ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
class.ilAuthProviderLDAP.php
Go to the documentation of this file.
1<?php
2
3/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4
5include_once './Services/Authentication/classes/Provider/class.ilAuthProvider.php';
6include_once './Services/Authentication/interfaces/interface.ilAuthProviderInterface.php';
7include_once './Services/Authentication/interfaces/interface.ilAuthProviderAccountMigrationInterface.php';
8
15class ilAuthProviderLDAP extends ilAuthProvider implements ilAuthProviderInterface, ilAuthProviderAccountMigrationInterface
16{
17 private $server = null;
18 private $migration_account = '';
19 private $force_new_account = false;
20
25 public function __construct(\ilAuthCredentials $credentials, $a_server_id = 0)
26 {
27 parent::__construct($credentials);
28 $this->initServer($a_server_id);
29 }
30
35 public function getServer()
36 {
37 return $this->server;
38 }
39
40
45 public function doAuthentication(\ilAuthStatus $status)
46 {
47 try {
48 // bind
49 include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
50 $query = new ilLDAPQuery($this->getServer());
51 $query->bind(IL_LDAP_BIND_DEFAULT);
52 } catch (ilLDAPQueryException $e) {
53 $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
54 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
55 return false;
56 }
57 try {
58 // Read user data, which does ensure a sucessful authentication.
59 $users = $query->fetchUser(
60 $this->getCredentials()->getUsername()
61 );
62
63 if (!$users) {
64 $this->handleAuthenticationFail($status, 'err_wrong_login');
65 return false;
66 }
67 if (!trim($this->getCredentials()->getPassword())) {
68 $this->handleAuthenticationFail($status, 'err_wrong_login');
69 return false;
70 }
71 if (!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users)) {
72 $this->getLogger()->warning('Cannot find user: ' . $this->changeKeyCase($this->getCredentials()->getUsername()));
73 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
74 return false;
75 }
76
77 // check group membership
78 if (!$query->checkGroupMembership(
79 $this->getCredentials()->getUsername(),
80 $users[$this->changeKeyCase($this->getCredentials()->getUsername())]
81 )) {
82 $this->handleAuthenticationFail($status, 'err_wrong_login');
83 return false;
84 }
85 } catch (ilLDAPQueryException $e) {
86 $this->getLogger()->error('Cannot fetch LDAP user data... ' . $e->getMessage());
87 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
88 return false;
89 }
90 try {
91 // now bind with login credentials
92 $query->bind(IL_LDAP_BIND_AUTH, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]['dn'], $this->getCredentials()->getPassword());
93 } catch (ilLDAPQueryException $e) {
94 $this->handleAuthenticationFail($status, 'err_wrong_login');
95 return false;
96 }
97
98 // authentication success update profile
99 return $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
100 }
101
107 protected function updateAccount(ilAuthStatus $status, array $user)
108 {
109 $user = array_change_key_case($user, CASE_LOWER);
110 $this->getLogger()->dump($user, ilLogLevel::DEBUG);
111
112 include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
113 $sync = new ilLDAPUserSynchronisation('ldap_' . $this->getServer()->getServerId(), $this->getServer()->getServerId());
114 $sync->setExternalAccount($this->getCredentials()->getUsername());
115 $sync->setUserData($user);
116 $sync->forceCreation($this->force_new_account);
117
118 try {
119 $internal_account = $sync->sync();
120 $this->getLogger()->debug('Internal account: ' . $internal_account);
121 } catch (UnexpectedValueException $e) {
122 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
123 $this->handleAuthenticationFail($status, 'err_wrong_login');
124 return false;
125 } catch (ilLDAPSynchronisationForbiddenException $e) {
126 // No syncronisation allowed => create Error
127 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
128 $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
129 return false;
130 } catch (ilLDAPAccountMigrationRequiredException $e) {
131 // Account migration required
132 $this->setExternalAccountName($this->getCredentials()->getUsername());
133 $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
134 $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
135 return false;
136 }
137 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
138 $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
139 return true;
140 }
141
142
143
147 protected function initServer($a_server_id)
148 {
149 include_once './Services/LDAP/classes/class.ilLDAPServer.php';
150 $this->server = new ilLDAPServer($a_server_id);
151 }
152
153 // Account migration
154
158 public function createNewAccount(ilAuthStatus $status)
159 {
160 $this->force_new_account = true;
161
162 try {
163 include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
164 $query = new ilLDAPQuery($this->getServer());
165 $query->bind(IL_LDAP_BIND_DEFAULT);
166 } catch (ilLDAPQueryException $e) {
167 $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
168 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
169 return false;
170 }
171 try {
172 // fetch user
173 $users = $query->fetchUser(
174 $this->getCredentials()->getUsername()
175 );
176 if (!$users) {
177 $this->handleAuthenticationFail($status, 'err_wrong_login');
178 return false;
179 }
180 if (!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users)) {
181 $this->handleAuthenticationFail($status, 'err_wrong_login');
182 return false;
183 }
184 } catch (ilLDAPQueryException $e) {
185 $this->getLogger()->error('Cannot fetch LDAP user data... ' . $e->getMessage());
186 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
187 return false;
188 }
189
190 // authentication success update profile
191 $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
192 }
193
194
195
199 public function migrateAccount(ilAuthStatus $status)
200 {
201 $this->force_new_account = true;
202
203 try {
204 include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
205 $query = new ilLDAPQuery($this->getServer());
206 $query->bind(IL_LDAP_BIND_DEFAULT);
207 } catch (ilLDAPQueryException $e) {
208 $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
209 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
210 return false;
211 }
212
213 $users = $query->fetchUser($this->getCredentials()->getUsername());
214 $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
215 return true;
216 }
217
221 public function getTriggerAuthMode()
222 {
223 return AUTH_LDAP . '_' . $this->getServer()->getServerId();
224 }
225
229 public function getUserAuthModeName()
230 {
231 return 'ldap_' . $this->getServer()->getServerId();
232 }
233
238 public function getExternalAccountName()
239 {
240 return $this->migration_account;
241 }
242
247 public function setExternalAccountName($a_name)
248 {
249 $this->migration_account = $a_name;
250 }
251
257 protected function changeKeyCase($a_string)
258 {
259 $as_array = array_change_key_case(array($a_string => $a_string));
260 foreach ($as_array as $key => $string) {
261 return $key;
262 }
263 }
264}
$users
$users
Definition: authpage.php:44
php
An exception for terminatinating execution or to throw for unit testing.
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
IL_LDAP_BIND_AUTH
const IL_LDAP_BIND_AUTH
Definition: class.ilLDAPQuery.php:27
IL_LDAP_BIND_DEFAULT
const IL_LDAP_BIND_DEFAULT
Definition: class.ilLDAPQuery.php:24
ilAuthProviderLDAP
Description of class class.
Definition: class.ilAuthProviderLDAP.php:16
ilAuthProviderLDAP\updateAccount
updateAccount(ilAuthStatus $status, array $user)
Update Account.
Definition: class.ilAuthProviderLDAP.php:107
ilAuthProviderLDAP\getTriggerAuthMode
getTriggerAuthMode()
Get trigger auth mode.
Definition: class.ilAuthProviderLDAP.php:221
ilAuthProviderLDAP\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name.
Definition: class.ilAuthProviderLDAP.php:229
ilAuthProviderLDAP\initServer
initServer($a_server_id)
Init Server.
Definition: class.ilAuthProviderLDAP.php:147
ilAuthProviderLDAP\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderLDAP.php:199
ilAuthProviderLDAP\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderLDAP.php:158
ilAuthProviderLDAP\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderLDAP.php:45
ilAuthProviderLDAP\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderLDAP.php:238
ilAuthProviderLDAP\__construct
__construct(\ilAuthCredentials $credentials, $a_server_id=0)
Constructor.
Definition: class.ilAuthProviderLDAP.php:25
ilAuthProviderLDAP\changeKeyCase
changeKeyCase($a_string)
Change case similar to array_change_key_case, to avoid further encoding problems.
Definition: class.ilAuthProviderLDAP.php:257
ilAuthProviderLDAP\setExternalAccountName
setExternalAccountName($a_name)
Set external account name.
Definition: class.ilAuthProviderLDAP.php:247
ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:12
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:55
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:12
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:20
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:13
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:15
ilObjUser\_lookupId
static _lookupId($a_user_str)
Lookup id by login.
Definition: class.ilObjUser.php:827
$key
$key
Definition: croninfo.php:18
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:12
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:12
$sync
$sync
Definition: memcacheSync.php:62
$user
$user
Definition: migrateto20.php:57
$query
$query
Definition: proxy_ylocal.php:13