ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
class.ilAuthContainerApache.php
Go to the documentation of this file.
1<?php
2/* Copyright (c) 1998-2014 ILIAS open source, Extended GPL, see docs/LICENSE */
3
4require_once 'Auth/Container/MDB2.php';
5
12class ilAuthContainerApache extends Auth_Container
13{
17 public static $force_creation = false;
18
22 public function __construct()
23 {
24 parent::__construct();
25 }
26
30 public static function forceCreation($value)
31 {
32 self::$force_creation = $value;
33 }
34
42 public function fetchData($a_username, $password, $isChallengeResponse = false)
43 {
44 ilLoggerFactory::getLogger('auth')->debug('Starting apache auth');
45
51 global $ilDB, $ilSetting , $rbacadmin;
52
53 $settings = new ilSetting('apache_auth');
54
55 if (!$settings->get('apache_enable_auth')) {
56 ilLoggerFactory::getLogger('auth')->debug('Apache auth disabled');
57 return false;
58 }
59 if (!$settings->get('apache_auth_indicator_name') || !$settings->get('apache_auth_indicator_value')) {
60 ilLoggerFactory::getLogger('auth')->debug('Apache auth indicator match failed');
61 return false;
62 }
63 if (!ilUtil::isLogin($a_username)) {
64 ilLoggerFactory::getLogger('auth')->debug('Apache auth wrong login');
65 return false;
66 }
67
68 if ($a_username == 'anonymous' && $password == 'anonymous') {
69 $query = 'SELECT * FROM usr_data WHERE login = %s';
70 $qres = $ilDB->queryF($query, array('text'), array($a_username));
71 $userRow = $ilDB->fetchAssoc($qres);
72
73 if (is_array($userRow) && $userRow['usr_id']) {
74 // user as a local account...
75 // fetch logindata
76 $this->activeUser = $userRow['login'];
77 foreach ($userRow as $key => $value) {
78 if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
79 continue;
80 }
81 // Use reference to the auth object if exists
82 // This is because the auth session variable can change so a static call to setAuthData does not make sense
83 $this->_auth_obj->setAuthData($key, $value);
84 }
85 ilLoggerFactory::getLogger('auth')->debug('Apache local auth successful.');
86 $this->_auth_obj->setAuth($userRow['login']);
87 return true;
88 }
89 ilLoggerFactory::getLogger('auth')->debug('Apache local auth unsuccessful.');
90 return false;
91 }
92
93 if (
94 !$_SESSION['login_invalid'] &&
95 in_array(
96 $_SERVER[$settings->get('apache_auth_indicator_name')],
97 array_filter(array_map('trim', str_getcsv($settings->get('apache_auth_indicator_value'))))
98 )
99 ) {
100 // we have a valid apache auth
101 $list = array(
102 $ilSetting->get('auth_mode')
103 );
104
105 // Respect the auth method sequence
106 include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
107 $det = ilAuthModeDetermination::_getInstance();
108 if (!$det->isManualSelection() && $det->getCountActiveAuthModes() > 1) {
109 $list = array();
110 foreach (ilAuthModeDetermination::_getInstance()->getAuthModeSequence() as $auth_mode) {
111 $list[] = $auth_mode;
112 }
113 }
114
115 // Apache with ldap as data source
116 include_once './Services/LDAP/classes/class.ilLDAPServer.php';
117 if ($settings->get('apache_enable_ldap')) {
118 return $this->handleLDAPDataSource($this->_auth_obj, $a_username, $settings);
119 }
120
121
122 foreach ($list as $auth_mode) {
123 ilLoggerFactory::getLogger('auth')->debug('Current auth mode: ' . $auth_mode);
124
125 if (AUTH_LDAP == $auth_mode) {
126 ilLoggerFactory::getLogger('auth')->debug('Trying ldap synchronisation');
127 // if no local user has been found AND ldap lookup is enabled
128 if ($settings->get('apache_enable_ldap')) {
129 include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
130 $this->server = new ilLDAPServer($settings->get('apache_ldap_sid'));
131 $this->server->doConnectionCheck();
132
133 $config = $this->server->toPearAuthArray();
134
135 $query = new ilLDAPQuery($this->server);
136 $query->bind();
137 $ldapUser = $query->fetchUser($a_username);
138
139 if ($ldapUser && $ldapUser[$a_username] && $ldapUser[$a_username][$config['userattr']] == $a_username) {
140 $ldapUser[$a_username]['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_" . $this->server->getServerId(), $a_username);
141 $user_data = $ldapUser[$a_username]; //array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
142 if ($this->server->enabledSyncOnLogin()) {
143 if (!$user_data['ilInternalAccount'] && $this->server->isAccountMigrationEnabled() && !self::$force_creation) {
144 $this->_auth_obj->logout();
145 $_SESSION['tmp_auth_mode'] = 'apache';
146 $_SESSION['tmp_auth_mode_type'] = 'apache';
147 $_SESSION['tmp_external_account'] = $a_username;
148 $_SESSION['tmp_pass'] = $_POST['password'];
149
150 include_once('./Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php');
151 $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation(
152 $this->server->getServerId(),
153 $a_username,
154 $user_data
155 );
156 $_SESSION['tmp_roles'] = array();
157 foreach ($roles as $info) {
158 if ($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN) {
159 $_SESSION['tmp_roles'][] = $info['id'];
160 }
161 }
162
163 ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
164 }
165
166 if ($this->updateRequired($a_username)) {
167 $this->initLDAPAttributeToUser();
168 $this->ldap_attr_to_user->setUserData($ldapUser);
169 $this->ldap_attr_to_user->refresh();
170 $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_" . $this->server->getServerId(), $a_username);
171 } else {
172 // User exists and no update required
173 $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_" . $this->server->getServerId(), $a_username);
174 }
175 }
176 if ($user_data['ilInternalAccount']) {
177 $this->_auth_obj->setAuth($user_data['ilInternalAccount']);
178 $this->_auth_obj->username = $user_data['ilInternalAccount'];
179 return true;
180 }
181 }
182 }
183 } elseif (AUTH_APACHE != $auth_mode && $settings->get('apache_enable_local')) {
184 $condition = '';
185 if ($ilSetting->get("auth_mode") && $ilSetting->get("auth_mode") == 'ldap') {
186 $condition = " AND auth_mode != " . $ilDB->quote('default', 'text') . " ";
187 }
188 $query = "SELECT * FROM usr_data WHERE login = %s AND auth_mode != %s $condition";
189 $qres = $ilDB->queryF($query, array('text', 'text'), array($a_username, 'ldap'));
190 $userRow = $ilDB->fetchAssoc($qres);
191
192 if (is_array($userRow) && $userRow['usr_id']) {
193 // user as a local account...
194 // fetch logindata
195 $this->activeUser = $userRow['login'];
196 foreach ($userRow as $key => $value) {
197 if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
198 continue;
199 }
200 // Use reference to the auth object if exists
201 // This is because the auth session variable can change so a static call to setAuthData does not make sense
202 $this->_auth_obj->setAuthData($key, $value);
203 }
204 $this->_auth_obj->setAuth($userRow['login']);
205 return true;
206 }
207 }
208 }
209
210 if ($settings->get('apache_enable_local') && $settings->get('apache_local_autocreate')) {
211 if ($_GET['r']) {
212 $_SESSION['profile_complete_redirect'] = $_GET['r'];
213 }
214
215 $user = new ilObjUser();
216 $user->setLogin($a_username);
217 $user->setExternalAccount($a_username);
218 $user->setProfileIncomplete(true);
219 $user->create();
220 $user->setAuthMode('apache');
221 // set a timestamp for last_password_change
222 // this ts is needed by ilSecuritySettings
223 $user->setLastPasswordChangeTS(time());
224 $user->setTimeLimitUnlimited(1);
225
226 $user->setActive(1);
227 //insert user data in table user_data
228 $user->saveAsNew();
229 $user->writePrefs();
230 $rbacadmin->assignUser($settings->get('apache_default_role', 4), $user->getId(), true);
231 return true;
232 }
233 } elseif (defined('IL_CERT_SSO') && IL_CERT_SSO) {
234 define('APACHE_ERRORCODE', AUTH_APACHE_FAILED);
235 }
236
237 return false;
238 }
239
245 protected function updateRequired($a_username)
246 {
247 if (!ilObjUser::_checkExternalAuthAccount("ldap_" . $this->server->getServerId(), $a_username)) {
248 return true;
249 }
250 // Check attribute mapping on login
251 include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
252 if (ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId())) {
253 return true;
254 }
255 include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
256 if (ilLDAPRoleAssignmentRule::hasRulesForUpdate()) {
257 return true;
258 }
259 return false;
260 }
261
266 private function initLDAPAttributeToUser()
267 {
268 include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
269 $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
270 }
271
272
278 protected function handleLDAPDataSource($a_auth, $ext_account, $settings)
279 {
280 include_once './Services/LDAP/classes/class.ilLDAPServer.php';
281 $server = ilLDAPServer::getInstanceByServerId(
282 $settings->get('apache_ldap_sid')
283 );
284
285 ilLoggerFactory::getLogger('auth')->debug('Using ldap data source with server configuration: ' . $server->getName());
286
287 include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
288 $sync = new ilLDAPUserSynchronisation('ldap_' . $server->getServerId(), $server->getServerId());
289 $sync->setExternalAccount($ext_account);
290 $sync->setUserData(array());
291 $sync->forceCreation(self::$force_creation);
292 $sync->forceReadLdapData(true);
293
294 try {
295 $internal_account = $sync->sync();
296 } catch (UnexpectedValueException $e) {
297 ilLoggerFactory::getLogger('auth')->info('Login failed with message: ' . $e->getMessage());
298 $a_auth->status = AUTH_WRONG_LOGIN;
299 $a_auth->logout();
300 return false;
301 } catch (ilLDAPSynchronisationForbiddenException $e) {
302 // No syncronisation allowed => create Error
303 ilLoggerFactory::getLogger('auth')->info('Login failed with message: ' . $e->getMessage());
304 $a_auth->status = AUTH_RADIUS_NO_ILIAS_USER;
305 $a_auth->logout();
306 return false;
307 } catch (ilLDAPAccountMigrationRequiredException $e) {
308 ilLoggerFactory::getLogger('auth')->debug('Starting account migration');
309 $a_auth->logout();
310 ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
311 }
312
313 $a_auth->setAuth($internal_account);
314 return true;
315 }
316}
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
$_POST
$_POST["username"]
Definition: cfg.phpunit.template.php:11
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
Auth_Container
php
An exception for terminatinating execution or to throw for unit testing.
AUTH_APACHE
const AUTH_APACHE
Definition: class.ilAuthUtils.php:19
AUTH_APACHE_FAILED
const AUTH_APACHE_FAILED
Definition: class.ilAuthUtils.php:37
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
AUTH_RADIUS_NO_ILIAS_USER
const AUTH_RADIUS_NO_ILIAS_USER
Definition: class.ilAuthUtils.php:32
ilAuthContainerApache
Authentication against ILIAS database.
Definition: class.ilAuthContainerApache.php:13
ilAuthContainerApache\initLDAPAttributeToUser
initLDAPAttributeToUser()
Init LDAP attribute mapping @access private.
Definition: class.ilAuthContainerApache.php:266
ilAuthContainerApache\updateRequired
updateRequired($a_username)
Check if an update is required.
Definition: class.ilAuthContainerApache.php:245
ilAuthContainerApache\handleLDAPDataSource
handleLDAPDataSource($a_auth, $ext_account, $settings)
Handle ldap as data source.
Definition: class.ilAuthContainerApache.php:278
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:13
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate($a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:118
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:35
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:71
ilLDAPRoleAssignmentRules\getAssignmentsForCreation
static getAssignmentsForCreation($a_server_id, $a_usr_name, $a_usr_data)
Definition: class.ilLDAPRoleAssignmentRules.php:169
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId($a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:58
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:15
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:79
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account, $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3692
ilSetting
ILIAS Setting Class.
Definition: class.ilSetting.php:33
ilUtil\redirect
static redirect($a_script)
Definition: class.ilUtil.php:3353
ilUtil\isLogin
static isLogin($a_login)
Definition: class.ilUtil.php:1317
$key
$key
Definition: croninfo.php:18
$server
$server
Definition: getUserInfo.php:12
$info
$info
Definition: index.php:5
$sync
$sync
Definition: memcacheSync.php:62
defined
defined( 'APPLICATION_ENV')||define( 'APPLICATION_ENV'
Definition: bootstrap.php:27
$ilSetting
global $ilSetting
Definition: privfeed.php:17
$query
$query
Definition: proxy_ylocal.php:13
$password
$password
Definition: pwgen.php:17
$list
if(isset($_REQUEST['delete'])) $list
Definition: registry.php:41
$ilDB
global $ilDB
Definition: storeScorm2004.php:19
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54