ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
class.ilLDAPRoleGroupMapping.php
Go to the documentation of this file.
1 <?php
2 /*
3  +-----------------------------------------------------------------------------+
4  | ILIAS open source |
5  +-----------------------------------------------------------------------------+
6  | Copyright (c) 1998-2006 ILIAS open source, University of Cologne |
7  | |
8  | This program is free software; you can redistribute it and/or |
9  | modify it under the terms of the GNU General Public License |
10  | as published by the Free Software Foundation; either version 2 |
11  | of the License, or (at your option) any later version. |
12  | |
13  | This program is distributed in the hope that it will be useful, |
14  | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16  | GNU General Public License for more details. |
17  | |
18  | You should have received a copy of the GNU General Public License |
19  | along with this program; if not, write to the Free Software |
20  | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
21  +-----------------------------------------------------------------------------+
22 */
23 
24 include_once('Services/LDAP/classes/class.ilLDAPServer.php');
25 
34 class ilLDAPRoleGroupMapping
35 {
39  private $log = null;
40  private static $instance = null;
41  private $servers = null;
42  private $mappings = array();
43  private $mapping_members = array();
44  private $query = array();
45  private $active_servers = false;
46 
50  private $users = [];
51 
58  private function __construct()
59  {
60  global $DIC;
61 
62  $this->log = $DIC->logger()->auth();
63 
64  $this->initServers();
65  }
66 
73  public static function _getInstance()
74  {
75  if (is_object(self::$instance)) {
76  return self::$instance;
77  }
78  return self::$instance = new ilLDAPRoleGroupMapping();
79  }
80 
90  public function getInfoStrings($a_obj_id, $a_check_type = false)
91  {
92  if (!$this->active_servers) {
93  return false;
94  }
95  if ($a_check_type) {
96  if (isset($this->mapping_info_strict[$a_obj_id]) and is_array($this->mapping_info_strict[$a_obj_id])) {
97  return $this->mapping_info_strict[$a_obj_id];
98  }
99  } else {
100  if (isset($this->mapping_info[$a_obj_id]) and is_array($this->mapping_info[$a_obj_id])) {
101  return $this->mapping_info[$a_obj_id];
102  }
103  }
104  return false;
105  }
106 
107 
117  public function assign($a_role_id, $a_usr_id)
118  {
119  // return if there nothing to do
120  if (!$this->active_servers) {
121  return false;
122  }
123 
124  if (!$this->isHandledRole($a_role_id)) {
125  return false;
126  }
127  if (!$this->isHandledUser($a_usr_id)) {
128  $this->log->info('LDAP assign: User ID: ' . $a_usr_id . ' has no LDAP account');
129  return false;
130  }
131  $this->log->info('LDAP assigned: User ID: ' . $a_usr_id . ' Role Id: ' . $a_role_id);
132  $this->assignToGroup($a_role_id, $a_usr_id);
133 
134  return true;
135  }
136 
146  public function deleteRole($a_role_id)
147  {
148  global $DIC;
149 
150  $rbacreview = $DIC['rbacreview'];
151 
152  // return if there nothing to do
153  if (!$this->active_servers) {
154  return false;
155  }
156 
157  if (!$this->isHandledRole($a_role_id)) {
158  return false;
159  }
160 
161  foreach ($rbacreview->assignedUsers($a_role_id) as $usr_id) {
162  $this->deassign($a_role_id, $usr_id);
163  }
164  return true;
165  }
166 
167 
177  public function deassign($a_role_id, $a_usr_id)
178  {
179  // return if there notzing to do
180  if (!$this->active_servers) {
181  return false;
182  }
183  if (!$this->isHandledRole($a_role_id)) {
184  return false;
185  }
186  if (!$this->isHandledUser($a_usr_id)) {
187  return false;
188  }
189  $this->log->info('LDAP deassigned: User ID: ' . $a_usr_id . ' Role Id: ' . $a_role_id);
190  $this->deassignFromGroup($a_role_id, $a_usr_id);
191 
192  return true;
193  }
194 
201  public function deleteUser($a_usr_id)
202  {
203  foreach ($this->mappings as $role_id => $data) {
204  $this->deassign($role_id, $a_usr_id);
205  }
206  return true;
207  }
208 
209 
217  private function initServers()
218  {
219  $server_ids = ilLDAPServer::_getRoleSyncServerIds();
220 
221  if (!count($server_ids)) {
222  return false;
223  }
224 
225  // Init servers
226  include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');
227 
228  $this->active_servers = true;
229  $this->mappings = array();
230  $this->users = [];
231  foreach ($server_ids as $server_id) {
232  $this->servers[$server_id] = new ilLDAPServer($server_id);
233  $this->mappings = ilLDAPRoleGroupMappingSettings::_getAllActiveMappings();
234  $this->users[$server_id] = ilObjUser::_getExternalAccountsByAuthMode(
235  'ldap_' . $server_id,
236  true
237  );
238  }
239  $this->mapping_info = array();
240  $this->mapping_info_strict = array();
241  foreach ($this->mappings as $mapping) {
242  foreach ($mapping as $key => $data) {
243  if (strlen($data['info']) and $data['object_id']) {
244  $this->mapping_info[$data['object_id']][] = $data['info'];
245  }
246  if (strlen($data['info']) && ($data['info_type'] == ilLDAPRoleGroupMappingSettings::MAPPING_INFO_ALL)) {
247  $this->mapping_info_strict[$data['object_id']][] = $data['info'];
248  }
249  }
250  }
251  return true;
252  }
253 
262  private function isHandledRole($a_role_id)
263  {
264  return array_key_exists($a_role_id, $this->mappings);
265  }
266 
272  private function isHandledUser($a_usr_id)
273  {
274  foreach ($this->users as $server_id => $users) {
275  if (array_key_exists($a_usr_id, $users)) {
276  return true;
277  }
278  }
279  return false;
280  }
281 
282 
290  private function assignToGroup($a_role_id, $a_usr_id)
291  {
292  foreach ($this->mappings[$a_role_id] as $data) {
293  try {
294  if ($data['isdn']) {
295  $external_account = $this->readDN($a_usr_id, $data['server_id']);
296  } else {
297  $external_account = $this->users[$data['server_id']][$a_usr_id];
298  }
299  // Forcing modAdd since Active directory is too slow and i cannot check if a user is member or not.
300  $query_obj = $this->getLDAPQueryInstance($data['server_id'], $data['url']);
301  $query_obj->modAdd($data['dn'], array($data['member'] => $external_account));
302  $this->log->info('LDAP assign: Assigned ' . $external_account . ' to group ' . $data['dn']);
303  } catch (ilLDAPQueryException $exc) {
304  $this->log->warning($exc->getMessage());
305  // try next mapping
306  continue;
307  }
308  }
309  }
310 
319  private function deassignFromGroup($a_role_id, $a_usr_id)
320  {
321  foreach ($this->mappings[$a_role_id] as $data) {
322  try {
323  if ($data['isdn']) {
324  $external_account = $this->readDN($a_usr_id, $data['server_id']);
325  } else {
326  $external_account = $this->users[$data['server_id']][$a_usr_id];
327  }
328 
329  // Check for other role membership
330  if ($role_id = $this->checkOtherMembership($a_usr_id, $a_role_id, $data)) {
331  $this->log->info('LDAP deassign: User is still assigned to role "' . $role_id . '".');
332  continue;
333  }
334  // Deassign user
335  $query_obj = $this->getLDAPQueryInstance($data['server_id'], $data['url']);
336  $query_obj->modDelete($data['dn'], array($data['member'] => $external_account));
337  $this->log->info('LDAP deassign: Deassigned ' . $external_account . ' from group ' . $data['dn']);
338 
339  // Delete from cache
340  if (is_array($this->mapping_members[$data['mapping_id']])) {
341  $key = array_search($external_account, $this->mapping_members[$data['mapping_id']]);
342  if ($key or $key === 0) {
343  unset($this->mapping_members[$data['mapping_id']]);
344  }
345  }
346  } catch (ilLDAPQueryException $exc) {
347  $this->log->warning($exc->getMessage());
348  // try next mapping
349  continue;
350  }
351  }
352  }
353 
354 
362  private function checkOtherMembership($a_usr_id, $a_role_id, $a_data)
363  {
364  global $DIC;
365 
366  $rbacreview = $DIC['rbacreview'];
367  $ilObjDataCache = $DIC['ilObjDataCache'];
368 
369  foreach ($this->mappings as $role_id => $tmp_data) {
370  foreach ($tmp_data as $data) {
371  if ($role_id == $a_role_id) {
372  continue;
373  }
374  if ($data['server_id'] != $a_data['server_id']) {
375  continue;
376  }
377  if ($data['dn'] != $a_data['dn']) {
378  continue;
379  }
380  if ($rbacreview->isAssigned($a_usr_id, $role_id)) {
381  return $ilObjDataCache->lookupTitle($role_id);
382  }
383  }
384  }
385  return false;
386  }
387 
394  private function storeMembers($a_mapping_id, $a_data)
395  {
396  $this->mapping_members[$a_mapping_id] = array();
397  foreach ($a_data as $field => $value) {
398  if (strtolower($field) == 'dn') {
399  continue;
400  }
401 
402  if (!is_array($value)) {
403  $this->mapping_members[$a_mapping_id][] = $value;
404  continue;
405  }
406  foreach ($value as $external_account) {
407  $this->mapping_members[$a_mapping_id][] = $external_account;
408  }
409  }
410  return true;
411  }
412 
421  private function readDN($a_usr_id, $a_server_id)
422  {
423  if (isset($this->user_dns[$a_usr_id])) {
424  return $this->user_dns[$a_usr_id];
425  }
426 
427  $external_account = $this->users[$a_server_id][$a_usr_id];
428 
429  try {
430  $server = $this->servers[$a_server_id];
431  $query_obj = $this->getLDAPQueryInstance($a_server_id, $server->getUrl());
432 
433  if ($search_base = $server->getSearchBase()) {
434  $search_base .= ',';
435  }
436  $search_base .= $server->getBaseDN();
437 
438  // try optional group user filter first
439  if ($server->isMembershipOptional() and $server->getGroupUserFilter()) {
440  $userFilter = $server->getGroupUserFilter();
441  } else {
442  $userFilter = $server->getFilter();
443  }
444 
445  $filter = sprintf(
446  '(&(%s=%s)%s)',
447  $server->getUserAttribute(),
448  $external_account,
449  $userFilter
450  );
451 
452  $res = $query_obj->query($search_base, $filter, $server->getUserScope(), array('dn'));
453 
454  if (!$res->numRows()) {
455  include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
456  throw new ilLDAPQueryException(__METHOD__ . ' cannot find dn for user ' . $external_account);
457  }
458  if ($res->numRows() > 1) {
459  include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
460  throw new ilLDAPQueryException(__METHOD__ . ' found multiple distinguished name for: ' . $external_account);
461  }
462 
463  $data = $res->get();
464  return $this->user_dns[$a_usr_id] = $data['dn'];
465  } catch (ilLDAPQueryException $exc) {
466  throw $exc;
467  }
468  }
469 
477  private function getLDAPQueryInstance($a_server_id, $a_url)
478  {
479  include_once 'Services/LDAP/classes/class.ilLDAPQuery.php';
480 
481  if (array_key_exists($a_server_id, $this->query) and
482  array_key_exists($a_url, $this->query[$a_server_id]) and
483  is_object($this->query[$a_server_id][$a_url])) {
484  return $this->query[$a_server_id][$a_url];
485  }
486  try {
487  $tmp_query = new ilLDAPQuery($this->servers[$a_server_id], $a_url);
488  $tmp_query->bind(IL_LDAP_BIND_ADMIN);
489  } catch (ilLDAPQueryException $exc) {
490  throw $exc;
491  }
492  return $this->query[$a_server_id][$a_url] = $tmp_query;
493  }
494 }
ilLDAPRoleGroupMapping\getLDAPQueryInstance
getLDAPQueryInstance($a_server_id, $a_url)
Get LDAPQueryInstance.
Definition: class.ilLDAPRoleGroupMapping.php:477
ilLDAPRoleGroupMapping\deleteRole
deleteRole($a_role_id)
Delete role.
Definition: class.ilLDAPRoleGroupMapping.php:146
ilLDAPRoleGroupMapping\initServers
initServers()
Check if there is any active server with.
Definition: class.ilLDAPRoleGroupMapping.php:217
$DIC
global $DIC
Definition: saml.php:7
ilLDAPRoleGroupMapping\checkOtherMembership
checkOtherMembership($a_usr_id, $a_role_id, $a_data)
Check other membership.
Definition: class.ilLDAPRoleGroupMapping.php:362
ilObjUser\_getExternalAccountsByAuthMode
static _getExternalAccountsByAuthMode($a_auth_mode, $a_read_auth_default=false)
Get list of external account by authentication method Note: If login == ext_account for two user with...
Definition: class.ilObjUser.php:3820
ilLDAPRoleGroupMapping\__construct
__construct()
Singleton contructor.
Definition: class.ilLDAPRoleGroupMapping.php:58
$server
$server
Definition: sabredav.php:48
ilLDAPRoleGroupMapping\deassign
deassign($a_role_id, $a_usr_id)
This method is typically called from class RbacAdmin::deassignUser() It checks if there is a role map...
Definition: class.ilLDAPRoleGroupMapping.php:177
ilLDAPRoleGroupMapping\isHandledRole
isHandledRole($a_role_id)
Check if a role is handled or not.
Definition: class.ilLDAPRoleGroupMapping.php:262
ilLDAPRoleGroupMapping\readDN
readDN($a_usr_id, $a_server_id)
Read DN of user.
Definition: class.ilLDAPRoleGroupMapping.php:421
ilLDAPRoleGroupMapping\_getInstance
static _getInstance()
Get singleton instance of this class.
Definition: class.ilLDAPRoleGroupMapping.php:73
ilLDAPRoleGroupMapping\assign
assign($a_role_id, $a_usr_id)
This method is typically called from class RbacAdmin::assignUser() It checks if there is a role mappi...
Definition: class.ilLDAPRoleGroupMapping.php:117
$res
foreach($_POST as $key=> $value) $res
Definition: save_question_post_data.php:15
ilLDAPRoleGroupMapping\deleteUser
deleteUser($a_usr_id)
Delete user => deassign from all ldap groups.
Definition: class.ilLDAPRoleGroupMapping.php:201
ilLDAPRoleGroupMapping\assignToGroup
assignToGroup($a_role_id, $a_usr_id)
Assign user to group.
Definition: class.ilLDAPRoleGroupMapping.php:290
ilLDAPRoleGroupMapping\storeMembers
storeMembers($a_mapping_id, $a_data)
Store Members.
Definition: class.ilLDAPRoleGroupMapping.php:394
ilLDAPRoleGroupMapping\isHandledUser
isHandledUser($a_usr_id)
Check if user is ldap user.
Definition: class.ilLDAPRoleGroupMapping.php:272
IL_LDAP_BIND_ADMIN
const IL_LDAP_BIND_ADMIN
Definition: class.ilLDAPQuery.php:25
ilLDAPRoleGroupMapping\getInfoStrings
getInfoStrings($a_obj_id, $a_check_type=false)
Get info string for object If check info type is enabled this function will check if the info string ...
Definition: class.ilLDAPRoleGroupMapping.php:90
ilLDAPRoleGroupMapping\deassignFromGroup
deassignFromGroup($a_role_id, $a_usr_id)
Deassign user from group.
Definition: class.ilLDAPRoleGroupMapping.php:319
$key
$key
Definition: croninfo.php:18
ilLDAPServer\_getRoleSyncServerIds
static _getRoleSyncServerIds()
Check whether there if there is an active server with option role_sync_active.
Definition: class.ilLDAPServer.php:156
$data
$data
Definition: bench.php:6