It bears repeating (and the examples should probably be updated) that ldap_connect() doesn't actually test the connection to the specified ldap server. This is important if you're trying to build failover into your ldap-based authentication routine.
The only way to test the connection is to actually call ldap_bind( $ds, $username, $password ). But if that fails, is it because you have the wrong username/password or is it because the connection is down? As far as I can see there isn't any way to tell.
It seems that if ldap_bind() fails against your primary server, you have no choice but to try ldap_bind() with the same credentials against the backup. And yet, if your organization limits failed login attempts, a single bad password counts as two failed login attempts. Not good.
One possible workaround is to try an anonymous bind first:
<?php
$ds = ldap_connect( 'ldap://10.0.0.7/' );
$anon = @ldap_bind( $ds );
if ( !$anon ) {
$ds = ldap_connect( 'ldap://10.0.0.8/' );
}
else {
ldap_unbind( $ds );
$ds = ldap_connect( 'ldap://10.0.0.7/' );
}
$login = @ldap_bind( $ds, $username, $password );
?>
Note that this workaround relies on anonymous login being enabled, which may not always be the case. It's a little sad that there is no other way to test the connection. Hopefully this can be remedied in some future implementation of ldap_connect().
