ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
ilLDAPRoleGroupMapping Class Reference

Public Member Functions

 getInfoStrings ($a_obj_id, $a_check_type=false)
 Get the info strings for an object. If check type is enabled, only info strings that are visible in the repository are returned.

 assign ($a_role_id, $a_usr_id)
 Typically called from ilRbacAdmin::assignUser(). Checks that a role mapping exists and that the user has an LDAP account, then adds the user to the mapped LDAP group.

 deleteRole ($a_role_id)
 Delete role: deassign all users from the mapped LDAP group.

 deassign ($a_role_id, $a_usr_id)
 Typically called from ilRbacAdmin::deassignUser(). Checks that a role mapping exists and that the user has an LDAP account, then removes the user from the mapped LDAP group.

 deleteUser ($a_usr_id)
 Delete user: deassign from all mapped LDAP groups.


Static Public Member Functions

static _getInstance ()
 Get singleton instance of this class.


Private Member Functions

 __construct ()
 Singleton constructor.

 initServers ()
 Check if there is any active server with role synchronisation enabled and, if so, load its servers, mappings and external accounts.

 isHandledRole ($a_role_id)
 Check if a role is handled (has a mapping) or not.

 isHandledUser ($a_usr_id)
 Check if user is an LDAP user.

 assignToGroup ($a_role_id, $a_usr_id)
 Assign user to group.

 deassignFromGroup ($a_role_id, $a_usr_id)
 Deassign user from group.

 checkOtherMembership ($a_usr_id, $a_role_id, $a_data)
 Check whether another mapped role still grants the user the same LDAP group.

 storeMembers ($a_mapping_id, $a_data)
 Store members.

 readDN ($a_usr_id, $a_server_id)
 Read DN of user.

 getLDAPQueryInstance ($a_server_id, $a_url)
 Get LDAPQueryInstance.
 

Private Attributes

 $log = null
 
 $servers = null
 
 $mappings = array()
 
 $mapping_members = array()
 
 $query = array()
 
 $active_servers = false
 
 $users = []
 

Static Private Attributes

static $instance = null
 

Detailed Description

Author
Stefan Meyer <meyer@leifos.com>
Version
$Id$

Definition at line 34 of file class.ilLDAPRoleGroupMapping.php.

Constructor & Destructor Documentation

◆ __construct()

ilLDAPRoleGroupMapping::__construct ( )
private

Singleton constructor.

private

Definition at line 58 of file class.ilLDAPRoleGroupMapping.php.

References $DIC, and initServers().

{
    global $DIC;

    // auth channel of the ILIAS logger; every LDAP group change made by this class is logged there
    $this->log = $DIC->logger()->auth();

    $this->initServers();
}

Member Function Documentation

◆ _getInstance()

static ilLDAPRoleGroupMapping::_getInstance ( )
static

Get singleton instance of this class.

public

Definition at line 73 of file class.ilLDAPRoleGroupMapping.php.

Referenced by ilObjectListGUI\__construct(), ilRbacAdmin\assignUser(), ilRbacAdmin\assignUserLimited(), ilRbacAdmin\deassignUser(), ilObjUser\delete(), ilRbacAdmin\deleteRole(), and ilInfoScreenGUI\showLDAPRoleGroupMappingInfo().

{
    if (is_object(self::$instance)) {
        return self::$instance;
    }
    return self::$instance = new ilLDAPRoleGroupMapping();
}

◆ assign()

ilLDAPRoleGroupMapping::assign (   $a_role_id,
  $a_usr_id 
)

This method is typically called from ilRbacAdmin::assignUser(). It checks that a role mapping exists and that the user has an LDAP account; after these checks the user is added to the mapped LDAP group.

public

Parameters

Definition at line 117 of file class.ilLDAPRoleGroupMapping.php.

References assignToGroup(), isHandledRole(), and isHandledUser().

{
    // return if there is nothing to do
    if (!$this->active_servers) {
        return false;
    }

    if (!$this->isHandledRole($a_role_id)) {
        return false;
    }
    if (!$this->isHandledUser($a_usr_id)) {
        $this->log->info('LDAP assign: User ID: ' . $a_usr_id . ' has no LDAP account');
        return false;
    }
    $this->log->info('LDAP assigned: User ID: ' . $a_usr_id . ' Role Id: ' . $a_role_id);
    // assignToGroup() logs and swallows ilLDAPQueryException, so true is returned
    // even if the LDAP write failed
    $this->assignToGroup($a_role_id, $a_usr_id);

    return true;
}

◆ assignToGroup()

ilLDAPRoleGroupMapping::assignToGroup (   $a_role_id,
  $a_usr_id 
)
private

Assign user to group.

private

Parameters
int $a_role_id
int $a_usr_id

Definition at line 290 of file class.ilLDAPRoleGroupMapping.php.

References $data, getLDAPQueryInstance(), and readDN().

Referenced by assign().

{
    foreach ($this->mappings[$a_role_id] as $data) {
        try {
            if ($data['isdn']) {
                // member attribute holds DNs: look the user's DN up on the server
                $external_account = $this->readDN($a_usr_id, $data['server_id']);
            } else {
                // member attribute holds the plain external account name.
                // isHandledUser() only checks that some server knows the user; if this
                // server does not, this index is undefined.
                $external_account = $this->users[$data['server_id']][$a_usr_id];
            }
            // Forcing modAdd since Active Directory is too slow and I cannot check if a user is member or not.
            // The connection is bound with the server's admin credentials (see getLDAPQueryInstance()).
            $query_obj = $this->getLDAPQueryInstance($data['server_id'], $data['url']);
            $query_obj->modAdd($data['dn'], array($data['member'] => $external_account));
            $this->log->info('LDAP assign: Assigned ' . $external_account . ' to group ' . $data['dn']);
        } catch (ilLDAPQueryException $exc) {
            // a failed group update is only logged as a warning
            $this->log->warning($exc->getMessage());
            // try next mapping
            continue;
        }
    }
}

◆ checkOtherMembership()

ilLDAPRoleGroupMapping::checkOtherMembership (   $a_usr_id,
  $a_role_id,
  $a_data 
)
private

Check other membership.

private

Returns
string title of another role that maps to the same LDAP group on the same server and to which the user is still assigned, or false if there is none

Definition at line 362 of file class.ilLDAPRoleGroupMapping.php.

References $data, and $DIC.

Referenced by deassignFromGroup().

{
    global $DIC;

    $rbacreview = $DIC['rbacreview'];
    $ilObjDataCache = $DIC['ilObjDataCache'];

    // look for a different role whose mapping points to the same group DN on the
    // same server and which the user still holds; such a role keeps the membership alive
    foreach ($this->mappings as $role_id => $tmp_data) {
        foreach ($tmp_data as $data) {
            if ($role_id == $a_role_id) {
                continue;
            }
            if ($data['server_id'] != $a_data['server_id']) {
                continue;
            }
            if ($data['dn'] != $a_data['dn']) {
                continue;
            }
            if ($rbacreview->isAssigned($a_usr_id, $role_id)) {
                return $ilObjDataCache->lookupTitle($role_id);
            }
        }
    }
    return false;
}

◆ deassign()

ilLDAPRoleGroupMapping::deassign (   $a_role_id,
  $a_usr_id 
)

This method is typically called from ilRbacAdmin::deassignUser(). It checks that a role mapping exists and that the user has an LDAP account; after these checks the user is removed from the mapped LDAP group.

public

Parameters

Definition at line 177 of file class.ilLDAPRoleGroupMapping.php.

References deassignFromGroup(), isHandledRole(), and isHandledUser().

Referenced by deleteRole(), and deleteUser().

{
    // return if there is nothing to do
    if (!$this->active_servers) {
        return false;
    }
    if (!$this->isHandledRole($a_role_id)) {
        return false;
    }
    if (!$this->isHandledUser($a_usr_id)) {
        return false;
    }
    $this->log->info('LDAP deassigned: User ID: ' . $a_usr_id . ' Role Id: ' . $a_role_id);
    // deassignFromGroup() logs and swallows ilLDAPQueryException, so true is returned
    // even if the LDAP write failed
    $this->deassignFromGroup($a_role_id, $a_usr_id);

    return true;
}

◆ deassignFromGroup()

ilLDAPRoleGroupMapping::deassignFromGroup (   $a_role_id,
  $a_usr_id 
)
private

Deassign user from group.

private

Parameters
int $a_role_id
int $a_usr_id

Definition at line 319 of file class.ilLDAPRoleGroupMapping.php.

References $data, $key, checkOtherMembership(), getLDAPQueryInstance(), and readDN().

Referenced by deassign().

{
    foreach ($this->mappings[$a_role_id] as $data) {
        try {
            if ($data['isdn']) {
                $external_account = $this->readDN($a_usr_id, $data['server_id']);
            } else {
                $external_account = $this->users[$data['server_id']][$a_usr_id];
            }

            // Check for other role membership: if another mapped role still grants
            // the same group, the LDAP membership is kept
            if ($role_id = $this->checkOtherMembership($a_usr_id, $a_role_id, $data)) {
                $this->log->info('LDAP deassign: User is still assigned to role "' . $role_id . '".');
                continue;
            }
            // Deassign user
            $query_obj = $this->getLDAPQueryInstance($data['server_id'], $data['url']);
            $query_obj->modDelete($data['dn'], array($data['member'] => $external_account));
            $this->log->info('LDAP deassign: Deassigned ' . $external_account . ' from group ' . $data['dn']);

            // Delete from cache
            if (is_array($this->mapping_members[$data['mapping_id']])) {
                $key = array_search($external_account, $this->mapping_members[$data['mapping_id']]);
                if ($key or $key === 0) {
                    // note: this drops the whole cached member list of the mapping,
                    // not only the entry found at $key
                    unset($this->mapping_members[$data['mapping_id']]);
                }
            }
        } catch (ilLDAPQueryException $exc) {
            $this->log->warning($exc->getMessage());
            // try next mapping
            continue;
        }
    }
}
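To make the assign/deassign semantics above concrete, here is an added Python model of the decision logic in assign(), deassign() and checkOtherMembership(). It is example code written for this page, not ILIAS code: the class names (Mapping, FakeLdapGroups, RoleGroupMapping) and the sample users, roles and group DNs are constructed. It replaces the LDAP modAdd/modDelete calls with an in-memory member table and rbacreview->isAssigned() with a dict of role assignments, and it skips a mapping whose server has no external account for the user (where the PHP above would read an undefined index).

```python
"""Model of ilLDAPRoleGroupMapping::assign()/deassign() decision logic.

Added example for this page, not ILIAS code. LDAP writes are replaced by an
in-memory group table, rbacreview->isAssigned() by a dict of role assignments.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mapping:
    """One row of the role -> LDAP group mapping (server_id, group DN, member attribute)."""
    server_id: int
    dn: str
    member: str


@dataclass
class FakeLdapGroups:
    """Stand-in for ilLDAPQuery::modAdd()/modDelete() on a group's member attribute."""
    members: dict = field(default_factory=dict)   # (server_id, dn) -> set of member values
    log: list = field(default_factory=list)       # ("add"|"delete", server_id, dn, value)

    def mod_add(self, server_id, dn, value):
        # assign() always adds without checking current membership (forced modAdd)
        self.members.setdefault((server_id, dn), set()).add(value)
        self.log.append(("add", server_id, dn, value))

    def mod_delete(self, server_id, dn, value):
        self.members.get((server_id, dn), set()).discard(value)
        self.log.append(("delete", server_id, dn, value))


class RoleGroupMapping:
    def __init__(self, mappings, users, assignments, ldap):
        self.mappings = mappings          # role_id -> [Mapping, ...]            ($this->mappings)
        self.users = users                # server_id -> {usr_id: ext account}   ($this->users)
        self.assignments = assignments    # role_id -> set(usr_id)               (rbacreview->isAssigned)
        self.ldap = ldap

    def is_handled_role(self, role_id):
        return role_id in self.mappings

    def is_handled_user(self, usr_id):
        # true if *any* role-sync server knows the user
        return any(usr_id in accounts for accounts in self.users.values())

    def other_membership(self, usr_id, role_id, mapping):
        """checkOtherMembership(): a different role mapping the same group on the
        same server that still holds the user, or None."""
        for other_role, maps in self.mappings.items():
            if other_role == role_id:
                continue
            for m in maps:
                if ((m.server_id, m.dn) == (mapping.server_id, mapping.dn)
                        and usr_id in self.assignments.get(other_role, set())):
                    return other_role
        return None

    def _account(self, mapping, usr_id):
        # differs from the PHP: None instead of an undefined index when the
        # mapping's server has no external account for this user
        return self.users.get(mapping.server_id, {}).get(usr_id)

    def assign(self, role_id, usr_id):
        if not self.is_handled_role(role_id) or not self.is_handled_user(usr_id):
            return False
        for m in self.mappings[role_id]:
            account = self._account(m, usr_id)
            if account is not None:
                self.ldap.mod_add(m.server_id, m.dn, account)
        return True

    def deassign(self, role_id, usr_id):
        if not self.is_handled_role(role_id) or not self.is_handled_user(usr_id):
            return False
        for m in self.mappings[role_id]:
            if self.other_membership(usr_id, role_id, m) is not None:
                continue   # still entitled through another role: keep the LDAP membership
            account = self._account(m, usr_id)
            if account is not None:
                self.ldap.mod_delete(m.server_id, m.dn, account)
        return True


# Constructed sample data: two servers, three LDAP users, three ILIAS roles.
STAFF = "cn=staff,ou=groups,dc=example,dc=org"
ADMINS = "cn=admins,ou=groups,dc=example,dc=org"
MAPPINGS = {
    100: [Mapping(1, STAFF, "member")],
    200: [Mapping(1, STAFF, "member")],    # second role mapped to the same group
    300: [Mapping(2, ADMINS, "member")],   # mapping on a server that does not know alice/bob
}
USERS = {1: {10: "alice", 11: "bob"}, 2: {12: "carol"}}


def run_scenario():
    """Assign roles, then deassign role 100 from alice (kept via role 200) and bob (removed)."""
    ldap = FakeLdapGroups()
    rgm = RoleGroupMapping(MAPPINGS, USERS, {100: {10, 11}, 200: {10}}, ldap)
    results = [
        rgm.assign(100, 10), rgm.assign(200, 10), rgm.assign(100, 11),
        rgm.assign(300, 10),   # handled role and user, but no account on server 2: no write
        rgm.assign(100, 99),   # user without an LDAP account
        rgm.assign(999, 10),   # role without a mapping
        rgm.deassign(100, 10), rgm.deassign(100, 11),
    ]
    return results, ldap


if __name__ == "__main__":
    results, ldap = run_scenario()
    print(results, sorted(ldap.members[(1, STAFF)]), ldap.log)
```

The scenario ends with alice still in cn=staff (role 200 keeps her there) and bob removed; the role-300 call returns true without touching LDAP, which is the multi-server case the PHP does not guard.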

◆ deleteRole()

ilLDAPRoleGroupMapping::deleteRole (   $a_role_id)

Delete role.

This function is triggered from ilRbacAdmin::deleteRole(). It deassigns all users from the mapped LDAP group.

public

Parameters
int $a_role_id

Definition at line 146 of file class.ilLDAPRoleGroupMapping.php.

References $DIC, deassign(), and isHandledRole().

{
    global $DIC;

    $rbacreview = $DIC['rbacreview'];

    // return if there is nothing to do
    if (!$this->active_servers) {
        return false;
    }

    if (!$this->isHandledRole($a_role_id)) {
        return false;
    }

    // every user currently assigned to the role is removed from the mapped group
    foreach ($rbacreview->assignedUsers($a_role_id) as $usr_id) {
        $this->deassign($a_role_id, $usr_id);
    }
    return true;
}

◆ deleteUser()

ilLDAPRoleGroupMapping::deleteUser (   $a_usr_id)

Delete user => deassign from all ldap groups.

public

Parameters
int $a_usr_id

Definition at line 201 of file class.ilLDAPRoleGroupMapping.php.

References $data, and deassign().

{
    // $this->mappings is keyed by role id; deassign() skips roles the user does not hold
    foreach ($this->mappings as $role_id => $data) {
        $this->deassign($role_id, $a_usr_id);
    }
    return true;
}

◆ getInfoStrings()

ilLDAPRoleGroupMapping::getInfoStrings (   $a_obj_id,
  $a_check_type = false 
)

Get the info strings for an object. If check type is enabled, only info strings that are visible in the repository are returned.

public

Parameters
int $a_obj_id
bool $a_check_type

Definition at line 90 of file class.ilLDAPRoleGroupMapping.php.

{
    if (!$this->active_servers) {
        return false;
    }
    // $mapping_info and $mapping_info_strict are filled by initServers();
    // they are not declared as class attributes
    if ($a_check_type) {
        if (isset($this->mapping_info_strict[$a_obj_id]) and is_array($this->mapping_info_strict[$a_obj_id])) {
            return $this->mapping_info_strict[$a_obj_id];
        }
    } else {
        if (isset($this->mapping_info[$a_obj_id]) and is_array($this->mapping_info[$a_obj_id])) {
            return $this->mapping_info[$a_obj_id];
        }
    }
    return false;
}

◆ getLDAPQueryInstance()

ilLDAPRoleGroupMapping::getLDAPQueryInstance (   $a_server_id,
  $a_url 
)
private

Get LDAPQueryInstance.

private

Parameters

Definition at line 477 of file class.ilLDAPRoleGroupMapping.php.

References IL_LDAP_BIND_ADMIN.

Referenced by assignToGroup(), deassignFromGroup(), and readDN().

{
    include_once 'Services/LDAP/classes/class.ilLDAPQuery.php';

    // one bound connection per (server, url) is cached for the lifetime of the singleton
    if (array_key_exists($a_server_id, $this->query) and
        array_key_exists($a_url, $this->query[$a_server_id]) and
        is_object($this->query[$a_server_id][$a_url])) {
        return $this->query[$a_server_id][$a_url];
    }
    try {
        $tmp_query = new ilLDAPQuery($this->servers[$a_server_id], $a_url);
        // group membership is modified through the server's configured admin bind,
        // so that account needs write access to the mapped group entries
        $tmp_query->bind(IL_LDAP_BIND_ADMIN);
    } catch (ilLDAPQueryException $exc) {
        // catch-and-rethrow: the exception reaches the caller unchanged
        throw $exc;
    }
    return $this->query[$a_server_id][$a_url] = $tmp_query;
}

◆ initServers()

ilLDAPRoleGroupMapping::initServers ( )
private

Check if there is any active server with role synchronisation enabled and, if so, load its servers, mappings and external accounts.

private

Parameters

Definition at line 217 of file class.ilLDAPRoleGroupMapping.php.

References $data, $key, ilLDAPRoleGroupMappingSettings\_getAllActiveMappings(), ilObjUser\_getExternalAccountsByAuthMode(), ilLDAPServer\_getRoleSyncServerIds(), and ilLDAPRoleGroupMappingSettings\MAPPING_INFO_ALL.

Referenced by __construct().

{
    $server_ids = ilLDAPServer::_getRoleSyncServerIds();

    if (!count($server_ids)) {
        return false;
    }

    // Init servers
    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');

    $this->active_servers = true;
    $this->mappings = array();
    $this->users = [];
    foreach ($server_ids as $server_id) {
        $this->servers[$server_id] = new ilLDAPServer($server_id);
        // (source line 233 is missing from the generated listing; it is the only place
        // that can account for the ilLDAPRoleGroupMappingSettings::_getAllActiveMappings()
        // reference listed above, i.e. where $this->mappings is populated)
        // external accounts of every user whose auth mode is this server
        $this->users[$server_id] = ilObjUser::_getExternalAccountsByAuthMode(
            'ldap_' . $server_id,
            true
        );
    }
    // per-object info strings shown in the repository (see getInfoStrings())
    $this->mapping_info = array();
    $this->mapping_info_strict = array();
    foreach ($this->mappings as $mapping) {
        foreach ($mapping as $key => $data) {
            if (strlen($data['info']) and $data['object_id']) {
                $this->mapping_info[$data['object_id']][] = $data['info'];
            }
            if (strlen($data['info']) && ($data['info_type'] == ilLDAPRoleGroupMappingSettings::MAPPING_INFO_ALL)) {
                $this->mapping_info_strict[$data['object_id']][] = $data['info'];
            }
        }
    }
    return true;
}

◆ isHandledRole()

ilLDAPRoleGroupMapping::isHandledRole (   $a_role_id)
private

Check if a role is handled or not.

private

Parameters
introle_id
Returns
bool true if a mapping exists for the role, false otherwise

Definition at line 262 of file class.ilLDAPRoleGroupMapping.php.

Referenced by assign(), deassign(), and deleteRole().

{
    return array_key_exists($a_role_id, $this->mappings);
}

◆ isHandledUser()

ilLDAPRoleGroupMapping::isHandledUser (   $a_usr_id)
private

Check if user is ldap user.

private

Definition at line 272 of file class.ilLDAPRoleGroupMapping.php.

References $users.

Referenced by assign(), and deassign().

{
    // true if any role-sync server has an external account for the user
    foreach ($this->users as $server_id => $users) {
        if (array_key_exists($a_usr_id, $users)) {
            return true;
        }
    }
    return false;
}

◆ readDN()

ilLDAPRoleGroupMapping::readDN (   $a_usr_id,
  $a_server_id 
)
private

Read DN of user.

private

Parameters
int $a_usr_id
int $a_server_id
Exceptions
ilLDAPQueryException

Definition at line 421 of file class.ilLDAPRoleGroupMapping.php.

References $data, $res, $server, and getLDAPQueryInstance().

Referenced by assignToGroup(), and deassignFromGroup().

{
    // DN cache is keyed by user id only, not by server id
    if (isset($this->user_dns[$a_usr_id])) {
        return $this->user_dns[$a_usr_id];
    }

    $external_account = $this->users[$a_server_id][$a_usr_id];

    try {
        $server = $this->servers[$a_server_id];
        $query_obj = $this->getLDAPQueryInstance($a_server_id, $server->getUrl());

        if ($search_base = $server->getSearchBase()) {
            $search_base .= ',';
        }
        $search_base .= $server->getBaseDN();

        // try optional group user filter first
        if ($server->isMembershipOptional() and $server->getGroupUserFilter()) {
            $userFilter = $server->getGroupUserFilter();
        } else {
            $userFilter = $server->getFilter();
        }

        // the external account (taken from the ILIAS user record) is inserted into
        // the filter verbatim, without ldap_escape()
        $filter = sprintf(
            '(&(%s=%s)%s)',
            $server->getUserAttribute(),
            $external_account,
            $userFilter
        );

        $res = $query_obj->query($search_base, $filter, $server->getUserScope(), array('dn'));

        // exactly one entry must match; zero or several is an error
        if (!$res->numRows()) {
            include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
            throw new ilLDAPQueryException(__METHOD__ . ' cannot find dn for user ' . $external_account);
        }
        if ($res->numRows() > 1) {
            include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
            throw new ilLDAPQueryException(__METHOD__ . ' found multiple distinguished name for: ' . $external_account);
        }

        $data = $res->get();
        return $this->user_dns[$a_usr_id] = $data['dn'];
    } catch (ilLDAPQueryException $exc) {
        throw $exc;
    }
}
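The filter that readDN() hands to query() is built with sprintf() from the server settings and the user's external account. The following added Python example (written for this page, not ILIAS code; the SERVER settings are constructed sample values and the function names are made up) rebuilds the same search base, filter choice and single-result check, and adds RFC 4515 escaping of the account value, which the PHP above does not do:

```python
"""Building readDN()'s user-lookup filter with RFC 4515 escaping.

Added example for this page, not ILIAS code. SERVER holds constructed sample
values in the shape the ilLDAPServer getters return them.
"""


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_search_base(search_base, base_dn):
    """Same as readDN(): the optional search base is prefixed to the base DN."""
    return (search_base + "," if search_base else "") + base_dn


def pick_user_filter(membership_optional, group_user_filter, default_filter):
    """Same as readDN(): the group user filter wins only when membership is optional."""
    return group_user_filter if membership_optional and group_user_filter else default_filter


def build_user_filter(user_attribute, external_account, user_filter, escape=True):
    """(&(<attr>=<account>)<user_filter>); escape=False reproduces readDN()'s sprintf()."""
    value = escape_filter_value(external_account) if escape else external_account
    return "(&(%s=%s)%s)" % (user_attribute, value, user_filter)


def select_single_dn(entries, external_account):
    """readDN()'s result check: exactly one entry must match."""
    if not entries:
        raise LookupError("cannot find dn for user " + external_account)
    if len(entries) > 1:
        raise LookupError("found multiple distinguished name for: " + external_account)
    return entries[0]["dn"]


# Constructed server settings (not from any real ILIAS installation).
SERVER = {
    "search_base": "ou=people",
    "base_dn": "dc=example,dc=org",
    "user_attribute": "uid",
    "filter": "(objectClass=inetOrgPerson)",
    "group_user_filter": "(&(objectClass=inetOrgPerson)(memberOf=cn=staff,ou=groups,dc=example,dc=org))",
    "membership_optional": False,
}


def lookup_parameters(external_account, escape=True):
    """Return (search_base, filter) as readDN() would pass them to query()."""
    base = build_search_base(SERVER["search_base"], SERVER["base_dn"])
    user_filter = pick_user_filter(SERVER["membership_optional"],
                                   SERVER["group_user_filter"], SERVER["filter"])
    return base, build_user_filter(SERVER["user_attribute"], external_account, user_filter, escape)


if __name__ == "__main__":
    print(lookup_parameters("alice"))
    print(lookup_parameters("*", escape=False)[1], "vs", lookup_parameters("*")[1])
```

With escape=False the output is exactly what readDN()'s sprintf() produces. The account value is not request-controlled here (it comes from the ILIAS user table), and readDN() refuses zero or multiple hits, so an unescaped value containing filter metacharacters is interpreted as filter syntax and either triggers the multiple-result exception or matches an entry other than the intended one; the escaped form matches the account literally and is what PHP's ldap_escape($value, '', LDAP_ESCAPE_FILTER) produces.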

◆ storeMembers()

ilLDAPRoleGroupMapping::storeMembers (   $a_mapping_id,
  $a_data 
)
private

Store Members.

private

Definition at line 394 of file class.ilLDAPRoleGroupMapping.php.

{
    // collect every member value of the group entry, flattening multi-valued attributes
    $this->mapping_members[$a_mapping_id] = array();
    foreach ($a_data as $field => $value) {
        if (strtolower($field) == 'dn') {
            continue;
        }

        if (!is_array($value)) {
            $this->mapping_members[$a_mapping_id][] = $value;
            continue;
        }
        foreach ($value as $external_account) {
            $this->mapping_members[$a_mapping_id][] = $external_account;
        }
    }
    return true;
}

Field Documentation

◆ $active_servers

ilLDAPRoleGroupMapping::$active_servers = false
private

Definition at line 45 of file class.ilLDAPRoleGroupMapping.php.

◆ $instance

ilLDAPRoleGroupMapping::$instance = null
static private

Definition at line 40 of file class.ilLDAPRoleGroupMapping.php.

◆ $log

ilLDAPRoleGroupMapping::$log = null
private

Definition at line 39 of file class.ilLDAPRoleGroupMapping.php.

◆ $mapping_members

ilLDAPRoleGroupMapping::$mapping_members = array()
private

Definition at line 43 of file class.ilLDAPRoleGroupMapping.php.

◆ $mappings

ilLDAPRoleGroupMapping::$mappings = array()
private

Definition at line 42 of file class.ilLDAPRoleGroupMapping.php.

◆ $query

ilLDAPRoleGroupMapping::$query = array()
private

Definition at line 44 of file class.ilLDAPRoleGroupMapping.php.

◆ $servers

ilLDAPRoleGroupMapping::$servers = null
private

Definition at line 41 of file class.ilLDAPRoleGroupMapping.php.

◆ $users

ilLDAPRoleGroupMapping::$users = []
private

Definition at line 50 of file class.ilLDAPRoleGroupMapping.php.

Referenced by isHandledUser().


The documentation for this class was generated from the following file: