, AUTH_OPENID, and AUTH_RADIUS.

Referenced by ilPasswordInputGUI\checkInput(), ilObjUserGUI\editOldObject(), ilObjUserGUI\updateObject(), and ilObjUserGUI\updateObjectOld().

{
switch($a_auth_mode)
{
case AUTH_LDAP:
case AUTH_ECS:
return false;
default:
return true;
}
}

+ Here is the caller graph for this function:

ilAuthUtils::_generateLogin (   $a_login)

generate free login by starting with a default string and adding postfix numbers

Definition at line 492 of file class.ilAuthUtils.php.

Referenced by ilOpenIdAttributeToUser\create(), ilRadiusAttributeToUser\create(), ilAuthContainerECS\createUser(), ilCASAuth\login(), ilAuthContainerCAS\loginObserver(), ilAuthContainerSOAP\loginObserver(), and ilLDAPAttributeToUser\usersToXML().

{
global $ilDB;
// Check if username already exists
$found = false;
$postfix = 0;
$c_login = $a_login;
while(!$found)
{
$r = $ilDB->query("SELECT login FROM usr_data WHERE login = ".
$ilDB->quote($c_login));
if ($r->numRows() > 0)
{
$postfix++;
$c_login = $a_login.$postfix;
}
else
{
$found = true;
}
}
return $c_login;
}

+ Here is the caller graph for this function:

ilAuthUtils::_getActiveAuthModes ( )

Definition at line 438 of file class.ilAuthUtils.php.

References $ilSetting, ilLDAPServer\_getActiveServerList(), AUTH_APACHE, AUTH_CAS, AUTH_ECS, AUTH_LDAP, AUTH_LOCAL, AUTH_OPENID, AUTH_RADIUS, AUTH_SCRIPT, AUTH_SHIBBOLETH, AUTH_SOAP, ilOpenIdSettings\getInstance(), and ilECSServerSettings\getInstance().

Referenced by ilSoapInstallationInfoXMLWriter\__buildClient(), ilObjAuthSettingsGUI\authSettingsObject(), ilObjUserGUI\editOldObject(), ilSoapAdministration\getNIC(), and ilObjUserGUI\initForm().

{
global $ilias,$ilSetting;
$modes = array(
'default' => $ilSetting->get("auth_mode"),
'local' => AUTH_LOCAL
);
include_once('Services/LDAP/classes/class.ilLDAPServer.php');
{
$modes['ldap'] = AUTH_LDAP;
}
if ($ilSetting->get("radius_active")) $modes['radius'] = AUTH_RADIUS;
if ($ilSetting->get("shib_active")) $modes['shibboleth'] = AUTH_SHIBBOLETH;
if ($ilSetting->get("script_active")) $modes['script'] = AUTH_SCRIPT;
if ($ilSetting->get("cas_active")) $modes['cas'] = AUTH_CAS;
if ($ilSetting->get("soap_auth_active")) $modes['soap'] = AUTH_SOAP;
if ($ilSetting->get("apache_active")) $modes['apache'] = AUTH_APACHE;
include_once './Services/WebServices/ECS/classes/class.ilECSServerSettings.php';
if(ilECSServerSettings::getInstance()->activeServerExists())
{
$modes['ecs'] = AUTH_ECS;
}
include_once './Services/OpenId/classes/class.ilOpenIdSettings.php';
{
$modes['openid'] = AUTH_OPENID;
}
return $modes;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

ilAuthUtils::_getAuthMode (   $a_auth_mode,
  $a_db_handler = '' 
)

Definition at line 333 of file class.ilAuthUtils.php.

References $ilSetting, AUTH_APACHE, AUTH_CAS, AUTH_ECS, AUTH_LDAP, AUTH_LOCAL, AUTH_OPENID, AUTH_RADIUS, AUTH_SCRIPT, AUTH_SHIBBOLETH, and AUTH_SOAP.

Referenced by ilSoapUserAdministration\__validateUserData(), _getAuthModeOfUser(), ilPasswordInputGUI\checkInput(), ilObjUserGUI\editOldObject(), ilObjUser\getAuthMode(), ilAuthContainerMDB2\loginObserver(), ilObjUserGUI\updateObject(), and ilObjUserGUI\updateObjectOld().

{
global $ilDB, $ilSetting;
$db =& $ilDB;
if ($a_db_handler != '')
{
$db =& $a_db_handler;
}
switch ($a_auth_mode)
{
case "local":
return AUTH_LOCAL;
break;
case "ldap":
return AUTH_LDAP;
break;
case "radius":
return AUTH_RADIUS;
break;
case "script":
return AUTH_SCRIPT;
break;
case "shibboleth":
break;
case "cas":
return AUTH_CAS;
break;
case "soap":
return AUTH_SOAP;
break;
case 'ecs':
return AUTH_ECS;
case 'openid':
return AUTH_OPENID;
case 'apache':
return AUTH_APACHE;
default:
return $ilSetting->get("auth_mode");
break;
}
}

+ Here is the caller graph for this function:

static ilAuthUtils::_getAuthModeName (   $a_auth_key)
static

Definition at line 389 of file class.ilAuthUtils.php.

References AUTH_APACHE, AUTH_CAS, AUTH_ECS, AUTH_LDAP, AUTH_LOCAL, AUTH_OPENID, AUTH_RADIUS, AUTH_SCRIPT, AUTH_SHIBBOLETH, and AUTH_SOAP.

Referenced by ilSoapInstallationInfoXMLWriter\__buildClient(), ilObjUser\_checkExternalAuthAccount(), _getAllAuthModes(), ilObjUser\_getExternalAccountsByAuthMode(), ilObjAuthSettingsGUI\authSettingsObject(), ilObjUserGUI\editOldObject(), ilLDAPServer\getAuthenticationMappingKey(), ilSoapAdministration\getNIC(), ilUserImportParser\importEndTag(), ilObjUserGUI\initForm(), ilLDAPQuery\parseAuthMode(), and ilUserImportParser\verifyEndTag().

{
global $ilias;
switch ($a_auth_key)
{
case AUTH_LOCAL:
return "local";
break;
case AUTH_LDAP:
return "ldap";
break;
return "radius";
break;
case AUTH_CAS:
return "cas";
break;
return "script";
break;
return "shibboleth";
break;
case AUTH_SOAP:
return "soap";
break;
case AUTH_ECS:
return 'ecs';
return 'apache';
return 'open_id';
default:
return "default";
break;
}
}

+ Here is the caller graph for this function:

ilAuthUtils::_getAuthModeOfUser (   $a_username,
  $a_password,
  $a_db_handler = '' 
)

Definition at line 281 of file class.ilAuthUtils.php.

References $_GET, $_POST, $GLOBALS, $row, _getAuthMode(), ilAuthModeDetermination\_getInstance(), AUTH_ECS, AUTH_INACTIVE, AUTH_MULTIPLE, AUTH_OPENID, ilAuthFactory\CONTEXT_ECS, ilAuthFactory\CONTEXT_OPENID, DB_FETCHMODE_OBJECT, and ilAuthFactory\setContext().

Referenced by _initAuth().

{
global $ilDB;
if(isset($_GET['ecs_hash']) or isset($_GET['ecs_hash_url']))
{
return AUTH_ECS;
}
if(isset($_POST['auth_mode']))
{
return (int) $_POST['auth_mode'];
}
if(isset($_POST['oid_username']) or $_GET['oid_check_status'])
{
$GLOBALS['ilLog']->write(__METHOD__.' set context to open id');
return AUTH_OPENID;
}
include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
if(!$det->isManualSelection() and $det->getCountActiveAuthModes() > 1)
{
return AUTH_MULTIPLE;
}
$db =& $ilDB;
if ($a_db_handler != '')
{
$db =& $a_db_handler;
}
// Is it really necessary to check the auth mode with password ?
// Changed: smeyer
$q = "SELECT auth_mode FROM usr_data WHERE ".
"login = ".$ilDB->quote($a_username);
//"passwd = ".$ilDB->quote(md5($a_password))."";
$r = $db->query($q);
$row = $r->fetchRow(DB_FETCHMODE_OBJECT);
//echo "+".$row->auth_mode."+";
$auth_mode = self::_getAuthMode($row->auth_mode,$db);
return in_array($auth_mode,self::_getActiveAuthModes()) ? $auth_mode : AUTH_INACTIVE;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

static ilAuthUtils::_getMultipleAuthModeOptions (   $lng)
static

Definition at line 540 of file class.ilAuthUtils.php.

References $_REQUEST, $ilSetting, $lng, ilLDAPServer\_getFirstActiveServer(), ilRadiusSettings\_getInstance(), AUTH_APACHE, AUTH_LDAP, AUTH_LOCAL, and AUTH_RADIUS.

Referenced by ilStartUpGUI\showLoginForm().

{
global $ilSetting;
// in the moment only ldap is activated as additional authentication method
include_once('Services/LDAP/classes/class.ilLDAPServer.php');
$options[AUTH_LOCAL]['txt'] = $lng->txt('authenticate_ilias');
// LDAP
{
$ldap_server = new ilLDAPServer($ldap_id);
$options[AUTH_LDAP]['txt'] = $ldap_server->getName();
}
include_once('Services/Radius/classes/class.ilRadiusSettings.php');
$rad_settings = ilRadiusSettings::_getInstance();
if($rad_settings->isActive())
{
$options[AUTH_RADIUS]['txt'] = $rad_settings->getName();
}
if ($ilSetting->get('apache_active'))
{
global $lng;
$apache_settings = new ilSetting('apache_auth');
$options[AUTH_APACHE]['txt'] = $apache_settings->get('name', $lng->txt('apache_auth'));
$options[AUTH_APACHE]['hide_in_ui'] = true;
}
if($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_LDAP)
{
$default = AUTH_LDAP;
}
elseif($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_RADIUS)
{
$default = AUTH_RADIUS;
}
else
{
$default = AUTH_LOCAL;
}
$default = $ilSetting->get('default_auth_mode',$default);
$default = (int) $_REQUEST['auth_mode'] ? (int) $_REQUEST['auth_mode'] : $default;
$options[$default]['checked'] = true;
return $options ? $options : array();
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

static ilAuthUtils::_hasMultipleAuthenticationMethods ( )
static

Definition at line 518 of file class.ilAuthUtils.php.

References $ilSetting, ilLDAPServer\_getActiveServerList(), and ilRadiusSettings\_getInstance().

Referenced by ilStartUpGUI\showLoginForm().

{
include_once('Services/Radius/classes/class.ilRadiusSettings.php');
$rad_settings = ilRadiusSettings::_getInstance();
if($rad_settings->isActive())
{
return true;
}
include_once('Services/LDAP/classes/class.ilLDAPServer.php');
return true;
global $ilSetting;
if ($ilSetting->get('apache_active')) {
return true;
}
return false;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

ilAuthUtils::_initAuth ( )

initialises $ilAuth

Definition at line 72 of file class.ilAuthUtils.php.

References $_GET, $_POST, $_SESSION, $GLOBALS, $ilBench, $ilLog, $ilSetting, _getAuthModeOfUser(), AUTH_APACHE, AUTH_CAS, AUTH_ECS, AUTH_INACTIVE, AUTH_LDAP, AUTH_LOCAL, AUTH_MODE_INACTIVE, AUTH_MULTIPLE, AUTH_OPENID, AUTH_RADIUS, AUTH_SHIBBOLETH, AUTH_SOAP, ilSessionControl\checkExpiredSession(), ilAuthFactory\CONTEXT_APACHE, ilAuthFactory\CONTEXT_CAS, ilAuthFactory\factory(), ilSession\getIdleValue(), ilAuthFactory\setContext(), and WebDAV_Authentication.

Referenced by ilInitialisation\goToPublicSection(), and ilInitialisation\initUser().

{
global $ilAuth, $ilSetting, $ilDB, $ilClientIniFile,$ilBench;
$user_auth_mode = false;
$ilBench->start('Auth','initAuth');
// get default auth mode
//$default_auth_mode = $this->getSetting("auth_mode");
define ("AUTH_DEFAULT", $ilSetting->get("auth_mode") ? $ilSetting->get("auth_mode") : AUTH_LOCAL);
// determine authentication method if no session is found and username & password is posted
// does this if statement make any sense? we enter this block nearly everytime.
if (empty($_SESSION) ||
(!isset($_SESSION['_authsession']['registered']) ||
$_SESSION['_authsession']['registered'] !== true))
{
// no sesssion found
if (isset($_POST['username']) and $_POST['username'] != '' and $_POST['password'] != '' or isset($_GET['ecs_hash']) or isset($_GET['ecs_hash_url']) or isset($_POST['oid_username']) or isset($_GET['oid_check_status']))
{
$user_auth_mode = ilAuthUtils::_getAuthModeOfUser($_POST['username'], $_POST['password'], $ilDB);
if ($user_auth_mode == AUTH_CAS && $ilSetting->get("cas_allow_local"))
{
$user_auth_mode = AUTH_LOCAL;
}
if ($user_auth_mode == AUTH_SOAP && $ilSetting->get("soap_auth_allow_local"))
{
$user_auth_mode = AUTH_LOCAL;
}
if ($user_auth_mode == AUTH_SHIBBOLETH && $ilSetting->get("shib_auth_allow_local"))
{
$user_auth_mode = AUTH_LOCAL;
}
}
else if ($_POST['auth_mode'] == AUTH_APACHE)
{
$user_auth_mode = AUTH_APACHE;
}
}
// to do: other solution?
if (!$ilSetting->get("soap_auth_active") && $user_auth_mode == AUTH_SOAP)
{
$user_auth_mode = AUTH_LOCAL;
}
if($ilSetting->get("cas_active") && $_GET['forceCASLogin'])
{
$user_auth_mode = AUTH_CAS;
}
if($ilSetting->get("apache_active") && $user_auth_mode == AUTH_APACHE)
{
$user_auth_mode = AUTH_APACHE;
}
// BEGIN WebDAV: Share session between browser and WebDAV client.
// The realm is needed to support a common session between Auth_HTTP and Auth.
// It also helps us to distinguish between parallel sessions run on different clients.
// Common session only works if we use a common session name starting with "_authhttp".
// We must use the "_authttp" prefix, because it is hardcoded in the session name of
// class Auth_HTTP.
// Whenever we use Auth_HTTP, we need to explicitly switch off "sessionSharing", because
// it interfers with the session mechanism of the other Auth modules. If we would
// keep this switched on, then users could steal each others session, which would cause
// a major security breach.
// Note: The realm and sessionName used here, must be the same as in
// class ilBaseAuthentication. Otherwise, Soap clients won't be able to log
// in to ILIAS.
$realm = CLIENT_ID;
//$this->writelog('ilias.php realm='.$realm);
// END WebDAV: Share session between browser and WebDAV client.
//var_dump($_SESSION);
//echo "1-".$ilSetting->get("soap_auth_active")."-";
// if soap authentication activated and soap credentials given
if (($ilSetting->get("soap_auth_active") && !empty($_GET["ext_uid"])
&& !empty($_GET["soap_pw"])) || $user_auth_mode == AUTH_SOAP)
{
define('AUTH_CURRENT',AUTH_SOAP);
}
// if Shibboleth is active and the user is authenticated
// we set auth_mode to Shibboleth
else if ( $ilSetting->get("shib_active")
&& $_SERVER[$ilSetting->get("shib_login")])
{
define ("AUTH_CURRENT", AUTH_SHIBBOLETH);
}
else
{
define ("AUTH_CURRENT", $user_auth_mode);
}
//var_dump($_SESSION);
// Determine the authentication method to use
if (defined("WebDAV_Authentication") && WebDAV_Authentication == 'HTTP') {
// Since WebDAV clients create the login form by
// themselves, we can not provide buttons on the form for
// choosing an authentication method.
// If the user is already logged in, we continue using
// the current authentication method. If the user is
// not logged in yet, we use the "multiple authentication"
// method using a predefined sequence of authentication methods.
$authmode = AUTH_CURRENT ? AUTH_CURRENT : AUTH_MULTIPLE;
}
else
{
$authmode = AUTH_CURRENT;
}
//var_dump($authmode);
// if no auth mode selected AND default mode is AUTH_APACHE then use it...
if ($authmode == null && AUTH_DEFAULT == AUTH_APACHE)
$authmode = AUTH_APACHE;
switch ($authmode)
{
case AUTH_LDAP:
include_once './Services/LDAP/classes/class.ilAuthContainerLDAP.php';
break;
include_once './Services/Radius/classes/class.ilAuthContainerRadius.php';
break;
// build option string for SHIB::Auth
$auth_params = array();
$auth_params['sessionName'] = "_authhttp".md5($realm);
$ilAuth = new ShibAuth($auth_params,true);
break;
case AUTH_CAS:
include_once './Services/CAS/classes/class.ilAuthContainerCAS.php';
break;
case AUTH_SOAP:
include_once './Services/SOAPAuth/classes/class.ilAuthContainerSOAP.php';
break;
include_once './Services/Authentication/classes/class.ilAuthContainerMultiple.php';
break;
case AUTH_ECS:
include_once './Services/WebServices/ECS/classes/class.ilAuthContainerECS.php';
break;
include_once './Services/OpenId/classes/class.ilAuthContainerOpenId.php';
break;
require_once('./Services/Authentication/classes/class.ilAuthInactive.php');
break;
include_once './Services/AuthApache/classes/class.ilAuthContainerApache.php';
break;
case AUTH_LOCAL:
default:
global $ilLog;
include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
break;
}
// Due to a bug in Pear Auth_HTTP, we can't use idle time
// with WebDAV clients. If we used it, users could never log
// back into ILIAS once their session idled out. :(
if (!defined("WebDAV_Authentication") || WebDAV_Authentication != 'HTTP')
{
$ilAuth->setIdle(ilSession::getIdleValue(), false);
}
$ilAuth->setExpire(0);
ini_set("session.cookie_lifetime", "0");
//echo "-".get_class($ilAuth)."-";
$GLOBALS['ilAuth'] =& $ilAuth;
$ilBench->stop('Auth','initAuth');
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

static ilAuthUtils::_isExternalAccountEnabled ( )
static

Check if an external account name is required.

That's the case if Radius,LDAP, CAS or SOAP is active

public

Parameters

Definition at line 599 of file class.ilAuthUtils.php.

References $ilSetting, ilLDAPServer\_getActiveServerList(), and ilOpenIdSettings\getInstance().

Referenced by ilObjUserGUI\editOldObject(), ilObjUserGUI\initForm(), and ilObjUserGUI\saveObject().

{
global $ilSetting;
if($ilSetting->get("cas_active"))
{
return true;
}
if($ilSetting->get("soap_auth_active"))
{
return true;
}
if($ilSetting->get("shib_active"))
{
return true;
}
if($ilSetting->get('radius_active'))
{
return true;
}
include_once('Services/LDAP/classes/class.ilLDAPServer.php');
{
return true;
}
include_once './Services/OpenId/classes/class.ilOpenIdSettings.php';
{
return true;
}
return false;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

static ilAuthUtils::_needsExternalAccountByAuthMode (   $a_auth_mode)
static

Check if chosen auth mode needs an external account entry.

public

Parameters
intauth_mode

Definition at line 662 of file class.ilAuthUtils.php.

References AUTH_APACHE, and AUTH_LOCAL.

Referenced by ilSoapUserAdministration\__validateUserData(), ilObjUser\isPasswordChangeDemanded(), and ilObjUserGUI\updateObjectOld().

{
switch($a_auth_mode)
{
case AUTH_LOCAL:
return false;
default:
return true;
}
}

+ Here is the caller graph for this function:

static ilAuthUtils::isPasswordModificationEnabled (   $a_authmode)
static

Check if password modification is enabled.

Parameters
object$a_authmode
Returns

Definition at line 679 of file class.ilAuthUtils.php.

References $ilSetting, AUTH_APACHE, AUTH_CAS, AUTH_ECS, AUTH_LDAP, AUTH_LOCAL, AUTH_OPENID, AUTH_RADIUS, AUTH_SCRIPT, AUTH_SHIBBOLETH, and AUTH_SOAP.

Referenced by ilPersonalSettingsGUI\allowPasswordChange(), ilAuthContainerMDB2\loginObserver(), and supportsLocalPasswordValidation().

{
global $ilSetting;
if($ilSetting->get('usr_settings_hide_password') or $ilSetting->get('usr_settings_disable_password'))
{
return false;
}
switch($a_authmode)
{
// No local passwords for these auth modes
case AUTH_LDAP:
case AUTH_ECS:
return false;
// Always for openid and local
case AUTH_LOCAL:
return true;
// Read setting:
return $ilSetting->get("shib_auth_allow_local");
case AUTH_SOAP:
return $ilSetting->get("soap_auth_allow_local");
case AUTH_CAS:
return $ilSetting->get("cas_allow_local");
}
}

+ Here is the caller graph for this function:

static ilAuthUtils::supportsLocalPasswordValidation (   $a_authmode)
static

Check if local password validation is supported.

Parameters
object$a_authmode
Returns

Definition at line 718 of file class.ilAuthUtils.php.

References AUTH_APACHE, AUTH_CAS, AUTH_ECS, AUTH_LDAP, AUTH_LOCAL, AUTH_OPENID, AUTH_RADIUS, AUTH_SCRIPT, AUTH_SHIBBOLETH, AUTH_SOAP, isPasswordModificationEnabled(), LOCAL_PWV_FULL, LOCAL_PWV_NO, and LOCAL_PWV_USER.

Referenced by ilDAVUtils\isLocalPasswordInstructionRequired().

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Field Documentation

const ilAuthUtils::LOCAL_PWV_FULL = 1

Definition at line 64 of file class.ilAuthUtils.php.

Referenced by supportsLocalPasswordValidation().

const ilAuthUtils::LOCAL_PWV_NO = 2

Definition at line 65 of file class.ilAuthUtils.php.

Referenced by supportsLocalPasswordValidation().

const ilAuthUtils::LOCAL_PWV_USER = 3

The documentation for this class was generated from the following file: