-.TH squid_ldap_auth 8 "17 July 2004" "Squid LDAP Auth"
+.TH squid_ldap_auth 8 "14 January 2005" "Squid LDAP Auth"
.
.SH NAME
squid_ldap_auth - Squid LDAP authentication helper
.SH DESCRIPTION
This helper allows Squid to connect to a LDAP directory to
validate the user name and password of Basic HTTP authentication.
+LDAP options are specified as parameters on the command line,
+while the username(s) and password(s) to be checked against the
+LDAP directory are specified on subsequent lines of input to the
+helper, one username/password pair per line separated by a space.
+.P
+As expected by the basic authentication construct of Squid, after
+specifying a username and password followed by a new line, this
+helper will produce either OK or ERR on the following line
+to show if the specified credentials are correct according to
+the LDAP directory.
.P
The program has two major modes of operation. In the default mode
of operation the users DN is constructed using the base DN and
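Review bot: the added input description ("one username/password pair per line separated by a space") does not say how a username or password that itself contains a space is written, so a reader cannot tell where the helper splits the line. Suggest stating the split rule and whether any escaping of the two fields is expected on input.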
server specificiation by using servername:port syntax.
.
.TP
+.BI -v " 2|3"
+LDAP protocol version. Defaults to 2 if not specified.
+.
+.TP
.BI -Z
Use TLS encryption
.
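Review bot: the new -v entry says the protocol "Defaults to 2 if not specified", and the entry right after it is -Z "Use TLS encryption"; StartTLS is an LDAPv3 extended operation, so the page should say how the two options interact. Suggest one sentence under -Z (or -v) stating whether -Z needs -v 3 to be given explicitly or selects version 3 itself.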
* Changes:
* 2005-01-07: Henrik Nordstrom <hno@squid-cache.org>
* - Added some sanity checks on login names to avoid
- * users bypassing equality checks by exploring the
- * overly helpful match capabilities of LDAP
+ * users bypassing equality checks by exploring the
+ * overly helpful match capabilities of LDAP
* 2004-07-17: Henrik Nordstrom <hno@squid-cache.org>
* - Corrected non-persistent mode to only issue one
- * ldap_bind per connection.
+ * ldap_bind per connection.
* - -U option to compare the users password rather
- * than binding.
+ * than binding.
* 2004-03-01: Henrik Nordstrom <hno@squid-cache.org>
* - corrected building of search filters to escape
* unsafe input
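Review bot: the changelog is only re-indented in the lines shown, with no entry for what this patch changes (the user search now requests LDAP_NO_ATTRS, and the man page documents -v). Suggest adding a dated entry for it and moving the whitespace cleanup to a separate commit, so the 2005-01-07 login-name sanity-check lines are not touched without a content change. If those lines are edited anyway, "exploring" in that entry probably should read "exploiting".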
/* Yuck.. we need to glue to different versions of the API */
+#ifndef LDAP_NO_ATTRS
+#define LDAP_NO_ATTRS "1.1"
+#endif
+
#if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
static int
squid_ldap_errno(LDAP * ld)
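Review bot: the fallback #define LDAP_NO_ATTRS "1.1" needs a one-line comment, since "1.1" is a magic string to anyone who does not know it is the LDAP attribute selector meaning "return no attributes". It also lands directly under the "Yuck.. we need to glue to different versions of the API" comment, which now reads as if it described the define; giving the #ifndef block its own comment would keep the two apart.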
LDAPMessage *res = NULL;
LDAPMessage *entry;
char *searchattr[] =
- {NULL};
+ {LDAP_NO_ATTRS, NULL};
char *userdn;
int rc;
LDAP *search_ld = persistent_ld;
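Review bot: with searchattr changed from {NULL} to {LDAP_NO_ATTRS, NULL} the search result carries only the entry's DN, so confirm that nothing after the search reads attribute values from entry. Only userdn is declared next to it here, which suggests the DN is all that is used, but the lines that consume entry are not shown. A short comment on the initialiser saying that only the DN is needed would stop a later change from relying on attributes that are no longer returned.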