Added "rebind" option to re-authenticate on rebind

Also, change chase_referrals default to unset.  This allows us
to use the OpenLDAP default, OR to force it on/off.

rebind is done only when chase_referrals is true, AND rebind is true

diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 88b65d927c3d4534fbe712d466c281898360abe2..2fc666216d69920d249d9e64e99835466fb93ef5 100644 (file)
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -137,6 +137,7 @@ typedef struct {
        int             failed_conns;
        int             is_url;
        int             chase_referrals;
+       int             rebind;
        char           *login;
        char           *password;
        char           *filter;
@@ -274,7 +275,9 @@ static const CONF_PARSER module_config[] = {
        {"access_attr_used_for_allow", PW_TYPE_BOOLEAN,
         offsetof(ldap_instance,default_allow), NULL, "yes"},
        {"chase_referrals", PW_TYPE_BOOLEAN,
-        offsetof(ldap_instance,chase_referrals), NULL, "no"},
+        offsetof(ldap_instance,chase_referrals), NULL, NULL},
+       {"rebind", PW_TYPE_BOOLEAN,
+        offsetof(ldap_instance,chase_referrals), NULL, NULL},
 
        /*
         *      Group checks.  These could probably be done
@@ -385,6 +388,8 @@ ldap_instantiate(CONF_SECTION * conf, void **instance)
                return -1;
        }
        memset(inst, 0, sizeof(*inst));
+       inst->chase_referrals = 2; /* use OpenLDAP defaults */
+       inst->rebind = 2;
 
        if (cf_section_parse(conf, inst, module_config) < 0) {
                free(inst);
@@ -2160,6 +2165,16 @@ static int ldap_postauth(void *instance, REQUEST * request)
 }
 #endif
 
+static int ldap_rebind(LDAP *ld, LDAP_CONST char *url,
+                      UNUSED ber_tag_t request, UNUSED ber_int_t msgid,
+                      void *params )
+{
+       ldap_instance   *inst = params;
+
+       DEBUG("rlm_ldap: rebind to URL %s",url);
+       return ldap_bind_s(ld, inst->login, inst->password, LDAP_AUTH_SIMPLE);
+}
+
 static LDAP *ldap_connect(void *instance, const char *dn, const char *password,
                          int auth, int *result, char **err)
 {
@@ -2195,14 +2210,27 @@ static LDAP *ldap_connect(void *instance, const char *dn, const char *password,
                radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_NETWORK_TIMEOUT %d: %s", inst->net_timeout, ldap_err2string(ldap_errno));
        }
 
-       if (inst->chase_referrals) {
-               rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
-       } else {
-               rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
-       }
-       if (rc != LDAP_OPT_SUCCESS) {
-               ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
-               radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_REFERRALS=%d  %s", inst->chase_referrals, ldap_err2string(ldap_errno));
+       /*
+        *      Leave "chase_referrals" unset to use the OpenLDAP
+        *      default.
+        */
+       if (inst->chase_referrals != 2) {
+               if (inst->chase_referrals) {
+                       rc=ldap_set_option(ld, LDAP_OPT_REFERRALS,
+                                          LDAP_OPT_ON);
+                       
+                       if (inst->rebind == 1) {
+                               ldap_set_rebind_proc(ld, ldap_rebind,
+                                                    inst);
+                       }
+               } else {
+                       rc=ldap_set_option(ld, LDAP_OPT_REFERRALS,
+                                          LDAP_OPT_OFF);
+               }
+               if (rc != LDAP_OPT_SUCCESS) {
+                       ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
+                       radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_REFERRALS=%d  %s", inst->chase_referrals, ldap_err2string(ldap_errno));
+               }
        }
 
        if (ldap_set_option(ld, LDAP_OPT_TIMELIMIT,