--- lighttpd-1.4.16/src/mod_auth.c 2007-01-14 11:40:02.000000000 +0200 +++ lighttpd-1.4.16_patched/src/mod_auth.c 2007-08-18 04:50:17.000000000 +0300 @@ -75,10 +75,13 @@ buffer_free(s->auth_ldap_bindpw); buffer_free(s->auth_ldap_filter); buffer_free(s->auth_ldap_cafile); + buffer_free(s->auth_ldap_deref_conf); #ifdef USE_LDAP + buffer_free(s->ldap_filter_pre); buffer_free(s->ldap_filter_post); + if (s->ldap) ldap_unbind_s(s->ldap); #endif @@ -114,10 +117,13 @@ PATCH(auth_ldap_cafile); PATCH(auth_ldap_starttls); PATCH(auth_ldap_allow_empty_pw); + PATCH(auth_ldap_deref_conf); + #ifdef USE_LDAP PATCH(ldap); PATCH(ldap_filter_pre); PATCH(ldap_filter_post); + PATCH(auth_ldap_deref); #endif /* skip the first, the global context */ @@ -163,6 +169,11 @@ PATCH(auth_ldap_starttls); } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) { PATCH(auth_ldap_allow_empty_pw); + } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.deref"))) { + PATCH(auth_ldap_deref_conf); +#ifdef USE_LDAP + PATCH(auth_ldap_deref); +#endif } } } @@ -316,9 +327,10 @@ { "auth.backend.ldap.bind-dn", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, { "auth.backend.ldap.bind-pw", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 10 */ { "auth.backend.ldap.allow-empty-pw", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, + { "auth.backend.ldap.deref", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, { "auth.backend.htdigest.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, { "auth.backend.htpasswd.userfile", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, - { "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 13 */ + { "auth.debug", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 15 */ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } }; 
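Review bot: In the conditional branch added at -163 of mod_auth.c, `PATCH(auth_ldap_deref)` copies a numeric mode that is only filled in by the string parse added at -588; the -352 hunk initialises it to 0. If that parse runs only for contexts that also set up an LDAP connection (not visible here), a conditional block that sets just `auth.backend.ldap.deref` would silently patch in 0 rather than the configured mode. A comment at the branch such as `/* auth_ldap_deref is only valid once the deref string of this context has been parsed */` would make the dependency explicit, or the string could be parsed where the option is read. The function around this branch starts and ends outside the hunk.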
@@ -343,6 +355,7 @@ s->auth_ldap_bindpw = buffer_init(); s->auth_ldap_filter = buffer_init(); s->auth_ldap_cafile = buffer_init(); + s->auth_ldap_deref_conf = buffer_init(); s->auth_ldap_starttls = 0; s->auth_debug = 0; @@ -352,6 +365,7 @@ s->ldap_filter_pre = buffer_init(); s->ldap_filter_post = buffer_init(); s->ldap = NULL; + s->auth_ldap_deref = 0; #endif cv[0].destination = s->auth_backend_conf; @@ -366,9 +380,10 @@ cv[9].destination = s->auth_ldap_binddn; cv[10].destination = s->auth_ldap_bindpw; cv[11].destination = &(s->auth_ldap_allow_empty_pw); - cv[12].destination = s->auth_htdigest_userfile; - cv[13].destination = s->auth_htpasswd_userfile; - cv[14].destination = &(s->auth_debug); + cv[12].destination = s->auth_ldap_deref_conf; + cv[13].destination = s->auth_htdigest_userfile; + cv[14].destination = s->auth_htpasswd_userfile; + cv[15].destination = &(s->auth_debug); p->config_storage[i] = s; ca = ((data_config *)srv->config_context->data[i])->value; @@ -588,6 +603,22 @@ return HANDLER_ERROR; } + + if (s->auth_ldap_deref_conf->used) { + if (0 == strcmp(s->auth_ldap_deref_conf->ptr, "always")) { + s->auth_ldap_deref = LDAP_DEREF_ALWAYS; + } else if (0 == strcmp(s->auth_ldap_deref_conf->ptr, "never")) { + s->auth_ldap_deref = LDAP_DEREF_NEVER; + } else if (0 == strcmp(s->auth_ldap_deref_conf->ptr, "search")) { + s->auth_ldap_deref = LDAP_DEREF_SEARCHING; + } else if (0 == strcmp(s->auth_ldap_deref_conf->ptr, "find")) { + s->auth_ldap_deref = LDAP_DEREF_FINDING; + } else { + log_error_write(srv, __FILE__, __LINE__, "s", "ldap: option auth.backend.ldap.deref has to be one of 'always', 'never', 'search' or 'find'."); + + return HANDLER_ERROR; + } + } ret = LDAP_VERSION3; if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) { --- lighttpd-1.4.16/src/http_auth.c 2007-06-15 19:22:30.000000000 +0300 +++ lighttpd-1.4.16_patched/src/http_auth.c 2007-08-18 16:45:51.000000000 +0300 
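Review bot: In the mod_auth.c hunk at -588 the parsed mode is stored in `s->auth_ldap_deref` but never applied to `s->ldap`, although the statement right after the added block sets LDAP_OPT_PROTOCOL_VERSION on that same handle. Applying it here too, with `int deref = s->auth_ldap_deref;` and `if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_DEREF, &deref))) { ... return HANDLER_ERROR; }`, would give every handle this code sets up the configured mode. That presumably includes the reconnect through `auth_ldap_init(srv, &p->conf)` seen in http_auth.c, which otherwise retries without it. A comment on the block, for example `/* alias dereferencing decides which entry the user search resolves to; unset means 0 == LDAP_DEREF_NEVER */`, would document the default. The enclosing function begins and ends outside the hunk.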
@@ -743,6 +743,17 @@ /* 2. */ + + /* Set dereference option */ + if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(p->conf.ldap, LDAP_OPT_DEREF, &p->conf.auth_ldap_deref))) { + log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret)); + + if (p->conf.ldap != NULL) + ldap_unbind_s(p->conf.ldap); + + return -1; + } + if (p->conf.ldap == NULL || LDAP_SUCCESS != (ret = ldap_search_s(p->conf.ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) { if (auth_ldap_init(srv, &p->conf) != HANDLER_GO_ON) --- lighttpd-1.4.16/src/http_auth.h 2007-01-14 11:40:02.000000000 +0200 +++ lighttpd-1.4.16_patched/src/http_auth.h 2007-08-18 02:54:42.000000000 +0300 @@ -37,6 +37,7 @@ buffer *auth_ldap_cafile; unsigned short auth_ldap_starttls; unsigned short auth_ldap_allow_empty_pw; + buffer *auth_ldap_deref_conf; unsigned short auth_debug; @@ -48,6 +49,8 @@ buffer *ldap_filter_pre; buffer *ldap_filter_post; + + unsigned short auth_ldap_deref; #endif } mod_auth_plugin_config;
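Review bot: The added `ldap_set_option()` call in http_auth.c runs before the `p->conf.ldap == NULL` test in the search condition directly below it, so it can be handed a NULL handle. With OpenLDAP a NULL handle addresses the library-wide defaults instead of failing, so the guard should come first: `if (p->conf.ldap != NULL && LDAP_OPT_SUCCESS != (ret = ldap_set_option(p->conf.ldap, LDAP_OPT_DEREF, &p->conf.auth_ldap_deref))) {`. In the error path the pointer keeps its old value after `ldap_unbind_s(p->conf.ldap)`; adding `p->conf.ldap = NULL;` after the unbind avoids later reuse or a second unbind of a released handle, assuming no other copy of the pointer is kept elsewhere. The enclosing function starts and ends outside the hunk.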
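Review bot: In the second http_auth.h hunk `auth_ldap_deref` is declared `unsigned short`, but the http_auth.c hunk passes its address to `ldap_set_option(..., LDAP_OPT_DEREF, ...)`, and OpenLDAP reads that option through a pointer to `int`. The library would then read `sizeof(int)` bytes from a two-byte field, taking in whatever follows it in the struct and yielding the wrong value on big-endian hosts. Declaring the field as `int auth_ldap_deref;` fixes this, as does copying it into a local `int` before the call.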