ILIAS  release_8 Revision v8.19
All Data Structures Namespaces Files Functions Variables Modules Pages
Public Member Functions | Data Fields | Private Member Functions | Private Attributes
ilLDAPQuery Class Reference
+ Collaboration diagram for ilLDAPQuery:

Public Member Functions

 __construct (ilLDAPServer $a_server, string $a_url='')
 
 getServer ()
 Get server. More...
 
 fetchUser (string $a_name)
 Get one user by login name. More...
 
 fetchUsers ()
 Fetch all users. More...
 
 query (string $a_search_base, string $a_filter, int $a_scope, array $a_attributes)
 Perform a query. More...
 
 modAdd (string $a_dn, array $a_attribute)
 Add value to an existing attribute. More...
 
 modDelete (string $a_dn, array $a_attribute)
 Delete value from an existing attribute. More...
 
 checkGroupMembership (string $a_ldap_user_name, array $ldap_user_data)
 check group membership More...
 
 bind (int $a_binding_type=ilLDAPQuery::LDAP_BIND_DEFAULT, string $a_user_dn='', string $a_password='')
 Bind to LDAP server. More...
 
 __destruct ()
 Destructor unbind from ldap server. More...
 
 checkPaginationEnabled ()
 Check if pagination is enabled (rfc: 2696) More...
 

Data Fields

const LDAP_BIND_DEFAULT = 0
 
const LDAP_BIND_ADMIN = 1
 
const LDAP_BIND_TEST = 2
 
const LDAP_BIND_AUTH = 10
 

Private Member Functions

 readAllUsers ()
 Fetch all users This function splits the query to filters like e.g (uid=a*) (uid=b*)... More...
 
 runReadAllUsersPaged (string $dn)
 read all users with ldap paging More...
 
 runReadAllUsersPartial (string $dn)
 Read all users partial by alphabet. More...
 
 fetchGroupMembers (string $a_name='')
 Fetch group member ids. More...
 
 readUserData (string $a_name, bool $a_check_dn=false, bool $a_try_group_user_filter=false)
 Read user data. More...
 
 queryByScope (int $a_scope, string $a_base_dn, string $a_filter, array $a_attributes, array $controls=[])
 Query by scope IL_SCOPE_SUB => ldap_search IL_SCOPE_ONE => ldap_list. More...
 
 connect ()
 Connect to LDAP server. More...
 
 fetchUserProfileFields ()
 fetch required fields of user profile data More...
 

Private Attributes

const IL_LDAP_SUPPORTED_CONTROL = 'supportedControl'
 
const PAGINATION_SIZE = 100
 
string $ldap_server_url
 
ilLDAPServer $settings
 
ilLogger $logger
 
ilLDAPAttributeMapping $mapping
 
array $user_fields = []
 
array $users = []
 
 $lh = false
 

Detailed Description

Author
Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om

Definition at line 25 of file class.ilLDAPQuery.php.

Constructor & Destructor Documentation

◆ __construct()

ilLDAPQuery::__construct ( ilLDAPServer  $a_server,
string  $a_url = '' 
)
Exceptions
ilLDAPQueryException

Definition at line 53 of file class.ilLDAPQuery.php.

References $DIC, ilLDAPAttributeMapping\_getInstanceByServerId(), connect(), fetchUserProfileFields(), ILIAS\Repository\logger(), and ILIAS\Repository\settings().

54  {
55  global $DIC;
56  $this->logger = $DIC->logger()->auth();
57 
58  $this->settings = $a_server;
59 
60  if ($a_url !== '') {
61  $this->ldap_server_url = $a_url;
62  } else {
63  $this->ldap_server_url = $this->settings->getUrl();
64  }
65 
66  $this->mapping = ilLDAPAttributeMapping::_getInstanceByServerId($this->settings->getServerId());
67 
68  $this->fetchUserProfileFields();
69  $this->connect();
70  }
ilLDAPQuery\connect
connect()
Connect to LDAP server.
Definition: class.ilLDAPQuery.php:608
$DIC
global $DIC
Definition: feed.php:28
ilLDAPQuery\fetchUserProfileFields
fetchUserProfileFields()
fetch required fields of user profile data
Definition: class.ilLDAPQuery.php:708
ilLDAPAttributeMapping\_getInstanceByServerId
static _getInstanceByServerId(int $a_server_id)
Definition: class.ilLDAPAttributeMapping.php:45
+ Here is the call graph for this function:

◆ __destruct()

ilLDAPQuery::__destruct ( )

Destructor unbind from ldap server.

Definition at line 721 of file class.ilLDAPQuery.php.

722  {
723  if ($this->lh) {
724  ldap_unbind($this->lh);
725  }
726  }

Member Function Documentation

◆ bind()

ilLDAPQuery::bind ( int  $a_binding_type = ilLDAPQuery::LDAP_BIND_DEFAULT,
string  $a_user_dn = '',
string  $a_password = '' 
)

Bind to LDAP server.

public

Parameters
intbinding_type ilLDAPQuery::LDAP_BIND_DEFAULT || ilLDAPQuery::LDAP_BIND_ADMIN
Exceptions
ilLDAPQueryExceptionon connection failure.

PhpMissingBreakStatementInspection

Definition at line 643 of file class.ilLDAPQuery.php.

References Vendor\Package\$e, $message, ilLDAPServer\DEFAULT_NETWORK_TIMEOUT, ilLDAPServer\LDAP_BIND_USER, ILIAS\Repository\logger(), and ILIAS\Repository\settings().

643  : void
644  {
645  switch ($a_binding_type) {
647  case self::LDAP_BIND_TEST:
648  ldap_set_option($this->lh, LDAP_OPT_NETWORK_TIMEOUT, ilLDAPServer::DEFAULT_NETWORK_TIMEOUT);
649  // fall through
650  // no break
651  case self::LDAP_BIND_DEFAULT:
652  // Now bind anonymously or as user
653  if (
654  ilLDAPServer::LDAP_BIND_USER === $this->settings->getBindingType() &&
655  $this->settings->getBindUser() !== ''
656  ) {
657  $user = $this->settings->getBindUser();
658  $pass = $this->settings->getBindPassword();
659 
660  $this->logger->debug('Bind as ' . $user);
661  } else {
662  $user = $pass = '';
663  $this->logger->debug('Bind anonymous');
664  }
665  break;
666 
667  case self::LDAP_BIND_ADMIN:
668  $user = $this->settings->getRoleBindDN();
669  $pass = $this->settings->getRoleBindPassword();
670 
671  if ($user === '' || $pass === '') {
672  $user = $this->settings->getBindUser();
673  $pass = $this->settings->getBindPassword();
674  }
675  break;
676 
677  case self::LDAP_BIND_AUTH:
678  $this->logger->debug('Trying to bind as: ' . $a_user_dn);
679  $user = $a_user_dn;
680  $pass = $a_password;
681  break;
682 
683 
684  default:
685  throw new ilLDAPQueryException('LDAP: unknown binding type in: ' . __METHOD__);
686  }
687 
688  try {
689  set_error_handler(static function (int $severity, string $message, string $file, int $line): void {
690  throw new ErrorException($message, $severity, $severity, $file, $line);
691  });
692 
693  if (!ldap_bind($this->lh, $user, $pass)) {
694  throw new ilLDAPQueryException('LDAP: Cannot bind as ' . $user . ' with message: ' . ldap_err2str(ldap_errno($this->lh)) . ' Trying fallback...', ldap_errno($this->lh));
695  }
696  } catch (Throwable $e) {
697  throw new ilLDAPQueryException('LDAP: Cannot bind as ' . $user . ' with message: ' . $e->getMessage());
698  } finally {
699  restore_error_handler();
700  }
701 
702  $this->logger->debug('Bind successful.');
703  }
ilLDAPServer\DEFAULT_NETWORK_TIMEOUT
const DEFAULT_NETWORK_TIMEOUT
Definition: class.ilLDAPServer.php:37
$message
$message
Definition: xapiexit.php:32
+ Here is the call graph for this function:

◆ checkGroupMembership()

ilLDAPQuery::checkGroupMembership ( string  $a_ldap_user_name,
array  $ldap_user_data 
)

check group membership

Parameters
stringlogin name
arrayuser data
Returns
bool

Definition at line 318 of file class.ilLDAPQuery.php.

References $res, ilLogLevel\DEBUG, getServer(), ILIAS\Repository\logger(), queryByScope(), and readUserData().

318  : bool
319  {
320  $group_names = $this->getServer()->getGroupNames();
321 
322  if (!count($group_names)) {
323  $this->logger->debug('No LDAP group restrictions found');
324  return true;
325  }
326 
327  $group_dn = $this->getServer()->getGroupDN();
328  if (
329  $group_dn &&
330  (substr($group_dn, -1) !== ',')
331  ) {
332  $group_dn .= ',';
333  }
334  $group_dn .= $this->getServer()->getBaseDN();
335 
336  foreach ($group_names as $group) {
337  $user = $a_ldap_user_name;
338  if ($this->getServer()->enabledGroupMemberIsDN()) {
339  if ($this->getServer()->enabledEscapeDN()) {
340  $user = ldap_escape($ldap_user_data['dn'], "", LDAP_ESCAPE_FILTER);
341  } else {
342  $user = $ldap_user_data['dn'];
343  }
344  }
345 
346  $filter = sprintf(
347  '(&(%s=%s)(%s=%s)%s)',
348  $this->getServer()->getGroupAttribute(),
349  $group,
350  $this->getServer()->getGroupMember(),
351  $user,
352  $this->getServer()->getGroupFilter()
353  );
354  $this->logger->debug('Current group search base: ' . $group_dn);
355  $this->logger->debug('Current group filter: ' . $filter);
356 
357  $res = $this->queryByScope(
358  $this->getServer()->getGroupScope(),
359  $group_dn,
360  $filter,
361  [$this->getServer()->getGroupMember()]
362  );
363 
364  $this->logger->dump($res);
365 
366  $tmp_result = new ilLDAPResult($this->lh, $res);
367  $tmp_result->run();
368  $group_result = $tmp_result->getRows();
369 
370  $this->logger->debug('Group query returned: ');
371  $this->logger->dump($group_result, ilLogLevel::DEBUG);
372 
373  if (count($group_result)) {
374  return true;
375  }
376  }
377 
378  // group restrictions failed check optional membership
379  if ($this->getServer()->isMembershipOptional()) {
380  $this->logger->debug('Group restrictions failed, checking user filter.');
381  if ($this->readUserData($a_ldap_user_name, true, true)) {
382  $this->logger->debug('User filter matches.');
383  return true;
384  }
385  }
386  $this->logger->debug('Group restrictions failed.');
387  return false;
388  }
$res
$res
Definition: ltiservices.php:69
ilLDAPResult
Class ilLDAPPagedResult.
Definition: class.ilLDAPResult.php:26
ilLDAPQuery\getServer
getServer()
Get server.
Definition: class.ilLDAPQuery.php:75
ilLDAPQuery\readUserData
readUserData(string $a_name, bool $a_check_dn=false, bool $a_try_group_user_filter=false)
Read user data.
Definition: class.ilLDAPQuery.php:474
ilLDAPQuery\queryByScope
queryByScope(int $a_scope, string $a_base_dn, string $a_filter, array $a_attributes, array $controls=[])
Query by scope IL_SCOPE_SUB => ldap_search IL_SCOPE_ONE => ldap_list.
Definition: class.ilLDAPQuery.php:545
+ Here is the call graph for this function:

◆ checkPaginationEnabled()

ilLDAPQuery::checkPaginationEnabled ( )

Check if pagination is enabled (rfc: 2696)

Definition at line 731 of file class.ilLDAPQuery.php.

References getServer(), and ILIAS\Repository\logger().

Referenced by readAllUsers().

731  : bool
732  {
733  if ($this->getServer()->getVersion() !== 3) {
734  $this->logger->info('Pagination control unavailable for ldap v' . $this->getServer()->getVersion());
735  return false;
736  }
737 
738  $result = ldap_read($this->lh, '', '(objectClass=*)', [self::IL_LDAP_SUPPORTED_CONTROL]);
739  if ($result === false) {
740  $this->logger->warning('Failed to query for pagination control');
741  return false;
742  }
743  $entries = (array) (ldap_get_entries($this->lh, $result)[0] ?? []);
744  if (
745  array_key_exists(strtolower(self::IL_LDAP_SUPPORTED_CONTROL), $entries) &&
746  is_array($entries[strtolower(self::IL_LDAP_SUPPORTED_CONTROL)]) &&
747  in_array(LDAP_CONTROL_PAGEDRESULTS, $entries[strtolower(self::IL_LDAP_SUPPORTED_CONTROL)], true)
748  ) {
749  $this->logger->info('Using paged control');
750  return true;
751  }
752  $this->logger->info('Paged control disabled');
753  return false;
754  }
ilLDAPQuery\getServer
getServer()
Get server.
Definition: class.ilLDAPQuery.php:75
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ connect()

ilLDAPQuery::connect ( )
private

Connect to LDAP server.

Exceptions
ilLDAPQueryException

Definition at line 608 of file class.ilLDAPQuery.php.

References ILIAS\Repository\logger(), and ILIAS\Repository\settings().

Referenced by __construct().

608  : void
609  {
610  $this->lh = ldap_connect($this->ldap_server_url);
611 
612  // LDAP Connect
613  if (!$this->lh) {
614  throw new ilLDAPQueryException("LDAP: Cannot connect to LDAP Server: " . $this->settings->getUrl());
615  }
616  // LDAP Version
617  if (!ldap_set_option($this->lh, LDAP_OPT_PROTOCOL_VERSION, $this->settings->getVersion())) {
618  throw new ilLDAPQueryException("LDAP: Cannot set version to: " . $this->settings->getVersion());
619  }
620  // Switch on referrals
621  if ($this->settings->isActiveReferrer()) {
622  if (!ldap_set_option($this->lh, LDAP_OPT_REFERRALS, true)) {
623  throw new ilLDAPQueryException("LDAP: Cannot switch on LDAP referrals");
624  }
625  } else {
626  ldap_set_option($this->lh, LDAP_OPT_REFERRALS, false);
627  $this->logger->debug('Switching referrals to false.');
628  }
629  // Start TLS
630  if ($this->settings->isActiveTLS() && !ldap_start_tls($this->lh)) {
631  throw new ilLDAPQueryException("LDAP: Cannot start LDAP TLS");
632  }
633  }
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ fetchGroupMembers()

ilLDAPQuery::fetchGroupMembers ( string  $a_name = '')
private

Fetch group member ids.

Parameters
list<string>$members

Definition at line 394 of file class.ilLDAPQuery.php.

References $data, $res, ILIAS\Repository\logger(), queryByScope(), readUserData(), and ILIAS\Repository\settings().

Referenced by fetchUsers().

394  : void
395  {
396  $group_name = $a_name !== '' ? $a_name : $this->settings->getGroupName();
397 
398  // Build filter
399  $filter = sprintf(
400  '(&(%s=%s)%s)',
401  $this->settings->getGroupAttribute(),
402  $group_name,
403  $this->settings->getGroupFilter()
404  );
405 
406 
407  // Build search base
408  if (($gdn = $this->settings->getGroupDN()) && substr($gdn, -1) !== ',') {
409  $gdn .= ',';
410  }
411  $gdn .= $this->settings->getBaseDN();
412 
413  $this->logger->debug('Using filter ' . $filter);
414  $this->logger->debug('Using DN ' . $gdn);
415  $res = $this->queryByScope(
416  $this->settings->getGroupScope(),
417  $gdn,
418  $filter,
419  array($this->settings->getGroupMember())
420  );
421 
422  $tmp_result = new ilLDAPResult($this->lh, $res);
423  $tmp_result->run();
424  $group_data = $tmp_result->getRows();
425 
426 
427  if (!$tmp_result->numRows()) {
428  $this->logger->info('No group found.');
429  return;
430  }
431 
435  $readUserData = function (array $members): void {
436  if ($members === []) {
437  $this->logger->warning(sprintf(
438  'No valid member values found for group member attribute: %s',
439  $this->settings->getGroupMember()
440  ));
441  return;
442  }
443 
444  foreach ($members as $member) {
445  $this->readUserData($member, true, true);
446  }
447  };
448 
449  // All groups
450  $attribute_name = strtolower($this->settings->getGroupMember());
451  foreach ($group_data as $data) {
452  $members = [];
453  if (isset($data[$attribute_name])) {
454  if (is_array($data[$attribute_name])) {
455  $members = array_map('strval', array_filter($data[$attribute_name]));
456  $this->logger->debug('Found ' . count($members) . ' group members for group ' . $data['dn']);
457  } elseif (is_scalar($data[$attribute_name]) && (string) $data[$attribute_name] !== '') {
458  $members = [
459  (string) $data[$attribute_name]
460  ];
461  }
462  }
463 
464  $readUserData($members);
465  }
466  unset($tmp_result);
467  }
$res
$res
Definition: ltiservices.php:69
ilLDAPResult
Class ilLDAPPagedResult.
Definition: class.ilLDAPResult.php:26
ilLDAPQuery\readUserData
readUserData(string $a_name, bool $a_check_dn=false, bool $a_try_group_user_filter=false)
Read user data.
Definition: class.ilLDAPQuery.php:474
ilLDAPQuery\queryByScope
queryByScope(int $a_scope, string $a_base_dn, string $a_filter, array $a_attributes, array $controls=[])
Query by scope IL_SCOPE_SUB => ldap_search IL_SCOPE_ONE => ldap_list.
Definition: class.ilLDAPQuery.php:545
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ fetchUser()

ilLDAPQuery::fetchUser ( string  $a_name)

Get one user by login name.

Parameters
string$a_namelogin name
Returns
array of user data

Definition at line 86 of file class.ilLDAPQuery.php.

References $users, and readUserData().

86  : array
87  {
88  if (!$this->readUserData($a_name)) {
89  return [];
90  }
91 
92  return $this->users;
93  }
ilLDAPQuery\readUserData
readUserData(string $a_name, bool $a_check_dn=false, bool $a_try_group_user_filter=false)
Read user data.
Definition: class.ilLDAPQuery.php:474
+ Here is the call graph for this function:

◆ fetchUserProfileFields()

ilLDAPQuery::fetchUserProfileFields ( )
private

fetch required fields of user profile data

Definition at line 708 of file class.ilLDAPQuery.php.

References ilLDAPRoleAssignmentRules\getAttributeNames(), getServer(), and ILIAS\Repository\settings().

Referenced by __construct().

708  : void
709  {
710  $this->user_fields = array_merge(
711  array($this->settings->getUserAttribute()),
712  array('dn'),
713  $this->mapping->getFields(),
714  ilLDAPRoleAssignmentRules::getAttributeNames($this->getServer()->getServerId())
715  );
716  }
ilLDAPRoleAssignmentRules\getAttributeNames
static getAttributeNames($a_server_id)
get all possible attribute names
Definition: class.ilLDAPRoleAssignmentRules.php:69
ilLDAPQuery\getServer
getServer()
Get server.
Definition: class.ilLDAPQuery.php:75
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ fetchUsers()

ilLDAPQuery::fetchUsers ( )

Fetch all users.

Returns
array array of user data

Definition at line 101 of file class.ilLDAPQuery.php.

References $users, fetchGroupMembers(), ILIAS\Repository\logger(), readAllUsers(), and ILIAS\Repository\settings().

101  : array
102  {
103  // First of all check if a group restriction is enabled
104  // YES: => fetch all group members
105  // No: => fetch all users
106  if ($this->settings->getGroupName() !== '') {
107  $this->logger->debug('Searching for group members.');
108 
109  $groups = $this->settings->getGroupNames();
110  if (count($groups) <= 1) {
111  $this->fetchGroupMembers();
112  } else {
113  foreach ($groups as $group) {
114  $this->fetchGroupMembers($group);
115  }
116  }
117  }
118  if ($this->settings->getGroupName() === '' || $this->settings->isMembershipOptional()) {
119  $this->logger->info('Start reading all users...');
120  $this->readAllUsers();
121  #throw new ilLDAPQueryException('LDAP: Called import of users without specifying group restrictions. NOT IMPLEMENTED YET!');
122  }
123  return $this->users;
124  }
ilLDAPQuery\readAllUsers
readAllUsers()
Fetch all users This function splits the query to filters like e.g (uid=a*) (uid=b*)...
Definition: class.ilLDAPQuery.php:178
ilLDAPQuery\fetchGroupMembers
fetchGroupMembers(string $a_name='')
Fetch group member ids.
Definition: class.ilLDAPQuery.php:394
+ Here is the call graph for this function:

◆ getServer()

ilLDAPQuery::getServer ( )

Get server.

Definition at line 75 of file class.ilLDAPQuery.php.

References $settings.

Referenced by checkGroupMembership(), checkPaginationEnabled(), and fetchUserProfileFields().

75  : ilLDAPServer
76  {
77  return $this->settings;
78  }
ilLDAPQuery\$settings
ilLDAPServer $settings
Definition: class.ilLDAPQuery.php:36
+ Here is the caller graph for this function:

◆ modAdd()

ilLDAPQuery::modAdd ( string  $a_dn,
array  $a_attribute 
)

Add value to an existing attribute.

Exceptions
ilLDAPQueryException

Definition at line 151 of file class.ilLDAPQuery.php.

151  : bool
152  {
153  if (ldap_mod_add($this->lh, $a_dn, $a_attribute)) {
154  return true;
155  }
156 
157  throw new ilLDAPQueryException(__METHOD__ . ' ' . ldap_error($this->lh));
158  }

◆ modDelete()

ilLDAPQuery::modDelete ( string  $a_dn,
array  $a_attribute 
)

Delete value from an existing attribute.

Exceptions
ilLDAPQueryException

Definition at line 165 of file class.ilLDAPQuery.php.

165  : bool
166  {
167  if (ldap_mod_del($this->lh, $a_dn, $a_attribute)) {
168  return true;
169  }
170  throw new ilLDAPQueryException(__METHOD__ . ' ' . ldap_error($this->lh));
171  }

◆ query()

ilLDAPQuery::query ( string  $a_search_base,
string  $a_filter,
int  $a_scope,
array  $a_attributes 
)

Perform a query.

Exceptions
ilLDAPQueryException

Definition at line 130 of file class.ilLDAPQuery.php.

References $res, and queryByScope().

130  : ilLDAPResult
131  {
132  $res = $this->queryByScope($a_scope, $a_search_base, $a_filter, $a_attributes);
133  if ($res === false) {
134  throw new ilLDAPQueryException(__METHOD__ . ' ' . ldap_error($this->lh) . ' ' .
135  sprintf(
136  'DN: %s, Filter: %s, Scope: %s',
137  $a_search_base,
138  $a_filter,
139  $a_scope
140  ));
141  }
142 
143  return (new ilLDAPResult($this->lh, $res))->run();
144  }
$res
$res
Definition: ltiservices.php:69
ilLDAPResult
Class ilLDAPPagedResult.
Definition: class.ilLDAPResult.php:26
ilLDAPQuery\queryByScope
queryByScope(int $a_scope, string $a_base_dn, string $a_filter, array $a_attributes, array $controls=[])
Query by scope IL_SCOPE_SUB => ldap_search IL_SCOPE_ONE => ldap_list.
Definition: class.ilLDAPQuery.php:545
+ Here is the call graph for this function:

◆ queryByScope()

ilLDAPQuery::queryByScope ( int  $a_scope,
string  $a_base_dn,
string  $a_filter,
array  $a_attributes,
array  $controls = [] 
)
private

Query by scope IL_SCOPE_SUB => ldap_search IL_SCOPE_ONE => ldap_list.

Parameters
array | null$controlsLDAP Control to be passed on the the ldap functions
Returns
null|false|resource|list<>|

Definition at line 545 of file class.ilLDAPQuery.php.

References Vendor\Package\$e, $message, ilLDAPServer\LDAP_SCOPE_BASE, ilLDAPServer\LDAP_SCOPE_ONE, ilLDAPServer\LDAP_SCOPE_SUB, and ILIAS\Repository\logger().

Referenced by checkGroupMembership(), fetchGroupMembers(), query(), readUserData(), runReadAllUsersPaged(), and runReadAllUsersPartial().

551  {
552  $a_filter = $a_filter ?: "(objectclass=*)";
553 
554  set_error_handler(static function (int $severity, string $message, string $file, int $line): void {
555  throw new ErrorException($message, $severity, $severity, $file, $line);
556  });
557 
558  $result = null; // We should ensure the similar behaviour of using the @ operator in PHP < 8.x
559 
560  try {
561  switch ($a_scope) {
562  case ilLDAPServer::LDAP_SCOPE_SUB:
563  $result = ldap_search(
564  $this->lh, $a_base_dn, $a_filter, $a_attributes, 0, 0, 0, LDAP_DEREF_NEVER, $controls
565  );
566  break;
567 
568  case ilLDAPServer::LDAP_SCOPE_ONE:
569  $result = ldap_list(
570  $this->lh, $a_base_dn, $a_filter, $a_attributes, 0, 0, 0, LDAP_DEREF_NEVER, $controls
571  );
572  break;
573 
574  case ilLDAPServer::LDAP_SCOPE_BASE:
575  $result = ldap_read(
576  $this->lh, $a_base_dn, $a_filter, $a_attributes, 0, 0, 0, LDAP_DEREF_NEVER, $controls
577  );
578  break;
579 
580  default:
581  throw new ilLDAPUndefinedScopeException(
582  "Undefined LDAP Search Scope: " . $a_scope
583  );
584  }
585  } catch (ErrorException $e) {
586  $this->logger->warning($e->getMessage());
587  $this->logger->warning($e->getTraceAsString());
588  } finally {
589  restore_error_handler();
590  }
591 
592  $error = ldap_errno($this->lh);
593  if ($error) {
594  $this->logger->warning("LDAP Error Code: " . $error . "(" . ldap_err2str($error) . ")");
595  $this->logger->warning('Base DN:' . $a_base_dn);
596  $this->logger->warning('Filter: ' . $a_filter);
597  }
598 
599  return $result;
600  }
$message
$message
Definition: xapiexit.php:32
ilLDAPUndefinedScopeException
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilLDAPUndefinedScopeException.php:24
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ readAllUsers()

ilLDAPQuery::readAllUsers ( )
private

Fetch all users This function splits the query to filters like e.g (uid=a*) (uid=b*)...

This avoids AD page_size_limit

Definition at line 178 of file class.ilLDAPQuery.php.

References $data, Vendor\Package\$e, checkPaginationEnabled(), ILIAS\Repository\logger(), readUserData(), runReadAllUsersPaged(), runReadAllUsersPartial(), and ILIAS\Repository\settings().

Referenced by fetchUsers().

178  : void
179  {
180  // Build search base
181  $this->logger->debug($this->settings->getSearchBase());
182  $this->logger->debug($this->settings->getBaseDN());
183  if (($dn = $this->settings->getSearchBase()) && substr($dn, -1) !== ',') {
184  $dn .= ',';
185  }
186  $dn .= $this->settings->getBaseDN();
187  if ($this->checkPaginationEnabled()) {
188  try {
189  $tmp_result = $this->runReadAllUsersPaged($dn);
190  } catch (ilLDAPPagingException $e) {
191  $this->logger->warning('Using LDAP with paging failed. Trying to use fallback.');
192  $tmp_result = $this->runReadAllUsersPartial($dn);
193  }
194  } else {
195  $tmp_result = $this->runReadAllUsersPartial($dn);
196  }
197 
198  if (!$tmp_result->numRows()) {
199  $this->logger->notice('No users found. Aborting.');
200  }
201  $this->logger->info('Found ' . $tmp_result->numRows() . ' users.');
202  $attribute = strtolower($this->settings->getUserAttribute());
203  foreach ($tmp_result->getRows() as $data) {
204  if (isset($data[$attribute]) && is_scalar($data[$attribute]) && (string) $data[$attribute] !== '') {
205  $this->readUserData((string) $data[$attribute]);
206  continue;
207  }
208 
209  $this->logger->warning(sprintf(
210  'Unknown error. No or invalid value found for attribute %s: %s',
211  $this->settings->getUserAttribute(),
212  var_export($data[$attribute] ?? null, true)
213  ));
214  }
215  unset($tmp_result);
216  }
ilLDAPQuery\runReadAllUsersPaged
runReadAllUsersPaged(string $dn)
read all users with ldap paging
Definition: class.ilLDAPQuery.php:223
ilLDAPQuery\runReadAllUsersPartial
runReadAllUsersPartial(string $dn)
Read all users partial by alphabet.
Definition: class.ilLDAPQuery.php:277
ilLDAPPagingException
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilLDAPPagingException.php:24
ilLDAPQuery\checkPaginationEnabled
checkPaginationEnabled()
Check if pagination is enabled (rfc: 2696)
Definition: class.ilLDAPQuery.php:731
ilLDAPQuery\readUserData
readUserData(string $a_name, bool $a_check_dn=false, bool $a_try_group_user_filter=false)
Read user data.
Definition: class.ilLDAPQuery.php:474
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ readUserData()

ilLDAPQuery::readUserData ( string  $a_name,
bool  $a_check_dn = false,
bool  $a_try_group_user_filter = false 
)
private

Read user data.

Parameters
bool$a_check_dncheck dn
bool$a_try_group_user_filteruse group filter

Definition at line 474 of file class.ilLDAPQuery.php.

References $res, ilObjUser\_checkExternalAuthAccount(), ilLDAPServer\LDAP_SCOPE_BASE, ILIAS\Repository\logger(), queryByScope(), and ILIAS\Repository\settings().

Referenced by checkGroupMembership(), fetchGroupMembers(), fetchUser(), and readAllUsers().

474  : bool
475  {
476  $filter = $this->settings->getFilter();
477  if ($a_try_group_user_filter && $this->settings->isMembershipOptional()) {
478  $filter = $this->settings->getGroupUserFilter();
479  }
480 
481  // Build filter
482  if ($a_check_dn && $this->settings->enabledGroupMemberIsDN()) {
483  $dn = $a_name;
484 
485  $fields = array_merge($this->user_fields, array('useraccountcontrol'));
486  $res = $this->queryByScope(ilLDAPServer::LDAP_SCOPE_BASE, strtolower($dn), $filter, $fields);
487  } else {
488  $filter = sprintf(
489  '(&(%s=%s)%s)',
490  $this->settings->getUserAttribute(),
491  $a_name,
492  $filter
493  );
494 
495  // Build search base
496  if (($dn = $this->settings->getSearchBase()) && substr($dn, -1) !== ',') {
497  $dn .= ',';
498  }
499  $dn .= $this->settings->getBaseDN();
500  $fields = array_merge($this->user_fields, array('useraccountcontrol'));
501  $res = $this->queryByScope($this->settings->getUserScope(), strtolower($dn), $filter, $fields);
502  }
503 
504 
505  $tmp_result = new ilLDAPResult($this->lh, $res);
506  $tmp_result->run();
507  if (!$tmp_result->numRows()) {
508  $this->logger->info('LDAP: No user data found for: ' . $a_name);
509  unset($tmp_result);
510  return false;
511  }
512 
513  if ($user_data = $tmp_result->get()) {
514  if (isset($user_data['useraccountcontrol']) && ($user_data['useraccountcontrol'] & 0x02)) {
515  $this->logger->notice('LDAP: ' . $a_name . ' account disabled.');
516  return false;
517  }
518 
519  $account = $user_data[strtolower($this->settings->getUserAttribute())] ?? '';
520  if (is_array($account)) {
521  $account = array_shift($account) ?? '';
522  }
523 
524  $user_ext = strtolower((string) $account);
525  if ($user_ext === '') {
526  $this->logger->notice('LDAP: Could not find user attribute ' . $this->settings->getUserAttribute() . '.');
527  return false;
528  }
529 
530  // auth mode depends on ldap server settings
531  $auth_mode = $this->settings->getAuthenticationMappingKey();
532  $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount($auth_mode, $user_ext);
533  $this->users[$user_ext] = $user_data;
534  }
535  return true;
536  }
$res
$res
Definition: ltiservices.php:69
ilLDAPResult
Class ilLDAPPagedResult.
Definition: class.ilLDAPResult.php:26
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2700
ilLDAPQuery\queryByScope
queryByScope(int $a_scope, string $a_base_dn, string $a_filter, array $a_attributes, array $controls=[])
Query by scope IL_SCOPE_SUB => ldap_search IL_SCOPE_ONE => ldap_list.
Definition: class.ilLDAPQuery.php:545
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ runReadAllUsersPaged()

ilLDAPQuery::runReadAllUsersPaged ( string  $dn)
private

read all users with ldap paging

Exceptions
ilLDAPPagingException

Definition at line 223 of file class.ilLDAPQuery.php.

References Vendor\Package\$e, $res, ILIAS\Repository\logger(), queryByScope(), and ILIAS\Repository\settings().

Referenced by readAllUsers().

223  : ilLDAPResult
224  {
225  $filter = '(&' . $this->settings->getFilter();
226  $filter .= ('(' . $this->settings->getUserAttribute() . '=*))');
227  $this->logger->info('Searching with ldap search and filter ' . $filter . ' in ' . $dn);
228 
229  $tmp_result = new ilLDAPResult($this->lh);
230  $cookie = '';
231  $estimated_results = 0;
232  do {
233  // Setup our paged results control.
234  $controls = [
235  LDAP_CONTROL_PAGEDRESULTS => [
236  'oid' => LDAP_CONTROL_PAGEDRESULTS,
237  'isCritical' => true,
238  'value' => [
239  'size' => self::PAGINATION_SIZE,
240  'cookie' => $cookie,
241  ],
242  ],
243  ];
244  $res = $this->queryByScope(
245  $this->settings->getUserScope(),
246  $dn,
247  $filter,
248  array($this->settings->getUserAttribute()),
249  $controls
250  );
251 
252  $tmp_result->setResult($res);
253  $tmp_result->run();
254  try {
255  $errcode = 0;
256  $matcheddn = '';
257  $errmsg = '';
258  $referrals = [];
259  ldap_parse_result($this->lh, $res, $errcode, $matcheddn, $errmsg, $referrals, $controls);
260  $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
261  $this->logger->debug('Estimated number of results: ' . $estimated_results);
262  } catch (Exception $e) {
263  $this->logger->warning('Result pagination failed with message: ' . $e->getMessage());
264  throw new ilLDAPPagingException($e->getMessage());
265  }
266  } while (!empty($cookie));
267 
268  // finally reset cookie
269  return $tmp_result;
270  }
$res
$res
Definition: ltiservices.php:69
ilLDAPResult
Class ilLDAPPagedResult.
Definition: class.ilLDAPResult.php:26
ilLDAPPagingException
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilLDAPPagingException.php:24
ilLDAPQuery\queryByScope
queryByScope(int $a_scope, string $a_base_dn, string $a_filter, array $a_attributes, array $controls=[])
Query by scope IL_SCOPE_SUB => ldap_search IL_SCOPE_ONE => ldap_list.
Definition: class.ilLDAPQuery.php:545
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ runReadAllUsersPartial()

ilLDAPQuery::runReadAllUsersPartial ( string  $dn)
private

Read all users partial by alphabet.

Parameters
string$dn
Returns
ilLDAPResult

Definition at line 277 of file class.ilLDAPQuery.php.

References $res, ILIAS\Repository\logger(), queryByScope(), and ILIAS\Repository\settings().

Referenced by readAllUsers().

277  : ilLDAPResult
278  {
279  $filter = $this->settings->getFilter();
280  $page_filter = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '-');
281  $chars = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z');
282  $tmp_result = new ilLDAPResult($this->lh);
283 
284  foreach ($page_filter as $letter) {
285  $new_filter = '(&';
286  $new_filter .= $filter;
287 
288  if ($letter === '-') {
289  $new_filter .= ('(!(|');
290  foreach ($chars as $char) {
291  $new_filter .= ('(' . $this->settings->getUserAttribute() . '=' . $char . '*)');
292  }
293  $new_filter .= ')))';
294  } else {
295  $new_filter .= ('(' . $this->settings->getUserAttribute() . '=' . $letter . '*))');
296  }
297 
298  $this->logger->info('Searching with ldap search and filter ' . $new_filter . ' in ' . $dn);
299  $res = $this->queryByScope(
300  $this->settings->getUserScope(),
301  $dn,
302  $new_filter,
303  array($this->settings->getUserAttribute())
304  );
305  $tmp_result->setResult($res);
306  $tmp_result->run();
307  }
308 
309  return $tmp_result;
310  }
$res
$res
Definition: ltiservices.php:69
ilLDAPResult
Class ilLDAPPagedResult.
Definition: class.ilLDAPResult.php:26
ilLDAPQuery\queryByScope
queryByScope(int $a_scope, string $a_base_dn, string $a_filter, array $a_attributes, array $controls=[])
Query by scope IL_SCOPE_SUB => ldap_search IL_SCOPE_ONE => ldap_list.
Definition: class.ilLDAPQuery.php:545
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

Field Documentation

◆ $ldap_server_url

string ilLDAPQuery::$ldap_server_url
private

Definition at line 35 of file class.ilLDAPQuery.php.

◆ $lh

ilLDAPQuery::$lh = false
private

Definition at line 48 of file class.ilLDAPQuery.php.

◆ $logger

ilLogger ilLDAPQuery::$logger
private

Definition at line 38 of file class.ilLDAPQuery.php.

◆ $mapping

ilLDAPAttributeMapping ilLDAPQuery::$mapping
private

Definition at line 40 of file class.ilLDAPQuery.php.

◆ $settings

ilLDAPServer ilLDAPQuery::$settings
private

Definition at line 36 of file class.ilLDAPQuery.php.

Referenced by getServer().

◆ $user_fields

array ilLDAPQuery::$user_fields = []
private

Definition at line 42 of file class.ilLDAPQuery.php.

◆ $users

array ilLDAPQuery::$users = []
private

Definition at line 43 of file class.ilLDAPQuery.php.

Referenced by fetchUser(), and fetchUsers().

◆ IL_LDAP_SUPPORTED_CONTROL

const ilLDAPQuery::IL_LDAP_SUPPORTED_CONTROL = 'supportedControl'
private

Definition at line 32 of file class.ilLDAPQuery.php.

◆ LDAP_BIND_ADMIN

const ilLDAPQuery::LDAP_BIND_ADMIN = 1

Definition at line 28 of file class.ilLDAPQuery.php.

Referenced by ilLDAPRoleGroupMapping\getLDAPQueryInstance().

◆ LDAP_BIND_AUTH

const ilLDAPQuery::LDAP_BIND_AUTH = 10

Definition at line 30 of file class.ilLDAPQuery.php.

Referenced by ilAuthProviderLDAP\doAuthentication().

◆ LDAP_BIND_DEFAULT

const ilLDAPQuery::LDAP_BIND_DEFAULT = 0

Definition at line 27 of file class.ilLDAPQuery.php.

Referenced by ilECSCmsCourseMemberCommandQueueHandler\createMember(), and ilLDAPUserSynchronisation\readUserData().

◆ LDAP_BIND_TEST

const ilLDAPQuery::LDAP_BIND_TEST = 2

Definition at line 29 of file class.ilLDAPQuery.php.

Referenced by ilLDAPServer\doConnectionCheck().

◆ PAGINATION_SIZE

const ilLDAPQuery::PAGINATION_SIZE = 100
private

Definition at line 33 of file class.ilLDAPQuery.php.

The documentation for this class was generated from the following file: