/**
* Get instance
*
* @access public
* @static
*
*/
public static function _getInstance()
{
if (self::$instance) {
return self::$instance;
}
return self::$instance = new ilAuthModeDetermination();
}
public function fetchData($user, $pass)
{
foreach (ilAuthModeDetermination::_getInstance()->getAuthModeSequence() as $auth_mode) {
if ($_REQUEST['force_mode_apache']) {
$this->log('Container Apache: Trying new container', AUTH_LOG_DEBUG);
include_once './Services/AuthApache/classes/class.ilAuthContainerApache.php';
$this->current_container = new ilAuthContainerApache();
$auth = new ilAuthApache($this->current_container);
} else {
switch ($auth_mode) {
case AUTH_LDAP:
$this->log('Container LDAP: Trying new container', AUTH_LOG_DEBUG);
include_once './Services/LDAP/classes/class.ilAuthContainerLDAP.php';
$this->current_container = new ilAuthContainerLDAP();
break;
case AUTH_LOCAL:
$this->log('Container MDB2: Trying new container', AUTH_LOG_DEBUG);
include_once './Services/Database/classes/class.ilAuthContainerMDB2.php';
$this->current_container = new ilAuthContainerMDB2();
break;
case AUTH_SOAP:
$this->log('Container SOAP: Trying new container', AUTH_LOG_DEBUG);
include_once './Services/SOAPAuth/classes/class.ilAuthContainerSOAP.php';
$this->current_container = new ilAuthContainerSOAP();
break;
case AUTH_RADIUS:
$this->log('Container Radius: Trying new container', AUTH_LOG_DEBUG);
include_once './Services/Radius/classes/class.ilAuthContainerRadius.php';
$this->current_container = new ilAuthContainerRadius();
break;
// begin-patch auth_plugin
// begin-patch auth_plugin
default:
$this->log('Container Plugin: Trying new container', AUTH_LOG_DEBUG);
foreach (ilAuthUtils::getAuthPlugins() as $pl) {
$container = $pl->getContainer($auth_mode);
if ($container instanceof Auth_Container) {
$this->current_container = $container;
break;
}
}
break;
// end-patch auth_plugin
}
}
$this->current_container->_auth_obj = $this->_auth_obj;
$result = $this->current_container->fetchData($user, $pass);
if (PEAR::isError($result)) {
$this->log('Container ' . $key . ': ' . $result->getMessage(), AUTH_LOG_ERR);
// Do not return here, otherwise wrong configured auth modes might block ilias database authentication
} elseif ($result == true) {
$this->log('Container ' . $key . ': Authentication successful.', AUTH_LOG_DEBUG);
return true;
} else {
$this->log('Container ' . $key . ': Authentication failed.', AUTH_LOG_DEBUG);
}
}
return false;
}
/**
* @param $a_username
* @param $password
* @param bool $isChallengeResponse
* @return bool|void
* @throws ilLDAPQueryException
*/
function fetchData($a_username, $password, $isChallengeResponse = false)
{
/**
* @var $ilDB ilDB
* @var $ilSetting ilSetting
* @var $rbacadmin ilRbacAdmin
*/
global $ilDB, $ilSetting, $rbacadmin;
$settings = new ilSetting('apache_auth');
if (!$settings->get('apache_enable_auth')) {
return false;
}
if (!$settings->get('apache_auth_indicator_name') || !$settings->get('apache_auth_indicator_value')) {
return false;
}
if (!ilUtil::isLogin($a_username)) {
return false;
}
if ($a_username == 'anonymous' && $password == 'anonymous') {
$query = 'SELECT * FROM usr_data WHERE login = %s';
$qres = $ilDB->queryF($query, array('text'), array($a_username));
$userRow = $ilDB->fetchAssoc($qres);
if (is_array($userRow) && $userRow['usr_id']) {
// user as a local account...
// fetch logindata
$this->activeUser = $userRow['login'];
foreach ($userRow as $key => $value) {
if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
continue;
}
// Use reference to the auth object if exists
// This is because the auth session variable can change so a static call to setAuthData does not make sense
$this->_auth_obj->setAuthData($key, $value);
}
$this->_auth_obj->setAuth($userRow['login']);
return true;
}
return false;
}
if (!$_SESSION['login_invalid'] && in_array($_SERVER[$settings->get('apache_auth_indicator_name')], array_filter(array_map('trim', str_getcsv($settings->get('apache_auth_indicator_value')))))) {
// we have a valid apache auth
$list = array($ilSetting->get('auth_mode'));
// Respect the auth method sequence
include_once './Services/Authentication/classes/class.ilAuthModeDetermination.php';
$det = ilAuthModeDetermination::_getInstance();
if (!$det->isManualSelection() && $det->getCountActiveAuthModes() > 1) {
$list = array();
foreach (ilAuthModeDetermination::_getInstance()->getAuthModeSequence() as $auth_mode) {
$list[] = $auth_mode;
}
}
foreach ($list as $auth_mode) {
if (AUTH_LDAP == $auth_mode) {
// if no local user has been found AND ldap lookup is enabled
if ($settings->get('apache_enable_ldap')) {
include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
$this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
$this->server->doConnectionCheck();
$config = $this->server->toPearAuthArray();
$query = new ilLDAPQuery($this->server);
$query->bind();
$ldapUser = $query->fetchUser($a_username);
if ($ldapUser && $ldapUser[$a_username] && $ldapUser[$a_username][$config['userattr']] == $a_username) {
$ldapUser[$a_username]['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
$user_data = $ldapUser[$a_username];
//array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
if ($this->server->enabledSyncOnLogin()) {
if (!$user_data['ilInternalAccount'] && $this->server->isAccountMigrationEnabled() && !self::$force_creation) {
$this->_auth_obj->logout();
$_SESSION['tmp_auth_mode'] = 'ldap';
$_SESSION['tmp_external_account'] = $a_username;
$_SESSION['tmp_pass'] = $_POST['password'];
include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php';
$roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation($a_username, $user_data);
$_SESSION['tmp_roles'] = array();
foreach ($roles as $info) {
if ($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN) {
$_SESSION['tmp_roles'][] = $info['id'];
}
}
ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
}
if ($this->updateRequired($a_username)) {
$this->initLDAPAttributeToUser();
$this->ldap_attr_to_user->setUserData($ldapUser);
$this->ldap_attr_to_user->refresh();
$user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
} else {
// User exists and no update required
$user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
}
}
if ($user_data['ilInternalAccount']) {
$this->_auth_obj->setAuth($user_data['ilInternalAccount']);
$this->_auth_obj->username = $user_data['ilInternalAccount'];
return true;
}
}
}
} else {
if (AUTH_APACHE != $auth_mode && $settings->get('apache_enable_local')) {
$condition = '';
if ($ilSetting->get("auth_mode") && $ilSetting->get("auth_mode") == 'ldap') {
$condition = " AND auth_mode != " . $ilDB->quote('default', 'text') . " ";
}
$query = "SELECT * FROM usr_data WHERE login = %s AND auth_mode != %s {$condition}";
$qres = $ilDB->queryF($query, array('text', 'text'), array($a_username, 'ldap'));
$userRow = $ilDB->fetchAssoc($qres);
if (is_array($userRow) && $userRow['usr_id']) {
// user as a local account...
// fetch logindata
$this->activeUser = $userRow['login'];
foreach ($userRow as $key => $value) {
if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
continue;
}
// Use reference to the auth object if exists
// This is because the auth session variable can change so a static call to setAuthData does not make sense
$this->_auth_obj->setAuthData($key, $value);
}
$this->_auth_obj->setAuth($userRow['login']);
return true;
}
}
}
}
if ($settings->get('apache_enable_local') && $settings->get('apache_local_autocreate')) {
if ($_GET['r']) {
$_SESSION['profile_complete_redirect'] = $_GET['r'];
}
$user = new ilObjUser();
$user->setLogin($a_username);
$user->setExternalAccount($a_username);
$user->setProfileIncomplete(true);
$user->create();
$user->setAuthMode('apache');
// set a timestamp for last_password_change
// this ts is needed by ilSecuritySettings
$user->setLastPasswordChangeTS(time());
$user->setTimeLimitUnlimited(1);
$user->setActive(1);
//insert user data in table user_data
$user->saveAsNew();
$user->writePrefs();
$rbacadmin->assignUser($settings->get('apache_default_role', 4), $user->getId(), true);
return true;
}
} else {
if (defined('IL_CERT_SSO') && IL_CERT_SSO) {
define('APACHE_ERRORCODE', AUTH_APACHE_FAILED);
}
}
return false;
}
/**
* update auth mode determination
*
* @access public
*
*/
public function updateAuthModeDeterminationObject()
{
include_once 'Services/Authentication/classes/class.ilAuthModeDetermination.php';
$det = ilAuthModeDetermination::_getInstance();
$det->setKind((int) $_POST['kind']);
$pos = $_POST['position'] ? $_POST['position'] : array();
asort($pos, SORT_NUMERIC);
$counter = 0;
foreach ($pos as $auth_mode => $dummy) {
$position[$counter++] = $auth_mode;
}
$det->setAuthModeSequence($position ? $position : array());
$det->save();
require_once 'Services/Captcha/classes/class.ilCaptchaUtil.php';
ilCaptchaUtil::setActiveForLogin((bool) $_POST['activate_captcha_anonym']);
ilUtil::sendSuccess($this->lng->txt('settings_saved'));
$this->authSettingsObject();
}
/**
* Show login form
* @global ilSetting $ilSetting
* @param string $page_editor_html
*/
protected function showLoginForm($page_editor_html)
{
global $ilSetting, $lng, $tpl;
// @todo move this to auth utils.
// login via ILIAS (this also includes radius and ldap)
// If local authentication is enabled for shibboleth users, we
// display the login form for ILIAS here.
if (($ilSetting->get("auth_mode") != AUTH_SHIBBOLETH || $ilSetting->get("shib_auth_allow_local")) && $ilSetting->get("auth_mode") != AUTH_CAS) {
include_once "Services/Form/classes/class.ilPropertyFormGUI.php";
$form = new ilPropertyFormGUI();
//$form->setTableWidth('500');
$form->setFormAction($this->ctrl->getFormAction($this, ''));
$form->setName("formlogin");
$form->setShowTopButtons(false);
$form->setTitle($lng->txt("login_to_ilias"));
// auth selection
include_once './Services/Authentication/classes/class.ilAuthModeDetermination.php';
$det = ilAuthModeDetermination::_getInstance();
if (ilAuthUtils::_hasMultipleAuthenticationMethods() and $det->isManualSelection()) {
$visible_auth_methods = array();
$radg = new ilRadioGroupInputGUI($lng->txt("auth_selection"), "auth_mode");
foreach (ilAuthUtils::_getMultipleAuthModeOptions($lng) as $key => $option) {
if (isset($option['hide_in_ui']) && $option['hide_in_ui']) {
continue;
}
$op1 = new ilRadioOption($option['txt'], $key);
$radg->addOption($op1);
if (isset($option['checked'])) {
$radg->setValue($key);
}
$visible_auth_methods[] = $op1;
}
if (count($visible_auth_methods) == 1) {
$first_auth_method = current($visible_auth_methods);
$hidden_auth_method = new ilHiddenInputGUI("auth_mode");
$hidden_auth_method->setValue($first_auth_method->getValue());
$form->addItem($hidden_auth_method);
} else {
$form->addItem($radg);
}
}
$ti = new ilTextInputGUI($lng->txt("username"), "username");
$ti->setSize(20);
$ti->setRequired(true);
$form->addItem($ti);
$pi = new ilPasswordInputGUI($lng->txt("password"), "password");
$pi->setRetype(false);
$pi->setSize(20);
$pi->setDisableHtmlAutoComplete(false);
$pi->setRequired(true);
$form->addItem($pi);
$form->addCommandButton("showLogin", $lng->txt("log_in"));
require_once 'Services/Captcha/classes/class.ilCaptchaUtil.php';
if (ilCaptchaUtil::isActiveForLogin()) {
require_once 'Services/Captcha/classes/class.ilCaptchaInputGUI.php';
$captcha = new ilCaptchaInputGUI($lng->txt('captcha_code'), 'captcha_code');
$captcha->setRequired(true);
$form->addItem($captcha);
}
return $this->substituteLoginPageElements($tpl, $page_editor_html, $form->getHTML(), '[list-login-form]', 'LOGIN_FORM');
}
return $page_editor_html;
}
function _getAuthModeOfUser($a_username, $a_password, $a_db_handler = '')
{
global $ilDB;
if (isset($_GET['ecs_hash']) or isset($_GET['ecs_hash_url'])) {
ilAuthFactory::setContext(ilAuthFactory::CONTEXT_ECS);
return AUTH_ECS;
}
if (isset($_POST['auth_mode'])) {
return (int) $_POST['auth_mode'];
}
if (isset($_POST['oid_username']) or $_GET['oid_check_status']) {
$GLOBALS['ilLog']->write(__METHOD__ . ' set context to open id');
ilAuthFactory::setContext(ilAuthFactory::CONTEXT_OPENID);
return AUTH_OPENID;
}
include_once './Services/Authentication/classes/class.ilAuthModeDetermination.php';
$det = ilAuthModeDetermination::_getInstance();
if (!$det->isManualSelection() and $det->getCountActiveAuthModes() > 1) {
return AUTH_MULTIPLE;
}
$db =& $ilDB;
if ($a_db_handler != '') {
$db =& $a_db_handler;
}
// Is it really necessary to check the auth mode with password ?
// Changed: smeyer
$q = "SELECT auth_mode FROM usr_data WHERE " . "login = "******"passwd = ".$ilDB->quote(md5($a_password))."";
$r = $db->query($q);
$row = $r->fetchRow(DB_FETCHMODE_OBJECT);
//echo "+".$row->auth_mode."+";
$auth_mode = self::_getAuthMode($row->auth_mode, $db);
return in_array($auth_mode, self::_getActiveAuthModes()) ? $auth_mode : AUTH_INACTIVE;
}
