public function LoginValidatorBase::checkAllowedExcluded in Lightweight Directory Access Protocol (LDAP) 8.4
Check whether the LDAP user is allowed to authenticate, applying the configured exclusion and allow-only rules.
Parameters
string $authName: Authname.
\Symfony\Component\Ldap\Entry $ldap_user: LDAP Entry.
Return value
bool TRUE if the user may proceed to authenticate; FALSE if the DN matched an excludeIfTextInDn rule, failed the allowOnlyIfTextInDn rule, has no LDAP authorization mapping while excludeIfNoAuthorizations is enabled, or was refused by another module's alter hook.
Overrides LoginValidatorInterface::checkAllowedExcluded
2 calls to LoginValidatorBase::checkAllowedExcluded()
- LoginValidatorLoginForm::testCredentials in ldap_authentication/src/Controller/LoginValidatorLoginForm.php - Credentials are tested.
- LoginValidatorSso::testCredentials in ldap_authentication/src/Controller/LoginValidatorSso.php - @todo Reduce code duplication w/ LoginValidator, split this function up.
File
- ldap_authentication/src/Controller/LoginValidatorBase.php, line 501
Class
- LoginValidatorBase
- Handles the actual testing of credentials and authentication of users.
Namespace
Drupal\ldap_authentication\Controller
Code
public function checkAllowedExcluded(string $authName, Entry $ldap_user) : bool {
  // Exclusion rules are evaluated first and win over everything else: if any
  // configured string is a case-insensitive substring of the entry's DN, the
  // user is refused.
  foreach ($this->config->get('excludeIfTextInDn') as $test) {
    if (stripos($ldap_user->getDn(), $test) !== FALSE) {
      return FALSE;
    }
  }
  // Allow-only rules: when any are configured, at least one of them must be
  // a case-insensitive substring of the DN, otherwise the user is refused.
  if (count($this->config->get('allowOnlyIfTextInDn'))) {
    $fail = TRUE;
    foreach ($this->config->get('allowOnlyIfTextInDn') as $test) {
      if (stripos($ldap_user->getDn(), $test) !== FALSE) {
        $fail = FALSE;
      }
    }
    if ($fail) {
      return FALSE;
    }
  }
  // Handle excludeIfNoAuthorizations enabled and user has no groups.
  if ($this->moduleHandler->moduleExists('ldap_authorization') && $this->config->get('excludeIfNoAuthorizations')) {
    // Evaluate authorizations against the Drupal account already mapped to
    // this authname, or against a transient, unsaved account if none exists.
    $user = FALSE;
    $id = $this->externalAuth->getUid($authName, 'ldap_user');
    if ($id) {
      $user = $this->entityTypeManager->getStorage('user')->load($id);
    }
    if (!$user) {
      $user = $this->entityTypeManager->getStorage('user')->create([
        'name' => $authName,
      ]);
    }
    // We are not injecting this service properly to avoid forcing this
    // dependency on authorization.
    /** @var \Drupal\user\Entity\User $user */
    /** @var \Drupal\authorization\AuthorizationController $controller */
    // @codingStandardsIgnoreLine
    $controller = \Drupal::service('authorization.manager');
    $controller->setUser($user);
    $profiles = $this->entityTypeManager->getStorage('authorization_profile')
      ->getQuery()
      ->condition('provider', 'ldap_provider')
      ->execute();
    foreach ($profiles as $profile) {
      $controller->queryIndividualProfile($profile);
    }
    $authorizations = $controller->getProcessedAuthorizations();
    $controller->clearAuthorizations();
    $valid_profile = FALSE;
    foreach ($authorizations as $authorization) {
      if (!empty($authorization->getAuthorizationsApplied())) {
        $valid_profile = TRUE;
      }
    }
    if (!$valid_profile) {
      // This branch is reached both when no LDAP authorization profile exists
      // and when profiles exist but none applied to this user; the messages
      // below describe only the first case.
      $this->messenger->addWarning($this->t('The site logon is currently not working due to a configuration error. Please see logs for additional details.'));
      $this->logger->notice('LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured.');
      return FALSE;
    }
  }
  // Allow other modules to hook in and refuse if they like. $hook_result is
  // passed by reference; an implementation sets it to FALSE to refuse.
  $hook_result = TRUE;
  $this->moduleHandler->alter('ldap_authentication_allowuser_results', $ldap_user, $authName, $hook_result);
  if (!$hook_result) {
    $this->logger->notice('Authentication Allow User Result=refused for %name', [
      '%name' => $authName,
    ]);
    return FALSE;
  }
  // Default to allowed.
  return TRUE;
}
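The two DN filters at the top of this method are plain stripos() substring matches on the full DN, which has consequences that are easy to miss when writing the configuration strings. The following stand-alone script is an added example, not code from the ldap module: it models only those two filters (the authorization and hook branches are left out) and runs them over constructed sample DNs to show that exclusion beats allow-only, that matching is case-insensitive, and how an empty configuration string behaves on PHP 8 versus PHP 7. The DNs and rule strings are invented for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Model of the excludeIfTextInDn / allowOnlyIfTextInDn checks in
 * LoginValidatorBase::checkAllowedExcluded(). Exclusion strings are tested
 * first and win; if any allow-only strings are configured, at least one must
 * match. Both use stripos(): a case-insensitive substring test on the DN.
 */
function dn_rules_allow(string $dn, array $exclude_if_text_in_dn, array $allow_only_if_text_in_dn): bool {
  foreach ($exclude_if_text_in_dn as $test) {
    if (stripos($dn, $test) !== FALSE) {
      return FALSE;
    }
  }
  if (count($allow_only_if_text_in_dn)) {
    $fail = TRUE;
    foreach ($allow_only_if_text_in_dn as $test) {
      if (stripos($dn, $test) !== FALSE) {
        $fail = FALSE;
      }
    }
    if ($fail) {
      return FALSE;
    }
  }
  return TRUE;
}

/** Fails loudly; assert() may be compiled out depending on zend.assertions. */
function expect(bool $actual, bool $expected, string $what): void {
  if ($actual !== $expected) {
    throw new RuntimeException("unexpected result for: $what");
  }
}

// Constructed sample DNs (not taken from any real directory).
$staff      = 'CN=Jane Doe,OU=Staff,DC=example,DC=com';
$contractor = 'CN=Bob Roe,OU=Contractors,OU=Staff,DC=example,DC=com';
$service    = 'cn=svc-backup,ou=Service Accounts,dc=example,dc=com';

// Constructed rule sets, as an administrator might type them.
$exclude   = ['OU=Contractors', 'ou=service accounts'];
$allowOnly = ['OU=Staff'];

// Ordinary staff member: no exclusion hit, allow-only satisfied.
expect(dn_rules_allow($staff, $exclude, $allowOnly), TRUE, 'staff allowed');

// The contractor also sits under OU=Staff, but the exclusion is evaluated
// first and wins: allow-only never rescues an excluded DN.
expect(dn_rules_allow($contractor, $exclude, $allowOnly), FALSE, 'exclusion wins');

// Case-insensitive: the lower-case rule catches the mixed-case DN.
expect(dn_rules_allow($service, $exclude, []), FALSE, 'case-insensitive exclude');

// Allow-only only bites when at least one string is configured.
expect(dn_rules_allow($service, [], $allowOnly), FALSE, 'not under OU=Staff');
expect(dn_rules_allow($service, [], []), TRUE, 'no rules at all');

// Edge case: an empty string in a rule list. On PHP >= 8.0 stripos() returns
// 0 for an empty needle, so '' in excludeIfTextInDn refuses every user and ''
// in allowOnlyIfTextInDn admits every user. On PHP 7 stripos() returns FALSE
// (with a warning) for an empty needle, inverting both outcomes.
if (PHP_VERSION_ID >= 80000) {
  expect(dn_rules_allow($staff, [''], []), FALSE, 'empty exclude refuses all');
  expect(dn_rules_allow($service, [], ['']), TRUE, 'empty allow-only admits all');
}

echo "all DN rule checks passed\n";
```

The practical check this suggests: review configured rule strings for stray empty entries, and remember that `OU=Staff` also matches a DN containing `OU=Staff-Former` or any RDN value that merely contains that text, since nothing anchors the match to a whole RDN.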
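The final step of the method invokes an alter hook, which is the supported way for another module to refuse a user after the built-in rules have passed. The hook name follows from the `alter('ldap_authentication_allowuser_results', ...)` call above; `$ldap_user` arrives as the altered data, `$authName` as the first context argument and `$hook_result` as the second, so the implementation must take `$hook_result` by reference for its decision to reach the caller. The implementation below is an added example for a hypothetical module named `mymodule`, not code shipped with the ldap module; the Active Directory `userAccountControl` check (bit 0x2 is ACCOUNTDISABLE) and the required group DN are assumptions chosen for illustration.

```php
<?php

/**
 * @file
 * mymodule.module (hypothetical): refuse LDAP users on extra criteria.
 */

use Symfony\Component\Ldap\Entry;

/**
 * Implements hook_ldap_authentication_allowuser_results_alter().
 *
 * Called from LoginValidatorBase::checkAllowedExcluded() once the DN and
 * authorization checks have passed. Setting $hook_result to FALSE refuses the
 * login; the caller then logs "Authentication Allow User Result=refused".
 */
function mymodule_ldap_authentication_allowuser_results_alter(Entry $ldap_user, string $auth_name, bool &$hook_result): void {
  // Another module may already have refused this user. Only ever narrow the
  // decision; never flip a FALSE back to TRUE.
  if (!$hook_result) {
    return;
  }

  // Assumption: the directory is Active Directory. Bit 0x2 of
  // userAccountControl is ACCOUNTDISABLE. getAttribute() returns an array of
  // values or NULL when the attribute is absent from the entry.
  $uac = $ldap_user->getAttribute('userAccountControl');
  if (!empty($uac) && (((int) $uac[0]) & 0x2)) {
    \Drupal::logger('mymodule')->notice('Refusing disabled account %name (%dn).', [
      '%name' => $auth_name,
      '%dn' => $ldap_user->getDn(),
    ]);
    $hook_result = FALSE;
    return;
  }

  // Assumption: membership in one specific group is required. The group DN
  // below is an example value; in a real module it would come from config.
  // DNs are compared case-insensitively as whole strings, which is stricter
  // than the substring matching used for the DN rules in the caller.
  $required_group = 'CN=Drupal Users,OU=Groups,DC=example,DC=com';
  $member_of = $ldap_user->getAttribute('memberOf') ?? [];
  foreach ($member_of as $group_dn) {
    if (strcasecmp($group_dn, $required_group) === 0) {
      // Member of the required group: leave $hook_result TRUE.
      return;
    }
  }

  \Drupal::logger('mymodule')->notice('Refusing %name: not a member of %group.', [
    '%name' => $auth_name,
    '%group' => $required_group,
  ]);
  $hook_result = FALSE;
}
```

Two things to keep in mind when writing such a hook: the `Entry` only carries the attributes the ldap module requested from the server, so make sure `memberOf` (or whatever you test) is included in the configured attribute list, and because the caller only logs the refusal generically, the hook should log its own reason so an operator can tell a disabled account from a missing group membership.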