ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
class.ilAuthContainerApache.php
Go to the documentation of this file.
1<?php
2/* Copyright (c) 1998-2014 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4require_once 'Auth/Container/MDB2.php';
5
12class ilAuthContainerApache extends Auth_Container
13{
17 public static $force_creation = false;
18
22 public function __construct()
23 {
24 parent::__construct();
25 }
26
30 public static function forceCreation($value)
31 {
32 self::$force_creation = $value;
33 }
34
42 function fetchData($a_username, $password, $isChallengeResponse = false)
43 {
44 ilLoggerFactory::getLogger('auth')->debug('Starting apache auth');
45
51 global $ilDB, $ilSetting , $rbacadmin;
52
53 $settings = new ilSetting('apache_auth');
54
55 if(!$settings->get('apache_enable_auth'))
56 {
57 ilLoggerFactory::getLogger('auth')->debug('Apache auth disabled');
58 return false;
59 }
60 if(!$settings->get('apache_auth_indicator_name') || !$settings->get('apache_auth_indicator_value'))
61 {
62 ilLoggerFactory::getLogger('auth')->debug('Apache auth indicator match failed');
63 return false;
64 }
65 if(!ilUtil::isLogin($a_username))
66 {
67 ilLoggerFactory::getLogger('auth')->debug('Apache auth wrong login');
68 return false;
69 }
70
71 if($a_username == 'anonymous' && $password == 'anonymous')
72 {
73 $query = 'SELECT * FROM usr_data WHERE login = %s';
74 $qres = $ilDB->queryF($query, array('text'), array($a_username));
75 $userRow = $ilDB->fetchAssoc($qres);
76
77 if(is_array($userRow) && $userRow['usr_id'])
78 {
79 // user as a local account...
80 // fetch logindata
81 $this->activeUser = $userRow['login'];
82 foreach($userRow as $key => $value)
83 {
84 if($key == $this->options['passwordcol'] || $key == $this->options['usernamecol'])
85 {
86 continue;
87 }
88 // Use reference to the auth object if exists
89 // This is because the auth session variable can change so a static call to setAuthData does not make sense
90 $this->_auth_obj->setAuthData($key, $value);
91 }
92 ilLoggerFactory::getLogger('auth')->debug('Apache local auth successful.');
93 $this->_auth_obj->setAuth($userRow['login']);
94 return true;
95 }
96 ilLoggerFactory::getLogger('auth')->debug('Apache local auth unsuccessful.');
97 return false;
98 }
99
100 if(
101 !$_SESSION['login_invalid'] &&
102 in_array(
103 $_SERVER[$settings->get('apache_auth_indicator_name')],
104 array_filter(array_map('trim', str_getcsv($settings->get('apache_auth_indicator_value'))))
105 )
106 )
107 {
108 // we have a valid apache auth
109 $list = array(
110 $ilSetting->get('auth_mode')
111 );
112
113 // Respect the auth method sequence
114 include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
115 $det = ilAuthModeDetermination::_getInstance();
116 if(!$det->isManualSelection() && $det->getCountActiveAuthModes() > 1)
117 {
118 $list = array();
119 foreach(ilAuthModeDetermination::_getInstance()->getAuthModeSequence() as $auth_mode)
120 {
121 $list[] = $auth_mode;
122 }
123 }
124
125 // Apache with ldap as data source
126 include_once './Services/LDAP/classes/class.ilLDAPServer.php';
127 if($settings->get('apache_enable_ldap'))
128 {
129 return $this->handleLDAPDataSource($this->_auth_obj,$a_username, $settings);
130 }
131
132
133 foreach($list as $auth_mode)
134 {
135 ilLoggerFactory::getLogger('auth')->debug('Current auth mode: ' . $auth_mode);
136
137 if(AUTH_LDAP == $auth_mode)
138 {
139 ilLoggerFactory::getLogger('auth')->debug('Trying ldap synchronisation');
140 // if no local user has been found AND ldap lookup is enabled
141 if($settings->get('apache_enable_ldap'))
142 {
143 include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
144 $this->server = new ilLDAPServer($settings->get('apache_ldap_sid'));
145 $this->server->doConnectionCheck();
146
147 $config = $this->server->toPearAuthArray();
148
149 $query = new ilLDAPQuery($this->server);
150 $query->bind();
151 $ldapUser = $query->fetchUser($a_username);
152
153 if($ldapUser && $ldapUser[$a_username] && $ldapUser[$a_username][$config['userattr']] == $a_username)
154 {
155 $ldapUser[$a_username]['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_".$this->server->getServerId(), $a_username);
156 $user_data = $ldapUser[$a_username]; //array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
157 if($this->server->enabledSyncOnLogin())
158 {
159 if(!$user_data['ilInternalAccount'] && $this->server->isAccountMigrationEnabled() && !self::$force_creation)
160 {
161 $this->_auth_obj->logout();
162 $_SESSION['tmp_auth_mode'] = 'apache';
163 $_SESSION['tmp_auth_mode_type'] = 'apache';
164 $_SESSION['tmp_external_account'] = $a_username;
165 $_SESSION['tmp_pass'] = $_POST['password'];
166
167 include_once('./Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php');
168 $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation(
169 $this->server->getServerId(),
170 $a_username,
171 $user_data);
172 $_SESSION['tmp_roles'] = array();
173 foreach($roles as $info)
174 {
175 if($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN)
176 {
177 $_SESSION['tmp_roles'][] = $info['id'];
178 }
179 }
180
181 ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
182 }
183
184 if($this->updateRequired($a_username))
185 {
186 $this->initLDAPAttributeToUser();
187 $this->ldap_attr_to_user->setUserData($ldapUser);
188 $this->ldap_attr_to_user->refresh();
189 $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_".$this->server->getServerId(), $a_username);
190 }
191 else
192 {
193 // User exists and no update required
194 $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_".$this->server->getServerId(), $a_username);
195 }
196 }
197 if($user_data['ilInternalAccount'])
198 {
199 $this->_auth_obj->setAuth($user_data['ilInternalAccount']);
200 $this->_auth_obj->username = $user_data['ilInternalAccount'];
201 return true;
202 }
203 }
204 }
205 }
206 else if(AUTH_APACHE != $auth_mode && $settings->get('apache_enable_local'))
207 {
208 $condition = '';
209 if($ilSetting->get("auth_mode") && $ilSetting->get("auth_mode") == 'ldap')
210 {
211 $condition = " AND auth_mode != " . $ilDB->quote('default', 'text') . " ";
212 }
213 $query = "SELECT * FROM usr_data WHERE login = %s AND auth_mode != %s $condition";
214 $qres = $ilDB->queryF($query, array('text', 'text'), array($a_username, 'ldap'));
215 $userRow = $ilDB->fetchAssoc($qres);
216
217 if(is_array($userRow) && $userRow['usr_id'])
218 {
219 // user as a local account...
220 // fetch logindata
221 $this->activeUser = $userRow['login'];
222 foreach($userRow as $key => $value)
223 {
224 if($key == $this->options['passwordcol'] || $key == $this->options['usernamecol'])
225 {
226 continue;
227 }
228 // Use reference to the auth object if exists
229 // This is because the auth session variable can change so a static call to setAuthData does not make sense
230 $this->_auth_obj->setAuthData($key, $value);
231 }
232 $this->_auth_obj->setAuth($userRow['login']);
233 return true;
234 }
235 }
236 }
237
238 if($settings->get('apache_enable_local') && $settings->get('apache_local_autocreate'))
239 {
240 if($_GET['r'])
241 {
242 $_SESSION['profile_complete_redirect'] = $_GET['r'];
243 }
244
245 $user = new ilObjUser();
246 $user->setLogin($a_username);
247 $user->setExternalAccount($a_username);
248 $user->setProfileIncomplete(true);
249 $user->create();
250 $user->setAuthMode('apache');
251 // set a timestamp for last_password_change
252 // this ts is needed by ilSecuritySettings
253 $user->setLastPasswordChangeTS(time());
254 $user->setTimeLimitUnlimited(1);
255
256 $user->setActive(1);
257 //insert user data in table user_data
258 $user->saveAsNew();
259 $user->writePrefs();
260 $rbacadmin->assignUser($settings->get('apache_default_role', 4), $user->getId(), true);
261 return true;
262 }
263 }
264 else if(defined('IL_CERT_SSO') && IL_CERT_SSO)
265 {
266 define('APACHE_ERRORCODE', AUTH_APACHE_FAILED);
267 }
268
269 return false;
270 }
271
277 protected function updateRequired($a_username)
278 {
279 if(!ilObjUser::_checkExternalAuthAccount("ldap_".$this->server->getServerId(), $a_username))
280 {
281 return true;
282 }
283 // Check attribute mapping on login
284 include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
285 if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
286 {
287 return true;
288 }
289 include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
290 if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
291 {
292 return true;
293 }
294 return false;
295 }
296
301 private function initLDAPAttributeToUser()
302 {
303 include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
304 $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
305 }
306
307
313 protected function handleLDAPDataSource($a_auth,$ext_account, $settings)
314 {
315 include_once './Services/LDAP/classes/class.ilLDAPServer.php';
316 $server = ilLDAPServer::getInstanceByServerId(
317 $settings->get('apache_ldap_sid')
318 );
319
320 ilLoggerFactory::getLogger('auth')->debug('Using ldap data source with server configuration: ' . $server->getName());
321
322 include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
323 $sync = new ilLDAPUserSynchronisation('ldap_'.$server->getServerId(), $server->getServerId());
324 $sync->setExternalAccount($ext_account);
325 $sync->setUserData(array());
326 $sync->forceCreation(self::$force_creation);
327 $sync->forceReadLdapData(true);
328
329 try {
330 $internal_account = $sync->sync();
331 }
332 catch(UnexpectedValueException $e) {
333 ilLoggerFactory::getLogger('auth')->info('Login failed with message: ' . $e->getMessage());
334 $a_auth->status = AUTH_WRONG_LOGIN;
335 $a_auth->logout();
336 return false;
337 }
338 catch(ilLDAPSynchronisationForbiddenException $e) {
339 // No syncronisation allowed => create Error
340 ilLoggerFactory::getLogger('auth')->info('Login failed with message: ' . $e->getMessage());
341 $a_auth->status = AUTH_RADIUS_NO_ILIAS_USER;
342 $a_auth->logout();
343 return false;
344 }
345 catch(ilLDAPAccountMigrationRequiredException $e) {
346 ilLoggerFactory::getLogger('auth')->debug('Starting account migration');
347 $a_auth->logout();
348 ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
349 }
350
351 $a_auth->setAuth($internal_account);
352 return true;
353 }
354
355}
AUTH_WRONG_LOGIN
const AUTH_WRONG_LOGIN
Returned if container is unable to authenticate user/password pair.
Definition: Auth.php:38
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
Auth_Container
Definition: Container.php:40
Auth_Container\fetchData
fetchData($username, $password, $isChallengeResponse=false)
Fetch data from storage container.
Definition: Container.php:82
AUTH_APACHE
const AUTH_APACHE
Definition: class.ilAuthUtils.php:20
AUTH_APACHE_FAILED
const AUTH_APACHE_FAILED
Definition: class.ilAuthUtils.php:34
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
AUTH_RADIUS_NO_ILIAS_USER
const AUTH_RADIUS_NO_ILIAS_USER
Definition: class.ilAuthUtils.php:28
ilAuthContainerApache
Authentication against ILIAS database.
Definition: class.ilAuthContainerApache.php:13
ilAuthContainerApache\initLDAPAttributeToUser
initLDAPAttributeToUser()
Init LDAP attribute mapping @access private.
Definition: class.ilAuthContainerApache.php:301
ilAuthContainerApache\updateRequired
updateRequired($a_username)
Check if an update is required.
Definition: class.ilAuthContainerApache.php:277
ilAuthContainerApache\handleLDAPDataSource
handleLDAPDataSource($a_auth, $ext_account, $settings)
Handle ldap as data source.
Definition: class.ilAuthContainerApache.php:313
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:13
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate($a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:120
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:35
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:85
ilLDAPRoleAssignmentRules\getAssignmentsForCreation
static getAssignmentsForCreation($a_server_id, $a_usr_name, $a_usr_data)
Definition: class.ilLDAPRoleAssignmentRules.php:181
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId($a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:58
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:15
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:82
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3766
ilSetting
ILIAS Setting Class.
Definition: class.ilSetting.php:33
ilUtil\isLogin
isLogin($a_login)
Definition: class.ilUtil.php:1416
ilUtil\redirect
static redirect($a_script)
http redirect to other script
Definition: class.ilUtil.php:3635
$_POST
$_POST['username']
Definition: cron.php:12
$server
$server
Definition: dummy_client.php:12
$info
$info
Definition: example_052.php:80
$ilSetting
global $ilSetting
Definition: privfeed.php:40
IL_CERT_SSO
const IL_CERT_SSO
Definition: index.php:5
$ilDB
global $ilDB
Definition: storeScorm2004.php:19
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54