ILIAS  release_7 Revision v7.30-3-g800a261c036
class.ilAuthProviderLDAP.php
Go to the documentation of this file.
1<?php
2
3/* Copyright (c) 1998-2010 ILIAS open source, Extended GPL, see docs/LICENSE */
4
5include_once './Services/Authentication/classes/Provider/class.ilAuthProvider.php';
6include_once './Services/Authentication/interfaces/interface.ilAuthProviderInterface.php';
7include_once './Services/Authentication/interfaces/interface.ilAuthProviderAccountMigrationInterface.php';
8
15class ilAuthProviderLDAP extends ilAuthProvider implements ilAuthProviderInterface, ilAuthProviderAccountMigrationInterface
16{
17 private $server = null;
18 private $migration_account = '';
19 private $force_new_account = false;
20
25 public function __construct(\ilAuthCredentials $credentials, $a_server_id = 0)
26 {
27 parent::__construct($credentials);
28 $this->initServer($a_server_id);
29 }
30
35 public function getServer()
36 {
37 return $this->server;
38 }
39
40
45 public function doAuthentication(\ilAuthStatus $status)
46 {
47 try {
48 // bind
49 include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
50 $query = new ilLDAPQuery($this->getServer());
51 $query->bind(IL_LDAP_BIND_DEFAULT);
52 } catch (ilLDAPQueryException $e) {
53 $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
54 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
55 return false;
56 }
57 try {
58 // Read user data, which does ensure a sucessful authentication.
59 $users = $query->fetchUser(
60 $this->getCredentials()->getUsername()
61 );
62
63 if (!$users) {
64 $this->handleAuthenticationFail($status, 'err_wrong_login');
65 return false;
66 }
67 if (!trim($this->getCredentials()->getPassword())) {
68 $this->handleAuthenticationFail($status, 'err_wrong_login');
69 return false;
70 }
71 if (!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users)) {
72 $this->getLogger()->warning('Cannot find user: ' . $this->changeKeyCase($this->getCredentials()->getUsername()));
73 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
74 return false;
75 }
76
77 // check group membership
78 if (!$query->checkGroupMembership(
79 $this->getCredentials()->getUsername(),
80 $users[$this->changeKeyCase($this->getCredentials()->getUsername())]
81 )) {
82 $this->handleAuthenticationFail($status, 'err_wrong_login');
83 return false;
84 }
85 } catch (ilLDAPQueryException $e) {
86 $this->getLogger()->error('Cannot fetch LDAP user data... ' . $e->getMessage());
87 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
88 return false;
89 }
90 try {
91 // now bind with login credentials
92 $query->bind(IL_LDAP_BIND_AUTH, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]['dn'], $this->getCredentials()->getPassword());
93 } catch (ilLDAPQueryException $e) {
94 $this->handleAuthenticationFail($status, 'err_wrong_login');
95 return false;
96 }
97
98 // authentication success update profile
99 return $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
100 }
101
107 protected function updateAccount(ilAuthStatus $status, array $user)
108 {
109 $user = array_change_key_case($user, CASE_LOWER);
110 $this->getLogger()->dump($user, ilLogLevel::DEBUG);
111
112 include_once './Services/LDAP/classes/class.ilLDAPUserSynchronisation.php';
113 $sync = new ilLDAPUserSynchronisation('ldap_' . $this->getServer()->getServerId(), $this->getServer()->getServerId());
114 $sync->setExternalAccount($this->getCredentials()->getUsername());
115 $sync->setUserData($user);
116 $sync->forceCreation($this->force_new_account);
117
118 try {
119 $internal_account = $sync->sync();
120 $this->getLogger()->debug('Internal account: ' . $internal_account);
121 } catch (UnexpectedValueException $e) {
122 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
123 $this->handleAuthenticationFail($status, 'err_wrong_login');
124 return false;
125 } catch (ilLDAPSynchronisationFailedException $e) {
126 $this->handleAuthenticationFail($status, 'err_auth_ldap_failed');
127 return false;
128 } catch (ilLDAPSynchronisationForbiddenException $e) {
129 // No syncronisation allowed => create Error
130 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
131 $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
132 return false;
133 } catch (ilLDAPAccountMigrationRequiredException $e) {
134 // Account migration required
135 $this->setExternalAccountName($this->getCredentials()->getUsername());
136 $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
137 $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
138 return false;
139 }
140 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
141 $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
142 return true;
143 }
144
145
146
150 protected function initServer($a_server_id)
151 {
152 include_once './Services/LDAP/classes/class.ilLDAPServer.php';
153 $this->server = new ilLDAPServer($a_server_id);
154 }
155
156 // Account migration
157
161 public function createNewAccount(ilAuthStatus $status)
162 {
163 $this->force_new_account = true;
164
165 try {
166 include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
167 $query = new ilLDAPQuery($this->getServer());
168 $query->bind(IL_LDAP_BIND_DEFAULT);
169 } catch (ilLDAPQueryException $e) {
170 $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
171 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
172 return false;
173 }
174 try {
175 // fetch user
176 $users = $query->fetchUser(
177 $this->getCredentials()->getUsername()
178 );
179 if (!$users) {
180 $this->handleAuthenticationFail($status, 'err_wrong_login');
181 return false;
182 }
183 if (!array_key_exists($this->changeKeyCase($this->getCredentials()->getUsername()), $users)) {
184 $this->handleAuthenticationFail($status, 'err_wrong_login');
185 return false;
186 }
187 } catch (ilLDAPQueryException $e) {
188 $this->getLogger()->error('Cannot fetch LDAP user data... ' . $e->getMessage());
189 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
190 return false;
191 }
192
193 // authentication success update profile
194 $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
195 }
196
197
198
202 public function migrateAccount(ilAuthStatus $status)
203 {
204 $this->force_new_account = true;
205
206 try {
207 include_once './Services/LDAP/classes/class.ilLDAPQuery.php';
208 $query = new ilLDAPQuery($this->getServer());
209 $query->bind(IL_LDAP_BIND_DEFAULT);
210 } catch (ilLDAPQueryException $e) {
211 $this->getLogger()->error('Cannot bind to LDAP server... ' . $e->getMessage());
212 $this->handleAuthenticationFail($status, 'auth_err_ldap_exception');
213 return false;
214 }
215
216 $users = $query->fetchUser($this->getCredentials()->getUsername());
217 $this->updateAccount($status, $users[$this->changeKeyCase($this->getCredentials()->getUsername())]);
218 return true;
219 }
220
224 public function getTriggerAuthMode()
225 {
226 return AUTH_LDAP . '_' . $this->getServer()->getServerId();
227 }
228
232 public function getUserAuthModeName()
233 {
234 return 'ldap_' . $this->getServer()->getServerId();
235 }
236
241 public function getExternalAccountName()
242 {
243 return $this->migration_account;
244 }
245
250 public function setExternalAccountName($a_name)
251 {
252 $this->migration_account = $a_name;
253 }
254
260 protected function changeKeyCase($a_string)
261 {
262 $as_array = array_change_key_case(array($a_string => $a_string));
263 foreach ($as_array as $key => $string) {
264 return $key;
265 }
266 }
267}
php
An exception for terminatinating execution or to throw for unit testing.
AUTH_LDAP
const AUTH_LDAP
Definition: class.ilAuthUtils.php:8
IL_LDAP_BIND_AUTH
const IL_LDAP_BIND_AUTH
Definition: class.ilLDAPQuery.php:27
IL_LDAP_BIND_DEFAULT
const IL_LDAP_BIND_DEFAULT
Definition: class.ilLDAPQuery.php:24
ilAuthProviderLDAP
Description of class class.
Definition: class.ilAuthProviderLDAP.php:16
ilAuthProviderLDAP\updateAccount
updateAccount(ilAuthStatus $status, array $user)
Update Account.
Definition: class.ilAuthProviderLDAP.php:107
ilAuthProviderLDAP\getTriggerAuthMode
getTriggerAuthMode()
Get trigger auth mode.
Definition: class.ilAuthProviderLDAP.php:224
ilAuthProviderLDAP\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name.
Definition: class.ilAuthProviderLDAP.php:232
ilAuthProviderLDAP\initServer
initServer($a_server_id)
Init Server.
Definition: class.ilAuthProviderLDAP.php:150
ilAuthProviderLDAP\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderLDAP.php:202
ilAuthProviderLDAP\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderLDAP.php:161
ilAuthProviderLDAP\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderLDAP.php:45
ilAuthProviderLDAP\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderLDAP.php:241
ilAuthProviderLDAP\__construct
__construct(\ilAuthCredentials $credentials, $a_server_id=0)
Constructor.
Definition: class.ilAuthProviderLDAP.php:25
ilAuthProviderLDAP\changeKeyCase
changeKeyCase($a_string)
Change case similar to array_change_key_case, to avoid further encoding problems.
Definition: class.ilAuthProviderLDAP.php:260
ilAuthProviderLDAP\setExternalAccountName
setExternalAccountName($a_name)
Set external account name.
Definition: class.ilAuthProviderLDAP.php:250
ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:12
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:55
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:12
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:20
ilLDAPAccountMigrationRequiredException
Description of ilLDAPAccountMigrationRequiredException.
Definition: class.ilLDAPAccountMigrationRequiredException.php:13
ilLDAPSynchronisationFailedException
Thrown in case of failed synchronisation settings.
Definition: class.ilLDAPSynchronisationFailedException.php:11
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, radius , cas,...
Definition: class.ilLDAPUserSynchronisation.php:15
ilObjUser\_lookupId
static _lookupId($a_user_str)
Lookup id by login.
Definition: class.ilObjUser.php:832
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:12
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:12
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:40
$query
$query
Definition: proxy_ylocal.php:13