From 0523c4a1859871fc741f45073239aea7d88bcab2 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 26 Oct 2012 10:31:03 +0000
Subject: [PATCH] ldap: Add option to disable following referrals.

Thanks to Daniel Tsosie for implementing this!

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3196 44740490-163a-0410-bde0-09ae8108e29a
---
 config-templates/authsources.php  |  3 +++
 lib/SimpleSAML/Auth/LDAP.php      | 10 ++++++++--
 modules/ldap/lib/ConfigHelper.php | 16 +++++++++++++---
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index 723c76978..af52cfb6e 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -238,6 +238,9 @@ $config = array(
 		// The default is 0, which means no timeout.
 		'timeout' => 0,
 
+		// Set whether to follow referrals. AD Controllers may require FALSE to function.
+		'referrals' => TRUE,
+
 		// Which attributes should be retrieved from the LDAP server.
 		// This can be an array of attribute names, or NULL, in which case
 		// all attributes are fetched.
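Review bot: The new `referrals` comment gives only the Active Directory interoperability reason and says nothing about what following a referral means for the client, which is the part an operator hardening this authsource needs. With referral chasing on, the LDAP library can be redirected to a different directory server named by the referral response; whether the bind and TLS settings configured here carry over to that second connection is library-dependent and not something this template can promise, so the safe default for a deployment that does not need it is to turn it off. I would expand the comment to: `// Set whether to follow LDAP referrals. When TRUE the client may be redirected to other directory servers named in the referral, so leave this FALSE unless your directory relies on it. AD Controllers may require FALSE to function.` The template keeps TRUE as the default, which matches the library default but is the more permissive choice.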
diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php
index e1cc2282a..3d07640db 100644
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -49,16 +49,18 @@ class SimpleSAML_Auth_LDAP {
 	 * @param bool $debug
 	 * @param int $timeout
 	 * @param int $port
+	 * @param bool $referrals
 	 */
 	// TODO: Flesh out documentation.
-	public function __construct($hostname, $enable_tls = TRUE, $debug = FALSE, $timeout = 0, $port = 389) {
+	public function __construct($hostname, $enable_tls = TRUE, $debug = FALSE, $timeout = 0, $port = 389, $referrals = TRUE) {
 
 		// Debug.
 		SimpleSAML_Logger::debug('Library - LDAP __construct(): Setup LDAP with ' .
 			'host=\'' . $hostname .
 			'\', tls=' . var_export($enable_tls, true) .
 			', debug=' . var_export($debug, true) .
-			', timeout=' . var_export($timeout, true));
+			', timeout=' . var_export($timeout, true) .
+			', referrals=' . var_export($referrals, true));
 
 		/*
 		 * Set debug level before calling connect. Note that this passes
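Review bot: The new `@param bool $referrals` line has no description, while the parameter's effect (it is passed straight to LDAP_OPT_REFERRALS later in the constructor) and the reason a caller would set it are not obvious from the name. I would write `@param bool $referrals Whether the library may follow LDAP referrals (LDAP_OPT_REFERRALS). Set FALSE for Active Directory, which typically returns referrals that cannot be chased.` Appending the parameter after `$port` keeps existing positional callers working, which is the right choice here. The constructor body continues past the end of this hunk.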
@@ -81,6 +83,10 @@ class SimpleSAML_Auth_LDAP {
 		if (!@ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION, 3))
 			throw $this->makeException('Library - LDAP __construct(): Failed to set LDAP Protocol version (LDAP_OPT_PROTOCOL_VERSION) to 3', ERR_INTERNAL);
 
+		/* Set referral option */
+		if (!@ldap_set_option($this->ldap, LDAP_OPT_REFERRALS, $referrals))
+			throw $this->makeException('Library - LDAP __construct(): Failed to set LDAP Referrals (LDAP_OPT_REFERRALS) to '.$referrals, ERR_INTERNAL);
+
 		// Set timeouts, if supported.
 		// (OpenLDAP 2.x.x or Netscape Directory SDK x.x needed).
 		$this->timeout = $timeout;
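Review bot: The exception message on the new `LDAP_OPT_REFERRALS` branch concatenates `$referrals` as a string, so when the option being set is FALSE the message reads `... (LDAP_OPT_REFERRALS) to ` with nothing after "to", which is exactly the case the option was introduced for. The debug line earlier in the constructor already uses `var_export($referrals, true)` for this value; the throw should do the same: `throw $this->makeException('Library - LDAP __construct(): Failed to set LDAP Referrals (LDAP_OPT_REFERRALS) to ' . var_export($referrals, true), ERR_INTERNAL);`. The `@`-suppressed call followed by a throw matches the surrounding protocol-version check, so the control flow itself is consistent with the file. The constructor body starts and ends outside this hunk.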
diff --git a/modules/ldap/lib/ConfigHelper.php b/modules/ldap/lib/ConfigHelper.php
index f9aef64db..742997ba9 100644
--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
@@ -46,6 +46,11 @@ class sspmod_ldap_ConfigHelper {
 	 */
 	private $timeout;
 
+	/**
+	 * Whether to follow referrals
+	 */
+	private $referrals;
+
 
 	/**
 	 * Whether we need to search for the users DN.
@@ -126,6 +131,7 @@ class sspmod_ldap_ConfigHelper {
 		$this->enableTLS = $config->getBoolean('enable_tls', FALSE);
 		$this->debug = $config->getBoolean('debug', FALSE);
 		$this->timeout = $config->getInteger('timeout', 0);
+		$this->referrals = $config->getBoolean('referrals', TRUE);
 		$this->searchEnable = $config->getBoolean('search.enable', FALSE);
 		$this->privRead = $config->getBoolean('priv.read', FALSE);
 
@@ -172,7 +178,7 @@ class sspmod_ldap_ConfigHelper {
 			throw new SimpleSAML_Error_Error('WRONGUSERPASS');
 		}
 
-		$ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout);
+		$ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout, 389, $this->referrals);
 
 		if (!$this->searchEnable) {
 			$ldapusername = addcslashes($username, ',+"\\<>;*');
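Review bot: The updated call hard-codes the port as the literal `389` purely to reach the new trailing `$referrals` argument, and the same literal is repeated in the two other `new SimpleSAML_Auth_LDAP(...)` sites changed by this commit. That couples three call sites to the constructor's current default and silently diverges from it if that default ever changes, and it makes the config helper appear to choose a port it does not actually configure. Since PHP of this era has no named arguments, I would hold the value once, e.g. a `private $port = 389;` on sspmod_ldap_ConfigHelper with a short comment that it mirrors the SimpleSAML_Auth_LDAP default, and pass `$this->port` at all three sites. The enclosing method starts before and ends after this hunk.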
@@ -239,7 +245,9 @@ class sspmod_ldap_ConfigHelper {
 		$ldap = new SimpleSAML_Auth_LDAP($this->hostname,
 			$this->enableTLS,
 			$this->debug,
-			$this->timeout);
+			$this->timeout,
+			389,
+			$this->referrals);
 
 		if ($attribute == NULL)
 			$attribute = $this->searchAttributes;
@@ -255,7 +263,9 @@ class sspmod_ldap_ConfigHelper {
 		$ldap = new SimpleSAML_Auth_LDAP($this->hostname,
 			$this->enableTLS,
 			$this->debug,
-			$this->timeout);
+			$this->timeout,
+			389,
+			$this->referrals);
 
 		return $ldap->getAttributes($dn, $attributes);
 	}
-- 
GitLab