We finally found a workaround.
We slightly changed the function ldap_authenticate in core\ldap_api.php so that it now loops on several ldap_root_dn declared in config_inc.php.

In config_inc.php:

    $g_ldap_root_dn1 = ...
    $g_ldap_root_dn2 = ...

We also added a new variable:

    $g_ldap_root_dn_count = 2; # In our case.

In core\ldap_api.php:

    # --------------------
    # Attempt to authenticate the user against the LDAP directory
    # return true on successful authentication, false otherwise
    function ldap_authenticate( $p_user_id, $p_password ) {
        # if password is empty and ldap allows anonymous login, then
        # the user will be able to login, hence, we need to check
        # for this special case.
        if ( is_blank( $p_password ) ) {
            return false;
        }

        $t_ldap_organization = config_get( 'ldap_organization' );
        $t_username = user_get_field( $p_user_id, 'username' );
        $t_ldap_uid_field = config_get( 'ldap_uid_field', 'uid' );
        # Escape filter metacharacters in the username (ldap_escape needs PHP 5.6+)
        $t_escaped_username = ldap_escape( $t_username, '', LDAP_ESCAPE_FILTER );
        $t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_escaped_username))";
        $t_search_attrs = array( $t_ldap_uid_field, 'dn' );
        $t_ds = ldap_connect_bind();

        # Search for the user id in each configured root DN
        $t_authenticated = false;
        $t_ldap_root_dn_count = config_get( 'ldap_root_dn_count' );
        for ( $j = 1 ; $j <= $t_ldap_root_dn_count ; $j++ ) {
            $t_ldap_root_dn = config_get( 'ldap_root_dn' . $j );
            $t_sr = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
            if ( $t_sr === false ) {
                # Search failed under this root DN, try the next one
                continue;
            }
            $t_info = ldap_get_entries( $t_ds, $t_sr );
            if ( $t_info ) {
                # Try to authenticate to each until we get a match
                for ( $i = 0 ; $i < $t_info['count'] ; $i++ ) {
                    $t_dn = $t_info[$i]['dn'];
                    # Attempt to bind with the DN and password
                    if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
                        $t_authenticated = true;
                        break; # Don't need to go any further
                    }
                }
            }
            ldap_free_result( $t_sr );
            if ( $t_authenticated ) {
                break; # Stop searching the remaining root DNs
            }
        }

        ldap_unbind( $t_ds );
        return $t_authenticated;
    }

I agree the code could be smarter ... but it works fine like this.

C.
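
Added example (not part of the post above and not MantisBT code): it lists the base DN and search filter that a loop over numbered ldap_root_dn settings hands to ldap_search(), showing the filter with the username interpolated raw next to the same filter with the username escaped per RFC 4515. The example_* function names, the configuration values and the usernames are constructed for illustration.

```php
<?php
# Added example, not MantisBT code; names and sample values are constructed.
function example_filter_escape( $p_value ) {
    if ( function_exists( 'ldap_escape' ) ) {
        return ldap_escape( $p_value, '', LDAP_ESCAPE_FILTER );
    }
    # Fallback without the ldap extension: hex-escape \ * ( ) and NUL (RFC 4515)
    return preg_replace_callback( '/[\\\\*()\\x00]/', function ( $p_match ) {
        return sprintf( '\\%02x', ord( $p_match[0] ) );
    }, $p_value );
}

# Expand ldap_root_dn1 .. ldap_root_dnN, skipping entries that are not set.
function example_root_dns( array $p_config ) {
    $t_dns = array();
    for ( $j = 1; $j <= (int)$p_config['ldap_root_dn_count']; $j++ ) {
        if ( !empty( $p_config['ldap_root_dn' . $j] ) ) {
            $t_dns[] = $p_config['ldap_root_dn' . $j];
        }
    }
    return $t_dns;
}

# Return the (base DN, filter) pairs that would be handed to ldap_search().
function example_search_plan( array $p_config, $p_username, $p_escape = true ) {
    $t_value = $p_escape ? example_filter_escape( $p_username ) : $p_username;
    $t_filter = '(&' . $p_config['ldap_organization']
        . '(' . $p_config['ldap_uid_field'] . '=' . $t_value . '))';
    $t_plan = array();
    foreach ( example_root_dns( $p_config ) as $t_dn ) {
        $t_plan[] = array( 'base' => $t_dn, 'filter' => $t_filter );
    }
    return $t_plan;
}

# Constructed configuration and usernames
$t_config = array(
    'ldap_organization'  => '(objectClass=person)',
    'ldap_uid_field'     => 'uid',
    'ldap_root_dn_count' => 2,
    'ldap_root_dn1'      => 'ou=staff,dc=example,dc=com',
    'ldap_root_dn2'      => 'ou=partners,dc=example,dc=com',
);
foreach ( array( 'jdoe', 'j*' ) as $t_name ) {
    $t_raw = example_search_plan( $t_config, $t_name, false );
    foreach ( example_search_plan( $t_config, $t_name ) as $i => $t_row ) {
        printf( "%-30s raw=%s escaped=%s\n", $t_row['base'], $t_raw[$i]['filter'], $t_row['filter'] );
    }
}
```

For a plain username the two filters are identical; they differ only when the name contains a filter metacharacter, which the escaped form turns into a literal match.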