[rlm_ldap] chase_referrals option

Wileczek Michaël Michael.Wileczek at atosorigin.com
Thu Dec 28 15:35:41 CET 2006


Since I was fighting with authentication on a Microsoft Active Directory (bad idea, I know) using referrals, I added an option in rlm_ldap to enable/disable referral chasing during LDAP requests.

Here is the proposed patch:

===patch=== 
--- rlm_ldap.c  Thu Dec 28 15:30:43 2006
+++ new_rlm_ldap.c      Thu Dec 28 15:30:56 2006
@@ -270,6 +270,7 @@
        struct timeval  net_timeout;
        struct timeval  timeout;
        int             debug;
+       int             chase_referrals;
        int             tls_mode;
        int             start_tls;
        int             num_conns;
@@ -326,6 +327,7 @@
        /* allow server unlimited time for search (server-side limit) */
        {"timelimit", PW_TYPE_INTEGER, offsetof(ldap_instance,timelimit), NULL, "20"},
        {"identity", PW_TYPE_STRING_PTR, offsetof(ldap_instance,login), NULL, ""},
+       {"chase_referrals", PW_TYPE_BOOLEAN, offsetof(ldap_instance,chase_referrals), NULL, "yes"},
        {"tls_mode", PW_TYPE_BOOLEAN, offsetof(ldap_instance,tls_mode), NULL, "no"},
        {"start_tls", PW_TYPE_BOOLEAN, offsetof(ldap_instance,start_tls), NULL, "no"},
        {"tls_cacertfile", PW_TYPE_STRING_PTR, offsetof(ldap_instance,tls_cacertfile), NULL, NULL},
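Review bot: the new `chase_referrals` entry defaults to "yes", which keeps today's behaviour for existing configurations, but nothing in the patch documents the option; add a commented entry to the sample `ldap { }` block in the shipped radiusd.conf (for example `# chase_referrals = yes`) so administrators binding against Active Directory, the case this option exists for, can find it. The comment should say that with chasing enabled the module follows referrals to whatever server the directory names, which is why "no" is the conservative setting there.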
@@ -1972,6 +1974,15 @@
        }
        if (ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *) &(inst->net_timeout)) != LDAP_OPT_SUCCESS) {
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_NETWORK_TIMEOUT %ld.%ld", inst->net_timeout.tv_sec, inst->net_timeout.tv_usec);
+       }
+       if(inst->chase_referrals) {
+               rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
+       } else {
+               rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
+       }
+       if (rc != LDAP_OPT_SUCCESS) {
+               ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
+               radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_REFERRALS %d %s", inst->chase_referrals, ldap_err2string(ldap_errno));
        }
        if (ldap_set_option(ld, LDAP_OPT_TIMELIMIT, (void *) &(inst->timelimit)) != LDAP_OPT_SUCCESS) {
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_TIMELIMIT %d", inst->timelimit);
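Review bot: `rc` and `ldap_errno` are used in the added block but neither is declared in this hunk; confirm the enclosing function already has an `int rc` and an `int ldap_errno` in scope, otherwise this does not compile. Two smaller points: `if(inst->chase_referrals)` and `rc=ldap_set_option(...)` should be `if (inst->chase_referrals)` and `rc = ldap_set_option(...)` to match the surrounding style, and since the whole purpose of the option is to stop referral chasing against Active Directory, consider whether a failed `ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)` deserves more than a logged error, because the connection otherwise continues with the library default and the administrator's "no" is silently ignored.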
===patch===

Michaël Wileczek
System engineer - Technical Operations !TO-MCP-SSPI-IU-IW

http://www.atosorigin.com
Atos Worldline is an Atos Origin company:
www.atosorigin.com
This message is strictly confidential. Its integrity is not guaranteed on the Internet. The content of this message cannot engage the liability of the Atos Origin group. If you are not the intended recipient of this message, please notify the sender immediately and destroy it.
Although best efforts are made to keep this transmission free of any virus, the sender gives no guarantee in this regard and cannot be held liable for any damage resulting from a transmitted virus.
 
This e-mail is privileged and may contain confidential information intended only for the person(s) named above. If you receive this e-mail in error, please notify the sender immediately by telephone or return e-mail.
Although the sender endeavours to maintain a computer virus free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.