/**
  * Check if an update is required
  * @return 
  * @param string $a_username
  */
 protected function updateRequired($a_username)
 {
     if (!ilObjUser::_checkExternalAuthAccount("apache", $a_username)) {
         return true;
     }
     // Check attribute mapping on login
     include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
     if (ilLDAPAttributeMapping::hasRulesForUpdate($this->server->getServerId())) {
         #$GLOBALS['ilLog']->write(__METHOD__.': Required 2');
         return true;
     }
     include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
     if (ilLDAPRoleAssignmentRule::hasRulesForUpdate()) {
         #$GLOBALS['ilLog']->write(__METHOD__.': Required 3');
         return true;
     }
     return false;
 }
 /**
  * Check if user agreement is accepted
  *
  * Resolves the local login mapped to the current external account and
  * verifies that this login has accepted the user agreement. A user name
  * without a local account passes the check.
  *
  * @access protected
  * @param string $a_auth_mode auth mode: local, ldap or cas
  * @return bool true when no local account exists or the agreement is accepted
  */
 protected function __checkAgreement($a_auth_mode)
 {
     global $ilDB;
     include_once './Services/User/classes/class.ilObjUser.php';
     include_once './Services/Administration/classes/class.ilSetting.php';
     // A global settings object is created unconditionally here; presumably
     // ilObjUser depends on it being present.
     $GLOBALS['ilSetting'] = new ilSetting();
     $login = ilObjUser::_checkExternalAuthAccount($a_auth_mode, $this->getUsername());
     if (!$login) {
         // User does not exist
         return true;
     }
     $accepted = ilObjUser::_hasAcceptedAgreement($login);
     if (!$accepted) {
         $this->__setMessage('User agreement no accepted.');
     }
     return (bool) $accepted;
 }
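 /**
  * Refresh status of course member assignments
  *
  * Synchronises the local participants of a course/group with the member
  * list delivered by the remote CMS: stored assignments whose person is no
  * longer in $assigned are removed (together with the local membership),
  * persons already assigned get their role updated, and new persons are
  * added (creating the ILIAS account first when the role mapping allows it).
  *
  * @param object $course_member remote course member record; lectureID is read
  * @param int    $obj_id        ILIAS object id of the course or group
  * @param mixed  $sub_id        CMS sub id (parallel group)
  * @param array  $assigned      remote person id => array with key 'role'
  * @return bool always true
  */
 protected function refreshAssignmentStatus($course_member, $obj_id, $sub_id, $assigned)
 {
     include_once './Services/WebServices/ECS/classes/Course/class.ilECSCourseMemberAssignment.php';
     $type = ilObject::_lookupType($obj_id);
     if ($type == 'crs') {
         include_once './Modules/Course/classes/class.ilCourseParticipants.php';
         $part = ilCourseParticipants::_getInstanceByObjId($obj_id);
     } else {
         include_once './Modules/Group/classes/class.ilGroupParticipants.php';
         $part = ilGroupParticipants::_getInstanceByObjId($obj_id);
     }
     $course_id = (int) $course_member->lectureID;
     // Normalise once: both loops below need array semantics (in_array on
     // null would fail in PHP 8).
     $usr_ids = (array) ilECSCourseMemberAssignment::lookupUserIds($course_id, $sub_id, $obj_id);
     $assigned = (array) $assigned;
     // Presumably a server-wide setting; resolved once instead of per member
     $auth_mode = ilECSSetting::lookupAuthMode();
     // Delete remote deleted
     foreach ($usr_ids as $usr_id) {
         if (isset($assigned[$usr_id])) {
             continue;
         }
         $ass = ilECSCourseMemberAssignment::lookupAssignment($course_id, $sub_id, $obj_id, $usr_id);
         if (!($ass instanceof ilECSCourseMemberAssignment)) {
             continue;
         }
         $acc = ilObjUser::_checkExternalAuthAccount($auth_mode, (string) $usr_id);
         if ($il_usr_id = ilObjUser::_lookupId($acc)) {
             // this removes also admin, tutor roles
             $part->delete($il_usr_id);
             $GLOBALS['ilLog']->write(__METHOD__ . ': Deassigning user ' . $usr_id . ' ' . 'from course ' . ilObject::_lookupTitle($obj_id));
         } else {
             $GLOBALS['ilLog']->write(__METHOD__ . ': Deassigning unknown ILIAS user ' . $usr_id . ' ' . 'from course ' . ilObject::_lookupTitle($obj_id));
         }
         // The stored assignment is dropped even if no local user was found
         $ass->delete();
     }
     // Assign new participants
     foreach ($assigned as $person_id => $person) {
         $role = $this->lookupRole($person['role']);
         $role_info = ilECSMappingUtils::getRoleMappingInfo($role);
         $acc = ilObjUser::_checkExternalAuthAccount($auth_mode, (string) $person_id);
         $GLOBALS['ilLog']->write(__METHOD__ . ': Handling user ' . (string) $person_id);
         // Loose comparison on purpose: $person_id is an array key (numeric
         // strings become ints) while the stored ids may be strings.
         if (in_array($person_id, $usr_ids)) {
             if ($il_usr_id = ilObjUser::_lookupId($acc)) {
                 $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($role, true));
                 $part->updateRoleAssignments($il_usr_id, array($role));
                 // Nothing to do, user is member or is locally deleted
             }
             continue;
         }
         if ($il_usr_id = ilObjUser::_lookupId($acc)) {
             if ($role) {
                 // Add user
                 $GLOBALS['ilLog']->write(__METHOD__ . ': Assigning new user ' . $person_id . ' ' . 'to ' . ilObject::_lookupTitle($obj_id));
                 $part->add($il_usr_id, $role);
             }
         } elseif (!empty($role_info['create'])) {
             // No local account yet: create it only when the role mapping permits
             $this->createMember($person_id);
             $GLOBALS['ilLog']->write(__METHOD__ . ': Added new user ' . $person_id);
         }
         // Record the remote assignment regardless of whether a local
         // membership could be established (the next run picks it up).
         $assignment = new ilECSCourseMemberAssignment();
         $assignment->setServer($this->getServer()->getServerId());
         $assignment->setMid($this->mid);
         $assignment->setCmsId($course_id);
         $assignment->setCmsSubId($sub_id);
         $assignment->setObjId($obj_id);
         $assignment->setUid($person_id);
         $assignment->save();
     }
     return true;
 }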
 /** 
  * Called from base class after successful login
  *
  * Maps the RADIUS account to an ILIAS login. When no local account is
  * mapped and account creation is enabled, either the account migration
  * screen is started (unless creation is forced) or a new user is created
  * from the RADIUS attributes; when creation is disabled the login is
  * rejected.
  *
  * @param string $a_username external (RADIUS) user name
  * @param object $a_auth     auth object: getAuthData(), setAuth(), logout(), status
  * @return bool true when the login is mapped to a local account, false when rejected
  */
 public function loginObserver($a_username, $a_auth)
 {
     // Radius with ldap as data source
     include_once './Services/LDAP/classes/class.ilLDAPServer.php';
     if (ilLDAPServer::isDataSourceActive(AUTH_RADIUS)) {
         return $this->handleLDAPDataSource($a_auth, $a_username);
     }
     $user_data = array_change_key_case($a_auth->getAuthData(), CASE_LOWER);
     // Local login mapped to this external account (falsy when none exists)
     $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("radius", $a_username);
     if (!$user_data['ilInternalAccount']) {
         if ($this->radius_settings->enabledCreation()) {
             if ($this->radius_settings->isAccountMigrationEnabled() and !$this->force_creation) {
                 // Hand over to the account migration screen. Note that the
                 // submitted password is stored in the session in clear text
                 // for that screen, so the session store must be treated as
                 // sensitive; $_POST['password'] is read without a guard and
                 // yields null (plus a notice) when the field is missing.
                 $a_auth->logout();
                 $_SESSION['tmp_auth_mode'] = 'radius';
                 $_SESSION['tmp_external_account'] = $a_username;
                 $_SESSION['tmp_pass'] = $_POST['password'];
                 $_SESSION['tmp_roles'] = array(0 => $this->radius_settings->getDefaultRole());
                 // NOTE(review): the user creation below is only skipped if
                 // ilUtil::redirect() terminates the request — confirm.
                 ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmd=showAccountMigration&cmdClass=ilstartupgui');
             }
             // Create the local user from the RADIUS attributes and log in as it
             $this->initRADIUSAttributeToUser();
             $new_name = $this->radius_user->create($a_username);
             $a_auth->setAuth($new_name);
             return true;
         } else {
             // No syncronisation allowed => create Error
             $a_auth->status = AUTH_RADIUS_NO_ILIAS_USER;
             $a_auth->logout();
             return false;
         }
     } else {
         $a_auth->setAuth($user_data['ilInternalAccount']);
         return true;
     }
 }
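 /**
  * Read user data
  *
  * Resolves one LDAP user either by DN (base-scope query, when group
  * members are stored as DNs and $a_check_dn is set) or by a search on the
  * configured user attribute below the search base. On success the entry
  * is stored in $this->users keyed by the value of the user attribute.
  *
  * @param string $a_name                  DN or user attribute value (raw, unescaped)
  * @param bool   $a_check_dn              treat $a_name as DN when members are stored as DNs
  * @param bool   $a_try_group_user_filter use the group user filter when membership is optional
  * @return bool true when an enabled entry was processed, false when nothing
  *              was found or the account is disabled
  * @access private
  */
 private function readUserData($a_name, $a_check_dn = true, $a_try_group_user_filter = false)
 {
     $filter = $this->settings->getFilter();
     if ($a_try_group_user_filter && $this->settings->isMembershipOptional()) {
         $filter = $this->settings->getGroupUserFilter();
     }
     // useraccountcontrol is requested in addition to the mapped fields so
     // that disabled accounts can be rejected below.
     $fields = array_merge($this->user_fields, array('useraccountcontrol'));
     // Build filter
     if ($this->settings->enabledGroupMemberIsDN() && $a_check_dn) {
         // $a_name is a DN: read exactly that entry
         $res = $this->queryByScope(IL_LDAP_SCOPE_BASE, strtolower($a_name), $filter, $fields);
     } else {
         // $a_name becomes part of the search filter; escape it so filter
         // metacharacters (e.g. '*', '(', ')') in a login name cannot widen
         // or alter the query. Callers must pass the raw value.
         $filter = sprintf(
             '(&(%s=%s)%s)',
             $this->settings->getUserAttribute(),
             ldap_escape($a_name, '', LDAP_ESCAPE_FILTER),
             $filter
         );
         // Build search base: "<search base>,<base dn>", tolerating a
         // search base that already ends with a comma
         $dn = $this->settings->getSearchBase();
         if ($dn && substr($dn, -1) != ',') {
             $dn .= ',';
         }
         $dn .= $this->settings->getBaseDN();
         $res = $this->queryByScope($this->settings->getUserScope(), strtolower($dn), $filter, $fields);
     }
     $tmp_result = new ilLDAPResult($this->lh, $res);
     if (!$tmp_result->numRows()) {
         $this->log->write('LDAP: No user data found for: ' . $a_name);
         unset($tmp_result);
         return false;
     }
     if ($user_data = $tmp_result->get()) {
         // Bit 0x2 of userAccountControl marks a disabled account; the cast
         // keeps the bitwise test working on the string value LDAP returns.
         if (isset($user_data['useraccountcontrol']) && ((int) $user_data['useraccountcontrol'] & 0x2)) {
             $this->log->write(__METHOD__ . ': ' . $a_name . ' account disabled.');
             // was a bare "return;" (null); false matches the not-found path
             return false;
         }
         $user_ext = $user_data[strtolower($this->settings->getUserAttribute())];
         // auth mode depends on ldap server settings
         $auth_mode = $this->parseAuthMode();
         $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount($auth_mode, $user_ext);
         $this->users[$user_ext] = $user_data;
     }
     return true;
 }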
 /**
  * Auth and email related methods
  *
  * Creates a throw-away user, exercises the email / external-account
  * lookup helpers of ilObjUser against it and deletes it again. Each lookup
  * that yields the expected value appends a marker; the final assertion
  * checks that all markers were collected in order.
  *
  * @group IL_Init
  */
 public function testAuthAndEmailMethods()
 {
     include_once "./Services/User/classes/class.ilObjUser.php";
     $passed = "";
     // creation
     $user = new ilObjUser();
     $user->assignData(array(
         "login" => "aatestuser2",
         "passwd_type" => IL_PASSWD_PLAIN,
         "passwd" => "password",
         "gender" => "f",
         "firstname" => "Heidi",
         "lastname" => "Kabel",
         "email" => "*****@*****.**",
         "ext_account" => "ext_",
     ));
     $user->setActive(true);
     $user->create();
     $user->saveAsNew();
     $user->setLanguage("de");
     $user->writePrefs();
     $id = $user->getId();
     ilObjUser::_writeExternalAccount($id, "ext_kabel");
     ilObjUser::_writeAuthMode($id, "cas");
     // email lookups
     $ids = ilObjUser::_getUserIdsByEmail("*****@*****.**");
     //var_dump($ids);
     $single_match = is_array($ids) && count($ids) == 1 && $ids[0] == "aatestuser2";
     if ($single_match) {
         $passed .= "email1-";
     }
     if (ilObjUser::getUserIdByEmail("*****@*****.**") == $id) {
         $passed .= "email2-";
     }
     // auth mode / external account lookups
     foreach (ilObjUser::_getExternalAccountsByAuthMode("cas") as $usr_id => $ext_account) {
         if ($usr_id == $id && $ext_account == "ext_kabel") {
             $passed .= "auth1-";
         }
     }
     if (ilObjUser::_lookupAuthMode($id) == "cas") {
         $passed .= "auth2-";
     }
     if (ilObjUser::_checkExternalAuthAccount("cas", "ext_kabel") == "aatestuser2") {
         $passed .= "auth3-";
     }
     if (ilObjUser::_externalAccountExists("ext_kabel", "cas")) {
         $passed .= "auth4-";
     }
     // smoke calls: results are not asserted, they only have to run
     ilObjUser::_getNumberOfUsersPerAuthMode();
     ilObjUser::_getLocalAccountsForEmail("*****@*****.**");
     ilObjUser::_incrementLoginAttempts($id);
     ilObjUser::_getLoginAttempts($id);
     ilObjUser::_resetLoginAttempts($id);
     ilObjUser::_setUserInactive($id);
     // deletion
     $user->delete();
     $this->assertEquals("email1-email2-auth1-auth2-auth3-auth4-", $passed);
 }
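 /**
  * handler for end of element when in verify mode.
  *
  * Validates the content of the closed element against the current import
  * action (Insert/Update/Delete) and records problems via logFailure() /
  * logWarning(). Field values are also stored on $this->userObj so that the
  * closing "User" element can check the complete record.
  *
  * @param resource $a_xml_parser XML parser handle (not used here)
  * @param string   $a_name       name of the closed element
  */
 function verifyEndTag($a_xml_parser, $a_name)
 {
     global $lng, $ilAccess, $ilSetting, $ilObjDataCache;
     switch ($a_name) {
         case "Role":
             $this->roles[$this->current_role_id]["name"] = $this->cdata;
             $this->roles[$this->current_role_id]["type"] = $this->current_role_type;
             $this->roles[$this->current_role_id]["action"] = $this->current_role_action;
             break;
         case "User":
             $this->userObj->setFullname();
             // An Update with an explicit Id is resolved by id, everything else by login
             if ($this->user_id != -1 && $this->action == "Update") {
                 $user_exists = !is_null(ilObjUser::_lookupLogin($this->user_id));
             } else {
                 $user_exists = ilObjUser::getUserIdByLogin($this->userObj->getLogin()) != 0;
             }
             if (is_null($this->userObj->getLogin())) {
                 $this->logFailure("---", sprintf($lng->txt("usrimport_xml_element_for_action_required"), "Login", "Insert"));
             }
             switch ($this->action) {
                 case "Insert":
                     if ($user_exists and $this->conflict_rule == IL_FAIL_ON_CONFLICT) {
                         $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_cant_insert"));
                     }
                     if (is_null($this->userObj->getGender()) && $this->isFieldRequired("gender")) {
                         $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_for_action_required"), "Gender", "Insert"));
                     }
                     if (is_null($this->userObj->getFirstname())) {
                         $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_for_action_required"), "Firstname", "Insert"));
                     }
                     if (is_null($this->userObj->getLastname())) {
                         $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_for_action_required"), "Lastname", "Insert"));
                     }
                     if (count($this->roles) == 0) {
                         $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_for_action_required"), "Role", "Insert"));
                     } else {
                         // a new user needs at least one global role
                         $has_global_role = false;
                         foreach ($this->roles as $role) {
                             if ($role['type'] == 'Global') {
                                 $has_global_role = true;
                                 break;
                             }
                         }
                         if (!$has_global_role) {
                             $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_global_role_for_action_required"), "Insert"));
                         }
                     }
                     break;
                 case "Update":
                     if (!$user_exists) {
                         $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_cant_update"));
                     } elseif ($this->user_id != -1 && !is_null($this->userObj->getLogin())) {
                         // the login may not belong to a different existing user
                         $someonesId = ilObjUser::_lookupId($this->userObj->getLogin());
                         if (is_numeric($someonesId) && $someonesId != $this->user_id) {
                             $this->logFailure($this->userObj->getLogin(), $lng->txt("usrimport_login_is_not_unique"));
                         }
                     }
                     break;
                 case "Delete":
                     if (!$user_exists) {
                         $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_cant_delete"));
                     }
                     break;
             }
             // init role array for next user
             $this->roles = array();
             break;
         case "Login":
             // a login repeated within the import file is only a warning
             if (array_key_exists($this->cdata, $this->logins)) {
                 $this->logWarning($this->cdata, $lng->txt("usrimport_login_is_not_unique"));
             } else {
                 $this->logins[$this->cdata] = $this->cdata;
             }
             $this->userObj->setLogin($this->cdata);
             break;
         case "Password":
             switch ($this->currPasswordType) {
                 case "ILIAS2":
                     $this->userObj->setPasswd($this->cdata, IL_PASSWD_CRYPT);
                     break;
                 case "ILIAS3":
                     $this->userObj->setPasswd($this->cdata, IL_PASSWD_MD5);
                     break;
                 case "PLAIN":
                     // plain passwords are also handed to the account mail
                     $this->userObj->setPasswd($this->cdata, IL_PASSWD_PLAIN);
                     $this->acc_mail->setUserPassword($this->currPassword);
                     break;
                 default:
                     $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_attribute_value_illegal"), "Type", "Password", $this->currPasswordType));
                     break;
             }
             break;
         case "Firstname":
             $this->userObj->setFirstname($this->cdata);
             break;
         case "Lastname":
             $this->userObj->setLastname($this->cdata);
             break;
         case "Title":
             $this->userObj->setUTitle($this->cdata);
             break;
         case "Gender":
             if ($this->cdata != "m" && $this->cdata != "f") {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "Gender", $this->cdata));
             }
             $this->userObj->setGender($this->cdata);
             break;
         case "Email":
             $this->userObj->setEmail($this->cdata);
             break;
         case "Institution":
             $this->userObj->setInstitution($this->cdata);
             break;
         case "Street":
             $this->userObj->setStreet($this->cdata);
             break;
         case "City":
             $this->userObj->setCity($this->cdata);
             break;
         case "PostalCode":
             $this->userObj->setZipCode($this->cdata);
             break;
         case "Country":
             $this->userObj->setCountry($this->cdata);
             break;
         case "PhoneOffice":
             $this->userObj->setPhoneOffice($this->cdata);
             break;
         case "PhoneHome":
             $this->userObj->setPhoneHome($this->cdata);
             break;
         case "PhoneMobile":
             $this->userObj->setPhoneMobile($this->cdata);
             break;
         case "Fax":
             $this->userObj->setFax($this->cdata);
             break;
         case "Hobby":
             $this->userObj->setHobby($this->cdata);
             break;
         case "Comment":
             $this->userObj->setComment($this->cdata);
             break;
         case "Department":
             $this->userObj->setDepartment($this->cdata);
             break;
         case "Matriculation":
             $this->userObj->setMatriculation($this->cdata);
             break;
         case "ExternalAccount":
             // Fall back to the system auth mode when the user carries none
             $am = $this->userObj->getAuthMode() == "default" || $this->userObj->getAuthMode() == "" ? ilAuthUtils::_getAuthModeName($ilSetting->get('auth_mode')) : $this->userObj->getAuthMode();
             // Login that already owns this external account, "" when none
             $loginForExternalAccount = trim($this->cdata) == "" ? "" : ilObjUser::_checkExternalAuthAccount($am, trim($this->cdata));
             // Only an Update can change the account; initialised here so the
             // check after the switch never reads an undefined variable
             $externalAccountHasChanged = false;
             switch ($this->action) {
                 case "Insert":
                     if ($loginForExternalAccount != "") {
                         $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_no_insert_ext_account_exists") . " (" . $this->cdata . ")");
                     }
                     break;
                 case "Update":
                     if ($loginForExternalAccount != "") {
                         $externalAccountHasChanged = trim($this->cdata) != ilObjUser::_lookupExternalAccount($this->user_id);
                         if ($externalAccountHasChanged && trim($loginForExternalAccount) != trim($this->userObj->getLogin())) {
                             $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_no_update_ext_account_exists") . " (" . $this->cdata . " for " . $loginForExternalAccount . ")");
                         }
                     }
                     break;
             }
             if ($externalAccountHasChanged) {
                 $this->userObj->setExternalAccount(trim($this->cdata));
             }
             break;
         case "Active":
             if ($this->cdata != "true" && $this->cdata != "false") {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "Active", $this->cdata));
             }
             $this->currActive = $this->cdata;
             break;
         case "TimeLimitOwner":
             if (!preg_match("/\\d+/", $this->cdata)) {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "TimeLimitOwner", $this->cdata));
             } elseif (!$ilAccess->checkAccess('cat_administrate_users', '', $this->cdata)) {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "TimeLimitOwner", $this->cdata));
             } elseif ($ilObjDataCache->lookupType($ilObjDataCache->lookupObjId($this->cdata)) != 'cat' && (int) $this->cdata != USER_FOLDER_ID) {
                 // the owner must be a category or the user folder itself
                 // (the former "!(int) $x == USER_FOLDER_ID" negated the cast, not the comparison)
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "TimeLimitOwner", $this->cdata));
             }
             $this->userObj->setTimeLimitOwner($this->cdata);
             break;
         case "TimeLimitUnlimited":
             switch (strtolower($this->cdata)) {
                 case "true":
                 case "1":
                     $this->userObj->setTimeLimitUnlimited(1);
                     break;
                 case "false":
                 case "0":
                     $this->userObj->setTimeLimitUnlimited(0);
                     break;
                 default:
                     $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "TimeLimitUnlimited", $this->cdata));
                     break;
             }
             break;
         case "TimeLimitFrom":
             // Accept datetime or Unix timestamp
             if (strtotime($this->cdata) === false && !is_numeric($this->cdata)) {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "TimeLimitFrom", $this->cdata));
             }
             $this->userObj->setTimeLimitFrom($this->cdata);
             break;
         case "TimeLimitUntil":
             // Accept datetime or Unix timestamp
             if (strtotime($this->cdata) === false && !is_numeric($this->cdata)) {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "TimeLimitUntil", $this->cdata));
             }
             $this->userObj->setTimeLimitUntil($this->cdata);
             break;
         case "TimeLimitMessage":
             switch (strtolower($this->cdata)) {
                 case "1":
                     $this->userObj->setTimeLimitMessage(1);
                     break;
                 case "0":
                     $this->userObj->setTimeLimitMessage(0);
                     break;
                 default:
                     $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "TimeLimitMessage", $this->cdata));
                     break;
             }
             break;
         case "ApproveDate":
             // Accept datetime, Unix timestamp or the zero-date placeholder
             // (the former "!$x == '...'" compared a negated bool with the string)
             if (strtotime($this->cdata) === false && !is_numeric($this->cdata) && $this->cdata != "0000-00-00 00:00:00") {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "ApproveDate", $this->cdata));
             }
             break;
         case "AgreeDate":
             // Accept datetime, Unix timestamp or the zero-date placeholder
             if (strtotime($this->cdata) === false && !is_numeric($this->cdata) && $this->cdata != "0000-00-00 00:00:00") {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "AgreeDate", $this->cdata));
             }
             break;
         case "iLincID":
             if (!preg_match("/\\d+/", $this->cdata)) {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "iLincID", $this->cdata));
             }
             break;
         case "iLincUser":
             if (!preg_match("/\\w+/", $this->cdata)) {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "iLincUser", $this->cdata));
             }
             break;
         case "iLincPasswd":
             if (!preg_match("/\\w+/", $this->cdata)) {
                 $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), "iLincPasswd", $this->cdata));
             }
             break;
         case "Pref":
             if ($this->currentPrefKey != null) {
                 $this->verifyPref($this->currentPrefKey, $this->cdata);
             }
             // reset the key for the next Pref element (was a no-op "==" comparison)
             $this->currentPrefKey = null;
     }
 }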
 /**
  * @see ilAuthContainerBase::loginObserver()
  *
  * Maps the CAS user to an ILIAS login. An existing mapped account is used
  * directly; otherwise, when "cas_create_users" is enabled, a new local user
  * without a usable password is created and assigned the configured default
  * role. Returns false when the CAS client reports no user, when creation
  * is disabled, or when the LDAP data source path is taken and fails.
  *
  * @param string $a_username external user name handed in by the base class
  * @param object $a_auth     auth object: setAuth(), logout(), status
  * @return bool
  */
 public function loginObserver($a_username, $a_auth)
 {
     global $ilias, $rbacadmin, $ilSetting, $ilLog, $PHPCAS_CLIENT;
     $ilLog->write(__METHOD__ . ': Successful CAS login.');
     // Radius with ldap as data source
     include_once './Services/LDAP/classes/class.ilLDAPServer.php';
     if (ilLDAPServer::isDataSourceActive(AUTH_CAS)) {
         return $this->handleLDAPDataSource($a_auth, $a_username);
     }
     include_once "./Services/CAS/lib/CAS.php";
     // The user name is taken from the CAS client, not from $a_username
     if ($PHPCAS_CLIENT->getUser() != "") {
         $username = $PHPCAS_CLIENT->getUser();
         // NOTE(review): the next line is corrupted in this listing (a redacted
         // run of '*'); it presumably logged the user name and included
         // class.ilObjUser.php — restore it from the original source.
         $ilLog->write(__METHOD__ . ': Username: '******'./Services/User/classes/class.ilObjUser.php';
         $local_user = ilObjUser::_checkExternalAuthAccount("cas", $username);
         if ($local_user != "") {
             $a_auth->setAuth($local_user);
         } else {
             if (!$ilSetting->get("cas_create_users")) {
                 $a_auth->status = AUTH_CAS_NO_ILIAS_USER;
                 $a_auth->logout();
                 return false;
             }
             $userObj = new ilObjUser();
             $local_user = ilAuthUtils::_generateLogin($username);
             $newUser["firstname"] = $local_user;
             $newUser["lastname"] = "";
             $newUser["login"] = $local_user;
             // set "plain md5" password (= no valid password)
             $newUser["passwd"] = "";
             $newUser["passwd_type"] = IL_PASSWD_MD5;
             //$newUser["gender"] = "m";
             // auth_mode/ext_account are what _checkExternalAuthAccount("cas", ...) matches next time
             $newUser["auth_mode"] = "cas";
             $newUser["ext_account"] = $username;
             $newUser["profile_incomplete"] = 1;
             // system data
             $userObj->assignData($newUser);
             $userObj->setTitle($userObj->getFullname());
             $userObj->setDescription($userObj->getEmail());
             // set user language to system language
             $userObj->setLanguage($ilSetting->get("language"));
             // Time limit
             $userObj->setTimeLimitOwner(7);
             $userObj->setTimeLimitUnlimited(1);
             $userObj->setTimeLimitFrom(time());
             $userObj->setTimeLimitUntil(time());
             // Create user in DB
             $userObj->setOwner(0);
             $userObj->create();
             $userObj->setActive(1);
             $userObj->updateOwner();
             //insert user data in table user_data
             $userObj->saveAsNew();
             // setup user preferences
             $userObj->writePrefs();
             // to do: test this
             // the default role comes from the CAS settings; the user is created active
             $rbacadmin->assignUser($ilSetting->get('cas_user_default_role'), $userObj->getId(), true);
             unset($userObj);
             $a_auth->setAuth($local_user);
             return true;
         }
     } else {
         $ilLog->write(__METHOD__ . ': Login failed.');
         // This should never occur unless CAS is not configured properly
         $a_auth->status = AUTH_WRONG_LOGIN;
         return false;
     }
     // NOTE(review): reached when an existing mapped account was found; the
     // auth object was set above but false is returned — confirm against
     // the base class contract.
     return false;
 }
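 /**
  * Authenticate the SOAP caller through CAS
  *
  * Runs the request pre-checks (client, user name, DSN, session handler,
  * user agreement, auth object, SOAP enabled), validates the CAS ticket,
  * requires that the ticket's user is exactly the user named in the SOAP
  * request and that this user has a local ILIAS account, then starts the
  * auth session. Every failure path records a message via __setMessage().
  *
  * @return bool true when a session id was established, false otherwise
  */
 function authenticate()
 {
     include_once "./Services/Init/classes/class.ilInitialisation.php";
     $this->init = new ilInitialisation();
     $this->init->requireCommonIncludes();
     // Request sanity: client id and user name are mandatory
     if (!$this->getClient()) {
         $this->__setMessage('No client given');
         return false;
     }
     if (!$this->getUsername()) {
         $this->__setMessage('No username given');
         return false;
     }
     // Read ilias ini
     if (!$this->__buildDSN()) {
         $this->__setMessage('Error building dsn/Wrong client Id?');
         return false;
     }
     if (!$this->__setSessionSaveHandler()) {
         return false;
     }
     // __checkAgreement() records its own message on failure
     if (!$this->__checkAgreement('cas')) {
         return false;
     }
     if (!$this->__buildAuth()) {
         return false;
     }
     if ($this->soap_check && !$this->__checkSOAPEnabled()) {
         $this->__setMessage('SOAP is not enabled in ILIAS administration for this client');
         $this->__setMessageCode('Server');
         return false;
     }
     // check whether authentication is valid
     if (!phpCAS::checkAuthentication()) {
         $this->__setMessage('ilSOAPAuthenticationCAS::authenticate(): No valid CAS authentication.');
         return false;
     }
     $this->auth->forceCASAuth();
     // The user named in the SOAP request must be byte-identical to the user
     // asserted by the CAS ticket. Strict comparison: the former loose "!="
     // would treat differently spelled numeric strings of equal value as the
     // same user.
     if ((string) $this->getUsername() !== (string) $this->auth->getCASUser()) {
         $this->__setMessage('ilSOAPAuthenticationCAS::authenticate(): SOAP CAS user does not match to ticket user.');
         return false;
     }
     include_once './Services/User/classes/class.ilObjUser.php';
     // Resolve the local account from the CAS-asserted user, not from the request
     $local_user = ilObjUser::_checkExternalAuthAccount("cas", $this->auth->getCASUser());
     if ($local_user == "") {
         $this->__setMessage('ilSOAPAuthenticationCAS::authenticate(): SOAP CAS user authenticated but not existing in ILIAS user database.');
         return false;
     }
     $this->auth->start();
     if (!$this->auth->getAuth()) {
         $this->__getAuthStatus();
         return false;
     }
     $this->setSid(session_id());
     return true;
 }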
 /**
  * Read internal account of user
  *
  * Stores in $this->intaccount the local login that is mapped to the
  * current external account under the current auth mode.
  *
  * @throws UnexpectedValueException when no external account is set
  */
 protected function readInternalAccount()
 {
     $external_account = $this->getExternalAccount();
     if (!$external_account) {
         throw new UnexpectedValueException('No external account given.');
     }
     $auth_mode = $this->getAuthMode();
     $this->intaccount = ilObjUser::_checkExternalAuthAccount($auth_mode, $external_account);
 }
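 /**
  * Automatically generates the username/screenname of a Shibboleth user or returns
  * the user's already existing username
  *
  * Resolution order: an account already mapped to the Shibboleth id (auth
  * mode "shibboleth", then "ldap") is returned as is; otherwise a login is
  * derived from the first letter of the first name and the first word of
  * the last name (fallback "shibboleth") and made unique with a number.
  *
  * @access private
  * @return String|null Generated or existing username; null when the request carries no Shibboleth id
  */
 function generateLogin()
 {
     global $ilias, $ilDB;
     // The attribute names are configured; the values are the SP-populated
     // server variables. Missing variables are treated as empty strings.
     $shibID = isset($_SERVER[$ilias->getSetting('shib_login')]) ? $_SERVER[$ilias->getSetting('shib_login')] : '';
     $lastname_attr = isset($_SERVER[$ilias->getSetting('shib_lastname')]) ? $_SERVER[$ilias->getSetting('shib_lastname')] : '';
     $firstname_attr = isset($_SERVER[$ilias->getSetting('shib_firstname')]) ? $_SERVER[$ilias->getSetting('shib_firstname')] : '';
     $lastname = $this->getFirstString($lastname_attr);
     $firstname = $this->getFirstString($firstname_attr);
     if (trim($shibID) == "") {
         return null;
     }
     //***********************************************//
     // For backwards compatibility with previous versions
     // We use the passwd field as mapping attribute for Shibboleth users
     // because they don't need a password
     // Legacy rows that still carry the Shibboleth id in passwd are migrated:
     // the id moves to ext_account and passwd is replaced by the md5 of a
     // freshly generated random password so the column no longer holds a
     // usable value. All values are quoted through $ilDB.
     $ilias->db->query("UPDATE usr_data SET auth_mode='shibboleth', passwd=" . $ilDB->quote(md5(end(ilUtil::generatePasswords(1)))) . ", ext_account=" . $ilDB->quote($shibID) . " WHERE passwd=" . $ilDB->quote($shibID));
     //***********************************************//
     // Let's see if user already is registered
     $local_user = ilObjUser::_checkExternalAuthAccount("shibboleth", $shibID);
     if ($local_user) {
         return $local_user;
     }
     // Let's see if user already is registered but authenticates by ldap
     $local_user = ilObjUser::_checkExternalAuthAccount("ldap", $shibID);
     if ($local_user) {
         return $local_user;
     }
     // User doesn't seem to exist yet
     // Generate new username
     // This can be overruled by the data conversion API but you have
     // to do it yourself in that case
     // Generate the username out of the first character of firstname and the
     // first word in lastname (adding the second one if the login is too short,
     // avoiding meaningless last names like 'von' or 'd' and eliminating
     // non-ASCII-characters, spaces, dashes etc.
     // Split on space, apostrophe, dash and semicolon. The dash is escaped:
     // the former "[ '-;]" was a character range from "'" to ";" that also
     // split on digits and punctuation such as "." and ",".
     $ln_arr = preg_split("/[ '\\-;]/", $lastname);
     $login = substr($this->toAscii($firstname), 0, 1) . "." . $this->toAscii($ln_arr[0]);
     // A very short login gets the second word of the last name, if any
     if (strlen($login) < 6 && isset($ln_arr[1])) {
         $login .= $this->toAscii($ln_arr[1]);
     }
     $prefix = strtolower($login);
     // If the user name didn't contain any ASCII characters, assign the
     // name 'shibboleth' followed by a number, starting with 1.
     if (strlen($prefix) == 0) {
         $prefix = 'shibboleth';
         $number = 1;
     } else {
         // Try if the login name is not already taken
         if (!ilObjUser::getUserIdByLogin($prefix)) {
             return $prefix;
         }
         // If the login name is in use, append a number, starting with 2.
         $number = 2;
     }
     // Append a number, if the username is already taken
     while (ilObjUser::getUserIdByLogin($prefix . $number)) {
         $number++;
     }
     return $prefix . $number;
 }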
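 /**
  * Calls isValidSession of the SOAP server.
  *
  * Checks whether an ILIAS account is already mapped to $a_username (auth mode
  * "soap"), asks the remote server whether the credentials are valid and stores
  * the server's answer, extended by 'local_user', in $this->response. A missing
  * or non-array SOAP response is recorded as valid=false.
  *
  * @return bool true when the server reported a valid session
  * @param string $a_username
  * @param string $a_password
  * @param bool $isChallengeResponse[optional]  not evaluated here
  */
 public function fetchData($a_username, $a_password, $isChallengeResponse = false)
 {
     $GLOBALS['ilLog']->write(__METHOD__ . ': Soap auth fetch data');
     // check whether external user exists in ILIAS database
     $local_user = ilObjUser::_checkExternalAuthAccount("soap", $a_username);
     $new_user = ($local_user == "");
     $soapAction = "";
     $nspref = "";
     if ($this->use_dotnet) {
         // .NET endpoints expect a SOAPAction header and namespace-prefixed parameters
         $soapAction = $this->server_nms . "/isValidSession";
         $nspref = "ns1:";
     }
     $valid = $this->client->call(
         'isValidSession',
         array(
             $nspref . 'ext_uid' => $a_username,
             $nspref . 'soap_pw' => $a_password,
             $nspref . 'new_user' => $new_user,
         ),
         $this->server_nms,
         $soapAction
     );
     // A transport error or SOAP fault does not come back as an array; treat it
     // as "not valid" instead of indexing into a non-array value.
     if (!is_array($valid)) {
         $GLOBALS['ilLog']->write(__METHOD__ . ': No usable SOAP response, treating session as invalid');
         $valid = array('valid' => false);
     }
     // The server answers with a string; "false" is truthy in PHP, so normalise
     // it (and a missing flag) to a real boolean false.
     if (!isset($valid["valid"]) || trim((string) $valid["valid"]) === "false") {
         $valid["valid"] = false;
     }
     $valid["local_user"] = $local_user;
     $this->response = $valid;
     return (bool) $valid['valid'];
 }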
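 /**
  * @see ilAuthContainerBase::loginObserver()
  *
  * Maps the OpenID nickname to an ILIAS account. When no account exists and
  * creation is enabled, the request is either redirected to the account
  * migration screen (migration enabled and creation not forced) or a new user is
  * created from the response data. When creation is disabled the auth status is
  * set to AUTH_OPENID_NO_ILIAS_USER and the auth object is logged out.
  *
  * @param string $a_username
  * @param object $a_auth  auth object providing setAuth(), logout() and status
  * @return bool true when an ILIAS login has been assigned to $a_auth
  */
 public function loginObserver($a_username, $a_auth)
 {
     $GLOBALS['ilLog']->write(__METHOD__ . ': Login observer called for openid');
     $this->initSettings();
     $nickname = $this->response_data['nickname'];
     $this->response_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("openid", $nickname);
     if ($this->response_data['ilInternalAccount']) {
         $GLOBALS['ilLog']->write(__METHOD__ . ': Using old name: ' . $this->response_data['ilInternalAccount']);
         $a_auth->setAuth($this->response_data['ilInternalAccount']);
         return true;
     }
     if (!$this->settings->isCreationEnabled()) {
         // No syncronisation allowed => create Error
         $a_auth->status = AUTH_OPENID_NO_ILIAS_USER;
         $a_auth->logout();
         $GLOBALS['ilLog']->write(__METHOD__ . ': No creation');
         return false;
     }
     $forceCreation = $this->force_creation || !empty($_SESSION['force_creation']);
     if ($this->settings->isAccountMigrationEnabled() && !$forceCreation) {
         // Hand the request over to the account migration screen. Request
         // parameters may be absent, so read them defensively.
         $_SESSION['tmp_auth_mode'] = 'openid';
         $_SESSION['tmp_oid_username'] = isset($_GET['openid_identity']) ? urldecode($_GET['openid_identity']) : null;
         $_SESSION['tmp_oid_provider'] = isset($_POST['oid_provider']) ? $_POST['oid_provider'] : null;
         $_SESSION['tmp_external_account'] = $nickname;
         // The submitted password is kept in clear text in the session until the
         // migration step consumes it; the migration handler is responsible for
         // removing it.
         $_SESSION['tmp_pass'] = isset($_POST['password']) ? $_POST['password'] : null;
         $_SESSION['tmp_roles'] = array(0 => $this->settings->getDefaultRole());
         $GLOBALS['ilLog']->write(__METHOD__ . ': Redirect migration');
         // NOTE(review): ilUtil::redirect() is expected to end the request; if it
         // returned, execution would continue with the creation below — confirm.
         ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmd=showAccountMigration&cmdClass=ilstartupgui');
     }
     include_once './Services/OpenId/classes/class.ilOpenIdAttributeToUser.php';
     $new_user = new ilOpenIdAttributeToUser();
     $new_name = $new_user->create($nickname, $this->response_data);
     $GLOBALS['ilLog']->write(__METHOD__ . ': Create user with name:' . $new_name);
     $a_auth->setAuth($new_name);
     return true;
 }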
 /**
  * Login function
  *
  * Takes the user name reported by phpCAS, resolves the ILIAS account mapped to
  * it (auth mode "cas") and marks the session as authenticated. When no account
  * exists and the setting cas_create_users is enabled, a new user with auth mode
  * "cas", no usable password, an incomplete profile and the role from
  * cas_user_default_role is created first. Without a CAS user the status is set
  * to AUTH_WRONG_LOGIN; without creation permission to AUTH_CAS_NO_ILIAS_USER.
  *
  * @access private
  * @return void
  */
 function login()
 {
     global $rbacadmin, $ilSetting;
     $username = phpCAS::getUser();
     if ($username == "") {
         // This should never occur unless CAS is not configured properly
         $this->status = AUTH_WRONG_LOGIN;
         return;
     }
     // Authorize this user
     include_once './Services/User/classes/class.ilObjUser.php';
     $login = ilObjUser::_checkExternalAuthAccount("cas", $username);
     if ($login == "") {
         if (!$ilSetting->get("cas_create_users")) {
             $this->status = AUTH_CAS_NO_ILIAS_USER;
             $this->logout();
             return;
         }
         $user = new ilObjUser();
         $login = ilAuthUtils::_generateLogin($username);
         $data = array(
             "firstname" => $login,
             "lastname" => "",
             "login" => $login,
             // set "plain md5" password (= no valid password)
             "passwd" => "",
             "passwd_type" => IL_PASSWD_MD5,
             "auth_mode" => "cas",
             "ext_account" => $username,
             "profile_incomplete" => 1,
         );
         // system data
         $user->assignData($data);
         $user->setTitle($user->getFullname());
         $user->setDescription($user->getEmail());
         // set user language to system language
         $user->setLanguage($ilSetting->get("language"));
         // Time limit
         $user->setTimeLimitOwner(7);
         $user->setTimeLimitUnlimited(1);
         $user->setTimeLimitFrom(time());
         $user->setTimeLimitUntil(time());
         // Create user in DB
         $user->setOwner(0);
         $user->create();
         $user->setActive(1);
         $user->updateOwner();
         //insert user data in table user_data
         $user->saveAsNew();
         // setup user preferences
         $user->writePrefs();
         // to do: test this
         $rbacadmin->assignUser($ilSetting->get('cas_user_default_role'), $user->getId(), true);
         unset($user);
     }
     $this->setAuth($login);
 }
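 /**
  * Does input checks and updates a user account if everything is fine.
  *
  * Flow: permission check (user folder or local category administration),
  * required-field checks from the "require_*" settings, login / password /
  * external-account / e-mail validation, time-limit validation against the
  * administrating account, then assignment of the posted data and preferences,
  * the update itself and a redirect back to the calling GUI. Every failed check
  * raises an error through $this->ilias->raiseError().
  *
  * @access	public
  */
 function updateObjectOld()
 {
     // $tpl is needed by the ilUserException branch below; it was not declared
     // before and would have been undefined there.
     global $ilias, $rbacsystem, $ilUser, $tpl;
     include_once './Services/Authentication/classes/class.ilAuthUtils.php';
     //load ILIAS settings
     $settings = $ilias->getAllSettings();
     // User folder
     if ($this->usrf_ref_id == USER_FOLDER_ID and !$rbacsystem->checkAccess('visible,read,write', $this->usrf_ref_id)) {
         $this->ilias->raiseError($this->lng->txt("msg_no_perm_modify_user"), $this->ilias->error_obj->MESSAGE);
     }
     // if called from local administration $this->usrf_ref_id is category id
     // Todo: this has to be fixed. Do not mix user folder id and category id
     if ($this->usrf_ref_id != USER_FOLDER_ID) {
         // check if user is assigned to category
         if (!$rbacsystem->checkAccess('cat_administrate_users', $this->object->getTimeLimitOwner())) {
             $this->ilias->raiseError($this->lng->txt("msg_no_perm_modify_user"), $this->ilias->error_obj->MESSAGE);
         }
     }
     foreach ($_POST["Fobject"] as $key => $val) {
         $_POST["Fobject"][$key] = ilUtil::stripSlashes($val);
     }
     // check dynamically required fields
     // Every setting key is shortened by the "require_" prefix length; keys that
     // do not start with it produce names that the isset() check below ignores.
     $require_keys = array();
     foreach ($settings as $key => $val) {
         $field = substr($key, 8);
         switch ($field) {
             case 'passwd':
             case 'passwd2':
                 if (ilAuthUtils::_allowPasswordModificationByAuthMode(ilAuthUtils::_getAuthMode($_POST['Fobject']['auth_mode']))) {
                     $require_keys[] = $field;
                 }
                 break;
             default:
                 $require_keys[] = $field;
                 break;
         }
     }
     // exclude required system and registration-only fields
     $system_fields = array("default_role");
     foreach ($require_keys as $key => $val) {
         if (!in_array($val, $system_fields, true)) {
             if (isset($settings["require_" . $val]) && $settings["require_" . $val]) {
                 if (empty($_POST["Fobject"][$val])) {
                     $this->ilias->raiseError($this->lng->txt("fill_out_all_required_fields") . ": " . $this->lng->txt($val), $this->ilias->error_obj->MESSAGE);
                 }
             }
         }
     }
     if (!$this->__checkUserDefinedRequiredFields()) {
         $this->ilias->raiseError($this->lng->txt("fill_out_all_required_fields"), $this->ilias->error_obj->MESSAGE);
     }
     // validate login
     if ($this->object->getLogin() != $_POST["Fobject"]["login"] && !ilUtil::isLogin($_POST["Fobject"]["login"])) {
         $this->ilias->raiseError($this->lng->txt("login_invalid"), $this->ilias->error_obj->MESSAGE);
     }
     // check loginname
     if (ilObjUser::_loginExists($_POST["Fobject"]["login"], $this->id)) {
         $this->ilias->raiseError($this->lng->txt("login_exists"), $this->ilias->error_obj->MESSAGE);
     }
     if (ilAuthUtils::_allowPasswordModificationByAuthMode(ilAuthUtils::_getAuthMode($_POST['Fobject']['auth_mode']))) {
         // "********" is the placeholder the form shows for an unchanged password
         if ($_POST['Fobject']['passwd'] == "********" and !strlen($this->object->getPasswd())) {
             $this->ilias->raiseError($this->lng->txt("fill_out_all_required_fields") . ": " . $this->lng->txt('password'), $this->ilias->error_obj->MESSAGE);
         }
         // check passwords
         if ($_POST["Fobject"]["passwd"] != $_POST["Fobject"]["passwd2"]) {
             $this->ilias->raiseError($this->lng->txt("passwd_not_match"), $this->ilias->error_obj->MESSAGE);
         }
         // validate password
         if (!ilUtil::isPassword($_POST["Fobject"]["passwd"])) {
             $this->ilias->raiseError($this->lng->txt("passwd_invalid"), $this->ilias->error_obj->MESSAGE);
         }
     } else {
         // Password will not be changed...
         $_POST['Fobject']['passwd'] = "********";
     }
     if (ilAuthUtils::_needsExternalAccountByAuthMode(ilAuthUtils::_getAuthMode($_POST['Fobject']['auth_mode']))) {
         if (!strlen($_POST['Fobject']['ext_account'])) {
             $this->ilias->raiseError($this->lng->txt('ext_acccount_required'), $this->ilias->error_obj->MESSAGE);
         }
     }
     // An external account may only be mapped to one ILIAS login
     if ($_POST['Fobject']['ext_account'] && ($elogin = ilObjUser::_checkExternalAuthAccount($_POST['Fobject']['auth_mode'], $_POST['Fobject']['ext_account']))) {
         if ($elogin != $this->object->getLogin()) {
             $this->ilias->raiseError(sprintf($this->lng->txt("err_auth_ext_user_exists"), $_POST["Fobject"]["ext_account"], $_POST['Fobject']['auth_mode'], $elogin), $this->ilias->error_obj->MESSAGE);
         }
     }
     // The password type is not passed with the post data.  Therefore we
     // append it here manually.
     include_once './Services/User/classes/class.ilObjUser.php';
     $_POST["Fobject"]["passwd_type"] = IL_PASSWD_PLAIN;
     // validate email
     if (strlen($_POST['Fobject']['email']) and !ilUtil::is_email($_POST["Fobject"]["email"])) {
         $this->ilias->raiseError($this->lng->txt("email_not_valid"), $this->ilias->error_obj->MESSAGE);
     }
     $start = $this->__toUnix($_POST["time_limit"]["from"]);
     $end = $this->__toUnix($_POST["time_limit"]["until"]);
     // validate time limit
     if (!$_POST["time_limit"]["unlimited"] and $start > $end) {
         $this->ilias->raiseError($this->lng->txt("time_limit_not_valid"), $this->ilias->error_obj->MESSAGE);
     }
     if (!$this->ilias->account->getTimeLimitUnlimited()) {
         if ($start < $this->ilias->account->getTimeLimitFrom() or $end > $this->ilias->account->getTimeLimitUntil() or $_POST['time_limit']['unlimited']) {
             // The whole POST array, including the password fields, is kept in
             // the session so the form can be refilled.
             $_SESSION['error_post_vars'] = $_POST;
             ilUtil::sendFailure($this->lng->txt('time_limit_not_within_owners'));
             $this->editObject();
             return false;
         }
     }
     // TODO: check length of login and passwd
     // checks passed. save user
     $_POST['Fobject']['time_limit_owner'] = $this->object->getTimeLimitOwner();
     $_POST['Fobject']['time_limit_unlimited'] = (int) $_POST['time_limit']['unlimited'];
     $_POST['Fobject']['time_limit_from'] = $start;
     $_POST['Fobject']['time_limit_until'] = $end;
     // A changed time limit resets the "message shown" flag
     if ($_POST['Fobject']['time_limit_unlimited'] != $this->object->getTimeLimitUnlimited() or $_POST['Fobject']['time_limit_from'] != $this->object->getTimeLimitFrom() or $_POST['Fobject']['time_limit_until'] != $this->object->getTimeLimitUntil()) {
         $_POST['Fobject']['time_limit_message'] = 0;
     } else {
         $_POST['Fobject']['time_limit_message'] = $this->object->getTimeLimitMessage();
     }
     $this->object->assignData($_POST["Fobject"]);
     $this->object->setUserDefinedData($_POST['udf']);
     try {
         $this->object->updateLogin($_POST['Fobject']['login']);
     } catch (ilUserException $e) {
         ilUtil::sendFailure($e->getMessage());
         $this->form_gui->setValuesByPost();
         return $tpl->setContent($this->form_gui->getHtml());
     }
     $this->object->setTitle($this->object->getFullname());
     $this->object->setDescription($this->object->getEmail());
     $this->object->setLanguage($_POST["Fobject"]["language"]);
     //set user skin and style
     $sknst = explode(":", $_POST["Fobject"]["skin_style"]);
     if ($this->object->getPref("style") != $sknst[1] || $this->object->getPref("skin") != $sknst[0]) {
         $this->object->setPref("skin", $sknst[0]);
         $this->object->setPref("style", $sknst[1]);
     }
     // set hits per pages
     $this->object->setPref("hits_per_page", $_POST["Fobject"]["hits_per_page"]);
     // set show users online
     $this->object->setPref("show_users_online", $_POST["Fobject"]["show_users_online"]);
     // set hide_own_online_status
     if ($_POST["Fobject"]["hide_own_online_status"]) {
         $this->object->setPref("hide_own_online_status", $_POST["Fobject"]["hide_own_online_status"]);
     } else {
         $this->object->setPref("hide_own_online_status", "n");
     }
     $this->update = $this->object->update();
     // BEGIN DiskQuota: Remember the state of the "send info mail" checkbox
     $ilUser->setPref('send_info_mails', $_POST['send_mail'] == 'y' ? 'y' : 'n');
     $ilUser->writePrefs();
     // END DiskQuota: Remember the state of the "send info mail" checkbox
     $mail_message = $this->__sendProfileMail();
     $msg = $this->lng->txt('saved_successfully') . $mail_message;
     // feedback
     ilUtil::sendSuccess($msg, true);
     if (strtolower($_GET["baseClass"]) == 'iladministrationgui') {
         $this->ctrl->redirectByClass("ilobjuserfoldergui", "view");
     } else {
         $this->ctrl->redirectByClass('ilobjcategorygui', 'listUsers');
     }
 }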