Imported Upstream version 1.6.9p10

diff --git a/CHANGES b/CHANGES
index ad8e0bdc06a5ef48b057402a0d14d27787f38535..8aa51fc76365bef2ca3e03eb2c5d10bb28b424b8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2006,3 +2006,12 @@ Sudo 1.6.9p8 released.
      to be used in all cases.  Also set when the -p flag is used.
 
 Sudo 1.6.9p9 released.
      to be used in all cases.  Also set when the -p flag is used.
 
 Sudo 1.6.9p9 released.

+
+634) Moved LDAP options into a table for simplified parsing/setting.
+
+635) Fixed a problem with how some LDAP options were being applied.
+
+636) Added support for connecting directly to LDAP servers via SSL
+     in addition to the existing start_tls support.
+
+Sudo 1.6.9p10 released.

diff --git a/Makefile.in b/Makefile.in
index 16da662fc03dde0f71776ff439f93d08269f2dbe..8073eb32e2aa4861105e2d107ef273ec458a1c15 100644 (file)
--- a/Makefile.in
+++ b/Makefile.in
@@ -20,7 +20,7 @@
 #
 # @configure_input@
 #
 #
 # @configure_input@
 #

-# $Sudo: Makefile.in,v 1.246.2.20 2007/12/03 10:34:32 millert Exp $
+# $Sudo: Makefile.in,v 1.246.2.21 2007/12/17 19:18:14 millert Exp $

 #
 
 #### Start of system configuration section. ####
 #
 
 #### Start of system configuration section. ####


@@ -131,7 +131,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS)
 
 LIBOBJS = @LIBOBJS@ @ALLOCA@
 
 
 LIBOBJS = @LIBOBJS@ @ALLOCA@
 

-VERSION = 1.6.9p9
+VERSION = 1.6.9p10

 
 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
             LICENSE Makefile.in PORTING README README.LDAP \
 
 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
             LICENSE Makefile.in PORTING README README.LDAP \

diff --git a/README.LDAP b/README.LDAP
index 030c1f9fe822a08678b2d7758405d87f0065ac52..540df8d41b98d8cc71af6727aceb0889a6f686ae 100644 (file)
--- a/README.LDAP
+++ b/README.LDAP
@@ -124,7 +124,8 @@ For OpenLDAP, simply copy schema.OpenLDAP to the schema directory
 restart slapd.  For other LDAP servers, provide this to your LDAP
 Administrator.  Make sure to index the attribute 'sudoUser'.
 
 restart slapd.  For other LDAP servers, provide this to your LDAP
 Administrator.  Make sure to index the attribute 'sudoUser'.
 

-For the SunONE or iPlanet LDAP server, use the schema.iPlanet file.
+For netscape-derived LDAP servers such as SunONE, iPlanet or Fedora
+Directory, use the schema.iPlanet file.

 
 Importing /etc/sudoers to LDAP
 ==============================
 
 Importing /etc/sudoers to LDAP
 ==============================


@@ -160,7 +161,17 @@ Example sudoers Entries in LDAP
 ===============================
 The equivalent of a sudoer in LDAP is a 'sudoRole'.  It contains sudoUser(s),
 sudoHost, sudoCommand and optional sudoOption(s) and sudoRunAs(s).
 ===============================
 The equivalent of a sudoer in LDAP is a 'sudoRole'.  It contains sudoUser(s),
 sudoHost, sudoCommand and optional sudoOption(s) and sudoRunAs(s).

-<put an example here>
+
+The following example allows users in group wheel to run any
+command on any host through sudo:
+
+dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoCommand: ALL

 
 Managing LDAP entries
 =====================
 
 Managing LDAP entries
 =====================


@@ -180,7 +191,12 @@ I recommend using any of the following LDAP browsers to administer your SUDOers.
        http://www.mcs.anl.gov/~gawor/ldap
        http://ldapmanager.com
 
        http://www.mcs.anl.gov/~gawor/ldap
        http://ldapmanager.com
 

-  There are dozens of others, some open source, some free, some not.
+  * Apache Directory Studio - Open Source - an Eclipse-based LDAP
+    development platform.  Includes an LDAP browser, and LDIF editor,
+    a schema editor and more.
+    http://directory.apache.org/studio
+
+  There are dozens of others, some Open Source, some free, some not.

 
 
 Configure your /etc/ldap.conf
 
 
 Configure your /etc/ldap.conf


@@ -188,18 +204,19 @@ Configure your /etc/ldap.conf
 The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
 and other ldap applications and modules.  IBM Secureway unfortunately uses
 the same filename but has a different syntax.  If you need to rename where
 The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
 and other ldap applications and modules.  IBM Secureway unfortunately uses
 the same filename but has a different syntax.  If you need to rename where

-this file is stored, recompile SUDO with the -DLDAP_CONFIG compile option.
+this file is stored, re-run configure with the --with-ldap-conf-file=filename
+option.

 
 Make sure you sudoers_base matches exactly with the location you specified
 when you imported the sudoers.  Below is an example /etc/ldap.conf
 
 
 Make sure you sudoers_base matches exactly with the location you specified
 when you imported the sudoers.  Below is an example /etc/ldap.conf
 

-  # Either specify a uri or host & port
+  # Either specify a URI or host and port.
+  # If neither is specified sudo will default to localhost port 389.

   #host          ldapserver
   #port          389
   #
   #host          ldapserver
   #port          389
   #

-  # URI will override host & port settings
-  # but only works with LDAP SDK's that support
-  # ldap_initialize() such as OpenLDAP
+  # URI will override host & port settings but only works with LDAP
+  # SDK's that support ldap_initialize() such as OpenLDAP.

   uri            ldap://ldapserver
   #uri            ldaps://secureldapserver
   #
   uri            ldap://ldapserver
   #uri            ldaps://secureldapserver
   #


@@ -214,21 +231,27 @@ when you imported the sudoers.  Below is an example /etc/ldap.conf
   #bindpw        <password>
   #rootbinddn    <who to search as, uses /etc/ldap.passwd for bindpw>
   #
   #bindpw        <password>
   #rootbinddn    <who to search as, uses /etc/ldap.passwd for bindpw>
   #

-  # LDAP Protocol Version defaults to 3
+  # LDAP protocol version, defaults to 3

   #ldap_version 3
   #
   #ldap_version 3
   #

+  # Define if you want to use an encrypted LDAP connection.
+  # Typically, you must also set the port to 636 (ldaps).
+  #ssl on
+  #

   # Define if you want to use port 389 and switch to
   # Define if you want to use port 389 and switch to

-  # encryption before the bind credentials are sent
+  # encryption before the bind credentials are sent.
+  # Only supported by LDAP servers that support the start_tls
+  # extension such as OpenLDAP.

   #ssl start_tls
   #
   #ssl start_tls
   #

-  # Additional TLS options follow that allow tweaking
-  # of the SSL/TLS connection
+  # Additional TLS options follow that allow tweaking of the
+  # SSL/TLS connection.  Only supported when using OpenLDAP.

   #
   #tls_checkpeer yes # verify server SSL certificate
   #tls_checkpeer no  # ignore server SSL certificate
   #
   # If you enable tls_checkpeer, specify either tls_cacertfile
   #
   #tls_checkpeer yes # verify server SSL certificate
   #tls_checkpeer no  # ignore server SSL certificate
   #
   # If you enable tls_checkpeer, specify either tls_cacertfile

-  # or tls_cacertdir.
+  # or tls_cacertdir.  Only supported when using OpenLDAP.

   #
   #tls_cacertfile /etc/certs/trusted_signers.pem
   #tls_cacertdir  /etc/certs
   #
   #tls_cacertfile /etc/certs/trusted_signers.pem
   #tls_cacertdir  /etc/certs


@@ -236,11 +259,13 @@ when you imported the sudoers.  Below is an example /etc/ldap.conf
   # For systems that don't have /dev/random
   # use this along with PRNGD or EGD.pl to seed the
   # random number pool to generate cryptographic session keys.
   # For systems that don't have /dev/random
   # use this along with PRNGD or EGD.pl to seed the
   # random number pool to generate cryptographic session keys.

+  # Only supported when using OpenLDAP.

   #
   #tls_randfile /etc/egd-pool
   #
   # You may restrict which ciphers are used.  Consult your SSL
   # documentation for which options go here.
   #
   #tls_randfile /etc/egd-pool
   #
   # You may restrict which ciphers are used.  Consult your SSL
   # documentation for which options go here.

+  # Only supported when using OpenLDAP.

   #
   #tls_ciphers <cipher-list>
   #
   #
   #tls_ciphers <cipher-list>
   #


@@ -251,9 +276,16 @@ when you imported the sudoers.  Below is an example /etc/ldap.conf
   #   * Do not password protect the key file.
   #   * Ensure the keyfile is only readable by root.
   #
   #   * Do not password protect the key file.
   #   * Ensure the keyfile is only readable by root.
   #

+  # For OpenLDAP:

   #tls_cert /etc/certs/client_cert.pem
   #tls_key  /etc/certs/client_key.pem
   #
   #tls_cert /etc/certs/client_cert.pem
   #tls_key  /etc/certs/client_key.pem
   #

+  # For SunONE or iPlanet LDAP, the file specified by tls_cert may
+  # contain CA certs and/or the client's cert.  If the client's
+  # cert is included, tls_key should be specified as well.
+  # For backward compatibility, sslpath may be used in place of tls_cert.
+  #tls_cert /var/ldap/cert7.db
+  #tls_key /var/ldap/key3.db

 
 Debugging your LDAP configuration
 =================================
 
 Debugging your LDAP configuration
 =================================


@@ -321,12 +353,3 @@ seem.  If you desperately want this to be changed, contact Aaron Spangler
   # rather, matches all hosts including web01
   sudoHost: ALL
   sudoHost: !web01
   # rather, matches all hosts including web01
   sudoHost: ALL
   sudoHost: !web01

-
-
-Configure your /etc/nsswitch.conf
-=================================
-At the time of this writing, sudo does not consult nsswitch.conf for the
-search order.  But if it did, it would look like this:
-This might be implemented in the future.  For now just skip this step.
-
-  sudoers: files ldap

diff --git a/config.h.in b/config.h.in
index 2cf853dd0b0a0c2ca1e10599ca3790027cff0442..2d45f3cb6957eedaed2e362c335017f89f3ede8b 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -224,6 +224,9 @@
 /* Define to 1 if you have the `ldap_start_tls_s' function. */
 #undef HAVE_LDAP_START_TLS_S
 
 /* Define to 1 if you have the `ldap_start_tls_s' function. */
 #undef HAVE_LDAP_START_TLS_S
 

+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
+

 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF
 
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF
 

diff --git a/configure b/configure
index dd7fab20b1b02a622ab6a59ed9de00ba2ec6da5c..29b474fc02cf5fc29504445860d7d0d31f3fd6ae 100755 (executable)
--- a/configure
+++ b/configure
@@ -1562,7 +1562,7 @@ Optional Packages:
   --with-goons-insults    include the insults from the "Goon Show"
   --with-ldap[=DIR]       enable LDAP support
   --with-ldap-conf-file   path to LDAP configuration file
   --with-goons-insults    include the insults from the "Goon Show"
   --with-ldap[=DIR]       enable LDAP support
   --with-ldap-conf-file   path to LDAP configuration file

-  --with-ldap-secret-file path to LDAP secret pasdword file
+  --with-ldap-secret-file path to LDAP secret password file

   --with-pc-insults       replace politically incorrect insults with less offensive ones
   --with-secure-path      override the user's path with a built-in one
   --without-interfaces    don't try to read the ip addr of ether interfaces
   --with-pc-insults       replace politically incorrect insults with less offensive ones
   --with-secure-path      override the user's path with a built-in one
   --without-interfaces    don't try to read the ip addr of ether interfaces


@@ -21059,6 +21059,64 @@ sed 's/^/| /' conftest.$ac_ext >&5
            { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
            SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
            { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
            SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"

+           { echo "$as_me:$LINENO: checking for main in -lkrb5support" >&5
+echo $ECHO_N "checking for main in -lkrb5support... $ECHO_C" >&6; }
+if test "${ac_cv_lib_krb5support_main+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5support  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+        test -z "$ac_c_werror_flag" ||
+        test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_krb5support_main=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+       ac_cv_lib_krb5support_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_krb5support_main" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5support_main" >&6; }
+if test $ac_cv_lib_krb5support_main = yes; then
+  SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"
+fi

 
 
 fi
 
 
 fi


@@ -22378,7 +22436,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
 
 
 
 
 
 

-for ac_func in ldap_initialize ldap_start_tls_s
+
+for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init

 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5

diff --git a/configure.in b/configure.in
index b87a8639747f264dece305f71a7a5a1e6e20ab42..a64fb6978cc947788ba81cec4f3e667d7d8ca8f4 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1,6 +1,6 @@
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.
 dnl
 dnl Process this file with GNU autoconf to produce a configure script.

-dnl $Sudo: configure.in,v 1.413.2.30 2007/12/02 00:35:20 millert Exp $
+dnl $Sudo: configure.in,v 1.413.2.34 2007/12/19 19:29:29 millert Exp $

 dnl
 dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl
 dnl
 dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl


@@ -909,7 +909,7 @@ AC_ARG_WITH(ldap, [  --with-ldap[[=DIR]]       enable LDAP support],
 esac])
 AC_ARG_WITH(ldap-conf-file, [  --with-ldap-conf-file   path to LDAP configuration file],
 [AC_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$with_ldap_conf_file", [Path to the ldap.conf file])])
 esac])
 AC_ARG_WITH(ldap-conf-file, [  --with-ldap-conf-file   path to LDAP configuration file],
 [AC_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$with_ldap_conf_file", [Path to the ldap.conf file])])

-AC_ARG_WITH(ldap-secret-file, [  --with-ldap-secret-file path to LDAP secret pasdword file],
+AC_ARG_WITH(ldap-secret-file, [  --with-ldap-secret-file path to LDAP secret password file],

 [AC_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$with_ldap_secret_file", [Path to the ldap.secret file])])
 
 AC_ARG_WITH(pc-insults, [  --with-pc-insults       replace politically incorrect insults with less offensive ones],
 [AC_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$with_ldap_secret_file", [Path to the ldap.secret file])])
 
 AC_ARG_WITH(pc-insults, [  --with-pc-insults       replace politically incorrect insults with less offensive ones],


@@ -2064,7 +2064,7 @@ if test ${with_kerb5-'no'} != "no" -a -z "$KRB5CONFIG"; then
        ], [
            AC_MSG_RESULT(no)
            SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
        ], [
            AC_MSG_RESULT(no)
            SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"

-       
+           AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"])

     ])
     AUTH_OBJS="$AUTH_OBJS kerb5.o"
     _LIBS="$LIBS"
     ])
     AUTH_OBJS="$AUTH_OBJS kerb5.o"
     _LIBS="$LIBS"


@@ -2284,7 +2284,7 @@ if test ${with_ldap-'no'} != "no"; then
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 

-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s)
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init)

 
     SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
     LIBS="$_LIBS"
 
     SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
     LIBS="$_LIBS"

diff --git a/ldap.c b/ldap.c
index 14d046c74be36990fe3ea4c04ee9830fd9e54bad..85762ab7d990c8486deff5c1e2510afac06f202f 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -65,7 +65,7 @@
 #include "parse.h"
 
 #ifndef lint
 #include "parse.h"
 
 #ifndef lint

-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.20 2007/11/27 17:06:54 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.28 2007/12/19 19:29:32 millert Exp $";

 #endif /* lint */
 
 #ifndef LINE_MAX
 #endif /* lint */
 
 #ifndef LINE_MAX


@@ -76,20 +76,33 @@ __unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.20 2007/11/27 17:06
 # define LDAP_OPT_SUCCESS LDAP_SUCCESS
 #endif
 
 # define LDAP_OPT_SUCCESS LDAP_SUCCESS
 #endif
 

-#if defined(LDAP_X_OPT_CONNECT_TIMEOUT) && !defined(LDAP_OPT_X_CONNECT_TIMEOUT)
-#define LDAP_OPT_X_CONNECT_TIMEOUT     LDAP_OPT_X_CONNECT_TIMEOUT
-#endif
-

 #define        DPRINTF(args, level)    if (ldap_conf.debug >= level) warnx args
 
 #define        DPRINTF(args, level)    if (ldap_conf.debug >= level) warnx args
 

+#define CONF_BOOL      0
+#define CONF_INT       1
+#define CONF_STR       2
+
+#define SUDO_LDAP_SSL          1
+#define SUDO_LDAP_STARTTLS     2
+
+struct ldap_config_table {
+    const char *conf_str;      /* config file string */
+    short type;                        /* CONF_BOOL, CONF_INT, CONF_STR */
+    short connected;           /* connection-specific value? */
+    int opt_val;               /* LDAP_OPT_* (or -1 for sudo internal) */
+    void *valp;                        /* pointer into ldap_conf */
+};
+

 /* ldap configuration structure */
 struct ldap_config {
     int port;
     int version;
     int debug;
 /* ldap configuration structure */
 struct ldap_config {
     int port;
     int version;
     int debug;

+    int ldap_debug;

     int tls_checkpeer;
     int timelimit;
     int bind_timelimit;
     int tls_checkpeer;
     int timelimit;
     int bind_timelimit;

+    int ssl_mode;

     char *host;
     char *uri;
     char *binddn;
     char *host;
     char *uri;
     char *binddn;


@@ -105,6 +118,67 @@ struct ldap_config {
     char *tls_keyfile;
 } ldap_conf;
 
     char *tls_keyfile;
 } ldap_conf;
 

+struct ldap_config_table ldap_conf_table[] = {
+    { "sudoers_debug", CONF_INT, FALSE, -1, &ldap_conf.debug },
+    { "host", CONF_STR, FALSE, -1, &ldap_conf.host },
+    { "port", CONF_INT, FALSE, -1, &ldap_conf.port },
+    { "ssl", CONF_STR, FALSE, -1, &ldap_conf.ssl },
+    { "sslpath", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
+    { "uri", CONF_STR, FALSE, -1, &ldap_conf.uri },
+#ifdef LDAP_OPT_DEBUG_LEVEL
+    { "debug", CONF_INT, FALSE, LDAP_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug },
+#endif
+#ifdef LDAP_OPT_PROTOCOL_VERSION
+    { "ldap_version", CONF_INT, TRUE, LDAP_OPT_PROTOCOL_VERSION,
+       &ldap_conf.version },
+#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+    { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
+       &ldap_conf.tls_checkpeer },
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTFILE
+    { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
+       &ldap_conf.tls_cacertfile },
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTDIR
+    { "tls_cacertdir", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTDIR,
+       &ldap_conf.tls_cacertdir },
+#endif
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
+    { "tls_randfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_RANDOM_FILE,
+       &ldap_conf.tls_random_file },
+#endif
+#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+    { "tls_ciphers", CONF_STR, FALSE, LDAP_OPT_X_TLS_CIPHER_SUITE,
+       &ldap_conf.tls_cipher_suite },
+#endif
+#ifdef LDAP_OPT_X_TLS_CERTFILE
+    { "tls_cert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CERTFILE,
+       &ldap_conf.tls_certfile },
+#else
+    { "tls_cert", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
+#endif
+#ifdef LDAP_OPT_X_TLS_KEYFILE
+    { "tls_key", CONF_STR, FALSE, LDAP_OPT_X_TLS_KEYFILE,
+       &ldap_conf.tls_keyfile },
+#else
+    { "tls_key", CONF_STR, FALSE, -1, &ldap_conf.tls_keyfile },
+#endif
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+    { "bind_timelimit", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
+       &ldap_conf.bind_timelimit },
+#elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
+    { "bind_timelimit", CONF_INT, TRUE, LDAP_X_OPT_CONNECT_TIMEOUT,
+       &ldap_conf.bind_timelimit },
+#endif
+    { "timelimit", CONF_INT, TRUE, LDAP_OPT_TIMELIMIT, &ldap_conf.timelimit },
+    { "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn },
+    { "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw },
+    { "rootbinddn", CONF_STR, FALSE, -1, &ldap_conf.rootbinddn },
+    { "sudoers_base", CONF_STR, FALSE, -1, &ldap_conf.base },
+    { NULL }
+};
+

 static void sudo_ldap_update_defaults __P((LDAP *));
 static void sudo_ldap_close __P((LDAP *));
 static LDAP *sudo_ldap_open __P((void));
 static void sudo_ldap_update_defaults __P((LDAP *));
 static void sudo_ldap_close __P((LDAP *));
 static LDAP *sudo_ldap_open __P((void));


@@ -495,16 +569,18 @@ sudo_ldap_read_config()
 {
     FILE *f;
     char buf[LINE_MAX], *c, *keyword, *value;
 {
     FILE *f;
     char buf[LINE_MAX], *c, *keyword, *value;

+    struct ldap_config_table *cur;

 
     /* defaults */
     ldap_conf.version = 3;
 
     /* defaults */
     ldap_conf.version = 3;

-    ldap_conf.port = 389;
+    ldap_conf.port = -1;

     ldap_conf.tls_checkpeer = -1;
     ldap_conf.timelimit = -1;
     ldap_conf.bind_timelimit = -1;
 
     if ((f = fopen(_PATH_LDAP_CONF, "r")) == NULL)
        return(FALSE);
     ldap_conf.tls_checkpeer = -1;
     ldap_conf.timelimit = -1;
     ldap_conf.bind_timelimit = -1;
 
     if ((f = fopen(_PATH_LDAP_CONF, "r")) == NULL)
        return(FALSE);

+

     while (fgets(buf, sizeof(buf), f)) {
        /* ignore text after comment character */
        if ((c = strchr(buf, '#')) != NULL)
     while (fgets(buf, sizeof(buf), f)) {
        /* ignore text after comment character */
        if ((c = strchr(buf, '#')) != NULL)


@@ -535,68 +611,29 @@ sudo_ldap_read_config()
        while (--c > value && isspace((unsigned char) *c))
            *c = '\0';
 
        while (--c > value && isspace((unsigned char) *c))
            *c = '\0';
 

-       /* The following macros make the code much more readable */
-
-#define MATCH_S(x,y) if (!strcasecmp(keyword,x)) \
-    { efree(y); y=estrdup(value); }
-#define MATCH_I(x,y) if (!strcasecmp(keyword,x)) { y=atoi(value); }
-#define MATCH_B(x,y) if (!strcasecmp(keyword,x)) { y=_atobool(value); }
-
-       /*
-        * Parse values using a continues chain of if else if else if else if
-        * else ...
-        */
-       MATCH_S("host", ldap_conf.host)
-           else
-       MATCH_I("port", ldap_conf.port)
-           else
-       MATCH_S("ssl", ldap_conf.ssl)
-           else
-       MATCH_B("tls_checkpeer", ldap_conf.tls_checkpeer)
-           else
-       MATCH_S("tls_cacertfile", ldap_conf.tls_cacertfile)
-           else
-       MATCH_S("tls_cacertdir", ldap_conf.tls_cacertdir)
-           else
-       MATCH_S("tls_randfile", ldap_conf.tls_random_file)
-           else
-       MATCH_S("tls_ciphers", ldap_conf.tls_cipher_suite)
-           else
-       MATCH_S("tls_cert", ldap_conf.tls_certfile)
-           else
-       MATCH_S("tls_key", ldap_conf.tls_keyfile)
-           else
-       MATCH_I("ldap_version", ldap_conf.version)
-           else
-       MATCH_I("bind_timelimit", ldap_conf.bind_timelimit)
-           else
-       MATCH_I("timelimit", ldap_conf.timelimit)
-           else
-       MATCH_S("uri", ldap_conf.uri)
-           else
-       MATCH_S("binddn", ldap_conf.binddn)
-           else
-       MATCH_S("bindpw", ldap_conf.bindpw)
-           else
-       MATCH_S("rootbinddn", ldap_conf.rootbinddn)
-           else
-       MATCH_S("sudoers_base", ldap_conf.base)
-           else
-       MATCH_I("sudoers_debug", ldap_conf.debug)
-           else {
-
-           /*
-            * The keyword was unrecognized.  Since this config file is
-            * shared by multiple programs, it is appropriate to silently
-            * ignore options this program does not understand
-            */
+       /* Look up keyword in config table. */
+       for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
+           if (strcasecmp(keyword, cur->conf_str) == 0) {
+               switch (cur->type) {
+               case CONF_BOOL:
+                   *(int *)(cur->valp) = _atobool(value);
+                   break;
+               case CONF_INT:
+                   *(int *)(cur->valp) = atoi(value);
+                   break;
+               case CONF_STR:
+                   efree(*(char **)(cur->valp));
+                   *(char **)(cur->valp) = estrdup(value);
+                   break;
+               }
+               break;
+           }

        }
        }

-

     }
     fclose(f);
 
     if (!ldap_conf.host)
     }
     fclose(f);
 
     if (!ldap_conf.host)

-       ldap_conf.host = estrdup("localhost");
+       ldap_conf.host = "localhost";

 
     if (ldap_conf.bind_timelimit > 0)
        ldap_conf.bind_timelimit *= 1000;       /* convert to ms */
 
     if (ldap_conf.bind_timelimit > 0)
        ldap_conf.bind_timelimit *= 1000;       /* convert to ms */


@@ -622,17 +659,47 @@ sudo_ldap_read_config()
            ldap_conf.binddn : "(anonymous)");
        fprintf(stderr, "bindpw       %s\n", ldap_conf.bindpw ?
            ldap_conf.bindpw : "(anonymous)");
            ldap_conf.binddn : "(anonymous)");
        fprintf(stderr, "bindpw       %s\n", ldap_conf.bindpw ?
            ldap_conf.bindpw : "(anonymous)");

-       fprintf(stderr, "bind_timelimit  %d\n", ldap_conf.bind_timelimit);
-       fprintf(stderr, "timelimit    %d\n", ldap_conf.timelimit);
-#ifdef HAVE_LDAP_START_TLS_S
+       if (ldap_conf.bind_timelimit > 0)
+           fprintf(stderr, "bind_timelimit  %d\n", ldap_conf.bind_timelimit);
+       if (ldap_conf.timelimit > 0)
+           fprintf(stderr, "timelimit    %d\n", ldap_conf.timelimit);

        fprintf(stderr, "ssl          %s\n", ldap_conf.ssl ?
            ldap_conf.ssl : "(no)");
        fprintf(stderr, "ssl          %s\n", ldap_conf.ssl ?
            ldap_conf.ssl : "(no)");

-#endif
+       if (ldap_conf.tls_checkpeer != -1)
+           fprintf(stderr, "tls_checkpeer    %s\n", ldap_conf.tls_checkpeer ?
+               "(yes)" : "(no)");
+       if (ldap_conf.tls_cacertfile != NULL)
+           fprintf(stderr, "tls_cacertfile   %s\n", ldap_conf.tls_cacertfile);
+       if (ldap_conf.tls_cacertdir != NULL)
+           fprintf(stderr, "tls_cacertdir    %s\n", ldap_conf.tls_cacertdir);
+       if (ldap_conf.tls_random_file != NULL)
+           fprintf(stderr, "tls_random_file  %s\n", ldap_conf.tls_random_file);
+       if (ldap_conf.tls_cipher_suite != NULL)
+           fprintf(stderr, "tls_cipher_suite %s\n", ldap_conf.tls_cipher_suite);
+       if (ldap_conf.tls_certfile != NULL)
+           fprintf(stderr, "tls_certfile     %s\n", ldap_conf.tls_certfile);
+       if (ldap_conf.tls_keyfile != NULL)
+           fprintf(stderr, "tls_keyfile      %s\n", ldap_conf.tls_keyfile);

        fprintf(stderr, "===================\n");
     }
     if (!ldap_conf.base)
        return(FALSE);          /* if no base is defined, ignore LDAP */
 
        fprintf(stderr, "===================\n");
     }
     if (!ldap_conf.base)
        return(FALSE);          /* if no base is defined, ignore LDAP */
 

+    /*
+     * Interpret SSL option
+     */
+    if (ldap_conf.ssl != NULL) {
+           if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+               ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+           else if (_atobool(ldap_conf.ssl))
+               ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+    }
+
+    /* Use port 389 for plaintext LDAP and port 636 for SSL LDAP */
+    if (ldap_conf.port < 0)
+       ldap_conf.port =
+           ldap_conf.ssl_mode == SUDO_LDAP_SSL ? LDAPS_PORT : LDAP_PORT;
+

     /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
     if (ldap_conf.rootbinddn) {
        if ((f = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {
     /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
     if (ldap_conf.rootbinddn) {
        if ((f = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {


@@ -746,148 +813,171 @@ sudo_ldap_list_matches()
        printf("%s", sudo_ldap_cm_list);
 }
 
        printf("%s", sudo_ldap_cm_list);
 }
 

-/* macros to set option, error on failure plus consistent debugging */
-#define SET_OPTS(opt, val) do { \
-    if (ldap_conf.val != NULL) { \
-       if (ldap_conf.debug > 1) \
-           fprintf(stderr, \
-               "ldap_set_option(LDAP_OPT_%s, \"%s\")\n", #opt, ldap_conf.val);\
-       rc = ldap_set_option(ld, LDAP_OPT_ ## opt, ldap_conf.val); \
-       if (rc != LDAP_OPT_SUCCESS) { \
-           fprintf(stderr,"ldap_set_option(LDAP_OPT_%s, \"%s\")=%d: %s\n", \
-               #opt, ldap_conf.val, rc, ldap_err2string(rc)); \
-           return(NULL); \
-       } \
-    } \
-} while(0)
-#define SET_OPTI(opt, val) do { \
-    if (ldap_conf.val >= 0) { \
-       if (ldap_conf.debug > 1) \
-           fprintf(stderr, \
-               "ldap_set_option(LDAP_OPT_%s, %d)\n", #opt, ldap_conf.val); \
-       rc = ldap_set_option(ld, LDAP_OPT_ ## opt, &ldap_conf.val); \
-       if (rc != LDAP_OPT_SUCCESS) { \
-           fprintf(stderr,"ldap_set_option(LDAP_OPT_%s, %d)=%d: %s\n", \
-               #opt, ldap_conf.val, rc, ldap_err2string(rc)); \
-           return(NULL); \
-       } \
-    } \
-} while(0)
-

 /*
 /*

- * Open a connection to the LDAP server.
+ * Set LDAP options based on the config table.

  */
  */

-static LDAP *
-sudo_ldap_open()
+int
+sudo_ldap_set_options(ld)
+    LDAP *ld;

 {
 {

-    LDAP *ld = NULL;
+    struct ldap_config_table *cur;

     int rc;
 
     int rc;
 

-    if (!sudo_ldap_read_config())
-       return(NULL);
-
-    /* attempt to setup ssl options */
-#ifdef LDAP_OPT_X_TLS_CACERTFILE
-    SET_OPTS(X_TLS_CACERTFILE, tls_cacertfile);
-#endif /* LDAP_OPT_X_TLS_CACERTFILE */
-
-#ifdef LDAP_OPT_X_TLS_CACERTDIR
-    SET_OPTS(X_TLS_CACERTDIR, tls_cacertdir);
-#endif /* LDAP_OPT_X_TLS_CACERTDIR */
-
-#ifdef LDAP_OPT_X_TLS_CERTFILE
-    SET_OPTS(X_TLS_CERTFILE, tls_certfile);
-#endif /* LDAP_OPT_X_TLS_CERTFILE */
-
-#ifdef LDAP_OPT_X_TLS_KEYFILE
-    SET_OPTS(X_TLS_KEYFILE, tls_keyfile);
-#endif /* LDAP_OPT_X_TLS_KEYFILE */
-
-#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
-    SET_OPTS(X_TLS_CIPHER_SUITE, tls_cipher_suite);
-#endif /* LDAP_OPT_X_TLS_CIPHER_SUITE */
+    /* Set ber options */
+#ifdef LBER_OPT_DEBUG_LEVEL
+    if (ldap_conf.ldap_debug)
+       ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug);
+#endif

 
 

-#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
-    SET_OPTS(X_TLS_RANDOM_FILE, tls_random_file);
-#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
+    /* Set simple LDAP options */
+    for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
+       LDAP *conn;
+       int ival;
+       char *sval;

 
 

-#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
-    /* check the server certificate? */
-    SET_OPTI(X_TLS_REQUIRE_CERT, tls_checkpeer);
-#endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
+       if (cur->opt_val == -1)
+           continue;

 
 

-    /* set timelimit options */
-    SET_OPTI(TIMELIMIT, timelimit);
+       conn = cur->connected ? ld : NULL;
+       switch (cur->type) {
+       case CONF_BOOL:
+       case CONF_INT:
+           ival = *(int *)(cur->valp);
+           if (ival >= 0) {
+               rc = ldap_set_option(conn, cur->opt_val, &ival);
+               if (rc != LDAP_OPT_SUCCESS) {
+                   warnx("ldap_set_option: %s -> %d: %s",
+                       cur->conf_str, ival, ldap_err2string(rc));
+                   return(-1);
+               }
+               DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1);
+           }
+           break;
+       case CONF_STR:
+           sval = *(char **)(cur->valp);
+           if (sval != NULL) {
+               rc = ldap_set_option(conn, cur->opt_val, sval);
+               if (rc != LDAP_OPT_SUCCESS) {
+                   warnx("ldap_set_option: %s -> %s: %s",
+                       cur->conf_str, sval, ldap_err2string(rc));
+                   return(-1);
+               }
+               DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1);
+           }
+           break;
+       }
+    }

 
 #ifdef LDAP_OPT_NETWORK_TIMEOUT
 
 #ifdef LDAP_OPT_NETWORK_TIMEOUT

+    /* Convert bind_timelimit to a timeval */

     if (ldap_conf.bind_timelimit > 0) {
        struct timeval tv;
        tv.tv_sec = ldap_conf.bind_timelimit / 1000;
        tv.tv_usec = 0;
     if (ldap_conf.bind_timelimit > 0) {
        struct timeval tv;
        tv.tv_sec = ldap_conf.bind_timelimit / 1000;
        tv.tv_usec = 0;

-       if (ldap_conf.debug > 1)
-           fprintf(stderr, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)\n",
-           tv.tv_sec);

        rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
        if (rc != LDAP_OPT_SUCCESS) {
        rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
        if (rc != LDAP_OPT_SUCCESS) {

-           fprintf(stderr,"ldap_set_option(NETWORK_TIMEOUT, %ld)=%d: %s\n",
-           tv.tv_sec, rc, ldap_err2string(rc));
-           return(NULL);
+           warnx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s",
+               (long)tv.tv_sec, ldap_err2string(rc));
+           return(-1);

        }
        }

+       DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)\n",
+           (long)tv.tv_sec), 1);

     }
 #endif
 
     }
 #endif
 

-    /* attempt connect */
-#ifdef HAVE_LDAP_INITIALIZE
-    if (ldap_conf.uri) {
+#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT)
+    if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
+       int val = LDAP_OPT_X_TLS_HARD;
+       rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
+       if (rc != LDAP_SUCCESS) {
+           warnx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s",
+               ldap_err2string(rc));
+           return(-1);
+       }
+
+    }
+#endif
+    return(0);
+}
+
+/*
+ * Open a connection to the LDAP server.
+ */
+static LDAP *
+sudo_ldap_open()
+{
+    LDAP *ld = NULL;
+    int rc;
+
+    if (!sudo_ldap_read_config())
+       return(NULL);

 
 

-       DPRINTF(("ldap_initialize(ld,%s)", ldap_conf.uri), 2);
+#ifdef HAVE_LDAPSSL_INIT
+    if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
+       DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+           ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+           ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
+       rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+           ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
+       if (rc != LDAP_SUCCESS) {
+           warnx("unable to initialize SSL cert and key db: %s",
+               ldapssl_err2string(rc));
+           return(NULL);
+       }
+    }
+#endif /* HAVE_LDAPSSL_INIT */

 
 

+    /* Connect to LDAP server */
+#ifdef HAVE_LDAP_INITIALIZE
+    if (ldap_conf.uri) {
+       DPRINTF(("ldap_initialize(ld, %s)", ldap_conf.uri), 2);

        rc = ldap_initialize(&ld, ldap_conf.uri);
        rc = ldap_initialize(&ld, ldap_conf.uri);

-       if (rc) {
-           fprintf(stderr, "ldap_initialize()=%d : %s\n",
-               rc, ldap_err2string(rc));
+       if (rc != LDAP_SUCCESS) {
+           warnx("unable to initialize LDAP: %s", ldap_err2string(rc));

            return(NULL);
        }
     } else
 #endif /* HAVE_LDAP_INITIALIZE */
            return(NULL);
        }
     } else
 #endif /* HAVE_LDAP_INITIALIZE */

-    if (ldap_conf.host) {
-
-       DPRINTF(("ldap_init(%s,%d)", ldap_conf.host, ldap_conf.port), 2);
-
-       if ((ld = ldap_init(ldap_conf.host, ldap_conf.port)) == NULL) {
-           fprintf(stderr, "ldap_init(): errno=%d : %s\n",
-               errno, strerror(errno));
+    {
+#ifdef HAVE_LDAPSSL_INIT
+       DPRINTF(("ldapssl_init(%s, %d, %d)", ldap_conf.host, ldap_conf.port,
+           ldap_conf.ssl_mode == SUDO_LDAP_SSL), 2);
+       ld = ldapssl_init(ldap_conf.host, ldap_conf.port,
+           ldap_conf.ssl_mode == SUDO_LDAP_SSL);
+#else
+       DPRINTF(("ldap_init(%s, %d)", ldap_conf.host, ldap_conf.port), 2);
+       ld = ldap_init(ldap_conf.host, ldap_conf.port);
+#endif /* HAVE_LDAPSSL_INIT */
+       if (ld == NULL) {
+           warn("unable to initialize LDAP");

            return(NULL);
        }
     }
            return(NULL);
        }
     }

-#ifdef LDAP_OPT_PROTOCOL_VERSION
-
-    /* Set the LDAP Protocol version */
-    SET_OPTI(PROTOCOL_VERSION, version);

 
 

-#endif /* LDAP_OPT_PROTOCOL_VERSION */
+    /* Set LDAP options */
+    if (sudo_ldap_set_options(ld) < 0)
+       return(NULL);

 
 

+    if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {

 #ifdef HAVE_LDAP_START_TLS_S
 #ifdef HAVE_LDAP_START_TLS_S

-    /* Turn on TLS */
-    if (ldap_conf.ssl && !strcasecmp(ldap_conf.ssl, "start_tls")) {

        rc = ldap_start_tls_s(ld, NULL, NULL);
        if (rc != LDAP_SUCCESS) {
        rc = ldap_start_tls_s(ld, NULL, NULL);
        if (rc != LDAP_SUCCESS) {

-           fprintf(stderr, "ldap_start_tls_s(): %d: %s\n", rc,
-               ldap_err2string(rc));
+           warnx("ldap_start_tls_s(): %s", ldap_err2string(rc));

            ldap_unbind(ld);
            return(NULL);
        }
        DPRINTF(("ldap_start_tls_s() ok"), 1);
            ldap_unbind(ld);
            return(NULL);
        }
        DPRINTF(("ldap_start_tls_s() ok"), 1);

-    }
+#else
+       warnx("start_tls specified but LDAP libs do not support ldap_start_tls_s()");

 #endif /* HAVE_LDAP_START_TLS_S */
 #endif /* HAVE_LDAP_START_TLS_S */

+    }

 
     /* Actually connect */
     if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
 
     /* Actually connect */
     if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {

-       fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n",
-           rc, ldap_err2string(rc));
+       warnx("ldap_simple_bind_s: %s", ldap_err2string(rc));

        return(NULL);
     }
        return(NULL);
     }

-    DPRINTF(("ldap_bind() ok"), 1);
+    DPRINTF(("ldap_simple_bind_s() ok"), 1);

 
     return(ld);
 }
 
     return(ld);
 }


@@ -901,7 +991,7 @@ sudo_ldap_update_defaults(ld)
 
     rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE,
        "cn=defaults", NULL, 0, &result);
 
     rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE,
        "cn=defaults", NULL, 0, &result);

-    if (!rc && (entry = ldap_first_entry(ld, result))) {
+    if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {

        DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
        sudo_ldap_parse_options(ld, entry);
     } else
        DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
        sudo_ldap_parse_options(ld, entry);
     } else


@@ -952,7 +1042,7 @@ sudo_ldap_check(pwflag)
        DPRINTF(("ldap search '%s'", filt), 1);
        rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
            NULL, 0, &result);
        DPRINTF(("ldap search '%s'", filt), 1);
        rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
            NULL, 0, &result);

-       if (rc)
+       if (rc != LDAP_SUCCESS)

            DPRINTF(("nothing found for '%s'", filt), 1);
        efree(filt);
 
            DPRINTF(("nothing found for '%s'", filt), 1);
        efree(filt);
 

diff --git a/parse.c b/parse.c
index 68e197987f1fd978c40e0d094dd486418513f118..ce943f64eff1e86c7334bd382b8fff4117fdd457 100644 (file)
--- a/parse.c
+++ b/parse.c
@@ -90,7 +90,7 @@
 #endif /* HAVE_EXTENDED_GLOB */
 
 #ifndef lint
 #endif /* HAVE_EXTENDED_GLOB */
 
 #ifndef lint

-__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.14 2007/10/24 16:43:27 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.15 2007/12/04 15:26:40 millert Exp $";

 #endif /* lint */
 
 /*
 #endif /* lint */
 
 /*


@@ -202,7 +202,7 @@ sudoers_lookup(pwflag)
                    return(VALIDATE_OK |
                        (no_passwd == TRUE ? FLAG_NOPASS : 0) |
                        (no_execve == TRUE ? FLAG_NOEXEC : 0) |
                    return(VALIDATE_OK |
                        (no_passwd == TRUE ? FLAG_NOPASS : 0) |
                        (no_execve == TRUE ? FLAG_NOEXEC : 0) |

-                       (setenv_ok == TRUE ? FLAG_SETENV : 0));
+                       (setenv_ok >= TRUE ? FLAG_SETENV : 0));

                } else if ((runas_matches == TRUE && cmnd_matches == FALSE) ||
                    (runas_matches == FALSE && cmnd_matches == TRUE)) {
                    /*
                } else if ((runas_matches == TRUE && cmnd_matches == FALSE) ||
                    (runas_matches == FALSE && cmnd_matches == TRUE)) {
                    /*


@@ -212,7 +212,7 @@ sudoers_lookup(pwflag)
                    return(VALIDATE_NOT_OK |
                        (no_passwd == TRUE ? FLAG_NOPASS : 0) |
                        (no_execve == TRUE ? FLAG_NOEXEC : 0) |
                    return(VALIDATE_NOT_OK |
                        (no_passwd == TRUE ? FLAG_NOPASS : 0) |
                        (no_execve == TRUE ? FLAG_NOEXEC : 0) |

-                       (setenv_ok == TRUE ? FLAG_SETENV : 0));
+                       (setenv_ok >= TRUE ? FLAG_SETENV : 0));

                }
            }
            top--;
                }
            }
            top--;

diff --git a/sudo.c b/sudo.c
index d98d8c85ff5bc566540ec3e236592ea40ab7eddd..021e0e560b7c6441ce3a193e3b9b2c3c1b1a8706 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -102,7 +102,7 @@
 #include "version.h"
 
 #ifndef lint
 #include "version.h"
 
 #ifndef lint

-__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.33 2007/12/02 17:13:52 millert Exp $";
+__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.34 2007/12/13 14:12:49 millert Exp $";

 #endif /* lint */
 
 /*
 #endif /* lint */
 
 /*


@@ -730,8 +730,10 @@ parse_args(argc, argv)
 
     while (NewArgc > 0) {
        if (NewArgv[0][0] == '-') {
 
     while (NewArgc > 0) {
        if (NewArgv[0][0] == '-') {

-           if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0')
+           if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0') {

                warnx("please use single character options");
                warnx("please use single character options");

+               usage(1);
+           }

 
            switch (NewArgv[0][1]) {
                case 'p':
 
            switch (NewArgv[0][1]) {
                case 'p':

diff --git a/sudo.cat b/sudo.cat
index b49f5d3b05b6d81c265afb14135ef620e95a4e79..e753c223677a8557b95973074b50649b659bb462 100644 (file)
--- a/sudo.cat
+++ b/sudo.cat
@@ -61,7 +61,7 @@ D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       1
+1.6.9p10                December 17, 2007                       1

 
 
 
 
 
 


@@ -127,7 +127,7 @@ O\bOP\bPT\bTI\bIO\bON\bNS\bS
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       2
+1.6.9p10                December 17, 2007                       2

 
 
 
 
 
 


@@ -193,7 +193,7 @@ SUDO(1m)               MAINTENANCE COMMANDS              SUDO(1m)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       3
+1.6.9p10                December 17, 2007                       3

 
 
 
 
 
 


@@ -259,7 +259,7 @@ SUDO(1m)               MAINTENANCE COMMANDS              SUDO(1m)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       4
+1.6.9p10                December 17, 2007                       4

 
 
 
 
 
 


@@ -325,7 +325,7 @@ S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       5
+1.6.9p10                December 17, 2007                       5

 
 
 
 
 
 


@@ -391,7 +391,7 @@ SUDO(1m)               MAINTENANCE COMMANDS              SUDO(1m)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       6
+1.6.9p10                December 17, 2007                       6

 
 
 
 
 
 


@@ -457,7 +457,7 @@ E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       7
+1.6.9p10                December 17, 2007                       7

 
 
 
 
 
 


@@ -523,7 +523,7 @@ C\bCA\bAV\bVE\bEA\bAT\bTS\bS
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       8
+1.6.9p10                December 17, 2007                       8

 
 
 
 
 
 


@@ -589,6 +589,6 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       9
+1.6.9p10                December 17, 2007                       9

 
 
 
 

diff --git a/sudo.man.in b/sudo.man.in
index 5738bbbdc6f3fdc7f9d6f8c9be4b47a21147f7f2..d98c9586209e94d7a5bc3ec170f12cc9c0a1c694 100644 (file)
--- a/sudo.man.in
+++ b/sudo.man.in
@@ -18,7 +18,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 

-.\" $Sudo: sudo.man.in,v 1.29.2.16 2007/12/03 10:27:12 millert Exp $
+.\" $Sudo: sudo.man.in,v 1.29.2.17 2007/12/17 22:11:10 millert Exp $

 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:


@@ -150,7 +150,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDO @mansectsu@"
 .\" ========================================================================
 .\"
 .IX Title "SUDO @mansectsu@"

-.TH SUDO @mansectsu@ "December  3, 2007" "1.6.9p8" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "December 17, 2007" "1.6.9p10" "MAINTENANCE COMMANDS"

 .SH "NAME"
 sudo, sudoedit \- execute a command as another user
 .SH "SYNOPSIS"
 .SH "NAME"
 sudo, sudoedit \- execute a command as another user
 .SH "SYNOPSIS"

diff --git a/sudoers.cat b/sudoers.cat
index 867f1f8a684b2065db3a0d920554dbe385f1ead2..b35a99fa73c2b461ccb61db2a1ae944f7a849bb1 100644 (file)
--- a/sudoers.cat
+++ b/sudoers.cat
@@ -61,7 +61,7 @@ D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       1
+1.6.9p10                December 17, 2007                       1

 
 
 
 
 
 


@@ -127,7 +127,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       2
+1.6.9p10                December 17, 2007                       2

 
 
 
 
 
 


@@ -193,7 +193,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       3
+1.6.9p10                December 17, 2007                       3

 
 
 
 
 
 


@@ -259,7 +259,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       4
+1.6.9p10                December 17, 2007                       4

 
 
 
 
 
 


@@ -325,7 +325,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       5
+1.6.9p10                December 17, 2007                       5

 
 
 
 
 
 


@@ -391,7 +391,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       6
+1.6.9p10                December 17, 2007                       6

 
 
 
 
 
 


@@ -457,7 +457,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       7
+1.6.9p10                December 17, 2007                       7

 
 
 
 
 
 


@@ -523,7 +523,7 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       8
+1.6.9p10                December 17, 2007                       8

 
 
 
 
 
 


@@ -589,7 +589,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                       9
+1.6.9p10                December 17, 2007                       9

 
 
 
 
 
 


@@ -655,7 +655,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      10
+1.6.9p10                December 17, 2007                      10

 
 
 
 
 
 


@@ -721,7 +721,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      11
+1.6.9p10                December 17, 2007                      11

 
 
 
 
 
 


@@ -787,7 +787,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      12
+1.6.9p10                December 17, 2007                      12

 
 
 
 
 
 


@@ -853,7 +853,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      13
+1.6.9p10                December 17, 2007                      13

 
 
 
 
 
 


@@ -919,7 +919,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      14
+1.6.9p10                December 17, 2007                      14

 
 
 
 
 
 


@@ -985,7 +985,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      15
+1.6.9p10                December 17, 2007                      15

 
 
 
 
 
 


@@ -1051,7 +1051,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      16
+1.6.9p10                December 17, 2007                      16

 
 
 
 
 
 


@@ -1117,7 +1117,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      17
+1.6.9p10                December 17, 2007                      17

 
 
 
 
 
 


@@ -1183,7 +1183,7 @@ E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      18
+1.6.9p10                December 17, 2007                      18

 
 
 
 
 
 


@@ -1249,7 +1249,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      19
+1.6.9p10                December 17, 2007                      19

 
 
 
 
 
 


@@ -1315,7 +1315,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      20
+1.6.9p10                December 17, 2007                      20

 
 
 
 
 
 


@@ -1381,7 +1381,7 @@ SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      21
+1.6.9p10                December 17, 2007                      21

 
 
 
 
 
 


@@ -1447,7 +1447,7 @@ P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      22
+1.6.9p10                December 17, 2007                      22

 
 
 
 
 
 


@@ -1513,7 +1513,7 @@ C\bCA\bAV\bVE\bEA\bAT\bTS\bS
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      23
+1.6.9p10                December 17, 2007                      23

 
 
 
 
 
 


@@ -1579,6 +1579,6 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
 
 
 
 
 
 

-1.6.9p8                 December  3, 2007                      24
+1.6.9p10                December 17, 2007                      24

 
 
 
 

diff --git a/sudoers.man.in b/sudoers.man.in
index 7f41f30875d3d677c1d6ce976c2d9d9cf63a881f..016d806798f1d08319664e7706c8f82ca8dc442c 100644 (file)
--- a/sudoers.man.in
+++ b/sudoers.man.in
@@ -18,7 +18,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 

-.\" $Sudo: sudoers.man.in,v 1.45.2.18 2007/12/03 10:27:12 millert Exp $
+.\" $Sudo: sudoers.man.in,v 1.45.2.19 2007/12/17 22:11:10 millert Exp $

 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:


@@ -150,7 +150,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS @mansectform@"
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS @mansectform@"

-.TH SUDOERS @mansectform@ "December  3, 2007" "1.6.9p8" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "December 17, 2007" "1.6.9p10" "MAINTENANCE COMMANDS"

 .SH "NAME"
 sudoers \- list of which users may execute what
 .SH "DESCRIPTION"
 .SH "NAME"
 sudoers \- list of which users may execute what
 .SH "DESCRIPTION"

diff --git a/version.h b/version.h
index c02a6d99b49d306afd39a9e6a4de10d920918c29..1c3a4f76d06e02db7b5847fcfe2af965a54be9ef 100644 (file)
--- a/version.h
+++ b/version.h
@@ -17,12 +17,12 @@
  * Agency (DARPA) and Air Force Research Laboratory, Air Force
  * Materiel Command, USAF, under agreement number F39502-99-1-0512.
  *
  * Agency (DARPA) and Air Force Research Laboratory, Air Force
  * Materiel Command, USAF, under agreement number F39502-99-1-0512.
  *

- * $Sudo: version.h,v 1.66.2.12 2007/12/03 10:34:32 millert Exp $
+ * $Sudo: version.h,v 1.66.2.13 2007/12/17 19:18:14 millert Exp $

  */
 
 #ifndef _SUDO_VERSION_H
 #define _SUDO_VERSION_H
 
  */
 
 #ifndef _SUDO_VERSION_H
 #define _SUDO_VERSION_H
 

-static const char version[] = "1.6.9p9";
+static const char version[] = "1.6.9p10";

 
 #endif /* _SUDO_VERSION_H */
 
 #endif /* _SUDO_VERSION_H */

diff --git a/visudo.cat b/visudo.cat
index 1a0be5cd9a3e329a64b9e5438f7a76a6bc7ac326..909e37ae8121a059aac11ec86395600458021494 100644 (file)
--- a/visudo.cat
+++ b/visudo.cat
@@ -61,7 +61,7 @@ O\bOP\bPT\bTI\bIO\bON\bNS\bS
 
 
 
 
 
 

-1.6.9p8                 November  2, 2007                       1
+1.6.9p10                December 17, 2007                       1

 
 
 
 
 
 


@@ -127,7 +127,7 @@ D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
 
 
 
 
 
 

-1.6.9p8                 November  2, 2007                       2
+1.6.9p10                December 17, 2007                       2

 
 
 
 
 
 


@@ -193,6 +193,6 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
 
 
 
 
 
 

-1.6.9p8                 November  2, 2007                       3
+1.6.9p10                December 17, 2007                       3

 
 
 
 

diff --git a/visudo.man.in b/visudo.man.in
index fe412a2ca987397c0aaa4943424b85848cba0ba9..a6bb1ff7b7b8315e8ecc67b6da6fefd0e0dd58db 100644 (file)
--- a/visudo.man.in
+++ b/visudo.man.in
@@ -17,7 +17,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 

-.\" $Sudo: visudo.man.in,v 1.20.2.13 2007/11/02 19:15:16 millert Exp $
+.\" $Sudo: visudo.man.in,v 1.20.2.14 2007/12/17 22:11:10 millert Exp $

 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:


@@ -149,7 +149,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VISUDO @mansectsu@"
 .\" ========================================================================
 .\"
 .IX Title "VISUDO @mansectsu@"

-.TH VISUDO @mansectsu@ "November  2, 2007" "1.6.9p8" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "December 17, 2007" "1.6.9p10" "MAINTENANCE COMMANDS"

 .SH "NAME"
 visudo \- edit the sudoers file
 .SH "SYNOPSIS"
 .SH "NAME"
 visudo \- edit the sudoers file
 .SH "SYNOPSIS"