Merge branch 'hotfix/48'

Close #48

Author: weierophinney

.gitignore

@@ -6,9 +6,12 @@
 .vagrant/
 .*.sw*
 .*.un~
+doc/html/
+tmp/
+vendor/
+zf-mkdoc-theme/
+
 clover.xml
 coveralls-upload.json
 nbproject
 phpunit.xml
-tmp/
-vendor/

.travis.yml

@@ -10,6 +10,8 @@ branches:
 cache:
   directories:
     - $HOME/.composer/cache
+    - $HOME/.local
+    - zf-mkdoc-theme
 
 addons:
   apt:
@@ -21,6 +23,11 @@ env:
   global:
     - TESTS_ZEND_LDAP_ONLINE_ENABLED=true
     - COMPOSER_ARGS="--no-interaction --ignore-platform-reqs"
+    - SITE_URL: https://zendframework.github.io/zend-ldap
+    - GH_USER_NAME: "Matthew Weier O'Phinney"
+    - GH_USER_EMAIL: [email protected]
+    - GH_REF: github.com/zendframework/zend-ldap.git
+    - secure: "oyutreHfOP5k3jQ3zZ28iJj64OSVCNqnCVfQrWnTDf3woV63vK0Le4X1O6WopAbd8yoEaN30nJ49X81zAUFN4lneulvitFHjEHvzNkOxFPWxfBK+APCnu0U0Z/a0BiFyoo1A5CGS3OrRpT1WL+CpTy49gpaqlfCnUVP/EnOP1uisKQIVQFbzoKl+0yAMzIXZ8rS5uFTej9lKbGi0V3+Gg896xXsmhLkb4ElNNNkccvB11cgDBLUarM43qL/s7kINv1uPbJ51WERujlZkcRH/s4OcYKPRREeDr+9aMZTELTuGFKLQKrhuA13YkHOSB/j6NnXEuEIVCpaVndrMXm69NBe/IfOuvSQoa4m0E7Ks6DZlX7nkj3rudlmX/+KakI+uJQdQLs7JDYKchuhX5hDO0dHGNTdwsPJAb06zDKR2HIfgzVZTX27//5PAKSU5DLOEM9sDYJAhQkxt0iC1L4xmQo/XOG8VNXL7usARouVI9FhmgPezmUDaN4CzvrD6kYtOVL3I9UwklnBQ0tJbO/CHnaq/eiWeNFL4tPDNim6c4pz9YayFQbOlu3SUy6lE/fwbXS1YtMl3t0MlO62B8wt+x0XlIJVTmMK0PFVj/cl93WUYZxxTZnFNvcy3VtmK7g6aNtHpAJaDQCl6Fu8K4xrWoTewG9m78KXu7p21gv9BjW8="
 
 matrix:
   fast_finish: true
@@ -42,6 +49,8 @@ matrix:
       env:
         - DEPS=locked
         - TEST_COVERAGE=true
+        - DEPLOY_DOCS="$(if [[ $TRAVIS_BRANCH == 'master' && $TRAVIS_PULL_REQUEST == 'false' ]]; then echo -n 'true' ; else echo -n 'false' ; fi)"
+        - PATH="$HOME/.local/bin:$PATH"
     - php: 5.6
       env:
         - DEPS=latest
@@ -91,6 +100,11 @@ script:
   - if [[ $TEST_COVERAGE == 'true' ]]; then composer test-coverage ; fi
   - if [[ $TEST_COVERAGE != 'true' ]]; then composer test ; fi
   - if [[ $CHECK_CS == 'true' ]]; then composer cs-check ; fi
+  - if [[ $DEPLOY_DOCS == "true" && "$TRAVIS_TEST_RESULT" == "0" ]]; then wget -O theme-installer.sh "https://raw.githubusercontent.com/zendframework/zf-mkdoc-theme/master/theme-installer.sh" ; chmod 755 theme-installer.sh ; ./theme-installer.sh ; fi
+
+after_success:
+  - if [[ $DEPLOY_DOCS == "true" ]]; then echo "Preparing to build and deploy documentation" ; ./zf-mkdoc-theme/deploy.sh ; echo "Completed deploying documentation" ; fi
+
 
 after_script:
   - if [[ $TEST_COVERAGE == 'true' ]]; then travis_retry composer upload-coverage ; fi

CHANGELOG.md

@@ -6,7 +6,8 @@ All notable changes to this project will be documented in this file, in reverse
 
 ### Added
 
-- Nothing.
+- [#48](https://github.com/zendframework/zend-ldap/pull/48) adds and publishes
+  the documentation to https://zendframework.github.io/zend-ldap/
 
 ### Deprecated
 

README.md

@@ -3,9 +3,8 @@
 [![Build Status](https://secure.travis-ci.org/zendframework/zend-ldap.svg?branch=master)](https://secure.travis-ci.org/zendframework/zend-ldap)
 [![Coverage Status](https://coveralls.io/repos/zendframework/zend-ldap/badge.svg?branch=master)](https://coveralls.io/r/zendframework/zend-ldap?branch=master)
 
-`Zend\Ldap\Ldap` is a class for performing LDAP operations including but not
-limited to binding, searching and modifying entries in an LDAP directory.
-
+zend-ldap provides functionality for performing LDAP operations, including, but
+not limited to, binding, searching and modifying entries in an LDAP directory.
 
 - File issues at https://github.com/zendframework/zend-ldap/issues
-- Documentation is at http://framework.zend.com/manual/current/en/index.html#zend-ldap
+- Documentation is at https://zendframework.github.io/zend-ldap/

doc/book/api.md

@@ -0,0 +1,12 @@
+<div class="container">
+    <div class="jumbotron">
+        <h1>zend-ldap</h1>
+
+        <p>
+            Perform LDAP operations, including binding, searching and modifying entries in an LDAP directory.
+        </p>
+
+        <pre><code class="language-bash">$ composer require zendframework/zend-ldap</code></pre>
+    </div>
+</div>
+

doc/book/index.html

@@ -0,0 +1 @@
+../../README.md

doc/book/index.md

@@ -0,0 +1,215 @@
+# Introduction
+
+zend-ldap lets you perform LDAP operations, including, but not limited to,
+binding, searching and modifying entries in an LDAP directory.
+
+## Theory of operation
+
+This component currently consists of the main `Zend\Ldap\Ldap` class, which
+conceptually represents a binding to a single LDAP server and allows for
+executing operations against a LDAP server such as OpenLDAP or ActiveDirectory
+(AD) servers. The parameters for binding may be provided explicitly or in the
+form of an options array. `Zend\Ldap\Node` provides an object-oriented interface
+for single LDAP nodes and can be used to form a basis for an active-record-like
+interface for a LDAP-based domain model.
+
+The component provides several helper classes to perform operations on LDAP
+entries (`Zend\Ldap\Attribute`) such as setting and retrieving attributes (date
+values, passwords, boolean values, ...), to create and modify LDAP filter
+strings (`Zend\Ldap\Filter`) and to manipulate LDAP distinguished names (DN)
+(`Zend\Ldap\Dn`).
+
+Additionally the component abstracts LDAP schema browsing for OpenLDAP and
+ActiveDirectory servers `Zend\Ldap\Node\Schema` and server information retrieval
+for OpenLDAP-, ActiveDirectory- and Novell eDirectory servers
+(`Zend\Ldap\Node\RootDse`).
+
+Usage of zend-ldap depends on the type of LDAP server, and is best summarized with
+some examples.
+
+If you are using OpenLDAP, consider the following example (note that the
+`bindRequiresDn` option is important if you are **not** using AD):
+
+```php
+use Zend\Ldap\Ldap;
+
+$options = [
+    'host'              => 's0.foo.net',
+    'username'          => 'CN=user1,DC=foo,DC=net',
+    'password'          => 'pass1',
+    'bindRequiresDn'    => true,
+    'accountDomainName' => 'foo.net',
+    'baseDn'            => 'OU=Sales,DC=foo,DC=net',
+];
+
+$ldap = new Ldap($options);
+$acctname = $ldap->getCanonicalAccountName('abaker', Ldap::ACCTNAME_FORM_DN);
+echo "$acctname\n";
+```
+
+If you are using Microsoft AD:
+
+```php
+use Zend\Ldap\Ldap;
+
+$options = [
+    'host'                   => 'dc1.w.net',
+    'useStartTls'            => true,
+    'username'               => '[email protected]',
+    'password'               => 'pass1',
+    'accountDomainName'      => 'w.net',
+    'accountDomainNameShort' => 'W',
+    'baseDn'                 => 'CN=Users,DC=w,DC=net',
+];
+
+$ldap = new Ldap($options);
+$acctname = $ldap->getCanonicalAccountName('bcarter', Ldap::ACCTNAME_FORM_DN);
+echo "$acctname\n";
+```
+
+Note that we use the `getCanonicalAccountName()` method to retrieve the account
+DN here only because that is what exercises the most of what little code is
+currently present in this class.
+
+### Automatic Username Canonicalization When Binding
+
+If `bind()` is called with a non-DN username but `bindRequiresDN` is `true`
+and no username in DN form was supplied as an option, the bind will fail.
+However, if a username in DN form is supplied in the options array,
+`Zend\Ldap\Ldap` will first bind with that username, retrieve the account DN for
+the username supplied to `bind()` and then re-bind with that DN.
+
+This behavior is critical to [Zend\\Authentication\\Adapter\\Ldap](http://zendframework.github.io/zend-authentication/adapter/ldap/),
+which passes the username supplied by the user directly to `bind()`.
+
+The following example illustrates how the non-DN username 'abaker' can be used
+with `bind()`:
+
+```php
+use Zend\Ldap\Ldap;
+
+$options = [
+    'host'              => 's0.foo.net',
+    'username'          => 'CN=user1,DC=foo,DC=net',
+    'password'          => 'pass1',
+    'bindRequiresDn'    => true,
+    'accountDomainName' => 'foo.net',
+    'baseDn'            => 'OU=Sales,DC=foo,DC=net',
+];
+
+$ldap = new Ldap($options);
+$ldap->bind('abaker', 'moonbike55');
+$acctname = $ldap->getCanonicalAccountName('abaker', Ldap::ACCTNAME_FORM_DN);
+echo "$acctname\n";
+```
+
+The `bind()` call in this example sees that the username 'abaker' is not in DN
+form, finds `bindRequiresDn` is `TRUE`, uses `CN=user1,DC=foo,DC=net` and
+`pass1` to bind, retrieves the DN for 'abaker', unbinds and then rebinds with
+the newly discovered `CN=Alice Baker,OU=Sales,DC=foo,DC=net`.
+
+### Account Name Canonicalization
+
+The `accountDomainName` and `accountDomainNameShort` options are used for two
+purposes: (1) they facilitate multi-domain authentication and failover
+capability, and (2) they are also used to canonicalize usernames. Specifically,
+names are canonicalized to the form specified by the `accountCanonicalForm`
+option. This option may one of the following values:
+
+The default canonicalization depends on what account domain name options were
+supplied. If `accountDomainNameShort` was supplied, the default
+`accountCanonicalForm` value is `ACCTNAME_FORM_BACKSLASH`. Otherwise, if
+`accountDomainName` was supplied, the default is `ACCTNAME_FORM_PRINCIPAL`.
+
+Account name canonicalization ensures that the string used to identify an
+account is consistent regardless of what was supplied to `bind()`. For example,
+if the user supplies an account name of `[email protected]` or just `abaker`
+and the `accountCanonicalForm` is set to 3, the resulting canonicalized name
+would be `EXAMPLE\\abaker`.
+
+### Multi-domain Authentication and Failover
+
+The `Zend\Ldap\Ldap` component by itself makes no attempt to authenticate with
+multiple servers.  However, `Zend\Ldap\Ldap` is specifically designed to handle
+this scenario gracefully. The required technique is to simply iterate over an
+array of arrays of serve options and attempt to bind with each server. As
+described above `bind()` will automatically canonicalize each name, so it does
+not matter if the user passes `[email protected]` or `Wbcarter` or `cdavis`; the
+`bind()` method will only succeed if the credentials were successfully used in
+the bind.
+
+Consider the following example that illustrates the technique required to
+implement multi-domain authentication and failover:
+
+```php
+use Zend\Ldap\Exception\LdapException;
+use Zend\Ldap\Ldap;
+
+$acctname = 'W\\user2';
+$password = 'pass2';
+
+$multiOptions = [
+    'server1' => [
+        'host'                   => 's0.foo.net',
+        'username'               => 'CN=user1,DC=foo,DC=net',
+        'password'               => 'pass1',
+        'bindRequiresDn'         => true,
+        'accountDomainName'      => 'foo.net',
+        'accountDomainNameShort' => 'FOO',
+        'accountCanonicalForm'   => 4, // ACCT_FORM_PRINCIPAL
+        'baseDn'                 => 'OU=Sales,DC=foo,DC=net',
+    ],
+    'server2' => [
+        'host'                   => 'dc1.w.net',
+        'useSsl'                 => true,
+        'username'               => '[email protected]',
+        'password'               => 'pass1',
+        'accountDomainName'      => 'w.net',
+        'accountDomainNameShort' => 'W',
+        'accountCanonicalForm'   => 4, // ACCT_FORM_PRINCIPAL
+        'baseDn'                 => 'CN=Users,DC=w,DC=net',
+    ],
+];
+
+$ldap = new Ldap();
+
+foreach ($multiOptions as $name => $options) {
+    echo "Trying to bind using server options for '$name'\n";
+
+    $ldap->setOptions($options);
+    try {
+        $ldap->bind($acctname, $password);
+        $acctname = $ldap->getCanonicalAccountName($acctname);
+        echo "SUCCESS: authenticated $acctname\n";
+        return;
+    } catch (LdapException $zle) {
+        echo '  ' . $zle->getMessage() . "\n";
+        if ($zle->getCode() === LdapException::LDAP_X_DOMAIN_MISMATCH) {
+            continue;
+        }
+    }
+}
+```
+
+If the bind fails for any reason, the next set of server options is tried.
+
+The `getCanonicalAccountName()` call gets the canonical account name that the
+application would presumably use to associate data with such as preferences. The
+`accountCanonicalForm = 4` in all server options ensures that the canonical form
+is consistent regardless of which server was ultimately used.
+
+The special `LDAP_X_DOMAIN_MISMATCH` exception occurs when an account name with
+a domain component was supplied (e.g., `[email protected]` or `FOO\\abaker` and not
+just `abaker`) but the domain component did not match either domain in the
+currently selected server options. This exception indicates that the server is
+not an authority for the account. In this case, the bind will not be performed,
+thereby eliminating unnecessary communication with the server. Note that the
+`continue` instruction has no effect in this example, but in practice for error
+handling and debugging purposes, you will probably want to check for
+`LDAP_X_DOMAIN_MISMATCH` as well as `LDAP_NO_SUCH_OBJECT` and
+`LDAP_INVALID_CREDENTIALS`.
+
+The above code is very similar to code used within
+[Zend\\Authentication\\Adapter\\Ldap](http://zendframework.github.io/zend-authentication/adapter/ldap/).
+In fact,we recommend that you use that authentication adapter for multi-domain +
+failover LDAP based authentication (or copy the code).