Support 2 ldap servers for HA

Author: Gaetano Giunta

Adapter/LDAP/Client.php

@@ -21,12 +21,12 @@ class Client implements ClientInterface
     protected $settings;
 
     /**
-     * @param LdapClientInterface $ldap
+     * @param LdapClientInterface|LdapClientInterface[] $ldap
      * @param array $settings
      *
      * @todo document the settings
      */
-    public function __construct(LdapClientInterface $ldap, array $settings)
+    public function __construct($ldap, array $settings)
     {
         $this->ldap = $ldap;
         $this->settings = $settings;
@@ -50,78 +50,92 @@ public function authenticateUser($username, $password)
     {
         if ($this->logger) $this->logger->info("Looking up remote user: '$username'");
 
-        try {
-            $this->ldap->bind($this->settings['search_dn'], $this->settings['search_password']);
-            $username = $this->ldap->escape($username, '', LDAP_ESCAPE_FILTER);
-            $query = str_replace('{username}', $username, $this->settings['filter']);
-            if (isset($this->settings['attributes']) && count($this->settings['attributes'])) {
-                $search = $this->ldap->find($this->settings['base_dn'], $query, $this->settings['attributes']);
-            } else {
-                $search = $this->ldap->find($this->settings['base_dn'], $query);
-            }
+        $ldaps = is_array($this->ldap) ? array_values($this->ldap) : array($this->ldap);
+        $i = 0;
 
-        } catch (ConnectionException $e) {
-            if ($this->logger) $this->logger->error(sprintf('Connection error "%s"', $e->getMessage()));
+        while (true) {
 
-            /// @todo shall we log an error ?
-            throw new AuthenticationServiceException(sprintf('Connection error "%s"', $e->getMessage()), 0, $e);
-        } catch (\Exception $e) {
-            if ($this->logger) $this->logger->error(sprintf('Unexpected error "%s"', $e->getMessage()));
+            $ldap = $ldaps[$i];
+            $i++;
 
-            throw new AuthenticationServiceException(sprintf('Internal error "%s"', $e->getMessage()), 0, $e);
-        }
+            try {
+                $ldap->bind($this->settings['search_dn'], $this->settings['search_password']);
+                $username = $ldap->escape($username, '', LDAP_ESCAPE_FILTER);
+                $query = str_replace('{username}', $username, $this->settings['filter']);
+                if (isset($this->settings['attributes']) && count($this->settings['attributes'])) {
+                    $search = $ldap->find($this->settings['base_dn'], $query, $this->settings['attributes']);
+                } else {
+                    $search = $ldap->find($this->settings['base_dn'], $query);
+                }
 
-        if (!$search) {
-            if ($this->logger) $this->logger->info("User not found");
+            } catch (ConnectionException $e) {
+                if ($this->logger) $this->logger->error(sprintf('Connection error "%s"', $e->getMessage()));
 
-            throw new BadCredentialsException(sprintf('User "%s" not found.', $username));
-        }
+                if ($i < count($ldaps)) {
+                    if ($this->logger) $this->logger->error("Connecting to ldap server $i");
+                    continue;
+                }
 
-        if ($search['count'] > 1) {
-            if ($this->logger) $this->logger->warning('More than one ldap account found for ' . $username);
+                /// @todo shall we log an error ?
+                throw new AuthenticationServiceException(sprintf('Connection error "%s"', $e->getMessage()), 0, $e);
+            } catch (\Exception $e) {
+                if ($this->logger) $this->logger->error(sprintf('Unexpected error "%s"', $e->getMessage()));
 
-            throw new AuthenticationServiceException('More than one user found');
-        }
+                throw new AuthenticationServiceException(sprintf('Internal error "%s"', $e->getMessage()), 0, $e);
+            }
 
-        // always carry out this check, as the data is needed to log in
-        if (!isset($this->settings['ldap_login_attribute']) || !isset($search[0][$this->settings['ldap_login_attribute']][0])) {
-            if ($this->logger) $this->logger->info("Authentication failed for user: '$username', missing attribute used to log in to ldap: " . @$this->settings['ldap_login_attribute']);
+            if (!$search) {
+                if ($this->logger) $this->logger->info("User not found");
 
-            throw new AuthenticationServiceException('Invalid user profile: missing ldap attribute needed for log-in');
-        }
+                throw new BadCredentialsException(sprintf('User "%s" not found.', $username));
+            }
 
-        try {
-            $this->validateLdapResults($search[0]);
-        } catch (\Exception $e) {
-            if ($this->logger) $this->logger->warning("Invalid user profile for user: '$username': ".$e->getMessage());
+            if ($search['count'] > 1) {
+                if ($this->logger) $this->logger->warning('More than one ldap account found for ' . $username);
 
-            throw new AuthenticationServiceException('Invalid user profile: '.$e->getMessage());
-        }
+                throw new AuthenticationServiceException('More than one user found');
+            }
 
-        if ($this->logger) $this->logger->info("Remote user found, attempting authentication for user: '$username'");
+            // always carry out this check, as the data is needed to log in
+            if (!isset($this->settings['ldap_login_attribute']) || !isset($search[0][$this->settings['ldap_login_attribute']][0])) {
+                if ($this->logger) $this->logger->info("Authentication failed for user: '$username', missing attribute used to log in to ldap: " . @$this->settings['ldap_login_attribute']);
 
-        try {
-            $this->ldap->bind($search[0][$this->settings['ldap_login_attribute']][0], $password);
-        } catch (ConnectionException $e) {
-            if ($this->logger) $this->logger->info("Authentication failed for user: '$username', bind failed: ".$e->getMessage());
-            throw new BadCredentialsException('The presented password is invalid.');
-        } catch (\Exception $e) {
-            if ($this->logger) $this->logger->info("Authentication failed for user: '$username', unexpected ldap error: ".$e->getMessage());
-            throw new AuthenticationServiceException('Unexpected exception: '.$e->getMessage());
-        }
+                throw new AuthenticationServiceException('Invalid user profile: missing ldap attribute needed for log-in');
+            }
+
+            try {
+                $this->validateLdapResults($search[0]);
+            } catch (\Exception $e) {
+                if ($this->logger) $this->logger->warning("Invalid user profile for user: '$username': ".$e->getMessage());
 
-        if ($this->logger) $this->logger->info("Authentication succeeded for user: '$username'");
+                throw new AuthenticationServiceException('Invalid user profile: '.$e->getMessage());
+            }
 
-        // allow ldap to give us back the actual login field to be used in eZ. It might be different because of dashes, spaces, case...
-        if (isset($this->settings['login_attribute']) && isset($search[0][$this->settings['login_attribute']][0])) {
-            if ($username != $search[0][$this->settings['login_attribute']][0]) {
-                if ($this->logger) $this->logger->info("Renamed user '$username' to '{$search[0][$this->settings['login_attribute']][0]}'");
+            if ($this->logger) $this->logger->info("Remote user found, attempting authentication for user: '$username'");
 
-                $username = $search[0][$this->settings['login_attribute']][0];
+            try {
+                $ldap->bind($search[0][$this->settings['ldap_login_attribute']][0], $password);
+            } catch (ConnectionException $e) {
+                if ($this->logger) $this->logger->info("Authentication failed for user: '$username', bind failed: ".$e->getMessage());
+                throw new BadCredentialsException('The presented password is invalid.');
+            } catch (\Exception $e) {
+                if ($this->logger) $this->logger->info("Authentication failed for user: '$username', unexpected ldap error: ".$e->getMessage());
+                throw new AuthenticationServiceException('Unexpected exception: '.$e->getMessage());
             }
-        }
 
-        return new RemoteUser($search[0], $this->settings['email_attribute'], $username, $password);
+            if ($this->logger) $this->logger->info("Authentication succeeded for user: '$username'");
+
+            // allow ldap to give us back the actual login field to be used in eZ. It might be different because of dashes, spaces, case...
+            if (isset($this->settings['login_attribute']) && isset($search[0][$this->settings['login_attribute']][0])) {
+                if ($username != $search[0][$this->settings['login_attribute']][0]) {
+                    if ($this->logger) $this->logger->info("Renamed user '$username' to '{$search[0][$this->settings['login_attribute']][0]}'");
+
+                    $username = $search[0][$this->settings['login_attribute']][0];
+                }
+            }
+
+            return new RemoteUser($search[0], $this->settings['email_attribute'], $username, $password);
+        }
     }
 
     /**

readme.md

@@ -74,6 +74,7 @@ Contributions are welcome :-)
         my.ldap_auth.client:
             class: Kaliop\IdentityManagementBundle\Adapter\LDAP\Client
             arguments:
+                # NB: here you can pass in either one ldap client, or an array of clients, to achieve high-availability
                 - "@my.ldap"
                 -
                     # the credentials used to serach the ldap