ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
class.ilAuthProviderLDAP.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 include_once './Services/Authentication/classes/Provider/class.ilAuthProvider.php';
6 include_once './Services/Authentication/interfaces/interface.ilAuthProviderInterface.php';
7 include_once './Services/Authentication/interfaces/interface.ilAuthProviderAccountMigrationInterface.php';
8 
15 class ilAuthProviderLDAP extends ilAuthProvider implements ilAuthProviderInterface, ilAuthProviderAccountMigrationInterface
16 {
17  private $server = null;
18  private $migration_account = '';
19  private $force_new_account = false;
20 
25  public function __construct(\ilAuthCredentials $credentials, $a_server_id = 0)
26  {
27  parent::__construct($credentials);
28  $this->initServer($a_server_id);
29  }
30 
35  public function getServer()
36  {
37  return $this->server;
38  }
39 
40 
45  public function doAuthentication(\ilAuthStatus $status)
46  {
47  try {
48  // bind
49  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
50  $query = new ilLDAPQuery($this->getServer());
51  $query->bind(IL_LDAP_BIND_DEFAULT);
52  } catch (ilLDAPQueryException $e) {
53  $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
54  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
55  return false;
56  }
57  try {
58  // Read user data, which does ensure a sucessful authentication.
59  $users = $query->fetchUser(
60  $this->getCredentials()->getUsername()
61  );
62 
63  if (!$users) {
64  $this->handleAuthenticationFail($status, 'err_wrong_login');
65  return false;
66  }
67  if (!trim($this->getCredentials()->getPassword())) {
68  $this->handleAuthenticationFail($status, 'err_wrong_login');
69  return false;
70  }
71  if (!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users)) {
72  $this->getLogger()->warning('Cannot find user: ' . $this->changeKeyCase($this->getCredentials()->getUsername()));
73  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
74  return false;
75  }
76 
77  // check group membership
78  if (!$query->checkGroupMembership(
79  $this->getCredentials()->getUsername(),
80  $users[$this->changeKeyCase($this->getCredentials()->getUsername())]
81  )) {
82  $this->handleAuthenticationFail($status, 'err_wrong_login');
83  return false;
84  }
85  } catch (ilLDAPQueryException $e) {
86  $this->getLogger()->error('Cannot fetch LDAP user data... ' . $e->getMessage());
87  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
88  return false;
89  }
90  try {
91  // now bind with login credentials
92  $query->bind(IL_LDAP_BIND_AUTH, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]['dn'], $this->getCredentials()->getPassword());
93  } catch (ilLDAPQueryException $e) {
94  $this->handleAuthenticationFail($status, 'err_wrong_login');
95  return false;
96  }
97 
98  // authentication success update profile
99  return $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
100  }
101 
107  protected function updateAccount(ilAuthStatus $status, array $user)
108  {
109  $user = array_change_key_case($user, CASE_LOWER);
110  $this->getLogger()->dump($user, ilLogLevel::DEBUG);
111 
112  include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
113  $sync = new ilLDAPUserSynchronisation('ldap_' . $this->getServer()->getServerId(), $this->getServer()->getServerId());
114  $sync->setExternalAccount($this->getCredentials()->getUsername());
115  $sync->setUserData($user);
116  $sync->forceCreation($this->force_new_account);
117 
118  try {
119  $internal_account = $sync->sync();
120  $this->getLogger()->debug('Internal account: ' . $internal_account);
121  } catch (UnexpectedValueException $e) {
122  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
123  $this->handleAuthenticationFail($status, 'err_wrong_login');
124  return false;
125  } catch (ilLDAPSynchronisationForbiddenException $e) {
126  // No syncronisation allowed => create Error
127  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
128  $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
129  return false;
130  } catch (ilLDAPAccountMigrationRequiredException $e) {
131  // Account migration required
132  $this->setExternalAccountName($this->getCredentials()->getUsername());
133  $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
134  $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
135  return false;
136  }
137  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
138  $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
139  return true;
140  }
141 
142 
143 
147  protected function initServer($a_server_id)
148  {
149  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
150  $this->server = new ilLDAPServer($a_server_id);
151  }
152 
153  // Account migration
154 
158  public function createNewAccount(ilAuthStatus $status)
159  {
160  $this->force_new_account = true;
161 
162  try {
163  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
164  $query = new ilLDAPQuery($this->getServer());
165  $query->bind(IL_LDAP_BIND_DEFAULT);
166  } catch (ilLDAPQueryException $e) {
167  $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
168  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
169  return false;
170  }
171  try {
172  // fetch user
173  $users = $query->fetchUser(
174  $this->getCredentials()->getUsername()
175  );
176  if (!$users) {
177  $this->handleAuthenticationFail($status, 'err_wrong_login');
178  return false;
179  }
180  if (!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users)) {
181  $this->handleAuthenticationFail($status, 'err_wrong_login');
182  return false;
183  }
184  } catch (ilLDAPQueryException $e) {
185  $this->getLogger()->error('Cannot fetch LDAP user data... ' . $e->getMessage());
186  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
187  return false;
188  }
189 
190  // authentication success update profile
191  $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
192  }
193 
194 
195 
199  public function migrateAccount(ilAuthStatus $status)
200  {
201  $this->force_new_account = true;
202 
203  try {
204  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
205  $query = new ilLDAPQuery($this->getServer());
206  $query->bind(IL_LDAP_BIND_DEFAULT);
207  } catch (ilLDAPQueryException $e) {
208  $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
209  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
210  return false;
211  }
212 
213  $users = $query->fetchUser($this->getCredentials()->getUsername());
214  $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
215  return true;
216  }
217 
221  public function getTriggerAuthMode()
222  {
223  return AUTH_LDAP . '_' . $this->getServer()->getServerId();
224  }
225 
229  public function getUserAuthModeName()
230  {
231  return 'ldap_' . $this->getServer()->getServerId();
232  }
233 
238  public function getExternalAccountName()
239  {
240  return $this->migration_account;
241  }
242 
247  public function setExternalAccountName($a_name)
248  {
249  $this->migration_account = $a_name;
250  }
251 
257  protected function changeKeyCase($a_string)
258  {
259  $as_array = array_change_key_case(array($a_string => $a_string));
260  foreach ($as_array as $key => $string) {
261  return $key;
262  }
263  }
264 }
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:11
ilAuthProviderLDAP\updateAccount
updateAccount(ilAuthStatus $status, array $user)
Update Account.
Definition: class.ilAuthProviderLDAP.php:107
ilAuthProviderLDAP\getTriggerAuthMode
getTriggerAuthMode()
Get trigger auth mode.
Definition: class.ilAuthProviderLDAP.php:221
ilAuthProviderLDAP\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderLDAP.php:158
ilAuthProviderLDAP\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderLDAP.php:45
IL_LDAP_BIND_AUTH
const IL_LDAP_BIND_AUTH
Definition: class.ilLDAPQuery.php:27
IL_LDAP_BIND_DEFAULT
const IL_LDAP_BIND_DEFAULT
Definition: class.ilLDAPQuery.php:24
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:14
ilObjUser\_lookupId
static _lookupId($a_user_str)
Lookup id by login.
Definition: class.ilObjUser.php:827
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:12
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId($a_id)
Definition: class.ilAuthStatus.php:116
ilAuthProviderLDAP
Description of class class.
Definition: class.ilAuthProviderLDAP.php:15
ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:11
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:11
ilAuthProviderLDAP\__construct
__construct(\ilAuthCredentials $credentials, $a_server_id=0)
Constructor.
Definition: class.ilAuthProviderLDAP.php:25
ilAuthStatus\setStatus
setStatus($a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilAuthProviderLDAP\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name.
Definition: class.ilAuthProviderLDAP.php:229
$sync
$sync
Definition: memcacheSync.php:62
ilAuthProviderLDAP\setExternalAccountName
setExternalAccountName($a_name)
Set external account name.
Definition: class.ilAuthProviderLDAP.php:247
$query
$query
Definition: proxy_ylocal.php:13
$user
$user
Definition: migrateto20.php:57
$users
$users
Definition: authpage.php:44
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38
ilAuthProviderLDAP\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderLDAP.php:199
ilAuthProviderLDAP\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderLDAP.php:238
ilAuthProviderLDAP\initServer
initServer($a_server_id)
Init Server.
Definition: class.ilAuthProviderLDAP.php:147
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:55
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:11
$key
$key
Definition: croninfo.php:18
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:20
ilAuthProviderLDAP\changeKeyCase
changeKeyCase($a_string)
Change case similar to array_change_key_case, to avoid further encoding problems. ...
Definition: class.ilAuthProviderLDAP.php:257