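/**
 * Authenticate the user named by the LemonLDAP SSO headers and open an OBM
 * session for them.
 *
 * Flow:
 *   1. Read the login and domain the SSO proxy forwarded as HTTP headers.
 *   2. No login header: delegate to the non-SSO authentication class named
 *      by DEFAULT_LEMONLDAP_SECONDARY_AUTHCLASS and return whatever its
 *      auth_validatelogin() returns. auth_preauth() is not used because it
 *      does not do the job correctly for this flow.
 *   3. Refuse the request unless checkLemonldapRequest() accepts it. That
 *      check is the only thing standing between a client-supplied header
 *      and a logged-in session, so it runs before the header values are
 *      used for any lookup.
 *   4. Resolve the user, optionally create/update them through
 *      LemonLDAP_Sync, load their data and unfreeze the account.
 *
 * Side effects on success: fills $obm['login'], $obm['profile'],
 * $obm['domain_id'] and $obm['delegation'] and sets $this->_logged, which
 * OBM modules may use to lock features such as local password changes.
 *
 * @return int|false The authenticated OBM user id, or false on failure.
 */
public function auth_validatelogin () {
    global $obm;

    // Header values are attacker-controlled until checkLemonldapRequest()
    // has vouched for the request; until then they only decide whether the
    // SSO path applies at all.
    $user = $this->_engine->getUserLogin();
    $domain = $this->_engine->getUserDomain();

    // No login header: regular (non-SSO) authentication. The explicit
    // null/'' test replaces strlen(), which is deprecated on null (PHP 8.1+)
    // and silently treated a missing header like an empty one.
    if ($user === null || $user === '') {
        $this->_logger->debug('Proceed to non-SSO authentication');
        $fallback_class = DEFAULT_LEMONLDAP_SECONDARY_AUTHCLASS;
        $fallback = new $fallback_class();
        return $fallback->auth_validatelogin();
    }

    // Validate the SSO request before trusting anything in its headers.
    // $this->_logger->debug("Headers: " . var_export($this->_engine->getHeaders(), true));
    if (!$this->checkLemonldapRequest()) {
        $this->_logger->warn('Not a valid Lemonldap request, stop authentication');
        return false;
    }

    // Resolve the domain and the user. isUserExists() yields false for an
    // unknown user; that is normalised to null for the synchronisation step.
    // NOTE(review): getDomainID() is not checked for failure here — confirm
    // what it returns for an unknown domain and that the lookups below fail
    // closed with that value.
    $domain_id = $this->_engine->getDomainID($domain);
    $user_id = $this->_engine->isUserExists($user, $domain_id);
    if ($user_id === false) {
        $user_id = null;
    }

    // Create or update the account when synchronisation is enabled. A failed
    // sync returns false and leaves $user_id as it was, so an existing user
    // is still authenticated after a failed update, while a user that does
    // not exist yet stays null.
    $sync = new LemonLDAP_Sync($this->_engine);
    if ($sync->isEnabled()) {
        $synced_id = $sync->syncUser($user_id, $domain_id, $user, $domain);
        if ($synced_id !== false) {
            $user_id = $synced_id;
        }
    }

    // Never look a user up by a missing id: an unknown user that could not be
    // provisioned must fail here rather than depend on how the engine
    // interprets a null id.
    $user_auth = false;
    if ($user_id !== null) {
        $user_data = $this->_engine->getUserDataFromId($user_id, $domain_id);
        if (is_array($user_data)
            && array_key_exists('user_id', $user_data)
            && global_unfreeze_user($user_data['user_id'])) {
            $obm['login'] = $user_data['login'];
            $obm['profile'] = $user_data['profile'];
            $obm['domain_id'] = $domain_id;
            $obm['delegation'] = $user_data['delegation_target'];
            $user_auth = $user_data['user_id'];
            $this->_logged = true;
        }
    }

    // $user and $domain come straight from request headers; the logger is
    // assumed to neutralise control characters — confirm before relying on
    // these lines for audit.
    $this->_logger->info("authentication for $user@$domain: " . ($this->_logged ? "SUCCEED" : "FAILED"));
    return $user_auth;
}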
/**
 * Synchronise one user's group memberships with the groups carried in the
 * SSO headers.
 *
 * Groups are created or updated in OBM but never deleted; only the user's
 * membership changes. Memberships present in the database but absent from
 * the headers are removed only when $this->_forceGroupUpdate is set, and
 * only if every group was created/updated and every membership added
 * without error, so a partial failure never strips a user of groups. The
 * primary default group (DEFAULT_USEROBM_GROUPNAME) is never touched.
 *
 * NOTE(review): the second guard returns early when _forceGroupUpdate is
 * off AND $groups is non-empty, which leaves nothing for the method to do
 * unless that option is set. If the intent was "nothing to do when there
 * are no groups", the test should be !sizeof($groups); confirm against the
 * configuration documentation before changing it — this decides who ends
 * up in which group.
 *
 * @param $user_id   The user unique identifier.
 * @param $domain_id The domain identifier.
 * @param $groups    Header groups, keyed by group name.
 * @return boolean True when every group and membership was synchronised.
 */
protected function syncUserGroups ($user_id, $domain_id, $groups) {
    if (!$this->isEnabled()) {
        return false;
    }
    if (!$this->_forceGroupUpdate && sizeof($groups)) {
        return true;
    }

    // Step 1: make sure every header group exists in OBM, updating those
    // already present. A failure is remembered but does not stop the loop.
    $all_ok = true;
    $header_groups = $groups;
    foreach ($header_groups as $name => $attributes) {
        $existing_id = $this->_engine->isGroupExists($name, $domain_id);
        $resolved_id = ($existing_id !== false)
            ? $this->_engine->updateGroup($name, $existing_id, $attributes, $user_id, $domain_id)
            : $this->_engine->addGroup($name, $attributes, $user_id, $domain_id);
        if ($resolved_id === false) {
            $all_ok = false;
            continue;
        }
        $header_groups[$name]['group_id'] = $resolved_id;
    }

    // Step 2: add the user to each header group they are not yet a member
    // of. Groups that could not be resolved are skipped.
    $db_groups = $this->_engine->getGroups($user_id, $domain_id);
    foreach (array_keys($header_groups) as $name) {
        if (array_key_exists($name, $db_groups)) {
            continue;
        }
        $target_id = $this->_engine->isGroupExists($name, $domain_id);
        if ($target_id === false) {
            continue;
        }
        if (!$this->_engine->addUserInGroup($user_id, $target_id, $domain_id)) {
            $this->_logger->warn("Fail to add user in group $name");
            $all_ok = false;
        }
    }

    // Step 3: drop stale memberships, only when configured and only when
    // steps 1 and 2 completed without error.
    if ($all_ok && $this->_forceGroupUpdate) {
        foreach ($db_groups as $name => $db_group_id) {
            if ($name == DEFAULT_USEROBM_GROUPNAME) {
                continue;
            }
            if (!array_key_exists($name, $header_groups)) {
                $this->_engine->removeUserFromGroup($user_id, $db_group_id, $domain_id);
            }
        }
    }

    return $all_ok;
}