Added configuration option to disable referrals.

The options is boolean, header name is 'X-Ldap-DisableReferrals' and the command-line switch is '--disable-referrals', default value is false.
2018-08-20 12:31:55 +03:00 · 2018-08-20 12:31:55 +03:00 · f56178b6ee
parent 732eb15f07
commit f56178b6ee
2 changed files with 13 additions and 3 deletions
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@ -149,6 +149,7 @@ class LDAPAuthHandler(AuthHandler):
             'realm': ('X-Ldap-Realm', 'Restricted'),
             'url': ('X-Ldap-URL', None),
             'starttls': ('X-Ldap-Starttls', 'false'),
+             'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
             'basedn': ('X-Ldap-BaseDN', None),
             'template': ('X-Ldap-Template', '(cn=%(username)s)'),
             'binddn': ('X-Ldap-BindDN', ''),
@ -208,9 +209,9 @@ class LDAPAuthHandler(AuthHandler):
            if ctx['starttls'] == 'true':
                ldap_obj.start_tls_s()

-            # See http://www.python-ldap.org/faq.shtml
-            # uncomment, if required
-            # ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
+            # See https://www.python-ldap.org/en/latest/faq.html
+            if ctx['disable_referrals'] == 'true':
+                ldap_obj.set_option(ldap.OPT_REFERRALS, 0)

            ctx['action'] = 'binding as search user'
            ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
@ -275,6 +276,9 @@ if __name__ == '__main__':
    group.add_argument('-s', '--starttls', metavar="starttls",
        default="false",
        help=("Establish a STARTTLS protected session (Default: false)"))
+    group.add_argument('--disable-referrals', metavar="disable_referrals",
+        default="false",
+        help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
    group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
        help="LDAP base dn (Default: unset)")
    group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
@ -298,6 +302,7 @@ if __name__ == '__main__':
             'realm': ('X-Ldap-Realm', args.realm),
             'url': ('X-Ldap-URL', args.url),
             'starttls': ('X-Ldap-Starttls', args.starttls),
+             'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
             'basedn': ('X-Ldap-BaseDN', args.basedn),
             'template': ('X-Ldap-Template', args.filter),
             'binddn': ('X-Ldap-BindDN', args.binddn),
--- a/nginx-ldap-auth.conf
+++ b/nginx-ldap-auth.conf
@ -103,6 +103,11 @@ http {
            # Set the LDAP template by uncommenting the following directive.
            #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";

+            # (May be required if using Microsoft Active Directory and
+            # getting "In order to perform this operation a successful bind
+            # must be completed on the connection." errror)
+            #proxy_set_header X-Ldap-DisableReferrals "true";
+
            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
            # template by uncommenting the following directive and replacing
            # '(cn=%(username)s)' which is the default set in