ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
Public Member Functions | Protected Member Functions
sspmod_ldap_Auth_Process_AttributeAddUsersGroups Class Reference
+ Inheritance diagram for sspmod_ldap_Auth_Process_AttributeAddUsersGroups:
+ Collaboration diagram for sspmod_ldap_Auth_Process_AttributeAddUsersGroups:

Public Member Functions

 process (&$request)
 This is run when the filter is processed by SimpleSAML. More...
 
- Public Member Functions inherited from sspmod_ldap_Auth_Process_BaseFilter
 __construct (&$config, $reserved)
 Checks the authsource, if defined, for configuration values to the LDAP server. More...
 
 __construct (&$config, $reserved)
 Constructor for a processing filter. More...
 
 process (&$request)
 Process a request. More...
 

Protected Member Functions

 getGroups ($attributes)
 This section of code was broken out because the child filter AuthorizeByGroup can use this method as well. More...
 
 getGroupsOpenLdap ($attributes)
 OpenLDAP optimized search using the required attribute values from the user to get their group membership, recursively. More...
 
 getGroupsActiveDirectory ($attributes)
 Active Directory optimized search using the required attribute values from the user to get their group membership, recursively. More...
 
 search ($memberof)
 Looks for groups from the list of DN's passed. More...
 
 searchActiveDirectory ($dn)
 Searches LDAP using a ActiveDirectory specific filter, looking for group membership for the users DN. More...
 
- Protected Member Functions inherited from sspmod_ldap_Auth_Process_BaseFilter
 getLdap ()
 Getter for the LDAP connection object. More...
 
 var_export ($value)
 Local utility function to get details about a variable, basically converting it to a string to be used in a log message. More...
 

Additional Inherited Members

- Data Fields inherited from SimpleSAML_Auth_ProcessingFilter
 $priority = 50
 Priority of this filter. More...
 
- Protected Attributes inherited from sspmod_ldap_Auth_Process_BaseFilter
 $attribute_map
 
 $base_dn
 
 $config
 
 $product
 
 $title = 'ldap:BaseFilter : '
 
 $type_map
 

Detailed Description

Definition at line 11 of file AttributeAddUsersGroups.php.

Member Function Documentation

◆ getGroups()

sspmod_ldap_Auth_Process_AttributeAddUsersGroups::getGroups (   $attributes)
protected

This section of code was broken out because the child filter AuthorizeByGroup can use this method as well.

Based on the LDAP product, it will do an optimized search using the required attribute values from the user to get their group membership, recursively.

Exceptions
SimpleSAML_Error_Exception
Parameters
array$attributes
Returns
array

Definition at line 76 of file AttributeAddUsersGroups.php.

77 {
78 // Log the request
79 SimpleSAML\Logger::debug(
80 $this->title . 'Checking for groups based on the best method for the LDAP product.'
81 );
82
83 // Based on the directory service, search LDAP for groups
84 // If any attributes are needed, prepare them before calling search method
85 switch ($this->product) {
86 case 'ACTIVEDIRECTORY':
87 $groups = $this->getGroupsActiveDirectory($attributes);
88 break;
89 case 'OPENLDAP':
90 $groups = $this->getGroupsOpenLdap($attributes);
91 break;
92 default:
93 // Reference the map, just to make the name shorter
94 $map =& $this->attribute_map;
95
96 // Log the general search
97 SimpleSAML\Logger::debug(
98 $this->title . 'Searching LDAP using the default search method.'
99 );
100
101 // Make sure the defined memberOf attribute exists
102 if (!isset($attributes[$map['memberof']])) {
103 throw new SimpleSAML_Error_Exception(
104 $this->title . 'The memberof attribute [' . $map['memberof'] .
105 '] is not defined in the user\'s Attributes: ' . implode(', ', array_keys($attributes)));
106 }
107
108 // MemberOf must be an array of group DN's
109 if (!is_array($attributes[$map['memberof']])) {
110 throw new SimpleSAML_Error_Exception(
111 $this->title . 'The memberof attribute [' . $map['memberof'] .
112 '] is not an array of group DNs. ' . $this->var_export($attributes[$map['memberof']])
113 );
114 }
115
116 // Search for the users group membership, recursively
117 $groups = $this->search($attributes[$map['memberof']]);
118 }
119
120 // All done
121 SimpleSAML\Logger::debug(
122 $this->title . 'User found to be a member of the groups:' . implode('; ', $groups)
123 );
124 return $groups;
125 }
SimpleSAML\Logger\debug
static debug($string)
Definition: Logger.php:211
SimpleSAML_Error_Exception
Definition: Exception.php:13
sspmod_ldap_Auth_Process_AttributeAddUsersGroups\getGroupsActiveDirectory
getGroupsActiveDirectory($attributes)
Active Directory optimized search using the required attribute values from the user to get their grou...
Definition: AttributeAddUsersGroups.php:179
sspmod_ldap_Auth_Process_AttributeAddUsersGroups\search
search($memberof)
Looks for groups from the list of DN's passed.
Definition: AttributeAddUsersGroups.php:217
sspmod_ldap_Auth_Process_AttributeAddUsersGroups\getGroupsOpenLdap
getGroupsOpenLdap($attributes)
OpenLDAP optimized search using the required attribute values from the user to get their group member...
Definition: AttributeAddUsersGroups.php:137
sspmod_ldap_Auth_Process_BaseFilter\var_export
var_export($value)
Local utility function to get details about a variable, basically converting it to a string to be use...
Definition: BaseFilter.php:306
sspmod_ldap_Auth_Process_BaseFilter\$attribute_map
$attribute_map
Definition: BaseFilter.php:25
$map
$map
Definition: fetch_windows_zones.php:13
$attributes
if(array_key_exists('yes', $_REQUEST)) $attributes
Definition: getconsent.php:85

References sspmod_ldap_Auth_Process_BaseFilter\$attribute_map, $attributes, $map, SimpleSAML\Logger\debug(), getGroupsActiveDirectory(), getGroupsOpenLdap(), search(), and sspmod_ldap_Auth_Process_BaseFilter\var_export().

Referenced by process().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ getGroupsActiveDirectory()

sspmod_ldap_Auth_Process_AttributeAddUsersGroups::getGroupsActiveDirectory (   $attributes)
protected

Active Directory optimized search using the required attribute values from the user to get their group membership, recursively.

Exceptions
SimpleSAML_Error_Exception
Parameters
array$attributes
Returns
array

Definition at line 179 of file AttributeAddUsersGroups.php.

180 {
181 // Log the AD specific search
182 SimpleSAML\Logger::debug(
183 $this->title . 'Searching LDAP using ActiveDirectory specific method.'
184 );
185
186 // Reference the map, just to make the name shorter
187 $map =& $this->attribute_map;
188
189 // Make sure the defined dn attribute exists
190 if (!isset($attributes[$map['dn']])) {
191 throw new SimpleSAML_Error_Exception(
192 $this->title . 'The DN attribute [' . $map['dn'] .
193 '] is not defined in the user\'s Attributes: ' . implode(', ', array_keys($attributes)));
194 }
195
196 // DN attribute must have a value
197 if (!isset($attributes[$map['dn']][0]) || !$attributes[$map['dn']][0]) {
198 throw new SimpleSAML_Error_Exception(
199 $this->title . 'The DN attribute [' . $map['dn'] .
200 '] does not have a [0] value defined. ' . $this->var_export($attributes[$map['dn']])
201 );
202 }
203
204 // Pass to the AD specific search
205 return $this->searchActiveDirectory($attributes[$map['dn']][0]);
206 }
sspmod_ldap_Auth_Process_AttributeAddUsersGroups\searchActiveDirectory
searchActiveDirectory($dn)
Searches LDAP using a ActiveDirectory specific filter, looking for group membership for the users DN.
Definition: AttributeAddUsersGroups.php:296

References sspmod_ldap_Auth_Process_BaseFilter\$attribute_map, $attributes, $map, SimpleSAML\Logger\debug(), searchActiveDirectory(), and sspmod_ldap_Auth_Process_BaseFilter\var_export().

Referenced by getGroups().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ getGroupsOpenLdap()

sspmod_ldap_Auth_Process_AttributeAddUsersGroups::getGroupsOpenLdap (   $attributes)
protected

OpenLDAP optimized search using the required attribute values from the user to get their group membership, recursively.

Exceptions
SimpleSAML_Error_Exception
Parameters
array$attributes
Returns
array

Definition at line 137 of file AttributeAddUsersGroups.php.

138 {
139 // Log the OpenLDAP specific search
140 SimpleSAML\Logger::debug(
141 $this->title . 'Searching LDAP using OpenLDAP specific method.'
142 );
143
144 // Reference the map, just to make the name shorter
145 $map =& $this->attribute_map;
146
147 // Print group search string and search for all group names
148 $openldap_base = $this->config->getString('ldap.basedn','ou=groups,dc=example,dc=com');
149 SimpleSAML\Logger::debug(
150 $this->title . "Searching for groups in ldap.basedn ".$openldap_base." with filter (".$map['memberof']."=".$attributes[$map['username']][0].") and attributes ".$map['member']
151 );
152
153 $groups = array();
154 try {
155 // Intention is to filter in 'ou=groups,dc=example,dc=com' for '(memberUid = <value of attribute.username>)' and take only the attributes 'cn' (=name of the group)
156 $all_groups = $this->getLdap()->searchformultiple($openldap_base, array($map['memberof'] => $attributes[$map['username']][0]) , array($map['member']));
157 } catch (SimpleSAML_Error_UserNotFound $e) {
158 return $groups; // if no groups found return with empty (still just initialized) groups array
159 }
160
161 // run through all groups and add each to our groups array
162 foreach ($all_groups as $group_entry) {
163 $groups[] .= $group_entry[$map['member']][0];
164 }
165
166 return $groups;
167 }
SimpleSAML_Error_UserNotFound
Definition: UserNotFound.php:11
sspmod_ldap_Auth_Process_BaseFilter\getLdap
getLdap()
Getter for the LDAP connection object.
Definition: BaseFilter.php:259

References sspmod_ldap_Auth_Process_BaseFilter\$attribute_map, $attributes, $map, SimpleSAML\Logger\debug(), and sspmod_ldap_Auth_Process_BaseFilter\getLdap().

Referenced by getGroups().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ process()

sspmod_ldap_Auth_Process_AttributeAddUsersGroups::process ( $request)

This is run when the filter is processed by SimpleSAML.

It will attempt to find the current users groups using the best method possible for the LDAP product. The groups are then added to the request attributes.

Exceptions
SimpleSAML_Error_Exception
Parameters
$request

Reimplemented from SimpleSAML_Auth_ProcessingFilter.

Definition at line 22 of file AttributeAddUsersGroups.php.

23 {
24 assert(is_array($request));
25 assert(array_key_exists('Attributes', $request));
26
27 // Log the process
28 SimpleSAML\Logger::debug(
29 $this->title . 'Attempting to get the users groups...'
30 );
31
32 // Reference the attributes, just to make the names shorter
33 $attributes =& $request['Attributes'];
34 $map =& $this->attribute_map;
35
36 // Get the users groups from LDAP
37 $groups = $this->getGroups($attributes);
38
39 // Make the array if it is not set already
40 if (!isset($attributes[$map['groups']])) {
41 $attributes[$map['groups']] = array();
42 }
43
44 // Must be an array, else cannot merge groups
45 if (!is_array($attributes[$map['groups']])) {
46 throw new SimpleSAML_Error_Exception(
47 $this->title . 'The group attribute [' . $map['groups'] .
48 '] is not an array of group DNs. ' . $this->var_export($attributes[$map['groups']])
49 );
50 }
51
52 // Add the users group(s)
53 $group_attribute =& $attributes[$map['groups']];
54 $group_attribute = array_merge($group_attribute, $groups);
55 $group_attribute = array_unique($group_attribute);
56
57 // All done
58 SimpleSAML\Logger::debug(
59 $this->title . 'Added users groups to the group attribute [' .
60 $map['groups'] . ']: ' . implode('; ', $groups)
61 );
62 }
$request
foreach($paths as $path) $request
Definition: asyncclient.php:32
sspmod_ldap_Auth_Process_AttributeAddUsersGroups\getGroups
getGroups($attributes)
This section of code was broken out because the child filter AuthorizeByGroup can use this method as ...
Definition: AttributeAddUsersGroups.php:76

References sspmod_ldap_Auth_Process_BaseFilter\$attribute_map, $attributes, $map, $request, SimpleSAML\Logger\debug(), getGroups(), and sspmod_ldap_Auth_Process_BaseFilter\var_export().

+ Here is the call graph for this function:

◆ search()

sspmod_ldap_Auth_Process_AttributeAddUsersGroups::search (   $memberof)
protected

Looks for groups from the list of DN's passed.

Also recursively searches groups for further membership. Avoids loops by only searching a DN once. Returns the list of groups found.

Parameters
array$memberof
Returns
array

Definition at line 217 of file AttributeAddUsersGroups.php.

218 {
219 assert(is_array($memberof));
220
221 // Used to determine what DN's have already been searched
222 static $searched = array();
223
224 // Init the groups variable
225 $groups = array();
226
227 // Shorten the variable name
228 $map =& $this->attribute_map;
229
230 // Log the search
231 SimpleSAML\Logger::debug(
232 $this->title . 'Checking DNs for groups.' .
233 ' DNs: '. implode('; ', $memberof) .
234 ' Attributes: ' . $map['memberof'] . ', ' . $map['type'] .
235 ' Group Type: ' . $this->type_map['group']
236 );
237
238 // Work out what attributes to get for a group
239 $use_group_name = FALSE;
240 $get_attributes = array($map['memberof'], $map['type']);
241 if (isset($map['name']) && $map['name']) {
242 $get_attributes[] = $map['name'];
243 $use_group_name = TRUE;
244 }
245
246 // Check each DN of the passed memberOf
247 foreach ($memberof as $dn) {
248
249 // Avoid infinite loops, only need to check a DN once
250 if (isset($searched[$dn])) {
251 continue;
252 }
253
254 // Track all DN's that are searched
255 // Use DN for key as well, isset() is faster than in_array()
256 $searched[$dn] = $dn;
257
258 // Query LDAP for the attribute values for the DN
259 try {
260 $attributes = $this->getLdap()->getAttributes($dn, $get_attributes);
261 } catch (SimpleSAML_Error_AuthSource $e) {
262 continue; // DN must not exist, just continue. Logged by the LDAP object
263 }
264
265 // Only look for groups
266 if (!in_array($this->type_map['group'], $attributes[$map['type']], true)) {
267 continue;
268 }
269
270 // Add to found groups array
271 if ($use_group_name && isset($attributes[$map['name']]) && is_array($attributes[$map['name']])) {
272 $groups[] = $attributes[$map['name']][0];
273 } else {
274 $groups[] = $dn;
275 }
276
277 // Recursively search "sub" groups
278 if (!empty($attributes[$map['memberof']])) {
279 $groups = array_merge($groups, $this->search($attributes[$map['memberof']]));
280 }
281 }
282
283 // Return only the unique group names
284 return array_unique($groups);
285 }
SimpleSAML_Error_AuthSource
Definition: AuthSource.php:9

References sspmod_ldap_Auth_Process_BaseFilter\$attribute_map, $attributes, $map, SimpleSAML\Logger\debug(), sspmod_ldap_Auth_Process_BaseFilter\getLdap(), and search().

Referenced by getGroups(), and search().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ searchActiveDirectory()

sspmod_ldap_Auth_Process_AttributeAddUsersGroups::searchActiveDirectory (   $dn)
protected

Searches LDAP using a ActiveDirectory specific filter, looking for group membership for the users DN.

Returns the list of group DNs retrieved.

Parameters
string$dn
Returns
array

Definition at line 296 of file AttributeAddUsersGroups.php.

297 {
298 assert(is_string($dn) && $dn != '');
299
300 // Shorten the variable name
301 $map =& $this->attribute_map;
302
303 // Log the search
304 SimpleSAML\Logger::debug(
305 $this->title . 'Searching ActiveDirectory group membership.' .
306 ' DN: ' . $dn .
307 ' DN Attribute: ' . $map['dn'] .
308 ' Member Attribute: ' . $map['member'] .
309 ' Type Attribute: ' . $map['type'] .
310 ' Type Value: ' . $this->type_map['group'] .
311 ' Base: ' . implode('; ', $this->base_dn)
312 );
313
314 // AD connections should have this set
315 $this->getLdap()->setOption(LDAP_OPT_REFERRALS, 0);
316
317 // Search AD with the specific recursive flag
318 try {
319 $entries = $this->getLdap()->searchformultiple(
320 $this->base_dn,
321 array($map['type'] => $this->type_map['group'], $map['member'] . ':1.2.840.113556.1.4.1941:' => $dn),
322 array($map['dn'])
323 );
324
325 // The search may throw an exception if no entries
326 // are found, unlikely but possible.
327 } catch (SimpleSAML_Error_UserNotFound $e) {
328 return array();
329 }
330
331 //Init the groups
332 $groups = array();
333
334 // Check each entry..
335 foreach ($entries as $entry) {
336 // Check for the DN using the original attribute name
337 if (isset($entry[$map['dn']][0])) {
338 $groups[] = $entry[$map['dn']][0];
339 continue;
340 }
341
342 // Sometimes the returned attribute names are lowercase
343 if (isset($entry[strtolower($map['dn'])][0])) {
344 $groups[] = $entry[strtolower($map['dn'])][0];
345 continue;
346 }
347
348 // AD queries also seem to return the objects dn by default
349 if (isset($entry['dn'])) {
350 $groups[] = $entry['dn'];
351 continue;
352 }
353
354 // Could not find DN, log and continue
355 SimpleSAML\Logger::notice(
356 $this->title . 'The DN attribute [' .
357 implode(', ', array($map['dn'], strtolower($map['dn']), 'dn')) .
358 '] could not be found in the entry. ' . $this->var_export($entry)
359 );
360 }
361
362 // All done
363 return $groups;
364 }
SimpleSAML\Logger\notice
static notice($string)
Definition: Logger.php:188

References sspmod_ldap_Auth_Process_BaseFilter\$attribute_map, $map, SimpleSAML\Logger\debug(), sspmod_ldap_Auth_Process_BaseFilter\getLdap(), SimpleSAML\Logger\notice(), and sspmod_ldap_Auth_Process_BaseFilter\var_export().

Referenced by getGroupsActiveDirectory().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:
The documentation for this class was generated from the following file: