From 0b543a65082d2fbb44093ad5995b0ad1300572d3 Mon Sep 17 00:00:00 2001
From: paca70
Date: Wed, 22 Sep 2004 09:41:20 +0000
Subject: [PATCH] Added support for multiiple ldap-servers. When first server(s) are down there delay before connecting secondary servers. So you system feels slow if first server is down, but Moodle still authenticates to sedondary servers. Other major change: auth_ldap_bind fuction is removed. due phps ldap_connect() limitations auth_ldap_connect() does now also ldap_bind() to see if server is up.
---
 auth/ldap/lib.php | 169 ++++++++++++++++++++--------------------------
 1 file changed, 74 insertions(+), 95 deletions(-)
diff --git a/auth/ldap/lib.php b/auth/ldap/lib.php
index 57e4a4999f..daf4a5ad97 100644
--- a/auth/ldap/lib.php
+++ b/auth/ldap/lib.php
@@ -1,5 +1,8 @@ ldap_host_url"); } return false;
@@ -113,7 +116,7 @@ function auth_get_userinfo($username){
 $config = (array)$CFG;
 $attrmap = auth_ldap_attributes();
- $ldap_connection=auth_ldap_connect();
+ $ldapconnection=auth_ldap_connect();
 $result = array();
 $search_attribs = array();
@@ -124,16 +127,16 @@ function auth_get_userinfo($username){
 }
 }
- $user_dn = auth_ldap_find_userdn($ldap_connection, $username);
+ $user_dn = auth_ldap_find_userdn($ldapconnection, $username);
 if (empty($CFG->ldap_objectclass)) { // Can't send empty filter
 $CFG->ldap_objectclass="objectClass=*";
 }
- $user_info_result = ldap_read($ldap_connection,$user_dn,$CFG->ldap_objectclass, $search_attribs);
+ $user_info_result = ldap_read($ldapconnection,$user_dn,$CFG->ldap_objectclass, $search_attribs);
 if ($user_info_result) {
- $user_entry = ldap_get_entries($ldap_connection, $user_info_result);
+ $user_entry = ldap_get_entries($ldapconnection, $user_info_result);
 foreach ($attrmap as $key=>$value){
 if(isset($user_entry[0][strtolower($value)][0])){
 $result[$key]=$user_entry[0][strtolower($value)][0];
@@ -141,7 +144,7 @@ function auth_get_userinfo($username){
 }
 }
- @ldap_close($ldap_connection);
+ @ldap_close($ldapconnection);
 return $result;
 }
@@ -163,8 +166,7 @@ function auth_user_create ($userobject,$plainpass) {
 //return true if user is created, false on error
 global $CFG;
 $attrmap = auth_ldap_attributes();
- $ldapconnect = auth_ldap_connect();
- $ldapbind = auth_ldap_bind($ldapconnect);
+ $ldapconnection = auth_ldap_connect();
 $newuser = array();
@@ -182,9 +184,9 @@ function auth_user_create ($userobject,$plainpass) {
 $newuser['userpassword']=$plainpass;
 unset($newuser[country]);
- $uadd = ldap_add($ldapconnect, $CFG->ldap_user_attribute."=$userobject->username,".$CFG->ldap_create_context, $newuser);
+ $uadd = ldap_add($ldapconnection, $CFG->ldap_user_attribute."=$userobject->username,".$CFG->ldap_create_context, $newuser);
- ldap_close($ldapconnect);
+ ldap_close($ldapconnection);
 return $uadd;
 }
@@ -194,9 +196,7 @@ function auth_get_users($filter='*') {
 global $CFG;
 $fresult = array();
- $ldap_connection = auth_ldap_connect();
-
- auth_ldap_bind($ldap_connection);
+ $ldapconnection = auth_ldap_connect();
 if (empty($CFG->ldap_objectclass)) {
 $CFG->ldap_objectclass="objectClass=*";
@@ -227,17 +227,17 @@ function auth_get_users($filter='*') {
 if ($CFG->ldap_search_sub) {
 //use ldap_search to find first user from subtree
- $ldap_result = ldap_search($ldap_connection, $context,
+ $ldap_result = ldap_search($ldapconnection, $context,
 $filter, $search_attribs);
 } else {
 //search only in this context
- $ldap_result = ldap_list($ldap_connection, $context,
+ $ldap_result = ldap_list($ldapconnection, $context,
 $filter, $search_attribs);
 }
- $users = auth_ldap_get_entries($ldap_connection, $ldap_result);
+ $users = auth_ldap_get_entries($ldapconnection, $ldap_result);
 //add found users to list
 foreach ($users as $ldapuser=>$attribs) {
@@ -399,15 +399,14 @@ function auth_user_activate ($username) {
 //activate new ldap-user after email-address is confirmed
 global $CFG;
- $ldapconnect = auth_ldap_connect();
- $ldapbind = auth_ldap_bind($ldapconnect);
+ $ldapconnection = auth_ldap_connect();
 $userdn = auth_ldap_find_userdn($ldapconnect, $username);
 $newinfo['loginDisabled']="FALSE";
- $result = ldap_modify($ldapconnect, $userdn, $newinfo);
- ldap_close($ldapconnect);
+ $result = ldap_modify($ldapconnection, $userdn, $newinfo);
+ ldap_close($ldapconnection);
 return $result;
 }
@@ -416,13 +415,12 @@ function auth_user_disable ($username) {
 global $CFG;
 $ldapconnect = auth_ldap_connect();
- $ldapbind = auth_ldap_bind($ldapconnect);
- $userdn = auth_ldap_find_userdn($ldapconnect, $username);
+ $userdn = auth_ldap_find_userdn($ldapconnection, $username);
 $newinfo['loginDisabled']="TRUE";
- $result = ldap_modify($ldapconnect, $userdn, $newinfo);
- ldap_close($ldapconnect);
+ $result = ldap_modify($ldapconnection, $userdn, $newinfo);
+ ldap_close($ldapconnection);
 return $result;
 }
@@ -447,8 +445,7 @@ function auth_user_update($olduser, $newuser) {
 global $USER , $CFG;
- $ldap_connection = auth_ldap_connect();
- $ldapbind = auth_ldap_bind($ldap_connection);
+ $ldapconnection = auth_ldap_connect();
 $result = array();
 $search_attribs = array();
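Review bot: Two of the renames in this line were not carried through and leave an undefined variable on the new side: `auth_user_activate` still calls `auth_ldap_find_userdn($ldapconnect, $username)` after the handle was renamed to `$ldapconnection`, and `auth_user_disable` keeps the context line `$ldapconnect = auth_ldap_connect();` while its new lines read `$ldapconnection`. In both functions the search and the `ldap_modify` therefore run against an undefined handle, so the account is never actually enabled or disabled, yet the function still returns a false result that callers will read as an ordinary LDAP error. Change the first to `$userdn = auth_ldap_find_userdn($ldapconnection, $username);` and the second to `$ldapconnection = auth_ldap_connect();`. The `auth_user_update` hunk at the end of this line is consistent and needs nothing further.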
@@ -460,24 +457,24 @@ function auth_user_update($olduser, $newuser) {
 }
 }
- $user_dn = auth_ldap_find_userdn($ldap_connection, $olduser->username);
+ $user_dn = auth_ldap_find_userdn($ldapconnection, $olduser->username);
 if (empty($CFG->ldap_objectclass)) {
 $CFG->ldap_objectclass="objectClass=*";
 }
- $user_info_result = ldap_read($ldap_connection,$user_dn,$CFG->ldap_objectclass, $search_attribs);
+ $user_info_result = ldap_read($ldapconnection,$user_dn,$CFG->ldap_objectclass, $search_attribs);
 if ($user_info_result){
- $user_entry = ldap_get_entries($ldap_connection, $user_info_result);
+ $user_entry = ldap_get_entries($ldapconnection, $user_info_result);
 //error_log(var_export($user_entry) . 'fpp' );
 foreach ($attrmap as $key=>$ldapkey){
 if (isset($CFG->{'auth_user_'. $key.'_updateremote'}) && $CFG->{'auth_user_'. $key.'_updateremote'}){
 // skip update if the values already match
 if( !($newuser->$key === $user_entry[0][strtolower($ldapkey)][0]) ){
- ldap_modify($ldap_connection, $user_dn, array($ldapkey => utf8_encode($newuser->$key)));
+ ldap_modify($ldapconnection, $user_dn, array($ldapkey => utf8_encode($newuser->$key)));
 } else {
 error_log("Skip updating field $key for entry $user_dn: it seems to be already same on LDAP. " . " old moodle value: '" . $olduser->$key .
@@ -490,11 +487,11 @@ function auth_user_update($olduser, $newuser) {
 } else {
 error_log("ERROR:No user found in LDAP");
- @ldap_close($ldap_connection);
+ @ldap_close($ldapconnection);
 return false;
 }
- @ldap_close($ldap_connection);
+ @ldap_close($ldapconnection);
 return true;
@@ -508,27 +505,24 @@ function auth_user_update_password($username, $newpassword) {
 global $CFG;
 $result = false;
- $ldap_connection = auth_ldap_connect();
- $ldapbind = auth_ldap_bind($ldap_connection);
-
-
+ $ldapconnection = auth_ldap_connect();
- $user_dn = auth_ldap_find_userdn($ldap_connection, $username);
+ $user_dn = auth_ldap_find_userdn($ldapconnection, $username);
 if(!$user_dn){
 error_log('LDAP Error in auth_user_update_password(). No DN for: ' . $username);
 return false;
 }
 // send ldap the password in cleartext, it will md5 it itself
- $result = ldap_modify($ldap_connection, $user_dn, array('userPassword' => $newpassword));
+ $result = ldap_modify($ldapconnection, $user_dn, array('userPassword' => $newpassword));
 if(!$result){
 error_log('LDAP Error in auth_user_update_password(). Error code: '
- . ldap_errno($ldap_connection) . '; Error string : '
- . ldap_err2str(ldap_errno($ldap_connection)));
+ . ldap_errno($ldapconnection) . '; Error string : '
+ . ldap_err2str(ldap_errno($ldapconnection)));
 }
- @ldap_close($ldap_connection);
+ @ldap_close($ldapconnection);
 return $result;
 }
@@ -542,8 +536,6 @@ function auth_ldap_isgroupmember ($username='', $groupdns='') {
 global $CFG, $USER;
- $ldapconnect = auth_ldap_connect();
- $ldapbind = auth_ldap_bind($ldapconnect);
 if (empty($username) OR empty($groupdns)) {
 return false;
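Review bot: The `auth_ldap_isgroupmember` hunk removes `$ldapconnect = auth_ldap_connect();` and the bind without adding any replacement, and the function body continues past the hunk; if the remaining code still talks to the directory through `$ldapconnect`, that handle is now undefined and every membership check will error out instead of consulting the server. Please confirm the rest of the function obtains its own handle, e.g. `$ldapconnection = auth_ldap_connect();` placed after the `empty($username) OR empty($groupdns)` guard, before its first LDAP call. The `auth_user_update_password` hunk on this line is a consistent rename and needs nothing further.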
@@ -564,53 +556,43 @@ function auth_ldap_isgroupmember ($username='', $groupdns='') {
 }
 function auth_ldap_connect(){
-/// connects to ldap-server
+/// connects and binds to ldap-server
+/// Returns connection result
+ global $CFG;
+ $urls = explode(";",$CFG->ldap_host_url);
- $result = ldap_connect($CFG->ldap_host_url);
+ foreach ($urls as $server){
+ $connresult = ldap_connect($server);
+ //ldap_connect returns ALWAYS true
- if ($result) {
 if (!empty($CFG->ldap_version)) {
- ldap_set_option($result, LDAP_OPT_PROTOCOL_VERSION, $CFG->ldap_version);
+ ldap_set_option($connresult, LDAP_OPT_PROTOCOL_VERSION, $CFG->ldap_version);
 }
- return $result;
-
- } else {
- error("LDAP-module cannot connect to server: $CFG->ldap_host_url");
- return false;
- }
-}
-
-
-
-function auth_ldap_bind($ldap_connection){
-/// makes bind to ldap for searching users
-/// uses ldap_bind_dn or anonymous bind
-
- global $CFG;
+ if ($CFG->ldap_bind_dn){
+ //bind with search-user
+ $bindresult=@ldap_bind($connresult, $CFG->ldap_bind_dn,$CFG->ldap_bind_pw);
+ } else {
+ //bind anonymously
+ $bindresult=@ldap_bind($connresult);
+ }
- if ($CFG->ldap_bind_dn){
- //bind with search-user
- if (!ldap_bind($ldap_connection, $CFG->ldap_bind_dn,$CFG->ldap_bind_pw)){
- error("Error: could not bind ldap with ldap_bind_dn/pw");
- return false;
+ if ($bindresult) {
+ return $connresult;
 }
+ }
+
+ //If any of servers are alive we have already returned connection
+ error("LDAP-module cannot connect any LDAP servers : $CFG->ldap_host_url");
+ return false;
+}
- } else {
- //bind anonymously
- if ( !ldap_bind($ldap_connection)){
- error("Error: could not bind ldap anonymously");
- return false;
- }
- }
- return true;
-}
-function auth_ldap_find_userdn ($ldap_connection, $username){
+function auth_ldap_find_userdn ($ldapconnection, $username){
 /// return dn of username
 /// like: cn=username,ou=suborg,o=org
 /// or false if username not found
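Review bot: In the new `auth_ldap_connect()` a refused bind is indistinguishable from an unreachable server: `@ldap_bind(...)` hides the warning, the loop silently moves on to the next URL without closing `$connresult`, and the only diagnostic is the final "cannot connect any LDAP servers", so a wrong `ldap_bind_dn`/`ldap_bind_pw` on a healthy primary is reported as an outage and the operator has nothing per server to go on. A second point in the same loop: when `ldap_bind_dn` is configured but `ldap_bind_pw` is empty, `ldap_bind()` performs an unauthenticated bind that many directories accept, so the "bind with search-user" branch can succeed without the credential ever being checked; a configured bind DN with an empty password should be treated as a configuration error rather than fall through. The rewrite below records the per-server failure with `ldap_error()`, frees the handle before trying the next server, and refuses the empty-password bind, following the `error()` / `return false` pattern the hunk already uses.
```php
        if ($CFG->ldap_bind_dn){
            //bind with search-user; an empty password would be an unauthenticated
            //bind, which many directories accept, so refuse it outright
            if (empty($CFG->ldap_bind_pw)) {
                error("LDAP-module: ldap_bind_dn is set but ldap_bind_pw is empty");
                return false;
            }
            $bindresult=@ldap_bind($connresult, $CFG->ldap_bind_dn,$CFG->ldap_bind_pw);
        } else {
            //bind anonymously
            $bindresult=@ldap_bind($connresult);
        }

        if ($bindresult) {
            return $connresult;
        }
        //record which server refused the bind and why, so a bad bind DN/password
        //on a live server is not mistaken for an outage, then free the handle
        error_log("LDAP-module: bind to $server failed: " . ldap_error($connresult));
        @ldap_close($connresult);
    }
    // … unchanged: error() when no server accepted the bind …
```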
@@ -620,8 +602,6 @@ function auth_ldap_find_userdn ($ldap_connection, $username){
 //default return value
 $ldap_user_dn = FALSE;
- auth_ldap_bind($ldap_connection);
-
 //get all contexts and look for first matching user
 $ldap_contexts = explode(";",$CFG->ldap_contexts);
@@ -635,17 +615,17 @@ function auth_ldap_find_userdn ($ldap_connection, $username){
 if ($CFG->ldap_search_sub){
 //use ldap_search to find first user from subtree
- $ldap_result = ldap_search($ldap_connection, $context, "(".$CFG->ldap_user_attribute."=".$username.")",array($CFG->ldap_user_attribute));
+ $ldap_result = ldap_search($ldapconnection, $context, "(".$CFG->ldap_user_attribute."=".$username.")",array($CFG->ldap_user_attribute));
 } else {
 //search only in this context
- $ldap_result = ldap_list($ldap_connection, $context, "(".$CFG->ldap_user_attribute."=".$username.")",array($CFG->ldap_user_attribute));
+ $ldap_result = ldap_list($ldapconnection, $context, "(".$CFG->ldap_user_attribute."=".$username.")",array($CFG->ldap_user_attribute));
 }
- $entry = ldap_first_entry($ldap_connection,$ldap_result);
+ $entry = ldap_first_entry($ldapconnection,$ldap_result);
 if ($entry){
- $ldap_user_dn = ldap_get_dn($ldap_connection, $entry);
+ $ldap_user_dn = ldap_get_dn($ldapconnection, $entry);
 break ;
 }
 }
@@ -677,9 +657,8 @@ function auth_ldap_get_userlist($filter="*") {
 global $CFG;
 $fresult = array();
- $ldap_connection = auth_ldap_connect();
- auth_ldap_bind($ldap_connection);
+ $ldapconnection = auth_ldap_connect();
 if (empty($CFG->ldap_objectclass)) {
 $CFG->ldap_objectclass="objectClass=*";
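Review bot: On the renamed `ldap_search`/`ldap_list` lines in `auth_ldap_find_userdn` the caller-supplied `$username` is still concatenated straight into the filter `"(".$CFG->ldap_user_attribute."=".$username.")"`, so a value containing filter metacharacters (`*`, parentheses, backslash, NUL) changes the query instead of being matched literally, and because the function returns the first entry found, an unintended match resolves to a different user's DN. Escape the value per RFC 4515 before building the filter — `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+, or an explicit replacement of those characters on older PHP — and build the filter once into a local used by both branches rather than twice inline. The function begins outside this hunk, so the natural place for that local is just before `if ($CFG->ldap_search_sub){`. The `auth_ldap_get_userlist` hunk at the end of this line is a consistent rename and needs nothing further.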
@@ -699,17 +678,17 @@ function auth_ldap_get_userlist($filter="*") {
 if ($CFG->ldap_search_sub) {
 //use ldap_search to find first user from subtree
- $ldap_result = ldap_search($ldap_connection, $context,
+ $ldap_result = ldap_search($ldapconnection, $context,
 $filter, array($CFG->ldap_user_attribute));
 } else {
 //search only in this context
- $ldap_result = ldap_list($ldap_connection, $context,
+ $ldap_result = ldap_list($ldapconnection, $context,
 $filter, array($CFG->ldap_user_attribute));
 }
- $users = ldap_get_entries($ldap_connection, $ldap_result);
+ $users = ldap_get_entries($ldapconnection, $ldap_result);
 //add found users to list
 for ($i=0;$i<$users['count'];$i++) {
@@ -735,7 +714,7 @@ function auth_ldap_get_entries($conn, $searchresult){
 $i++;
 } while ($entry = ldap_next_entry($conn, $entry));
- //we're done
+ //were done
 return ($fresult);
 }
-- 
2.39.5
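Review bot: The only non-rename change on this line turns `//we're done` into `//were done` in `auth_ldap_get_entries`, which introduces a typo rather than fixing one; keep `//we're done`, or drop the comment altogether since `return ($fresult);` is self-explanatory. `auth_ldap_get_entries` begins outside this hunk.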