Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/partition.c16
-rw-r--r--source4/ldap_server/ldap_backend.c18
-rw-r--r--source4/ldap_server/ldap_server.c1
-rw-r--r--source4/ldap_server/ldap_server.h6
4 files changed, 36 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c
index 49bdeb04fa5..f66ccab1dd5 100644
--- a/source4/dsdb/samdb/ldb_modules/partition.c
+++ b/source4/dsdb/samdb/ldb_modules/partition.c
@@ -902,11 +902,17 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req)
data->partitions[i]->ctrl->dn) == 0) &&
(ldb_dn_compare(req->op.search.base,
data->partitions[i]->ctrl->dn) != 0)) {
- char *ref = talloc_asprintf(ac,
- "ldap://%s/%s%s",
- lpcfg_dnsdomain(lp_ctx),
- ldb_dn_get_linearized(data->partitions[i]->ctrl->dn),
- req->op.search.scope == LDB_SCOPE_ONELEVEL ? "??base" : "");
+ const char *scheme = ldb_get_opaque(
+ ldb, LDAP_REFERRAL_SCHEME_OPAQUE);
+ char *ref = talloc_asprintf(
+ ac,
+ "%s://%s/%s%s",
+ scheme == NULL ? "ldap" : scheme,
+ lpcfg_dnsdomain(lp_ctx),
+ ldb_dn_get_linearized(
+ data->partitions[i]->ctrl->dn),
+ req->op.search.scope ==
+ LDB_SCOPE_ONELEVEL ? "??base" : "");
if (ref == NULL) {
return ldb_oom(ldb);
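Review bot: The pointer returned by `ldb_get_opaque(ldb, LDAP_REFERRAL_SCHEME_OPAQUE)` is handed to the `%s` of `talloc_asprintf` after only a NULL check, so the referral URL relies on every setter of that opaque storing a NUL-terminated scheme string that outlives the ldb handle. Nothing at the read site records that contract; a comment above the declaration such as `/* set by the LDAP server for the current connection; must be a static string, "ldap" or "ldaps" */` would state it. The same comment should say that an unset opaque falls back to "ldap", since any caller that never sets it will keep handing out cleartext-scheme referrals. partition_search starts and ends outside this hunk, so other uses of the opaque in that function are not visible here.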
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 39f1aa2a2a6..573472c0f7f 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -647,6 +647,24 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
call->notification.busy = true;
}
+ {
+ const char *scheme = NULL;
+ switch (call->conn->referral_scheme) {
+ case LDAP_REFERRAL_SCHEME_LDAPS:
+ scheme = "ldaps";
+ break;
+ default:
+ scheme = "ldap";
+ }
+ ldb_ret = ldb_set_opaque(
+ samdb,
+ LDAP_REFERRAL_SCHEME_OPAQUE,
+ discard_const_p(char *, scheme));
+ if (ldb_ret != LDB_SUCCESS) {
+ goto reply;
+ }
+ }
+
ldb_set_timeout(samdb, lreq, req->timelimit);
if (!call->conn->is_privileged) {
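Review bot: The `default:` arm of the switch maps every value other than LDAP_REFERRAL_SCHEME_LDAPS to "ldap", so a scheme added to the enum later would silently yield cleartext referrals, and the arm has no `break;`. Listing the known value explicitly, `case LDAP_REFERRAL_SCHEME_LDAP:` next to the LDAPS case, and keeping `default:` only as a commented fallback with its own `break;` makes the downgrade a visible decision. The `discard_const_p(char *, scheme)` call stores a pointer to a string literal in the opaque, which is what makes it safe to keep after this block ends; a one-line comment saying so, for example `/* literals only: the opaque keeps this pointer */`, would stop a later change from storing a talloc'd or stack string there. ldapsrv_SearchRequest continues outside the hunk, so what the `reply` label sends back for a failed `ldb_set_opaque` cannot be checked from here.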
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index bc2f54bc146..9599e0dacac 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -436,6 +436,7 @@ static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
}
conn->sockets.active = conn->sockets.tls;
+ conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
ldapsrv_call_read_next(conn);
}
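Review bot: This assignment in ldapsrv_accept_tls_done is the only place in the visible hunks where `referral_scheme` becomes LDAP_REFERRAL_SCHEME_LDAPS, so a connection that gains TLS by any other route (StartTLS, if it is handled elsewhere in the server) would presumably still be given `ldap://` referrals. If that is intended because such clients reached the plain LDAP port, a comment on the line would record it, for example `/* only the ldaps listener gets ldaps:// referrals; StartTLS sessions keep ldap:// */`. If it is not intended, the StartTLS completion path needs the same treatment. The function body begins outside this hunk.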
diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h
index d3e31fb1eec..5b944f5ab9b 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -24,6 +24,11 @@
#include "system/network.h"
#include "lib/param/loadparm.h"
+enum ldap_server_referral_scheme {
+ LDAP_REFERRAL_SCHEME_LDAP,
+ LDAP_REFERRAL_SCHEME_LDAPS
+};
+
struct ldapsrv_connection {
struct ldapsrv_connection *next, *prev;
struct loadparm_context *lp_ctx;
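Review bot: The new `enum ldap_server_referral_scheme` has no comment, and its ordering appears to be load-bearing: LDAP_REFERRAL_SCHEME_LDAP is the zero value and no hunk in this commit assigns it, so plain connections seem to depend on the connection struct being zero-initialised. A comment above the enum should say what it selects and that the first enumerator is the default, for example `/* URL scheme used in referrals sent on this connection; LDAP must stay 0 (default for zeroed connections) */`. Writing `LDAP_REFERRAL_SCHEME_LDAP = 0` would make that dependency explicit in the code as well. The allocation of `struct ldapsrv_connection` is not part of this diff, so the zero-initialisation is an assumption to confirm.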
@@ -47,6 +52,7 @@ struct ldapsrv_connection {
bool is_privileged;
enum ldap_server_require_strong_auth require_strong_auth;
bool authz_logged;
+ enum ldap_server_referral_scheme referral_scheme;
struct {
int initial_timeout;