2 * Copyright (c) 2003-2008 Todd C. Miller <Todd.Miller@courtesan.com>
4 * This code is derived from software contributed by Aaron Spangler.
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #include <sys/types.h>
23 #include <sys/param.h>
33 #endif /* STDC_HEADERS */
37 # ifdef HAVE_STRINGS_H
40 #endif /* HAVE_STRING_H */
41 #if defined(HAVE_MALLOC_H) && !defined(STDC_HEADERS)
43 #endif /* HAVE_MALLOC_H && !STDC_HEADERS */
46 #endif /* HAVE_UNISTD_H */
51 #include <netinet/in.h>
52 #include <arpa/inet.h>
57 # include "emul/err.h"
58 #endif /* HAVE_ERR_H */
64 #if defined(HAVE_LDAP_SSL_H)
65 # include <ldap_ssl.h>
66 #elif defined(HAVE_MPS_LDAP_SSL_H)
67 # include <mps/ldap_ssl.h>
74 __unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $";
78 # define LINE_MAX 2048
81 #ifndef LDAP_OPT_SUCCESS
82 # define LDAP_OPT_SUCCESS LDAP_SUCCESS
85 #define DPRINTF(args, level) if (ldap_conf.debug >= level) warnx args
91 #define SUDO_LDAP_SSL 1
92 #define SUDO_LDAP_STARTTLS 2
94 struct ldap_config_table {
95 const char *conf_str; /* config file string */
96 short type; /* CONF_BOOL, CONF_INT, CONF_STR */
97 short connected; /* connection-specific value? */
98 int opt_val; /* LDAP_OPT_* (or -1 for sudo internal) */
99 void *valp; /* pointer into ldap_conf */
102 /* ldap configuration structure */
119 char *tls_cacertfile;
121 char *tls_random_file;
122 char *tls_cipher_suite;
127 struct ldap_config_table ldap_conf_table[] = {
128 { "sudoers_debug", CONF_INT, FALSE, -1, &ldap_conf.debug },
129 { "host", CONF_STR, FALSE, -1, &ldap_conf.host },
130 { "port", CONF_INT, FALSE, -1, &ldap_conf.port },
131 { "ssl", CONF_STR, FALSE, -1, &ldap_conf.ssl },
132 { "sslpath", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
133 { "uri", CONF_STR, FALSE, -1, &ldap_conf.uri },
134 #ifdef LDAP_OPT_DEBUG_LEVEL
135 { "debug", CONF_INT, FALSE, LDAP_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug },
137 #ifdef LDAP_OPT_PROTOCOL_VERSION
138 { "ldap_version", CONF_INT, TRUE, LDAP_OPT_PROTOCOL_VERSION,
139 &ldap_conf.version },
141 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
142 { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
143 &ldap_conf.tls_checkpeer },
145 { "tls_checkpeer", CONF_BOOL, FALSE, -1, &ldap_conf.tls_checkpeer },
147 #ifdef LDAP_OPT_X_TLS_CACERTFILE
148 { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
149 &ldap_conf.tls_cacertfile },
151 #ifdef LDAP_OPT_X_TLS_CACERTDIR
152 { "tls_cacertdir", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTDIR,
153 &ldap_conf.tls_cacertdir },
155 #ifdef LDAP_OPT_X_TLS_RANDOM_FILE
156 { "tls_randfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_RANDOM_FILE,
157 &ldap_conf.tls_random_file },
159 #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
160 { "tls_ciphers", CONF_STR, FALSE, LDAP_OPT_X_TLS_CIPHER_SUITE,
161 &ldap_conf.tls_cipher_suite },
163 #ifdef LDAP_OPT_X_TLS_CERTFILE
164 { "tls_cert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CERTFILE,
165 &ldap_conf.tls_certfile },
167 { "tls_cert", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
169 #ifdef LDAP_OPT_X_TLS_KEYFILE
170 { "tls_key", CONF_STR, FALSE, LDAP_OPT_X_TLS_KEYFILE,
171 &ldap_conf.tls_keyfile },
173 { "tls_key", CONF_STR, FALSE, -1, &ldap_conf.tls_keyfile },
175 #ifdef LDAP_OPT_NETWORK_TIMEOUT
176 { "bind_timelimit", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
177 &ldap_conf.bind_timelimit },
178 #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
179 { "bind_timelimit", CONF_INT, TRUE, LDAP_X_OPT_CONNECT_TIMEOUT,
180 &ldap_conf.bind_timelimit },
182 { "timelimit", CONF_INT, TRUE, LDAP_OPT_TIMELIMIT, &ldap_conf.timelimit },
183 { "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn },
184 { "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw },
185 { "rootbinddn", CONF_STR, FALSE, -1, &ldap_conf.rootbinddn },
186 { "sudoers_base", CONF_STR, FALSE, -1, &ldap_conf.base },
190 static void sudo_ldap_update_defaults __P((LDAP *));
191 static void sudo_ldap_close __P((LDAP *));
192 static LDAP *sudo_ldap_open __P((void));
194 #ifndef HAVE_LDAP_INITIALIZE
196 * For each uri, convert to host:port pairs. For ldaps:// enable SSL
197 * Accepts: uris of the form ldap:/// or ldap://hostname:portnum/
198 * where the trailing slash is optional.
201 sudo_ldap_parse_uri(uri_list)
202 const char *uri_list;
204 char *buf, *uri, *host, *cp, *port;
205 char hostbuf[LINE_MAX];
206 int nldap = 0, nldaps = 0;
209 buf = estrdup(uri_list);
211 for ((uri = strtok(buf, " \t")); uri != NULL; (uri = strtok(NULL, " \t"))) {
212 if (strncasecmp(uri, "ldap://", 7) == 0) {
215 } else if (strncasecmp(uri, "ldaps://", 8) == 0) {
219 warnx("unsupported LDAP uri type: %s", uri);
223 /* trim optional trailing slash */
224 if ((cp = strrchr(host, '/')) != NULL && cp[1] == '\0') {
228 if (hostbuf[0] != '\0') {
229 if (strlcat(hostbuf, " ", sizeof(hostbuf)) >= sizeof(hostbuf))
234 host = "localhost"; /* no host specified, use localhost */
236 if (strlcat(hostbuf, host, sizeof(hostbuf)) >= sizeof(hostbuf))
239 /* If using SSL and no port specified, add port 636 */
241 if ((port = strrchr(host, ':')) == NULL || !isdigit(port[1]))
242 if (strlcat(hostbuf, ":636", sizeof(hostbuf)) >= sizeof(hostbuf))
246 if (hostbuf[0] == '\0') {
247 warnx("invalid uri: %s", uri_list);
253 warnx("cannot mix ldap and ldaps URIs");
256 if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
257 warnx("cannot mix ldaps and starttls");
260 ldap_conf.ssl_mode = SUDO_LDAP_SSL;
263 free(ldap_conf.host);
264 ldap_conf.host = estrdup(hostbuf);
272 errx(1, "sudo_ldap_parse_uri: out of space building hostbuf");
274 #endif /* HAVE_LDAP_INITIALIZE */
277 sudo_ldap_init(ldp, host, port)
283 int rc = LDAP_CONNECT_ERROR;
285 #ifdef HAVE_LDAPSSL_INIT
286 if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
287 DPRINTF(("ldapssl_clientauth_init(%s, %s)",
288 ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
289 ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
290 rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
291 ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
292 if (rc != LDAP_SUCCESS) {
293 warnx("unable to initialize SSL cert and key db: %s",
294 ldapssl_err2string(rc));
298 DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
299 if ((ld = ldapssl_init(host, port, 1)) == NULL)
304 DPRINTF(("ldap_init(%s, %d)", host, port), 2);
305 if ((ld = ldap_init(host, port)) == NULL)
316 * Walk through search results and return TRUE if we have a matching
317 * netgroup, else FALSE.
320 sudo_ldap_check_user_netgroup(ld, entry)
324 char **v = NULL, **p = NULL;
330 /* get the values from the entry */
331 v = ldap_get_values(ld, entry, "sudoUser");
333 /* walk through values */
334 for (p = v; p && *p && !ret; p++) {
336 if (netgr_matches(*p, NULL, NULL, user_name))
338 DPRINTF(("ldap sudoUser netgroup '%s' ... %s", *p,
339 ret ? "MATCH!" : "not"), 2);
343 ldap_value_free(v); /* cleanup */
349 * Walk through search results and return TRUE if we have a
350 * host match, else FALSE.
353 sudo_ldap_check_host(ld, entry)
357 char **v = NULL, **p = NULL;
363 /* get the values from the entry */
364 v = ldap_get_values(ld, entry, "sudoHost");
366 /* walk through values */
367 for (p = v; p && *p && !ret; p++) {
368 /* match any or address or netgroup or hostname */
369 if (!strcmp(*p, "ALL") || addr_matches(*p) ||
370 netgr_matches(*p, user_host, user_shost, NULL) ||
371 !hostname_matches(user_shost, user_host, *p))
373 DPRINTF(("ldap sudoHost '%s' ... %s", *p,
374 ret ? "MATCH!" : "not"), 2);
378 ldap_value_free(v); /* cleanup */
384 * Walk through search results and return TRUE if we have a runas match,
386 * Since the runas directive in /etc/sudoers is optional, so is sudoRunAs.
389 sudo_ldap_check_runas(ld, entry)
393 char **v = NULL, **p = NULL;
399 /* get the values from the entry */
400 v = ldap_get_values(ld, entry, "sudoRunAs");
405 * if runas is not specified on the command line, the only information
406 * as to which user to run as is in the runas_default option. We should
407 * check to see if we have the local option present. Unfortunately we
408 * don't parse these options until after this routine says yes or no.
409 * The query has already returned, so we could peek at the attribute
410 * values here though.
412 * For now just require users to always use -u option unless its set
413 * in the global defaults. This behaviour is no different than the global
416 * Sigh - maybe add this feature later
421 * If there are no runas entries, match runas_default against
422 * what the user specified on the command line.
425 ret = !strcasecmp(runas_pw->pw_name, def_runas_default);
427 /* walk through values returned, looking for a match */
428 for (p = v; p && *p && !ret; p++) {
431 if (netgr_matches(*p, NULL, NULL, runas_pw->pw_name))
435 if (usergr_matches(*p, runas_pw->pw_name, runas_pw))
439 if (strcmp(*p, "ALL") == 0) {
445 if (strcasecmp(*p, runas_pw->pw_name) == 0)
449 DPRINTF(("ldap sudoRunAs '%s' ... %s", *p,
450 ret ? "MATCH!" : "not"), 2);
454 ldap_value_free(v); /* cleanup */
460 * Walk through search results and return TRUE if we have a command match.
463 sudo_ldap_check_command(ld, entry, setenv_implied)
468 char *allowed_cmnd, *allowed_args, **v = NULL, **p = NULL;
469 int foundbang, ret = FALSE;
474 v = ldap_get_values(ld, entry, "sudoCommand");
476 /* get_first_entry */
477 for (p = v; p && *p && ret >= 0; p++) {
478 /* Match against ALL ? */
479 if (!strcmp(*p, "ALL")) {
481 if (setenv_implied != NULL)
482 *setenv_implied = TRUE;
483 DPRINTF(("ldap sudoCommand '%s' ... MATCH!", *p), 2);
487 /* check for !command */
490 allowed_cmnd = estrdup(1 + *p); /* !command */
493 allowed_cmnd = estrdup(*p); /* command */
496 /* split optional args away from command */
497 allowed_args = strchr(allowed_cmnd, ' ');
499 *allowed_args++ = '\0';
501 /* check the command like normal */
502 if (command_matches(allowed_cmnd, allowed_args)) {
504 * If allowed (no bang) set ret but keep on checking.
505 * If disallowed (bang), exit loop.
507 ret = foundbang ? -1 : TRUE;
509 DPRINTF(("ldap sudoCommand '%s' ... %s", *p,
510 ret == TRUE ? "MATCH!" : "not"), 2);
512 efree(allowed_cmnd); /* cleanup */
516 ldap_value_free(v); /* more cleanup */
518 /* return TRUE if we found at least one ALLOW and no DENY */
523 * Read sudoOption and modify the defaults as we go. This is used once
524 * from the cn=defaults entry and also once when a final sudoRole is matched.
527 sudo_ldap_parse_options(ld, entry)
531 char op, *var, *val, **v = NULL, **p = NULL;
536 v = ldap_get_values(ld, entry, "sudoOption");
538 /* walk through options */
539 for (p = v; p && *p; p++) {
541 DPRINTF(("ldap sudoOption: '%s'", *p), 2);
544 /* check for equals sign past first char */
545 val = strchr(var, '=');
547 *val++ = '\0'; /* split on = and truncate var */
548 op = *(val - 2); /* peek for += or -= cases */
549 if (op == '+' || op == '-') {
550 *(val - 2) = '\0'; /* found, remove extra char */
551 /* case var+=val or var-=val */
552 set_default(var, val, (int) op);
555 set_default(var, val, TRUE);
557 } else if (*var == '!') {
558 /* case !var Boolean False */
559 set_default(var + 1, NULL, FALSE);
561 /* case var Boolean True */
562 set_default(var, NULL, TRUE);
572 * Concatenate strings, dynamically growing them as necessary.
573 * Strings can be arbitrarily long and are allocated/reallocated on
574 * the fly. Make sure to free them when you are done.
581 * ncat(&s,&sz,"This ");
582 * ncat(&s,&sz,"is ");
583 * ncat(&s,&sz,"an ");
584 * ncat(&s,&sz,"arbitrarily ");
585 * ncat(&s,&sz,"long ");
586 * ncat(&s,&sz,"string!");
588 * printf("String Value='%s', but has %d bytes allocated\n",s,sz);
599 /* handle initial alloc */
602 *sz = strlen(src) + 1;
606 nsz = strlen(*s) + strlen(src) + 1;
608 *s = erealloc((void *) *s, *sz = nsz * 2);
609 strlcat(*s, src, *sz);
613 * builds together a filter to check against ldap
616 sudo_ldap_build_pass1()
626 /* build filter sudoUser=user_name */
627 ncat(&b, &sz, "(sudoUser=");
628 ncat(&b, &sz, user_name);
631 /* Append primary group */
632 grp = getgrgid(user_gid);
634 ncat(&b, &sz, "(sudoUser=%");
635 ncat(&b, &sz, grp -> gr_name);
639 /* Append supplementary groups */
640 for (i = 0; i < user_ngroups; i++) {
641 if (user_groups[i] == user_gid)
643 if ((grp = getgrgid(user_groups[i])) != NULL) {
644 ncat(&b, &sz, "(sudoUser=%");
645 ncat(&b, &sz, grp -> gr_name);
650 /* Add ALL to list */
651 ncat(&b, &sz, "(sudoUser=ALL)");
660 * Map yes/true/on to TRUE, no/false/off to FALSE, else -1
669 if (strcasecmp(s, "yes") == 0)
674 if (strcasecmp(s, "true") == 0)
679 if (strcasecmp(s, "on") == 0)
681 if (strcasecmp(s, "off") == 0)
686 if (strcasecmp(s, "no") == 0)
691 if (strcasecmp(s, "false") == 0)
699 sudo_ldap_read_config()
702 char buf[LINE_MAX], *c, *keyword, *value;
703 struct ldap_config_table *cur;
706 ldap_conf.version = 3;
708 ldap_conf.tls_checkpeer = -1;
709 ldap_conf.timelimit = -1;
710 ldap_conf.bind_timelimit = -1;
712 if ((f = fopen(_PATH_LDAP_CONF, "r")) == NULL)
715 while (fgets(buf, sizeof(buf), f)) {
716 /* ignore text after comment character */
717 if ((c = strchr(buf, '#')) != NULL)
720 /* skip leading whitespace */
721 for (c = buf; isspace((unsigned char) *c); c++)
724 if (*c == '\0' || *c == '\n')
725 continue; /* skip empty line */
727 /* properly terminate keyword string */
729 while (*c && !isspace((unsigned char) *c))
732 *c++ = '\0'; /* terminate keyword */
734 /* skip whitespace before value */
735 while (isspace((unsigned char) *c))
739 /* trim whitespace after value */
741 c++; /* wind to end */
742 while (--c > value && isspace((unsigned char) *c))
745 /* Look up keyword in config table. */
746 for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
747 if (strcasecmp(keyword, cur->conf_str) == 0) {
750 *(int *)(cur->valp) = _atobool(value);
753 *(int *)(cur->valp) = atoi(value);
756 efree(*(char **)(cur->valp));
757 *(char **)(cur->valp) = estrdup(value);
767 ldap_conf.host = "localhost";
769 if (ldap_conf.bind_timelimit > 0)
770 ldap_conf.bind_timelimit *= 1000; /* convert to ms */
772 if (ldap_conf.debug > 1) {
773 fprintf(stderr, "LDAP Config Summary\n");
774 fprintf(stderr, "===================\n");
776 fprintf(stderr, "uri %s\n", ldap_conf.uri);
778 fprintf(stderr, "host %s\n", ldap_conf.host ?
779 ldap_conf.host : "(NONE)");
780 fprintf(stderr, "port %d\n", ldap_conf.port);
782 fprintf(stderr, "ldap_version %d\n", ldap_conf.version);
784 fprintf(stderr, "sudoers_base %s\n", ldap_conf.base ?
785 ldap_conf.base : "(NONE) <---Sudo will ignore ldap)");
786 fprintf(stderr, "binddn %s\n", ldap_conf.binddn ?
787 ldap_conf.binddn : "(anonymous)");
788 fprintf(stderr, "bindpw %s\n", ldap_conf.bindpw ?
789 ldap_conf.bindpw : "(anonymous)");
790 if (ldap_conf.bind_timelimit > 0)
791 fprintf(stderr, "bind_timelimit %d\n", ldap_conf.bind_timelimit);
792 if (ldap_conf.timelimit > 0)
793 fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit);
794 fprintf(stderr, "ssl %s\n", ldap_conf.ssl ?
795 ldap_conf.ssl : "(no)");
796 if (ldap_conf.tls_checkpeer != -1)
797 fprintf(stderr, "tls_checkpeer %s\n", ldap_conf.tls_checkpeer ?
799 if (ldap_conf.tls_cacertfile != NULL)
800 fprintf(stderr, "tls_cacertfile %s\n", ldap_conf.tls_cacertfile);
801 if (ldap_conf.tls_cacertdir != NULL)
802 fprintf(stderr, "tls_cacertdir %s\n", ldap_conf.tls_cacertdir);
803 if (ldap_conf.tls_random_file != NULL)
804 fprintf(stderr, "tls_random_file %s\n", ldap_conf.tls_random_file);
805 if (ldap_conf.tls_cipher_suite != NULL)
806 fprintf(stderr, "tls_cipher_suite %s\n", ldap_conf.tls_cipher_suite);
807 if (ldap_conf.tls_certfile != NULL)
808 fprintf(stderr, "tls_certfile %s\n", ldap_conf.tls_certfile);
809 if (ldap_conf.tls_keyfile != NULL)
810 fprintf(stderr, "tls_keyfile %s\n", ldap_conf.tls_keyfile);
811 fprintf(stderr, "===================\n");
814 return(FALSE); /* if no base is defined, ignore LDAP */
817 * Interpret SSL option
819 if (ldap_conf.ssl != NULL) {
820 if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
821 ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
822 else if (_atobool(ldap_conf.ssl))
823 ldap_conf.ssl_mode = SUDO_LDAP_SSL;
826 #if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
827 if (ldap_conf.tls_checkpeer != -1) {
828 ldapssl_set_strength(NULL,
829 ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);
833 #ifndef HAVE_LDAP_INITIALIZE
834 /* Convert uri list to host list if no ldap_initialize(). */
836 if (sudo_ldap_parse_uri(ldap_conf.uri) != 0)
839 ldap_conf.uri = NULL;
840 ldap_conf.port = LDAP_PORT;
844 /* Use port 389 for plaintext LDAP and port 636 for SSL LDAP */
845 if (!ldap_conf.uri && ldap_conf.port < 0)
847 ldap_conf.ssl_mode == SUDO_LDAP_SSL ? LDAPS_PORT : LDAP_PORT;
849 /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
850 if (ldap_conf.rootbinddn) {
851 if ((f = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {
852 if (fgets(buf, sizeof(buf), f) != NULL) {
853 /* removing trailing newlines */
854 for (c = buf; *c != '\0'; c++)
856 while (--c > buf && *c == '\n')
858 /* copy to bindpw and binddn */
859 efree(ldap_conf.bindpw);
860 ldap_conf.bindpw = estrdup(buf);
861 efree(ldap_conf.binddn);
862 ldap_conf.binddn = ldap_conf.rootbinddn;
863 ldap_conf.rootbinddn = NULL;
872 * like perl's join(sep,@ARGS)
875 _ldap_join_values(sep, v)
879 char *b = NULL, **p = NULL;
882 /* paste values together */
883 for (p = v; p && *p; p++) {
884 if (p != v && sep != NULL)
885 ncat(&b, &sz, sep); /* append separator */
886 ncat(&b, &sz, *p); /* append value */
891 /* something went wrong, put something here */
892 ncat(&b, &sz, "(empty list)"); /* append value */
898 char *sudo_ldap_cm_list = NULL;
899 size_t sudo_ldap_cm_list_size;
901 #define SAVE_LIST(x) ncat(&sudo_ldap_cm_list,&sudo_ldap_cm_list_size,(x))
903 * Walks through search result and returns TRUE if we have a
907 sudo_ldap_add_match(ld, entry, pwflag)
912 char *dn, **edn, **v = NULL;
914 /* if we are not collecting matches, then don't save them */
915 if (pwflag != I_LISTPW)
918 /* collect the dn, only show the rdn */
919 dn = ldap_get_dn(ld, entry);
920 edn = dn ? ldap_explode_dn(dn, 1) : NULL;
921 SAVE_LIST("\nLDAP Role: ");
922 SAVE_LIST((edn && *edn) ? *edn : "UNKNOWN");
927 ldap_value_free(edn);
929 /* get the Runas Values from the entry */
930 v = ldap_get_values(ld, entry, "sudoRunAs");
932 SAVE_LIST(" RunAs: (");
933 SAVE_LIST(_ldap_join_values(", ", v));
939 /* get the Command Values from the entry */
940 v = ldap_get_values(ld, entry, "sudoCommand");
942 SAVE_LIST(" Commands:\n ");
943 SAVE_LIST(_ldap_join_values("\n ", v));
946 SAVE_LIST(" Commands: NONE\n");
951 return(FALSE); /* Don't stop at the first match */
956 sudo_ldap_list_matches()
958 if (sudo_ldap_cm_list != NULL)
959 printf("%s", sudo_ldap_cm_list);
963 * Set LDAP options based on the config table.
966 sudo_ldap_set_options(ld)
969 struct ldap_config_table *cur;
972 /* Set ber options */
973 #ifdef LBER_OPT_DEBUG_LEVEL
974 if (ldap_conf.ldap_debug)
975 ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug);
978 /* Set simple LDAP options */
979 for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
984 if (cur->opt_val == -1)
987 conn = cur->connected ? ld : NULL;
991 ival = *(int *)(cur->valp);
993 rc = ldap_set_option(conn, cur->opt_val, &ival);
994 if (rc != LDAP_OPT_SUCCESS) {
995 warnx("ldap_set_option: %s -> %d: %s",
996 cur->conf_str, ival, ldap_err2string(rc));
999 DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1);
1003 sval = *(char **)(cur->valp);
1005 rc = ldap_set_option(conn, cur->opt_val, sval);
1006 if (rc != LDAP_OPT_SUCCESS) {
1007 warnx("ldap_set_option: %s -> %s: %s",
1008 cur->conf_str, sval, ldap_err2string(rc));
1011 DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1);
1017 #ifdef LDAP_OPT_NETWORK_TIMEOUT
1018 /* Convert bind_timelimit to a timeval */
1019 if (ldap_conf.bind_timelimit > 0) {
1021 tv.tv_sec = ldap_conf.bind_timelimit / 1000;
1023 rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
1024 if (rc != LDAP_OPT_SUCCESS) {
1025 warnx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s",
1026 (long)tv.tv_sec, ldap_err2string(rc));
1029 DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)\n",
1030 (long)tv.tv_sec), 1);
1034 #if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT)
1035 if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
1036 int val = LDAP_OPT_X_TLS_HARD;
1037 rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
1038 if (rc != LDAP_SUCCESS) {
1039 warnx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s",
1040 ldap_err2string(rc));
1043 DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)\n"), 1);
1050 * Open a connection to the LDAP server.
1058 if (!sudo_ldap_read_config())
1061 /* Connect to LDAP server */
1062 #ifdef HAVE_LDAP_INITIALIZE
1063 if (ldap_conf.uri != NULL) {
1064 DPRINTF(("ldap_initialize(ld, %s)", ldap_conf.uri), 2);
1065 rc = ldap_initialize(&ld, ldap_conf.uri);
1067 #endif /* HAVE_LDAP_INITIALIZE */
1068 rc = sudo_ldap_init(&ld, ldap_conf.host, ldap_conf.port);
1069 if (rc != LDAP_SUCCESS) {
1070 warnx("unable to initialize LDAP: %s", ldap_err2string(rc));
1074 /* Set LDAP options */
1075 if (sudo_ldap_set_options(ld) < 0)
1078 if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
1079 #ifdef HAVE_LDAP_START_TLS_S
1080 rc = ldap_start_tls_s(ld, NULL, NULL);
1081 if (rc != LDAP_SUCCESS) {
1082 warnx("ldap_start_tls_s(): %s", ldap_err2string(rc));
1086 DPRINTF(("ldap_start_tls_s() ok"), 1);
1088 warnx("start_tls specified but LDAP libs do not support ldap_start_tls_s()");
1089 #endif /* HAVE_LDAP_START_TLS_S */
1092 /* Actually connect */
1093 if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
1094 warnx("ldap_simple_bind_s: %s", ldap_err2string(rc));
1097 DPRINTF(("ldap_simple_bind_s() ok"), 1);
1103 sudo_ldap_update_defaults(ld)
1106 LDAPMessage *entry = NULL, *result = NULL; /* used for searches */
1107 int rc; /* temp return value */
1109 rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE,
1110 "cn=defaults", NULL, 0, &result);
1111 if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
1112 DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
1113 sudo_ldap_parse_options(ld, entry);
1115 DPRINTF(("no default options found!"), 1);
1118 ldap_msgfree(result);
1122 * like sudoers_lookup() - only LDAP style
1125 sudo_ldap_check(pwflag)
1129 LDAPMessage *entry = NULL, *result = NULL; /* used for searches */
1130 char *filt; /* used to parse attributes */
1131 int rc, ret = FALSE, do_netgr; /* temp/final return values */
1133 int ldap_user_matches = FALSE, ldap_host_matches = FALSE; /* flags */
1135 /* Open a connection to the LDAP server. */
1136 if ((ld = sudo_ldap_open()) == NULL)
1137 return(VALIDATE_ERROR);
1139 /* Parse Default options. */
1140 sudo_ldap_update_defaults(ld);
1143 * Okay - time to search for anything that matches this user
1144 * Lets limit it to only two queries of the LDAP server
1146 * The first pass will look by the username, groups, and
1147 * the keyword ALL. We will then inspect the results that
1148 * came back from the query. We don't need to inspect the
1149 * sudoUser in this pass since the LDAP server already scanned
1152 * The second pass will return all the entries that contain
1153 * user netgroups. Then we take the netgroups returned and
1154 * try to match them against the username.
1156 setenv_implied = FALSE;
1157 for (do_netgr = 0; !ret && do_netgr < 2; do_netgr++) {
1158 filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1();
1159 DPRINTF(("ldap search '%s'", filt), 1);
1160 rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
1162 if (rc != LDAP_SUCCESS)
1163 DPRINTF(("nothing found for '%s'", filt), 1);
1166 /* parse each entry returned from this most recent search */
1167 entry = rc ? NULL : ldap_first_entry(ld, result);
1168 while (entry != NULL) {
1169 DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
1171 /* first verify user netgroup matches - only if in pass 2 */
1172 (!do_netgr || sudo_ldap_check_user_netgroup(ld, entry)) &&
1173 /* remember that user matched */
1174 (ldap_user_matches = -1) &&
1175 /* verify host match */
1176 sudo_ldap_check_host(ld, entry) &&
1177 /* remember that host matched */
1178 (ldap_host_matches = -1) &&
1179 /* add matches for listing later */
1180 sudo_ldap_add_match(ld, entry, pwflag) &&
1181 /* verify command match */
1182 sudo_ldap_check_command(ld, entry, &setenv_implied) &&
1183 /* verify runas match */
1184 sudo_ldap_check_runas(ld, entry)
1186 /* We have a match! */
1187 DPRINTF(("Perfect Matched!"), 1);
1188 /* pick up any options */
1191 sudo_ldap_parse_options(ld, entry);
1192 /* make sure we don't reenter loop */
1194 /* break from inside for loop */
1197 entry = ldap_next_entry(ld, entry);
1200 ldap_msgfree(result);
1204 sudo_ldap_close(ld); /* shut down connection */
1206 DPRINTF(("user_matches=%d", ldap_user_matches), 1);
1207 DPRINTF(("host_matches=%d", ldap_host_matches), 1);
1209 /* Check for special case for -v, -k, -l options */
1210 if (pwflag && ldap_user_matches && ldap_host_matches) {
1212 * Handle verifypw & listpw
1214 * To be extra paranoid, since we haven't read any NOPASSWD options
1215 * in /etc/sudoers yet, but we have to make the decission now, lets
1216 * assume the worst and prefer to prompt for password unless the setting
1217 * is "never". (example verifypw=never or listpw=never)
1222 SET(ret, FLAG_NOPASS); /* -k or -K */
1224 switch (sudo_defs_table[pwflag].sd_un.tuple) {
1226 SET(ret, FLAG_NOPASS);
1229 if (def_authenticate)
1230 SET(ret, FLAG_CHECK_USER);
1237 if (ISSET(ret, VALIDATE_OK)) {
1238 /* we have a match, should we check the password? */
1239 if (!def_authenticate)
1240 SET(ret, FLAG_NOPASS);
1242 SET(ret, FLAG_NOEXEC);
1244 SET(ret, FLAG_SETENV);
1246 /* we do not have a match */
1247 ret = VALIDATE_NOT_OK;
1249 SET(ret, FLAG_NO_CHECK);
1250 else if (!ldap_user_matches)
1251 SET(ret, FLAG_NO_USER);
1252 else if (!ldap_host_matches)
1253 SET(ret, FLAG_NO_HOST);
1255 DPRINTF(("sudo_ldap_check(%d)=0x%02x", pwflag, ret), 1);
1261 * shut down LDAP connection
1264 sudo_ldap_close(LDAP *ld)