From f56178b6ee1ae29f4e0b81f88d58cfff7217b039 Mon Sep 17 00:00:00 2001
From: Vladimir Homutov <vl.homutov@gmail.com>
Date: Mon, 20 Aug 2018 12:31:55 +0300
Subject: [PATCH] Added configuration option to disable referrals.

The option is boolean, the header name is 'X-Ldap-DisableReferrals' and
the command-line switch is '--disable-referrals'; the default value is
false.
---
 nginx-ldap-auth-daemon.py | 11 ++++++++---
 nginx-ldap-auth.conf      |  5 +++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index da6f4a7..46daf3b 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -149,6 +149,7 @@ class LDAPAuthHandler(AuthHandler):
              'realm': ('X-Ldap-Realm', 'Restricted'),
              'url': ('X-Ldap-URL', None),
              'starttls': ('X-Ldap-Starttls', 'false'),
+             'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
              'basedn': ('X-Ldap-BaseDN', None),
              'template': ('X-Ldap-Template', '(cn=%(username)s)'),
              'binddn': ('X-Ldap-BindDN', ''),
@@ -208,9 +209,9 @@ class LDAPAuthHandler(AuthHandler):
             if ctx['starttls'] == 'true':
                 ldap_obj.start_tls_s()
 
-            # See http://www.python-ldap.org/faq.shtml
-            # uncomment, if required
-            # ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
+            # See https://www.python-ldap.org/en/latest/faq.html
+            if ctx['disable_referrals'] == 'true':
+                ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
 
             ctx['action'] = 'binding as search user'
             ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
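Review bot: The new test `ctx['disable_referrals'] == 'true'` fires only for the exact lowercase string, so a header or flag value such as "True" or "1" silently leaves referral chasing enabled, which is hard to diagnose for a setting whose whole purpose is to work around a bind failure. That mirrors the `starttls` comparison just above it, so if the strict form is intentional it should at least be visible in the log; otherwise normalise once, assuming the value is always a string as the defaults suggest: `if ctx['disable_referrals'].strip().lower() == 'true':`. The replacement comment also lost the explanatory context the old one carried; something like `# Disable referral chasing (X-Ldap-DisableReferrals / --disable-referrals); see the FAQ link for why AD setups need it` would tell a reader what the option is for. The enclosing method starts and ends outside this hunk.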
@@ -275,6 +276,9 @@ if __name__ == '__main__':
     group.add_argument('-s', '--starttls', metavar="starttls",
         default="false",
         help=("Establish a STARTTLS protected session (Default: false)"))
+    group.add_argument('--disable-referrals', metavar="disable_referrals",
+        default="false",
+        help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
     group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
         help="LDAP base dn (Default: unset)")
     group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
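Review bot: `--disable-referrals` accepts any string and only the literal "true" has an effect later, so a mistyped value is accepted at startup and silently does nothing; adding `choices=("true", "false")` to the `add_argument` call makes argparse reject it at parse time. The existing `--starttls` option has the same shape, so either apply the validation to both for consistency or document in the help text that only "true" enables the behaviour. The help string also names the python-ldap constant rather than the effect an operator sees, e.g. `help="Disable LDAP referral chasing (Default: false)"` reads more clearly than `Sets ldap.OPT_REFERRALS to zero`. The surrounding `__main__` block continues outside this hunk.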
@@ -298,6 +302,7 @@ if __name__ == '__main__':
              'realm': ('X-Ldap-Realm', args.realm),
              'url': ('X-Ldap-URL', args.url),
              'starttls': ('X-Ldap-Starttls', args.starttls),
+             'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
              'basedn': ('X-Ldap-BaseDN', args.basedn),
              'template': ('X-Ldap-Template', args.filter),
              'binddn': ('X-Ldap-BindDN', args.binddn),
diff --git a/nginx-ldap-auth.conf b/nginx-ldap-auth.conf
index e890444..c5dd551 100644
--- a/nginx-ldap-auth.conf
+++ b/nginx-ldap-auth.conf
@@ -103,6 +103,11 @@ http {
             # Set the LDAP template by uncommenting the following directive.
             #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
 
+            # (May be required if using Microsoft Active Directory and
+            # getting "In order to perform this operation a successful bind
+            # must be completed on the connection." errror)
+            #proxy_set_header X-Ldap-DisableReferrals "true";
+
             # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
             # template by uncommenting the following directive and replacing
             # '(cn=%(username)s)' which is the default set in
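Review bot: The new comment above `#proxy_set_header X-Ldap-DisableReferrals "true";` describes only a symptom and contains a typo (`errror`), so a reader has to guess what the directive actually does. Suggest leading with the effect, e.g. `# (Optional) Disable LDAP referral chasing in the auth daemon. May be required if using Microsoft Active Directory and getting "In order to perform this operation a successful bind must be completed on the connection." error.`, which also matches the "(Optional ...)" phrasing used by the neighbouring directives.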
-- 
GitLab