From: Alan T. DeKok Date: Thu, 2 Apr 2009 11:45:51 +0000 (+0200) Subject: Added "rebind" option to re-authenticate on rebind X-Git-Tag: release_2_1_7~221 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58a513cf3d219a1023248339b131e85f7d72e528;p=thirdparty%2Ffreeradius-server.git Added "rebind" option to re-authenticate on rebind Also, change chase_referrals default to unset. This allows us to use the OpenLDAP default, OR to force it on/off. rebind is done only when chase_referrals is true, AND rebind is true --- diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c index 88b65d927c3..2fc666216d6 100644 --- a/src/modules/rlm_ldap/rlm_ldap.c +++ b/src/modules/rlm_ldap/rlm_ldap.c @@ -137,6 +137,7 @@ typedef struct { int failed_conns; int is_url; int chase_referrals; + int rebind; char *login; char *password; char *filter; @@ -274,7 +275,9 @@ static const CONF_PARSER module_config[] = { {"access_attr_used_for_allow", PW_TYPE_BOOLEAN, offsetof(ldap_instance,default_allow), NULL, "yes"}, {"chase_referrals", PW_TYPE_BOOLEAN, - offsetof(ldap_instance,chase_referrals), NULL, "no"}, + offsetof(ldap_instance,chase_referrals), NULL, NULL}, + {"rebind", PW_TYPE_BOOLEAN, + offsetof(ldap_instance,chase_referrals), NULL, NULL}, /* * Group checks. These could probably be done @@ -385,6 +388,8 @@ ldap_instantiate(CONF_SECTION * conf, void **instance) return -1; } memset(inst, 0, sizeof(*inst)); + inst->chase_referrals = 2; /* use OpenLDAP defaults */ + inst->rebind = 2; if (cf_section_parse(conf, inst, module_config) < 0) { free(inst); @@ -2160,6 +2165,16 @@ static int ldap_postauth(void *instance, REQUEST * request) } #endif +static int ldap_rebind(LDAP *ld, LDAP_CONST char *url, + UNUSED ber_tag_t request, UNUSED ber_int_t msgid, + void *params ) +{ + ldap_instance *inst = params; + + DEBUG("rlm_ldap: rebind to URL %s",url); + return ldap_bind_s(ld, inst->login, inst->password, LDAP_AUTH_SIMPLE); +} + static LDAP *ldap_connect(void *instance, const char *dn, const char *password, int auth, int *result, char **err) { @@ -2195,14 +2210,27 @@ static LDAP *ldap_connect(void *instance, const char *dn, const char *password, radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_NETWORK_TIMEOUT %d: %s", inst->net_timeout, ldap_err2string(ldap_errno)); } - if (inst->chase_referrals) { - rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON); - } else { - rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); - } - if (rc != LDAP_OPT_SUCCESS) { - ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno); - radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_REFERRALS=%d %s", inst->chase_referrals, ldap_err2string(ldap_errno)); + /* + * Leave "chase_referrals" unset to use the OpenLDAP + * default. + */ + if (inst->chase_referrals != 2) { + if (inst->chase_referrals) { + rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, + LDAP_OPT_ON); + + if (inst->rebind == 1) { + ldap_set_rebind_proc(ld, ldap_rebind, + inst); + } + } else { + rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, + LDAP_OPT_OFF); + } + if (rc != LDAP_OPT_SUCCESS) { + ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno); + radlog(L_ERR, "rlm_ldap: Could not set LDAP_OPT_REFERRALS=%d %s", inst->chase_referrals, ldap_err2string(ldap_errno)); + } } if (ldap_set_option(ld, LDAP_OPT_TIMELIMIT,