Auth_Container_LDAP Class Reference
Inheritance diagram for Auth_Container_LDAP:
Collaboration diagram for Auth_Container_LDAP:
Public Member Functions | |
| Auth_Container_LDAP ($params) | |
| Constructor of the container class. More... | |
| _prepare () | |
| Prepare LDAP connection. More... | |
| _connect () | |
| Connect to the LDAP server using the global options. More... | |
| _disconnect () | |
| Disconnects (unbinds) from ldap server. More... | |
| _getBaseDN () | |
| Tries to find Basedn via namingContext Attribute. More... | |
| _isValidLink () | |
| determines whether there is a valid ldap conenction or not More... | |
| _setDefaults () | |
| Set some default options. More... | |
| _parseOptions ($array) | |
| Parse options passed to the container class. More... | |
| _setV12OptionsToV13 ($array) | |
| Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP. More... | |
| _scope2function ($scope) | |
| Get search function for scope. More... | |
| fetchData ($username, $password) | |
| Fetch data from LDAP server. More... | |
| checkGroup ($user) | |
| Validate group membership. More... | |
| _quoteFilterString ($filter_str) | |
| Escapes LDAP filter special characters as defined in RFC 2254. More... | |
| Public Member Functions inherited from Auth_Container | |
| Auth_Container () | |
| Constructor. More... | |
| fetchData ($username, $password, $isChallengeResponse=false) | |
| Fetch data from storage container. More... | |
| verifyPassword ($password1, $password2, $cryptType="md5") | |
| Crypt and verfiy the entered password. More... | |
| supportsChallengeResponse () | |
| Returns true if the container supports Challenge Response password authentication. More... | |
| getCryptType () | |
| Returns the crypt current crypt type of the container. More... | |
| listUsers () | |
| List all users that are available from the storage container. More... | |
| getUser ($username) | |
| Returns a user assoc array. More... | |
| addUser ($username, $password, $additional=null) | |
| Add a new user to the storage container. More... | |
| removeUser ($username) | |
| Remove user from the storage container. More... | |
| changePassword ($username, $password) | |
| Change password for user in the storage container. More... | |
| log ($message, $level=AUTH_LOG_DEBUG) | |
| Log a message to the Auth log. More... | |
| Public Member Functions inherited from ilAuthContainerBase | |
| loginObserver ($a_username, $a_auth) | |
| Called after successful login. More... | |
| failedLoginObserver ($a_username, $a_auth) | |
| Called after failed login. More... | |
| checkAuthObserver ($a_username, $a_auth) | |
| Called after check auth requests. More... | |
| logoutObserver ($a_username, $a_auth) | |
| Called after logout. More... | |
| supportsCaptchaVerification () | |
| Returns whether or not the auth container supports the verification of captchas This should be true for those auth methods, which are available in the default login form. More... | |
Data Fields | |
| $options = array() | |
| $conn_id = false | |
| Data Fields inherited from Auth_Container | |
| $activeUser = "" | |
| User that is currently selected from the storage container. More... | |
| $_auth_obj = null | |
| The Auth object this container is attached to. More... | |
Detailed Description
Member Function Documentation
◆ _connect()
| Auth_Container_LDAP::_connect | ( | ) |
Connect to the LDAP server using the global options.
@access private
- Returns
- object Returns a PEAR error object if an error occurs.
Definition at line 276 of file LDAP.php.
277 {
279 // connect
280 if (isset($this->options['url']) && $this->options['url'] != '') {
282 $conn_params = array($this->options['url']);
283 } else {
285 $conn_params = array($this->options['host'], $this->options['port']);
286 }
287
288 if (($this->conn_id = @call_user_func_array('ldap_connect', $conn_params)) === false) {
290 $this->log('LDAP ERROR: '.ldap_errno($this->conn_id).': '.ldap_error($this->conn_id), AUTH_LOG_DEBUG);
292 }
294
295 // switch LDAP version
296 if (is_numeric($this->options['version']) && $this->options['version'] > 2) {
298 @ldap_set_option($this->conn_id, LDAP_OPT_PROTOCOL_VERSION, $this->options['version']);
299
300 // start TLS if available
301 if (isset($this->options['start_tls']) && $this->options['start_tls']) {
303 if (@ldap_start_tls($this->conn_id) === false) {
305 $this->log('LDAP ERROR: '.ldap_errno($this->conn_id).': '.ldap_error($this->conn_id), AUTH_LOG_DEBUG);
307 }
308 }
309 }
310
311 // switch LDAP referrals
312 if (is_bool($this->options['referrals'])) {
313 $this->log("Switching LDAP referrals to " . (($this->options['referrals']) ? 'true' : 'false'), AUTH_LOG_DEBUG);
314 if (@ldap_set_option($this->conn_id, LDAP_OPT_REFERRALS, $this->options['referrals']) === false) {
316 $this->log('LDAP ERROR: '.ldap_errno($this->conn_id).': '.ldap_error($this->conn_id), AUTH_LOG_DEBUG);
317 }
318 }
319
320 // bind with credentials or anonymously
321 if (strlen($this->options['binddn']) && strlen($this->options['bindpw'])) {
323 $bind_params = array($this->conn_id, $this->options['binddn'], $this->options['bindpw']);
324 } else {
326 $bind_params = array($this->conn_id);
327 }
328
329 // bind for searching
330 // smeyer: set default network timeout
331 @call_user_func_array('ldap_set_options', array($this->conn_id,LDAP_OPT_NETWORK_TIMEOUT, ilLDAPServer::DEFAULT_NETWORK_TIMEOUT));
332 if ((@call_user_func_array('ldap_bind', $bind_params)) === false) {
334 $this->log('LDAP ERROR: '.ldap_errno($this->conn_id).': '.ldap_error($this->conn_id), AUTH_LOG_DEBUG);
335 $this->_disconnect();
337 }
339
340 return true;
341 }
& raiseError($message=null, $code=null, $mode=null, $options=null, $userinfo=null, $error_class=null, $skipmsg=false)
This method is a wrapper that returns an instance of the configured error class with this object's de...
Definition: PEAR.php:524
const DEFAULT_NETWORK_TIMEOUT
Definition: class.ilLDAPServer.php:30
References _disconnect(), AUTH_LOG_DEBUG, ilLDAPServer\DEFAULT_NETWORK_TIMEOUT, Auth_Container\log(), and PEAR\raiseError().
Referenced by _prepare().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _disconnect()
| Auth_Container_LDAP::_disconnect | ( | ) |
Disconnects (unbinds) from ldap server.
@access private
Definition at line 351 of file LDAP.php.
352 {
356 @ldap_unbind($this->conn_id);
357 }
358 }
References _isValidLink(), AUTH_LOG_DEBUG, and Auth_Container\log().
Referenced by _connect(), and fetchData().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _getBaseDN()
| Auth_Container_LDAP::_getBaseDN | ( | ) |
Tries to find Basedn via namingContext Attribute.
@access private
Definition at line 368 of file LDAP.php.
369 {
371 $err = $this->_prepare();
372 if ($err !== true) {
374 }
375
378
379 $result_id = @ldap_read($this->conn_id, "", "(objectclass=*)", array("namingContexts"));
380
381 if (@ldap_count_entries($this->conn_id, $result_id) == 1) {
382
384
385 $entry_id = @ldap_first_entry($this->conn_id, $result_id);
386 $attrs = @ldap_get_attributes($this->conn_id, $entry_id);
387 $basedn = $attrs['namingContexts'][0];
388
389 if ($basedn != "") {
391 $this->options['basedn'] = $basedn;
392 }
393 }
394 @ldap_free_result($result_id);
395 }
396
397 // if base ist still not set, raise error
398 if ($this->options['basedn'] == "") {
400 }
401 return true;
402 }
References _isValidLink(), _prepare(), AUTH_LOG_DEBUG, Auth_Container\log(), and PEAR\raiseError().
Referenced by fetchData().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _isValidLink()
| Auth_Container_LDAP::_isValidLink | ( | ) |
determines whether there is a valid ldap conenction or not
@accessd private
- Returns
- boolean
Definition at line 413 of file LDAP.php.
414 {
415 if (is_resource($this->conn_id)) {
416 if (get_resource_type($this->conn_id) == 'ldap link') {
417 return true;
418 }
419 }
420 return false;
421 }
Referenced by _disconnect(), _getBaseDN(), and _prepare().
Here is the caller graph for this function:
◆ _parseOptions()
| Auth_Container_LDAP::_parseOptions | ( | $array | ) |
Parse options passed to the container class.
@access private
- Parameters
-
array
Definition at line 468 of file LDAP.php.
469 {
470 $array = $this->_setV12OptionsToV13($array);
471
472 foreach ($array as $key => $value) {
473 if (array_key_exists($key, $this->options)) {
474 if ($key == 'attributes') {
475 if (is_array($value)) {
476 $this->options[$key] = $value;
477 } else {
478 $this->options[$key] = explode(',', $value);
479 }
480 } else {
481 $this->options[$key] = $value;
482 }
483 }
484 }
485 }
_setV12OptionsToV13($array)
Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP.
Definition: LDAP.php:498
References _setV12OptionsToV13().
Referenced by Auth_Container_LDAP().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _prepare()
| Auth_Container_LDAP::_prepare | ( | ) |
Prepare LDAP connection.
This function checks if we have already opened a connection to the LDAP server. If that's not the case, a new connection is opened.
@access private
- Returns
- mixed True or a PEAR error object.
Definition at line 256 of file LDAP.php.
257 {
262 }
263 }
264 return true;
265 }
References $res, _connect(), _isValidLink(), and PEAR\isError().
Referenced by _getBaseDN(), checkGroup(), and fetchData().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ _quoteFilterString()
| Auth_Container_LDAP::_quoteFilterString | ( | $filter_str | ) |
Escapes LDAP filter special characters as defined in RFC 2254.
@access private
- Parameters
-
string Filter String
Definition at line 758 of file LDAP.php.
759 {
760 $metas = array( '\\', '*', '(', ')', "\x00");
761 $quoted_metas = array('\\\\', '\*', '\(', '\)', "\\\x00");
762 return str_replace($metas, $quoted_metas, $filter_str);
763 }
Referenced by checkGroup(), and fetchData().
Here is the caller graph for this function:
◆ _scope2function()
| Auth_Container_LDAP::_scope2function | ( | $scope | ) |
Get search function for scope.
- Parameters
-
string scope
- Returns
- string ldap search function
Definition at line 519 of file LDAP.php.
520 {
521 switch($scope) {
522 case 'one':
523 $function = 'ldap_list';
524 break;
525 case 'base':
526 $function = 'ldap_read';
527 break;
528 default:
529 $function = 'ldap_search';
530 break;
531 }
532 return $function;
533 }
Referenced by checkGroup(), and fetchData().
Here is the caller graph for this function:
◆ _setDefaults()
| Auth_Container_LDAP::_setDefaults | ( | ) |
Set some default options.
@access private
Definition at line 431 of file LDAP.php.
432 {
433 $this->options['url'] = '';
434 $this->options['host'] = 'localhost';
435 $this->options['port'] = '389';
436 $this->options['version'] = 2;
437 $this->options['referrals'] = true;
438 $this->options['binddn'] = '';
439 $this->options['bindpw'] = '';
440 $this->options['basedn'] = '';
441 $this->options['userdn'] = '';
442 $this->options['userscope'] = 'sub';
443 $this->options['userattr'] = 'uid';
444 $this->options['userfilter'] = '(objectClass=posixAccount)';
445 $this->options['attributes'] = array(''); // no attributes
446 $this->options['attrformat'] = 'AUTH'; // returns attribute like other Auth containers
447 $this->options['group'] = '';
448 $this->options['groupdn'] = '';
449 $this->options['groupscope'] = 'sub';
450 $this->options['groupattr'] = 'cn';
451 $this->options['groupfilter'] = '(objectClass=groupOfUniqueNames)';
452 $this->options['memberattr'] = 'uniqueMember';
453 $this->options['memberisdn'] = true;
454 $this->options['start_tls'] = false;
455 $this->options['debug'] = false;
456 $this->options['try_all'] = false; // Try all user ids returned not just the first one
457 }
Referenced by Auth_Container_LDAP().
Here is the caller graph for this function:
◆ _setV12OptionsToV13()
| Auth_Container_LDAP::_setV12OptionsToV13 | ( | $array | ) |
Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP.
- Parameters
-
array
- Returns
- array
Definition at line 498 of file LDAP.php.
499 {
500 if (isset($array['useroc']))
501 $array['userfilter'] = "(objectClass=".$array['useroc'].")";
502 if (isset($array['groupoc']))
503 $array['groupfilter'] = "(objectClass=".$array['groupoc'].")";
504 if (isset($array['scope']))
505 $array['userscope'] = $array['scope'];
506
507 return $array;
508 }
Referenced by _parseOptions().
Here is the caller graph for this function:
◆ Auth_Container_LDAP()
| Auth_Container_LDAP::Auth_Container_LDAP | ( | $params | ) |
Constructor of the container class.
- Parameters
-
$params,associative hash with host,port,basedn and userattr key
- Returns
- object Returns an error object if something went wrong
Definition at line 230 of file LDAP.php.
231 {
232 if (false === extension_loaded('ldap')) {
234 41, PEAR_ERROR_DIE);
235 }
236
237 $this->_setDefaults();
238
241 }
242 }
References $params, _parseOptions(), _setDefaults(), PEAR_ERROR_DIE, and PEAR\raiseError().
Here is the call graph for this function:
◆ checkGroup()
| Auth_Container_LDAP::checkGroup | ( | $user | ) |
Validate group membership.
Searches the LDAP server for group membership of the supplied username. Quotes all LDAP filter meta characters in the user name before querying the LDAP server.
- Parameters
-
string Distinguished Name of the authenticated User
- Returns
- boolean
Reimplemented in ilAuthContainerLDAP.
Definition at line 707 of file LDAP.php.
708 {
710 $err = $this->_prepare();
711 if ($err !== true) {
713 }
714
715 // make filter
716 $filter = sprintf('(&(%s=%s)(%s=%s)%s)',
717 $this->options['groupattr'],
718 $this->options['group'],
719 $this->options['memberattr'],
720 $this->_quoteFilterString($user),
721 $this->options['groupfilter']);
722
723 // make search base dn
724 $search_basedn = $this->options['groupdn'];
725 if ($search_basedn != '' && substr($search_basedn, -1) != ',') {
726 $search_basedn .= ',';
727 }
728 $search_basedn .= $this->options['basedn'];
729
730 $func_params = array($this->conn_id, $search_basedn, $filter,
731 array($this->options['memberattr']));
733
735
736 // search
737 if (($result_id = @call_user_func_array($func_name, $func_params)) != false) {
738 if (@ldap_count_entries($this->conn_id, $result_id) == 1) {
739 @ldap_free_result($result_id);
741 return true;
742 }
743 }
744 // default
746 return false;
747 }
_quoteFilterString($filter_str)
Escapes LDAP filter special characters as defined in RFC 2254.
Definition: LDAP.php:758
References _prepare(), _quoteFilterString(), _scope2function(), AUTH_LOG_DEBUG, Auth_Container\log(), and PEAR\raiseError().
Referenced by fetchData().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ fetchData()
| Auth_Container_LDAP::fetchData | ( | $username, | |
| $password | |||
| ) |
Fetch data from LDAP server.
Searches the LDAP server for the given username/password combination. Escapes all LDAP meta characters in username before performing the query.
- Parameters
-
string Username string Password
- Returns
- boolean
Reimplemented in ilAuthContainerLDAP.
Definition at line 549 of file LDAP.php.
550 {
552 $err = $this->_prepare();
553 if ($err !== true) {
555 }
556
557 $err = $this->_getBaseDN();
558 if ($err !== true) {
560 }
561
562 // UTF8 Encode username for LDAPv3
563 if (@ldap_get_option($this->conn_id, LDAP_OPT_PROTOCOL_VERSION, $ver) && $ver == 3) {
565 $username = utf8_encode($username);
566 }
567
568 // make search filter
569 $filter = sprintf('(&(%s=%s)%s)',
570 $this->options['userattr'],
571 $this->_quoteFilterString($username),
572 $this->options['userfilter']);
573
574 // make search base dn
575 $search_basedn = $this->options['userdn'];
576 if ($search_basedn != '' && substr($search_basedn, -1) != ',') {
577 $search_basedn .= ',';
578 }
579 $search_basedn .= $this->options['basedn'];
580
581 // attributes
582 $searchAttributes = $this->options['attributes'];
583
584 // make functions params array
585 $func_params = array($this->conn_id, $search_basedn, $filter, $searchAttributes);
586
587 // search function to use
589
591
592 // search
593 if (($result_id = @call_user_func_array($func_name, $func_params)) === false) {
595 } elseif (@ldap_count_entries($this->conn_id, $result_id) >= 1) { // did we get some possible results?
596
598
599 $first = true;
600 $entry_id = null;
601
602 do {
603
604 // then get the user dn
605 if ($first) {
606 $entry_id = @ldap_first_entry($this->conn_id, $result_id);
607 $first = false;
608 } else {
609 $entry_id = @ldap_next_entry($this->conn_id, $entry_id);
610 if ($entry_id === false)
611 break;
612 }
613 $user_dn = @ldap_get_dn($this->conn_id, $entry_id);
614
615 // as the dn is not fetched as an attribute, we save it anyway
616 if (is_array($searchAttributes) && in_array('dn', $searchAttributes)) {
618 $this->_auth_obj->setAuthData('dn', $user_dn);
619 }
620
621 // fetch attributes
622 if ($attributes = @ldap_get_attributes($this->conn_id, $entry_id)) {
623
624 if (is_array($attributes) && isset($attributes['count']) &&
625 $attributes['count'] > 0) {
626
627 // ldap_get_attributes() returns a specific multi dimensional array
628 // format containing all the attributes and where each array starts
629 // with a 'count' element providing the number of attributes in the
630 // entry, or the number of values for attribute. For compatibility
631 // reasons, it remains the default format returned by LDAP container
632 // setAuthData().
633 // The code below optionally returns attributes in another format,
634 // more compliant with other Auth containers, where each attribute
635 // element are directly set in the 'authData' list. This option is
636 // enabled by setting 'attrformat' to
637 // 'AUTH' in the 'options' array.
638 // eg. $this->options['attrformat'] = 'AUTH'
639
640 if ( strtoupper($this->options['attrformat']) == 'AUTH' ) {
642 unset ($attributes['count']);
643 foreach ($attributes as $attributeName => $attributeValue ) {
644 if (is_int($attributeName)) continue;
645 if (is_array($attributeValue) && isset($attributeValue['count'])) {
646 unset ($attributeValue['count']);
647 }
648 if (count($attributeValue)<=1) $attributeValue = $attributeValue[0];
650 $this->_auth_obj->setAuthData($attributeName, $attributeValue);
651 }
652 }
653 else
654 {
656 $this->_auth_obj->setAuthData('attributes', $attributes);
657 }
658 }
659 }
660 @ldap_free_result($result_id);
661
662 // need to catch an empty password as openldap seems to return TRUE
663 // if anonymous binding is allowed
664 if ($password != "") {
666
667 // try binding as this user with the supplied password
668 @call_user_func_array('ldap_set_options', array($this->conn_id,LDAP_OPT_NETWORK_TIMEOUT, ilLDAPServer::DEFAULT_NETWORK_TIMEOUT));
669 if (@ldap_bind($this->conn_id, $user_dn, $password)) {
671
672 // check group if appropiate
673 if (strlen($this->options['group'])) {
674 // decide whether memberattr value is a dn or the username
677 $this->_disconnect();
678 return $return;
679 } else {
681 $this->_disconnect();
682 return true; // user authenticated
683 } // checkGroup
684 } // bind
685 } // non-empty password
686 } while ($this->options['try_all'] == true); // interate through entries
687 } // get results
688 // default
690 $this->_disconnect();
691 return false;
692 }
References _disconnect(), _getBaseDN(), _prepare(), _quoteFilterString(), _scope2function(), AUTH_LOG_DEBUG, checkGroup(), ilLDAPServer\DEFAULT_NETWORK_TIMEOUT, Auth_Container\log(), and PEAR\raiseError().
Here is the call graph for this function:
Field Documentation
◆ $conn_id
◆ $options
The documentation for this class was generated from the following file:
- Services/PEAR/lib/Auth/Container/LDAP.php
