add referral option

Add posibility to turn the processing of LDAP referral messages of.

README.md

@@ -122,3 +122,11 @@ Trust all CA certificates in this directory (see ssl_check_cert above).
 
 Note that you need to provide hash-based symlinks in the directory for this to work;
 you'll basically need to run OpenSSL's c_rehash command in this directory.
+
+## referral
+expected value: on, off
+
+LDAP library default is on. This option disables usage of referral messages from
+LDAP server. Usefull for authenticating against read only AD server without access
+to read write.
+

ngx_http_auth_ldap_module.c

@@ -86,6 +86,7 @@ typedef struct {
     ngx_flag_t require_valid_user;
     ngx_http_complex_value_t require_valid_user_dn;
     ngx_flag_t satisfy_all;
+    ngx_flag_t referral;
 
     ngx_uint_t connections;
     ngx_msec_t connect_timeout;
@@ -191,6 +192,7 @@ static char * ngx_http_auth_ldap_servers(ngx_conf_t *cf, ngx_command_t *cmd, voi
 static char * ngx_http_auth_ldap_parse_url(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server);
 static char * ngx_http_auth_ldap_parse_require(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server);
 static char * ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server);
+static char * ngx_http_auth_ldap_parse_referral(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server);
 static void * ngx_http_auth_ldap_create_main_conf(ngx_conf_t *cf);
 static char * ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent);
 static void * ngx_http_auth_ldap_create_loc_conf(ngx_conf_t *);
@@ -335,6 +337,7 @@ ngx_http_auth_ldap_ldap_server_block(ngx_conf_t *cf, ngx_command_t *cmd, void *c
     server->bind_timeout = 5000;
     server->request_timeout = 10000;
     server->alias = name;
+    server->referral = 1;
 
     save = *cf;
     cf->handler = ngx_http_auth_ldap_ldap_server;
@@ -390,6 +393,8 @@ ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
         return ngx_http_auth_ldap_parse_require(cf, server);
     } else if (ngx_strcmp(value[0].data, "satisfy") == 0) {
         return ngx_http_auth_ldap_parse_satisfy(cf, server);
+    } else if (ngx_strcmp(value[0].data, "referral") == 0) {
+        return ngx_http_auth_ldap_parse_referral(cf, server);
     } else if (ngx_strcmp(value[0].data, "connections") == 0) {
         i = ngx_atoi(value[1].data, value[1].len);
         if (i == NGX_ERROR || i == 0) {
@@ -690,6 +695,29 @@ ngx_http_auth_ldap_parse_satisfy(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *se
     return NGX_CONF_ERROR;
 }
 
+/**
+ * Parse "referral" conf parameter
+ */
+static char *
+ngx_http_auth_ldap_parse_referral(ngx_conf_t *cf, ngx_http_auth_ldap_server_t *server)
+{
+    ngx_str_t *value;
+    value = cf->args->elts;
+
+    if (ngx_strcmp(value[1].data, "on") == 0) {
+        server->referral = 1;
+        return NGX_CONF_OK;
+    }
+
+    if (ngx_strcmp(value[1].data, "off") == 0) {
+        server->referral = 0;
+        return NGX_CONF_OK;
+    }
+
+    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "http_auth_ldap: Incorrect value for referral");
+    return NGX_CONF_ERROR;
+}
+
 /**
  * Create main config which will store ldap_servers array
  */
@@ -1221,6 +1249,15 @@ ngx_http_auth_ldap_connection_established(ngx_http_auth_ldap_connection_t *c)
         return;
     }
 
+    if (c->server->referral == 0) {
+        rc = ldap_set_option(c->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
+        if (rc != LDAP_OPT_SUCCESS) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_set_option() failed (%d: %s)", rc, ldap_err2string(rc));
+            ngx_http_auth_ldap_close_connection(c);
+            return;
+        }
+    }
+
     rc = ldap_get_option(c->ld, LDAP_OPT_SOCKBUF, (void *) &sb);
     if (rc != LDAP_OPT_SUCCESS) {
         ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: ldap_get_option() failed (%d: %s)", rc, ldap_err2string(rc));