- Added 'search_dn_default' variable in ldap config

- Better handling of situation when search for bind DN doesn't return data
13 years ago · c041d57036
parent a561cd35b8
commit c041d57036
2 changed files with 86 additions and 62 deletions
--- a/config/main.inc.php.dist
+++ b/config/main.inc.php.dist
@ -535,6 +535,8 @@ $rcmail_config['ldap_public']['Verisign'] = array(
  // The login name is used to search for the DN to bind with
  'search_base_dn' => '',
  'search_filter'  => '',   // e.g. '(&(objectClass=posixAccount)(uid=%u))'
+  // Default for %dn variable if search doesn't return DN value
+  'search_dn_default' => '',
  // Optional authentication identifier to be used as SASL authorization proxy
  // bind_dn need to be empty
  'auth_cid'       => '',
--- a/program/include/rcube_ldap.php
+++ b/program/include/rcube_ldap.php
@ -166,11 +166,13 @@ class rcube_ldap extends rcube_addressbook
        foreach ($this->prop['hosts'] as $host)
        {
            $host     = idn_to_ascii(rcube_parse_host($host));
-            $this->_debug("C: Connect [$host".($this->prop['port'] ? ':'.$this->prop['port'] : '')."]");
+            $hostname = $host.($this->prop['port'] ? ':'.$this->prop['port'] : '');
+
+            $this->_debug("C: Connect [$hostname]");

            if ($lc = @ldap_connect($host, $this->prop['port']))
            {
-                if ($this->prop['use_tls']===true)
+                if ($this->prop['use_tls'] === true)
                    if (!ldap_start_tls($lc))
                        continue;

@ -184,9 +186,18 @@ class rcube_ldap extends rcube_addressbook
            $this->_debug("S: NOT OK");
        }

-        if (is_resource($this->conn))
-        {
-            $this->ready = true;
+        // See if the directory is writeable.
+        if ($this->prop['writable']) {
+            $this->readonly = false;
+        }
+
+        if (!is_resource($this->conn)) {
+            raise_error(array('code' => 100, 'type' => 'ldap',
+                'file' => __FILE__, 'line' => __LINE__,
+                'message' => "Could not connect to any LDAP server, last tried $hostname"), true);
+
+            return false;
+        }

        $bind_pass = $this->prop['bind_pass'];
        $bind_user = $this->prop['bind_user'];
@ -211,7 +222,7 @@ class rcube_ldap extends rcube_addressbook

            $dc = 'dc='.strtr($d, array('.' => ',dc=')); // hierarchal domain string

-                $replaces = array('%dc' => $dc, '%d' => $d, '%fu' => $fu, '%u' => $u);
+            $replaces = array('%dn' => '', '%dc' => $dc, '%d' => $d, '%fu' => $fu, '%u' => $u);

            if ($this->prop['search_base_dn'] && $this->prop['search_filter']) {
                // Search for the dn to use to authenticate
@ -221,17 +232,33 @@ class rcube_ldap extends rcube_addressbook
                $this->_debug("S: searching with base {$this->prop['search_base_dn']} for {$this->prop['search_filter']}");

                $res = @ldap_search($this->conn, $this->prop['search_base_dn'], $this->prop['search_filter'], array('uid'));
-                    if ($res && ($entry = ldap_first_entry($this->conn, $res))) {
-                        $bind_dn = ldap_get_dn($this->conn, $entry);
-
+                if ($res) {
+                    if (($entry = ldap_first_entry($this->conn, $res))
+                        && ($bind_dn = ldap_get_dn($this->conn, $entry))
+                    ) {
                        $this->_debug("S: search returned dn: $bind_dn");
-
-                        if ($bind_dn) {
                        $dn = ldap_explode_dn($bind_dn, 1);
-                            $replaces = array('%dn' => $dn[0]) + $replaces;
+                        $replaces['%dn'] = $dn[0];
                    }
                }
+                else {
+                    $this->_debug("S: ".ldap_error($this->conn));
                }
+
+                // DN not found
+                if (empty($replaces['%dn'])) {
+                    if (!empty($this->prop['search_dn_default']))
+                        $replaces['%dn'] = $this->prop['search_dn_default'];
+                    else {
+                        raise_error(array(
+                            'code' => 100, 'type' => 'ldap',
+                            'file' => __FILE__, 'line' => __LINE__,
+                            'message' => "DN not found using LDAP search."), true);
+                        return false;
+                    }
+                }
+            }
+
            // Replace the bind_dn and base_dn variables.
            $bind_dn              = strtr($bind_dn, $replaces);
            $this->base_dn        = strtr($this->base_dn, $replaces);
@ -242,7 +269,10 @@ class rcube_ldap extends rcube_addressbook
            }
        }

-            if (!empty($bind_pass)) {
+        if (empty($bind_pass)) {
+            $this->ready = true;
+        }
+        else {
            if (!empty($bind_dn)) {
                $this->ready = $this->bind($bind_dn, $bind_pass);
            }
@ -253,16 +283,8 @@ class rcube_ldap extends rcube_addressbook
                $this->ready = $this->sasl_bind($bind_user, $bind_pass);
            }
        }
-        }
-        else
-            raise_error(array('code' => 100, 'type' => 'ldap',
-                'file' => __FILE__, 'line' => __LINE__,
-                'message' => "Could not connect to any LDAP server, last tried $host:{$this->prop[port]}"), true);

-        // See if the directory is writeable.
-        if ($this->prop['writable']) {
-            $this->readonly = false;
-        } // end if
+        return $this->ready;
    }