ILIAS  release_4-4 Revision
ilAuthContainerLDAP Class Reference

Overridden PEAR class Auth_Container_LDAP. This class is overridden to support nested groups.


Public Member Functions

    __construct ()
        Constructor.

    forceCreation ($a_status)

    enableOptionalGroupCheck ()
        Enable the optional group check.

    enabledOptionalGroupCheck ()
        Check whether the optional group check is enabled.

    fetchData ($username, $password)
        Overrides the base class method.

    checkGroup ($a_name)
        Check group membership; overrides the base class method.

    loginObserver ($a_username, $a_auth)
        Called from fetchData after successful login.

    failedLoginObserver ($a_username, $a_auth)
        Called from fetchData after failed login.

    supportsCaptchaVerification ()

- Public Member Functions inherited from Auth_Container_LDAP

    Auth_Container_LDAP ($params)
        Constructor of the container class.

    _prepare ()
        Prepare the LDAP connection.

    _connect ()
        Connect to the LDAP server using the global options.

    _disconnect ()
        Disconnects (unbinds) from the LDAP server.

    _getBaseDN ()
        Tries to find the base DN via the namingContext attribute.

    _isValidLink ()
        Determines whether there is a valid LDAP connection or not.

    _setDefaults ()
        Set some default options.

    _parseOptions ($array)
        Parse options passed to the container class.

    _setV12OptionsToV13 ($array)
        Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP.

    _scope2function ($scope)
        Get the search function for a scope.

    fetchData ($username, $password)
        Fetch data from the LDAP server.

    checkGroup ($user)
        Validate group membership.

    _quoteFilterString ($filter_str)
        Escapes LDAP filter special characters as defined in RFC 2254.

- Public Member Functions inherited from Auth_Container

    Auth_Container ()
        Constructor.

    fetchData ($username, $password, $isChallengeResponse=false)
        Fetch data from the storage container.

    verifyPassword ($password1, $password2, $cryptType="md5")
        Crypt and verify the entered password.

    supportsChallengeResponse ()
        Returns true if the container supports challenge-response password authentication.

    getCryptType ()
        Returns the current crypt type of the container.

    listUsers ()
        List all users that are available from the storage container.

    getUser ($username)
        Returns a user assoc array.

    addUser ($username, $password, $additional=null)
        Add a new user to the storage container.

    removeUser ($username)
        Remove a user from the storage container.

    changePassword ($username, $password)
        Change the password for a user in the storage container.

    log ($message, $level=AUTH_LOG_DEBUG)
        Log a message to the Auth log.

- Public Member Functions inherited from ilAuthContainerBase

    loginObserver ($a_username, $a_auth)
        Called after successful login.

    failedLoginObserver ($a_username, $a_auth)
        Called after failed login.

    checkAuthObserver ($a_username, $a_auth)
        Called after check auth requests.

    logoutObserver ($a_username, $a_auth)
        Called after logout.

    supportsCaptchaVerification ()
        Returns whether or not the auth container supports the verification of captchas. This should be true for those auth methods which are available in the default login form.


Protected Member Functions

    extractUserName ($a_user_data)

    updateRequired ($a_username)
        Check if an update is required.

Private Member Functions

    updateUserFilter ()
        Update the user filter.

    initLDAPAttributeToUser ()
        Init the LDAP attribute mapping.

Private Attributes

    $optional_check = false
    $log = null
    $server = null
    $ldap_attr_to_user = null

Static Private Attributes

    static $force_creation = false

Additional Inherited Members

- Data Fields inherited from Auth_Container_LDAP

    $options = array()
    $conn_id = false

- Data Fields inherited from Auth_Container

    $activeUser = ""
        User that is currently selected from the storage container.

    $_auth_obj = null
        The Auth object this container is attached to.
 

Detailed Description

Overridden PEAR class Auth_Container_LDAP. This class is overridden to support nested groups.

Author
    Stefan Meyer <smeyer.ilias@gmx.de>
Version
    $Id$

Definition at line 36 of file class.ilAuthContainerLDAP.php.

Constructor & Destructor Documentation

◆ __construct()

ilAuthContainerLDAP::__construct ( )

Constructor.

public

Parameters
    array: array of PEAR parameters (not present in the signature above; the PEAR parameter array is built inside the constructor from ilLDAPServer::toPearAuthArray())

Definition at line 54 of file class.ilAuthContainerLDAP.php.

References $ilLog, ilLDAPServer\_getFirstActiveServer(), and Auth_Container\log().

    {
        global $ilLog;

        include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
        // This line was elided in the extracted listing; reconstructed from the
        // References entry ilLDAPServer\_getFirstActiveServer() above.
        $this->server = ilLDAPServer::_getFirstActiveServer();
        $this->log = $ilLog;

        // Hand the active server's settings to the PEAR container as its parameter array
        parent::__construct($this->server->toPearAuthArray());
    }

Member Function Documentation

◆ checkGroup()

ilAuthContainerLDAP::checkGroup (   $a_name)

Check group membership; overrides the base class method. When several groups are configured, each is checked in turn and membership in any one of them is sufficient.

public

Parameters
    string $a_name: user name (DN or external account name)

Definition at line 137 of file class.ilAuthContainerLDAP.php.

References $optional_check, and Auth_Container\log().

    {
        $this->log->write(__METHOD__.': checking group restrictions...');

        // If multiple groups are defined, check each of them for membership
        $groups = $this->server->getGroupNames();

        if(!count($groups))
        {
            $this->log->write(__METHOD__.': No group restrictions found.');
            return true;
        }
        elseif($this->server->isMembershipOptional() and !$this->optional_check)
        {
            $this->log->write(__METHOD__.': Group membership is optional.');
            return true;
        }

        foreach($groups as $group)
        {
            // parent::checkGroup() reads the group to test from $this->options['group']
            $this->options['group'] = $group;

            if(parent::checkGroup($a_name))
            {
                return true;
            }
        }
        return false;
    }

◆ enabledOptionalGroupCheck()

ilAuthContainerLDAP::enabledOptionalGroupCheck ( )

Check whether the optional group check is enabled.

public

Definition at line 89 of file class.ilAuthContainerLDAP.php.

References $optional_check.

Referenced by fetchData().

    {
        return (bool) $this->optional_check;
    }

◆ enableOptionalGroupCheck()

ilAuthContainerLDAP::enableOptionalGroupCheck ( )

Enable the optional group check.

public

Definition at line 77 of file class.ilAuthContainerLDAP.php.

References updateUserFilter().

Referenced by fetchData().

    {
        $this->optional_check = true;
        // Switch the LDAP user filter to the group user filter
        $this->updateUserFilter();
    }

◆ extractUserName()

ilAuthContainerLDAP::extractUserName (   $a_user_data)
protected

Extract the user name from the LDAP user data. If the configured user attribute holds several values, the first value already registered as an external 'ldap' account is returned; otherwise the first value is used.

Parameters
    array $a_user_data: LDAP user data (attribute names lower-cased)

Definition at line 249 of file class.ilAuthContainerLDAP.php.

References ilObjUser\_checkExternalAuthAccount().

Referenced by loginObserver().

    {
        $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
            $a_user_data[strtolower($this->server->getUserAttribute())] :
            trim($a_user_data);

        // Support for multiple user attributes
        if(!is_array($a_username))
        {
            return $a_username;
        }
        foreach($a_username as $name)
        {
            // User found with authentication method 'ldap'
            if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
            {
                return trim($name);
            }
        }
        // No existing user found => return the first value
        return $a_username[0];
    }

◆ failedLoginObserver()

ilAuthContainerLDAP::failedLoginObserver (   $a_username,
  $a_auth 
)

Called from fetchData after failed login.

Parameters
    string $a_username: username
    object $a_auth: PEAR Auth object

Definition at line 239 of file class.ilAuthContainerLDAP.php.

    {
        return false;
    }

◆ fetchData()

ilAuthContainerLDAP::fetchData (   $username,
  $password 
)

Overrides the base class method. Authenticates against the LDAP server; if that fails, group membership is optional and the optional group check has not yet been enabled, the check is enabled (switching to the group user filter) and the lookup is retried once.

Parameters
    object $username
    object $password
Returns
    true on success, the PEAR_Error on error, false otherwise

Definition at line 100 of file class.ilAuthContainerLDAP.php.

References $res, AUTH_LOG_DEBUG, enabledOptionalGroupCheck(), enableOptionalGroupCheck(), PEAR\isError(), and Auth_Container\log().

    {
        if(!$this->server->doConnectionCheck())
        {
            return FALSE;
        }

        $res = parent::fetchData($username,$password);

        if (PEAR::isError($res))
        {
            // The original listing used an undefined $key in the log prefix; __METHOD__ is used instead
            $this->log(__METHOD__.': '.$res->getMessage(), AUTH_LOG_ERR);
            return $res;
        }
        elseif ($res == true)
        {
            $this->log(__METHOD__.': Authentication successful.', AUTH_LOG_DEBUG);
            return true;
        }
        // Second attempt with the group user filter, if membership is optional
        if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
        {
            $this->enableOptionalGroupCheck();
            return parent::fetchData($username,$password);
        }
        return false;
    }

◆ forceCreation()

ilAuthContainerLDAP::forceCreation (   $a_status)

Set the static flag that is handed to ilLDAPUserSynchronisation::forceCreation() in loginObserver().

Parameters
    bool $a_status

Definition at line 65 of file class.ilAuthContainerLDAP.php.

    {
        self::$force_creation = $a_status;
    }

◆ initLDAPAttributeToUser()

ilAuthContainerLDAP::initLDAPAttributeToUser ( )
private

Init the LDAP attribute mapping.

Definition at line 228 of file class.ilAuthContainerLDAP.php.

    {
        include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
        $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
    }

◆ loginObserver()

ilAuthContainerLDAP::loginObserver (   $a_username,
  $a_auth 
)

Called from fetchData after successful login. Synchronises the LDAP account with the ILIAS user account; a login is rejected when synchronisation fails or is not allowed, and the user is redirected to account migration when that is required.

Parameters
    string $a_username: username
    object $a_auth: PEAR Auth object

Definition at line 183 of file class.ilAuthContainerLDAP.php.

References $GLOBALS, $ilLog, AUTH_LDAP_NO_ILIAS_USER, AUTH_WRONG_LOGIN, extractUserName(), ilUtil\redirect(), and ilLDAPUserSynchronisation\setExternalAccount().

    {
        global $ilLog;

        $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);

        $a_username = $this->extractUserName($user_data);

        include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
        $sync = new ilLDAPUserSynchronisation('ldap', $this->server->getServerId());
        $sync->setExternalAccount($a_username);
        $sync->setUserData($user_data);
        $sync->forceCreation(self::$force_creation);

        try {
            $internal_account = $sync->sync();
        }
        catch(UnexpectedValueException $e) {
            $GLOBALS['ilLog']->write(__METHOD__.': Login failed with message: '. $e->getMessage());
            $a_auth->status = AUTH_WRONG_LOGIN;
            $a_auth->logout();
            return false;
        }
        // The two catch headers below were elided in the extracted listing and are
        // reconstructed; the exception types are those of Services/LDAP.
        catch(ilLDAPSynchronisationForbiddenException $e) {
            // No synchronisation allowed => create error
            $GLOBALS['ilLog']->write(__METHOD__.': Login failed with message: '. $e->getMessage());
            $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
            $a_auth->logout();
            return false;
        }
        catch(ilLDAPAccountMigrationRequiredException $e) {
            // Account migration required: end the session and redirect to the migration screen
            $GLOBALS['ilLog']->write(__METHOD__.': Starting account migration.');
            $a_auth->logout();
            ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
        }

        $a_auth->setAuth($internal_account);
        return true;
    }

◆ supportsCaptchaVerification()

ilAuthContainerLDAP::supportsCaptchaVerification ( )

Returns
    bool

Definition at line 303 of file class.ilAuthContainerLDAP.php.

    {
        return true;
    }

◆ updateRequired()

ilAuthContainerLDAP::updateRequired (   $a_username)
protected

Check if an update is required.

Parameters
    string $a_username
Returns
    bool

Definition at line 277 of file class.ilAuthContainerLDAP.php.

References ilObjUser\_checkExternalAuthAccount(), ilLDAPRoleAssignmentRule\hasRulesForUpdate(), and ilLDAPAttributeMapping\hasRulesForUpdate().

    {
        // No ILIAS account for this external account yet
        if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
        {
            #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
            return true;
        }
        // Check attribute mapping on login
        include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
        if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
        {
            #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
            return true;
        }
        // Check role assignment rules on login; this condition was elided in the
        // extracted listing and is reconstructed from the References entry above
        include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
        if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
        {
            #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
            return true;
        }
        return false;
    }

◆ updateUserFilter()

ilAuthContainerLDAP::updateUserFilter ( )
private

Update the user filter.

Definition at line 173 of file class.ilAuthContainerLDAP.php.

Referenced by enableOptionalGroupCheck().

    {
        $this->options['userfilter'] = $this->server->getGroupUserFilter();
    }

Field Documentation

◆ $force_creation

ilAuthContainerLDAP::$force_creation = false
static private

Definition at line 38 of file class.ilAuthContainerLDAP.php.

◆ $ldap_attr_to_user

ilAuthContainerLDAP::$ldap_attr_to_user = null
private

Definition at line 44 of file class.ilAuthContainerLDAP.php.

◆ $log

ilAuthContainerLDAP::$log = null
private

Definition at line 42 of file class.ilAuthContainerLDAP.php.

◆ $optional_check

ilAuthContainerLDAP::$optional_check = false
private

Definition at line 40 of file class.ilAuthContainerLDAP.php.

Referenced by checkGroup(), and enabledOptionalGroupCheck().

◆ $server

ilAuthContainerLDAP::$server = null
private

Definition at line 43 of file class.ilAuthContainerLDAP.php.


The documentation for this class was generated from the following file: