/*
- * Copyright (c) 2003-2008 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2003-2010 Todd C. Miller <Todd.Miller@courtesan.com>
*
* This code is derived from software contributed by Aaron Spangler.
*
#endif /* STDC_HEADERS */
#ifdef HAVE_STRING_H
# include <string.h>
-#else
-# ifdef HAVE_STRINGS_H
-# include <strings.h>
-# endif
#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
#if defined(HAVE_MALLOC_H) && !defined(STDC_HEADERS)
# include <malloc.h>
#endif /* HAVE_MALLOC_H && !STDC_HEADERS */
#include "parse.h"
#include "lbuf.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.100 2008/04/23 12:30:07 millert Exp $";
-#endif /* lint */
-
#ifndef LDAP_OPT_SUCCESS
# define LDAP_OPT_SUCCESS LDAP_SUCCESS
#endif
#define CONF_BOOL 0
#define CONF_INT 1
#define CONF_STR 2
+#define CONF_LIST_STR 4
#define SUDO_LDAP_SSL 1
#define SUDO_LDAP_STARTTLS 2
void *valp; /* pointer into ldap_conf */
};
+struct ldap_config_list_str {
+ struct ldap_config_list_str *next;
+ char val[1];
+};
+
/* ldap configuration structure */
static struct ldap_config {
int port;
int rootuse_sasl;
int ssl_mode;
char *host;
- char *uri;
+ struct ldap_config_list_str *uri;
char *binddn;
char *bindpw;
char *rootbinddn;
- char *base;
+ struct ldap_config_list_str *base;
char *ssl;
char *tls_cacertfile;
char *tls_cacertdir;
{ "port", CONF_INT, FALSE, -1, &ldap_conf.port },
{ "ssl", CONF_STR, FALSE, -1, &ldap_conf.ssl },
{ "sslpath", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
- { "uri", CONF_STR, FALSE, -1, &ldap_conf.uri },
+ { "uri", CONF_LIST_STR, FALSE, -1, &ldap_conf.uri },
#ifdef LDAP_OPT_DEBUG_LEVEL
{ "debug", CONF_INT, FALSE, LDAP_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug },
#endif
#ifdef LDAP_OPT_X_TLS_CACERTFILE
{ "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
&ldap_conf.tls_cacertfile },
+ { "tls_cacert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
+ &ldap_conf.tls_cacertfile },
#endif
#ifdef LDAP_OPT_X_TLS_CACERTDIR
{ "tls_cacertdir", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTDIR,
{ "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn },
{ "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw },
{ "rootbinddn", CONF_STR, FALSE, -1, &ldap_conf.rootbinddn },
- { "sudoers_base", CONF_STR, FALSE, -1, &ldap_conf.base },
+ { "sudoers_base", CONF_LIST_STR, FALSE, -1, &ldap_conf.base },
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
{ "use_sasl", CONF_BOOL, FALSE, -1, &ldap_conf.use_sasl },
{ "sasl_auth_id", CONF_STR, FALSE, -1, &ldap_conf.sasl_auth_id },
{ NULL }
};
+/* sudo_nss implementation */
+static int sudo_ldap_open __P((struct sudo_nss *nss));
+static int sudo_ldap_close __P((struct sudo_nss *nss));
+static int sudo_ldap_parse __P((struct sudo_nss *nss));
+static int sudo_ldap_setdefs __P((struct sudo_nss *nss));
+static int sudo_ldap_lookup __P((struct sudo_nss *nss, int ret, int pwflag));
+static int sudo_ldap_display_cmnd __P((struct sudo_nss *nss,
+ struct passwd *pw));
+static int sudo_ldap_display_defaults __P((struct sudo_nss *nss,
+ struct passwd *pw, struct lbuf *lbuf));
+static int sudo_ldap_display_bound_defaults __P((struct sudo_nss *nss,
+ struct passwd *pw, struct lbuf *lbuf));
+static int sudo_ldap_display_privs __P((struct sudo_nss *nss,
+ struct passwd *pw, struct lbuf *lbuf));
+
struct sudo_nss sudo_nss_ldap = {
&sudo_nss_ldap,
NULL,
if (strlcat(hostbuf, host, sizeof(hostbuf)) >= sizeof(hostbuf))
goto toobig;
/* Append port if there is not one already. */
- if ((port = strrchr(host, ':')) == NULL || !isdigit(port[1])) {
+ if ((port = strrchr(host, ':')) == NULL ||
+ !isdigit((unsigned char)port[1])) {
if (strlcat(hostbuf, defport, sizeof(hostbuf)) >= sizeof(hostbuf))
goto toobig;
}
*/
static int
sudo_ldap_parse_uri(uri_list)
- const char *uri_list;
+ const struct ldap_config_list_str *uri_list;
{
char *buf, *uri, *host, *cp, *port;
char hostbuf[LINE_MAX];
int nldap = 0, nldaps = 0;
int rc = -1;
- buf = estrdup(uri_list);
- hostbuf[0] = '\0';
- for ((uri = strtok(buf, " \t")); uri != NULL; (uri = strtok(NULL, " \t"))) {
- if (strncasecmp(uri, "ldap://", 7) == 0) {
- nldap++;
- host = uri + 7;
- } else if (strncasecmp(uri, "ldaps://", 8) == 0) {
- nldaps++;
- host = uri + 8;
- } else {
- warningx("unsupported LDAP uri type: %s", uri);
- goto done;
- }
+ do {
+ buf = estrdup(uri_list->val);
+ hostbuf[0] = '\0';
+ for ((uri = strtok(buf, " \t")); uri != NULL; (uri = strtok(NULL, " \t"))) {
+ if (strncasecmp(uri, "ldap://", 7) == 0) {
+ nldap++;
+ host = uri + 7;
+ } else if (strncasecmp(uri, "ldaps://", 8) == 0) {
+ nldaps++;
+ host = uri + 8;
+ } else {
+ warningx("unsupported LDAP uri type: %s", uri);
+ goto done;
+ }
- /* trim optional trailing slash */
- if ((cp = strrchr(host, '/')) != NULL && cp[1] == '\0') {
- *cp = '\0';
- }
+ /* trim optional trailing slash */
+ if ((cp = strrchr(host, '/')) != NULL && cp[1] == '\0') {
+ *cp = '\0';
+ }
- if (hostbuf[0] != '\0') {
- if (strlcat(hostbuf, " ", sizeof(hostbuf)) >= sizeof(hostbuf))
- goto toobig;
- }
+ if (hostbuf[0] != '\0') {
+ if (strlcat(hostbuf, " ", sizeof(hostbuf)) >= sizeof(hostbuf))
+ goto toobig;
+ }
- if (*host == '\0')
- host = "localhost"; /* no host specified, use localhost */
+ if (*host == '\0')
+ host = "localhost"; /* no host specified, use localhost */
- if (strlcat(hostbuf, host, sizeof(hostbuf)) >= sizeof(hostbuf))
- goto toobig;
+ if (strlcat(hostbuf, host, sizeof(hostbuf)) >= sizeof(hostbuf))
+ goto toobig;
- /* If using SSL and no port specified, add port 636 */
- if (nldaps) {
- if ((port = strrchr(host, ':')) == NULL || !isdigit(port[1]))
- if (strlcat(hostbuf, ":636", sizeof(hostbuf)) >= sizeof(hostbuf))
- goto toobig;
+ /* If using SSL and no port specified, add port 636 */
+ if (nldaps) {
+ if ((port = strrchr(host, ':')) == NULL ||
+ !isdigit((unsigned char)port[1]))
+ if (strlcat(hostbuf, ":636", sizeof(hostbuf)) >= sizeof(hostbuf))
+ goto toobig;
+ }
}
- }
- if (hostbuf[0] == '\0') {
- warningx("invalid uri: %s", uri_list);
- goto done;
- }
-
- if (nldaps != 0) {
- if (nldap != 0) {
- warningx("cannot mix ldap and ldaps URIs");
+ if (hostbuf[0] == '\0') {
+ warningx("invalid uri: %s", uri_list);
goto done;
}
- if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
- warningx("cannot mix ldaps and starttls");
- goto done;
+
+ if (nldaps != 0) {
+ if (nldap != 0) {
+ warningx("cannot mix ldap and ldaps URIs");
+ goto done;
+ }
+ if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
+ warningx("cannot mix ldaps and starttls");
+ goto done;
+ }
+ ldap_conf.ssl_mode = SUDO_LDAP_SSL;
}
- ldap_conf.ssl_mode = SUDO_LDAP_SSL;
- }
- free(ldap_conf.host);
- ldap_conf.host = estrdup(hostbuf);
+ free(ldap_conf.host);
+ ldap_conf.host = estrdup(hostbuf);
+ efree(buf);
+ } while ((uri_list = uri_list->next));
+
+ buf = NULL;
rc = 0;
done:
toobig:
errorx(1, "sudo_ldap_parse_uri: out of space building hostbuf");
}
+#else
+static char *
+sudo_ldap_join_uri(uri_list)
+ struct ldap_config_list_str *uri_list;
+{
+ struct ldap_config_list_str *uri;
+ size_t len = 0;
+ char *buf, *cp;
+
+ /* Usually just a single entry. */
+ if (uri_list->next == NULL)
+ return(estrdup(uri_list->val));
+
+ for (uri = uri_list; uri != NULL; uri = uri->next) {
+ len += strlen(uri->val) + 1;
+ }
+ buf = cp = emalloc(len);
+ buf[0] = '\0';
+ for (uri = uri_list; uri != NULL; uri = uri->next) {
+ cp += strlcpy(cp, uri->val, len - (cp - buf));
+ *cp++ = ' ';
+ }
+ cp[-1] = '\0';
+ return(buf);
+}
#endif /* HAVE_LDAP_INITIALIZE */
static int
ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
+ /*
+ * Mozilla-derived SDKs have a bug starting with version 5.0
+ * where the path can no longer be a file name and must be a dir.
+ */
if (rc != LDAP_SUCCESS) {
- warningx("unable to initialize SSL cert and key db: %s",
- ldapssl_err2string(rc));
- goto done;
+ char *cp;
+ if (ldap_conf.tls_certfile) {
+ cp = strrchr(ldap_conf.tls_certfile, '/');
+ if (cp != NULL && strncmp(cp + 1, "cert", 4) == 0)
+ *cp = '\0';
+ }
+ if (ldap_conf.tls_keyfile) {
+ cp = strrchr(ldap_conf.tls_keyfile, '/');
+ if (cp != NULL && strncmp(cp + 1, "key", 3) == 0)
+ *cp = '\0';
+ }
+ DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+ ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+ ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
+ rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+ ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
+ if (rc != LDAP_SUCCESS) {
+ warningx("unable to initialize SSL cert and key db: %s",
+ ldapssl_err2string(rc));
+ goto done;
+ }
}
DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
* Walk through search results and return TRUE if we have a matching
* netgroup, else FALSE.
*/
-int
+static int
sudo_ldap_check_user_netgroup(ld, entry, user)
LDAP *ld;
LDAPMessage *entry;
* Walk through search results and return TRUE if we have a
* host match, else FALSE.
*/
-int
+static int
sudo_ldap_check_host(ld, entry)
LDAP *ld;
LDAPMessage *entry;
return(ret);
}
-int
+static int
sudo_ldap_check_runas_user(ld, entry)
LDAP *ld;
LDAPMessage *entry;
return(ret);
}
-int
+static int
sudo_ldap_check_runas_group(ld, entry)
LDAP *ld;
LDAPMessage *entry;
* Walk through search results and return TRUE if we have a runas match,
* else FALSE. RunAs info is optional.
*/
-int
+static int
sudo_ldap_check_runas(ld, entry)
LDAP *ld;
LDAPMessage *entry;
* Walk through search results and return TRUE if we have a command match,
* FALSE if disallowed and UNSPEC if not matched.
*/
-int
+static int
sudo_ldap_check_command(ld, entry, setenv_implied)
LDAP *ld;
LDAPMessage *entry;
* Search for boolean "option" in sudoOption.
* Returns TRUE if found and allowed, FALSE if negated, else UNSPEC.
*/
-int
+static int
sudo_ldap_check_bool(ld, entry, option)
LDAP *ld;
LDAPMessage *entry;
* Read sudoOption and modify the defaults as we go. This is used once
* from the cn=defaults entry and also once when a final sudoRole is matched.
*/
-void
+static void
sudo_ldap_parse_options(ld, entry)
LDAP *ld;
LDAPMessage *entry;
/*
* builds together a filter to check against ldap
*/
-char *
+static char *
sudo_ldap_build_pass1(pw)
struct passwd *pw;
{
/*
* Map yes/true/on to TRUE, no/false/off to FALSE, else -1
*/
-int
+static int
_atobool(s)
const char *s;
{
}
}
-int
+static int
sudo_ldap_read_config()
{
FILE *fp;
efree(*(char **)(cur->valp));
*(char **)(cur->valp) = estrdup(value);
break;
+ case CONF_LIST_STR:
+ {
+ struct ldap_config_list_str **p;
+ size_t len = strlen(value);
+
+ if (len > 0) {
+ p = (struct ldap_config_list_str **)cur->valp;
+ while (*p != NULL)
+ p = &(*p)->next;
+ *p = emalloc(sizeof(struct ldap_config_list_str) + len);
+ memcpy((*p)->val, value, len + 1);
+ (*p)->next = NULL;
+ }
+ }
+ break;
}
break;
}
fprintf(stderr, "LDAP Config Summary\n");
fprintf(stderr, "===================\n");
if (ldap_conf.uri) {
- fprintf(stderr, "uri %s\n", ldap_conf.uri);
+ struct ldap_config_list_str *uri = ldap_conf.uri;
+
+ do {
+ fprintf(stderr, "uri %s\n", uri->val);
+ } while ((uri = uri->next) != NULL);
} else {
fprintf(stderr, "host %s\n", ldap_conf.host ?
ldap_conf.host : "(NONE)");
fprintf(stderr, "port %d\n", ldap_conf.port);
}
fprintf(stderr, "ldap_version %d\n", ldap_conf.version);
+ if (ldap_conf.base) {
+ struct ldap_config_list_str *base = ldap_conf.base;
- fprintf(stderr, "sudoers_base %s\n", ldap_conf.base ?
- ldap_conf.base : "(NONE) <---Sudo will ignore ldap)");
+ do {
+ fprintf(stderr, "sudoers_base %s\n", base->val);
+ } while ((base = base->next) != NULL);
+ } else {
+ fprintf(stderr, "sudoers_base %s\n",
+ "(NONE) <---Sudo will ignore ldap)");
+ }
fprintf(stderr, "binddn %s\n", ldap_conf.binddn ?
ldap_conf.binddn : "(anonymous)");
fprintf(stderr, "bindpw %s\n", ldap_conf.bindpw ?
#ifndef HAVE_LDAP_INITIALIZE
/* Convert uri list to host list if no ldap_initialize(). */
if (ldap_conf.uri) {
- if (sudo_ldap_parse_uri(ldap_conf.uri) != 0)
+ struct ldap_config_list_str *uri = ldap_conf.uri;
+ if (sudo_ldap_parse_uri(uri) != 0)
return(FALSE);
- free(ldap_conf.uri);
- ldap_conf.uri = NULL;
+ do {
+ ldap_conf.uri = uri->next;
+ efree(uri);
+ } while ((uri = ldap_conf.uri));
ldap_conf.port = LDAP_PORT;
}
#endif
/*
* Fetch and display the global Options.
*/
-int
+static int
sudo_ldap_display_defaults(nss, pw, lbuf)
struct sudo_nss *nss;
struct passwd *pw;
struct lbuf *lbuf;
{
struct berval **bv, **p;
+ struct ldap_config_list_str *base;
LDAP *ld = (LDAP *) nss->handle;
- LDAPMessage *entry = NULL, *result = NULL;
- char *prefix = NULL;
+ LDAPMessage *entry, *result;
+ char *prefix;
int rc, count = 0;
if (ld == NULL)
- return(-1);
+ goto done;
- rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE,
- "cn=defaults", NULL, 0, NULL, NULL, NULL, -1, &result);
- if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
- bv = ldap_get_values_len(ld, entry, "sudoOption");
- if (bv != NULL) {
- if (lbuf->len == 0)
- prefix = " ";
- else
- prefix = ", ";
- for (p = bv; *p != NULL; p++) {
- lbuf_append(lbuf, prefix, (*p)->bv_val, NULL);
- prefix = ", ";
- count++;
+ for (base = ldap_conf.base; base != NULL; base = base->next) {
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE,
+ "cn=defaults", NULL, 0, NULL, NULL, NULL, 0, &result);
+ if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
+ bv = ldap_get_values_len(ld, entry, "sudoOption");
+ if (bv != NULL) {
+ if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1]))
+ prefix = " ";
+ else
+ prefix = ", ";
+ for (p = bv; *p != NULL; p++) {
+ lbuf_append(lbuf, prefix, (*p)->bv_val, NULL);
+ prefix = ", ";
+ count++;
+ }
+ ldap_value_free_len(bv);
}
- ldap_value_free_len(bv);
}
+ if (result)
+ ldap_msgfree(result);
}
- if (result)
- ldap_msgfree(result);
+done:
return(count);
}
/*
* STUB
*/
-int
+static int
sudo_ldap_display_bound_defaults(nss, pw, lbuf)
struct sudo_nss *nss;
struct passwd *pw;
struct lbuf *lbuf;
{
- return(1);
+ return(0);
}
/*
* Print a record in the short form, ala file sudoers.
*/
-int
+static int
sudo_ldap_display_entry_short(ld, entry, lbuf)
LDAP *ld;
LDAPMessage *entry;
}
ldap_value_free_len(bv);
}
+ lbuf_append(lbuf, "\n", NULL);
- lbuf_print(lbuf); /* forces a newline */
return(count);
}
/*
* Print a record in the long form.
*/
-int
+static int
sudo_ldap_display_entry_long(ld, entry, lbuf)
LDAP *ld;
LDAPMessage *entry;
/* extract the dn, only show the first rdn */
rdn = sudo_ldap_get_first_rdn(ld, entry);
- lbuf_print(lbuf); /* force a newline */
- lbuf_append(lbuf, "LDAP Role: ", rdn ? rdn : "UNKNOWN", NULL);
- lbuf_print(lbuf);
+ lbuf_append(lbuf, "\nLDAP Role: ", rdn ? rdn : "UNKNOWN", "\n", NULL);
if (rdn)
ldap_memfree(rdn);
ldap_value_free_len(bv);
} else
lbuf_append(lbuf, def_runas_default, NULL);
- lbuf_print(lbuf);
+ lbuf_append(lbuf, "\n", NULL);
/* get the RunAsGroup Values from the entry */
bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
lbuf_append(lbuf, (*p)->bv_val, NULL);
}
ldap_value_free_len(bv);
- lbuf_print(lbuf);
+ lbuf_append(lbuf, "\n", NULL);
}
/* get the Option Values from the entry */
lbuf_append(lbuf, (*p)->bv_val, NULL);
}
ldap_value_free_len(bv);
- lbuf_print(lbuf);
+ lbuf_append(lbuf, "\n", NULL);
}
/* get the Command Values from the entry */
bv = ldap_get_values_len(ld, entry, "sudoCommand");
if (bv != NULL) {
- lbuf_append(lbuf, " Commands:", NULL);
- lbuf_print(lbuf);
+ lbuf_append(lbuf, " Commands:\n", NULL);
for (p = bv; *p != NULL; p++) {
- lbuf_append(lbuf, "\t", (*p)->bv_val, NULL);
- lbuf_print(lbuf);
+ lbuf_append(lbuf, "\t", (*p)->bv_val, "\n", NULL);
count++;
}
ldap_value_free_len(bv);
/*
* Like sudo_ldap_lookup(), except we just print entries.
*/
-int
+static int
sudo_ldap_display_privs(nss, pw, lbuf)
struct sudo_nss *nss;
struct passwd *pw;
struct lbuf *lbuf;
{
+ struct ldap_config_list_str *base;
LDAP *ld = (LDAP *) nss->handle;
- LDAPMessage *entry = NULL, *result = NULL;
+ LDAPMessage *entry, *result;
char *filt;
int rc, do_netgr, count = 0;
if (ld == NULL)
- return(-1);
+ goto done;
/*
* Okay - time to search for anything that matches this user
for (do_netgr = 0; do_netgr < 2; do_netgr++) {
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw);
DPRINTF(("ldap search '%s'", filt), 1);
- rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
- NULL, 0, NULL, NULL, NULL, -1, &result);
- efree(filt);
- if (rc != LDAP_SUCCESS)
- continue; /* no entries for this pass */
-
- /* print each matching entry */
- LDAP_FOREACH(entry, ld, result) {
- if ((!do_netgr ||
- sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
- sudo_ldap_check_host(ld, entry)) {
+ for (base = ldap_conf.base; base != NULL; base = base->next) {
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
+ NULL, 0, NULL, NULL, NULL, 0, &result);
+ if (rc != LDAP_SUCCESS)
+ continue; /* no entries for this pass */
- if (long_list)
- count += sudo_ldap_display_entry_long(ld, entry, lbuf);
- else
- count += sudo_ldap_display_entry_short(ld, entry, lbuf);
+ /* print each matching entry */
+ LDAP_FOREACH(entry, ld, result) {
+ if ((!do_netgr ||
+ sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
+ sudo_ldap_check_host(ld, entry)) {
+
+ if (long_list)
+ count += sudo_ldap_display_entry_long(ld, entry, lbuf);
+ else
+ count += sudo_ldap_display_entry_short(ld, entry, lbuf);
+ }
}
+ ldap_msgfree(result);
}
- ldap_msgfree(result);
- result = NULL;
+ efree(filt);
}
+done:
return(count);
}
-int
+static int
sudo_ldap_display_cmnd(nss, pw)
struct sudo_nss *nss;
struct passwd *pw;
{
+ struct ldap_config_list_str *base;
LDAP *ld = (LDAP *) nss->handle;
- LDAPMessage *entry = NULL, *result = NULL; /* used for searches */
+ LDAPMessage *entry, *result; /* used for searches */
char *filt; /* used to parse attributes */
int rc, found, do_netgr; /* temp/final return values */
for (found = FALSE, do_netgr = 0; !found && do_netgr < 2; do_netgr++) {
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw);
DPRINTF(("ldap search '%s'", filt), 1);
- rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
- NULL, 0, NULL, NULL, NULL, -1, &result);
- efree(filt);
- if (rc != LDAP_SUCCESS)
- continue; /* no entries for this pass */
+ for (base = ldap_conf.base; base != NULL; base = base->next) {
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
+ NULL, 0, NULL, NULL, NULL, 0, &result);
+ if (rc != LDAP_SUCCESS)
+ continue; /* no entries for this pass */
- LDAP_FOREACH(entry, ld, result) {
- if ((!do_netgr ||
- sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
- sudo_ldap_check_host(ld, entry) &&
- sudo_ldap_check_command(ld, entry, NULL) &&
- sudo_ldap_check_runas(ld, entry)) {
+ LDAP_FOREACH(entry, ld, result) {
+ if ((!do_netgr ||
+ sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
+ sudo_ldap_check_host(ld, entry) &&
+ sudo_ldap_check_command(ld, entry, NULL) &&
+ sudo_ldap_check_runas(ld, entry)) {
- found = TRUE;
- break;
+ found = TRUE;
+ break;
+ }
}
+ ldap_msgfree(result);
}
- ldap_msgfree(result);
- result = NULL;
+ efree(filt);
}
if (found)
/*
* Set LDAP options based on the config table.
*/
-int
+static int
sudo_ldap_set_options(ld)
LDAP *ld;
{
(long)tv.tv_sec, ldap_err2string(rc));
return(-1);
}
- DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)\n",
+ DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)",
(long)tv.tv_sec), 1);
}
#endif
ldap_err2string(rc));
return(-1);
}
- DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)\n"), 1);
+ DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1);
}
#endif
return(0);
LDAP *ld;
{
int rc;
+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
const char *old_ccname = user_ccname;
-#ifdef HAVE_GSS_KRB5_CCACHE_NAME
+# ifdef HAVE_GSS_KRB5_CCACHE_NAME
unsigned int status;
+# endif
#endif
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
ldap_conf.rootsasl_auth_id : ldap_conf.sasl_auth_id;
if (ldap_conf.krb5_ccname != NULL) {
-#ifdef HAVE_GSS_KRB5_CCACHE_NAME
+# ifdef HAVE_GSS_KRB5_CCACHE_NAME
if (gss_krb5_ccache_name(&status, ldap_conf.krb5_ccname, &old_ccname)
!= GSS_S_COMPLETE) {
old_ccname = NULL;
DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1);
}
-#else
- sudo_setenv("KRB5CCNAME", ldap_conf.krb5_ccname, TRUE);
-#endif
+# else
+ setenv("KRB5CCNAME", ldap_conf.krb5_ccname, TRUE);
+# endif
}
rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
if (ldap_conf.krb5_ccname != NULL) {
-#ifdef HAVE_GSS_KRB5_CCACHE_NAME
+# ifdef HAVE_GSS_KRB5_CCACHE_NAME
if (gss_krb5_ccache_name(&status, old_ccname, NULL) != GSS_S_COMPLETE)
DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1);
-#else
+# else
if (old_ccname != NULL)
- sudo_setenv("KRB5CCNAME", old_ccname, TRUE);
+ setenv("KRB5CCNAME", old_ccname, TRUE);
else
- sudo_unsetenv("KRB5CCNAME");
-#endif
+ unsetenv("KRB5CCNAME");
+# endif
}
if (rc != LDAP_SUCCESS) {
warningx("ldap_sasl_interactive_bind_s(): %s", ldap_err2string(rc));
* Open a connection to the LDAP server.
* Returns 0 on success and non-zero on failure.
*/
-int
+static int
sudo_ldap_open(nss)
struct sudo_nss *nss;
{
/* Prevent reading of user ldaprc and system defaults. */
if (getenv("LDAPNOINIT") == NULL) {
ldapnoinit = TRUE;
- sudo_setenv("LDAPNOINIT", "1", TRUE);
+ setenv("LDAPNOINIT", "1", TRUE);
}
/* Connect to LDAP server */
#ifdef HAVE_LDAP_INITIALIZE
if (ldap_conf.uri != NULL) {
- DPRINTF(("ldap_initialize(ld, %s)", ldap_conf.uri), 2);
- rc = ldap_initialize(&ld, ldap_conf.uri);
+ char *buf = sudo_ldap_join_uri(ldap_conf.uri);
+ DPRINTF(("ldap_initialize(ld, %s)", buf), 2);
+ rc = ldap_initialize(&ld, buf);
+ efree(buf);
} else
#endif
rc = sudo_ldap_init(&ld, ldap_conf.host, ldap_conf.port);
}
if (ldapnoinit)
- sudo_unsetenv("LDAPNOINIT");
+ unsetenv("LDAPNOINIT");
/* Set LDAP options */
if (sudo_ldap_set_options(ld) < 0)
return(-1);
if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
-#ifdef HAVE_LDAP_START_TLS_S
+#if defined(HAVE_LDAP_START_TLS_S)
rc = ldap_start_tls_s(ld, NULL, NULL);
if (rc != LDAP_SUCCESS) {
warningx("ldap_start_tls_s(): %s", ldap_err2string(rc));
return(-1);
}
DPRINTF(("ldap_start_tls_s() ok"), 1);
+#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
+ if (ldap_ssl_client_init(NULL, NULL, 0, &rc) != LDAP_SUCCESS) {
+ warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
+ return(-1);
+ }
+ rc = ldap_start_tls_s_np(ld, NULL);
+ if (rc != LDAP_SUCCESS) {
+ warningx("ldap_start_tls_s_np(): %s", ldap_err2string(rc));
+ return(-1);
+ }
+ DPRINTF(("ldap_start_tls_s_np() ok"), 1);
#else
- warningx("start_tls specified but LDAP libs do not support ldap_start_tls_s()");
-#endif /* HAVE_LDAP_START_TLS_S */
+ warningx("start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()");
+#endif /* !HAVE_LDAP_START_TLS_S && !HAVE_LDAP_START_TLS_S_NP */
}
/* Actually connect */
return(0);
}
-int
+static int
sudo_ldap_setdefs(nss)
struct sudo_nss *nss;
{
+ struct ldap_config_list_str *base;
LDAP *ld = (LDAP *) nss->handle;
- LDAPMessage *entry = NULL, *result = NULL; /* used for searches */
+ LDAPMessage *entry, *result; /* used for searches */
int rc; /* temp return value */
if (ld == NULL)
return(-1);
- rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE,
- "cn=defaults", NULL, 0, NULL, NULL, NULL, -1, &result);
- if (rc == 0 && (entry = ldap_first_entry(ld, result))) {
- DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
- sudo_ldap_parse_options(ld, entry);
- } else
- DPRINTF(("no default options found!"), 1);
-
- if (result)
- ldap_msgfree(result);
+ for (base = ldap_conf.base; base != NULL; base = base->next) {
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE,
+ "cn=defaults", NULL, 0, NULL, NULL, NULL, 0, &result);
+ if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
+ DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
+ sudo_ldap_parse_options(ld, entry);
+ } else
+ DPRINTF(("no default options found in %s", base->val), 1);
+
+ if (result)
+ ldap_msgfree(result);
+ }
return(0);
}
/*
* like sudoers_lookup() - only LDAP style
*/
-int
+static int
sudo_ldap_lookup(nss, ret, pwflag)
struct sudo_nss *nss;
int ret;
int pwflag;
{
+ struct ldap_config_list_str *base;
LDAP *ld = (LDAP *) nss->handle;
- LDAPMessage *entry = NULL, *result = NULL;
+ LDAPMessage *entry, *result;
char *filt;
int do_netgr, rc, matched;
int setenv_implied;
for (matched = 0, do_netgr = 0; !matched && do_netgr < 2; do_netgr++) {
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw);
- rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
- NULL, 0, NULL, NULL, NULL, -1, &result);
- efree(filt);
- if (rc != LDAP_SUCCESS)
- continue;
-
- LDAP_FOREACH(entry, ld, result) {
- /* only verify netgroup matches in pass 2 */
- if (do_netgr && !sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name))
+ for (base = ldap_conf.base; base != NULL; base = base->next) {
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
+ NULL, 0, NULL, NULL, NULL, 0, &result);
+ if (rc != LDAP_SUCCESS)
continue;
- ldap_user_matches = TRUE;
- if (sudo_ldap_check_host(ld, entry)) {
- ldap_host_matches = TRUE;
- if ((pwcheck == any && doauth != FALSE) ||
- (pwcheck == all && doauth == FALSE))
- doauth = sudo_ldap_check_bool(ld, entry, "authenticate");
- /* Only check the command when listing another user. */
- if (user_uid == 0 || list_pw == NULL ||
- user_uid == list_pw->pw_uid ||
- sudo_ldap_check_command(ld, entry, NULL)) {
- matched = 1;
- break; /* end foreach */
+ LDAP_FOREACH(entry, ld, result) {
+ /* only verify netgroup matches in pass 2 */
+ if (do_netgr && !sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name))
+ continue;
+
+ ldap_user_matches = TRUE;
+ if (sudo_ldap_check_host(ld, entry)) {
+ ldap_host_matches = TRUE;
+ if ((pwcheck == any && doauth != FALSE) ||
+ (pwcheck == all && doauth == FALSE))
+ doauth = sudo_ldap_check_bool(ld, entry, "authenticate");
+ /* Only check the command when listing another user. */
+ if (user_uid == 0 || list_pw == NULL ||
+ user_uid == list_pw->pw_uid ||
+ sudo_ldap_check_command(ld, entry, NULL)) {
+ matched = 1;
+ break; /* end foreach */
+ }
}
}
+ ldap_msgfree(result);
}
- ldap_msgfree(result);
- result = NULL;
+ efree(filt);
}
if (matched || user_uid == 0) {
SET(ret, VALIDATE_OK);
for (matched = 0, do_netgr = 0; !matched && do_netgr < 2; do_netgr++) {
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw);
DPRINTF(("ldap search '%s'", filt), 1);
- rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
- NULL, 0, NULL, NULL, NULL, -1, &result);
- if (rc != LDAP_SUCCESS)
- DPRINTF(("nothing found for '%s'", filt), 1);
- efree(filt);
+ for (base = ldap_conf.base; base != NULL; base = base->next) {
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
+ NULL, 0, NULL, NULL, NULL, 0, &result);
+ if (rc != LDAP_SUCCESS) {
+ DPRINTF(("nothing found for '%s'", filt), 1);
+ continue;
+ }
- /* parse each entry returned from this most recent search */
- if (rc == LDAP_SUCCESS) {
+ /* parse each entry returned from this most recent search */
LDAP_FOREACH(entry, ld, result) {
DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
if (
}
}
ldap_msgfree(result);
- result = NULL;
}
+ efree(filt);
}
done:
/*
* shut down LDAP connection
*/
-int
+static int
sudo_ldap_close(nss)
struct sudo_nss *nss;
{
/*
* STUB
*/
-int
+static int
sudo_ldap_parse(nss)
struct sudo_nss *nss;
{