- added align patch, release 2.1 for tests

[packages/squid.git] / squid-2.5.STABLE4-squid_ldap_group.patch

Index: squid/helpers/external_acl/ldap_group/ChangeLog
diff -c /dev/null squid/helpers/external_acl/ldap_group/ChangeLog:1.1.2.1
*** /dev/null   Fri Nov 21 10:14:58 2003
--- squid/helpers/external_acl/ldap_group/ChangeLog     Wed Nov 19 17:41:37 2003
***************
*** 0 ****
--- 1,172 ----
+ Version 2.12
+ 
+ 2003-03-01 Christoph Lechleitner <lech@ibcl.at>
+         Added -W option to read bindpasswd from file, 
+         e.g. from /etc/ldap.secret
+ 
+ 2003-03-01 Juerg Michel
+ 
+       Added support for ldap URI via the -H option
+ 
+ Version 2.11
+ 
+ 2003-01-31 Henrik Nordstrom <hno@marasystems.com>
+ 
+       Packaged as a distribution, with Makefile, README
+       and INSTALL
+ 
+       Corrected the squid.conf examples in the manpage and
+       some spelling in the same
+ 
+       Separated the changelog/history to a separate
+       ChangeLog file (this file)
+ 
+ 2003-01-27 Henrik Nordstrom <hno@marasystems.com>
+ 
+       Cleaned up error messages shown when a nonexisting
+       user tries to log in
+ 
+ Version 2.10
+ 
+ 2003-01-07 Jon Kinred
+ 
+       Fixed user search mode (-F/-u) when -g is not used
+ 
+ Version 2.9
+ 
+ 2003-01-03 Henrik Nordstrom <hno@marasystems.com>
+ 
+       Fixed missing string termination on ldap_escape_vale,
+       and corrected build problem with LDAPv2 libraries
+ 
+ Version 2.8
+ 
+ 2002-11-27 Henrik Nordstrom <hno@marasystems.com>
+ 
+       Replacement for ldap_build_filter. Also changed
+       the % codes to %u (user) and %g (group) which
+       is a bit more intuitive.
+ 
+ 2002-11-21 Gerard Eviston
+ 
+       Fix ldap_search_s error management. This fixes
+       a core dump if there is a LDAP search filter
+       syntax error (possibly caused by malformed input).
+ 
+ Version 2.7
+ 
+ 2002-10-22: Henrik Nordstrom <hno@marasystems.com>
+ 
+       strwordtok bugfix
+ 
+ Version 2.6
+ 
+ 2002-09-21: Gerard Eviston
+ 
+       -S option to strip NT domain names from
+       login names
+ 
+ Version 2.5
+ 
+ 2002-09-09: Henrik Nordstrom <hno@marasystems.com>
+ 
+       Added support for user DN lookups
+       (-u -B -F options)
+ 
+ Version 2.4
+ 
+ 2002-09-06: Henrik Nordstrom <hno@marasystems.com>
+ 
+       Many bugfixes in connection management
+ 
+       -g option added, and added support
+       for multiple groups. Prior versions
+       only supported one group and an optional
+       group base RDN
+ 
+ Version 2.3
+ 
+ 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
+ 
+       Minor cleanups
+ 
+ Version 2.2
+ 
+ 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
+ 
+       Merged changes from squid_ldap_auth.c
+       - TLS support (Michael Cunningham)
+       - -p option to specify port
+               
+       Documented the % codes to use in -f
+ 
+ Version 2.1
+ 
+ 2002-08-21: Henrik Nordstrom <hno@marasystems.com>
+ 
+       Support groups or usernames having spaces
+ 
+ Version 2.0
+ 
+ 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
+ 
+       Added optional third query argument for search RDN
+ 
+ 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
+ 
+       Removed unused options, and fully changed name
+       to squid_ldap_match.
+ 
+ Version 1.0
+ 
+ 2001-07-17: Flavio Pescuma <flavio@marasystems.com>
+ 
+       Using the main function from squid_ldap_auth
+       wrote squid_ldap_match. This program replaces 
+       the %a and %v (ldapfilter.conf) from the filter 
+       template supplied with -f with the two arguments 
+       sent by squid. Returns OK if the ldap_search 
+       using the composed filter succeeds.
+ 
+ Changes from squid_ldap_auth.c:
+ 
+ 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
+ 
+       - Added TLS support and partial ldap version 3 support. 
+ 
+ 2001-09-05: Henrik Nordstrom <hno@squid-cache.org>
+ 
+       - Added ability to specify another default LDAP port to
+         connect to. Persistent connections moved to -P
+ 
+ 2001-05-02: Henrik Nordstrom <hno@squid-cache.org>
+ 
+       - Support newer OpenLDAP 2.x libraries using the
+         revised Internet Draft API which unfortunately
+         is not backwards compatible with RFC1823..
+ 
+ 2001-04-15: Henrik Nordstrom <hno@squid-cache.org>
+ 
+       - Added command line option for basedn
+ 
+       - Added the ability to search for the user DN
+ 
+ 2001-04-16: Henrik Nordstrom <hno@squid-cache.org>
+ 
+       - Added -D binddn -w bindpasswd.
+ 
+ 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
+ 
+       - Added -R to disable referrals
+ 
+       - Added -a to control alias dereferencing
+ 
+ 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
+ 
+       - Added -u, DN username attribute name
+ 
+ 2001-04-18: Henrik Nordstrom <hno@squid-cache.org>
+ 
+       - Allow full filter specifications in -f
+ 
+ -- END --
Index: squid/helpers/external_acl/ldap_group/README
diff -c /dev/null squid/helpers/external_acl/ldap_group/README:1.1.2.1
*** /dev/null   Fri Nov 21 10:14:59 2003
--- squid/helpers/external_acl/ldap_group/README        Wed Nov 19 17:41:37 2003
***************
*** 0 ****
--- 1,10 ----
+ This program is a LDAP group helper for Squid.
+ 
+ See the included manpage for documentation.
+ 
+   nroff -man squid_ldap_group.8 | less
+ 
+ See INSTALL for installation instructions
+ 
+ The latest version of this program can always be found from
+ MARA Systems at http://marasystems.com/download/LDAP_Group/
Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.8
diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.2 squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3
*** squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.2    Wed Nov 27 16:42:22 2002
--- squid/helpers/external_acl/ldap_group/squid_ldap_group.8    Wed Nov 19 17:41:37 2003
***************
*** 1,17 ****
! .TH squid_ldap_group 8 "7 September 2002" "Squid LDAP Match"
  .
  .SH NAME
  squid_ldap_group - Squid LDAP external acl group helper
  .
  .SH SYNOPSIS
! squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...]
  .
  .SH DESCRIPTION
  This helper allows Squid to connect to a LDAP directory to
  authorize users via LDAP groups.
  .P
  The program operates by searching with a search filter based
! on the users login name and requested group, and if a match
  is found it is determined that the user belongs to the group.
  .
  .TP
--- 1,17 ----
! .TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Group"
  .
  .SH NAME
  squid_ldap_group - Squid LDAP external acl group helper
  .
  .SH SYNOPSIS
! squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI]
  .
  .SH DESCRIPTION
  This helper allows Squid to connect to a LDAP directory to
  authorize users via LDAP groups.
  .P
  The program operates by searching with a search filter based
! on the users user name and requested group, and if a match
  is found it is determined that the user belongs to the group.
  .
  .TP
***************
*** 25,31 ****
  .TP
  .B "-g"
  Specifies that the first query argument sent to the helper by Squid is
! a extension to the basedn and will be temporarily added infront of the
  global basedn for this query.
  .
  .TP
--- 25,31 ----
  .TP
  .B "-g"
  Specifies that the first query argument sent to the helper by Squid is
! a extension to the basedn and will be temporarily added in front of the
  global basedn for this query.
  .
  .TP
***************
*** 33,39 ****
  LDAP search filter used to search the LDAP directory for any
  matching group memberships.
  .BR
! In the filter %u will be replaced by the user login name (or DN if
  the -F or -u options are used) and %g by the requested group name.
  .
  .TP
--- 33,39 ----
  LDAP search filter used to search the LDAP directory for any
  matching group memberships.
  .BR
! In the filter %u will be replaced by the user name (or DN if
  the -F or -u options are used) and %g by the requested group name.
  .
  .TP
***************
*** 41,53 ****
  LDAP search filter used to search the LDAP directory for any
  matching users.
  .BR
! In the filter %s will be replaced by the user login name. If % is to be
  included literally in the filter then use %%.
  .
  .TP
  .BI "-u " attr
! LDAP attribute used to construct the user DN from the login name and
! base dn.
  .
  .TP
  .BI "-s " base|one|sub
--- 41,53 ----
  LDAP search filter used to search the LDAP directory for any
  matching users.
  .BR
! In the filter %s will be replaced by the user name. If % is to be
  included literally in the filter then use %%.
  .
  .TP
  .BI "-u " attr
! LDAP attribute used to construct the user DN from the user name and
! base dn without needing to search for the user.
  .
  .TP
  .BI "-s " base|one|sub
***************
*** 72,81 ****
  extracts the password used from a process listing.
  .
  .TP
  .BI -P
  Use a persistent LDAP connection. Normally the LDAP connection
! is only open while validating a username to preserve resources
! at the LDAP server. This option causes the LDAP connection to
  be kept open, allowing it to be reused for further user
  validations. Recommended for larger installations.
  .
--- 72,91 ----
  extracts the password used from a process listing.
  .
  .TP
+ .BI "-D " "binddn " "-W " "secretfile "
+ The DN and the name of a file containing the password
+ to bind as while performing searches. 
+ .IP
+ Less insecure version of the former parameter pair with two advantages:
+ The password does not occur in the process listing, 
+ and the password is not being compromised if someone gets the squid 
+ configuration file without getting the secretfile.
+ .
+ .TP
  .BI -P
  Use a persistent LDAP connection. Normally the LDAP connection
! is only open while verifying a users group membership to preserve
! resources at the LDAP server. This option causes the LDAP connection to
  be kept open, allowing it to be reused for further user
  validations. Recommended for larger installations.
  .
***************
*** 97,102 ****
--- 107,116 ----
  the base object
  .
  .TP
+ .BI -H " ldapuri"
+ Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
+ .
+ .TP
  .BI -h " ldapserver"
  Specify the LDAP server to connect to
  .TP
***************
*** 105,112 ****
  other than the default LDAP port 389.
  .
  .TP
  .BI -S
! Strip NT domain name component from usernames (/ or \\ separated)
  .
  .SH SQUID CONFIGURATION
  .
--- 119,142 ----
  other than the default LDAP port 389.
  .
  .TP
+ .BI -Z
+ Use TLS encryption
+ .
+ .TP
+ .BI -E certpath
+ Enable LDAP over SSL (requires Netscape LDAP API libraries)
+ .
+ .TP
+ .BI -c connect_timeout
+ Specify timeout used when connecting to LDAP servers (requires
+ Netscape LDAP API libraries)
+ .TP
+ .BI -t search_timeout
+ Specify time limit on LDAP search operations
+ .
+ .TP
  .BI -S
! Strip NT domain name component from user names (/ or \\ separated)
  .
  .SH SQUID CONFIGURATION
  .
***************
*** 117,131 ****
  .nf
  external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
  .br
! acl group1 ldap_group Group1
  .br
! acl group2 ldap_gorup Group2
  .fi
  .ft
  .
  .SH NOTES
  .
! When constructing search filters it is strongly recommended to test the filter
  using ldapsearch before you attempt to use squid_ldap_group. This to verify
  that the filter matches what you expect.
  .
--- 147,161 ----
  .nf
  external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
  .br
! acl group1 external ldap_group Group1
  .br
! acl group2 external ldap_group Group2
  .fi
  .ft
  .
  .SH NOTES
  .
! When constructing search filters it is recommended to first test the filter
  using ldapsearch before you attempt to use squid_ldap_group. This to verify
  that the filter matches what you expect.
  .
***************
*** 141,147 ****
  .I Glen Newton <glen.newton@nrc.ca>
  .
  .SH KNOWN LIMITATIONS
! Max 16 occurances of %s in the -u argument is supported.
  .
  .SH QUESTIONS
  Any questions on usage can be sent to 
--- 171,177 ----
  .I Glen Newton <glen.newton@nrc.ca>
  .
  .SH KNOWN LIMITATIONS
! Max 16 occurrences of %s in the -u argument is supported.
  .
  .SH QUESTIONS
  Any questions on usage can be sent to 
Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c
diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.11 squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.13
*** squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.11   Sat Jan 11 06:07:08 2003
--- squid/helpers/external_acl/ldap_group/squid_ldap_group.c    Fri Nov 21 10:13:58 2003
***************
*** 13,20 ****
   *  Henrik Nordstrom <hno@marasystems.com>
   *  MARA Systems AB, Sweden <http://www.marasystems.com>
   *
!  * With contributions from others mentioned in the change histor section
!  * below.
   *
   * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom.
   *
--- 13,19 ----
   *  Henrik Nordstrom <hno@marasystems.com>
   *  MARA Systems AB, Sweden <http://www.marasystems.com>
   *
!  * With contributions from others mentioned in the ChangeLog file
   *
   * In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom.
   *
***************
*** 32,124 ****
   * and/or modify it under the terms of the GNU General Public License 
   * as published by the Free Software Foundation; either version 2, 
   * or (at your option) any later version.
-  *
-  * History:
-  *
-  * Version 2.10
-  * 2003-01-07 Jon Kinred
-  *            Fixed user search mode (-F/-u) when -g is not used
-  * Version 2.9
-  * 2003-01-03 Henrik Nordstrom <hno@marasystems.com>
-  *            Fixed missing string termination on ldap_escape_vale,
-  *            and corrected build problem with LDAPv2 libraries
-  * Version 2.8
-  * 2002-11-27 Henrik Nordstrom <hno@marasystems.com>
-  *            Replacement for ldap_build_filter. Also changed
-  *            the % codes to %u (user) and %g (group) which
-  *            is a bit more intuitive.
-  * 2002-11-21 Gerard Eviston
-  *            Fix ldap_search_s error management. This fixes
-  *            a core dump if there is a LDAP search filter
-  *            syntax error (possibly caused by malformed input).
-  * Version 2.7
-  * 2002-10-22: Henrik Nordstrom <hno@marasystems.com>
-  *            strwordtok bugfix
-  * Version 2.6
-  * 2002-09-21: Gerard Eviston
-  *            -S option to strip NT domain names from
-  *            login names
-  * Version 2.5
-  * 2002-09-09: Henrik Nordstrom <hno@marasystems.com>
-  *            Added support for user DN lookups
-  *            (-u -B -F options)
-  * Version 2.4
-  * 2002-09-06: Henrik Nordstrom <hno@marasystems.com>
-  *            Many bugfixes in connection management
-  *            -g option added, and added support
-  *            for multiple groups. Prior versions
-  *            only supported one group and an optional
-  *            group base RDN
-  * Version 2.3
-  * 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
-  *              Minor cleanups
-  * Version 2.2
-  * 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
-  *              Merged changes from squid_ldap_auth.c
-  *              - TLS support (Michael Cunningham)
-  *              - -p option to specify port
-  *              Documented the % codes to use in -f
-  * Version 2.1
-  * 2002-08-21: Henrik Nordstrom <hno@marasystems.com>
-  *              Support groups or usernames having spaces
-  * Version 2.0
-  * 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
-  *              Added optional third query argument for search RDN
-  * 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
-  *              Removed unused options, and fully changed name
-  *              to squid_ldap_group.
-  * Version 1.0
-  * 2001-07-17: Flavio Pescuma <flavio@marasystems.com>
-  *              Using the main function from squid_ldap_auth
-  *              wrote squid_ldap_group. This program replaces 
-  *              the %a and %v (ldapfilter.conf) from the filter 
-  *              template supplied with -f with the two arguments 
-  *              sent by squid. Returns OK if the ldap_search 
-  *              using the composed filter succeeds.
-  *
-  * Changes from squid_ldap_auth.c:
-  *
-  * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
-  *             - Added TLS support and partial ldap version 3 support. 
-  * 2001-09-05: Henrik Nordstrom <hno@squid-cache.org>
-  *             - Added ability to specify another default LDAP port to
-  *               connect to. Persistent connections moved to -P
-  * 2001-05-02: Henrik Nordstrom <hno@squid-cache.org>
-  *             - Support newer OpenLDAP 2.x libraries using the
-  *               revised Internet Draft API which unfortunately
-  *               is not backwards compatible with RFC1823..
-  * 2001-04-15: Henrik Nordstrom <hno@squid-cache.org>
-  *             - Added command line option for basedn
-  *             - Added the ability to search for the user DN
-  * 2001-04-16: Henrik Nordstrom <hno@squid-cache.org>
-  *             - Added -D binddn -w bindpasswd.
-  * 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
-  *             - Added -R to disable referrals
-  *             - Added -a to control alias dereferencing
-  * 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
-  *             - Added -u, DN username attribute name
-  * 2001-04-18: Henrik Nordstrom <hno@squid-cache.org>
-  *             - Allow full filter specifications in -f
   */
  
  #include <stdio.h>
--- 31,36 ----
***************
*** 126,133 ****
  #include <stdlib.h>
  #include <ctype.h>
  #include <lber.h>
- #include <ldap_cdefs.h>
  #include <ldap.h>
  
  #define PROGRAM_NAME "squid_ldap_group"
  
--- 38,47 ----
  #include <stdlib.h>
  #include <ctype.h>
  #include <lber.h>
  #include <ldap.h>
+ #if defined(LDAP_OPT_NETWORK_TIMEOUT)
+ #include <sys/time.h>
+ #endif
  
  #define PROGRAM_NAME "squid_ldap_group"
  
***************
*** 145,150 ****
--- 59,70 ----
  static int noreferrals = 0;
  static int debug = 0;
  static int aliasderef = LDAP_DEREF_NEVER;
+ #if defined(NETSCAPE_SSL)
+ static char *sslpath = NULL;
+ static int sslinit = 0;
+ #endif
+ static int connect_timeout = 0;
+ static int timelimit = LDAP_NO_LIMIT;
  
  #ifdef LDAP_VERSION3
  /* Added for TLS support and version 3 */
***************
*** 154,159 ****
--- 74,81 ----
  
  static int searchLDAP(LDAP * ld, char *group, char *user, char *extension_dn);
  
+ static int readSecret(char *filename);
+ 
  /* Yuck.. we need to glue to different versions of the API */
  
  #if defined(LDAP_API_VERSION) && LDAP_API_VERSION > 1823
***************
*** 175,180 ****
--- 97,120 ----
      int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
      ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
  }
+ static void
+ squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+ {
+     ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &timelimit);
+ }
+ static void
+ squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+ {
+ #if defined(LDAP_OPT_NETWORK_TIMEOUT)
+     struct timeval tv;
+     tv.tv_sec = timelimit;
+     tv.tv_usec = 0;
+     ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+ #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
+     timelimit *= 1000;
+     ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timelimit);
+ #endif
+ }
  static void 
  squid_ldap_memfree(char *p)
  {
***************
*** 199,204 ****
--- 139,154 ----
      else
        ld->ld_options &= ~LDAP_OPT_REFERRALS;
  }
+ static void
+ squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+ {
+     ld->ld_timelimit = timelimit;
+ }
+ static void
+ squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+ {
+     fprintf(stderr, "Connect timeouts not supported in your LDAP library\n");
+ }
  static void 
  squid_ldap_memfree(char *p)
  {
***************
*** 206,211 ****
--- 156,167 ----
  }
  #endif
  
+ #ifdef LDAP_API_FEATURE_X_OPENLDAP
+   #if LDAP_VENDOR_VERSION > 194
+     #define HAS_URI_SUPPORT 1
+   #endif
+ #endif
+ 
  static char *
  strwordtok(char *buf, char **t)
  {
***************
*** 290,295 ****
--- 246,257 ----
        argv++;
        argc--;
        switch (option) {
+       case 'H':
+ #if !HAS_URI_SUPPORT
+           fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
+           exit(1);
+ #endif
+           /* Fall thru to -h */
        case 'h':
            if (ldapServer) {
                int len = strlen(ldapServer) + 1 + strlen(value) + 1;
***************
*** 301,307 ****
                ldapServer = strdup(value);
            }
            break;
- 
        case 'b':
            basedn = value;
            break;
--- 263,268 ----
***************
*** 329,334 ****
--- 290,311 ----
                exit(1);
            }
            break;
+       case 'S':
+ #if defined(NETSCAPE_SSL)
+           sslpath = value;
+           if (port == LDAP_PORT)
+               port = LDAPS_PORT;
+ #else
+           fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n");
+           exit(1);
+ #endif
+           break;
+       case 'c':
+           connect_timeout = atoi(value);
+           break;
+       case 't':
+           timelimit = atoi(value);
+           break;
        case 'a':
            if (strcmp(value, "never") == 0)
                aliasderef = LDAP_DEREF_NEVER;
***************
*** 349,354 ****
--- 326,334 ----
        case 'w':
            bindpasswd = value;
            break;
+       case 'W':
+           readSecret (value);
+           break;
        case 'P':
            persistent = !persistent;
            break;
***************
*** 388,394 ****
        case 'g':
            use_extension_dn = 1;
            break;
!       case 'S':
            strip_nt_domain = 1;
            break;
        default:
--- 368,374 ----
        case 'g':
            use_extension_dn = 1;
            break;
!       case 'E':
            strip_nt_domain = 1;
            break;
        default:
***************
*** 424,440 ****
        fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
        fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
        fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
        fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
        fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
        fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
        fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
        fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
!       fprintf(stderr, "\t-v 1|2\t\t\tLDAP version\n");
        fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
        fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
        fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
        fprintf(stderr, "\n");
!       fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd options\n\n");
        exit(1);
      }
      while (fgets(buf, 256, stdin) != NULL) {
--- 404,431 ----
        fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
        fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
        fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
+       fprintf(stderr, "\t-W secretfile\t\tread password for binddn from file secretfile\n");
+ #if HAS_URI_SUPPORT
+       fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
+ #endif
        fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
        fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
        fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
+ #if defined(NETSCAPE_SSL)
+       fprintf(stderr, "\t-E sslcertpath\t\tenable LDAP over SSL\n");
+ #endif
+       fprintf(stderr, "\t-c timeout\t\tconnect timeout\n");
+       fprintf(stderr, "\t-t timelimit\t\tsearch time limit\n");
        fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
        fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
! #ifdef LDAP_VERSION3
!       fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
        fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
+ #endif
        fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
        fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
        fprintf(stderr, "\n");
!       fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
        exit(1);
      }
      while (fgets(buf, 256, stdin) != NULL) {
***************
*** 455,465 ****
  
          recover:
            if (ld == NULL) {
                if ((ld = ldap_init(ldapServer, port)) == NULL) {
!                   fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",
!                       ldapServer, port);
                    break;
                }
  #ifdef LDAP_VERSION3
                if (version == -1) {
                    version = LDAP_VERSION2;
--- 446,484 ----
  
          recover:
            if (ld == NULL) {
+ #if HAS_URI_SUPPORT
+               if (strstr(ldapServer, "://") != NULL) {
+                   rc = ldap_initialize( &ld, ldapServer );
+                   if( rc != LDAP_SUCCESS ) {
+                       fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
+                       break;
+                   }
+               } else
+ #endif
+ #if NETSCAPE_SSL
+               if (sslpath) {
+                   if ( !sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) {
+                       fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n",
+                               sslpath);
+                       exit(1);
+                   } else {
+                       sslinit++;
+                   }
+                   if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) {
+                       fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n",
+                               ldapServer, port);
+                       exit(1);
+                   }
+               } else
+ #endif
                if ((ld = ldap_init(ldapServer, port)) == NULL) {
!                   fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",ldapServer, port);
                    break;
                }
+ 
+               if (connect_timeout)
+                   squid_ldap_set_connect_timeout(ld, connect_timeout);
+ 
  #ifdef LDAP_VERSION3
                if (version == -1) {
                    version = LDAP_VERSION2;
***************
*** 479,484 ****
--- 498,504 ----
                    break;
                }
  #endif
+               squid_ldap_set_timelimit(ld, timelimit);
                squid_ldap_set_referrals(ld, !noreferrals);
                squid_ldap_set_aliasderef(ld, aliasderef);
                if (binddn && bindpasswd && *binddn && *bindpasswd) {
***************
*** 622,628 ****
      }
  
      if (debug)
!       fprintf(stderr, "filter %s\n", filter);
  
      rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
      if (rc != LDAP_SUCCESS) {
--- 642,648 ----
      }
  
      if (debug)
!       fprintf(stderr, "group filter '%s', searchbase '%s'\n", filter, searchbase);
  
      rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
      if (rc != LDAP_SUCCESS) {
***************
*** 632,637 ****
--- 652,663 ----
             */
        } else {
            fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
+ #if defined(NETSCAPE_SSL)
+           if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
+               int sslerr = PORT_GetError();
+               fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
+           }
+ #endif
            ldap_msgfree(res);
            return 1;
        }
***************
*** 664,670 ****
        ldap_escape_value(escaped_login, sizeof(escaped_login), login);
        snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
        if (debug)
!           fprintf(stderr, "user filter %s\n", filter);
        rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
        if (rc != LDAP_SUCCESS) {
            if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
--- 690,696 ----
        ldap_escape_value(escaped_login, sizeof(escaped_login), login);
        snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
        if (debug)
!           fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase);
        rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
        if (rc != LDAP_SUCCESS) {
            if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
***************
*** 673,685 ****
                 */
            } else {
                fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
                ldap_msgfree(res);
                return 1;
            }
        }
        entry = ldap_first_entry(ld, res);
        if (!entry) {
!           fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found\n", filter);
            ldap_msgfree(res);
            return 1;
        }
--- 699,717 ----
                 */
            } else {
                fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc));
+ #if defined(NETSCAPE_SSL)
+               if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) {
+                   int sslerr = PORT_GetError();
+                   fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr));
+               }
+ #endif
                ldap_msgfree(res);
                return 1;
            }
        }
        entry = ldap_first_entry(ld, res);
        if (!entry) {
!           fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found in '%s'\n", login, searchbase);
            ldap_msgfree(res);
            return 1;
        }
***************
*** 698,701 ****
--- 730,767 ----
      } else {
        return searchLDAPGroup(ld, group, login, extension_dn);
      }
+ }
+ 
+ 
+ int readSecret(char *filename)
+ {
+   char  buf[BUFSIZ];
+   char  *e=0;
+   FILE  *f;
+ 
+   if(!(f=fopen(filename, "r"))) {
+     fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename);
+     return 1;
+   }
+ 
+   if( !fgets(buf, sizeof(buf)-1, f)) {
+     fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename);
+     fclose(f);
+     return 1;
+   }
+ 
+   /* strip whitespaces on end */
+   if((e = strrchr(buf, '\n'))) *e = 0;
+   if((e = strrchr(buf, '\r'))) *e = 0;
+ 
+   bindpasswd = (char *) calloc(sizeof(char), strlen(buf)+1);
+   if (bindpasswd) {
+     strcpy(bindpasswd, buf);
+   } else {
+     fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); 
+   }
+ 
+   fclose(f);
+ 
+   return 0;
  }
Index: squid/helpers/external_acl/ldap_group/Makefile.in
diff -c squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.5 squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.6
*** squid/helpers/external_acl/ldap_group/Makefile.in:1.1.2.5   Tue Feb 11 19:02:43 2003
--- squid/helpers/external_acl/ldap_group/Makefile.in   Wed Nov 19 17:43:41 2003
***************
*** 155,161 ****
  
  NROFF = nroff
  MANS = $(man_MANS)
! DIST_COMMON = Makefile.am Makefile.in
  SOURCES = $(squid_ldap_group_SOURCES)
  
  all: all-am
--- 155,161 ----
  
  NROFF = nroff
  MANS = $(man_MANS)
! DIST_COMMON = README ChangeLog Makefile.am Makefile.in
  SOURCES = $(squid_ldap_group_SOURCES)
  
  all: all-am