Diffstat (limited to 'lib/plugins/authldap/auth.php')
-rw-r--r-- | lib/plugins/authldap/auth.php | 110 |
1 files changed, 63 insertions, 47 deletions
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 723685f94..721abb48e 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -1,10 +1,4 @@ <?php -/** - * Plugin auth provider - * - * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) - * @author Jan Schumann <js@schumann-it.com> - */ // must be run within Dokuwiki if(!defined('DOKU_INC')) die();
@@ -16,8 +10,7 @@ if(!defined('DOKU_INC')) die(); * @author Chris Smith <chris@jalakaic.co.uk> * @author Jan Schumann <js@schumann-it.com> */ -class auth_plugin_authldap extends DokuWiki_Auth_Plugin -{ +class auth_plugin_authldap extends DokuWiki_Auth_Plugin { var $cnf = null; var $con = null; var $bound = 0; // 0: anonymous, 1: user, 2: superuser
@@ -25,7 +18,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin /** * Constructor */ - function auth_plugin_authldap(){ + function __construct(){ global $conf; $this->cnf = $conf['auth']['ldap'];
@@ -317,8 +310,6 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin } } return $result; - - } /**
@@ -370,7 +361,6 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin function _constructPattern($filter) { $this->_pattern = array(); foreach ($filter as $item => $pattern) { -// $this->_pattern[$item] = '/'.preg_quote($pattern,"/").'/i'; // don't allow regex characters $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/i'; // allow regex characters } }
@@ -400,49 +390,75 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin $this->bound = 0; $port = ($this->cnf['port']) ? $this->cnf['port'] : 389; - $this->con = @ldap_connect($this->cnf['server'],$port); - if(!$this->con){ - msg("LDAP: couldn't connect to LDAP server",-1); - return false; - } + $bound = false; + $servers = explode(',', $this->cnf['server']); + foreach ($servers as $server) { + $server = trim($server); + $this->con = @ldap_connect($server, $port); + if (!$this->con) { + continue; + } - //set protocol version and dependend options - if($this->cnf['version']){ - if(!@ldap_set_option($this->con, LDAP_OPT_PROTOCOL_VERSION, - $this->cnf['version'])){ - msg('Setting LDAP Protocol version '.$this->cnf['version'].' failed',-1); - if($this->cnf['debug']) - msg('LDAP version set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); - }else{ - //use TLS (needs version 3) - if($this->cnf['starttls']) { - if (!@ldap_start_tls($this->con)){ - msg('Starting TLS failed',-1); - if($this->cnf['debug']) - msg('LDAP TLS set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + /* + * When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource as it does + * not actually connect but just initializes the connecting parameters. The actual + * connect happens with the next calls to ldap_* funcs, usually with ldap_bind(). + * + * So we should try to bind to server in order to check its availability. + */ + + //set protocol version and dependend options + if($this->cnf['version']){ + if(!@ldap_set_option($this->con, LDAP_OPT_PROTOCOL_VERSION, + $this->cnf['version'])){ + msg('Setting LDAP Protocol version '.$this->cnf['version'].' 
failed',-1); + if($this->cnf['debug']) + msg('LDAP version set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + }else{ + //use TLS (needs version 3) + if($this->cnf['starttls']) { + if (!@ldap_start_tls($this->con)){ + msg('Starting TLS failed',-1); + if($this->cnf['debug']) + msg('LDAP TLS set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + } } - } - // needs version 3 - if(isset($this->cnf['referrals'])) { - if(!@ldap_set_option($this->con, LDAP_OPT_REFERRALS, - $this->cnf['referrals'])){ - msg('Setting LDAP referrals to off failed',-1); - if($this->cnf['debug']) - msg('LDAP referal set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + // needs version 3 + if(isset($this->cnf['referrals'])) { + if(!@ldap_set_option($this->con, LDAP_OPT_REFERRALS, + $this->cnf['referrals'])){ + msg('Setting LDAP referrals to off failed',-1); + if($this->cnf['debug']) + msg('LDAP referal set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + } } } } - } - //set deref mode - if($this->cnf['deref']){ - if(!@ldap_set_option($this->con, LDAP_OPT_DEREF, $this->cnf['deref'])){ - msg('Setting LDAP Deref mode '.$this->cnf['deref'].' failed',-1); - if($this->cnf['debug']) - msg('LDAP deref set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + //set deref mode + if($this->cnf['deref']){ + if(!@ldap_set_option($this->con, LDAP_OPT_DEREF, $this->cnf['deref'])){ + msg('Setting LDAP Deref mode '.$this->cnf['deref'].' 
failed',-1); + if($this->cnf['debug']) + msg('LDAP deref set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + } + } + /* As of PHP 5.3.0 we can set timeout to speedup skipping of invalid servers */ + if (defined('LDAP_OPT_NETWORK_TIMEOUT')) { + ldap_set_option($this->con, LDAP_OPT_NETWORK_TIMEOUT, 1); } + $bound = @ldap_bind($this->con); + if ($bound) { + break; + } + } + + if(!$bound) { + msg("LDAP: couldn't connect to LDAP server",-1); + return false; } + $this->canDo['getUsers'] = true; return true; } @@ -468,4 +484,4 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin $attrsonly, $sizelimit, $timelimit, $deref); } } -}
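Review bot: In the new failover loop a failed `ldap_start_tls()` only emits `msg('Starting TLS failed',-1)` and then falls through to `@ldap_bind($this->con)`, so a server that cannot (or is prevented from) negotiating TLS is still selected by the `break` and the later credential bind goes over cleartext; when `starttls` is configured, a TLS failure should `continue` to the next server instead. Relatedly, `LDAP_OPT_NETWORK_TIMEOUT` is set only after the StartTLS and option calls, although the hunk's own comment says the real connect happens on the first `ldap_*` call after `ldap_connect()`, so an unreachable server with `starttls` enabled still blocks for the default timeout during the handshake — set the timeout right after `ldap_connect()` and drop the later block. Note also that the availability probe is an anonymous `ldap_bind()`; a directory that rejects anonymous binds would appear to fail every server and end in "couldn't connect", so if that deployment is supported the probe needs to distinguish a refused bind from an unreachable host. The enclosing function starts before this hunk.
```php
        foreach ($servers as $server) {
            $server = trim($server);
            $this->con = @ldap_connect($server, $port);
            if (!$this->con) {
                continue;
            }
            // Set the timeout before any call that actually opens the socket
            // (StartTLS / bind); otherwise a dead server blocks for the default timeout.
            if (defined('LDAP_OPT_NETWORK_TIMEOUT')) {
                ldap_set_option($this->con, LDAP_OPT_NETWORK_TIMEOUT, 1);
            }
            // … unchanged: protocol version option …
                    if($this->cnf['starttls']) {
                        if (!@ldap_start_tls($this->con)){
                            msg('Starting TLS failed',-1);
                            if($this->cnf['debug'])
                                msg('LDAP TLS set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__);
                            // never fall through to a cleartext bind when TLS is required
                            continue;
                        }
                    }
            // … unchanged: referrals and deref options …
            $bound = @ldap_bind($this->con);
            if ($bound) {
                break;
            }
        }
```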
\ No newline at end of file +} |