
function ldapauth_drupal_user_create in LDAP integration 6

Create a new Drupal user from an LDAP user entry with checks to ensure that:

The admin settings allow account creation. The user name is unique. The e-mail is unique and not a reserved address. If PUIDs are used, the PUID is unique and not null.

Parameters

LDAPInterface $ldap An initialized LDAP server interface object.

String $name The LDAP user name/login name. If NULL, the user name will be extracted from the LDAP attributes.

Mixed $ldap_user The user's dn, or an array with the user's LDAP attributes.

String $error An error message, or '' if there were no errors. Errors are also logged via watchdog.

Return value

The new user object, or FALSE if an error occurred.

3 calls to ldapauth_drupal_user_create()
ldapauth_authenticate in ./ldapauth.module
Main user authentication function. Called by form validator.
_ldapauth_auth in ./ldapauth.module
Authenticate the user against LDAP servers.
_ldapsync_process_entry in ./ldapsync.module
Take an ldap object entry and determine if there is an existing account or a new account needs to be created.

File

includes/ldap.core.inc, line 454
The core functions that ldapauth supplies for submodules. Will be included by default by ldapauth.

Code

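/**
 * Return the first value of an LDAP attribute from an entry array.
 *
 * The attribute is looked up first under the name as configured and then
 * lower-cased, because the attribute keys in an entry array may be returned
 * in lower case.
 *
 * @param mixed $ldap_user
 *   The LDAP entry array (or FALSE/NULL when no entry was found).
 * @param string $attr
 *   The attribute name to read.
 * @param mixed $default
 *   Value returned when the attribute has no first value.
 *
 * @return mixed
 *   The first attribute value, or $default.
 */
function _ldapauth_drupal_user_create_attr_value($ldap_user, $attr, $default) {
  if (isset($ldap_user[$attr][0])) {
    return $ldap_user[$attr][0];
  }
  $lower_attr = drupal_strtolower($attr);
  if (isset($ldap_user[$lower_attr][0])) {
    return $ldap_user[$lower_attr][0];
  }
  return $default;
}

/**
 * Create a new Drupal user from an LDAP user entry.
 *
 * Before the account is saved the function checks that:
 * - the admin settings allow account creation (ldapauth_create_users);
 * - the Drupal user name is unique;
 * - the e-mail is unique and not a reserved (denied) address;
 * - if PUIDs are used, the PUID is non-empty and not already linked to
 *   another account.
 *
 * @param LDAPInterface $ldap
 *   An initialized LDAP server interface object.
 * @param string $name
 *   The LDAP user name/login name. If empty, it is extracted from the
 *   entry's user attribute.
 * @param mixed $ldap_user
 *   Either the user's dn (string) or an array of LDAP attributes that
 *   includes a 'dn' key.
 * @param string $error
 *   Set to an error message, or '' if there were no errors. Errors are also
 *   logged via watchdog().
 *
 * @return
 *   The new user object, or FALSE if an error occurred.
 */
function ldapauth_drupal_user_create($ldap, $name, $ldap_user, &$error) {
  $error = '';

  // Accept either a bare dn or an attribute array that carries the dn.
  if (is_string($ldap_user)) {
    $is_dn = TRUE;
    $dn = $ldap_user;
  }
  elseif (isset($ldap_user['dn'])) {
    $is_dn = FALSE;
    $dn = $ldap_user['dn'];
  }
  else {
    $error = t('Invalid LDAP information supplied!  Could not find dn.');
    watchdog('ldapauth', 'Drupal user %name could not be created because the ldap_user parameter did not contain a valid dn.', array(
      '%name' => $name,
    ), WATCHDOG_ERROR);
    return FALSE;
  }

  // Has the admin turned off automatic account creation?
  if (!variable_get('ldapauth_create_users', TRUE)) {
    $error = t('Your account is not authorized to access this system.');
    watchdog('ldapauth', 'The valid LDAP account %name was denied access because there was no matching Drupal account.', array(
      '%name' => $name,
    ), WATCHDOG_ERROR);
    return FALSE;
  }

  if ($is_dn) {
    $ldap_user = ldapauth_user_lookup_by_dn($ldap, $dn, LDAPAUTH_SYNC_CONTEXT_AUTHENTICATE_DRUPAL_USER);
  }

  $name_attr = $ldap->getOption('user_attr') ? $ldap->getOption('user_attr') : LDAPAUTH_DEFAULT_USER_ATTR;

  // Derive the login name from the LDAP user attribute if none was supplied.
  if (!$name) {
    $name = _ldapauth_drupal_user_create_attr_value($ldap_user, $name_attr, $name);
  }

  // Let other modules change the Drupal name if needed.
  $drupal_name = ldapauth_drupal_user_name($name, $ldap, $dn);

  // Check for a unique name; probably already done, but double check.
  if (user_load(array(
    'name' => $drupal_name,
  ))) {
    watchdog('ldapauth', 'LDAP user with DN %dn has a naming conflict with a local Drupal user %name', array(
      '%dn' => $dn,
      '%name' => $drupal_name,
    ), WATCHDOG_ERROR);
    $error = t('Another user already exists in the system with the same login name. You should contact the system administrator in order to solve this conflict.');
    return FALSE;
  }

  // A dn lookup may have found nothing.
  if (!$ldap_user) {
    $error = t("Could not find dn entry! dn=%dn", array(
      '%dn' => $dn,
    ));
    return FALSE;
  }

  // If the mail attribute is missing, fall back to the name as mail. The
  // configured attribute is resolved once so that an empty 'mail_attr'
  // option consistently uses the default instead of indexing by ''.
  $mail_attr = $ldap->getOption('mail_attr') ? $ldap->getOption('mail_attr') : LDAPAUTH_DEFAULT_MAIL_ATTR;
  $init = $mail = _ldapauth_drupal_user_create_attr_value($ldap_user, $mail_attr, $name);

  // Check that the e-mail is not denied.
  if (drupal_is_denied('mail', $mail)) {
    $error = t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array(
      '%name' => $name,
    ));
    return FALSE;
  }

  // Check that the e-mail is unique.
  if (user_load(array(
    'mail' => $mail,
  ))) {
    $error = t('The e-mail address, %mail, associated with this account is already in use.', array(
      '%mail' => $mail,
    ));
    watchdog('ldapauth', 'The valid LDAP account %name was denied access their email address, %mail, was already in use.', array(
      '%name' => $name,
      '%mail' => $mail,
    ), WATCHDOG_ERROR);
    return FALSE;
  }

  $sid = $ldap->getOption('sid');
  $puid_attr = $ldap->getOption('puid_attr');

  // Validate / create the PUID entry. A PUID must be present and must not
  // already be linked to another Drupal account.
  if ($puid_attr) {
    $puid = ldapauth_extract_puid($sid, $name, $ldap_user);
    if (empty($puid)) {
      // Give other modules a chance to create a puid if needed.
      drupal_alter('ldap_user_puid', $puid, $name, $dn, $sid);
    }
    if (empty($puid)) {
      $error = t("This LDAP user entry was not configured properly (No PUID).  Please contact your system administrator.");
      watchdog('ldapauth', 'LDAP user did not have required PUID attribute! ldap_attr=%attr sid=%sid dn=%dn', array(
        '%attr' => $puid_attr,
        '%sid' => $sid,
        '%dn' => $dn,
      ), WATCHDOG_ERROR);
      return FALSE;
    }
    if (ldapauth_userinfo_load_by_puid($puid)) {
      $error = t("This LDAP user entry was not configured properly (Duplicate PUID).  Please contact your system administrator.");
      watchdog('ldapauth', 'A duplicate PUID was found! attr=%attr sid=%sid dn=%dn', array(
        '%attr' => $puid_attr,
        '%sid' => $sid,
        '%dn' => $dn,
      ), WATCHDOG_ERROR);
      return FALSE;
    }
  }
  else {
    // Default to $name for the PUID.
    $puid = $name;
  }

  // Use the name as it is set in the LDAP server, unless another module has
  // altered it.
  $name_new = _ldapauth_drupal_user_create_attr_value($ldap_user, $name_attr, $name);
  if ($drupal_name !== $name) {
    $name_new = $drupal_name;
  }

  // Always give the Drupal account a random local password: the LDAP
  // password is never available in this scope (the previous expression fell
  // back to an undefined $pass when password syncing was enabled, which would
  // have saved an unset password), and LDAP is used for authentication anyway.
  $pass_new = user_password(20);

  $new_user = array(
    'name' => $name_new,
    'pass' => $pass_new,
    'mail' => $mail,
    'init' => $init,
    'status' => 1,
    'authname_ldapauth' => $name,
    'ldap_authentified' => TRUE,
    // Use the resolved dn: an entry fetched by dn may not carry a 'dn' key.
    'ldap_dn' => $dn,
    'ldap_config' => $sid,
    'ldap_name' => $name,
  );
  $account = user_save('', $new_user);

  // user_save() returns FALSE on failure; do not record ldapauth info for a
  // non-existent account.
  if (!$account || empty($account->uid)) {
    $error = t('The Drupal account for %name could not be created.', array(
      '%name' => $name,
    ));
    watchdog('ldapauth', 'user_save() failed for the new LDAP user %name (dn=%dn).', array(
      '%name' => $name,
      '%dn' => $dn,
    ), WATCHDOG_ERROR);
    return FALSE;
  }

  // Save ldapauth_users info.
  $user_info = array(
    'uid' => $account->uid,
    'sid' => $sid,
    'machine_name' => $ldap->getOption('machine_name'),
    'dn' => $dn,
    'puid' => $puid,
  );
  ldapauth_userinfo_save($user_info);
  watchdog('ldapauth', 'New external user %name created from the LDAP server %server.', array(
    '%name' => $name,
    '%server' => $ldap->getOption('name'),
  ), WATCHDOG_NOTICE, l(t('edit'), 'user/' . $account->uid . '/edit'));

  // Invoke post user creation hook.
  module_invoke_all('ldapauth_create', $account);
  return $account;
}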