
function ldapauth_drupal_user_lookup in LDAP integration 6

Map an LDAP user to a Drupal user account if one exists.

Parameters

LDAPInterface $ldap: An initialized LDAP server interface object.

String $name: The user name (from the login form).

String $dn: The user's DN.

String &$error: Receives an error message, or '' if no error occurred. NOTE: errors are NOT reported via watchdog; the caller is responsible for logging them.

String $puid: Optional; pass the PUID if it is already known (e.g. from ldapsync) to save an LDAP query.

Return value

A user object (with its `ldap_puid` property set), FALSE (no matching Drupal account — or, when no PUID attribute is configured, an LDAP-authenticated account that is bound to a different DN or server), or NULL on error (see $error).

3 calls to ldapauth_drupal_user_lookup()
ldapauth_authenticate in ./ldapauth.module
Main user authentication function. Called by form validator.
ldapgroups_user_test_output in ./ldapgroups.admin.inc
Generate the test results for the user and ldap settings.
_ldapsync_process_entry in ./ldapsync.module
Take an ldap object entry and determine if there is an existing account or a new account needs to be created.

File

includes/ldap.core.inc, line 336
The core functions that ldapauth supplies for submodules. Will be included by default by ldapauth.

Code

/**
 * Map an LDAP user to a Drupal user account if one exists.
 *
 * Two mapping strategies are used, selected by the server's 'puid_attr'
 * option:
 *  - PUID mode: the LDAP entry's persistent unique id is looked up in the
 *    ldapauth_users table; on a miss the Drupal user name is used to find
 *    and, when the stored DN and server id agree, re-link a pre-PUID account.
 *  - Name mode (no 'puid_attr'): the Drupal user name derived from the LDAP
 *    name is loaded and, for LDAP-authentified accounts, checked against the
 *    stored DN and server id.
 *
 * In both modes an account that is NOT flagged ldap_authentified is returned
 * as-is so the login process can decide whether to map it; the caller is
 * expected to apply the account-conflict policy before associating a local
 * account with an LDAP entry (presumably done in ldapauth_authenticate --
 * confirm there).
 *
 * @param LDAPInterface $ldap
 *   An initialized LDAP server interface object.
 * @param string $name
 *   The user name (from the login form).
 * @param string $dn
 *   The user's DN.
 * @param string $error
 *   By reference. Set to an error message, or '' when no error occurred.
 *   Errors are NOT reported via watchdog.
 * @param string $puid
 *   Optional PUID, to save an LDAP query when it is already known
 *   (e.g. ldapsync).
 *
 * @return
 *   A user object with ->ldap_puid set, FALSE (no matching Drupal account, or
 *   in name mode an LDAP-authentified account bound to a different DN or
 *   server), or NULL on error (see $error).
 */
function ldapauth_drupal_user_lookup($ldap, $name, $dn, &$error, $puid = NULL) {
  $error = '';
  if (!$ldap) {
    $error = t('LDAPInterface not initialized in ldapauth_drupal_user_lookup!');
    return NULL;
  }
  $sid = $ldap->getOption('sid');
  $puid_attr = $ldap->getOption('puid_attr');

  // ---- Name mode: no PUID attribute configured for this server. -----------
  if (!$puid_attr) {
    $drupal_name = ldapauth_drupal_user_name($name, $ldap, $dn);
    $account = user_load(array('name' => $drupal_name));
    if (!$account) {
      return FALSE;
    }
    // A plain local account: hand it back and let the caller decide whether
    // to map it.  Without a PUID attribute the login name doubles as the PUID.
    if (!$account->ldap_authentified) {
      $account->ldap_puid = $name;
      return $account;
    }
    // LDAP-authentified account: it must be bound to this DN ...
    // NOTE(review): this is a case-folded string compare only; DNs that differ
    // in spacing or escaping are treated as different.
    if (drupal_strtolower($account->ldap_dn) != drupal_strtolower($dn)) {
      return FALSE;
    }
    // ... and to this server, unless the server it was bound to no longer
    // exists (stale sid after a server was deleted).
    $old_server = ldapauth_server_load($account->ldap_config);
    if ($account->ldap_config != $sid && !empty($old_server)) {
      return FALSE;
    }
    $account->ldap_puid = $name;
    return $account;
  }

  // ---- PUID mode. ---------------------------------------------------------
  // Resolve the PUID from the directory unless the caller already knows it.
  if (!$puid) {
    $ldap_entry = ldapauth_user_lookup_by_dn($ldap, $dn, LDAPAUTH_SYNC_CONTEXT_AUTHENTICATE_DRUPAL_USER);
    if (empty($ldap_entry)) {
      $error = t("Error looking up user in LDAP:  Supplied dn not found! sid=%sid dn=%dn", array(
        '%sid' => $sid,
        '%dn' => $dn,
      ));
      return NULL;
    }
    $puid = ldapauth_extract_puid($sid, $name, $ldap_entry);
  }
  if (empty($puid)) {
    $error = t("LDAP user did not have required PUID attribute, %puid_attr! sid=%sid dn=%dn", array(
      '%puid_attr' => $puid_attr,
      '%sid' => $sid,
      '%dn' => $dn,
    ));
    return NULL;
  }

  // Fast path: the PUID is already mapped in ldapauth_users.
  $user_info = ldapauth_userinfo_load_by_puid($puid);
  if (isset($user_info->uid)) {
    $account = user_load($user_info->uid);
    $account->ldap_puid = $puid;
    return $account;
  }

  // No mapping for this PUID: fall back to the user name so a mapping can be
  // rebuilt for a pre-PUID account, a changed PUID attribute, or a server that
  // was re-created with a new sid.
  // TODO: Make this configurable?
  $drupal_name = ldapauth_drupal_user_name($name, $ldap, $dn);
  $account = user_load(array('name' => $drupal_name));
  if (!$account) {
    return FALSE;
  }

  // isset() here (unlike the truthiness test in name mode), so an account
  // with ldap_authentified = FALSE still takes this path.
  if (isset($account->ldap_authentified)) {
    $existing = ldapauth_userinfo_load_by_uid($account->uid);
    // The name already belongs to an account mapped to some other PUID.
    if (!empty($existing)) {
      $error = t('User, %name, already associated with a different LDAP user', array(
        '%name' => $name,
      ));
      return NULL;
    }
    // Re-link only when the stored DN matches and the sid matches (or the old
    // server is gone).
    if (drupal_strtolower($account->ldap_dn) == drupal_strtolower($dn)) {
      $old_server = ldapauth_server_load($account->ldap_config);
      if ($account->ldap_config == $sid || empty($old_server)) {
        $mapping = array(
          'uid' => $account->uid,
          'sid' => $sid,
          'machine_name' => $ldap->getOption('machine_name'),
          'dn' => $dn,
          'puid' => $puid,
        );
        ldapauth_userinfo_save($mapping);
        $account->ldap_puid = $puid;
        return $account;
      }
    }
    // NOTE(review): an ldap_authentified account whose stored DN or sid does
    // NOT match falls through here and is still returned, whereas name mode
    // returns FALSE in the same situation.  Callers must re-check ldap_dn /
    // ldap_config before trusting such an account -- confirm against
    // ldapauth_authenticate.
  }

  // Plain local (or unmatched) account: the caller decides whether to map it.
  $account->ldap_puid = $puid;
  return $account;
}