ILIAS  release_5-2 Revision v5.2.25-18-g3f80b828510
class.ilAuthUtils.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 
6 // define auth modes
7 define ("AUTH_LOCAL",1);
8 define ("AUTH_LDAP",2);
9 define ("AUTH_RADIUS",3);
10 define ("AUTH_SCRIPT",4);
11 define ("AUTH_SHIBBOLETH",5);
12 define ("AUTH_CAS",6);
13 define ("AUTH_SOAP",7);
14 // BEGIN WebDAV: Add support for HTTP authentication
15 define ("AUTH_HTTP",8);
16 // END WebDAV: Add support for HTTP authentication
17 define ("AUTH_ECS",9);
18 
19 define ("AUTH_APACHE",11);
20 
21 define ("AUTH_INACTIVE",18);
22 
23 define('AUTH_MULTIPLE',20);
24 
25 define ('AUTH_SESSION', 21);
26 
27 define('AUTH_SOAP_NO_ILIAS_USER', -100);
28 define('AUTH_LDAP_NO_ILIAS_USER',-200);
29 define('AUTH_RADIUS_NO_ILIAS_USER',-300);
30 
31 // apache auhtentication failed...
32 // maybe no (valid) certificate or
33 // username could not be extracted
34 define('AUTH_APACHE_FAILED', -500);
35 
36 
37 define('AUTH_MODE_INACTIVE',-1000);
38 
39 // an external user cannot be found in ilias, but his email address
40 // matches one or more ILIAS users
41 define('AUTH_SOAP_NO_ILIAS_USER_BUT_EMAIL', -101);
42 define('AUTH_CAS_NO_ILIAS_USER', -90);
43 
44 // ilUser validation (no login)
45 define('AUTH_USER_WRONG_IP', -600);
46 define('AUTH_USER_INACTIVE', -601);
47 define('AUTH_USER_TIME_LIMIT_EXCEEDED', -602);
48 define('AUTH_USER_SIMULTANEOUS_LOGIN', -603);
49 define('AUTH_CAPTCHA_INVALID', -604);
50 
51 
52 include_once './Services/Authentication/classes/class.ilAuthFactory.php';
53 require_once('Services/Authentication/classes/class.ilSessionControl.php');
54 
55 
63 class ilAuthUtils
64 {
65  const LOCAL_PWV_FULL = 1;
66  const LOCAL_PWV_NO = 2;
67  const LOCAL_PWV_USER = 3;
68 
69 
73  public static function initSession()
74  {
75 
76  }
77 
78  public static function handleForcedAuthentication()
79  {
80  if(isset($_GET['ecs_hash']) or isset($_GET['ecs_hash_url']))
81  {
82  include_once './Services/Authentication/classes/Frontend/class.ilAuthFrontendCredentials.php';
83  $credentials = new ilAuthFrontendCredentials();
84  $credentials->setUsername($_GET['ecs_login']);
85  $credentials->setAuthMode(AUTH_ECS);
86 
87  include_once './Services/Authentication/classes/Provider/class.ilAuthProviderFactory.php';
88  $provider_factory = new ilAuthProviderFactory();
89  $providers = $provider_factory->getProviders($credentials);
90 
91  include_once './Services/Authentication/classes/class.ilAuthStatus.php';
92  $status = ilAuthStatus::getInstance();
93 
94  include_once './Services/Authentication/classes/Frontend/class.ilAuthFrontendFactory.php';
95  $frontend_factory = new ilAuthFrontendFactory();
96  $frontend_factory->setContext(ilAuthFrontendFactory::CONTEXT_STANDARD_FORM);
97  $frontend = $frontend_factory->getFrontend(
98  $GLOBALS['DIC']['ilAuthSession'],
99  $status,
100  $credentials,
101  $providers
102  );
103 
104  $frontend->authenticate();
105 
106  switch($status->getStatus())
107  {
108  case ilAuthStatus::STATUS_AUTHENTICATED:
109  return;
110 
111  case ilAuthStatus::STATUS_AUTHENTICATION_FAILED:
112  ilInitialisation::goToPublicSection();
113  return;
114  }
115  }
116  }
117 
118 
122  public static function _initAuth()
123  {
124  global $ilAuth, $ilSetting, $ilDB, $ilClientIniFile,$ilBench;
125 
126  $user_auth_mode = false;
127  $ilBench->start('Auth','initAuth');
128 
129 
130  // get default auth mode
131  //$default_auth_mode = $this->getSetting("auth_mode");
132  define ("AUTH_DEFAULT", $ilSetting->get("auth_mode") ? $ilSetting->get("auth_mode") : AUTH_LOCAL);
133 
134  // determine authentication method if no session is found and username & password is posted
135  // does this if statement make any sense? we enter this block nearly everytime.
136 
137  if(
138  empty($_SESSION) ||
139  (!isset($_SESSION['_authsession']['registered']) ||
140  $_SESSION['_authsession']['registered'] !== true))
141  {
142  ilLoggerFactory::getLogger('auth')->debug('User is not remembered');
143 
144  // no sesssion found
145  if (isset($_POST['username']) and $_POST['username'] != '' and $_POST['password'] != '' or isset($_GET['ecs_hash']) or isset($_GET['ecs_hash_url']) or isset($_POST['oid_username']) or isset($_GET['oid_check_status']))
146  {
147  $user_auth_mode = ilAuthUtils::_getAuthModeOfUser($_POST['username'], $_POST['password'], $ilDB);
148  ilLoggerFactory::getLogger('auth')->debug('Authmode is '. $user_auth_mode);
149 
150  if ($user_auth_mode == AUTH_CAS && $ilSetting->get("cas_allow_local"))
151  {
152  $user_auth_mode = AUTH_LOCAL;
153  }
154  if ($user_auth_mode == AUTH_SOAP && $ilSetting->get("soap_auth_allow_local"))
155  {
156  $user_auth_mode = AUTH_LOCAL;
157  }
158  if ($user_auth_mode == AUTH_SHIBBOLETH && $ilSetting->get("shib_auth_allow_local"))
159  {
160  $user_auth_mode = AUTH_LOCAL;
161  }
162  }
163  else if ($_POST['auth_mode'] == AUTH_APACHE)
164  {
165  $user_auth_mode = AUTH_APACHE;
166  }
167  }
168 
169  // to do: other solution?
170  if (!$ilSetting->get("soap_auth_active") && $user_auth_mode == AUTH_SOAP)
171  {
172  $user_auth_mode = AUTH_LOCAL;
173  }
174 
175  if($ilSetting->get("cas_active") && $_GET['forceCASLogin'])
176  {
177  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_CAS);
178  $user_auth_mode = AUTH_CAS;
179  }
180 
181  if($ilSetting->get("apache_active") && $user_auth_mode == AUTH_APACHE)
182  {
183  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
184  $user_auth_mode = AUTH_APACHE;
185  }
186 
187  // begin-patch auth
188  $user_auth_mode = AUTH_SESSION;
189 
190 
191  // BEGIN WebDAV: Share session between browser and WebDAV client.
192  // The realm is needed to support a common session between Auth_HTTP and Auth.
193  // It also helps us to distinguish between parallel sessions run on different clients.
194  // Common session only works if we use a common session name starting with "_authhttp".
195  // We must use the "_authttp" prefix, because it is hardcoded in the session name of
196  // class Auth_HTTP.
197  // Whenever we use Auth_HTTP, we need to explicitly switch off "sessionSharing", because
198  // it interfers with the session mechanism of the other Auth modules. If we would
199  // keep this switched on, then users could steal each others session, which would cause
200  // a major security breach.
201  // Note: The realm and sessionName used here, must be the same as in
202  // class ilBaseAuthentication. Otherwise, Soap clients won't be able to log
203  // in to ILIAS.
204  $realm = CLIENT_ID;
205  //$this->writelog('ilias.php realm='.$realm);
206  // END WebDAV: Share session between browser and WebDAV client.
207 
208 //var_dump($_SESSION);
209 //echo "1-".$ilSetting->get("soap_auth_active")."-";
210  // if soap authentication activated and soap credentials given
211  if (($ilSetting->get("soap_auth_active") && !empty($_GET["ext_uid"])
212  && !empty($_GET["soap_pw"])) || $user_auth_mode == AUTH_SOAP)
213  {
214 
215  define('AUTH_CURRENT',AUTH_SOAP);
216  }
217  // if Shibboleth is active and the user is authenticated
218  // we set auth_mode to Shibboleth
219  else if ( $ilSetting->get("shib_active")
220  && $_SERVER[$ilSetting->get("shib_login")])
221  {
222  define ("AUTH_CURRENT", AUTH_SHIBBOLETH);
223  }
224  else
225  {
226  define ("AUTH_CURRENT", $user_auth_mode);
227  }
228 //var_dump($_SESSION);
229 
230  // Determine the authentication method to use
231  if (defined("WebDAV_Authentication") && WebDAV_Authentication == 'HTTP') {
232  // Since WebDAV clients create the login form by
233  // themselves, we can not provide buttons on the form for
234  // choosing an authentication method.
235  // If the user is already logged in, we continue using
236  // the current authentication method. If the user is
237  // not logged in yet, we use the "multiple authentication"
238  // method using a predefined sequence of authentication methods.
239  $authmode = AUTH_CURRENT ? AUTH_CURRENT : AUTH_MULTIPLE;
240  }
241  else
242  {
243  $authmode = AUTH_CURRENT;
244  }
245 //var_dump($authmode);
246  // if no auth mode selected AND default mode is AUTH_APACHE then use it...
247  if ($authmode == null && AUTH_DEFAULT == AUTH_APACHE)
248  $authmode = AUTH_APACHE;
249 
250  // begin-patch ldap_multiple
251  // we cast to int => AUTH_LDAP_1 matches AUTH_LDAP
252  switch ((int) $authmode)
253  {
254  case AUTH_LDAP:
255 
256  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
257  $sid = ilLDAPServer::getServerIdByAuthMode($authmode);
258  include_once './Services/LDAP/classes/class.ilAuthContainerLDAP.php';
259  $ilAuth = ilAuthFactory::factory(new ilAuthContainerLDAP($sid));
260  break;
261 
262  case AUTH_RADIUS:
263 
264  include_once './Services/Radius/classes/class.ilAuthContainerRadius.php';
265  $ilAuth = ilAuthFactory::factory(new ilAuthContainerRadius());
266  break;
267 
268  case AUTH_SHIBBOLETH:
269  include_once './Services/AuthShibboleth/classes/class.ilShibboleth.php';
270  $ilAuth = new ShibAuth(array(),true);
271  break;
272 
273  case AUTH_CAS:
274 
275  include_once './Services/CAS/classes/class.ilAuthContainerCAS.php';
276  $ilAuth = ilAuthFactory::factory(new ilAuthContainerCAS());
277  break;
278 
279  case AUTH_SOAP:
280 
281  include_once './Services/SOAPAuth/classes/class.ilAuthContainerSOAP.php';
282  $ilAuth = ilAuthFactory::factory(new ilAuthContainerSOAP());
283  break;
284 
285  case AUTH_MULTIPLE:
286 
287  include_once './Services/Authentication/classes/class.ilAuthContainerMultiple.php';
288  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMultiple());
289  break;
290 
291  case AUTH_ECS:
292  include_once './Services/WebServices/ECS/classes/class.ilAuthContainerECS.php';
293  $ilAuth = ilAuthFactory::factory(new ilAuthContainerECS());
294  break;
295 
296 
297  case AUTH_INACTIVE:
298  require_once('./Services/Authentication/classes/class.ilAuthInactive.php');
299  $ilAuth = new ilAuthInactive(AUTH_MODE_INACTIVE);
300  break;
301 
302  case AUTH_APACHE:
303  include_once './Services/AuthApache/classes/class.ilAuthContainerApache.php';
304  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_APACHE);
305  $ilAuth = ilAuthFactory::factory(new ilAuthContainerApache());
306  break;
307 
308  // begin-patch auth_plugin
309  case AUTH_LOCAL:
310  global $ilDB;
311  if($ilDB instanceof ilDBPdo) {
312  require_once 'Services/Authentication/classes/PDO/class.ilPDOAuthentication.php';
313  $ilAuth = new ilPDOAuthentication(ilAuthFactory::getContextOptions(ilAuthFactory::getContext()));
314  } else {
315  include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
316  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMDB2());
317  }
318  break;
319 
320  case AUTH_SESSION:
321 
322 
323  default:
324  // check for plugin
325  if($authmode)
326  {
327  foreach(self::getAuthPlugins() as $pl)
328  {
329  $container = $pl->getContainer($authmode);
330  if($container instanceof Auth_Container)
331  {
332  ilLoggerFactory::getLogger('auth')->info('Using plugin authentication with auth mode ' . $authmode);
333  $ilAuth = ilAuthFactory::factory($container);
334  break 2;
335  }
336  }
337  }
338  #$GLOBALS['ilLog']->write(__METHOD__.' Using default authentication');
339  // default for logged in users
340  if($ilDB instanceof ilDBPdo) {
341  require_once 'Services/Authentication/classes/PDO/class.ilPDOAuthentication.php';
342  $ilAuth = new ilPDOAuthentication();
343  } else {
344  include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
345  $ilAuth = ilAuthFactory::factory(new ilAuthContainerMDB2());
346  }
347  break;
348  // end-patch auth_plugin
349  }
350 
351  // Due to a bug in Pear Auth_HTTP, we can't use idle time
352  // with WebDAV clients. If we used it, users could never log
353  // back into ILIAS once their session idled out. :(
354  if (!defined("WebDAV_Authentication") || WebDAV_Authentication != 'HTTP')
355  {
356  $ilAuth->setIdle(ilSession::getIdleValue(), false);
357  }
358  $ilAuth->setExpire(0);
359 
360  ini_set("session.cookie_lifetime", "0");
361 //echo "-".get_class($ilAuth)."-";
362 
363  ilSessionControl::checkExpiredSession();
364 
365  $ilBench->stop('Auth','initAuth');
366  ilLoggerFactory::getLogger('auth')->debug('Using auth implementation: ' . get_class($ilAuth));
367  }
368 
369  static function _getAuthModeOfUser($a_username,$a_password,$a_db_handler = '')
370  {
371  global $ilDB;
372 
373  if(isset($_GET['ecs_hash']) or isset($_GET['ecs_hash_url']))
374  {
375  ilAuthFactory::setContext(ilAuthFactory::CONTEXT_ECS);
376  return AUTH_ECS;
377  }
378  if(isset($_POST['auth_mode']))
379  {
380  // begin-patch ldap_multiple
381  return $_POST['auth_mode'];
382  // end-patch ldap_multiple
383  }
384 
385  include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
386  $det = ilAuthModeDetermination::_getInstance();
387 
388  if(!$det->isManualSelection() and $det->getCountActiveAuthModes() > 1)
389  {
390  ilLoggerFactory::getLogger('auth')->debug('Using AUTH_MULTIPLE');
391  return AUTH_MULTIPLE;
392  }
393 
394 
395  $db =& $ilDB;
396 
397  if ($a_db_handler != '')
398  {
399  $db =& $a_db_handler;
400  }
401 
402  // Is it really necessary to check the auth mode with password ?
403  // Changed: smeyer
404  $q = "SELECT auth_mode FROM usr_data WHERE ".
405  "login = ".$ilDB->quote($a_username);
406  //"passwd = ".$ilDB->quote(md5($a_password))."";
407 
408 
409  $r = $db->query($q);
410  $row = $r->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
411 //echo "+".$row->auth_mode."+";
412 
413 
414  $auth_mode = self::_getAuthMode($row->auth_mode,$db);
415 
416  return in_array($auth_mode,self::_getActiveAuthModes()) ? $auth_mode : AUTH_INACTIVE;
417  }
418 
419  static function _getAuthMode($a_auth_mode,$a_db_handler = '')
420  {
421  global $ilDB, $ilSetting;
422 
423  $db =& $ilDB;
424 
425  if ($a_db_handler != '')
426  {
427  $db =& $a_db_handler;
428  }
429 
430  // begin-patch ldap_multiple
431  if(strpos($a_auth_mode, '_') !== FALSE)
432  {
433  $auth_arr = explode('_',$a_auth_mode);
434  $auth_switch = $auth_arr[0];
435  }
436  else
437  {
438  $auth_switch = $a_auth_mode;
439  }
440  switch ($auth_switch)
441  {
442  case "local":
443  return AUTH_LOCAL;
444  break;
445 
446  case "ldap":
447  // begin-patch ldap_multiple
448  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
449  return ilLDAPServer::getKeyByAuthMode($a_auth_mode);
450  // end-patch ldap_multiple
451 
452  case "radius":
453  return AUTH_RADIUS;
454  break;
455 
456  case "script":
457  return AUTH_SCRIPT;
458  break;
459 
460  case "shibboleth":
461  return AUTH_SHIBBOLETH;
462  break;
463 
464  case "cas":
465  return AUTH_CAS;
466  break;
467 
468  case "soap":
469  return AUTH_SOAP;
470  break;
471 
472  case 'ecs':
473  return AUTH_ECS;
474 
475  case 'apache':
476  return AUTH_APACHE;
477 
478  default:
479  return $ilSetting->get("auth_mode");
480  break;
481  }
482  }
483 
484  public static function _getAuthModeName($a_auth_key)
485  {
486  global $ilias;
487 
488  // begin-patch ldap_multiple
489  switch ((int) $a_auth_key)
490  {
491  case AUTH_LOCAL:
492  return "local";
493  break;
494 
495  case AUTH_LDAP:
496  // begin-patch ldap_multiple
497  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
498  return ilLDAPServer::getAuthModeByKey($a_auth_key);
499  // end-patch ldap_multiple
500 
501  case AUTH_RADIUS:
502  return "radius";
503  break;
504 
505  case AUTH_CAS:
506  return "cas";
507  break;
508 
509  case AUTH_SCRIPT:
510  return "script";
511  break;
512 
513  case AUTH_SHIBBOLETH:
514  return "shibboleth";
515  break;
516 
517  case AUTH_SOAP:
518  return "soap";
519  break;
520 
521  case AUTH_ECS:
522  return 'ecs';
523 
524  case AUTH_APACHE:
525  return 'apache';
526 
527  default:
528  return "default";
529  break;
530  }
531  }
532 
533  static function _getActiveAuthModes()
534  {
535  global $ilias,$ilSetting;
536 
537  $modes = array(
538  'default' => $ilSetting->get("auth_mode"),
539  'local' => AUTH_LOCAL
540  );
541  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
542  // begin-patch ldap_multiple
543  foreach(ilLDAPServer::_getActiveServerList() as $sid)
544  {
545  $modes['ldap_'.$sid] = (AUTH_LDAP.'_'.$sid);
546  }
547  // end-patch ldap_multiple
548  if ($ilSetting->get("radius_active")) $modes['radius'] = AUTH_RADIUS;
549  if ($ilSetting->get("shib_active")) $modes['shibboleth'] = AUTH_SHIBBOLETH;
550  if ($ilSetting->get("script_active")) $modes['script'] = AUTH_SCRIPT;
551  if ($ilSetting->get("cas_active")) $modes['cas'] = AUTH_CAS;
552  if ($ilSetting->get("soap_auth_active")) $modes['soap'] = AUTH_SOAP;
553  if ($ilSetting->get("apache_active")) $modes['apache'] = AUTH_APACHE;
554 
555  include_once './Services/WebServices/ECS/classes/class.ilECSServerSettings.php';
556  if(ilECSServerSettings::getInstance()->activeServerExists())
557  {
558  $modes['ecs'] = AUTH_ECS;
559  }
560 
561  // begin-path auth_plugin
562  foreach(self::getAuthPlugins() as $pl)
563  {
564  foreach($pl->getAuthIds() as $auth_id)
565  {
566  if($pl->isAuthActive($auth_id))
567  {
568  $modes[$pl->getAuthName($auth_id)] = $auth_id;
569  }
570  }
571  }
572  // end-path auth_plugin
573  return $modes;
574  }
575 
576  static function _getAllAuthModes()
577  {
578  $modes = array(
579  AUTH_LOCAL,
580  AUTH_LDAP,
581  AUTH_SHIBBOLETH,
582  AUTH_CAS,
583  AUTH_SOAP,
584  AUTH_RADIUS,
585  AUTH_ECS,
586  AUTH_OPENID,
587  AUTH_APACHE
588  );
589  $ret = array();
590  foreach($modes as $mode)
591  {
592  // multi ldap implementation
593  if($mode == AUTH_LDAP)
594  {
595  foreach(ilLDAPServer::_getServerList() as $ldap_id)
596  {
597  $id = AUTH_LDAP . '_' . $ldap_id;
598  $ret[$id] = ilAuthUtils::_getAuthModeName($id);
599  }
600  continue;
601  }
602  $ret[$mode] = ilAuthUtils::_getAuthModeName($mode);
603  }
604  return $ret;
605  }
606 
611  public static function _generateLogin($a_login)
612  {
613  global $ilDB;
614 
615  // Check if username already exists
616  $found = false;
617  $postfix = 0;
618  $c_login = $a_login;
619  while(!$found)
620  {
621  $r = $ilDB->query("SELECT login FROM usr_data WHERE login = ".
622  $ilDB->quote($c_login));
623  if ($r->numRows() > 0)
624  {
625  $postfix++;
626  $c_login = $a_login.$postfix;
627  }
628  else
629  {
630  $found = true;
631  }
632  }
633 
634  return $c_login;
635  }
636 
637  public static function _hasMultipleAuthenticationMethods()
638  {
639  include_once('Services/Radius/classes/class.ilRadiusSettings.php');
640 
641  $rad_settings = ilRadiusSettings::_getInstance();
642  if($rad_settings->isActive())
643  {
644  return true;
645  }
646  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
647 
648  if (count(ilLDAPServer::_getActiveServerList()))
649  return true;
650 
651  global $ilSetting;
652 
653  if ($ilSetting->get('apache_active')) {
654  return true;
655  }
656 
657  // begin-patch auth_plugin
658  foreach(ilAuthUtils::getAuthPlugins() as $pl)
659  {
660  foreach($pl->getAuthIds() as $auth_id)
661  {
662  if($pl->getMultipleAuthModeOptions($auth_id))
663  {
664  return true;
665  }
666  }
667  }
668  // end-patch auth_plugin
669 
670 
671  return false;
672  }
673 
674  public static function _getMultipleAuthModeOptions($lng)
675  {
676  global $ilSetting;
677 
678  // in the moment only ldap is activated as additional authentication method
679  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
680 
681  $options[AUTH_LOCAL]['txt'] = $lng->txt('authenticate_ilias');
682 
683 
684  // begin-patch ldap_multiple
685  foreach(ilLDAPServer::_getActiveServerList() as $sid)
686  {
687  $server = ilLDAPServer::getInstanceByServerId($sid);
688  $options[AUTH_LDAP.'_'.$sid]['txt'] = $server->getName();
689  }
690  // end-patch ldap_multiple
691 
692  include_once('Services/Radius/classes/class.ilRadiusSettings.php');
693  $rad_settings = ilRadiusSettings::_getInstance();
694  if($rad_settings->isActive())
695  {
696  $options[AUTH_RADIUS]['txt'] = $rad_settings->getName();
697  }
698 
699  if ($ilSetting->get('apache_active'))
700  {
701  global $lng;
702  $apache_settings = new ilSetting('apache_auth');
703  $options[AUTH_APACHE]['txt'] = $apache_settings->get('name', $lng->txt('apache_auth'));
704  $options[AUTH_APACHE]['hide_in_ui'] = true;
705  }
706 
707  if($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_LDAP)
708  {
709  $default = AUTH_LDAP;
710  }
711  elseif($ilSetting->get('auth_mode',AUTH_LOCAL) == AUTH_RADIUS)
712  {
713  $default = AUTH_RADIUS;
714  }
715  else
716  {
717  $default = AUTH_LOCAL;
718  }
719 
720  $default = $ilSetting->get('default_auth_mode',$default);
721  $default = (int) $_REQUEST['auth_mode'] ? (int) $_REQUEST['auth_mode'] : $default;
722 
723 
724  // begin-patch auth_plugin
725  $pls = ilAuthUtils::getAuthPlugins();
726  foreach($pls as $pl)
727  {
728  $auths = $pl->getAuthIds();
729  foreach($auths as $auth_id)
730  {
731  $pl_auth_option = $pl->getMultipleAuthModeOptions($auth_id);
732  if($pl_auth_option)
733  {
734  $options = $options + $pl_auth_option;
735  }
736  }
737  }
738  // end-patch auth_plugins
739 
740  if(array_key_exists($default, $options))
741  {
742  $options[$default]['checked'] = true;
743  }
744 
745  return $options ? $options : array();
746  }
747 
757  public static function _isExternalAccountEnabled()
758  {
759  global $ilSetting;
760 
761  if($ilSetting->get("cas_active"))
762  {
763  return true;
764  }
765  if($ilSetting->get("soap_auth_active"))
766  {
767  return true;
768  }
769  if($ilSetting->get("shib_active"))
770  {
771  return true;
772  }
773  if($ilSetting->get('radius_active'))
774  {
775  return true;
776  }
777  include_once('Services/LDAP/classes/class.ilLDAPServer.php');
778  if(count(ilLDAPServer::_getActiveServerList()))
779  {
780  return true;
781  }
782 
783  // begin-path auth_plugin
784  foreach(self::getAuthPlugins() as $pl)
785  {
786  foreach($pl->getAuthIds() as $auth_id)
787  {
788  if($pl->isAuthActive($auth_id) and $pl->isExternalAccountNameRequired($auth_id))
789  {
790  return true;
791  }
792  }
793  }
794  // end-path auth_plugin
795 
796  return false;
797  }
798 
807  public static function _allowPasswordModificationByAuthMode($a_auth_mode)
808  {
809  // begin-patch ldap_multiple
810  // cast to int
811  switch((int) $a_auth_mode)
812  {
813  case AUTH_LDAP:
814  case AUTH_RADIUS:
815  case AUTH_ECS:
816  return false;
817  default:
818  return true;
819  }
820  }
821 
830  public static function _needsExternalAccountByAuthMode($a_auth_mode)
831  {
832  switch($a_auth_mode)
833  {
834  case AUTH_LOCAL:
835  case AUTH_APACHE:
836  return false;
837  default:
838  return true;
839  }
840  }
841 
845  public static function isPasswordModificationHidden()
846  {
848  global $ilSetting;
849 
850  if ($ilSetting->get('usr_settings_hide_password') || $ilSetting->get('usr_settings_disable_password')) {
851  return true;
852  }
853 
854  return false;
855  }
856 
862  public static function isLocalPasswordEnabledForAuthMode($a_authmode)
863  {
864  global $ilSetting;
865 
866  switch((int) $a_authmode)
867  {
868  // always enabled
869  case AUTH_LOCAL:
870  case AUTH_APACHE:
871  return true;
872 
873  // No local passwords for these auth modes
874  case AUTH_LDAP:
875  case AUTH_RADIUS:
876  case AUTH_ECS:
877  case AUTH_SCRIPT:
878  return false;
879 
880  case AUTH_SHIBBOLETH:
881  return $ilSetting->get("shib_auth_allow_local");
882  case AUTH_SOAP:
883  return $ilSetting->get("soap_auth_allow_local");
884  case AUTH_CAS:
885  return $ilSetting->get("cas_allow_local");
886 
887  }
888  return false;
889  }
890 
891 
892 
898  public static function isPasswordModificationEnabled($a_authmode)
899  {
900  global $ilSetting;
901 
902  if (self::isPasswordModificationHidden()) {
903  return false;
904  }
905 
906  // begin-patch ldap_multiple
907  // cast to int
908  switch((int) $a_authmode)
909  {
910  // No local passwords for these auth modes
911  case AUTH_LDAP:
912  case AUTH_RADIUS:
913  case AUTH_ECS:
914  case AUTH_SCRIPT:
915  return false;
916 
917  // Always for and local
918  case AUTH_LOCAL:
919  case AUTH_APACHE:
920  return true;
921 
922  // Read setting:
923  case AUTH_SHIBBOLETH:
924  return $ilSetting->get("shib_auth_allow_local");
925  case AUTH_SOAP:
926  return $ilSetting->get("soap_auth_allow_local");
927  case AUTH_CAS:
928  return $ilSetting->get("cas_allow_local");
929  }
930  }
931 
937  public static function supportsLocalPasswordValidation($a_authmode)
938  {
939  // begin-patch ldap_multiple
940  // cast to int
941  switch((int) $a_authmode)
942  {
943  case AUTH_LDAP:
944  case AUTH_LOCAL:
945  case AUTH_RADIUS:
946  return ilAuthUtils::LOCAL_PWV_FULL;
947 
948  case AUTH_SHIBBOLETH:
949  case AUTH_SOAP:
950  case AUTH_CAS:
951  if(!ilAuthUtils::isPasswordModificationEnabled($a_authmode))
952  {
953  return ilAuthUtils::LOCAL_PWV_NO;
954  }
955  return ilAuthUtils::LOCAL_PWV_USER;
956 
957  case AUTH_ECS:
958  case AUTH_SCRIPT:
959  case AUTH_APACHE:
960  default:
961  return ilAuthUtils::LOCAL_PWV_USER;
962  }
963  }
964 
965  // begin-patch auth_plugin
970  public static function getAuthPlugins()
971  {
972  $pls = $GLOBALS['ilPluginAdmin']->getActivePluginsForSlot(
973  IL_COMP_SERVICE,
974  'Authentication',
975  'authhk'
976  );
977  $pl_objs = array();
978  foreach($pls as $pl)
979  {
980  $pl_objs[] = $GLOBALS['ilPluginAdmin']->getPluginObject(
981  IL_COMP_SERVICE,
982  'Authentication',
983  'authhk',
984  $pl
985  );
986  }
987  return $pl_objs;
988  }
989  // end-patch auth_plugins
990 
995  public static function getAuthModeTranslation($a_auth_key)
996  {
997  global $lng;
998 
999  switch((int) $a_auth_key)
1000  {
1001  case AUTH_LDAP:
1002  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
1003  $sid = ilLDAPServer::getServerIdByAuthMode($a_auth_key);
1004  $server = ilLDAPServer::getInstanceByServerId($sid);
1005  return $server->getName();
1006 
1007  default:
1008  return $lng->txt('auth_'.self::_getAuthModeName($a_auth_key));
1009  }
1010  }
1011 }
1012 ?>
AUTH_INACTIVE
const AUTH_INACTIVE
Definition: class.ilAuthUtils.php:21
Auth_Container
ilAuthFactory\getContextOptions
static getContextOptions()
Get options for a specific context.
Definition: class.ilAuthFactory.php:116
ilSetting
ILIAS Setting Class.
Definition: class.ilSetting.php:32
AUTH_MODE_INACTIVE
const AUTH_MODE_INACTIVE
Definition: class.ilAuthUtils.php:37
AUTH_MULTIPLE
const AUTH_MULTIPLE
Definition: class.ilAuthUtils.php:23
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
ilAuthUtils\_hasMultipleAuthenticationMethods
static _hasMultipleAuthenticationMethods()
Definition: class.ilAuthUtils.php:637
ilLDAPServer\_getServerList
static _getServerList()
Get list of all configured servers.
Definition: class.ilLDAPServer.php:200
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
ilAuthContainerLDAP
Overwritten Pear class AuthContainerLDAP This class is overwritten to support nested groups...
Definition: class.ilAuthContainerLDAP.php:36
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:19
ilECSServerSettings\getInstance
static getInstance()
Get singleton instance.
Definition: class.ilECSServerSettings.php:54
ilLDAPServer\getAuthModeByKey
static getAuthModeByKey($a_auth_key)
get auth mode by key
Definition: class.ilLDAPServer.php:401
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
ilAuthUtils\initSession
static initSession()
Initialize session.
Definition: class.ilAuthUtils.php:73
ilAuthFrontendFactory
Factory for auth frontend classes.
Definition: class.ilAuthFrontendFactory.php:11
ilAuthUtils\_generateLogin
static _generateLogin($a_login)
generate free login by starting with a default string and adding postfix numbers
Definition: class.ilAuthUtils.php:611
AUTH_CAS
const AUTH_CAS
Definition: class.ilAuthUtils.php:12
$GLOBALS
$GLOBALS['loaded']
Global hash that tracks already loaded includes.
Definition: generate-standalone.php:18
AUTH_SHIBBOLETH
const AUTH_SHIBBOLETH
Definition: class.ilAuthUtils.php:11
ilInitialisation\goToPublicSection
static goToPublicSection()
go to public section
Definition: class.ilInitialisation.php:631
ilAuthUtils\supportsLocalPasswordValidation
static supportsLocalPasswordValidation($a_authmode)
Check if local password validation is supported.
Definition: class.ilAuthUtils.php:937
ilAuthUtils\_getActiveAuthModes
static _getActiveAuthModes()
Definition: class.ilAuthUtils.php:533
ilLDAPServer\_getActiveServerList
static _getActiveServerList()
Get active server list.
Definition: class.ilLDAPServer.php:105
AUTH_APACHE
const AUTH_APACHE
Definition: class.ilAuthUtils.php:19
ilAuthContainerMDB2
Authentication against ILIAS database.
Definition: class.ilAuthContainerMDB2.php:35
ilAuthUtils\_needsExternalAccountByAuthMode
static _needsExternalAccountByAuthMode($a_auth_mode)
Check if chosen auth mode needs an external account entry.
Definition: class.ilAuthUtils.php:830
ilAuthUtils\_getAuthMode
static _getAuthMode($a_auth_mode, $a_db_handler='')
Definition: class.ilAuthUtils.php:419
ilAuthUtils\_getAuthModeName
static _getAuthModeName($a_auth_key)
Definition: class.ilAuthUtils.php:484
ilAuthUtils\_initAuth
static _initAuth()
initialises $ilAuth
Definition: class.ilAuthUtils.php:122
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId($a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:58
ilAuthUtils\_allowPasswordModificationByAuthMode
static _allowPasswordModificationByAuthMode($a_auth_mode)
Allow password modification.
Definition: class.ilAuthUtils.php:807
ilDBPdo
Class pdoDB.
Definition: class.ilDBPdo.php:18
ilAuthUtils
static utility functions used to manage authentication modes
Definition: class.ilAuthUtils.php:63
AUTH_SESSION
const AUTH_SESSION
Definition: class.ilAuthUtils.php:25
ilAuthUtils\getAuthPlugins
static getAuthPlugins()
Get active enabled auth plugins.
Definition: class.ilAuthUtils.php:970
ilAuthUtils\handleForcedAuthentication
static handleForcedAuthentication()
Definition: class.ilAuthUtils.php:78
$r
$r
Definition: example_031.php:79
$options
if(!is_array($argv)) $options
Definition: tcpdf_addfont.php:137
AUTH_SCRIPT
const AUTH_SCRIPT
Definition: class.ilAuthUtils.php:10
ilAuthUtils\_getMultipleAuthModeOptions
static _getMultipleAuthModeOptions($lng)
Definition: class.ilAuthUtils.php:674
AUTH_ECS
const AUTH_ECS
Definition: class.ilAuthUtils.php:17
ilRadiusSettings\_getInstance
static _getInstance()
singleton get instance
Definition: class.ilRadiusSettings.php:74
ilAuthFactory\setContext
static setContext($a_context)
set context
Definition: class.ilAuthFactory.php:95
ilSessionControl\checkExpiredSession
static checkExpiredSession()
checks for possibly expired session should be called from ilAuthUtils::__initAuth() so it&#39;s called be...
Definition: class.ilSessionControl.php:85
AUTH_LOCAL
const AUTH_LOCAL
Definition: class.ilAuthUtils.php:7
ilAuthUtils\_isExternalAccountEnabled
static _isExternalAccountEnabled()
Check if an external account name is required.
Definition: class.ilAuthUtils.php:757
ilLDAPServer\getServerIdByAuthMode
static getServerIdByAuthMode($a_auth_mode)
Get auth id by auth mode.
Definition: class.ilLDAPServer.php:387
ilSession\getIdleValue
static getIdleValue($fixedMode=false)
Returns the idle time in seconds.
Definition: class.ilSession.php:342
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
AUTH_SOAP
const AUTH_SOAP
Definition: class.ilAuthUtils.php:13
$server
$server
Definition: dummy_client.php:12
ilLDAPServer\getKeyByAuthMode
static getKeyByAuthMode($a_auth_mode)
Get auth id by auth mode.
Definition: class.ilLDAPServer.php:416
ilAuthUtils\isLocalPasswordEnabledForAuthMode
static isLocalPasswordEnabledForAuthMode($a_authmode)
Check if local password validation is enabled for a specific auth_mode.
Definition: class.ilAuthUtils.php:862
ilAuthUtils\_getAllAuthModes
static _getAllAuthModes()
Definition: class.ilAuthUtils.php:576
ilAuthUtils\_getAuthModeOfUser
static _getAuthModeOfUser($a_username, $a_password, $a_db_handler='')
Definition: class.ilAuthUtils.php:369
WebDAV_Authentication
const WebDAV_Authentication
Definition: webdav.php:30
ilAuthUtils\getAuthModeTranslation
static getAuthModeTranslation($a_auth_key)
Definition: class.ilAuthUtils.php:995
ilAuthStatus\getInstance
static getInstance()
Get status instance.
Definition: class.ilAuthStatus.php:42
$ilSetting
global $ilSetting
Definition: privfeed.php:17
$lng
global $lng
Definition: privfeed.php:17
ilAuthContainerRadius
Overwritten Pear class AuthContainerRadius This class is overwritten to support to perform Radius aut...
Definition: class.ilAuthContainerRadius.php:37
$ilBench
global $ilBench
Definition: ilias.php:18
$ilDB
global $ilDB
Definition: storeScorm2004.php:16
ilAuthContainerApache
Authentication against ILIAS database.
Definition: class.ilAuthContainerApache.php:12
$ret
$ret
Definition: parser.php:6
ilAuthFactory\factory
static factory(ilAuthContainerBase $deco)
The factory.
Definition: class.ilAuthFactory.php:130
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:82
defined
defined( 'APPLICATION_ENV')||define( 'APPLICATION_ENV'
Definition: bootstrap.php:27
ilAuthContainerSOAP
Authentication against external SOAP server
Definition: class.ilAuthContainerSOAP.php:35
ilAuthContainerECS
Custom PEAR Auth Container for ECS auth checks.
Definition: class.ilAuthContainerECS.php:34
ilAuthUtils\isPasswordModificationEnabled
static isPasswordModificationEnabled($a_authmode)
Check if password modification is enabled.
Definition: class.ilAuthUtils.php:898
$_POST
$_POST["username"]
Definition: cfg.phpunit.template.php:11
IL_COMP_SERVICE
const IL_COMP_SERVICE
Definition: class.ilComponent.php:6
AUTH_RADIUS
const AUTH_RADIUS
Definition: class.ilAuthUtils.php:9