Added configuration option to disable referrals.

vl-homutov · vl-homutov · commit f56178b6ee1a · 2018-08-20T12:31:55.000+03:00
The options is boolean, header name is  'X-Ldap-DisableReferrals' and
the command-line switch is '--disable-referrals', default value is
false.
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
@@ -149,6 +149,7 @@ class LDAPAuthHandler(AuthHandler):
              'realm': ('X-Ldap-Realm', 'Restricted'),
              'url': ('X-Ldap-URL', None),
              'starttls': ('X-Ldap-Starttls', 'false'),
+             'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
              'basedn': ('X-Ldap-BaseDN', None),
              'template': ('X-Ldap-Template', '(cn=%(username)s)'),
              'binddn': ('X-Ldap-BindDN', ''),
@@ -208,9 +209,9 @@ def do_GET(self):
             if ctx['starttls'] == 'true':
                 ldap_obj.start_tls_s()
 
-            # See http://www.python-ldap.org/faq.shtml
-            # uncomment, if required
-            # ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
+            # See https://www.python-ldap.org/en/latest/faq.html
+            if ctx['disable_referrals'] == 'true':
+                ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
 
             ctx['action'] = 'binding as search user'
             ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
@@ -275,6 +276,9 @@ def exit_handler(signal, frame):
     group.add_argument('-s', '--starttls', metavar="starttls",
         default="false",
         help=("Establish a STARTTLS protected session (Default: false)"))
+    group.add_argument('--disable-referrals', metavar="disable_referrals",
+        default="false",
+        help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
     group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
         help="LDAP base dn (Default: unset)")
     group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
@@ -298,6 +302,7 @@ def exit_handler(signal, frame):
              'realm': ('X-Ldap-Realm', args.realm),
              'url': ('X-Ldap-URL', args.url),
              'starttls': ('X-Ldap-Starttls', args.starttls),
+             'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
              'basedn': ('X-Ldap-BaseDN', args.basedn),
              'template': ('X-Ldap-Template', args.filter),
              'binddn': ('X-Ldap-BindDN', args.binddn),
diff --git a/nginx-ldap-auth.conf b/nginx-ldap-auth.conf
@@ -103,6 +103,11 @@ http {
             # Set the LDAP template by uncommenting the following directive.
             #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
 
+            # (May be required if using Microsoft Active Directory and
+            # getting "In order to perform this operation a successful bind
+            # must be completed on the connection." errror)
+            #proxy_set_header X-Ldap-DisableReferrals "true";
+
             # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
             # template by uncommenting the following directive and replacing
             # '(cn=%(username)s)' which is the default set in
