2020-04-18 14:29:43

by Srikrishan Malik

Subject: [PATCH] nfsidmap:umich_ldap: Add tunable to control action for ldap referrals.

The LDAP library follows referrals received in an LDAP response by default.
This commit adds a parameter ldap_follow_referrals for umich_schema to control
that behaviour. The default value of this tunable is 'true', i.e. set to
follow referrals. This is similar to the nslcd::referrals parameter.

Signed-off-by: Srikrishan Malik <[email protected]>
---
support/nfsidmap/idmapd.conf | 3 +++
support/nfsidmap/idmapd.conf.5 | 3 +++
support/nfsidmap/umich_ldap.c | 25 ++++++++++++++++++++++++-
3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
index aeeca1bf..2a2f79a1 100644
--- a/support/nfsidmap/idmapd.conf
+++ b/support/nfsidmap/idmapd.conf
@@ -98,6 +98,9 @@ LDAP_base = dc=local,dc=domain,dc=edu
# absolute search base for groups
#LDAP_group_base = <LDAP_base>

+# Whether to follow ldap referrals
+#LDAP_follow_referrals = true
+
# Set to true to enable SSL - anything else is not enabled
#LDAP_use_ssl = false

diff --git a/support/nfsidmap/idmapd.conf.5 b/support/nfsidmap/idmapd.conf.5
index d2fd3a20..f5b18167 100644
--- a/support/nfsidmap/idmapd.conf.5
+++ b/support/nfsidmap/idmapd.conf.5
@@ -239,6 +239,9 @@ name given as
.B LDAP_server
(Default: "true")
.TP
+.B LDAP_follow_referrals
+Whether or not to follow ldap referrals. (Default: "true")
+.TP
.B LDAP_use_ssl
Set to "true" to enable SSL communication with the LDAP server.
(Default: "false")
diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
index d5a7731a..c475d379 100644
--- a/support/nfsidmap/umich_ldap.c
+++ b/support/nfsidmap/umich_ldap.c
@@ -115,6 +115,7 @@ struct umich_ldap_info {
looking up user groups */
int ldap_timeout; /* Timeout in seconds for searches
by ldap_search_st */
+ int follow_referrals; /* whether to follow ldap referrals */
char *sasl_mech; /* sasl mech to be used */
char *sasl_realm; /* SASL realm for SASL authentication */
char *sasl_authcid; /* authentication identity to be used */
@@ -139,6 +140,7 @@ static struct umich_ldap_info ldap_info = {
.tls_reqcert = LDAP_OPT_X_TLS_HARD,
.memberof_for_groups = 0,
.ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
+ .follow_referrals = 1,
.sasl_mech = NULL,
.sasl_realm = NULL,
.sasl_authcid = NULL,
@@ -346,6 +348,15 @@ ldap_init_and_bind(LDAP **pld,
ldap_set_option(ld, LDAP_OPT_SIZELIMIT, (void *)sizelimit);
}

+ lerr = ldap_set_option(ld, LDAP_OPT_REFERRALS,
+ linfo->follow_referrals ? (void *)LDAP_OPT_ON :
+ (void *)LDAP_OPT_OFF);
+ if (lerr != LDAP_SUCCESS) {
+ IDMAP_LOG(2, ("ldap_init_and_bind: setting LDAP_OPT_REFERRALS "
+ "failed: %s (%d)", ldap_err2string(lerr), lerr));
+ goto out;
+ }
+
/* Set option to to use SSL/TLS if requested */
if (linfo->use_ssl) {
int tls_type = LDAP_OPT_X_TLS_HARD;
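Review bot: The new ldap_set_option(LDAP_OPT_REFERRALS, ...) call carries no comment on what following a referral means for an identity-mapping client, and that is what an administrator turning this knob needs to know: a followed referral opens a further connection to whichever server the directory names in its response, and, as far as I recall of libldap, that connection is bound anonymously unless ldap_set_rebind_proc() has been installed — worth confirming and stating. I would add above the call `/* Follow LDAP referrals unless LDAP_follow_referrals is off; a followed referral connects to the server named in the response, so the id mapping result then depends on that server as well */`. The error path matches the other ldap_set_option checks (log, then goto out); the unchecked LDAP_OPT_SIZELIMIT call just above is pre-existing. ldap_init_and_bind begins outside this hunk.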
@@ -1310,7 +1321,7 @@ out_err:
static int
umichldap_init(void)
{
- char *tssl, *canonicalize, *memberof, *cert_req;
+ char *tssl, *canonicalize, *memberof, *cert_req, *follow_referrals;
char missing_msg[128] = "";
char *server_in, *canon_name;

@@ -1378,6 +1389,16 @@ umichldap_init(void)
ldap_info.sasl_krb5_ccname = conf_get_str(LDAP_SECTION,
"LDAP_sasl_krb5_ccname");

+ follow_referrals = conf_get_str_with_def(LDAP_SECTION,
+ "LDAP_follow_referrals",
+ "true");
+ if ((strcasecmp(follow_referrals, "true") == 0) ||
+ (strcasecmp(follow_referrals, "on") == 0) ||
+ (strcasecmp(follow_referrals, "yes") == 0))
+ ldap_info.follow_referrals = 1;
+ else
+ ldap_info.follow_referrals = 0;
+
/* Verify required information is supplied */
if (server_in == NULL || strlen(server_in) == 0)
strncat(missing_msg, "LDAP_server ", sizeof(missing_msg)-1);
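Review bot: Any LDAP_follow_referrals value that is not one of true/on/yes silently disables referral following, so a typo such as `treu` flips a security-relevant default with no log line, and the man-page hunk documents only the default, not which spellings are accepted. If this tree has conf_get_bool() in conffile.h, the block collapses to `ldap_info.follow_referrals = conf_get_bool(LDAP_SECTION, "LDAP_follow_referrals", true);` and inherits the shared boolean parsing; otherwise an unrecognised value should at least be logged at the same level as the other configuration warnings before falling back to off. The same three-way strcasecmp pattern is presumably used for tssl, canonicalize and memberof earlier in umichldap_init, which argues for one shared helper rather than a fourth copy. umichldap_init's body continues before and after this hunk.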
@@ -1542,6 +1563,8 @@ umichldap_init(void)
ldap_info.sasl_canonicalize));
IDMAP_LOG(1, ("umichldap_init: sasl_krb5_ccname: %s",
ldap_info.sasl_krb5_ccname));
+ IDMAP_LOG(1, ("umichldap_init: follow_referrals: %s",
+ ldap_info.follow_referrals ? "yes" : "no"));

IDMAP_LOG(1, ("umichldap_init: NFSv4_person_objectclass : %s",
ldap_map.NFSv4_person_objcls));
--
2.25.1


2020-05-08 14:13:13

by Steve Dickson

Subject: Re: [PATCH] nfsidmap:umich_ldap: Add tunable to control action for ldap referrals.



On 4/18/20 10:28 AM, Srikrishan Malik wrote:
> LDAP library follows referrals received in ldap response by default.
> This commit adds a param ldap_follow_referrals for umich_schema to control
> the behaviour. The default value of this tunable is 'true' i.e set to
> follow referrals. This is similar to nslcd::referrals param.
>
> Signed-off-by: Srikrishan Malik <[email protected]>
> ---
> support/nfsidmap/idmapd.conf | 3 +++
> support/nfsidmap/idmapd.conf.5 | 3 +++
> support/nfsidmap/umich_ldap.c | 25 ++++++++++++++++++++++++-
> 3 files changed, 30 insertions(+), 1 deletion(-)
Committed... (tag: nfs-utils-2-4-4-rc4)

steved.
>
> diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
> index aeeca1bf..2a2f79a1 100644
> --- a/support/nfsidmap/idmapd.conf
> +++ b/support/nfsidmap/idmapd.conf
> @@ -98,6 +98,9 @@ LDAP_base = dc=local,dc=domain,dc=edu
> # absolute search base for groups
> #LDAP_group_base = <LDAP_base>
>
> +# Whether to follow ldap referrals
> +#LDAP_follow_referrals = true
> +
> # Set to true to enable SSL - anything else is not enabled
> #LDAP_use_ssl = false
>
> diff --git a/support/nfsidmap/idmapd.conf.5 b/support/nfsidmap/idmapd.conf.5
> index d2fd3a20..f5b18167 100644
> --- a/support/nfsidmap/idmapd.conf.5
> +++ b/support/nfsidmap/idmapd.conf.5
> @@ -239,6 +239,9 @@ name given as
> .B LDAP_server
> (Default: "true")
> .TP
> +.B LDAP_follow_referrals
> +Whether or not to follow ldap referrals. (Default: "true")
> +.TP
> .B LDAP_use_ssl
> Set to "true" to enable SSL communication with the LDAP server.
> (Default: "false")
> diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
> index d5a7731a..c475d379 100644
> --- a/support/nfsidmap/umich_ldap.c
> +++ b/support/nfsidmap/umich_ldap.c
> @@ -115,6 +115,7 @@ struct umich_ldap_info {
> looking up user groups */
> int ldap_timeout; /* Timeout in seconds for searches
> by ldap_search_st */
> + int follow_referrals; /* whether to follow ldap referrals */
> char *sasl_mech; /* sasl mech to be used */
> char *sasl_realm; /* SASL realm for SASL authentication */
> char *sasl_authcid; /* authentication identity to be used */
> @@ -139,6 +140,7 @@ static struct umich_ldap_info ldap_info = {
> .tls_reqcert = LDAP_OPT_X_TLS_HARD,
> .memberof_for_groups = 0,
> .ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
> + .follow_referrals = 1,
> .sasl_mech = NULL,
> .sasl_realm = NULL,
> .sasl_authcid = NULL,
> @@ -346,6 +348,15 @@ ldap_init_and_bind(LDAP **pld,
> ldap_set_option(ld, LDAP_OPT_SIZELIMIT, (void *)sizelimit);
> }
>
> + lerr = ldap_set_option(ld, LDAP_OPT_REFERRALS,
> + linfo->follow_referrals ? (void *)LDAP_OPT_ON :
> + (void *)LDAP_OPT_OFF);
> + if (lerr != LDAP_SUCCESS) {
> + IDMAP_LOG(2, ("ldap_init_and_bind: setting LDAP_OPT_REFERRALS "
> + "failed: %s (%d)", ldap_err2string(lerr), lerr));
> + goto out;
> + }
> +
> /* Set option to to use SSL/TLS if requested */
> if (linfo->use_ssl) {
> int tls_type = LDAP_OPT_X_TLS_HARD;
> @@ -1310,7 +1321,7 @@ out_err:
> static int
> umichldap_init(void)
> {
> - char *tssl, *canonicalize, *memberof, *cert_req;
> + char *tssl, *canonicalize, *memberof, *cert_req, *follow_referrals;
> char missing_msg[128] = "";
> char *server_in, *canon_name;
>
> @@ -1378,6 +1389,16 @@ umichldap_init(void)
> ldap_info.sasl_krb5_ccname = conf_get_str(LDAP_SECTION,
> "LDAP_sasl_krb5_ccname");
>
> + follow_referrals = conf_get_str_with_def(LDAP_SECTION,
> + "LDAP_follow_referrals",
> + "true");
> + if ((strcasecmp(follow_referrals, "true") == 0) ||
> + (strcasecmp(follow_referrals, "on") == 0) ||
> + (strcasecmp(follow_referrals, "yes") == 0))
> + ldap_info.follow_referrals = 1;
> + else
> + ldap_info.follow_referrals = 0;
> +
> /* Verify required information is supplied */
> if (server_in == NULL || strlen(server_in) == 0)
> strncat(missing_msg, "LDAP_server ", sizeof(missing_msg)-1);
> @@ -1542,6 +1563,8 @@ umichldap_init(void)
> ldap_info.sasl_canonicalize));
> IDMAP_LOG(1, ("umichldap_init: sasl_krb5_ccname: %s",
> ldap_info.sasl_krb5_ccname));
> + IDMAP_LOG(1, ("umichldap_init: follow_referrals: %s",
> + ldap_info.follow_referrals ? "yes" : "no"));
>
> IDMAP_LOG(1, ("umichldap_init: NFSv4_person_objectclass : %s",
> ldap_map.NFSv4_person_objcls));
>