PageRenderTime 249ms CodeModel.GetById 81ms app.highlight 91ms RepoModel.GetById 70ms app.codeStats 0ms

/apps/user_ldap/lib/connection.php

https://github.com/sezuan/core
PHP | 678 lines | 545 code | 48 blank | 85 comment | 97 complexity | 8188d8c03d9be8fad89118867a1f543f MD5 | raw file
  1<?php
  2
  3/**
  4 * ownCloud – LDAP Access
  5 *
  6 * @author Arthur Schiwon
  7 * @copyright 2012, 2013 Arthur Schiwon blizzz@owncloud.com
  8 *
  9 * This library is free software; you can redistribute it and/or
 10 * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
 11 * License as published by the Free Software Foundation; either
 12 * version 3 of the License, or any later version.
 13 *
 14 * This library is distributed in the hope that it will be useful,
 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 17 * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
 18 *
 19 * You should have received a copy of the GNU Affero General Public
 20 * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 21 *
 22 */
 23
 24namespace OCA\user_ldap\lib;
 25
 26class Connection {
 27	private $ldapConnectionRes = null;
 28	private $configPrefix;
 29	private $configID;
 30	private $configured = false;
 31
 32	//cache handler
 33	protected $cache;
 34
 35	//settings
 36	protected $config = array(
 37		'ldapHost' => null,
 38		'ldapPort' => null,
 39		'ldapBackupHost' => null,
 40		'ldapBackupPort' => null,
 41		'ldapBase' => null,
 42		'ldapBaseUsers' => null,
 43		'ldapBaseGroups' => null,
 44		'ldapAgentName' => null,
 45		'ldapAgentPassword' => null,
 46		'ldapTLS' => null,
 47		'ldapNoCase' => null,
 48		'turnOffCertCheck' => null,
 49		'ldapIgnoreNamingRules' => null,
 50		'ldapUserDisplayName' => null,
 51		'ldapUserFilter' => null,
 52		'ldapGroupFilter' => null,
 53		'ldapGroupDisplayName' => null,
 54		'ldapGroupMemberAssocAttr' => null,
 55		'ldapLoginFilter' => null,
 56		'ldapQuotaAttribute' => null,
 57		'ldapQuotaDefault' => null,
 58		'ldapEmailAttribute' => null,
 59		'ldapCacheTTL' => null,
 60		'ldapUuidAttribute' => null,
 61		'ldapOverrideUuidAttribute' => null,
 62		'ldapOverrideMainServer' => false,
 63		'ldapConfigurationActive' => false,
 64		'ldapAttributesForUserSearch' => null,
 65		'ldapAttributesForGroupSearch' => null,
 66		'homeFolderNamingRule' => null,
 67		'hasPagedResultSupport' => false,
 68		'ldapExpertUsernameAttr' => null,
 69		'ldapExpertUUIDAttr' => null,
 70	);
 71
 72	/**
 73	 * @brief Constructor
 74	 * @param $configPrefix a string with the prefix for the configkey column (appconfig table)
 75	 * @param $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections
 76	 */
 77	public function __construct($configPrefix = '', $configID = 'user_ldap') {
 78		$this->configPrefix = $configPrefix;
 79		$this->configID = $configID;
 80		$this->cache = \OC_Cache::getGlobalCache();
 81		$this->config['hasPagedResultSupport'] = (function_exists('ldap_control_paged_result')
 82			&& function_exists('ldap_control_paged_result_response'));
 83	}
 84
 85	public function __destruct() {
 86		if(is_resource($this->ldapConnectionRes)) {
 87			@ldap_unbind($this->ldapConnectionRes);
 88		};
 89	}
 90
 91	public function __get($name) {
 92		if(!$this->configured) {
 93			$this->readConfiguration();
 94		}
 95
 96		if(isset($this->config[$name])) {
 97			return $this->config[$name];
 98		}
 99	}
100
101	public function __set($name, $value) {
102		$changed = false;
103		//only few options are writable
104		if($name === 'ldapUuidAttribute') {
105			\OCP\Util::writeLog('user_ldap', 'Set config ldapUuidAttribute to  '.$value, \OCP\Util::DEBUG);
106			$this->config[$name] = $value;
107			if(!empty($this->configID)) {
108				\OCP\Config::setAppValue($this->configID, $this->configPrefix.'ldap_uuid_attribute', $value);
109			}
110			$changed = true;
111		}
112		if($changed) {
113			$this->validateConfiguration();
114		}
115	}
116
117	/**
118	 * @brief initializes the LDAP backend
119	 * @param $force read the config settings no matter what
120	 *
121	 * initializes the LDAP backend
122	 */
123	public function init($force = false) {
124		$this->readConfiguration($force);
125		$this->establishConnection();
126	}
127
128	/**
129	 * Returns the LDAP handler
130	 */
131	public function getConnectionResource() {
132		if(!$this->ldapConnectionRes) {
133			$this->init();
134		} else if(!is_resource($this->ldapConnectionRes)) {
135			$this->ldapConnectionRes = null;
136			$this->establishConnection();
137		}
138		if(is_null($this->ldapConnectionRes)) {
139			\OCP\Util::writeLog('user_ldap', 'Connection could not be established', \OCP\Util::ERROR);
140		}
141		return $this->ldapConnectionRes;
142	}
143
144	private function getCacheKey($key) {
145		$prefix = 'LDAP-'.$this->configID.'-'.$this->configPrefix.'-';
146		if(is_null($key)) {
147			return $prefix;
148		}
149		return $prefix.md5($key);
150	}
151
152	public function getFromCache($key) {
153		if(!$this->configured) {
154			$this->readConfiguration();
155		}
156		if(!$this->config['ldapCacheTTL']) {
157			return null;
158		}
159		if(!$this->isCached($key)) {
160			return null;
161
162		}
163		$key = $this->getCacheKey($key);
164
165		return unserialize(base64_decode($this->cache->get($key)));
166	}
167
168	public function isCached($key) {
169		if(!$this->configured) {
170			$this->readConfiguration();
171		}
172		if(!$this->config['ldapCacheTTL']) {
173			return false;
174		}
175		$key = $this->getCacheKey($key);
176		return $this->cache->hasKey($key);
177	}
178
179	public function writeToCache($key, $value) {
180		if(!$this->configured) {
181			$this->readConfiguration();
182		}
183		if(!$this->config['ldapCacheTTL']
184			|| !$this->config['ldapConfigurationActive']) {
185			return null;
186		}
187		$key   = $this->getCacheKey($key);
188		$value = base64_encode(serialize($value));
189		$this->cache->set($key, $value, $this->config['ldapCacheTTL']);
190	}
191
192	public function clearCache() {
193		$this->cache->clear($this->getCacheKey(null));
194	}
195
196	private function getValue($varname) {
197		static $defaults;
198		if(is_null($defaults)) {
199			$defaults = $this->getDefaults();
200		}
201		return \OCP\Config::getAppValue($this->configID,
202										$this->configPrefix.$varname,
203										$defaults[$varname]);
204	}
205
206	private function setValue($varname, $value) {
207		\OCP\Config::setAppValue($this->configID,
208									$this->configPrefix.$varname,
209									$value);
210	}
211
212	/**
213	 * Special handling for reading Base Configuration
214	 *
215	 * @param $base the internal name of the config key
216	 * @param $value the value stored for the base
217	 */
218	private function readBase($base, $value) {
219		if(empty($value)) {
220			$value = '';
221		} else {
222			$value = preg_split('/\r\n|\r|\n/', $value);
223		}
224
225		$this->config[$base] = $value;
226	}
227
228	/**
229	 * Caches the general LDAP configuration.
230	 */
231	private function readConfiguration($force = false) {
232		if((!$this->configured || $force) && !is_null($this->configID)) {
233			$v = 'getValue';
234			$this->config['ldapHost']       = $this->$v('ldap_host');
235			$this->config['ldapBackupHost'] = $this->$v('ldap_backup_host');
236			$this->config['ldapPort']       = $this->$v('ldap_port');
237			$this->config['ldapBackupPort'] = $this->$v('ldap_backup_port');
238			$this->config['ldapOverrideMainServer']
239				= $this->$v('ldap_override_main_server');
240			$this->config['ldapAgentName']  = $this->$v('ldap_dn');
241			$this->config['ldapAgentPassword']
242				= base64_decode($this->$v('ldap_agent_password'));
243			$this->readBase('ldapBase',       $this->$v('ldap_base'));
244			$this->readBase('ldapBaseUsers',  $this->$v('ldap_base_users'));
245			$this->readBase('ldapBaseGroups', $this->$v('ldap_base_groups'));
246			$this->config['ldapTLS']        = $this->$v('ldap_tls');
247			$this->config['ldapNoCase']     = $this->$v('ldap_nocase');
248			$this->config['turnOffCertCheck']
249				= $this->$v('ldap_turn_off_cert_check');
250			$this->config['ldapUserDisplayName']
251				= mb_strtolower($this->$v('ldap_display_name'), 'UTF-8');
252			$this->config['ldapUserFilter']
253				= $this->$v('ldap_userlist_filter');
254			$this->config['ldapGroupFilter'] = $this->$v('ldap_group_filter');
255			$this->config['ldapLoginFilter'] = $this->$v('ldap_login_filter');
256			$this->config['ldapGroupDisplayName']
257				= mb_strtolower($this->$v('ldap_group_display_name'), 'UTF-8');
258			$this->config['ldapQuotaAttribute']
259				= $this->$v('ldap_quota_attr');
260			$this->config['ldapQuotaDefault']
261				= $this->$v('ldap_quota_def');
262			$this->config['ldapEmailAttribute']
263				= $this->$v('ldap_email_attr');
264			$this->config['ldapGroupMemberAssocAttr']
265				= $this->$v('ldap_group_member_assoc_attribute');
266			$this->config['ldapIgnoreNamingRules']
267				= \OCP\Config::getSystemValue('ldapIgnoreNamingRules', false);
268			$this->config['ldapCacheTTL']    = $this->$v('ldap_cache_ttl');
269			$this->config['ldapUuidAttribute']
270				= $this->$v('ldap_uuid_attribute');
271			$this->config['ldapOverrideUuidAttribute']
272				= $this->$v('ldap_override_uuid_attribute');
273			$this->config['homeFolderNamingRule']
274				= $this->$v('home_folder_naming_rule');
275			$this->config['ldapConfigurationActive']
276				= $this->$v('ldap_configuration_active');
277			$this->config['ldapAttributesForUserSearch']
278				= preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_user_search'));
279			$this->config['ldapAttributesForGroupSearch']
280				= preg_split('/\r\n|\r|\n/', $this->$v('ldap_attributes_for_group_search'));
281			$this->config['ldapExpertUsernameAttr']
282				= $this->$v('ldap_expert_username_attr');
283			$this->config['ldapExpertUUIDAttr']
284				= $this->$v('ldap_expert_uuid_attr');
285
286			$this->configured = $this->validateConfiguration();
287		}
288	}
289
290	/**
291	 * @return returns an array that maps internal variable names to database fields
292	 */
293	private function getConfigTranslationArray() {
294		static $array = array(
295			'ldap_host'=>'ldapHost',
296			'ldap_port'=>'ldapPort',
297			'ldap_backup_host'=>'ldapBackupHost',
298			'ldap_backup_port'=>'ldapBackupPort',
299			'ldap_override_main_server' => 'ldapOverrideMainServer',
300			'ldap_dn'=>'ldapAgentName',
301			'ldap_agent_password'=>'ldapAgentPassword',
302			'ldap_base'=>'ldapBase',
303			'ldap_base_users'=>'ldapBaseUsers',
304			'ldap_base_groups'=>'ldapBaseGroups',
305			'ldap_userlist_filter'=>'ldapUserFilter',
306			'ldap_login_filter'=>'ldapLoginFilter',
307			'ldap_group_filter'=>'ldapGroupFilter',
308			'ldap_display_name'=>'ldapUserDisplayName',
309			'ldap_group_display_name'=>'ldapGroupDisplayName',
310			'ldap_tls'=>'ldapTLS',
311			'ldap_nocase'=>'ldapNoCase',
312			'ldap_quota_def'=>'ldapQuotaDefault',
313			'ldap_quota_attr'=>'ldapQuotaAttribute',
314			'ldap_email_attr'=>'ldapEmailAttribute',
315			'ldap_group_member_assoc_attribute'=>'ldapGroupMemberAssocAttr',
316			'ldap_cache_ttl'=>'ldapCacheTTL',
317			'home_folder_naming_rule' => 'homeFolderNamingRule',
318			'ldap_turn_off_cert_check' => 'turnOffCertCheck',
319			'ldap_configuration_active' => 'ldapConfigurationActive',
320			'ldap_attributes_for_user_search' => 'ldapAttributesForUserSearch',
321			'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch',
322			'ldap_expert_username_attr' => 'ldapExpertUsernameAttr',
323			'ldap_expert_uuid_attr' => 'ldapExpertUUIDAttr',
324		);
325		return $array;
326	}
327
328	/**
329	 * @brief set LDAP configuration with values delivered by an array, not read from configuration
330	 * @param $config array that holds the config parameters in an associated array
331	 * @param &$setParameters optional; array where the set fields will be given to
332	 * @return true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters
333	 */
334	public function setConfiguration($config, &$setParameters = null) {
335		if(!is_array($config)) {
336			return false;
337		}
338
339		$params = $this->getConfigTranslationArray();
340
341		foreach($config as $parameter => $value) {
342			if(($parameter === 'homeFolderNamingRule'
343				|| (isset($params[$parameter])
344					&& $params[$parameter] === 'homeFolderNamingRule'))
345				&& !empty($value)) {
346				$value = 'attr:'.$value;
347			}
348		    if(isset($this->config[$parameter])) {
349				$this->config[$parameter] = $value;
350				if(is_array($setParameters)) {
351					$setParameters[] = $parameter;
352				}
353		    } else if(isset($params[$parameter])) {
354				$this->config[$params[$parameter]] = $value;
355				if(is_array($setParameters)) {
356					$setParameters[] = $params[$parameter];
357				}
358		    }
359		}
360
361		$this->configured = $this->validateConfiguration();
362
363		return $this->configured;
364	}
365
366	/**
367	 * @brief saves the current Configuration in the database
368	 */
369	public function saveConfiguration() {
370		$trans = array_flip($this->getConfigTranslationArray());
371		foreach($this->config as $key => $value) {
372			\OCP\Util::writeLog('user_ldap', 'LDAP: storing key '.$key.' value '.$value, \OCP\Util::DEBUG);
373			switch ($key) {
374				case 'ldapAgentPassword':
375					$value = base64_encode($value);
376					break;
377				case 'ldapBase':
378				case 'ldapBaseUsers':
379				case 'ldapBaseGroups':
380				case 'ldapAttributesForUserSearch':
381				case 'ldapAttributesForGroupSearch':
382					if(is_array($value)) {
383						$value = implode("\n", $value);
384					}
385					break;
386				case 'ldapIgnoreNamingRules':
387				case 'ldapOverrideUuidAttribute':
388				case 'ldapUuidAttribute':
389				case 'hasPagedResultSupport':
390					continue 2;
391			}
392			if(is_null($value)) {
393				$value = '';
394			}
395
396		    $this->setValue($trans[$key], $value);
397		}
398		$this->clearCache();
399	}
400
401	/**
402	 * @brief get the current LDAP configuration
403	 * @return array
404	 */
405	public function getConfiguration() {
406		$this->readConfiguration();
407		$trans = $this->getConfigTranslationArray();
408		$config = array();
409		foreach($trans as $dbKey => $classKey) {
410			if($classKey === 'homeFolderNamingRule') {
411				if(strpos($this->config[$classKey], 'attr:') === 0) {
412					$config[$dbKey] = substr($this->config[$classKey], 5);
413				} else {
414					$config[$dbKey] = '';
415				}
416				continue;
417			} else if((strpos($classKey, 'ldapBase') !== false)
418					|| (strpos($classKey, 'ldapAttributes') !== false)) {
419				$config[$dbKey] = implode("\n", $this->config[$classKey]);
420				continue;
421			}
422			$config[$dbKey] = $this->config[$classKey];
423		}
424
425		return $config;
426	}
427
428	/**
429	 * @brief Validates the user specified configuration
430	 * @returns true if configuration seems OK, false otherwise
431	 */
432	private function validateConfiguration() {
433		// first step: "soft" checks: settings that are not really
434		// necessary, but advisable. If left empty, give an info message
435		if(empty($this->config['ldapBaseUsers'])) {
436			\OCP\Util::writeLog('user_ldap', 'Base tree for Users is empty, using Base DN', \OCP\Util::INFO);
437			$this->config['ldapBaseUsers'] = $this->config['ldapBase'];
438		}
439		if(empty($this->config['ldapBaseGroups'])) {
440			\OCP\Util::writeLog('user_ldap', 'Base tree for Groups is empty, using Base DN', \OCP\Util::INFO);
441			$this->config['ldapBaseGroups'] = $this->config['ldapBase'];
442		}
443		if(empty($this->config['ldapGroupFilter']) && empty($this->config['ldapGroupMemberAssocAttr'])) {
444			\OCP\Util::writeLog('user_ldap',
445				'No group filter is specified, LDAP group feature will not be used.',
446				\OCP\Util::INFO);
447		}
448		$uuidAttributes = array(
449			'auto', 'entryuuid', 'nsuniqueid', 'objectguid', 'guid');
450		if(!in_array($this->config['ldapUuidAttribute'], $uuidAttributes)
451			&& (!is_null($this->configID))) {
452			\OCP\Config::setAppValue($this->configID, $this->configPrefix.'ldap_uuid_attribute', 'auto');
453			\OCP\Util::writeLog('user_ldap',
454				'Illegal value for the UUID Attribute, reset to autodetect.',
455				\OCP\Util::INFO);
456		}
457		if(empty($this->config['ldapBackupPort'])) {
458			//force default
459			$this->config['ldapBackupPort'] = $this->config['ldapPort'];
460		}
461		foreach(array('ldapAttributesForUserSearch', 'ldapAttributesForGroupSearch') as $key) {
462			if(is_array($this->config[$key])
463				&& count($this->config[$key]) === 1
464				&& empty($this->config[$key][0])) {
465				$this->config[$key] = array();
466			}
467		}
468		if((strpos($this->config['ldapHost'], 'ldaps') === 0)
469			&& $this->config['ldapTLS']) {
470			$this->config['ldapTLS'] = false;
471			\OCP\Util::writeLog('user_ldap',
472				'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.',
473				\OCP\Util::INFO);
474		}
475
476
477
478		//second step: critical checks. If left empty or filled wrong, set as unconfigured and give a warning.
479		$configurationOK = true;
480		if(empty($this->config['ldapHost'])) {
481			\OCP\Util::writeLog('user_ldap', 'No LDAP host given, won`t connect.', \OCP\Util::WARN);
482			$configurationOK = false;
483		}
484		if(empty($this->config['ldapPort'])) {
485			\OCP\Util::writeLog('user_ldap', 'No LDAP Port given, won`t connect.', \OCP\Util::WARN);
486			$configurationOK = false;
487		}
488		if((empty($this->config['ldapAgentName']) && !empty($this->config['ldapAgentPassword']))
489			|| (!empty($this->config['ldapAgentName']) && empty($this->config['ldapAgentPassword']))) {
490			\OCP\Util::writeLog('user_ldap',
491				'Either no password given for the user agent or a password is given, but no LDAP agent; won`t connect.',
492				\OCP\Util::WARN);
493			$configurationOK = false;
494		}
495		//TODO: check if ldapAgentName is in DN form
496		if(empty($this->config['ldapBase'])
497			&& (empty($this->config['ldapBaseUsers'])
498			&& empty($this->config['ldapBaseGroups']))) {
499			\OCP\Util::writeLog('user_ldap', 'No Base DN given, won`t connect.', \OCP\Util::WARN);
500			$configurationOK = false;
501		}
502		if(empty($this->config['ldapUserDisplayName'])) {
503			\OCP\Util::writeLog('user_ldap',
504				'No user display name attribute specified, won`t connect.',
505				\OCP\Util::WARN);
506			$configurationOK = false;
507		}
508		if(empty($this->config['ldapGroupDisplayName'])) {
509			\OCP\Util::writeLog('user_ldap',
510				'No group display name attribute specified, won`t connect.',
511				\OCP\Util::WARN);
512			$configurationOK = false;
513		}
514		if(empty($this->config['ldapLoginFilter'])) {
515			\OCP\Util::writeLog('user_ldap', 'No login filter specified, won`t connect.', \OCP\Util::WARN);
516			$configurationOK = false;
517		}
518		if(mb_strpos($this->config['ldapLoginFilter'], '%uid', 0, 'UTF-8') === false) {
519			\OCP\Util::writeLog('user_ldap',
520				'Login filter does not contain %uid place holder, won`t connect.',
521				\OCP\Util::WARN);
522			\OCP\Util::writeLog('user_ldap', 'Login filter was ' . $this->config['ldapLoginFilter'], \OCP\Util::DEBUG);
523			$configurationOK = false;
524		}
525
526		if(!empty($this->config['ldapExpertUUIDAttr'])) {
527			$this->config['ldapUuidAttribute'] = $this->config['ldapExpertUUIDAttr'];
528		}
529
530		return $configurationOK;
531	}
532
533	/**
534	 * @returns an associative array with the default values. Keys are correspond
535	 * to config-value entries in the database table
536	 */
537	public function getDefaults() {
538		return array(
539			'ldap_host'                         => '',
540			'ldap_port'                         => '389',
541			'ldap_backup_host'                  => '',
542			'ldap_backup_port'                  => '',
543			'ldap_override_main_server'         => '',
544			'ldap_dn'                           => '',
545			'ldap_agent_password'               => '',
546			'ldap_base'                         => '',
547			'ldap_base_users'                   => '',
548			'ldap_base_groups'                  => '',
549			'ldap_userlist_filter'              => 'objectClass=person',
550			'ldap_login_filter'                 => 'uid=%uid',
551			'ldap_group_filter'                 => 'objectClass=posixGroup',
552			'ldap_display_name'                 => 'cn',
553			'ldap_group_display_name'           => 'cn',
554			'ldap_tls'                          => 1,
555			'ldap_nocase'                       => 0,
556			'ldap_quota_def'                    => '',
557			'ldap_quota_attr'                   => '',
558			'ldap_email_attr'                   => '',
559			'ldap_group_member_assoc_attribute' => 'uniqueMember',
560			'ldap_cache_ttl'                    => 600,
561			'ldap_uuid_attribute'				=> 'auto',
562			'ldap_override_uuid_attribute'		=> 0,
563			'home_folder_naming_rule'           => '',
564			'ldap_turn_off_cert_check'			=> 0,
565			'ldap_configuration_active'			=> 1,
566			'ldap_attributes_for_user_search'	=> '',
567			'ldap_attributes_for_group_search'	=> '',
568			'ldap_expert_username_attr'              => '',
569			'ldap_expert_uuid_attr'             => '',
570		);
571	}
572
573	/**
574	 * Connects and Binds to LDAP
575	 */
576	private function establishConnection() {
577		if(!$this->config['ldapConfigurationActive']) {
578			return null;
579		}
580		static $phpLDAPinstalled = true;
581		if(!$phpLDAPinstalled) {
582			return false;
583		}
584		if(!$this->configured) {
585			\OCP\Util::writeLog('user_ldap', 'Configuration is invalid, cannot connect', \OCP\Util::WARN);
586			return false;
587		}
588		if(!$this->ldapConnectionRes) {
589			if(!function_exists('ldap_connect')) {
590				$phpLDAPinstalled = false;
591				\OCP\Util::writeLog('user_ldap',
592					'function ldap_connect is not available. Make sure that the PHP ldap module is installed.',
593					\OCP\Util::ERROR);
594
595				return false;
596			}
597			if($this->config['turnOffCertCheck']) {
598				if(putenv('LDAPTLS_REQCERT=never')) {
599					\OCP\Util::writeLog('user_ldap',
600						'Turned off SSL certificate validation successfully.',
601						\OCP\Util::WARN);
602				} else {
603					\OCP\Util::writeLog('user_ldap', 'Could not turn off SSL certificate validation.', \OCP\Util::WARN);
604				}
605			}
606			if(!$this->config['ldapOverrideMainServer'] && !$this->getFromCache('overrideMainServer')) {
607				$this->doConnect($this->config['ldapHost'], $this->config['ldapPort']);
608				$bindStatus = $this->bind();
609				$error = is_resource($this->ldapConnectionRes) ? ldap_errno($this->ldapConnectionRes) : -1;
610			} else {
611				$bindStatus = false;
612				$error = null;
613			}
614
615			//if LDAP server is not reachable, try the Backup (Replica!) Server
616			if((!$bindStatus && ($error !== 0))
617				|| $this->config['ldapOverrideMainServer']
618				|| $this->getFromCache('overrideMainServer')) {
619					$this->doConnect($this->config['ldapBackupHost'], $this->config['ldapBackupPort']);
620					$bindStatus = $this->bind();
621					if(!$bindStatus && $error === -1) {
622						//when bind to backup server succeeded and failed to main server,
623						//skip contacting him until next cache refresh
624						$this->writeToCache('overrideMainServer', true);
625					}
626			}
627			return $bindStatus;
628		}
629	}
630
631	private function doConnect($host, $port) {
632		if(empty($host)) {
633			return false;
634		}
635		if(strpos($host, '://') !== false) {
636			//ldap_connect ignores port paramater when URLs are passed
637			$host .= ':' . $port;
638		}
639		$this->ldapConnectionRes = ldap_connect($host, $port);
640		if(ldap_set_option($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) {
641			if(ldap_set_option($this->ldapConnectionRes, LDAP_OPT_REFERRALS, 0)) {
642				if($this->config['ldapTLS']) {
643					ldap_start_tls($this->ldapConnectionRes);
644				}
645			}
646		}
647	}
648
649	/**
650	 * Binds to LDAP
651	 */
652	public function bind() {
653		static $getConnectionResourceAttempt = false;
654		if(!$this->config['ldapConfigurationActive']) {
655			return false;
656		}
657		if($getConnectionResourceAttempt) {
658			$getConnectionResourceAttempt = false;
659			return false;
660		}
661		$getConnectionResourceAttempt = true;
662		$cr = $this->getConnectionResource();
663		$getConnectionResourceAttempt = false;
664		if(!is_resource($cr)) {
665			return false;
666		}
667		$ldapLogin = @ldap_bind($cr, $this->config['ldapAgentName'], $this->config['ldapAgentPassword']);
668		if(!$ldapLogin) {
669			\OCP\Util::writeLog('user_ldap',
670				'Bind failed: ' . ldap_errno($cr) . ': ' . ldap_error($cr),
671				\OCP\Util::ERROR);
672			$this->ldapConnectionRes = null;
673			return false;
674		}
675		return true;
676	}
677
678}