ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
class.ilAuthContainerApache.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (c) 1998-2014 ILIAS open source, Extended GPL, see docs/LICENSE */
3 
4 require_once 'Auth/Container/MDB2.php';
5 
12 class ilAuthContainerApache extends Auth_Container
13 {
17  public static $force_creation = false;
18 
22  public function __construct()
23  {
24  parent::__construct();
25  }
26 
30  public static function forceCreation($value)
31  {
32  self::$force_creation = $value;
33  }
34 
42  public function fetchData($a_username, $password, $isChallengeResponse = false)
43  {
44  ilLoggerFactory::getLogger('auth')->debug('Starting apache auth');
45 
51  global $ilDB, $ilSetting , $rbacadmin;
52 
53  $settings = new ilSetting('apache_auth');
54 
55  if (!$settings->get('apache_enable_auth')) {
56  ilLoggerFactory::getLogger('auth')->debug('Apache auth disabled');
57  return false;
58  }
59  if (!$settings->get('apache_auth_indicator_name') || !$settings->get('apache_auth_indicator_value')) {
60  ilLoggerFactory::getLogger('auth')->debug('Apache auth indicator match failed');
61  return false;
62  }
63  if (!ilUtil::isLogin($a_username)) {
64  ilLoggerFactory::getLogger('auth')->debug('Apache auth wrong login');
65  return false;
66  }
67 
68  if ($a_username == 'anonymous' && $password == 'anonymous') {
69  $query = 'SELECT * FROM usr_data WHERE login = %s';
70  $qres = $ilDB->queryF($query, array('text'), array($a_username));
71  $userRow = $ilDB->fetchAssoc($qres);
72 
73  if (is_array($userRow) && $userRow['usr_id']) {
74  // user as a local account...
75  // fetch logindata
76  $this->activeUser = $userRow['login'];
77  foreach ($userRow as $key => $value) {
78  if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
79  continue;
80  }
81  // Use reference to the auth object if exists
82  // This is because the auth session variable can change so a static call to setAuthData does not make sense
83  $this->_auth_obj->setAuthData($key, $value);
84  }
85  ilLoggerFactory::getLogger('auth')->debug('Apache local auth successful.');
86  $this->_auth_obj->setAuth($userRow['login']);
87  return true;
88  }
89  ilLoggerFactory::getLogger('auth')->debug('Apache local auth unsuccessful.');
90  return false;
91  }
92 
93  if (
94  !$_SESSION['login_invalid'] &&
95  in_array(
96  $_SERVER[$settings->get('apache_auth_indicator_name')],
97  array_filter(array_map('trim', str_getcsv($settings->get('apache_auth_indicator_value'))))
98  )
99  ) {
100  // we have a valid apache auth
101  $list = array(
102  $ilSetting->get('auth_mode')
103  );
104 
105  // Respect the auth method sequence
106  include_once('./Services/Authentication/classes/class.ilAuthModeDetermination.php');
107  $det = ilAuthModeDetermination::_getInstance();
108  if (!$det->isManualSelection() && $det->getCountActiveAuthModes() > 1) {
109  $list = array();
110  foreach (ilAuthModeDetermination::_getInstance()->getAuthModeSequence() as $auth_mode) {
111  $list[] = $auth_mode;
112  }
113  }
114 
115  // Apache with ldap as data source
116  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
117  if ($settings->get('apache_enable_ldap')) {
118  return $this->handleLDAPDataSource($this->_auth_obj, $a_username, $settings);
119  }
120 
121 
122  foreach ($list as $auth_mode) {
123  ilLoggerFactory::getLogger('auth')->debug('Current auth mode: ' . $auth_mode);
124 
125  if (AUTH_LDAP == $auth_mode) {
126  ilLoggerFactory::getLogger('auth')->debug('Trying ldap synchronisation');
127  // if no local user has been found AND ldap lookup is enabled
128  if ($settings->get('apache_enable_ldap')) {
129  include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
130  $this->server = new ilLDAPServer($settings->get('apache_ldap_sid'));
131  $this->server->doConnectionCheck();
132 
133  $config = $this->server->toPearAuthArray();
134 
135  $query = new ilLDAPQuery($this->server);
136  $query->bind();
137  $ldapUser = $query->fetchUser($a_username);
138 
139  if ($ldapUser && $ldapUser[$a_username] && $ldapUser[$a_username][$config['userattr']] == $a_username) {
140  $ldapUser[$a_username]['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_" . $this->server->getServerId(), $a_username);
141  $user_data = $ldapUser[$a_username]; //array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
142  if ($this->server->enabledSyncOnLogin()) {
143  if (!$user_data['ilInternalAccount'] && $this->server->isAccountMigrationEnabled() && !self::$force_creation) {
144  $this->_auth_obj->logout();
145  $_SESSION['tmp_auth_mode'] = 'apache';
146  $_SESSION['tmp_auth_mode_type'] = 'apache';
147  $_SESSION['tmp_external_account'] = $a_username;
148  $_SESSION['tmp_pass'] = $_POST['password'];
149 
150  include_once('./Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php');
151  $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation(
152  $this->server->getServerId(),
153  $a_username,
154  $user_data
155  );
156  $_SESSION['tmp_roles'] = array();
157  foreach ($roles as $info) {
158  if ($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN) {
159  $_SESSION['tmp_roles'][] = $info['id'];
160  }
161  }
162 
163  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
164  }
165 
166  if ($this->updateRequired($a_username)) {
167  $this->initLDAPAttributeToUser();
168  $this->ldap_attr_to_user->setUserData($ldapUser);
169  $this->ldap_attr_to_user->refresh();
170  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_" . $this->server->getServerId(), $a_username);
171  } else {
172  // User exists and no update required
173  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap_" . $this->server->getServerId(), $a_username);
174  }
175  }
176  if ($user_data['ilInternalAccount']) {
177  $this->_auth_obj->setAuth($user_data['ilInternalAccount']);
178  $this->_auth_obj->username = $user_data['ilInternalAccount'];
179  return true;
180  }
181  }
182  }
183  } elseif (AUTH_APACHE != $auth_mode && $settings->get('apache_enable_local')) {
184  $condition = '';
185  if ($ilSetting->get("auth_mode") && $ilSetting->get("auth_mode") == 'ldap') {
186  $condition = " AND auth_mode != " . $ilDB->quote('default', 'text') . " ";
187  }
188  $query = "SELECT * FROM usr_data WHERE login = %s AND auth_mode != %s $condition";
189  $qres = $ilDB->queryF($query, array('text', 'text'), array($a_username, 'ldap'));
190  $userRow = $ilDB->fetchAssoc($qres);
191 
192  if (is_array($userRow) && $userRow['usr_id']) {
193  // user as a local account...
194  // fetch logindata
195  $this->activeUser = $userRow['login'];
196  foreach ($userRow as $key => $value) {
197  if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
198  continue;
199  }
200  // Use reference to the auth object if exists
201  // This is because the auth session variable can change so a static call to setAuthData does not make sense
202  $this->_auth_obj->setAuthData($key, $value);
203  }
204  $this->_auth_obj->setAuth($userRow['login']);
205  return true;
206  }
207  }
208  }
209 
210  if ($settings->get('apache_enable_local') && $settings->get('apache_local_autocreate')) {
211  if ($_GET['r']) {
212  $_SESSION['profile_complete_redirect'] = $_GET['r'];
213  }
214 
215  $user = new ilObjUser();
216  $user->setLogin($a_username);
217  $user->setExternalAccount($a_username);
218  $user->setProfileIncomplete(true);
219  $user->create();
220  $user->setAuthMode('apache');
221  // set a timestamp for last_password_change
222  // this ts is needed by ilSecuritySettings
223  $user->setLastPasswordChangeTS(time());
224  $user->setTimeLimitUnlimited(1);
225 
226  $user->setActive(1);
227  //insert user data in table user_data
228  $user->saveAsNew();
229  $user->writePrefs();
230  $rbacadmin->assignUser($settings->get('apache_default_role', 4), $user->getId(), true);
231  return true;
232  }
233  } elseif (defined('IL_CERT_SSO') && IL_CERT_SSO) {
234  define('APACHE_ERRORCODE', AUTH_APACHE_FAILED);
235  }
236 
237  return false;
238  }
239 
245  protected function updateRequired($a_username)
246  {
247  if (!ilObjUser::_checkExternalAuthAccount("ldap_" . $this->server->getServerId(), $a_username)) {
248  return true;
249  }
250  // Check attribute mapping on login
251  include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
252  if (ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId())) {
253  return true;
254  }
255  include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
256  if (ilLDAPRoleAssignmentRule::hasRulesForUpdate()) {
257  return true;
258  }
259  return false;
260  }
261 
266  private function initLDAPAttributeToUser()
267  {
268  include_once('Services/LDAP/classes/class.ilLDAPAttributeToUser.php');
269  $this->ldap_attr_to_user = new ilLDAPAttributeToUser($this->server);
270  }
271 
272 
278  protected function handleLDAPDataSource($a_auth, $ext_account, $settings)
279  {
280  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
281  $server = ilLDAPServer::getInstanceByServerId(
282  $settings->get('apache_ldap_sid')
283  );
284 
285  ilLoggerFactory::getLogger('auth')->debug('Using ldap data source with server configuration: ' . $server->getName());
286 
287  include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
288  $sync = new ilLDAPUserSynchronisation('ldap_' . $server->getServerId(), $server->getServerId());
289  $sync->setExternalAccount($ext_account);
290  $sync->setUserData(array());
291  $sync->forceCreation(self::$force_creation);
292  $sync->forceReadLdapData(true);
293 
294  try {
295  $internal_account = $sync->sync();
296  } catch (UnexpectedValueException $e) {
297  ilLoggerFactory::getLogger('auth')->info('Login failed with message: ' . $e->getMessage());
298  $a_auth->status = AUTH_WRONG_LOGIN;
299  $a_auth->logout();
300  return false;
301  } catch (ilLDAPSynchronisationForbiddenException $e) {
302  // No syncronisation allowed => create Error
303  ilLoggerFactory::getLogger('auth')->info('Login failed with message: ' . $e->getMessage());
304  $a_auth->status = AUTH_RADIUS_NO_ILIAS_USER;
305  $a_auth->logout();
306  return false;
307  } catch (ilLDAPAccountMigrationRequiredException $e) {
308  ilLoggerFactory::getLogger('auth')->debug('Starting account migration');
309  $a_auth->logout();
310  ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
311  }
312 
313  $a_auth->setAuth($internal_account);
314  return true;
315  }
316 }
Auth_Container
ilLDAPRoleAssignmentRules\getAssignmentsForCreation
static getAssignmentsForCreation($a_server_id, $a_usr_name, $a_usr_data)
Definition: class.ilLDAPRoleAssignmentRules.php:169
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:71
$list
if(isset($_REQUEST['delete'])) $list
Definition: registry.php:41
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate($a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:118
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:14
AUTH_RADIUS_NO_ILIAS_USER
const AUTH_RADIUS_NO_ILIAS_USER
Definition: class.ilAuthUtils.php:32
AUTH_APACHE
const AUTH_APACHE
Definition: class.ilAuthUtils.php:19
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:12
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId($a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:58
ilAuthContainerApache\handleLDAPDataSource
handleLDAPDataSource($a_auth, $ext_account, $settings)
Handle ldap as data source.
Definition: class.ilAuthContainerApache.php:278
$password
$password
Definition: pwgen.php:17
AUTH_APACHE_FAILED
const AUTH_APACHE_FAILED
Definition: class.ilAuthUtils.php:37
ilLDAPServer\doConnectionCheck
doConnectionCheck()
Check ldap connection and do a fallback to the next server if no connection is possible.
Definition: class.ilLDAPServer.php:509
$sync
$sync
Definition: memcacheSync.php:62
$query
$query
Definition: proxy_ylocal.php:13
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account, $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3692
$server
$server
Definition: getUserInfo.php:12
ilUtil\isLogin
static isLogin($a_login)
Definition: class.ilUtil.php:1317
$ilSetting
global $ilSetting
Definition: privfeed.php:17
$ilDB
global $ilDB
Definition: storeScorm2004.php:16
ilAuthContainerApache
Authentication against ILIAS database.
Definition: class.ilAuthContainerApache.php:12
ilAuthContainerApache\initLDAPAttributeToUser
initLDAPAttributeToUser()
Init LDAP attribute mapping private.
Definition: class.ilAuthContainerApache.php:266
ilLoggerFactory\getLogger
static getLogger($a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:79
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:34
time
Add data(end) time
Method that wraps PHPs time in order to allow simulations with the workflow.
Definition: 40duplicateStyle.php:39
defined
defined( 'APPLICATION_ENV')||define( 'APPLICATION_ENV'
Definition: bootstrap.php:27
$info
$info
Definition: index.php:5
ilUtil\redirect
static redirect($a_script)
Definition: class.ilUtil.php:3353
ilAuthContainerApache\updateRequired
updateRequired($a_username)
Check if an update is required.
Definition: class.ilAuthContainerApache.php:245
$key
$key
Definition: croninfo.php:18
$_POST
$_POST["username"]
Definition: cfg.phpunit.template.php:11