ILIAS  release_5-2 Revision v5.2.25-18-g3f80b828510
Public Member Functions | Protected Member Functions | Private Member Functions | Private Attributes | Static Private Attributes
ilAuthContainerLDAP Class Reference
Services/LDAP

Overwritten Pear class AuthContainerLDAP This class is overwritten to support nested groups. More...

+ Inheritance diagram for ilAuthContainerLDAP:
+ Collaboration diagram for ilAuthContainerLDAP:

Public Member Functions

 __construct ($a_server_id=null)
 Constructor. More...
 
 forceCreation ($a_status)
 
 enableOptionalGroupCheck ()
 enable optional group check More...
 
 enabledOptionalGroupCheck ()
 Check if optional group check is enabled. More...
 
 fetchData ($username, $password)
 Overwritten from base class. More...
 
 checkGroup ($a_name)
 check group overwritten base class More...
 
 loginObserver ($a_username, $a_auth)
 Called from fetchData after successful login. More...
 
 failedLoginObserver ($a_username, $a_auth)
 Called from fetchData after failed login. More...
 
 supportsCaptchaVerification ()
 

Protected Member Functions

 extractUserName ($a_user_data)
 
 updateRequired ($a_username)
 Check if an update is required. More...
 

Private Member Functions

 updateUserFilter ()
 Update user filter. More...
 
 initLDAPAttributeToUser ()
 Init LDAP attribute mapping. More...
 

Private Attributes

 $optional_check = false
 
 $log = null
 
 $server = null
 
 $ldap_attr_to_user = null
 

Static Private Attributes

static $force_creation = false
 

Detailed Description

Overwritten Pear class AuthContainerLDAP This class is overwritten to support nested groups.

Author
Stefan Meyer smeye.nosp@m.r.il.nosp@m.ias@g.nosp@m.mx.d.nosp@m.e
Version
$Id$

Definition at line 36 of file class.ilAuthContainerLDAP.php.

Constructor & Destructor Documentation

◆ __construct()

ilAuthContainerLDAP::__construct (   $a_server_id = null)

Constructor.

public

Parameters
intldap server id

Definition at line 54 of file class.ilAuthContainerLDAP.php.

References $ilLog, ilLDAPServer\_getFirstActiveServer(), ilLDAPServer\getInstanceByServerId(), and ilLoggerFactory\getLogger().

55  {
56  global $ilLog;
57 
58  include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
59 
60  if($a_server_id)
61  {
62  $this->server = ilLDAPServer::getInstanceByServerId($a_server_id);
63  }
64  else
65  {
66  $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
67  }
68 
69  $this->log = ilLoggerFactory::getLogger('auth');
70 
71  parent::__construct($this->server->toPearAuthArray());
72  }
ilLDAPServer\_getFirstActiveServer
static _getFirstActiveServer()
Get first active server.
Definition: class.ilLDAPServer.php:185
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId($a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:58
$ilLog
$ilLog
Definition: inc.setup_header.php:130
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:82
+ Here is the call graph for this function:

Member Function Documentation

◆ checkGroup()

ilAuthContainerLDAP::checkGroup (   $a_name)

check group overwritten base class

public

Parameters
stringuser name (DN or external account name)

Definition at line 146 of file class.ilAuthContainerLDAP.php.

References $optional_check.

147  {
148  $this->log->debug('Checking group restrictions...');
149 
150  // if there are multiple groups define check all of them for membership
151  $groups = $this->server->getGroupNames();
152 
153  if(!count($groups))
154  {
155  $this->log->debug('no group restrictions found');
156  return true;
157  }
158  elseif($this->server->isMembershipOptional() and !$this->optional_check)
159  {
160  $this->log->debug('Group membership is otional');
161  return true;
162  }
163 
164  foreach($groups as $group)
165  {
166  $this->options['group'] = $group;
167 
168  if(parent::checkGroup($a_name))
169  {
170  return true;
171  }
172  }
173  return false;
174  }

◆ enabledOptionalGroupCheck()

ilAuthContainerLDAP::enabledOptionalGroupCheck ( )

Check if optional group check is enabled.

public

Definition at line 98 of file class.ilAuthContainerLDAP.php.

References $optional_check.

Referenced by fetchData().

99  {
100  return (bool) $this->optional_check;
101  }
+ Here is the caller graph for this function:

◆ enableOptionalGroupCheck()

ilAuthContainerLDAP::enableOptionalGroupCheck ( )

enable optional group check

public

Parameters

Definition at line 86 of file class.ilAuthContainerLDAP.php.

References updateUserFilter().

Referenced by fetchData().

87  {
88  $this->optional_check = true;
89  $this->updateUserFilter();
90  }
ilAuthContainerLDAP\updateUserFilter
updateUserFilter()
Update user filter.
Definition: class.ilAuthContainerLDAP.php:182
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ extractUserName()

ilAuthContainerLDAP::extractUserName (   $a_user_data)
protected
Parameters

Definition at line 258 of file class.ilAuthContainerLDAP.php.

References ilObjUser\_checkExternalAuthAccount().

Referenced by loginObserver().

259  {
260  $a_username = isset($a_user_data[strtolower($this->server->getUserAttribute())]) ?
261  $a_user_data[strtolower($this->server->getUserAttribute())] :
262  trim($a_user_data);
263 
264  // Support for multiple user attributes
265  if(!is_array($a_username))
266  {
267  return $a_username;
268  }
269  foreach($a_username as $name)
270  {
271  // User found with authentication method 'ldap'
272  if(ilObjUser::_checkExternalAuthAccount("ldap",$name))
273  {
274  return trim($name);
275  }
276  }
277  // No existing user found => return first name
278  return $a_username[0];
279  }
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3721
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ failedLoginObserver()

ilAuthContainerLDAP::failedLoginObserver (   $a_username,
  $a_auth 
)

Called from fetchData after failed login.

Parameters
stringusername
objectPEAR auth object

Definition at line 248 of file class.ilAuthContainerLDAP.php.

249  {
250  return false;
251  }

◆ fetchData()

ilAuthContainerLDAP::fetchData (   $username,
  $password 
)

Overwritten from base class.

Parameters
object$username
object$password
Returns

Definition at line 109 of file class.ilAuthContainerLDAP.php.

References $res, enabledOptionalGroupCheck(), enableOptionalGroupCheck(), and PEAR\isError().

110  {
111  if(!$this->server->doConnectionCheck())
112  {
113  return FALSE;
114  }
115 
116 
117  $res = parent::fetchData($username,$password);
118 
119  if (PEAR::isError($res))
120  {
121  $this->log->notice('Authentication failed with message:' . $res->getMessage());
122  return $res;
123  }
124  elseif ($res == true)
125  {
126  $this->log->debug('Authentication successful');
127  return true;
128  }
129  if(!$this->enabledOptionalGroupCheck() and $this->server->isMembershipOptional())
130  {
131  $this->enableOptionalGroupCheck();
132  return parent::fetchData($username,$password);
133  }
134  return false;
135  }
ilAuthContainerLDAP\enableOptionalGroupCheck
enableOptionalGroupCheck()
enable optional group check
Definition: class.ilAuthContainerLDAP.php:86
ilAuthContainerLDAP\enabledOptionalGroupCheck
enabledOptionalGroupCheck()
Check if optional group check is enabled.
Definition: class.ilAuthContainerLDAP.php:98
PEAR\isError
isError($data, $code=null)
Tell whether a value is a PEAR error.
Definition: PEAR.php:280
+ Here is the call graph for this function:

◆ forceCreation()

ilAuthContainerLDAP::forceCreation (   $a_status)

Definition at line 74 of file class.ilAuthContainerLDAP.php.

75  {
76  self::$force_creation = $a_status;
77  }

◆ initLDAPAttributeToUser()

ilAuthContainerLDAP::initLDAPAttributeToUser ( )
private

Init LDAP attribute mapping.

private

Definition at line 237 of file class.ilAuthContainerLDAP.php.

238  {
239  include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
240  $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
241  }
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:34

◆ loginObserver()

ilAuthContainerLDAP::loginObserver (   $a_username,
  $a_auth 
)

Called from fetchData after successful login.

Parameters
stringusername

Definition at line 192 of file class.ilAuthContainerLDAP.php.

References $ilLog, AUTH_LDAP_NO_ILIAS_USER, extractUserName(), ilUtil\redirect(), and ilLDAPUserSynchronisation\setExternalAccount().

193  {
194  global $ilLog;
195 
196  $user_data = array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
197 
198  $a_username = $this->extractUserName($user_data);
199 
200  include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
201  $sync = new ilLDAPUserSynchronisation('ldap_'.$this->server->getServerId(), $this->server->getServerId());
202  $sync->setExternalAccount($a_username);
203  $sync->setUserData($user_data);
204  $sync->forceCreation(self::$force_creation);
205 
206  try {
207  $internal_account = $sync->sync();
208  }
209  catch(UnexpectedValueException $e) {
210  $this->log->info('Login failed with message: ' . $e->getMessage());
211  $a_auth->status = AUTH_WRONG_LOGIN;
212  $a_auth->logout();
213  return false;
214  }
215  catch(ilLDAPSynchronisationForbiddenException $e) {
216  // No syncronisation allowed => create Error
217  $this->log->info('Login failed with message: ' . $e->getMessage());
218  $a_auth->status = AUTH_LDAP_NO_ILIAS_USER;
219  $a_auth->logout();
220  return false;
221  }
222  catch(ilLDAPAccountMigrationRequiredException $e) {
223  $this->log->info('Starting account migration');
224  $a_auth->logout();
225  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
226  }
227 
228  $a_auth->setAuth($internal_account);
229  return true;
230  }
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:14
ilLDAPUserSynchronisation\setExternalAccount
setExternalAccount($a_ext)
Set external account (unique for each auth mode)
Definition: class.ilLDAPUserSynchronisation.php:61
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:12
$ilLog
$ilLog
Definition: inc.setup_header.php:130
AUTH_LDAP_NO_ILIAS_USER
const AUTH_LDAP_NO_ILIAS_USER
Definition: class.ilAuthUtils.php:28
ilUtil\redirect
static redirect($a_script)
http redirect to other script
Definition: class.ilUtil.php:3567
+ Here is the call graph for this function:

◆ supportsCaptchaVerification()

ilAuthContainerLDAP::supportsCaptchaVerification ( )
Returns
bool

Definition at line 312 of file class.ilAuthContainerLDAP.php.

313  {
314  return true;
315  }

◆ updateRequired()

ilAuthContainerLDAP::updateRequired (   $a_username)
protected

Check if an update is required.

Returns
Parameters
string$a_username

Definition at line 286 of file class.ilAuthContainerLDAP.php.

References ilObjUser\_checkExternalAuthAccount(), ilLDAPRoleAssignmentRule\hasRulesForUpdate(), and ilLDAPAttributeMapping\hasRulesForUpdate().

287  {
288  if(!ilObjUser::_checkExternalAuthAccount("ldap",$a_username))
289  {
290  #$GLOBALS['ilLog']->write(__METHOD__.': Required 1');
291  return true;
292  }
293  // Check attribute mapping on login
294  include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
295  if(ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId()))
296  {
297  #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
298  return true;
299  }
300  include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
301  if(ilLDAPRoleAssignmentRule::hasRulesForUpdate())
302  {
303  #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
304  return true;
305  }
306  return false;
307  }
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:72
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate($a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:120
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3721
+ Here is the call graph for this function:

◆ updateUserFilter()

ilAuthContainerLDAP::updateUserFilter ( )
private

Update user filter.

private

Definition at line 182 of file class.ilAuthContainerLDAP.php.

Referenced by enableOptionalGroupCheck().

183  {
184  $this->options['userfilter'] = $this->server->getGroupUserFilter();
185  }
+ Here is the caller graph for this function:

Field Documentation

◆ $force_creation

ilAuthContainerLDAP::$force_creation = false
staticprivate

Definition at line 38 of file class.ilAuthContainerLDAP.php.

◆ $ldap_attr_to_user

ilAuthContainerLDAP::$ldap_attr_to_user = null
private

Definition at line 44 of file class.ilAuthContainerLDAP.php.

◆ $log

ilAuthContainerLDAP::$log = null
private

Definition at line 42 of file class.ilAuthContainerLDAP.php.

◆ $optional_check

ilAuthContainerLDAP::$optional_check = false
private

Definition at line 40 of file class.ilAuthContainerLDAP.php.

Referenced by checkGroup(), and enabledOptionalGroupCheck().

◆ $server

ilAuthContainerLDAP::$server = null
private

Definition at line 43 of file class.ilAuthContainerLDAP.php.

The documentation for this class was generated from the following file: