-/* $Cambridge: exim/src/src/lookups/ldap.c,v 1.2 2004/11/10 14:15:20 ph10 Exp $ */
+/* $Cambridge: exim/src/src/lookups/ldap.c,v 1.11 2006/06/27 13:39:01 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2004 */
+/* Copyright (c) University of Cambridge 1995 - 2006 */
/* See the file NOTICE for conditions of use and distribution. */
/* Many thanks to Stuart Lynne for contributing the original code for this
#else
-/* Include LDAP headers */
+/* Include LDAP headers. The code below uses some "old" LDAP interfaces that
+are deprecated in OpenLDAP. I don't know their status in other LDAP
+implementations. LDAP_DEPRECATED causes their prototypes to be defined in
+ldap.h. */
+
+#define LDAP_DEPRECATED 1
#include <lber.h>
#include <ldap.h>
password password for authentication, or NULL
sizelimit max number of entries returned, or 0 for no limit
timelimit max time to wait, or 0 for no limit
- tcplimit max time to connect, or 0 for OS default
+ tcplimit max time for network activity, e.g. connect, or 0 for OS default
deference the dereference option, which is one of
LDAP_DEREF_{NEVER,SEARCHING,FINDING,ALWAYS}
int attr_count = 0;
int error_yield = DEFER;
int msgid;
-int rc;
+int rc, ldap_rc, ldap_parse_rc;
int port;
int ptr = 0;
int rescount = 0;
if (ldapi || port == lcp->port) break;
}
+/* Use this network timeout in any requests. */
+
+if (tcplimit > 0)
+ {
+ timeout.tv_sec = tcplimit;
+ timeout.tv_usec = 0;
+ timeoutptr = &timeout;
+ }
+
/* If no cached connection found, we must open a connection to the server. If
the server name is actually an absolute path, we set ldapi=TRUE above. This
requests connection via a Unix socket. However, as far as I know, only OpenLDAP
#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
if (tcplimit > 0)
{
- unsigned int timeout1000 = tcplimit*1000;
+ int timeout1000 = tcplimit*1000;
ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)&timeout1000);
}
+ else
+ {
+ int notimeout = LDAP_X_IO_TIMEOUT_NO_TIMEOUT;
+ ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, (void *)¬imeout);
+ }
#endif
/* Set the TCP connect timeout. This works with OpenLDAP 2.2.14. */
#ifdef LDAP_OPT_NETWORK_TIMEOUT
if (tcplimit > 0)
ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, (void *)timeoutptr);
- #endif
+ #endif
/* I could not get TLS to work until I set the version to 3. That version
seems to be the default nowadays. The RFC is dated 1997, so I would hope
host, porttext);
}
-/* Whatever follows, obey this timeout in any requests. */
-
-if (tcplimit > 0)
- {
- timeout.tv_sec = tcplimit;
- timeout.tv_usec = 0;
- timeoutptr = &timeout;
- }
-
/* Bind with the user/password supplied, or an anonymous bind if these values
are NULL, unless a cached connection is already bound with the same values. */
== -1)
{
*errmsg = string_sprintf("failed to bind the LDAP connection to server "
- "%s%s - LDAP error", host, porttext);
+ "%s%s - ldap_bind() returned -1", host, porttext);
goto RETURN_ERROR;
}
if ((rc = ldap_result( lcp->ld, msgid, 1, timeoutptr, &result )) <= 0)
{
*errmsg = string_sprintf("failed to bind the LDAP connection to server "
- "%s%s - LDAP error: %s", host, porttext,
+ "%s%s - LDAP error: %s", host, porttext,
rc == -1 ? "result retrieval failed" : "timeout" );
result = NULL;
goto RETURN_ERROR;
if (msgid == -1)
{
- *errmsg = string_sprintf("ldap search initiation failed");
+ #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
+ int err;
+ ldap_get_option(lcp->ld, LDAP_OPT_ERROR_NUMBER, &err);
+ *errmsg = string_sprintf("ldap_search failed: %d, %s", err,
+ ldap_err2string(err));
+
+ #else
+ *errmsg = string_sprintf("ldap_search failed");
+ #endif
+
goto RETURN_ERROR;
}
}
/* A return code that isn't -1 doesn't necessarily mean there were no problems
-with the search. The message must be an LDAP_RES_SEARCH_RESULT or else it's
-something we can't handle. */
-
-if (rc != LDAP_RES_SEARCH_RESULT)
+with the search. The message must be an LDAP_RES_SEARCH_RESULT or
+LDAP_RES_SEARCH_REFERENCE or else it's something we can't handle. Some versions
+of LDAP do not define LDAP_RES_SEARCH_REFERENCE (LDAP v1 is one, it seems). So
+we don't provide that functionality when we can't. :-) */
+
+if (rc != LDAP_RES_SEARCH_RESULT
+#ifdef LDAP_RES_SEARCH_REFERENCE
+ && rc != LDAP_RES_SEARCH_REFERENCE
+#endif
+ )
{
*errmsg = string_sprintf("ldap_result returned unexpected code %d", rc);
goto RETURN_ERROR;
/* We have a result message from the server. This doesn't yet mean all is well.
We need to parse the message to find out exactly what's happened. */
- #if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
- if (ldap_parse_result(lcp->ld, result, &rc, CSS &matched, CSS &error2, NULL,
- NULL, 0) < 0)
+#if defined LDAP_LIB_SOLARIS || defined LDAP_LIB_OPENLDAP2
+ ldap_rc = rc;
+ ldap_parse_rc = ldap_parse_result(lcp->ld, result, &rc, CSS &matched,
+ CSS &error2, NULL, NULL, 0);
+ DEBUG(D_lookup) debug_printf("ldap_parse_result: %d\n", ldap_parse_rc);
+ if (ldap_parse_rc < 0 &&
+ (ldap_parse_rc != LDAP_NO_RESULTS_RETURNED
+ #ifdef LDAP_RES_SEARCH_REFERENCE
+ || ldap_rc != LDAP_RES_SEARCH_REFERENCE
+ #endif
+ ))
{
- *errmsg = US"ldap_parse_result failed";
+ *errmsg = string_sprintf("ldap_parse_result failed %d", ldap_parse_rc);
goto RETURN_ERROR;
}
error1 = US ldap_err2string(rc);
projects / exim.git / blobdiff