ILIAS  release_5-2 Revision v5.2.25-18-g3f80b828510
class.ilAuthProviderLDAP.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 include_once './Services/Authentication/classes/Provider/class.ilAuthProvider.php';
6 include_once './Services/Authentication/interfaces/interface.ilAuthProviderInterface.php';
7 include_once './Services/Authentication/interfaces/interface.ilAuthProviderAccountMigrationInterface.php';
8 
15 class ilAuthProviderLDAP extends ilAuthProvider implements ilAuthProviderInterface, ilAuthProviderAccountMigrationInterface
16 {
17  private $server = null;
18  private $migration_account = '';
19  private $force_new_account = false;
20 
25  public function __construct(\ilAuthCredentials $credentials, $a_server_id = 0)
26  {
27  parent::__construct($credentials);
28  $this->initServer($a_server_id);
29  }
30 
35  public function getServer()
36  {
37  return $this->server;
38  }
39 
40 
45  public function doAuthentication(\ilAuthStatus $status)
46  {
47  try
48  {
49  // bind
50  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
51  $query = new ilLDAPQuery($this->getServer());
52  $query->bind(IL_LDAP_BIND_DEFAULT);
53  }
54  catch(ilLDAPQueryException $e)
55  {
56  $this->getLogger()->error('Cannot bind to LDAP server... '. $e->getMessage());
57  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
58  return false;
59  }
60  try
61  {
62  // Read user data, which does ensure a sucessful authentication.
63  $users = $query->fetchUser(
64  $this->getCredentials()->getUsername()
65  );
66 
67  if(!$users)
68  {
69  $this->handleAuthenticationFail($status, 'err_wrong_login');
70  return false;
71  }
72  if(!trim($this->getCredentials()->getPassword()))
73  {
74  $this->handleAuthenticationFail($status, 'err_wrong_login');
75  return false;
76  }
77  if(!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users))
78  {
79  $this->getLogger()->warning('Cannot find user: '. $this->changeKeyCase($this->getCredentials()->getUsername()));
80  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
81  return false;
82  }
83 
84  // check group membership
85  if(!$query->checkGroupMembership(
86  $this->getCredentials()->getUsername(),
87  $users[$this->changeKeyCase($this->getCredentials()->getUsername())]
88  ))
89  {
90  $this->handleAuthenticationFail($status, 'err_wrong_login');
91  return false;
92  }
93  }
94  catch (ilLDAPQueryException $e) {
95  $this->getLogger()->error('Cannot fetch LDAP user data... '. $e->getMessage());
96  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
97  return false;
98  }
99  try
100  {
101  // now bind with login credentials
102  $query->bind(IL_LDAP_BIND_AUTH, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]['dn'], $this->getCredentials()->getPassword());
103  }
104  catch (ilLDAPQueryException $e) {
105  $this->handleAuthenticationFail($status, 'err_wrong_login');
106  return false;
107  }
108 
109  // authentication success update profile
110  return $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
111  }
112 
118  protected function updateAccount(ilAuthStatus $status, array $user)
119  {
120  $user = array_change_key_case($user,CASE_LOWER);
121  $this->getLogger()->dump($user, ilLogLevel::DEBUG);
122 
123  include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
124  $sync = new ilLDAPUserSynchronisation('ldap_'.$this->getServer()->getServerId(), $this->getServer()->getServerId());
125  $sync->setExternalAccount($this->getCredentials()->getUsername());
126  $sync->setUserData($user);
127  $sync->forceCreation($this->force_new_account);
128 
129  try {
130  $internal_account = $sync->sync();
131  $this->getLogger()->debug('Internal account: ' . $internal_account);
132  }
133  catch(UnexpectedValueException $e) {
134  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
135  $this->handleAuthenticationFail($status, 'err_wrong_login');
136  return false;
137  }
138  catch(ilLDAPSynchronisationForbiddenException $e) {
139  // No syncronisation allowed => create Error
140  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
141  $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
142  return false;
143  }
144  catch(ilLDAPAccountMigrationRequiredException $e) {
145  // Account migration required
146  $this->setExternalAccountName($this->getCredentials()->getUsername());
147  $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
148  $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
149  return false;
150  }
151  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
152  $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
153  return true;
154 
155  }
156 
157 
158 
162  protected function initServer($a_server_id)
163  {
164  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
165  $this->server = new ilLDAPServer($a_server_id);
166  }
167 
168  // Account migration
169 
173  public function createNewAccount(ilAuthStatus $status)
174  {
175  $this->force_new_account = true;
176 
177  try
178  {
179  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
180  $query = new ilLDAPQuery($this->getServer());
181  $query->bind(IL_LDAP_BIND_DEFAULT);
182  }
183  catch(ilLDAPQueryException $e)
184  {
185  $this->getLogger()->error('Cannot bind to LDAP server... '. $e->getMessage());
186  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
187  return false;
188  }
189  try
190  {
191  // fetch user
192  $users = $query->fetchUser(
193  $this->getCredentials()->getUsername()
194  );
195  if(!$users)
196  {
197  $this->handleAuthenticationFail($status, 'err_wrong_login');
198  return false;
199  }
200  if(!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users))
201  {
202  $this->handleAuthenticationFail($status, 'err_wrong_login');
203  return false;
204  }
205  }
206  catch (ilLDAPQueryException $e) {
207  $this->getLogger()->error('Cannot fetch LDAP user data... '. $e->getMessage());
208  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
209  return false;
210  }
211 
212  // authentication success update profile
213  $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
214  }
215 
216 
217 
221  public function migrateAccount(ilAuthStatus $status)
222  {
223  $this->force_new_account = true;
224 
225  try
226  {
227  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
228  $query = new ilLDAPQuery($this->getServer());
229  $query->bind(IL_LDAP_BIND_DEFAULT);
230  }
231  catch(ilLDAPQueryException $e)
232  {
233  $this->getLogger()->error('Cannot bind to LDAP server... '. $e->getMessage());
234  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
235  return false;
236  }
237 
238  $users = $query->fetchUser($this->getCredentials()->getUsername());
239  $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
240  return true;
241  }
242 
246  public function getTriggerAuthMode()
247  {
248  return AUTH_LDAP.'_'.$this->getServer()->getServerId();
249  }
250 
254  public function getUserAuthModeName()
255  {
256  return 'ldap_'.$this->getServer()->getServerId();
257  }
258 
263  public function getExternalAccountName()
264  {
265  return $this->migration_account;
266  }
267 
272  public function setExternalAccountName($a_name)
273  {
274  $this->migration_account = $a_name;
275  }
276 
282  protected function changeKeyCase($a_string)
283  {
284  $as_array = array_change_key_case(array($a_string => $a_string));
285  foreach($as_array as $key => $string)
286  {
287  return $key;
288  }
289  }
290 
291 }
292 ?>
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:11
ilAuthProviderLDAP\updateAccount
updateAccount(ilAuthStatus $status, array $user)
Update Account.
Definition: class.ilAuthProviderLDAP.php:118
ilAuthProviderLDAP\getTriggerAuthMode
getTriggerAuthMode()
Get trigger auth mode.
Definition: class.ilAuthProviderLDAP.php:246
ilAuthProviderLDAP\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderLDAP.php:173
ilAuthProviderLDAP\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderLDAP.php:45
IL_LDAP_BIND_AUTH
const IL_LDAP_BIND_AUTH
Definition: class.ilLDAPQuery.php:27
IL_LDAP_BIND_DEFAULT
const IL_LDAP_BIND_DEFAULT
Definition: class.ilLDAPQuery.php:24
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:14
ilObjUser\_lookupId
static _lookupId($a_user_str)
Lookup id by login.
Definition: class.ilObjUser.php:787
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:12
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId($a_id)
Definition: class.ilAuthStatus.php:118
ilAuthProviderLDAP
Description of class class.
Definition: class.ilAuthProviderLDAP.php:15
ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:11
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:11
ilAuthProviderLDAP\__construct
__construct(\ilAuthCredentials $credentials, $a_server_id=0)
Constructor.
Definition: class.ilAuthProviderLDAP.php:25
ilAuthStatus\setStatus
setStatus($a_status)
Set auth status.
Definition: class.ilAuthStatus.php:64
ilAuthProviderLDAP\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name.
Definition: class.ilAuthProviderLDAP.php:254
ilAuthProviderLDAP\setExternalAccountName
setExternalAccountName($a_name)
Set external account name.
Definition: class.ilAuthProviderLDAP.php:272
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38
ilAuthProviderLDAP\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderLDAP.php:221
ilAuthProviderLDAP\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderLDAP.php:263
ilAuthProviderLDAP\initServer
initServer($a_server_id)
Init Server.
Definition: class.ilAuthProviderLDAP.php:162
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:55
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:11
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:20
ilAuthProviderLDAP\changeKeyCase
changeKeyCase($a_string)
Change case similar to array_change_key_case, to avoid further encoding problems. ...
Definition: class.ilAuthProviderLDAP.php:282