Use Net_LDAP3::domain_root_dn() to resolve the domain DN for the %dc variable; replaces PR #268

config/defaults.inc.php

@@ -798,6 +798,10 @@ $config['ldap_public']['Verisign'] = array(
   // DN and password to bind as before searching for bind DN, if anonymous search is not allowed
   'search_bind_dn' => '',
   'search_bind_pw' => '',
+  // Base DN and filter used for resolving the user's domain root DN which feeds the %dc variables
+  // Leave empty to skip this lookup and derive the root DN from the username domain
+  'domain_base_dn' => '',
+  'domain_filter'  => '',
   // Optional map of replacement strings => attributes used when binding for an individual address book
   'search_bind_attrib' => array(),  // e.g. array('%udc' => 'ou')
   // Default for %dn variable if search doesn't return DN value

program/lib/Roundcube/rcube_ldap.php

@@ -283,13 +283,22 @@ class rcube_ldap extends rcube_addressbook
                 }
 
                 // Get the pieces needed for variable replacement.
-                if ($fu = $rcube->get_user_email())
+                if ($fu = $rcube->get_user_email()) {
                     list($u, $d) = explode('@', $fu);
-                else
+                }
+                else {
                     $d = $this->mail_domain;
+                }
 
                 $dc = 'dc='.strtr($d, array('.' => ',dc=')); // hierarchal domain string
 
+                // resolve $dc through LDAP
+                if (!empty($this->prop['domain_filter']) && !empty($this->prop['search_bind_dn']) &&
+                        method_exists($this->ldap, 'domain_root_dn')) {
+                    $this->ldap->bind($this->prop['search_bind_dn'], $this->prop['search_bind_pw']);
+                    $dc = $this->ldap->domain_root_dn($d);
+                }
+
                 $replaces = array('%dn' => '', '%dc' => $dc, '%d' => $d, '%fu' => $fu, '%u' => $u);
 
                 // Search for the dn to use to authenticate