Commit f56178b6 authored by Vladimir Homutov's avatar Vladimir Homutov

Added configuration option to disable referrals.

The option is boolean; the header name is 'X-Ldap-DisableReferrals', the
command-line switch is '--disable-referrals', and the default value is
false.
parent 732eb15f
+8 −3
@@ -149,6 +149,7 @@ class LDAPAuthHandler(AuthHandler):
             'realm': ('X-Ldap-Realm', 'Restricted'),
             'url': ('X-Ldap-URL', None),
             'starttls': ('X-Ldap-Starttls', 'false'),
             'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
             'basedn': ('X-Ldap-BaseDN', None),
             'template': ('X-Ldap-Template', '(cn=%(username)s)'),
             'binddn': ('X-Ldap-BindDN', ''),
@@ -208,9 +209,9 @@ class LDAPAuthHandler(AuthHandler):
            if ctx['starttls'] == 'true':
                ldap_obj.start_tls_s()

            # See http://www.python-ldap.org/faq.shtml
            # uncomment, if required
            # ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
            # See https://www.python-ldap.org/en/latest/faq.html
            if ctx['disable_referrals'] == 'true':
                ldap_obj.set_option(ldap.OPT_REFERRALS, 0)

            ctx['action'] = 'binding as search user'
            ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
@@ -275,6 +276,9 @@ if __name__ == '__main__':
    group.add_argument('-s', '--starttls', metavar="starttls",
        default="false",
        help=("Establish a STARTTLS protected session (Default: false)"))
    group.add_argument('--disable-referrals', metavar="disable_referrals",
        default="false",
        help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
    group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
        help="LDAP base dn (Default: unset)")
    group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
@@ -298,6 +302,7 @@ if __name__ == '__main__':
             'realm': ('X-Ldap-Realm', args.realm),
             'url': ('X-Ldap-URL', args.url),
             'starttls': ('X-Ldap-Starttls', args.starttls),
             'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
             'basedn': ('X-Ldap-BaseDN', args.basedn),
             'template': ('X-Ldap-Template', args.filter),
             'binddn': ('X-Ldap-BindDN', args.binddn),
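Review bot: The test `if ctx['disable_referrals'] == 'true':` is an exact, case-sensitive match, so a header or switch value such as `True`, `1` or `yes` silently leaves referral chasing enabled, with no error or log line. The `--disable-referrals` argument is declared with a metavar and a string default rather than as a flag, so it has to be given as `--disable-referrals true`, which the help text does not say; `help=("Set to 'true' to set ldap.OPT_REFERRALS to zero (Default: false)")` would make that explicit. Normalising at the comparison, `if ctx['disable_referrals'].lower() == 'true':`, would be more forgiving, and the `starttls` check just above follows the same pattern and could be treated alike. The enclosing method and the argument-parser block both start and end outside the hunks shown.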
+5 −0
@@ -103,6 +103,11 @@ http {
            # Set the LDAP template by uncommenting the following directive.
            #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

            # (May be required if using Microsoft Active Directory and
            # getting "In order to perform this operation a successful bind
            # must be completed on the connection." errror)
            #proxy_set_header X-Ldap-DisableReferrals "true";

            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
            # template by uncommenting the following directive and replacing
            # '(cn=%(username)s)' which is the default set in
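Review bot: The new `X-Ldap-DisableReferrals` directive is added commented out, so in the sample configuration nothing pins the value of that header on the request passed to the daemon. If the daemon takes the setting from the forwarded request headers, as the `('X-Ldap-DisableReferrals', 'false')` default entry in the other file suggests, a header of the same name supplied by the client would be forwarded as is; the handler code that reads it is not visible here, so this should be confirmed. Shipping the example with an explicit value, `proxy_set_header X-Ldap-DisableReferrals "";` (nginx does not pass a header whose value is empty) or `"true"` where Active Directory needs it, keeps the choice with the operator. The added comment also misspells "error" as "errror". The surrounding location block starts and ends outside the hunk.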