On 4/18/20 10:28 AM, Srikrishan Malik wrote:
> LDAP library follows referrals received in ldap response by default.
> This commit adds a param ldap_follow_referrals for umich_schema to control
> the behaviour. The default value of this tunable is 'true' i.e set to
> follow referrals. This is similar to nslcd::referrals param.
>
> Signed-off-by: Srikrishan Malik <srikrishanmalik@xxxxxxxxx>
> ---
> support/nfsidmap/idmapd.conf | 3 +++
> support/nfsidmap/idmapd.conf.5 | 3 +++
> support/nfsidmap/umich_ldap.c | 25 ++++++++++++++++++++++++-
> 3 files changed, 30 insertions(+), 1 deletion(-)
Committed... (tag: nfs-utils-2-4-4-rc4) steved.
>
> diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
> index aeeca1bf..2a2f79a1 100644
> --- a/support/nfsidmap/idmapd.conf
> +++ b/support/nfsidmap/idmapd.conf
> @@ -98,6 +98,9 @@ LDAP_base = dc=local,dc=domain,dc=edu
> # absolute search base for groups
> #LDAP_group_base = <LDAP_base>
>
> +# Whether to follow ldap referrals
> +#LDAP_follow_referrals = true
> +
> # Set to true to enable SSL - anything else is not enabled
> #LDAP_use_ssl = false
>
> diff --git a/support/nfsidmap/idmapd.conf.5 b/support/nfsidmap/idmapd.conf.5
> index d2fd3a20..f5b18167 100644
> --- a/support/nfsidmap/idmapd.conf.5
> +++ b/support/nfsidmap/idmapd.conf.5
> @@ -239,6 +239,9 @@ name given as
> .B LDAP_server
> (Default: "true")
> .TP
> +.B LDAP_follow_referrals
> +Whether or not to follow ldap referrals. (Default: "true")
> +.TP
> .B LDAP_use_ssl
> Set to "true" to enable SSL communication with the LDAP server.
> (Default: "false")
> diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
> index d5a7731a..c475d379 100644
> --- a/support/nfsidmap/umich_ldap.c
> +++ b/support/nfsidmap/umich_ldap.c
> @@ -115,6 +115,7 @@ struct umich_ldap_info {
> looking up user groups */
> int ldap_timeout; /* Timeout in seconds for searches
> by ldap_search_st */
> + int follow_referrals; /* whether to follow ldap referrals */
> char *sasl_mech; /* sasl mech to be used */
> char *sasl_realm; /* SASL realm for SASL authentication */
> char *sasl_authcid; /* authentication identity to be used */
> @@ -139,6 +140,7 @@ static struct umich_ldap_info ldap_info = {
> .tls_reqcert = LDAP_OPT_X_TLS_HARD,
> .memberof_for_groups = 0,
> .ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
> + .follow_referrals = 1,
> .sasl_mech = NULL,
> .sasl_realm = NULL,
> .sasl_authcid = NULL,
> @@ -346,6 +348,15 @@ ldap_init_and_bind(LDAP **pld,
> ldap_set_option(ld, LDAP_OPT_SIZELIMIT, (void *)sizelimit);
> }
>
> + lerr = ldap_set_option(ld, LDAP_OPT_REFERRALS,
> + linfo->follow_referrals ? (void *)LDAP_OPT_ON :
> + (void *)LDAP_OPT_OFF);
> + if (lerr != LDAP_SUCCESS) {
> + IDMAP_LOG(2, ("ldap_init_and_bind: setting LDAP_OPT_REFERRALS "
> + "failed: %s (%d)", ldap_err2string(lerr), lerr));
> + goto out;
> + }
> +
> /* Set option to to use SSL/TLS if requested */
> if (linfo->use_ssl) {
> int tls_type = LDAP_OPT_X_TLS_HARD;
> @@ -1310,7 +1321,7 @@ out_err:
> static int
> umichldap_init(void)
> {
> - char *tssl, *canonicalize, *memberof, *cert_req;
> + char *tssl, *canonicalize, *memberof, *cert_req, *follow_referrals;
> char missing_msg[128] = "";
> char *server_in, *canon_name;
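Review bot: The `(void *)` casts on `LDAP_OPT_ON` and `LDAP_OPT_OFF` in the new ldap_set_option() call are redundant, since OpenLDAP already defines both constants as `void *` values, so the argument can simply read `linfo->follow_referrals ? LDAP_OPT_ON : LDAP_OPT_OFF`. The block also deserves a comment saying why chasing is made configurable: with referrals on, the library opens a connection to whatever server the referral names, and unless a rebind procedure has been installed (nothing in this hunk shows one) that follow-up connection is bound anonymously, so a comment such as `/* Referral chasing connects to whatever server a referral names; without a rebind proc that connection is anonymous, so sites that want answers only from LDAP_server should disable it. */` would help the next reader. The failure path jumps to `out`, which lies outside the hunk, and ldap_init_and_bind() both starts before and ends after this hunk, so it is not visible whether a failed option set should abort the whole bind (as the new code does) rather than be logged and continued; a one-line comment stating that choice is worth adding.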
>
> @@ -1378,6 +1389,16 @@ umichldap_init(void)
> ldap_info.sasl_krb5_ccname = conf_get_str(LDAP_SECTION,
> "LDAP_sasl_krb5_ccname");
>
> + follow_referrals = conf_get_str_with_def(LDAP_SECTION,
> + "LDAP_follow_referrals",
> + "true");
> + if ((strcasecmp(follow_referrals, "true") == 0) ||
> + (strcasecmp(follow_referrals, "on") == 0) ||
> + (strcasecmp(follow_referrals, "yes") == 0))
> + ldap_info.follow_referrals = 1;
> + else
> + ldap_info.follow_referrals = 0;
> +
> /* Verify required information is supplied */
> if (server_in == NULL || strlen(server_in) == 0)
> strncat(missing_msg, "LDAP_server ", sizeof(missing_msg)-1);
> @@ -1542,6 +1563,8 @@ umichldap_init(void)
> ldap_info.sasl_canonicalize));
> IDMAP_LOG(1, ("umichldap_init: sasl_krb5_ccname: %s",
> ldap_info.sasl_krb5_ccname));
> + IDMAP_LOG(1, ("umichldap_init: follow_referrals: %s",
> + ldap_info.follow_referrals ? "yes" : "no"));
>
> IDMAP_LOG(1, ("umichldap_init: NFSv4_person_objectclass : %s",
> ldap_map.NFSv4_person_objcls));
>
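Review bot: Any LDAP_follow_referrals value other than "true"/"on"/"yes" silently turns referral chasing off, so a misspelling such as "ture" changes behaviour with no trace in the log; the `else` branch should recognise the explicit negatives and log anything else before assigning 0, as sketched below. The new code also relies on conf_get_str_with_def() returning the supplied default rather than NULL when the key is absent — presumably true given its name, but worth confirming, because strcasecmp() on a NULL pointer is undefined behaviour. umichldap_init() starts and ends outside this hunk, so it is not visible whether the other boolean knobs (tssl, canonicalize, memberof) accept the same spellings; a small shared `parse_bool()` helper would keep the accepted set consistent across all of them.
```c
	/* … unchanged: conf_get_str_with_def() lookup of LDAP_follow_referrals … */
	if ((strcasecmp(follow_referrals, "true") == 0) ||
	    (strcasecmp(follow_referrals, "on") == 0) ||
	    (strcasecmp(follow_referrals, "yes") == 0)) {
		ldap_info.follow_referrals = 1;
	} else {
		/* Anything not an explicit negative is a misconfiguration;
		 * still default to "off", but say so in the log. */
		if ((strcasecmp(follow_referrals, "false") != 0) &&
		    (strcasecmp(follow_referrals, "off") != 0) &&
		    (strcasecmp(follow_referrals, "no") != 0))
			IDMAP_LOG(1, ("umichldap_init: unrecognized "
				      "LDAP_follow_referrals value '%s', "
				      "treating as false", follow_referrals));
		ldap_info.follow_referrals = 0;
	}
```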