added option if referrals should be followed

lam/HISTORY

@@ -1,6 +1,7 @@
 March 2014 4.5
   - IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes
   - Personal: allow to set fields read-only
+  - Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
 
 18.12.2013 4.4
   - PyKota support: users, groups, printers, billing codes

lam/docs/manual-sources/howto.xml

@@ -713,6 +713,15 @@ Have fun!
       <section id="a_versUpgrade">
         <title>Version specific upgrade instructions</title>
 
+        <section>
+          <title>4.4 -&gt; 4.5</title>
+
+          <para>LAM will no longer follow referrals by default. This is ok for
+          most installations. If you use LDAP referrals please activate
+          referral following for your server profile (tab General settings
+          -&gt; Server settings -&gt; Advanced options).</para>
+        </section>
+
         <section>
           <title>4.3 -&gt; 4.4</title>
 
@@ -1234,6 +1243,10 @@ Have fun!
           linkend="a_accessLevelPasswordReset">this page</link> for details on
           the different access levels.</para>
 
+          <para>By default LAM will not follow LDAP referrals. This is ok for
+          most installations. If you use LDAP referrals please activate the
+          referral option in advanced settings.</para>
+
           <screenshot>
             <mediaobject>
               <imageobject>

lam/help/help.inc

@@ -82,6 +82,8 @@ $helpArray = array (
 						_("dc=yourcompany,dc=com")),
 				"204" => array ("Headline" => _("SSL certificate"),
 					"Text" => _("This is only needed for TLS/SSL connections. By default, LAM will use the certificate authorities installed on your system. If you have a private CA in your company you can upload your CA certificates here and override the system certificates.")),
+				"205" => array ("Headline" => _("Follow referrals"),
+					"Text" => _("Specifies if LAM should automatically follow referrals. Activate if you use referrals in your LDAP directory.")),
 				"206" => array ("Headline" => _("List attributes"),
 					"Text" => _("This is the list of attributes to show in the account list. The entries can either be predefined values, \"#attribute\", or individual ones, \"attribute:description\". Several entries are separated by semicolons.") .
 						"<br><br><br><big><b>" .

lam/lib/config.inc

@@ -258,6 +258,9 @@ class LAMConfig {
 	/** enables/disables TLS encryption */
 	private $useTLS;
 	
+	/** automatically follow referrals */
+	private $followReferrals = 'false';
+	
 	/** Array of string: users with admin rights */
 	private $Admins;
 
@@ -349,7 +352,7 @@ class LAMConfig {
 	private $lamProMailText = '';
 
 	/** List of all settings in config file */
-	private $settings = array("ServerURL", "useTLS", "Passwd", "Admins", "treesuffix",
+	private $settings = array("ServerURL", "useTLS", "followReferrals", "Passwd", "Admins", "treesuffix",
 		"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
 		"modules", "activeTypes", "types", "tools", "accessLevel", 'loginMethod', 'loginSearchSuffix',
 		'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject',
@@ -516,6 +519,7 @@ class LAMConfig {
 			// check if we have to add new entries (e.g. if user upgraded LAM and has an old config file)
 			if (!in_array("ServerURL", $saved)) array_push($file_array, "\n\n# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)\n" . "serverURL: " . $this->ServerURL . "\n");
 			if (!in_array("useTLS", $saved)) array_push($file_array, "\n\n# enable TLS encryption\n" . "useTLS: " . $this->useTLS . "\n");
+			if (!in_array("followReferrals", $saved)) array_push($file_array, "\n\n# follow referrals\n" . "followReferrals: " . $this->followReferrals . "\n");
 			if (!in_array("Passwd", $saved)) array_push($file_array, "\n\n# password to change these preferences via webfrontend\n" . "passwd: " . $this->Passwd . "\n");
 			if (!in_array("Admins", $saved)) array_push($file_array, "\n\n# list of users who are allowed to use LDAP Account Manager\n" .
 								"# names have to be seperated by semicolons\n" .
@@ -638,7 +642,7 @@ class LAMConfig {
 	/**
 	 * Sets if TLS is activated.
 	 * 
-	 * @param String yes or no
+	 * @param String $useTLS yes or no
 	 * @return boolean true if $useTLS has correct format
 	 */
 	public function setUseTLS($useTLS) {
@@ -649,6 +653,23 @@ class LAMConfig {
 		return false;
 	}
 
+	/**
+	 * Returns if referrals should be followed.
+	 * 
+	 * @return String true or false
+	 */
+	public function getFollowReferrals() {
+		return $this->followReferrals;
+	}
+	
+	/**
+	 * Sets if referrals should be followed.
+	 * 
+	 * @param String $followReferrals true or false
+	 */
+	public function setFollowReferrals($followReferrals) {
+		$this->followReferrals = $followReferrals;
+	}
 
 	/**
 	* Returns an array of string with all admin names

lam/lib/ldap.inc

@@ -100,6 +100,9 @@ class Ldap{
 		if ($this->server) {
 			// use LDAPv3
 			ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3);
+			// referral following
+			$followReferrals = ($this->conf->getFollowReferrals() === 'true') ? 1 : 0;
+			ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals);
 			// start TLS if specified
 			$useTLS = $this->conf->getUseTLS();
 			if (isset($useTLS) && ($useTLS == "yes")) {

lam/templates/3rdParty/pla/lib/ds_myldap.php

@@ -186,7 +186,9 @@ class myldap extends DS {
 		/* Disabling this makes it possible to browse the tree for Active Directory, and seems
 		 * to not affect other LDAP servers (tested with OpenLDAP) as phpLDAPadmin explicitly
 		 * specifies deref behavior for each ldap_search operation. */
-		ldap_set_option($resource,LDAP_OPT_REFERRALS,1);
+		// TODO provide upstream patch if PLA gets active again
+		$followReferrals = ($_SESSION['config']->getFollowReferrals() === 'true') ? 1 : 0;
+		ldap_set_option($resource,LDAP_OPT_REFERRALS, $followReferrals);
 
 		# Try to fire up TLS is specified in the config
 		if ($this->isTLSEnabled())

lam/templates/config/confmain.php

@@ -253,6 +253,7 @@ $searchLimitOptions = array(
 $limitSelect = new htmlTableExtendedSelect('searchLimit', $searchLimitOptions, array($conf->get_searchLimit()), _("LDAP search limit"), '222');
 $limitSelect->setHasDescriptiveElements(true);
 $serverSettingsContent->addElement($limitSelect, true);
+
 // access level is only visible in Pro version
 if (isLAMProVersion()) {
 	$accessOptions = array(
@@ -265,6 +266,17 @@ if (isLAMProVersion()) {
 	$serverSettingsContent->addElement($accessSelect, true);
 }
 
+// advanced options
+$advancedOptionsContent = new htmlTable();
+// referrals
+$followReferrals = ($conf->getFollowReferrals() === 'true');
+$advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('followReferrals',$followReferrals , _('Follow referrals'), '205'), true);
+
+// build advanced options box
+$advancedOptions = new htmlAccordion('advancedOptions_server', array(_('Advanced options') => $advancedOptionsContent), false);
+$advancedOptions->colspan = 15;
+$serverSettingsContent->addElement($advancedOptions, true);
+
 $serverSettings = new htmlFieldset($serverSettingsContent, _("Server settings"), '../../graphics/profiles.png');
 $container->addElement($serverSettings, true);
 $container->addElement(new htmlSpacer(null, '10px'), true);
@@ -486,6 +498,12 @@ function checkInput() {
 	if ((strpos($_POST['serverurl'], 'ldaps://') !== false) && ($_POST['useTLS'] == 'yes')) {
 		$errors[] = array("ERROR", _('You cannot use SSL and TLS encryption at the same time. Please use either "ldaps://" or TLS.'));
 	}
+	if (isset($_POST['followReferrals']) && ($_POST['followReferrals'] == 'on')) {
+		$conf->setFollowReferrals('true');
+	}
+	else {
+		$conf->setFollowReferrals('false');
+	}
 /*	if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
 		$errors[] = array("ERROR", _("Cache timeout is invalid!"));
 	}*/