/**
 * Check whether the ILIAS account behind an external (apache) account needs an update.
 *
 * An update is required when no internal account is mapped to the external
 * name yet, or when either the LDAP attribute mapping or the LDAP role
 * assignment rules report that they have rules to apply on login.
 *
 * @param string $a_username external account name
 * @return bool
 */
protected function updateRequired($a_username)
{
    // No mapped ILIAS account at all: an update (creation) is always needed.
    $has_internal_account = (bool) ilObjUser::_checkExternalAuthAccount("apache", $a_username);
    if (!$has_internal_account) {
        return true;
    }

    include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
    include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';

    $server_id = $this->server->getServerId();

    // Attribute mapping rules are checked first; role assignment rules only
    // when the mapping did not already decide the question.
    return ilLDAPAttributeMapping::hasRulesForUpdate($server_id)
        || ilLDAPRoleAssignmentRule::hasRulesForUpdate();
}
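/**
 * Check whether the user behind the given auth mode has accepted the user agreement.
 *
 * Side effect: (re)creates the global ilSetting instance that the
 * ilObjUser lookups below rely on.
 *
 * Fix: the failure message read "no accepted"; unused `global $ilDB` dropped.
 *
 * @access protected
 * @param string $a_auth_mode auth mode used to resolve the external account (local, ldap or cas)
 * @return bool true if the user is unknown (nothing to check yet) or has accepted the
 *              agreement; false otherwise, with a message set via __setMessage()
 */
protected function __checkAgreement($a_auth_mode)
{
    include_once './Services/User/classes/class.ilObjUser.php';
    include_once './Services/Administration/classes/class.ilSetting.php';

    $GLOBALS['ilSetting'] = new ilSetting();

    $login = ilObjUser::_checkExternalAuthAccount($a_auth_mode, $this->getUsername());
    if (!$login) {
        // User does not exist: there is no agreement state to check.
        return true;
    }

    if (!ilObjUser::_hasAcceptedAgreement($login)) {
        $this->__setMessage('User agreement not accepted.');
        return false;
    }

    return true;
}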
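/**
 * Refresh the course/group member assignments for one ECS course member record.
 *
 * Two passes over the locally stored assignments:
 *  1. users that are no longer listed in $assigned are removed from the
 *     participants object and their assignment record is deleted;
 *  2. users listed in $assigned are updated when already assigned, otherwise
 *     added to the participants object (or created via createMember() when the
 *     role mapping allows it) and a new assignment record is stored.
 *
 * Fix: the user id list is cast to an array once, so in_array() below can no
 * longer receive a non-array (the original only cast inside the first foreach).
 * The auth mode and the object title are resolved once instead of per user.
 *
 * @param object $course_member ECS course member record; only ->lectureID is read
 * @param int    $obj_id        ILIAS object id of the course ('crs') or group
 * @param mixed  $sub_id        CMS sub id, passed through to the assignment lookups
 * @param array  $assigned      external person id => person data (['role' => ...])
 * @return bool always true
 */
protected function refreshAssignmentStatus($course_member, $obj_id, $sub_id, $assigned)
{
    include_once './Services/WebServices/ECS/classes/Course/class.ilECSCourseMemberAssignment.php';

    // Courses and groups expose the same participant API from different classes.
    if (ilObject::_lookupType($obj_id) == 'crs') {
        include_once './Modules/Course/classes/class.ilCourseParticipants.php';
        $part = ilCourseParticipants::_getInstanceByObjId($obj_id);
    } else {
        include_once './Modules/Group/classes/class.ilGroupParticipants.php';
        $part = ilGroupParticipants::_getInstanceByObjId($obj_id);
    }

    $course_id = (int) $course_member->lectureID;
    $obj_title = ilObject::_lookupTitle($obj_id);
    $auth_mode = ilECSSetting::lookupAuthMode();

    $usr_ids = (array) ilECSCourseMemberAssignment::lookupUserIds($course_id, $sub_id, $obj_id);

    // Pass 1: remove members that were deleted on the remote side.
    foreach ($usr_ids as $usr_id) {
        if (isset($assigned[$usr_id])) {
            continue;
        }
        $ass = ilECSCourseMemberAssignment::lookupAssignment($course_id, $sub_id, $obj_id, $usr_id);
        if (!($ass instanceof ilECSCourseMemberAssignment)) {
            continue;
        }
        $acc = ilObjUser::_checkExternalAuthAccount($auth_mode, (string) $usr_id);
        $il_usr_id = ilObjUser::_lookupId($acc);
        if ($il_usr_id) {
            // this removes also admin, tutor roles
            $part->delete($il_usr_id);
            $GLOBALS['ilLog']->write(__METHOD__ . ': Deassigning user ' . $usr_id . ' ' . 'from course ' . $obj_title);
        } else {
            $GLOBALS['ilLog']->write(__METHOD__ . ': Deassigning unknown ILIAS user ' . $usr_id . ' ' . 'from course ' . $obj_title);
        }
        $ass->delete();
    }

    // Pass 2: update existing members, add or create new ones.
    foreach ((array) $assigned as $person_id => $person) {
        $role = $this->lookupRole($person['role']);
        $role_info = ilECSMappingUtils::getRoleMappingInfo($role);
        $acc = ilObjUser::_checkExternalAuthAccount($auth_mode, (string) $person_id);
        $GLOBALS['ilLog']->write(__METHOD__ . ': Handling user ' . (string) $person_id);

        // Loose comparison on purpose: $person_id comes from array keys (int for
        // numeric ids) while lookupUserIds() may hand back strings.
        if (in_array($person_id, $usr_ids)) {
            $il_usr_id = ilObjUser::_lookupId($acc);
            if ($il_usr_id) {
                $GLOBALS['ilLog']->write(__METHOD__ . ': ' . print_r($role, true));
                $part->updateRoleAssignments($il_usr_id, array($role));
            }
            // Otherwise nothing to do: the user is a member or was deleted locally.
            continue;
        }

        $il_usr_id = ilObjUser::_lookupId($acc);
        if ($il_usr_id) {
            if ($role) {
                $GLOBALS['ilLog']->write(__METHOD__ . ': Assigning new user ' . $person_id . ' ' . 'to ' . $obj_title);
                $part->add($il_usr_id, $role);
            }
        } elseif ($role_info['create']) {
            // Unknown ILIAS user and the role mapping permits account creation.
            $this->createMember($person_id);
            $GLOBALS['ilLog']->write(__METHOD__ . ': Added new user ' . $person_id);
        }

        $assignment = new ilECSCourseMemberAssignment();
        $assignment->setServer($this->getServer()->getServerId());
        $assignment->setMid($this->mid);
        $assignment->setCmsId($course_id);
        $assignment->setCmsSubId($sub_id);
        $assignment->setObjId($obj_id);
        $assignment->setUid($person_id);
        $assignment->save();
    }

    return true;
}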
/**
 * Called from base class after successful login
 *
 * Binds the auth object to the ILIAS login mapped to the RADIUS account. When
 * no mapping exists, the account is either provisioned from the RADIUS
 * attributes, routed through the account migration screen, or rejected,
 * depending on the RADIUS settings.
 *
 * @param string $a_username RADIUS user name
 * @param object $a_auth     auth object (setAuth()/logout()/status)
 * @return bool true when a local login was bound, false when the login was rejected
 */
public function loginObserver($a_username, $a_auth)
{
    // Radius with ldap as data source
    include_once './Services/LDAP/classes/class.ilLDAPServer.php';
    if (ilLDAPServer::isDataSourceActive(AUTH_RADIUS)) {
        return $this->handleLDAPDataSource($a_auth, $a_username);
    }

    $user_data = array_change_key_case($a_auth->getAuthData(), CASE_LOWER);
    $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("radius", $a_username);
    $internal_account = $user_data['ilInternalAccount'];

    // Known account: just bind the session to the mapped ILIAS login.
    if ($internal_account) {
        $a_auth->setAuth($internal_account);
        return true;
    }

    // Unknown account and no provisioning allowed: reject the login.
    if (!$this->radius_settings->enabledCreation()) {
        // No syncronisation allowed => create Error
        $a_auth->status = AUTH_RADIUS_NO_ILIAS_USER;
        $a_auth->logout();
        return false;
    }

    // Account migration: hand over to the migration screen instead of creating.
    if ($this->radius_settings->isAccountMigrationEnabled() and !$this->force_creation) {
        $a_auth->logout();
        $_SESSION['tmp_auth_mode'] = 'radius';
        $_SESSION['tmp_external_account'] = $a_username;
        // NOTE(review): the clear-text password from the login form is parked
        // in the session for the migration screen; presumably cleared by that
        // flow — verify, as it widens the exposure of the credential.
        $_SESSION['tmp_pass'] = $_POST['password'];
        $_SESSION['tmp_roles'] = array(0 => $this->radius_settings->getDefaultRole());
        // the redirect is expected to end the request here
        ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmd=showAccountMigration&cmdClass=ilstartupgui');
    }

    // Provision a new ILIAS account from the RADIUS attributes.
    $this->initRADIUSAttributeToUser();
    $new_name = $this->radius_user->create($a_username);
    $a_auth->setAuth($new_name);
    return true;
}
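/**
 * Read the LDAP entry of one user and cache it in $this->users.
 *
 * Two lookup strategies:
 *  - when group members are stored as DNs and $a_check_dn is set, $a_name is
 *    treated as the DN and read with a base-scope query;
 *  - otherwise $a_name is the value of the configured user attribute and is
 *    searched below "<search base>,<base dn>" with the configured user scope.
 *
 * On success the entry is stored under its user attribute value, extended by
 * 'ilInternalAccount' (the mapped ILIAS login as returned by
 * ilObjUser::_checkExternalAuthAccount()).
 *
 * Fixes: $a_name is escaped before it is embedded in the search filter, so a
 * login containing filter metacharacters (e.g. "*" or ")") can no longer alter
 * the query; the "account disabled" path now returns false like the "not
 * found" path instead of an implicit null.
 *
 * @param string $a_name                 user DN or user attribute value (typically the login typed by the user)
 * @param bool   $a_check_dn             treat $a_name as DN when group members are DNs
 * @param bool   $a_try_group_user_filter use the group user filter when membership is optional
 * @return bool false if no entry was found or the account is disabled, true otherwise
 * @access private
 */
private function readUserData($a_name, $a_check_dn = true, $a_try_group_user_filter = false)
{
    $filter = $this->settings->getFilter();
    if ($a_try_group_user_filter && $this->settings->isMembershipOptional()) {
        $filter = $this->settings->getGroupUserFilter();
    }

    // useraccountcontrol is requested on top of the mapped fields so that
    // disabled accounts can be detected below.
    $fields = array_merge($this->user_fields, array('useraccountcontrol'));

    if ($this->settings->enabledGroupMemberIsDN() and $a_check_dn) {
        // $a_name is a DN: read exactly that entry.
        $dn = $a_name;
        $res = $this->queryByScope(IL_LDAP_SCOPE_BASE, strtolower($dn), $filter, $fields);
    } else {
        // $a_name goes into the filter as an attribute value: escape it.
        $filter = sprintf(
            '(&(%s=%s)%s)',
            $this->settings->getUserAttribute(),
            $this->escapeLdapFilterValue($a_name),
            $filter
        );
        // Build search base, tolerating a search base with or without trailing comma.
        if (($dn = $this->settings->getSearchBase()) && substr($dn, -1) != ',') {
            $dn .= ',';
        }
        $dn .= $this->settings->getBaseDN();
        $res = $this->queryByScope($this->settings->getUserScope(), strtolower($dn), $filter, $fields);
    }

    $tmp_result = new ilLDAPResult($this->lh, $res);
    if (!$tmp_result->numRows()) {
        $this->log->write('LDAP: No user data found for: ' . $a_name);
        unset($tmp_result);
        return false;
    }

    if ($user_data = $tmp_result->get()) {
        // Bit 0x2 of userAccountControl marks a disabled account.
        if (isset($user_data['useraccountcontrol']) && ($user_data['useraccountcontrol'] & 0x2)) {
            $this->log->write(__METHOD__ . ': ' . $a_name . ' account disabled.');
            return false;
        }
        $user_ext = $user_data[strtolower($this->settings->getUserAttribute())];
        // auth mode depends on ldap server settings
        $auth_mode = $this->parseAuthMode();
        $user_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount($auth_mode, $user_ext);
        $this->users[$user_ext] = $user_data;
    }
    return true;
}

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 *
 * Uses ldap_escape() where available and otherwise replaces the five
 * characters that are significant in a filter by hand.
 *
 * @param string $value raw attribute value
 * @return string escaped value
 */
private function escapeLdapFilterValue($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}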
/**
 * Auth and email related methods
 *
 * Creates a user "aatestuser2", exercises the ilObjUser static helpers around
 * email lookup, auth mode and external accounts against it, and records each
 * passed check in $value. Some calls (login attempt counters,
 * _setUserInactive, ...) are executed for coverage only and not asserted.
 * The user is deleted again at the end.
 *
 * @group IL_Init
 */
public function testAuthAndEmailMethods()
{
    include_once "./Services/User/classes/class.ilObjUser.php";

    $value = "";

    // creation
    $user = new ilObjUser();
    $d = array("login" => "aatestuser2", "passwd_type" => IL_PASSWD_PLAIN, "passwd" => "password", "gender" => "f", "firstname" => "Heidi", "lastname" => "Kabel", "email" => "*****@*****.**", "ext_account" => "ext_");
    $user->assignData($d);
    $user->setActive(true);
    $user->create();
    $user->saveAsNew();
    $user->setLanguage("de");
    $user->writePrefs();
    $id = $user->getId();

    // override the external account / auth mode set via assignData()
    ilObjUser::_writeExternalAccount($id, "ext_kabel");
    ilObjUser::_writeAuthMode($id, "cas");

    $ids = ilObjUser::_getUserIdsByEmail("*****@*****.**");
    //var_dump($ids);
    // NOTE(review): compares the first returned entry with the login, not the
    // numeric id; presumably _getUserIdsByEmail() returns logins — verify.
    if (is_array($ids) && count($ids) == 1 && $ids[0] == "aatestuser2") {
        $value .= "email1-";
    }

    $uid = ilObjUser::getUserIdByEmail("*****@*****.**");
    if ($uid == $id) {
        $value .= "email2-";
    }

    // external accounts for auth mode "cas" are keyed by user id
    $acc = ilObjUser::_getExternalAccountsByAuthMode("cas");
    foreach ($acc as $k => $v) {
        if ($k == $id && $v == "ext_kabel") {
            $value .= "auth1-";
        }
    }

    if (ilObjUser::_lookupAuthMode($id) == "cas") {
        $value .= "auth2-";
    }

    // reverse lookup: external account + auth mode -> login
    if (ilObjUser::_checkExternalAuthAccount("cas", "ext_kabel") == "aatestuser2") {
        $value .= "auth3-";
    }

    if (ilObjUser::_externalAccountExists("ext_kabel", "cas")) {
        $value .= "auth4-";
    }

    // coverage only: results are not checked
    ilObjUser::_getNumberOfUsersPerAuthMode();
    $la = ilObjUser::_getLocalAccountsForEmail("*****@*****.**");
    ilObjUser::_incrementLoginAttempts($id);
    ilObjUser::_getLoginAttempts($id);
    ilObjUser::_resetLoginAttempts($id);
    ilObjUser::_setUserInactive($id);

    // deletion
    $user->delete();

    $this->assertEquals("email1-email2-auth1-auth2-auth3-auth4-", $value);
}
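/**
 * Handler for the end of an element when the parser runs in verify mode.
 *
 * Nothing is written to the database here: element content is copied into
 * $this->userObj and validated, and problems are reported through
 * logWarning()/logFailure(). The action ("Insert", "Update", "Delete") and the
 * current role/password context are set by the start-tag handler.
 *
 * Fixes compared to the previous version:
 *  - the numeric checks for "TimeLimitOwner" and "iLincID" are anchored, so
 *    "12abc" no longer passes as a number;
 *  - the TimeLimitOwner folder check and the "0000-00-00 00:00:00" exceptions
 *    for ApproveDate/AgreeDate negated the operand instead of comparing it;
 *  - $externalAccountHasChanged is initialised, so it is no longer read
 *    undefined on "Insert" or when no account matched;
 *  - the Pref key is actually reset (it was `== null`, a no-op comparison).
 *
 * @param resource $a_xml_parser XML parser handle (unused)
 * @param string   $a_name       element name
 */
function verifyEndTag($a_xml_parser, $a_name)
{
    global $lng, $ilAccess, $ilSetting, $ilObjDataCache;

    // Elements whose content is copied verbatim into one setter of the user object.
    static $plain_setters = array(
        "Firstname" => "setFirstname",
        "Lastname" => "setLastname",
        "Title" => "setUTitle",
        "Email" => "setEmail",
        "Institution" => "setInstitution",
        "Street" => "setStreet",
        "City" => "setCity",
        "PostalCode" => "setZipCode",
        "Country" => "setCountry",
        "PhoneOffice" => "setPhoneOffice",
        "PhoneHome" => "setPhoneHome",
        "PhoneMobile" => "setPhoneMobile",
        "Fax" => "setFax",
        "Hobby" => "setHobby",
        "Comment" => "setComment",
        "Department" => "setDepartment",
        "Matriculation" => "setMatriculation",
    );
    if (isset($plain_setters[$a_name])) {
        $this->userObj->{$plain_setters[$a_name]}($this->cdata);
        return;
    }

    switch ($a_name) {
        case "Role":
            $this->roles[$this->current_role_id]["name"] = $this->cdata;
            $this->roles[$this->current_role_id]["type"] = $this->current_role_type;
            $this->roles[$this->current_role_id]["action"] = $this->current_role_action;
            break;

        case "User":
            $this->verifyUserEnd();
            // init role array for next user
            $this->roles = array();
            break;

        case "Login":
            if (array_key_exists($this->cdata, $this->logins)) {
                $this->logWarning($this->cdata, $lng->txt("usrimport_login_is_not_unique"));
            } else {
                $this->logins[$this->cdata] = $this->cdata;
            }
            $this->userObj->setLogin($this->cdata);
            break;

        case "Password":
            switch ($this->currPasswordType) {
                case "ILIAS2":
                    $this->userObj->setPasswd($this->cdata, IL_PASSWD_CRYPT);
                    break;
                case "ILIAS3":
                    $this->userObj->setPasswd($this->cdata, IL_PASSWD_MD5);
                    break;
                case "PLAIN":
                    $this->userObj->setPasswd($this->cdata, IL_PASSWD_PLAIN);
                    // the plain password also goes into the account mail
                    $this->acc_mail->setUserPassword($this->currPassword);
                    break;
                default:
                    $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_attribute_value_illegal"), "Type", "Password", $this->currPasswordType));
                    break;
            }
            break;

        case "Gender":
            if ($this->cdata != "m" && $this->cdata != "f") {
                $this->verifyLogIllegalContent("Gender");
            }
            $this->userObj->setGender($this->cdata);
            break;

        case "ExternalAccount":
            // "default"/empty auth mode resolves to the system-wide one before the lookup.
            $am = $this->userObj->getAuthMode() == "default" || $this->userObj->getAuthMode() == ""
                ? ilAuthUtils::_getAuthModeName($ilSetting->get('auth_mode'))
                : $this->userObj->getAuthMode();
            $ext_account = trim($this->cdata);
            $loginForExternalAccount = $ext_account == "" ? "" : ilObjUser::_checkExternalAuthAccount($am, $ext_account);
            $externalAccountHasChanged = false;
            switch ($this->action) {
                case "Insert":
                    if ($loginForExternalAccount != "") {
                        $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_no_insert_ext_account_exists") . " (" . $this->cdata . ")");
                    }
                    break;
                case "Update":
                    if ($loginForExternalAccount != "") {
                        $externalAccountHasChanged = $ext_account != ilObjUser::_lookupExternalAccount($this->user_id);
                        // the external account may only move to a different login if it is not taken
                        if ($externalAccountHasChanged && trim($loginForExternalAccount) != trim($this->userObj->getLogin())) {
                            $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_no_update_ext_account_exists") . " (" . $this->cdata . " for " . $loginForExternalAccount . ")");
                        }
                    }
                    break;
            }
            if ($externalAccountHasChanged) {
                $this->userObj->setExternalAccount($ext_account);
            }
            break;

        case "Active":
            if ($this->cdata != "true" && $this->cdata != "false") {
                $this->verifyLogIllegalContent("Active");
            }
            $this->currActive = $this->cdata;
            break;

        case "TimeLimitOwner":
            if (!preg_match('/^\d+$/', $this->cdata)) {
                $this->verifyLogIllegalContent("TimeLimitOwner");
            } elseif (!$ilAccess->checkAccess('cat_administrate_users', '', $this->cdata)) {
                // the importing user must be allowed to administrate users in that owner
                $this->verifyLogIllegalContent("TimeLimitOwner");
            } elseif ($ilObjDataCache->lookupType($ilObjDataCache->lookupObjId($this->cdata)) != 'cat' && (int) $this->cdata != USER_FOLDER_ID) {
                // only categories or the user folder may own a time limit
                $this->verifyLogIllegalContent("TimeLimitOwner");
            }
            $this->userObj->setTimeLimitOwner($this->cdata);
            break;

        case "TimeLimitUnlimited":
            switch (strtolower($this->cdata)) {
                case "true":
                case "1":
                    $this->userObj->setTimeLimitUnlimited(1);
                    break;
                case "false":
                case "0":
                    $this->userObj->setTimeLimitUnlimited(0);
                    break;
                default:
                    $this->verifyLogIllegalContent("TimeLimitUnlimited");
                    break;
            }
            break;

        case "TimeLimitFrom":
            // Accept datetime or Unix timestamp
            if (strtotime($this->cdata) === false && !is_numeric($this->cdata)) {
                $this->verifyLogIllegalContent("TimeLimitFrom");
            }
            $this->userObj->setTimeLimitFrom($this->cdata);
            break;

        case "TimeLimitUntil":
            // Accept datetime or Unix timestamp
            if (strtotime($this->cdata) === false && !is_numeric($this->cdata)) {
                $this->verifyLogIllegalContent("TimeLimitUntil");
            }
            $this->userObj->setTimeLimitUntil($this->cdata);
            break;

        case "TimeLimitMessage":
            switch (strtolower($this->cdata)) {
                case "1":
                    $this->userObj->setTimeLimitMessage(1);
                    break;
                case "0":
                    $this->userObj->setTimeLimitMessage(0);
                    break;
                default:
                    $this->verifyLogIllegalContent("TimeLimitMessage");
                    break;
            }
            break;

        case "ApproveDate":
            // Accept datetime, Unix timestamp or the "not set" marker
            if (strtotime($this->cdata) === false && !is_numeric($this->cdata) && $this->cdata != "0000-00-00 00:00:00") {
                $this->verifyLogIllegalContent("ApproveDate");
            }
            break;

        case "AgreeDate":
            // Accept datetime, Unix timestamp or the "not set" marker
            if (strtotime($this->cdata) === false && !is_numeric($this->cdata) && $this->cdata != "0000-00-00 00:00:00") {
                $this->verifyLogIllegalContent("AgreeDate");
            }
            break;

        case "iLincID":
            if (!preg_match('/^\d+$/', $this->cdata)) {
                $this->verifyLogIllegalContent("iLincID");
            }
            break;

        case "iLincUser":
            // unanchored on purpose (unchanged): any word character anywhere passes
            if (!preg_match("/\\w+/", $this->cdata)) {
                $this->verifyLogIllegalContent("iLincUser");
            }
            break;

        case "iLincPasswd":
            if (!preg_match("/\\w+/", $this->cdata)) {
                $this->verifyLogIllegalContent("iLincPasswd");
            }
            break;

        case "Pref":
            if ($this->currentPrefKey != null) {
                $this->verifyPref($this->currentPrefKey, $this->cdata);
            }
            $this->currentPrefKey = null;
            break;
    }
}

/**
 * Validation run at the end of a "User" element in verify mode: checks the
 * elements that are mandatory for the current action and login uniqueness.
 */
private function verifyUserEnd()
{
    global $lng;

    $this->userObj->setFullname();

    if ($this->user_id != -1 && $this->action == "Update") {
        $user_exists = !is_null(ilObjUser::_lookupLogin($this->user_id));
    } else {
        $user_exists = ilObjUser::getUserIdByLogin($this->userObj->getLogin()) != 0;
    }

    if (is_null($this->userObj->getLogin())) {
        // no login to attribute the failure to, hence the placeholder
        $this->logFailure("---", sprintf($lng->txt("usrimport_xml_element_for_action_required"), "Login", "Insert"));
    }

    switch ($this->action) {
        case "Insert":
            if ($user_exists and $this->conflict_rule == IL_FAIL_ON_CONFLICT) {
                $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_cant_insert"));
            }
            if (is_null($this->userObj->getGender()) && $this->isFieldRequired("gender")) {
                $this->verifyLogRequiredElement("Gender", "Insert");
            }
            if (is_null($this->userObj->getFirstname())) {
                $this->verifyLogRequiredElement("Firstname", "Insert");
            }
            if (is_null($this->userObj->getLastname())) {
                $this->verifyLogRequiredElement("Lastname", "Insert");
            }
            if (count($this->roles) == 0) {
                $this->verifyLogRequiredElement("Role", "Insert");
            } else {
                // at least one of the roles must be a global one
                $has_global_role = false;
                foreach ($this->roles as $role) {
                    if ($role['type'] == 'Global') {
                        $has_global_role = true;
                        break;
                    }
                }
                if (!$has_global_role) {
                    $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_global_role_for_action_required"), "Insert"));
                }
            }
            break;

        case "Update":
            if (!$user_exists) {
                $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_cant_update"));
            } elseif ($this->user_id != -1 && !is_null($this->userObj->getLogin())) {
                // the login given for this id must not belong to another user
                $someonesId = ilObjUser::_lookupId($this->userObj->getLogin());
                if (is_numeric($someonesId) && $someonesId != $this->user_id) {
                    $this->logFailure($this->userObj->getLogin(), $lng->txt("usrimport_login_is_not_unique"));
                }
            }
            break;

        case "Delete":
            if (!$user_exists) {
                $this->logWarning($this->userObj->getLogin(), $lng->txt("usrimport_cant_delete"));
            }
            break;
    }
}

/**
 * Log an "illegal element content" failure for the current user.
 *
 * @param string $element element name as shown in the message
 */
private function verifyLogIllegalContent($element)
{
    global $lng;
    $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_content_illegal"), $element, $this->cdata));
}

/**
 * Log a "element required for action" failure for the current user.
 *
 * @param string $element element name as shown in the message
 * @param string $action  action name as shown in the message
 */
private function verifyLogRequiredElement($element, $action)
{
    global $lng;
    $this->logFailure($this->userObj->getLogin(), sprintf($lng->txt("usrimport_xml_element_for_action_required"), $element, $action));
}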
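/**
 * @see ilAuthContainerBase::loginObserver()
 *
 * Called after phpCAS validated the ticket. Maps the CAS user to an ILIAS
 * account, creating one when "cas_create_users" is enabled, and binds the
 * auth object to that login.
 *
 * Fix: an already mapped account previously fell through to the final
 * `return false` after setAuth(); it now returns true, consistent with the
 * RADIUS and OpenID observers.
 *
 * @param string $a_username username as passed by the base class (only used for the LDAP data source path)
 * @param object $a_auth     auth object (setAuth()/logout()/status)
 * @return bool true when a local login was bound, false when the login was rejected
 */
public function loginObserver($a_username, $a_auth)
{
    global $rbacadmin, $ilSetting, $ilLog, $PHPCAS_CLIENT;

    $ilLog->write(__METHOD__ . ': Successful CAS login.');

    // LDAP as data source for CAS users
    include_once './Services/LDAP/classes/class.ilLDAPServer.php';
    if (ilLDAPServer::isDataSourceActive(AUTH_CAS)) {
        return $this->handleLDAPDataSource($a_auth, $a_username);
    }

    include_once "./Services/CAS/lib/CAS.php";
    $username = $PHPCAS_CLIENT->getUser();
    if ($username == "") {
        $ilLog->write(__METHOD__ . ': Login failed.');
        // This should never occur unless CAS is not configured properly
        $a_auth->status = AUTH_WRONG_LOGIN;
        return false;
    }
    // NOTE(review): this log line was garbled in the reviewed source and has been reconstructed.
    $ilLog->write(__METHOD__ . ': Username: ' . $username);

    include_once './Services/User/classes/class.ilObjUser.php';
    $local_user = ilObjUser::_checkExternalAuthAccount("cas", $username);

    if ($local_user == "") {
        if (!$ilSetting->get("cas_create_users")) {
            $a_auth->status = AUTH_CAS_NO_ILIAS_USER;
            $a_auth->logout();
            return false;
        }
        $local_user = $this->createCasUser($username, $ilSetting, $rbacadmin);
    }

    $a_auth->setAuth($local_user);
    return true;
}

/**
 * Create a local ILIAS account for a CAS user that has none yet.
 *
 * The account gets a generated login, no usable password (empty MD5 hash),
 * auth mode "cas", the CAS user as external account, the system language,
 * an unlimited time limit and the configured default role.
 *
 * @param string $username  CAS user name
 * @param object $ilSetting global settings object
 * @param object $rbacadmin RBAC admin object
 * @return string login of the created account
 */
private function createCasUser($username, $ilSetting, $rbacadmin)
{
    $userObj = new ilObjUser();
    $local_user = ilAuthUtils::_generateLogin($username);

    $newUser = array();
    $newUser["firstname"] = $local_user;
    $newUser["lastname"] = "";
    $newUser["login"] = $local_user;
    // set "plain md5" password (= no valid password)
    $newUser["passwd"] = "";
    $newUser["passwd_type"] = IL_PASSWD_MD5;
    $newUser["auth_mode"] = "cas";
    $newUser["ext_account"] = $username;
    $newUser["profile_incomplete"] = 1;

    // system data
    $userObj->assignData($newUser);
    $userObj->setTitle($userObj->getFullname());
    $userObj->setDescription($userObj->getEmail());

    // set user language to system language
    $userObj->setLanguage($ilSetting->get("language"));

    // Time limit (owner 7: presumably the user folder — verify against USER_FOLDER_ID)
    $userObj->setTimeLimitOwner(7);
    $userObj->setTimeLimitUnlimited(1);
    $userObj->setTimeLimitFrom(time());
    $userObj->setTimeLimitUntil(time());

    // Create user in DB
    $userObj->setOwner(0);
    $userObj->create();
    $userObj->setActive(1);
    $userObj->updateOwner();

    //insert user data in table user_data
    $userObj->saveAsNew();

    // setup user preferences
    $userObj->writePrefs();

    // to do: test this
    $rbacadmin->assignUser($ilSetting->get('cas_user_default_role'), $userObj->getId(), true);
    unset($userObj);

    return $local_user;
}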
/**
 * Authenticate a SOAP request through CAS.
 *
 * Runs the generic SOAP preconditions (client, username, DSN, session
 * handler, user agreement, auth object, SOAP enabled), then requires a valid
 * CAS authentication whose CAS user matches the requested username and maps
 * to an existing ILIAS account. On success the auth session is started and
 * its id is stored via setSid().
 *
 * @return bool true on success; false with a message set via __setMessage() otherwise
 */
function authenticate()
{
    include_once "./Services/Init/classes/class.ilInitialisation.php";
    $this->init = new ilInitialisation();
    $this->init->requireCommonIncludes();

    // --- generic SOAP preconditions ---------------------------------------
    if (!$this->getClient()) {
        $this->__setMessage('No client given');
        return false;
    }
    if (!$this->getUsername()) {
        $this->__setMessage('No username given');
        return false;
    }
    // Read ilias ini
    if (!$this->__buildDSN()) {
        $this->__setMessage('Error building dsn/Wrong client Id?');
        return false;
    }
    // these helpers set their own messages
    if (!$this->__setSessionSaveHandler() || !$this->__checkAgreement('cas') || !$this->__buildAuth()) {
        return false;
    }
    if ($this->soap_check and !$this->__checkSOAPEnabled()) {
        $this->__setMessage('SOAP is not enabled in ILIAS administration for this client');
        $this->__setMessageCode('Server');
        return false;
    }

    // --- CAS specific checks ----------------------------------------------
    // check whether authentication is valid
    if (!phpCAS::checkAuthentication()) {
        $this->__setMessage('ilSOAPAuthenticationCAS::authenticate(): No valid CAS authentication.');
        return false;
    }
    $this->auth->forceCASAuth();
    $cas_user = $this->auth->getCASUser();

    // The requested username must be the one the CAS ticket was issued for.
    if ($this->getUsername() != $cas_user) {
        $this->__setMessage('ilSOAPAuthenticationCAS::authenticate(): SOAP CAS user does not match to ticket user.');
        return false;
    }

    include_once './Services/User/classes/class.ilObjUser.php';
    $local_user = ilObjUser::_checkExternalAuthAccount("cas", $cas_user);
    if ($local_user == "") {
        $this->__setMessage('ilSOAPAuthenticationCAS::authenticate(): SOAP CAS user authenticated but not existing in ILIAS user database.');
        return false;
    }

    $this->auth->start();
    if (!$this->auth->getAuth()) {
        $this->__getAuthStatus();
        return false;
    }

    $this->setSid(session_id());
    return true;
}
/**
 * Resolve and store the internal (ILIAS) account mapped to the external account.
 *
 * @throws UnexpectedValueException when no external account has been set
 */
protected function readInternalAccount()
{
    $external = $this->getExternalAccount();
    if (!$external) {
        throw new UnexpectedValueException('No external account given.');
    }
    // lookup by (auth mode, external account); the result is cached on the instance
    $this->intaccount = ilObjUser::_checkExternalAuthAccount($this->getAuthMode(), $external);
}
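/**
 * Automatically generates the username/screenname of a Shibboleth user or returns
 * the user's already existing username
 *
 * Resolution order:
 *  1. no Shibboleth id in the request: null;
 *  2. an account already mapped to the id via auth mode "shibboleth" or
 *     "ldap": that login;
 *  3. otherwise a new, unused login derived from first and last name
 *     ("<first initial>.<lastname>", extended and numbered until unique).
 *
 * Fixes: the lastname split pattern used `'-;`, which is a character *range*
 * (it also split on digits, dots and commas); end() is no longer applied to a
 * function result (a by-reference notice); missing $_SERVER / $ln_arr entries
 * are guarded.
 *
 * @access private
 * @return string|null generated or existing login, null without a Shibboleth id
 */
function generateLogin()
{
    global $ilias, $ilDB;

    $shibID = $this->shibServerAttribute($ilias->getSetting('shib_login'));
    $lastname = $this->getFirstString($this->shibServerAttribute($ilias->getSetting('shib_lastname')));
    $firstname = $this->getFirstString($this->shibServerAttribute($ilias->getSetting('shib_firstname')));

    if (trim($shibID) == "") {
        return null;
    }

    //***********************************************//
    // For backwards compatibility with previous versions
    // We use the passwd field as mapping attribute for Shibboleth users
    // because they don't need a password
    // The md5 of a throw-away random password only replaces the id in the
    // legacy passwd column; it is not meant to be a usable credential.
    $generated = ilUtil::generatePasswords(1);
    $placeholder_pw = md5(end($generated));
    $ilias->db->query("UPDATE usr_data SET auth_mode='shibboleth', passwd=" . $ilDB->quote($placeholder_pw) . ", ext_account=" . $ilDB->quote($shibID) . " WHERE passwd=" . $ilDB->quote($shibID));
    //***********************************************//

    // Let's see if user already is registered
    $local_user = ilObjUser::_checkExternalAuthAccount("shibboleth", $shibID);
    if ($local_user) {
        return $local_user;
    }

    // Let's see if user already is registered but authenticates by ldap
    $local_user = ilObjUser::_checkExternalAuthAccount("ldap", $shibID);
    if ($local_user) {
        return $local_user;
    }

    // User doesn't seem to exist yet
    // Generate new username
    // This can be overruled by the data conversion API but you have
    // to do it yourself in that case

    // Generate the username out of the first character of firstname and the
    // first word in lastname (adding the second one if the login is too short,
    // avoiding meaningless last names like 'von' or 'd' and eliminating
    // non-ASCII-characters, spaces, dashes etc.
    $ln_arr = preg_split('/[ \'\-;]/', $lastname);
    $login = substr($this->toAscii($firstname), 0, 1) . "." . $this->toAscii($ln_arr[0]);
    // a missing second word previously reached toAscii() as null; assumed to add nothing
    if (strlen($login) < 6 && isset($ln_arr[1])) {
        $login .= $this->toAscii($ln_arr[1]);
    }
    $prefix = strtolower($login);

    // If the user name didn't contain any ASCII characters, assign the
    // name 'shibboleth' followed by a number, starting with 1.
    if (strlen($prefix) == 0) {
        $prefix = 'shibboleth';
        $number = 1;
    } else {
        // Try if the login name is not already taken
        if (!ilObjUser::getUserIdByLogin($prefix)) {
            return $prefix;
        }
        // If the login name is in use, append a number, starting with 2.
        $number = 2;
    }

    // Append a number, if the username is already taken
    while (ilObjUser::getUserIdByLogin($prefix . $number)) {
        $number++;
    }

    return $prefix . $number;
}

/**
 * Read a Shibboleth attribute from $_SERVER without an undefined-index notice.
 *
 * @param string $key $_SERVER key as configured in the shib_* settings
 * @return string attribute value, '' when absent
 */
private function shibServerAttribute($key)
{
    return isset($_SERVER[$key]) ? $_SERVER[$key] : '';
}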
/**
 * Call isValidSession of the SOAP server and store its answer in $this->response.
 *
 * The remote side is told whether the external user is still unknown to ILIAS
 * ('new_user'); the mapped local login is added to the stored response as
 * 'local_user'.
 *
 * @param string $a_username external user id
 * @param string $a_password password forwarded to the SOAP server
 * @param bool   $isChallengeResponse [optional] unused here
 * @return bool whether the remote side reported the session as valid
 */
public function fetchData($a_username, $a_password, $isChallengeResponse = false)
{
    $GLOBALS['ilLog']->write(__METHOD__ . ': Soap auth fetch data');

    // check whether external user exists in ILIAS database
    $local_user = ilObjUser::_checkExternalAuthAccount("soap", $a_username);
    $new_user = ($local_user == "");

    // .NET servers need an explicit SOAPAction and a namespace prefix on the parameters.
    $soapAction = $this->use_dotnet ? $this->server_nms . "/isValidSession" : "";
    $nspref = $this->use_dotnet ? "ns1:" : "";

    $params = array(
        $nspref . 'ext_uid' => $a_username,
        $nspref . 'soap_pw' => $a_password,
        $nspref . 'new_user' => $new_user,
    );
    $valid = $this->client->call('isValidSession', $params, $this->server_nms, $soapAction);

    // The remote side may answer with the string "false"; normalise it to a boolean.
    if (trim($valid["valid"]) == "false") {
        $valid["valid"] = false;
    }
    // to do check SOAP error!?
    $valid["local_user"] = $local_user;
    $this->response = $valid;

    return $valid['valid'] == true;
}
/**
 * @see ilAuthContainerBase::loginObserver()
 *
 * Binds the auth object to the ILIAS login mapped to the OpenID nickname.
 * Without a mapping the account is provisioned from the OpenID response,
 * routed through the account migration screen, or rejected, depending on the
 * OpenID settings.
 *
 * @param string $a_username unused; the nickname from the response data is used instead
 * @param object $a_auth     auth object (setAuth()/logout()/status)
 * @return bool true when a local login was bound, false when the login was rejected
 */
public function loginObserver($a_username, $a_auth)
{
    global $ilLog;

    $GLOBALS['ilLog']->write(__METHOD__ . ': Login observer called for openid');
    $this->initSettings();

    $nickname = $this->response_data['nickname'];
    $this->response_data['ilInternalAccount'] = ilObjUser::_checkExternalAuthAccount("openid", $nickname);
    $internal_account = $this->response_data['ilInternalAccount'];

    // Known account: bind the session to the mapped ILIAS login.
    if ($internal_account) {
        $GLOBALS['ilLog']->write(__METHOD__ . ': Using old name: ' . $internal_account);
        $a_auth->setAuth($internal_account);
        return true;
    }

    // Unknown account and no provisioning allowed: reject the login.
    if (!$this->settings->isCreationEnabled()) {
        // No syncronisation allowed => create Error
        $a_auth->status = AUTH_OPENID_NO_ILIAS_USER;
        $a_auth->logout();
        $GLOBALS['ilLog']->write(__METHOD__ . ': No creation');
        return false;
    }

    // Account migration: hand over to the migration screen instead of creating.
    if ($this->settings->isAccountMigrationEnabled() and !$this->force_creation and !$_SESSION['force_creation']) {
        //$a_auth->logout();
        $_SESSION['tmp_auth_mode'] = 'openid';
        $_SESSION['tmp_oid_username'] = urldecode($_GET['openid_identity']);
        $_SESSION['tmp_oid_provider'] = $_POST['oid_provider'];
        $_SESSION['tmp_external_account'] = $nickname;
        // NOTE(review): the clear-text password from the login form is parked
        // in the session for the migration screen; presumably cleared by that
        // flow — verify.
        $_SESSION['tmp_pass'] = $_POST['password'];
        $_SESSION['tmp_roles'] = array(0 => $this->settings->getDefaultRole());
        $GLOBALS['ilLog']->write(__METHOD__ . ': Redirect migration');
        // the redirect is expected to end the request here
        ilUtil::redirect('ilias.php?baseClass=ilStartUpGUI&cmd=showAccountMigration&cmdClass=ilstartupgui');
    }

    // Provision a new ILIAS account from the OpenID attributes.
    include_once './Services/OpenId/classes/class.ilOpenIdAttributeToUser.php';
    $new_user = new ilOpenIdAttributeToUser();
    $new_name = $new_user->create($nickname, $this->response_data);
    $GLOBALS['ilLog']->write(__METHOD__ . ': Create user with name:' . $new_name);
    $a_auth->setAuth($new_name);
    return true;
}
/**
 * Login function
 *
 * Maps the CAS user to an ILIAS login and binds it via setAuth(). When no
 * mapping exists, a local account is created if the "cas_create_users"
 * setting allows it; otherwise the status is set to AUTH_CAS_NO_ILIAS_USER.
 *
 * @access private
 * @return void
 */
function login()
{
    global $ilias, $rbacadmin, $ilSetting;

    $username = phpCAS::getUser();
    if ($username == "") {
        // This should never occur unless CAS is not configured properly
        $this->status = AUTH_WRONG_LOGIN;
        return;
    }

    // Authorize this user
    include_once './Services/User/classes/class.ilObjUser.php';
    $local_user = ilObjUser::_checkExternalAuthAccount("cas", $username);
    if ($local_user != "") {
        $this->setAuth($local_user);
        return;
    }

    if (!$ilSetting->get("cas_create_users")) {
        $this->status = AUTH_CAS_NO_ILIAS_USER;
        $this->logout();
        return;
    }

    // Provision a local account for the CAS user.
    $userObj = new ilObjUser();
    $local_user = ilAuthUtils::_generateLogin($username);

    $profile = array(
        "firstname" => $local_user,
        "lastname" => "",
        "login" => $local_user,
        // set "plain md5" password (= no valid password)
        "passwd" => "",
        "passwd_type" => IL_PASSWD_MD5,
        //"gender" => "m",
        "auth_mode" => "cas",
        "ext_account" => $username,
        "profile_incomplete" => 1,
    );

    // system data
    $userObj->assignData($profile);
    $userObj->setTitle($userObj->getFullname());
    $userObj->setDescription($userObj->getEmail());

    // set user language to system language
    $userObj->setLanguage($ilSetting->get("language"));

    // Time limit (owner 7: presumably the user folder — verify against USER_FOLDER_ID)
    $userObj->setTimeLimitOwner(7);
    $userObj->setTimeLimitUnlimited(1);
    $userObj->setTimeLimitFrom(time());
    $userObj->setTimeLimitUntil(time());

    // Create user in DB
    $userObj->setOwner(0);
    $userObj->create();
    $userObj->setActive(1);
    $userObj->updateOwner();

    //insert user data in table user_data
    $userObj->saveAsNew();

    // setup user preferences
    $userObj->writePrefs();

    // to do: test this
    $rbacadmin->assignUser($ilSetting->get('cas_user_default_role'), $userObj->getId(), true);
    unset($userObj);

    $this->setAuth($local_user);
}
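/**
 * Does input checks and updates a user account if everything is fine.
 *
 * Reads the submitted account data from $_POST["Fobject"] (plus
 * $_POST["time_limit"], $_POST["udf"], $_POST["send_mail"]), validates it
 * (permissions, required fields, login, password, external account,
 * e-mail, time limit), writes the account and its preferences and
 * redirects back to the calling list view.
 *
 * Validation failures are reported through $this->ilias->raiseError()
 * (presumably terminating the request — the code does not return after
 * it); the "time limit outside the owner's limit" case and an
 * ilUserException from updateLogin() re-render the form instead.
 *
 * Fix: $tpl was used in the ilUserException handler without being
 * declared global, so that error path died with a fatal error instead of
 * showing the form; $require_keys is now initialised before use and the
 * Fobject loop tolerates a missing/non-array value.
 *
 * @access public
 * @return bool|mixed false when the form is re-rendered after a failed
 *                    time-limit check; the result of $tpl->setContent()
 *                    when updateLogin() fails; otherwise redirects
 */
function updateObjectOld()
{
    global $ilias, $rbacsystem, $rbacadmin, $ilUser, $tpl;

    include_once './Services/Authentication/classes/class.ilAuthUtils.php';

    //load ILIAS settings
    $settings = $ilias->getAllSettings();

    // User folder: the caller needs write access on the user folder itself
    if ($this->usrf_ref_id == USER_FOLDER_ID
        and !$rbacsystem->checkAccess('visible,read,write', $this->usrf_ref_id)) {
        $this->ilias->raiseError($this->lng->txt("msg_no_perm_modify_user"), $this->ilias->error_obj->MESSAGE);
    }

    // if called from local administration $this->usrf_ref_id is category id
    // Todo: this has to be fixed. Do not mix user folder id and category id
    if ($this->usrf_ref_id != USER_FOLDER_ID) {
        // check if user is assigned to category
        if (!$rbacsystem->checkAccess('cat_administrate_users', $this->object->getTimeLimitOwner())) {
            $this->ilias->raiseError($this->lng->txt("msg_no_perm_modify_user"), $this->ilias->error_obj->MESSAGE);
        }
    }

    // Undo magic-quotes style escaping on every submitted field
    // ((array) keeps a missing/non-array Fobject from warning in foreach)
    foreach ((array) $_POST["Fobject"] as $key => $val) {
        $_POST["Fobject"][$key] = ilUtil::stripSlashes($val);
    }

    // check dynamically required fields
    // Every setting name is stripped of its first 8 chars ("require_");
    // the password fields only count for auth modes whose password ILIAS
    // manages itself (see the else branch below, where it is left untouched).
    $require_keys = array();
    foreach ($settings as $key => $val) {
        $field = substr($key, 8);
        switch ($field) {
            case 'passwd':
            case 'passwd2':
                if (ilAuthUtils::_allowPasswordModificationByAuthMode(ilAuthUtils::_getAuthMode($_POST['Fobject']['auth_mode']))) {
                    $require_keys[] = $field;
                }
                break;
            default:
                $require_keys[] = $field;
                break;
        }
    }

    foreach ($require_keys as $key => $val) {
        // exclude required system and registration-only fields
        $system_fields = array("default_role");
        if (!in_array($val, $system_fields)) {
            if (isset($settings["require_" . $val]) && $settings["require_" . $val]) {
                if (empty($_POST["Fobject"][$val])) {
                    $this->ilias->raiseError(
                        $this->lng->txt("fill_out_all_required_fields") . ": " . $this->lng->txt($val),
                        $this->ilias->error_obj->MESSAGE
                    );
                }
            }
        }
    }

    if (!$this->__checkUserDefinedRequiredFields()) {
        $this->ilias->raiseError($this->lng->txt("fill_out_all_required_fields"), $this->ilias->error_obj->MESSAGE);
    }

    // validate login (only when it actually changes)
    if ($this->object->getLogin() != $_POST["Fobject"]["login"] && !ilUtil::isLogin($_POST["Fobject"]["login"])) {
        $this->ilias->raiseError($this->lng->txt("login_invalid"), $this->ilias->error_obj->MESSAGE);
    }

    // check loginname: must not collide with any other account
    if (ilObjUser::_loginExists($_POST["Fobject"]["login"], $this->id)) {
        $this->ilias->raiseError($this->lng->txt("login_exists"), $this->ilias->error_obj->MESSAGE);
    }

    // auth_mode comes from the form: for externally authenticated modes the
    // password is not validated and the "********" sentinel is kept, which
    // is presumably treated downstream as "leave password unchanged" — confirm
    if (ilAuthUtils::_allowPasswordModificationByAuthMode(ilAuthUtils::_getAuthMode($_POST['Fobject']['auth_mode']))) {
        if ($_POST['Fobject']['passwd'] == "********" and !strlen($this->object->getPasswd())) {
            $this->ilias->raiseError(
                $this->lng->txt("fill_out_all_required_fields") . ": " . $this->lng->txt('password'),
                $this->ilias->error_obj->MESSAGE
            );
        }
        // check passwords
        if ($_POST["Fobject"]["passwd"] != $_POST["Fobject"]["passwd2"]) {
            $this->ilias->raiseError($this->lng->txt("passwd_not_match"), $this->ilias->error_obj->MESSAGE);
        }
        // validate password
        if (!ilUtil::isPassword($_POST["Fobject"]["passwd"])) {
            $this->ilias->raiseError($this->lng->txt("passwd_invalid"), $this->ilias->error_obj->MESSAGE);
        }
    } else {
        // Password will not be changed...
        $_POST['Fobject']['passwd'] = "********";
    }

    if (ilAuthUtils::_needsExternalAccountByAuthMode(ilAuthUtils::_getAuthMode($_POST['Fobject']['auth_mode']))) {
        if (!strlen($_POST['Fobject']['ext_account'])) {
            $this->ilias->raiseError($this->lng->txt('ext_acccount_required'), $this->ilias->error_obj->MESSAGE);
        }
    }

    // An external account may be bound to only one ILIAS login per auth mode
    if ($_POST['Fobject']['ext_account']
        && ($elogin = ilObjUser::_checkExternalAuthAccount($_POST['Fobject']['auth_mode'], $_POST['Fobject']['ext_account']))) {
        if ($elogin != $this->object->getLogin()) {
            $this->ilias->raiseError(
                sprintf(
                    $this->lng->txt("err_auth_ext_user_exists"),
                    $_POST["Fobject"]["ext_account"],
                    $_POST['Fobject']['auth_mode'],
                    $elogin
                ),
                $this->ilias->error_obj->MESSAGE
            );
        }
    }

    // The password type is not passed with the post data. Therefore we
    // append it here manually.
    include_once './Services/User/classes/class.ilObjUser.php';
    $_POST["Fobject"]["passwd_type"] = IL_PASSWD_PLAIN;

    // validate email (empty is allowed)
    if (strlen($_POST['Fobject']['email']) and !ilUtil::is_email($_POST["Fobject"]["email"])) {
        $this->ilias->raiseError($this->lng->txt("email_not_valid"), $this->ilias->error_obj->MESSAGE);
    }

    $start = $this->__toUnix($_POST["time_limit"]["from"]);
    $end = $this->__toUnix($_POST["time_limit"]["until"]);

    // validate time limit
    if (!$_POST["time_limit"]["unlimited"] and $start > $end) {
        $this->ilias->raiseError($this->lng->txt("time_limit_not_valid"), $this->ilias->error_obj->MESSAGE);
    }

    // A time-limited administrator may not grant more than their own limit
    if (!$this->ilias->account->getTimeLimitUnlimited()) {
        if ($start < $this->ilias->account->getTimeLimitFrom()
            or $end > $this->ilias->account->getTimeLimitUntil()
            or $_POST['time_limit']['unlimited']) {
            // NOTE(review): this also copies the submitted passwd/passwd2
            // fields into the session; consider unsetting them first.
            $_SESSION['error_post_vars'] = $_POST;
            ilUtil::sendFailure($this->lng->txt('time_limit_not_within_owners'));
            $this->editObject();
            return false;
        }
    }

    // TODO: check length of login and passwd

    // checks passed. save user
    $_POST['Fobject']['time_limit_owner'] = $this->object->getTimeLimitOwner();
    $_POST['Fobject']['time_limit_unlimited'] = (int) $_POST['time_limit']['unlimited'];
    $_POST['Fobject']['time_limit_from'] = $start;
    $_POST['Fobject']['time_limit_until'] = $end;

    // Reset the "limit expires" message flag whenever the limit changed
    if ($_POST['Fobject']['time_limit_unlimited'] != $this->object->getTimeLimitUnlimited()
        or $_POST['Fobject']['time_limit_from'] != $this->object->getTimeLimitFrom()
        or $_POST['Fobject']['time_limit_until'] != $this->object->getTimeLimitUntil()) {
        $_POST['Fobject']['time_limit_message'] = 0;
    } else {
        $_POST['Fobject']['time_limit_message'] = $this->object->getTimeLimitMessage();
    }

    $this->object->assignData($_POST["Fobject"]);
    $this->object->setUserDefinedData($_POST['udf']);

    try {
        $this->object->updateLogin($_POST['Fobject']['login']);
    } catch (ilUserException $e) {
        // $tpl is now declared global above; previously this path was fatal.
        // NOTE(review): $this->form_gui is not set anywhere in this method —
        // confirm the caller initialises it before relying on this branch.
        ilUtil::sendFailure($e->getMessage());
        $this->form_gui->setValuesByPost();
        return $tpl->setContent($this->form_gui->getHtml());
    }

    $this->object->setTitle($this->object->getFullname());
    $this->object->setDescription($this->object->getEmail());
    $this->object->setLanguage($_POST["Fobject"]["language"]);

    //set user skin and style ("skin:style")
    $sknst = explode(":", $_POST["Fobject"]["skin_style"]);
    if ($this->object->getPref("style") != $sknst[1] || $this->object->getPref("skin") != $sknst[0]) {
        $this->object->setPref("skin", $sknst[0]);
        $this->object->setPref("style", $sknst[1]);
    }

    // set hits per pages
    $this->object->setPref("hits_per_page", $_POST["Fobject"]["hits_per_page"]);
    // set show users online
    $this->object->setPref("show_users_online", $_POST["Fobject"]["show_users_online"]);
    // set hide_own_online_status
    if ($_POST["Fobject"]["hide_own_online_status"]) {
        $this->object->setPref("hide_own_online_status", $_POST["Fobject"]["hide_own_online_status"]);
    } else {
        $this->object->setPref("hide_own_online_status", "n");
    }

    $this->update = $this->object->update();
    //$rbacadmin->updateDefaultRole($_POST["Fobject"]["default_role"], $this->object->getId());

    // BEGIN DiskQuota: Remember the state of the "send info mail" checkbox
    // (stored on the acting user, not on the edited account)
    $ilUser->setPref('send_info_mails', $_POST['send_mail'] == 'y' ? 'y' : 'n');
    $ilUser->writePrefs();
    // END DiskQuota: Remember the state of the "send info mail" checkbox

    $mail_message = $this->__sendProfileMail();
    $msg = $this->lng->txt('saved_successfully') . $mail_message;

    // feedback
    ilUtil::sendSuccess($msg, true);

    if (strtolower($_GET["baseClass"]) == 'iladministrationgui') {
        $this->ctrl->redirectByClass("ilobjuserfoldergui", "view");
    } else {
        $this->ctrl->redirectByClass('ilobjcategorygui', 'listUsers');
    }
}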