Overwritten Pear class AuthContainerLDAP This class is overwritten to support nested groups. More...

Inheritance diagram for ilAuthContainerLDAP:

Collaboration diagram for ilAuthContainerLDAP:

Public Member Functions
	__construct ($a_server_id=null)
	Constructor. More...

	forceCreation ($a_status)

	enableOptionalGroupCheck ()
	enable optional group check More...

	enabledOptionalGroupCheck ()
	Check if optional group check is enabled. More...

	fetchData ($username, $password)
	Overwritten from base class. More...

	checkGroup ($a_name)
	check group overwritten base class More...

	loginObserver ($a_username, $a_auth)
	Called from fetchData after successful login. More...

	failedLoginObserver ($a_username, $a_auth)
	Called from fetchData after failed login. More...

	supportsCaptchaVerification ()

Public Member Functions inherited from Auth_Container_LDAP
	Auth_Container_LDAP ($params)
	Constructor of the container class. More...

	_prepare ()
	Prepare LDAP connection. More...

	_connect ()
	Connect to the LDAP server using the global options. More...

	_disconnect ()
	Disconnects (unbinds) from ldap server. More...

	_getBaseDN ()
	Tries to find Basedn via namingContext Attribute. More...

	_isValidLink ()
	determines whether there is a valid ldap conenction or not More...

	_setDefaults ()
	Set some default options. More...

	_parseOptions ($array)
	Parse options passed to the container class. More...

	_setV12OptionsToV13 ($array)
	Adapt deprecated options from Auth 1.2 LDAP to Auth 1.3 LDAP. More...

	_scope2function ($scope)
	Get search function for scope. More...

	fetchData ($username, $password)
	Fetch data from LDAP server. More...

	checkGroup ($user)
	Validate group membership. More...

	_quoteFilterString ($filter_str)
	Escapes LDAP filter special characters as defined in RFC 2254. More...

Public Member Functions inherited from Auth_Container
	Auth_Container ()
	Constructor. More...

	fetchData ($username, $password, $isChallengeResponse=false)
	Fetch data from storage container. More...

	verifyPassword ($password1, $password2, $cryptType="md5")
	Crypt and verfiy the entered password. More...

	supportsChallengeResponse ()
	Returns true if the container supports Challenge Response password authentication. More...

	getCryptType ()
	Returns the crypt current crypt type of the container. More...

	listUsers ()
	List all users that are available from the storage container. More...

	getUser ($username)
	Returns a user assoc array. More...

	addUser ($username, $password, $additional=null)
	Add a new user to the storage container. More...

	removeUser ($username)
	Remove user from the storage container. More...

	changePassword ($username, $password)
	Change password for user in the storage container. More...

	log ($message, $level=AUTH_LOG_DEBUG)
	Log a message to the Auth log. More...

Public Member Functions inherited from ilAuthContainerBase
	loginObserver ($a_username, $a_auth)
	Called after successful login. More...

	failedLoginObserver ($a_username, $a_auth)
	Called after failed login. More...

	checkAuthObserver ($a_username, $a_auth)
	Called after check auth requests. More...

	logoutObserver ($a_username, $a_auth)
	Called after logout. More...

	supportsCaptchaVerification ()
	Returns whether or not the auth container supports the verification of captchas This should be true for those auth methods, which are available in the default login form. More...

Protected Member Functions
	extractUserName ($a_user_data)

	updateRequired ($a_username)
	Check if an update is required. More...

Private Member Functions
	updateUserFilter ()
	Update user filter. More...

	initLDAPAttributeToUser ()
	Init LDAP attribute mapping. More...

Private Attributes
	$optional_check = false

	$log = null

	$server = null

	$ldap_attr_to_user = null

Static Private Attributes
static	$force_creation = false

Additional Inherited Members
Data Fields inherited from Auth_Container_LDAP
	$options = array()

	$conn_id = false

Data Fields inherited from Auth_Container
	$activeUser = ""
	User that is currently selected from the storage container. More...

	$_auth_obj = null
	The Auth object this container is attached to. More...

Detailed Description

Overwritten Pear class AuthContainerLDAP This class is overwritten to support nested groups.

Author: Stefan Meyer smeye.nosp@m.r.il.nosp@m.ias@g.nosp@m.mx.d.nosp@m.e

Version: $Id$

Definition at line 36 of file class.ilAuthContainerLDAP.php.

Constructor & Destructor Documentation

◆ __construct()

ilAuthContainerLDAP::__construct ( $a_server_id = null )

Constructor.

@access public

Parameters

int	ldap server id

Definition at line 54 of file class.ilAuthContainerLDAP.php.

        {
                global $ilLog;
                
                include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
                
                if($a_server_id)
                {
                        $this->server = ilLDAPServer::getInstanceByServerId($a_server_id);
                }
                else
                {
                        $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
                }
 
                $this->log = ilLoggerFactory::getLogger('auth');
                
                parent::__construct($this->server->toPearAuthArray());
        }

References $ilLog, ilLDAPServer\_getFirstActiveServer(), ilLDAPServer\getInstanceByServerId(), ilLoggerFactory\getLogger(), and Auth_Container\log().

Here is the call graph for this function:

Member Function Documentation

◆ checkGroup()

ilAuthContainerLDAP::checkGroup ( $a_name )

check group overwritten base class

@access public

Parameters

string user name (DN or external account name)

Reimplemented from Auth_Container_LDAP.

Definition at line 146 of file class.ilAuthContainerLDAP.php.

        {
                $this->log->debug('Checking group restrictions...');
 
                // if there are multiple groups define check all of them for membership
                $groups = $this->server->getGroupNames();
                
                if(!count($groups))
                {
                        $this->log->debug('no group restrictions found');
                        return true;
                }
                elseif($this->server->isMembershipOptional() and !$this->optional_check)
                {
                        $this->log->debug('Group membership is otional');
                        return true;
                }
        
                foreach($groups as $group)
                {
                        $this->options['group'] = $group;
                        
                        if(parent::checkGroup($a_name))
                        {
                                return true;
                        }
                }
                return false;   
        }

References Auth_Container\log().

Here is the call graph for this function:

◆ enabledOptionalGroupCheck()

ilAuthContainerLDAP::enabledOptionalGroupCheck ( )

Check if optional group check is enabled.

@access public

Definition at line 98 of file class.ilAuthContainerLDAP.php.

        {
                return (bool) $this->optional_check;
        }

References $optional_check.

Referenced by fetchData().

Here is the caller graph for this function:

◆ enableOptionalGroupCheck()

ilAuthContainerLDAP::enableOptionalGroupCheck ( )

enable optional group check

@access public

Parameters

Definition at line 86 of file class.ilAuthContainerLDAP.php.

        {
                $this->optional_check = true;
                $this->updateUserFilter();
        }

References updateUserFilter().

Referenced by fetchData().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ extractUserName()

ilAuthContainerLDAP::extractUserName ( $a_user_data )

protected

Parameters

return string ldap username

Definition at line 258 of file class.ilAuthContainerLDAP.php.

        {
                $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ? 
                        $a_user_data[strtolower($this->server->getUserAttribute())] :
                        trim($a_user_data);
 
                // Support for multiple user attributes
                if(!is_array($a_username))
                {
                        return $a_username;
                }
                foreach($a_username as $name)
                {
                        // User found with authentication method 'ldap'
                        if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
                        {
                                return trim($name);
                        }
                }
                // No existing user found  => return first name
                return $a_username[0];                          
        }

References ilObjUser\_checkExternalAuthAccount().

Referenced by loginObserver().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ failedLoginObserver()

ilAuthContainerLDAP::failedLoginObserver	(	$a_username,
		$a_auth
	)

Called from fetchData after failed login.

Parameters

string	username
object	PEAR auth object

Reimplemented from ilAuthContainerBase.

Definition at line 248 of file class.ilAuthContainerLDAP.php.

        {
                return false;
        }

◆ fetchData()

ilAuthContainerLDAP::fetchData	(	$username,
		$password
	)

Overwritten from base class.

Parameters

object	$username
object	$password

Returns

Reimplemented from Auth_Container_LDAP.

Definition at line 109 of file class.ilAuthContainerLDAP.php.

        {
                if(!$this->server->doConnectionCheck())
                {
                        return FALSE;
                }
                
                
                $res = parent::fetchData($username,$password);
                
                if (PEAR::isError($res))
                { 
                        $this->log->notice('Authentication failed with message:' . $res->getMessage());
                        return $res;
                }
                elseif ($res == true)
                {
                        $this->log->debug('Authentication successful');
                        return true;
                } 
                if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
                {
                        $this->enableOptionalGroupCheck();
                        return parent::fetchData($username,$password);
                }
                return false;
        }

References $res, enabledOptionalGroupCheck(), enableOptionalGroupCheck(), PEAR\isError(), and Auth_Container\log().

Here is the call graph for this function:

◆ forceCreation()

ilAuthContainerLDAP::forceCreation ( $a_status )

Definition at line 74 of file class.ilAuthContainerLDAP.php.

        {
                self::$force_creation = $a_status;
        }

◆ initLDAPAttributeToUser()

ilAuthContainerLDAP::initLDAPAttributeToUser ( )

private

Init LDAP attribute mapping.

@access private

Definition at line 237 of file class.ilAuthContainerLDAP.php.

        {
                include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
                $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
        }

◆ loginObserver()

ilAuthContainerLDAP::loginObserver	(	$a_username,
		$a_auth
	)

Called from fetchData after successful login.

Parameters

string username

Reimplemented from ilAuthContainerBase.

Definition at line 192 of file class.ilAuthContainerLDAP.php.

        {
                global $ilLog;
                
                $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
                
                $a_username = $this->extractUserName($user_data);
 
                include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
                $sync = new ilLDAPUserSynchronisation('ldap_'.$this->server->getServerId(), $this->server->getServerId());
                $sync->setExternalAccount($a_username);
                $sync->setUserData($user_data);
                $sync->forceCreation(self::$force_creation);
 
                try {
                        $internal_account = $sync->sync();
                }
                catch(UnexpectedValueException $e) {
                        $this->log->info('Login failed with message: ' . $e->getMessage());
                        $a_auth->status = AUTH_WRONG_LOGIN;
                        $a_auth->logout();
                        return false;
                }
                catch(ilLDAPSynchronisationForbiddenException $e) {
                        // No syncronisation allowed => create Error
                        $this->log->info('Login failed with message: ' . $e->getMessage());
                        $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
                        $a_auth->logout();
                        return false;
                }
                catch(ilLDAPAccountMigrationRequiredException $e) {
                        $this->log->info('Starting account migration');
                        $a_auth->logout();
                        ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
                }
 
                $a_auth->setAuth($internal_account);
                return true;
        }

References $ilLog, AUTH_LDAP_NO_ILIAS_USER, AUTH_WRONG_LOGIN, extractUserName(), Auth_Container\log(), and ilUtil\redirect().

Here is the call graph for this function:

◆ supportsCaptchaVerification()

ilAuthContainerLDAP::supportsCaptchaVerification ( )

Returns: bool

Reimplemented from ilAuthContainerBase.

Definition at line 312 of file class.ilAuthContainerLDAP.php.

        {
                return true;
        }

◆ updateRequired()

ilAuthContainerLDAP::updateRequired ( $a_username )

protected

Check if an update is required.

Returns

Parameters

string $a_username

Definition at line 286 of file class.ilAuthContainerLDAP.php.

        {
                if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
                {
                        #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
                        return true;
                }
                // Check attribute mapping on login
                include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
                if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
                {
                        #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
                        return true;
                }
                include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
                if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
                {
                        #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
                        return true;
                }
                return false;
        }

References ilObjUser\_checkExternalAuthAccount(), ilLDAPAttributeMapping\hasRulesForUpdate(), and ilLDAPRoleAssignmentRule\hasRulesForUpdate().

Here is the call graph for this function:

◆ updateUserFilter()

ilAuthContainerLDAP::updateUserFilter ( )

private

Update user filter.

@access private

Definition at line 182 of file class.ilAuthContainerLDAP.php.

        {
                $this->options['userfilter'] = $this->server->getGroupUserFilter();
        }

Referenced by enableOptionalGroupCheck().

Here is the caller graph for this function:

Field Documentation

◆ $force_creation

ilAuthContainerLDAP::$force_creation = false

staticprivate

Definition at line 38 of file class.ilAuthContainerLDAP.php.

◆ $ldap_attr_to_user

ilAuthContainerLDAP::$ldap_attr_to_user = null

private

Definition at line 44 of file class.ilAuthContainerLDAP.php.

◆ $log

ilAuthContainerLDAP::$log = null

private

Definition at line 42 of file class.ilAuthContainerLDAP.php.

◆ $optional_check

ilAuthContainerLDAP::$optional_check = false

private

Definition at line 40 of file class.ilAuthContainerLDAP.php.

Referenced by enabledOptionalGroupCheck().

◆ $server

ilAuthContainerLDAP::$server = null

private

Definition at line 43 of file class.ilAuthContainerLDAP.php.

The documentation for this class was generated from the following file:

Services/LDAP/classes/class.ilAuthContainerLDAP.php

Public Member Functions

Protected Member Functions

Private Member Functions

Private Attributes

Static Private Attributes

Additional Inherited Members

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ checkGroup()

◆ enabledOptionalGroupCheck()

◆ enableOptionalGroupCheck()

◆ extractUserName()

◆ failedLoginObserver()

◆ fetchData()

◆ forceCreation()

◆ initLDAPAttributeToUser()

◆ loginObserver()

◆ supportsCaptchaVerification()

◆ updateRequired()

◆ updateUserFilter()

Field Documentation

◆ $force_creation

◆ $ldap_attr_to_user

◆ $log

◆ $optional_check

◆ $server