Merge pull request #153 from mihu/referral

add referral option
main
Valery Komarov 8 years ago committed by GitHub
commit 1d1e6d8b68
  1. 8
      README.md
  2. 37
      ngx_http_auth_ldap_module.c

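--- a/README.md
+++ b/README.md
@@ -122,3 +122,11 @@ Trust all CA certificates in this directory (see ssl_check_cert above).
 Note that you need to provide hash-based symlinks in the directory for this to work;
 you'll basically need to run OpenSSL's c_rehash command in this directory.
+## referral
+expected value: on, off
+LDAP library default is on. This option disables usage of referral messages from
+LDAP server. Usefull for authenticating against read only AD server without access
+to read write.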

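--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@@ -86,6 +86,7 @@ typedef struct {
 ngx_flag_t require_valid_user;
 ngx_http_complex_value_t require_valid_user_dn;
 ngx_flag_t satisfy_all;
+ngx_flag_t referral;
 ngx_uint_t connections;
 ngx_msec_t connect_timeout;
@@ -191,6 +192,7 @@ static char * ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, voi
 static char * ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server);
 static char * ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server);
 static char * ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server);
+static char * ngx_http_auth_ldap_parse_referral(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server);
 static void * ngx_http_auth_ldap_create_main_conf(ngx_conf_t *cf);
 static char * ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent);
 static void * ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *);
@@ -335,6 +337,7 @@ ngx_http_auth_ldap_ldap_server_block(ngx_conf_t *cf, ngx_command_t *cmd, void *c
 server->bind_timeout = 5000;
 server->request_timeout = 10000;
 server->alias = name;
+server->referral = 1;
 save = *cf;
 cf->handler = ngx_http_auth_ldap_ldap_server;
@@ -390,6 +393,8 @@ ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
 return ngx_http_auth_ldap_parse_require(cf, server);
 } else if (ngx_strcmp(value[0].data, "satisfy") == 0) {
 return ngx_http_auth_ldap_parse_satisfy(cf, server);
+} else if (ngx_strcmp(value[0].data, "referral") == 0) {
+return ngx_http_auth_ldap_parse_referral(cf, server);
 } else if (ngx_strcmp(value[0].data, "connections") == 0) {
 i = ngx_atoi(value[1].data, value[1].len);
 if (i == NGX_ERROR || i == 0) {
@@ -690,6 +695,29 @@ ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *se
 return NGX_CONF_ERROR;
 }
+/**
+* Parse "referral" conf parameter
+*/
+static char *
+ngx_http_auth_ldap_parse_referral(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server)
+{
+ngx_str_t *value;
+value = cf->args->elts;
+if (ngx_strcmp(value[1].data, "on") == 0) {
+server->referral = 1;
+return NGX_CONF_OK;
+}
+if (ngx_strcmp(value[1].data, "off") == 0) {
+server->referral = 0;
+return NGX_CONF_OK;
+}
+ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Incorrect value for referral");
+return NGX_CONF_ERROR;
+}
 /**
 * Create main config which will store ldap_servers array
 */
@@ -1221,6 +1249,15 @@ ngx_http_auth_ldap_connection_established(ngx_http_auth_ldap_connection_t *c)
 return;
 }
+if (c->server->referral == 0) {
+rc = ldap_set_option(c->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
+if (rc != LDAP_OPT_SUCCESS) {
+ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_set_option() failed (%d: %s)", rc, ldap_err2string(rc));
+ngx_http_auth_ldap_close_connection(c);
+return;
+}
+}
 rc = ldap_get_option(c->ld, LDAP_OPT_SOCKBUF, (void *) &sb);
 if (rc != LDAP_OPT_SUCCESS) {
 ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_get_option() failed (%d: %s)", rc, ldap_err2string(rc));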
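Review bot: ngx_http_auth_ldap_parse_referral (hunk at -690) reads `value[1]` without checking `cf->args->nelts`, so a `referral;` line with no argument in the `ldap_server` block indexes past the arguments the config parser collected; the neighbouring parse_satisfy appears to follow the same pattern, but the new function should guard it with `if (cf->args->nelts != 2) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: referral expects exactly one argument"); return NGX_CONF_ERROR; }` before the comparisons, and the rejection message on the last line could include the offending value (`"... for referral: \"%V\""`, `&value[1]`) so operators can see what was mis-typed. In ngx_http_auth_ldap_connection_established (hunk at -1221) the option is written only when referral is off, so `referral on` relies on whatever the LDAP library's default happens to be; if that default can be changed outside nginx (e.g. by a client-library configuration file), the directive would silently not take effect, and setting it unconditionally — `rc = ldap_set_option(c->ld, LDAP_OPT_REFERRALS, c->server->referral ? LDAP_OPT_ON : LDAP_OPT_OFF);` — makes the configured value authoritative. Both enclosing functions of that hunk start and end outside the hunk.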
