nextcloud / server

apps/user_ldap/lib/Connection.php

Indentation +683 added lines, -683 removed lines

@@ -96,687 +96,687 @@
  * @property string $ldapAttributePronouns
  */
 class Connection extends LDAPUtility {
-	private ?\LDAP\Connection $ldapConnectionRes = null;
-	private bool $configured = false;
-
-	/**
-	 * @var bool whether connection should be kept on __destruct
-	 */
-	private bool $dontDestruct = false;
-
-	/**
-	 * @var bool runtime flag that indicates whether supported primary groups are available
-	 */
-	public $hasPrimaryGroups = true;
-
-	/**
-	 * @var bool runtime flag that indicates whether supported POSIX gidNumber are available
-	 */
-	public $hasGidNumber = true;
-
-	/**
-	 * @var ICache|null
-	 */
-	protected $cache = null;
-
-	/** @var Configuration settings handler * */
-	protected $configuration;
-
-	/**
-	 * @var bool
-	 */
-	protected $doNotValidate = false;
-
-	/**
-	 * @var bool
-	 */
-	protected $ignoreValidation = false;
-
-	/**
-	 * @var array{sum?: string, result?: bool}
-	 */
-	protected $bindResult = [];
-
-	protected LoggerInterface $logger;
-	private IL10N $l10n;
-
-	/**
-	 * Constructor
-	 * @param string $configPrefix a string with the prefix for the configkey column (appconfig table)
-	 * @param string|null $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections
-	 */
-	public function __construct(
-		ILDAPWrapper $ldap,
-		private string $configPrefix = '',
-		private ?string $configID = 'user_ldap',
-	) {
-		parent::__construct($ldap);
-		$this->configuration = new Configuration($this->configPrefix, !is_null($this->configID));
-		$memcache = Server::get(ICacheFactory::class);
-		if ($memcache->isAvailable()) {
-			$this->cache = $memcache->createDistributed();
-		}
-		$helper = new Helper(Server::get(IConfig::class), Server::get(IDBConnection::class));
-		$this->doNotValidate = !in_array($this->configPrefix,
-			$helper->getServerConfigurationPrefixes());
-		$this->logger = Server::get(LoggerInterface::class);
-		$this->l10n = Util::getL10N('user_ldap');
-	}
-
-	public function __destruct() {
-		if (!$this->dontDestruct && $this->ldap->isResource($this->ldapConnectionRes)) {
-			@$this->ldap->unbind($this->ldapConnectionRes);
-			$this->bindResult = [];
-		}
-	}
-
-	/**
-	 * defines behaviour when the instance is cloned
-	 */
-	public function __clone() {
-		$this->configuration = new Configuration($this->configPrefix,
-			!is_null($this->configID));
-		if (count($this->bindResult) !== 0 && $this->bindResult['result'] === true) {
-			$this->bindResult = [];
-		}
-		$this->ldapConnectionRes = null;
-		$this->dontDestruct = true;
-	}
-
-	public function __get(string $name) {
-		if (!$this->configured) {
-			$this->readConfiguration();
-		}
-
-		return $this->configuration->$name;
-	}
-
-	/**
-	 * @param string $name
-	 * @param mixed $value
-	 */
-	public function __set($name, $value) {
-		$this->doNotValidate = false;
-		$before = $this->configuration->$name;
-		$this->configuration->$name = $value;
-		$after = $this->configuration->$name;
-		if ($before !== $after) {
-			if ($this->configID !== '' && $this->configID !== null) {
-				$this->configuration->saveConfiguration();
-			}
-			$this->validateConfiguration();
-		}
-	}
-
-	/**
-	 * @param string $rule
-	 * @return array
-	 * @throws \RuntimeException
-	 */
-	public function resolveRule($rule) {
-		return $this->configuration->resolveRule($rule);
-	}
-
-	/**
-	 * sets whether the result of the configuration validation shall
-	 * be ignored when establishing the connection. Used by the Wizard
-	 * in early configuration state.
-	 * @param bool $state
-	 */
-	public function setIgnoreValidation($state) {
-		$this->ignoreValidation = (bool)$state;
-	}
-
-	/**
-	 * initializes the LDAP backend
-	 * @param bool $force read the config settings no matter what
-	 */
-	public function init($force = false) {
-		$this->readConfiguration($force);
-		$this->establishConnection();
-	}
-
-	/**
-	 * @return \LDAP\Connection The LDAP resource
-	 */
-	public function getConnectionResource(): \LDAP\Connection {
-		if (!$this->ldapConnectionRes) {
-			$this->init();
-		}
-		if (is_null($this->ldapConnectionRes)) {
-			$this->logger->error(
-				'No LDAP Connection to server ' . $this->configuration->ldapHost,
-				['app' => 'user_ldap']
-			);
-			throw new ServerNotAvailableException('Connection to LDAP server could not be established');
-		}
-		return $this->ldapConnectionRes;
-	}
-
-	/**
-	 * resets the connection resource
-	 */
-	public function resetConnectionResource(): void {
-		if (!is_null($this->ldapConnectionRes)) {
-			@$this->ldap->unbind($this->ldapConnectionRes);
-			$this->ldapConnectionRes = null;
-			$this->bindResult = [];
-		}
-	}
-
-	/**
-	 * @param string|null $key
-	 */
-	private function getCacheKey($key): string {
-		$prefix = 'LDAP-' . $this->configID . '-' . $this->configPrefix . '-';
-		if (is_null($key)) {
-			return $prefix;
-		}
-		return $prefix . hash('sha256', $key);
-	}
-
-	/**
-	 * @param string $key
-	 * @return mixed|null
-	 */
-	public function getFromCache($key) {
-		if (!$this->configured) {
-			$this->readConfiguration();
-		}
-		if (is_null($this->cache) || !$this->configuration->ldapCacheTTL) {
-			return null;
-		}
-		$key = $this->getCacheKey($key);
-
-		return json_decode(base64_decode($this->cache->get($key) ?? ''), true);
-	}
-
-	public function getConfigPrefix(): string {
-		return $this->configPrefix;
-	}
-
-	/**
-	 * @param string $key
-	 * @param mixed $value
-	 */
-	public function writeToCache($key, $value, ?int $ttlOverride = null): void {
-		if (!$this->configured) {
-			$this->readConfiguration();
-		}
-		if (is_null($this->cache)
-			|| !$this->configuration->ldapCacheTTL
-			|| !$this->configuration->ldapConfigurationActive) {
-			return;
-		}
-		$key = $this->getCacheKey($key);
-		$value = base64_encode(json_encode($value));
-		$ttl = $ttlOverride ?? $this->configuration->ldapCacheTTL;
-		$this->cache->set($key, $value, $ttl);
-	}
-
-	public function clearCache() {
-		if (!is_null($this->cache)) {
-			$this->cache->clear($this->getCacheKey(null));
-		}
-	}
-
-	/**
-	 * Caches the general LDAP configuration.
-	 * @param bool $force optional. true, if the re-read should be forced. defaults
-	 *                    to false.
-	 */
-	private function readConfiguration(bool $force = false): void {
-		if ((!$this->configured || $force) && !is_null($this->configID)) {
-			$this->configuration->readConfiguration();
-			$this->configured = $this->validateConfiguration();
-		}
-	}
-
-	/**
-	 * set LDAP configuration with values delivered by an array, not read from configuration
-	 * @param array $config array that holds the config parameters in an associated array
-	 * @param array &$setParameters optional; array where the set fields will be given to
-	 * @param bool $throw if true, throw ConfigurationIssueException with details instead of returning false
-	 * @return bool true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters
-	 */
-	public function setConfiguration(array $config, ?array &$setParameters = null, bool $throw = false): bool {
-		if (is_null($setParameters)) {
-			$setParameters = [];
-		}
-		$this->doNotValidate = false;
-		$this->configuration->setConfiguration($config, $setParameters);
-		if (count($setParameters) > 0) {
-			$this->configured = $this->validateConfiguration($throw);
-		}
-
-
-		return $this->configured;
-	}
-
-	/**
-	 * saves the current Configuration in the database and empties the
-	 * cache
-	 * @return null
-	 */
-	public function saveConfiguration() {
-		$this->configuration->saveConfiguration();
-		$this->clearCache();
-	}
-
-	/**
-	 * get the current LDAP configuration
-	 * @return array
-	 */
-	public function getConfiguration() {
-		$this->readConfiguration();
-		$config = $this->configuration->getConfiguration();
-		$cta = $this->configuration->getConfigTranslationArray();
-		$result = [];
-		foreach ($cta as $dbkey => $configkey) {
-			switch ($configkey) {
-				case 'homeFolderNamingRule':
-					if (str_starts_with($config[$configkey], 'attr:')) {
-						$result[$dbkey] = substr($config[$configkey], 5);
-					} else {
-						$result[$dbkey] = '';
-					}
-					break;
-				case 'ldapBase':
-				case 'ldapBaseUsers':
-				case 'ldapBaseGroups':
-				case 'ldapAttributesForUserSearch':
-				case 'ldapAttributesForGroupSearch':
-					if (is_array($config[$configkey])) {
-						$result[$dbkey] = implode("\n", $config[$configkey]);
-						break;
-					} //else follows default
-					// no break
-				default:
-					$result[$dbkey] = $config[$configkey];
-			}
-		}
-		return $result;
-	}
-
-	private function doSoftValidation(): void {
-		//if User or Group Base are not set, take over Base DN setting
-		foreach (['ldapBaseUsers', 'ldapBaseGroups'] as $keyBase) {
-			$val = $this->configuration->$keyBase;
-			if (empty($val)) {
-				$this->configuration->$keyBase = $this->configuration->ldapBase;
-			}
-		}
-
-		foreach (['ldapExpertUUIDUserAttr' => 'ldapUuidUserAttribute',
-			'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute'] as $expertSetting => $effectiveSetting) {
-			$uuidOverride = $this->configuration->$expertSetting;
-			if (!empty($uuidOverride)) {
-				$this->configuration->$effectiveSetting = $uuidOverride;
-			} else {
-				$uuidAttributes = Access::UUID_ATTRIBUTES;
-				array_unshift($uuidAttributes, 'auto');
-				if (!in_array($this->configuration->$effectiveSetting, $uuidAttributes)
-					&& !is_null($this->configID)) {
-					$this->configuration->$effectiveSetting = 'auto';
-					$this->configuration->saveConfiguration();
-					$this->logger->info(
-						'Illegal value for the ' . $effectiveSetting . ', reset to autodetect.',
-						['app' => 'user_ldap']
-					);
-				}
-			}
-		}
-
-		$backupPort = (int)$this->configuration->ldapBackupPort;
-		if ($backupPort <= 0) {
-			$this->configuration->ldapBackupPort = $this->configuration->ldapPort;
-		}
-
-		//make sure empty search attributes are saved as simple, empty array
-		$saKeys = ['ldapAttributesForUserSearch',
-			'ldapAttributesForGroupSearch'];
-		foreach ($saKeys as $key) {
-			$val = $this->configuration->$key;
-			if (is_array($val) && count($val) === 1 && empty($val[0])) {
-				$this->configuration->$key = [];
-			}
-		}
-
-		if ((stripos((string)$this->configuration->ldapHost, 'ldaps://') === 0)
-			&& $this->configuration->ldapTLS) {
-			$this->configuration->ldapTLS = (string)false;
-			$this->logger->info(
-				'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.',
-				['app' => 'user_ldap']
-			);
-		}
-	}
-
-	/**
-	 * @throws ConfigurationIssueException
-	 */
-	private function doCriticalValidation(): void {
-		//options that shall not be empty
-		$options = ['ldapHost', 'ldapUserDisplayName',
-			'ldapGroupDisplayName', 'ldapLoginFilter'];
-
-		//ldapPort should not be empty either unless ldapHost is pointing to a socket
-		if (!$this->configuration->usesLdapi()) {
-			$options[] = 'ldapPort';
-		}
-
-		foreach ($options as $key) {
-			$val = $this->configuration->$key;
-			if (empty($val)) {
-				switch ($key) {
-					case 'ldapHost':
-						$subj = 'LDAP Host';
-						break;
-					case 'ldapPort':
-						$subj = 'LDAP Port';
-						break;
-					case 'ldapUserDisplayName':
-						$subj = 'LDAP User Display Name';
-						break;
-					case 'ldapGroupDisplayName':
-						$subj = 'LDAP Group Display Name';
-						break;
-					case 'ldapLoginFilter':
-						$subj = 'LDAP Login Filter';
-						break;
-					default:
-						$subj = $key;
-						break;
-				}
-				throw new ConfigurationIssueException(
-					'No ' . $subj . ' given!',
-					$this->l10n->t('Mandatory field "%s" left empty', $subj),
-				);
-			}
-		}
-
-		//combinations
-		$agent = $this->configuration->ldapAgentName;
-		$pwd = $this->configuration->ldapAgentPassword;
-		if ($agent === '' && $pwd !== '') {
-			throw new ConfigurationIssueException(
-				'A password is given, but not an LDAP agent',
-				$this->l10n->t('A password is given, but not an LDAP agent'),
-			);
-		}
-		if ($agent !== '' && $pwd === '') {
-			throw new ConfigurationIssueException(
-				'No password is given for the user agent',
-				$this->l10n->t('No password is given for the user agent'),
-			);
-		}
-
-		$base = $this->configuration->ldapBase;
-		$baseUsers = $this->configuration->ldapBaseUsers;
-		$baseGroups = $this->configuration->ldapBaseGroups;
-
-		if (empty($base)) {
-			throw new ConfigurationIssueException(
-				'Not a single Base DN given',
-				$this->l10n->t('No LDAP base DN was given'),
-			);
-		}
-
-		if (!empty($baseUsers) && !$this->checkBasesAreValid($baseUsers, $base)) {
-			throw new ConfigurationIssueException(
-				'User base is not in root base',
-				$this->l10n->t('User base DN is not a subnode of global base DN'),
-			);
-		}
-
-		if (!empty($baseGroups) && !$this->checkBasesAreValid($baseGroups, $base)) {
-			throw new ConfigurationIssueException(
-				'Group base is not in root base',
-				$this->l10n->t('Group base DN is not a subnode of global base DN'),
-			);
-		}
-
-		if (mb_strpos((string)$this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) {
-			throw new ConfigurationIssueException(
-				'Login filter does not contain %uid placeholder.',
-				$this->l10n->t('Login filter does not contain %s placeholder.', ['%uid']),
-			);
-		}
-	}
-
-	/**
-	 * Checks that all bases are subnodes of one of the root bases
-	 */
-	private function checkBasesAreValid(array $bases, array $rootBases): bool {
-		foreach ($bases as $base) {
-			$ok = false;
-			foreach ($rootBases as $rootBase) {
-				if (str_ends_with($base, $rootBase)) {
-					$ok = true;
-					break;
-				}
-			}
-			if (!$ok) {
-				return false;
-			}
-		}
-		return true;
-	}
-
-	/**
-	 * Validates the user specified configuration
-	 * @return bool true if configuration seems OK, false otherwise
-	 */
-	private function validateConfiguration(bool $throw = false): bool {
-		if ($this->doNotValidate) {
-			//don't do a validation if it is a new configuration with pure
-			//default values. Will be allowed on changes via __set or
-			//setConfiguration
-			return false;
-		}
-
-		// first step: "soft" checks: settings that are not really
-		// necessary, but advisable. If left empty, give an info message
-		$this->doSoftValidation();
-
-		//second step: critical checks. If left empty or filled wrong, mark as
-		//not configured and give a warning.
-		try {
-			$this->doCriticalValidation();
-			return true;
-		} catch (ConfigurationIssueException $e) {
-			if ($throw) {
-				throw $e;
-			}
-			$this->logger->warning(
-				'Configuration Error (prefix ' . $this->configPrefix . '): ' . $e->getMessage(),
-				['exception' => $e]
-			);
-			return false;
-		}
-	}
-
-
-	/**
-	 * Connects and Binds to LDAP
-	 *
-	 * @throws ServerNotAvailableException
-	 */
-	private function establishConnection(): ?bool {
-		if (!$this->configuration->ldapConfigurationActive) {
-			return null;
-		}
-		static $phpLDAPinstalled = true;
-		if (!$phpLDAPinstalled) {
-			return false;
-		}
-		if (!$this->ignoreValidation && !$this->configured) {
-			$this->logger->warning(
-				'Configuration is invalid, cannot connect',
-				['app' => 'user_ldap']
-			);
-			return false;
-		}
-		if (!$this->ldapConnectionRes) {
-			if (!$this->ldap->areLDAPFunctionsAvailable()) {
-				$phpLDAPinstalled = false;
-				$this->logger->error(
-					'function ldap_connect is not available. Make sure that the PHP ldap module is installed.',
-					['app' => 'user_ldap']
-				);
-
-				return false;
-			}
-
-			$hasBackupHost = (trim($this->configuration->ldapBackupHost ?? '') !== '');
-			$hasBackgroundHost = (trim($this->configuration->ldapBackgroundHost ?? '') !== '');
-			$useBackgroundHost = (\OC::$CLI && $hasBackgroundHost);
-			$overrideCacheKey = ($useBackgroundHost ? 'overrideBackgroundServer' : 'overrideMainServer');
-			$forceBackupHost = ($this->configuration->ldapOverrideMainServer || $this->getFromCache($overrideCacheKey));
-			$bindStatus = false;
-			if (!$forceBackupHost) {
-				try {
-					$host = $this->configuration->ldapHost ?? '';
-					$port = $this->configuration->ldapPort ?? '';
-					if ($useBackgroundHost) {
-						$host = $this->configuration->ldapBackgroundHost ?? '';
-						$port = $this->configuration->ldapBackgroundPort ?? '';
-					}
-					$this->doConnect($host, $port);
-					return $this->bind();
-				} catch (ServerNotAvailableException $e) {
-					if (!$hasBackupHost) {
-						throw $e;
-					}
-				}
-				$this->logger->warning(
-					'Main LDAP not reachable, connecting to backup: {msg}',
-					[
-						'app' => 'user_ldap',
-						'msg' => $e->getMessage(),
-						'exception' => $e,
-					]
-				);
-			}
-
-			// if LDAP server is not reachable, try the Backup (Replica!) Server
-			$this->doConnect($this->configuration->ldapBackupHost ?? '', $this->configuration->ldapBackupPort ?? '');
-			$this->bindResult = [];
-			$bindStatus = $this->bind();
-			$error = $this->ldap->isResource($this->ldapConnectionRes) ?
-				$this->ldap->errno($this->ldapConnectionRes) : -1;
-			if ($bindStatus && $error === 0 && !$forceBackupHost) {
-				//when bind to backup server succeeded and failed to main server,
-				//skip contacting it for 15min
-				$this->writeToCache($overrideCacheKey, true, 60 * 15);
-			}
-
-			return $bindStatus;
-		}
-		return null;
-	}
-
-	/**
-	 * @param string $host
-	 * @param string $port
-	 * @throws \OC\ServerNotAvailableException
-	 */
-	private function doConnect($host, $port): bool {
-		if ($host === '') {
-			return false;
-		}
-
-		$this->ldapConnectionRes = $this->ldap->connect($host, $port) ?: null;
-
-		if ($this->ldapConnectionRes === null) {
-			throw new ServerNotAvailableException('Connection failed');
-		}
-
-		if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) {
-			throw new ServerNotAvailableException('Could not set required LDAP Protocol version.');
-		}
-
-		if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_REFERRALS, 0)) {
-			throw new ServerNotAvailableException('Could not disable LDAP referrals.');
-		}
-
-		if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_NETWORK_TIMEOUT, $this->configuration->ldapConnectionTimeout)) {
-			throw new ServerNotAvailableException('Could not set network timeout');
-		}
-
-		if ($this->configuration->ldapTLS) {
-			if ($this->configuration->turnOffCertCheck) {
-				if ($this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) {
-					$this->logger->debug(
-						'Turned off SSL certificate validation successfully.',
-						['app' => 'user_ldap']
-					);
-				} else {
-					$this->logger->warning(
-						'Could not turn off SSL certificate validation.',
-						['app' => 'user_ldap']
-					);
-				}
-			}
-
-			if (!$this->ldap->startTls($this->ldapConnectionRes)) {
-				throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.');
-			}
-		}
-
-		return true;
-	}
-
-	/**
-	 * Binds to LDAP
-	 */
-	public function bind() {
-		if (!$this->configuration->ldapConfigurationActive) {
-			return false;
-		}
-		$cr = $this->ldapConnectionRes;
-		if (!$this->ldap->isResource($cr)) {
-			$cr = $this->getConnectionResource();
-		}
-
-		if (
-			count($this->bindResult) !== 0
-			&& $this->bindResult['sum'] === md5($this->configuration->ldapAgentName . $this->configPrefix . $this->configuration->ldapAgentPassword)
-		) {
-			// don't attempt to bind again with the same data as before
-			// bind might have been invoked via getConnectionResource(),
-			// but we need results specifically for e.g. user login
-			return $this->bindResult['result'];
-		}
-
-		$ldapLogin = @$this->ldap->bind($cr,
-			$this->configuration->ldapAgentName,
-			$this->configuration->ldapAgentPassword);
-
-		$this->bindResult = [
-			'sum' => md5($this->configuration->ldapAgentName . $this->configPrefix . $this->configuration->ldapAgentPassword),
-			'result' => $ldapLogin,
-		];
-
-		if (!$ldapLogin) {
-			$errno = $this->ldap->errno($cr);
-
-			$this->logger->warning(
-				'Bind failed: ' . $errno . ': ' . $this->ldap->error($cr),
-				['app' => 'user_ldap']
-			);
-
-			// Set to failure mode, if LDAP error code is not one of
-			// - LDAP_SUCCESS (0)
-			// - LDAP_INVALID_CREDENTIALS (49)
-			// - LDAP_INSUFFICIENT_ACCESS (50, spotted Apple Open Directory)
-			// - LDAP_UNWILLING_TO_PERFORM (53, spotted eDirectory)
-			if (!in_array($errno, [0, 49, 50, 53], true)) {
-				$this->ldapConnectionRes = null;
-			}
-
-			return false;
-		}
-		return true;
-	}
+    private ?\LDAP\Connection $ldapConnectionRes = null;
+    private bool $configured = false;
+
+    /**
+     * @var bool whether connection should be kept on __destruct
+     */
+    private bool $dontDestruct = false;
+
+    /**
+     * @var bool runtime flag that indicates whether supported primary groups are available
+     */
+    public $hasPrimaryGroups = true;
+
+    /**
+     * @var bool runtime flag that indicates whether supported POSIX gidNumber are available
+     */
+    public $hasGidNumber = true;
+
+    /**
+     * @var ICache|null
+     */
+    protected $cache = null;
+
+    /** @var Configuration settings handler * */
+    protected $configuration;
+
+    /**
+     * @var bool
+     */
+    protected $doNotValidate = false;
+
+    /**
+     * @var bool
+     */
+    protected $ignoreValidation = false;
+
+    /**
+     * @var array{sum?: string, result?: bool}
+     */
+    protected $bindResult = [];
+
+    protected LoggerInterface $logger;
+    private IL10N $l10n;
+
+    /**
+     * Constructor
+     * @param string $configPrefix a string with the prefix for the configkey column (appconfig table)
+     * @param string|null $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections
+     */
+    public function __construct(
+        ILDAPWrapper $ldap,
+        private string $configPrefix = '',
+        private ?string $configID = 'user_ldap',
+    ) {
+        parent::__construct($ldap);
+        $this->configuration = new Configuration($this->configPrefix, !is_null($this->configID));
+        $memcache = Server::get(ICacheFactory::class);
+        if ($memcache->isAvailable()) {
+            $this->cache = $memcache->createDistributed();
+        }
+        $helper = new Helper(Server::get(IConfig::class), Server::get(IDBConnection::class));
+        $this->doNotValidate = !in_array($this->configPrefix,
+            $helper->getServerConfigurationPrefixes());
+        $this->logger = Server::get(LoggerInterface::class);
+        $this->l10n = Util::getL10N('user_ldap');
+    }
+
+    public function __destruct() {
+        if (!$this->dontDestruct && $this->ldap->isResource($this->ldapConnectionRes)) {
+            @$this->ldap->unbind($this->ldapConnectionRes);
+            $this->bindResult = [];
+        }
+    }
+
+    /**
+     * defines behaviour when the instance is cloned
+     */
+    public function __clone() {
+        $this->configuration = new Configuration($this->configPrefix,
+            !is_null($this->configID));
+        if (count($this->bindResult) !== 0 && $this->bindResult['result'] === true) {
+            $this->bindResult = [];
+        }
+        $this->ldapConnectionRes = null;
+        $this->dontDestruct = true;
+    }
+
+    public function __get(string $name) {
+        if (!$this->configured) {
+            $this->readConfiguration();
+        }
+
+        return $this->configuration->$name;
+    }
+
+    /**
+     * @param string $name
+     * @param mixed $value
+     */
+    public function __set($name, $value) {
+        $this->doNotValidate = false;
+        $before = $this->configuration->$name;
+        $this->configuration->$name = $value;
+        $after = $this->configuration->$name;
+        if ($before !== $after) {
+            if ($this->configID !== '' && $this->configID !== null) {
+                $this->configuration->saveConfiguration();
+            }
+            $this->validateConfiguration();
+        }
+    }
+
+    /**
+     * @param string $rule
+     * @return array
+     * @throws \RuntimeException
+     */
+    public function resolveRule($rule) {
+        return $this->configuration->resolveRule($rule);
+    }
+
+    /**
+     * sets whether the result of the configuration validation shall
+     * be ignored when establishing the connection. Used by the Wizard
+     * in early configuration state.
+     * @param bool $state
+     */
+    public function setIgnoreValidation($state) {
+        $this->ignoreValidation = (bool)$state;
+    }
+
+    /**
+     * initializes the LDAP backend
+     * @param bool $force read the config settings no matter what
+     */
+    public function init($force = false) {
+        $this->readConfiguration($force);
+        $this->establishConnection();
+    }
+
+    /**
+     * @return \LDAP\Connection The LDAP resource
+     */
+    public function getConnectionResource(): \LDAP\Connection {
+        if (!$this->ldapConnectionRes) {
+            $this->init();
+        }
+        if (is_null($this->ldapConnectionRes)) {
+            $this->logger->error(
+                'No LDAP Connection to server ' . $this->configuration->ldapHost,
+                ['app' => 'user_ldap']
+            );
+            throw new ServerNotAvailableException('Connection to LDAP server could not be established');
+        }
+        return $this->ldapConnectionRes;
+    }
+
+    /**
+     * resets the connection resource
+     */
+    public function resetConnectionResource(): void {
+        if (!is_null($this->ldapConnectionRes)) {
+            @$this->ldap->unbind($this->ldapConnectionRes);
+            $this->ldapConnectionRes = null;
+            $this->bindResult = [];
+        }
+    }
+
+    /**
+     * @param string|null $key
+     */
+    private function getCacheKey($key): string {
+        $prefix = 'LDAP-' . $this->configID . '-' . $this->configPrefix . '-';
+        if (is_null($key)) {
+            return $prefix;
+        }
+        return $prefix . hash('sha256', $key);
+    }
+
+    /**
+     * @param string $key
+     * @return mixed|null
+     */
+    public function getFromCache($key) {
+        if (!$this->configured) {
+            $this->readConfiguration();
+        }
+        if (is_null($this->cache) || !$this->configuration->ldapCacheTTL) {
+            return null;
+        }
+        $key = $this->getCacheKey($key);
+
+        return json_decode(base64_decode($this->cache->get($key) ?? ''), true);
+    }
+
+    public function getConfigPrefix(): string {
+        return $this->configPrefix;
+    }
+
+    /**
+     * @param string $key
+     * @param mixed $value
+     */
+    public function writeToCache($key, $value, ?int $ttlOverride = null): void {
+        if (!$this->configured) {
+            $this->readConfiguration();
+        }
+        if (is_null($this->cache)
+            || !$this->configuration->ldapCacheTTL
+            || !$this->configuration->ldapConfigurationActive) {
+            return;
+        }
+        $key = $this->getCacheKey($key);
+        $value = base64_encode(json_encode($value));
+        $ttl = $ttlOverride ?? $this->configuration->ldapCacheTTL;
+        $this->cache->set($key, $value, $ttl);
+    }
+
+    public function clearCache() {
+        if (!is_null($this->cache)) {
+            $this->cache->clear($this->getCacheKey(null));
+        }
+    }
+
+    /**
+     * Caches the general LDAP configuration.
+     * @param bool $force optional. true, if the re-read should be forced. defaults
+     *                    to false.
+     */
+    private function readConfiguration(bool $force = false): void {
+        if ((!$this->configured || $force) && !is_null($this->configID)) {
+            $this->configuration->readConfiguration();
+            $this->configured = $this->validateConfiguration();
+        }
+    }
+
+    /**
+     * set LDAP configuration with values delivered by an array, not read from configuration
+     * @param array $config array that holds the config parameters in an associated array
+     * @param array &$setParameters optional; array where the set fields will be given to
+     * @param bool $throw if true, throw ConfigurationIssueException with details instead of returning false
+     * @return bool true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters
+     */
+    public function setConfiguration(array $config, ?array &$setParameters = null, bool $throw = false): bool {
+        if (is_null($setParameters)) {
+            $setParameters = [];
+        }
+        $this->doNotValidate = false;
+        $this->configuration->setConfiguration($config, $setParameters);
+        if (count($setParameters) > 0) {
+            $this->configured = $this->validateConfiguration($throw);
+        }
+
+
+        return $this->configured;
+    }
+
+    /**
+     * saves the current Configuration in the database and empties the
+     * cache
+     * @return null
+     */
+    public function saveConfiguration() {
+        $this->configuration->saveConfiguration();
+        $this->clearCache();
+    }
+
+    /**
+     * get the current LDAP configuration
+     * @return array
+     */
+    public function getConfiguration() {
+        $this->readConfiguration();
+        $config = $this->configuration->getConfiguration();
+        $cta = $this->configuration->getConfigTranslationArray();
+        $result = [];
+        foreach ($cta as $dbkey => $configkey) {
+            switch ($configkey) {
+                case 'homeFolderNamingRule':
+                    if (str_starts_with($config[$configkey], 'attr:')) {
+                        $result[$dbkey] = substr($config[$configkey], 5);
+                    } else {
+                        $result[$dbkey] = '';
+                    }
+                    break;
+                case 'ldapBase':
+                case 'ldapBaseUsers':
+                case 'ldapBaseGroups':
+                case 'ldapAttributesForUserSearch':
+                case 'ldapAttributesForGroupSearch':
+                    if (is_array($config[$configkey])) {
+                        $result[$dbkey] = implode("\n", $config[$configkey]);
+                        break;
+                    } //else follows default
+                    // no break
+                default:
+                    $result[$dbkey] = $config[$configkey];
+            }
+        }
+        return $result;
+    }
+
+    private function doSoftValidation(): void {
+        //if User or Group Base are not set, take over Base DN setting
+        foreach (['ldapBaseUsers', 'ldapBaseGroups'] as $keyBase) {
+            $val = $this->configuration->$keyBase;
+            if (empty($val)) {
+                $this->configuration->$keyBase = $this->configuration->ldapBase;
+            }
+        }
+
+        foreach (['ldapExpertUUIDUserAttr' => 'ldapUuidUserAttribute',
+            'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute'] as $expertSetting => $effectiveSetting) {
+            $uuidOverride = $this->configuration->$expertSetting;
+            if (!empty($uuidOverride)) {
+                $this->configuration->$effectiveSetting = $uuidOverride;
+            } else {
+                $uuidAttributes = Access::UUID_ATTRIBUTES;
+                array_unshift($uuidAttributes, 'auto');
+                if (!in_array($this->configuration->$effectiveSetting, $uuidAttributes)
+                    && !is_null($this->configID)) {
+                    $this->configuration->$effectiveSetting = 'auto';
+                    $this->configuration->saveConfiguration();
+                    $this->logger->info(
+                        'Illegal value for the ' . $effectiveSetting . ', reset to autodetect.',
+                        ['app' => 'user_ldap']
+                    );
+                }
+            }
+        }
+
+        $backupPort = (int)$this->configuration->ldapBackupPort;
+        if ($backupPort <= 0) {
+            $this->configuration->ldapBackupPort = $this->configuration->ldapPort;
+        }
+
+        //make sure empty search attributes are saved as simple, empty array
+        $saKeys = ['ldapAttributesForUserSearch',
+            'ldapAttributesForGroupSearch'];
+        foreach ($saKeys as $key) {
+            $val = $this->configuration->$key;
+            if (is_array($val) && count($val) === 1 && empty($val[0])) {
+                $this->configuration->$key = [];
+            }
+        }
+
+        if ((stripos((string)$this->configuration->ldapHost, 'ldaps://') === 0)
+            && $this->configuration->ldapTLS) {
+            $this->configuration->ldapTLS = (string)false;
+            $this->logger->info(
+                'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.',
+                ['app' => 'user_ldap']
+            );
+        }
+    }
+
+    /**
+     * @throws ConfigurationIssueException
+     */
+    private function doCriticalValidation(): void {
+        //options that shall not be empty
+        $options = ['ldapHost', 'ldapUserDisplayName',
+            'ldapGroupDisplayName', 'ldapLoginFilter'];
+
+        //ldapPort should not be empty either unless ldapHost is pointing to a socket
+        if (!$this->configuration->usesLdapi()) {
+            $options[] = 'ldapPort';
+        }
+
+        foreach ($options as $key) {
+            $val = $this->configuration->$key;
+            if (empty($val)) {
+                switch ($key) {
+                    case 'ldapHost':
+                        $subj = 'LDAP Host';
+                        break;
+                    case 'ldapPort':
+                        $subj = 'LDAP Port';
+                        break;
+                    case 'ldapUserDisplayName':
+                        $subj = 'LDAP User Display Name';
+                        break;
+                    case 'ldapGroupDisplayName':
+                        $subj = 'LDAP Group Display Name';
+                        break;
+                    case 'ldapLoginFilter':
+                        $subj = 'LDAP Login Filter';
+                        break;
+                    default:
+                        $subj = $key;
+                        break;
+                }
+                throw new ConfigurationIssueException(
+                    'No ' . $subj . ' given!',
+                    $this->l10n->t('Mandatory field "%s" left empty', $subj),
+                );
+            }
+        }
+
+        //combinations
+        $agent = $this->configuration->ldapAgentName;
+        $pwd = $this->configuration->ldapAgentPassword;
+        if ($agent === '' && $pwd !== '') {
+            throw new ConfigurationIssueException(
+                'A password is given, but not an LDAP agent',
+                $this->l10n->t('A password is given, but not an LDAP agent'),
+            );
+        }
+        if ($agent !== '' && $pwd === '') {
+            throw new ConfigurationIssueException(
+                'No password is given for the user agent',
+                $this->l10n->t('No password is given for the user agent'),
+            );
+        }
+
+        $base = $this->configuration->ldapBase;
+        $baseUsers = $this->configuration->ldapBaseUsers;
+        $baseGroups = $this->configuration->ldapBaseGroups;
+
+        if (empty($base)) {
+            throw new ConfigurationIssueException(
+                'Not a single Base DN given',
+                $this->l10n->t('No LDAP base DN was given'),
+            );
+        }
+
+        if (!empty($baseUsers) && !$this->checkBasesAreValid($baseUsers, $base)) {
+            throw new ConfigurationIssueException(
+                'User base is not in root base',
+                $this->l10n->t('User base DN is not a subnode of global base DN'),
+            );
+        }
+
+        if (!empty($baseGroups) && !$this->checkBasesAreValid($baseGroups, $base)) {
+            throw new ConfigurationIssueException(
+                'Group base is not in root base',
+                $this->l10n->t('Group base DN is not a subnode of global base DN'),
+            );
+        }
+
+        if (mb_strpos((string)$this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) {
+            throw new ConfigurationIssueException(
+                'Login filter does not contain %uid placeholder.',
+                $this->l10n->t('Login filter does not contain %s placeholder.', ['%uid']),
+            );
+        }
+    }
+
+    /**
+     * Checks that all bases are subnodes of one of the root bases
+     */
+    private function checkBasesAreValid(array $bases, array $rootBases): bool {
+        foreach ($bases as $base) {
+            $ok = false;
+            foreach ($rootBases as $rootBase) {
+                if (str_ends_with($base, $rootBase)) {
+                    $ok = true;
+                    break;
+                }
+            }
+            if (!$ok) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Validates the user specified configuration
+     * @return bool true if configuration seems OK, false otherwise
+     */
+    private function validateConfiguration(bool $throw = false): bool {
+        if ($this->doNotValidate) {
+            //don't do a validation if it is a new configuration with pure
+            //default values. Will be allowed on changes via __set or
+            //setConfiguration
+            return false;
+        }
+
+        // first step: "soft" checks: settings that are not really
+        // necessary, but advisable. If left empty, give an info message
+        $this->doSoftValidation();
+
+        //second step: critical checks. If left empty or filled wrong, mark as
+        //not configured and give a warning.
+        try {
+            $this->doCriticalValidation();
+            return true;
+        } catch (ConfigurationIssueException $e) {
+            if ($throw) {
+                throw $e;
+            }
+            $this->logger->warning(
+                'Configuration Error (prefix ' . $this->configPrefix . '): ' . $e->getMessage(),
+                ['exception' => $e]
+            );
+            return false;
+        }
+    }
+
+
+    /**
+     * Connects and Binds to LDAP
+     *
+     * @throws ServerNotAvailableException
+     */
+    private function establishConnection(): ?bool {
+        if (!$this->configuration->ldapConfigurationActive) {
+            return null;
+        }
+        static $phpLDAPinstalled = true;
+        if (!$phpLDAPinstalled) {
+            return false;
+        }
+        if (!$this->ignoreValidation && !$this->configured) {
+            $this->logger->warning(
+                'Configuration is invalid, cannot connect',
+                ['app' => 'user_ldap']
+            );
+            return false;
+        }
+        if (!$this->ldapConnectionRes) {
+            if (!$this->ldap->areLDAPFunctionsAvailable()) {
+                $phpLDAPinstalled = false;
+                $this->logger->error(
+                    'function ldap_connect is not available. Make sure that the PHP ldap module is installed.',
+                    ['app' => 'user_ldap']
+                );
+
+                return false;
+            }
+
+            $hasBackupHost = (trim($this->configuration->ldapBackupHost ?? '') !== '');
+            $hasBackgroundHost = (trim($this->configuration->ldapBackgroundHost ?? '') !== '');
+            $useBackgroundHost = (\OC::$CLI && $hasBackgroundHost);
+            $overrideCacheKey = ($useBackgroundHost ? 'overrideBackgroundServer' : 'overrideMainServer');
+            $forceBackupHost = ($this->configuration->ldapOverrideMainServer || $this->getFromCache($overrideCacheKey));
+            $bindStatus = false;
+            if (!$forceBackupHost) {
+                try {
+                    $host = $this->configuration->ldapHost ?? '';
+                    $port = $this->configuration->ldapPort ?? '';
+                    if ($useBackgroundHost) {
+                        $host = $this->configuration->ldapBackgroundHost ?? '';
+                        $port = $this->configuration->ldapBackgroundPort ?? '';
+                    }
+                    $this->doConnect($host, $port);
+                    return $this->bind();
+                } catch (ServerNotAvailableException $e) {
+                    if (!$hasBackupHost) {
+                        throw $e;
+                    }
+                }
+                $this->logger->warning(
+                    'Main LDAP not reachable, connecting to backup: {msg}',
+                    [
+                        'app' => 'user_ldap',
+                        'msg' => $e->getMessage(),
+                        'exception' => $e,
+                    ]
+                );
+            }
+
+            // if LDAP server is not reachable, try the Backup (Replica!) Server
+            $this->doConnect($this->configuration->ldapBackupHost ?? '', $this->configuration->ldapBackupPort ?? '');
+            $this->bindResult = [];
+            $bindStatus = $this->bind();
+            $error = $this->ldap->isResource($this->ldapConnectionRes) ?
+                $this->ldap->errno($this->ldapConnectionRes) : -1;
+            if ($bindStatus && $error === 0 && !$forceBackupHost) {
+                //when bind to backup server succeeded and failed to main server,
+                //skip contacting it for 15min
+                $this->writeToCache($overrideCacheKey, true, 60 * 15);
+            }
+
+            return $bindStatus;
+        }
+        return null;
+    }
+
+    /**
+     * @param string $host
+     * @param string $port
+     * @throws \OC\ServerNotAvailableException
+     */
+    private function doConnect($host, $port): bool {
+        if ($host === '') {
+            return false;
+        }
+
+        $this->ldapConnectionRes = $this->ldap->connect($host, $port) ?: null;
+
+        if ($this->ldapConnectionRes === null) {
+            throw new ServerNotAvailableException('Connection failed');
+        }
+
+        if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) {
+            throw new ServerNotAvailableException('Could not set required LDAP Protocol version.');
+        }
+
+        if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_REFERRALS, 0)) {
+            throw new ServerNotAvailableException('Could not disable LDAP referrals.');
+        }
+
+        if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_NETWORK_TIMEOUT, $this->configuration->ldapConnectionTimeout)) {
+            throw new ServerNotAvailableException('Could not set network timeout');
+        }
+
+        if ($this->configuration->ldapTLS) {
+            if ($this->configuration->turnOffCertCheck) {
+                if ($this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) {
+                    $this->logger->debug(
+                        'Turned off SSL certificate validation successfully.',
+                        ['app' => 'user_ldap']
+                    );
+                } else {
+                    $this->logger->warning(
+                        'Could not turn off SSL certificate validation.',
+                        ['app' => 'user_ldap']
+                    );
+                }
+            }
+
+            if (!$this->ldap->startTls($this->ldapConnectionRes)) {
+                throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.');
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Binds to LDAP
+     */
+    public function bind() {
+        if (!$this->configuration->ldapConfigurationActive) {
+            return false;
+        }
+        $cr = $this->ldapConnectionRes;
+        if (!$this->ldap->isResource($cr)) {
+            $cr = $this->getConnectionResource();
+        }
+
+        if (
+            count($this->bindResult) !== 0
+            && $this->bindResult['sum'] === md5($this->configuration->ldapAgentName . $this->configPrefix . $this->configuration->ldapAgentPassword)
+        ) {
+            // don't attempt to bind again with the same data as before
+            // bind might have been invoked via getConnectionResource(),
+            // but we need results specifically for e.g. user login
+            return $this->bindResult['result'];
+        }
+
+        $ldapLogin = @$this->ldap->bind($cr,
+            $this->configuration->ldapAgentName,
+            $this->configuration->ldapAgentPassword);
+
+        $this->bindResult = [
+            'sum' => md5($this->configuration->ldapAgentName . $this->configPrefix . $this->configuration->ldapAgentPassword),
+            'result' => $ldapLogin,
+        ];
+
+        if (!$ldapLogin) {
+            $errno = $this->ldap->errno($cr);
+
+            $this->logger->warning(
+                'Bind failed: ' . $errno . ': ' . $this->ldap->error($cr),
+                ['app' => 'user_ldap']
+            );
+
+            // Set to failure mode, if LDAP error code is not one of
+            // - LDAP_SUCCESS (0)
+            // - LDAP_INVALID_CREDENTIALS (49)
+            // - LDAP_INSUFFICIENT_ACCESS (50, spotted Apple Open Directory)
+            // - LDAP_UNWILLING_TO_PERFORM (53, spotted eDirectory)
+            if (!in_array($errno, [0, 49, 50, 53], true)) {
+                $this->ldapConnectionRes = null;
+            }
+
+            return false;
+        }
+        return true;
+    }
 }

Spacing +15 added lines, -15 removed lines

@@ -224,7 +224,7 @@ 
 	 * @param bool $state
 	 */
 	public function setIgnoreValidation($state) {
-		$this->ignoreValidation = (bool)$state;
+		$this->ignoreValidation = (bool) $state;
 	}
 
 	/**
@@ -245,7 +245,7 @@ 
 		}
 		if (is_null($this->ldapConnectionRes)) {
 			$this->logger->error(
-				'No LDAP Connection to server ' . $this->configuration->ldapHost,
+				'No LDAP Connection to server '.$this->configuration->ldapHost,
 				['app' => 'user_ldap']
 			);
 			throw new ServerNotAvailableException('Connection to LDAP server could not be established');
@@ -268,11 +268,11 @@ 
 	 * @param string|null $key
 	 */
 	private function getCacheKey($key): string {
-		$prefix = 'LDAP-' . $this->configID . '-' . $this->configPrefix . '-';
+		$prefix = 'LDAP-'.$this->configID.'-'.$this->configPrefix.'-';
 		if (is_null($key)) {
 			return $prefix;
 		}
-		return $prefix . hash('sha256', $key);
+		return $prefix.hash('sha256', $key);
 	}
 
 	/**
@@ -420,14 +420,14 @@ 
 					$this->configuration->$effectiveSetting = 'auto';
 					$this->configuration->saveConfiguration();
 					$this->logger->info(
-						'Illegal value for the ' . $effectiveSetting . ', reset to autodetect.',
+						'Illegal value for the '.$effectiveSetting.', reset to autodetect.',
 						['app' => 'user_ldap']
 					);
 				}
 			}
 		}
 
-		$backupPort = (int)$this->configuration->ldapBackupPort;
+		$backupPort = (int) $this->configuration->ldapBackupPort;
 		if ($backupPort <= 0) {
 			$this->configuration->ldapBackupPort = $this->configuration->ldapPort;
 		}
@@ -442,9 +442,9 @@ 
 			}
 		}
 
-		if ((stripos((string)$this->configuration->ldapHost, 'ldaps://') === 0)
+		if ((stripos((string) $this->configuration->ldapHost, 'ldaps://') === 0)
 			&& $this->configuration->ldapTLS) {
-			$this->configuration->ldapTLS = (string)false;
+			$this->configuration->ldapTLS = (string) false;
 			$this->logger->info(
 				'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.',
 				['app' => 'user_ldap']
@@ -489,7 +489,7 @@ 
 						break;
 				}
 				throw new ConfigurationIssueException(
-					'No ' . $subj . ' given!',
+					'No '.$subj.' given!',
 					$this->l10n->t('Mandatory field "%s" left empty', $subj),
 				);
 			}
@@ -536,7 +536,7 @@ 
 			);
 		}
 
-		if (mb_strpos((string)$this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) {
+		if (mb_strpos((string) $this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8') === false) {
 			throw new ConfigurationIssueException(
 				'Login filter does not contain %uid placeholder.',
 				$this->l10n->t('Login filter does not contain %s placeholder.', ['%uid']),
@@ -589,7 +589,7 @@ 
 				throw $e;
 			}
 			$this->logger->warning(
-				'Configuration Error (prefix ' . $this->configPrefix . '): ' . $e->getMessage(),
+				'Configuration Error (prefix '.$this->configPrefix.'): '.$e->getMessage(),
 				['exception' => $e]
 			);
 			return false;
@@ -720,7 +720,7 @@ 
 			}
 
 			if (!$this->ldap->startTls($this->ldapConnectionRes)) {
-				throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.');
+				throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host '.$host.'.');
 			}
 		}
 
@@ -741,7 +741,7 @@ 
 
 		if (
 			count($this->bindResult) !== 0
-			&& $this->bindResult['sum'] === md5($this->configuration->ldapAgentName . $this->configPrefix . $this->configuration->ldapAgentPassword)
+			&& $this->bindResult['sum'] === md5($this->configuration->ldapAgentName.$this->configPrefix.$this->configuration->ldapAgentPassword)
 		) {
 			// don't attempt to bind again with the same data as before
 			// bind might have been invoked via getConnectionResource(),
@@ -754,7 +754,7 @@ 
 			$this->configuration->ldapAgentPassword);
 
 		$this->bindResult = [
-			'sum' => md5($this->configuration->ldapAgentName . $this->configPrefix . $this->configuration->ldapAgentPassword),
+			'sum' => md5($this->configuration->ldapAgentName.$this->configPrefix.$this->configuration->ldapAgentPassword),
 			'result' => $ldapLogin,
 		];
 
@@ -762,7 +762,7 @@ 
 			$errno = $this->ldap->errno($cr);
 
 			$this->logger->warning(
-				'Bind failed: ' . $errno . ': ' . $this->ldap->error($cr),
+				'Bind failed: '.$errno.': '.$this->ldap->error($cr),
 				['app' => 'user_ldap']
 			);