ILIAS  release_5-2 Revision v5.2.25-18-g3f80b828510
class.ilAuthProviderApache.php
Go to the documentation of this file.
1<?php
2/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4include_once './Services/Authentication/classes/Provider/class.ilAuthProvider.php';
5include_once './Services/Authentication/interfaces/interface.ilAuthProviderInterface.php';
6include_once './Services/Authentication/interfaces/interface.ilAuthProviderAccountMigrationInterface.php';
7
14class ilAuthProviderApache extends ilAuthProvider implements ilAuthProviderInterface, ilAuthProviderAccountMigrationInterface
15{
16 const APACHE_AUTH_TYPE_DIRECT_MAPPING = 1;
17 const APACHE_AUTH_TYPE_EXTENDED_MAPPING = 2;
18 const APACHE_AUTH_TYPE_BY_FUNCTION = 3;
19
20 private $settings = null;
21
22 private $migration_account = '';
23 private $force_new_account = false;
24
25
30 public function __construct(\ilAuthCredentials $credentials)
31 {
32 parent::__construct($credentials);
33
34 include_once './Services/Administration/classes/class.ilSetting.php';
35 $this->settings = new ilSetting('apache_auth');
36 }
37
42 protected function getSettings()
43 {
44 return $this->settings;
45 }
46
51 public function doAuthentication(\ilAuthStatus $status)
52 {
53 if(!$this->getSettings()->get('apache_enable_auth'))
54 {
55 $this->getLogger()->info('Apache auth disabled.');
56 $this->handleAuthenticationFail($status, 'apache_auth_err_disabled');
57 return false;
58 }
59
60 if(
61 !$this->getSettings()->get('apache_auth_indicator_name') ||
62 !$this->getSettings()->get('apache_auth_indicator_value')
63 )
64 {
65 $this->getLogger()->warning('Apache auth indicator match failure.');
66 $this->handleAuthenticationFail($status, 'apache_auth_err_indicator_match_failure');
67 return false;
68 }
69
70 if(
71 !in_array(
72 $_SERVER[$this->getSettings()->get('apache_auth_indicator_name')],
73 array_filter(array_map('trim', str_getcsv($this->getSettings()->get('apache_auth_indicator_value'))))
74 )
75 )
76 {
77 $this->getLogger()->warning('Apache authentication failed (indicator name <-> value');
78 $this->handleAuthenticationFail($status, 'err_wrong_login');
79 return false;
80 }
81
82 include_once './Services/Utilities/classes/class.ilUtil.php';
83 if(!ilUtil::isLogin($this->getCredentials()->getUsername()))
84 {
85 $this->getLogger()->warning('Invalid login name given: ' . $this->getCredentials()->getUsername());
86 $this->handleAuthenticationFail($status, 'apache_auth_err_invalid_login');
87 return false;
88 }
89
90 if(!strlen($this->getCredentials()->getUsername()))
91 {
92 $this->getLogger()->info('No username given');
93 $this->handleAuthenticationFail($status, 'err_wrong_login');
94 return false;
95 }
96
97 // Apache with ldap as data source
98 include_once './Services/LDAP/classes/class.ilLDAPServer.php';
99 if($this->getSettings()->get('apache_enable_ldap'))
100 {
101 return $this->handleLDAPDataSource($status);
102 }
103
104 $login = ilObjUser::_checkExternalAuthAccount('apache', $this->getCredentials()->getUsername());
105 $usr_id = ilObjUser::_lookupId($login);
106 if(!$usr_id)
107 {
108 // try to create user
109 if($this->createNewAccount($status))
110 {
111 return true;
112 }
113 $this->getLogger()->info('Cannot find user id for external account: ' . $this->getCredentials()->getUsername());
114 $this->handleAuthenticationFail($status, 'err_wrong_login');
115 return false;
116 }
117
118 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
119 $status->setAuthenticatedUserId($usr_id);
120 return true;
121 }
122
129 public function migrateAccount(\ilAuthStatus $status)
130 {
131 $this->force_new_account = true;
132 if($this->getSettings()->get('apache_enable_ldap'))
133 {
134 return $this->handleLDAPDataSource($status);
135 }
136 }
137
142 public function createNewAccount(\ilAuthStatus $status)
143 {
144 $this->force_new_account = true;
145 if($this->getSettings()->get('apache_enable_ldap'))
146 {
147 return $this->handleLDAPDataSource($status);
148 }
149 // create new account
150 if(
151 $this->getSettings()->get('apache_enable_local') &&
152 $this->getSettings()->get('apache_local_autocreate')
153 )
154 {
155 $this->getLogger()->info('Creating new apache auth account');
156 include_once './Services/User/classes/class.ilObjUser.php';
157 $user = new ilObjUser();
158
159 $login = ilAuthUtils::_generateLogin($this->getCredentials()->getUsername());
160 $user->setLogin($login);
161 $user->setExternalAccount($this->getCredentials()->getUsername());
162 $user->setProfileIncomplete(true);
163 $user->create();
164 $user->setAuthMode('apache');
165 // set a timestamp for last_password_change
166 // this ts is needed by ilSecuritySettings
167 $user->setLastPasswordChangeTS(time());
168 $user->setTimeLimitUnlimited(1);
169
170 $user->setActive(1);
171 //insert user data in table user_data
172 $user->saveAsNew();
173 $user->writePrefs();
174 $GLOBALS['DIC']->rbac()->admin()->assignUser(
175 $this->getSettings()->get('apache_default_role', 4),
176 $user->getId(),
177 true
178 );
179 $status->setAuthenticatedUserId($user->getId());
180 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
181 return true;
182 }
183 return false;
184 }
185
190 public function getExternalAccountName()
191 {
192 return $this->migration_account;
193 }
194
199 public function setExternalAccountName($a_name)
200 {
201 $this->migration_account = $a_name;
202 }
203
207 public function getTriggerAuthMode()
208 {
209 return AUTH_APACHE;
210 }
211
215 public function getUserAuthModeName()
216 {
217 if($this->getSettings()->get('apache_ldap_sid'))
218 {
219 return 'ldap_'.(string) $this->getSettings()->get('apache_ldap_sid');
220 }
221 return 'apache';
222 }
223
229 protected function handleLDAPDataSource(ilAuthStatus $status)
230 {
231 include_once './Services/LDAP/classes/class.ilLDAPServer.php';
232 $server = ilLDAPServer::getInstanceByServerId(
233 $this->getSettings()->get('apache_ldap_sid')
234 );
235
236 $this->getLogger()->debug('Using ldap data source with server configuration: ' . $server->getName());
237
238 include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
239 $sync = new ilLDAPUserSynchronisation('ldap_'.$server->getServerId(), $server->getServerId());
240 $sync->setExternalAccount($this->getCredentials()->getUsername());
241 $sync->setUserData(array());
242 $sync->forceCreation($this->force_new_account);
243 $sync->forceReadLdapData(true);
244
245 try {
246 $internal_account = $sync->sync();
247 $this->getLogger()->debug('Internal account: ' . $internal_account);
248 }
249 catch(UnexpectedValueException $e) {
250 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
251 $this->handleAuthenticationFail($status, 'err_wrong_login');
252 return false;
253 }
254 catch(ilLDAPSynchronisationForbiddenException $e) {
255 // No syncronisation allowed => create Error
256 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
257 $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
258 return false;
259 }
260 catch(ilLDAPAccountMigrationRequiredException $e) {
261 // Account migration required
262 $this->setExternalAccountName($this->getCredentials()->getUsername());
263 $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
264 $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
265 return false;
266 }
267 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
268 $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
269 return true;
270 }
271}
php
An exception for terminatinating execution or to throw for unit testing.
AUTH_APACHE
const AUTH_APACHE
Definition: class.ilAuthUtils.php:19
ilAuthProviderApache\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode of current authentication type.
Definition: class.ilAuthProviderApache.php:207
ilAuthProviderApache\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderApache.php:190
ilAuthProviderApache\createNewAccount
createNewAccount(\ilAuthStatus $status)
Create new account for account migration.
Definition: class.ilAuthProviderApache.php:142
ilAuthProviderApache\handleLDAPDataSource
handleLDAPDataSource(ilAuthStatus $status)
Handle ldap as data source.
Definition: class.ilAuthProviderApache.php:229
ilAuthProviderApache\__construct
__construct(\ilAuthCredentials $credentials)
Constructor.
Definition: class.ilAuthProviderApache.php:30
ilAuthProviderApache\doAuthentication
doAuthentication(\ilAuthStatus $status)
Definition: class.ilAuthProviderApache.php:51
ilAuthProviderApache\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name.
Definition: class.ilAuthProviderApache.php:215
ilAuthProviderApache\migrateAccount
migrateAccount(\ilAuthStatus $status)
Migrate existing account Maybe ldap sync has to be performed here.
Definition: class.ilAuthProviderApache.php:129
ilAuthProviderApache\setExternalAccountName
setExternalAccountName($a_name)
Set external account name.
Definition: class.ilAuthProviderApache.php:199
ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:12
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:55
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:12
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:20
ilAuthUtils\_generateLogin
static _generateLogin($a_login)
generate free login by starting with a default string and adding postfix numbers
Definition: class.ilAuthUtils.php:611
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:13
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId($a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:58
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:15
ilObjUser\_lookupId
static _lookupId($a_user_str)
Lookup id by login.
Definition: class.ilObjUser.php:787
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3721
ilSetting
ILIAS Setting Class.
Definition: class.ilSetting.php:33
ilUtil\isLogin
static isLogin($a_login)
Definition: class.ilUtil.php:1408
$server
$server
Definition: dummy_client.php:12
$GLOBALS
$GLOBALS['loaded']
Global hash that tracks already loaded includes.
Definition: generate-standalone.php:18
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:12
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:12
settings
settings()
Definition: settings.php:2
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54