ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
class.ilAuthContainerLDAP.php
Go to the documentation of this file.
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
24 include_once 'Auth/Container/LDAP.php';
25 
36 class ilAuthContainerLDAP extends Auth_Container_LDAP
37 {
38  private static $force_creation = false;
39 
40  private $optional_check = false;
41 
42  private $log = null;
43  private $server = null;
44  private $ldap_attr_to_user = null;
45 
46 
54  public function __construct($a_server_id = null)
55  {
56  global $ilLog;
57 
58  include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
59 
60  if($a_server_id)
61  {
62  $this->server = ilLDAPServer::getInstanceByServerId($a_server_id);
63  }
64  else
65  {
66  $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
67  }
68 
69  $this->log = ilLoggerFactory::getLogger('auth');
70 
71  parent::__construct($this->server->toPearAuthArray());
72  }
73 
74  public function forceCreation($a_status)
75  {
76  self::$force_creation = $a_status;
77  }
78 
86  public function enableOptionalGroupCheck()
87  {
88  $this->optional_check = true;
89  $this->updateUserFilter();
90  }
91 
98  public function enabledOptionalGroupCheck()
99  {
100  return (bool) $this->optional_check;
101  }
102 
109  public function fetchData($username, $password)
110  {
111  if(!$this->server->doConnectionCheck())
112  {
113  return FALSE;
114  }
115 
116 
117  $res = parent::fetchData($username,$password);
118 
119  if (PEAR::isError($res))
120  {
121  $this->log->notice('Authentication failed with message:' . $res->getMessage());
122  return $res;
123  }
124  elseif ($res == true)
125  {
126  $this->log->debug('Authentication successful');
127  return true;
128  }
129  if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
130  {
131  $this->enableOptionalGroupCheck();
132  return parent::fetchData($username,$password);
133  }
134  return false;
135  }
136 
137 
146  public function checkGroup($a_name)
147  {
148  $this->log->debug('Checking group restrictions...');
149 
150  // if there are multiple groups define check all of them for membership
151  $groups = $this->server->getGroupNames();
152 
153  if(!count($groups))
154  {
155  $this->log->debug('no group restrictions found');
156  return true;
157  }
158  elseif($this->server->isMembershipOptional() and !$this->optional_check)
159  {
160  $this->log->debug('Group membership is otional');
161  return true;
162  }
163 
164  foreach($groups as $group)
165  {
166  $this->options['group'] = $group;
167 
168  if(parent::checkGroup($a_name))
169  {
170  return true;
171  }
172  }
173  return false;
174  }
175 
182  private function updateUserFilter()
183  {
184  $this->options['userfilter'] = $this->server->getGroupUserFilter();
185  }
186 
192  public function loginObserver($a_username,$a_auth)
193  {
194  global $ilLog;
195 
196  $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
197 
198  $a_username = $this->extractUserName($user_data);
199 
200  include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
201  $sync = new ilLDAPUserSynchronisation('ldap_'.$this->server->getServerId(), $this->server->getServerId());
202  $sync->setExternalAccount($a_username);
203  $sync->setUserData($user_data);
204  $sync->forceCreation(self::$force_creation);
205 
206  try {
207  $internal_account = $sync->sync();
208  }
209  catch(UnexpectedValueException $e) {
210  $this->log->info('Login failed with message: ' . $e->getMessage());
211  $a_auth->status = AUTH_WRONG_LOGIN;
212  $a_auth->logout();
213  return false;
214  }
215  catch(ilLDAPSynchronisationForbiddenException $e) {
216  // No syncronisation allowed => create Error
217  $this->log->info('Login failed with message: ' . $e->getMessage());
218  $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
219  $a_auth->logout();
220  return false;
221  }
222  catch(ilLDAPAccountMigrationRequiredException $e) {
223  $this->log->info('Starting account migration');
224  $a_auth->logout();
225  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
226  }
227 
228  $a_auth->setAuth($internal_account);
229  return true;
230  }
237  private function initLDAPAttributeToUser()
238  {
239  include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
240  $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
241  }
242 
248  public function failedLoginObserver($a_username,$a_auth)
249  {
250  return false;
251  }
252 
258  protected function extractUserName($a_user_data)
259  {
260  $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
261  $a_user_data[strtolower($this->server->getUserAttribute())] :
262  trim($a_user_data);
263 
264  // Support for multiple user attributes
265  if(!is_array($a_username))
266  {
267  return $a_username;
268  }
269  foreach($a_username as $name)
270  {
271  // User found with authentication method 'ldap'
272  if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
273  {
274  return trim($name);
275  }
276  }
277  // No existing user found => return first name
278  return $a_username[0];
279  }
280 
286  protected function updateRequired($a_username)
287  {
288  if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
289  {
290  #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
291  return true;
292  }
293  // Check attribute mapping on login
294  include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
295  if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
296  {
297  #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
298  return true;
299  }
300  include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
301  if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
302  {
303  #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
304  return true;
305  }
306  return false;
307  }
308 
312  public function supportsCaptchaVerification()
313  {
314  return true;
315  }
316 }
317 ?>
ilLDAPServer\_getFirstActiveServer
static _getFirstActiveServer()
Get first active server.
Definition: class.ilLDAPServer.php:185
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:85
ilAuthContainerLDAP\checkGroup
checkGroup($a_name)
check group overwritten base class
Definition: class.ilAuthContainerLDAP.php:146
ilAuthContainerLDAP\loginObserver
loginObserver($a_username, $a_auth)
Called from fetchData after successful login.
Definition: class.ilAuthContainerLDAP.php:192
ilAuthContainerLDAP\failedLoginObserver
failedLoginObserver($a_username, $a_auth)
Called from fetchData after failed login.
Definition: class.ilAuthContainerLDAP.php:248
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate($a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:120
ilAuthContainerLDAP\updateUserFilter
updateUserFilter()
Update user filter.
Definition: class.ilAuthContainerLDAP.php:182
ilAuthContainerLDAP
Overwritten Pear class AuthContainerLDAP This class is overwritten to support nested groups...
Definition: class.ilAuthContainerLDAP.php:36
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:14
ilAuthContainerLDAP\initLDAPAttributeToUser
initLDAPAttributeToUser()
Init LDAP attribute mapping.
Definition: class.ilAuthContainerLDAP.php:237
ilLDAPUserSynchronisation\setExternalAccount
setExternalAccount($a_ext)
Set external account (unique for each auth mode)
Definition: class.ilLDAPUserSynchronisation.php:61
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:12
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId($a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:58
ilAuthContainerLDAP\updateRequired
updateRequired($a_username)
Check if an update is required.
Definition: class.ilAuthContainerLDAP.php:286
Auth_Container_LDAP
Definition: LDAP.php:203
ilAuthContainerLDAP\enableOptionalGroupCheck
enableOptionalGroupCheck()
enable optional group check
Definition: class.ilAuthContainerLDAP.php:86
$ilLog
$ilLog
Definition: inc.setup_header.php:136
AUTH_LDAP_NO_ILIAS_USER
const AUTH_LDAP_NO_ILIAS_USER
Definition: class.ilAuthUtils.php:27
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3766
ilAuthContainerLDAP\fetchData
fetchData($username, $password)
Overwritten from base class.
Definition: class.ilAuthContainerLDAP.php:109
ilAuthContainerLDAP\enabledOptionalGroupCheck
enabledOptionalGroupCheck()
Check if optional group check is enabled.
Definition: class.ilAuthContainerLDAP.php:98
ilAuthContainerLDAP\__construct
__construct($a_server_id=null)
Constructor.
Definition: class.ilAuthContainerLDAP.php:54
Auth_Container\log
log($message, $level=AUTH_LOG_DEBUG)
Log a message to the Auth log.
Definition: Container.php:246
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:82
AUTH_WRONG_LOGIN
const AUTH_WRONG_LOGIN
Returned if container is unable to authenticate user/password pair.
Definition: Auth.php:38
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:34
ilUtil\redirect
static redirect($a_script)
http redirect to other script
Definition: class.ilUtil.php:3635
PEAR\isError
isError($data, $code=null)
Tell whether a value is a PEAR error.
Definition: PEAR.php:279