diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index 723c769788428a7e59fb3228f4d52444a5117fb9..af52cfb6e748bbf5af1625dbc01060697f74f2a7 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -238,6 +238,9 @@ $config = array(
 // The default is 0, which means no timeout.
 'timeout' => 0,
 
+ // Set whether to follow referrals. AD Controllers may require FALSE to function.
+ 'referrals' => TRUE,
+
 // Which attributes should be retrieved from the LDAP server.
 // This can be an array of attribute names, or NULL, in which case
 // all attributes are fetched.
diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php
index e1cc2282af340b4206d9a9a0aa61ba8434f57cf2..3d07640db59145de7c2ae6fce47dbae7a20b7d47 100644
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -49,16 +49,18 @@ class SimpleSAML_Auth_LDAP {
 * @param bool $debug
 * @param int $timeout
 * @param int $port
+ * @param bool $referrals
 */
 // TODO: Flesh out documentation.
- public function __construct($hostname, $enable_tls = TRUE, $debug = FALSE, $timeout = 0, $port = 389) {
+ public function __construct($hostname, $enable_tls = TRUE, $debug = FALSE, $timeout = 0, $port = 389, $referrals = TRUE) {
 
 // Debug.
 SimpleSAML_Logger::debug('Library - LDAP __construct(): Setup LDAP with ' .
 'host=\'' . $hostname . '\', tls=' . var_export($enable_tls, true) .
 ', debug=' . var_export($debug, true) .
- ', timeout=' . var_export($timeout, true));
+ ', timeout=' . var_export($timeout, true) .
+ ', referrals=' . var_export($referrals, true));
 
 /*
 * Set debug level before calling connect. Note that this passes
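Review bot: The new comment above `'referrals' => TRUE,` tells an administrator only that Active Directory may need FALSE; it does not say what TRUE makes the client do, which is the half an operator needs to judge the setting. By definition a referral names another directory host, so a client that follows referrals will open connections to whatever hosts the server hands back, and that is worth stating next to a default of TRUE. Suggested wording: `// Whether the LDAP client follows referrals returned by the server. When TRUE the client connects to any host named in a referral; Active Directory controllers commonly require FALSE to function.` Whether such a follow-up connection honours `enable_tls` is decided by the LDAP library rather than by this option, so the comment should not promise it.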
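Review bot: The added `* @param bool $referrals` line carries no description, and since this constructor is where the flag is turned into an LDAP option, the docblock is the only place a caller can learn whether TRUE means "chase referrals" or "hand them back". The debug line later in the hunk already prints the value with `var_export`, so documentation is the only gap; suggest `* @param bool $referrals Whether the LDAP library should follow referrals returned by the server (LDAP_OPT_REFERRALS). Defaults to TRUE; Active Directory deployments typically need FALSE.` Because the option was never set before this change, TRUE presumably reproduces the library's previous default behaviour, but that is an inference rather than something the hunk shows, so the docblock should not claim it outright. The body of `__construct` continues past the end of this hunk.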
@@ -81,6 +83,10 @@ class SimpleSAML_Auth_LDAP {
 if (!@ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION, 3))
 throw $this->makeException('Library - LDAP __construct(): Failed to set LDAP Protocol version (LDAP_OPT_PROTOCOL_VERSION) to 3', ERR_INTERNAL);
 
+ /* Set referral option */
+ if (!@ldap_set_option($this->ldap, LDAP_OPT_REFERRALS, $referrals))
+ throw $this->makeException('Library - LDAP __construct(): Failed to set LDAP Referrals (LDAP_OPT_REFERRALS) to '.$referrals, ERR_INTERNAL);
+
 // Set timeouts, if supported.
 // (OpenLDAP 2.x.x or Netscape Directory SDK x.x needed).
 $this->timeout = $timeout;
diff --git a/modules/ldap/lib/ConfigHelper.php b/modules/ldap/lib/ConfigHelper.php
index f9aef64dbcfd0fe9f879aca413cfbd1d7d1b06aa..742997ba96bfcc1f2d1fd37c4c58af5363ed2bdc 100644
--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
@@ -46,6 +46,11 @@ class sspmod_ldap_ConfigHelper {
 */
 private $timeout;
 
+ /**
+ * Whether to follow referrals
+ */
+ private $referrals;
+
 /**
 * Whether we need to search for the users DN.
@@ -126,6 +131,7 @@ class sspmod_ldap_ConfigHelper {
 $this->enableTLS = $config->getBoolean('enable_tls', FALSE);
 $this->debug = $config->getBoolean('debug', FALSE);
 $this->timeout = $config->getInteger('timeout', 0);
+ $this->referrals = $config->getBoolean('referrals', TRUE);
 $this->searchEnable = $config->getBoolean('search.enable', FALSE);
 $this->privRead = $config->getBoolean('priv.read', FALSE);
@@ -172,7 +178,7 @@ class sspmod_ldap_ConfigHelper {
 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
 }
 
- $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout);
+ $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout, 389, $this->referrals);
 
 if (!$this->searchEnable) {
 $ldapusername = addcslashes($username, ',+"\\<>;*');
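Review bot: The new throw concatenates `$referrals` straight into the message, and PHP renders a boolean FALSE as an empty string, so in the very case the config template points people at (Active Directory with referrals disabled) a failure reads `... (LDAP_OPT_REFERRALS) to ` with nothing after it. The constructor's debug log already formats the same value with `var_export`, so the fix is to match it: `throw $this->makeException('Library - LDAP __construct(): Failed to set LDAP Referrals (LDAP_OPT_REFERRALS) to ' . var_export($referrals, true), ERR_INTERNAL);`. Since `ldap_set_option` is called under `@`, this message is the only diagnostic an operator gets when the option is rejected, which makes readability matter more than usual here. `__construct` begins and ends outside this hunk.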
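Review bot: The rewritten `new SimpleSAML_Auth_LDAP(...)` line passes a literal `389` only to reach the new trailing `$referrals` argument, and the same literal is repeated at the two other call sites changed later in this file, so a port that used to come from one constructor default is now hard-coded in three places. Centralising the construction in one private helper keeps the three sites identical and leaves a single line to touch if a port option is ever read from the config. The call in this hunk would become `$ldap = $this->newLdapConnection();`, with the helper below added to the class; the enclosing method starts and ends outside this hunk.
```php
	/**
	 * Build an LDAP connection from this helper's settings.
	 * The port stays at the SimpleSAML_Auth_LDAP default (389) because no
	 * port option is read from the authsource config.
	 */
	private function newLdapConnection() {
		return new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS,
			$this->debug, $this->timeout, 389, $this->referrals);
	}
	// … unchanged: remaining methods of sspmod_ldap_ConfigHelper …
```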
@@ -239,7 +245,9 @@ class sspmod_ldap_ConfigHelper {
 $ldap = new SimpleSAML_Auth_LDAP($this->hostname,
 $this->enableTLS,
 $this->debug,
- $this->timeout);
+ $this->timeout,
+ 389,
+ $this->referrals);
 
 if ($attribute == NULL)
 $attribute = $this->searchAttributes;
@@ -255,7 +263,9 @@ class sspmod_ldap_ConfigHelper {
 $ldap = new SimpleSAML_Auth_LDAP($this->hostname,
 $this->enableTLS,
 $this->debug,
- $this->timeout);
+ $this->timeout,
+ 389,
+ $this->referrals);
 
 return $ldap->getAttributes($dn, $attributes);
 }