
public function LoginValidator::testSsoCredentials in Lightweight Directory Access Protocol (LDAP) 8.3

Test the SSO credentials.

Return value

int Returns the authentication result.

1 call to LoginValidator::testSsoCredentials()
LoginValidator::processSsoLogin in ldap_authentication/src/Controller/LoginValidator.php
Processes an SSO login.

File

ldap_authentication/src/Controller/LoginValidator.php, line 429

Class

LoginValidator
Handles the actual testing of credentials and authentication of users.

Namespace

Drupal\ldap_authentication\Controller

Code

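/**
 * Tests SSO credentials against each enabled LDAP server in turn.
 *
 * Servers are tried in the order returned by
 * LdapAuthenticationConfiguration::getEnabledAuthenticationServers(). A
 * connection or bind failure moves on to the next server; a server error
 * while looking up the user, a disallowed user, or a successful match stops
 * the loop. The outcome is logged to the detail log before returning.
 *
 * @param string $authName
 *   The authentication name supplied by the SSO layer.
 *
 * @return int
 *   One of the self::AUTHENTICATION_* result codes. When bindToServerSso()
 *   fails, its return value is propagated as the result.
 */
public function testSsoCredentials($authName) {

  // TODO: Verify if MODE_EXCLUSIVE check is a regression.
  // Default result for the case where no authentication server is enabled.
  $authenticationResult = self::AUTHENTICATION_FAILURE_GENERIC;
  foreach (LdapAuthenticationConfiguration::getEnabledAuthenticationServers() as $server) {
    // Reset per server so the previous server's outcome cannot leak into
    // this one.
    $authenticationResult = self::AUTHENTICATION_FAILURE_GENERIC;
    $this->serverDrupalUser = Server::load($server);
    // The bind method is read several times below; read it once per server.
    $bindMethod = $this->serverDrupalUser->get('bind_method');
    $this->detailLog->log('%username: Trying server %id where bind_method = %bind_method', [
      '%username' => $authName,
      '%id' => $this->serverDrupalUser->id(),
      '%bind_method' => $bindMethod,
    ], 'ldap_authentication');
    if (!$this->connectToServer()) {
      continue;
    }
    $bindResult = $this->bindToServerSso();
    // Strict comparison so that only the literal string 'success' is treated
    // as a successful bind. A non-string return (e.g. an integer error code)
    // must never loosely compare equal to 'success'; the check fails closed.
    if ($bindResult !== 'success') {
      $authenticationResult = $bindResult;

      // If bind fails, onto next server.
      continue;
    }
    $this->ldapUser = $this->serverDrupalUser->matchUsernameToExistingLdapEntry($authName);
    if (!$this->ldapUser) {
      // '%id' is part of the message and was missing from the context, so
      // it was logged literally; supply it like the first log call does.
      $this->detailLog->log('%username: Trying server %id where bind_method = %bind_method. Error: %err_text', [
        '%username' => $authName,
        '%id' => $this->serverDrupalUser->id(),
        '%bind_method' => $bindMethod,
        '%err_text' => $this->serverDrupalUser->formattedError($this->serverDrupalUser->ldapErrorNumber()),
      ], 'ldap_authentication');
      if ($this->serverDrupalUser->hasError()) {
        // A server-side error is terminal; do not fall through to other servers.
        $authenticationResult = self::AUTHENTICATION_FAILURE_SERVER;
        break;
      }
      $authenticationResult = self::AUTHENTICATION_FAILURE_FIND;

      // Next server, please.
      continue;
    }
    // NOTE(review): this passes $this->authName, while the rest of the method
    // uses the $authName parameter. Confirm the caller (processSsoLogin)
    // always sets $this->authName to the same value before calling here.
    if (!$this->checkAllowedExcluded($this->authName, $this->ldapUser)) {
      $authenticationResult = self::AUTHENTICATION_FAILURE_DISALLOWED;

      // Regardless of how many servers, disallowed user fails.
      break;
    }
    $authenticationResult = self::AUTHENTICATION_SUCCESS;
    if ($bindMethod === 'anon_user') {

      // After successful bind, lookup user again to get private attributes.
      $this->ldapUser = $this->serverDrupalUser->matchUsernameToExistingLdapEntry($authName);
    }
    if (in_array($bindMethod, ['service_account', 'anon_user'], TRUE)) {
      $this->serverDrupalUser->disconnect();
    }

    // Success.
    break;

    // End loop through servers.
  }
  $this->detailLog->log('Authentication result for %username is: %err_text', [
    '%username' => $authName,
    '%err_text' => $this->authenticationHelpText($authenticationResult) . ' ' . $this->additionalDebuggingResponse($authenticationResult),
  ], 'ldap_authentication');
  return $authenticationResult;
}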