ILIAS  release_6 Revision v6.24-5-g0c8bfefb3b8
All Data Structures Namespaces Files Functions Variables Modules Pages
class.ilAuthProviderLDAP.php
Go to the documentation of this file.
1 <?php
2 
3 /* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4 
5 include_once './Services/Authentication/classes/Provider/class.ilAuthProvider.php';
6 include_once './Services/Authentication/interfaces/interface.ilAuthProviderInterface.php';
7 include_once './Services/Authentication/interfaces/interface.ilAuthProviderAccountMigrationInterface.php';
8 
15 class ilAuthProviderLDAP extends ilAuthProvider implements ilAuthProviderInterface, ilAuthProviderAccountMigrationInterface
16 {
17  private $server = null;
18  private $migration_account = '';
19  private $force_new_account = false;
20 
25  public function __construct(\ilAuthCredentials $credentials, $a_server_id = 0)
26  {
27  parent::__construct($credentials);
28  $this->initServer($a_server_id);
29  }
30 
35  public function getServer()
36  {
37  return $this->server;
38  }
39 
40 
45  public function doAuthentication(\ilAuthStatus $status)
46  {
47  try {
48  // bind
49  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
50  $query = new ilLDAPQuery($this->getServer());
51  $query->bind(IL_LDAP_BIND_DEFAULT);
52  } catch (ilLDAPQueryException $e) {
53  $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
54  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
55  return false;
56  }
57  try {
58  // Read user data, which does ensure a sucessful authentication.
59  $users = $query->fetchUser(
60  $this->getCredentials()->getUsername()
61  );
62 
63  if (!$users) {
64  $this->handleAuthenticationFail($status, 'err_wrong_login');
65  return false;
66  }
67  if (!trim($this->getCredentials()->getPassword())) {
68  $this->handleAuthenticationFail($status, 'err_wrong_login');
69  return false;
70  }
71  if (!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users)) {
72  $this->getLogger()->warning('Cannot find user: ' . $this->changeKeyCase($this->getCredentials()->getUsername()));
73  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
74  return false;
75  }
76 
77  // check group membership
78  if (!$query->checkGroupMembership(
79  $this->getCredentials()->getUsername(),
80  $users[$this->changeKeyCase($this->getCredentials()->getUsername())]
81  )) {
82  $this->handleAuthenticationFail($status, 'err_wrong_login');
83  return false;
84  }
85  } catch (ilLDAPQueryException $e) {
86  $this->getLogger()->error('Cannot fetch LDAP user data... ' . $e->getMessage());
87  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
88  return false;
89  }
90  try {
91  // now bind with login credentials
92  $query->bind(IL_LDAP_BIND_AUTH, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]['dn'], $this->getCredentials()->getPassword());
93  } catch (ilLDAPQueryException $e) {
94  $this->handleAuthenticationFail($status, 'err_wrong_login');
95  return false;
96  }
97 
98  // authentication success update profile
99  return $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
100  }
101 
107  protected function updateAccount(ilAuthStatus $status, array $user)
108  {
109  $user = array_change_key_case($user, CASE_LOWER);
110  $this->getLogger()->dump($user, ilLogLevel::DEBUG);
111 
112  include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
113  $sync = new ilLDAPUserSynchronisation('ldap_' . $this->getServer()->getServerId(), $this->getServer()->getServerId());
114  $sync->setExternalAccount($this->getCredentials()->getUsername());
115  $sync->setUserData($user);
116  $sync->forceCreation($this->force_new_account);
117 
118  try {
119  $internal_account = $sync->sync();
120  $this->getLogger()->debug('Internal account: ' . $internal_account);
121  } catch (UnexpectedValueException $e) {
122  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
123  $this->handleAuthenticationFail($status, 'err_wrong_login');
124  return false;
125  } catch (ilLDAPSynchronisationFailedException $e) {
126  $this->handleAuthenticationFail($status, 'err_auth_ldap_failed');
127  return false;
128  } catch (ilLDAPSynchronisationForbiddenException $e) {
129  // No syncronisation allowed => create Error
130  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
131  $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
132  return false;
133  } catch (ilLDAPAccountMigrationRequiredException $e) {
134  // Account migration required
135  $this->setExternalAccountName($this->getCredentials()->getUsername());
136  $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
137  $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
138  return false;
139  }
140  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
141  $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
142  return true;
143  }
144 
145 
146 
150  protected function initServer($a_server_id)
151  {
152  include_once './Services/LDAP/classes/class.ilLDAPServer.php';
153  $this->server = new ilLDAPServer($a_server_id);
154  }
155 
156  // Account migration
157 
161  public function createNewAccount(ilAuthStatus $status)
162  {
163  $this->force_new_account = true;
164 
165  try {
166  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
167  $query = new ilLDAPQuery($this->getServer());
168  $query->bind(IL_LDAP_BIND_DEFAULT);
169  } catch (ilLDAPQueryException $e) {
170  $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
171  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
172  return false;
173  }
174  try {
175  // fetch user
176  $users = $query->fetchUser(
177  $this->getCredentials()->getUsername()
178  );
179  if (!$users) {
180  $this->handleAuthenticationFail($status, 'err_wrong_login');
181  return false;
182  }
183  if (!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users)) {
184  $this->handleAuthenticationFail($status, 'err_wrong_login');
185  return false;
186  }
187  } catch (ilLDAPQueryException $e) {
188  $this->getLogger()->error('Cannot fetch LDAP user data... ' . $e->getMessage());
189  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
190  return false;
191  }
192 
193  // authentication success update profile
194  $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
195  }
196 
197 
198 
202  public function migrateAccount(ilAuthStatus $status)
203  {
204  $this->force_new_account = true;
205 
206  try {
207  include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
208  $query = new ilLDAPQuery($this->getServer());
209  $query->bind(IL_LDAP_BIND_DEFAULT);
210  } catch (ilLDAPQueryException $e) {
211  $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
212  $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
213  return false;
214  }
215 
216  $users = $query->fetchUser($this->getCredentials()->getUsername());
217  $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
218  return true;
219  }
220 
224  public function getTriggerAuthMode()
225  {
226  return AUTH_LDAP . '_' . $this->getServer()->getServerId();
227  }
228 
232  public function getUserAuthModeName()
233  {
234  return 'ldap_' . $this->getServer()->getServerId();
235  }
236 
241  public function getExternalAccountName()
242  {
243  return $this->migration_account;
244  }
245 
250  public function setExternalAccountName($a_name)
251  {
252  $this->migration_account = $a_name;
253  }
254 
260  protected function changeKeyCase($a_string)
261  {
262  $as_array = array_change_key_case(array($a_string => $a_string));
263  foreach ($as_array as $key => $string) {
264  return $key;
265  }
266  }
267 }
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:11
ilAuthProviderLDAP\updateAccount
updateAccount(ilAuthStatus $status, array $user)
Update Account.
Definition: class.ilAuthProviderLDAP.php:107
ilAuthProviderLDAP\getTriggerAuthMode
getTriggerAuthMode()
Get trigger auth mode.
Definition: class.ilAuthProviderLDAP.php:224
ilAuthProviderLDAP\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderLDAP.php:161
ilAuthProviderLDAP\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderLDAP.php:45
IL_LDAP_BIND_AUTH
const IL_LDAP_BIND_AUTH
Definition: class.ilLDAPQuery.php:27
ilLDAPSynchronisationFailedException
Thrown in case of failed synchronisation settings.
Definition: class.ilLDAPSynchronisationFailedException.php:10
IL_LDAP_BIND_DEFAULT
const IL_LDAP_BIND_DEFAULT
Definition: class.ilLDAPQuery.php:24
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:14
ilObjUser\_lookupId
static _lookupId($a_user_str)
Lookup id by login.
Definition: class.ilObjUser.php:831
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:12
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId($a_id)
Definition: class.ilAuthStatus.php:116
ilAuthProviderLDAP
Description of class class.
Definition: class.ilAuthProviderLDAP.php:15
ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:11
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:11
ilAuthProviderLDAP\__construct
__construct(\ilAuthCredentials $credentials, $a_server_id=0)
Constructor.
Definition: class.ilAuthProviderLDAP.php:25
ilAuthStatus\setStatus
setStatus($a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilAuthProviderLDAP\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name.
Definition: class.ilAuthProviderLDAP.php:232
ilAuthProviderLDAP\setExternalAccountName
setExternalAccountName($a_name)
Set external account name.
Definition: class.ilAuthProviderLDAP.php:250
$query
$query
Definition: proxy_ylocal.php:13
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38
ilAuthProviderLDAP\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderLDAP.php:202
ilAuthProviderLDAP\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderLDAP.php:241
ilAuthProviderLDAP\initServer
initServer($a_server_id)
Init Server.
Definition: class.ilAuthProviderLDAP.php:150
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:30
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:55
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:11
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:20
ilAuthProviderLDAP\changeKeyCase
changeKeyCase($a_string)
Change case similar to array_change_key_case, to avoid further encoding problems. ...
Definition: class.ilAuthProviderLDAP.php:260