class.ilAuthContainerLDAP.php
1<?php
2/*
3 +-----------------------------------------------------------------------------+
4 | ILIAS open source |
5 +-----------------------------------------------------------------------------+
6 | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7 | |
8 | This program is free software; you can redistribute it and/or |
9 | modify it under the terms of the GNU General Public License |
10 | as published by the Free Software Foundation; either version 2 |
11 | of the License, or (at your option) any later version. |
12 | |
13 | This program is distributed in the hope that it will be useful, |
14 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | GNU General Public License for more details. |
17 | |
18 | You should have received a copy of the GNU General Public License |
19 | along with this program; if not, write to the Free Software |
20 | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21 +-----------------------------------------------------------------------------+
22*/
23
// PEAR Auth LDAP container; the tooltip text of this page describes this class as an overwritten
// Auth_Container_LDAP, so this is presumably the parent class (the class line itself is not shown here)
include_once 'Auth/Container/LDAP.php';
25
37{
// Static, i.e. shared by every instance in the request; set via forceCreation() and
// handed to ilLDAPUserSynchronisation::forceCreation() in loginObserver()
private static $force_creation = false;

// Set by enableOptionalGroupCheck(); read by checkGroup() and enabledOptionalGroupCheck()
private $optional_check = false;

// Component logger 'auth' obtained from ilLoggerFactory in the constructor
private $log = null;
// ilLDAPServer instance resolved in the constructor
private $server = null;
// ilLDAPAttributeToUser instance, created by initLDAPAttributeToUser()
private $ldap_attr_to_user = null;
45
46
/**
 * Constructor.
 *
 * Resolves the LDAP server configuration, obtains the 'auth' logger and hands
 * the server's PEAR auth options to the parent container.
 *
 * @param int|null $a_server_id LDAP server id; when falsy the else branch
 *        selects the server (that line is not shown in this rendering)
 */
public function __construct($a_server_id = null)
{
    global $ilLog; // not used in the visible body; logging goes through $this->log

    include_once 'Services/LDAP/classes/class.ilLDAPServer.php';

    if($a_server_id)
    {
        $this->server = ilLDAPServer::getInstanceByServerId($a_server_id);
    }
    else
    {
        // NOTE(review): original line 66 is not shown in this rendering; it presumably assigns $this->server
    }

    $this->log = ilLoggerFactory::getLogger('auth');

    // The parent container keeps these options in $this->options, which checkGroup()
    // and updateUserFilter() below modify per request
    parent::__construct($this->server->toPearAuthArray());
}
73
/**
 * Switch forced account creation on or off for the next synchronisation.
 *
 * The flag is static, so it applies to every instance of this container in
 * the current request; loginObserver() passes it on to ilLDAPUserSynchronisation.
 *
 * @param bool $a_status stored as given (no cast)
 */
public function forceCreation($a_status)
{
    self::$force_creation = $a_status;
}
78
/**
 * Enable the optional group check.
 *
 * Swaps the group-aware user filter from the server configuration into the
 * container options and marks the check as active; the two steps are
 * independent of each other.
 */
public function enableOptionalGroupCheck()
{
    $this->updateUserFilter();
    $this->optional_check = true;
}
91
/**
 * Check if the optional group check is enabled.
 *
 * @return bool
 */
public function enabledOptionalGroupCheck()
{
    return $this->optional_check ? true : false;
}
102
/**
 * Overwritten from base class.
 *
 * Authenticates against the configured LDAP server. A PEAR error from the
 * parent is logged and returned unchanged; when the first attempt fails and
 * the server treats group membership as optional, parent::fetchData() is
 * called a second time.
 *
 * @param string $username
 * @param string $password
 * @return bool|PEAR_Error true on success, false on failure, the PEAR error on LDAP problems
 */
public function fetchData($username, $password)
{
    // Fail closed when the server cannot be reached
    if(!$this->server->doConnectionCheck())
    {
        return FALSE;
    }

    // NOTE(review): empty-password handling is delegated to the parent container; confirm it
    // rejects an empty password (unauthenticated LDAP bind) - not verifiable from this file
    $res = parent::fetchData($username,$password);

    if (PEAR::isError($res))
    {
        $this->log->notice('Authentication failed with message:' . $res->getMessage());
        return $res;
    }
    elseif ($res == true)
    {
        $this->log->debug('Authentication successful');
        return true;
    }
    // Retry path for optional group membership; only taken while the optional check is still off
    if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
    {
        // NOTE(review): original line 131 is not shown in this rendering (presumably it enables the optional check before the retry)
        return parent::fetchData($username,$password);
    }
    return false;
}
136
137
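/**
 * check group overwritten base class
 *
 * The parent container checks a single group taken from $this->options['group'];
 * this override iterates over every configured group name and accepts the user
 * as soon as parent::checkGroup() succeeds for one of them.
 *
 * @param string $a_name user name handed to the parent group check
 * @return bool true if no restriction applies, membership is optional and the
 *              optional check is off, or the user is in at least one group
 */
public function checkGroup($a_name)
{
    $this->log->debug('Checking group restrictions...');

    $groups = $this->server->getGroupNames();

    // empty() also tolerates a null return, which count() would not on newer PHP
    if(empty($groups))
    {
        $this->log->debug('no group restrictions found');
        return true;
    }
    if($this->server->isMembershipOptional() && !$this->optional_check)
    {
        // Optional membership without the optional check: accept without consulting LDAP
        $this->log->debug('Group membership is optional');
        return true;
    }

    // Multiple groups: the parent reads its group from the options, so set it
    // per iteration and stop at the first successful membership check.
    foreach($groups as $group)
    {
        $this->options['group'] = $group;

        if(parent::checkGroup($a_name))
        {
            return true;
        }
    }
    return false;
}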
175
/**
 * Update user filter.
 *
 * Replaces the container's 'userfilter' option with the group user filter
 * from the server configuration.
 */
private function updateUserFilter()
{
    $filter = $this->server->getGroupUserFilter();
    $this->options['userfilter'] = $filter;
}
186
/**
 * Called from fetchData after successful login.
 *
 * Maps the LDAP attributes to an ILIAS account through ilLDAPUserSynchronisation
 * and binds the resulting internal account to the auth object. Synchronisation
 * errors reject the login; a pending account migration redirects to the
 * migration screen.
 *
 * @param string $a_username login name as typed; replaced below by the value of the configured user attribute
 * @param Auth   $a_auth     PEAR Auth object (status, logout() and setAuth() are used)
 * @return bool
 */
public function loginObserver($a_username,$a_auth)
{
    global $ilLog; // not used in the visible body; logging goes through $this->log

    // Keys are lower-cased so the attribute lookup in extractUserName() is case-insensitive
    $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);

    // The external account name comes from the LDAP data, not from the typed login
    $a_username = $this->extractUserName($user_data);

    include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
    $sync = new ilLDAPUserSynchronisation('ldap_'.$this->server->getServerId(), $this->server->getServerId());
    $sync->setExternalAccount($a_username);
    $sync->setUserData($user_data);
    $sync->forceCreation(self::$force_creation);

    try {
        $internal_account = $sync->sync();
    }
    catch(UnexpectedValueException $e) {
        $this->log->info('Login failed with message: ' . $e->getMessage());
        $a_auth->status = AUTH_WRONG_LOGIN;
        $a_auth->logout();
        return false;
    }
    // NOTE(review): original line 215 is not shown in this rendering (presumably a further catch clause that defines $e)
    // No syncronisation allowed => create Error
    $this->log->info('Login failed with message: ' . $e->getMessage());
    $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
    $a_auth->logout();
    return false;
    }
    // NOTE(review): original line 222 is not shown in this rendering (presumably a further catch clause)
    $this->log->info('Starting account migration');
    $a_auth->logout();
    // NOTE(review): no return after the redirect - presumably ilUtil::redirect() ends the request; confirm
    ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
    }

    $a_auth->setAuth($internal_account);
    return true;
}
/**
 * Init LDAP attribute mapping.
 *
 * Creates the ilLDAPAttributeToUser mapper for the current server and stores
 * it in $this->ldap_attr_to_user.
 */
private function initLDAPAttributeToUser()
{
    include_once 'Services/LDAP/classes/class.ilLDAPAttributeToUser.php';
    $mapper = new ilLDAPAttributeToUser($this->server);
    $this->ldap_attr_to_user = $mapper;
}
242
/**
 * Called from fetchData after failed login.
 *
 * Nothing is done here; the failure is already logged in fetchData().
 *
 * @param string $a_username
 * @param Auth   $a_auth
 * @return bool always false
 */
public function failedLoginObserver($a_username,$a_auth)
{
    $result = false;
    return $result;
}
252
/**
 * Resolve the external account name from the LDAP result.
 *
 * Looks up the configured user attribute (the caller lower-cases the keys).
 * When the attribute is multi-valued the loop below prefers an entry that
 * already matches an ILIAS account, otherwise the first value is used.
 *
 * @param array $a_user_data LDAP attributes with lower-cased keys
 * @return string|null
 */
protected function extractUserName($a_user_data)
{
    // NOTE(review): the fallback trim($a_user_data) receives the whole array, not a string -
    // trim() on an array yields null with a warning before PHP 8 and a TypeError from PHP 8,
    // so a missing user attribute produces no usable name
    $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
        $a_user_data[strtolower($this->server->getUserAttribute())] :
        trim($a_user_data);

    // Support for multiple user attributes
    if(!is_array($a_username))
    {
        return $a_username;
    }
    foreach($a_username as $name)
    {
        // User found with authentication method 'ldap'
        // NOTE(review): original line 272 (the condition of this block) is not shown in this rendering
        {
            return trim($name);
        }
    }
    // No existing user found => return first name
    // NOTE(review): assumes a zero-based list; this value is not trimmed, unlike the match above
    return $a_username[0];
}
280
/**
 * Check if an update is required.
 *
 * An update is required when no ILIAS account is bound to the LDAP login yet,
 * or when attribute-mapping rules (and, per the unshown line 301, presumably
 * role-assignment rules) are configured to run on login.
 *
 * @param string $a_username external LDAP account name
 * @return bool
 */
protected function updateRequired($a_username)
{
    // No account with auth mode 'ldap' bound to this external name yet
    if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
    {
        #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
        return true;
    }
    // Check attribute mapping on login
    include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
    if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
    {
        #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
        return true;
    }
    include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
    // NOTE(review): original line 301 (the condition of this block) is not shown in this rendering
    {
        #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
        return true;
    }
    return false;
}
308
313 {
314 return true;
315 }
316}
317?>