]> granicus.if.org Git - apache/blobdiff - modules/ldap/util_ldap.c
* mod_ldap: Correctly return all requested attribute values
[apache] / modules / ldap / util_ldap.c
index 2f18ff83220a82fdd1121a8b02c2e1137aae93c1..5d41aa6f5ae568e3ef4a90162d7944d2ce5b0cf5 100644 (file)
@@ -106,7 +106,7 @@ static int util_ldap_handler(request_rec *r)
         return DECLINED;
     }
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     if (r->header_only)
         return OK;
@@ -187,6 +187,8 @@ static apr_status_t uldap_connection_cleanup(void *param)
     util_ldap_connection_t *ldc = param;
 
     if (ldc) {
+        /* Release the rebind info for this connection. No more referral rebinds required. */
+        apr_ldap_rebind_remove(ldc->ldap);
 
         /* unbind and disconnect from the LDAP server */
         uldap_connection_unbind(ldc);
@@ -198,7 +200,10 @@ static apr_status_t uldap_connection_cleanup(void *param)
         if (ldc->binddn) {
             free((void*)ldc->binddn);
         }
-
+        /* ldc->reason is allocated from r->pool */
+        if (ldc->reason) {
+            ldc->reason = NULL;
+        }
         /* unlock this entry */
         uldap_connection_close(ldc);
 
@@ -263,12 +268,14 @@ static apr_status_t util_ldap_connection_remove (void *param) {
 }
 
 static int uldap_connection_init(request_rec *r,
-                                 util_ldap_connection_t *ldc )
+                                 util_ldap_connection_t *ldc)
 {
     int rc = 0, ldap_option = 0;
     int version  = LDAP_VERSION3;
     apr_ldap_err_t *result = NULL;
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
     struct timeval timeOut = {10,0};    /* 10 second connection timeout */
+#endif
     util_ldap_state_t *st =
         (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
         &ldap_module);
@@ -285,7 +292,6 @@ static int uldap_connection_init(request_rec *r,
                   APR_LDAP_NONE,
                   &(result));
 
-
     if (result != NULL && result->rc) {
         ldc->reason = result->reason;
     }
@@ -302,6 +308,16 @@ static int uldap_connection_init(request_rec *r,
         return(result->rc);
     }
 
+    /* Now that we have an ldap struct, add it to the referral list for rebinds. */
+    rc = apr_ldap_rebind_add(ldc->pool, ldc->ldap, ldc->binddn, ldc->bindpw);
+    if (rc != APR_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                     "LDAP: Unable to add rebind cross reference entry. Out of memory?");
+        uldap_connection_unbind(ldc);
+        ldc->reason = "LDAP: Unable to add rebind cross reference entry.";
+        return(rc);
+    }
+
     /* always default to LDAP V3 */
     ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
 
@@ -331,6 +347,45 @@ static int uldap_connection_init(request_rec *r,
     ldap_option = ldc->deref;
     ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &ldap_option);
 
+    /* Set options for rebind and referrals. */
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                 "LDAP: Setting referrals to %s.",
+                 ((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"));
+    apr_ldap_set_option(r->pool, ldc->ldap,
+                        APR_LDAP_OPT_REFERRALS,
+                        (void *)((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ?
+                                 LDAP_OPT_ON : LDAP_OPT_OFF),
+                        &(result));
+    if (result->rc != LDAP_SUCCESS) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                     "Unable to set LDAP_OPT_REFERRALS option to %s: %d.",
+                     ((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"),
+                     result->rc);
+        result->reason = "Unable to set LDAP_OPT_REFERRALS.";
+        uldap_connection_unbind(ldc);
+        return(result->rc);
+    }
+
+    if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
+        /* Referral hop limit - only if referrals are enabled */
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                     "Setting referral hop limit to %d.",
+                     ldc->ReferralHopLimit);
+        apr_ldap_set_option(r->pool, ldc->ldap,
+                            APR_LDAP_OPT_REFHOPLIMIT,
+                            (void *)&ldc->ReferralHopLimit,
+                            &(result));
+        if (result->rc != LDAP_SUCCESS) {
+          ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                       "Unable to set LDAP_OPT_REFHOPLIMIT option to %d: %d.",
+                       ldc->ReferralHopLimit,
+                       result->rc);
+          result->reason = "Unable to set LDAP_OPT_REFHOPLIMIT.";
+          uldap_connection_unbind(ldc);
+          return(result->rc);
+        }
+    }
+
 /*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
 #ifdef APR_LDAP_OPT_VERIFY_CERT
     apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT,
@@ -425,7 +480,7 @@ static int uldap_connection_open(request_rec *r,
         rc = ldap_simple_bind_s(ldc->ldap,
                                 (char *)ldc->binddn,
                                 (char *)ldc->bindpw);
-        if (LDAP_SERVER_DOWN != rc) {
+        if (!AP_LDAP_IS_SERVER_DOWN(rc)) {
             break;
         } else if (failures == 5) {
            /* attempt to init the connection once again */
@@ -512,7 +567,8 @@ static util_ldap_connection_t *
     util_ldap_state_t *st =
         (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
         &ldap_module);
-
+    util_ldap_config_t *dc =
+        (util_ldap_config_t *) ap_get_module_config(r->per_dir_config, &ldap_module);
 
 #if APR_HAS_THREADS
     /* mutex lock this function */
@@ -583,12 +639,12 @@ static util_ldap_connection_t *
 /* artificially disable cache */
 /* l = NULL; */
 
-    /* If no connection what found after the second search, we
+    /* If no connection was found after the second search, we
      * must create one.
      */
     if (!l) {
         apr_pool_t *newpool;
-        if (apr_pool_create(&newpool, NULL) != APR_SUCCESS) { 
+        if (apr_pool_create(&newpool, NULL) != APR_SUCCESS) {
             ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
                           "util_ldap: Failed to create memory pool");
 #if APR_HAS_THREADS
@@ -597,7 +653,6 @@ static util_ldap_connection_t *
             return NULL;
         }
  
-
         /*
          * Add the new connection entry to the linked list. Note that we
          * don't actually establish an LDAP connection yet; that happens
@@ -608,7 +663,7 @@ static util_ldap_connection_t *
         l = apr_pcalloc(newpool, sizeof(util_ldap_connection_t));
         l->pool = newpool;
         l->st = st;
-   
+
 #if APR_HAS_THREADS
         apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, l->pool);
         apr_thread_mutex_lock(l->lock);
@@ -619,6 +674,8 @@ static util_ldap_connection_t *
         l->deref = deref;
         util_ldap_strdup((char**)&(l->binddn), binddn);
         util_ldap_strdup((char**)&(l->bindpw), bindpw);
+        l->ChaseReferrals = dc->ChaseReferrals;
+        l->ReferralHopLimit = dc->ReferralHopLimit;
 
         /* The security mode after parsing the URL will always be either
          * APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
@@ -729,10 +786,10 @@ start_over:
     }
 
     /* search for reqdn */
-    if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
-                                    "(objectclass=*)", NULL, 1,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
+                               "(objectclass=*)", NULL, 1,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "DN Comparison ldap_search_ext_s() "
                       "failed with server down";
@@ -869,11 +926,11 @@ start_over:
         return result;
     }
 
-    if ((result = ldap_compare_s(ldc->ldap,
-                                 (char *)dn,
-                                 (char *)attrib,
-                                 (char *)value))
-                                               == LDAP_SERVER_DOWN) {
+    result = ldap_compare_s(ldc->ldap,
+                            (char *)dn,
+                            (char *)attrib,
+                            (char *)value);
+    if (AP_LDAP_IS_SERVER_DOWN(result)) { 
         /* connection failed - try again */
         ldc->reason = "ldap_compare_s() failed with server down";
         uldap_connection_unbind(ldc);
@@ -973,7 +1030,7 @@ start_over:
     result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
                                (char *)"cn=*", subgroupAttrs, 0,
                                NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
-    if (result == LDAP_SERVER_DOWN) {
+    if (AP_LDAP_IS_SERVER_DOWN(result)) {
         ldc->reason = "ldap_search_ext_s() for subgroups failed with server"
                       " down";
         uldap_connection_unbind(ldc);
@@ -1111,11 +1168,9 @@ static int uldap_cache_check_subgroups(request_rec *r,
     util_compare_node_t *compare_nodep;
     util_compare_node_t the_compare_node;
     util_compare_subgroup_t *tmp_local_sgl = NULL;
-    int lcl_sgl_processedFlag = 0, sgindex = 0, base_sgcIndex = 0;
-    struct mod_auth_ldap_groupattr_entry_t *sgc_ents;
-
-    sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
-
+    int sgl_cached_empty = 0, sgindex = 0, base_sgcIndex = 0;
+    struct mod_auth_ldap_groupattr_entry_t *sgc_ents =
+            (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
     util_ldap_state_t *st = (util_ldap_state_t *)
                             ap_get_module_config(r->server->module_config,
                                                  &ldap_module);
@@ -1179,37 +1234,37 @@ static int uldap_cache_check_subgroups(request_rec *r,
              * Found the generic group entry... but the user isn't in this
              * group or we wouldn't be here.
              */
-            lcl_sgl_processedFlag = compare_nodep->sgl_processed;
-            if(compare_nodep->sgl_processed && compare_nodep->subgroupList) {
-                /* Make a local copy of the subgroup list */
-                int i;
-                tmp_local_sgl = apr_pcalloc(r->pool,
-                                            sizeof(util_compare_subgroup_t));
-                tmp_local_sgl->len = compare_nodep->subgroupList->len;
-                tmp_local_sgl->subgroupDNs =
-                   apr_pcalloc(r->pool,
-                               sizeof(char *) * compare_nodep->subgroupList->len);
-                for (i = 0; i < compare_nodep->subgroupList->len; i++) {
-                    tmp_local_sgl->subgroupDNs[i] =
-                       apr_pstrdup(r->pool,
-                                   compare_nodep->subgroupList->subgroupDNs[i]);
+            if (compare_nodep->sgl_processed) {
+                if (compare_nodep->subgroupList) {
+                    /* Make a local copy of the subgroup list */
+                    int i;
+                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                  "[%" APR_PID_T_FMT "] util_ldap:"
+                                  " Making local copy of SGL for "
+                                  "group (%s)(objectClass=%s) ",
+                                  getpid(), dn,
+                                  (char *)sgc_ents[base_sgcIndex].name);
+                    tmp_local_sgl = apr_pcalloc(r->pool,
+                                                sizeof(util_compare_subgroup_t));
+                    tmp_local_sgl->len = compare_nodep->subgroupList->len;
+                    tmp_local_sgl->subgroupDNs =
+                        apr_pcalloc(r->pool,
+                                    sizeof(char *) * compare_nodep->subgroupList->len);
+                    for (i = 0; i < compare_nodep->subgroupList->len; i++) {
+                        tmp_local_sgl->subgroupDNs[i] =
+                            apr_pstrdup(r->pool,
+                                        compare_nodep->subgroupList->subgroupDNs[i]);
+                    }
+                }
+                else {
+                    sgl_cached_empty = 1;
                 }
             }
         }
         LDAP_CACHE_UNLOCK();
     }
-    else {
-          /*
-           * If we get here, something is wrong. Caches should have been
-           * created and this group entry should be found in the cache.
-           */
-        ldc->reason = "check_subgroups failed to find any caches.";
-        return LDAP_COMPARE_FALSE;
-    }
 
-    result = LDAP_COMPARE_FALSE;
-
-    if ((lcl_sgl_processedFlag == 0) && (!tmp_local_sgl)) {
+    if (!tmp_local_sgl && !sgl_cached_empty) {
         /* No Cached SGL, retrieve from LDAP */
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                       "[%" APR_PID_T_FMT "] util_ldap: no cached SGL for %s,"
@@ -1221,8 +1276,8 @@ static int uldap_cache_check_subgroups(request_rec *r,
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
                           " util_ldap: no subgroups for %s" , getpid(), dn);
         }
-        lcl_sgl_processedFlag = 1;
 
+      if (curl && curl->compare_cache) {
         /*
          * Find the generic group cache entry and add the sgl we just retrieved.
          */
@@ -1240,30 +1295,61 @@ static int uldap_cache_check_subgroups(request_rec *r,
 
         if (compare_nodep == NULL) {
             /*
-             * Didn't find it. This shouldn't happen since we just called
-             * uldap_cache_compare.
+             * The group entry we want to attach our SGL to doesn't exist.
+             * We only got here if we verified this DN was actually a group
+             * based on the objectClass, but we can't call the compare function
+             * while we already hold the cache lock -- only the insert.
              */
-            LDAP_CACHE_UNLOCK();
-            ldc->reason = "check_subgroups failed to find the cache entry to"
-                          " add sub-group list to.";
-            return LDAP_COMPARE_FALSE;
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                          "[%" APR_PID_T_FMT "] util_ldap: Cache entry "
+                          "for %s doesn't exist",
+                           getpid(), dn);
+            the_compare_node.result = LDAP_COMPARE_TRUE;
+            util_ald_cache_insert(curl->compare_cache, &the_compare_node);
+            compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+                                                 &the_compare_node);
+            if (compare_nodep == NULL) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "[%" APR_PID_T_FMT "] util_ldap: Couldn't "
+                              "retrieve group entry for %s from cache",
+                               getpid(), dn);
+            }
         }
+
         /*
-         * overwrite SGL if it was previously updated between the last
-         * two times we looked at the cache
+         * We have a valid cache entry and a locally generated SGL.
+         * Attach the SGL to the cache entry
          */
-        compare_nodep->sgl_processed = 1;
-        if (tmp_local_sgl) {
-            compare_nodep->subgroupList = util_ald_sgl_dup(curl->compare_cache,
-                                                           tmp_local_sgl);
-        }
-        else {
-            /*
-             * We didn't find a single subgroup, next time save us from looking
-             */
-            compare_nodep->subgroupList = NULL;
+        if (compare_nodep && !compare_nodep->sgl_processed) {
+            if (!tmp_local_sgl) {
+                /* We looked up an SGL for a group and found it to be empty */
+                if (compare_nodep->subgroupList == NULL) {
+                    compare_nodep->sgl_processed = 1;
+                }
+            }
+            else {
+                util_compare_subgroup_t *sgl_copy =
+                    util_ald_sgl_dup(curl->compare_cache, tmp_local_sgl);
+                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                             "Copying local SGL of len %d for group %s into cache",
+                             tmp_local_sgl->len, dn);
+                if (sgl_copy) {
+                    if (compare_nodep->subgroupList) {
+                        util_ald_sgl_free(curl->compare_cache,
+                                          &(compare_nodep->subgroupList));
+                    }
+                    compare_nodep->subgroupList = sgl_copy;
+                    compare_nodep->sgl_processed = 1;
+                }
+                else {
+                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                                 "Copy of SGL failed to obtain shared memory, "
+                                 "couldn't update cache");
+                }
+            }
         }
         LDAP_CACHE_UNLOCK();
+      }
     }
 
     /*
@@ -1376,13 +1462,10 @@ static int uldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
                 /* ...and entry is valid */
                 *binddn = apr_pstrdup(r->pool, search_nodep->dn);
                 if (attrs) {
-                    int i = 0, k = 0;
-                    while (attrs[k++]);
-                    *retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
-                    while (search_nodep->vals[i]) {
-                        (*retvals)[i] = apr_pstrdup(r->pool,
-                                                    search_nodep->vals[i]);
-                        i++;
+                    int i;
+                    *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals);
+                    for (i = 0; i < search_nodep->numvals; i++) {
+                        (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
                     }
                 }
                 LDAP_CACHE_UNLOCK();
@@ -1410,11 +1493,11 @@ start_over:
     }
 
     /* try do the search */
-    if ((result = ldap_search_ext_s(ldc->ldap,
-                                    (char *)basedn, scope,
-                                    (char *)filter, attrs, 0,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap,
+                               (char *)basedn, scope,
+                               (char *)filter, attrs, 0,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "ldap_search_ext_s() for user failed with server down";
         uldap_connection_unbind(ldc);
@@ -1468,9 +1551,10 @@ start_over:
      * fails, it means that the password is wrong (the dn obviously
      * exists, since we just retrieved it)
      */
-    if ((result = ldap_simple_bind_s(ldc->ldap,
-                                     (char *)*binddn,
-                                     (char *)bindpw)) == LDAP_SERVER_DOWN) {
+    result = ldap_simple_bind_s(ldc->ldap,
+                                (char *)*binddn,
+                                (char *)bindpw);
+    if (AP_LDAP_IS_SERVER_DOWN(result)) {
         ldc->reason = "ldap_simple_bind_s() to check user credentials "
                       "failed with server down";
         ldap_msgfree(res);
@@ -1625,13 +1709,10 @@ static int uldap_cache_getuserdn(request_rec *r, util_ldap_connection_t *ldc,
                 /* ...and entry is valid */
                 *binddn = apr_pstrdup(r->pool, search_nodep->dn);
                 if (attrs) {
-                    int i = 0, k = 0;
-                    while (attrs[k++]);
-                    *retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
-                    while (search_nodep->vals[i]) {
-                        (*retvals)[i] = apr_pstrdup(r->pool,
-                                                    search_nodep->vals[i]);
-                        i++;
+                    int i;
+                    *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals);
+                    for (i = 0; i < search_nodep->numvals; i++) {
+                        (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
                     }
                 }
                 LDAP_CACHE_UNLOCK();
@@ -1659,11 +1740,11 @@ start_over:
     }
 
     /* try do the search */
-    if ((result = ldap_search_ext_s(ldc->ldap,
-                                    (char *)basedn, scope,
-                                    (char *)filter, attrs, 0,
-                                    NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
-            == LDAP_SERVER_DOWN)
+    result = ldap_search_ext_s(ldc->ldap,
+                               (char *)basedn, scope,
+                               (char *)filter, attrs, 0,
+                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+    if (AP_LDAP_IS_SERVER_DOWN(result))
     {
         ldc->reason = "ldap_search_ext_s() for user failed with server down";
         uldap_connection_unbind(ldc);
@@ -2227,9 +2308,11 @@ static const char *util_ldap_set_connection_timeout(cmd_parms *cmd,
                                                     void *dummy,
                                                     const char *ttl)
 {
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
     util_ldap_state_t *st =
         (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
                                                   &ldap_module);
+#endif
     const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
 
     if (err != NULL) {
@@ -2244,7 +2327,7 @@ static const char *util_ldap_set_connection_timeout(cmd_parms *cmd,
                  " timeout to %ld seconds.", getpid(), st->connectionTimeout);
 #else
     ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
-                 "LDAP: Connection timout option not supported by the "
+                 "LDAP: Connection timeout option not supported by the "
                  "LDAP SDK in use." );
 #endif
 
@@ -2252,6 +2335,48 @@ static const char *util_ldap_set_connection_timeout(cmd_parms *cmd,
 }
 
 
+static const char *util_ldap_set_chase_referrals(cmd_parms *cmd,
+                                                 void *config,
+                                                 int mode)
+{
+    util_ldap_config_t *dc =  config;
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+                      "LDAP: Setting refferal chasing %s",
+                      (mode == AP_LDAP_CHASEREFERRALS_ON) ? "ON" : "OFF");
+
+    dc->ChaseReferrals = mode;
+
+    return(NULL);
+}
+
+static const char *util_ldap_set_referral_hop_limit(cmd_parms *cmd,
+                                                    void *config,
+                                                    const char *hop_limit)
+{
+    util_ldap_config_t *dc =  config;
+
+    dc->ReferralHopLimit = atol(hop_limit);
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+                 "LDAP: Limit chased referrals to maximum of %d hops.",
+                 dc->ReferralHopLimit);
+
+    return NULL;
+}
+
+static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) {
+   util_ldap_config_t *dc =
+       (util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
+
+   /* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */
+   dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
+   dc->ReferralHopLimit = AP_LDAP_DEFAULT_HOPLIMIT;
+
+   return dc;
+}
+
+
 static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
 {
     util_ldap_state_t *st =
@@ -2280,6 +2405,9 @@ static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
     st->connectionTimeout = 10;
     st->verify_svr_cert = 1;
 
+    /* Initialize the rebind callback's cross reference list. */
+    apr_ldap_rebind_init (p);
+
     return st;
 }
 
@@ -2544,23 +2672,25 @@ static const command_rec util_ldap_cmds[] = {
 
     AP_INIT_TAKE23("LDAPTrustedGlobalCert", util_ldap_set_trusted_global_cert,
                    NULL, RSRC_CONF,
-                   "Takes three args; the file and/or directory containing "
-                   "the trusted CA certificates (and global client certs "
-                   "for Netware) used to validate the LDAP server.  Second "
-                   "arg is the cert type for the first arg, one of CA_DER, "
-                   "CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, "
-                   "CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. "
-                   "Third arg is an optional passphrase if applicable."),
+                   "Takes three arguments; the first argument is the cert "
+                   "type of the second argument, one of CA_DER, CA_BASE64, "
+                   "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
+                   "CERT_NICKNAME, KEY_DER, or KEY_BASE64. The second argument "
+                   "specifes the file and/or directory containing the trusted CA "
+                   "certificates (and global client certs for Netware) used to "
+                   "validate the LDAP server. The third argument is an optional "
+                   "passphrase if applicable."),
 
     AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert,
                    NULL, RSRC_CONF,
-                   "Takes three args; the file and/or directory containing "
-                   "the client certificate, or certificate ID used to "
-                   "validate this LDAP client.  Second arg is the cert type "
-                   "for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, "
-                   "CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
-                   "CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an "
-                   "optional passphrase if applicable."),
+                   "Takes three arguments: the first argument is the certificate "
+                   "type of the second argument, one of CA_DER, CA_BASE64, "
+                   "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
+                   "CERT_NICKNAME, KEY_DER, or KEY_BASE64. The second argument "
+                   "specifies the file and/or directory containing the client "
+                   "certificate, or certificate ID used to validate this LDAP "
+                   "client.  The third argument is an optional passphrase if "
+                   "applicable."),
 
     AP_INIT_TAKE1("LDAPTrustedMode", util_ldap_set_trusted_mode,
                   NULL, RSRC_CONF,
@@ -2578,6 +2708,15 @@ static const command_rec util_ldap_cmds[] = {
                   "Specify the LDAP socket connection timeout in seconds "
                   "(default: 10)"),
 
+    AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals,
+                  NULL, OR_AUTHCFG,
+                  "Choose whether referrals are chased ['ON'|'OFF'].  Default 'ON'"),
+
+    AP_INIT_TAKE1("LDAPReferralHopLimit", util_ldap_set_referral_hop_limit,
+                  NULL, OR_AUTHCFG,
+                  "Limit the number of referral hops that LDAP can follow. "
+                  "(Integer value, default=" AP_LDAP_DEFAULT_HOPLIMIT_STR ")"),
+
     {NULL}
 };
 
@@ -2602,7 +2741,7 @@ static void util_ldap_register_hooks(apr_pool_t *p)
 
 module AP_MODULE_DECLARE_DATA ldap_module = {
    STANDARD20_MODULE_STUFF,
-   NULL,                        /* create dir config */
+   util_ldap_create_dir_config, /* create dir config */
    NULL,                        /* merge dir config */
    util_ldap_create_config,     /* create server config */
    util_ldap_merge_config,      /* merge server config */