ilLDAPRoleGroupMapping Class Reference

Collaboration diagram for ilLDAPRoleGroupMapping:

Public Member Functions
	getInfoStrings (int $a_obj_id, bool $a_check_type=false)
	Get info string for object If check info type is enabled this function will check if the info string is visible in the repository. More...
	assign ($a_role_id, $a_usr_id)
	This method is typically called from class RbacAdmin::assignUser() It checks if there is a role mapping and if the user has auth mode LDAP After these checks the user is assigned to the LDAP group. More...
	deleteRole (int $a_role_id)
	Delete role. More...
	deassign ($a_role_id, $a_usr_id)
	This method is typically called from class RbacAdmin::deassignUser() It checks if there is a role mapping and if the user has auth mode LDAP After these checks the user is deassigned from the LDAP group. More...
	deleteUser ($a_usr_id)
	Delete user => deassign from all ldap groups. More...

Static Public Member Functions
static	_getInstance ()
	Get singleton instance of this class. More...

Private Member Functions
	__construct ()
	Singleton contructor. More...
	initServers ()
	Check if there is any active server with. More...
	isHandledRole ($a_role_id)
	isHandledUser ($a_usr_id)
	Check if user is ldap user. More...
	assignToGroup ($a_role_id, $a_usr_id)
	Assign user to group. More...
	deassignFromGroup ($a_role_id, $a_usr_id)
	Deassign user from group. More...
	checkOtherMembership (int $a_usr_id, int $a_role_id, array $a_data)
	Check other membership. More...
	readDN (int $a_usr_id, int $a_server_id)
	Read DN of user. More...
	getLDAPQueryInstance ($a_server_id, $a_url)
	Get LDAPQueryInstance. More...

Private Attributes
ilLogger	$log
ilRbacReview	$rbacreview
ilObjectDataCache	$ilObjDataCache
array	$servers
array	$mappings
array	$mapping_members
array	$mapping_info
array	$mapping_info_strict
array	$query
array	$users
array	$user_dns
bool	$active_servers = false

Static Private Attributes
static ilLDAPRoleGroupMapping	$instance = null

Detailed Description

Author

Stefan Meyer meyer.nosp@m.@lei.nosp@m.fos.c.nosp@m.om

Definition at line 24 of file class.ilLDAPRoleGroupMapping.php.

Constructor & Destructor Documentation

__construct()

ilLDAPRoleGroupMapping::__construct ( )

private

Singleton contructor.

Definition at line 44 of file class.ilLDAPRoleGroupMapping.php.

References $DIC, and initServers().

    {
        global $DIC;

        $this->log = $DIC->logger()->auth();
        $this->rbacreview = $DIC->rbac()->review();
        $this->ilObjDataCache = $DIC['ilObjDataCache'];

        $this->initServers();
    }

Here is the call graph for this function:

Member Function Documentation

_getInstance()

static ilLDAPRoleGroupMapping::_getInstance ( )

static

Get singleton instance of this class.

Definition at line 58 of file class.ilLDAPRoleGroupMapping.php.

Referenced by ilRbacAdmin\assignUser(), ilRbacAdmin\assignUserLimited(), ilRbacAdmin\deassignUser(), ilObjUser\delete(), ilRbacAdmin\deleteRole(), and ilInfoScreenGUI\showLDAPRoleGroupMappingInfo().

                                         : ?ilLDAPRoleGroupMapping
    {
        if (is_object(self::$instance)) {
            return self::$instance;
        }
        return self::$instance = new ilLDAPRoleGroupMapping();
    }

Here is the caller graph for this function:

assign()

ilLDAPRoleGroupMapping::assign	(		$a_role_id,
			$a_usr_id
	)

This method is typically called from class RbacAdmin::assignUser() It checks if there is a role mapping and if the user has auth mode LDAP After these checks the user is assigned to the LDAP group.

Definition at line 97 of file class.ilLDAPRoleGroupMapping.php.

References assignToGroup(), isHandledRole(), and isHandledUser().

                                                 : bool
    {
        // return if there nothing to do
        if (!$this->active_servers) {
            return false;
        }

        if (!$this->isHandledRole($a_role_id)) {
            return false;
        }
        if (!$this->isHandledUser($a_usr_id)) {
            $this->log->write('LDAP assign: User ID: ' . $a_usr_id . ' has no LDAP account');
            return false;
        }
        $this->log->write('LDAP assign: User ID: ' . $a_usr_id . ' Role Id: ' . $a_role_id);
        $this->assignToGroup($a_role_id, $a_usr_id);

        return true;
    }

Here is the call graph for this function:

assignToGroup()

ilLDAPRoleGroupMapping::assignToGroup (   $a_role_id,   $a_usr_id  )

private

Assign user to group.

Parameters

int	role_id
int	user_id

Definition at line 245 of file class.ilLDAPRoleGroupMapping.php.

References $data, getLDAPQueryInstance(), and readDN().

Referenced by assign().

                                                         : void
    {
        foreach ($this->mappings[$a_role_id] as $data) {
            try {
                if ($data['isdn']) {
                    $external_account = $this->readDN($a_usr_id, $data['server_id']);
                } else {
                    $external_account = $this->users[$a_usr_id];
                }

                // Forcing modAdd since Active directory is too slow and i cannot check if a user is member or not.
                #if($this->isMember($external_account,$data))
                #{
                #       $this->log->write("LDAP assign: User already assigned to group '".$data['dn']."'");
                #}
                #else
                {
                    // Add user
                    $query_obj = $this->getLDAPQueryInstance($data['server_id'], $data['url']);
                    $query_obj->modAdd($data['dn'], array($data['member'] => $external_account));
                    $this->log->write('LDAP assign: Assigned ' . $external_account . ' to group ' . $data['dn']);
                }
            } catch (ilLDAPQueryException $exc) {
                $this->log->write($exc->getMessage());
                // try next mapping
                continue;
            }
        }
    }

Here is the call graph for this function:

Here is the caller graph for this function:

checkOtherMembership()

ilLDAPRoleGroupMapping::checkOtherMembership ( int  $a_usr_id, int  $a_role_id, array  $a_data  )

private

Check other membership.

Returns

string|false role name

Definition at line 330 of file class.ilLDAPRoleGroupMapping.php.

References $data.

Referenced by deassignFromGroup().

    {
        foreach ($this->mappings as $role_id => $tmp_data) {
            foreach ($tmp_data as $data) {
                if ($role_id === $a_role_id) {
                    continue;
                }
                if ($data['server_id'] !== $a_data['server_id']) {
                    continue;
                }
                if ($data['dn'] !== $a_data['dn']) {
                    continue;
                }
                if ($this->rbacreview->isAssigned($a_usr_id, $role_id)) {
                    return $this->ilObjDataCache->lookupTitle((int) $role_id);
                }
            }
        }
        return false;
    }

Here is the caller graph for this function:

deassign()

ilLDAPRoleGroupMapping::deassign	(		$a_role_id,
			$a_usr_id
	)

This method is typically called from class RbacAdmin::deassignUser() It checks if there is a role mapping and if the user has auth mode LDAP After these checks the user is deassigned from the LDAP group.

Definition at line 148 of file class.ilLDAPRoleGroupMapping.php.

References deassignFromGroup(), isHandledRole(), and isHandledUser().

Referenced by deleteRole(), and deleteUser().

                                                   : bool
    {
        // return if there notzing to do
        if (!$this->active_servers) {
            return false;
        }
        if (!$this->isHandledRole($a_role_id)) {
            return false;
        }
        if (!$this->isHandledUser($a_usr_id)) {
            return false;
        }
        $this->log->write('LDAP deassign: User ID: ' . $a_usr_id . ' Role Id: ' . $a_role_id);
        $this->deassignFromGroup($a_role_id, $a_usr_id);

        return true;
    }

Here is the call graph for this function:

Here is the caller graph for this function:

deassignFromGroup()

ilLDAPRoleGroupMapping::deassignFromGroup (   $a_role_id,   $a_usr_id  )

private

Deassign user from group.

Parameters

int	role_id
int	user_id

Definition at line 282 of file class.ilLDAPRoleGroupMapping.php.

References $data, checkOtherMembership(), getLDAPQueryInstance(), and readDN().

Referenced by deassign().

                                                             : void
    {
        foreach ($this->mappings[$a_role_id] as $data) {
            try {
                if ($data['isdn']) {
                    $external_account = $this->readDN($a_usr_id, $data['server_id']);
                } else {
                    $external_account = $this->users[$a_usr_id];
                }

                // Check for other role membership
                if ($role_id = $this->checkOtherMembership($a_usr_id, $a_role_id, $data)) {
                    $this->log->write('LDAP deassign: User is still assigned to role "' . $role_id . '".');
                    continue;
                }
                /*
                if(!$this->isMember($external_account,$data))
                 {
                    $this->log->write("LDAP deassign: User not assigned to group '".$data['dn']."'");
                    continue;
                 }
                */
                // Deassign user
                $query_obj = $this->getLDAPQueryInstance($data['server_id'], $data['url']);
                $query_obj->modDelete($data['dn'], array($data['member'] => $external_account));
                $this->log->write('LDAP deassign: Deassigned ' . $external_account . ' from group ' . $data['dn']);

                // Delete from cache
                if (is_array($this->mapping_members[$data['mapping_id']])) {
                    $key = array_search($external_account, $this->mapping_members[$data['mapping_id']], true);
                    if ($key || $key === 0) {
                        unset($this->mapping_members[$data['mapping_id']]);
                    }
                }
            } catch (ilLDAPQueryException $exc) {
                $this->log->write($exc->getMessage());
                // try next mapping
                continue;
            }
        }
    }

Here is the call graph for this function:

Here is the caller graph for this function:

deleteRole()

ilLDAPRoleGroupMapping::deleteRole

(

int

$a_role_id

)

Delete role.

This function triggered from ilRbacAdmin::deleteRole It deassigns all user from the mapped ldap group.

Parameters

int

role id

Definition at line 125 of file class.ilLDAPRoleGroupMapping.php.

References deassign(), and isHandledRole().

                                              : bool
    {
        // return if there nothing to do
        if (!$this->active_servers) {
            return false;
        }

        if (!$this->isHandledRole($a_role_id)) {
            return false;
        }

        foreach ($this->rbacreview->assignedUsers($a_role_id) as $usr_id) {
            $this->deassign($a_role_id, $usr_id);
        }
        return true;
    }

Here is the call graph for this function:

deleteUser()

ilLDAPRoleGroupMapping::deleteUser

(

$a_usr_id

)

Delete user => deassign from all ldap groups.

Parameters

int

user id

Definition at line 171 of file class.ilLDAPRoleGroupMapping.php.

References deassign().

                                         : bool
    {
        if (!$this->active_servers) {
            return false;
        }

        foreach ($this->mappings as $role_id) {
            $this->deassign($role_id, $a_usr_id);
        }
        return true;
    }

Here is the call graph for this function:

getInfoStrings()

ilLDAPRoleGroupMapping::getInfoStrings	(	int	$a_obj_id,
		bool	$a_check_type = false
	)

Get info string for object If check info type is enabled this function will check if the info string is visible in the repository.

Parameters

int	object id
bool	check info type

Returns

string[]

Definition at line 74 of file class.ilLDAPRoleGroupMapping.php.

                                                                             : array
    {
        if (!$this->active_servers) {
            return [];
        }

        if ($a_check_type) {
            if (isset($this->mapping_info_strict[$a_obj_id]) && is_array($this->mapping_info_strict[$a_obj_id])) {
                return $this->mapping_info_strict[$a_obj_id];
            }
        } elseif (isset($this->mapping_info[$a_obj_id]) && is_array($this->mapping_info[$a_obj_id])) {
            return $this->mapping_info[$a_obj_id];
        }

        return [];
    }

getLDAPQueryInstance()

ilLDAPRoleGroupMapping::getLDAPQueryInstance (   $a_server_id,   $a_url  )

private

Get LDAPQueryInstance.

Exceptions

ilLDAPQueryException

Definition at line 410 of file class.ilLDAPRoleGroupMapping.php.

References ilLDAPQuery\LDAP_BIND_ADMIN.

Referenced by assignToGroup(), deassignFromGroup(), and readDN().

    {
        if (array_key_exists($a_server_id, $this->query) &&
            array_key_exists($a_url, $this->query[$a_server_id]) &&
            is_object($this->query[$a_server_id][$a_url])) {
            return $this->query[$a_server_id][$a_url];
        }
        $tmp_query = new ilLDAPQuery($this->servers[$a_server_id], $a_url);
        $tmp_query->bind(ilLDAPQuery::LDAP_BIND_ADMIN);

        return $this->query[$a_server_id][$a_url] = $tmp_query;
    }

Here is the caller graph for this function:

initServers()

ilLDAPRoleGroupMapping::initServers ( )

private

Check if there is any active server with.

Definition at line 187 of file class.ilLDAPRoleGroupMapping.php.

References $data, ilObjUser\_getExternalAccountsByAuthMode(), ilLDAPServer\_getRoleSyncServerIds(), and ilLDAPRoleGroupMappingSettings\MAPPING_INFO_ALL.

Referenced by __construct().

                                  : void
    {
        $server_ids = ilLDAPServer::_getRoleSyncServerIds();

        if (!count($server_ids)) {
            return;
        }

        // Init servers
        $this->active_servers = true;
        $this->servers = [];
        $this->mappings = [];
        foreach ($server_ids as $server_id) {
            $this->servers[$server_id] = new ilLDAPServer($server_id);
            $this->mappings = ilLDAPRoleGroupMappingSettings::_getAllActiveMappings();
        }
        $this->mapping_info = [];
        $this->mapping_info_strict = [];
        foreach ($this->mappings as $mapping) {
            foreach ($mapping as $data) {
                if ($data['info'] !== '' && $data['object_id']) {
                    $this->mapping_info[$data['object_id']][] = $data['info'];
                }
                if ($data['info'] !== '' && ($data['info_type'] === ilLDAPRoleGroupMappingSettings::MAPPING_INFO_ALL)) {
                    $this->mapping_info_strict[$data['object_id']][] = $data['info'];
                }
            }
        }
        $this->users = ilObjUser::_getExternalAccountsByAuthMode('ldap', true);
    }

Here is the call graph for this function:

Here is the caller graph for this function:

isHandledRole()

ilLDAPRoleGroupMapping::isHandledRole (   $a_role_id )

private

Parameters

int | string | null

$a_role_id

Definition at line 221 of file class.ilLDAPRoleGroupMapping.php.

Referenced by assign(), deassign(), and deleteRole().

                                              : bool
    {
        if (!is_string($a_role_id) || !is_int($a_role_id)) {
            return false;
        }

        return array_key_exists($a_role_id, $this->mappings);
    }

Here is the caller graph for this function:

isHandledUser()

ilLDAPRoleGroupMapping::isHandledUser (   $a_usr_id )

private

Check if user is ldap user.

Definition at line 233 of file class.ilLDAPRoleGroupMapping.php.

Referenced by assign(), and deassign().

                                             : bool
    {
        return array_key_exists($a_usr_id, $this->users);
    }

Here is the caller graph for this function:

readDN()

ilLDAPRoleGroupMapping::readDN ( int  $a_usr_id, int  $a_server_id  )

private

Read DN of user.

Parameters

int	user id
int	server id

Exceptions

ilLDAPQueryException

Definition at line 358 of file class.ilLDAPRoleGroupMapping.php.

References $data, $res, $server, getLDAPQueryInstance(), and null.

Referenced by assignToGroup(), and deassignFromGroup().

    {
        if ($this->user_dns === null) {
            $this->user_dns = [];
        }
        if (isset($this->user_dns[$a_usr_id])) {
            return $this->user_dns[$a_usr_id];
        }

        $external_account = $this->users[$a_usr_id];

        $server = $this->servers[$a_server_id];
        $query_obj = $this->getLDAPQueryInstance($a_server_id, $server->getUrl());

        if ($search_base = $server->getSearchBase()) {
            $search_base .= ',';
        }
        $search_base .= $server->getBaseDN();

        // try optional group user filter first
        if ($server->isMembershipOptional() && $server->getGroupUserFilter()) {
            $userFilter = $server->getGroupUserFilter();
        } else {
            $userFilter = $server->getFilter();
        }

        $filter = sprintf(
            '(&(%s=%s)%s)',
            $server->getUserAttribute(),
            $external_account,
            $userFilter
        );

        $res = $query_obj->query($search_base, $filter, $server->getUserScope(), array('dn'));

        if (!$res->numRows()) {
            throw new ilLDAPQueryException(__METHOD__ . ' cannot find dn for user ' . $external_account);
        }
        if ($res->numRows() > 1) {
            throw new ilLDAPQueryException(__METHOD__ . ' found multiple distinguished name for: ' . $external_account);
        }

        $data = $res->get();
        $this->user_dns[$a_usr_id] = $data['dn'];
        return $this->user_dns[$a_usr_id];
    }

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

$active_servers

bool ilLDAPRoleGroupMapping::$active_servers = false

private

Definition at line 39 of file class.ilLDAPRoleGroupMapping.php.

$ilObjDataCache

ilObjectDataCache ilLDAPRoleGroupMapping::$ilObjDataCache

private

Definition at line 29 of file class.ilLDAPRoleGroupMapping.php.

$instance

ilLDAPRoleGroupMapping ilLDAPRoleGroupMapping::$instance = null

staticprivate

Definition at line 26 of file class.ilLDAPRoleGroupMapping.php.

$log

ilLogger ilLDAPRoleGroupMapping::$log

private

Definition at line 27 of file class.ilLDAPRoleGroupMapping.php.

$mapping_info

array ilLDAPRoleGroupMapping::$mapping_info

private

Definition at line 34 of file class.ilLDAPRoleGroupMapping.php.

$mapping_info_strict

array ilLDAPRoleGroupMapping::$mapping_info_strict

private

Definition at line 35 of file class.ilLDAPRoleGroupMapping.php.

$mapping_members

array ilLDAPRoleGroupMapping::$mapping_members

private

Definition at line 33 of file class.ilLDAPRoleGroupMapping.php.

$mappings

array ilLDAPRoleGroupMapping::$mappings

private

Definition at line 32 of file class.ilLDAPRoleGroupMapping.php.

$query

array ilLDAPRoleGroupMapping::$query

private

Definition at line 36 of file class.ilLDAPRoleGroupMapping.php.

$rbacreview

ilRbacReview ilLDAPRoleGroupMapping::$rbacreview

private

Definition at line 28 of file class.ilLDAPRoleGroupMapping.php.

$servers

array ilLDAPRoleGroupMapping::$servers

private

Definition at line 31 of file class.ilLDAPRoleGroupMapping.php.

$user_dns

array ilLDAPRoleGroupMapping::$user_dns

private

Definition at line 38 of file class.ilLDAPRoleGroupMapping.php.

$users

array ilLDAPRoleGroupMapping::$users

private

Definition at line 37 of file class.ilLDAPRoleGroupMapping.php.

---

The documentation for this class was generated from the following file:

• components/ILIAS/LDAP/classes/class.ilLDAPRoleGroupMapping.php