Inspection of "Merge pull request #21171 from nextcloud/enh/noid/..." - nextcloud/server - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( db782f...d72d9f )

by Morris

created 2020-07-06 12:00 UTC

Status

Indentation +1984 added lines, -1984 removed lines patch added patch discarded remove patch

@@ -63,1771 +63,1771 @@  discard block
 block discarded – undo
  * @package OCA\User_LDAP
  */
 class Access extends LDAPUtility {
-	public const UUID_ATTRIBUTES = ['entryuuid', 'nsuniqueid', 'objectguid', 'guid', 'ipauniqueid'];
-
-	/** @var \OCA\User_LDAP\Connection */
-	public $connection;
-	/** @var Manager */
-	public $userManager;
-	//never ever check this var directly, always use getPagedSearchResultState
-	protected $pagedSearchedSuccessful;
-
-	/**
-	 * protected $cookies = [];
-	 *
-	 * @var AbstractMapping $userMapper
-	 */
-	protected $userMapper;
-
-	/**
-	 * @var AbstractMapping $userMapper
-	 */
-	protected $groupMapper;
-
-	/**
-	 * @var \OCA\User_LDAP\Helper
-	 */
-	private $helper;
-	/** @var IConfig */
-	private $config;
-	/** @var IUserManager */
-	private $ncUserManager;
-	/** @var string */
-	private $lastCookie = '';
-
-	public function __construct(
-		Connection $connection,
-		ILDAPWrapper $ldap,
-		Manager $userManager,
-		Helper $helper,
-		IConfig $config,
-		IUserManager $ncUserManager
-	) {
-		parent::__construct($ldap);
-		$this->connection = $connection;
-		$this->userManager = $userManager;
-		$this->userManager->setLdapAccess($this);
-		$this->helper = $helper;
-		$this->config = $config;
-		$this->ncUserManager = $ncUserManager;
-	}
-
-	/**
-	 * sets the User Mapper
-	 *
-	 * @param AbstractMapping $mapper
-	 */
-	public function setUserMapper(AbstractMapping $mapper) {
-		$this->userMapper = $mapper;
-	}
-
-	/**
-	 * returns the User Mapper
-	 *
-	 * @return AbstractMapping
-	 * @throws \Exception
-	 */
-	public function getUserMapper() {
-		if (is_null($this->userMapper)) {
-			throw new \Exception('UserMapper was not assigned to this Access instance.');
-		}
-		return $this->userMapper;
-	}
-
-	/**
-	 * sets the Group Mapper
-	 *
-	 * @param AbstractMapping $mapper
-	 */
-	public function setGroupMapper(AbstractMapping $mapper) {
-		$this->groupMapper = $mapper;
-	}
-
-	/**
-	 * returns the Group Mapper
-	 *
-	 * @return AbstractMapping
-	 * @throws \Exception
-	 */
-	public function getGroupMapper() {
-		if (is_null($this->groupMapper)) {
-			throw new \Exception('GroupMapper was not assigned to this Access instance.');
-		}
-		return $this->groupMapper;
-	}
-
-	/**
-	 * @return bool
-	 */
-	private function checkConnection() {
-		return ($this->connection instanceof Connection);
-	}
-
-	/**
-	 * returns the Connection instance
-	 *
-	 * @return \OCA\User_LDAP\Connection
-	 */
-	public function getConnection() {
-		return $this->connection;
-	}
-
-	/**
-	 * reads a given attribute for an LDAP record identified by a DN
-	 *
-	 * @param string $dn the record in question
-	 * @param string $attr the attribute that shall be retrieved
-	 *        if empty, just check the record's existence
-	 * @param string $filter
-	 * @return array|false an array of values on success or an empty
-	 *          array if $attr is empty, false otherwise
-	 * @throws ServerNotAvailableException
-	 */
-	public function readAttribute($dn, $attr, $filter = 'objectClass=*') {
-		if (!$this->checkConnection()) {
-			\OCP\Util::writeLog('user_ldap',
-				'No LDAP Connector assigned, access impossible for readAttribute.',
-				ILogger::WARN);
-			return false;
-		}
-		$cr = $this->connection->getConnectionResource();
-		if (!$this->ldap->isResource($cr)) {
-			//LDAP not available
-			\OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG);
-			return false;
-		}
-		//Cancel possibly running Paged Results operation, otherwise we run in
-		//LDAP protocol errors
-		$this->abandonPagedSearch();
-		// openLDAP requires that we init a new Paged Search. Not needed by AD,
-		// but does not hurt either.
-		$pagingSize = (int)$this->connection->ldapPagingSize;
-		// 0 won't result in replies, small numbers may leave out groups
-		// (cf. #12306), 500 is default for paging and should work everywhere.
-		$maxResults = $pagingSize > 20 ? $pagingSize : 500;
-		$attr = mb_strtolower($attr, 'UTF-8');
-		// the actual read attribute later may contain parameters on a ranged
-		// request, e.g. member;range=99-199. Depends on server reply.
-		$attrToRead = $attr;
-
-		$values = [];
-		$isRangeRequest = false;
-		do {
-			$result = $this->executeRead($cr, $dn, $attrToRead, $filter, $maxResults);
-			if (is_bool($result)) {
-				// when an exists request was run and it was successful, an empty
-				// array must be returned
-				return $result ? [] : false;
-			}
-
-			if (!$isRangeRequest) {
-				$values = $this->extractAttributeValuesFromResult($result, $attr);
-				if (!empty($values)) {
-					return $values;
-				}
-			}
-
-			$isRangeRequest = false;
-			$result = $this->extractRangeData($result, $attr);
-			if (!empty($result)) {
-				$normalizedResult = $this->extractAttributeValuesFromResult(
-					[$attr => $result['values']],
-					$attr
-				);
-				$values = array_merge($values, $normalizedResult);
-
-				if ($result['rangeHigh'] === '*') {
-					// when server replies with * as high range value, there are
-					// no more results left
-					return $values;
-				} else {
-					$low = $result['rangeHigh'] + 1;
-					$attrToRead = $result['attributeName'] . ';range=' . $low . '-*';
-					$isRangeRequest = true;
-				}
-			}
-		} while ($isRangeRequest);
-
-		\OCP\Util::writeLog('user_ldap', 'Requested attribute ' . $attr . ' not found for ' . $dn, ILogger::DEBUG);
-		return false;
-	}
-
-	/**
-	 * Runs an read operation against LDAP
-	 *
-	 * @param resource $cr the LDAP connection
-	 * @param string $dn
-	 * @param string $attribute
-	 * @param string $filter
-	 * @param int $maxResults
-	 * @return array|bool false if there was any error, true if an exists check
-	 *                    was performed and the requested DN found, array with the
-	 *                    returned data on a successful usual operation
-	 * @throws ServerNotAvailableException
-	 */
-	public function executeRead($cr, $dn, $attribute, $filter, $maxResults) {
-		$this->initPagedSearch($filter, $dn, [$attribute], $maxResults, 0);
-		$dn = $this->helper->DNasBaseParameter($dn);
-		$rr = @$this->invokeLDAPMethod('read', $cr, $dn, $filter, [$attribute]);
-		if (!$this->ldap->isResource($rr)) {
-			if ($attribute !== '') {
-				//do not throw this message on userExists check, irritates
-				\OCP\Util::writeLog('user_ldap', 'readAttribute failed for DN ' . $dn, ILogger::DEBUG);
-			}
-			//in case an error occurs , e.g. object does not exist
-			return false;
-		}
-		if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $cr, $rr) === 1)) {
-			\OCP\Util::writeLog('user_ldap', 'readAttribute: ' . $dn . ' found', ILogger::DEBUG);
-			return true;
-		}
-		$er = $this->invokeLDAPMethod('firstEntry', $cr, $rr);
-		if (!$this->ldap->isResource($er)) {
-			//did not match the filter, return false
-			return false;
-		}
-		//LDAP attributes are not case sensitive
-		$result = \OCP\Util::mb_array_change_key_case(
-			$this->invokeLDAPMethod('getAttributes', $cr, $er), MB_CASE_LOWER, 'UTF-8');
-
-		return $result;
-	}
-
-	/**
-	 * Normalizes a result grom getAttributes(), i.e. handles DNs and binary
-	 * data if present.
-	 *
-	 * @param array $result from ILDAPWrapper::getAttributes()
-	 * @param string $attribute the attribute name that was read
-	 * @return string[]
-	 */
-	public function extractAttributeValuesFromResult($result, $attribute) {
-		$values = [];
-		if (isset($result[$attribute]) && $result[$attribute]['count'] > 0) {
-			$lowercaseAttribute = strtolower($attribute);
-			for ($i = 0; $i < $result[$attribute]['count']; $i++) {
-				if ($this->resemblesDN($attribute)) {
-					$values[] = $this->helper->sanitizeDN($result[$attribute][$i]);
-				} elseif ($lowercaseAttribute === 'objectguid' || $lowercaseAttribute === 'guid') {
-					$values[] = $this->convertObjectGUID2Str($result[$attribute][$i]);
-				} else {
-					$values[] = $result[$attribute][$i];
-				}
-			}
-		}
-		return $values;
-	}
-
-	/**
-	 * Attempts to find ranged data in a getAttribute results and extracts the
-	 * returned values as well as information on the range and full attribute
-	 * name for further processing.
-	 *
-	 * @param array $result from ILDAPWrapper::getAttributes()
-	 * @param string $attribute the attribute name that was read. Without ";range=…"
-	 * @return array If a range was detected with keys 'values', 'attributeName',
-	 *               'attributeFull' and 'rangeHigh', otherwise empty.
-	 */
-	public function extractRangeData($result, $attribute) {
-		$keys = array_keys($result);
-		foreach ($keys as $key) {
-			if ($key !== $attribute && strpos($key, $attribute) === 0) {
-				$queryData = explode(';', $key);
-				if (strpos($queryData[1], 'range=') === 0) {
-					$high = substr($queryData[1], 1 + strpos($queryData[1], '-'));
-					$data = [
-						'values' => $result[$key],
-						'attributeName' => $queryData[0],
-						'attributeFull' => $key,
-						'rangeHigh' => $high,
-					];
-					return $data;
-				}
-			}
-		}
-		return [];
-	}
-
-	/**
-	 * Set password for an LDAP user identified by a DN
-	 *
-	 * @param string $userDN the user in question
-	 * @param string $password the new password
-	 * @return bool
-	 * @throws HintException
-	 * @throws \Exception
-	 */
-	public function setPassword($userDN, $password) {
-		if ((int)$this->connection->turnOnPasswordChange !== 1) {
-			throw new \Exception('LDAP password changes are disabled.');
-		}
-		$cr = $this->connection->getConnectionResource();
-		if (!$this->ldap->isResource($cr)) {
-			//LDAP not available
-			\OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG);
-			return false;
-		}
-		try {
-			// try PASSWD extended operation first
-			return @$this->invokeLDAPMethod('exopPasswd', $cr, $userDN, '', $password) ||
-				@$this->invokeLDAPMethod('modReplace', $cr, $userDN, $password);
-		} catch (ConstraintViolationException $e) {
-			throw new HintException('Password change rejected.', \OC::$server->getL10N('user_ldap')->t('Password change rejected. Hint: ') . $e->getMessage(), $e->getCode());
-		}
-	}
-
-	/**
-	 * checks whether the given attributes value is probably a DN
-	 *
-	 * @param string $attr the attribute in question
-	 * @return boolean if so true, otherwise false
-	 */
-	private function resemblesDN($attr) {
-		$resemblingAttributes = [
-			'dn',
-			'uniquemember',
-			'member',
-			// memberOf is an "operational" attribute, without a definition in any RFC
-			'memberof'
-		];
-		return in_array($attr, $resemblingAttributes);
-	}
-
-	/**
-	 * checks whether the given string is probably a DN
-	 *
-	 * @param string $string
-	 * @return boolean
-	 */
-	public function stringResemblesDN($string) {
-		$r = $this->ldap->explodeDN($string, 0);
-		// if exploding a DN succeeds and does not end up in
-		// an empty array except for $r[count] being 0.
-		return (is_array($r) && count($r) > 1);
-	}
-
-	/**
-	 * returns a DN-string that is cleaned from not domain parts, e.g.
-	 * cn=foo,cn=bar,dc=foobar,dc=server,dc=org
-	 * becomes dc=foobar,dc=server,dc=org
-	 *
-	 * @param string $dn
-	 * @return string
-	 */
-	public function getDomainDNFromDN($dn) {
-		$allParts = $this->ldap->explodeDN($dn, 0);
-		if ($allParts === false) {
-			//not a valid DN
-			return '';
-		}
-		$domainParts = [];
-		$dcFound = false;
-		foreach ($allParts as $part) {
-			if (!$dcFound && strpos($part, 'dc=') === 0) {
-				$dcFound = true;
-			}
-			if ($dcFound) {
-				$domainParts[] = $part;
-			}
-		}
-		return implode(',', $domainParts);
-	}
-
-	/**
-	 * returns the LDAP DN for the given internal Nextcloud name of the group
-	 *
-	 * @param string $name the Nextcloud name in question
-	 * @return string|false LDAP DN on success, otherwise false
-	 */
-	public function groupname2dn($name) {
-		return $this->groupMapper->getDNByName($name);
-	}
-
-	/**
-	 * returns the LDAP DN for the given internal Nextcloud name of the user
-	 *
-	 * @param string $name the Nextcloud name in question
-	 * @return string|false with the LDAP DN on success, otherwise false
-	 */
-	public function username2dn($name) {
-		$fdn = $this->userMapper->getDNByName($name);
-
-		//Check whether the DN belongs to the Base, to avoid issues on multi-
-		//server setups
-		if (is_string($fdn) && $this->isDNPartOfBase($fdn, $this->connection->ldapBaseUsers)) {
-			return $fdn;
-		}
-
-		return false;
-	}
-
-	/**
-	 * returns the internal Nextcloud name for the given LDAP DN of the group, false on DN outside of search DN or failure
-	 *
-	 * @param string $fdn the dn of the group object
-	 * @param string $ldapName optional, the display name of the object
-	 * @return string|false with the name to use in Nextcloud, false on DN outside of search DN
-	 * @throws \Exception
-	 */
-	public function dn2groupname($fdn, $ldapName = null) {
-		//To avoid bypassing the base DN settings under certain circumstances
-		//with the group support, check whether the provided DN matches one of
-		//the given Bases
-		if (!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseGroups)) {
-			return false;
-		}
-
-		return $this->dn2ocname($fdn, $ldapName, false);
-	}
-
-	/**
-	 * returns the internal Nextcloud name for the given LDAP DN of the user, false on DN outside of search DN or failure
-	 *
-	 * @param string $dn the dn of the user object
-	 * @param string $ldapName optional, the display name of the object
-	 * @return string|false with with the name to use in Nextcloud
-	 * @throws \Exception
-	 */
-	public function dn2username($fdn, $ldapName = null) {
-		//To avoid bypassing the base DN settings under certain circumstances
-		//with the group support, check whether the provided DN matches one of
-		//the given Bases
-		if (!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseUsers)) {
-			return false;
-		}
-
-		return $this->dn2ocname($fdn, $ldapName, true);
-	}
-
-	/**
-	 * returns an internal Nextcloud name for the given LDAP DN, false on DN outside of search DN
-	 *
-	 * @param string $fdn the dn of the user object
-	 * @param string|null $ldapName optional, the display name of the object
-	 * @param bool $isUser optional, whether it is a user object (otherwise group assumed)
-	 * @param bool|null $newlyMapped
-	 * @param array|null $record
-	 * @return false|string with with the name to use in Nextcloud
-	 * @throws \Exception
-	 */
-	public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, array $record = null) {
-		$newlyMapped = false;
-		if ($isUser) {
-			$mapper = $this->getUserMapper();
-			$nameAttribute = $this->connection->ldapUserDisplayName;
-			$filter = $this->connection->ldapUserFilter;
-		} else {
-			$mapper = $this->getGroupMapper();
-			$nameAttribute = $this->connection->ldapGroupDisplayName;
-			$filter = $this->connection->ldapGroupFilter;
-		}
-
-		//let's try to retrieve the Nextcloud name from the mappings table
-		$ncName = $mapper->getNameByDN($fdn);
-		if (is_string($ncName)) {
-			return $ncName;
-		}
-
-		//second try: get the UUID and check if it is known. Then, update the DN and return the name.
-		$uuid = $this->getUUID($fdn, $isUser, $record);
-		if (is_string($uuid)) {
-			$ncName = $mapper->getNameByUUID($uuid);
-			if (is_string($ncName)) {
-				$mapper->setDNbyUUID($fdn, $uuid);
-				return $ncName;
-			}
-		} else {
-			//If the UUID can't be detected something is foul.
-			\OCP\Util::writeLog('user_ldap', 'Cannot determine UUID for ' . $fdn . '. Skipping.', ILogger::INFO);
-			return false;
-		}
-
-		if (is_null($ldapName)) {
-			$ldapName = $this->readAttribute($fdn, $nameAttribute, $filter);
-			if (!isset($ldapName[0]) && empty($ldapName[0])) {
-				\OCP\Util::writeLog('user_ldap', 'No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ILogger::INFO);
-				return false;
-			}
-			$ldapName = $ldapName[0];
-		}
-
-		if ($isUser) {
-			$usernameAttribute = (string)$this->connection->ldapExpertUsernameAttr;
-			if ($usernameAttribute !== '') {
-				$username = $this->readAttribute($fdn, $usernameAttribute);
-				$username = $username[0];
-			} else {
-				$username = $uuid;
-			}
-			try {
-				$intName = $this->sanitizeUsername($username);
-			} catch (\InvalidArgumentException $e) {
-				\OC::$server->getLogger()->logException($e, [
-					'app' => 'user_ldap',
-					'level' => ILogger::WARN,
-				]);
-				// we don't attempt to set a username here. We can go for
-				// for an alternative 4 digit random number as we would append
-				// otherwise, however it's likely not enough space in bigger
-				// setups, and most importantly: this is not intended.
-				return false;
-			}
-		} else {
-			$intName = $ldapName;
-		}
-
-		//a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups
-		//disabling Cache is required to avoid that the new user is cached as not-existing in fooExists check
-		//NOTE: mind, disabling cache affects only this instance! Using it
-		// outside of core user management will still cache the user as non-existing.
-		$originalTTL = $this->connection->ldapCacheTTL;
-		$this->connection->setConfiguration(['ldapCacheTTL' => 0]);
-		if ($intName !== ''
-			&& (($isUser && !$this->ncUserManager->userExists($intName))
-				|| (!$isUser && !\OC::$server->getGroupManager()->groupExists($intName))
-			)
-		) {
-			$this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]);
-			$newlyMapped = $this->mapAndAnnounceIfApplicable($mapper, $fdn, $intName, $uuid, $isUser);
-			if ($newlyMapped) {
-				return $intName;
-			}
-		}
-
-		$this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]);
-		$altName = $this->createAltInternalOwnCloudName($intName, $isUser);
-		if (is_string($altName)) {
-			if ($this->mapAndAnnounceIfApplicable($mapper, $fdn, $altName, $uuid, $isUser)) {
-				$newlyMapped = true;
-				return $altName;
-			}
-		}
-
-		//if everything else did not help..
-		\OCP\Util::writeLog('user_ldap', 'Could not create unique name for ' . $fdn . '.', ILogger::INFO);
-		return false;
-	}
-
-	public function mapAndAnnounceIfApplicable(
-		AbstractMapping $mapper,
-		string $fdn,
-		string $name,
-		string $uuid,
-		bool $isUser
-	): bool {
-		if ($mapper->map($fdn, $name, $uuid)) {
-			if ($this->ncUserManager instanceof PublicEmitter && $isUser) {
-				$this->cacheUserExists($name);
-				$this->ncUserManager->emit('\OC\User', 'assignedUserId', [$name]);
-			} elseif (!$isUser) {
-				$this->cacheGroupExists($name);
-			}
-			return true;
-		}
-		return false;
-	}
-
-	/**
-	 * gives back the user names as they are used ownClod internally
-	 *
-	 * @param array $ldapUsers as returned by fetchList()
-	 * @return array an array with the user names to use in Nextcloud
-	 *
-	 * gives back the user names as they are used ownClod internally
-	 * @throws \Exception
-	 */
-	public function nextcloudUserNames($ldapUsers) {
-		return $this->ldap2NextcloudNames($ldapUsers, true);
-	}
-
-	/**
-	 * gives back the group names as they are used ownClod internally
-	 *
-	 * @param array $ldapGroups as returned by fetchList()
-	 * @return array an array with the group names to use in Nextcloud
-	 *
-	 * gives back the group names as they are used ownClod internally
-	 * @throws \Exception
-	 */
-	public function nextcloudGroupNames($ldapGroups) {
-		return $this->ldap2NextcloudNames($ldapGroups, false);
-	}
-
-	/**
-	 * @param array $ldapObjects as returned by fetchList()
-	 * @param bool $isUsers
-	 * @return array
-	 * @throws \Exception
-	 */
-	private function ldap2NextcloudNames($ldapObjects, $isUsers) {
-		if ($isUsers) {
-			$nameAttribute = $this->connection->ldapUserDisplayName;
-			$sndAttribute = $this->connection->ldapUserDisplayName2;
-		} else {
-			$nameAttribute = $this->connection->ldapGroupDisplayName;
-		}
-		$nextcloudNames = [];
-
-		foreach ($ldapObjects as $ldapObject) {
-			$nameByLDAP = null;
-			if (isset($ldapObject[$nameAttribute])
-				&& is_array($ldapObject[$nameAttribute])
-				&& isset($ldapObject[$nameAttribute][0])
-			) {
-				// might be set, but not necessarily. if so, we use it.
-				$nameByLDAP = $ldapObject[$nameAttribute][0];
-			}
-
-			$ncName = $this->dn2ocname($ldapObject['dn'][0], $nameByLDAP, $isUsers);
-			if ($ncName) {
-				$nextcloudNames[] = $ncName;
-				if ($isUsers) {
-					$this->updateUserState($ncName);
-					//cache the user names so it does not need to be retrieved
-					//again later (e.g. sharing dialogue).
-					if (is_null($nameByLDAP)) {
-						continue;
-					}
-					$sndName = isset($ldapObject[$sndAttribute][0])
-						? $ldapObject[$sndAttribute][0] : '';
-					$this->cacheUserDisplayName($ncName, $nameByLDAP, $sndName);
-				} elseif ($nameByLDAP !== null) {
-					$this->cacheGroupDisplayName($ncName, $nameByLDAP);
-				}
-			}
-		}
-		return $nextcloudNames;
-	}
-
-	/**
-	 * removes the deleted-flag of a user if it was set
-	 *
-	 * @param string $ncname
-	 * @throws \Exception
-	 */
-	public function updateUserState($ncname) {
-		$user = $this->userManager->get($ncname);
-		if ($user instanceof OfflineUser) {
-			$user->unmark();
-		}
-	}
-
-	/**
-	 * caches the user display name
-	 *
-	 * @param string $ocName the internal Nextcloud username
-	 * @param string|false $home the home directory path
-	 */
-	public function cacheUserHome($ocName, $home) {
-		$cacheKey = 'getHome' . $ocName;
-		$this->connection->writeToCache($cacheKey, $home);
-	}
-
-	/**
-	 * caches a user as existing
-	 *
-	 * @param string $ocName the internal Nextcloud username
-	 */
-	public function cacheUserExists($ocName) {
-		$this->connection->writeToCache('userExists' . $ocName, true);
-	}
-
-	/**
-	 * caches a group as existing
-	 */
-	public function cacheGroupExists(string $gid): void {
-		$this->connection->writeToCache('groupExists' . $gid, true);
-	}
-
-	/**
-	 * caches the user display name
-	 *
-	 * @param string $ocName the internal Nextcloud username
-	 * @param string $displayName the display name
-	 * @param string $displayName2 the second display name
-	 * @throws \Exception
-	 */
-	public function cacheUserDisplayName($ocName, $displayName, $displayName2 = '') {
-		$user = $this->userManager->get($ocName);
-		if ($user === null) {
-			return;
-		}
-		$displayName = $user->composeAndStoreDisplayName($displayName, $displayName2);
-		$cacheKeyTrunk = 'getDisplayName';
-		$this->connection->writeToCache($cacheKeyTrunk . $ocName, $displayName);
-	}
-
-	public function cacheGroupDisplayName(string $ncName, string $displayName): void {
-		$cacheKey = 'group_getDisplayName' . $ncName;
-		$this->connection->writeToCache($cacheKey, $displayName);
-	}
-
-	/**
-	 * creates a unique name for internal Nextcloud use for users. Don't call it directly.
-	 *
-	 * @param string $name the display name of the object
-	 * @return string|false with with the name to use in Nextcloud or false if unsuccessful
-	 *
-	 * Instead of using this method directly, call
-	 * createAltInternalOwnCloudName($name, true)
-	 */
-	private function _createAltInternalOwnCloudNameForUsers($name) {
-		$attempts = 0;
-		//while loop is just a precaution. If a name is not generated within
-		//20 attempts, something else is very wrong. Avoids infinite loop.
-		while ($attempts < 20) {
-			$altName = $name . '_' . rand(1000, 9999);
-			if (!$this->ncUserManager->userExists($altName)) {
-				return $altName;
-			}
-			$attempts++;
-		}
-		return false;
-	}
-
-	/**
-	 * creates a unique name for internal Nextcloud use for groups. Don't call it directly.
-	 *
-	 * @param string $name the display name of the object
-	 * @return string|false with with the name to use in Nextcloud or false if unsuccessful.
-	 *
-	 * Instead of using this method directly, call
-	 * createAltInternalOwnCloudName($name, false)
-	 *
-	 * Group names are also used as display names, so we do a sequential
-	 * numbering, e.g. Developers_42 when there are 41 other groups called
-	 * "Developers"
-	 */
-	private function _createAltInternalOwnCloudNameForGroups($name) {
-		$usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
-		if (!$usedNames || count($usedNames) === 0) {
-			$lastNo = 1; //will become name_2
-		} else {
-			natsort($usedNames);
-			$lastName = array_pop($usedNames);
-			$lastNo = (int)substr($lastName, strrpos($lastName, '_') + 1);
-		}
-		$altName = $name . '_' . (string)($lastNo + 1);
-		unset($usedNames);
-
-		$attempts = 1;
-		while ($attempts < 21) {
-			// Check to be really sure it is unique
-			// while loop is just a precaution. If a name is not generated within
-			// 20 attempts, something else is very wrong. Avoids infinite loop.
-			if (!\OC::$server->getGroupManager()->groupExists($altName)) {
-				return $altName;
-			}
-			$altName = $name . '_' . ($lastNo + $attempts);
-			$attempts++;
-		}
-		return false;
-	}
-
-	/**
-	 * creates a unique name for internal Nextcloud use.
-	 *
-	 * @param string $name the display name of the object
-	 * @param boolean $isUser whether name should be created for a user (true) or a group (false)
-	 * @return string|false with with the name to use in Nextcloud or false if unsuccessful
-	 */
-	private function createAltInternalOwnCloudName($name, $isUser) {
-		$originalTTL = $this->connection->ldapCacheTTL;
-		$this->connection->setConfiguration(['ldapCacheTTL' => 0]);
-		if ($isUser) {
-			$altName = $this->_createAltInternalOwnCloudNameForUsers($name);
-		} else {
-			$altName = $this->_createAltInternalOwnCloudNameForGroups($name);
-		}
-		$this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]);
-
-		return $altName;
-	}
-
-	/**
-	 * fetches a list of users according to a provided loginName and utilizing
-	 * the login filter.
-	 */
-	public function fetchUsersByLoginName(string $loginName, array $attributes = ['dn']): array {
-		$loginName = $this->escapeFilterPart($loginName);
-		$filter = str_replace('%uid', $loginName, $this->connection->ldapLoginFilter);
-		return $this->fetchListOfUsers($filter, $attributes);
-	}
-
-	/**
-	 * counts the number of users according to a provided loginName and
-	 * utilizing the login filter.
-	 *
-	 * @param string $loginName
-	 * @return int
-	 */
-	public function countUsersByLoginName($loginName) {
-		$loginName = $this->escapeFilterPart($loginName);
-		$filter = str_replace('%uid', $loginName, $this->connection->ldapLoginFilter);
-		return $this->countUsers($filter);
-	}
-
-	/**
-	 * @throws \Exception
-	 */
-	public function fetchListOfUsers(string $filter, array $attr, int $limit = null, int $offset = null, bool $forceApplyAttributes = false): array {
-		$ldapRecords = $this->searchUsers($filter, $attr, $limit, $offset);
-		$recordsToUpdate = $ldapRecords;
-		if (!$forceApplyAttributes) {
-			$isBackgroundJobModeAjax = $this->config
-					->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax';
-			$listOfDNs = array_reduce($ldapRecords, function ($listOfDNs, $entry) {
-				$listOfDNs[] = $entry['dn'][0];
-				return $listOfDNs;
-			}, []);
-			$idsByDn = $this->userMapper->getListOfIdsByDn($listOfDNs);
-			$recordsToUpdate = array_filter($ldapRecords, function ($record) use ($isBackgroundJobModeAjax, $idsByDn) {
-				$newlyMapped = false;
-				$uid = $idsByDn[$record['dn'][0]] ?? null;
-				if ($uid === null) {
-					$uid = $this->dn2ocname($record['dn'][0], null, true, $newlyMapped, $record);
-				}
-				if (is_string($uid)) {
-					$this->cacheUserExists($uid);
-				}
-				return ($uid !== false) && ($newlyMapped || $isBackgroundJobModeAjax);
-			});
-		}
-		$this->batchApplyUserAttributes($recordsToUpdate);
-		return $this->fetchList($ldapRecords, $this->manyAttributes($attr));
-	}
-
-	/**
-	 * provided with an array of LDAP user records the method will fetch the
-	 * user object and requests it to process the freshly fetched attributes and
-	 * and their values
-	 *
-	 * @param array $ldapRecords
-	 * @throws \Exception
-	 */
-	public function batchApplyUserAttributes(array $ldapRecords) {
-		$displayNameAttribute = strtolower($this->connection->ldapUserDisplayName);
-		foreach ($ldapRecords as $userRecord) {
-			if (!isset($userRecord[$displayNameAttribute])) {
-				// displayName is obligatory
-				continue;
-			}
-			$ocName = $this->dn2ocname($userRecord['dn'][0], null, true);
-			if ($ocName === false) {
-				continue;
-			}
-			$this->updateUserState($ocName);
-			$user = $this->userManager->get($ocName);
-			if ($user !== null) {
-				$user->processAttributes($userRecord);
-			} else {
-				\OC::$server->getLogger()->debug(
-					"The ldap user manager returned null for $ocName",
-					['app' => 'user_ldap']
-				);
-			}
-		}
-	}
-
-	/**
-	 * @param string $filter
-	 * @param string|string[] $attr
-	 * @param int $limit
-	 * @param int $offset
-	 * @return array
-	 */
-	public function fetchListOfGroups($filter, $attr, $limit = null, $offset = null) {
-		$groupRecords = $this->searchGroups($filter, $attr, $limit, $offset);
-
-		$listOfDNs = array_reduce($groupRecords, function ($listOfDNs, $entry) {
-			$listOfDNs[] = $entry['dn'][0];
-			return $listOfDNs;
-		}, []);
-		$idsByDn = $this->groupMapper->getListOfIdsByDn($listOfDNs);
-
-		array_walk($groupRecords, function ($record) use ($idsByDn) {
-			$newlyMapped = false;
-			$gid = $uidsByDn[$record['dn'][0]] ?? null;
-			if ($gid === null) {
-				$gid = $this->dn2ocname($record['dn'][0], null, false, $newlyMapped, $record);
-			}
-			if (!$newlyMapped && is_string($gid)) {
-				$this->cacheGroupExists($gid);
-			}
-		});
-		return $this->fetchList($groupRecords, $this->manyAttributes($attr));
-	}
-
-	/**
-	 * @param array $list
-	 * @param bool $manyAttributes
-	 * @return array
-	 */
-	private function fetchList($list, $manyAttributes) {
-		if (is_array($list)) {
-			if ($manyAttributes) {
-				return $list;
-			} else {
-				$list = array_reduce($list, function ($carry, $item) {
-					$attribute = array_keys($item)[0];
-					$carry[] = $item[$attribute][0];
-					return $carry;
-				}, []);
-				return array_unique($list, SORT_LOCALE_STRING);
-			}
-		}
-
-		//error cause actually, maybe throw an exception in future.
-		return [];
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 */
-	public function searchUsers(string $filter, array $attr = null, int $limit = null, int $offset = null): array {
-		$result = [];
-		foreach ($this->connection->ldapBaseUsers as $base) {
-			$result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset));
-		}
-		return $result;
-	}
-
-	/**
-	 * @param string $filter
-	 * @param string|string[] $attr
-	 * @param int $limit
-	 * @param int $offset
-	 * @return false|int
-	 * @throws ServerNotAvailableException
-	 */
-	public function countUsers($filter, $attr = ['dn'], $limit = null, $offset = null) {
-		$result = false;
-		foreach ($this->connection->ldapBaseUsers as $base) {
-			$count = $this->count($filter, [$base], $attr, $limit, $offset);
-			$result = is_int($count) ? (int)$result + $count : $result;
-		}
-		return $result;
-	}
-
-	/**
-	 * executes an LDAP search, optimized for Groups
-	 *
-	 * @param string $filter the LDAP filter for the search
-	 * @param string|string[] $attr optional, when a certain attribute shall be filtered out
-	 * @param integer $limit
-	 * @param integer $offset
-	 * @return array with the search result
-	 *
-	 * Executes an LDAP search
-	 * @throws ServerNotAvailableException
-	 */
-	public function searchGroups($filter, $attr = null, $limit = null, $offset = null) {
-		$result = [];
-		foreach ($this->connection->ldapBaseGroups as $base) {
-			$result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset));
-		}
-		return $result;
-	}
-
-	/**
-	 * returns the number of available groups
-	 *
-	 * @param string $filter the LDAP search filter
-	 * @param string[] $attr optional
-	 * @param int|null $limit
-	 * @param int|null $offset
-	 * @return int|bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function countGroups($filter, $attr = ['dn'], $limit = null, $offset = null) {
-		$result = false;
-		foreach ($this->connection->ldapBaseGroups as $base) {
-			$count = $this->count($filter, [$base], $attr, $limit, $offset);
-			$result = is_int($count) ? (int)$result + $count : $result;
-		}
-		return $result;
-	}
-
-	/**
-	 * returns the number of available objects on the base DN
-	 *
-	 * @param int|null $limit
-	 * @param int|null $offset
-	 * @return int|bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function countObjects($limit = null, $offset = null) {
-		$result = false;
-		foreach ($this->connection->ldapBase as $base) {
-			$count = $this->count('objectclass=*', [$base], ['dn'], $limit, $offset);
-			$result = is_int($count) ? (int)$result + $count : $result;
-		}
-		return $result;
-	}
-
-	/**
-	 * Returns the LDAP handler
-	 *
-	 * @throws \OC\ServerNotAvailableException
-	 */
-
-	/**
-	 * @return mixed
-	 * @throws \OC\ServerNotAvailableException
-	 */
-	private function invokeLDAPMethod() {
-		$arguments = func_get_args();
-		$command = array_shift($arguments);
-		$cr = array_shift($arguments);
-		if (!method_exists($this->ldap, $command)) {
-			return null;
-		}
-		array_unshift($arguments, $cr);
-		// php no longer supports call-time pass-by-reference
-		// thus cannot support controlPagedResultResponse as the third argument
-		// is a reference
-		$doMethod = function () use ($command, &$arguments) {
-			if ($command == 'controlPagedResultResponse') {
-				throw new \InvalidArgumentException('Invoker does not support controlPagedResultResponse, call LDAP Wrapper directly instead.');
-			} else {
-				return call_user_func_array([$this->ldap, $command], $arguments);
-			}
-		};
-		try {
-			$ret = $doMethod();
-		} catch (ServerNotAvailableException $e) {
-			/* Server connection lost, attempt to reestablish it
+    public const UUID_ATTRIBUTES = ['entryuuid', 'nsuniqueid', 'objectguid', 'guid', 'ipauniqueid'];
+
+    /** @var \OCA\User_LDAP\Connection */
+    public $connection;
+    /** @var Manager */
+    public $userManager;
+    //never ever check this var directly, always use getPagedSearchResultState
+    protected $pagedSearchedSuccessful;
+
+    /**
+     * protected $cookies = [];
+     *
+     * @var AbstractMapping $userMapper
+     */
+    protected $userMapper;
+
+    /**
+     * @var AbstractMapping $userMapper
+     */
+    protected $groupMapper;
+
+    /**
+     * @var \OCA\User_LDAP\Helper
+     */
+    private $helper;
+    /** @var IConfig */
+    private $config;
+    /** @var IUserManager */
+    private $ncUserManager;
+    /** @var string */
+    private $lastCookie = '';
+
+    public function __construct(
+        Connection $connection,
+        ILDAPWrapper $ldap,
+        Manager $userManager,
+        Helper $helper,
+        IConfig $config,
+        IUserManager $ncUserManager
+    ) {
+        parent::__construct($ldap);
+        $this->connection = $connection;
+        $this->userManager = $userManager;
+        $this->userManager->setLdapAccess($this);
+        $this->helper = $helper;
+        $this->config = $config;
+        $this->ncUserManager = $ncUserManager;
+    }
+
+    /**
+     * sets the User Mapper
+     *
+     * @param AbstractMapping $mapper
+     */
+    public function setUserMapper(AbstractMapping $mapper) {
+        $this->userMapper = $mapper;
+    }
+
+    /**
+     * returns the User Mapper
+     *
+     * @return AbstractMapping
+     * @throws \Exception
+     */
+    public function getUserMapper() {
+        if (is_null($this->userMapper)) {
+            throw new \Exception('UserMapper was not assigned to this Access instance.');
+        }
+        return $this->userMapper;
+    }
+
+    /**
+     * sets the Group Mapper
+     *
+     * @param AbstractMapping $mapper
+     */
+    public function setGroupMapper(AbstractMapping $mapper) {
+        $this->groupMapper = $mapper;
+    }
+
+    /**
+     * returns the Group Mapper
+     *
+     * @return AbstractMapping
+     * @throws \Exception
+     */
+    public function getGroupMapper() {
+        if (is_null($this->groupMapper)) {
+            throw new \Exception('GroupMapper was not assigned to this Access instance.');
+        }
+        return $this->groupMapper;
+    }
+
+    /**
+     * @return bool
+     */
+    private function checkConnection() {
+        return ($this->connection instanceof Connection);
+    }
+
+    /**
+     * returns the Connection instance
+     *
+     * @return \OCA\User_LDAP\Connection
+     */
+    public function getConnection() {
+        return $this->connection;
+    }
+
+    /**
+     * reads a given attribute for an LDAP record identified by a DN
+     *
+     * @param string $dn the record in question
+     * @param string $attr the attribute that shall be retrieved
+     *        if empty, just check the record's existence
+     * @param string $filter
+     * @return array|false an array of values on success or an empty
+     *          array if $attr is empty, false otherwise
+     * @throws ServerNotAvailableException
+     */
+    public function readAttribute($dn, $attr, $filter = 'objectClass=*') {
+        if (!$this->checkConnection()) {
+            \OCP\Util::writeLog('user_ldap',
+                'No LDAP Connector assigned, access impossible for readAttribute.',
+                ILogger::WARN);
+            return false;
+        }
+        $cr = $this->connection->getConnectionResource();
+        if (!$this->ldap->isResource($cr)) {
+            //LDAP not available
+            \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG);
+            return false;
+        }
+        //Cancel possibly running Paged Results operation, otherwise we run in
+        //LDAP protocol errors
+        $this->abandonPagedSearch();
+        // openLDAP requires that we init a new Paged Search. Not needed by AD,
+        // but does not hurt either.
+        $pagingSize = (int)$this->connection->ldapPagingSize;
+        // 0 won't result in replies, small numbers may leave out groups
+        // (cf. #12306), 500 is default for paging and should work everywhere.
+        $maxResults = $pagingSize > 20 ? $pagingSize : 500;
+        $attr = mb_strtolower($attr, 'UTF-8');
+        // the actual read attribute later may contain parameters on a ranged
+        // request, e.g. member;range=99-199. Depends on server reply.
+        $attrToRead = $attr;
+
+        $values = [];
+        $isRangeRequest = false;
+        do {
+            $result = $this->executeRead($cr, $dn, $attrToRead, $filter, $maxResults);
+            if (is_bool($result)) {
+                // when an exists request was run and it was successful, an empty
+                // array must be returned
+                return $result ? [] : false;
+            }
+
+            if (!$isRangeRequest) {
+                $values = $this->extractAttributeValuesFromResult($result, $attr);
+                if (!empty($values)) {
+                    return $values;
+                }
+            }
+
+            $isRangeRequest = false;
+            $result = $this->extractRangeData($result, $attr);
+            if (!empty($result)) {
+                $normalizedResult = $this->extractAttributeValuesFromResult(
+                    [$attr => $result['values']],
+                    $attr
+                );
+                $values = array_merge($values, $normalizedResult);
+
+                if ($result['rangeHigh'] === '*') {
+                    // when server replies with * as high range value, there are
+                    // no more results left
+                    return $values;
+                } else {
+                    $low = $result['rangeHigh'] + 1;
+                    $attrToRead = $result['attributeName'] . ';range=' . $low . '-*';
+                    $isRangeRequest = true;
+                }
+            }
+        } while ($isRangeRequest);
+
+        \OCP\Util::writeLog('user_ldap', 'Requested attribute ' . $attr . ' not found for ' . $dn, ILogger::DEBUG);
+        return false;
+    }
+
+    /**
+     * Runs an read operation against LDAP
+     *
+     * @param resource $cr the LDAP connection
+     * @param string $dn
+     * @param string $attribute
+     * @param string $filter
+     * @param int $maxResults
+     * @return array|bool false if there was any error, true if an exists check
+     *                    was performed and the requested DN found, array with the
+     *                    returned data on a successful usual operation
+     * @throws ServerNotAvailableException
+     */
+    public function executeRead($cr, $dn, $attribute, $filter, $maxResults) {
+        $this->initPagedSearch($filter, $dn, [$attribute], $maxResults, 0);
+        $dn = $this->helper->DNasBaseParameter($dn);
+        $rr = @$this->invokeLDAPMethod('read', $cr, $dn, $filter, [$attribute]);
+        if (!$this->ldap->isResource($rr)) {
+            if ($attribute !== '') {
+                //do not throw this message on userExists check, irritates
+                \OCP\Util::writeLog('user_ldap', 'readAttribute failed for DN ' . $dn, ILogger::DEBUG);
+            }
+            //in case an error occurs , e.g. object does not exist
+            return false;
+        }
+        if ($attribute === '' && ($filter === 'objectclass=*' || $this->invokeLDAPMethod('countEntries', $cr, $rr) === 1)) {
+            \OCP\Util::writeLog('user_ldap', 'readAttribute: ' . $dn . ' found', ILogger::DEBUG);
+            return true;
+        }
+        $er = $this->invokeLDAPMethod('firstEntry', $cr, $rr);
+        if (!$this->ldap->isResource($er)) {
+            //did not match the filter, return false
+            return false;
+        }
+        //LDAP attributes are not case sensitive
+        $result = \OCP\Util::mb_array_change_key_case(
+            $this->invokeLDAPMethod('getAttributes', $cr, $er), MB_CASE_LOWER, 'UTF-8');
+
+        return $result;
+    }
+
+    /**
+     * Normalizes a result grom getAttributes(), i.e. handles DNs and binary
+     * data if present.
+     *
+     * @param array $result from ILDAPWrapper::getAttributes()
+     * @param string $attribute the attribute name that was read
+     * @return string[]
+     */
+    public function extractAttributeValuesFromResult($result, $attribute) {
+        $values = [];
+        if (isset($result[$attribute]) && $result[$attribute]['count'] > 0) {
+            $lowercaseAttribute = strtolower($attribute);
+            for ($i = 0; $i < $result[$attribute]['count']; $i++) {
+                if ($this->resemblesDN($attribute)) {
+                    $values[] = $this->helper->sanitizeDN($result[$attribute][$i]);
+                } elseif ($lowercaseAttribute === 'objectguid' || $lowercaseAttribute === 'guid') {
+                    $values[] = $this->convertObjectGUID2Str($result[$attribute][$i]);
+                } else {
+                    $values[] = $result[$attribute][$i];
+                }
+            }
+        }
+        return $values;
+    }
+
+    /**
+     * Attempts to find ranged data in a getAttribute results and extracts the
+     * returned values as well as information on the range and full attribute
+     * name for further processing.
+     *
+     * @param array $result from ILDAPWrapper::getAttributes()
+     * @param string $attribute the attribute name that was read. Without ";range=…"
+     * @return array If a range was detected with keys 'values', 'attributeName',
+     *               'attributeFull' and 'rangeHigh', otherwise empty.
+     */
+    public function extractRangeData($result, $attribute) {
+        $keys = array_keys($result);
+        foreach ($keys as $key) {
+            if ($key !== $attribute && strpos($key, $attribute) === 0) {
+                $queryData = explode(';', $key);
+                if (strpos($queryData[1], 'range=') === 0) {
+                    $high = substr($queryData[1], 1 + strpos($queryData[1], '-'));
+                    $data = [
+                        'values' => $result[$key],
+                        'attributeName' => $queryData[0],
+                        'attributeFull' => $key,
+                        'rangeHigh' => $high,
+                    ];
+                    return $data;
+                }
+            }
+        }
+        return [];
+    }
+
+    /**
+     * Set password for an LDAP user identified by a DN
+     *
+     * @param string $userDN the user in question
+     * @param string $password the new password
+     * @return bool
+     * @throws HintException
+     * @throws \Exception
+     */
+    public function setPassword($userDN, $password) {
+        if ((int)$this->connection->turnOnPasswordChange !== 1) {
+            throw new \Exception('LDAP password changes are disabled.');
+        }
+        $cr = $this->connection->getConnectionResource();
+        if (!$this->ldap->isResource($cr)) {
+            //LDAP not available
+            \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', ILogger::DEBUG);
+            return false;
+        }
+        try {
+            // try PASSWD extended operation first
+            return @$this->invokeLDAPMethod('exopPasswd', $cr, $userDN, '', $password) ||
+                @$this->invokeLDAPMethod('modReplace', $cr, $userDN, $password);
+        } catch (ConstraintViolationException $e) {
+            throw new HintException('Password change rejected.', \OC::$server->getL10N('user_ldap')->t('Password change rejected. Hint: ') . $e->getMessage(), $e->getCode());
+        }
+    }
+
+    /**
+     * checks whether the given attributes value is probably a DN
+     *
+     * @param string $attr the attribute in question
+     * @return boolean if so true, otherwise false
+     */
+    private function resemblesDN($attr) {
+        $resemblingAttributes = [
+            'dn',
+            'uniquemember',
+            'member',
+            // memberOf is an "operational" attribute, without a definition in any RFC
+            'memberof'
+        ];
+        return in_array($attr, $resemblingAttributes);
+    }
+
+    /**
+     * checks whether the given string is probably a DN
+     *
+     * @param string $string
+     * @return boolean
+     */
+    public function stringResemblesDN($string) {
+        $r = $this->ldap->explodeDN($string, 0);
+        // if exploding a DN succeeds and does not end up in
+        // an empty array except for $r[count] being 0.
+        return (is_array($r) && count($r) > 1);
+    }
+
+    /**
+     * returns a DN-string that is cleaned from not domain parts, e.g.
+     * cn=foo,cn=bar,dc=foobar,dc=server,dc=org
+     * becomes dc=foobar,dc=server,dc=org
+     *
+     * @param string $dn
+     * @return string
+     */
+    public function getDomainDNFromDN($dn) {
+        $allParts = $this->ldap->explodeDN($dn, 0);
+        if ($allParts === false) {
+            //not a valid DN
+            return '';
+        }
+        $domainParts = [];
+        $dcFound = false;
+        foreach ($allParts as $part) {
+            if (!$dcFound && strpos($part, 'dc=') === 0) {
+                $dcFound = true;
+            }
+            if ($dcFound) {
+                $domainParts[] = $part;
+            }
+        }
+        return implode(',', $domainParts);
+    }
+
+    /**
+     * returns the LDAP DN for the given internal Nextcloud name of the group
+     *
+     * @param string $name the Nextcloud name in question
+     * @return string|false LDAP DN on success, otherwise false
+     */
+    public function groupname2dn($name) {
+        return $this->groupMapper->getDNByName($name);
+    }
+
+    /**
+     * returns the LDAP DN for the given internal Nextcloud name of the user
+     *
+     * @param string $name the Nextcloud name in question
+     * @return string|false with the LDAP DN on success, otherwise false
+     */
+    public function username2dn($name) {
+        $fdn = $this->userMapper->getDNByName($name);
+
+        //Check whether the DN belongs to the Base, to avoid issues on multi-
+        //server setups
+        if (is_string($fdn) && $this->isDNPartOfBase($fdn, $this->connection->ldapBaseUsers)) {
+            return $fdn;
+        }
+
+        return false;
+    }
+
+    /**
+     * returns the internal Nextcloud name for the given LDAP DN of the group, false on DN outside of search DN or failure
+     *
+     * @param string $fdn the dn of the group object
+     * @param string $ldapName optional, the display name of the object
+     * @return string|false with the name to use in Nextcloud, false on DN outside of search DN
+     * @throws \Exception
+     */
+    public function dn2groupname($fdn, $ldapName = null) {
+        //To avoid bypassing the base DN settings under certain circumstances
+        //with the group support, check whether the provided DN matches one of
+        //the given Bases
+        if (!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseGroups)) {
+            return false;
+        }
+
+        return $this->dn2ocname($fdn, $ldapName, false);
+    }
+
+    /**
+     * returns the internal Nextcloud name for the given LDAP DN of the user, false on DN outside of search DN or failure
+     *
+     * @param string $dn the dn of the user object
+     * @param string $ldapName optional, the display name of the object
+     * @return string|false with with the name to use in Nextcloud
+     * @throws \Exception
+     */
+    public function dn2username($fdn, $ldapName = null) {
+        //To avoid bypassing the base DN settings under certain circumstances
+        //with the group support, check whether the provided DN matches one of
+        //the given Bases
+        if (!$this->isDNPartOfBase($fdn, $this->connection->ldapBaseUsers)) {
+            return false;
+        }
+
+        return $this->dn2ocname($fdn, $ldapName, true);
+    }
+
+    /**
+     * returns an internal Nextcloud name for the given LDAP DN, false on DN outside of search DN
+     *
+     * @param string $fdn the dn of the user object
+     * @param string|null $ldapName optional, the display name of the object
+     * @param bool $isUser optional, whether it is a user object (otherwise group assumed)
+     * @param bool|null $newlyMapped
+     * @param array|null $record
+     * @return false|string with with the name to use in Nextcloud
+     * @throws \Exception
+     */
+    public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, array $record = null) {
+        $newlyMapped = false;
+        if ($isUser) {
+            $mapper = $this->getUserMapper();
+            $nameAttribute = $this->connection->ldapUserDisplayName;
+            $filter = $this->connection->ldapUserFilter;
+        } else {
+            $mapper = $this->getGroupMapper();
+            $nameAttribute = $this->connection->ldapGroupDisplayName;
+            $filter = $this->connection->ldapGroupFilter;
+        }
+
+        //let's try to retrieve the Nextcloud name from the mappings table
+        $ncName = $mapper->getNameByDN($fdn);
+        if (is_string($ncName)) {
+            return $ncName;
+        }
+
+        //second try: get the UUID and check if it is known. Then, update the DN and return the name.
+        $uuid = $this->getUUID($fdn, $isUser, $record);
+        if (is_string($uuid)) {
+            $ncName = $mapper->getNameByUUID($uuid);
+            if (is_string($ncName)) {
+                $mapper->setDNbyUUID($fdn, $uuid);
+                return $ncName;
+            }
+        } else {
+            //If the UUID can't be detected something is foul.
+            \OCP\Util::writeLog('user_ldap', 'Cannot determine UUID for ' . $fdn . '. Skipping.', ILogger::INFO);
+            return false;
+        }
+
+        if (is_null($ldapName)) {
+            $ldapName = $this->readAttribute($fdn, $nameAttribute, $filter);
+            if (!isset($ldapName[0]) && empty($ldapName[0])) {
+                \OCP\Util::writeLog('user_ldap', 'No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ILogger::INFO);
+                return false;
+            }
+            $ldapName = $ldapName[0];
+        }
+
+        if ($isUser) {
+            $usernameAttribute = (string)$this->connection->ldapExpertUsernameAttr;
+            if ($usernameAttribute !== '') {
+                $username = $this->readAttribute($fdn, $usernameAttribute);
+                $username = $username[0];
+            } else {
+                $username = $uuid;
+            }
+            try {
+                $intName = $this->sanitizeUsername($username);
+            } catch (\InvalidArgumentException $e) {
+                \OC::$server->getLogger()->logException($e, [
+                    'app' => 'user_ldap',
+                    'level' => ILogger::WARN,
+                ]);
+                // we don't attempt to set a username here. We can go for
+                // for an alternative 4 digit random number as we would append
+                // otherwise, however it's likely not enough space in bigger
+                // setups, and most importantly: this is not intended.
+                return false;
+            }
+        } else {
+            $intName = $ldapName;
+        }
+
+        //a new user/group! Add it only if it doesn't conflict with other backend's users or existing groups
+        //disabling Cache is required to avoid that the new user is cached as not-existing in fooExists check
+        //NOTE: mind, disabling cache affects only this instance! Using it
+        // outside of core user management will still cache the user as non-existing.
+        $originalTTL = $this->connection->ldapCacheTTL;
+        $this->connection->setConfiguration(['ldapCacheTTL' => 0]);
+        if ($intName !== ''
+            && (($isUser && !$this->ncUserManager->userExists($intName))
+                || (!$isUser && !\OC::$server->getGroupManager()->groupExists($intName))
+            )
+        ) {
+            $this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]);
+            $newlyMapped = $this->mapAndAnnounceIfApplicable($mapper, $fdn, $intName, $uuid, $isUser);
+            if ($newlyMapped) {
+                return $intName;
+            }
+        }
+
+        $this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]);
+        $altName = $this->createAltInternalOwnCloudName($intName, $isUser);
+        if (is_string($altName)) {
+            if ($this->mapAndAnnounceIfApplicable($mapper, $fdn, $altName, $uuid, $isUser)) {
+                $newlyMapped = true;
+                return $altName;
+            }
+        }
+
+        //if everything else did not help..
+        \OCP\Util::writeLog('user_ldap', 'Could not create unique name for ' . $fdn . '.', ILogger::INFO);
+        return false;
+    }
+
+    public function mapAndAnnounceIfApplicable(
+        AbstractMapping $mapper,
+        string $fdn,
+        string $name,
+        string $uuid,
+        bool $isUser
+    ): bool {
+        if ($mapper->map($fdn, $name, $uuid)) {
+            if ($this->ncUserManager instanceof PublicEmitter && $isUser) {
+                $this->cacheUserExists($name);
+                $this->ncUserManager->emit('\OC\User', 'assignedUserId', [$name]);
+            } elseif (!$isUser) {
+                $this->cacheGroupExists($name);
+            }
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * gives back the user names as they are used ownClod internally
+     *
+     * @param array $ldapUsers as returned by fetchList()
+     * @return array an array with the user names to use in Nextcloud
+     *
+     * gives back the user names as they are used ownClod internally
+     * @throws \Exception
+     */
+    public function nextcloudUserNames($ldapUsers) {
+        return $this->ldap2NextcloudNames($ldapUsers, true);
+    }
+
+    /**
+     * gives back the group names as they are used ownClod internally
+     *
+     * @param array $ldapGroups as returned by fetchList()
+     * @return array an array with the group names to use in Nextcloud
+     *
+     * gives back the group names as they are used ownClod internally
+     * @throws \Exception
+     */
+    public function nextcloudGroupNames($ldapGroups) {
+        return $this->ldap2NextcloudNames($ldapGroups, false);
+    }
+
+    /**
+     * @param array $ldapObjects as returned by fetchList()
+     * @param bool $isUsers
+     * @return array
+     * @throws \Exception
+     */
+    private function ldap2NextcloudNames($ldapObjects, $isUsers) {
+        if ($isUsers) {
+            $nameAttribute = $this->connection->ldapUserDisplayName;
+            $sndAttribute = $this->connection->ldapUserDisplayName2;
+        } else {
+            $nameAttribute = $this->connection->ldapGroupDisplayName;
+        }
+        $nextcloudNames = [];
+
+        foreach ($ldapObjects as $ldapObject) {
+            $nameByLDAP = null;
+            if (isset($ldapObject[$nameAttribute])
+                && is_array($ldapObject[$nameAttribute])
+                && isset($ldapObject[$nameAttribute][0])
+            ) {
+                // might be set, but not necessarily. if so, we use it.
+                $nameByLDAP = $ldapObject[$nameAttribute][0];
+            }
+
+            $ncName = $this->dn2ocname($ldapObject['dn'][0], $nameByLDAP, $isUsers);
+            if ($ncName) {
+                $nextcloudNames[] = $ncName;
+                if ($isUsers) {
+                    $this->updateUserState($ncName);
+                    //cache the user names so it does not need to be retrieved
+                    //again later (e.g. sharing dialogue).
+                    if (is_null($nameByLDAP)) {
+                        continue;
+                    }
+                    $sndName = isset($ldapObject[$sndAttribute][0])
+                        ? $ldapObject[$sndAttribute][0] : '';
+                    $this->cacheUserDisplayName($ncName, $nameByLDAP, $sndName);
+                } elseif ($nameByLDAP !== null) {
+                    $this->cacheGroupDisplayName($ncName, $nameByLDAP);
+                }
+            }
+        }
+        return $nextcloudNames;
+    }
+
+    /**
+     * removes the deleted-flag of a user if it was set
+     *
+     * @param string $ncname
+     * @throws \Exception
+     */
+    public function updateUserState($ncname) {
+        $user = $this->userManager->get($ncname);
+        if ($user instanceof OfflineUser) {
+            $user->unmark();
+        }
+    }
+
+    /**
+     * caches the user display name
+     *
+     * @param string $ocName the internal Nextcloud username
+     * @param string|false $home the home directory path
+     */
+    public function cacheUserHome($ocName, $home) {
+        $cacheKey = 'getHome' . $ocName;
+        $this->connection->writeToCache($cacheKey, $home);
+    }
+
+    /**
+     * caches a user as existing
+     *
+     * @param string $ocName the internal Nextcloud username
+     */
+    public function cacheUserExists($ocName) {
+        $this->connection->writeToCache('userExists' . $ocName, true);
+    }
+
+    /**
+     * caches a group as existing
+     */
+    public function cacheGroupExists(string $gid): void {
+        $this->connection->writeToCache('groupExists' . $gid, true);
+    }
+
+    /**
+     * caches the user display name
+     *
+     * @param string $ocName the internal Nextcloud username
+     * @param string $displayName the display name
+     * @param string $displayName2 the second display name
+     * @throws \Exception
+     */
+    public function cacheUserDisplayName($ocName, $displayName, $displayName2 = '') {
+        $user = $this->userManager->get($ocName);
+        if ($user === null) {
+            return;
+        }
+        $displayName = $user->composeAndStoreDisplayName($displayName, $displayName2);
+        $cacheKeyTrunk = 'getDisplayName';
+        $this->connection->writeToCache($cacheKeyTrunk . $ocName, $displayName);
+    }
+
+    public function cacheGroupDisplayName(string $ncName, string $displayName): void {
+        $cacheKey = 'group_getDisplayName' . $ncName;
+        $this->connection->writeToCache($cacheKey, $displayName);
+    }
+
+    /**
+     * creates a unique name for internal Nextcloud use for users. Don't call it directly.
+     *
+     * @param string $name the display name of the object
+     * @return string|false with with the name to use in Nextcloud or false if unsuccessful
+     *
+     * Instead of using this method directly, call
+     * createAltInternalOwnCloudName($name, true)
+     */
+    private function _createAltInternalOwnCloudNameForUsers($name) {
+        $attempts = 0;
+        //while loop is just a precaution. If a name is not generated within
+        //20 attempts, something else is very wrong. Avoids infinite loop.
+        while ($attempts < 20) {
+            $altName = $name . '_' . rand(1000, 9999);
+            if (!$this->ncUserManager->userExists($altName)) {
+                return $altName;
+            }
+            $attempts++;
+        }
+        return false;
+    }
+
+    /**
+     * creates a unique name for internal Nextcloud use for groups. Don't call it directly.
+     *
+     * @param string $name the display name of the object
+     * @return string|false with with the name to use in Nextcloud or false if unsuccessful.
+     *
+     * Instead of using this method directly, call
+     * createAltInternalOwnCloudName($name, false)
+     *
+     * Group names are also used as display names, so we do a sequential
+     * numbering, e.g. Developers_42 when there are 41 other groups called
+     * "Developers"
+     */
+    private function _createAltInternalOwnCloudNameForGroups($name) {
+        $usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
+        if (!$usedNames || count($usedNames) === 0) {
+            $lastNo = 1; //will become name_2
+        } else {
+            natsort($usedNames);
+            $lastName = array_pop($usedNames);
+            $lastNo = (int)substr($lastName, strrpos($lastName, '_') + 1);
+        }
+        $altName = $name . '_' . (string)($lastNo + 1);
+        unset($usedNames);
+
+        $attempts = 1;
+        while ($attempts < 21) {
+            // Check to be really sure it is unique
+            // while loop is just a precaution. If a name is not generated within
+            // 20 attempts, something else is very wrong. Avoids infinite loop.
+            if (!\OC::$server->getGroupManager()->groupExists($altName)) {
+                return $altName;
+            }
+            $altName = $name . '_' . ($lastNo + $attempts);
+            $attempts++;
+        }
+        return false;
+    }
+
+    /**
+     * creates a unique name for internal Nextcloud use.
+     *
+     * @param string $name the display name of the object
+     * @param boolean $isUser whether name should be created for a user (true) or a group (false)
+     * @return string|false with with the name to use in Nextcloud or false if unsuccessful
+     */
+    private function createAltInternalOwnCloudName($name, $isUser) {
+        $originalTTL = $this->connection->ldapCacheTTL;
+        $this->connection->setConfiguration(['ldapCacheTTL' => 0]);
+        if ($isUser) {
+            $altName = $this->_createAltInternalOwnCloudNameForUsers($name);
+        } else {
+            $altName = $this->_createAltInternalOwnCloudNameForGroups($name);
+        }
+        $this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]);
+
+        return $altName;
+    }
+
+    /**
+     * fetches a list of users according to a provided loginName and utilizing
+     * the login filter.
+     */
+    public function fetchUsersByLoginName(string $loginName, array $attributes = ['dn']): array {
+        $loginName = $this->escapeFilterPart($loginName);
+        $filter = str_replace('%uid', $loginName, $this->connection->ldapLoginFilter);
+        return $this->fetchListOfUsers($filter, $attributes);
+    }
+
+    /**
+     * counts the number of users according to a provided loginName and
+     * utilizing the login filter.
+     *
+     * @param string $loginName
+     * @return int
+     */
+    public function countUsersByLoginName($loginName) {
+        $loginName = $this->escapeFilterPart($loginName);
+        $filter = str_replace('%uid', $loginName, $this->connection->ldapLoginFilter);
+        return $this->countUsers($filter);
+    }
+
+    /**
+     * @throws \Exception
+     */
+    public function fetchListOfUsers(string $filter, array $attr, int $limit = null, int $offset = null, bool $forceApplyAttributes = false): array {
+        $ldapRecords = $this->searchUsers($filter, $attr, $limit, $offset);
+        $recordsToUpdate = $ldapRecords;
+        if (!$forceApplyAttributes) {
+            $isBackgroundJobModeAjax = $this->config
+                    ->getAppValue('core', 'backgroundjobs_mode', 'ajax') === 'ajax';
+            $listOfDNs = array_reduce($ldapRecords, function ($listOfDNs, $entry) {
+                $listOfDNs[] = $entry['dn'][0];
+                return $listOfDNs;
+            }, []);
+            $idsByDn = $this->userMapper->getListOfIdsByDn($listOfDNs);
+            $recordsToUpdate = array_filter($ldapRecords, function ($record) use ($isBackgroundJobModeAjax, $idsByDn) {
+                $newlyMapped = false;
+                $uid = $idsByDn[$record['dn'][0]] ?? null;
+                if ($uid === null) {
+                    $uid = $this->dn2ocname($record['dn'][0], null, true, $newlyMapped, $record);
+                }
+                if (is_string($uid)) {
+                    $this->cacheUserExists($uid);
+                }
+                return ($uid !== false) && ($newlyMapped || $isBackgroundJobModeAjax);
+            });
+        }
+        $this->batchApplyUserAttributes($recordsToUpdate);
+        return $this->fetchList($ldapRecords, $this->manyAttributes($attr));
+    }
+
+    /**
+     * provided with an array of LDAP user records the method will fetch the
+     * user object and requests it to process the freshly fetched attributes and
+     * and their values
+     *
+     * @param array $ldapRecords
+     * @throws \Exception
+     */
+    public function batchApplyUserAttributes(array $ldapRecords) {
+        $displayNameAttribute = strtolower($this->connection->ldapUserDisplayName);
+        foreach ($ldapRecords as $userRecord) {
+            if (!isset($userRecord[$displayNameAttribute])) {
+                // displayName is obligatory
+                continue;
+            }
+            $ocName = $this->dn2ocname($userRecord['dn'][0], null, true);
+            if ($ocName === false) {
+                continue;
+            }
+            $this->updateUserState($ocName);
+            $user = $this->userManager->get($ocName);
+            if ($user !== null) {
+                $user->processAttributes($userRecord);
+            } else {
+                \OC::$server->getLogger()->debug(
+                    "The ldap user manager returned null for $ocName",
+                    ['app' => 'user_ldap']
+                );
+            }
+        }
+    }
+
+    /**
+     * @param string $filter
+     * @param string|string[] $attr
+     * @param int $limit
+     * @param int $offset
+     * @return array
+     */
+    public function fetchListOfGroups($filter, $attr, $limit = null, $offset = null) {
+        $groupRecords = $this->searchGroups($filter, $attr, $limit, $offset);
+
+        $listOfDNs = array_reduce($groupRecords, function ($listOfDNs, $entry) {
+            $listOfDNs[] = $entry['dn'][0];
+            return $listOfDNs;
+        }, []);
+        $idsByDn = $this->groupMapper->getListOfIdsByDn($listOfDNs);
+
+        array_walk($groupRecords, function ($record) use ($idsByDn) {
+            $newlyMapped = false;
+            $gid = $uidsByDn[$record['dn'][0]] ?? null;
+            if ($gid === null) {
+                $gid = $this->dn2ocname($record['dn'][0], null, false, $newlyMapped, $record);
+            }
+            if (!$newlyMapped && is_string($gid)) {
+                $this->cacheGroupExists($gid);
+            }
+        });
+        return $this->fetchList($groupRecords, $this->manyAttributes($attr));
+    }
+
+    /**
+     * @param array $list
+     * @param bool $manyAttributes
+     * @return array
+     */
+    private function fetchList($list, $manyAttributes) {
+        if (is_array($list)) {
+            if ($manyAttributes) {
+                return $list;
+            } else {
+                $list = array_reduce($list, function ($carry, $item) {
+                    $attribute = array_keys($item)[0];
+                    $carry[] = $item[$attribute][0];
+                    return $carry;
+                }, []);
+                return array_unique($list, SORT_LOCALE_STRING);
+            }
+        }
+
+        //error cause actually, maybe throw an exception in future.
+        return [];
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     */
+    public function searchUsers(string $filter, array $attr = null, int $limit = null, int $offset = null): array {
+        $result = [];
+        foreach ($this->connection->ldapBaseUsers as $base) {
+            $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset));
+        }
+        return $result;
+    }
+
+    /**
+     * @param string $filter
+     * @param string|string[] $attr
+     * @param int $limit
+     * @param int $offset
+     * @return false|int
+     * @throws ServerNotAvailableException
+     */
+    public function countUsers($filter, $attr = ['dn'], $limit = null, $offset = null) {
+        $result = false;
+        foreach ($this->connection->ldapBaseUsers as $base) {
+            $count = $this->count($filter, [$base], $attr, $limit, $offset);
+            $result = is_int($count) ? (int)$result + $count : $result;
+        }
+        return $result;
+    }
+
+    /**
+     * executes an LDAP search, optimized for Groups
+     *
+     * @param string $filter the LDAP filter for the search
+     * @param string|string[] $attr optional, when a certain attribute shall be filtered out
+     * @param integer $limit
+     * @param integer $offset
+     * @return array with the search result
+     *
+     * Executes an LDAP search
+     * @throws ServerNotAvailableException
+     */
+    public function searchGroups($filter, $attr = null, $limit = null, $offset = null) {
+        $result = [];
+        foreach ($this->connection->ldapBaseGroups as $base) {
+            $result = array_merge($result, $this->search($filter, $base, $attr, $limit, $offset));
+        }
+        return $result;
+    }
+
+    /**
+     * returns the number of available groups
+     *
+     * @param string $filter the LDAP search filter
+     * @param string[] $attr optional
+     * @param int|null $limit
+     * @param int|null $offset
+     * @return int|bool
+     * @throws ServerNotAvailableException
+     */
+    public function countGroups($filter, $attr = ['dn'], $limit = null, $offset = null) {
+        $result = false;
+        foreach ($this->connection->ldapBaseGroups as $base) {
+            $count = $this->count($filter, [$base], $attr, $limit, $offset);
+            $result = is_int($count) ? (int)$result + $count : $result;
+        }
+        return $result;
+    }
+
+    /**
+     * returns the number of available objects on the base DN
+     *
+     * @param int|null $limit
+     * @param int|null $offset
+     * @return int|bool
+     * @throws ServerNotAvailableException
+     */
+    public function countObjects($limit = null, $offset = null) {
+        $result = false;
+        foreach ($this->connection->ldapBase as $base) {
+            $count = $this->count('objectclass=*', [$base], ['dn'], $limit, $offset);
+            $result = is_int($count) ? (int)$result + $count : $result;
+        }
+        return $result;
+    }
+
+    /**
+     * Returns the LDAP handler
+     *
+     * @throws \OC\ServerNotAvailableException
+     */
+
+    /**
+     * @return mixed
+     * @throws \OC\ServerNotAvailableException
+     */
+    private function invokeLDAPMethod() {
+        $arguments = func_get_args();
+        $command = array_shift($arguments);
+        $cr = array_shift($arguments);
+        if (!method_exists($this->ldap, $command)) {
+            return null;
+        }
+        array_unshift($arguments, $cr);
+        // php no longer supports call-time pass-by-reference
+        // thus cannot support controlPagedResultResponse as the third argument
+        // is a reference
+        $doMethod = function () use ($command, &$arguments) {
+            if ($command == 'controlPagedResultResponse') {
+                throw new \InvalidArgumentException('Invoker does not support controlPagedResultResponse, call LDAP Wrapper directly instead.');
+            } else {
+                return call_user_func_array([$this->ldap, $command], $arguments);
+            }
+        };
+        try {
+            $ret = $doMethod();
+        } catch (ServerNotAvailableException $e) {
+            /* Server connection lost, attempt to reestablish it
 			 * Maybe implement exponential backoff?
 			 * This was enough to get solr indexer working which has large delays between LDAP fetches.
 			 */
-			\OCP\Util::writeLog('user_ldap', "Connection lost on $command, attempting to reestablish.", ILogger::DEBUG);
-			$this->connection->resetConnectionResource();
-			$cr = $this->connection->getConnectionResource();
-
-			if (!$this->ldap->isResource($cr)) {
-				// Seems like we didn't find any resource.
-				\OCP\Util::writeLog('user_ldap', "Could not $command, because resource is missing.", ILogger::DEBUG);
-				throw $e;
-			}
-
-			$arguments[0] = $cr;
-			$ret = $doMethod();
-		}
-		return $ret;
-	}
-
-	/**
-	 * retrieved. Results will according to the order in the array.
-	 *
-	 * @param string $filter
-	 * @param string $base
-	 * @param string[] $attr
-	 * @param int|null $limit optional, maximum results to be counted
-	 * @param int|null $offset optional, a starting point
-	 * @return array|false array with the search result as first value and pagedSearchOK as
-	 * second | false if not successful
-	 * @throws ServerNotAvailableException
-	 */
-	private function executeSearch(
-		string $filter,
-		string $base,
-		?array &$attr,
-		?int $limit,
-		?int $offset
-	) {
-		// See if we have a resource, in case not cancel with message
-		$cr = $this->connection->getConnectionResource();
-		if (!$this->ldap->isResource($cr)) {
-			// Seems like we didn't find any resource.
-			// Return an empty array just like before.
-			\OCP\Util::writeLog('user_ldap', 'Could not search, because resource is missing.', ILogger::DEBUG);
-			return false;
-		}
-
-		//check whether paged search should be attempted
-		$pagedSearchOK = $this->initPagedSearch($filter, $base, $attr, (int)$limit, (int)$offset);
-
-		$sr = $this->invokeLDAPMethod('search', $cr, $base, $filter, $attr);
-		// cannot use $cr anymore, might have changed in the previous call!
-		$error = $this->ldap->errno($this->connection->getConnectionResource());
-		if (!$this->ldap->isResource($sr) || $error !== 0) {
-			\OCP\Util::writeLog('user_ldap', 'Attempt for Paging?  ' . print_r($pagedSearchOK, true), ILogger::ERROR);
-			return false;
-		}
-
-		return [$sr, $pagedSearchOK];
-	}
-
-	/**
-	 * processes an LDAP paged search operation
-	 *
-	 * @param resource $sr the array containing the LDAP search resources
-	 * @param int $foundItems number of results in the single search operation
-	 * @param int $limit maximum results to be counted
-	 * @param bool $pagedSearchOK whether a paged search has been executed
-	 * @param bool $skipHandling required for paged search when cookies to
-	 * prior results need to be gained
-	 * @return bool cookie validity, true if we have more pages, false otherwise.
-	 * @throws ServerNotAvailableException
-	 */
-	private function processPagedSearchStatus(
-		$sr,
-		int $foundItems,
-		int $limit,
-		bool $pagedSearchOK,
-		bool $skipHandling
-	): bool {
-		$cookie = null;
-		if ($pagedSearchOK) {
-			$cr = $this->connection->getConnectionResource();
-			if ($this->ldap->controlPagedResultResponse($cr, $sr, $cookie)) {
-				$this->lastCookie = $cookie;
-			}
-
-			//browsing through prior pages to get the cookie for the new one
-			if ($skipHandling) {
-				return false;
-			}
-			// if count is bigger, then the server does not support
-			// paged search. Instead, he did a normal search. We set a
-			// flag here, so the callee knows how to deal with it.
-			if ($foundItems <= $limit) {
-				$this->pagedSearchedSuccessful = true;
-			}
-		} else {
-			if (!is_null($limit) && (int)$this->connection->ldapPagingSize !== 0) {
-				\OC::$server->getLogger()->debug(
-					'Paged search was not available',
-					['app' => 'user_ldap']
-				);
-			}
-		}
-		/* ++ Fixing RHDS searches with pages with zero results ++
+            \OCP\Util::writeLog('user_ldap', "Connection lost on $command, attempting to reestablish.", ILogger::DEBUG);
+            $this->connection->resetConnectionResource();
+            $cr = $this->connection->getConnectionResource();
+
+            if (!$this->ldap->isResource($cr)) {
+                // Seems like we didn't find any resource.
+                \OCP\Util::writeLog('user_ldap', "Could not $command, because resource is missing.", ILogger::DEBUG);
+                throw $e;
+            }
+
+            $arguments[0] = $cr;
+            $ret = $doMethod();
+        }
+        return $ret;
+    }
+
+    /**
+     * retrieved. Results will according to the order in the array.
+     *
+     * @param string $filter
+     * @param string $base
+     * @param string[] $attr
+     * @param int|null $limit optional, maximum results to be counted
+     * @param int|null $offset optional, a starting point
+     * @return array|false array with the search result as first value and pagedSearchOK as
+     * second | false if not successful
+     * @throws ServerNotAvailableException
+     */
+    private function executeSearch(
+        string $filter,
+        string $base,
+        ?array &$attr,
+        ?int $limit,
+        ?int $offset
+    ) {
+        // See if we have a resource, in case not cancel with message
+        $cr = $this->connection->getConnectionResource();
+        if (!$this->ldap->isResource($cr)) {
+            // Seems like we didn't find any resource.
+            // Return an empty array just like before.
+            \OCP\Util::writeLog('user_ldap', 'Could not search, because resource is missing.', ILogger::DEBUG);
+            return false;
+        }
+
+        //check whether paged search should be attempted
+        $pagedSearchOK = $this->initPagedSearch($filter, $base, $attr, (int)$limit, (int)$offset);
+
+        $sr = $this->invokeLDAPMethod('search', $cr, $base, $filter, $attr);
+        // cannot use $cr anymore, might have changed in the previous call!
+        $error = $this->ldap->errno($this->connection->getConnectionResource());
+        if (!$this->ldap->isResource($sr) || $error !== 0) {
+            \OCP\Util::writeLog('user_ldap', 'Attempt for Paging?  ' . print_r($pagedSearchOK, true), ILogger::ERROR);
+            return false;
+        }
+
+        return [$sr, $pagedSearchOK];
+    }
+
+    /**
+     * processes an LDAP paged search operation
+     *
+     * @param resource $sr the array containing the LDAP search resources
+     * @param int $foundItems number of results in the single search operation
+     * @param int $limit maximum results to be counted
+     * @param bool $pagedSearchOK whether a paged search has been executed
+     * @param bool $skipHandling required for paged search when cookies to
+     * prior results need to be gained
+     * @return bool cookie validity, true if we have more pages, false otherwise.
+     * @throws ServerNotAvailableException
+     */
+    private function processPagedSearchStatus(
+        $sr,
+        int $foundItems,
+        int $limit,
+        bool $pagedSearchOK,
+        bool $skipHandling
+    ): bool {
+        $cookie = null;
+        if ($pagedSearchOK) {
+            $cr = $this->connection->getConnectionResource();
+            if ($this->ldap->controlPagedResultResponse($cr, $sr, $cookie)) {
+                $this->lastCookie = $cookie;
+            }
+
+            //browsing through prior pages to get the cookie for the new one
+            if ($skipHandling) {
+                return false;
+            }
+            // if count is bigger, then the server does not support
+            // paged search. Instead, he did a normal search. We set a
+            // flag here, so the callee knows how to deal with it.
+            if ($foundItems <= $limit) {
+                $this->pagedSearchedSuccessful = true;
+            }
+        } else {
+            if (!is_null($limit) && (int)$this->connection->ldapPagingSize !== 0) {
+                \OC::$server->getLogger()->debug(
+                    'Paged search was not available',
+                    ['app' => 'user_ldap']
+                );
+            }
+        }
+        /* ++ Fixing RHDS searches with pages with zero results ++
 		 * Return cookie status. If we don't have more pages, with RHDS
 		 * cookie is null, with openldap cookie is an empty string and
 		 * to 386ds '0' is a valid cookie. Even if $iFoundItems == 0
 		 */
-		return !empty($cookie) || $cookie === '0';
-	}
-
-	/**
-	 * executes an LDAP search, but counts the results only
-	 *
-	 * @param string $filter the LDAP filter for the search
-	 * @param array $bases an array containing the LDAP subtree(s) that shall be searched
-	 * @param string|string[] $attr optional, array, one or more attributes that shall be
-	 * retrieved. Results will according to the order in the array.
-	 * @param int $limit optional, maximum results to be counted
-	 * @param int $offset optional, a starting point
-	 * @param bool $skipHandling indicates whether the pages search operation is
-	 * completed
-	 * @return int|false Integer or false if the search could not be initialized
-	 * @throws ServerNotAvailableException
-	 */
-	private function count(
-		string $filter,
-		array $bases,
-		$attr = null,
-		?int $limit = null,
-		?int $offset = null,
-		bool $skipHandling = false
-	) {
-		\OC::$server->getLogger()->debug('Count filter: {filter}', [
-			'app' => 'user_ldap',
-			'filter' => $filter
-		]);
-
-		if (!is_null($attr) && !is_array($attr)) {
-			$attr = [mb_strtolower($attr, 'UTF-8')];
-		}
-
-		$limitPerPage = (int)$this->connection->ldapPagingSize;
-		if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) {
-			$limitPerPage = $limit;
-		}
-
-		$counter = 0;
-		$count = null;
-		$this->connection->getConnectionResource();
-
-		foreach ($bases as $base) {
-			do {
-				$search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset);
-				if ($search === false) {
-					return $counter > 0 ? $counter : false;
-				}
-				list($sr, $pagedSearchOK) = $search;
-
-				/* ++ Fixing RHDS searches with pages with zero results ++
+        return !empty($cookie) || $cookie === '0';
+    }
+
+    /**
+     * executes an LDAP search, but counts the results only
+     *
+     * @param string $filter the LDAP filter for the search
+     * @param array $bases an array containing the LDAP subtree(s) that shall be searched
+     * @param string|string[] $attr optional, array, one or more attributes that shall be
+     * retrieved. Results will according to the order in the array.
+     * @param int $limit optional, maximum results to be counted
+     * @param int $offset optional, a starting point
+     * @param bool $skipHandling indicates whether the pages search operation is
+     * completed
+     * @return int|false Integer or false if the search could not be initialized
+     * @throws ServerNotAvailableException
+     */
+    private function count(
+        string $filter,
+        array $bases,
+        $attr = null,
+        ?int $limit = null,
+        ?int $offset = null,
+        bool $skipHandling = false
+    ) {
+        \OC::$server->getLogger()->debug('Count filter: {filter}', [
+            'app' => 'user_ldap',
+            'filter' => $filter
+        ]);
+
+        if (!is_null($attr) && !is_array($attr)) {
+            $attr = [mb_strtolower($attr, 'UTF-8')];
+        }
+
+        $limitPerPage = (int)$this->connection->ldapPagingSize;
+        if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) {
+            $limitPerPage = $limit;
+        }
+
+        $counter = 0;
+        $count = null;
+        $this->connection->getConnectionResource();
+
+        foreach ($bases as $base) {
+            do {
+                $search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset);
+                if ($search === false) {
+                    return $counter > 0 ? $counter : false;
+                }
+                list($sr, $pagedSearchOK) = $search;
+
+                /* ++ Fixing RHDS searches with pages with zero results ++
 				 * countEntriesInSearchResults() method signature changed
 				 * by removing $limit and &$hasHitLimit parameters
 				 */
-				$count = $this->countEntriesInSearchResults($sr);
-				$counter += $count;
+                $count = $this->countEntriesInSearchResults($sr);
+                $counter += $count;
 
-				$hasMorePages = $this->processPagedSearchStatus($sr, $count, $limitPerPage, $pagedSearchOK, $skipHandling);
-				$offset += $limitPerPage;
-				/* ++ Fixing RHDS searches with pages with zero results ++
+                $hasMorePages = $this->processPagedSearchStatus($sr, $count, $limitPerPage, $pagedSearchOK, $skipHandling);
+                $offset += $limitPerPage;
+                /* ++ Fixing RHDS searches with pages with zero results ++
 				 * Continue now depends on $hasMorePages value
 				 */
-				$continue = $pagedSearchOK && $hasMorePages;
-			} while ($continue && (is_null($limit) || $limit <= 0 || $limit > $counter));
-		}
-
-		return $counter;
-	}
-
-	/**
-	 * @param resource $sr
-	 * @return int
-	 * @throws ServerNotAvailableException
-	 */
-	private function countEntriesInSearchResults($sr): int {
-		return (int)$this->invokeLDAPMethod('countEntries', $this->connection->getConnectionResource(), $sr);
-	}
-
-	/**
-	 * Executes an LDAP search
-	 *
-	 * @throws ServerNotAvailableException
-	 */
-	public function search(
-		string $filter,
-		string $base,
-		?array $attr = null,
-		?int $limit = null,
-		?int $offset = null,
-		bool $skipHandling = false
-	): array {
-		$limitPerPage = (int)$this->connection->ldapPagingSize;
-		if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) {
-			$limitPerPage = $limit;
-		}
-
-		if (!is_null($attr) && !is_array($attr)) {
-			$attr = [mb_strtolower($attr, 'UTF-8')];
-		}
-
-		/* ++ Fixing RHDS searches with pages with zero results ++
+                $continue = $pagedSearchOK && $hasMorePages;
+            } while ($continue && (is_null($limit) || $limit <= 0 || $limit > $counter));
+        }
+
+        return $counter;
+    }
+
+    /**
+     * @param resource $sr
+     * @return int
+     * @throws ServerNotAvailableException
+     */
+    private function countEntriesInSearchResults($sr): int {
+        return (int)$this->invokeLDAPMethod('countEntries', $this->connection->getConnectionResource(), $sr);
+    }
+
+    /**
+     * Executes an LDAP search
+     *
+     * @throws ServerNotAvailableException
+     */
+    public function search(
+        string $filter,
+        string $base,
+        ?array $attr = null,
+        ?int $limit = null,
+        ?int $offset = null,
+        bool $skipHandling = false
+    ): array {
+        $limitPerPage = (int)$this->connection->ldapPagingSize;
+        if (!is_null($limit) && $limit < $limitPerPage && $limit > 0) {
+            $limitPerPage = $limit;
+        }
+
+        if (!is_null($attr) && !is_array($attr)) {
+            $attr = [mb_strtolower($attr, 'UTF-8')];
+        }
+
+        /* ++ Fixing RHDS searches with pages with zero results ++
 		 * As we can have pages with zero results and/or pages with less
 		 * than $limit results but with a still valid server 'cookie',
 		 * loops through until we get $continue equals true and
 		 * $findings['count'] < $limit
 		 */
-		$findings = [];
-		$savedoffset = $offset;
-		$iFoundItems = 0;
-
-		do {
-			$search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset);
-			if ($search === false) {
-				return [];
-			}
-			list($sr, $pagedSearchOK) = $search;
-			$cr = $this->connection->getConnectionResource();
-
-			if ($skipHandling) {
-				//i.e. result do not need to be fetched, we just need the cookie
-				//thus pass 1 or any other value as $iFoundItems because it is not
-				//used
-				$this->processPagedSearchStatus($sr, 1, $limitPerPage, $pagedSearchOK, $skipHandling);
-				return [];
-			}
-
-			$findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $cr, $sr));
-			$iFoundItems = max($iFoundItems, $findings['count']);
-			unset($findings['count']);
-
-			$continue = $this->processPagedSearchStatus($sr, $iFoundItems, $limitPerPage, $pagedSearchOK, $skipHandling);
-			$offset += $limitPerPage;
-		} while ($continue && $pagedSearchOK && ($limit === null || count($findings) < $limit));
-
-		// resetting offset
-		$offset = $savedoffset;
-
-		// if we're here, probably no connection resource is returned.
-		// to make Nextcloud behave nicely, we simply give back an empty array.
-		if (is_null($findings)) {
-			return [];
-		}
-
-		if (!is_null($attr)) {
-			$selection = [];
-			$i = 0;
-			foreach ($findings as $item) {
-				if (!is_array($item)) {
-					continue;
-				}
-				$item = \OCP\Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8');
-				foreach ($attr as $key) {
-					if (isset($item[$key])) {
-						if (is_array($item[$key]) && isset($item[$key]['count'])) {
-							unset($item[$key]['count']);
-						}
-						if ($key !== 'dn') {
-							if ($this->resemblesDN($key)) {
-								$selection[$i][$key] = $this->helper->sanitizeDN($item[$key]);
-							} elseif ($key === 'objectguid' || $key === 'guid') {
-								$selection[$i][$key] = [$this->convertObjectGUID2Str($item[$key][0])];
-							} else {
-								$selection[$i][$key] = $item[$key];
-							}
-						} else {
-							$selection[$i][$key] = [$this->helper->sanitizeDN($item[$key])];
-						}
-					}
-				}
-				$i++;
-			}
-			$findings = $selection;
-		}
-		//we slice the findings, when
-		//a) paged search unsuccessful, though attempted
-		//b) no paged search, but limit set
-		if ((!$this->getPagedSearchResultState()
-				&& $pagedSearchOK)
-			|| (
-				!$pagedSearchOK
-				&& !is_null($limit)
-			)
-		) {
-			$findings = array_slice($findings, (int)$offset, $limit);
-		}
-		return $findings;
-	}
-
-	/**
-	 * @param string $name
-	 * @return string
-	 * @throws \InvalidArgumentException
-	 */
-	public function sanitizeUsername($name) {
-		$name = trim($name);
-
-		if ($this->connection->ldapIgnoreNamingRules) {
-			return $name;
-		}
-
-		// Transliteration to ASCII
-		$transliterated = @iconv('UTF-8', 'ASCII//TRANSLIT', $name);
-		if ($transliterated !== false) {
-			// depending on system config iconv can work or not
-			$name = $transliterated;
-		}
-
-		// Replacements
-		$name = str_replace(' ', '_', $name);
-
-		// Every remaining disallowed characters will be removed
-		$name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name);
-
-		if ($name === '') {
-			throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters');
-		}
-
-		return $name;
-	}
-
-	/**
-	 * escapes (user provided) parts for LDAP filter
-	 *
-	 * @param string $input , the provided value
-	 * @param bool $allowAsterisk whether in * at the beginning should be preserved
-	 * @return string the escaped string
-	 */
-	public function escapeFilterPart($input, $allowAsterisk = false): string {
-		$asterisk = '';
-		if ($allowAsterisk && strlen($input) > 0 && $input[0] === '*') {
-			$asterisk = '*';
-			$input = mb_substr($input, 1, null, 'UTF-8');
-		}
-		$search = ['*', '\\', '(', ')'];
-		$replace = ['\\*', '\\\\', '\\(', '\\)'];
-		return $asterisk . str_replace($search, $replace, $input);
-	}
-
-	/**
-	 * combines the input filters with AND
-	 *
-	 * @param string[] $filters the filters to connect
-	 * @return string the combined filter
-	 */
-	public function combineFilterWithAnd($filters): string {
-		return $this->combineFilter($filters, '&');
-	}
-
-	/**
-	 * combines the input filters with OR
-	 *
-	 * @param string[] $filters the filters to connect
-	 * @return string the combined filter
-	 * Combines Filter arguments with OR
-	 */
-	public function combineFilterWithOr($filters) {
-		return $this->combineFilter($filters, '|');
-	}
-
-	/**
-	 * combines the input filters with given operator
-	 *
-	 * @param string[] $filters the filters to connect
-	 * @param string $operator either & or |
-	 * @return string the combined filter
-	 */
-	private function combineFilter($filters, $operator) {
-		$combinedFilter = '(' . $operator;
-		foreach ($filters as $filter) {
-			if ($filter !== '' && $filter[0] !== '(') {
-				$filter = '(' . $filter . ')';
-			}
-			$combinedFilter .= $filter;
-		}
-		$combinedFilter .= ')';
-		return $combinedFilter;
-	}
-
-	/**
-	 * creates a filter part for to perform search for users
-	 *
-	 * @param string $search the search term
-	 * @return string the final filter part to use in LDAP searches
-	 */
-	public function getFilterPartForUserSearch($search) {
-		return $this->getFilterPartForSearch($search,
-			$this->connection->ldapAttributesForUserSearch,
-			$this->connection->ldapUserDisplayName);
-	}
-
-	/**
-	 * creates a filter part for to perform search for groups
-	 *
-	 * @param string $search the search term
-	 * @return string the final filter part to use in LDAP searches
-	 */
-	public function getFilterPartForGroupSearch($search) {
-		return $this->getFilterPartForSearch($search,
-			$this->connection->ldapAttributesForGroupSearch,
-			$this->connection->ldapGroupDisplayName);
-	}
-
-	/**
-	 * creates a filter part for searches by splitting up the given search
-	 * string into single words
-	 *
-	 * @param string $search the search term
-	 * @param string[] $searchAttributes needs to have at least two attributes,
-	 * otherwise it does not make sense :)
-	 * @return string the final filter part to use in LDAP searches
-	 * @throws \Exception
-	 */
-	private function getAdvancedFilterPartForSearch($search, $searchAttributes) {
-		if (!is_array($searchAttributes) || count($searchAttributes) < 2) {
-			throw new \Exception('searchAttributes must be an array with at least two string');
-		}
-		$searchWords = explode(' ', trim($search));
-		$wordFilters = [];
-		foreach ($searchWords as $word) {
-			$word = $this->prepareSearchTerm($word);
-			//every word needs to appear at least once
-			$wordMatchOneAttrFilters = [];
-			foreach ($searchAttributes as $attr) {
-				$wordMatchOneAttrFilters[] = $attr . '=' . $word;
-			}
-			$wordFilters[] = $this->combineFilterWithOr($wordMatchOneAttrFilters);
-		}
-		return $this->combineFilterWithAnd($wordFilters);
-	}
-
-	/**
-	 * creates a filter part for searches
-	 *
-	 * @param string $search the search term
-	 * @param string[]|null $searchAttributes
-	 * @param string $fallbackAttribute a fallback attribute in case the user
-	 * did not define search attributes. Typically the display name attribute.
-	 * @return string the final filter part to use in LDAP searches
-	 */
-	private function getFilterPartForSearch($search, $searchAttributes, $fallbackAttribute) {
-		$filter = [];
-		$haveMultiSearchAttributes = (is_array($searchAttributes) && count($searchAttributes) > 0);
-		if ($haveMultiSearchAttributes && strpos(trim($search), ' ') !== false) {
-			try {
-				return $this->getAdvancedFilterPartForSearch($search, $searchAttributes);
-			} catch (\Exception $e) {
-				\OCP\Util::writeLog(
-					'user_ldap',
-					'Creating advanced filter for search failed, falling back to simple method.',
-					ILogger::INFO
-				);
-			}
-		}
-
-		$search = $this->prepareSearchTerm($search);
-		if (!is_array($searchAttributes) || count($searchAttributes) === 0) {
-			if ($fallbackAttribute === '') {
-				return '';
-			}
-			$filter[] = $fallbackAttribute . '=' . $search;
-		} else {
-			foreach ($searchAttributes as $attribute) {
-				$filter[] = $attribute . '=' . $search;
-			}
-		}
-		if (count($filter) === 1) {
-			return '(' . $filter[0] . ')';
-		}
-		return $this->combineFilterWithOr($filter);
-	}
-
-	/**
-	 * returns the search term depending on whether we are allowed
-	 * list users found by ldap with the current input appended by
-	 * a *
-	 *
-	 * @return string
-	 */
-	private function prepareSearchTerm($term) {
-		$config = \OC::$server->getConfig();
-
-		$allowEnum = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes');
-
-		$result = $term;
-		if ($term === '') {
-			$result = '*';
-		} elseif ($allowEnum !== 'no') {
-			$result = $term . '*';
-		}
-		return $result;
-	}
-
-	/**
-	 * returns the filter used for counting users
-	 *
-	 * @return string
-	 */
-	public function getFilterForUserCount() {
-		$filter = $this->combineFilterWithAnd([
-			$this->connection->ldapUserFilter,
-			$this->connection->ldapUserDisplayName . '=*'
-		]);
-
-		return $filter;
-	}
-
-	/**
-	 * @param string $name
-	 * @param string $password
-	 * @return bool
-	 */
-	public function areCredentialsValid($name, $password) {
-		$name = $this->helper->DNasBaseParameter($name);
-		$testConnection = clone $this->connection;
-		$credentials = [
-			'ldapAgentName' => $name,
-			'ldapAgentPassword' => $password
-		];
-		if (!$testConnection->setConfiguration($credentials)) {
-			return false;
-		}
-		return $testConnection->bind();
-	}
-
-	/**
-	 * reverse lookup of a DN given a known UUID
-	 *
-	 * @param string $uuid
-	 * @return string
-	 * @throws \Exception
-	 */
-	public function getUserDnByUuid($uuid) {
-		$uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
-		$filter = $this->connection->ldapUserFilter;
-		$bases = $this->connection->ldapBaseUsers;
-
-		if ($this->connection->ldapUuidUserAttribute === 'auto' && $uuidOverride === '') {
-			// Sacrebleu! The UUID attribute is unknown :( We need first an
-			// existing DN to be able to reliably detect it.
-			foreach ($bases as $base) {
-				$result = $this->search($filter, $base, ['dn'], 1);
-				if (!isset($result[0]) || !isset($result[0]['dn'])) {
-					continue;
-				}
-				$dn = $result[0]['dn'][0];
-				if ($hasFound = $this->detectUuidAttribute($dn, true)) {
-					break;
-				}
-			}
-			if (!isset($hasFound) || !$hasFound) {
-				throw new \Exception('Cannot determine UUID attribute');
-			}
-		} else {
-			// The UUID attribute is either known or an override is given.
-			// By calling this method we ensure that $this->connection->$uuidAttr
-			// is definitely set
-			if (!$this->detectUuidAttribute('', true)) {
-				throw new \Exception('Cannot determine UUID attribute');
-			}
-		}
-
-		$uuidAttr = $this->connection->ldapUuidUserAttribute;
-		if ($uuidAttr === 'guid' || $uuidAttr === 'objectguid') {
-			$uuid = $this->formatGuid2ForFilterUser($uuid);
-		}
-
-		$filter = $uuidAttr . '=' . $uuid;
-		$result = $this->searchUsers($filter, ['dn'], 2);
-		if (is_array($result) && isset($result[0]) && isset($result[0]['dn']) && count($result) === 1) {
-			// we put the count into account to make sure that this is
-			// really unique
-			return $result[0]['dn'][0];
-		}
-
-		throw new \Exception('Cannot determine UUID attribute');
-	}
-
-	/**
-	 * auto-detects the directory's UUID attribute
-	 *
-	 * @param string $dn a known DN used to check against
-	 * @param bool $isUser
-	 * @param bool $force the detection should be run, even if it is not set to auto
-	 * @param array|null $ldapRecord
-	 * @return bool true on success, false otherwise
-	 * @throws ServerNotAvailableException
-	 */
-	private function detectUuidAttribute($dn, $isUser = true, $force = false, array $ldapRecord = null) {
-		if ($isUser) {
-			$uuidAttr = 'ldapUuidUserAttribute';
-			$uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
-		} else {
-			$uuidAttr = 'ldapUuidGroupAttribute';
-			$uuidOverride = $this->connection->ldapExpertUUIDGroupAttr;
-		}
-
-		if (!$force) {
-			if ($this->connection->$uuidAttr !== 'auto') {
-				return true;
-			} elseif (is_string($uuidOverride) && trim($uuidOverride) !== '') {
-				$this->connection->$uuidAttr = $uuidOverride;
-				return true;
-			}
-
-			$attribute = $this->connection->getFromCache($uuidAttr);
-			if (!$attribute === null) {
-				$this->connection->$uuidAttr = $attribute;
-				return true;
-			}
-		}
-
-		foreach (self::UUID_ATTRIBUTES as $attribute) {
-			if ($ldapRecord !== null) {
-				// we have the info from LDAP already, we don't need to talk to the server again
-				if (isset($ldapRecord[$attribute])) {
-					$this->connection->$uuidAttr = $attribute;
-					return true;
-				}
-			}
-
-			$value = $this->readAttribute($dn, $attribute);
-			if (is_array($value) && isset($value[0]) && !empty($value[0])) {
-				\OC::$server->getLogger()->debug(
-					'Setting {attribute} as {subject}',
-					[
-						'app' => 'user_ldap',
-						'attribute' => $attribute,
-						'subject' => $uuidAttr
-					]
-				);
-				$this->connection->$uuidAttr = $attribute;
-				$this->connection->writeToCache($uuidAttr, $attribute);
-				return true;
-			}
-		}
-		\OC::$server->getLogger()->debug('Could not autodetect the UUID attribute', ['app' => 'user_ldap']);
-
-		return false;
-	}
-
-	/**
-	 * @param string $dn
-	 * @param bool $isUser
-	 * @param null $ldapRecord
-	 * @return bool|string
-	 * @throws ServerNotAvailableException
-	 */
-	public function getUUID($dn, $isUser = true, $ldapRecord = null) {
-		if ($isUser) {
-			$uuidAttr = 'ldapUuidUserAttribute';
-			$uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
-		} else {
-			$uuidAttr = 'ldapUuidGroupAttribute';
-			$uuidOverride = $this->connection->ldapExpertUUIDGroupAttr;
-		}
-
-		$uuid = false;
-		if ($this->detectUuidAttribute($dn, $isUser, false, $ldapRecord)) {
-			$attr = $this->connection->$uuidAttr;
-			$uuid = isset($ldapRecord[$attr]) ? $ldapRecord[$attr] : $this->readAttribute($dn, $attr);
-			if (!is_array($uuid)
-				&& $uuidOverride !== ''
-				&& $this->detectUuidAttribute($dn, $isUser, true, $ldapRecord)) {
-				$uuid = isset($ldapRecord[$this->connection->$uuidAttr])
-					? $ldapRecord[$this->connection->$uuidAttr]
-					: $this->readAttribute($dn, $this->connection->$uuidAttr);
-			}
-			if (is_array($uuid) && isset($uuid[0]) && !empty($uuid[0])) {
-				$uuid = $uuid[0];
-			}
-		}
-
-		return $uuid;
-	}
-
-	/**
-	 * converts a binary ObjectGUID into a string representation
-	 *
-	 * @param string $oguid the ObjectGUID in it's binary form as retrieved from AD
-	 * @return string
-	 * @link http://www.php.net/manual/en/function.ldap-get-values-len.php#73198
-	 */
-	private function convertObjectGUID2Str($oguid) {
-		$hex_guid = bin2hex($oguid);
-		$hex_guid_to_guid_str = '';
-		for ($k = 1; $k <= 4; ++$k) {
-			$hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2);
-		}
-		$hex_guid_to_guid_str .= '-';
-		for ($k = 1; $k <= 2; ++$k) {
-			$hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2);
-		}
-		$hex_guid_to_guid_str .= '-';
-		for ($k = 1; $k <= 2; ++$k) {
-			$hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2);
-		}
-		$hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4);
-		$hex_guid_to_guid_str .= '-' . substr($hex_guid, 20);
-
-		return strtoupper($hex_guid_to_guid_str);
-	}
-
-	/**
-	 * the first three blocks of the string-converted GUID happen to be in
-	 * reverse order. In order to use it in a filter, this needs to be
-	 * corrected. Furthermore the dashes need to be replaced and \\ preprended
-	 * to every two hax figures.
-	 *
-	 * If an invalid string is passed, it will be returned without change.
-	 *
-	 * @param string $guid
-	 * @return string
-	 */
-	public function formatGuid2ForFilterUser($guid) {
-		if (!is_string($guid)) {
-			throw new \InvalidArgumentException('String expected');
-		}
-		$blocks = explode('-', $guid);
-		if (count($blocks) !== 5) {
-			/*
+        $findings = [];
+        $savedoffset = $offset;
+        $iFoundItems = 0;
+
+        do {
+            $search = $this->executeSearch($filter, $base, $attr, $limitPerPage, $offset);
+            if ($search === false) {
+                return [];
+            }
+            list($sr, $pagedSearchOK) = $search;
+            $cr = $this->connection->getConnectionResource();
+
+            if ($skipHandling) {
+                //i.e. result do not need to be fetched, we just need the cookie
+                //thus pass 1 or any other value as $iFoundItems because it is not
+                //used
+                $this->processPagedSearchStatus($sr, 1, $limitPerPage, $pagedSearchOK, $skipHandling);
+                return [];
+            }
+
+            $findings = array_merge($findings, $this->invokeLDAPMethod('getEntries', $cr, $sr));
+            $iFoundItems = max($iFoundItems, $findings['count']);
+            unset($findings['count']);
+
+            $continue = $this->processPagedSearchStatus($sr, $iFoundItems, $limitPerPage, $pagedSearchOK, $skipHandling);
+            $offset += $limitPerPage;
+        } while ($continue && $pagedSearchOK && ($limit === null || count($findings) < $limit));
+
+        // resetting offset
+        $offset = $savedoffset;
+
+        // if we're here, probably no connection resource is returned.
+        // to make Nextcloud behave nicely, we simply give back an empty array.
+        if (is_null($findings)) {
+            return [];
+        }
+
+        if (!is_null($attr)) {
+            $selection = [];
+            $i = 0;
+            foreach ($findings as $item) {
+                if (!is_array($item)) {
+                    continue;
+                }
+                $item = \OCP\Util::mb_array_change_key_case($item, MB_CASE_LOWER, 'UTF-8');
+                foreach ($attr as $key) {
+                    if (isset($item[$key])) {
+                        if (is_array($item[$key]) && isset($item[$key]['count'])) {
+                            unset($item[$key]['count']);
+                        }
+                        if ($key !== 'dn') {
+                            if ($this->resemblesDN($key)) {
+                                $selection[$i][$key] = $this->helper->sanitizeDN($item[$key]);
+                            } elseif ($key === 'objectguid' || $key === 'guid') {
+                                $selection[$i][$key] = [$this->convertObjectGUID2Str($item[$key][0])];
+                            } else {
+                                $selection[$i][$key] = $item[$key];
+                            }
+                        } else {
+                            $selection[$i][$key] = [$this->helper->sanitizeDN($item[$key])];
+                        }
+                    }
+                }
+                $i++;
+            }
+            $findings = $selection;
+        }
+        //we slice the findings, when
+        //a) paged search unsuccessful, though attempted
+        //b) no paged search, but limit set
+        if ((!$this->getPagedSearchResultState()
+                && $pagedSearchOK)
+            || (
+                !$pagedSearchOK
+                && !is_null($limit)
+            )
+        ) {
+            $findings = array_slice($findings, (int)$offset, $limit);
+        }
+        return $findings;
+    }
+
+    /**
+     * @param string $name
+     * @return string
+     * @throws \InvalidArgumentException
+     */
+    public function sanitizeUsername($name) {
+        $name = trim($name);
+
+        if ($this->connection->ldapIgnoreNamingRules) {
+            return $name;
+        }
+
+        // Transliteration to ASCII
+        $transliterated = @iconv('UTF-8', 'ASCII//TRANSLIT', $name);
+        if ($transliterated !== false) {
+            // depending on system config iconv can work or not
+            $name = $transliterated;
+        }
+
+        // Replacements
+        $name = str_replace(' ', '_', $name);
+
+        // Every remaining disallowed characters will be removed
+        $name = preg_replace('/[^a-zA-Z0-9_.@-]/u', '', $name);
+
+        if ($name === '') {
+            throw new \InvalidArgumentException('provided name template for username does not contain any allowed characters');
+        }
+
+        return $name;
+    }
+
+    /**
+     * escapes (user provided) parts for LDAP filter
+     *
+     * @param string $input , the provided value
+     * @param bool $allowAsterisk whether in * at the beginning should be preserved
+     * @return string the escaped string
+     */
+    public function escapeFilterPart($input, $allowAsterisk = false): string {
+        $asterisk = '';
+        if ($allowAsterisk && strlen($input) > 0 && $input[0] === '*') {
+            $asterisk = '*';
+            $input = mb_substr($input, 1, null, 'UTF-8');
+        }
+        $search = ['*', '\\', '(', ')'];
+        $replace = ['\\*', '\\\\', '\\(', '\\)'];
+        return $asterisk . str_replace($search, $replace, $input);
+    }
+
+    /**
+     * combines the input filters with AND
+     *
+     * @param string[] $filters the filters to connect
+     * @return string the combined filter
+     */
+    public function combineFilterWithAnd($filters): string {
+        return $this->combineFilter($filters, '&');
+    }
+
+    /**
+     * combines the input filters with OR
+     *
+     * @param string[] $filters the filters to connect
+     * @return string the combined filter
+     * Combines Filter arguments with OR
+     */
+    public function combineFilterWithOr($filters) {
+        return $this->combineFilter($filters, '|');
+    }
+
+    /**
+     * combines the input filters with given operator
+     *
+     * @param string[] $filters the filters to connect
+     * @param string $operator either & or |
+     * @return string the combined filter
+     */
+    private function combineFilter($filters, $operator) {
+        $combinedFilter = '(' . $operator;
+        foreach ($filters as $filter) {
+            if ($filter !== '' && $filter[0] !== '(') {
+                $filter = '(' . $filter . ')';
+            }
+            $combinedFilter .= $filter;
+        }
+        $combinedFilter .= ')';
+        return $combinedFilter;
+    }
+
+    /**
+     * creates a filter part for to perform search for users
+     *
+     * @param string $search the search term
+     * @return string the final filter part to use in LDAP searches
+     */
+    public function getFilterPartForUserSearch($search) {
+        return $this->getFilterPartForSearch($search,
+            $this->connection->ldapAttributesForUserSearch,
+            $this->connection->ldapUserDisplayName);
+    }
+
+    /**
+     * creates a filter part for to perform search for groups
+     *
+     * @param string $search the search term
+     * @return string the final filter part to use in LDAP searches
+     */
+    public function getFilterPartForGroupSearch($search) {
+        return $this->getFilterPartForSearch($search,
+            $this->connection->ldapAttributesForGroupSearch,
+            $this->connection->ldapGroupDisplayName);
+    }
+
+    /**
+     * creates a filter part for searches by splitting up the given search
+     * string into single words
+     *
+     * @param string $search the search term
+     * @param string[] $searchAttributes needs to have at least two attributes,
+     * otherwise it does not make sense :)
+     * @return string the final filter part to use in LDAP searches
+     * @throws \Exception
+     */
+    private function getAdvancedFilterPartForSearch($search, $searchAttributes) {
+        if (!is_array($searchAttributes) || count($searchAttributes) < 2) {
+            throw new \Exception('searchAttributes must be an array with at least two string');
+        }
+        $searchWords = explode(' ', trim($search));
+        $wordFilters = [];
+        foreach ($searchWords as $word) {
+            $word = $this->prepareSearchTerm($word);
+            //every word needs to appear at least once
+            $wordMatchOneAttrFilters = [];
+            foreach ($searchAttributes as $attr) {
+                $wordMatchOneAttrFilters[] = $attr . '=' . $word;
+            }
+            $wordFilters[] = $this->combineFilterWithOr($wordMatchOneAttrFilters);
+        }
+        return $this->combineFilterWithAnd($wordFilters);
+    }
+
+    /**
+     * creates a filter part for searches
+     *
+     * @param string $search the search term
+     * @param string[]|null $searchAttributes
+     * @param string $fallbackAttribute a fallback attribute in case the user
+     * did not define search attributes. Typically the display name attribute.
+     * @return string the final filter part to use in LDAP searches
+     */
+    private function getFilterPartForSearch($search, $searchAttributes, $fallbackAttribute) {
+        $filter = [];
+        $haveMultiSearchAttributes = (is_array($searchAttributes) && count($searchAttributes) > 0);
+        if ($haveMultiSearchAttributes && strpos(trim($search), ' ') !== false) {
+            try {
+                return $this->getAdvancedFilterPartForSearch($search, $searchAttributes);
+            } catch (\Exception $e) {
+                \OCP\Util::writeLog(
+                    'user_ldap',
+                    'Creating advanced filter for search failed, falling back to simple method.',
+                    ILogger::INFO
+                );
+            }
+        }
+
+        $search = $this->prepareSearchTerm($search);
+        if (!is_array($searchAttributes) || count($searchAttributes) === 0) {
+            if ($fallbackAttribute === '') {
+                return '';
+            }
+            $filter[] = $fallbackAttribute . '=' . $search;
+        } else {
+            foreach ($searchAttributes as $attribute) {
+                $filter[] = $attribute . '=' . $search;
+            }
+        }
+        if (count($filter) === 1) {
+            return '(' . $filter[0] . ')';
+        }
+        return $this->combineFilterWithOr($filter);
+    }
+
+    /**
+     * returns the search term depending on whether we are allowed
+     * list users found by ldap with the current input appended by
+     * a *
+     *
+     * @return string
+     */
+    private function prepareSearchTerm($term) {
+        $config = \OC::$server->getConfig();
+
+        $allowEnum = $config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes');
+
+        $result = $term;
+        if ($term === '') {
+            $result = '*';
+        } elseif ($allowEnum !== 'no') {
+            $result = $term . '*';
+        }
+        return $result;
+    }
+
+    /**
+     * returns the filter used for counting users
+     *
+     * @return string
+     */
+    public function getFilterForUserCount() {
+        $filter = $this->combineFilterWithAnd([
+            $this->connection->ldapUserFilter,
+            $this->connection->ldapUserDisplayName . '=*'
+        ]);
+
+        return $filter;
+    }
+
+    /**
+     * @param string $name
+     * @param string $password
+     * @return bool
+     */
+    public function areCredentialsValid($name, $password) {
+        $name = $this->helper->DNasBaseParameter($name);
+        $testConnection = clone $this->connection;
+        $credentials = [
+            'ldapAgentName' => $name,
+            'ldapAgentPassword' => $password
+        ];
+        if (!$testConnection->setConfiguration($credentials)) {
+            return false;
+        }
+        return $testConnection->bind();
+    }
+
+    /**
+     * reverse lookup of a DN given a known UUID
+     *
+     * @param string $uuid
+     * @return string
+     * @throws \Exception
+     */
+    public function getUserDnByUuid($uuid) {
+        $uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
+        $filter = $this->connection->ldapUserFilter;
+        $bases = $this->connection->ldapBaseUsers;
+
+        if ($this->connection->ldapUuidUserAttribute === 'auto' && $uuidOverride === '') {
+            // Sacrebleu! The UUID attribute is unknown :( We need first an
+            // existing DN to be able to reliably detect it.
+            foreach ($bases as $base) {
+                $result = $this->search($filter, $base, ['dn'], 1);
+                if (!isset($result[0]) || !isset($result[0]['dn'])) {
+                    continue;
+                }
+                $dn = $result[0]['dn'][0];
+                if ($hasFound = $this->detectUuidAttribute($dn, true)) {
+                    break;
+                }
+            }
+            if (!isset($hasFound) || !$hasFound) {
+                throw new \Exception('Cannot determine UUID attribute');
+            }
+        } else {
+            // The UUID attribute is either known or an override is given.
+            // By calling this method we ensure that $this->connection->$uuidAttr
+            // is definitely set
+            if (!$this->detectUuidAttribute('', true)) {
+                throw new \Exception('Cannot determine UUID attribute');
+            }
+        }
+
+        $uuidAttr = $this->connection->ldapUuidUserAttribute;
+        if ($uuidAttr === 'guid' || $uuidAttr === 'objectguid') {
+            $uuid = $this->formatGuid2ForFilterUser($uuid);
+        }
+
+        $filter = $uuidAttr . '=' . $uuid;
+        $result = $this->searchUsers($filter, ['dn'], 2);
+        if (is_array($result) && isset($result[0]) && isset($result[0]['dn']) && count($result) === 1) {
+            // we put the count into account to make sure that this is
+            // really unique
+            return $result[0]['dn'][0];
+        }
+
+        throw new \Exception('Cannot determine UUID attribute');
+    }
+
+    /**
+     * auto-detects the directory's UUID attribute
+     *
+     * @param string $dn a known DN used to check against
+     * @param bool $isUser
+     * @param bool $force the detection should be run, even if it is not set to auto
+     * @param array|null $ldapRecord
+     * @return bool true on success, false otherwise
+     * @throws ServerNotAvailableException
+     */
+    private function detectUuidAttribute($dn, $isUser = true, $force = false, array $ldapRecord = null) {
+        if ($isUser) {
+            $uuidAttr = 'ldapUuidUserAttribute';
+            $uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
+        } else {
+            $uuidAttr = 'ldapUuidGroupAttribute';
+            $uuidOverride = $this->connection->ldapExpertUUIDGroupAttr;
+        }
+
+        if (!$force) {
+            if ($this->connection->$uuidAttr !== 'auto') {
+                return true;
+            } elseif (is_string($uuidOverride) && trim($uuidOverride) !== '') {
+                $this->connection->$uuidAttr = $uuidOverride;
+                return true;
+            }
+
+            $attribute = $this->connection->getFromCache($uuidAttr);
+            if (!$attribute === null) {
+                $this->connection->$uuidAttr = $attribute;
+                return true;
+            }
+        }
+
+        foreach (self::UUID_ATTRIBUTES as $attribute) {
+            if ($ldapRecord !== null) {
+                // we have the info from LDAP already, we don't need to talk to the server again
+                if (isset($ldapRecord[$attribute])) {
+                    $this->connection->$uuidAttr = $attribute;
+                    return true;
+                }
+            }
+
+            $value = $this->readAttribute($dn, $attribute);
+            if (is_array($value) && isset($value[0]) && !empty($value[0])) {
+                \OC::$server->getLogger()->debug(
+                    'Setting {attribute} as {subject}',
+                    [
+                        'app' => 'user_ldap',
+                        'attribute' => $attribute,
+                        'subject' => $uuidAttr
+                    ]
+                );
+                $this->connection->$uuidAttr = $attribute;
+                $this->connection->writeToCache($uuidAttr, $attribute);
+                return true;
+            }
+        }
+        \OC::$server->getLogger()->debug('Could not autodetect the UUID attribute', ['app' => 'user_ldap']);
+
+        return false;
+    }
+
+    /**
+     * @param string $dn
+     * @param bool $isUser
+     * @param null $ldapRecord
+     * @return bool|string
+     * @throws ServerNotAvailableException
+     */
+    public function getUUID($dn, $isUser = true, $ldapRecord = null) {
+        if ($isUser) {
+            $uuidAttr = 'ldapUuidUserAttribute';
+            $uuidOverride = $this->connection->ldapExpertUUIDUserAttr;
+        } else {
+            $uuidAttr = 'ldapUuidGroupAttribute';
+            $uuidOverride = $this->connection->ldapExpertUUIDGroupAttr;
+        }
+
+        $uuid = false;
+        if ($this->detectUuidAttribute($dn, $isUser, false, $ldapRecord)) {
+            $attr = $this->connection->$uuidAttr;
+            $uuid = isset($ldapRecord[$attr]) ? $ldapRecord[$attr] : $this->readAttribute($dn, $attr);
+            if (!is_array($uuid)
+                && $uuidOverride !== ''
+                && $this->detectUuidAttribute($dn, $isUser, true, $ldapRecord)) {
+                $uuid = isset($ldapRecord[$this->connection->$uuidAttr])
+                    ? $ldapRecord[$this->connection->$uuidAttr]
+                    : $this->readAttribute($dn, $this->connection->$uuidAttr);
+            }
+            if (is_array($uuid) && isset($uuid[0]) && !empty($uuid[0])) {
+                $uuid = $uuid[0];
+            }
+        }
+
+        return $uuid;
+    }
+
+    /**
+     * converts a binary ObjectGUID into a string representation
+     *
+     * @param string $oguid the ObjectGUID in it's binary form as retrieved from AD
+     * @return string
+     * @link http://www.php.net/manual/en/function.ldap-get-values-len.php#73198
+     */
+    private function convertObjectGUID2Str($oguid) {
+        $hex_guid = bin2hex($oguid);
+        $hex_guid_to_guid_str = '';
+        for ($k = 1; $k <= 4; ++$k) {
+            $hex_guid_to_guid_str .= substr($hex_guid, 8 - 2 * $k, 2);
+        }
+        $hex_guid_to_guid_str .= '-';
+        for ($k = 1; $k <= 2; ++$k) {
+            $hex_guid_to_guid_str .= substr($hex_guid, 12 - 2 * $k, 2);
+        }
+        $hex_guid_to_guid_str .= '-';
+        for ($k = 1; $k <= 2; ++$k) {
+            $hex_guid_to_guid_str .= substr($hex_guid, 16 - 2 * $k, 2);
+        }
+        $hex_guid_to_guid_str .= '-' . substr($hex_guid, 16, 4);
+        $hex_guid_to_guid_str .= '-' . substr($hex_guid, 20);
+
+        return strtoupper($hex_guid_to_guid_str);
+    }
+
+    /**
+     * the first three blocks of the string-converted GUID happen to be in
+     * reverse order. In order to use it in a filter, this needs to be
+     * corrected. Furthermore the dashes need to be replaced and \\ preprended
+     * to every two hax figures.
+     *
+     * If an invalid string is passed, it will be returned without change.
+     *
+     * @param string $guid
+     * @return string
+     */
+    public function formatGuid2ForFilterUser($guid) {
+        if (!is_string($guid)) {
+            throw new \InvalidArgumentException('String expected');
+        }
+        $blocks = explode('-', $guid);
+        if (count($blocks) !== 5) {
+            /*
 			 * Why not throw an Exception instead? This method is a utility
 			 * called only when trying to figure out whether a "missing" known
 			 * LDAP user was or was not renamed on the LDAP server. And this
@@ -1838,246 +1838,246 @@  discard block
 block discarded – undo
 			 * an exception here would kill the experience for a valid, acting
 			 * user. Instead we write a log message.
 			 */
-			\OC::$server->getLogger()->info(
-				'Passed string does not resemble a valid GUID. Known UUID ' .
-				'({uuid}) probably does not match UUID configuration.',
-				['app' => 'user_ldap', 'uuid' => $guid]
-			);
-			return $guid;
-		}
-		for ($i = 0; $i < 3; $i++) {
-			$pairs = str_split($blocks[$i], 2);
-			$pairs = array_reverse($pairs);
-			$blocks[$i] = implode('', $pairs);
-		}
-		for ($i = 0; $i < 5; $i++) {
-			$pairs = str_split($blocks[$i], 2);
-			$blocks[$i] = '\\' . implode('\\', $pairs);
-		}
-		return implode('', $blocks);
-	}
-
-	/**
-	 * gets a SID of the domain of the given dn
-	 *
-	 * @param string $dn
-	 * @return string|bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function getSID($dn) {
-		$domainDN = $this->getDomainDNFromDN($dn);
-		$cacheKey = 'getSID-' . $domainDN;
-		$sid = $this->connection->getFromCache($cacheKey);
-		if (!is_null($sid)) {
-			return $sid;
-		}
-
-		$objectSid = $this->readAttribute($domainDN, 'objectsid');
-		if (!is_array($objectSid) || empty($objectSid)) {
-			$this->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-		$domainObjectSid = $this->convertSID2Str($objectSid[0]);
-		$this->connection->writeToCache($cacheKey, $domainObjectSid);
-
-		return $domainObjectSid;
-	}
-
-	/**
-	 * converts a binary SID into a string representation
-	 *
-	 * @param string $sid
-	 * @return string
-	 */
-	public function convertSID2Str($sid) {
-		// The format of a SID binary string is as follows:
-		// 1 byte for the revision level
-		// 1 byte for the number n of variable sub-ids
-		// 6 bytes for identifier authority value
-		// n*4 bytes for n sub-ids
-		//
-		// Example: 010400000000000515000000a681e50e4d6c6c2bca32055f
-		//  Legend: RRNNAAAAAAAAAAAA11111111222222223333333344444444
-		$revision = ord($sid[0]);
-		$numberSubID = ord($sid[1]);
-
-		$subIdStart = 8; // 1 + 1 + 6
-		$subIdLength = 4;
-		if (strlen($sid) !== $subIdStart + $subIdLength * $numberSubID) {
-			// Incorrect number of bytes present.
-			return '';
-		}
-
-		// 6 bytes = 48 bits can be represented using floats without loss of
-		// precision (see https://gist.github.com/bantu/886ac680b0aef5812f71)
-		$iav = number_format(hexdec(bin2hex(substr($sid, 2, 6))), 0, '', '');
-
-		$subIDs = [];
-		for ($i = 0; $i < $numberSubID; $i++) {
-			$subID = unpack('V', substr($sid, $subIdStart + $subIdLength * $i, $subIdLength));
-			$subIDs[] = sprintf('%u', $subID[1]);
-		}
-
-		// Result for example above: S-1-5-21-249921958-728525901-1594176202
-		return sprintf('S-%d-%s-%s', $revision, $iav, implode('-', $subIDs));
-	}
-
-	/**
-	 * checks if the given DN is part of the given base DN(s)
-	 *
-	 * @param string $dn the DN
-	 * @param string[] $bases array containing the allowed base DN or DNs
-	 * @return bool
-	 */
-	public function isDNPartOfBase($dn, $bases) {
-		$belongsToBase = false;
-		$bases = $this->helper->sanitizeDN($bases);
-
-		foreach ($bases as $base) {
-			$belongsToBase = true;
-			if (mb_strripos($dn, $base, 0, 'UTF-8') !== (mb_strlen($dn, 'UTF-8') - mb_strlen($base, 'UTF-8'))) {
-				$belongsToBase = false;
-			}
-			if ($belongsToBase) {
-				break;
-			}
-		}
-		return $belongsToBase;
-	}
-
-	/**
-	 * resets a running Paged Search operation
-	 *
-	 * @throws ServerNotAvailableException
-	 */
-	private function abandonPagedSearch() {
-		if ($this->lastCookie === '') {
-			return;
-		}
-		$cr = $this->connection->getConnectionResource();
-		$this->invokeLDAPMethod('controlPagedResult', $cr, 0, false);
-		$this->getPagedSearchResultState();
-		$this->lastCookie = '';
-	}
-
-	/**
-	 * checks whether an LDAP paged search operation has more pages that can be
-	 * retrieved, typically when offset and limit are provided.
-	 *
-	 * Be very careful to use it: the last cookie value, which is inspected, can
-	 * be reset by other operations. Best, call it immediately after a search(),
-	 * searchUsers() or searchGroups() call. count-methods are probably safe as
-	 * well. Don't rely on it with any fetchList-method.
-	 *
-	 * @return bool
-	 */
-	public function hasMoreResults() {
-		if (empty($this->lastCookie) && $this->lastCookie !== '0') {
-			// as in RFC 2696, when all results are returned, the cookie will
-			// be empty.
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * Check whether the most recent paged search was successful. It flushed the state var. Use it always after a possible paged search.
-	 *
-	 * @return boolean|null true on success, null or false otherwise
-	 */
-	public function getPagedSearchResultState() {
-		$result = $this->pagedSearchedSuccessful;
-		$this->pagedSearchedSuccessful = null;
-		return $result;
-	}
-
-	/**
-	 * Prepares a paged search, if possible
-	 *
-	 * @param string $filter the LDAP filter for the search
-	 * @param string[] $bases an array containing the LDAP subtree(s) that shall be searched
-	 * @param string[] $attr optional, when a certain attribute shall be filtered outside
-	 * @param int $limit
-	 * @param int $offset
-	 * @return bool|true
-	 * @throws ServerNotAvailableException
-	 */
-	private function initPagedSearch(
-		string $filter,
-		string $base,
-		?array $attr,
-		int $limit,
-		int $offset
-	): bool {
-		$pagedSearchOK = false;
-		if ($limit !== 0) {
-			\OC::$server->getLogger()->debug(
-				'initializing paged search for filter {filter}, base {base}, attr {attr}, limit {limit}, offset {offset}',
-				[
-					'app' => 'user_ldap',
-					'filter' => $filter,
-					'base' => $base,
-					'attr' => $attr,
-					'limit' => $limit,
-					'offset' => $offset
-				]
-			);
-			//get the cookie from the search for the previous search, required by LDAP
-			if (empty($this->lastCookie) && $this->lastCookie !== "0" && ($offset > 0)) {
-				// no cookie known from a potential previous search. We need
-				// to start from 0 to come to the desired page. cookie value
-				// of '0' is valid, because 389ds
-				$reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit;
-				$this->search($filter, $base, $attr, $limit, $reOffset, true);
-				if (!$this->hasMoreResults()) {
-					// when the cookie is reset with != 0 offset, there are no further
-					// results, so stop.
-					return false;
-				}
-			}
-			if ($this->lastCookie !== '' && $offset === 0) {
-				//since offset = 0, this is a new search. We abandon other searches that might be ongoing.
-				$this->abandonPagedSearch();
-			}
-			$pagedSearchOK = true === $this->invokeLDAPMethod(
-					'controlPagedResult', $this->connection->getConnectionResource(), $limit, false
-				);
-			if ($pagedSearchOK) {
-				\OC::$server->getLogger()->debug('Ready for a paged search', ['app' => 'user_ldap']);
-			}
-			/* ++ Fixing RHDS searches with pages with zero results ++
+            \OC::$server->getLogger()->info(
+                'Passed string does not resemble a valid GUID. Known UUID ' .
+                '({uuid}) probably does not match UUID configuration.',
+                ['app' => 'user_ldap', 'uuid' => $guid]
+            );
+            return $guid;
+        }
+        for ($i = 0; $i < 3; $i++) {
+            $pairs = str_split($blocks[$i], 2);
+            $pairs = array_reverse($pairs);
+            $blocks[$i] = implode('', $pairs);
+        }
+        for ($i = 0; $i < 5; $i++) {
+            $pairs = str_split($blocks[$i], 2);
+            $blocks[$i] = '\\' . implode('\\', $pairs);
+        }
+        return implode('', $blocks);
+    }
+
+    /**
+     * gets a SID of the domain of the given dn
+     *
+     * @param string $dn
+     * @return string|bool
+     * @throws ServerNotAvailableException
+     */
+    public function getSID($dn) {
+        $domainDN = $this->getDomainDNFromDN($dn);
+        $cacheKey = 'getSID-' . $domainDN;
+        $sid = $this->connection->getFromCache($cacheKey);
+        if (!is_null($sid)) {
+            return $sid;
+        }
+
+        $objectSid = $this->readAttribute($domainDN, 'objectsid');
+        if (!is_array($objectSid) || empty($objectSid)) {
+            $this->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+        $domainObjectSid = $this->convertSID2Str($objectSid[0]);
+        $this->connection->writeToCache($cacheKey, $domainObjectSid);
+
+        return $domainObjectSid;
+    }
+
+    /**
+     * converts a binary SID into a string representation
+     *
+     * @param string $sid
+     * @return string
+     */
+    public function convertSID2Str($sid) {
+        // The format of a SID binary string is as follows:
+        // 1 byte for the revision level
+        // 1 byte for the number n of variable sub-ids
+        // 6 bytes for identifier authority value
+        // n*4 bytes for n sub-ids
+        //
+        // Example: 010400000000000515000000a681e50e4d6c6c2bca32055f
+        //  Legend: RRNNAAAAAAAAAAAA11111111222222223333333344444444
+        $revision = ord($sid[0]);
+        $numberSubID = ord($sid[1]);
+
+        $subIdStart = 8; // 1 + 1 + 6
+        $subIdLength = 4;
+        if (strlen($sid) !== $subIdStart + $subIdLength * $numberSubID) {
+            // Incorrect number of bytes present.
+            return '';
+        }
+
+        // 6 bytes = 48 bits can be represented using floats without loss of
+        // precision (see https://gist.github.com/bantu/886ac680b0aef5812f71)
+        $iav = number_format(hexdec(bin2hex(substr($sid, 2, 6))), 0, '', '');
+
+        $subIDs = [];
+        for ($i = 0; $i < $numberSubID; $i++) {
+            $subID = unpack('V', substr($sid, $subIdStart + $subIdLength * $i, $subIdLength));
+            $subIDs[] = sprintf('%u', $subID[1]);
+        }
+
+        // Result for example above: S-1-5-21-249921958-728525901-1594176202
+        return sprintf('S-%d-%s-%s', $revision, $iav, implode('-', $subIDs));
+    }
+
+    /**
+     * checks if the given DN is part of the given base DN(s)
+     *
+     * @param string $dn the DN
+     * @param string[] $bases array containing the allowed base DN or DNs
+     * @return bool
+     */
+    public function isDNPartOfBase($dn, $bases) {
+        $belongsToBase = false;
+        $bases = $this->helper->sanitizeDN($bases);
+
+        foreach ($bases as $base) {
+            $belongsToBase = true;
+            if (mb_strripos($dn, $base, 0, 'UTF-8') !== (mb_strlen($dn, 'UTF-8') - mb_strlen($base, 'UTF-8'))) {
+                $belongsToBase = false;
+            }
+            if ($belongsToBase) {
+                break;
+            }
+        }
+        return $belongsToBase;
+    }
+
+    /**
+     * resets a running Paged Search operation
+     *
+     * @throws ServerNotAvailableException
+     */
+    private function abandonPagedSearch() {
+        if ($this->lastCookie === '') {
+            return;
+        }
+        $cr = $this->connection->getConnectionResource();
+        $this->invokeLDAPMethod('controlPagedResult', $cr, 0, false);
+        $this->getPagedSearchResultState();
+        $this->lastCookie = '';
+    }
+
+    /**
+     * checks whether an LDAP paged search operation has more pages that can be
+     * retrieved, typically when offset and limit are provided.
+     *
+     * Be very careful to use it: the last cookie value, which is inspected, can
+     * be reset by other operations. Best, call it immediately after a search(),
+     * searchUsers() or searchGroups() call. count-methods are probably safe as
+     * well. Don't rely on it with any fetchList-method.
+     *
+     * @return bool
+     */
+    public function hasMoreResults() {
+        if (empty($this->lastCookie) && $this->lastCookie !== '0') {
+            // as in RFC 2696, when all results are returned, the cookie will
+            // be empty.
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Check whether the most recent paged search was successful. It flushed the state var. Use it always after a possible paged search.
+     *
+     * @return boolean|null true on success, null or false otherwise
+     */
+    public function getPagedSearchResultState() {
+        $result = $this->pagedSearchedSuccessful;
+        $this->pagedSearchedSuccessful = null;
+        return $result;
+    }
+
+    /**
+     * Prepares a paged search, if possible
+     *
+     * @param string $filter the LDAP filter for the search
+     * @param string[] $bases an array containing the LDAP subtree(s) that shall be searched
+     * @param string[] $attr optional, when a certain attribute shall be filtered outside
+     * @param int $limit
+     * @param int $offset
+     * @return bool|true
+     * @throws ServerNotAvailableException
+     */
+    private function initPagedSearch(
+        string $filter,
+        string $base,
+        ?array $attr,
+        int $limit,
+        int $offset
+    ): bool {
+        $pagedSearchOK = false;
+        if ($limit !== 0) {
+            \OC::$server->getLogger()->debug(
+                'initializing paged search for filter {filter}, base {base}, attr {attr}, limit {limit}, offset {offset}',
+                [
+                    'app' => 'user_ldap',
+                    'filter' => $filter,
+                    'base' => $base,
+                    'attr' => $attr,
+                    'limit' => $limit,
+                    'offset' => $offset
+                ]
+            );
+            //get the cookie from the search for the previous search, required by LDAP
+            if (empty($this->lastCookie) && $this->lastCookie !== "0" && ($offset > 0)) {
+                // no cookie known from a potential previous search. We need
+                // to start from 0 to come to the desired page. cookie value
+                // of '0' is valid, because 389ds
+                $reOffset = ($offset - $limit) < 0 ? 0 : $offset - $limit;
+                $this->search($filter, $base, $attr, $limit, $reOffset, true);
+                if (!$this->hasMoreResults()) {
+                    // when the cookie is reset with != 0 offset, there are no further
+                    // results, so stop.
+                    return false;
+                }
+            }
+            if ($this->lastCookie !== '' && $offset === 0) {
+                //since offset = 0, this is a new search. We abandon other searches that might be ongoing.
+                $this->abandonPagedSearch();
+            }
+            $pagedSearchOK = true === $this->invokeLDAPMethod(
+                    'controlPagedResult', $this->connection->getConnectionResource(), $limit, false
+                );
+            if ($pagedSearchOK) {
+                \OC::$server->getLogger()->debug('Ready for a paged search', ['app' => 'user_ldap']);
+            }
+            /* ++ Fixing RHDS searches with pages with zero results ++
 			 * We coudn't get paged searches working with our RHDS for login ($limit = 0),
 			 * due to pages with zero results.
 			 * So we added "&& !empty($this->lastCookie)" to this test to ignore pagination
 			 * if we don't have a previous paged search.
 			 */
-		} elseif ($limit === 0 && !empty($this->lastCookie)) {
-			// a search without limit was requested. However, if we do use
-			// Paged Search once, we always must do it. This requires us to
-			// initialize it with the configured page size.
-			$this->abandonPagedSearch();
-			// in case someone set it to 0 … use 500, otherwise no results will
-			// be returned.
-			$pageSize = (int)$this->connection->ldapPagingSize > 0 ? (int)$this->connection->ldapPagingSize : 500;
-			$pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult',
-				$this->connection->getConnectionResource(),
-				$pageSize, false);
-		}
-
-		return $pagedSearchOK;
-	}
-
-	/**
-	 * Is more than one $attr used for search?
-	 *
-	 * @param string|string[]|null $attr
-	 * @return bool
-	 */
-	private function manyAttributes($attr): bool {
-		if (\is_array($attr)) {
-			return \count($attr) > 1;
-		}
-		return false;
-	}
+        } elseif ($limit === 0 && !empty($this->lastCookie)) {
+            // a search without limit was requested. However, if we do use
+            // Paged Search once, we always must do it. This requires us to
+            // initialize it with the configured page size.
+            $this->abandonPagedSearch();
+            // in case someone set it to 0 … use 500, otherwise no results will
+            // be returned.
+            $pageSize = (int)$this->connection->ldapPagingSize > 0 ? (int)$this->connection->ldapPagingSize : 500;
+            $pagedSearchOK = $this->invokeLDAPMethod('controlPagedResult',
+                $this->connection->getConnectionResource(),
+                $pageSize, false);
+        }
+
+        return $pagedSearchOK;
+    }
+
+    /**
+     * Is more than one $attr used for search?
+     *
+     * @param string|string[]|null $attr
+     * @return bool
+     */
+    private function manyAttributes($attr): bool {
+        if (\is_array($attr)) {
+            return \count($attr) > 1;
+        }
+        return false;
+    }
 }

Please login to merge, or discard this patch.

apps/user_ldap/lib/Connection.php 1 patch

Indentation +615 added lines, -615 removed lines patch added patch discarded remove patch

@@ -74,619 +74,619 @@
 block discarded – undo
  * @property int useMemberOfToDetectMembership
  */
 class Connection extends LDAPUtility {
-	private $ldapConnectionRes = null;
-	private $configPrefix;
-	private $configID;
-	private $configured = false;
-	//whether connection should be kept on __destruct
-	private $dontDestruct = false;
-
-	/**
-	 * @var bool runtime flag that indicates whether supported primary groups are available
-	 */
-	public $hasPrimaryGroups = true;
-
-	/**
-	 * @var bool runtime flag that indicates whether supported POSIX gidNumber are available
-	 */
-	public $hasGidNumber = true;
-
-	//cache handler
-	protected $cache;
-
-	/** @var Configuration settings handler **/
-	protected $configuration;
-
-	protected $doNotValidate = false;
-
-	protected $ignoreValidation = false;
-
-	protected $bindResult = [];
-
-	/**
-	 * Constructor
-	 * @param ILDAPWrapper $ldap
-	 * @param string $configPrefix a string with the prefix for the configkey column (appconfig table)
-	 * @param string|null $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections
-	 */
-	public function __construct(ILDAPWrapper $ldap, $configPrefix = '', $configID = 'user_ldap') {
-		parent::__construct($ldap);
-		$this->configPrefix = $configPrefix;
-		$this->configID = $configID;
-		$this->configuration = new Configuration($configPrefix,
-												 !is_null($configID));
-		$memcache = \OC::$server->getMemCacheFactory();
-		if ($memcache->isAvailable()) {
-			$this->cache = $memcache->createDistributed();
-		}
-		$helper = new Helper(\OC::$server->getConfig());
-		$this->doNotValidate = !in_array($this->configPrefix,
-			$helper->getServerConfigurationPrefixes());
-	}
-
-	public function __destruct() {
-		if (!$this->dontDestruct && $this->ldap->isResource($this->ldapConnectionRes)) {
-			@$this->ldap->unbind($this->ldapConnectionRes);
-			$this->bindResult = [];
-		}
-	}
-
-	/**
-	 * defines behaviour when the instance is cloned
-	 */
-	public function __clone() {
-		$this->configuration = new Configuration($this->configPrefix,
-												 !is_null($this->configID));
-		if (count($this->bindResult) !== 0 && $this->bindResult['result'] === true) {
-			$this->bindResult = [];
-		}
-		$this->ldapConnectionRes = null;
-		$this->dontDestruct = true;
-	}
-
-	/**
-	 * @param string $name
-	 * @return bool|mixed
-	 */
-	public function __get($name) {
-		if (!$this->configured) {
-			$this->readConfiguration();
-		}
-
-		return $this->configuration->$name;
-	}
-
-	/**
-	 * @param string $name
-	 * @param mixed $value
-	 */
-	public function __set($name, $value) {
-		$this->doNotValidate = false;
-		$before = $this->configuration->$name;
-		$this->configuration->$name = $value;
-		$after = $this->configuration->$name;
-		if ($before !== $after) {
-			if ($this->configID !== '' && $this->configID !== null) {
-				$this->configuration->saveConfiguration();
-			}
-			$this->validateConfiguration();
-		}
-	}
-
-	/**
-	 * @param string $rule
-	 * @return array
-	 * @throws \RuntimeException
-	 */
-	public function resolveRule($rule) {
-		return $this->configuration->resolveRule($rule);
-	}
-
-	/**
-	 * sets whether the result of the configuration validation shall
-	 * be ignored when establishing the connection. Used by the Wizard
-	 * in early configuration state.
-	 * @param bool $state
-	 */
-	public function setIgnoreValidation($state) {
-		$this->ignoreValidation = (bool)$state;
-	}
-
-	/**
-	 * initializes the LDAP backend
-	 * @param bool $force read the config settings no matter what
-	 */
-	public function init($force = false) {
-		$this->readConfiguration($force);
-		$this->establishConnection();
-	}
-
-	/**
-	 * Returns the LDAP handler
-	 */
-	public function getConnectionResource() {
-		if (!$this->ldapConnectionRes) {
-			$this->init();
-		} elseif (!$this->ldap->isResource($this->ldapConnectionRes)) {
-			$this->ldapConnectionRes = null;
-			$this->establishConnection();
-		}
-		if (is_null($this->ldapConnectionRes)) {
-			\OCP\Util::writeLog('user_ldap', 'No LDAP Connection to server ' . $this->configuration->ldapHost, ILogger::ERROR);
-			throw new ServerNotAvailableException('Connection to LDAP server could not be established');
-		}
-		return $this->ldapConnectionRes;
-	}
-
-	/**
-	 * resets the connection resource
-	 */
-	public function resetConnectionResource() {
-		if (!is_null($this->ldapConnectionRes)) {
-			@$this->ldap->unbind($this->ldapConnectionRes);
-			$this->ldapConnectionRes = null;
-			$this->bindResult = [];
-		}
-	}
-
-	/**
-	 * @param string|null $key
-	 * @return string
-	 */
-	private function getCacheKey($key) {
-		$prefix = 'LDAP-'.$this->configID.'-'.$this->configPrefix.'-';
-		if (is_null($key)) {
-			return $prefix;
-		}
-		return $prefix.hash('sha256', $key);
-	}
-
-	/**
-	 * @param string $key
-	 * @return mixed|null
-	 */
-	public function getFromCache($key) {
-		if (!$this->configured) {
-			$this->readConfiguration();
-		}
-		if (is_null($this->cache) || !$this->configuration->ldapCacheTTL) {
-			return null;
-		}
-		$key = $this->getCacheKey($key);
-
-		return json_decode(base64_decode($this->cache->get($key)), true);
-	}
-
-	/**
-	 * @param string $key
-	 * @param mixed $value
-	 *
-	 * @return string
-	 */
-	public function writeToCache($key, $value) {
-		if (!$this->configured) {
-			$this->readConfiguration();
-		}
-		if (is_null($this->cache)
-			|| !$this->configuration->ldapCacheTTL
-			|| !$this->configuration->ldapConfigurationActive) {
-			return null;
-		}
-		$key   = $this->getCacheKey($key);
-		$value = base64_encode(json_encode($value));
-		$this->cache->set($key, $value, $this->configuration->ldapCacheTTL);
-	}
-
-	public function clearCache() {
-		if (!is_null($this->cache)) {
-			$this->cache->clear($this->getCacheKey(null));
-		}
-	}
-
-	/**
-	 * Caches the general LDAP configuration.
-	 * @param bool $force optional. true, if the re-read should be forced. defaults
-	 * to false.
-	 * @return null
-	 */
-	private function readConfiguration($force = false) {
-		if ((!$this->configured || $force) && !is_null($this->configID)) {
-			$this->configuration->readConfiguration();
-			$this->configured = $this->validateConfiguration();
-		}
-	}
-
-	/**
-	 * set LDAP configuration with values delivered by an array, not read from configuration
-	 * @param array $config array that holds the config parameters in an associated array
-	 * @param array &$setParameters optional; array where the set fields will be given to
-	 * @return boolean true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters
-	 */
-	public function setConfiguration($config, &$setParameters = null) {
-		if (is_null($setParameters)) {
-			$setParameters = [];
-		}
-		$this->doNotValidate = false;
-		$this->configuration->setConfiguration($config, $setParameters);
-		if (count($setParameters) > 0) {
-			$this->configured = $this->validateConfiguration();
-		}
-
-
-		return $this->configured;
-	}
-
-	/**
-	 * saves the current Configuration in the database and empties the
-	 * cache
-	 * @return null
-	 */
-	public function saveConfiguration() {
-		$this->configuration->saveConfiguration();
-		$this->clearCache();
-	}
-
-	/**
-	 * get the current LDAP configuration
-	 * @return array
-	 */
-	public function getConfiguration() {
-		$this->readConfiguration();
-		$config = $this->configuration->getConfiguration();
-		$cta = $this->configuration->getConfigTranslationArray();
-		$result = [];
-		foreach ($cta as $dbkey => $configkey) {
-			switch ($configkey) {
-				case 'homeFolderNamingRule':
-					if (strpos($config[$configkey], 'attr:') === 0) {
-						$result[$dbkey] = substr($config[$configkey], 5);
-					} else {
-						$result[$dbkey] = '';
-					}
-					break;
-				case 'ldapBase':
-				case 'ldapBaseUsers':
-				case 'ldapBaseGroups':
-				case 'ldapAttributesForUserSearch':
-				case 'ldapAttributesForGroupSearch':
-					if (is_array($config[$configkey])) {
-						$result[$dbkey] = implode("\n", $config[$configkey]);
-						break;
-					} //else follows default
-					// no break
-				default:
-					$result[$dbkey] = $config[$configkey];
-			}
-		}
-		return $result;
-	}
-
-	private function doSoftValidation() {
-		//if User or Group Base are not set, take over Base DN setting
-		foreach (['ldapBaseUsers', 'ldapBaseGroups'] as $keyBase) {
-			$val = $this->configuration->$keyBase;
-			if (empty($val)) {
-				$this->configuration->$keyBase = $this->configuration->ldapBase;
-			}
-		}
-
-		foreach (['ldapExpertUUIDUserAttr'  => 'ldapUuidUserAttribute',
-			'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute']
-				as $expertSetting => $effectiveSetting) {
-			$uuidOverride = $this->configuration->$expertSetting;
-			if (!empty($uuidOverride)) {
-				$this->configuration->$effectiveSetting = $uuidOverride;
-			} else {
-				$uuidAttributes = Access::UUID_ATTRIBUTES;
-				array_unshift($uuidAttributes, 'auto');
-				if (!in_array($this->configuration->$effectiveSetting,
-							$uuidAttributes)
-					&& (!is_null($this->configID))) {
-					$this->configuration->$effectiveSetting = 'auto';
-					$this->configuration->saveConfiguration();
-					\OCP\Util::writeLog('user_ldap',
-										'Illegal value for the '.
-										$effectiveSetting.', '.'reset to '.
-										'autodetect.', ILogger::INFO);
-				}
-			}
-		}
-
-		$backupPort = (int)$this->configuration->ldapBackupPort;
-		if ($backupPort <= 0) {
-			$this->configuration->backupPort = $this->configuration->ldapPort;
-		}
-
-		//make sure empty search attributes are saved as simple, empty array
-		$saKeys = ['ldapAttributesForUserSearch',
-			'ldapAttributesForGroupSearch'];
-		foreach ($saKeys as $key) {
-			$val = $this->configuration->$key;
-			if (is_array($val) && count($val) === 1 && empty($val[0])) {
-				$this->configuration->$key = [];
-			}
-		}
-
-		if ((stripos($this->configuration->ldapHost, 'ldaps://') === 0)
-			&& $this->configuration->ldapTLS) {
-			$this->configuration->ldapTLS = false;
-			\OCP\Util::writeLog(
-				'user_ldap',
-				'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.',
-				ILogger::INFO
-			);
-		}
-	}
-
-	/**
-	 * @return bool
-	 */
-	private function doCriticalValidation() {
-		$configurationOK = true;
-		$errorStr = 'Configuration Error (prefix '.
-			(string)$this->configPrefix .'): ';
-
-		//options that shall not be empty
-		$options = ['ldapHost', 'ldapPort', 'ldapUserDisplayName',
-			'ldapGroupDisplayName', 'ldapLoginFilter'];
-		foreach ($options as $key) {
-			$val = $this->configuration->$key;
-			if (empty($val)) {
-				switch ($key) {
-					case 'ldapHost':
-						$subj = 'LDAP Host';
-						break;
-					case 'ldapPort':
-						$subj = 'LDAP Port';
-						break;
-					case 'ldapUserDisplayName':
-						$subj = 'LDAP User Display Name';
-						break;
-					case 'ldapGroupDisplayName':
-						$subj = 'LDAP Group Display Name';
-						break;
-					case 'ldapLoginFilter':
-						$subj = 'LDAP Login Filter';
-						break;
-					default:
-						$subj = $key;
-						break;
-				}
-				$configurationOK = false;
-				\OCP\Util::writeLog(
-					'user_ldap',
-					$errorStr.'No '.$subj.' given!',
-					ILogger::WARN
-				);
-			}
-		}
-
-		//combinations
-		$agent = $this->configuration->ldapAgentName;
-		$pwd = $this->configuration->ldapAgentPassword;
-		if (
-			($agent === ''  && $pwd !== '')
-			|| ($agent !== '' && $pwd === '')
-		) {
-			\OCP\Util::writeLog(
-				'user_ldap',
-				$errorStr.'either no password is given for the user ' .
-					'agent or a password is given, but not an LDAP agent.',
-				ILogger::WARN);
-			$configurationOK = false;
-		}
-
-		$base = $this->configuration->ldapBase;
-		$baseUsers = $this->configuration->ldapBaseUsers;
-		$baseGroups = $this->configuration->ldapBaseGroups;
-
-		if (empty($base) && empty($baseUsers) && empty($baseGroups)) {
-			\OCP\Util::writeLog(
-				'user_ldap',
-				$errorStr.'Not a single Base DN given.',
-				ILogger::WARN
-			);
-			$configurationOK = false;
-		}
-
-		if (mb_strpos($this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8')
-		   === false) {
-			\OCP\Util::writeLog(
-				'user_ldap',
-				$errorStr.'login filter does not contain %uid place holder.',
-				ILogger::WARN
-			);
-			$configurationOK = false;
-		}
-
-		return $configurationOK;
-	}
-
-	/**
-	 * Validates the user specified configuration
-	 * @return bool true if configuration seems OK, false otherwise
-	 */
-	private function validateConfiguration() {
-		if ($this->doNotValidate) {
-			//don't do a validation if it is a new configuration with pure
-			//default values. Will be allowed on changes via __set or
-			//setConfiguration
-			return false;
-		}
-
-		// first step: "soft" checks: settings that are not really
-		// necessary, but advisable. If left empty, give an info message
-		$this->doSoftValidation();
-
-		//second step: critical checks. If left empty or filled wrong, mark as
-		//not configured and give a warning.
-		return $this->doCriticalValidation();
-	}
-
-
-	/**
-	 * Connects and Binds to LDAP
-	 *
-	 * @throws ServerNotAvailableException
-	 */
-	private function establishConnection() {
-		if (!$this->configuration->ldapConfigurationActive) {
-			return null;
-		}
-		static $phpLDAPinstalled = true;
-		if (!$phpLDAPinstalled) {
-			return false;
-		}
-		if (!$this->ignoreValidation && !$this->configured) {
-			\OCP\Util::writeLog(
-				'user_ldap',
-				'Configuration is invalid, cannot connect',
-				ILogger::WARN
-			);
-			return false;
-		}
-		if (!$this->ldapConnectionRes) {
-			if (!$this->ldap->areLDAPFunctionsAvailable()) {
-				$phpLDAPinstalled = false;
-				\OCP\Util::writeLog(
-					'user_ldap',
-					'function ldap_connect is not available. Make sure that the PHP ldap module is installed.',
-					ILogger::ERROR
-				);
-
-				return false;
-			}
-			if ($this->configuration->turnOffCertCheck) {
-				if (putenv('LDAPTLS_REQCERT=never')) {
-					\OCP\Util::writeLog('user_ldap',
-						'Turned off SSL certificate validation successfully.',
-						ILogger::DEBUG);
-				} else {
-					\OCP\Util::writeLog(
-						'user_ldap',
-						'Could not turn off SSL certificate validation.',
-						ILogger::WARN
-					);
-				}
-			}
-
-			$isOverrideMainServer = ($this->configuration->ldapOverrideMainServer
-				|| $this->getFromCache('overrideMainServer'));
-			$isBackupHost = (trim($this->configuration->ldapBackupHost) !== "");
-			$bindStatus = false;
-			try {
-				if (!$isOverrideMainServer) {
-					$this->doConnect($this->configuration->ldapHost,
-						$this->configuration->ldapPort);
-					return $this->bind();
-				}
-			} catch (ServerNotAvailableException $e) {
-				if (!$isBackupHost) {
-					throw $e;
-				}
-			}
-
-			//if LDAP server is not reachable, try the Backup (Replica!) Server
-			if ($isBackupHost || $isOverrideMainServer) {
-				$this->doConnect($this->configuration->ldapBackupHost,
-								 $this->configuration->ldapBackupPort);
-				$this->bindResult = [];
-				$bindStatus = $this->bind();
-				$error = $this->ldap->isResource($this->ldapConnectionRes) ?
-					$this->ldap->errno($this->ldapConnectionRes) : -1;
-				if ($bindStatus && $error === 0 && !$this->getFromCache('overrideMainServer')) {
-					//when bind to backup server succeeded and failed to main server,
-					//skip contacting him until next cache refresh
-					$this->writeToCache('overrideMainServer', true);
-				}
-			}
-
-			return $bindStatus;
-		}
-		return null;
-	}
-
-	/**
-	 * @param string $host
-	 * @param string $port
-	 * @return bool
-	 * @throws \OC\ServerNotAvailableException
-	 */
-	private function doConnect($host, $port) {
-		if ($host === '') {
-			return false;
-		}
-
-		$this->ldapConnectionRes = $this->ldap->connect($host, $port);
-
-		if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) {
-			throw new ServerNotAvailableException('Could not set required LDAP Protocol version.');
-		}
-
-		if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_REFERRALS, 0)) {
-			throw new ServerNotAvailableException('Could not disable LDAP referrals.');
-		}
-
-		if ($this->configuration->ldapTLS) {
-			if (!$this->ldap->startTls($this->ldapConnectionRes)) {
-				throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.');
-			}
-		}
-
-		return true;
-	}
-
-	/**
-	 * Binds to LDAP
-	 */
-	public function bind() {
-		if (!$this->configuration->ldapConfigurationActive) {
-			return false;
-		}
-		$cr = $this->ldapConnectionRes;
-		if (!$this->ldap->isResource($cr)) {
-			$cr = $this->getConnectionResource();
-		}
-
-		if (
-			count($this->bindResult) !== 0
-			&& $this->bindResult['dn'] === $this->configuration->ldapAgentName
-			&& \OC::$server->getHasher()->verify(
-				$this->configPrefix . $this->configuration->ldapAgentPassword,
-				$this->bindResult['hash']
-			)
-		) {
-			// don't attempt to bind again with the same data as before
-			// bind might have been invoked via getConnectionResource(),
-			// but we need results specifically for e.g. user login
-			return $this->bindResult['result'];
-		}
-
-		$ldapLogin = @$this->ldap->bind($cr,
-										$this->configuration->ldapAgentName,
-										$this->configuration->ldapAgentPassword);
-
-		$this->bindResult = [
-			'dn' => $this->configuration->ldapAgentName,
-			'hash' => \OC::$server->getHasher()->hash($this->configPrefix . $this->configuration->ldapAgentPassword),
-			'result' => $ldapLogin,
-		];
-
-		if (!$ldapLogin) {
-			$errno = $this->ldap->errno($cr);
-
-			\OCP\Util::writeLog('user_ldap',
-				'Bind failed: ' . $errno . ': ' . $this->ldap->error($cr),
-				ILogger::WARN);
-
-			// Set to failure mode, if LDAP error code is not LDAP_SUCCESS or LDAP_INVALID_CREDENTIALS
-			// or (needed for Apple Open Directory:) LDAP_INSUFFICIENT_ACCESS
-			if ($errno !== 0 && $errno !== 49 && $errno !== 50) {
-				$this->ldapConnectionRes = null;
-			}
-
-			return false;
-		}
-		return true;
-	}
+    private $ldapConnectionRes = null;
+    private $configPrefix;
+    private $configID;
+    private $configured = false;
+    //whether connection should be kept on __destruct
+    private $dontDestruct = false;
+
+    /**
+     * @var bool runtime flag that indicates whether supported primary groups are available
+     */
+    public $hasPrimaryGroups = true;
+
+    /**
+     * @var bool runtime flag that indicates whether supported POSIX gidNumber are available
+     */
+    public $hasGidNumber = true;
+
+    //cache handler
+    protected $cache;
+
+    /** @var Configuration settings handler **/
+    protected $configuration;
+
+    protected $doNotValidate = false;
+
+    protected $ignoreValidation = false;
+
+    protected $bindResult = [];
+
+    /**
+     * Constructor
+     * @param ILDAPWrapper $ldap
+     * @param string $configPrefix a string with the prefix for the configkey column (appconfig table)
+     * @param string|null $configID a string with the value for the appid column (appconfig table) or null for on-the-fly connections
+     */
+    public function __construct(ILDAPWrapper $ldap, $configPrefix = '', $configID = 'user_ldap') {
+        parent::__construct($ldap);
+        $this->configPrefix = $configPrefix;
+        $this->configID = $configID;
+        $this->configuration = new Configuration($configPrefix,
+                                                    !is_null($configID));
+        $memcache = \OC::$server->getMemCacheFactory();
+        if ($memcache->isAvailable()) {
+            $this->cache = $memcache->createDistributed();
+        }
+        $helper = new Helper(\OC::$server->getConfig());
+        $this->doNotValidate = !in_array($this->configPrefix,
+            $helper->getServerConfigurationPrefixes());
+    }
+
+    public function __destruct() {
+        if (!$this->dontDestruct && $this->ldap->isResource($this->ldapConnectionRes)) {
+            @$this->ldap->unbind($this->ldapConnectionRes);
+            $this->bindResult = [];
+        }
+    }
+
+    /**
+     * defines behaviour when the instance is cloned
+     */
+    public function __clone() {
+        $this->configuration = new Configuration($this->configPrefix,
+                                                    !is_null($this->configID));
+        if (count($this->bindResult) !== 0 && $this->bindResult['result'] === true) {
+            $this->bindResult = [];
+        }
+        $this->ldapConnectionRes = null;
+        $this->dontDestruct = true;
+    }
+
+    /**
+     * @param string $name
+     * @return bool|mixed
+     */
+    public function __get($name) {
+        if (!$this->configured) {
+            $this->readConfiguration();
+        }
+
+        return $this->configuration->$name;
+    }
+
+    /**
+     * @param string $name
+     * @param mixed $value
+     */
+    public function __set($name, $value) {
+        $this->doNotValidate = false;
+        $before = $this->configuration->$name;
+        $this->configuration->$name = $value;
+        $after = $this->configuration->$name;
+        if ($before !== $after) {
+            if ($this->configID !== '' && $this->configID !== null) {
+                $this->configuration->saveConfiguration();
+            }
+            $this->validateConfiguration();
+        }
+    }
+
+    /**
+     * @param string $rule
+     * @return array
+     * @throws \RuntimeException
+     */
+    public function resolveRule($rule) {
+        return $this->configuration->resolveRule($rule);
+    }
+
+    /**
+     * sets whether the result of the configuration validation shall
+     * be ignored when establishing the connection. Used by the Wizard
+     * in early configuration state.
+     * @param bool $state
+     */
+    public function setIgnoreValidation($state) {
+        $this->ignoreValidation = (bool)$state;
+    }
+
+    /**
+     * initializes the LDAP backend
+     * @param bool $force read the config settings no matter what
+     */
+    public function init($force = false) {
+        $this->readConfiguration($force);
+        $this->establishConnection();
+    }
+
+    /**
+     * Returns the LDAP handler
+     */
+    public function getConnectionResource() {
+        if (!$this->ldapConnectionRes) {
+            $this->init();
+        } elseif (!$this->ldap->isResource($this->ldapConnectionRes)) {
+            $this->ldapConnectionRes = null;
+            $this->establishConnection();
+        }
+        if (is_null($this->ldapConnectionRes)) {
+            \OCP\Util::writeLog('user_ldap', 'No LDAP Connection to server ' . $this->configuration->ldapHost, ILogger::ERROR);
+            throw new ServerNotAvailableException('Connection to LDAP server could not be established');
+        }
+        return $this->ldapConnectionRes;
+    }
+
+    /**
+     * resets the connection resource
+     */
+    public function resetConnectionResource() {
+        if (!is_null($this->ldapConnectionRes)) {
+            @$this->ldap->unbind($this->ldapConnectionRes);
+            $this->ldapConnectionRes = null;
+            $this->bindResult = [];
+        }
+    }
+
+    /**
+     * @param string|null $key
+     * @return string
+     */
+    private function getCacheKey($key) {
+        $prefix = 'LDAP-'.$this->configID.'-'.$this->configPrefix.'-';
+        if (is_null($key)) {
+            return $prefix;
+        }
+        return $prefix.hash('sha256', $key);
+    }
+
+    /**
+     * @param string $key
+     * @return mixed|null
+     */
+    public function getFromCache($key) {
+        if (!$this->configured) {
+            $this->readConfiguration();
+        }
+        if (is_null($this->cache) || !$this->configuration->ldapCacheTTL) {
+            return null;
+        }
+        $key = $this->getCacheKey($key);
+
+        return json_decode(base64_decode($this->cache->get($key)), true);
+    }
+
+    /**
+     * @param string $key
+     * @param mixed $value
+     *
+     * @return string
+     */
+    public function writeToCache($key, $value) {
+        if (!$this->configured) {
+            $this->readConfiguration();
+        }
+        if (is_null($this->cache)
+            || !$this->configuration->ldapCacheTTL
+            || !$this->configuration->ldapConfigurationActive) {
+            return null;
+        }
+        $key   = $this->getCacheKey($key);
+        $value = base64_encode(json_encode($value));
+        $this->cache->set($key, $value, $this->configuration->ldapCacheTTL);
+    }
+
+    public function clearCache() {
+        if (!is_null($this->cache)) {
+            $this->cache->clear($this->getCacheKey(null));
+        }
+    }
+
+    /**
+     * Caches the general LDAP configuration.
+     * @param bool $force optional. true, if the re-read should be forced. defaults
+     * to false.
+     * @return null
+     */
+    private function readConfiguration($force = false) {
+        if ((!$this->configured || $force) && !is_null($this->configID)) {
+            $this->configuration->readConfiguration();
+            $this->configured = $this->validateConfiguration();
+        }
+    }
+
+    /**
+     * set LDAP configuration with values delivered by an array, not read from configuration
+     * @param array $config array that holds the config parameters in an associated array
+     * @param array &$setParameters optional; array where the set fields will be given to
+     * @return boolean true if config validates, false otherwise. Check with $setParameters for detailed success on single parameters
+     */
+    public function setConfiguration($config, &$setParameters = null) {
+        if (is_null($setParameters)) {
+            $setParameters = [];
+        }
+        $this->doNotValidate = false;
+        $this->configuration->setConfiguration($config, $setParameters);
+        if (count($setParameters) > 0) {
+            $this->configured = $this->validateConfiguration();
+        }
+
+
+        return $this->configured;
+    }
+
+    /**
+     * saves the current Configuration in the database and empties the
+     * cache
+     * @return null
+     */
+    public function saveConfiguration() {
+        $this->configuration->saveConfiguration();
+        $this->clearCache();
+    }
+
+    /**
+     * get the current LDAP configuration
+     * @return array
+     */
+    public function getConfiguration() {
+        $this->readConfiguration();
+        $config = $this->configuration->getConfiguration();
+        $cta = $this->configuration->getConfigTranslationArray();
+        $result = [];
+        foreach ($cta as $dbkey => $configkey) {
+            switch ($configkey) {
+                case 'homeFolderNamingRule':
+                    if (strpos($config[$configkey], 'attr:') === 0) {
+                        $result[$dbkey] = substr($config[$configkey], 5);
+                    } else {
+                        $result[$dbkey] = '';
+                    }
+                    break;
+                case 'ldapBase':
+                case 'ldapBaseUsers':
+                case 'ldapBaseGroups':
+                case 'ldapAttributesForUserSearch':
+                case 'ldapAttributesForGroupSearch':
+                    if (is_array($config[$configkey])) {
+                        $result[$dbkey] = implode("\n", $config[$configkey]);
+                        break;
+                    } //else follows default
+                    // no break
+                default:
+                    $result[$dbkey] = $config[$configkey];
+            }
+        }
+        return $result;
+    }
+
+    private function doSoftValidation() {
+        //if User or Group Base are not set, take over Base DN setting
+        foreach (['ldapBaseUsers', 'ldapBaseGroups'] as $keyBase) {
+            $val = $this->configuration->$keyBase;
+            if (empty($val)) {
+                $this->configuration->$keyBase = $this->configuration->ldapBase;
+            }
+        }
+
+        foreach (['ldapExpertUUIDUserAttr'  => 'ldapUuidUserAttribute',
+            'ldapExpertUUIDGroupAttr' => 'ldapUuidGroupAttribute']
+                as $expertSetting => $effectiveSetting) {
+            $uuidOverride = $this->configuration->$expertSetting;
+            if (!empty($uuidOverride)) {
+                $this->configuration->$effectiveSetting = $uuidOverride;
+            } else {
+                $uuidAttributes = Access::UUID_ATTRIBUTES;
+                array_unshift($uuidAttributes, 'auto');
+                if (!in_array($this->configuration->$effectiveSetting,
+                            $uuidAttributes)
+                    && (!is_null($this->configID))) {
+                    $this->configuration->$effectiveSetting = 'auto';
+                    $this->configuration->saveConfiguration();
+                    \OCP\Util::writeLog('user_ldap',
+                                        'Illegal value for the '.
+                                        $effectiveSetting.', '.'reset to '.
+                                        'autodetect.', ILogger::INFO);
+                }
+            }
+        }
+
+        $backupPort = (int)$this->configuration->ldapBackupPort;
+        if ($backupPort <= 0) {
+            $this->configuration->backupPort = $this->configuration->ldapPort;
+        }
+
+        //make sure empty search attributes are saved as simple, empty array
+        $saKeys = ['ldapAttributesForUserSearch',
+            'ldapAttributesForGroupSearch'];
+        foreach ($saKeys as $key) {
+            $val = $this->configuration->$key;
+            if (is_array($val) && count($val) === 1 && empty($val[0])) {
+                $this->configuration->$key = [];
+            }
+        }
+
+        if ((stripos($this->configuration->ldapHost, 'ldaps://') === 0)
+            && $this->configuration->ldapTLS) {
+            $this->configuration->ldapTLS = false;
+            \OCP\Util::writeLog(
+                'user_ldap',
+                'LDAPS (already using secure connection) and TLS do not work together. Switched off TLS.',
+                ILogger::INFO
+            );
+        }
+    }
+
+    /**
+     * @return bool
+     */
+    private function doCriticalValidation() {
+        $configurationOK = true;
+        $errorStr = 'Configuration Error (prefix '.
+            (string)$this->configPrefix .'): ';
+
+        //options that shall not be empty
+        $options = ['ldapHost', 'ldapPort', 'ldapUserDisplayName',
+            'ldapGroupDisplayName', 'ldapLoginFilter'];
+        foreach ($options as $key) {
+            $val = $this->configuration->$key;
+            if (empty($val)) {
+                switch ($key) {
+                    case 'ldapHost':
+                        $subj = 'LDAP Host';
+                        break;
+                    case 'ldapPort':
+                        $subj = 'LDAP Port';
+                        break;
+                    case 'ldapUserDisplayName':
+                        $subj = 'LDAP User Display Name';
+                        break;
+                    case 'ldapGroupDisplayName':
+                        $subj = 'LDAP Group Display Name';
+                        break;
+                    case 'ldapLoginFilter':
+                        $subj = 'LDAP Login Filter';
+                        break;
+                    default:
+                        $subj = $key;
+                        break;
+                }
+                $configurationOK = false;
+                \OCP\Util::writeLog(
+                    'user_ldap',
+                    $errorStr.'No '.$subj.' given!',
+                    ILogger::WARN
+                );
+            }
+        }
+
+        //combinations
+        $agent = $this->configuration->ldapAgentName;
+        $pwd = $this->configuration->ldapAgentPassword;
+        if (
+            ($agent === ''  && $pwd !== '')
+            || ($agent !== '' && $pwd === '')
+        ) {
+            \OCP\Util::writeLog(
+                'user_ldap',
+                $errorStr.'either no password is given for the user ' .
+                    'agent or a password is given, but not an LDAP agent.',
+                ILogger::WARN);
+            $configurationOK = false;
+        }
+
+        $base = $this->configuration->ldapBase;
+        $baseUsers = $this->configuration->ldapBaseUsers;
+        $baseGroups = $this->configuration->ldapBaseGroups;
+
+        if (empty($base) && empty($baseUsers) && empty($baseGroups)) {
+            \OCP\Util::writeLog(
+                'user_ldap',
+                $errorStr.'Not a single Base DN given.',
+                ILogger::WARN
+            );
+            $configurationOK = false;
+        }
+
+        if (mb_strpos($this->configuration->ldapLoginFilter, '%uid', 0, 'UTF-8')
+            === false) {
+            \OCP\Util::writeLog(
+                'user_ldap',
+                $errorStr.'login filter does not contain %uid place holder.',
+                ILogger::WARN
+            );
+            $configurationOK = false;
+        }
+
+        return $configurationOK;
+    }
+
+    /**
+     * Validates the user specified configuration
+     * @return bool true if configuration seems OK, false otherwise
+     */
+    private function validateConfiguration() {
+        if ($this->doNotValidate) {
+            //don't do a validation if it is a new configuration with pure
+            //default values. Will be allowed on changes via __set or
+            //setConfiguration
+            return false;
+        }
+
+        // first step: "soft" checks: settings that are not really
+        // necessary, but advisable. If left empty, give an info message
+        $this->doSoftValidation();
+
+        //second step: critical checks. If left empty or filled wrong, mark as
+        //not configured and give a warning.
+        return $this->doCriticalValidation();
+    }
+
+
+    /**
+     * Connects and Binds to LDAP
+     *
+     * @throws ServerNotAvailableException
+     */
+    private function establishConnection() {
+        if (!$this->configuration->ldapConfigurationActive) {
+            return null;
+        }
+        static $phpLDAPinstalled = true;
+        if (!$phpLDAPinstalled) {
+            return false;
+        }
+        if (!$this->ignoreValidation && !$this->configured) {
+            \OCP\Util::writeLog(
+                'user_ldap',
+                'Configuration is invalid, cannot connect',
+                ILogger::WARN
+            );
+            return false;
+        }
+        if (!$this->ldapConnectionRes) {
+            if (!$this->ldap->areLDAPFunctionsAvailable()) {
+                $phpLDAPinstalled = false;
+                \OCP\Util::writeLog(
+                    'user_ldap',
+                    'function ldap_connect is not available. Make sure that the PHP ldap module is installed.',
+                    ILogger::ERROR
+                );
+
+                return false;
+            }
+            if ($this->configuration->turnOffCertCheck) {
+                if (putenv('LDAPTLS_REQCERT=never')) {
+                    \OCP\Util::writeLog('user_ldap',
+                        'Turned off SSL certificate validation successfully.',
+                        ILogger::DEBUG);
+                } else {
+                    \OCP\Util::writeLog(
+                        'user_ldap',
+                        'Could not turn off SSL certificate validation.',
+                        ILogger::WARN
+                    );
+                }
+            }
+
+            $isOverrideMainServer = ($this->configuration->ldapOverrideMainServer
+                || $this->getFromCache('overrideMainServer'));
+            $isBackupHost = (trim($this->configuration->ldapBackupHost) !== "");
+            $bindStatus = false;
+            try {
+                if (!$isOverrideMainServer) {
+                    $this->doConnect($this->configuration->ldapHost,
+                        $this->configuration->ldapPort);
+                    return $this->bind();
+                }
+            } catch (ServerNotAvailableException $e) {
+                if (!$isBackupHost) {
+                    throw $e;
+                }
+            }
+
+            //if LDAP server is not reachable, try the Backup (Replica!) Server
+            if ($isBackupHost || $isOverrideMainServer) {
+                $this->doConnect($this->configuration->ldapBackupHost,
+                                    $this->configuration->ldapBackupPort);
+                $this->bindResult = [];
+                $bindStatus = $this->bind();
+                $error = $this->ldap->isResource($this->ldapConnectionRes) ?
+                    $this->ldap->errno($this->ldapConnectionRes) : -1;
+                if ($bindStatus && $error === 0 && !$this->getFromCache('overrideMainServer')) {
+                    //when bind to backup server succeeded and failed to main server,
+                    //skip contacting him until next cache refresh
+                    $this->writeToCache('overrideMainServer', true);
+                }
+            }
+
+            return $bindStatus;
+        }
+        return null;
+    }
+
+    /**
+     * @param string $host
+     * @param string $port
+     * @return bool
+     * @throws \OC\ServerNotAvailableException
+     */
+    private function doConnect($host, $port) {
+        if ($host === '') {
+            return false;
+        }
+
+        $this->ldapConnectionRes = $this->ldap->connect($host, $port);
+
+        if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_PROTOCOL_VERSION, 3)) {
+            throw new ServerNotAvailableException('Could not set required LDAP Protocol version.');
+        }
+
+        if (!$this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_REFERRALS, 0)) {
+            throw new ServerNotAvailableException('Could not disable LDAP referrals.');
+        }
+
+        if ($this->configuration->ldapTLS) {
+            if (!$this->ldap->startTls($this->ldapConnectionRes)) {
+                throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.');
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Binds to LDAP
+     */
+    public function bind() {
+        if (!$this->configuration->ldapConfigurationActive) {
+            return false;
+        }
+        $cr = $this->ldapConnectionRes;
+        if (!$this->ldap->isResource($cr)) {
+            $cr = $this->getConnectionResource();
+        }
+
+        if (
+            count($this->bindResult) !== 0
+            && $this->bindResult['dn'] === $this->configuration->ldapAgentName
+            && \OC::$server->getHasher()->verify(
+                $this->configPrefix . $this->configuration->ldapAgentPassword,
+                $this->bindResult['hash']
+            )
+        ) {
+            // don't attempt to bind again with the same data as before
+            // bind might have been invoked via getConnectionResource(),
+            // but we need results specifically for e.g. user login
+            return $this->bindResult['result'];
+        }
+
+        $ldapLogin = @$this->ldap->bind($cr,
+                                        $this->configuration->ldapAgentName,
+                                        $this->configuration->ldapAgentPassword);
+
+        $this->bindResult = [
+            'dn' => $this->configuration->ldapAgentName,
+            'hash' => \OC::$server->getHasher()->hash($this->configPrefix . $this->configuration->ldapAgentPassword),
+            'result' => $ldapLogin,
+        ];
+
+        if (!$ldapLogin) {
+            $errno = $this->ldap->errno($cr);
+
+            \OCP\Util::writeLog('user_ldap',
+                'Bind failed: ' . $errno . ': ' . $this->ldap->error($cr),
+                ILogger::WARN);
+
+            // Set to failure mode, if LDAP error code is not LDAP_SUCCESS or LDAP_INVALID_CREDENTIALS
+            // or (needed for Apple Open Directory:) LDAP_INSUFFICIENT_ACCESS
+            if ($errno !== 0 && $errno !== 49 && $errno !== 50) {
+                $this->ldapConnectionRes = null;
+            }
+
+            return false;
+        }
+        return true;
+    }
 }

Please login to merge, or discard this patch.

apps/user_ldap/lib/Group_LDAP.php 2 patches

Indentation +1183 added lines, -1183 removed lines patch added patch discarded remove patch

@@ -53,1187 +53,1187 @@
 block discarded – undo
 use OCP\ILogger;
 
 class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend {
-	protected $enabled = false;
-
-	/** @var string[] $cachedGroupMembers array of users with gid as key */
-	protected $cachedGroupMembers;
-	/** @var string[] $cachedGroupsByMember array of groups with uid as key */
-	protected $cachedGroupsByMember;
-	/** @var string[] $cachedNestedGroups array of groups with gid (DN) as key */
-	protected $cachedNestedGroups;
-	/** @var GroupPluginManager */
-	protected $groupPluginManager;
-	/** @var ILogger */
-	protected $logger;
-
-	public function __construct(Access $access, GroupPluginManager $groupPluginManager) {
-		parent::__construct($access);
-		$filter = $this->access->connection->ldapGroupFilter;
-		$gAssoc = $this->access->connection->ldapGroupMemberAssocAttr;
-		if (!empty($filter) && !empty($gAssoc)) {
-			$this->enabled = true;
-		}
-
-		$this->cachedGroupMembers = new CappedMemoryCache();
-		$this->cachedGroupsByMember = new CappedMemoryCache();
-		$this->cachedNestedGroups = new CappedMemoryCache();
-		$this->groupPluginManager = $groupPluginManager;
-		$this->logger = OC::$server->getLogger();
-	}
-
-	/**
-	 * is user in group?
-	 *
-	 * @param string $uid uid of the user
-	 * @param string $gid gid of the group
-	 * @return bool
-	 * @throws Exception
-	 * @throws ServerNotAvailableException
-	 */
-	public function inGroup($uid, $gid) {
-		if (!$this->enabled) {
-			return false;
-		}
-		$cacheKey = 'inGroup' . $uid . ':' . $gid;
-		$inGroup = $this->access->connection->getFromCache($cacheKey);
-		if (!is_null($inGroup)) {
-			return (bool)$inGroup;
-		}
-
-		$userDN = $this->access->username2dn($uid);
-
-		if (isset($this->cachedGroupMembers[$gid])) {
-			return in_array($userDN, $this->cachedGroupMembers[$gid]);
-		}
-
-		$cacheKeyMembers = 'inGroup-members:' . $gid;
-		$members = $this->access->connection->getFromCache($cacheKeyMembers);
-		if (!is_null($members)) {
-			$this->cachedGroupMembers[$gid] = $members;
-			$isInGroup = in_array($userDN, $members, true);
-			$this->access->connection->writeToCache($cacheKey, $isInGroup);
-			return $isInGroup;
-		}
-
-		$groupDN = $this->access->groupname2dn($gid);
-		// just in case
-		if (!$groupDN || !$userDN) {
-			$this->access->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-
-		//check primary group first
-		if ($gid === $this->getUserPrimaryGroup($userDN)) {
-			$this->access->connection->writeToCache($cacheKey, true);
-			return true;
-		}
-
-		//usually, LDAP attributes are said to be case insensitive. But there are exceptions of course.
-		$members = $this->_groupMembers($groupDN);
-		if (!is_array($members) || count($members) === 0) {
-			$this->access->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-
-		//extra work if we don't get back user DNs
-		if (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
-			$requestAttributes = $this->access->userManager->getAttributes(true);
-			$dns = [];
-			$filterParts = [];
-			$bytes = 0;
-			foreach ($members as $mid) {
-				$filter = str_replace('%uid', $mid, $this->access->connection->ldapLoginFilter);
-				$filterParts[] = $filter;
-				$bytes += strlen($filter);
-				if ($bytes >= 9000000) {
-					// AD has a default input buffer of 10 MB, we do not want
-					// to take even the chance to exceed it
-					$filter = $this->access->combineFilterWithOr($filterParts);
-					$bytes = 0;
-					$filterParts = [];
-					$users = $this->access->fetchListOfUsers($filter, $requestAttributes, count($filterParts));
-					$dns = array_merge($dns, $users);
-				}
-			}
-			if (count($filterParts) > 0) {
-				$filter = $this->access->combineFilterWithOr($filterParts);
-				$users = $this->access->fetchListOfUsers($filter, $requestAttributes, count($filterParts));
-				$dns = array_merge($dns, $users);
-			}
-			$members = $dns;
-		}
-
-		$isInGroup = in_array($userDN, $members);
-		$this->access->connection->writeToCache($cacheKey, $isInGroup);
-		$this->access->connection->writeToCache($cacheKeyMembers, $members);
-		$this->cachedGroupMembers[$gid] = $members;
-
-		return $isInGroup;
-	}
-
-	/**
-	 * For a group that has user membership defined by an LDAP search url
-	 * attribute returns the users that match the search url otherwise returns
-	 * an empty array.
-	 *
-	 * @throws ServerNotAvailableException
-	 */
-	public function getDynamicGroupMembers(string $dnGroup): array {
-		$dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
-
-		if (empty($dynamicGroupMemberURL)) {
-			return [];
-		}
-
-		$dynamicMembers = [];
-		$memberURLs = $this->access->readAttribute(
-			$dnGroup,
-			$dynamicGroupMemberURL,
-			$this->access->connection->ldapGroupFilter
-		);
-		if ($memberURLs !== false) {
-			// this group has the 'memberURL' attribute so this is a dynamic group
-			// example 1: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(o=HeadOffice)
-			// example 2: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(&(o=HeadOffice)(uidNumber>=500))
-			$pos = strpos($memberURLs[0], '(');
-			if ($pos !== false) {
-				$memberUrlFilter = substr($memberURLs[0], $pos);
-				$foundMembers = $this->access->searchUsers($memberUrlFilter, 'dn');
-				$dynamicMembers = [];
-				foreach ($foundMembers as $value) {
-					$dynamicMembers[$value['dn'][0]] = 1;
-				}
-			} else {
-				$this->logger->debug('No search filter found on member url of group {dn}',
-					[
-						'app' => 'user_ldap',
-						'dn' => $dnGroup,
-					]
-				);
-			}
-		}
-		return $dynamicMembers;
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 */
-	private function _groupMembers(string $dnGroup, ?array &$seen = null): array {
-		if ($seen === null) {
-			$seen = [];
-		}
-		$allMembers = [];
-		if (array_key_exists($dnGroup, $seen)) {
-			return [];
-		}
-		// used extensively in cron job, caching makes sense for nested groups
-		$cacheKey = '_groupMembers' . $dnGroup;
-		$groupMembers = $this->access->connection->getFromCache($cacheKey);
-		if ($groupMembers !== null) {
-			return $groupMembers;
-		}
-		$seen[$dnGroup] = 1;
-		$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
-		if (is_array($members)) {
-			$fetcher = function ($memberDN, &$seen) {
-				return $this->_groupMembers($memberDN, $seen);
-			};
-			$allMembers = $this->walkNestedGroups($dnGroup, $fetcher, $members);
-		}
-
-		$allMembers += $this->getDynamicGroupMembers($dnGroup);
-
-		$this->access->connection->writeToCache($cacheKey, $allMembers);
-		return $allMembers;
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 */
-	private function _getGroupDNsFromMemberOf(string $dn): array {
-		$groups = $this->access->readAttribute($dn, 'memberOf');
-		if (!is_array($groups)) {
-			return [];
-		}
-
-		$fetcher = function ($groupDN) {
-			if (isset($this->cachedNestedGroups[$groupDN])) {
-				$nestedGroups = $this->cachedNestedGroups[$groupDN];
-			} else {
-				$nestedGroups = $this->access->readAttribute($groupDN, 'memberOf');
-				if (!is_array($nestedGroups)) {
-					$nestedGroups = [];
-				}
-				$this->cachedNestedGroups[$groupDN] = $nestedGroups;
-			}
-			return $nestedGroups;
-		};
-
-		$groups = $this->walkNestedGroups($dn, $fetcher, $groups);
-		return $this->filterValidGroups($groups);
-	}
-
-	private function walkNestedGroups(string $dn, Closure $fetcher, array $list): array {
-		$nesting = (int)$this->access->connection->ldapNestedGroups;
-		// depending on the input, we either have a list of DNs or a list of LDAP records
-		// also, the output expects either DNs or records. Testing the first element should suffice.
-		$recordMode = is_array($list) && isset($list[0]) && is_array($list[0]) && isset($list[0]['dn'][0]);
-
-		if ($nesting !== 1) {
-			if ($recordMode) {
-				// the keys are numeric, but should hold the DN
-				return array_reduce($list, function ($transformed, $record) use ($dn) {
-					if ($record['dn'][0] != $dn) {
-						$transformed[$record['dn'][0]] = $record;
-					}
-					return $transformed;
-				}, []);
-			}
-			return $list;
-		}
-
-		$seen = [];
-		while ($record = array_pop($list)) {
-			$recordDN = $recordMode ? $record['dn'][0] : $record;
-			if ($recordDN === $dn || array_key_exists($recordDN, $seen)) {
-				// Prevent loops
-				continue;
-			}
-			$fetched = $fetcher($record, $seen);
-			$list = array_merge($list, $fetched);
-			$seen[$recordDN] = $record;
-		}
-
-		return $recordMode ? $seen : array_keys($seen);
-	}
-
-	/**
-	 * translates a gidNumber into an ownCloud internal name
-	 *
-	 * @return string|bool
-	 * @throws Exception
-	 * @throws ServerNotAvailableException
-	 */
-	public function gidNumber2Name(string $gid, string $dn) {
-		$cacheKey = 'gidNumberToName' . $gid;
-		$groupName = $this->access->connection->getFromCache($cacheKey);
-		if (!is_null($groupName) && isset($groupName)) {
-			return $groupName;
-		}
-
-		//we need to get the DN from LDAP
-		$filter = $this->access->combineFilterWithAnd([
-			$this->access->connection->ldapGroupFilter,
-			'objectClass=posixGroup',
-			$this->access->connection->ldapGidNumber . '=' . $gid
-		]);
-		return $this->getNameOfGroup($filter, $cacheKey) ?? false;
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 * @throws Exception
-	 */
-	private function getNameOfGroup(string $filter, string $cacheKey) {
-		$result = $this->access->searchGroups($filter, ['dn'], 1);
-		if (empty($result)) {
-			return null;
-		}
-		$dn = $result[0]['dn'][0];
-
-		//and now the group name
-		//NOTE once we have separate Nextcloud group IDs and group names we can
-		//directly read the display name attribute instead of the DN
-		$name = $this->access->dn2groupname($dn);
-
-		$this->access->connection->writeToCache($cacheKey, $name);
-
-		return $name;
-	}
-
-	/**
-	 * returns the entry's gidNumber
-	 *
-	 * @return string|bool
-	 * @throws ServerNotAvailableException
-	 */
-	private function getEntryGidNumber(string $dn, string $attribute) {
-		$value = $this->access->readAttribute($dn, $attribute);
-		if (is_array($value) && !empty($value)) {
-			return $value[0];
-		}
-		return false;
-	}
-
-	/**
-	 * @return string|bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function getGroupGidNumber(string $dn) {
-		return $this->getEntryGidNumber($dn, 'gidNumber');
-	}
-
-	/**
-	 * returns the user's gidNumber
-	 *
-	 * @return string|bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function getUserGidNumber(string $dn) {
-		$gidNumber = false;
-		if ($this->access->connection->hasGidNumber) {
-			$gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber);
-			if ($gidNumber === false) {
-				$this->access->connection->hasGidNumber = false;
-			}
-		}
-		return $gidNumber;
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 * @throws Exception
-	 */
-	private function prepareFilterForUsersHasGidNumber(string $groupDN, string $search = ''): string {
-		$groupID = $this->getGroupGidNumber($groupDN);
-		if ($groupID === false) {
-			throw new Exception('Not a valid group');
-		}
-
-		$filterParts = [];
-		$filterParts[] = $this->access->getFilterForUserCount();
-		if ($search !== '') {
-			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
-		}
-		$filterParts[] = $this->access->connection->ldapGidNumber . '=' . $groupID;
-
-		return $this->access->combineFilterWithAnd($filterParts);
-	}
-
-	/**
-	 * returns a list of users that have the given group as gid number
-	 *
-	 * @throws ServerNotAvailableException
-	 */
-	public function getUsersInGidNumber(
-		string $groupDN,
-		string $search = '',
-		?int $limit = -1,
-		?int $offset = 0
-	): array {
-		try {
-			$filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search);
-			$users = $this->access->fetchListOfUsers(
-				$filter,
-				[$this->access->connection->ldapUserDisplayName, 'dn'],
-				$limit,
-				$offset
-			);
-			return $this->access->nextcloudUserNames($users);
-		} catch (ServerNotAvailableException $e) {
-			throw $e;
-		} catch (Exception $e) {
-			return [];
-		}
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 * @return bool
-	 */
-	public function getUserGroupByGid(string $dn) {
-		$groupID = $this->getUserGidNumber($dn);
-		if ($groupID !== false) {
-			$groupName = $this->gidNumber2Name($groupID, $dn);
-			if ($groupName !== false) {
-				return $groupName;
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * translates a primary group ID into an Nextcloud internal name
-	 *
-	 * @return string|bool
-	 * @throws Exception
-	 * @throws ServerNotAvailableException
-	 */
-	public function primaryGroupID2Name(string $gid, string $dn) {
-		$cacheKey = 'primaryGroupIDtoName';
-		$groupNames = $this->access->connection->getFromCache($cacheKey);
-		if (!is_null($groupNames) && isset($groupNames[$gid])) {
-			return $groupNames[$gid];
-		}
-
-		$domainObjectSid = $this->access->getSID($dn);
-		if ($domainObjectSid === false) {
-			return false;
-		}
-
-		//we need to get the DN from LDAP
-		$filter = $this->access->combineFilterWithAnd([
-			$this->access->connection->ldapGroupFilter,
-			'objectsid=' . $domainObjectSid . '-' . $gid
-		]);
-		return $this->getNameOfGroup($filter, $cacheKey) ?? false;
-	}
-
-	/**
-	 * returns the entry's primary group ID
-	 *
-	 * @return string|bool
-	 * @throws ServerNotAvailableException
-	 */
-	private function getEntryGroupID(string $dn, string $attribute) {
-		$value = $this->access->readAttribute($dn, $attribute);
-		if (is_array($value) && !empty($value)) {
-			return $value[0];
-		}
-		return false;
-	}
-
-	/**
-	 * @return string|bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function getGroupPrimaryGroupID(string $dn) {
-		return $this->getEntryGroupID($dn, 'primaryGroupToken');
-	}
-
-	/**
-	 * @return string|bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function getUserPrimaryGroupIDs(string $dn) {
-		$primaryGroupID = false;
-		if ($this->access->connection->hasPrimaryGroups) {
-			$primaryGroupID = $this->getEntryGroupID($dn, 'primaryGroupID');
-			if ($primaryGroupID === false) {
-				$this->access->connection->hasPrimaryGroups = false;
-			}
-		}
-		return $primaryGroupID;
-	}
-
-	/**
-	 * @throws Exception
-	 * @throws ServerNotAvailableException
-	 */
-	private function prepareFilterForUsersInPrimaryGroup(string $groupDN, string $search = ''): string {
-		$groupID = $this->getGroupPrimaryGroupID($groupDN);
-		if ($groupID === false) {
-			throw new Exception('Not a valid group');
-		}
-
-		$filterParts = [];
-		$filterParts[] = $this->access->getFilterForUserCount();
-		if ($search !== '') {
-			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
-		}
-		$filterParts[] = 'primaryGroupID=' . $groupID;
-
-		return $this->access->combineFilterWithAnd($filterParts);
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 */
-	public function getUsersInPrimaryGroup(
-		string $groupDN,
-		string $search = '',
-		?int $limit = -1,
-		?int $offset = 0
-	): array {
-		try {
-			$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
-			$users = $this->access->fetchListOfUsers(
-				$filter,
-				[$this->access->connection->ldapUserDisplayName, 'dn'],
-				$limit,
-				$offset
-			);
-			return $this->access->nextcloudUserNames($users);
-		} catch (ServerNotAvailableException $e) {
-			throw $e;
-		} catch (Exception $e) {
-			return [];
-		}
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 */
-	public function countUsersInPrimaryGroup(
-		string $groupDN,
-		string $search = '',
-		int $limit = -1,
-		int $offset = 0
-	): int {
-		try {
-			$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
-			$users = $this->access->countUsers($filter, ['dn'], $limit, $offset);
-			return (int)$users;
-		} catch (ServerNotAvailableException $e) {
-			throw $e;
-		} catch (Exception $e) {
-			return 0;
-		}
-	}
-
-	/**
-	 * @return string|bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function getUserPrimaryGroup(string $dn) {
-		$groupID = $this->getUserPrimaryGroupIDs($dn);
-		if ($groupID !== false) {
-			$groupName = $this->primaryGroupID2Name($groupID, $dn);
-			if ($groupName !== false) {
-				return $groupName;
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * This function fetches all groups a user belongs to. It does not check
-	 * if the user exists at all.
-	 *
-	 * This function includes groups based on dynamic group membership.
-	 *
-	 * @param string $uid Name of the user
-	 * @return array with group names
-	 * @throws Exception
-	 * @throws ServerNotAvailableException
-	 */
-	public function getUserGroups($uid) {
-		if (!$this->enabled) {
-			return [];
-		}
-		$cacheKey = 'getUserGroups' . $uid;
-		$userGroups = $this->access->connection->getFromCache($cacheKey);
-		if (!is_null($userGroups)) {
-			return $userGroups;
-		}
-		$userDN = $this->access->username2dn($uid);
-		if (!$userDN) {
-			$this->access->connection->writeToCache($cacheKey, []);
-			return [];
-		}
-
-		$groups = [];
-		$primaryGroup = $this->getUserPrimaryGroup($userDN);
-		$gidGroupName = $this->getUserGroupByGid($userDN);
-
-		$dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
-
-		if (!empty($dynamicGroupMemberURL)) {
-			// look through dynamic groups to add them to the result array if needed
-			$groupsToMatch = $this->access->fetchListOfGroups(
-				$this->access->connection->ldapGroupFilter, ['dn', $dynamicGroupMemberURL]);
-			foreach ($groupsToMatch as $dynamicGroup) {
-				if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
-					continue;
-				}
-				$pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
-				if ($pos !== false) {
-					$memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0], $pos);
-					// apply filter via ldap search to see if this user is in this
-					// dynamic group
-					$userMatch = $this->access->readAttribute(
-						$userDN,
-						$this->access->connection->ldapUserDisplayName,
-						$memberUrlFilter
-					);
-					if ($userMatch !== false) {
-						// match found so this user is in this group
-						$groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]);
-						if (is_string($groupName)) {
-							// be sure to never return false if the dn could not be
-							// resolved to a name, for whatever reason.
-							$groups[] = $groupName;
-						}
-					}
-				} else {
-					$this->logger->debug('No search filter found on member url of group {dn}',
-						[
-							'app' => 'user_ldap',
-							'dn' => $dynamicGroup,
-						]
-					);
-				}
-			}
-		}
-
-		// if possible, read out membership via memberOf. It's far faster than
-		// performing a search, which still is a fallback later.
-		// memberof doesn't support memberuid, so skip it here.
-		if ((int)$this->access->connection->hasMemberOfFilterSupport === 1
-			&& (int)$this->access->connection->useMemberOfToDetectMembership === 1
-			&& strtolower($this->access->connection->ldapGroupMemberAssocAttr) !== 'memberuid'
-		) {
-			$groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
-			if (is_array($groupDNs)) {
-				foreach ($groupDNs as $dn) {
-					$groupName = $this->access->dn2groupname($dn);
-					if (is_string($groupName)) {
-						// be sure to never return false if the dn could not be
-						// resolved to a name, for whatever reason.
-						$groups[] = $groupName;
-					}
-				}
-			}
-
-			if ($primaryGroup !== false) {
-				$groups[] = $primaryGroup;
-			}
-			if ($gidGroupName !== false) {
-				$groups[] = $gidGroupName;
-			}
-			$this->access->connection->writeToCache($cacheKey, $groups);
-			return $groups;
-		}
-
-		//uniqueMember takes DN, memberuid the uid, so we need to distinguish
-		if ((strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'uniquemember')
-			|| (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'member')
-		) {
-			$uid = $userDN;
-		} elseif (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
-			$result = $this->access->readAttribute($userDN, 'uid');
-			if ($result === false) {
-				$this->logger->debug('No uid attribute found for DN {dn} on {host}',
-					[
-						'app' => 'user_ldap',
-						'dn' => $userDN,
-						'host' => $this->access->connection->ldapHost,
-					]
-				);
-				$uid = false;
-			} else {
-				$uid = $result[0];
-			}
-		} else {
-			// just in case
-			$uid = $userDN;
-		}
-
-		if ($uid !== false) {
-			if (isset($this->cachedGroupsByMember[$uid])) {
-				$groups = array_merge($groups, $this->cachedGroupsByMember[$uid]);
-			} else {
-				$groupsByMember = array_values($this->getGroupsByMember($uid));
-				$groupsByMember = $this->access->nextcloudGroupNames($groupsByMember);
-				$this->cachedGroupsByMember[$uid] = $groupsByMember;
-				$groups = array_merge($groups, $groupsByMember);
-			}
-		}
-
-		if ($primaryGroup !== false) {
-			$groups[] = $primaryGroup;
-		}
-		if ($gidGroupName !== false) {
-			$groups[] = $gidGroupName;
-		}
-
-		$groups = array_unique($groups, SORT_LOCALE_STRING);
-		$this->access->connection->writeToCache($cacheKey, $groups);
-
-		return $groups;
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 */
-	private function getGroupsByMember(string $dn, array &$seen = null): array {
-		if ($seen === null) {
-			$seen = [];
-		}
-		if (array_key_exists($dn, $seen)) {
-			// avoid loops
-			return [];
-		}
-		$allGroups = [];
-		$seen[$dn] = true;
-		$filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
-		$groups = $this->access->fetchListOfGroups($filter,
-			[strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
-		if (is_array($groups)) {
-			$fetcher = function ($dn, &$seen) {
-				if (is_array($dn) && isset($dn['dn'][0])) {
-					$dn = $dn['dn'][0];
-				}
-				return $this->getGroupsByMember($dn, $seen);
-			};
-			$allGroups = $this->walkNestedGroups($dn, $fetcher, $groups);
-		}
-		$visibleGroups = $this->filterValidGroups($allGroups);
-		return array_intersect_key($allGroups, $visibleGroups);
-	}
-
-	/**
-	 * get a list of all users in a group
-	 *
-	 * @param string $gid
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return array with user ids
-	 * @throws Exception
-	 * @throws ServerNotAvailableException
-	 */
-	public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
-		if (!$this->enabled) {
-			return [];
-		}
-		if (!$this->groupExists($gid)) {
-			return [];
-		}
-		$search = $this->access->escapeFilterPart($search, true);
-		$cacheKey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset;
-		// check for cache of the exact query
-		$groupUsers = $this->access->connection->getFromCache($cacheKey);
-		if (!is_null($groupUsers)) {
-			return $groupUsers;
-		}
-
-		if ($limit === -1) {
-			$limit = null;
-		}
-		// check for cache of the query without limit and offset
-		$groupUsers = $this->access->connection->getFromCache('usersInGroup-' . $gid . '-' . $search);
-		if (!is_null($groupUsers)) {
-			$groupUsers = array_slice($groupUsers, $offset, $limit);
-			$this->access->connection->writeToCache($cacheKey, $groupUsers);
-			return $groupUsers;
-		}
-
-		$groupDN = $this->access->groupname2dn($gid);
-		if (!$groupDN) {
-			// group couldn't be found, return empty resultset
-			$this->access->connection->writeToCache($cacheKey, []);
-			return [];
-		}
-
-		$primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset);
-		$posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search, $limit, $offset);
-		$members = $this->_groupMembers($groupDN);
-		if (!$members && empty($posixGroupUsers) && empty($primaryUsers)) {
-			//in case users could not be retrieved, return empty result set
-			$this->access->connection->writeToCache($cacheKey, []);
-			return [];
-		}
-
-		$groupUsers = [];
-		$isMemberUid = (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid');
-		$attrs = $this->access->userManager->getAttributes(true);
-		foreach ($members as $member) {
-			if ($isMemberUid) {
-				//we got uids, need to get their DNs to 'translate' them to user names
-				$filter = $this->access->combineFilterWithAnd([
-					str_replace('%uid', trim($member), $this->access->connection->ldapLoginFilter),
-					$this->access->combineFilterWithAnd([
-						$this->access->getFilterPartForUserSearch($search),
-						$this->access->connection->ldapUserFilter
-					])
-				]);
-				$ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
-				if (count($ldap_users) < 1) {
-					continue;
-				}
-				$groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]);
-			} else {
-				//we got DNs, check if we need to filter by search or we can give back all of them
-				$uid = $this->access->dn2username($member);
-				if (!$uid) {
-					continue;
-				}
-
-				$cacheKey = 'userExistsOnLDAP' . $uid;
-				$userExists = $this->access->connection->getFromCache($cacheKey);
-				if ($userExists === false) {
-					continue;
-				}
-				if ($userExists === null || $search !== '') {
-					if (!$this->access->readAttribute($member,
-						$this->access->connection->ldapUserDisplayName,
-						$this->access->combineFilterWithAnd([
-							$this->access->getFilterPartForUserSearch($search),
-							$this->access->connection->ldapUserFilter
-						]))) {
-						if ($search === '') {
-							$this->access->connection->writeToCache($cacheKey, false);
-						}
-						continue;
-					}
-					$this->access->connection->writeToCache($cacheKey, true);
-				}
-				$groupUsers[] = $uid;
-			}
-		}
-
-		$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers, $posixGroupUsers));
-		natsort($groupUsers);
-		$this->access->connection->writeToCache('usersInGroup-' . $gid . '-' . $search, $groupUsers);
-		$groupUsers = array_slice($groupUsers, $offset, $limit);
-
-		$this->access->connection->writeToCache($cacheKey, $groupUsers);
-
-		return $groupUsers;
-	}
-
-	/**
-	 * returns the number of users in a group, who match the search term
-	 *
-	 * @param string $gid the internal group name
-	 * @param string $search optional, a search string
-	 * @return int|bool
-	 * @throws Exception
-	 * @throws ServerNotAvailableException
-	 */
-	public function countUsersInGroup($gid, $search = '') {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::COUNT_USERS)) {
-			return $this->groupPluginManager->countUsersInGroup($gid, $search);
-		}
-
-		$cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
-		if (!$this->enabled || !$this->groupExists($gid)) {
-			return false;
-		}
-		$groupUsers = $this->access->connection->getFromCache($cacheKey);
-		if (!is_null($groupUsers)) {
-			return $groupUsers;
-		}
-
-		$groupDN = $this->access->groupname2dn($gid);
-		if (!$groupDN) {
-			// group couldn't be found, return empty result set
-			$this->access->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-
-		$members = $this->_groupMembers($groupDN);
-		$primaryUserCount = $this->countUsersInPrimaryGroup($groupDN, '');
-		if (!$members && $primaryUserCount === 0) {
-			//in case users could not be retrieved, return empty result set
-			$this->access->connection->writeToCache($cacheKey, false);
-			return false;
-		}
-
-		if ($search === '') {
-			$groupUsers = count($members) + $primaryUserCount;
-			$this->access->connection->writeToCache($cacheKey, $groupUsers);
-			return $groupUsers;
-		}
-		$search = $this->access->escapeFilterPart($search, true);
-		$isMemberUid =
-			(strtolower($this->access->connection->ldapGroupMemberAssocAttr)
-				=== 'memberuid');
-
-		//we need to apply the search filter
-		//alternatives that need to be checked:
-		//a) get all users by search filter and array_intersect them
-		//b) a, but only when less than 1k 10k ?k users like it is
-		//c) put all DNs|uids in a LDAP filter, combine with the search string
-		//   and let it count.
-		//For now this is not important, because the only use of this method
-		//does not supply a search string
-		$groupUsers = [];
-		foreach ($members as $member) {
-			if ($isMemberUid) {
-				//we got uids, need to get their DNs to 'translate' them to user names
-				$filter = $this->access->combineFilterWithAnd([
-					str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
-					$this->access->getFilterPartForUserSearch($search)
-				]);
-				$ldap_users = $this->access->fetchListOfUsers($filter, ['dn'], 1);
-				if (count($ldap_users) < 1) {
-					continue;
-				}
-				$groupUsers[] = $this->access->dn2username($ldap_users[0]);
-			} else {
-				//we need to apply the search filter now
-				if (!$this->access->readAttribute($member,
-					$this->access->connection->ldapUserDisplayName,
-					$this->access->getFilterPartForUserSearch($search))) {
-					continue;
-				}
-				// dn2username will also check if the users belong to the allowed base
-				if ($ncGroupId = $this->access->dn2username($member)) {
-					$groupUsers[] = $ncGroupId;
-				}
-			}
-		}
-
-		//and get users that have the group as primary
-		$primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search);
-
-		return count($groupUsers) + $primaryUsers;
-	}
-
-	/**
-	 * get a list of all groups using a paged search
-	 *
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return array with group names
-	 *
-	 * Returns a list with all groups
-	 * Uses a paged search if available to override a
-	 * server side search limit.
-	 * (active directory has a limit of 1000 by default)
-	 * @throws Exception
-	 */
-	public function getGroups($search = '', $limit = -1, $offset = 0) {
-		if (!$this->enabled) {
-			return [];
-		}
-		$cacheKey = 'getGroups-' . $search . '-' . $limit . '-' . $offset;
-
-		//Check cache before driving unnecessary searches
-		$ldap_groups = $this->access->connection->getFromCache($cacheKey);
-		if (!is_null($ldap_groups)) {
-			return $ldap_groups;
-		}
-
-		// if we'd pass -1 to LDAP search, we'd end up in a Protocol
-		// error. With a limit of 0, we get 0 results. So we pass null.
-		if ($limit <= 0) {
-			$limit = null;
-		}
-		$filter = $this->access->combineFilterWithAnd([
-			$this->access->connection->ldapGroupFilter,
-			$this->access->getFilterPartForGroupSearch($search)
-		]);
-		$ldap_groups = $this->access->fetchListOfGroups($filter,
-			[$this->access->connection->ldapGroupDisplayName, 'dn'],
-			$limit,
-			$offset);
-		$ldap_groups = $this->access->nextcloudGroupNames($ldap_groups);
-
-		$this->access->connection->writeToCache($cacheKey, $ldap_groups);
-		return $ldap_groups;
-	}
-
-	/**
-	 * check if a group exists
-	 *
-	 * @param string $gid
-	 * @return bool
-	 * @throws ServerNotAvailableException
-	 */
-	public function groupExists($gid) {
-		$groupExists = $this->access->connection->getFromCache('groupExists' . $gid);
-		if (!is_null($groupExists)) {
-			return (bool)$groupExists;
-		}
-
-		//getting dn, if false the group does not exist. If dn, it may be mapped
-		//only, requires more checking.
-		$dn = $this->access->groupname2dn($gid);
-		if (!$dn) {
-			$this->access->connection->writeToCache('groupExists' . $gid, false);
-			return false;
-		}
-
-		if (!$this->access->isDNPartOfBase($dn, $this->access->connection->ldapBaseGroups)) {
-			$this->access->connection->writeToCache('groupExists' . $gid, false);
-			return false;
-		}
-
-		//if group really still exists, we will be able to read its objectClass
-		if (!is_array($this->access->readAttribute($dn, '', $this->access->connection->ldapGroupFilter))) {
-			$this->access->connection->writeToCache('groupExists' . $gid, false);
-			return false;
-		}
-
-		$this->access->connection->writeToCache('groupExists' . $gid, true);
-		return true;
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 * @throws Exception
-	 */
-	protected function filterValidGroups(array $listOfGroups): array {
-		$validGroupDNs = [];
-		foreach ($listOfGroups as $key => $item) {
-			$dn = is_string($item) ? $item : $item['dn'][0];
-			$gid = $this->access->dn2groupname($dn);
-			if (!$gid) {
-				continue;
-			}
-			if ($this->groupExists($gid)) {
-				$validGroupDNs[$key] = $item;
-			}
-		}
-		return $validGroupDNs;
-	}
-
-	/**
-	 * Check if backend implements actions
-	 *
-	 * @param int $actions bitwise-or'ed actions
-	 * @return boolean
-	 *
-	 * Returns the supported actions as int to be
-	 * compared with GroupInterface::CREATE_GROUP etc.
-	 */
-	public function implementsActions($actions) {
-		return (bool)((GroupInterface::COUNT_USERS |
-				$this->groupPluginManager->getImplementedActions()) & $actions);
-	}
-
-	/**
-	 * Return access for LDAP interaction.
-	 *
-	 * @return Access instance of Access for LDAP interaction
-	 */
-	public function getLDAPAccess($gid) {
-		return $this->access;
-	}
-
-	/**
-	 * create a group
-	 *
-	 * @param string $gid
-	 * @return bool
-	 * @throws Exception
-	 * @throws ServerNotAvailableException
-	 */
-	public function createGroup($gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::CREATE_GROUP)) {
-			if ($dn = $this->groupPluginManager->createGroup($gid)) {
-				//updates group mapping
-				$uuid = $this->access->getUUID($dn, false);
-				if (is_string($uuid)) {
-					$this->access->mapAndAnnounceIfApplicable(
-						$this->access->getGroupMapper(),
-						$dn,
-						$gid,
-						$uuid,
-						false
-					);
-					$this->access->cacheGroupExists($gid);
-				}
-			}
-			return $dn != null;
-		}
-		throw new Exception('Could not create group in LDAP backend.');
-	}
-
-	/**
-	 * delete a group
-	 *
-	 * @param string $gid gid of the group to delete
-	 * @return bool
-	 * @throws Exception
-	 */
-	public function deleteGroup($gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::DELETE_GROUP)) {
-			if ($ret = $this->groupPluginManager->deleteGroup($gid)) {
-				#delete group in nextcloud internal db
-				$this->access->getGroupMapper()->unmap($gid);
-				$this->access->connection->writeToCache("groupExists" . $gid, false);
-			}
-			return $ret;
-		}
-		throw new Exception('Could not delete group in LDAP backend.');
-	}
-
-	/**
-	 * Add a user to a group
-	 *
-	 * @param string $uid Name of the user to add to group
-	 * @param string $gid Name of the group in which add the user
-	 * @return bool
-	 * @throws Exception
-	 */
-	public function addToGroup($uid, $gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::ADD_TO_GROUP)) {
-			if ($ret = $this->groupPluginManager->addToGroup($uid, $gid)) {
-				$this->access->connection->clearCache();
-				unset($this->cachedGroupMembers[$gid]);
-			}
-			return $ret;
-		}
-		throw new Exception('Could not add user to group in LDAP backend.');
-	}
-
-	/**
-	 * Removes a user from a group
-	 *
-	 * @param string $uid Name of the user to remove from group
-	 * @param string $gid Name of the group from which remove the user
-	 * @return bool
-	 * @throws Exception
-	 */
-	public function removeFromGroup($uid, $gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::REMOVE_FROM_GROUP)) {
-			if ($ret = $this->groupPluginManager->removeFromGroup($uid, $gid)) {
-				$this->access->connection->clearCache();
-				unset($this->cachedGroupMembers[$gid]);
-			}
-			return $ret;
-		}
-		throw new Exception('Could not remove user from group in LDAP backend.');
-	}
-
-	/**
-	 * Gets group details
-	 *
-	 * @param string $gid Name of the group
-	 * @return array|false
-	 * @throws Exception
-	 */
-	public function getGroupDetails($gid) {
-		if ($this->groupPluginManager->implementsActions(GroupInterface::GROUP_DETAILS)) {
-			return $this->groupPluginManager->getGroupDetails($gid);
-		}
-		throw new Exception('Could not get group details in LDAP backend.');
-	}
-
-	/**
-	 * Return LDAP connection resource from a cloned connection.
-	 * The cloned connection needs to be closed manually.
-	 * of the current access.
-	 *
-	 * @param string $gid
-	 * @return resource of the LDAP connection
-	 * @throws ServerNotAvailableException
-	 */
-	public function getNewLDAPConnection($gid) {
-		$connection = clone $this->access->getConnection();
-		return $connection->getConnectionResource();
-	}
-
-	/**
-	 * @throws ServerNotAvailableException
-	 */
-	public function getDisplayName(string $gid): string {
-		if ($this->groupPluginManager instanceof IGetDisplayNameBackend) {
-			return $this->groupPluginManager->getDisplayName($gid);
-		}
-
-		$cacheKey = 'group_getDisplayName' . $gid;
-		if (!is_null($displayName = $this->access->connection->getFromCache($cacheKey))) {
-			return $displayName;
-		}
-
-		$displayName = $this->access->readAttribute(
-			$this->access->groupname2dn($gid),
-			$this->access->connection->ldapGroupDisplayName);
-
-		if ($displayName && (count($displayName) > 0)) {
-			$displayName = $displayName[0];
-			$this->access->connection->writeToCache($cacheKey, $displayName);
-			return $displayName;
-		}
-
-		return '';
-	}
+    protected $enabled = false;
+
+    /** @var string[] $cachedGroupMembers array of users with gid as key */
+    protected $cachedGroupMembers;
+    /** @var string[] $cachedGroupsByMember array of groups with uid as key */
+    protected $cachedGroupsByMember;
+    /** @var string[] $cachedNestedGroups array of groups with gid (DN) as key */
+    protected $cachedNestedGroups;
+    /** @var GroupPluginManager */
+    protected $groupPluginManager;
+    /** @var ILogger */
+    protected $logger;
+
+    public function __construct(Access $access, GroupPluginManager $groupPluginManager) {
+        parent::__construct($access);
+        $filter = $this->access->connection->ldapGroupFilter;
+        $gAssoc = $this->access->connection->ldapGroupMemberAssocAttr;
+        if (!empty($filter) && !empty($gAssoc)) {
+            $this->enabled = true;
+        }
+
+        $this->cachedGroupMembers = new CappedMemoryCache();
+        $this->cachedGroupsByMember = new CappedMemoryCache();
+        $this->cachedNestedGroups = new CappedMemoryCache();
+        $this->groupPluginManager = $groupPluginManager;
+        $this->logger = OC::$server->getLogger();
+    }
+
+    /**
+     * is user in group?
+     *
+     * @param string $uid uid of the user
+     * @param string $gid gid of the group
+     * @return bool
+     * @throws Exception
+     * @throws ServerNotAvailableException
+     */
+    public function inGroup($uid, $gid) {
+        if (!$this->enabled) {
+            return false;
+        }
+        $cacheKey = 'inGroup' . $uid . ':' . $gid;
+        $inGroup = $this->access->connection->getFromCache($cacheKey);
+        if (!is_null($inGroup)) {
+            return (bool)$inGroup;
+        }
+
+        $userDN = $this->access->username2dn($uid);
+
+        if (isset($this->cachedGroupMembers[$gid])) {
+            return in_array($userDN, $this->cachedGroupMembers[$gid]);
+        }
+
+        $cacheKeyMembers = 'inGroup-members:' . $gid;
+        $members = $this->access->connection->getFromCache($cacheKeyMembers);
+        if (!is_null($members)) {
+            $this->cachedGroupMembers[$gid] = $members;
+            $isInGroup = in_array($userDN, $members, true);
+            $this->access->connection->writeToCache($cacheKey, $isInGroup);
+            return $isInGroup;
+        }
+
+        $groupDN = $this->access->groupname2dn($gid);
+        // just in case
+        if (!$groupDN || !$userDN) {
+            $this->access->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+
+        //check primary group first
+        if ($gid === $this->getUserPrimaryGroup($userDN)) {
+            $this->access->connection->writeToCache($cacheKey, true);
+            return true;
+        }
+
+        //usually, LDAP attributes are said to be case insensitive. But there are exceptions of course.
+        $members = $this->_groupMembers($groupDN);
+        if (!is_array($members) || count($members) === 0) {
+            $this->access->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+
+        //extra work if we don't get back user DNs
+        if (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
+            $requestAttributes = $this->access->userManager->getAttributes(true);
+            $dns = [];
+            $filterParts = [];
+            $bytes = 0;
+            foreach ($members as $mid) {
+                $filter = str_replace('%uid', $mid, $this->access->connection->ldapLoginFilter);
+                $filterParts[] = $filter;
+                $bytes += strlen($filter);
+                if ($bytes >= 9000000) {
+                    // AD has a default input buffer of 10 MB, we do not want
+                    // to take even the chance to exceed it
+                    $filter = $this->access->combineFilterWithOr($filterParts);
+                    $bytes = 0;
+                    $filterParts = [];
+                    $users = $this->access->fetchListOfUsers($filter, $requestAttributes, count($filterParts));
+                    $dns = array_merge($dns, $users);
+                }
+            }
+            if (count($filterParts) > 0) {
+                $filter = $this->access->combineFilterWithOr($filterParts);
+                $users = $this->access->fetchListOfUsers($filter, $requestAttributes, count($filterParts));
+                $dns = array_merge($dns, $users);
+            }
+            $members = $dns;
+        }
+
+        $isInGroup = in_array($userDN, $members);
+        $this->access->connection->writeToCache($cacheKey, $isInGroup);
+        $this->access->connection->writeToCache($cacheKeyMembers, $members);
+        $this->cachedGroupMembers[$gid] = $members;
+
+        return $isInGroup;
+    }
+
+    /**
+     * For a group that has user membership defined by an LDAP search url
+     * attribute returns the users that match the search url otherwise returns
+     * an empty array.
+     *
+     * @throws ServerNotAvailableException
+     */
+    public function getDynamicGroupMembers(string $dnGroup): array {
+        $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
+
+        if (empty($dynamicGroupMemberURL)) {
+            return [];
+        }
+
+        $dynamicMembers = [];
+        $memberURLs = $this->access->readAttribute(
+            $dnGroup,
+            $dynamicGroupMemberURL,
+            $this->access->connection->ldapGroupFilter
+        );
+        if ($memberURLs !== false) {
+            // this group has the 'memberURL' attribute so this is a dynamic group
+            // example 1: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(o=HeadOffice)
+            // example 2: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(&(o=HeadOffice)(uidNumber>=500))
+            $pos = strpos($memberURLs[0], '(');
+            if ($pos !== false) {
+                $memberUrlFilter = substr($memberURLs[0], $pos);
+                $foundMembers = $this->access->searchUsers($memberUrlFilter, 'dn');
+                $dynamicMembers = [];
+                foreach ($foundMembers as $value) {
+                    $dynamicMembers[$value['dn'][0]] = 1;
+                }
+            } else {
+                $this->logger->debug('No search filter found on member url of group {dn}',
+                    [
+                        'app' => 'user_ldap',
+                        'dn' => $dnGroup,
+                    ]
+                );
+            }
+        }
+        return $dynamicMembers;
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     */
+    private function _groupMembers(string $dnGroup, ?array &$seen = null): array {
+        if ($seen === null) {
+            $seen = [];
+        }
+        $allMembers = [];
+        if (array_key_exists($dnGroup, $seen)) {
+            return [];
+        }
+        // used extensively in cron job, caching makes sense for nested groups
+        $cacheKey = '_groupMembers' . $dnGroup;
+        $groupMembers = $this->access->connection->getFromCache($cacheKey);
+        if ($groupMembers !== null) {
+            return $groupMembers;
+        }
+        $seen[$dnGroup] = 1;
+        $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
+        if (is_array($members)) {
+            $fetcher = function ($memberDN, &$seen) {
+                return $this->_groupMembers($memberDN, $seen);
+            };
+            $allMembers = $this->walkNestedGroups($dnGroup, $fetcher, $members);
+        }
+
+        $allMembers += $this->getDynamicGroupMembers($dnGroup);
+
+        $this->access->connection->writeToCache($cacheKey, $allMembers);
+        return $allMembers;
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     */
+    private function _getGroupDNsFromMemberOf(string $dn): array {
+        $groups = $this->access->readAttribute($dn, 'memberOf');
+        if (!is_array($groups)) {
+            return [];
+        }
+
+        $fetcher = function ($groupDN) {
+            if (isset($this->cachedNestedGroups[$groupDN])) {
+                $nestedGroups = $this->cachedNestedGroups[$groupDN];
+            } else {
+                $nestedGroups = $this->access->readAttribute($groupDN, 'memberOf');
+                if (!is_array($nestedGroups)) {
+                    $nestedGroups = [];
+                }
+                $this->cachedNestedGroups[$groupDN] = $nestedGroups;
+            }
+            return $nestedGroups;
+        };
+
+        $groups = $this->walkNestedGroups($dn, $fetcher, $groups);
+        return $this->filterValidGroups($groups);
+    }
+
+    private function walkNestedGroups(string $dn, Closure $fetcher, array $list): array {
+        $nesting = (int)$this->access->connection->ldapNestedGroups;
+        // depending on the input, we either have a list of DNs or a list of LDAP records
+        // also, the output expects either DNs or records. Testing the first element should suffice.
+        $recordMode = is_array($list) && isset($list[0]) && is_array($list[0]) && isset($list[0]['dn'][0]);
+
+        if ($nesting !== 1) {
+            if ($recordMode) {
+                // the keys are numeric, but should hold the DN
+                return array_reduce($list, function ($transformed, $record) use ($dn) {
+                    if ($record['dn'][0] != $dn) {
+                        $transformed[$record['dn'][0]] = $record;
+                    }
+                    return $transformed;
+                }, []);
+            }
+            return $list;
+        }
+
+        $seen = [];
+        while ($record = array_pop($list)) {
+            $recordDN = $recordMode ? $record['dn'][0] : $record;
+            if ($recordDN === $dn || array_key_exists($recordDN, $seen)) {
+                // Prevent loops
+                continue;
+            }
+            $fetched = $fetcher($record, $seen);
+            $list = array_merge($list, $fetched);
+            $seen[$recordDN] = $record;
+        }
+
+        return $recordMode ? $seen : array_keys($seen);
+    }
+
+    /**
+     * translates a gidNumber into an ownCloud internal name
+     *
+     * @return string|bool
+     * @throws Exception
+     * @throws ServerNotAvailableException
+     */
+    public function gidNumber2Name(string $gid, string $dn) {
+        $cacheKey = 'gidNumberToName' . $gid;
+        $groupName = $this->access->connection->getFromCache($cacheKey);
+        if (!is_null($groupName) && isset($groupName)) {
+            return $groupName;
+        }
+
+        //we need to get the DN from LDAP
+        $filter = $this->access->combineFilterWithAnd([
+            $this->access->connection->ldapGroupFilter,
+            'objectClass=posixGroup',
+            $this->access->connection->ldapGidNumber . '=' . $gid
+        ]);
+        return $this->getNameOfGroup($filter, $cacheKey) ?? false;
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     * @throws Exception
+     */
+    private function getNameOfGroup(string $filter, string $cacheKey) {
+        $result = $this->access->searchGroups($filter, ['dn'], 1);
+        if (empty($result)) {
+            return null;
+        }
+        $dn = $result[0]['dn'][0];
+
+        //and now the group name
+        //NOTE once we have separate Nextcloud group IDs and group names we can
+        //directly read the display name attribute instead of the DN
+        $name = $this->access->dn2groupname($dn);
+
+        $this->access->connection->writeToCache($cacheKey, $name);
+
+        return $name;
+    }
+
+    /**
+     * returns the entry's gidNumber
+     *
+     * @return string|bool
+     * @throws ServerNotAvailableException
+     */
+    private function getEntryGidNumber(string $dn, string $attribute) {
+        $value = $this->access->readAttribute($dn, $attribute);
+        if (is_array($value) && !empty($value)) {
+            return $value[0];
+        }
+        return false;
+    }
+
+    /**
+     * @return string|bool
+     * @throws ServerNotAvailableException
+     */
+    public function getGroupGidNumber(string $dn) {
+        return $this->getEntryGidNumber($dn, 'gidNumber');
+    }
+
+    /**
+     * returns the user's gidNumber
+     *
+     * @return string|bool
+     * @throws ServerNotAvailableException
+     */
+    public function getUserGidNumber(string $dn) {
+        $gidNumber = false;
+        if ($this->access->connection->hasGidNumber) {
+            $gidNumber = $this->getEntryGidNumber($dn, $this->access->connection->ldapGidNumber);
+            if ($gidNumber === false) {
+                $this->access->connection->hasGidNumber = false;
+            }
+        }
+        return $gidNumber;
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     * @throws Exception
+     */
+    private function prepareFilterForUsersHasGidNumber(string $groupDN, string $search = ''): string {
+        $groupID = $this->getGroupGidNumber($groupDN);
+        if ($groupID === false) {
+            throw new Exception('Not a valid group');
+        }
+
+        $filterParts = [];
+        $filterParts[] = $this->access->getFilterForUserCount();
+        if ($search !== '') {
+            $filterParts[] = $this->access->getFilterPartForUserSearch($search);
+        }
+        $filterParts[] = $this->access->connection->ldapGidNumber . '=' . $groupID;
+
+        return $this->access->combineFilterWithAnd($filterParts);
+    }
+
+    /**
+     * returns a list of users that have the given group as gid number
+     *
+     * @throws ServerNotAvailableException
+     */
+    public function getUsersInGidNumber(
+        string $groupDN,
+        string $search = '',
+        ?int $limit = -1,
+        ?int $offset = 0
+    ): array {
+        try {
+            $filter = $this->prepareFilterForUsersHasGidNumber($groupDN, $search);
+            $users = $this->access->fetchListOfUsers(
+                $filter,
+                [$this->access->connection->ldapUserDisplayName, 'dn'],
+                $limit,
+                $offset
+            );
+            return $this->access->nextcloudUserNames($users);
+        } catch (ServerNotAvailableException $e) {
+            throw $e;
+        } catch (Exception $e) {
+            return [];
+        }
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     * @return bool
+     */
+    public function getUserGroupByGid(string $dn) {
+        $groupID = $this->getUserGidNumber($dn);
+        if ($groupID !== false) {
+            $groupName = $this->gidNumber2Name($groupID, $dn);
+            if ($groupName !== false) {
+                return $groupName;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * translates a primary group ID into an Nextcloud internal name
+     *
+     * @return string|bool
+     * @throws Exception
+     * @throws ServerNotAvailableException
+     */
+    public function primaryGroupID2Name(string $gid, string $dn) {
+        $cacheKey = 'primaryGroupIDtoName';
+        $groupNames = $this->access->connection->getFromCache($cacheKey);
+        if (!is_null($groupNames) && isset($groupNames[$gid])) {
+            return $groupNames[$gid];
+        }
+
+        $domainObjectSid = $this->access->getSID($dn);
+        if ($domainObjectSid === false) {
+            return false;
+        }
+
+        //we need to get the DN from LDAP
+        $filter = $this->access->combineFilterWithAnd([
+            $this->access->connection->ldapGroupFilter,
+            'objectsid=' . $domainObjectSid . '-' . $gid
+        ]);
+        return $this->getNameOfGroup($filter, $cacheKey) ?? false;
+    }
+
+    /**
+     * returns the entry's primary group ID
+     *
+     * @return string|bool
+     * @throws ServerNotAvailableException
+     */
+    private function getEntryGroupID(string $dn, string $attribute) {
+        $value = $this->access->readAttribute($dn, $attribute);
+        if (is_array($value) && !empty($value)) {
+            return $value[0];
+        }
+        return false;
+    }
+
+    /**
+     * @return string|bool
+     * @throws ServerNotAvailableException
+     */
+    public function getGroupPrimaryGroupID(string $dn) {
+        return $this->getEntryGroupID($dn, 'primaryGroupToken');
+    }
+
+    /**
+     * @return string|bool
+     * @throws ServerNotAvailableException
+     */
+    public function getUserPrimaryGroupIDs(string $dn) {
+        $primaryGroupID = false;
+        if ($this->access->connection->hasPrimaryGroups) {
+            $primaryGroupID = $this->getEntryGroupID($dn, 'primaryGroupID');
+            if ($primaryGroupID === false) {
+                $this->access->connection->hasPrimaryGroups = false;
+            }
+        }
+        return $primaryGroupID;
+    }
+
+    /**
+     * @throws Exception
+     * @throws ServerNotAvailableException
+     */
+    private function prepareFilterForUsersInPrimaryGroup(string $groupDN, string $search = ''): string {
+        $groupID = $this->getGroupPrimaryGroupID($groupDN);
+        if ($groupID === false) {
+            throw new Exception('Not a valid group');
+        }
+
+        $filterParts = [];
+        $filterParts[] = $this->access->getFilterForUserCount();
+        if ($search !== '') {
+            $filterParts[] = $this->access->getFilterPartForUserSearch($search);
+        }
+        $filterParts[] = 'primaryGroupID=' . $groupID;
+
+        return $this->access->combineFilterWithAnd($filterParts);
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     */
+    public function getUsersInPrimaryGroup(
+        string $groupDN,
+        string $search = '',
+        ?int $limit = -1,
+        ?int $offset = 0
+    ): array {
+        try {
+            $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
+            $users = $this->access->fetchListOfUsers(
+                $filter,
+                [$this->access->connection->ldapUserDisplayName, 'dn'],
+                $limit,
+                $offset
+            );
+            return $this->access->nextcloudUserNames($users);
+        } catch (ServerNotAvailableException $e) {
+            throw $e;
+        } catch (Exception $e) {
+            return [];
+        }
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     */
+    public function countUsersInPrimaryGroup(
+        string $groupDN,
+        string $search = '',
+        int $limit = -1,
+        int $offset = 0
+    ): int {
+        try {
+            $filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
+            $users = $this->access->countUsers($filter, ['dn'], $limit, $offset);
+            return (int)$users;
+        } catch (ServerNotAvailableException $e) {
+            throw $e;
+        } catch (Exception $e) {
+            return 0;
+        }
+    }
+
+    /**
+     * @return string|bool
+     * @throws ServerNotAvailableException
+     */
+    public function getUserPrimaryGroup(string $dn) {
+        $groupID = $this->getUserPrimaryGroupIDs($dn);
+        if ($groupID !== false) {
+            $groupName = $this->primaryGroupID2Name($groupID, $dn);
+            if ($groupName !== false) {
+                return $groupName;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * This function fetches all groups a user belongs to. It does not check
+     * if the user exists at all.
+     *
+     * This function includes groups based on dynamic group membership.
+     *
+     * @param string $uid Name of the user
+     * @return array with group names
+     * @throws Exception
+     * @throws ServerNotAvailableException
+     */
+    public function getUserGroups($uid) {
+        if (!$this->enabled) {
+            return [];
+        }
+        $cacheKey = 'getUserGroups' . $uid;
+        $userGroups = $this->access->connection->getFromCache($cacheKey);
+        if (!is_null($userGroups)) {
+            return $userGroups;
+        }
+        $userDN = $this->access->username2dn($uid);
+        if (!$userDN) {
+            $this->access->connection->writeToCache($cacheKey, []);
+            return [];
+        }
+
+        $groups = [];
+        $primaryGroup = $this->getUserPrimaryGroup($userDN);
+        $gidGroupName = $this->getUserGroupByGid($userDN);
+
+        $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
+
+        if (!empty($dynamicGroupMemberURL)) {
+            // look through dynamic groups to add them to the result array if needed
+            $groupsToMatch = $this->access->fetchListOfGroups(
+                $this->access->connection->ldapGroupFilter, ['dn', $dynamicGroupMemberURL]);
+            foreach ($groupsToMatch as $dynamicGroup) {
+                if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
+                    continue;
+                }
+                $pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
+                if ($pos !== false) {
+                    $memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0], $pos);
+                    // apply filter via ldap search to see if this user is in this
+                    // dynamic group
+                    $userMatch = $this->access->readAttribute(
+                        $userDN,
+                        $this->access->connection->ldapUserDisplayName,
+                        $memberUrlFilter
+                    );
+                    if ($userMatch !== false) {
+                        // match found so this user is in this group
+                        $groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]);
+                        if (is_string($groupName)) {
+                            // be sure to never return false if the dn could not be
+                            // resolved to a name, for whatever reason.
+                            $groups[] = $groupName;
+                        }
+                    }
+                } else {
+                    $this->logger->debug('No search filter found on member url of group {dn}',
+                        [
+                            'app' => 'user_ldap',
+                            'dn' => $dynamicGroup,
+                        ]
+                    );
+                }
+            }
+        }
+
+        // if possible, read out membership via memberOf. It's far faster than
+        // performing a search, which still is a fallback later.
+        // memberof doesn't support memberuid, so skip it here.
+        if ((int)$this->access->connection->hasMemberOfFilterSupport === 1
+            && (int)$this->access->connection->useMemberOfToDetectMembership === 1
+            && strtolower($this->access->connection->ldapGroupMemberAssocAttr) !== 'memberuid'
+        ) {
+            $groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
+            if (is_array($groupDNs)) {
+                foreach ($groupDNs as $dn) {
+                    $groupName = $this->access->dn2groupname($dn);
+                    if (is_string($groupName)) {
+                        // be sure to never return false if the dn could not be
+                        // resolved to a name, for whatever reason.
+                        $groups[] = $groupName;
+                    }
+                }
+            }
+
+            if ($primaryGroup !== false) {
+                $groups[] = $primaryGroup;
+            }
+            if ($gidGroupName !== false) {
+                $groups[] = $gidGroupName;
+            }
+            $this->access->connection->writeToCache($cacheKey, $groups);
+            return $groups;
+        }
+
+        //uniqueMember takes DN, memberuid the uid, so we need to distinguish
+        if ((strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'uniquemember')
+            || (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'member')
+        ) {
+            $uid = $userDN;
+        } elseif (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid') {
+            $result = $this->access->readAttribute($userDN, 'uid');
+            if ($result === false) {
+                $this->logger->debug('No uid attribute found for DN {dn} on {host}',
+                    [
+                        'app' => 'user_ldap',
+                        'dn' => $userDN,
+                        'host' => $this->access->connection->ldapHost,
+                    ]
+                );
+                $uid = false;
+            } else {
+                $uid = $result[0];
+            }
+        } else {
+            // just in case
+            $uid = $userDN;
+        }
+
+        if ($uid !== false) {
+            if (isset($this->cachedGroupsByMember[$uid])) {
+                $groups = array_merge($groups, $this->cachedGroupsByMember[$uid]);
+            } else {
+                $groupsByMember = array_values($this->getGroupsByMember($uid));
+                $groupsByMember = $this->access->nextcloudGroupNames($groupsByMember);
+                $this->cachedGroupsByMember[$uid] = $groupsByMember;
+                $groups = array_merge($groups, $groupsByMember);
+            }
+        }
+
+        if ($primaryGroup !== false) {
+            $groups[] = $primaryGroup;
+        }
+        if ($gidGroupName !== false) {
+            $groups[] = $gidGroupName;
+        }
+
+        $groups = array_unique($groups, SORT_LOCALE_STRING);
+        $this->access->connection->writeToCache($cacheKey, $groups);
+
+        return $groups;
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     */
+    private function getGroupsByMember(string $dn, array &$seen = null): array {
+        if ($seen === null) {
+            $seen = [];
+        }
+        if (array_key_exists($dn, $seen)) {
+            // avoid loops
+            return [];
+        }
+        $allGroups = [];
+        $seen[$dn] = true;
+        $filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
+        $groups = $this->access->fetchListOfGroups($filter,
+            [strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
+        if (is_array($groups)) {
+            $fetcher = function ($dn, &$seen) {
+                if (is_array($dn) && isset($dn['dn'][0])) {
+                    $dn = $dn['dn'][0];
+                }
+                return $this->getGroupsByMember($dn, $seen);
+            };
+            $allGroups = $this->walkNestedGroups($dn, $fetcher, $groups);
+        }
+        $visibleGroups = $this->filterValidGroups($allGroups);
+        return array_intersect_key($allGroups, $visibleGroups);
+    }
+
+    /**
+     * get a list of all users in a group
+     *
+     * @param string $gid
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return array with user ids
+     * @throws Exception
+     * @throws ServerNotAvailableException
+     */
+    public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
+        if (!$this->enabled) {
+            return [];
+        }
+        if (!$this->groupExists($gid)) {
+            return [];
+        }
+        $search = $this->access->escapeFilterPart($search, true);
+        $cacheKey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset;
+        // check for cache of the exact query
+        $groupUsers = $this->access->connection->getFromCache($cacheKey);
+        if (!is_null($groupUsers)) {
+            return $groupUsers;
+        }
+
+        if ($limit === -1) {
+            $limit = null;
+        }
+        // check for cache of the query without limit and offset
+        $groupUsers = $this->access->connection->getFromCache('usersInGroup-' . $gid . '-' . $search);
+        if (!is_null($groupUsers)) {
+            $groupUsers = array_slice($groupUsers, $offset, $limit);
+            $this->access->connection->writeToCache($cacheKey, $groupUsers);
+            return $groupUsers;
+        }
+
+        $groupDN = $this->access->groupname2dn($gid);
+        if (!$groupDN) {
+            // group couldn't be found, return empty resultset
+            $this->access->connection->writeToCache($cacheKey, []);
+            return [];
+        }
+
+        $primaryUsers = $this->getUsersInPrimaryGroup($groupDN, $search, $limit, $offset);
+        $posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search, $limit, $offset);
+        $members = $this->_groupMembers($groupDN);
+        if (!$members && empty($posixGroupUsers) && empty($primaryUsers)) {
+            //in case users could not be retrieved, return empty result set
+            $this->access->connection->writeToCache($cacheKey, []);
+            return [];
+        }
+
+        $groupUsers = [];
+        $isMemberUid = (strtolower($this->access->connection->ldapGroupMemberAssocAttr) === 'memberuid');
+        $attrs = $this->access->userManager->getAttributes(true);
+        foreach ($members as $member) {
+            if ($isMemberUid) {
+                //we got uids, need to get their DNs to 'translate' them to user names
+                $filter = $this->access->combineFilterWithAnd([
+                    str_replace('%uid', trim($member), $this->access->connection->ldapLoginFilter),
+                    $this->access->combineFilterWithAnd([
+                        $this->access->getFilterPartForUserSearch($search),
+                        $this->access->connection->ldapUserFilter
+                    ])
+                ]);
+                $ldap_users = $this->access->fetchListOfUsers($filter, $attrs, 1);
+                if (count($ldap_users) < 1) {
+                    continue;
+                }
+                $groupUsers[] = $this->access->dn2username($ldap_users[0]['dn'][0]);
+            } else {
+                //we got DNs, check if we need to filter by search or we can give back all of them
+                $uid = $this->access->dn2username($member);
+                if (!$uid) {
+                    continue;
+                }
+
+                $cacheKey = 'userExistsOnLDAP' . $uid;
+                $userExists = $this->access->connection->getFromCache($cacheKey);
+                if ($userExists === false) {
+                    continue;
+                }
+                if ($userExists === null || $search !== '') {
+                    if (!$this->access->readAttribute($member,
+                        $this->access->connection->ldapUserDisplayName,
+                        $this->access->combineFilterWithAnd([
+                            $this->access->getFilterPartForUserSearch($search),
+                            $this->access->connection->ldapUserFilter
+                        ]))) {
+                        if ($search === '') {
+                            $this->access->connection->writeToCache($cacheKey, false);
+                        }
+                        continue;
+                    }
+                    $this->access->connection->writeToCache($cacheKey, true);
+                }
+                $groupUsers[] = $uid;
+            }
+        }
+
+        $groupUsers = array_unique(array_merge($groupUsers, $primaryUsers, $posixGroupUsers));
+        natsort($groupUsers);
+        $this->access->connection->writeToCache('usersInGroup-' . $gid . '-' . $search, $groupUsers);
+        $groupUsers = array_slice($groupUsers, $offset, $limit);
+
+        $this->access->connection->writeToCache($cacheKey, $groupUsers);
+
+        return $groupUsers;
+    }
+
+    /**
+     * returns the number of users in a group, who match the search term
+     *
+     * @param string $gid the internal group name
+     * @param string $search optional, a search string
+     * @return int|bool
+     * @throws Exception
+     * @throws ServerNotAvailableException
+     */
+    public function countUsersInGroup($gid, $search = '') {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::COUNT_USERS)) {
+            return $this->groupPluginManager->countUsersInGroup($gid, $search);
+        }
+
+        $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
+        if (!$this->enabled || !$this->groupExists($gid)) {
+            return false;
+        }
+        $groupUsers = $this->access->connection->getFromCache($cacheKey);
+        if (!is_null($groupUsers)) {
+            return $groupUsers;
+        }
+
+        $groupDN = $this->access->groupname2dn($gid);
+        if (!$groupDN) {
+            // group couldn't be found, return empty result set
+            $this->access->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+
+        $members = $this->_groupMembers($groupDN);
+        $primaryUserCount = $this->countUsersInPrimaryGroup($groupDN, '');
+        if (!$members && $primaryUserCount === 0) {
+            //in case users could not be retrieved, return empty result set
+            $this->access->connection->writeToCache($cacheKey, false);
+            return false;
+        }
+
+        if ($search === '') {
+            $groupUsers = count($members) + $primaryUserCount;
+            $this->access->connection->writeToCache($cacheKey, $groupUsers);
+            return $groupUsers;
+        }
+        $search = $this->access->escapeFilterPart($search, true);
+        $isMemberUid =
+            (strtolower($this->access->connection->ldapGroupMemberAssocAttr)
+                === 'memberuid');
+
+        //we need to apply the search filter
+        //alternatives that need to be checked:
+        //a) get all users by search filter and array_intersect them
+        //b) a, but only when less than 1k 10k ?k users like it is
+        //c) put all DNs|uids in a LDAP filter, combine with the search string
+        //   and let it count.
+        //For now this is not important, because the only use of this method
+        //does not supply a search string
+        $groupUsers = [];
+        foreach ($members as $member) {
+            if ($isMemberUid) {
+                //we got uids, need to get their DNs to 'translate' them to user names
+                $filter = $this->access->combineFilterWithAnd([
+                    str_replace('%uid', $member, $this->access->connection->ldapLoginFilter),
+                    $this->access->getFilterPartForUserSearch($search)
+                ]);
+                $ldap_users = $this->access->fetchListOfUsers($filter, ['dn'], 1);
+                if (count($ldap_users) < 1) {
+                    continue;
+                }
+                $groupUsers[] = $this->access->dn2username($ldap_users[0]);
+            } else {
+                //we need to apply the search filter now
+                if (!$this->access->readAttribute($member,
+                    $this->access->connection->ldapUserDisplayName,
+                    $this->access->getFilterPartForUserSearch($search))) {
+                    continue;
+                }
+                // dn2username will also check if the users belong to the allowed base
+                if ($ncGroupId = $this->access->dn2username($member)) {
+                    $groupUsers[] = $ncGroupId;
+                }
+            }
+        }
+
+        //and get users that have the group as primary
+        $primaryUsers = $this->countUsersInPrimaryGroup($groupDN, $search);
+
+        return count($groupUsers) + $primaryUsers;
+    }
+
+    /**
+     * get a list of all groups using a paged search
+     *
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return array with group names
+     *
+     * Returns a list with all groups
+     * Uses a paged search if available to override a
+     * server side search limit.
+     * (active directory has a limit of 1000 by default)
+     * @throws Exception
+     */
+    public function getGroups($search = '', $limit = -1, $offset = 0) {
+        if (!$this->enabled) {
+            return [];
+        }
+        $cacheKey = 'getGroups-' . $search . '-' . $limit . '-' . $offset;
+
+        //Check cache before driving unnecessary searches
+        $ldap_groups = $this->access->connection->getFromCache($cacheKey);
+        if (!is_null($ldap_groups)) {
+            return $ldap_groups;
+        }
+
+        // if we'd pass -1 to LDAP search, we'd end up in a Protocol
+        // error. With a limit of 0, we get 0 results. So we pass null.
+        if ($limit <= 0) {
+            $limit = null;
+        }
+        $filter = $this->access->combineFilterWithAnd([
+            $this->access->connection->ldapGroupFilter,
+            $this->access->getFilterPartForGroupSearch($search)
+        ]);
+        $ldap_groups = $this->access->fetchListOfGroups($filter,
+            [$this->access->connection->ldapGroupDisplayName, 'dn'],
+            $limit,
+            $offset);
+        $ldap_groups = $this->access->nextcloudGroupNames($ldap_groups);
+
+        $this->access->connection->writeToCache($cacheKey, $ldap_groups);
+        return $ldap_groups;
+    }
+
+    /**
+     * check if a group exists
+     *
+     * @param string $gid
+     * @return bool
+     * @throws ServerNotAvailableException
+     */
+    public function groupExists($gid) {
+        $groupExists = $this->access->connection->getFromCache('groupExists' . $gid);
+        if (!is_null($groupExists)) {
+            return (bool)$groupExists;
+        }
+
+        //getting dn, if false the group does not exist. If dn, it may be mapped
+        //only, requires more checking.
+        $dn = $this->access->groupname2dn($gid);
+        if (!$dn) {
+            $this->access->connection->writeToCache('groupExists' . $gid, false);
+            return false;
+        }
+
+        if (!$this->access->isDNPartOfBase($dn, $this->access->connection->ldapBaseGroups)) {
+            $this->access->connection->writeToCache('groupExists' . $gid, false);
+            return false;
+        }
+
+        //if group really still exists, we will be able to read its objectClass
+        if (!is_array($this->access->readAttribute($dn, '', $this->access->connection->ldapGroupFilter))) {
+            $this->access->connection->writeToCache('groupExists' . $gid, false);
+            return false;
+        }
+
+        $this->access->connection->writeToCache('groupExists' . $gid, true);
+        return true;
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     * @throws Exception
+     */
+    protected function filterValidGroups(array $listOfGroups): array {
+        $validGroupDNs = [];
+        foreach ($listOfGroups as $key => $item) {
+            $dn = is_string($item) ? $item : $item['dn'][0];
+            $gid = $this->access->dn2groupname($dn);
+            if (!$gid) {
+                continue;
+            }
+            if ($this->groupExists($gid)) {
+                $validGroupDNs[$key] = $item;
+            }
+        }
+        return $validGroupDNs;
+    }
+
+    /**
+     * Check if backend implements actions
+     *
+     * @param int $actions bitwise-or'ed actions
+     * @return boolean
+     *
+     * Returns the supported actions as int to be
+     * compared with GroupInterface::CREATE_GROUP etc.
+     */
+    public function implementsActions($actions) {
+        return (bool)((GroupInterface::COUNT_USERS |
+                $this->groupPluginManager->getImplementedActions()) & $actions);
+    }
+
+    /**
+     * Return access for LDAP interaction.
+     *
+     * @return Access instance of Access for LDAP interaction
+     */
+    public function getLDAPAccess($gid) {
+        return $this->access;
+    }
+
+    /**
+     * create a group
+     *
+     * @param string $gid
+     * @return bool
+     * @throws Exception
+     * @throws ServerNotAvailableException
+     */
+    public function createGroup($gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::CREATE_GROUP)) {
+            if ($dn = $this->groupPluginManager->createGroup($gid)) {
+                //updates group mapping
+                $uuid = $this->access->getUUID($dn, false);
+                if (is_string($uuid)) {
+                    $this->access->mapAndAnnounceIfApplicable(
+                        $this->access->getGroupMapper(),
+                        $dn,
+                        $gid,
+                        $uuid,
+                        false
+                    );
+                    $this->access->cacheGroupExists($gid);
+                }
+            }
+            return $dn != null;
+        }
+        throw new Exception('Could not create group in LDAP backend.');
+    }
+
+    /**
+     * delete a group
+     *
+     * @param string $gid gid of the group to delete
+     * @return bool
+     * @throws Exception
+     */
+    public function deleteGroup($gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::DELETE_GROUP)) {
+            if ($ret = $this->groupPluginManager->deleteGroup($gid)) {
+                #delete group in nextcloud internal db
+                $this->access->getGroupMapper()->unmap($gid);
+                $this->access->connection->writeToCache("groupExists" . $gid, false);
+            }
+            return $ret;
+        }
+        throw new Exception('Could not delete group in LDAP backend.');
+    }
+
+    /**
+     * Add a user to a group
+     *
+     * @param string $uid Name of the user to add to group
+     * @param string $gid Name of the group in which add the user
+     * @return bool
+     * @throws Exception
+     */
+    public function addToGroup($uid, $gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::ADD_TO_GROUP)) {
+            if ($ret = $this->groupPluginManager->addToGroup($uid, $gid)) {
+                $this->access->connection->clearCache();
+                unset($this->cachedGroupMembers[$gid]);
+            }
+            return $ret;
+        }
+        throw new Exception('Could not add user to group in LDAP backend.');
+    }
+
+    /**
+     * Removes a user from a group
+     *
+     * @param string $uid Name of the user to remove from group
+     * @param string $gid Name of the group from which remove the user
+     * @return bool
+     * @throws Exception
+     */
+    public function removeFromGroup($uid, $gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::REMOVE_FROM_GROUP)) {
+            if ($ret = $this->groupPluginManager->removeFromGroup($uid, $gid)) {
+                $this->access->connection->clearCache();
+                unset($this->cachedGroupMembers[$gid]);
+            }
+            return $ret;
+        }
+        throw new Exception('Could not remove user from group in LDAP backend.');
+    }
+
+    /**
+     * Gets group details
+     *
+     * @param string $gid Name of the group
+     * @return array|false
+     * @throws Exception
+     */
+    public function getGroupDetails($gid) {
+        if ($this->groupPluginManager->implementsActions(GroupInterface::GROUP_DETAILS)) {
+            return $this->groupPluginManager->getGroupDetails($gid);
+        }
+        throw new Exception('Could not get group details in LDAP backend.');
+    }
+
+    /**
+     * Return LDAP connection resource from a cloned connection.
+     * The cloned connection needs to be closed manually.
+     * of the current access.
+     *
+     * @param string $gid
+     * @return resource of the LDAP connection
+     * @throws ServerNotAvailableException
+     */
+    public function getNewLDAPConnection($gid) {
+        $connection = clone $this->access->getConnection();
+        return $connection->getConnectionResource();
+    }
+
+    /**
+     * @throws ServerNotAvailableException
+     */
+    public function getDisplayName(string $gid): string {
+        if ($this->groupPluginManager instanceof IGetDisplayNameBackend) {
+            return $this->groupPluginManager->getDisplayName($gid);
+        }
+
+        $cacheKey = 'group_getDisplayName' . $gid;
+        if (!is_null($displayName = $this->access->connection->getFromCache($cacheKey))) {
+            return $displayName;
+        }
+
+        $displayName = $this->access->readAttribute(
+            $this->access->groupname2dn($gid),
+            $this->access->connection->ldapGroupDisplayName);
+
+        if ($displayName && (count($displayName) > 0)) {
+            $displayName = $displayName[0];
+            $this->access->connection->writeToCache($cacheKey, $displayName);
+            return $displayName;
+        }
+
+        return '';
+    }
 }

Please login to merge, or discard this patch.

Spacing +34 added lines, -34 removed lines patch added patch discarded remove patch

@@ -94,10 +94,10 @@  discard block
 block discarded – undo
 		if (!$this->enabled) {
 			return false;
 		}
-		$cacheKey = 'inGroup' . $uid . ':' . $gid;
+		$cacheKey = 'inGroup'.$uid.':'.$gid;
 		$inGroup = $this->access->connection->getFromCache($cacheKey);
 		if (!is_null($inGroup)) {
-			return (bool)$inGroup;
+			return (bool) $inGroup;
 		}
 
 		$userDN = $this->access->username2dn($uid);
@@ -106,7 +106,7 @@  discard block
 block discarded – undo
 			return in_array($userDN, $this->cachedGroupMembers[$gid]);
 		}
 
-		$cacheKeyMembers = 'inGroup-members:' . $gid;
+		$cacheKeyMembers = 'inGroup-members:'.$gid;
 		$members = $this->access->connection->getFromCache($cacheKeyMembers);
 		if (!is_null($members)) {
 			$this->cachedGroupMembers[$gid] = $members;
@@ -227,7 +227,7 @@  discard block
 block discarded – undo
 			return [];
 		}
 		// used extensively in cron job, caching makes sense for nested groups
-		$cacheKey = '_groupMembers' . $dnGroup;
+		$cacheKey = '_groupMembers'.$dnGroup;
 		$groupMembers = $this->access->connection->getFromCache($cacheKey);
 		if ($groupMembers !== null) {
 			return $groupMembers;
@@ -235,7 +235,7 @@  discard block
 block discarded – undo
 		$seen[$dnGroup] = 1;
 		$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
 		if (is_array($members)) {
-			$fetcher = function ($memberDN, &$seen) {
+			$fetcher = function($memberDN, &$seen) {
 				return $this->_groupMembers($memberDN, $seen);
 			};
 			$allMembers = $this->walkNestedGroups($dnGroup, $fetcher, $members);
@@ -256,7 +256,7 @@  discard block
 block discarded – undo
 			return [];
 		}
 
-		$fetcher = function ($groupDN) {
+		$fetcher = function($groupDN) {
 			if (isset($this->cachedNestedGroups[$groupDN])) {
 				$nestedGroups = $this->cachedNestedGroups[$groupDN];
 			} else {
@@ -274,7 +274,7 @@  discard block
 block discarded – undo
 	}
 
 	private function walkNestedGroups(string $dn, Closure $fetcher, array $list): array {
-		$nesting = (int)$this->access->connection->ldapNestedGroups;
+		$nesting = (int) $this->access->connection->ldapNestedGroups;
 		// depending on the input, we either have a list of DNs or a list of LDAP records
 		// also, the output expects either DNs or records. Testing the first element should suffice.
 		$recordMode = is_array($list) && isset($list[0]) && is_array($list[0]) && isset($list[0]['dn'][0]);
@@ -282,7 +282,7 @@  discard block
 block discarded – undo
 		if ($nesting !== 1) {
 			if ($recordMode) {
 				// the keys are numeric, but should hold the DN
-				return array_reduce($list, function ($transformed, $record) use ($dn) {
+				return array_reduce($list, function($transformed, $record) use ($dn) {
 					if ($record['dn'][0] != $dn) {
 						$transformed[$record['dn'][0]] = $record;
 					}
@@ -315,7 +315,7 @@  discard block
 block discarded – undo
 	 * @throws ServerNotAvailableException
 	 */
 	public function gidNumber2Name(string $gid, string $dn) {
-		$cacheKey = 'gidNumberToName' . $gid;
+		$cacheKey = 'gidNumberToName'.$gid;
 		$groupName = $this->access->connection->getFromCache($cacheKey);
 		if (!is_null($groupName) && isset($groupName)) {
 			return $groupName;
@@ -325,7 +325,7 @@  discard block
 block discarded – undo
 		$filter = $this->access->combineFilterWithAnd([
 			$this->access->connection->ldapGroupFilter,
 			'objectClass=posixGroup',
-			$this->access->connection->ldapGidNumber . '=' . $gid
+			$this->access->connection->ldapGidNumber.'='.$gid
 		]);
 		return $this->getNameOfGroup($filter, $cacheKey) ?? false;
 	}
@@ -405,7 +405,7 @@  discard block
 block discarded – undo
 		if ($search !== '') {
 			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
 		}
-		$filterParts[] = $this->access->connection->ldapGidNumber . '=' . $groupID;
+		$filterParts[] = $this->access->connection->ldapGidNumber.'='.$groupID;
 
 		return $this->access->combineFilterWithAnd($filterParts);
 	}
@@ -475,7 +475,7 @@  discard block
 block discarded – undo
 		//we need to get the DN from LDAP
 		$filter = $this->access->combineFilterWithAnd([
 			$this->access->connection->ldapGroupFilter,
-			'objectsid=' . $domainObjectSid . '-' . $gid
+			'objectsid='.$domainObjectSid.'-'.$gid
 		]);
 		return $this->getNameOfGroup($filter, $cacheKey) ?? false;
 	}
@@ -532,7 +532,7 @@  discard block
 block discarded – undo
 		if ($search !== '') {
 			$filterParts[] = $this->access->getFilterPartForUserSearch($search);
 		}
-		$filterParts[] = 'primaryGroupID=' . $groupID;
+		$filterParts[] = 'primaryGroupID='.$groupID;
 
 		return $this->access->combineFilterWithAnd($filterParts);
 	}
@@ -574,7 +574,7 @@  discard block
 block discarded – undo
 		try {
 			$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
 			$users = $this->access->countUsers($filter, ['dn'], $limit, $offset);
-			return (int)$users;
+			return (int) $users;
 		} catch (ServerNotAvailableException $e) {
 			throw $e;
 		} catch (Exception $e) {
@@ -613,7 +613,7 @@  discard block
 block discarded – undo
 		if (!$this->enabled) {
 			return [];
 		}
-		$cacheKey = 'getUserGroups' . $uid;
+		$cacheKey = 'getUserGroups'.$uid;
 		$userGroups = $this->access->connection->getFromCache($cacheKey);
 		if (!is_null($userGroups)) {
 			return $userGroups;
@@ -671,8 +671,8 @@  discard block
 block discarded – undo
 		// if possible, read out membership via memberOf. It's far faster than
 		// performing a search, which still is a fallback later.
 		// memberof doesn't support memberuid, so skip it here.
-		if ((int)$this->access->connection->hasMemberOfFilterSupport === 1
-			&& (int)$this->access->connection->useMemberOfToDetectMembership === 1
+		if ((int) $this->access->connection->hasMemberOfFilterSupport === 1
+			&& (int) $this->access->connection->useMemberOfToDetectMembership === 1
 			&& strtolower($this->access->connection->ldapGroupMemberAssocAttr) !== 'memberuid'
 		) {
 			$groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
@@ -758,11 +758,11 @@  discard block
 block discarded – undo
 		}
 		$allGroups = [];
 		$seen[$dn] = true;
-		$filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
+		$filter = $this->access->connection->ldapGroupMemberAssocAttr.'='.$dn;
 		$groups = $this->access->fetchListOfGroups($filter,
 			[strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
 		if (is_array($groups)) {
-			$fetcher = function ($dn, &$seen) {
+			$fetcher = function($dn, &$seen) {
 				if (is_array($dn) && isset($dn['dn'][0])) {
 					$dn = $dn['dn'][0];
 				}
@@ -793,7 +793,7 @@  discard block
 block discarded – undo
 			return [];
 		}
 		$search = $this->access->escapeFilterPart($search, true);
-		$cacheKey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset;
+		$cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset;
 		// check for cache of the exact query
 		$groupUsers = $this->access->connection->getFromCache($cacheKey);
 		if (!is_null($groupUsers)) {
@@ -804,7 +804,7 @@  discard block
 block discarded – undo
 			$limit = null;
 		}
 		// check for cache of the query without limit and offset
-		$groupUsers = $this->access->connection->getFromCache('usersInGroup-' . $gid . '-' . $search);
+		$groupUsers = $this->access->connection->getFromCache('usersInGroup-'.$gid.'-'.$search);
 		if (!is_null($groupUsers)) {
 			$groupUsers = array_slice($groupUsers, $offset, $limit);
 			$this->access->connection->writeToCache($cacheKey, $groupUsers);
@@ -852,7 +852,7 @@  discard block
 block discarded – undo
 					continue;
 				}
 
-				$cacheKey = 'userExistsOnLDAP' . $uid;
+				$cacheKey = 'userExistsOnLDAP'.$uid;
 				$userExists = $this->access->connection->getFromCache($cacheKey);
 				if ($userExists === false) {
 					continue;
@@ -877,7 +877,7 @@  discard block
 block discarded – undo
 
 		$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers, $posixGroupUsers));
 		natsort($groupUsers);
-		$this->access->connection->writeToCache('usersInGroup-' . $gid . '-' . $search, $groupUsers);
+		$this->access->connection->writeToCache('usersInGroup-'.$gid.'-'.$search, $groupUsers);
 		$groupUsers = array_slice($groupUsers, $offset, $limit);
 
 		$this->access->connection->writeToCache($cacheKey, $groupUsers);
@@ -899,7 +899,7 @@  discard block
 block discarded – undo
 			return $this->groupPluginManager->countUsersInGroup($gid, $search);
 		}
 
-		$cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
+		$cacheKey = 'countUsersInGroup-'.$gid.'-'.$search;
 		if (!$this->enabled || !$this->groupExists($gid)) {
 			return false;
 		}
@@ -992,7 +992,7 @@  discard block
 block discarded – undo
 		if (!$this->enabled) {
 			return [];
 		}
-		$cacheKey = 'getGroups-' . $search . '-' . $limit . '-' . $offset;
+		$cacheKey = 'getGroups-'.$search.'-'.$limit.'-'.$offset;
 
 		//Check cache before driving unnecessary searches
 		$ldap_groups = $this->access->connection->getFromCache($cacheKey);
@@ -1027,31 +1027,31 @@  discard block
 block discarded – undo
 	 * @throws ServerNotAvailableException
 	 */
 	public function groupExists($gid) {
-		$groupExists = $this->access->connection->getFromCache('groupExists' . $gid);
+		$groupExists = $this->access->connection->getFromCache('groupExists'.$gid);
 		if (!is_null($groupExists)) {
-			return (bool)$groupExists;
+			return (bool) $groupExists;
 		}
 
 		//getting dn, if false the group does not exist. If dn, it may be mapped
 		//only, requires more checking.
 		$dn = $this->access->groupname2dn($gid);
 		if (!$dn) {
-			$this->access->connection->writeToCache('groupExists' . $gid, false);
+			$this->access->connection->writeToCache('groupExists'.$gid, false);
 			return false;
 		}
 
 		if (!$this->access->isDNPartOfBase($dn, $this->access->connection->ldapBaseGroups)) {
-			$this->access->connection->writeToCache('groupExists' . $gid, false);
+			$this->access->connection->writeToCache('groupExists'.$gid, false);
 			return false;
 		}
 
 		//if group really still exists, we will be able to read its objectClass
 		if (!is_array($this->access->readAttribute($dn, '', $this->access->connection->ldapGroupFilter))) {
-			$this->access->connection->writeToCache('groupExists' . $gid, false);
+			$this->access->connection->writeToCache('groupExists'.$gid, false);
 			return false;
 		}
 
-		$this->access->connection->writeToCache('groupExists' . $gid, true);
+		$this->access->connection->writeToCache('groupExists'.$gid, true);
 		return true;
 	}
 
@@ -1084,7 +1084,7 @@  discard block
 block discarded – undo
 	 * compared with GroupInterface::CREATE_GROUP etc.
 	 */
 	public function implementsActions($actions) {
-		return (bool)((GroupInterface::COUNT_USERS |
+		return (bool) ((GroupInterface::COUNT_USERS |
 				$this->groupPluginManager->getImplementedActions()) & $actions);
 	}
 
@@ -1138,7 +1138,7 @@  discard block
 block discarded – undo
 			if ($ret = $this->groupPluginManager->deleteGroup($gid)) {
 				#delete group in nextcloud internal db
 				$this->access->getGroupMapper()->unmap($gid);
-				$this->access->connection->writeToCache("groupExists" . $gid, false);
+				$this->access->connection->writeToCache("groupExists".$gid, false);
 			}
 			return $ret;
 		}
@@ -1219,7 +1219,7 @@  discard block
 block discarded – undo
 			return $this->groupPluginManager->getDisplayName($gid);
 		}
 
-		$cacheKey = 'group_getDisplayName' . $gid;
+		$cacheKey = 'group_getDisplayName'.$gid;
 		if (!is_null($displayName = $this->access->connection->getFromCache($cacheKey))) {
 			return $displayName;
 		}

Please login to merge, or discard this patch.

		@@ -94,10 +94,10 @@ discard block
		block discarded – undo
94	94	if (!$this->enabled) {
95	95	return false;
96	96	}
97		- $cacheKey = 'inGroup' . $uid . ':' . $gid;
	97	+ $cacheKey = 'inGroup'.$uid.':'.$gid;
98	98	$inGroup = $this->access->connection->getFromCache($cacheKey);
99	99	if (!is_null($inGroup)) {
100		- return (bool)$inGroup;
	100	+ return (bool) $inGroup;
101	101	}
102	102
103	103	$userDN = $this->access->username2dn($uid);
		@@ -106,7 +106,7 @@ discard block
		block discarded – undo
106	106	return in_array($userDN, $this->cachedGroupMembers[$gid]);
107	107	}
108	108
109		- $cacheKeyMembers = 'inGroup-members:' . $gid;
	109	+ $cacheKeyMembers = 'inGroup-members:'.$gid;
110	110	$members = $this->access->connection->getFromCache($cacheKeyMembers);
111	111	if (!is_null($members)) {
112	112	$this->cachedGroupMembers[$gid] = $members;
		@@ -227,7 +227,7 @@ discard block
		block discarded – undo
227	227	return [];
228	228	}
229	229	// used extensively in cron job, caching makes sense for nested groups
230		- $cacheKey = '_groupMembers' . $dnGroup;
	230	+ $cacheKey = '_groupMembers'.$dnGroup;
231	231	$groupMembers = $this->access->connection->getFromCache($cacheKey);
232	232	if ($groupMembers !== null) {
233	233	return $groupMembers;
		@@ -235,7 +235,7 @@ discard block
		block discarded – undo
235	235	$seen[$dnGroup] = 1;
236	236	$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
237	237	if (is_array($members)) {
238		- $fetcher = function ($memberDN, &$seen) {
	238	+ $fetcher = function($memberDN, &$seen) {
239	239	return $this->_groupMembers($memberDN, $seen);
240	240	};
241	241	$allMembers = $this->walkNestedGroups($dnGroup, $fetcher, $members);
		@@ -256,7 +256,7 @@ discard block
		block discarded – undo
256	256	return [];
257	257	}
258	258
259		- $fetcher = function ($groupDN) {
	259	+ $fetcher = function($groupDN) {
260	260	if (isset($this->cachedNestedGroups[$groupDN])) {
261	261	$nestedGroups = $this->cachedNestedGroups[$groupDN];
262	262	} else {
		@@ -274,7 +274,7 @@ discard block
		block discarded – undo
274	274	}
275	275
276	276	private function walkNestedGroups(string $dn, Closure $fetcher, array $list): array {
277		- $nesting = (int)$this->access->connection->ldapNestedGroups;
	277	+ $nesting = (int) $this->access->connection->ldapNestedGroups;
278	278	// depending on the input, we either have a list of DNs or a list of LDAP records
279	279	// also, the output expects either DNs or records. Testing the first element should suffice.
280	280	$recordMode = is_array($list) && isset($list[0]) && is_array($list[0]) && isset($list[0]['dn'][0]);
		@@ -282,7 +282,7 @@ discard block
		block discarded – undo
282	282	if ($nesting !== 1) {
283	283	if ($recordMode) {
284	284	// the keys are numeric, but should hold the DN
285		- return array_reduce($list, function ($transformed, $record) use ($dn) {
	285	+ return array_reduce($list, function($transformed, $record) use ($dn) {
286	286	if ($record['dn'][0] != $dn) {
287	287	$transformed[$record['dn'][0]] = $record;
288	288	}
		@@ -315,7 +315,7 @@ discard block
		block discarded – undo
315	315	* @throws ServerNotAvailableException
316	316	*/
317	317	public function gidNumber2Name(string $gid, string $dn) {
318		- $cacheKey = 'gidNumberToName' . $gid;
	318	+ $cacheKey = 'gidNumberToName'.$gid;
319	319	$groupName = $this->access->connection->getFromCache($cacheKey);
320	320	if (!is_null($groupName) && isset($groupName)) {
321	321	return $groupName;
		@@ -325,7 +325,7 @@ discard block
		block discarded – undo
325	325	$filter = $this->access->combineFilterWithAnd([
326	326	$this->access->connection->ldapGroupFilter,
327	327	'objectClass=posixGroup',
328		- $this->access->connection->ldapGidNumber . '=' . $gid
	328	+ $this->access->connection->ldapGidNumber.'='.$gid
329	329	]);
330	330	return $this->getNameOfGroup($filter, $cacheKey) ?? false;
331	331	}
		@@ -405,7 +405,7 @@ discard block
		block discarded – undo
405	405	if ($search !== '') {
406	406	$filterParts[] = $this->access->getFilterPartForUserSearch($search);
407	407	}
408		- $filterParts[] = $this->access->connection->ldapGidNumber . '=' . $groupID;
	408	+ $filterParts[] = $this->access->connection->ldapGidNumber.'='.$groupID;
409	409
410	410	return $this->access->combineFilterWithAnd($filterParts);
411	411	}
		@@ -475,7 +475,7 @@ discard block
		block discarded – undo
475	475	//we need to get the DN from LDAP
476	476	$filter = $this->access->combineFilterWithAnd([
477	477	$this->access->connection->ldapGroupFilter,
478		- 'objectsid=' . $domainObjectSid . '-' . $gid
	478	+ 'objectsid='.$domainObjectSid.'-'.$gid
479	479	]);
480	480	return $this->getNameOfGroup($filter, $cacheKey) ?? false;
481	481	}
		@@ -532,7 +532,7 @@ discard block
		block discarded – undo
532	532	if ($search !== '') {
533	533	$filterParts[] = $this->access->getFilterPartForUserSearch($search);
534	534	}
535		- $filterParts[] = 'primaryGroupID=' . $groupID;
	535	+ $filterParts[] = 'primaryGroupID='.$groupID;
536	536
537	537	return $this->access->combineFilterWithAnd($filterParts);
538	538	}
		@@ -574,7 +574,7 @@ discard block
		block discarded – undo
574	574	try {
575	575	$filter = $this->prepareFilterForUsersInPrimaryGroup($groupDN, $search);
576	576	$users = $this->access->countUsers($filter, ['dn'], $limit, $offset);
577		- return (int)$users;
	577	+ return (int) $users;
578	578	} catch (ServerNotAvailableException $e) {
579	579	throw $e;
580	580	} catch (Exception $e) {
		@@ -613,7 +613,7 @@ discard block
		block discarded – undo
613	613	if (!$this->enabled) {
614	614	return [];
615	615	}
616		- $cacheKey = 'getUserGroups' . $uid;
	616	+ $cacheKey = 'getUserGroups'.$uid;
617	617	$userGroups = $this->access->connection->getFromCache($cacheKey);
618	618	if (!is_null($userGroups)) {
619	619	return $userGroups;
		@@ -671,8 +671,8 @@ discard block
		block discarded – undo
671	671	// if possible, read out membership via memberOf. It's far faster than
672	672	// performing a search, which still is a fallback later.
673	673	// memberof doesn't support memberuid, so skip it here.
674		- if ((int)$this->access->connection->hasMemberOfFilterSupport === 1
675		- && (int)$this->access->connection->useMemberOfToDetectMembership === 1
	674	+ if ((int) $this->access->connection->hasMemberOfFilterSupport === 1
	675	+ && (int) $this->access->connection->useMemberOfToDetectMembership === 1
676	676	&& strtolower($this->access->connection->ldapGroupMemberAssocAttr) !== 'memberuid'
677	677	) {
678	678	$groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
		@@ -758,11 +758,11 @@ discard block
		block discarded – undo
758	758	}
759	759	$allGroups = [];
760	760	$seen[$dn] = true;
761		- $filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
	761	+ $filter = $this->access->connection->ldapGroupMemberAssocAttr.'='.$dn;
762	762	$groups = $this->access->fetchListOfGroups($filter,
763	763	[strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
764	764	if (is_array($groups)) {
765		- $fetcher = function ($dn, &$seen) {
	765	+ $fetcher = function($dn, &$seen) {
766	766	if (is_array($dn) && isset($dn['dn'][0])) {
767	767	$dn = $dn['dn'][0];
768	768	}
		@@ -793,7 +793,7 @@ discard block
		block discarded – undo
793	793	return [];
794	794	}
795	795	$search = $this->access->escapeFilterPart($search, true);
796		- $cacheKey = 'usersInGroup-' . $gid . '-' . $search . '-' . $limit . '-' . $offset;
	796	+ $cacheKey = 'usersInGroup-'.$gid.'-'.$search.'-'.$limit.'-'.$offset;
797	797	// check for cache of the exact query
798	798	$groupUsers = $this->access->connection->getFromCache($cacheKey);
799	799	if (!is_null($groupUsers)) {
		@@ -804,7 +804,7 @@ discard block
		block discarded – undo
804	804	$limit = null;
805	805	}
806	806	// check for cache of the query without limit and offset
807		- $groupUsers = $this->access->connection->getFromCache('usersInGroup-' . $gid . '-' . $search);
	807	+ $groupUsers = $this->access->connection->getFromCache('usersInGroup-'.$gid.'-'.$search);
808	808	if (!is_null($groupUsers)) {
809	809	$groupUsers = array_slice($groupUsers, $offset, $limit);
810	810	$this->access->connection->writeToCache($cacheKey, $groupUsers);
		@@ -852,7 +852,7 @@ discard block
		block discarded – undo
852	852	continue;
853	853	}
854	854
855		- $cacheKey = 'userExistsOnLDAP' . $uid;
	855	+ $cacheKey = 'userExistsOnLDAP'.$uid;
856	856	$userExists = $this->access->connection->getFromCache($cacheKey);
857	857	if ($userExists === false) {
858	858	continue;
		@@ -877,7 +877,7 @@ discard block
		block discarded – undo
877	877
878	878	$groupUsers = array_unique(array_merge($groupUsers, $primaryUsers, $posixGroupUsers));
879	879	natsort($groupUsers);
880		- $this->access->connection->writeToCache('usersInGroup-' . $gid . '-' . $search, $groupUsers);
	880	+ $this->access->connection->writeToCache('usersInGroup-'.$gid.'-'.$search, $groupUsers);
881	881	$groupUsers = array_slice($groupUsers, $offset, $limit);
882	882
883	883	$this->access->connection->writeToCache($cacheKey, $groupUsers);
		@@ -899,7 +899,7 @@ discard block
		block discarded – undo
899	899	return $this->groupPluginManager->countUsersInGroup($gid, $search);
900	900	}
901	901
902		- $cacheKey = 'countUsersInGroup-' . $gid . '-' . $search;
	902	+ $cacheKey = 'countUsersInGroup-'.$gid.'-'.$search;
903	903	if (!$this->enabled \|\| !$this->groupExists($gid)) {
904	904	return false;
905	905	}
		@@ -992,7 +992,7 @@ discard block
		block discarded – undo
992	992	if (!$this->enabled) {
993	993	return [];
994	994	}
995		- $cacheKey = 'getGroups-' . $search . '-' . $limit . '-' . $offset;
	995	+ $cacheKey = 'getGroups-'.$search.'-'.$limit.'-'.$offset;
996	996
997	997	//Check cache before driving unnecessary searches
998	998	$ldap_groups = $this->access->connection->getFromCache($cacheKey);
		@@ -1027,31 +1027,31 @@ discard block
		block discarded – undo
1027	1027	* @throws ServerNotAvailableException
1028	1028	*/
1029	1029	public function groupExists($gid) {
1030		- $groupExists = $this->access->connection->getFromCache('groupExists' . $gid);
	1030	+ $groupExists = $this->access->connection->getFromCache('groupExists'.$gid);
1031	1031	if (!is_null($groupExists)) {
1032		- return (bool)$groupExists;
	1032	+ return (bool) $groupExists;
1033	1033	}
1034	1034
1035	1035	//getting dn, if false the group does not exist. If dn, it may be mapped
1036	1036	//only, requires more checking.
1037	1037	$dn = $this->access->groupname2dn($gid);
1038	1038	if (!$dn) {
1039		- $this->access->connection->writeToCache('groupExists' . $gid, false);
	1039	+ $this->access->connection->writeToCache('groupExists'.$gid, false);
1040	1040	return false;
1041	1041	}
1042	1042
1043	1043	if (!$this->access->isDNPartOfBase($dn, $this->access->connection->ldapBaseGroups)) {
1044		- $this->access->connection->writeToCache('groupExists' . $gid, false);
	1044	+ $this->access->connection->writeToCache('groupExists'.$gid, false);
1045	1045	return false;
1046	1046	}
1047	1047
1048	1048	//if group really still exists, we will be able to read its objectClass
1049	1049	if (!is_array($this->access->readAttribute($dn, '', $this->access->connection->ldapGroupFilter))) {
1050		- $this->access->connection->writeToCache('groupExists' . $gid, false);
	1050	+ $this->access->connection->writeToCache('groupExists'.$gid, false);
1051	1051	return false;
1052	1052	}
1053	1053
1054		- $this->access->connection->writeToCache('groupExists' . $gid, true);
	1054	+ $this->access->connection->writeToCache('groupExists'.$gid, true);
1055	1055	return true;
1056	1056	}
1057	1057
		@@ -1084,7 +1084,7 @@ discard block
		block discarded – undo
1084	1084	* compared with GroupInterface::CREATE_GROUP etc.
1085	1085	*/
1086	1086	public function implementsActions($actions) {
1087		- return (bool)((GroupInterface::COUNT_USERS \|
	1087	+ return (bool) ((GroupInterface::COUNT_USERS \|
1088	1088	$this->groupPluginManager->getImplementedActions()) & $actions);
1089	1089	}
1090	1090
		@@ -1138,7 +1138,7 @@ discard block
		block discarded – undo
1138	1138	if ($ret = $this->groupPluginManager->deleteGroup($gid)) {
1139	1139	#delete group in nextcloud internal db
1140	1140	$this->access->getGroupMapper()->unmap($gid);
1141		- $this->access->connection->writeToCache("groupExists" . $gid, false);
	1141	+ $this->access->connection->writeToCache("groupExists".$gid, false);
1142	1142	}
1143	1143	return $ret;
1144	1144	}
		@@ -1219,7 +1219,7 @@ discard block
		block discarded – undo
1219	1219	return $this->groupPluginManager->getDisplayName($gid);
1220	1220	}
1221	1221
1222		- $cacheKey = 'group_getDisplayName' . $gid;
	1222	+ $cacheKey = 'group_getDisplayName'.$gid;
1223	1223	if (!is_null($displayName = $this->access->connection->getFromCache($cacheKey))) {
1224	1224	return $displayName;
1225	1225	}

nextcloud / server

Push — master ( db782f...d72d9f )

Status

Category

Indentation +1984 added lines, -1984 removed lines patch added patch discarded remove patch

Indentation +615 added lines, -615 removed lines patch added patch discarded remove patch

Indentation +1183 added lines, -1183 removed lines patch added patch discarded remove patch

Spacing +34 added lines, -34 removed lines patch added patch discarded remove patch