"LDAPReferrals off" does not disable LDAPReferrals feature. Default OpenLDAP value...

Changes LDAPReferrals to tri-state:

- "on" - default. Calls apr_ldap_set_option to set referrals on.
- "off" - Calls apr_ldap_set_option to turn referrals off.
- "default" - Does not call apr_ldap_set_option at all.

The default remains ON.  If "default" and SDK defaults to ON, no rebind callback
is used.

Submitted By: Jan Kaluza <kaluze AT redhat.com>
Committed By: covener

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1517388 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 6244354212ffb2fdf71338077a87919b455a0297..e618b1083652bccdc86135a0f2d86131098bc766 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP 
+     SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK 
+     default, sans rebind authentication callback.
+     [Jan Kaluza <kaluze AT redhat.com>]
+
   *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
      from ERROR to DEBUG, since these modules do not know what mod_authz_core
      is doing with their AUTHZ_DENIED return value. [Eric Covener]

diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index a048e934bfd5ff894fa089e58c2463350953e64f..461e48638aa9ec8fcd05d493f4602366be12298c 100644 (file)
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -60,6 +60,7 @@
 #endif
 
 #define AP_LDAP_HOPLIMIT_UNSET -1
+#define AP_LDAP_CHASEREFERRALS_SDKDEFAULT -1
 #define AP_LDAP_CHASEREFERRALS_OFF 0
 #define AP_LDAP_CHASEREFERRALS_ON 1
 
@@ -371,7 +372,7 @@ static int uldap_connection_init(request_rec *r,
     ldap_option = ldc->deref;
     ldap_set_option(ldc->ldap, LDAP_OPT_DEREF, &ldap_option);
 
-    if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
+    if (ldc->ChaseReferrals != AP_LDAP_CHASEREFERRALS_SDKDEFAULT) {
         /* Set options for rebind and referrals. */
         ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, r->server, APLOGNO(01278)
                 "LDAP: Setting referrals to %s.",
@@ -391,7 +392,9 @@ static int uldap_connection_init(request_rec *r,
             uldap_connection_unbind(ldc);
             return(result->rc);
         }
+    }
 
+    if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
         if ((ldc->ReferralHopLimit != AP_LDAP_HOPLIMIT_UNSET) && ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
             /* Referral hop limit - only if referrals are enabled and a hop limit is explicitly requested */
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, APLOGNO(01280)
@@ -2584,15 +2587,25 @@ static const char *util_ldap_set_connection_timeout(cmd_parms *cmd,
 
 static const char *util_ldap_set_chase_referrals(cmd_parms *cmd,
                                                  void *config,
-                                                 int mode)
+                                                 const char *arg)
 {
     util_ldap_config_t *dc =  config;
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01311)
-                      "LDAP: Setting referral chasing %s",
-                      (mode == AP_LDAP_CHASEREFERRALS_ON) ? "ON" : "OFF");
+                      "LDAP: Setting referral chasing %s", arg);
 
-    dc->ChaseReferrals = mode;
+    if (0 == strcasecmp(arg, "on")) {
+        dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_ON;
+    }
+    else if (0 == strcasecmp(arg, "off")) {
+        dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_OFF;
+    }
+    else if (0 == strcasecmp(arg, "default")) {
+        dc->ChaseReferrals = AP_LDAP_CHASEREFERRALS_SDKDEFAULT;
+    }
+    else {
+        return "LDAPReferrals must be 'on', 'off', or 'default'";
+    }
 
     return(NULL);
 }
@@ -3116,9 +3129,9 @@ static const command_rec util_ldap_cmds[] = {
                   "Specify the LDAP socket connection timeout in seconds "
                   "(default: 10)"),
 
-    AP_INIT_FLAG("LDAPReferrals", util_ldap_set_chase_referrals,
+    AP_INIT_TAKE1("LDAPReferrals", util_ldap_set_chase_referrals,
                   NULL, OR_AUTHCFG,
-                  "Choose whether referrals are chased ['ON'|'OFF'].  Default 'ON'"),
+                  "Choose whether referrals are chased ['ON'|'OFF'|'DEFAULT'].  Default 'ON'"),
 
     AP_INIT_TAKE1("LDAPReferralHopLimit", util_ldap_set_referral_hop_limit,
                   NULL, OR_AUTHCFG,