ILIAS  release_5-0 Revision 5.0.0-1144-gc4397b1f870
All Data Structures Namespaces Files Functions Variables Modules Pages
class.ilAuthContainerLDAP.php
Go to the documentation of this file.
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
24 include_once 'Auth/Container/LDAP.php';
25 
36 class ilAuthContainerLDAP extends Auth_Container_LDAP
37 {
38  private static $force_creation = false;
39 
40  private $optional_check = false;
41 
42  private $log = null;
43  private $server = null;
44  private $ldap_attr_to_user = null;
45 
46 
54  public function __construct()
55  {
56  global $ilLog;
57 
58  include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
59  $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
60  $this->log = $ilLog;
61 
62  parent::__construct($this->server->toPearAuthArray());
63  }
64 
65  public function forceCreation($a_status)
66  {
67  self::$force_creation = $a_status;
68  }
69 
77  public function enableOptionalGroupCheck()
78  {
79  $this->optional_check = true;
80  $this->updateUserFilter();
81  }
82 
89  public function enabledOptionalGroupCheck()
90  {
91  return (bool) $this->optional_check;
92  }
93 
100  public function fetchData($username, $password)
101  {
102  if(!$this->server->doConnectionCheck())
103  {
104  return FALSE;
105  }
106 
107 
108  $res = parent::fetchData($username,$password);
109 
110  if (PEAR::isError($res))
111  {
112  $this->log('Container '.$key.': '.$res->getMessage(), AUTH_LOG_ERR);
113  return $res;
114  }
115  elseif ($res == true)
116  {
117  $this->log('Container '.$key.': Authentication successful.', AUTH_LOG_DEBUG);
118  return true;
119  }
120  if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
121  {
122  $this->enableOptionalGroupCheck();
123  return parent::fetchData($username,$password);
124  }
125  return false;
126  }
127 
128 
137  public function checkGroup($a_name)
138  {
139  $this->log->write(__METHOD__.': checking group restrictions...');
140 
141  // if there are multiple groups define check all of them for membership
142  $groups = $this->server->getGroupNames();
143 
144  if(!count($groups))
145  {
146  $this->log->write(__METHOD__.': No group restrictions found.');
147  return true;
148  }
149  elseif($this->server->isMembershipOptional() and !$this->optional_check)
150  {
151  $this->log->write(__METHOD__.': Group membership is optional.');
152  return true;
153  }
154 
155  foreach($groups as $group)
156  {
157  $this->options['group'] = $group;
158 
159  if(parent::checkGroup($a_name))
160  {
161  return true;
162  }
163  }
164  return false;
165  }
166 
173  private function updateUserFilter()
174  {
175  $this->options['userfilter'] = $this->server->getGroupUserFilter();
176  }
177 
183  public function loginObserver($a_username,$a_auth)
184  {
185  global $ilLog;
186 
187  $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
188 
189  $a_username = $this->extractUserName($user_data);
190 
191  include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
192  $sync = new ilLDAPUserSynchronisation('ldap', $this->server->getServerId());
193  $sync->setExternalAccount($a_username);
194  $sync->setUserData($user_data);
195  $sync->forceCreation(self::$force_creation);
196 
197  try {
198  $internal_account = $sync->sync();
199  }
200  catch(UnexpectedValueException $e) {
201  $GLOBALS['ilLog']->write(__METHOD__.': Login failed with message: '. $e->getMessage());
202  $a_auth->status = AUTH_WRONG_LOGIN;
203  $a_auth->logout();
204  return false;
205  }
206  catch(ilLDAPSynchronisationForbiddenException $e) {
207  // No syncronisation allowed => create Error
208  $GLOBALS['ilLog']->write(__METHOD__.': Login failed with message: '. $e->getMessage());
209  $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
210  $a_auth->logout();
211  return false;
212  }
213  catch(ilLDAPAccountMigrationRequiredException $e) {
214  $GLOBALS['ilLog']->write(__METHOD__.': Starting account migration.');
215  $a_auth->logout();
216  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
217  }
218 
219  $a_auth->setAuth($internal_account);
220  return true;
221  }
228  private function initLDAPAttributeToUser()
229  {
230  include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
231  $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
232  }
233 
239  public function failedLoginObserver($a_username,$a_auth)
240  {
241  return false;
242  }
243 
249  protected function extractUserName($a_user_data)
250  {
251  $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
252  $a_user_data[strtolower($this->server->getUserAttribute())] :
253  trim($a_user_data);
254 
255  // Support for multiple user attributes
256  if(!is_array($a_username))
257  {
258  return $a_username;
259  }
260  foreach($a_username as $name)
261  {
262  // User found with authentication method 'ldap'
263  if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
264  {
265  return trim($name);
266  }
267  }
268  // No existing user found => return first name
269  return $a_username[0];
270  }
271 
277  protected function updateRequired($a_username)
278  {
279  if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
280  {
281  #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
282  return true;
283  }
284  // Check attribute mapping on login
285  include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
286  if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
287  {
288  #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
289  return true;
290  }
291  include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
292  if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
293  {
294  #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
295  return true;
296  }
297  return false;
298  }
299 
303  public function supportsCaptchaVerification()
304  {
305  return true;
306  }
307 }
308 ?>
ilLDAPServer\_getFirstActiveServer
static _getFirstActiveServer()
Get first active server.
Definition: class.ilLDAPServer.php:180
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:85
ilAuthContainerLDAP\checkGroup
checkGroup($a_name)
check group overwritten base class
Definition: class.ilAuthContainerLDAP.php:137
ilAuthContainerLDAP\loginObserver
loginObserver($a_username, $a_auth)
Called from fetchData after successful login.
Definition: class.ilAuthContainerLDAP.php:183
ilAuthContainerLDAP\failedLoginObserver
failedLoginObserver($a_username, $a_auth)
Called from fetchData after failed login.
Definition: class.ilAuthContainerLDAP.php:239
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate($a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:120
ilAuthContainerLDAP\updateUserFilter
updateUserFilter()
Update user filter.
Definition: class.ilAuthContainerLDAP.php:173
ilAuthContainerLDAP
Overwritten Pear class AuthContainerLDAP This class is overwritten to support nested groups...
Definition: class.ilAuthContainerLDAP.php:36
AUTH_LOG_DEBUG
const AUTH_LOG_DEBUG
Auth Log level - DEBUG.
Definition: Auth.php:59
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:14
ilAuthContainerLDAP\initLDAPAttributeToUser
initLDAPAttributeToUser()
Init LDAP attribute mapping.
Definition: class.ilAuthContainerLDAP.php:228
ilLDAPUserSynchronisation\setExternalAccount
setExternalAccount($a_ext)
Set external account (unique for each auth mode)
Definition: class.ilLDAPUserSynchronisation.php:60
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:12
ilAuthContainerLDAP\updateRequired
updateRequired($a_username)
Check if an update is required.
Definition: class.ilAuthContainerLDAP.php:277
Auth_Container_LDAP
Definition: LDAP.php:203
ilAuthContainerLDAP\enableOptionalGroupCheck
enableOptionalGroupCheck()
enable optional group check
Definition: class.ilAuthContainerLDAP.php:77
$GLOBALS
$GLOBALS['ct_recipient']
Definition: example_form.ajax.php:4
$ilLog
$ilLog
Definition: inc.setup_header.php:132
AUTH_LDAP_NO_ILIAS_USER
const AUTH_LDAP_NO_ILIAS_USER
Definition: class.ilAuthUtils.php:27
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3767
ilAuthContainerLDAP\fetchData
fetchData($username, $password)
Overwritten from base class.
Definition: class.ilAuthContainerLDAP.php:100
ilAuthContainerLDAP\enabledOptionalGroupCheck
enabledOptionalGroupCheck()
Check if optional group check is enabled.
Definition: class.ilAuthContainerLDAP.php:89
Auth_Container\log
log($message, $level=AUTH_LOG_DEBUG)
Log a message to the Auth log.
Definition: Container.php:246
AUTH_WRONG_LOGIN
const AUTH_WRONG_LOGIN
Returned if container is unable to authenticate user/password pair.
Definition: Auth.php:38
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:34
ilUtil\redirect
static redirect($a_script)
http redirect to other script
Definition: class.ilUtil.php:3611
PEAR\isError
isError($data, $code=null)
Tell whether a value is a PEAR error.
Definition: PEAR.php:279