apr_global_mutex_unlock(st->util_ldap_cache_lock); \
} while (0)
+static apr_status_t util_ldap_connection_remove (void *param);
+
static void util_ldap_strdup (char **str, const char *newstr)
{
if (*str) {
return DECLINED;
}
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
if (r->header_only)
return OK;
return OK;
}
-/* ------------------------------------------------------------------ */
+/* ------------------------------------------------------------------ */
/*
* Closes an LDAP connection by unlocking it. The next time
* uldap_connection_find() is called this connection will be
* we don't have to...
*/
- /* mark our connection as available for reuse */
-
+ if (!ldc->keep) {
+ util_ldap_connection_remove(ldc);
+ }
+ else {
+ /* mark our connection as available for reuse */
#if APR_HAS_THREADS
- apr_thread_mutex_unlock(ldc->lock);
+ apr_thread_mutex_unlock(ldc->lock);
#endif
+ }
}
/*
* Destroys an LDAP connection by unbinding and closing the connection to
* the LDAP server. It is used to bring the connection back to a known
- * state after an error, and during pool cleanup.
+ * state after an error.
*/
static apr_status_t uldap_connection_unbind(void *param)
{
/*
* Clean up an LDAP connection by unbinding and unlocking the connection.
+ * This cleanup does not remove the util_ldap_connection_t from the
+ * per-virtualhost list of connections, does not remove the storage
+ * for the util_ldap_connection_t or it's data, and is NOT run automatically.
*/
static apr_status_t uldap_connection_cleanup(void *param)
{
util_ldap_connection_t *ldc = param;
if (ldc) {
+ /* Release the rebind info for this connection. No more referral rebinds required. */
+ apr_ldap_rebind_remove(ldc->ldap);
/* unbind and disconnect from the LDAP server */
uldap_connection_unbind(ldc);
if (ldc->binddn) {
free((void*)ldc->binddn);
}
-
+ /* ldc->reason is allocated from r->pool */
+ if (ldc->reason) {
+ ldc->reason = NULL;
+ }
/* unlock this entry */
uldap_connection_close(ldc);
+ }
+
+ return APR_SUCCESS;
+}
+
+/*
+ * util_ldap_connection_remove frees all storage associated with the LDAP
+ * connection and removes it completely from the per-virtualhost list of
+ * connections
+ *
+ * The caller should hold the lock for this connection
+ */
+static apr_status_t util_ldap_connection_remove (void *param) {
+ util_ldap_connection_t *ldc = param, *l = NULL, *prev = NULL;
+ util_ldap_state_t *st = ldc->st;
+
+ if (!ldc) return APR_SUCCESS;
+
+ uldap_connection_unbind(ldc);
+
+#if APR_HAS_THREADS
+ apr_thread_mutex_lock(st->mutex);
+#endif
+
+ /* Remove ldc from the list */
+ for (l=st->connections; l; l=l->next) {
+ if (l == ldc) {
+ if (prev) {
+ prev->next = l->next;
+ }
+ else {
+ st->connections = l->next;
+ }
+ break;
+ }
+ prev = l;
+ }
+
+ /* Some unfortunate duplication between this method
+ * and uldap_connection_cleanup()
+ */
+ if (ldc->bindpw) {
+ free((void*)ldc->bindpw);
}
+ if (ldc->binddn) {
+ free((void*)ldc->binddn);
+ }
+
+#if APR_HAS_THREADS
+ apr_thread_mutex_unlock(ldc->lock);
+ apr_thread_mutex_unlock(st->mutex);
+#endif
+
+ /* Destory the pool associated with this connection */
+ apr_pool_destroy(ldc->pool);
+
return APR_SUCCESS;
}
static int uldap_connection_init(request_rec *r,
- util_ldap_connection_t *ldc )
+ util_ldap_connection_t *ldc)
{
int rc = 0, ldap_option = 0;
int version = LDAP_VERSION3;
apr_ldap_err_t *result = NULL;
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
struct timeval timeOut = {10,0}; /* 10 second connection timeout */
+#endif
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
APR_LDAP_NONE,
&(result));
-
if (result != NULL && result->rc) {
ldc->reason = result->reason;
}
return(result->rc);
}
+ /* Now that we have an ldap struct, add it to the referral list for rebinds. */
+ rc = apr_ldap_rebind_add(ldc->pool, ldc->ldap, ldc->binddn, ldc->bindpw);
+ if (rc != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "LDAP: Unable to add rebind cross reference entry. Out of memory?");
+ uldap_connection_unbind(ldc);
+ ldc->reason = "LDAP: Unable to add rebind cross reference entry.";
+ return(rc);
+ }
+
/* always default to LDAP V3 */
ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
ldap_option = ldc->deref;
ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &ldap_option);
+ /* Set options for rebind and referrals. */
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "LDAP: Setting referrals to %s.",
+ ((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"));
+ apr_ldap_set_option(r->pool, ldc->ldap,
+ APR_LDAP_OPT_REFERRALS,
+ (void *)((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ?
+ LDAP_OPT_ON : LDAP_OPT_OFF),
+ &(result));
+ if (result->rc != LDAP_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Unable to set LDAP_OPT_REFERRALS option to %s: %d.",
+ ((ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) ? "On" : "Off"),
+ result->rc);
+ result->reason = "Unable to set LDAP_OPT_REFERRALS.";
+ uldap_connection_unbind(ldc);
+ return(result->rc);
+ }
+
+ if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
+ /* Referral hop limit - only if referrals are enabled */
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Setting referral hop limit to %d.",
+ ldc->ReferralHopLimit);
+ apr_ldap_set_option(r->pool, ldc->ldap,
+ APR_LDAP_OPT_REFHOPLIMIT,
+ (void *)&ldc->ReferralHopLimit,
+ &(result));
+ if (result->rc != LDAP_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Unable to set LDAP_OPT_REFHOPLIMIT option to %d: %d.",
+ ldc->ReferralHopLimit,
+ result->rc);
+ result->reason = "Unable to set LDAP_OPT_REFHOPLIMIT.";
+ uldap_connection_unbind(ldc);
+ return(result->rc);
+ }
+ }
+
/*XXX All of the #ifdef's need to be removed once apr-util 1.2 is released */
#ifdef APR_LDAP_OPT_VERIFY_CERT
apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_VERIFY_CERT,
rc = ldap_simple_bind_s(ldc->ldap,
(char *)ldc->binddn,
(char *)ldc->bindpw);
- if (LDAP_SERVER_DOWN != rc) {
+ if (!AP_LDAP_IS_SERVER_DOWN(rc)) {
break;
} else if (failures == 5) {
/* attempt to init the connection once again */
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(r->server->module_config,
&ldap_module);
-
+ util_ldap_config_t *dc =
+ (util_ldap_config_t *) ap_get_module_config(r->per_dir_config, &ldap_module);
#if APR_HAS_THREADS
/* mutex lock this function */
/* artificially disable cache */
/* l = NULL; */
- /* If no connection what found after the second search, we
+ /* If no connection was found after the second search, we
* must create one.
*/
if (!l) {
-
- /*
- * Add the new connection entry to the linked list. Note that we
- * don't actually establish an LDAP connection yet; that happens
- * the first time authentication is requested.
- */
- /* create the details to the pool in st */
- l = apr_pcalloc(st->pool, sizeof(util_ldap_connection_t));
- if (apr_pool_create(&l->pool, st->pool) != APR_SUCCESS) {
+ apr_pool_t *newpool;
+ if (apr_pool_create(&newpool, NULL) != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"util_ldap: Failed to create memory pool");
#if APR_HAS_THREADS
apr_thread_mutex_unlock(st->mutex);
#endif
return NULL;
-
}
+
+ /*
+ * Add the new connection entry to the linked list. Note that we
+ * don't actually establish an LDAP connection yet; that happens
+ * the first time authentication is requested.
+ */
+
+ /* create the details of this connection in the new pool */
+ l = apr_pcalloc(newpool, sizeof(util_ldap_connection_t));
+ l->pool = newpool;
+ l->st = st;
+
#if APR_HAS_THREADS
- apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, st->pool);
+ apr_thread_mutex_create(&l->lock, APR_THREAD_MUTEX_DEFAULT, l->pool);
apr_thread_mutex_lock(l->lock);
#endif
l->bound = 0;
- l->host = apr_pstrdup(st->pool, host);
+ l->host = apr_pstrdup(l->pool, host);
l->port = port;
l->deref = deref;
util_ldap_strdup((char**)&(l->binddn), binddn);
util_ldap_strdup((char**)&(l->bindpw), bindpw);
+ l->ChaseReferrals = dc->ChaseReferrals;
+ l->ReferralHopLimit = dc->ReferralHopLimit;
/* The security mode after parsing the URL will always be either
* APR_LDAP_NONE (ldap://) or APR_LDAP_SSL (ldaps://).
/* save away a copy of the client cert list that is presently valid */
l->client_certs = apr_array_copy_hdr(l->pool, st->client_certs);
+ l->keep = 1;
+
if (p) {
p->next = l;
}
}
/* search for reqdn */
- if ((result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
- "(objectclass=*)", NULL, 1,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN)
+ result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", NULL, 1,
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+ if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "DN Comparison ldap_search_ext_s() "
"failed with server down";
return result;
}
- if ((result = ldap_compare_s(ldc->ldap,
- (char *)dn,
- (char *)attrib,
- (char *)value))
- == LDAP_SERVER_DOWN) {
+ result = ldap_compare_s(ldc->ldap,
+ (char *)dn,
+ (char *)attrib,
+ (char *)value);
+ if (AP_LDAP_IS_SERVER_DOWN(result)) {
/* connection failed - try again */
ldc->reason = "ldap_compare_s() failed with server down";
uldap_connection_unbind(ldc);
result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE,
(char *)"cn=*", subgroupAttrs, 0,
NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res);
- if (result == LDAP_SERVER_DOWN) {
+ if (AP_LDAP_IS_SERVER_DOWN(result)) {
ldc->reason = "ldap_search_ext_s() for subgroups failed with server"
" down";
uldap_connection_unbind(ldc);
util_compare_node_t *compare_nodep;
util_compare_node_t the_compare_node;
util_compare_subgroup_t *tmp_local_sgl = NULL;
- int lcl_sgl_processedFlag = 0, sgindex = 0, base_sgcIndex = 0;
- struct mod_auth_ldap_groupattr_entry_t *sgc_ents;
-
- sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
-
+ int sgl_cached_empty = 0, sgindex = 0, base_sgcIndex = 0;
+ struct mod_auth_ldap_groupattr_entry_t *sgc_ents =
+ (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts;
util_ldap_state_t *st = (util_ldap_state_t *)
ap_get_module_config(r->server->module_config,
&ldap_module);
* Found the generic group entry... but the user isn't in this
* group or we wouldn't be here.
*/
- lcl_sgl_processedFlag = compare_nodep->sgl_processed;
- if(compare_nodep->sgl_processed && compare_nodep->subgroupList) {
- /* Make a local copy of the subgroup list */
- int i;
- tmp_local_sgl = apr_pcalloc(r->pool,
- sizeof(util_compare_subgroup_t));
- tmp_local_sgl->len = compare_nodep->subgroupList->len;
- tmp_local_sgl->subgroupDNs =
- apr_pcalloc(r->pool,
- sizeof(char *) * compare_nodep->subgroupList->len);
- for (i = 0; i < compare_nodep->subgroupList->len; i++) {
- tmp_local_sgl->subgroupDNs[i] =
- apr_pstrdup(r->pool,
- compare_nodep->subgroupList->subgroupDNs[i]);
+ if (compare_nodep->sgl_processed) {
+ if (compare_nodep->subgroupList) {
+ /* Make a local copy of the subgroup list */
+ int i;
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] util_ldap:"
+ " Making local copy of SGL for "
+ "group (%s)(objectClass=%s) ",
+ getpid(), dn,
+ (char *)sgc_ents[base_sgcIndex].name);
+ tmp_local_sgl = apr_pcalloc(r->pool,
+ sizeof(util_compare_subgroup_t));
+ tmp_local_sgl->len = compare_nodep->subgroupList->len;
+ tmp_local_sgl->subgroupDNs =
+ apr_pcalloc(r->pool,
+ sizeof(char *) * compare_nodep->subgroupList->len);
+ for (i = 0; i < compare_nodep->subgroupList->len; i++) {
+ tmp_local_sgl->subgroupDNs[i] =
+ apr_pstrdup(r->pool,
+ compare_nodep->subgroupList->subgroupDNs[i]);
+ }
+ }
+ else {
+ sgl_cached_empty = 1;
}
}
}
LDAP_CACHE_UNLOCK();
}
- else {
- /*
- * If we get here, something is wrong. Caches should have been
- * created and this group entry should be found in the cache.
- */
- ldc->reason = "check_subgroups failed to find any caches.";
- return LDAP_COMPARE_FALSE;
- }
-
- result = LDAP_COMPARE_FALSE;
- if ((lcl_sgl_processedFlag == 0) && (!tmp_local_sgl)) {
+ if (!tmp_local_sgl && !sgl_cached_empty) {
/* No Cached SGL, retrieve from LDAP */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] util_ldap: no cached SGL for %s,"
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "]"
" util_ldap: no subgroups for %s" , getpid(), dn);
}
- lcl_sgl_processedFlag = 1;
+ if (curl && curl->compare_cache) {
/*
* Find the generic group cache entry and add the sgl we just retrieved.
*/
if (compare_nodep == NULL) {
/*
- * Didn't find it. This shouldn't happen since we just called
- * uldap_cache_compare.
+ * The group entry we want to attach our SGL to doesn't exist.
+ * We only got here if we verified this DN was actually a group
+ * based on the objectClass, but we can't call the compare function
+ * while we already hold the cache lock -- only the insert.
*/
- LDAP_CACHE_UNLOCK();
- ldc->reason = "check_subgroups failed to find the cache entry to"
- " add sub-group list to.";
- return LDAP_COMPARE_FALSE;
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "[%" APR_PID_T_FMT "] util_ldap: Cache entry "
+ "for %s doesn't exist",
+ getpid(), dn);
+ the_compare_node.result = LDAP_COMPARE_TRUE;
+ util_ald_cache_insert(curl->compare_cache, &the_compare_node);
+ compare_nodep = util_ald_cache_fetch(curl->compare_cache,
+ &the_compare_node);
+ if (compare_nodep == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "[%" APR_PID_T_FMT "] util_ldap: Couldn't "
+ "retrieve group entry for %s from cache",
+ getpid(), dn);
+ }
}
+
/*
- * overwrite SGL if it was previously updated between the last
- * two times we looked at the cache
+ * We have a valid cache entry and a locally generated SGL.
+ * Attach the SGL to the cache entry
*/
- compare_nodep->sgl_processed = 1;
- if (tmp_local_sgl) {
- compare_nodep->subgroupList = util_ald_sgl_dup(curl->compare_cache,
- tmp_local_sgl);
- }
- else {
- /*
- * We didn't find a single subgroup, next time save us from looking
- */
- compare_nodep->subgroupList = NULL;
+ if (compare_nodep && !compare_nodep->sgl_processed) {
+ if (!tmp_local_sgl) {
+ /* We looked up an SGL for a group and found it to be empty */
+ if (compare_nodep->subgroupList == NULL) {
+ compare_nodep->sgl_processed = 1;
+ }
+ }
+ else {
+ util_compare_subgroup_t *sgl_copy =
+ util_ald_sgl_dup(curl->compare_cache, tmp_local_sgl);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Copying local SGL of len %d for group %s into cache",
+ tmp_local_sgl->len, dn);
+ if (sgl_copy) {
+ if (compare_nodep->subgroupList) {
+ util_ald_sgl_free(curl->compare_cache,
+ &(compare_nodep->subgroupList));
+ }
+ compare_nodep->subgroupList = sgl_copy;
+ compare_nodep->sgl_processed = 1;
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Copy of SGL failed to obtain shared memory, "
+ "couldn't update cache");
+ }
+ }
}
LDAP_CACHE_UNLOCK();
+ }
}
/*
/* ...and entry is valid */
*binddn = apr_pstrdup(r->pool, search_nodep->dn);
if (attrs) {
- int i = 0, k = 0;
- while (attrs[k++]);
- *retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
- while (search_nodep->vals[i]) {
- (*retvals)[i] = apr_pstrdup(r->pool,
- search_nodep->vals[i]);
- i++;
+ int i;
+ *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals);
+ for (i = 0; i < search_nodep->numvals; i++) {
+ (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
}
}
LDAP_CACHE_UNLOCK();
}
/* try do the search */
- if ((result = ldap_search_ext_s(ldc->ldap,
- (char *)basedn, scope,
- (char *)filter, attrs, 0,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN)
+ result = ldap_search_ext_s(ldc->ldap,
+ (char *)basedn, scope,
+ (char *)filter, attrs, 0,
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+ if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "ldap_search_ext_s() for user failed with server down";
uldap_connection_unbind(ldc);
* fails, it means that the password is wrong (the dn obviously
* exists, since we just retrieved it)
*/
- if ((result = ldap_simple_bind_s(ldc->ldap,
- (char *)*binddn,
- (char *)bindpw)) == LDAP_SERVER_DOWN) {
+ result = ldap_simple_bind_s(ldc->ldap,
+ (char *)*binddn,
+ (char *)bindpw);
+ if (AP_LDAP_IS_SERVER_DOWN(result)) {
ldc->reason = "ldap_simple_bind_s() to check user credentials "
"failed with server down";
ldap_msgfree(res);
/* ...and entry is valid */
*binddn = apr_pstrdup(r->pool, search_nodep->dn);
if (attrs) {
- int i = 0, k = 0;
- while (attrs[k++]);
- *retvals = apr_pcalloc(r->pool, sizeof(char *) * k);
- while (search_nodep->vals[i]) {
- (*retvals)[i] = apr_pstrdup(r->pool,
- search_nodep->vals[i]);
- i++;
+ int i;
+ *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals);
+ for (i = 0; i < search_nodep->numvals; i++) {
+ (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]);
}
}
LDAP_CACHE_UNLOCK();
}
/* try do the search */
- if ((result = ldap_search_ext_s(ldc->ldap,
- (char *)basedn, scope,
- (char *)filter, attrs, 0,
- NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res))
- == LDAP_SERVER_DOWN)
+ result = ldap_search_ext_s(ldc->ldap,
+ (char *)basedn, scope,
+ (char *)filter, attrs, 0,
+ NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);
+ if (AP_LDAP_IS_SERVER_DOWN(result))
{
ldc->reason = "ldap_search_ext_s() for user failed with server down";
uldap_connection_unbind(ldc);
void *dummy,
const char *ttl)
{
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
+#endif
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (err != NULL) {
" timeout to %ld seconds.", getpid(), st->connectionTimeout);
#else
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server,
- "LDAP: Connection timout option not supported by the "
+ "LDAP: Connection timeout option not supported by the "
"LDAP SDK in use." );
#endif
}
+static const char *util_ldap_set_chase_referrals(cmd_parms *cmd,
+ void *config,
+ int mode)
+{
+ util_ldap_config_t *dc = config;
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+ "LDAP: Setting refferal chasing %s",
+ (mode == AP_LDAP_CHASEREFERRALS_ON) ? "ON" : "OFF");
+
+ dc->ChaseReferrals = mode;
+
+ return(NULL);
+}
+
+static const char *util_ldap_set_referral_hop_limit(cmd_parms *cmd,
+ void *config,
+ const char *hop_limit)
+{
+ util_ldap_config_t *dc = config;
+
+ dc->ReferralHopLimit = atol(hop_limit);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server,
+ "LDAP: Limit chased referrals to maximum of %d hops.",
+ dc->ReferralHopLimit);
+
+ return NULL;
+}
+
+static void *util_ldap_create_dir_config(apr_pool_t *p, char *d) {
+ util_ldap_config_t *dc =
+ (util_ldap_config_t *) apr_pcalloc(p,sizeof(util_ldap_config_t));
+
+ /* defaults are AP_LDAP_CHASEREFERRALS_ON and AP_LDAP_DEFAULT_HOPLIMIT */
+ dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
+ dc->ReferralHopLimit = AP_LDAP_DEFAULT_HOPLIMIT;
+
+ return dc;
+}
+
+
static void *util_ldap_create_config(apr_pool_t *p, server_rec *s)
{
util_ldap_state_t *st =
st->connectionTimeout = 10;
st->verify_svr_cert = 1;
+ /* Initialize the rebind callback's cross reference list. */
+ apr_ldap_rebind_init (p);
+
return st;
}
AP_INIT_TAKE23("LDAPTrustedGlobalCert", util_ldap_set_trusted_global_cert,
NULL, RSRC_CONF,
- "Takes three args; the file and/or directory containing "
- "the trusted CA certificates (and global client certs "
- "for Netware) used to validate the LDAP server. Second "
- "arg is the cert type for the first arg, one of CA_DER, "
- "CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, "
- "CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. "
- "Third arg is an optional passphrase if applicable."),
+ "Takes three arguments; the first argument is the cert "
+ "type of the second argument, one of CA_DER, CA_BASE64, "
+ "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
+ "CERT_NICKNAME, KEY_DER, or KEY_BASE64. The second argument "
+ "specifes the file and/or directory containing the trusted CA "
+ "certificates (and global client certs for Netware) used to "
+ "validate the LDAP server. The third argument is an optional "
+ "passphrase if applicable."),
AP_INIT_TAKE23("LDAPTrustedClientCert", util_ldap_set_trusted_client_cert,
NULL, RSRC_CONF,
- "Takes three args; the file and/or directory containing "
- "the client certificate, or certificate ID used to "
- "validate this LDAP client. Second arg is the cert type "
- "for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, "
- "CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
- "CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an "
- "optional passphrase if applicable."),
+ "Takes three arguments: the first argument is the certificate "
+ "type of the second argument, one of CA_DER, CA_BASE64, "
+ "CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, "
+ "CERT_NICKNAME, KEY_DER, or KEY_BASE64. The second argument "
+ "specifies the file and/or directory containing the client "
+ "certificate, or certificate ID used to validate this LDAP "
+ "client. The third argument is an optional passphrase if "
+ "applicable."),
AP_INIT_TAKE1("LDAPTrustedMode", util_ldap_set_trusted_mode,
NULL, RSRC_CONF,
"Specify the LDAP socket connection timeout in seconds "
"(default: 10)"),
+ AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals,
+ NULL, OR_AUTHCFG,
+ "Choose whether referrals are chased ['ON'|'OFF']. Default 'ON'"),
+
+ AP_INIT_TAKE1("LDAPReferralHopLimit", util_ldap_set_referral_hop_limit,
+ NULL, OR_AUTHCFG,
+ "Limit the number of referral hops that LDAP can follow. "
+ "(Integer value, default=" AP_LDAP_DEFAULT_HOPLIMIT_STR ")"),
+
{NULL}
};
module AP_MODULE_DECLARE_DATA ldap_module = {
STANDARD20_MODULE_STUFF,
- NULL, /* create dir config */
+ util_ldap_create_dir_config, /* create dir config */
NULL, /* merge dir config */
util_ldap_create_config, /* create server config */
util_ldap_merge_config, /* merge server config */
projects / apache / blobdiff