ILIAS  release_5-0 Revision 5.0.0-1144-gc4397b1f870
class.ilAuthContainerLDAP.php
Go to the documentation of this file.
1<?php
2/*
3 +-----------------------------------------------------------------------------+
4 | ILIAS open source |
5 +-----------------------------------------------------------------------------+
6 | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7 | |
8 | This program is free software; you can redistribute it and/or |
9 | modify it under the terms of the GNU General Public License |
10 | as published by the Free Software Foundation; either version 2 |
11 | of the License, or (at your option) any later version. |
12 | |
13 | This program is distributed in the hope that it will be useful, |
14 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | GNU General Public License for more details. |
17 | |
18 | You should have received a copy of the GNU General Public License |
19 | along with this program; if not, write to the Free Software |
20 | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21 +-----------------------------------------------------------------------------+
22*/
23
24include_once 'Auth/Container/LDAP.php';
25
36class ilAuthContainerLDAP extends Auth_Container_LDAP
37{
38 private static $force_creation = false;
39
40 private $optional_check = false;
41
42 private $log = null;
43 private $server = null;
44 private $ldap_attr_to_user = null;
45
46
54 public function __construct()
55 {
56 global $ilLog;
57
58 include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
59 $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
60 $this->log = $ilLog;
61
62 parent::__construct($this->server->toPearAuthArray());
63 }
64
65 public function forceCreation($a_status)
66 {
67 self::$force_creation = $a_status;
68 }
69
77 public function enableOptionalGroupCheck()
78 {
79 $this->optional_check = true;
80 $this->updateUserFilter();
81 }
82
89 public function enabledOptionalGroupCheck()
90 {
91 return (bool) $this->optional_check;
92 }
93
100 public function fetchData($username, $password)
101 {
102 if(!$this->server->doConnectionCheck())
103 {
104 return FALSE;
105 }
106
107
108 $res = parent::fetchData($username,$password);
109
110 if (PEAR::isError($res))
111 {
112 $this->log('Container '.$key.': '.$res->getMessage(), AUTH_LOG_ERR);
113 return $res;
114 }
115 elseif ($res == true)
116 {
117 $this->log('Container '.$key.': Authentication successful.', AUTH_LOG_DEBUG);
118 return true;
119 }
120 if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
121 {
122 $this->enableOptionalGroupCheck();
123 return parent::fetchData($username,$password);
124 }
125 return false;
126 }
127
128
137 public function checkGroup($a_name)
138 {
139 $this->log->write(__METHOD__.': checking group restrictions...');
140
141 // if there are multiple groups define check all of them for membership
142 $groups = $this->server->getGroupNames();
143
144 if(!count($groups))
145 {
146 $this->log->write(__METHOD__.': No group restrictions found.');
147 return true;
148 }
149 elseif($this->server->isMembershipOptional() and !$this->optional_check)
150 {
151 $this->log->write(__METHOD__.': Group membership is optional.');
152 return true;
153 }
154
155 foreach($groups as $group)
156 {
157 $this->options['group'] = $group;
158
159 if(parent::checkGroup($a_name))
160 {
161 return true;
162 }
163 }
164 return false;
165 }
166
173 private function updateUserFilter()
174 {
175 $this->options['userfilter'] = $this->server->getGroupUserFilter();
176 }
177
183 public function loginObserver($a_username,$a_auth)
184 {
185 global $ilLog;
186
187 $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
188
189 $a_username = $this->extractUserName($user_data);
190
191 include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
192 $sync = new ilLDAPUserSynchronisation('ldap', $this->server->getServerId());
193 $sync->setExternalAccount($a_username);
194 $sync->setUserData($user_data);
195 $sync->forceCreation(self::$force_creation);
196
197 try {
198 $internal_account = $sync->sync();
199 }
200 catch(UnexpectedValueException $e) {
201 $GLOBALS['ilLog']->write(__METHOD__.': Login failed with message: '. $e->getMessage());
202 $a_auth->status = AUTH_WRONG_LOGIN;
203 $a_auth->logout();
204 return false;
205 }
206 catch(ilLDAPSynchronisationForbiddenException $e) {
207 // No syncronisation allowed => create Error
208 $GLOBALS['ilLog']->write(__METHOD__.': Login failed with message: '. $e->getMessage());
209 $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
210 $a_auth->logout();
211 return false;
212 }
213 catch(ilLDAPAccountMigrationRequiredException $e) {
214 $GLOBALS['ilLog']->write(__METHOD__.': Starting account migration.');
215 $a_auth->logout();
216 ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
217 }
218
219 $a_auth->setAuth($internal_account);
220 return true;
221 }
228 private function initLDAPAttributeToUser()
229 {
230 include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
231 $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
232 }
233
239 public function failedLoginObserver($a_username,$a_auth)
240 {
241 return false;
242 }
243
249 protected function extractUserName($a_user_data)
250 {
251 $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
252 $a_user_data[strtolower($this->server->getUserAttribute())] :
253 trim($a_user_data);
254
255 // Support for multiple user attributes
256 if(!is_array($a_username))
257 {
258 return $a_username;
259 }
260 foreach($a_username as $name)
261 {
262 // User found with authentication method 'ldap'
263 if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
264 {
265 return trim($name);
266 }
267 }
268 // No existing user found => return first name
269 return $a_username[0];
270 }
271
277 protected function updateRequired($a_username)
278 {
279 if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
280 {
281 #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
282 return true;
283 }
284 // Check attribute mapping on login
285 include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
286 if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
287 {
288 #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
289 return true;
290 }
291 include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
292 if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
293 {
294 #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
295 return true;
296 }
297 return false;
298 }
299
303 public function supportsCaptchaVerification()
304 {
305 return true;
306 }
307}
308?>
AUTH_LOG_DEBUG
const AUTH_LOG_DEBUG
Auth Log level - DEBUG.
Definition: Auth.php:59
AUTH_WRONG_LOGIN
const AUTH_WRONG_LOGIN
Returned if container is unable to authenticate user/password pair.
Definition: Auth.php:38
Auth_Container_LDAP
Definition: LDAP.php:204
Auth_Container\log
log($message, $level=AUTH_LOG_DEBUG)
Log a message to the Auth log.
Definition: Container.php:246
PEAR\isError
isError($data, $code=null)
Tell whether a value is a PEAR error.
Definition: PEAR.php:279
AUTH_LDAP_NO_ILIAS_USER
const AUTH_LDAP_NO_ILIAS_USER
Definition: class.ilAuthUtils.php:27
ilAuthContainerLDAP
Overwritten Pear class AuthContainerLDAP This class is overwritten to support nested groups.
Definition: class.ilAuthContainerLDAP.php:37
ilAuthContainerLDAP\loginObserver
loginObserver($a_username, $a_auth)
Called from fetchData after successful login.
Definition: class.ilAuthContainerLDAP.php:183
ilAuthContainerLDAP\updateRequired
updateRequired($a_username)
Check if an update is required.
Definition: class.ilAuthContainerLDAP.php:277
ilAuthContainerLDAP\updateUserFilter
updateUserFilter()
Update user filter.
Definition: class.ilAuthContainerLDAP.php:173
ilAuthContainerLDAP\initLDAPAttributeToUser
initLDAPAttributeToUser()
Init LDAP attribute mapping.
Definition: class.ilAuthContainerLDAP.php:228
ilAuthContainerLDAP\checkGroup
checkGroup($a_name)
check group overwritten base class
Definition: class.ilAuthContainerLDAP.php:137
ilAuthContainerLDAP\fetchData
fetchData($username, $password)
Overwritten from base class.
Definition: class.ilAuthContainerLDAP.php:100
ilAuthContainerLDAP\failedLoginObserver
failedLoginObserver($a_username, $a_auth)
Called from fetchData after failed login.
Definition: class.ilAuthContainerLDAP.php:239
ilAuthContainerLDAP\enableOptionalGroupCheck
enableOptionalGroupCheck()
enable optional group check
Definition: class.ilAuthContainerLDAP.php:77
ilAuthContainerLDAP\enabledOptionalGroupCheck
enabledOptionalGroupCheck()
Check if optional group check is enabled.
Definition: class.ilAuthContainerLDAP.php:89
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:13
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate($a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:120
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:35
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:85
ilLDAPServer\_getFirstActiveServer
static _getFirstActiveServer()
Get first active server.
Definition: class.ilLDAPServer.php:180
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:15
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3767
ilUtil\redirect
static redirect($a_script)
http redirect to other script
Definition: class.ilUtil.php:3611
$GLOBALS
$GLOBALS['ct_recipient']
Definition: example_form.ajax.php:4
$ilLog
$ilLog
Definition: inc.setup_header.php:132