parent 8703d9f5bfd8ded57f263fd4a1f70d121b656b03 (tevent-0-9-8-325-g8703d9f) commit b0bfa856136db090d2df8bc9c75e0d170ace568d Author: Jan Engelhardt Date: Tue Sep 15 22:48:27 2009 +0200 s3/smbldap: add option to disable following LDAP refs smbd gets pretty unhappy when it sees the same user on two different DNs, such as by having "diamond reachability" (a->b->d, a->c->d) in an LDAP tree where smbd searches from the top of the diamond or nodes above it. --- docs-xml/smbdotconf/ldap/ldapreffollow.xml | 21 ++++++++++++++++++++ source3/lib/smbldap.c | 12 +++++++++- source3/param/loadparm.c | 11 ++++++++++ 3 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 docs-xml/smbdotconf/ldap/ldapreffollow.xml diff --git a/docs-xml/smbdotconf/ldap/ldapreffollow.xml b/docs-xml/smbdotconf/ldap/ldapreffollow.xml new file mode 100644 index 0000000..f059f15 --- /dev/null +++ b/docs-xml/smbdotconf/ldap/ldapreffollow.xml @@ -0,0 +1,21 @@ + + + + + This option controls whether to follow LDAP referrals or not when + searching for entries in the LDAP database. Possible values are + on to enable following referrals, + off to disable this, and + auto, to use the libldap default settings. + libldap's choice of following referrals or not is set in + /etc/openldap/ldap.conf with the REFERRALS parameter as documented in + ldap.conf(5). + + + +auto +off + + diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index c96801a..47b2208 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -721,9 +721,18 @@ int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri) rc = ldap_initialize(ldap_struct, uri); if (rc) { DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc))); + return rc; } - return rc; + if (lp_ldap_ref_follow() != Auto) { + rc = ldap_set_option(*ldap_struct, LDAP_OPT_REFERRALS, + lp_ldap_ref_follow() ? LDAP_OPT_ON : LDAP_OPT_OFF); + if (rc != LDAP_SUCCESS) + DEBUG(0, ("Failed to set LDAP_OPT_REFERRALS: %s\n", + ldap_err2string(rc))); + } + + return LDAP_SUCCESS; #else /* Parse the string manually */ @@ -774,7 +783,6 @@ int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri) } #endif /* HAVE_LDAP_INITIALIZE */ - /* now set connection timeout */ #ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */ { diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index b278b96..835824a 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -260,6 +260,7 @@ struct global { char *szLdapGroupSuffix; int ldap_ssl; bool ldap_ssl_ads; + int ldap_ref_follow; char *szLdapSuffix; char *szLdapAdminDn; int ldap_debug_level; @@ -3667,6 +3668,14 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED, }, { + .label = "ldap ref follow", + .type = P_ENUM, + .p_class = P_GLOBAL, + .ptr = &Globals.ldap_ref_follow, + .enum_list = enum_bool_auto, + .flags = FLAG_ADVANCED, + }, + { .label = "ldap timeout", .type = P_INTEGER, .p_class = P_GLOBAL, @@ -5038,6 +5047,7 @@ static void init_globals(bool first_time_only) Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF; Globals.ldap_delete_dn = False; Globals.ldap_replication_sleep = 1000; /* wait 1 sec for replication */ + Globals.ldap_ref_follow = Auto; Globals.ldap_timeout = LDAP_DEFAULT_TIMEOUT; Globals.ldap_connection_timeout = LDAP_CONNECTION_DEFAULT_TIMEOUT; Globals.ldap_page_size = LDAP_PAGE_SIZE; @@ -5387,6 +5397,7 @@ FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix) FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn) FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl) FN_GLOBAL_BOOL(lp_ldap_ssl_ads, &Globals.ldap_ssl_ads) +FN_GLOBAL_INTEGER(lp_ldap_ref_follow, &Globals.ldap_ref_follow) FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync) FN_GLOBAL_BOOL(lp_ldap_delete_dn, &Globals.ldap_delete_dn) FN_GLOBAL_INTEGER(lp_ldap_replication_sleep, &Globals.ldap_replication_sleep) -- # Created with git-export-patch