public function LoginValidator::checkAllowedExcluded in Lightweight Directory Access Protocol (LDAP) 8.3
Check if exclusion criteria match.
Return value
bool Exclusion result.
2 calls to LoginValidator::checkAllowedExcluded()
- LoginValidator::testCredentials in ldap_authentication/
src/ Controller/ LoginValidator.php - Credentials are tested.
- LoginValidator::testSsoCredentials in ldap_authentication/
src/ Controller/ LoginValidator.php - Test the SSO credentials.
File
- ldap_authentication/
src/ Controller/ LoginValidator.php, line 612
Class
- LoginValidator
- Handles the actual testing of credentials and authentication of users.
Namespace
Drupal\ldap_authentication\Controller
Code
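/**
 * Checks whether an LDAP user passes every allow/exclude rule.
 *
 * Rules are evaluated in order and the first one that fails denies the
 * login: the excludeIfTextInDn deny-list, the allowOnlyIfTextInDn
 * allow-list, the excludeIfNoAuthorizations rule (only when the
 * ldap_authorization module is installed) and finally the
 * ldap_authentication_allowuser_results alter hook, which lets other
 * modules veto the login.
 *
 * Both DN rules use stripos(), i.e. a case-insensitive substring match
 * against the whole DN, so a configured fragment also matches when it is
 * part of a longer attribute value. Empty fragments are ignored: an empty
 * needle would otherwise match every DN on PHP 8, and for the allow-list
 * that would admit every user.
 *
 * @param string $authName
 *   The authentication name of the user being validated.
 * @param array $ldap_user
 *   The LDAP user entry; only its 'dn' element is read here.
 *
 * @return bool
 *   TRUE if the user may log in, FALSE if any rule excludes the user.
 */
public function checkAllowedExcluded($authName, $ldap_user) {
  $dn = (string) ($ldap_user['dn'] ?? '');

  // Deny-list: any configured fragment found in the DN excludes the user.
  // Missing configuration is treated as an empty list rather than letting
  // foreach() warn on NULL.
  foreach ((array) $this->config->get('excludeIfTextInDn') as $fragment) {
    if ($this->dnContainsFragment($dn, $fragment)) {
      return FALSE;
    }
  }

  // Allow-list: when configured, at least one fragment must match the DN.
  $allowOnly = (array) $this->config->get('allowOnlyIfTextInDn');
  if (count($allowOnly)) {
    $matched = FALSE;
    foreach ($allowOnly as $fragment) {
      if ($this->dnContainsFragment($dn, $fragment)) {
        $matched = TRUE;
        break;
      }
    }
    if (!$matched) {
      return FALSE;
    }
  }

  // Optional rule: deny users for whom no LDAP authorization profile applied
  // anything. Only evaluated when ldap_authorization is installed.
  if ($this->moduleHandler->moduleExists('ldap_authorization')
    && $this->config->get('excludeIfNoAuthorizations')) {
    if (!$this->hasAppliedAuthorizations($authName)) {
      drupal_set_message($this->t('The site logon is currently not working due to a configuration error. Please see logs for additional details.'), 'warning');
      $this->logger->notice('LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured.');
      return FALSE;
    }
  }

  // Let other modules refuse the login through
  // hook_ldap_authentication_allowuser_results_alter(); only an explicit
  // FALSE counts as a refusal.
  $hook_result = TRUE;
  $this->moduleHandler->alter('ldap_authentication_allowuser_results', $ldap_user, $authName, $hook_result);
  if ($hook_result === FALSE) {
    $this->logger->notice('Authentication Allow User Result=refused for %name', [
      '%name' => $authName,
    ]);
    return FALSE;
  }

  // Every rule passed.
  return TRUE;
}

/**
 * Tests whether a configured fragment occurs in a DN.
 *
 * The match is case-insensitive and substring-based (stripos()). Empty or
 * non-scalar fragments never match, so a blank configuration entry can
 * neither exclude nor admit users.
 *
 * @param string $dn
 *   The distinguished name of the LDAP entry.
 * @param mixed $fragment
 *   A configured fragment from excludeIfTextInDn or allowOnlyIfTextInDn.
 *
 * @return bool
 *   TRUE if the fragment is a non-empty string found within the DN.
 */
private function dnContainsFragment($dn, $fragment) {
  if (!is_scalar($fragment)) {
    return FALSE;
  }
  $needle = (string) $fragment;
  if ($needle === '') {
    return FALSE;
  }
  return stripos($dn, $needle) !== FALSE;
}

/**
 * Determines whether any LDAP authorization profile applied to the user.
 *
 * Loads the account mapped to $authName, or builds an unsaved placeholder
 * account when none exists yet, runs every authorization profile whose
 * provider is ldap_provider against it and reports whether at least one
 * profile produced applied authorizations.
 *
 * @param string $authName
 *   The authentication name of the user being validated.
 *
 * @return bool
 *   TRUE if at least one profile applied authorizations, FALSE otherwise.
 */
private function hasAppliedAuthorizations($authName) {
  $user = FALSE;
  $id = ExternalAuthenticationHelper::getUidFromIdentifierMap($authName);
  if ($id) {
    $user = $this->entityTypeManager->getStorage('user')->load($id);
  }
  if (!$user) {
    // No account exists yet; hand the controller an unsaved placeholder.
    $user = User::create([
      'name' => $authName,
    ]);
  }

  // The authorization manager is fetched from the container rather than
  // injected so that ldap_authorization stays an optional dependency.
  /** @var \Drupal\authorization\AuthorizationController $controller */
  $controller = \Drupal::service('authorization.manager');
  $controller->setUser($user);

  $profiles = $this->entityTypeManager
    ->getStorage('authorization_profile')
    ->getQuery()
    ->condition('provider', 'ldap_provider')
    ->execute();
  foreach ($profiles as $profile) {
    $controller->queryIndividualProfile($profile);
  }

  $authorizations = $controller->getProcessedAuthorizations();
  // Reset the controller so this check leaves nothing behind for later use.
  $controller->clearAuthorizations();

  foreach ($authorizations as $authorization) {
    if (!empty($authorization->getAuthorizationsApplied())) {
      return TRUE;
    }
  }
  return FALSE;
}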