s3/smbldap: add option to disable following LDAP refs
authorJan Engelhardt <jengelh@medozas.de>
Mon, 12 Oct 2009 09:34:58 +0000 (11:34 +0200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 12 Oct 2009 09:34:58 +0000 (11:34 +0200)
Fix bug #6717.

docs-xml/smbdotconf/ldap/ldapreffollow.xml [new file with mode: 0644]
source3/lib/smbldap.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/ldap/ldapreffollow.xml b/docs-xml/smbdotconf/ldap/ldapreffollow.xml
new file mode 100644 (file)
index 0000000..f059f15
--- /dev/null
@@ -0,0 +1,21 @@
+<samba:parameter name="ldap ref follow" context="G" type="enum"
+       advanced="1" developer="1"
+       xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+
+       <para>This option controls whether to follow LDAP referrals or not when
+       searching for entries in the LDAP database. Possible values are
+       <emphasis>on</emphasis> to enable following referrals,
+       <emphasis>off</emphasis> to disable this, and
+       <emphasis>auto</emphasis>, to use the libldap default settings.
+       libldap's choice of following referrals or not is set in
+       /etc/openldap/ldap.conf with the REFERRALS parameter as documented in
+       ldap.conf(5).</para>
+
+</description>
+
+<value type="default">auto</value>
+<value type="example">off</value>
+
+</samba:parameter>
index c96801a72b2961f6e3e3800f53e9b8d4b9391021..47b2208880e1e1d9c53f06098d412d72f73df28b 100644 (file)
@@ -721,9 +721,18 @@ int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
        rc = ldap_initialize(ldap_struct, uri);
        if (rc) {
                DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
+               return rc;
        }
 
-       return rc;
+       if (lp_ldap_ref_follow() != Auto) {
+               rc = ldap_set_option(*ldap_struct, LDAP_OPT_REFERRALS,
+                    lp_ldap_ref_follow() ? LDAP_OPT_ON : LDAP_OPT_OFF);
+               if (rc != LDAP_SUCCESS)
+                       DEBUG(0, ("Failed to set LDAP_OPT_REFERRALS: %s\n",
+                               ldap_err2string(rc)));
+       }
+
+       return LDAP_SUCCESS;
 #else 
 
        /* Parse the string manually */
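Review bot: A failed ldap_set_option(LDAP_OPT_REFERRALS) in the new block is only logged, and the function still returns LDAP_SUCCESS, so an explicit `ldap ref follow = off` can be silently lost and the connection goes on chasing referrals the administrator tried to forbid (a referral sends the client to a server it never configured, and libldap follows it with whatever rebind behaviour is in effect, commonly anonymous). Since the option is only attempted when the setting is non-auto, i.e. deliberately chosen, failing closed is the safer default: `if (rc != LDAP_SUCCESS) { DEBUG(0, ("Failed to set LDAP_OPT_REFERRALS: %s\n", ldap_err2string(rc))); return rc; }`. Separately, the option is applied only inside the HAVE_LDAP_INITIALIZE branch; the manual-parse `#else` path that begins at the last context line continues outside the hunk, so as far as is visible builds without ldap_initialize() never honour the setting, and either moving the ldap_set_option() call after the `#endif` or noting it with `/* ldap ref follow is only applied when HAVE_LDAP_INITIALIZE */` would close that gap. smb_ldap_setup_conn starts before and ends after this hunk.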
@@ -774,7 +783,6 @@ int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
        }
 #endif /* HAVE_LDAP_INITIALIZE */
 
-
        /* now set connection timeout */
 #ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
        {
index b1f2a4aeb576648874e0f1bae1ebd4cbdce859d9..7bac72ebd3e32311f14481ba233cd4a6dadbfe74 100644 (file)
@@ -260,6 +260,7 @@ struct global {
        char *szLdapGroupSuffix;
        int ldap_ssl;
        bool ldap_ssl_ads;
+       int ldap_ref_follow;
        char *szLdapSuffix;
        char *szLdapAdminDn;
        int ldap_debug_level;
@@ -3666,6 +3667,14 @@ static struct parm_struct parm_table[] = {
                .enum_list      = NULL,
                .flags          = FLAG_ADVANCED,
        },
+       {
+               .label          = "ldap ref follow",
+               .type           = P_ENUM,
+               .p_class        = P_GLOBAL,
+               .ptr            = &Globals.ldap_ref_follow,
+               .enum_list      = enum_bool_auto,
+               .flags          = FLAG_ADVANCED,
+       },
        {
                .label          = "ldap timeout",
                .type           = P_INTEGER,
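Review bot: The new parm_table entry for "ldap ref follow" sets `.flags = FLAG_ADVANCED` only, while the accompanying ldapreffollow.xml declares both `advanced="1"` and `developer="1"`; if the generated documentation and the table flags are meant to agree, one side should change, e.g. `.flags = FLAG_ADVANCED | FLAG_DEVELOPER` here if the table has a matching developer flag, or dropping `developer="1"` from the XML. The parm_table array starts and ends outside this hunk.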
@@ -5038,6 +5047,7 @@ static void init_globals(bool first_time_only)
        Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF;
        Globals.ldap_delete_dn = False;
        Globals.ldap_replication_sleep = 1000; /* wait 1 sec for replication */
+       Globals.ldap_ref_follow = Auto;
        Globals.ldap_timeout = LDAP_DEFAULT_TIMEOUT;
        Globals.ldap_connection_timeout = LDAP_CONNECTION_DEFAULT_TIMEOUT;
        Globals.ldap_page_size = LDAP_PAGE_SIZE;
@@ -5387,6 +5397,7 @@ FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
 FN_GLOBAL_BOOL(lp_ldap_ssl_ads, &Globals.ldap_ssl_ads)
+FN_GLOBAL_INTEGER(lp_ldap_ref_follow, &Globals.ldap_ref_follow)
 FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
 FN_GLOBAL_BOOL(lp_ldap_delete_dn, &Globals.ldap_delete_dn)
 FN_GLOBAL_INTEGER(lp_ldap_replication_sleep, &Globals.ldap_replication_sleep)