ILIAS  release_7 Revision v7.30-3-g800a261c036
ilLDAPRoleGroupMapping Class Reference

Public Member Functions

 getInfoStrings ($a_obj_id, $a_check_type=false)
 Get info string for object. If check info type is enabled, this function checks whether the info string is visible in the repository. More...
 
 assign ($a_role_id, $a_usr_id)
 This method is typically called from class RbacAdmin::assignUser(). It checks if there is a role mapping and if the user has auth mode LDAP. After these checks the user is assigned to the LDAP group. More...
 
 deleteRole ($a_role_id)
 Delete role. More...
 
 deassign ($a_role_id, $a_usr_id)
 This method is typically called from class RbacAdmin::deassignUser(). It checks if there is a role mapping and if the user has auth mode LDAP. After these checks the user is deassigned from the LDAP group. More...
 
 deleteUser ($a_usr_id)
 Delete user => deassign from all ldap groups. More...
 

Static Public Member Functions

static _getInstance ()
 Get singleton instance of this class. More...
 

Private Member Functions

 __construct ()
 Singleton constructor. More...
 
 initServers ()
 Check if there is any active server with. More...
 
 isHandledRole ($a_role_id)
 Check if a role is handled or not. More...
 
 isHandledUser ($a_usr_id)
 Check if user is ldap user. More...
 
 assignToGroup ($a_role_id, $a_usr_id)
 Assign user to group. More...
 
 deassignFromGroup ($a_role_id, $a_usr_id)
 Deassign user from group. More...
 
 checkOtherMembership ($a_usr_id, $a_role_id, $a_data)
 Check other membership. More...
 
 storeMembers ($a_mapping_id, $a_data)
 Store Members. More...
 
 readDN ($a_usr_id, $a_server_id)
 Read DN of user. More...
 
 getLDAPQueryInstance ($a_server_id, $a_url)
 Get LDAPQueryInstance. More...
 

Private Attributes

 $log = null
 
 $servers = null
 
 $mappings = array()
 
 $mapping_members = array()
 
 $query = array()
 
 $active_servers = false
 
 $users = []
 

Static Private Attributes

static $instance = null
 

Detailed Description

Author
Stefan Meyer meyer@leifos.com
Version
$Id$

Definition at line 34 of file class.ilLDAPRoleGroupMapping.php.

Constructor & Destructor Documentation

◆ __construct()

ilLDAPRoleGroupMapping::__construct ( )
private

Singleton constructor.

@access private

Definition at line 58 of file class.ilLDAPRoleGroupMapping.php.

{
    global $DIC;

    $this->log = $DIC->logger()->auth();

    $this->initServers();
}

References $DIC, and initServers().


Member Function Documentation

◆ _getInstance()

static ilLDAPRoleGroupMapping::_getInstance ( )
static

Get singleton instance of this class.

@access public

Definition at line 73 of file class.ilLDAPRoleGroupMapping.php.

{
    if (is_object(self::$instance)) {
        return self::$instance;
    }
    return self::$instance = new ilLDAPRoleGroupMapping();
}

References $instance.

Referenced by ilObjectListGUI\__construct(), ilRbacAdmin\assignUser(), ilRbacAdmin\assignUserLimited(), ilRbacAdmin\deassignUser(), ilObjUser\delete(), ilRbacAdmin\deleteRole(), and ilInfoScreenGUI\showLDAPRoleGroupMappingInfo().


◆ assign()

ilLDAPRoleGroupMapping::assign ($a_role_id, $a_usr_id)

This method is typically called from class RbacAdmin::assignUser(). It checks if there is a role mapping and if the user has auth mode LDAP. After these checks the user is assigned to the LDAP group.

@access public

Definition at line 117 of file class.ilLDAPRoleGroupMapping.php.

{
    // return if there is nothing to do
    if (!$this->active_servers) {
        return false;
    }

    if (!$this->isHandledRole($a_role_id)) {
        return false;
    }
    if (!$this->isHandledUser($a_usr_id)) {
        $this->log->info('LDAP assign: User ID: ' . $a_usr_id . ' has no LDAP account');
        return false;
    }
    $this->log->info('LDAP assigned: User ID: ' . $a_usr_id . ' Role Id: ' . $a_role_id);
    $this->assignToGroup($a_role_id, $a_usr_id);

    return true;
}

References assignToGroup(), isHandledRole(), and isHandledUser().


◆ assignToGroup()

ilLDAPRoleGroupMapping::assignToGroup ($a_role_id, $a_usr_id)
private

Assign user to group.

@access private

Parameters
int role_id
int user_id

Definition at line 290 of file class.ilLDAPRoleGroupMapping.php.

{
    foreach ($this->mappings[$a_role_id] as $data) {
        try {
            if ($data['isdn']) {
                $external_account = $this->readDN($a_usr_id, $data['server_id']);
            } else {
                $external_account = $this->users[$data['server_id']][$a_usr_id];
            }
            // Forcing modAdd since Active Directory is too slow and I cannot check if a user is a member or not.
            $query_obj = $this->getLDAPQueryInstance($data['server_id'], $data['url']);
            $query_obj->modAdd($data['dn'], array($data['member'] => $external_account));
            $this->log->info('LDAP assign: Assigned ' . $external_account . ' to group ' . $data['dn']);
        } catch (ilLDAPQueryException $exc) {
            $this->log->warning($exc->getMessage());
            // try next mapping
            continue;
        }
    }
}

References $data, getLDAPQueryInstance(), and readDN().

Referenced by assign().


◆ checkOtherMembership()

ilLDAPRoleGroupMapping::checkOtherMembership ($a_usr_id, $a_role_id, $a_data)
private

Check other membership.

@access private

Returns
string role name

Definition at line 362 of file class.ilLDAPRoleGroupMapping.php.

{
    global $DIC;

    $rbacreview = $DIC['rbacreview'];
    $ilObjDataCache = $DIC['ilObjDataCache'];

    foreach ($this->mappings as $role_id => $tmp_data) {
        foreach ($tmp_data as $data) {
            if ($role_id == $a_role_id) {
                continue;
            }
            if ($data['server_id'] != $a_data['server_id']) {
                continue;
            }
            if ($data['dn'] != $a_data['dn']) {
                continue;
            }
            if ($rbacreview->isAssigned($a_usr_id, $role_id)) {
                return $ilObjDataCache->lookupTitle($role_id);
            }
        }
    }
    return false;
}

References $data, and $DIC.

Referenced by deassignFromGroup().


◆ deassign()

ilLDAPRoleGroupMapping::deassign ($a_role_id, $a_usr_id)

This method is typically called from class RbacAdmin::deassignUser(). It checks if there is a role mapping and if the user has auth mode LDAP. After these checks the user is deassigned from the LDAP group.

@access public

Definition at line 177 of file class.ilLDAPRoleGroupMapping.php.

{
    // return if there is nothing to do
    if (!$this->active_servers) {
        return false;
    }
    if (!$this->isHandledRole($a_role_id)) {
        return false;
    }
    if (!$this->isHandledUser($a_usr_id)) {
        return false;
    }
    $this->log->info('LDAP deassigned: User ID: ' . $a_usr_id . ' Role Id: ' . $a_role_id);
    $this->deassignFromGroup($a_role_id, $a_usr_id);

    return true;
}

References deassignFromGroup(), isHandledRole(), and isHandledUser().

Referenced by deleteRole(), and deleteUser().


◆ deassignFromGroup()

ilLDAPRoleGroupMapping::deassignFromGroup ($a_role_id, $a_usr_id)
private

Deassign user from group.

@access private

Parameters
int role_id
int user_id

Definition at line 319 of file class.ilLDAPRoleGroupMapping.php.

{
    foreach ($this->mappings[$a_role_id] as $data) {
        try {
            if ($data['isdn']) {
                $external_account = $this->readDN($a_usr_id, $data['server_id']);
            } else {
                $external_account = $this->users[$data['server_id']][$a_usr_id];
            }

            // Check for other role membership: if another mapped role grants the
            // same group on the same server, the LDAP membership must stay.
            if ($role_id = $this->checkOtherMembership($a_usr_id, $a_role_id, $data)) {
                $this->log->info('LDAP deassign: User is still assigned to role "' . $role_id . '".');
                continue;
            }
            // Deassign user
            $query_obj = $this->getLDAPQueryInstance($data['server_id'], $data['url']);
            $query_obj->modDelete($data['dn'], array($data['member'] => $external_account));
            $this->log->info('LDAP deassign: Deassigned ' . $external_account . ' from group ' . $data['dn']);

            // Delete from cache
            if (is_array($this->mapping_members[$data['mapping_id']])) {
                $key = array_search($external_account, $this->mapping_members[$data['mapping_id']]);
                if ($key or $key === 0) {
                    // note: this drops the whole cached member list of the mapping, not only the found key
                    unset($this->mapping_members[$data['mapping_id']]);
                }
            }
        } catch (ilLDAPQueryException $exc) {
            $this->log->warning($exc->getMessage());
            // try next mapping
            continue;
        }
    }
}

References $data, checkOtherMembership(), getLDAPQueryInstance(), and readDN().

Referenced by deassign().


◆ deleteRole()

ilLDAPRoleGroupMapping::deleteRole (   $a_role_id)

Delete role.

This function is triggered from ilRbacAdmin::deleteRole. It deassigns all users from the mapped LDAP group.

@access public

Parameters
int role id

Definition at line 146 of file class.ilLDAPRoleGroupMapping.php.

{
    global $DIC;

    $rbacreview = $DIC['rbacreview'];

    // return if there is nothing to do
    if (!$this->active_servers) {
        return false;
    }

    if (!$this->isHandledRole($a_role_id)) {
        return false;
    }

    foreach ($rbacreview->assignedUsers($a_role_id) as $usr_id) {
        $this->deassign($a_role_id, $usr_id);
    }
    return true;
}

References $DIC, deassign(), and isHandledRole().


◆ deleteUser()

ilLDAPRoleGroupMapping::deleteUser (   $a_usr_id)

Delete user => deassign from all ldap groups.

@access public

Parameters
int user id

Definition at line 201 of file class.ilLDAPRoleGroupMapping.php.

{
    foreach ($this->mappings as $role_id => $data) {
        $this->deassign($role_id, $a_usr_id);
    }
    return true;
}

References $data, and deassign().


◆ getInfoStrings()

ilLDAPRoleGroupMapping::getInfoStrings ($a_obj_id, $a_check_type = false)

Get info string for object. If check info type is enabled, this function checks whether the info string is visible in the repository.

@access public

Parameters
int object id
bool check info type

Definition at line 90 of file class.ilLDAPRoleGroupMapping.php.

{
    if (!$this->active_servers) {
        return false;
    }
    if ($a_check_type) {
        if (isset($this->mapping_info_strict[$a_obj_id]) and is_array($this->mapping_info_strict[$a_obj_id])) {
            return $this->mapping_info_strict[$a_obj_id];
        }
    } else {
        if (isset($this->mapping_info[$a_obj_id]) and is_array($this->mapping_info[$a_obj_id])) {
            return $this->mapping_info[$a_obj_id];
        }
    }
    return false;
}

◆ getLDAPQueryInstance()

ilLDAPRoleGroupMapping::getLDAPQueryInstance ($a_server_id, $a_url)
private

Get LDAPQueryInstance.

@access private

throws ilLDAPQueryException

Definition at line 477 of file class.ilLDAPRoleGroupMapping.php.

{
    include_once 'Services/LDAP/classes/class.ilLDAPQuery.php';

    if (array_key_exists($a_server_id, $this->query) and
        array_key_exists($a_url, $this->query[$a_server_id]) and
        is_object($this->query[$a_server_id][$a_url])) {
        return $this->query[$a_server_id][$a_url];
    }
    try {
        $tmp_query = new ilLDAPQuery($this->servers[$a_server_id], $a_url);
        $tmp_query->bind(IL_LDAP_BIND_ADMIN);
    } catch (ilLDAPQueryException $exc) {
        throw $exc;
    }
    return $this->query[$a_server_id][$a_url] = $tmp_query;
}

References IL_LDAP_BIND_ADMIN.

Referenced by assignToGroup(), deassignFromGroup(), and readDN().


◆ initServers()

ilLDAPRoleGroupMapping::initServers ( )
private

Check if there is any active server with.

@access private

Definition at line 217 of file class.ilLDAPRoleGroupMapping.php.

{
    // reconstructed from the References list below: this call was lost in extraction
    $server_ids = ilLDAPServer::_getRoleSyncServerIds();

    if (!count($server_ids)) {
        return false;
    }

    // Init servers
    include_once('Services/LDAP/classes/class.ilLDAPRoleGroupMappingSettings.php');

    $this->active_servers = true;
    $this->mappings = array();
    $this->users = [];
    foreach ($server_ids as $server_id) {
        $this->servers[$server_id] = new ilLDAPServer($server_id);
        // reconstructed from the References list below: this call was lost in extraction
        $this->mappings = ilLDAPRoleGroupMappingSettings::_getAllActiveMappings();
        $this->users[$server_id] = ilObjUser::_getExternalAccountsByAuthMode(
            'ldap_' . $server_id,
            true
        );
    }
    $this->mapping_info = array();
    $this->mapping_info_strict = array();
    foreach ($this->mappings as $mapping) {
        foreach ($mapping as $key => $data) {
            if (strlen($data['info']) and $data['object_id']) {
                $this->mapping_info[$data['object_id']][] = $data['info'];
            }
            if (strlen($data['info']) && ($data['info_type'] == ilLDAPRoleGroupMappingSettings::MAPPING_INFO_ALL)) {
                $this->mapping_info_strict[$data['object_id']][] = $data['info'];
            }
        }
    }
    return true;
}

References $data, ilLDAPRoleGroupMappingSettings\_getAllActiveMappings(), ilObjUser\_getExternalAccountsByAuthMode(), ilLDAPServer\_getRoleSyncServerIds(), and ilLDAPRoleGroupMappingSettings\MAPPING_INFO_ALL.

Referenced by __construct().


◆ isHandledRole()

ilLDAPRoleGroupMapping::isHandledRole (   $a_role_id)
private

Check if a role is handled or not.

@access private

Parameters
int role_id
Returns
int server id or 0 if mapping exists

Definition at line 262 of file class.ilLDAPRoleGroupMapping.php.

{
    return array_key_exists($a_role_id, $this->mappings);
}

Referenced by assign(), deassign(), and deleteRole().


◆ isHandledUser()

ilLDAPRoleGroupMapping::isHandledUser (   $a_usr_id)
private

Check if user is ldap user.

@access private

Definition at line 272 of file class.ilLDAPRoleGroupMapping.php.

{
    foreach ($this->users as $server_id => $users) {
        if (array_key_exists($a_usr_id, $users)) {
            return true;
        }
    }
    return false;
}

References $users.

Referenced by assign(), and deassign().


◆ readDN()

ilLDAPRoleGroupMapping::readDN ($a_usr_id, $a_server_id)
private

Read DN of user.

@access private

Parameters
int user id
int server id
Exceptions
ilLDAPQueryException

Definition at line 421 of file class.ilLDAPRoleGroupMapping.php.

{
    if (isset($this->user_dns[$a_usr_id])) {
        return $this->user_dns[$a_usr_id];
    }

    $external_account = $this->users[$a_server_id][$a_usr_id];

    try {
        $server = $this->servers[$a_server_id];
        $query_obj = $this->getLDAPQueryInstance($a_server_id, $server->getUrl());

        if ($search_base = $server->getSearchBase()) {
            $search_base .= ',';
        }
        $search_base .= $server->getBaseDN();

        // try optional group user filter first
        if ($server->isMembershipOptional() and $server->getGroupUserFilter()) {
            $userFilter = $server->getGroupUserFilter();
        } else {
            $userFilter = $server->getFilter();
        }

        $filter = sprintf(
            '(&(%s=%s)%s)',
            $server->getUserAttribute(),
            $external_account,
            $userFilter
        );

        $res = $query_obj->query($search_base, $filter, $server->getUserScope(), array('dn'));

        if (!$res->numRows()) {
            include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
            throw new ilLDAPQueryException(__METHOD__ . ' cannot find dn for user ' . $external_account);
        }
        if ($res->numRows() > 1) {
            include_once('Services/LDAP/classes/class.ilLDAPQueryException.php');
            throw new ilLDAPQueryException(__METHOD__ . ' found multiple distinguished name for: ' . $external_account);
        }

        $data = $res->get();
        return $this->user_dns[$a_usr_id] = $data['dn'];
    } catch (ilLDAPQueryException $exc) {
        throw $exc;
    }
}

References $data, $res, $server, and getLDAPQueryInstance().

Referenced by assignToGroup(), and deassignFromGroup().

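readDN() above assembles the search base from getSearchBase() and getBaseDN() and interpolates the external account into the filter with sprintf(). The following is an added example, not ILIAS code: the same assembly as a pure function, with the account value escaped via PHP's ldap_escape() (RFC 4515 filter escaping, PHP >= 5.6, requires the ldap extension). The $server array and buildUserDnSearch() are constructed stand-ins for the ilLDAPServer getters used on this page.

```php
<?php
// Added example, not ILIAS code: search-base and filter assembly from readDN()
// as a pure function, with the external account escaped per RFC 4515 using
// PHP's ldap_escape(). The $server array stands in for the ilLDAPServer getters;
// its keys and the sample values below are constructed for illustration.

/**
 * Returns ['base' => <search base>, 'filter' => <RFC 4515 filter>] for looking
 * up the DN of one external account, mirroring readDN():
 *  - the search base is "<search_base>,<base_dn>", or just "<base_dn>";
 *  - the optional group user filter is preferred when membership is optional;
 *  - the account value is escaped so that '(', ')', '*', '\' and NUL inside it
 *    are matched literally (ldap_escape() renders them as \28 \29 \2a \5c \00)
 *    instead of altering the structure of the filter.
 */
function buildUserDnSearch(array $server, string $externalAccount): array
{
    $base = $server['base_dn'];
    if ($server['search_base'] !== '') {
        $base = $server['search_base'] . ',' . $server['base_dn'];
    }

    $userFilter = ($server['membership_optional'] && $server['group_user_filter'] !== '')
        ? $server['group_user_filter']
        : $server['filter'];

    $filter = sprintf(
        '(&(%s=%s)%s)',
        $server['user_attribute'],
        ldap_escape($externalAccount, '', LDAP_ESCAPE_FILTER),
        $userFilter
    );

    return ['base' => $base, 'filter' => $filter];
}

// Constructed sample server settings (not a real directory).
$server = [
    'base_dn'             => 'dc=example,dc=org',
    'search_base'         => 'ou=people',
    'user_attribute'      => 'uid',
    'filter'              => '(objectClass=inetOrgPerson)',
    'membership_optional' => false,
    'group_user_filter'   => '',
];

// A plain account name and one containing filter metacharacters: the second
// stays a single literal uid value, so the search still targets exactly one entry.
foreach (['jdoe', 'j.doe (extern)'] as $account) {
    $search = buildUserDnSearch($server, $account);
    printf("base:   %s\nfilter: %s\n", $search['base'], $search['filter']);
}
```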

◆ storeMembers()

ilLDAPRoleGroupMapping::storeMembers ($a_mapping_id, $a_data)
private

Store Members.

@access private

Definition at line 394 of file class.ilLDAPRoleGroupMapping.php.

{
    $this->mapping_members[$a_mapping_id] = array();
    foreach ($a_data as $field => $value) {
        if (strtolower($field) == 'dn') {
            continue;
        }

        if (!is_array($value)) {
            $this->mapping_members[$a_mapping_id][] = $value;
            continue;
        }
        foreach ($value as $external_account) {
            $this->mapping_members[$a_mapping_id][] = $external_account;
        }
    }
    return true;
}

Field Documentation

◆ $active_servers

ilLDAPRoleGroupMapping::$active_servers = false
private

Definition at line 45 of file class.ilLDAPRoleGroupMapping.php.

◆ $instance

ilLDAPRoleGroupMapping::$instance = null
static private

Definition at line 40 of file class.ilLDAPRoleGroupMapping.php.

Referenced by _getInstance().

◆ $log

ilLDAPRoleGroupMapping::$log = null
private

Definition at line 39 of file class.ilLDAPRoleGroupMapping.php.

◆ $mapping_members

ilLDAPRoleGroupMapping::$mapping_members = array()
private

Definition at line 43 of file class.ilLDAPRoleGroupMapping.php.

◆ $mappings

ilLDAPRoleGroupMapping::$mappings = array()
private

Definition at line 42 of file class.ilLDAPRoleGroupMapping.php.

◆ $query

ilLDAPRoleGroupMapping::$query = array()
private

Definition at line 44 of file class.ilLDAPRoleGroupMapping.php.

◆ $servers

ilLDAPRoleGroupMapping::$servers = null
private

Definition at line 41 of file class.ilLDAPRoleGroupMapping.php.

◆ $users

ilLDAPRoleGroupMapping::$users = []
private

Definition at line 50 of file class.ilLDAPRoleGroupMapping.php.

Referenced by isHandledUser().


The documentation for this class was generated from the following file: