ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
Public Member Functions | Data Fields
Auth_Container_LDAP Class Reference
+ Inheritance diagram for Auth_Container_LDAP:
+ Collaboration diagram for Auth_Container_LDAP:

Public Member Functions

 Auth_Container_LDAP ($params)
 Constructor of the container class. More...
 
 _prepare ()
 Prepare LDAP connection. More...
 
 _connect ()
 Connect to the LDAP server using the global options. More...
 
 _disconnect ()
 Disconnects (unbinds) from ldap server. More...
 
 _getBaseDN ()
 Tries to find Basedn via namingContext Attribute. More...
 
 _isValidLink ()
 determines whether there is a valid ldap conenction or not More...
 
 _setDefaults ()
 Set some default options. More...
 
 _parseOptions ($array)
 Parse options passed to the container class. More...
 
 _setV12OptionsToV13 ($array)
 Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP. More...
 
 _scope2function ($scope)
 Get search function for scope. More...
 
 fetchData ($username, $password)
 Fetch data from LDAP server. More...
 
 checkGroup ($user)
 Validate group membership. More...
 
 _quoteFilterString ($filter_str)
 Escapes LDAP filter special characters as defined in RFC 2254. More...
 
- Public Member Functions inherited from Auth_Container
 Auth_Container ()
 Constructor. More...
 
 fetchData ($username, $password, $isChallengeResponse=false)
 Fetch data from storage container. More...
 
 verifyPassword ($password1, $password2, $cryptType="md5")
 Crypt and verfiy the entered password. More...
 
 supportsChallengeResponse ()
 Returns true if the container supports Challenge Response password authentication. More...
 
 getCryptType ()
 Returns the crypt current crypt type of the container. More...
 
 listUsers ()
 List all users that are available from the storage container. More...
 
 getUser ($username)
 Returns a user assoc array. More...
 
 addUser ($username, $password, $additional=null)
 Add a new user to the storage container. More...
 
 removeUser ($username)
 Remove user from the storage container. More...
 
 changePassword ($username, $password)
 Change password for user in the storage container. More...
 
 log ($message, $level=AUTH_LOG_DEBUG)
 Log a message to the Auth log. More...
 
- Public Member Functions inherited from ilAuthContainerBase
 loginObserver ($a_username, $a_auth)
 Called after successful login. More...
 
 failedLoginObserver ($a_username, $a_auth)
 Called after failed login. More...
 
 checkAuthObserver ($a_username, $a_auth)
 Called after check auth requests. More...
 
 logoutObserver ($a_username, $a_auth)
 Called after logout. More...
 
 supportsCaptchaVerification ()
 Returns whether or not the auth container supports the verification of captchas This should be true for those auth methods, which are available in the default login form. More...
 

Data Fields

 $options = array()
 
 $conn_id = false
 
- Data Fields inherited from Auth_Container
 $activeUser = ""
 User that is currently selected from the storage container. More...
 
 $_auth_obj = null
 The Auth object this container is attached to. More...
 

Detailed Description

Definition at line 203 of file LDAP.php.

Member Function Documentation

◆ _connect()

Auth_Container_LDAP::_connect ( )

Connect to the LDAP server using the global options.

private

Returns
object Returns a PEAR error object if an error occurs.

Definition at line 276 of file LDAP.php.

References _disconnect(), AUTH_LOG_DEBUG, ilLDAPServer\DEFAULT_NETWORK_TIMEOUT, Auth_Container\log(), and PEAR\raiseError().

Referenced by _prepare().

277  {
278  $this->log('Auth_Container_LDAP::_connect() called.', AUTH_LOG_DEBUG);
279  // connect
280  if (isset($this->options['url']) && $this->options['url'] != '') {
281  $this->log('Connecting with URL', AUTH_LOG_DEBUG);
282  $conn_params = array($this->options['url']);
283  } else {
284  $this->log('Connecting with host:port', AUTH_LOG_DEBUG);
285  $conn_params = array($this->options['host'], $this->options['port']);
286  }
287 
288  if (($this->conn_id = @call_user_func_array('ldap_connect', $conn_params)) === false) {
289  $this->log('Connection to server failed.', AUTH_LOG_DEBUG);
290  $this->log('LDAP ERROR: '.ldap_errno($this->conn_id).': '.ldap_error($this->conn_id), AUTH_LOG_DEBUG);
291  return PEAR::raiseError('Auth_Container_LDAP: Could not connect to server.', 41);
292  }
293  $this->log('Successfully connected to server', AUTH_LOG_DEBUG);
294 
295  // switch LDAP version
296  if (is_numeric($this->options['version']) && $this->options['version'] > 2) {
297  $this->log("Switching to LDAP version {$this->options['version']}", AUTH_LOG_DEBUG);
298  @ldap_set_option($this->conn_id, LDAP_OPT_PROTOCOL_VERSION, $this->options['version']);
299 
300  // start TLS if available
301  if (isset($this->options['start_tls']) && $this->options['start_tls']) {
302  $this->log("Starting TLS session", AUTH_LOG_DEBUG);
303  if (@ldap_start_tls($this->conn_id) === false) {
304  $this->log('Could not start TLS session', AUTH_LOG_DEBUG);
305  $this->log('LDAP ERROR: '.ldap_errno($this->conn_id).': '.ldap_error($this->conn_id), AUTH_LOG_DEBUG);
306  return PEAR::raiseError('Auth_Container_LDAP: Could not start tls.', 41);
307  }
308  }
309  }
310 
311  // switch LDAP referrals
312  if (is_bool($this->options['referrals'])) {
313  $this->log("Switching LDAP referrals to " . (($this->options['referrals']) ? 'true' : 'false'), AUTH_LOG_DEBUG);
314  if (@ldap_set_option($this->conn_id, LDAP_OPT_REFERRALS, $this->options['referrals']) === false) {
315  $this->log('Could not change LDAP referrals options', AUTH_LOG_DEBUG);
316  $this->log('LDAP ERROR: '.ldap_errno($this->conn_id).': '.ldap_error($this->conn_id), AUTH_LOG_DEBUG);
317  }
318  }
319 
320  // bind with credentials or anonymously
321  if (strlen($this->options['binddn']) && strlen($this->options['bindpw'])) {
322  $this->log('Binding with credentials', AUTH_LOG_DEBUG);
323  $bind_params = array($this->conn_id, $this->options['binddn'], $this->options['bindpw']);
324  } else {
325  $this->log('Binding anonymously', AUTH_LOG_DEBUG);
326  $bind_params = array($this->conn_id);
327  }
328 
329  // bind for searching
330  // smeyer: set default network timeout
331  @call_user_func_array('ldap_set_options', array($this->conn_id,LDAP_OPT_NETWORK_TIMEOUT, ilLDAPServer::DEFAULT_NETWORK_TIMEOUT));
332  if ((@call_user_func_array('ldap_bind', $bind_params)) === false) {
333  $this->log('Bind failed', AUTH_LOG_DEBUG);
334  $this->log('LDAP ERROR: '.ldap_errno($this->conn_id).': '.ldap_error($this->conn_id), AUTH_LOG_DEBUG);
335  $this->_disconnect();
336  return PEAR::raiseError("Auth_Container_LDAP: Could not bind to LDAP server.", 41);
337  }
338  $this->log('Binding was successful', AUTH_LOG_DEBUG);
339 
340  return true;
341  }
AUTH_LOG_DEBUG
const AUTH_LOG_DEBUG
Auth Log level - DEBUG.
Definition: Auth.php:59
ilLDAPServer\DEFAULT_NETWORK_TIMEOUT
const DEFAULT_NETWORK_TIMEOUT
Definition: class.ilLDAPServer.php:30
Auth_Container_LDAP\_disconnect
_disconnect()
Disconnects (unbinds) from ldap server.
Definition: LDAP.php:351
PEAR\raiseError
& raiseError($message=null, $code=null, $mode=null, $options=null, $userinfo=null, $error_class=null, $skipmsg=false)
This method is a wrapper that returns an instance of the configured error class with this object's de...
Definition: PEAR.php:524
Auth_Container\log
log($message, $level=AUTH_LOG_DEBUG)
Log a message to the Auth log.
Definition: Container.php:246
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _disconnect()

Auth_Container_LDAP::_disconnect ( )

Disconnects (unbinds) from ldap server.

private

Definition at line 351 of file LDAP.php.

References _isValidLink(), AUTH_LOG_DEBUG, and Auth_Container\log().

Referenced by _connect(), and fetchData().

352  {
353  $this->log('Auth_Container_LDAP::_disconnect() called.', AUTH_LOG_DEBUG);
354  if ($this->_isValidLink()) {
355  $this->log('disconnecting from server');
356  @ldap_unbind($this->conn_id);
357  }
358  }
Auth_Container_LDAP\_isValidLink
_isValidLink()
determines whether there is a valid ldap conenction or not
Definition: LDAP.php:413
AUTH_LOG_DEBUG
const AUTH_LOG_DEBUG
Auth Log level - DEBUG.
Definition: Auth.php:59
Auth_Container\log
log($message, $level=AUTH_LOG_DEBUG)
Log a message to the Auth log.
Definition: Container.php:246
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _getBaseDN()

Auth_Container_LDAP::_getBaseDN ( )

Tries to find Basedn via namingContext Attribute.

private

Definition at line 368 of file LDAP.php.

References _isValidLink(), _prepare(), AUTH_LOG_DEBUG, Auth_Container\log(), and PEAR\raiseError().

Referenced by fetchData().

369  {
370  $this->log('Auth_Container_LDAP::_getBaseDN() called.', AUTH_LOG_DEBUG);
371  $err = $this->_prepare();
372  if ($err !== true) {
373  return PEAR::raiseError($err->getMessage(), $err->getCode());
374  }
375 
376  if ($this->options['basedn'] == "" && $this->_isValidLink()) {
377  $this->log("basedn not set, searching via namingContexts.", AUTH_LOG_DEBUG);
378 
379  $result_id = @ldap_read($this->conn_id, "", "(objectclass=*)", array("namingContexts"));
380 
381  if (@ldap_count_entries($this->conn_id, $result_id) == 1) {
382 
383  $this->log("got result for namingContexts", AUTH_LOG_DEBUG);
384 
385  $entry_id = @ldap_first_entry($this->conn_id, $result_id);
386  $attrs = @ldap_get_attributes($this->conn_id, $entry_id);
387  $basedn = $attrs['namingContexts'][0];
388 
389  if ($basedn != "") {
390  $this->log("result for namingContexts was $basedn", AUTH_LOG_DEBUG);
391  $this->options['basedn'] = $basedn;
392  }
393  }
394  @ldap_free_result($result_id);
395  }
396 
397  // if base ist still not set, raise error
398  if ($this->options['basedn'] == "") {
399  return PEAR::raiseError("Auth_Container_LDAP: LDAP search base not specified!", 41);
400  }
401  return true;
402  }
Auth_Container_LDAP\_isValidLink
_isValidLink()
determines whether there is a valid ldap conenction or not
Definition: LDAP.php:413
AUTH_LOG_DEBUG
const AUTH_LOG_DEBUG
Auth Log level - DEBUG.
Definition: Auth.php:59
PEAR\raiseError
& raiseError($message=null, $code=null, $mode=null, $options=null, $userinfo=null, $error_class=null, $skipmsg=false)
This method is a wrapper that returns an instance of the configured error class with this object's de...
Definition: PEAR.php:524
Auth_Container\log
log($message, $level=AUTH_LOG_DEBUG)
Log a message to the Auth log.
Definition: Container.php:246
Auth_Container_LDAP\_prepare
_prepare()
Prepare LDAP connection.
Definition: LDAP.php:256
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _isValidLink()

Auth_Container_LDAP::_isValidLink ( )

determines whether there is a valid ldap conenction or not

private

Returns
boolean

Definition at line 413 of file LDAP.php.

Referenced by _disconnect(), _getBaseDN(), and _prepare().

414  {
415  if (is_resource($this->conn_id)) {
416  if (get_resource_type($this->conn_id) == 'ldap link') {
417  return true;
418  }
419  }
420  return false;
421  }
+ Here is the caller graph for this function:

◆ _parseOptions()

Auth_Container_LDAP::_parseOptions (   $array)

Parse options passed to the container class.

private

Parameters
array

Definition at line 468 of file LDAP.php.

References _setV12OptionsToV13().

Referenced by Auth_Container_LDAP().

469  {
470  $array = $this->_setV12OptionsToV13($array);
471 
472  foreach ($array as $key => $value) {
473  if (array_key_exists($key, $this->options)) {
474  if ($key == 'attributes') {
475  if (is_array($value)) {
476  $this->options[$key] = $value;
477  } else {
478  $this->options[$key] = explode(',', $value);
479  }
480  } else {
481  $this->options[$key] = $value;
482  }
483  }
484  }
485  }
Auth_Container_LDAP\_setV12OptionsToV13
_setV12OptionsToV13($array)
Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP.
Definition: LDAP.php:498
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _prepare()

Auth_Container_LDAP::_prepare ( )

Prepare LDAP connection.

This function checks if we have already opened a connection to the LDAP server. If that's not the case, a new connection is opened.

private

Returns
mixed True or a PEAR error object.

Definition at line 256 of file LDAP.php.

References $res, _connect(), _isValidLink(), and PEAR\isError().

Referenced by _getBaseDN(), checkGroup(), and fetchData().

257  {
258  if (!$this->_isValidLink()) {
259  $res = $this->_connect();
260  if (PEAR::isError($res)) {
261  return $res;
262  }
263  }
264  return true;
265  }
Auth_Container_LDAP\_connect
_connect()
Connect to the LDAP server using the global options.
Definition: LDAP.php:276
Auth_Container_LDAP\_isValidLink
_isValidLink()
determines whether there is a valid ldap conenction or not
Definition: LDAP.php:413
PEAR\isError
isError($data, $code=null)
Tell whether a value is a PEAR error.
Definition: PEAR.php:279
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _quoteFilterString()

Auth_Container_LDAP::_quoteFilterString (   $filter_str)

Escapes LDAP filter special characters as defined in RFC 2254.

private

Parameters
stringFilter String

Definition at line 758 of file LDAP.php.

Referenced by checkGroup(), and fetchData().

759  {
760  $metas = array( '\\', '*', '(', ')', "\x00");
761  $quoted_metas = array('\\\\', '\*', '\(', '\)', "\\\x00");
762  return str_replace($metas, $quoted_metas, $filter_str);
763  }
+ Here is the caller graph for this function:

◆ _scope2function()

Auth_Container_LDAP::_scope2function (   $scope)

Get search function for scope.

Parameters
stringscope
Returns
string ldap search function

Definition at line 519 of file LDAP.php.

Referenced by checkGroup(), and fetchData().

520  {
521  switch($scope) {
522  case 'one':
523  $function = 'ldap_list';
524  break;
525  case 'base':
526  $function = 'ldap_read';
527  break;
528  default:
529  $function = 'ldap_search';
530  break;
531  }
532  return $function;
533  }
+ Here is the caller graph for this function:

◆ _setDefaults()

Auth_Container_LDAP::_setDefaults ( )

Set some default options.

private

Definition at line 431 of file LDAP.php.

Referenced by Auth_Container_LDAP().

432  {
433  $this->options['url'] = '';
434  $this->options['host'] = 'localhost';
435  $this->options['port'] = '389';
436  $this->options['version'] = 2;
437  $this->options['referrals'] = true;
438  $this->options['binddn'] = '';
439  $this->options['bindpw'] = '';
440  $this->options['basedn'] = '';
441  $this->options['userdn'] = '';
442  $this->options['userscope'] = 'sub';
443  $this->options['userattr'] = 'uid';
444  $this->options['userfilter'] = '(objectClass=posixAccount)';
445  $this->options['attributes'] = array(''); // no attributes
446  $this->options['attrformat'] = 'AUTH'; // returns attribute like other Auth containers
447  $this->options['group'] = '';
448  $this->options['groupdn'] = '';
449  $this->options['groupscope'] = 'sub';
450  $this->options['groupattr'] = 'cn';
451  $this->options['groupfilter'] = '(objectClass=groupOfUniqueNames)';
452  $this->options['memberattr'] = 'uniqueMember';
453  $this->options['memberisdn'] = true;
454  $this->options['start_tls'] = false;
455  $this->options['debug'] = false;
456  $this->options['try_all'] = false; // Try all user ids returned not just the first one
457  }
+ Here is the caller graph for this function:

◆ _setV12OptionsToV13()

Auth_Container_LDAP::_setV12OptionsToV13 (   $array)

Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP.

Author
Hugues Peeters hugue.nosp@m.s.pe.nosp@m.eters.nosp@m.@cla.nosp@m.rolin.nosp@m.e.ne.nosp@m.t private
Parameters
array
Returns
array

Definition at line 498 of file LDAP.php.

Referenced by _parseOptions().

499  {
500  if (isset($array['useroc']))
501  $array['userfilter'] = "(objectClass=".$array['useroc'].")";
502  if (isset($array['groupoc']))
503  $array['groupfilter'] = "(objectClass=".$array['groupoc'].")";
504  if (isset($array['scope']))
505  $array['userscope'] = $array['scope'];
506 
507  return $array;
508  }
+ Here is the caller graph for this function:

◆ Auth_Container_LDAP()

Auth_Container_LDAP::Auth_Container_LDAP (   $params)

Constructor of the container class.

Parameters
$params,associativehash with host,port,basedn and userattr key
Returns
object Returns an error object if something went wrong

Definition at line 230 of file LDAP.php.

References $params, _parseOptions(), _setDefaults(), PEAR_ERROR_DIE, and PEAR\raiseError().

231  {
232  if (false === extension_loaded('ldap')) {
233  return PEAR::raiseError('Auth_Container_LDAP: LDAP Extension not loaded',
234  41, PEAR_ERROR_DIE);
235  }
236 
237  $this->_setDefaults();
238 
239  if (is_array($params)) {
240  $this->_parseOptions($params);
241  }
242  }
Auth_Container_LDAP\_parseOptions
_parseOptions($array)
Parse options passed to the container class.
Definition: LDAP.php:468
PEAR_ERROR_DIE
const PEAR_ERROR_DIE
Definition: PEAR.php:34
Auth_Container_LDAP\_setDefaults
_setDefaults()
Set some default options.
Definition: LDAP.php:431
PEAR\raiseError
& raiseError($message=null, $code=null, $mode=null, $options=null, $userinfo=null, $error_class=null, $skipmsg=false)
This method is a wrapper that returns an instance of the configured error class with this object's de...
Definition: PEAR.php:524
$params
$params
Definition: example_049.php:96
+ Here is the call graph for this function:

◆ checkGroup()

Auth_Container_LDAP::checkGroup (   $user)

Validate group membership.

Searches the LDAP server for group membership of the supplied username. Quotes all LDAP filter meta characters in the user name before querying the LDAP server.

Parameters
stringDistinguished Name of the authenticated User
Returns
boolean

Definition at line 707 of file LDAP.php.

References _prepare(), _quoteFilterString(), _scope2function(), AUTH_LOG_DEBUG, Auth_Container\log(), and PEAR\raiseError().

Referenced by fetchData().

708  {
709  $this->log('Auth_Container_LDAP::checkGroup() called.', AUTH_LOG_DEBUG);
710  $err = $this->_prepare();
711  if ($err !== true) {
712  return PEAR::raiseError($err->getMessage(), $err->getCode());
713  }
714 
715  // make filter
716  $filter = sprintf('(&(%s=%s)(%s=%s)%s)',
717  $this->options['groupattr'],
718  $this->options['group'],
719  $this->options['memberattr'],
720  $this->_quoteFilterString($user),
721  $this->options['groupfilter']);
722 
723  // make search base dn
724  $search_basedn = $this->options['groupdn'];
725  if ($search_basedn != '' && substr($search_basedn, -1) != ',') {
726  $search_basedn .= ',';
727  }
728  $search_basedn .= $this->options['basedn'];
729 
730  $func_params = array($this->conn_id, $search_basedn, $filter,
731  array($this->options['memberattr']));
732  $func_name = $this->_scope2function($this->options['groupscope']);
733 
734  $this->log("Searching with $func_name and filter $filter in $search_basedn", AUTH_LOG_DEBUG);
735 
736  // search
737  if (($result_id = @call_user_func_array($func_name, $func_params)) != false) {
738  if (@ldap_count_entries($this->conn_id, $result_id) == 1) {
739  @ldap_free_result($result_id);
740  $this->log('User is member of group', AUTH_LOG_DEBUG);
741  return true;
742  }
743  }
744  // default
745  $this->log('User is NOT member of group', AUTH_LOG_DEBUG);
746  return false;
747  }
Auth_Container_LDAP\_quoteFilterString
_quoteFilterString($filter_str)
Escapes LDAP filter special characters as defined in RFC 2254.
Definition: LDAP.php:758
Auth_Container_LDAP\_scope2function
_scope2function($scope)
Get search function for scope.
Definition: LDAP.php:519
AUTH_LOG_DEBUG
const AUTH_LOG_DEBUG
Auth Log level - DEBUG.
Definition: Auth.php:59
PEAR\raiseError
& raiseError($message=null, $code=null, $mode=null, $options=null, $userinfo=null, $error_class=null, $skipmsg=false)
This method is a wrapper that returns an instance of the configured error class with this object's de...
Definition: PEAR.php:524
Auth_Container\log
log($message, $level=AUTH_LOG_DEBUG)
Log a message to the Auth log.
Definition: Container.php:246
Auth_Container_LDAP\_prepare
_prepare()
Prepare LDAP connection.
Definition: LDAP.php:256
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ fetchData()

Auth_Container_LDAP::fetchData (   $username,
  $password 
)

Fetch data from LDAP server.

Searches the LDAP server for the given username/password combination. Escapes all LDAP meta characters in username before performing the query.

Parameters
stringUsername
stringPassword
Returns
boolean

Definition at line 549 of file LDAP.php.

References _disconnect(), _getBaseDN(), _prepare(), _quoteFilterString(), _scope2function(), AUTH_LOG_DEBUG, checkGroup(), ilLDAPServer\DEFAULT_NETWORK_TIMEOUT, Auth_Container\log(), and PEAR\raiseError().

550  {
551  $this->log('Auth_Container_LDAP::fetchData() called.', AUTH_LOG_DEBUG);
552  $err = $this->_prepare();
553  if ($err !== true) {
554  return PEAR::raiseError($err->getMessage(), $err->getCode());
555  }
556 
557  $err = $this->_getBaseDN();
558  if ($err !== true) {
559  return PEAR::raiseError($err->getMessage(), $err->getCode());
560  }
561 
562  // UTF8 Encode username for LDAPv3
563  if (@ldap_get_option($this->conn_id, LDAP_OPT_PROTOCOL_VERSION, $ver) && $ver == 3) {
564  $this->log('UTF8 encoding username for LDAPv3', AUTH_LOG_DEBUG);
565  $username = utf8_encode($username);
566  }
567 
568  // make search filter
569  $filter = sprintf('(&(%s=%s)%s)',
570  $this->options['userattr'],
571  $this->_quoteFilterString($username),
572  $this->options['userfilter']);
573 
574  // make search base dn
575  $search_basedn = $this->options['userdn'];
576  if ($search_basedn != '' && substr($search_basedn, -1) != ',') {
577  $search_basedn .= ',';
578  }
579  $search_basedn .= $this->options['basedn'];
580 
581  // attributes
582  $searchAttributes = $this->options['attributes'];
583 
584  // make functions params array
585  $func_params = array($this->conn_id, $search_basedn, $filter, $searchAttributes);
586 
587  // search function to use
588  $func_name = $this->_scope2function($this->options['userscope']);
589 
590  $this->log("Searching with $func_name and filter $filter in $search_basedn", AUTH_LOG_DEBUG);
591 
592  // search
593  if (($result_id = @call_user_func_array($func_name, $func_params)) === false) {
594  $this->log('User not found', AUTH_LOG_DEBUG);
595  } elseif (@ldap_count_entries($this->conn_id, $result_id) >= 1) { // did we get some possible results?
596 
597  $this->log('User(s) found', AUTH_LOG_DEBUG);
598 
599  $first = true;
600  $entry_id = null;
601 
602  do {
603 
604  // then get the user dn
605  if ($first) {
606  $entry_id = @ldap_first_entry($this->conn_id, $result_id);
607  $first = false;
608  } else {
609  $entry_id = @ldap_next_entry($this->conn_id, $entry_id);
610  if ($entry_id === false)
611  break;
612  }
613  $user_dn = @ldap_get_dn($this->conn_id, $entry_id);
614 
615  // as the dn is not fetched as an attribute, we save it anyway
616  if (is_array($searchAttributes) && in_array('dn', $searchAttributes)) {
617  $this->log('Saving DN to AuthData', AUTH_LOG_DEBUG);
618  $this->_auth_obj->setAuthData('dn', $user_dn);
619  }
620 
621  // fetch attributes
622  if ($attributes = @ldap_get_attributes($this->conn_id, $entry_id)) {
623 
624  if (is_array($attributes) && isset($attributes['count']) &&
625  $attributes['count'] > 0) {
626 
627  // ldap_get_attributes() returns a specific multi dimensional array
628  // format containing all the attributes and where each array starts
629  // with a 'count' element providing the number of attributes in the
630  // entry, or the number of values for attribute. For compatibility
631  // reasons, it remains the default format returned by LDAP container
632  // setAuthData().
633  // The code below optionally returns attributes in another format,
634  // more compliant with other Auth containers, where each attribute
635  // element are directly set in the 'authData' list. This option is
636  // enabled by setting 'attrformat' to
637  // 'AUTH' in the 'options' array.
638  // eg. $this->options['attrformat'] = 'AUTH'
639 
640  if ( strtoupper($this->options['attrformat']) == 'AUTH' ) {
641  $this->log('Saving attributes to Auth data in AUTH format', AUTH_LOG_DEBUG);
642  unset ($attributes['count']);
643  foreach ($attributes as $attributeName => $attributeValue ) {
644  if (is_int($attributeName)) continue;
645  if (is_array($attributeValue) && isset($attributeValue['count'])) {
646  unset ($attributeValue['count']);
647  }
648  if (count($attributeValue)<=1) $attributeValue = $attributeValue[0];
649  $this->log('Storing additional field: '.$attributeName, AUTH_LOG_DEBUG);
650  $this->_auth_obj->setAuthData($attributeName, $attributeValue);
651  }
652  }
653  else
654  {
655  $this->log('Saving attributes to Auth data in LDAP format', AUTH_LOG_DEBUG);
656  $this->_auth_obj->setAuthData('attributes', $attributes);
657  }
658  }
659  }
660  @ldap_free_result($result_id);
661 
662  // need to catch an empty password as openldap seems to return TRUE
663  // if anonymous binding is allowed
664  if ($password != "") {
665  $this->log("Bind as $user_dn", AUTH_LOG_DEBUG);
666 
667  // try binding as this user with the supplied password
668  @call_user_func_array('ldap_set_options', array($this->conn_id,LDAP_OPT_NETWORK_TIMEOUT, ilLDAPServer::DEFAULT_NETWORK_TIMEOUT));
669  if (@ldap_bind($this->conn_id, $user_dn, $password)) {
670  $this->log('Bind successful', AUTH_LOG_DEBUG);
671 
672  // check group if appropiate
673  if (strlen($this->options['group'])) {
674  // decide whether memberattr value is a dn or the username
675  $this->log('Checking group membership', AUTH_LOG_DEBUG);
676  $return = $this->checkGroup(($this->options['memberisdn']) ? $user_dn : $username);
677  $this->_disconnect();
678  return $return;
679  } else {
680  $this->log('Authenticated', AUTH_LOG_DEBUG);
681  $this->_disconnect();
682  return true; // user authenticated
683  } // checkGroup
684  } // bind
685  } // non-empty password
686  } while ($this->options['try_all'] == true); // interate through entries
687  } // get results
688  // default
689  $this->log('NOT authenticated!', AUTH_LOG_DEBUG);
690  $this->_disconnect();
691  return false;
692  }
Auth_Container_LDAP\checkGroup
checkGroup($user)
Validate group membership.
Definition: LDAP.php:707
Auth_Container_LDAP\_quoteFilterString
_quoteFilterString($filter_str)
Escapes LDAP filter special characters as defined in RFC 2254.
Definition: LDAP.php:758
Auth_Container_LDAP\_getBaseDN
_getBaseDN()
Tries to find Basedn via namingContext Attribute.
Definition: LDAP.php:368
Auth_Container_LDAP\_scope2function
_scope2function($scope)
Get search function for scope.
Definition: LDAP.php:519
AUTH_LOG_DEBUG
const AUTH_LOG_DEBUG
Auth Log level - DEBUG.
Definition: Auth.php:59
ilLDAPServer\DEFAULT_NETWORK_TIMEOUT
const DEFAULT_NETWORK_TIMEOUT
Definition: class.ilLDAPServer.php:30
Auth_Container_LDAP\_disconnect
_disconnect()
Disconnects (unbinds) from ldap server.
Definition: LDAP.php:351
PEAR\raiseError
& raiseError($message=null, $code=null, $mode=null, $options=null, $userinfo=null, $error_class=null, $skipmsg=false)
This method is a wrapper that returns an instance of the configured error class with this object&#39;s de...
Definition: PEAR.php:524
Auth_Container\log
log($message, $level=AUTH_LOG_DEBUG)
Log a message to the Auth log.
Definition: Container.php:246
Auth_Container_LDAP\_prepare
_prepare()
Prepare LDAP connection.
Definition: LDAP.php:256
+ Here is the call graph for this function:

Field Documentation

◆ $conn_id

Auth_Container_LDAP::$conn_id = false

Definition at line 218 of file LDAP.php.

◆ $options

Auth_Container_LDAP::$options = array()

Definition at line 212 of file LDAP.php.

The documentation for this class was generated from the following file: