Merge pull request #217 from silinternational/develop

Release 5.4.0

.gitignore

@@ -23,3 +23,4 @@ application/tests/_support/_generated/
 api.html
 
 dockercfg
+*.crt

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [5.4.0]
+### Added
+- Allow LDAP host name to be a list of hostname strings as well as a single string for backward compatibility
+
 ## [5.3.4]
 ### Fixed
 - Improved handling of expired session on login
@@ -138,7 +142,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 - Initial version of Password Manager Backend.
 
-[Unreleased]: https://github.com/silinternational/idp-pw-api/compare/5.3.4...HEAD
+[Unreleased]: https://github.com/silinternational/idp-pw-api/compare/5.4.0..HEAD
+[5.4.0]: https://github.com/silinternational/idp-pw-api/compare/5.3.4..5.4.0
 [5.3.4]: https://github.com/silinternational/idp-pw-api/compare/5.3.3..5.3.4
 [5.3.3]: https://github.com/silinternational/idp-pw-api/compare/5.3.2..5.3.3
 [5.3.2]: https://github.com/silinternational/idp-pw-api/compare/5.3.1..5.3.2

application/common/components/passwordStore/Ldap.php

@@ -11,7 +11,7 @@ class Ldap extends Component implements PasswordStoreInterface
     /** @var string */
     public $baseDn;
 
-    /** @var string */
+    /** @var string|string[] */
     public $host;
 
     /** @var integer default=636 */
@@ -83,31 +83,71 @@ class Ldap extends Component implements PasswordStoreInterface
      */
     public function connect()
     {
+        // Connection has already been established
+        if ($this->ldapClient !== null) {
+            return;
+        }
+
         if ($this->useSsl && $this->useTls) {
             // Prefer TLS over SSL
             $this->useSsl = false;
         }
 
-        /*
-         * Initialize provider with configuration
-         */
-        $this->ldapClient = new Adldap();
-        $this->ldapClient->addProvider([
+        // ensure the `host` property is an array
+        $this->host = is_array($this->host) ? $this->host : [$this->host];
+
+        // iterate over the list of hosts to find the first one that is good
+        foreach ($this->host as $host) {
+            $client = $this->connectHost($host);
+            if ($client !== null) {
+                $this->ldapClient = $client;
+                return;
+            }
+        }
+
+        // Wasn't able to connect to any of the provided LDAP hosts
+        if ($this->ldapClient === null) {
+            throw new \Exception(
+                "failed to connect to " . $this->displayName . " host",
+                1611157472
+            );
+        }
+    }
+
+    /**
+     * @param string $host
+     * @return Adldap|null
+     */
+    private function connectHost(string $host)
+    {
+        $client = new Adldap();
+        $client->addProvider([
             'base_dn' => $this->baseDn,
-            'hosts' => [$this->host],
+            'hosts' => [$host],
             'port' => $this->port,
             'username' => $this->adminUsername,
             'password' => $this->adminPassword,
             'use_ssl' => $this->useSsl,
             'use_tls' => $this->useTls,
             'schema' => OpenLDAP::class,
+            'timeout' => 3, // set connection timeout to 3 seconds, default is 5 seconds
         ]);
 
         try {
-            $this->ldapProvider = $this->ldapClient->connect();
+            $this->ldapProvider = $client->connect();
         } catch (BindException $e) {
-            throw new \Exception($e->getDetailedError());
+            $err = $e->getDetailedError();
+            \Yii::warning([
+                'action' => 'ldap connect host',
+                'status' => 'warning',
+                'host' => $host,
+                'ldap_code' => $err->getErrorCode(),
+                'diagnostic' => $err->getDiagnosticMessage(),
+                'message' => $err->getErrorMessage(),
+            ]);
+            return null;
         }
+        return $client;
     }
 
     /**