+ struct ldap_config_list_str *base;
+ LDAP *ld = (LDAP *) nss->handle;
+ LDAPMessage *entry, *result;
+ char *filt;
+ int rc, do_netgr, count = 0;
+
+ if (ld == NULL)
+ goto done;
+
+ /*
+ * Okay - time to search for anything that matches this user
+ * Lets limit it to only two queries of the LDAP server
+ *
+ * The first pass will look by the username, groups, and
+ * the keyword ALL. We will then inspect the results that
+ * came back from the query. We don't need to inspect the
+ * sudoUser in this pass since the LDAP server already scanned
+ * it for us.
+ *
+ * The second pass will return all the entries that contain
+ * user netgroups. Then we take the netgroups returned and
+ * try to match them against the username.
+ */
+ for (do_netgr = 0; do_netgr < 2; do_netgr++) {
+ filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw);
+ DPRINTF(("ldap search '%s'", filt), 1);
+ for (base = ldap_conf.base; base != NULL; base = base->next) {
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
+ NULL, 0, NULL, NULL, NULL, 0, &result);
+ if (rc != LDAP_SUCCESS)
+ continue; /* no entries for this pass */
+
+ /* print each matching entry */
+ LDAP_FOREACH(entry, ld, result) {
+ if ((!do_netgr ||
+ sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
+ sudo_ldap_check_host(ld, entry)) {
+
+ if (long_list)
+ count += sudo_ldap_display_entry_long(ld, entry, lbuf);
+ else
+ count += sudo_ldap_display_entry_short(ld, entry, lbuf);
+ }
+ }
+ ldap_msgfree(result);
+ }
+ efree(filt);
+ }
+done:
+ return(count);
+}
+
+static int
+sudo_ldap_display_cmnd(nss, pw)
+ struct sudo_nss *nss;
+ struct passwd *pw;
+{
+ struct ldap_config_list_str *base;
+ LDAP *ld = (LDAP *) nss->handle;
+ LDAPMessage *entry, *result; /* used for searches */
+ char *filt; /* used to parse attributes */
+ int rc, found, do_netgr; /* temp/final return values */
+
+ if (ld == NULL)
+ return(1);
+
+ /*
+ * Okay - time to search for anything that matches this user
+ * Lets limit it to only two queries of the LDAP server
+ *
+ * The first pass will look by the username, groups, and
+ * the keyword ALL. We will then inspect the results that
+ * came back from the query. We don't need to inspect the
+ * sudoUser in this pass since the LDAP server already scanned
+ * it for us.
+ *
+ * The second pass will return all the entries that contain
+ * user netgroups. Then we take the netgroups returned and
+ * try to match them against the username.
+ */
+ for (found = FALSE, do_netgr = 0; !found && do_netgr < 2; do_netgr++) {
+ filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw);
+ DPRINTF(("ldap search '%s'", filt), 1);
+ for (base = ldap_conf.base; base != NULL; base = base->next) {
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
+ NULL, 0, NULL, NULL, NULL, 0, &result);
+ if (rc != LDAP_SUCCESS)
+ continue; /* no entries for this pass */
+
+ LDAP_FOREACH(entry, ld, result) {
+ if ((!do_netgr ||
+ sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
+ sudo_ldap_check_host(ld, entry) &&
+ sudo_ldap_check_command(ld, entry, NULL) &&
+ sudo_ldap_check_runas(ld, entry)) {
+
+ found = TRUE;
+ break;
+ }
+ }
+ ldap_msgfree(result);
+ }
+ efree(filt);
+ }
+
+ if (found)
+ printf("%s%s%s\n", safe_cmnd ? safe_cmnd : user_cmnd,
+ user_args ? " " : "", user_args ? user_args : "");
+ return(!found);
+}
+
+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
+static int
+sudo_ldap_sasl_interact(ld, flags, _auth_id, _interact)
+ LDAP *ld;
+ unsigned int flags;
+ void *_auth_id;
+ void *_interact;
+{
+ char *auth_id = (char *)_auth_id;
+ sasl_interact_t *interact = (sasl_interact_t *)_interact;
+
+ for (; interact->id != SASL_CB_LIST_END; interact++) {
+ if (interact->id != SASL_CB_USER)
+ return(LDAP_PARAM_ERROR);
+
+ if (auth_id != NULL)
+ interact->result = auth_id;
+ else if (interact->defresult != NULL)
+ interact->result = interact->defresult;
+ else
+ interact->result = "";
+
+ interact->len = strlen(interact->result);
+#if SASL_VERSION_MAJOR < 2
+ interact->result = estrdup(interact->result);
+#endif /* SASL_VERSION_MAJOR < 2 */
+ }
+ return(LDAP_SUCCESS);