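/**
 * Retrieve the login and domain asserted by the SSO headers and start a
 * session for the user found there.
 *
 * Steps (numbered in the body):
 *  1. no login header -> delegate to DEFAULT_LEMONLDAP_SECONDARY_AUTHCLASS;
 *  2. stop unless checkLemonldapRequest() accepts the request;
 *  3. look the user up and, when enabled, create/update it via LemonLDAP_Sync;
 *  4. unfreeze the account, populate $obm and mark the session as SSO-opened.
 *
 * @return mixed the user id read from the user data on success, false otherwise
 *               (the previous docblock said boolean, but the code returns the id)
 */
public function auth_validatelogin()
{
    global $obm;

    // 1. Identity asserted by the request headers. Nothing derived from these
    //    values is trusted before checkLemonldapRequest() below has accepted
    //    the request (presumably verifying it comes from the SSO handler — confirm).
    $user = $this->_engine->getUserLogin();
    $domain = $this->_engine->getUserDomain();

    // Header-derived values are interpolated into log lines below; strip control
    // characters (CR/LF in particular) so a crafted header cannot forge extra
    // log entries. Only the logged copies are altered, never the values used
    // for lookups.
    $log_user = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $user);
    $log_domain = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $domain);

    // No login header: fall back to the regular authentication process by
    // calling auth_validatelogin() on the class named by
    // DEFAULT_LEMONLDAP_SECONDARY_AUTHCLASS. auth_preauth() is not usable here
    // because it does not do the job correctly for us.
    // The (string) cast keeps the former strlen()==0 test (null, false and ''
    // all count as "no login") without passing null to strlen(), which is
    // deprecated since PHP 8.1.
    if ((string) $user === '') {
        $this->_logger->debug('Proceed to non-SSO authentication');
        $d_auth_class_name = DEFAULT_LEMONLDAP_SECONDARY_AUTHCLASS;
        $d_auth_object = new $d_auth_class_name();
        return $d_auth_object->auth_validatelogin();
    }

    // 2. Refuse anything that is not a genuine LemonLDAP request. The header
    //    dump stays disabled on purpose: it would write every request header,
    //    SSO material included, into the log.
    // $this->_logger->debug("Headers: " . var_export($this->_engine->getHeaders(), true));
    if (!$this->checkLemonldapRequest()) {
        $this->_logger->warn('Not a valid Lemonldap request, stop authentication');
        return false;
    }

    // 3. Resolve the domain and the user. isUserExists() yields false for an
    //    unknown user; that is normalised to null before the sync step.
    $domain_id = $this->_engine->getDomainID($domain);
    $user_id = $this->_engine->isUserExists($user, $domain_id);
    if ($user_id === false) {
        $user_id = null;
    }

    // Create or update the account when synchronisation is enabled. syncUser()
    // returns the created/updated id, or false on failure, in which case
    // $user_id is left untouched. Per the original design the user is still
    // authenticated even when the synchronisation failed.
    $sync = new LemonLDAP_Sync($this->_engine);
    if ($sync->isEnabled()) {
        $user_id_sync = $sync->syncUser($user_id, $domain_id, $user, $domain);
        if ($user_id_sync !== false) {
            $user_id = $user_id_sync;
        }
    }

    // 4. Load the account and open the session. $this->_logged records that
    //    the user came in through LemonLDAP; other OBM modules can use that
    //    flag to lock features such as changing the OBM password.
    $user_auth = false;
    $user_data = $this->_engine->getUserDataFromId($user_id, $domain_id);
    if (is_array($user_data) && array_key_exists('user_id', $user_data)) {
        if (global_unfreeze_user($user_data['user_id'])) {
            $obm['login'] = $user_data['login'];
            $obm['profile'] = $user_data['profile'];
            $obm['domain_id'] = $domain_id;
            $obm['delegation'] = $user_data['delegation_target'];
            $user_auth = $user_data['user_id'];
            $this->_logged = true;
        }
    }

    $this->_logger->info(
        "authentication for $log_user@$log_domain: " . ($this->_logged ? 'SUCCEED' : 'FAILED')
    );

    return $user_auth;
}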