First try on known LDAP server(s) to speed-up login

glpi-project · Sep 21, 2021 · f2e92a1 · f2e92a1
1 parent abb5468
commit f2e92a1
Showing 1 changed file with 30 additions and 1 deletion.
diff --git a/inc/authldap.class.php b/inc/authldap.class.php
@@ -2844,12 +2844,41 @@ static function ldapAuth($auth, $login, $password, $ldap_method, $user_dn) {
     * @return object identification object
     */
    static function tryLdapAuth($auth, $login, $password, $auths_id = 0, $user_dn = false, $break = true) {
+      global $DB;
 
       //If no specific source is given, test all ldap directories
       if ($auths_id <= 0) {
          $user_found = false;
 
-         foreach ($auth->authtypes["ldap"] as $ldap_method) {
+         $ldap_methods = $auth->authtypes["ldap"];
+
+         // Sort servers to first try on known servers for given login.
+         // It is necessary to still necessary to try to connect on all servers to handle following cases:
+         //  - there are multiple users having same login on different LDAP servers,
+         //  - a user has been migrated from a LDAP server to another one, but GLPI is not yet aware of this.
+         // Caveat: if user uses a wrong password, a login attempt will still be done on all active LDAP servers.
+         $known_servers = $DB->request(
+            [
+               'SELECT' => 'auths_id',
+               'FROM'   => User::getTable(),
+               'WHERE'  => ['name' => addslashes($login)],
+            ]
+         );
+         $known_servers_id = array_column(iterator_to_array($known_servers), 'auths_id');
+         usort(
+            $ldap_methods,
+            function (array $a, array $b) use ($known_servers_id) {
+               if (in_array($a['id'], $known_servers_id) && !in_array($b['id'], $known_servers_id)) {
+                  return -1;
+               }
+               if (!in_array($a['id'], $known_servers_id) && in_array($b['id'], $known_servers_id)) {
+                  return 1;
+               }
+               return $a['id'] <=> $b['id'];
+            }
+         );
+
+         foreach ($ldap_methods as $ldap_method) {
             if ($ldap_method['is_active']) {
                $auth = self::ldapAuth($auth, $login, $password, $ldap_method, $user_dn);