#
# Generic valuepair attribute
#
-
+
# If set, this will attribute will be retrieved in addition to any
# mapped attributes.
#
#
# Mapping of LDAP directory attributes to RADIUS dictionary attributes.
#
-
+
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
# control:Auth-Type := ldap
# }
# }
-
+
#
# User object identification.
#
# These options set timeouts, keep-alives, etc. for the connections.
#
options {
+ # Control under which situations aliases are followed.
+ # May be one of 'never', 'searching', 'finding' or 'always'
+ # default: libldap's default which is usually 'never'.
+ #
+ # LDAP_OPT_DEREF is set to this value.
+# dereference = 'always'
+
#
- # The following two configuration items are for Active Directory
- # compatibility. If you set these to "no", then searches
- # will likely return "operations error", instead of a
- # useful result.
+ # The following two configuration items control whether the
+ # server follows references returned by LDAP directory.
+ # They are mostly for Active Directory compatibility.
+ # If you set these to "no", then searches will likely return
+ # "operations error", instead of a useful result.
#
chase_referrals = yes
rebind = yes
}
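Review bot: The comment added above `dereference` in the `options` block lists the accepted values but says nothing about their effect on lookups. With 'searching' or 'always', an alias entry under the search base can make a user or group search return an object stored outside that base. I would add a line before the commented example, such as `# Following aliases can make searches return entries stored outside the search base.`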
/*
+ * Leave "dereference" unset to use the OpenLDAP default.
+ */
+ if (inst->dereference_str) {
+ do_ldap_option(LDAP_OPT_DEREF, "dereference", &(inst->dereference));
+ }
+
+ /*
* Leave "chase_referrals" unset to use the OpenLDAP default.
*/
if (!inst->chase_referrals_unset) {
//!< directory.
char const *password; //!< Password used in administrative bind.
+ char const *dereference_str; //!< When to dereference (never, searching, finding, always)
+ int dereference; //!< libldap value specifying dereferencing behaviour.
+
bool chase_referrals; //!< If the LDAP server returns a referral to another server
//!< or point in the tree, follow it, establishing new
//!< connections and binding where necessary.
};
#endif
+FR_NAME_NUMBER const ldap_dereference[] = {
+ { "never", LDAP_DEREF_NEVER },
+ { "searching", LDAP_DEREF_SEARCHING },
+ { "finding", LDAP_DEREF_FINDING },
+ { "always", LDAP_DEREF_ALWAYS }
+
+ { NULL , -1 }
+};
+
/*
* TLS Configuration
*/
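Review bot: The new `ldap_dereference` table will not compile as written, because the `{ "always", LDAP_DEREF_ALWAYS }` entry has no trailing comma before the `{ NULL , -1 }` terminator. The line should read `{ "always", LDAP_DEREF_ALWAYS },`. The table is also defined without `static`, and no header declaration for it is visible in this diff. If it is only referenced from this file, `static` would keep it out of the global namespace.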
*/
{ "ldap_debug", FR_CONF_OFFSET(PW_TYPE_INTEGER, ldap_instance_t, ldap_debug), "0x0000" },
+ { "dereference", FR_CONF_OFFSET(PW_TYPE_STRING, ldap_instance_t, dereference_str), NULL },
+
{ "chase_referrals", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, ldap_instance_t, chase_referrals), NULL },
{ "rebind", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, ldap_instance_t, rebind), NULL },
}
#endif
+ /*
+ * Convert dereference strings to enumerated constants
+ */
+ inst->dereference = fr_str2int(ldap_scope, inst->dereference_str, -1);
+ if (inst->dereference < 0) {
+ LDAP_ERR("Invalid 'dereference' value \"%s\", expected 'never', 'searching', 'finding' or 'always'",
+ inst->dereference_str);
+ goto error;
+ }
+
#if LDAP_SET_REBIND_PROC_ARGS != 3
/*
* The 2-argument rebind doesn't take an instance variable. Our rebind function needs the instance
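Review bot: The added conversion looks the string up in `ldap_scope` rather than the `ldap_dereference` table this commit introduces, so 'never', 'searching', 'finding' and 'always' are probably all rejected (the contents of `ldap_scope` are not visible here). It also runs when the option is not configured, and the parser entry defaults `dereference_str` to NULL. In that case the lookup yields the -1 default (or dereferences NULL, depending on `fr_str2int`), NULL is passed to the `%s` in `LDAP_ERR`, and instantiation takes the `goto error` path. The connection code already guards with `if (inst->dereference_str)`; the same guard belongs here, around `inst->dereference = fr_str2int(ldap_dereference, inst->dereference_str, -1);` and its range check. The enclosing function starts and ends outside this hunk.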