restart slapd. For other LDAP servers, provide this to your LDAP
Administrator. Make sure to index the attribute 'sudoUser'.
-For the SunONE or iPlanet LDAP server, use the schema.iPlanet file.
+For netscape-derived LDAP servers such as SunONE, iPlanet or Fedora
+Directory, use the schema.iPlanet file.
Importing /etc/sudoers to LDAP
==============================
===============================
The equivalent of a sudoer in LDAP is a 'sudoRole'. It contains sudoUser(s),
sudoHost, sudoCommand and optional sudoOption(s) and sudoRunAs(s).
-<put an example here>
+
+The following example allows users in group wheel to run any
+command on any host through sudo:
+
+dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoCommand: ALL
Managing LDAP entries
=====================
http://www.mcs.anl.gov/~gawor/ldap
http://ldapmanager.com
- There are dozens of others, some open source, some free, some not.
+ * Apache Directory Studio - Open Source - an Eclipse-based LDAP
+ development platform. Includes an LDAP browser, and LDIF editor,
+ a schema editor and more.
+ http://directory.apache.org/studio
+
+ There are dozens of others, some Open Source, some free, some not.
Configure your /etc/ldap.conf
The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
and other ldap applications and modules. IBM Secureway unfortunately uses
the same filename but has a different syntax. If you need to rename where
-this file is stored, recompile SUDO with the -DLDAP_CONFIG compile option.
+this file is stored, re-run configure with the --with-ldap-conf-file=filename
+option.
Make sure you sudoers_base matches exactly with the location you specified
when you imported the sudoers. Below is an example /etc/ldap.conf
- # Either specify a uri or host & port
+ # Either specify a URI or host and port.
+ # If neither is specified sudo will default to localhost port 389.
#host ldapserver
#port 389
#
- # URI will override host & port settings
- # but only works with LDAP SDK's that support
- # ldap_initialize() such as OpenLDAP
+ # URI will override host & port settings but only works with LDAP
+ # SDK's that support ldap_initialize() such as OpenLDAP.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#
#bindpw <password>
#rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
#
- # LDAP Protocol Version defaults to 3
+ # LDAP protocol version, defaults to 3
#ldap_version 3
#
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
+ #
# Define if you want to use port 389 and switch to
- # encryption before the bind credentials are sent
+ # encryption before the bind credentials are sent.
+ # Only supported by LDAP servers that support the start_tls
+ # extension such as OpenLDAP.
#ssl start_tls
#
- # Additional TLS options follow that allow tweaking
- # of the SSL/TLS connection
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection. Only supported when using OpenLDAP.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
# If you enable tls_checkpeer, specify either tls_cacertfile
- # or tls_cacertdir.
+ # or tls_cacertdir. Only supported when using OpenLDAP.
#
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
+ # Only supported when using OpenLDAP.
#
#tls_ciphers <cipher-list>
#
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
+ # For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
+ # For SunONE or iPlanet LDAP, the file specified by tls_cert may
+ # contain CA certs and/or the client's cert. If the client's
+ # cert is included, tls_key should be specified as well.
+ # For backward compatibility, sslpath may be used in place of tls_cert.
+ #tls_cert /var/ldap/cert7.db
+ #tls_key /var/ldap/key3.db
Debugging your LDAP configuration
=================================
# rather, matches all hosts including web01
sudoHost: ALL
sudoHost: !web01
-
-
-Configure your /etc/nsswitch.conf
-=================================
-At the time of this writing, sudo does not consult nsswitch.conf for the
-search order. But if it did, it would look like this:
-This might be implemented in the future. For now just skip this step.
-
- sudoers: files ldap
#include "parse.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.20 2007/11/27 17:06:54 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.28 2007/12/19 19:29:32 millert Exp $";
#endif /* lint */
#ifndef LINE_MAX
# define LDAP_OPT_SUCCESS LDAP_SUCCESS
#endif
-#if defined(LDAP_X_OPT_CONNECT_TIMEOUT) && !defined(LDAP_OPT_X_CONNECT_TIMEOUT)
-#define LDAP_OPT_X_CONNECT_TIMEOUT LDAP_OPT_X_CONNECT_TIMEOUT
-#endif
-
#define DPRINTF(args, level) if (ldap_conf.debug >= level) warnx args
+#define CONF_BOOL 0
+#define CONF_INT 1
+#define CONF_STR 2
+
+#define SUDO_LDAP_SSL 1
+#define SUDO_LDAP_STARTTLS 2
+
+struct ldap_config_table {
+ const char *conf_str; /* config file string */
+ short type; /* CONF_BOOL, CONF_INT, CONF_STR */
+ short connected; /* connection-specific value? */
+ int opt_val; /* LDAP_OPT_* (or -1 for sudo internal) */
+ void *valp; /* pointer into ldap_conf */
+};
+
/* ldap configuration structure */
struct ldap_config {
int port;
int version;
int debug;
+ int ldap_debug;
int tls_checkpeer;
int timelimit;
int bind_timelimit;
+ int ssl_mode;
char *host;
char *uri;
char *binddn;
char *tls_keyfile;
} ldap_conf;
+struct ldap_config_table ldap_conf_table[] = {
+ { "sudoers_debug", CONF_INT, FALSE, -1, &ldap_conf.debug },
+ { "host", CONF_STR, FALSE, -1, &ldap_conf.host },
+ { "port", CONF_INT, FALSE, -1, &ldap_conf.port },
+ { "ssl", CONF_STR, FALSE, -1, &ldap_conf.ssl },
+ { "sslpath", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
+ { "uri", CONF_STR, FALSE, -1, &ldap_conf.uri },
+#ifdef LDAP_OPT_DEBUG_LEVEL
+ { "debug", CONF_INT, FALSE, LDAP_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug },
+#endif
+#ifdef LDAP_OPT_PROTOCOL_VERSION
+ { "ldap_version", CONF_INT, TRUE, LDAP_OPT_PROTOCOL_VERSION,
+ &ldap_conf.version },
+#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &ldap_conf.tls_checkpeer },
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTFILE
+ { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
+ &ldap_conf.tls_cacertfile },
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTDIR
+ { "tls_cacertdir", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTDIR,
+ &ldap_conf.tls_cacertdir },
+#endif
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
+ { "tls_randfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_RANDOM_FILE,
+ &ldap_conf.tls_random_file },
+#endif
+#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+ { "tls_ciphers", CONF_STR, FALSE, LDAP_OPT_X_TLS_CIPHER_SUITE,
+ &ldap_conf.tls_cipher_suite },
+#endif
+#ifdef LDAP_OPT_X_TLS_CERTFILE
+ { "tls_cert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CERTFILE,
+ &ldap_conf.tls_certfile },
+#else
+ { "tls_cert", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
+#endif
+#ifdef LDAP_OPT_X_TLS_KEYFILE
+ { "tls_key", CONF_STR, FALSE, LDAP_OPT_X_TLS_KEYFILE,
+ &ldap_conf.tls_keyfile },
+#else
+ { "tls_key", CONF_STR, FALSE, -1, &ldap_conf.tls_keyfile },
+#endif
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+ { "bind_timelimit", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
+ &ldap_conf.bind_timelimit },
+#elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
+ { "bind_timelimit", CONF_INT, TRUE, LDAP_X_OPT_CONNECT_TIMEOUT,
+ &ldap_conf.bind_timelimit },
+#endif
+ { "timelimit", CONF_INT, TRUE, LDAP_OPT_TIMELIMIT, &ldap_conf.timelimit },
+ { "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn },
+ { "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw },
+ { "rootbinddn", CONF_STR, FALSE, -1, &ldap_conf.rootbinddn },
+ { "sudoers_base", CONF_STR, FALSE, -1, &ldap_conf.base },
+ { NULL }
+};
+
static void sudo_ldap_update_defaults __P((LDAP *));
static void sudo_ldap_close __P((LDAP *));
static LDAP *sudo_ldap_open __P((void));
{
FILE *f;
char buf[LINE_MAX], *c, *keyword, *value;
+ struct ldap_config_table *cur;
/* defaults */
ldap_conf.version = 3;
- ldap_conf.port = 389;
+ ldap_conf.port = -1;
ldap_conf.tls_checkpeer = -1;
ldap_conf.timelimit = -1;
ldap_conf.bind_timelimit = -1;
if ((f = fopen(_PATH_LDAP_CONF, "r")) == NULL)
return(FALSE);
+
while (fgets(buf, sizeof(buf), f)) {
/* ignore text after comment character */
if ((c = strchr(buf, '#')) != NULL)
while (--c > value && isspace((unsigned char) *c))
*c = '\0';
- /* The following macros make the code much more readable */
-
-#define MATCH_S(x,y) if (!strcasecmp(keyword,x)) \
- { efree(y); y=estrdup(value); }
-#define MATCH_I(x,y) if (!strcasecmp(keyword,x)) { y=atoi(value); }
-#define MATCH_B(x,y) if (!strcasecmp(keyword,x)) { y=_atobool(value); }
-
- /*
- * Parse values using a continues chain of if else if else if else if
- * else ...
- */
- MATCH_S("host", ldap_conf.host)
- else
- MATCH_I("port", ldap_conf.port)
- else
- MATCH_S("ssl", ldap_conf.ssl)
- else
- MATCH_B("tls_checkpeer", ldap_conf.tls_checkpeer)
- else
- MATCH_S("tls_cacertfile", ldap_conf.tls_cacertfile)
- else
- MATCH_S("tls_cacertdir", ldap_conf.tls_cacertdir)
- else
- MATCH_S("tls_randfile", ldap_conf.tls_random_file)
- else
- MATCH_S("tls_ciphers", ldap_conf.tls_cipher_suite)
- else
- MATCH_S("tls_cert", ldap_conf.tls_certfile)
- else
- MATCH_S("tls_key", ldap_conf.tls_keyfile)
- else
- MATCH_I("ldap_version", ldap_conf.version)
- else
- MATCH_I("bind_timelimit", ldap_conf.bind_timelimit)
- else
- MATCH_I("timelimit", ldap_conf.timelimit)
- else
- MATCH_S("uri", ldap_conf.uri)
- else
- MATCH_S("binddn", ldap_conf.binddn)
- else
- MATCH_S("bindpw", ldap_conf.bindpw)
- else
- MATCH_S("rootbinddn", ldap_conf.rootbinddn)
- else
- MATCH_S("sudoers_base", ldap_conf.base)
- else
- MATCH_I("sudoers_debug", ldap_conf.debug)
- else {
-
- /*
- * The keyword was unrecognized. Since this config file is
- * shared by multiple programs, it is appropriate to silently
- * ignore options this program does not understand
- */
+ /* Look up keyword in config table. */
+ for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
+ if (strcasecmp(keyword, cur->conf_str) == 0) {
+ switch (cur->type) {
+ case CONF_BOOL:
+ *(int *)(cur->valp) = _atobool(value);
+ break;
+ case CONF_INT:
+ *(int *)(cur->valp) = atoi(value);
+ break;
+ case CONF_STR:
+ efree(*(char **)(cur->valp));
+ *(char **)(cur->valp) = estrdup(value);
+ break;
+ }
+ break;
+ }
}
-
}
fclose(f);
if (!ldap_conf.host)
- ldap_conf.host = estrdup("localhost");
+ ldap_conf.host = "localhost";
if (ldap_conf.bind_timelimit > 0)
ldap_conf.bind_timelimit *= 1000; /* convert to ms */
ldap_conf.binddn : "(anonymous)");
fprintf(stderr, "bindpw %s\n", ldap_conf.bindpw ?
ldap_conf.bindpw : "(anonymous)");
- fprintf(stderr, "bind_timelimit %d\n", ldap_conf.bind_timelimit);
- fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit);
-#ifdef HAVE_LDAP_START_TLS_S
+ if (ldap_conf.bind_timelimit > 0)
+ fprintf(stderr, "bind_timelimit %d\n", ldap_conf.bind_timelimit);
+ if (ldap_conf.timelimit > 0)
+ fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit);
fprintf(stderr, "ssl %s\n", ldap_conf.ssl ?
ldap_conf.ssl : "(no)");
-#endif
+ if (ldap_conf.tls_checkpeer != -1)
+ fprintf(stderr, "tls_checkpeer %s\n", ldap_conf.tls_checkpeer ?
+ "(yes)" : "(no)");
+ if (ldap_conf.tls_cacertfile != NULL)
+ fprintf(stderr, "tls_cacertfile %s\n", ldap_conf.tls_cacertfile);
+ if (ldap_conf.tls_cacertdir != NULL)
+ fprintf(stderr, "tls_cacertdir %s\n", ldap_conf.tls_cacertdir);
+ if (ldap_conf.tls_random_file != NULL)
+ fprintf(stderr, "tls_random_file %s\n", ldap_conf.tls_random_file);
+ if (ldap_conf.tls_cipher_suite != NULL)
+ fprintf(stderr, "tls_cipher_suite %s\n", ldap_conf.tls_cipher_suite);
+ if (ldap_conf.tls_certfile != NULL)
+ fprintf(stderr, "tls_certfile %s\n", ldap_conf.tls_certfile);
+ if (ldap_conf.tls_keyfile != NULL)
+ fprintf(stderr, "tls_keyfile %s\n", ldap_conf.tls_keyfile);
fprintf(stderr, "===================\n");
}
if (!ldap_conf.base)
return(FALSE); /* if no base is defined, ignore LDAP */
+ /*
+ * Interpret SSL option
+ */
+ if (ldap_conf.ssl != NULL) {
+ if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+ ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+ else if (_atobool(ldap_conf.ssl))
+ ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+ }
+
+ /* Use port 389 for plaintext LDAP and port 636 for SSL LDAP */
+ if (ldap_conf.port < 0)
+ ldap_conf.port =
+ ldap_conf.ssl_mode == SUDO_LDAP_SSL ? LDAPS_PORT : LDAP_PORT;
+
/* If rootbinddn set, read in /etc/ldap.secret if it exists. */
if (ldap_conf.rootbinddn) {
if ((f = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {
printf("%s", sudo_ldap_cm_list);
}
-/* macros to set option, error on failure plus consistent debugging */
-#define SET_OPTS(opt, val) do { \
- if (ldap_conf.val != NULL) { \
- if (ldap_conf.debug > 1) \
- fprintf(stderr, \
- "ldap_set_option(LDAP_OPT_%s, \"%s\")\n", #opt, ldap_conf.val);\
- rc = ldap_set_option(ld, LDAP_OPT_ ## opt, ldap_conf.val); \
- if (rc != LDAP_OPT_SUCCESS) { \
- fprintf(stderr,"ldap_set_option(LDAP_OPT_%s, \"%s\")=%d: %s\n", \
- #opt, ldap_conf.val, rc, ldap_err2string(rc)); \
- return(NULL); \
- } \
- } \
-} while(0)
-#define SET_OPTI(opt, val) do { \
- if (ldap_conf.val >= 0) { \
- if (ldap_conf.debug > 1) \
- fprintf(stderr, \
- "ldap_set_option(LDAP_OPT_%s, %d)\n", #opt, ldap_conf.val); \
- rc = ldap_set_option(ld, LDAP_OPT_ ## opt, &ldap_conf.val); \
- if (rc != LDAP_OPT_SUCCESS) { \
- fprintf(stderr,"ldap_set_option(LDAP_OPT_%s, %d)=%d: %s\n", \
- #opt, ldap_conf.val, rc, ldap_err2string(rc)); \
- return(NULL); \
- } \
- } \
-} while(0)
-
/*
- * Open a connection to the LDAP server.
+ * Set LDAP options based on the config table.
*/
-static LDAP *
-sudo_ldap_open()
+int
+sudo_ldap_set_options(ld)
+ LDAP *ld;
{
- LDAP *ld = NULL;
+ struct ldap_config_table *cur;
int rc;
- if (!sudo_ldap_read_config())
- return(NULL);
-
- /* attempt to setup ssl options */
-#ifdef LDAP_OPT_X_TLS_CACERTFILE
- SET_OPTS(X_TLS_CACERTFILE, tls_cacertfile);
-#endif /* LDAP_OPT_X_TLS_CACERTFILE */
-
-#ifdef LDAP_OPT_X_TLS_CACERTDIR
- SET_OPTS(X_TLS_CACERTDIR, tls_cacertdir);
-#endif /* LDAP_OPT_X_TLS_CACERTDIR */
-
-#ifdef LDAP_OPT_X_TLS_CERTFILE
- SET_OPTS(X_TLS_CERTFILE, tls_certfile);
-#endif /* LDAP_OPT_X_TLS_CERTFILE */
-
-#ifdef LDAP_OPT_X_TLS_KEYFILE
- SET_OPTS(X_TLS_KEYFILE, tls_keyfile);
-#endif /* LDAP_OPT_X_TLS_KEYFILE */
-
-#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
- SET_OPTS(X_TLS_CIPHER_SUITE, tls_cipher_suite);
-#endif /* LDAP_OPT_X_TLS_CIPHER_SUITE */
+ /* Set ber options */
+#ifdef LBER_OPT_DEBUG_LEVEL
+ if (ldap_conf.ldap_debug)
+ ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug);
+#endif
-#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
- SET_OPTS(X_TLS_RANDOM_FILE, tls_random_file);
-#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
+ /* Set simple LDAP options */
+ for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
+ LDAP *conn;
+ int ival;
+ char *sval;
-#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
- /* check the server certificate? */
- SET_OPTI(X_TLS_REQUIRE_CERT, tls_checkpeer);
-#endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
+ if (cur->opt_val == -1)
+ continue;
- /* set timelimit options */
- SET_OPTI(TIMELIMIT, timelimit);
+ conn = cur->connected ? ld : NULL;
+ switch (cur->type) {
+ case CONF_BOOL:
+ case CONF_INT:
+ ival = *(int *)(cur->valp);
+ if (ival >= 0) {
+ rc = ldap_set_option(conn, cur->opt_val, &ival);
+ if (rc != LDAP_OPT_SUCCESS) {
+ warnx("ldap_set_option: %s -> %d: %s",
+ cur->conf_str, ival, ldap_err2string(rc));
+ return(-1);
+ }
+ DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1);
+ }
+ break;
+ case CONF_STR:
+ sval = *(char **)(cur->valp);
+ if (sval != NULL) {
+ rc = ldap_set_option(conn, cur->opt_val, sval);
+ if (rc != LDAP_OPT_SUCCESS) {
+ warnx("ldap_set_option: %s -> %s: %s",
+ cur->conf_str, sval, ldap_err2string(rc));
+ return(-1);
+ }
+ DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1);
+ }
+ break;
+ }
+ }
#ifdef LDAP_OPT_NETWORK_TIMEOUT
+ /* Convert bind_timelimit to a timeval */
if (ldap_conf.bind_timelimit > 0) {
struct timeval tv;
tv.tv_sec = ldap_conf.bind_timelimit / 1000;
tv.tv_usec = 0;
- if (ldap_conf.debug > 1)
- fprintf(stderr, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)\n",
- tv.tv_sec);
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
if (rc != LDAP_OPT_SUCCESS) {
- fprintf(stderr,"ldap_set_option(NETWORK_TIMEOUT, %ld)=%d: %s\n",
- tv.tv_sec, rc, ldap_err2string(rc));
- return(NULL);
+ warnx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s",
+ (long)tv.tv_sec, ldap_err2string(rc));
+ return(-1);
}
+ DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)\n",
+ (long)tv.tv_sec), 1);
}
#endif
- /* attempt connect */
-#ifdef HAVE_LDAP_INITIALIZE
- if (ldap_conf.uri) {
+#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT)
+ if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
+ int val = LDAP_OPT_X_TLS_HARD;
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
+ if (rc != LDAP_SUCCESS) {
+ warnx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s",
+ ldap_err2string(rc));
+ return(-1);
+ }
+
+ }
+#endif
+ return(0);
+}
+
+/*
+ * Open a connection to the LDAP server.
+ */
+static LDAP *
+sudo_ldap_open()
+{
+ LDAP *ld = NULL;
+ int rc;
+
+ if (!sudo_ldap_read_config())
+ return(NULL);
- DPRINTF(("ldap_initialize(ld,%s)", ldap_conf.uri), 2);
+#ifdef HAVE_LDAPSSL_INIT
+ if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
+ DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+ ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+ ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
+ rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+ ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
+ if (rc != LDAP_SUCCESS) {
+ warnx("unable to initialize SSL cert and key db: %s",
+ ldapssl_err2string(rc));
+ return(NULL);
+ }
+ }
+#endif /* HAVE_LDAPSSL_INIT */
+ /* Connect to LDAP server */
+#ifdef HAVE_LDAP_INITIALIZE
+ if (ldap_conf.uri) {
+ DPRINTF(("ldap_initialize(ld, %s)", ldap_conf.uri), 2);
rc = ldap_initialize(&ld, ldap_conf.uri);
- if (rc) {
- fprintf(stderr, "ldap_initialize()=%d : %s\n",
- rc, ldap_err2string(rc));
+ if (rc != LDAP_SUCCESS) {
+ warnx("unable to initialize LDAP: %s", ldap_err2string(rc));
return(NULL);
}
} else
#endif /* HAVE_LDAP_INITIALIZE */
- if (ldap_conf.host) {
-
- DPRINTF(("ldap_init(%s,%d)", ldap_conf.host, ldap_conf.port), 2);
-
- if ((ld = ldap_init(ldap_conf.host, ldap_conf.port)) == NULL) {
- fprintf(stderr, "ldap_init(): errno=%d : %s\n",
- errno, strerror(errno));
+ {
+#ifdef HAVE_LDAPSSL_INIT
+ DPRINTF(("ldapssl_init(%s, %d, %d)", ldap_conf.host, ldap_conf.port,
+ ldap_conf.ssl_mode == SUDO_LDAP_SSL), 2);
+ ld = ldapssl_init(ldap_conf.host, ldap_conf.port,
+ ldap_conf.ssl_mode == SUDO_LDAP_SSL);
+#else
+ DPRINTF(("ldap_init(%s, %d)", ldap_conf.host, ldap_conf.port), 2);
+ ld = ldap_init(ldap_conf.host, ldap_conf.port);
+#endif /* HAVE_LDAPSSL_INIT */
+ if (ld == NULL) {
+ warn("unable to initialize LDAP");
return(NULL);
}
}
-#ifdef LDAP_OPT_PROTOCOL_VERSION
-
- /* Set the LDAP Protocol version */
- SET_OPTI(PROTOCOL_VERSION, version);
-#endif /* LDAP_OPT_PROTOCOL_VERSION */
+ /* Set LDAP options */
+ if (sudo_ldap_set_options(ld) < 0)
+ return(NULL);
+ if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
#ifdef HAVE_LDAP_START_TLS_S
- /* Turn on TLS */
- if (ldap_conf.ssl && !strcasecmp(ldap_conf.ssl, "start_tls")) {
rc = ldap_start_tls_s(ld, NULL, NULL);
if (rc != LDAP_SUCCESS) {
- fprintf(stderr, "ldap_start_tls_s(): %d: %s\n", rc,
- ldap_err2string(rc));
+ warnx("ldap_start_tls_s(): %s", ldap_err2string(rc));
ldap_unbind(ld);
return(NULL);
}
DPRINTF(("ldap_start_tls_s() ok"), 1);
- }
+#else
+ warnx("start_tls specified but LDAP libs do not support ldap_start_tls_s()");
#endif /* HAVE_LDAP_START_TLS_S */
+ }
/* Actually connect */
if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
- fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n",
- rc, ldap_err2string(rc));
+ warnx("ldap_simple_bind_s: %s", ldap_err2string(rc));
return(NULL);
}
- DPRINTF(("ldap_bind() ok"), 1);
+ DPRINTF(("ldap_simple_bind_s() ok"), 1);
return(ld);
}
rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE,
"cn=defaults", NULL, 0, &result);
- if (!rc && (entry = ldap_first_entry(ld, result))) {
+ if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
sudo_ldap_parse_options(ld, entry);
} else
DPRINTF(("ldap search '%s'", filt), 1);
rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
NULL, 0, &result);
- if (rc)
+ if (rc != LDAP_SUCCESS)
DPRINTF(("nothing found for '%s'", filt), 1);
efree(filt);
projects / debian / sudo / commitdiff