ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
ilLDAPRoleGroupMapping Class Reference

Public Member Functions

 getInfoStrings ($a_obj_id, $a_check_type=false)
 Get the info strings for an object. If check type is enabled, only the info strings flagged as visible everywhere in the repository are returned.

 assign ($a_role_id, $a_usr_id)
 Typically called from ilRbacAdmin::assignUser(). Checks that a role mapping exists and that the user has auth mode LDAP; after these checks the user is added to the mapped LDAP group(s).

 deleteRole ($a_role_id)
 Delete role: deassign all users of the role from the mapped LDAP groups.

 deassign ($a_role_id, $a_usr_id)
 Typically called from ilRbacAdmin::deassignUser(). Checks that a role mapping exists and that the user has auth mode LDAP; after these checks the user is removed from the mapped LDAP group(s).

 deleteUser ($a_usr_id)
 Delete user: deassign from all mapped LDAP groups.
 

Static Public Member Functions

static _getInstance ()
 Get singleton instance of this class.
 

Private Member Functions

 __construct ()
 Singleton constructor.

 initServers ()
 Check whether there is any active server with role synchronisation enabled and load its role/group mappings.

 isHandledRole ($a_role_id)
 Check if a role is handled by a mapping or not.

 isHandledUser ($a_usr_id)
 Check if user is an LDAP user.

 assignToGroup ($a_role_id, $a_usr_id)
 Assign user to group.

 deassignFromGroup ($a_role_id, $a_usr_id)
 Deassign user from group.

 isMember ($a_uid, $data)
 Check if user is member.

 checkOtherMembership ($a_usr_id, $a_role_id, $a_data)
 Check whether another role the user still holds maps to the same group.

 storeMembers ($a_mapping_id, $a_data)
 Store members.

 readDN ($a_usr_id, $a_server_id)
 Read DN of user.

 getLDAPQueryInstance ($a_server_id, $a_url)
 Get LDAPQueryInstance.
 

Private Attributes

 $log = null
 
 $servers = null
 
 $mappings = array()
 
 $mapping_members = array()
 
 $query = array()
 
 $active_servers = false
 

Static Private Attributes

static $instance = null
 

Detailed Description

Author
Stefan Meyer meyer@leifos.com

Definition at line 34 of file class.ilLDAPRoleGroupMapping.php.

Constructor & Destructor Documentation

◆ __construct()

ilLDAPRoleGroupMapping::__construct ( )
private

Singleton constructor.

@access private

Definition at line 50 of file class.ilLDAPRoleGroupMapping.php.

    {
        global $ilLog;

        $this->log = $ilLog;
        $this->initServers();
    }

References $ilLog, and initServers().


Member Function Documentation

◆ _getInstance()

static ilLDAPRoleGroupMapping::_getInstance ( )
static

Get singleton instance of this class.

@access public

Definition at line 64 of file class.ilLDAPRoleGroupMapping.php.

    {
        if(is_object(self::$instance))
        {
            return self::$instance;
        }
        return self::$instance = new ilLDAPRoleGroupMapping();
    }

References $instance.

Referenced by ilRbacAdmin\assignUser(), ilRbacAdmin\assignUserLimited(), ilRbacAdmin\deassignUser(), ilObjUser\delete(), ilRbacAdmin\deleteRole(), ilObjectListGUI\ilObjectListGUI(), and ilInfoScreenGUI\showLDAPRoleGroupMappingInfo().


◆ assign()

ilLDAPRoleGroupMapping::assign (   $a_role_id,
  $a_usr_id 
)

This method is typically called from ilRbacAdmin::assignUser(). It checks that a role mapping exists and that the user has auth mode LDAP; after these checks the user is added to the mapped LDAP group(s).

@access public

Parameters
int role_id
int user_id

Definition at line 116 of file class.ilLDAPRoleGroupMapping.php.

    {
        // return if there is nothing to do
        if(!$this->active_servers)
        {
            return false;
        }

        if(!$this->isHandledRole($a_role_id))
        {
            return false;
        }
        if(!$this->isHandledUser($a_usr_id))
        {
            $this->log->write('LDAP assign: User ID: '.$a_usr_id.' has no LDAP account');
            return false;
        }
        $this->log->write('LDAP assign: User ID: '.$a_usr_id.' Role Id: '.$a_role_id);
        // true only means the assignment was attempted: per-mapping LDAP errors
        // are caught, logged and swallowed inside assignToGroup()
        $this->assignToGroup($a_role_id,$a_usr_id);

        return true;
    }

References assignToGroup(), isHandledRole(), and isHandledUser().


◆ assignToGroup()

ilLDAPRoleGroupMapping::assignToGroup (   $a_role_id,
  $a_usr_id 
)
private

Assign user to group.

@access private

Parameters
int role_id
int user_id

Definition at line 295 of file class.ilLDAPRoleGroupMapping.php.

    {
        foreach($this->mappings[$a_role_id] as $data)
        {
            try
            {
                // member value written to the group: the user's DN (isdn set, e.g.
                // groupOfNames/member) or the plain external account name (e.g. posixGroup/memberUid)
                if($data['isdn'])
                {
                    $external_account = $this->readDN($a_usr_id,$data['server_id']);
                }
                else
                {
                    $external_account = $this->users[$a_usr_id];
                }

                // Forcing modAdd since Active directory is too slow and i cannot check if a user is member or not.
                // (If the server rejects the add, e.g. because the value already exists, the
                // ilLDAPQueryException is caught below and only logged.)
                #if($this->isMember($external_account,$data))
                #{
                #	$this->log->write("LDAP assign: User already assigned to group '".$data['dn']."'");
                #}
                #else
                {
                    // Add user (the write is done with the server's admin bind, see getLDAPQueryInstance())
                    $query_obj = $this->getLDAPQueryInstance($data['server_id'],$data['url']);
                    $query_obj->modAdd($data['dn'],array($data['member'] => $external_account));
                    $this->log->write('LDAP assign: Assigned '.$external_account.' to group '.$data['dn']);
                }
            }
            catch(ilLDAPQueryException $exc)
            {
                $this->log->write($exc->getMessage());
                // try next mapping
                continue;
            }
        }
    }

References $data, getLDAPQueryInstance(), and readDN().

Referenced by assign().


◆ checkOtherMembership()

ilLDAPRoleGroupMapping::checkOtherMembership (   $a_usr_id,
  $a_role_id,
  $a_data 
)
private

Check other membership.

@access private

Returns
string title of another role, still assigned to the user, that maps to the same group DN on the same server; false if there is none

Definition at line 440 of file class.ilLDAPRoleGroupMapping.php.

    {
        global $rbacreview,$ilObjDataCache;

        foreach($this->mappings as $role_id => $tmp_data)
        {
            foreach($tmp_data as $data)
            {
                // skip the role that is being deassigned
                if($role_id == $a_role_id)
                {
                    continue;
                }
                // only the same group on the same server counts
                if($data['server_id'] != $a_data['server_id'])
                {
                    continue;
                }
                if($data['dn'] != $a_data['dn'])
                {
                    continue;
                }
                // another mapped role the user still holds points at this group
                if($rbacreview->isAssigned($a_usr_id,$role_id))
                {
                    return $ilObjDataCache->lookupTitle($role_id);
                }
            }
        }
        return false;
    }

References $data.

Referenced by deassignFromGroup().


◆ deassign()

ilLDAPRoleGroupMapping::deassign (   $a_role_id,
  $a_usr_id 
)

This method is typically called from ilRbacAdmin::deassignUser(). It checks that a role mapping exists and that the user has auth mode LDAP; after these checks the user is removed from the mapped LDAP group(s).

@access public

Parameters
int role_id
int user_id

Definition at line 180 of file class.ilLDAPRoleGroupMapping.php.

    {
        // return if there is nothing to do
        if(!$this->active_servers)
        {
            return false;
        }
        if(!$this->isHandledRole($a_role_id))
        {
            return false;
        }
        if(!$this->isHandledUser($a_usr_id))
        {
            return false;
        }
        $this->log->write('LDAP deassign: User ID: '.$a_usr_id.' Role Id: '.$a_role_id);
        $this->deassignFromGroup($a_role_id,$a_usr_id);

        return true;
    }

References deassignFromGroup(), isHandledRole(), and isHandledUser().

Referenced by deleteRole(), and deleteUser().


◆ deassignFromGroup()

ilLDAPRoleGroupMapping::deassignFromGroup (   $a_role_id,
  $a_usr_id 
)
private

Deassign user from group.

@access private

Parameters
int role_id
int user_id

Definition at line 340 of file class.ilLDAPRoleGroupMapping.php.

    {
        foreach($this->mappings[$a_role_id] as $data)
        {
            try
            {
                if($data['isdn'])
                {
                    $external_account = $this->readDN($a_usr_id,$data['server_id']);
                }
                else
                {
                    $external_account = $this->users[$a_usr_id];
                }

                // Check for other role membership: if another role the user still holds
                // maps to the same group on the same server, the user stays in the group.
                // ($role_id receives the title of that role, not its id.)
                if($role_id = $this->checkOtherMembership($a_usr_id,$a_role_id,$data))
                {
                    $this->log->write('LDAP deassign: User is still assigned to role "'.$role_id.'".');
                    continue;
                }
                /*
                if(!$this->isMember($external_account,$data))
                {
                    $this->log->write("LDAP deassign: User not assigned to group '".$data['dn']."'");
                    continue;
                }
                */
                // Deassign user
                $query_obj = $this->getLDAPQueryInstance($data['server_id'],$data['url']);
                $query_obj->modDelete($data['dn'],array($data['member'] => $external_account));
                $this->log->write('LDAP deassign: Deassigned '.$external_account.' from group '.$data['dn']);

                // Delete from cache
                // (array_search() returns false or an index, and index 0 is a valid hit.
                // Note that the whole cached member list of this mapping is dropped, not
                // only the one entry, so the next isMember() call re-reads the group.)
                if(is_array($this->mapping_members[$data['mapping_id']]))
                {
                    $key = array_search($external_account,$this->mapping_members[$data['mapping_id']]);
                    if($key or $key === 0)
                    {
                        unset($this->mapping_members[$data['mapping_id']]);
                    }
                }

            }
            catch(ilLDAPQueryException $exc)
            {
                $this->log->write($exc->getMessage());
                // try next mapping
                continue;
            }
        }
    }

References $data, checkOtherMembership(), getLDAPQueryInstance(), and readDN().

Referenced by deassign().

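deassignFromGroup() only removes the user from a mapped group when checkOtherMembership() finds no other role, still assigned to the user, that maps to the same DN on the same server. The added example below is not ILIAS code: it isolates that decision as a pure function over an in-memory mapping table shaped like $this->mappings (role_id => rows with server_id, dn and member). The role ids, group DNs and the name planGroupRemovals() are constructed for the example, and the user's remaining roles are passed in as a list instead of being looked up through $rbacreview.

```php
<?php
// Added example, not ILIAS project code: which LDAP group removals a role
// deassignment should trigger, mirroring deassignFromGroup() and
// checkOtherMembership() on constructed in-memory data.

/**
 * $mappings: role_id => list of mapping rows (server_id, dn, member).
 * $userRoles: role ids the user still holds apart from $roleId (the class
 * asks $rbacreview->isAssigned() for each candidate role instead).
 *
 * Returns array(list of (server_id, dn, member) to modDelete,
 *               list of skipped rows with the role that still covers the group).
 */
function planGroupRemovals(array $mappings, $roleId, array $userRoles)
{
    $remove  = array();
    $skipped = array();

    if (!array_key_exists($roleId, $mappings)) {     // same test as isHandledRole()
        return array($remove, $skipped);
    }

    foreach ($mappings[$roleId] as $row) {
        $coveredBy = null;
        foreach ($mappings as $otherRoleId => $otherRows) {
            // the role being removed never protects its own groups, and roles the
            // user does not hold do not count
            if ($otherRoleId == $roleId || !in_array($otherRoleId, $userRoles)) {
                continue;
            }
            foreach ($otherRows as $other) {
                // same server AND same group DN => the user must stay in the group
                if ($other['server_id'] == $row['server_id'] && $other['dn'] == $row['dn']) {
                    $coveredBy = $otherRoleId;
                    break 2;
                }
            }
        }
        if ($coveredBy !== null) {
            $skipped[] = array('dn' => $row['dn'], 'still_role' => $coveredBy);
        } else {
            $remove[] = array($row['server_id'], $row['dn'], $row['member']);
        }
    }
    return array($remove, $skipped);
}

// Constructed sample mapping table (role ids, servers and DNs invented for the example).
$mappings = array(
    10 => array(
        array('server_id' => 1, 'dn' => 'cn=students,ou=groups,dc=example,dc=org', 'member' => 'member'),
        array('server_id' => 1, 'dn' => 'cn=course-a,ou=groups,dc=example,dc=org', 'member' => 'member'),
    ),
    11 => array(
        array('server_id' => 1, 'dn' => 'cn=students,ou=groups,dc=example,dc=org', 'member' => 'member'),
    ),
    12 => array(
        // same DN, but on another server: does not protect the server-1 entry
        array('server_id' => 2, 'dn' => 'cn=course-a,ou=groups,dc=example,dc=org', 'member' => 'uniqueMember'),
    ),
);

// Role 10 is being removed; the user keeps roles 11 and 12.
list($remove, $skipped) = planGroupRemovals($mappings, 10, array(11, 12));

foreach ($remove as $r) {
    list($serverId, $dn, $memberAttr) = $r;
    echo "modDelete on server $serverId: $dn ($memberAttr)\n";
}
foreach ($skipped as $s) {
    echo "keep {$s['dn']}: still mapped from role {$s['still_role']}\n";
}
```

With these inputs the user is removed from cn=course-a on server 1 only; cn=students is kept because role 11 still maps to it, while role 12's cn=course-a mapping lives on server 2 and therefore does not protect the server-1 entry, exactly the server_id comparison checkOtherMembership() makes.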

◆ deleteRole()

ilLDAPRoleGroupMapping::deleteRole (   $a_role_id)

Delete role.

This function is triggered from ilRbacAdmin::deleteRole. It deassigns all users of the role from the mapped LDAP groups.

@access public

Parameters
int role id

Definition at line 148 of file class.ilLDAPRoleGroupMapping.php.

    {
        global $rbacreview;

        // return if there is nothing to do
        if(!$this->active_servers)
        {
            return false;
        }

        if(!$this->isHandledRole($a_role_id))
        {
            return false;
        }

        foreach($rbacreview->assignedUsers($a_role_id) as $usr_id)
        {
            $this->deassign($a_role_id,$usr_id);
        }
        return true;
    }

References deassign(), and isHandledRole().


◆ deleteUser()

ilLDAPRoleGroupMapping::deleteUser (   $a_usr_id)

Delete user: deassign from all mapped LDAP groups.

@access public

Parameters
int user id

Definition at line 207 of file class.ilLDAPRoleGroupMapping.php.

    {
        // deassign() itself checks for active servers and for an LDAP user
        foreach($this->mappings as $role_id => $data)
        {
            $this->deassign($role_id,$a_usr_id);
        }
        return true;
    }

References $data, and deassign().


◆ getInfoStrings()

ilLDAPRoleGroupMapping::getInfoStrings (   $a_obj_id,
  $a_check_type = false 
)

Get the info strings for an object. If check type is enabled, only the info strings flagged as visible everywhere in the repository (MAPPING_INFO_ALL) are returned.

@access public

Parameters
int object id
bool check info type

Definition at line 82 of file class.ilLDAPRoleGroupMapping.php.

    {
        if(!$this->active_servers)
        {
            return false;
        }
        if($a_check_type)
        {
            // only info strings flagged MAPPING_INFO_ALL (see initServers())
            if(isset($this->mapping_info_strict[$a_obj_id]) and is_array($this->mapping_info_strict[$a_obj_id]))
            {
                return $this->mapping_info_strict[$a_obj_id];
            }
        }
        else
        {
            if(isset($this->mapping_info[$a_obj_id]) and is_array($this->mapping_info[$a_obj_id]))
            {
                return $this->mapping_info[$a_obj_id];
            }
        }
        return false;
    }

◆ getLDAPQueryInstance()

ilLDAPRoleGroupMapping::getLDAPQueryInstance (   $a_server_id,
  $a_url 
)
private

Get LDAPQueryInstance.

@access private

Parameters
int server_id
string url

Exceptions
ilLDAPQueryException

Definition at line 571 of file class.ilLDAPRoleGroupMapping.php.

    {
        include_once 'Services/LDAP/classes/class.ilLDAPQuery.php';

        // one bound connection per server and URL, reused by all later calls
        if(array_key_exists($a_server_id,$this->query) and
            array_key_exists($a_url,$this->query[$a_server_id]) and
            is_object($this->query[$a_server_id][$a_url]))
        {
            return $this->query[$a_server_id][$a_url];
        }
        try
        {
            // group modifications need write access: bind with the server's admin credentials
            $tmp_query = new ilLDAPQuery($this->servers[$a_server_id],$a_url);
            $tmp_query->bind(IL_LDAP_BIND_ADMIN);
        }
        catch(ilLDAPQueryException $exc)
        {
            throw $exc;
        }
        return $this->query[$a_server_id][$a_url] = $tmp_query;
    }

References IL_LDAP_BIND_ADMIN.

Referenced by assignToGroup(), deassignFromGroup(), isMember(), and readDN().


◆ initServers()

ilLDAPRoleGroupMapping::initServers ( )
private

Check whether there is any active server with role synchronisation enabled; if so, load the servers, their role/group mappings, the info strings and the list of LDAP users.

@access private

Definition at line 224 of file class.ilLDAPRoleGroupMapping.php.

    {
        // servers that are active and have option role_sync_active
        // (this line is missing from the generated listing; reconstructed from the References list below)
        $server_ids = ilLDAPServer::_getRoleSyncServerIds();

        if(!count($server_ids))
        {
            return false;
        }

        // Init servers
        include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');

        $this->active_servers = true;
        $this->mappings = array();
        foreach($server_ids as $server_id)
        {
            $this->servers[$server_id] = new ilLDAPServer($server_id);
            // (one line is missing from the generated listing here; per the References list it
            // fills $this->mappings, keyed by role id, from
            // ilLDAPRoleGroupMappingSettings::_getAllActiveMappings())
        }
        // info strings shown for the mapped object; the strict list only keeps
        // those flagged to be shown everywhere (MAPPING_INFO_ALL)
        $this->mapping_info = array();
        $this->mapping_info_strict = array();
        foreach($this->mappings as $mapping)
        {
            foreach($mapping as $key => $data)
            {
                if(strlen($data['info']) and $data['object_id'])
                {
                    $this->mapping_info[$data['object_id']][] = $data['info'];
                }
                if(strlen($data['info']) && ($data['info_type'] == ilLDAPRoleGroupMappingSettings::MAPPING_INFO_ALL))
                {
                    $this->mapping_info_strict[$data['object_id']][] = $data['info'];
                }
            }
        }
        // usr_id => external account for every user handled by auth mode 'ldap'
        $this->users = ilObjUser::_getExternalAccountsByAuthMode('ldap',true);

        return true;
    }

References $data, ilLDAPRoleGroupMappingSettings\_getAllActiveMappings(), ilObjUser\_getExternalAccountsByAuthMode(), ilLDAPServer\_getRoleSyncServerIds(), and ilLDAPRoleGroupMappingSettings\MAPPING_INFO_ALL.

Referenced by __construct().


◆ isHandledRole()

ilLDAPRoleGroupMapping::isHandledRole (   $a_role_id)
private

Check if a role is handled or not.

@access private

Parameters
int role_id
Returns
bool true if a mapping exists for the role

Definition at line 272 of file class.ilLDAPRoleGroupMapping.php.

    {
        return array_key_exists($a_role_id,$this->mappings);
    }

Referenced by assign(), deassign(), and deleteRole().


◆ isHandledUser()

ilLDAPRoleGroupMapping::isHandledUser (   $a_usr_id)
private

Check if user is ldap user.

@access private

Definition at line 282 of file class.ilLDAPRoleGroupMapping.php.

    {
        return array_key_exists($a_usr_id,$this->users);
    }

Referenced by assign(), and deassign().


◆ isMember()

ilLDAPRoleGroupMapping::isMember (   $a_uid,
  $data 
)
private

Check if user is member.

@access private

Exceptions
ilLDAPQueryException

Definition at line 399 of file class.ilLDAPRoleGroupMapping.php.

    {
        if(!isset($this->mapping_members["$data[mapping_id]"]))
        {
            // Read members
            try
            {
                $server = $this->servers["$data[server_id]"];
                $query_obj = $this->getLDAPQueryInstance($data['server_id'],$server->getUrl());

                // query for members: read only the group entry itself and its member attribute
                $res = $query_obj->query($data['dn'],
                    '(objectClass=*)',
                    IL_LDAP_SCOPE_BASE, // scope argument restored from the References list below
                    array($data['member']));

                $this->storeMembers($data['mapping_id'],$res->get());
                unset($res);
            }
            catch(ilLDAPQueryException $exc)
            {
                throw $exc;
            }
        }
        #var_dump("<pre>",$a_uid,$this->mapping_members,"</pre>");

        // Now check for membership in stored result
        // (in_array() compares the strings as stored; LDAP treats DNs as
        // case-insensitive, so a DN returned in different case would not match)
        if(in_array($a_uid,$this->mapping_members["$data[mapping_id]"]))
        {
            return true;
        }
        return false;
    }

References $data, $res, $server, getLDAPQueryInstance(), IL_LDAP_SCOPE_BASE, and storeMembers().


◆ readDN()

ilLDAPRoleGroupMapping::readDN (   $a_usr_id,
  $a_server_id 
)
private

Read DN of user.

@access private

Parameters
int user id
int server id
Exceptions
ilLDAPQueryException

Definition at line 507 of file class.ilLDAPRoleGroupMapping.php.

    {
        if(isset($this->user_dns[$a_usr_id]))
        {
            return $this->user_dns[$a_usr_id];
        }

        $external_account = $this->users[$a_usr_id];

        try
        {
            $server = $this->servers[$a_server_id];
            $query_obj = $this->getLDAPQueryInstance($a_server_id,$server->getUrl());

            if($search_base = $server->getSearchBase())
            {
                $search_base .= ',';
            }
            $search_base .= $server->getBaseDN();

            // try optional group user filter first
            if($server->isMembershipOptional() and $server->getGroupUserFilter())
            {
                $userFilter = $server->getGroupUserFilter();
            }
            else
            {
                $userFilter = $server->getFilter();
            }

            // Note: $external_account is interpolated without LDAP filter escaping
            // (no ldap_escape() with LDAP_ESCAPE_FILTER); an account name containing
            // ( ) * or \ would alter the structure of the filter instead of being matched literally.
            $filter = sprintf('(&(%s=%s)%s)',
                $server->getUserAttribute(),
                $external_account,
                $userFilter);

            $res = $query_obj->query($search_base,$filter,$server->getUserScope(),array('dn'));

            // exactly one entry must match; zero or several hits are refused
            if(!$res->numRows())
            {
                include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
                throw new ilLDAPQueryException(__METHOD__.' cannot find dn for user '.$external_account);
            }
            if($res->numRows() > 1)
            {
                include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
                throw new ilLDAPQueryException(__METHOD__.' found multiple distinguished name for: '.$external_account);
            }

            $data = $res->get();
            // cached per user only; the cache is not keyed by server id
            return $this->user_dns[$a_usr_id] = $data['dn'];
        }
        catch(ilLDAPQueryException $exc)
        {
            throw $exc;
        }
    }

References $data, $res, $server, and getLDAPQueryInstance().

Referenced by assignToGroup(), and deassignFromGroup().

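The filter in readDN() is assembled with sprintf() from the configured user attribute, the user's external account and the server's user filter. The following added example is not ILIAS code: it builds that same filter twice, once verbatim as the class does and once with the account value escaped per RFC 4515 through PHP's ldap_escape() (with a strtr() table as fallback where the ldap extension is absent), and reproduces the "exactly one DN" check on constructed search results. The attribute name, user filter, account names and DNs are made-up sample values, and buildFilterRaw(), buildFilterEscaped(), escapeFilterValue() and selectSingleDN() are names chosen for this example.

```php
<?php
// Added example, not ILIAS project code: the user-DN lookup filter from
// readDN(), built once exactly as the class builds it and once with the
// account value escaped. All inputs below are constructed for this example.

/**
 * Filter as readDN() assembles it: the external account is interpolated
 * verbatim into the filter string.
 */
function buildFilterRaw($userAttribute, $externalAccount, $userFilter)
{
    return sprintf('(&(%s=%s)%s)', $userAttribute, $externalAccount, $userFilter);
}

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515): the
 * characters \ * ( ) and NUL become \5c \2a \28 \29 \00. PHP >= 5.6 ships
 * ldap_escape(); the strtr() table applies the same mapping elsewhere.
 */
function escapeFilterValue($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return strtr($value, array(
        '\\'   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    ));
}

/**
 * Same filter shape as readDN(), but the account value can only ever match
 * as a literal attribute value.
 */
function buildFilterEscaped($userAttribute, $externalAccount, $userFilter)
{
    return sprintf('(&(%s=%s)%s)',
        $userAttribute, escapeFilterValue($externalAccount), $userFilter);
}

/**
 * Mirror of the result handling in readDN(): exactly one entry must come
 * back. Zero hits means an unknown account; several hits mean the filter is
 * ambiguous and no DN may be picked at random.
 * $entries is a list of arrays with a 'dn' key, as a search would return.
 */
function selectSingleDN(array $entries, $externalAccount)
{
    if (count($entries) === 0) {
        throw new RuntimeException('cannot find dn for user ' . $externalAccount);
    }
    if (count($entries) > 1) {
        throw new RuntimeException('found multiple distinguished names for: ' . $externalAccount);
    }
    return $entries[0]['dn'];
}

// Constructed sample configuration and account names.
$userAttribute = 'uid';
$userFilter    = '(objectClass=inetOrgPerson)';
$accounts = array(
    'jdoe',                 // ordinary login
    'jdoe)(objectClass=*',  // login containing filter metacharacters
);

foreach ($accounts as $account) {
    echo "account: $account\n";
    echo "  raw:     " . buildFilterRaw($userAttribute, $account, $userFilter) . "\n";
    echo "  escaped: " . buildFilterEscaped($userAttribute, $account, $userFilter) . "\n";
}

// Constructed search results: one unambiguous hit, then two hits for the same login.
$single = array(array('dn' => 'uid=jdoe,ou=people,dc=example,dc=org'));
$double = array(
    array('dn' => 'uid=jdoe,ou=people,dc=example,dc=org'),
    array('dn' => 'uid=jdoe,ou=contractors,dc=example,dc=org'),
);
echo "dn: " . selectSingleDN($single, 'jdoe') . "\n";
try {
    selectSingleDN($double, 'jdoe');
} catch (RuntimeException $e) {
    echo "refused: " . $e->getMessage() . "\n";
}
```

For the second account the raw form closes the (uid=...) term early and appends an extra clause of the account's choosing, whereas the escaped form yields a single uid term whose value contains \29\28 and \2a. The class's behaviour depends on external accounts being stored as plain login names at LDAP authentication time; escaping at the point of filter construction removes that dependency.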

◆ storeMembers()

ilLDAPRoleGroupMapping::storeMembers (   $a_mapping_id,
  $a_data 
)
private

Store Members.

@access private

Definition at line 476 of file class.ilLDAPRoleGroupMapping.php.

    {
        $this->mapping_members[$a_mapping_id] = array();
        // $a_data is the group entry as returned by $res->get():
        // attribute name => single value or list of values
        foreach($a_data as $field => $value)
        {
            if(strtolower($field) == 'dn')
            {
                continue;
            }

            // single-valued member attribute
            if(!is_array($value))
            {
                $this->mapping_members[$a_mapping_id][] = $value;
                continue;
            }
            // multi-valued: one entry per member
            foreach($value as $external_account)
            {
                $this->mapping_members[$a_mapping_id][] = $external_account;
            }
        }
        return true;
    }

Referenced by isMember().


Field Documentation

◆ $active_servers

ilLDAPRoleGroupMapping::$active_servers = false
private

Definition at line 42 of file class.ilLDAPRoleGroupMapping.php.

◆ $instance

ilLDAPRoleGroupMapping::$instance = null
staticprivate

Definition at line 37 of file class.ilLDAPRoleGroupMapping.php.

Referenced by _getInstance().

◆ $log

ilLDAPRoleGroupMapping::$log = null
private

Definition at line 36 of file class.ilLDAPRoleGroupMapping.php.

◆ $mapping_members

ilLDAPRoleGroupMapping::$mapping_members = array()
private

Definition at line 40 of file class.ilLDAPRoleGroupMapping.php.

◆ $mappings

ilLDAPRoleGroupMapping::$mappings = array()
private

Definition at line 39 of file class.ilLDAPRoleGroupMapping.php.

◆ $query

ilLDAPRoleGroupMapping::$query = array()
private

Definition at line 41 of file class.ilLDAPRoleGroupMapping.php.

◆ $servers

ilLDAPRoleGroupMapping::$servers = null
private

Definition at line 38 of file class.ilLDAPRoleGroupMapping.php.


The documentation for this class was generated from the following file:
class.ilLDAPRoleGroupMapping.php