Add directory name as new arg to EXIM_DBOPEN

[exim.git] / src / src / lookups / ldap.c

diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 461ec15e388ad09a94fd1ef929aaf63165fc16c3..b52ef2221ee1293c1254f9fd990788cdb5007f99 100644 (file)
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -1,14 +1,12 @@
-/* $Cambridge: exim/src/src/lookups/ldap.c,v 1.15 2009/11/16 19:50:38 nm4 Exp $ */
-

 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 

-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2016 */

 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Many thanks to Stuart Lynne for contributing the original code for this
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Many thanks to Stuart Lynne for contributing the original code for this

-driver. Further contibutions from Michael Haardt, Brian Candler, Barry
+driver. Further contributions from Michael Haardt, Brian Candler, Barry

 Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for
 researching how to handle the different kinds of error. */
 
 Pederson, Peter Savitch and Christian Kellner. Particular thanks to Brian for
 researching how to handle the different kinds of error. */
 


@@ -83,6 +81,7 @@ typedef struct ldap_connection {
   uschar *password;
   BOOL  bound;
   int   port;
   uschar *password;
   BOOL  bound;
   int   port;

+  BOOL  is_start_tls_called;

   LDAP *ld;
 } LDAP_CONNECTION;
 
   LDAP *ld;
 } LDAP_CONNECTION;
 


@@ -131,9 +130,10 @@ Returns:        OK or FAIL or DEFER
 */
 
 static int
 */
 
 static int

-perform_ldap_search(uschar *ldap_url, uschar *server, int s_port, int search_type,
-  uschar **res, uschar **errmsg, BOOL *defer_break, uschar *user, uschar *password,
-  int sizelimit, int timelimit, int tcplimit, int dereference, void *referrals)
+perform_ldap_search(const uschar *ldap_url, uschar *server, int s_port,
+  int search_type, uschar **res, uschar **errmsg, BOOL *defer_break,
+  uschar *user, uschar *password, int sizelimit, int timelimit, int tcplimit,
+  int dereference, void *referrals)

 {
 LDAPURLDesc     *ludp = NULL;
 LDAPMessage     *result = NULL;
 {
 LDAPURLDesc     *ludp = NULL;
 LDAPMessage     *result = NULL;


@@ -156,7 +156,7 @@ uschar *error1 = NULL;   /* string representation of errcode (static) */
 uschar *error2 = NULL;   /* error message from the server */
 uschar *matched = NULL;  /* partially matched DN */
 
 uschar *error2 = NULL;   /* error message from the server */
 uschar *matched = NULL;  /* partially matched DN */
 

-int    attr_count = 0;
+int    attrs_requested = 0;

 int    error_yield = DEFER;
 int    msgid;
 int    rc, ldap_rc, ldap_parse_rc;
 int    error_yield = DEFER;
 int    msgid;
 int    rc, ldap_rc, ldap_parse_rc;


@@ -248,7 +248,7 @@ if (host != NULL)
 /* Count the attributes; we need this later to tell us how to format results */
 
 for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++)
 /* Count the attributes; we need this later to tell us how to format results */
 
 for (attrp = USS ludp->lud_attrs; attrp != NULL && *attrp != NULL; attrp++)

-  attr_count++;
+  attrs_requested++;

 
 /* See if we can find a cached connection to this host. The port is not
 relevant for ldapi. The host name pointer is set to NULL if no host was given
 
 /* See if we can find a cached connection to this host. The port is not
 relevant for ldapi. The host name pointer is set to NULL if no host was given


@@ -281,6 +281,13 @@ if (lcp == NULL)
   {
   LDAP *ld;
 
   {
   LDAP *ld;
 

+  #ifdef LDAP_OPT_X_TLS_NEWCTX
+  int  am_server = 0;
+  LDAP *ldsetctx;
+  #else
+  LDAP *ldsetctx = NULL;
+  #endif
+

 
   /* --------------------------- OpenLDAP ------------------------ */
 
 
   /* --------------------------- OpenLDAP ------------------------ */
 


@@ -366,6 +373,10 @@ if (lcp == NULL)
     goto RETURN_ERROR;
     }
 
     goto RETURN_ERROR;
     }
 

+  #ifdef LDAP_OPT_X_TLS_NEWCTX
+  ldsetctx = ld;
+  #endif
+

   /* Set the TCP connect time limit if available. This is something that is
   in Netscape SDK v4.1; I don't know about other libraries. */
 
   /* Set the TCP connect time limit if available. This is something that is
   in Netscape SDK v4.1; I don't know about other libraries. */
 


@@ -417,20 +428,121 @@ if (lcp == NULL)
   if (!ldapi)
     {
     int tls_option;
   if (!ldapi)
     {
     int tls_option;

+    #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+    if (eldap_require_cert != NULL)
+      {
+      tls_option = LDAP_OPT_X_TLS_NEVER;
+      if (Ustrcmp(eldap_require_cert, "hard") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_HARD;
+        }
+      else if (Ustrcmp(eldap_require_cert, "demand") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_DEMAND;
+        }
+      else if (Ustrcmp(eldap_require_cert, "allow") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_ALLOW;
+        }
+      else if (Ustrcmp(eldap_require_cert, "try") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_TRY;
+        }
+      DEBUG(D_lookup)
+        debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
+                     tls_option);
+      }
+    else
+    #endif  /* LDAP_OPT_X_TLS_REQUIRE_CERT */

     if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
       {
       tls_option = LDAP_OPT_X_TLS_HARD;
     if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
       {
       tls_option = LDAP_OPT_X_TLS_HARD;

-      DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n");
+      DEBUG(D_lookup)
+        debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");

       }
     else
       {
       tls_option = LDAP_OPT_X_TLS_TRY;
       }
     else
       {
       tls_option = LDAP_OPT_X_TLS_TRY;

-      DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n");
+      DEBUG(D_lookup)
+        debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");

       }
     ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
     }
   #endif  /* LDAP_OPT_X_TLS */
 
       }
     ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
     }
   #endif  /* LDAP_OPT_X_TLS */
 

+  #ifdef LDAP_OPT_X_TLS_CACERTFILE
+  if (eldap_ca_cert_file != NULL)
+    {
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+    }
+  #endif
+  #ifdef LDAP_OPT_X_TLS_CACERTDIR
+  if (eldap_ca_cert_dir != NULL)
+    {
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+    }
+  #endif
+  #ifdef LDAP_OPT_X_TLS_CERTFILE
+  if (eldap_cert_file != NULL)
+    {
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+    }
+  #endif
+  #ifdef LDAP_OPT_X_TLS_KEYFILE
+  if (eldap_cert_key != NULL)
+    {
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+    }
+  #endif
+  #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+  if (eldap_cipher_suite != NULL)
+    {
+    ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+    }
+  #endif
+  #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+  if (eldap_require_cert != NULL)
+    {
+    int cert_option = LDAP_OPT_X_TLS_NEVER;
+    if (Ustrcmp(eldap_require_cert, "hard") == 0)
+      {
+      cert_option = LDAP_OPT_X_TLS_HARD;
+      }
+    else if (Ustrcmp(eldap_require_cert, "demand") == 0)
+      {
+      cert_option = LDAP_OPT_X_TLS_DEMAND;
+      }
+    else if (Ustrcmp(eldap_require_cert, "allow") == 0)
+      {
+      cert_option = LDAP_OPT_X_TLS_ALLOW;
+      }
+    else if (Ustrcmp(eldap_require_cert, "try") == 0)
+      {
+      cert_option = LDAP_OPT_X_TLS_TRY;
+      }
+    /* This ldap handle is set at compile time based on client libs. Older
+     * versions want it to be global and newer versions can force a reload
+     * of the TLS context (to reload these settings we are changing from the
+     * default that loaded at instantiation). */
+    rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    if (rc)
+      {
+      DEBUG(D_lookup)
+        debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
+          cert_option, ldap_err2string(rc));
+      }
+    }
+  #endif
+  #ifdef LDAP_OPT_X_TLS_NEWCTX
+  rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
+  if (rc)
+    {
+    DEBUG(D_lookup)
+      debug_printf("Unable to reload TLS context %d: %s\n",
+                   rc, ldap_err2string(rc));
+    }
+  #endif
+

   /* Now add this connection to the chain of cached connections */
 
   lcp = store_get(sizeof(LDAP_CONNECTION));
   /* Now add this connection to the chain of cached connections */
 
   lcp = store_get(sizeof(LDAP_CONNECTION));


@@ -441,6 +553,7 @@ if (lcp == NULL)
   lcp->port = port;
   lcp->ld = ld;
   lcp->next = ldap_connections;
   lcp->port = port;
   lcp->ld = ld;
   lcp->next = ldap_connections;

+  lcp->is_start_tls_called = FALSE;

   ldap_connections = lcp;
   }
 
   ldap_connections = lcp;
   }
 


@@ -467,6 +580,26 @@ if (!lcp->bound ||
   {
   DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
     (lcp->bound)? "re-" : "", user, password);
   {
   DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
     (lcp->bound)? "re-" : "", user, password);

+  if (eldap_start_tls && !lcp->is_start_tls_called && !ldapi)
+    {
+#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
+    /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
+     * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
+     *       export an ldap_start_tls_s symbol.
+     */
+    if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
+      {
+      *errmsg = string_sprintf("failed to initiate TLS processing on an "
+          "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
+          " %s", host, porttext, rc, ldap_err2string(rc));
+      goto RETURN_ERROR;
+      }
+    lcp->is_start_tls_called = TRUE;
+#else
+    DEBUG(D_lookup)
+      debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
+#endif
+    }

   if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
        == -1)
     {
   if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
        == -1)
     {


@@ -580,10 +713,15 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
         LDAP_RES_SEARCH_ENTRY)
   {
   LDAPMessage  *e;
         LDAP_RES_SEARCH_ENTRY)
   {
   LDAPMessage  *e;

+  int valuecount;   /* We can see an attr spread across several
+                    entries. If B is derived from A and we request
+                    A and the directory contains both, A and B,
+                    then we get two entries, one for A and one for B.
+                    Here we just count the values per entry */

 
 

-  DEBUG(D_lookup) debug_printf("ldap_result loop\n");
+  DEBUG(D_lookup) debug_printf("LDAP result loop\n");

 
 

-  for(e = ldap_first_entry(lcp->ld, result);
+  for(e = ldap_first_entry(lcp->ld, result), valuecount = 0;

       e != NULL;
       e = ldap_next_entry(lcp->ld, e))
     {
       e != NULL;
       e = ldap_next_entry(lcp->ld, e))
     {


@@ -596,7 +734,7 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
 
     /* Results for multiple entries values are separated by newlines. */
 
 
     /* Results for multiple entries values are separated by newlines. */
 

-    if (data != NULL) data = string_cat(data, &size, &ptr, US"\n", 1);
+    if (data != NULL) data = string_catn(data, &size, &ptr, US"\n", 1);

 
     /* Get the DN from the last result. */
 
 
     /* Get the DN from the last result. */
 


@@ -624,7 +762,7 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
       {                                  /* condition, because of the else */
       if (new_dn != NULL)                /* below, that's for the first only */
         {
       {                                  /* condition, because of the else */
       if (new_dn != NULL)                /* below, that's for the first only */
         {

-        data = string_cat(data, &size, &ptr, new_dn, Ustrlen(new_dn));
+        data = string_cat(data, &size, &ptr, new_dn);

         data[ptr] = 0;
         attribute_found = TRUE;
         }
         data[ptr] = 0;
         attribute_found = TRUE;
         }


@@ -632,15 +770,21 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
 
     /* Otherwise, loop through the entry, grabbing attribute values. If there's
     only one attribute being retrieved, no attribute name is given, and the
 
     /* Otherwise, loop through the entry, grabbing attribute values. If there's
     only one attribute being retrieved, no attribute name is given, and the

-    result is not quoted. Multiple values are separated by (comma, space).
+    result is not quoted. Multiple values are separated by (comma).

     If more than one attribute is being retrieved, the data is given as a
     If more than one attribute is being retrieved, the data is given as a

-    sequence of name=value pairs, with the value always in quotes. If there are
-    multiple values, they are given within the quotes, comma separated. */
+    sequence of name=value pairs, separated by (space), with the value always in quotes.
+    If there are multiple values, they are given within the quotes, comma separated. */

 
     else for (attr = US ldap_first_attribute(lcp->ld, e, &ber);
               attr != NULL;
               attr = US ldap_next_attribute(lcp->ld, e, ber))
       {
 
     else for (attr = US ldap_first_attribute(lcp->ld, e, &ber);
               attr != NULL;
               attr = US ldap_next_attribute(lcp->ld, e, ber))
       {

+      DEBUG(D_lookup) debug_printf("LDAP attr loop\n");
+
+      /* In case of attrs_requested == 1 we just count the values, in all other cases
+      (0, >1) we count the values per attribute */
+      if (attrs_requested != 1) valuecount = 0;
+

       if (attr[0] != 0)
         {
         /* Get array of values for this attribute. */
       if (attr[0] != 0)
         {
         /* Get array of values for this attribute. */


@@ -648,48 +792,67 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
         if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr))
              != NULL)
           {
         if ((firstval = values = USS ldap_get_values(lcp->ld, e, CS attr))
              != NULL)
           {

-          if (attr_count != 1)
+
+          if (attrs_requested != 1)

             {
             if (insert_space)
             {
             if (insert_space)

-              data = string_cat(data, &size, &ptr, US" ", 1);
+              data = string_catn(data, &size, &ptr, US" ", 1);

             else
               insert_space = TRUE;
             else
               insert_space = TRUE;

-            data = string_cat(data, &size, &ptr, attr, Ustrlen(attr));
-            data = string_cat(data, &size, &ptr, US"=\"", 2);
+            data = string_cat(data, &size, &ptr, attr);
+            data = string_catn(data, &size, &ptr, US"=\"", 2);

             }
 
           while (*values != NULL)
             {
             uschar *value = *values;
             int len = Ustrlen(value);
             }
 
           while (*values != NULL)
             {
             uschar *value = *values;
             int len = Ustrlen(value);

+            ++valuecount;
+
+            DEBUG(D_lookup) debug_printf("LDAP value loop %s:%s\n", attr, value);

 
 

-            DEBUG(D_lookup) debug_printf("LDAP attr loop %s:%s\n", attr, value);
+            /* In case we requested one attribute only but got several times
+            into that attr loop, we need to append the additional values.
+            (This may happen if you derive attributeTypes B and C from A and
+            then query for A.) In all other cases we detect the different
+            attribute and append only every non first value. */

 
 

-            if (values != firstval)
-              data = string_cat(data, &size, &ptr, US", ", 2);
+            if (data && valuecount > 1)
+              data = string_catn(data, &size, &ptr, US",", 1);

 
             /* For multiple attributes, the data is in quotes. We must escape
 
             /* For multiple attributes, the data is in quotes. We must escape

-            internal quotes, backslashes, newlines. */
+            internal quotes, backslashes, newlines, and must double commas. */

 
 

-            if (attr_count != 1)
+            if (attrs_requested != 1)

               {
               int j;
               for (j = 0; j < len; j++)
                 {
                 if (value[j] == '\n')
               {
               int j;
               for (j = 0; j < len; j++)
                 {
                 if (value[j] == '\n')

-                  data = string_cat(data, &size, &ptr, US"\\n", 2);
+                  data = string_catn(data, &size, &ptr, US"\\n", 2);
+                else if (value[j] == ',')
+                  data = string_catn(data, &size, &ptr, US",,", 2);

                 else
                   {
                   if (value[j] == '\"' || value[j] == '\\')
                 else
                   {
                   if (value[j] == '\"' || value[j] == '\\')

-                    data = string_cat(data, &size, &ptr, US"\\", 1);
-                  data = string_cat(data, &size, &ptr, value+j, 1);
+                    data = string_catn(data, &size, &ptr, US"\\", 1);
+                  data = string_catn(data, &size, &ptr, value+j, 1);

                   }
                 }
               }
 
                   }
                 }
               }
 

-            /* For single attributes, copy the value verbatim */
+            /* For single attributes, just double commas */
+
+           else
+             {
+             int j;
+             for (j = 0; j < len; j++)
+               if (value[j] == ',')
+                 data = string_catn(data, &size, &ptr, US",,", 2);
+               else
+                 data = string_catn(data, &size, &ptr, value+j, 1);
+             }

 
 

-            else data = string_cat(data, &size, &ptr, value, len);

 
             /* Move on to the next value */
 
 
             /* Move on to the next value */
 


@@ -699,8 +862,8 @@ while ((rc = ldap_result(lcp->ld, msgid, 0, timeoutptr, &result)) ==
 
           /* Closing quote at the end of the data for a named attribute. */
 
 
           /* Closing quote at the end of the data for a named attribute. */
 

-          if (attr_count != 1)
-            data = string_cat(data, &size, &ptr, US"\"", 1);
+          if (attrs_requested != 1)
+            data = string_catn(data, &size, &ptr, US"\"", 1);

 
           /* Free the values */
 
 
           /* Free the values */
 


@@ -974,7 +1137,7 @@ Returns:        OK or FAIL or DEFER
 */
 
 static int
 */
 
 static int

-control_ldap_search(uschar *ldap_url, int search_type, uschar **res,
+control_ldap_search(const uschar *ldap_url, int search_type, uschar **res,

   uschar **errmsg)
 {
 BOOL defer_break = FALSE;
   uschar **errmsg)
 {
 BOOL defer_break = FALSE;


@@ -984,11 +1147,13 @@ int tcplimit = 0;
 int sep = 0;
 int dereference = LDAP_DEREF_NEVER;
 void* referrals = LDAP_OPT_ON;
 int sep = 0;
 int dereference = LDAP_DEREF_NEVER;
 void* referrals = LDAP_OPT_ON;

-uschar *url = ldap_url;
-uschar *p;
+const uschar *url = ldap_url;
+const uschar *p;

 uschar *user = NULL;
 uschar *password = NULL;
 uschar *user = NULL;
 uschar *password = NULL;

-uschar *server, *list;
+uschar *local_servers = NULL;
+uschar *server;
+const uschar *list;

 uschar buffer[512];
 
 while (isspace(*url)) url++;
 uschar buffer[512];
 
 while (isspace(*url)) url++;


@@ -1000,7 +1165,7 @@ NAME has the value "ldap". */
 
 while (strncmpic(url, US"ldap", 4) != 0)
   {
 
 while (strncmpic(url, US"ldap", 4) != 0)
   {

-  uschar *name = url;
+  const uschar *name = url;

   while (*url != 0 && *url != '=') url++;
   if (*url == '=')
     {
   while (*url != 0 && *url != '=') url++;
   if (*url == '=')
     {


@@ -1016,6 +1181,7 @@ while (strncmpic(url, US"ldap", 4) != 0)
       else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
       else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
       else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
       else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
       else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
       else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);

+      else if (strncmpic(name, US"SERVERS=", namelen) == 0) local_servers = value;

 
       /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
 
 
       /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
 


@@ -1143,16 +1309,16 @@ if (Ustrncmp(p, "://", 3) != 0)
 
 /* No default servers, or URL contains a server name: just one attempt */
 
 
 /* No default servers, or URL contains a server name: just one attempt */
 

-if (eldap_default_servers == NULL || p[3] != '/')
+if ((eldap_default_servers == NULL && local_servers == NULL) || p[3] != '/')

   {
   return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
     &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
     referrals);
   }
 
   {
   return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
     &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
     referrals);
   }
 

-/* Loop through the default servers until OK or FAIL */
-
-list = eldap_default_servers;
+/* Loop through the default servers until OK or FAIL. Use local_servers list
+ * if defined in the lookup, otherwise use the global default list */
+list = (local_servers == NULL) ? eldap_default_servers : local_servers;

 while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
   {
   int rc;
 while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
   {
   int rc;


@@ -1183,8 +1349,8 @@ are handled by a common function, with a flag to differentiate between them.
 The handle and filename arguments are not used. */
 
 static int
 The handle and filename arguments are not used. */
 
 static int

-eldap_find(void *handle, uschar *filename, uschar *ldap_url, int length,
-  uschar **result, uschar **errmsg, BOOL *do_cache)
+eldap_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
+  uschar **result, uschar **errmsg, uint *do_cache)

 {
 /* Keep picky compilers happy */
 do_cache = do_cache;
 {
 /* Keep picky compilers happy */
 do_cache = do_cache;


@@ -1192,8 +1358,8 @@ return(control_ldap_search(ldap_url, SEARCH_LDAP_SINGLE, result, errmsg));
 }
 
 static int
 }
 
 static int

-eldapm_find(void *handle, uschar *filename, uschar *ldap_url, int length,
-  uschar **result, uschar **errmsg, BOOL *do_cache)
+eldapm_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
+  uschar **result, uschar **errmsg, uint *do_cache)

 {
 /* Keep picky compilers happy */
 do_cache = do_cache;
 {
 /* Keep picky compilers happy */
 do_cache = do_cache;


@@ -1201,8 +1367,8 @@ return(control_ldap_search(ldap_url, SEARCH_LDAP_MULTIPLE, result, errmsg));
 }
 
 static int
 }
 
 static int

-eldapdn_find(void *handle, uschar *filename, uschar *ldap_url, int length,
-  uschar **result, uschar **errmsg, BOOL *do_cache)
+eldapdn_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
+  uschar **result, uschar **errmsg, uint *do_cache)

 {
 /* Keep picky compilers happy */
 do_cache = do_cache;
 {
 /* Keep picky compilers happy */
 do_cache = do_cache;


@@ -1210,8 +1376,8 @@ return(control_ldap_search(ldap_url, SEARCH_LDAP_DN, result, errmsg));
 }
 
 int
 }
 
 int

-eldapauth_find(void *handle, uschar *filename, uschar *ldap_url, int length,
-  uschar **result, uschar **errmsg, BOOL *do_cache)
+eldapauth_find(void *handle, uschar *filename, const uschar *ldap_url, int length,
+  uschar **result, uschar **errmsg, uint *do_cache)

 {
 /* Keep picky compilers happy */
 do_cache = do_cache;
 {
 /* Keep picky compilers happy */
 do_cache = do_cache;


@@ -1251,7 +1417,8 @@ while ((lcp = ldap_connections) != NULL)
   {
   DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
     lcp->port);
   {
   DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
     lcp->port);

-  ldap_unbind(lcp->ld);
+  if(lcp->bound == TRUE)
+    ldap_unbind(lcp->ld);

   ldap_connections = lcp->next;
   }
 }
   ldap_connections = lcp->next;
   }
 }


@@ -1456,6 +1623,25 @@ else
 return quoted;
 }
 
 return quoted;
 }
 

+
+
+/*************************************************
+*         Version reporting entry point          *
+*************************************************/
+
+/* See local README for interface description. */
+
+#include "../version.h"
+
+void
+ldap_version_report(FILE *f)
+{
+#ifdef DYNLOOKUP
+fprintf(f, "Library version: LDAP: Exim version %s\n", EXIM_VERSION_STR);
+#endif
+}
+
+

 static lookup_info ldap_lookup_info = {
   US"ldap",                      /* lookup name */
   lookup_querystyle,             /* query-style lookup */
 static lookup_info ldap_lookup_info = {
   US"ldap",                      /* lookup name */
   lookup_querystyle,             /* query-style lookup */


@@ -1464,7 +1650,8 @@ static lookup_info ldap_lookup_info = {
   eldap_find,                    /* find function */
   NULL,                          /* no close function */
   eldap_tidy,                    /* tidy function */
   eldap_find,                    /* find function */
   NULL,                          /* no close function */
   eldap_tidy,                    /* tidy function */

-  eldap_quote                    /* quoting function */
+  eldap_quote,                   /* quoting function */
+  ldap_version_report            /* version reporting */

 };
 
 static lookup_info ldapdn_lookup_info = {
 };
 
 static lookup_info ldapdn_lookup_info = {


@@ -1475,7 +1662,8 @@ static lookup_info ldapdn_lookup_info = {
   eldapdn_find,                  /* find function */
   NULL,                          /* no close function */
   eldap_tidy,       /* sic */    /* tidy function */
   eldapdn_find,                  /* find function */
   NULL,                          /* no close function */
   eldap_tidy,       /* sic */    /* tidy function */

-  eldap_quote       /* sic */    /* quoting function */
+  eldap_quote,      /* sic */    /* quoting function */
+  NULL                           /* no version reporting (redundant) */

 };
 
 static lookup_info ldapm_lookup_info = {
 };
 
 static lookup_info ldapm_lookup_info = {


@@ -1486,7 +1674,8 @@ static lookup_info ldapm_lookup_info = {
   eldapm_find,                   /* find function */
   NULL,                          /* no close function */
   eldap_tidy,       /* sic */    /* tidy function */
   eldapm_find,                   /* find function */
   NULL,                          /* no close function */
   eldap_tidy,       /* sic */    /* tidy function */

-  eldap_quote       /* sic */    /* quoting function */
+  eldap_quote,      /* sic */    /* quoting function */
+  NULL                           /* no version reporting (redundant) */

 };
 
 #ifdef DYNLOOKUP
 };
 
 #ifdef DYNLOOKUP