ILIAS  trunk Revision v11.0_alpha-3011-gc6b235a2e85
class.ilLDAPUserSynchronisation.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
26class ilLDAPUserSynchronisation
27{
28 private string $authmode;
29 private ilLDAPServer $server;
30 private ?string $extaccount;
31 private ?string $intaccount;
32
33 private array $user_data = array();
34 private bool $force_creation = false;
35 private bool $force_read_ldap_data = false;
36 private ilLogger $logger;
37
38 public function __construct(string $a_authmode, int $a_server_id)
39 {
40 global $DIC;
41
42 $this->logger = $DIC->logger()->auth();
43 $this->initServer($a_authmode, $a_server_id);
44 }
45
50 public function getServer(): ilLDAPServer
51 {
52 return $this->server;
53 }
54
58 public function getAuthMode(): string
59 {
60 return $this->authmode;
61 }
62
66 public function setExternalAccount(string $a_ext): void
67 {
68 $this->extaccount = $a_ext;
69 }
70
74 public function getExternalAccount(): ?string
75 {
76 return $this->extaccount;
77 }
78
83 public function getInternalAccount(): ?string
84 {
85 return $this->intaccount;
86 }
87
91 public function forceCreation(bool $a_force): void
92 {
93 $this->force_creation = $a_force;
94 }
95
96 public function forceReadLdapData(bool $a_status): void
97 {
98 $this->force_read_ldap_data = $a_status;
99 }
100
105 public function getUserData(): array
106 {
107 return $this->user_data;
108 }
109
113 public function setUserData(array $a_data): void
114 {
115 $this->user_data = $a_data;
116 }
117
125 public function sync(): string
126 {
127 $this->readInternalAccount();
128
129 if (!$this->getInternalAccount()) {
130 ilLoggerFactory::getLogger('auth')->debug('Creating new account');
131 $this->handleCreation();
132 }
133
134 // Nothing to do if sync on login is disabled
135 if (!$this->getServer()->enabledSyncOnLogin()) {
136 return $this->getInternalAccount();
137 }
138
139 // For performance reasons, check if (an update is required)
140 if ($this->isUpdateRequired()) {
141 ilLoggerFactory::getLogger('auth')->debug('Perform update of user data');
142 $this->readUserData();
143 $this->performUpdate();
144 }
145 return $this->getInternalAccount();
146 }
147
153 protected function handleCreation(): void
154 {
155 // Disabled sync on login
156 if (!$this->getServer()->enabledSyncOnLogin()) {
157 throw new ilLDAPSynchronisationForbiddenException('User synchronisation forbidden.');
158 }
159 // Account migration
160 if (!$this->force_creation && $this->getServer()->isAccountMigrationEnabled()) {
161 $this->readUserData();
162 throw new ilLDAPAccountMigrationRequiredException('Account migration check required.');
163 }
164 }
165
169 protected function performUpdate(): bool
170 {
171 ilUserCreationContext::getInstance()->addContext(ilUserCreationContext::CONTEXT_LDAP);
172
173 $update = new ilLDAPAttributeToUser($this->getServer());
174 if ($this->force_creation) {
175 $update->addMode(ilLDAPAttributeToUser::MODE_INITIALIZE_ROLES);
176 }
177 $update->setNewUserAuthMode($this->getAuthMode());
178 $update->setUserData(
179 array(
180 $this->getExternalAccount() => $this->getUserData()
181 )
182 );
183
184 $update->refresh();
185
186 // User has been created, now read internal account again
187 $this->readInternalAccount();
188 return true;
189 }
190
196 protected function readUserData(): bool
197 {
198 // Add internal account to user data
199 $this->user_data['ilInternalAccount'] = $this->getInternalAccount();
200 if (!$this->force_read_ldap_data && strpos($this->getAuthMode(), 'ldap') === 0) {
201 return true;
202 }
203
204 try {
205 $query = new ilLDAPQuery($this->getServer());
206 $query->bind(ilLDAPQuery::LDAP_BIND_DEFAULT);
207 $user = $query->fetchUser($this->getExternalAccount());
208 $this->logger->dump($user, ilLogLevel::DEBUG);
209 $this->user_data = (array) $user[strtolower($this->getExternalAccount())];
210 } catch (ilLDAPQueryException $e) {
211 $this->logger->error('LDAP bind failed with message: ' . $e->getMessage());
212 throw new ilLDAPSynchronisationFailedException($e->getMessage());
213 }
214
215 return true;
216 }
217
218
223 protected function readInternalAccount(): void
224 {
225 if (!$this->getExternalAccount()) {
226 throw new UnexpectedValueException('No external account given.');
227 }
228 $this->intaccount = ilObjUser::_checkExternalAuthAccount(
229 $this->getAuthMode(),
230 $this->getExternalAccount()
231 );
232 }
233
237 protected function isUpdateRequired(): bool
238 {
239 if ($this->force_creation) {
240 return true;
241 }
242 if (!$this->getInternalAccount()) {
243 return true;
244 }
245
246 // Check attribute mapping on login
247 if (ilLDAPAttributeMapping::hasRulesForUpdate($this->getServer()->getServerId())) {
248 return true;
249 }
250
251 // Check if there is any change in role assignments
252 if (ilLDAPRoleAssignmentRule::hasRulesForUpdate()) {
253 return true;
254 }
255 return false;
256 }
257
258
262 protected function initServer(string $a_auth_mode, int $a_server_id): void
263 {
264 $this->authmode = $a_auth_mode;
265 $this->server = ilLDAPServer::getInstanceByServerId($a_server_id);
266 }
267}
ilLDAPAttributeMapping\hasRulesForUpdate
static hasRulesForUpdate(int $a_server_id)
Check if there is ldap attribute -> user data mapping which which is updated on login.
Definition: class.ilLDAPAttributeMapping.php:87
ilLDAPAttributeToUser
Update/create ILIAS user account by given LDAP attributes according to user attribute mapping setting...
Definition: class.ilLDAPAttributeToUser.php:30
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:72
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId(int $a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:101
ilLDAPSynchronisationFailedException
Thrown in case of failed synchronisation settings.
Definition: class.ilLDAPSynchronisationFailedException.php:27
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, ,...
Definition: class.ilLDAPUserSynchronisation.php:27
ilLDAPUserSynchronisation\getInternalAccount
getInternalAccount()
Get ILIAS unique internal account name.
Definition: class.ilLDAPUserSynchronisation.php:83
ilLDAPUserSynchronisation\setExternalAccount
setExternalAccount(string $a_ext)
Set external account (unique for each auth mode)
Definition: class.ilLDAPUserSynchronisation.php:66
ilLDAPUserSynchronisation\performUpdate
performUpdate()
Update user account and role assignments.
Definition: class.ilLDAPUserSynchronisation.php:169
ilLDAPUserSynchronisation\setUserData
setUserData(array $a_data)
Set user data.
Definition: class.ilLDAPUserSynchronisation.php:113
ilLDAPUserSynchronisation\initServer
initServer(string $a_auth_mode, int $a_server_id)
Init LDAP server.
Definition: class.ilLDAPUserSynchronisation.php:262
ilLDAPUserSynchronisation\isUpdateRequired
isUpdateRequired()
Check if an update is required.
Definition: class.ilLDAPUserSynchronisation.php:237
ilLDAPUserSynchronisation\handleCreation
handleCreation()
Handle creation of user accounts.
Definition: class.ilLDAPUserSynchronisation.php:153
ilLDAPUserSynchronisation\forceCreation
forceCreation(bool $a_force)
Force cration of user accounts (Account migration enabled)
Definition: class.ilLDAPUserSynchronisation.php:91
ilLDAPUserSynchronisation\readInternalAccount
readInternalAccount()
Read internal account of user.
Definition: class.ilLDAPUserSynchronisation.php:223
ilLDAPUserSynchronisation\__construct
__construct(string $a_authmode, int $a_server_id)
Definition: class.ilLDAPUserSynchronisation.php:38
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilLogger
Component logger with individual log levels by component id.
Definition: class.ilLogger.php:29
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2813
$DIC
global $DIC
Definition: shib_login.php:26