/**
 * Authenticate a request that the web server (Apache) has already authenticated.
 *
 * Order of checks as implemented below:
 *  1. Apache auth must be enabled and an indicator name/value pair must be configured.
 *  2. The login must be syntactically valid (ilUtil::isLogin).
 *  3. The literal pair anonymous/anonymous is accepted against usr_data without
 *     any password verification.
 *  4. Otherwise the request is trusted only when $_SERVER[<indicator name>] equals the
 *     configured indicator value; then a local account, an LDAP account and finally
 *     auto-creation of a local account are tried, in that order.
 *
 * @param string $a_username          login name to authenticate
 * @param string $password            only compared against the literal 'anonymous'
 * @param bool   $isChallengeResponse not used in this method
 * @return bool true when the auth object has been set up for a user, false otherwise;
 *              the account-migration path redirects and exits instead of returning
 */
function fetchData($a_username, $password, $isChallengeResponse = false)
 {
     //var_dump(func_get_args());
     //var_dump($_SERVER);
     // $lng is not used below
     global $lng;
     $settings = new ilSetting('apache_auth');
     // Feature switch: nothing is trusted unless Apache auth is switched on ...
     if (!$settings->get('apache_enable_auth')) {
         return false;
     }
     // ... and both halves of the indicator are configured.
     if (!$settings->get('apache_auth_indicator_name') || !$settings->get('apache_auth_indicator_value')) {
         return false;
     }
     if (!ilUtil::isLogin($a_username)) {
         return false;
     }
     // Anonymous access: accepted on the literal login/password pair alone.
     // The query only checks that the account exists; no stored password is verified.
     if ($a_username == 'anonymous' && $password == 'anonymous') {
         global $ilDB;
         $query = 'SELECT * FROM usr_data WHERE login = %s';
         $qres = $ilDB->queryF($query, array('text'), array($a_username));
         $userRow = $ilDB->fetchAssoc($qres);
         if (is_array($userRow) && $userRow['usr_id']) {
             // user as a local account...
             // fetch logindata
             $this->activeUser = $userRow['login'];
             foreach ($userRow as $key => $value) {
                 // the password and login columns are not copied into the auth data
                 if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
                     continue;
                 }
                 // Use reference to the auth object if exists
                 // This is because the auth session variable can change so a static call to setAuthData does not make sense
                 $this->_auth_obj->setAuthData($key, $value);
             }
             //var_dump($userRow);
             $this->_auth_obj->setAuth($userRow['login']);
             return true;
         }
         return false;
     }
     // Trust decision: the $_SERVER entry named in the settings must carry the configured value.
     // NOTE(review): how that entry is populated (server-side auth module vs. a request header)
     // is not visible here; confirm a client cannot supply it itself. The comparison is loose (==),
     // and $_SESSION['login_invalid'] is read without isset().
     if (!$_SESSION['login_invalid'] && $_SERVER[$settings->get('apache_auth_indicator_name')] == $settings->get('apache_auth_indicator_value')) {
         // we have a valid apache auth
         global $ilDB;
         // 1) Local account: matched by login, or by an 'apache' auth_mode account whose
         //    ext_account equals the login. The login is passed as a bound parameter.
         if ($settings->get('apache_enable_local')) {
             $query = 'SELECT * FROM usr_data WHERE login = %s OR (auth_mode = %s AND ext_account = %s)';
             $qres = $ilDB->queryF($query, array('text', 'text', 'text'), array($a_username, 'apache', $a_username));
             $userRow = $ilDB->fetchAssoc($qres);
             if (is_array($userRow) && $userRow['usr_id']) {
                 // user as a local account...
                 // fetch logindata
                 $this->activeUser = $userRow['login'];
                 foreach ($userRow as $key => $value) {
                     // the password and login columns are not copied into the auth data
                     if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
                         continue;
                     }
                     // Use reference to the auth object if exists
                     // This is because the auth session variable can change so a static call to setAuthData does not make sense
                     $this->_auth_obj->setAuthData($key, $value);
                 }
                 //var_dump($userRow);
                 $this->_auth_obj->setAuth($userRow['login']);
                 return true;
             }
         }
         // if no local user has been found AND ldap lookup is enabled
         // 2) LDAP lookup on the first active server. The entry is accepted only when its
         //    configured user attribute equals the login that was handed in.
         if ($settings->get('apache_enable_ldap')) {
             include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
             $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
             $this->server->doConnectionCheck();
             $config = $this->server->toPearAuthArray();
             $query = new ilLDAPQuery($this->server);
             $ldapUser = $query->fetchUser($a_username);
             if ($ldapUser && $ldapUser[$a_username] && $ldapUser[$a_username][$config['userattr']] == $a_username) {
                 // internal account that is linked to this external 'apache' account, if any
                 $ldapUser[$a_username]['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("apache", $a_username);
                 $user_data = $ldapUser[$a_username];
                 //array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
                 if ($this->server->enabledSyncOnLogin()) {
                     // No internal account yet and migration is enabled: hand over to the
                     // account-migration dialog instead of creating an account here.
                     if (!$user_data['ilInternalAccount'] && $this->server->isAccountMigrationEnabled() && !self::$force_creation) {
                         $this->_auth_obj->logout();
                         $_SESSION['tmp_auth_mode'] = 'apache';
                         $_SESSION['tmp_external_account'] = $a_username;
                         // NOTE(review): the clear-text password from the request is parked in the session here
                         $_SESSION['tmp_pass'] = $_POST['password'];
                         include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php';
                         $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation($a_username, $user_data);
                         $_SESSION['tmp_roles'] = array();
                         foreach ($roles as $info) {
                             if ($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN) {
                                 $_SESSION['tmp_roles'][] = $info['id'];
                             }
                         }
                         // redirect and stop: nothing below runs for the migration case
                         ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
                         exit;
                     }
                     // Sync profile attributes from LDAP when due; either way the internal
                     // account is looked up again afterwards.
                     if ($this->updateRequired($a_username)) {
                         $this->initLDAPAttributeToUser();
                         $this->ldap_attr_to_user->setUserData($ldapUser);
                         $this->ldap_attr_to_user->refresh();
                         $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("apache", $a_username);
                     } else {
                         // User exists and no update required
                         $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("apache", $a_username);
                     }
                 }
                 if ($user_data['ilInternalAccount']) {
                     $this->_auth_obj->setAuth($user_data['ilInternalAccount']);
                     return true;
                 }
             }
         }
         // 3) Auto-create a local 'apache' account when the settings allow it.
         if ($settings->get('apache_enable_local') && $settings->get('apache_local_autocreate')) {
             // no local user, no ldap match or ldap not activated
             //				if (!self::$force_creation)
             //				{
             //					$_SESSION['tmp_auth_mode'] = 'apache';
             //					$_SESSION['tmp_external_account'] = $a_username;
             //					$_SESSION['tmp_pass'] = $_POST['password'];
             //ilUtil::redirect('https://lernwelt.janposselt.de/ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
             //				}
             //				else
             //				{
             global $ilIliasIniFile;
             // NOTE(review): $_GET['r'] is stored as a redirect target without validation here;
             // confirm it is checked against an allowed destination where it is consumed.
             if ($_GET['r']) {
                 $_SESSION['profile_complete_redirect'] = $_GET['r'];
             }
             // The new account is active at once with no time limit; the profile is flagged incomplete.
             $user = new ilObjUser();
             $user->setLogin($a_username);
             $user->setExternalAccount($a_username);
             $user->setProfileIncomplete(true);
             $user->create();
             $user->setAuthMode('apache');
             // set a timestamp for last_password_change
             // this ts is needed by ilSecuritySettings
             $user->setLastPasswordChangeTS(time());
             $user->setTimeLimitUnlimited(1);
             $user->setActive(1);
             //insert user data in table user_data
             $user->saveAsNew();
             $user->writePrefs();
             global $rbacadmin;
             // role id from the settings, presumably falling back to 4 when unset
             $rbacadmin->assignUser($settings->get('apache_default_role', 4), $user->getId(), true);
             return true;
             //				}
         }
     } else {
         // Indicator missing or mismatched: only certificate SSO gets an explicit error code.
         if (defined('IL_CERT_SSO') && IL_CERT_SSO) {
             define('APACHE_ERRORCODE', AUTH_APACHE_FAILED);
         }
     }
     return false;
 }
 /**
  * Collect the LDAP attribute names that must be requested for a user profile:
  * the user attribute, 'dn', every mapped profile field and every attribute the
  * role assignment rules look at. The result is stored in $this->user_fields.
  *
  * @access private
  * @return void
  */
 private function fetchUserProfileFields()
 {
     include_once 'Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php';

     $required = array($this->settings->getUserAttribute(), 'dn');
     $mapped = $this->mapping->getFields();
     $rule_attributes = ilLDAPRoleAssignmentRules::getAttributeNames();

     $this->user_fields = array_merge($required, $mapped, $rule_attributes);
 }
 /**
  * Authenticate a request that the web server (Apache) has already authenticated.
  *
  * Order of checks as implemented below:
  *  1. Apache auth must be enabled and an indicator name/value list must be configured.
  *  2. The login must be syntactically valid (ilUtil::isLogin).
  *  3. The literal pair anonymous/anonymous is accepted against usr_data without
  *     any password verification.
  *  4. Otherwise the request is trusted only when $_SERVER[<indicator name>] is one of
  *     the comma-separated configured indicator values; the configured auth mode
  *     sequence is then walked (LDAP lookup, local account lookup) and finally a
  *     local account may be auto-created.
  *
  * @param string $a_username          login name to authenticate
  * @param string $password            only compared against the literal 'anonymous'
  * @param bool   $isChallengeResponse not used in this method
  * @return bool|void true when the auth object has been set up for a user, false
  *                   otherwise; the account-migration path issues a redirect
  * @throws ilLDAPQueryException
  */
 function fetchData($a_username, $password, $isChallengeResponse = false)
 {
     /**
      * @var $ilDB      ilDB
      * @var $ilSetting ilSetting
      * @var $rbacadmin ilRbacAdmin
      */
     global $ilDB, $ilSetting, $rbacadmin;
     $settings = new ilSetting('apache_auth');
     // Feature switch: nothing is trusted unless Apache auth is switched on ...
     if (!$settings->get('apache_enable_auth')) {
         return false;
     }
     // ... and both halves of the indicator are configured.
     if (!$settings->get('apache_auth_indicator_name') || !$settings->get('apache_auth_indicator_value')) {
         return false;
     }
     if (!ilUtil::isLogin($a_username)) {
         return false;
     }
     // Anonymous access: accepted on the literal login/password pair alone.
     // The query only checks that the account exists; no stored password is verified.
     if ($a_username == 'anonymous' && $password == 'anonymous') {
         $query = 'SELECT * FROM usr_data WHERE login = %s';
         $qres = $ilDB->queryF($query, array('text'), array($a_username));
         $userRow = $ilDB->fetchAssoc($qres);
         if (is_array($userRow) && $userRow['usr_id']) {
             // user as a local account...
             // fetch logindata
             $this->activeUser = $userRow['login'];
             foreach ($userRow as $key => $value) {
                 // the password and login columns are not copied into the auth data
                 if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
                     continue;
                 }
                 // Use reference to the auth object if exists
                 // This is because the auth session variable can change so a static call to setAuthData does not make sense
                 $this->_auth_obj->setAuthData($key, $value);
             }
             $this->_auth_obj->setAuth($userRow['login']);
             return true;
         }
         return false;
     }
     // Trust decision: the $_SERVER entry named in the settings must equal one of the
     // comma-separated, trimmed indicator values from the settings.
     // NOTE(review): how that entry is populated (server-side auth module vs. a request header)
     // is not visible here; confirm a client cannot supply it itself. in_array() is used without
     // the strict flag, so numeric-looking strings compare numerically ('10' == '1e1'), and
     // $_SESSION['login_invalid'] is read without isset().
     if (!$_SESSION['login_invalid'] && in_array($_SERVER[$settings->get('apache_auth_indicator_name')], array_filter(array_map('trim', str_getcsv($settings->get('apache_auth_indicator_value')))))) {
         // we have a valid apache auth
         // Default: a single lookup using the global auth mode ...
         $list = array($ilSetting->get('auth_mode'));
         // Respect the auth method sequence
         // ... unless several auth modes are active and the user does not pick one manually;
         // then every mode of the configured sequence is tried in order.
         include_once './Services/Authentication/classes/class.ilAuthModeDetermination.php';
         $det = ilAuthModeDetermination::_getInstance();
         if (!$det->isManualSelection() && $det->getCountActiveAuthModes() > 1) {
             $list = array();
             foreach (ilAuthModeDetermination::_getInstance()->getAuthModeSequence() as $auth_mode) {
                 $list[] = $auth_mode;
             }
         }
         foreach ($list as $auth_mode) {
             if (AUTH_LDAP == $auth_mode) {
                 // if no local user has been found AND ldap lookup is enabled
                 // LDAP lookup on the first active server. The entry is accepted only when its
                 // configured user attribute equals the login that was handed in.
                 if ($settings->get('apache_enable_ldap')) {
                     include_once 'Services/LDAP/classes/class.ilLDAPServer.php';
                     $this->server = new ilLDAPServer(ilLDAPServer::_getFirstActiveServer());
                     $this->server->doConnectionCheck();
                     $config = $this->server->toPearAuthArray();
                     $query = new ilLDAPQuery($this->server);
                     $query->bind();
                     $ldapUser = $query->fetchUser($a_username);
                     if ($ldapUser && $ldapUser[$a_username] && $ldapUser[$a_username][$config['userattr']] == $a_username) {
                         // internal account linked to this external 'ldap' account, if any
                         $ldapUser[$a_username]['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
                         $user_data = $ldapUser[$a_username];
                         //array_change_key_case($a_auth->getAuthData(),CASE_LOWER);
                         if ($this->server->enabledSyncOnLogin()) {
                             // No internal account yet and migration is enabled: hand over to the
                             // account-migration dialog instead of creating an account here.
                             if (!$user_data['ilInternalAccount'] && $this->server->isAccountMigrationEnabled() && !self::$force_creation) {
                                 $this->_auth_obj->logout();
                                 $_SESSION['tmp_auth_mode'] = 'ldap';
                                 $_SESSION['tmp_external_account'] = $a_username;
                                 // NOTE(review): the clear-text password from the request is parked in the session here
                                 $_SESSION['tmp_pass'] = $_POST['password'];
                                 include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php';
                                 $roles = ilLDAPRoleAssignmentRules::getAssignmentsForCreation($a_username, $user_data);
                                 $_SESSION['tmp_roles'] = array();
                                 foreach ($roles as $info) {
                                     if ($info['action'] == ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN) {
                                         $_SESSION['tmp_roles'][] = $info['id'];
                                     }
                                 }
                                 // NOTE(review): no exit after the redirect here; if ilUtil::redirect()
                                 // returns, execution falls through to updateRequired() below.
                                 ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmdClass=ilstartupgui&cmd=showAccountMigration');
                             }
                             // Sync profile attributes from LDAP when due; either way the internal
                             // account is looked up again afterwards.
                             if ($this->updateRequired($a_username)) {
                                 $this->initLDAPAttributeToUser();
                                 $this->ldap_attr_to_user->setUserData($ldapUser);
                                 $this->ldap_attr_to_user->refresh();
                                 $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
                             } else {
                                 // User exists and no update required
                                 $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("ldap", $a_username);
                             }
                         }
                         if ($user_data['ilInternalAccount']) {
                             $this->_auth_obj->setAuth($user_data['ilInternalAccount']);
                             $this->_auth_obj->username = $user_data['ilInternalAccount'];
                             return true;
                         }
                     }
                 }
             } else {
                 // Local account lookup for every mode in the sequence other than LDAP and Apache.
                 // 'ldap' accounts are excluded; when the global auth mode is ldap, 'default'
                 // accounts are excluded as well. The login is passed as a bound parameter, the
                 // extra condition uses $ilDB->quote().
                 if (AUTH_APACHE != $auth_mode && $settings->get('apache_enable_local')) {
                     $condition = '';
                     if ($ilSetting->get("auth_mode") && $ilSetting->get("auth_mode") == 'ldap') {
                         $condition = " AND auth_mode != " . $ilDB->quote('default', 'text') . " ";
                     }
                     $query = "SELECT * FROM usr_data WHERE login = %s AND auth_mode != %s {$condition}";
                     $qres = $ilDB->queryF($query, array('text', 'text'), array($a_username, 'ldap'));
                     $userRow = $ilDB->fetchAssoc($qres);
                     if (is_array($userRow) && $userRow['usr_id']) {
                         // user as a local account...
                         // fetch logindata
                         $this->activeUser = $userRow['login'];
                         foreach ($userRow as $key => $value) {
                             // the password and login columns are not copied into the auth data
                             if ($key == $this->options['passwordcol'] || $key == $this->options['usernamecol']) {
                                 continue;
                             }
                             // Use reference to the auth object if exists
                             // This is because the auth session variable can change so a static call to setAuthData does not make sense
                             $this->_auth_obj->setAuthData($key, $value);
                         }
                         $this->_auth_obj->setAuth($userRow['login']);
                         return true;
                     }
                 }
             }
         }
         // Last resort: auto-create a local 'apache' account when the settings allow it.
         if ($settings->get('apache_enable_local') && $settings->get('apache_local_autocreate')) {
             // NOTE(review): $_GET['r'] is stored as a redirect target without validation here;
             // confirm it is checked against an allowed destination where it is consumed.
             if ($_GET['r']) {
                 $_SESSION['profile_complete_redirect'] = $_GET['r'];
             }
             // The new account is active at once with no time limit; the profile is flagged incomplete.
             $user = new ilObjUser();
             $user->setLogin($a_username);
             $user->setExternalAccount($a_username);
             $user->setProfileIncomplete(true);
             $user->create();
             $user->setAuthMode('apache');
             // set a timestamp for last_password_change
             // this ts is needed by ilSecuritySettings
             $user->setLastPasswordChangeTS(time());
             $user->setTimeLimitUnlimited(1);
             $user->setActive(1);
             //insert user data in table user_data
             $user->saveAsNew();
             $user->writePrefs();
             // role id from the settings, presumably falling back to 4 when unset
             $rbacadmin->assignUser($settings->get('apache_default_role', 4), $user->getId(), true);
             return true;
         }
     } else {
         // Indicator missing or mismatched: only certificate SSO gets an explicit error code.
         if (defined('IL_CERT_SSO') && IL_CERT_SSO) {
             define('APACHE_ERRORCODE', AUTH_APACHE_FAILED);
         }
     }
     return false;
 }
 /**
  * Attribute names to request from the LDAP server for the PEAR auth data.
  *
  * Without sync-on-login only the user attribute is needed; with it the mapped
  * profile fields, 'dn' and the role-assignment attributes are appended.
  *
  * @access private
  * @return array
  */
 private function getPearAtributeArray()
 {
     $attributes = array($this->getUserAttribute());

     if (!$this->enabledSyncOnLogin()) {
         return $attributes;
     }

     include_once 'Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
     include_once 'Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php';

     $mapping = ilLDAPAttributeMapping::_getInstanceByServerId($this->getServerId());

     return array_merge(
         $attributes,
         $mapping->getFields(),
         array('dn'),
         ilLDAPRoleAssignmentRules::getAttributeNames()
     );
 }
 /**
  * Handle account migration: park auth mode, external account, the submitted
  * password and the roles to assign in the session for the migration dialog.
  *
  * @todo to much session based handling
  * @return bool always true
  */
 protected function handleAccountMigration()
 {
     // TODO: handle multiple ldap server
     $_SESSION['tmp_auth_mode'] = $this->getAuthMode();
     $_SESSION['tmp_external_account'] = $this->getExternalAccount();
     // NOTE(review): the clear-text password from the request is kept in the session here
     $_SESSION['tmp_pass'] = $_POST['password'];

     include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php';
     $assignments = ilLDAPRoleAssignmentRules::getAssignmentsForCreation(
         $this->getExternalAccount(),
         $this->getUserData()
     );

     // Only rules with the "assign" action yield a role id
     $role_ids = array();
     foreach ($assignments as $info) {
         if ($info['action'] != ilLDAPRoleAssignmentRules::ROLE_ACTION_ASSIGN) {
             continue;
         }
         $role_ids[] = $info['id'];
     }
     $_SESSION['tmp_roles'] = $role_ids;

     return true;
 }
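 /**
  * Create the user-import XML for all fetched LDAP users according to the mapping rules.
  *
  * Users that already have an internal account ('ilInternalAccount') are written as
  * <User Action="Update"> with the update rules; all others as <User Action="Insert">
  * with a generated login and the full rule set. The writer is kept in $this->writer.
  *
  * NOTE(review): attribute values come straight from the directory; escaping is left
  * to ilXmlWriter — confirm it escapes element content.
  *
  * @access private
  * @return void
  */
 private function usersToXML()
 {
     include_once './Services/Xml/classes/class.ilXmlWriter.php';
     include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php';

     $this->writer = new ilXmlWriter();
     $this->writer->xmlStartTag('Users');

     $cnt_update = 0;
     $cnt_create = 0;

     // Single users
     foreach ($this->user_data as $external_account => $user) {
         $user['ilExternalAccount'] = $external_account;

         if ($user['ilInternalAccount']) {
             ++$cnt_update;
             $rules = $this->writeUserUpdateHeader($user, $external_account);
         } else {
             ++$cnt_create;
             $rules = $this->writeUserInsertHeader($user, $external_account);
         }

         // Account state shared by updates and inserts
         $this->writer->xmlElement('Active', array(), "true");
         $this->writer->xmlElement('TimeLimitOwner', array(), 7);
         $this->writer->xmlElement('TimeLimitUnlimited', array(), 1);
         $this->writer->xmlElement('TimeLimitFrom', array(), time());
         $this->writer->xmlElement('TimeLimitUntil', array(), time());

         // only for new users.
         // If auth_mode is 'default' (ldap) this status should remain.
         if (!$user['ilInternalAccount']) {
             $this->writer->xmlElement('AuthMode', array('type' => $this->getNewUserAuthMode()), $this->getNewUserAuthMode());
             $this->writer->xmlElement('ExternalAccount', array(), $external_account);
         }

         foreach ($rules as $field => $data) {
             // Do Mapping: it is possible to assign multiple ldap attribute to one user data field.
             // Falsy results (including '0') are skipped, as before.
             $value = $this->doMapping($user, $data);
             if (!$value) {
                 continue;
             }
             $this->writeMappedField($field, $value);
         }

         $this->writer->xmlEndTag('User');
     }

     if ($cnt_create) {
         $this->log->write('LDAP: Started creation of ' . $cnt_create . ' users.');
     }
     if ($cnt_update) {
         $this->log->write('LDAP: Started update of ' . $cnt_update . ' users.');
     }

     $this->writer->xmlEndTag('Users');
 }

 /**
  * Open the <User Action="Update"> element for an existing account, write its
  * identifying elements and role assignments, and return the update rules.
  *
  * @param array  $user             user data with 'ilInternalAccount' set
  * @param string $external_account external (LDAP) account name
  * @return array mapping rules to apply on update
  */
 private function writeUserUpdateHeader($user, $external_account)
 {
     $usr_id = ilObjUser::_lookupId($user['ilInternalAccount']);

     // User exists
     $this->writer->xmlStartTag('User', array('Id' => $usr_id, 'Action' => 'Update'));
     $this->writer->xmlElement('Login', array(), $user['ilInternalAccount']);
     $this->writer->xmlElement('ExternalAccount', array(), $external_account);
     // The attribute key was an unquoted bare word (type) before, i.e. an undefined
     // constant; it is the 'type' attribute as in the insert case.
     $this->writer->xmlElement('AuthMode', array('type' => $this->getNewUserAuthMode()), null);

     $rules = $this->mapping->getRulesForUpdate();
     foreach (ilLDAPRoleAssignmentRules::getAssignmentsForUpdate($usr_id, $external_account, $user) as $role_data) {
         $this->writeRoleElement($role_data);
     }
     return $rules;
 }

 /**
  * Open the <User Action="Insert"> element for a new account, write the generated
  * login and role assignments, and return the full rule set.
  *
  * @param array  $user             user data without an internal account
  * @param string $external_account external (LDAP) account name
  * @return array mapping rules to apply on creation
  */
 private function writeUserInsertHeader($user, $external_account)
 {
     // Create user
     $this->writer->xmlStartTag('User', array('Action' => 'Insert'));
     $this->writer->xmlElement('Login', array(), ilAuthUtils::_generateLogin($external_account));
     foreach (ilLDAPRoleAssignmentRules::getAssignmentsForCreation($external_account, $user) as $role_data) {
         $this->writeRoleElement($role_data);
     }
     return $this->mapping->getRules();
 }

 /**
  * Write one <Role> element from a role assignment record.
  *
  * @param array $role_data record with 'id', 'type' and 'action'
  * @return void
  */
 private function writeRoleElement($role_data)
 {
     $this->writer->xmlElement(
         'Role',
         array('Id' => $role_data['id'], 'Type' => $role_data['type'], 'Action' => $role_data['action']),
         ''
     );
 }

 /**
  * Write the XML element for one mapped profile field.
  *
  * Plain profile fields map 1:1 to an element name; 'gender' is normalised to
  * 'm' or 'f'; 'udf_<id>' fields become <UserDefinedField> elements. Unknown
  * fields are ignored. 'photo' is intentionally not handled.
  *
  * @param string $field profile field name from the mapping rules
  * @param mixed  $value mapped value (non-falsy)
  * @return void
  */
 private function writeMappedField($field, $value)
 {
     static $element_names = array(
         'firstname'     => 'Firstname',
         'lastname'      => 'Lastname',
         'hobby'         => 'Hobby',
         'title'         => 'Title',
         'institution'   => 'Institution',
         'department'    => 'Department',
         'street'        => 'Street',
         'city'          => 'City',
         'zipcode'       => 'PostalCode',
         'country'       => 'Country',
         'phone_office'  => 'PhoneOffice',
         'phone_home'    => 'PhoneHome',
         'phone_mobile'  => 'PhoneMobile',
         'fax'           => 'Fax',
         'email'         => 'Email',
         'matriculation' => 'Matriculation',
     );

     if ($field === 'gender') {
         // 'm'/'male' -> 'm'; everything else (incl. 'f'/'female') -> 'f'
         $gender = in_array(strtolower($value), array('m', 'male'), true) ? 'm' : 'f';
         $this->writer->xmlElement('Gender', array(), $gender);
         return;
     }

     if (isset($element_names[$field])) {
         $this->writer->xmlElement($element_names[$field], array(), $value);
         return;
     }

     // Handle user defined fields: udf_<definition id>
     if (substr($field, 0, 4) !== 'udf_') {
         return;
     }
     $id_data = explode('_', $field);
     if (!isset($id_data[1])) {
         return;
     }
     $this->initUserDefinedFields();
     $definition = $this->udf->getDefinition($id_data[1]);
     $this->writer->xmlElement(
         'UserDefinedField',
         array('Id' => $definition['il_id'], 'Name' => $definition['field_name']),
         $value
     );
 }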
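 /**
  * Fetch additional attribute names provided by active LDAP role assignment plugins.
  *
  * The list of active plugins for the 'ldaphk' slot is looked up once and cached
  * in self::$active_plugins.
  *
  * @return array attribute names; empty when no plugin contributes any
  */
 protected static function getAdditionalPluginAttributes()
 {
     global $ilPluginAdmin;

     // Look the plugin list up when it has not been fetched yet (null or empty, as before)
     if (empty(self::$active_plugins)) {
         self::$active_plugins = $ilPluginAdmin->getActivePluginsForSlot(IL_COMP_SERVICE, 'LDAP', 'ldaphk');
     }

     $attributes = array();
     foreach (self::$active_plugins as $plugin_name) {
         $plugin_obj = $ilPluginAdmin->getPluginObject(IL_COMP_SERVICE, 'LDAP', 'ldaphk', $plugin_name);
         // Only role assignment plugins contribute attribute names
         if ($plugin_obj instanceof ilLDAPRoleAssignmentPlugin) {
             $attributes = array_merge($attributes, $plugin_obj->getAdditionalAttributeNames());
         }
     }
     return $attributes;
 }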
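 /**
  * Check if this role assignment rule matches the given user data.
  *
  * @param array $a_user_data LDAP attributes of the user; the configured attribute
  *                           name is lower-cased before lookup, so keys are expected
  *                           in lower case
  * @return bool true when the rule matches; false otherwise, including for an
  *              unknown rule type (previously null was returned in that case)
  */
 public function matches($a_user_data)
 {
     global $ilLog;

     switch ($this->getType()) {
         case self::TYPE_PLUGIN:
             include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRules.php';
             return ilLDAPRoleAssignmentRules::callPlugin($this->getPluginId(), $a_user_data);

         case self::TYPE_ATTRIBUTE:
             $attn = strtolower($this->getAttributeName());
             if (!isset($a_user_data[$attn])) {
                 return false;
             }
             // Multi-valued attributes arrive as arrays; wrap single values the same way
             if (!is_array($a_user_data[$attn])) {
                 $attribute_val = array(0 => $a_user_data[$attn]);
             } else {
                 $attribute_val = $a_user_data[$attn];
             }
             $expected = trim($this->getAttributeValue());
             foreach ($attribute_val as $value) {
                 // The configured value may contain wildcards; any matching value is enough
                 if ($this->wildcardCompare($expected, trim($value))) {
                     $ilLog->write(__METHOD__ . ': Found role mapping: ' . ilObject::_lookupTitle($this->getRoleId()));
                     return true;
                 }
             }
             return false;

         case self::TYPE_GROUP:
             return $this->isGroupMember($a_user_data);

         default:
             // Unknown rule type never matches
             return false;
     }
 }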