ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
class.ilAuthContainerApache.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (c) 1998-2014 ILIAS open source, Extended GPL, see docs/LICENSE */
3 
4 require_once 'Auth/Container/MDB2.php';
5 
12 class ilAuthContainerApache extends Auth_Container
13 {
17  public static $force_creation = false;
18 
22  public function __construct()
23  {
24  parent::__construct();
25  }
26 
30  public static function forceCreation($value)
31  {
32  self::$force_creation = $value;
33  }
34 
42  function fetchData($a_username, $password, $isChallengeResponse = false)
43  {
44  ilLoggerFactory::getLogger('auth')->debug('Starting apache auth');
45 
51  global $ilDB, $ilSetting , $rbacadmin;
52 
53  $settings = new ilSetting('apache_auth');
54 
55  if(!$settings->get('apache_enable_auth'))
56  {
57  ilLoggerFactory::getLogger('auth')->debug('Apache auth disabled');
58  return false;
59  }
60  if(!$settings->get('apache_auth_indicator_name') || !$settings->get('apache_auth_indicator_value'))
61  {
62  ilLoggerFactory::getLogger('auth')->debug('Apache auth indicator match failed');
63  return false;
64  }
65  if(!ilUtil::isLogin($a_username))
66  {
67  ilLoggerFactory::getLogger('auth')->debug('Apache auth wrong login');
68  return false;
69  }
70 
71  if($a_username == 'anonymous' && $password == 'anonymous')
72  {
73  $query = 'SELECT * FROM usr_data WHERE login = %s';
74  $qres = $ilDB->queryF($query, array('text'), array($a_username));
75  $userRow = $ilDB->fetchAssoc($qres);
76 
77  if(is_array($userRow) && $userRow['usr_id'])
78  {
79  // user as a local account...
80  // fetch logindata
81  $this->activeUser = $userRow['login'];
82  foreach($userRow as $key => $value)
83  {
84  if($key == $this->options['passwordcol'] || $key == $this->options['usernamecol'])
85  {
86  continue;
87  }
88  // Use reference to the auth object if exists
89  // This is because the auth session variable can change so a static call to setAuthData does not make sense
90  $this->_auth_obj->setAuthData($key, $value);
91  }
92  ilLoggerFactory::getLogger('auth')->debug('Apache local auth successful.');
93  $this->_auth_obj->setAuth($userRow['login']);
94  return true;
95  }
96  ilLoggerFactory::getLogger('auth')->debug('Apache local auth unsuccessful.');
97  return false;
98  }
99 
100  if(
101  !$_SESSION['login_invalid'] &&
102  in_array(
103  $_SERVER[$settings->get('apache_auth_indicator_name')],
104  array_filter(array_map('trim', str_getcsv($settings->get('apache_auth_indicator_value'))))
105  )
106  )
107  {
108  // we have a valid apache auth
109  $list = array(
110  $ilSetting->get('auth_mode')
111  );
112 
113  // Respect the auth method sequence
114  include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
115  $det = ilAuthModeDetermination::_getInstance();
116  if(!$det->isManualSelection() && $det->getCountActiveAuthModes() > 1)
117  {
118  $list = array();
119  foreach(ilAuthModeDetermination::_getInstance()->getAuthModeSequence() as $auth_mode)
120  {
121  $list[] = $auth_mode;
122  }
123  }
124 
125  // Apache with ldap as data source
126  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
127  if($settings->get('apache_enable_ldap'))
128  {
129  return $this->handleLDAPDataSource($this->_auth_obj,$a_username, $settings);
130  }
131 
132 
133  foreach($list as $auth_mode)
134  {
135  ilLoggerFactory::getLogger('auth')->debug('Current auth mode: ' . $auth_mode);
136 
137  if(AUTH_LDAP == $auth_mode)
138  {
139  ilLoggerFactory::getLogger('auth')->debug('Trying ldap synchronisation');
140  // if no local user has been found AND ldap lookup is enabled
141  if($settings->get('apache_enable_ldap'))
142  {
143  include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
144  $this->server = new ilLDAPServer($settings->get('apache_ldap_sid'));
145  $this->server->doConnectionCheck();
146 
147  $config = $this->server->toPearAuthArray();
148 
149  $query = new ilLDAPQuery($this->server);
150  $query->bind();
151  $ldapUser = $query->fetchUser($a_username);
152 
153  if($ldapUser && $ldapUser[$a_username] && $ldapUser[$a_username][$config['userattr']] == $a_username)
154  {
155  $ldapUser[$a_username]['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_".$this->server->getServerId(), $a_username);
156  $user_data = $ldapUser[$a_username]; //array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
157  if($this->server->enabledSyncOnLogin())
158  {
159  if(!$user_data['ilInternalAccount'] && $this->server->isAccountMigrationEnabled() && !self::$force_creation)
160  {
161  $this->_auth_obj->logout();
162  $_SESSION['tmp_auth_mode'] = 'apache';
163  $_SESSION['tmp_auth_mode_type'] = 'apache';
164  $_SESSION['tmp_external_account'] = $a_username;
165  $_SESSION['tmp_pass'] = $_POST['password'];
166 
167  include_once('./Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php');
168  $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation(
169  $this->server->getServerId(),
170  $a_username,
171  $user_data);
172  $_SESSION['tmp_roles'] = array();
173  foreach($roles as $info)
174  {
175  if($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN)
176  {
177  $_SESSION['tmp_roles'][] = $info['id'];
178  }
179  }
180 
181  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
182  }
183 
184  if($this->updateRequired($a_username))
185  {
186  $this->initLDAPAttributeToUser();
187  $this->ldap_attr_to_user->setUserData($ldapUser);
188  $this->ldap_attr_to_user->refresh();
189  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_".$this->server->getServerId(), $a_username);
190  }
191  else
192  {
193  // User exists and no update required
194  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_".$this->server->getServerId(), $a_username);
195  }
196  }
197  if($user_data['ilInternalAccount'])
198  {
199  $this->_auth_obj->setAuth($user_data['ilInternalAccount']);
200  $this->_auth_obj->username = $user_data['ilInternalAccount'];
201  return true;
202  }
203  }
204  }
205  }
206  else if(AUTH_APACHE != $auth_mode && $settings->get('apache_enable_local'))
207  {
208  $condition = '';
209  if($ilSetting->get("auth_mode") && $ilSetting->get("auth_mode") == 'ldap')
210  {
211  $condition = " AND auth_mode != " . $ilDB->quote('default', 'text') . " ";
212  }
213  $query = "SELECT * FROM usr_data WHERE login = %s AND auth_mode != %s $condition";
214  $qres = $ilDB->queryF($query, array('text', 'text'), array($a_username, 'ldap'));
215  $userRow = $ilDB->fetchAssoc($qres);
216 
217  if(is_array($userRow) && $userRow['usr_id'])
218  {
219  // user as a local account...
220  // fetch logindata
221  $this->activeUser = $userRow['login'];
222  foreach($userRow as $key => $value)
223  {
224  if($key == $this->options['passwordcol'] || $key == $this->options['usernamecol'])
225  {
226  continue;
227  }
228  // Use reference to the auth object if exists
229  // This is because the auth session variable can change so a static call to setAuthData does not make sense
230  $this->_auth_obj->setAuthData($key, $value);
231  }
232  $this->_auth_obj->setAuth($userRow['login']);
233  return true;
234  }
235  }
236  }
237 
238  if($settings->get('apache_enable_local') && $settings->get('apache_local_autocreate'))
239  {
240  if($_GET['r'])
241  {
242  $_SESSION['profile_complete_redirect'] = $_GET['r'];
243  }
244 
245  $user = new ilObjUser();
246  $user->setLogin($a_username);
247  $user->setExternalAccount($a_username);
248  $user->setProfileIncomplete(true);
249  $user->create();
250  $user->setAuthMode('apache');
251  // set a timestamp for last_password_change
252  // this ts is needed by ilSecuritySettings
253  $user->setLastPasswordChangeTS(time());
254  $user->setTimeLimitUnlimited(1);
255 
256  $user->setActive(1);
257  //insert user data in table user_data
258  $user->saveAsNew();
259  $user->writePrefs();
260  $rbacadmin->assignUser($settings->get('apache_default_role', 4), $user->getId(), true);
261  return true;
262  }
263  }
264  else if(defined('IL_CERT_SSO') && IL_CERT_SSO)
265  {
266  define('APACHE_ERRORCODE', AUTH_APACHE_FAILED);
267  }
268 
269  return false;
270  }
271 
277  protected function updateRequired($a_username)
278  {
279  if(!ilObjUser::_checkExternalAuthAccount("ldap_".$this->server->getServerId(), $a_username))
280  {
281  return true;
282  }
283  // Check attribute mapping on login
284  include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
285  if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
286  {
287  return true;
288  }
289  include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
290  if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
291  {
292  return true;
293  }
294  return false;
295  }
296 
301  private function initLDAPAttributeToUser()
302  {
303  include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
304  $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
305  }
306 
307 
313  protected function handleLDAPDataSource($a_auth,$ext_account, $settings)
314  {
315  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
316  $server = ilLDAPServer::getInstanceByServerId(
317  $settings->get('apache_ldap_sid')
318  );
319 
320  ilLoggerFactory::getLogger('auth')->debug('Using ldap data source with server configuration: ' . $server->getName());
321 
322  include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
323  $sync = new ilLDAPUserSynchronisation('ldap_'.$server->getServerId(), $server->getServerId());
324  $sync->setExternalAccount($ext_account);
325  $sync->setUserData(array());
326  $sync->forceCreation(self::$force_creation);
327  $sync->forceReadLdapData(true);
328 
329  try {
330  $internal_account = $sync->sync();
331  }
332  catch(UnexpectedValueException $e) {
333  ilLoggerFactory::getLogger('auth')->info('Login failed with message: ' . $e->getMessage());
334  $a_auth->status = AUTH_WRONG_LOGIN;
335  $a_auth->logout();
336  return false;
337  }
338  catch(ilLDAPSynchronisationForbiddenException $e) {
339  // No syncronisation allowed => create Error
340  ilLoggerFactory::getLogger('auth')->info('Login failed with message: ' . $e->getMessage());
341  $a_auth->status = AUTH_RADIUS_NO_ILIAS_USER;
342  $a_auth->logout();
343  return false;
344  }
345  catch(ilLDAPAccountMigrationRequiredException $e) {
346  ilLoggerFactory::getLogger('auth')->debug('Starting account migration');
347  $a_auth->logout();
348  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
349  }
350 
351  $a_auth->setAuth($internal_account);
352  return true;
353  }
354 
355 }
Auth_Container
Definition: Container.php:39
ilLDAPRoleAssignmentRules\getAssignmentsForCreation
static getAssignmentsForCreation($a_server_id, $a_usr_name, $a_usr_data)
Definition: class.ilLDAPRoleAssignmentRules.php:181
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:85
ilSetting
ILIAS Setting Class.
Definition: class.ilSetting.php:32
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54
$_POST
$_POST['username']
Definition: cron.php:12
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate($a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:120
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
IL_CERT_SSO
const IL_CERT_SSO
Definition: index.php:5
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:14
AUTH_RADIUS_NO_ILIAS_USER
const AUTH_RADIUS_NO_ILIAS_USER
Definition: class.ilAuthUtils.php:28
ilLDAPUserSynchronisation\setExternalAccount
setExternalAccount($a_ext)
Set external account (unique for each auth mode)
Definition: class.ilLDAPUserSynchronisation.php:61
AUTH_APACHE
const AUTH_APACHE
Definition: class.ilAuthUtils.php:20
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:12
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId($a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:58
Auth_Container\fetchData
fetchData($username, $password, $isChallengeResponse=false)
Fetch data from storage container.
Definition: Container.php:82
ilAuthContainerApache\handleLDAPDataSource
handleLDAPDataSource($a_auth, $ext_account, $settings)
Handle ldap as data source.
Definition: class.ilAuthContainerApache.php:313
AUTH_APACHE_FAILED
const AUTH_APACHE_FAILED
Definition: class.ilAuthUtils.php:34
$info
$info
Definition: example_052.php:80
ilLDAPServer\doConnectionCheck
doConnectionCheck()
Check ldap connection and do a fallback to the next server if no connection is possible.
Definition: class.ilLDAPServer.php:532
$server
$server
Definition: dummy_client.php:12
ilUtil\isLogin
isLogin($a_login)
Definition: class.ilUtil.php:1416
$ilSetting
global $ilSetting
Definition: privfeed.php:40
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3766
$ilDB
global $ilDB
Definition: storeScorm2004.php:16
ilAuthContainerApache
Authentication against ILIAS database.
Definition: class.ilAuthContainerApache.php:12
ilAuthContainerApache\initLDAPAttributeToUser
initLDAPAttributeToUser()
Init LDAP attribute mapping private.
Definition: class.ilAuthContainerApache.php:301
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:82
AUTH_WRONG_LOGIN
const AUTH_WRONG_LOGIN
Returned if container is unable to authenticate user/password pair.
Definition: Auth.php:38
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:34
ilUtil\redirect
static redirect($a_script)
http redirect to other script
Definition: class.ilUtil.php:3635
ilAuthContainerApache\updateRequired
updateRequired($a_username)
Check if an update is required.
Definition: class.ilAuthContainerApache.php:277