version 1.1.1.2, 2012/05/29 12:26:49
|
version 1.1.1.3, 2012/10/09 09:29:52
|
Line 85
|
Line 85
|
extern int ldapssl_set_strength(LDAP *ldap, int strength); |
extern int ldapssl_set_strength(LDAP *ldap, int strength); |
#endif |
#endif |
|
|
|
#if !defined(LDAP_OPT_NETWORK_TIMEOUT) && defined(LDAP_OPT_CONNECT_TIMEOUT) |
|
# define LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_CONNECT_TIMEOUT |
|
#endif |
|
|
#ifndef LDAP_OPT_SUCCESS |
#ifndef LDAP_OPT_SUCCESS |
# define LDAP_OPT_SUCCESS LDAP_SUCCESS |
# define LDAP_OPT_SUCCESS LDAP_SUCCESS |
#endif |
#endif |
Line 128 extern int ldapssl_set_strength(LDAP *ldap, int streng
|
Line 132 extern int ldapssl_set_strength(LDAP *ldap, int streng
|
#define SUDO_LDAP_SSL 1 |
#define SUDO_LDAP_SSL 1 |
#define SUDO_LDAP_STARTTLS 2 |
#define SUDO_LDAP_STARTTLS 2 |
|
|
/* The TIMEFILTER_LENGTH includes the filter itself plus the global AND | /* The TIMEFILTER_LENGTH is the length of the filter when timed entries |
wrapped around the user filter and the time filter when timed entries | |
are used. The length is computed as follows: |
are used. The length is computed as follows: |
85 for the filter | 81 for the filter itself |
+ 2 * 13 for the now timestamp | + 2 * 17 for the now timestamp |
+ 3 for the global AND | |
*/ |
*/ |
#define TIMEFILTER_LENGTH 114 | #define TIMEFILTER_LENGTH 115 |
|
|
/* |
/* |
* The ldap_search structure implements a linked list of ldap and |
* The ldap_search structure implements a linked list of ldap and |
Line 216 static struct ldap_config {
|
Line 218 static struct ldap_config {
|
char *tls_cipher_suite; |
char *tls_cipher_suite; |
char *tls_certfile; |
char *tls_certfile; |
char *tls_keyfile; |
char *tls_keyfile; |
|
char *tls_keypw; |
char *sasl_auth_id; |
char *sasl_auth_id; |
char *rootsasl_auth_id; |
char *rootsasl_auth_id; |
char *sasl_secprops; |
char *sasl_secprops; |
Line 255 static struct ldap_config_table ldap_conf_global[] = {
|
Line 258 static struct ldap_config_table ldap_conf_global[] = {
|
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE |
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE |
{ "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE, |
{ "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE, |
&ldap_conf.tls_cipher_suite }, |
&ldap_conf.tls_cipher_suite }, |
|
#elif defined(LDAP_OPT_SSL_CIPHER) |
|
{ "tls_ciphers", CONF_STR, LDAP_OPT_SSL_CIPHER, |
|
&ldap_conf.tls_cipher_suite }, |
#endif |
#endif |
#ifdef LDAP_OPT_X_TLS_CERTFILE |
#ifdef LDAP_OPT_X_TLS_CERTFILE |
{ "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE, |
{ "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE, |
Line 268 static struct ldap_config_table ldap_conf_global[] = {
|
Line 274 static struct ldap_config_table ldap_conf_global[] = {
|
#else |
#else |
{ "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile }, |
{ "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile }, |
#endif |
#endif |
|
#ifdef HAVE_LDAP_SSL_CLIENT_INIT |
|
{ "tls_keypw", CONF_STR, -1, &ldap_conf.tls_keypw }, |
|
#endif |
{ "binddn", CONF_STR, -1, &ldap_conf.binddn }, |
{ "binddn", CONF_STR, -1, &ldap_conf.binddn }, |
{ "bindpw", CONF_STR, -1, &ldap_conf.bindpw }, |
{ "bindpw", CONF_STR, -1, &ldap_conf.bindpw }, |
{ "rootbinddn", CONF_STR, -1, &ldap_conf.rootbinddn }, |
{ "rootbinddn", CONF_STR, -1, &ldap_conf.rootbinddn }, |
Line 572 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
Line 581 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
if ((ld = ldapssl_init(host, port, defsecure)) != NULL) |
if ((ld = ldapssl_init(host, port, defsecure)) != NULL) |
rc = LDAP_SUCCESS; |
rc = LDAP_SUCCESS; |
} else |
} else |
|
#elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT) |
|
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
|
if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) { |
|
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
|
debug_return_int(-1); |
|
} |
|
DPRINTF(("ldap_ssl_init(%s, %d, NULL)", host, port), 2); |
|
if ((ld = ldap_ssl_init((char *)host, port, NULL)) != NULL) |
|
rc = LDAP_SUCCESS; |
|
} else |
#endif |
#endif |
{ |
{ |
#ifdef HAVE_LDAP_CREATE |
#ifdef HAVE_LDAP_CREATE |
Line 582 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
Line 601 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host); |
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host); |
#else |
#else |
DPRINTF(("ldap_init(%s, %d)", host, port), 2); |
DPRINTF(("ldap_init(%s, %d)", host, port), 2); |
if ((ld = ldap_init(host, port)) != NULL) | if ((ld = ldap_init((char *)host, port)) != NULL) |
rc = LDAP_SUCCESS; |
rc = LDAP_SUCCESS; |
#endif |
#endif |
} |
} |
Line 963 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
Line 982 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
{ |
{ |
struct tm *tp; |
struct tm *tp; |
time_t now; |
time_t now; |
char timebuffer[16]; | char timebuffer[sizeof("20120727121554.0Z")]; |
int bytes = 0; |
int bytes = 0; |
debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP) |
|
|
Line 975 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
Line 994 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
} |
} |
|
|
/* Format the timestamp according to the RFC. */ |
/* Format the timestamp according to the RFC. */ |
if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%SZ", tp) == 0) { | if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", tp) == 0) { |
warning(_("unable to format timestamp")); | warningx(_("unable to format timestamp")); |
goto done; |
goto done; |
} |
} |
|
|
Line 1108 static char *
|
Line 1127 static char *
|
sudo_ldap_build_pass1(struct passwd *pw) |
sudo_ldap_build_pass1(struct passwd *pw) |
{ |
{ |
struct group *grp; |
struct group *grp; |
char *buf, timebuffer[TIMEFILTER_LENGTH], gidbuf[MAX_UID_T_LEN]; | char *buf, timebuffer[TIMEFILTER_LENGTH + 1], gidbuf[MAX_UID_T_LEN + 1]; |
struct group_list *grlist; |
struct group_list *grlist; |
size_t sz = 0; |
size_t sz = 0; |
int i; |
int i; |
debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP) |
|
|
/* Start with LDAP search filter length + 3 */ | /* If there is a filter, allocate space for the global AND. */ |
| if (ldap_conf.timed || ldap_conf.search_filter) |
| sz += 3; |
| |
| /* Add LDAP search filter if present. */ |
if (ldap_conf.search_filter) |
if (ldap_conf.search_filter) |
sz += strlen(ldap_conf.search_filter) + 3; | sz += strlen(ldap_conf.search_filter); |
|
|
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ |
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ |
sz += 29 + sudo_ldap_value_len(pw->pw_name); |
sz += 29 + sudo_ldap_value_len(pw->pw_name); |
Line 1126 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1149 sudo_ldap_build_pass1(struct passwd *pw)
|
sz += 12 + sudo_ldap_value_len(grp->gr_name); |
sz += 12 + sudo_ldap_value_len(grp->gr_name); |
} |
} |
sz += 13 + MAX_UID_T_LEN; |
sz += 13 + MAX_UID_T_LEN; |
if ((grlist = get_group_list(pw)) != NULL) { | if ((grlist = sudo_get_grlist(pw)) != NULL) { |
for (i = 0; i < grlist->ngroups; i++) { |
for (i = 0; i < grlist->ngroups; i++) { |
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0) |
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0) |
continue; |
continue; |
Line 1193 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1216 sudo_ldap_build_pass1(struct passwd *pw)
|
|
|
/* Done with groups. */ |
/* Done with groups. */ |
if (grlist != NULL) |
if (grlist != NULL) |
grlist_delref(grlist); | sudo_grlist_delref(grlist); |
if (grp != NULL) |
if (grp != NULL) |
gr_delref(grp); | sudo_gr_delref(grp); |
|
|
/* Add ALL to list and end the global OR */ |
/* Add ALL to list and end the global OR */ |
if (strlcat(buf, "(sudoUser=ALL)", sz) >= sz) |
if (strlcat(buf, "(sudoUser=ALL)", sz) >= sz) |
Line 1220 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1243 sudo_ldap_build_pass1(struct passwd *pw)
|
static char * |
static char * |
sudo_ldap_build_pass2(void) |
sudo_ldap_build_pass2(void) |
{ |
{ |
char *filt, timebuffer[TIMEFILTER_LENGTH]; | char *filt, timebuffer[TIMEFILTER_LENGTH + 1]; |
debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP) |
|
|
if (ldap_conf.timed) |
if (ldap_conf.timed) |
Line 1911 static int
|
Line 1934 static int
|
sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table) |
sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table) |
{ |
{ |
struct ldap_config_table *cur; |
struct ldap_config_table *cur; |
int ival, rc; | int ival, rc, errors = 0; |
char *sval; |
char *sval; |
debug_decl(sudo_ldap_set_options_table, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_set_options_table, SUDO_DEBUG_LDAP) |
|
|
Line 1924 sudo_ldap_set_options_table(LDAP *ld, struct ldap_conf
|
Line 1947 sudo_ldap_set_options_table(LDAP *ld, struct ldap_conf
|
case CONF_INT: |
case CONF_INT: |
ival = *(int *)(cur->valp); |
ival = *(int *)(cur->valp); |
if (ival >= 0) { |
if (ival >= 0) { |
|
DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1); |
rc = ldap_set_option(ld, cur->opt_val, &ival); |
rc = ldap_set_option(ld, cur->opt_val, &ival); |
if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
warningx("ldap_set_option: %s -> %d: %s", |
warningx("ldap_set_option: %s -> %d: %s", |
cur->conf_str, ival, ldap_err2string(rc)); |
cur->conf_str, ival, ldap_err2string(rc)); |
debug_return_int(-1); | errors++; |
} |
} |
DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1); |
|
} |
} |
break; |
break; |
case CONF_STR: |
case CONF_STR: |
sval = *(char **)(cur->valp); |
sval = *(char **)(cur->valp); |
if (sval != NULL) { |
if (sval != NULL) { |
|
DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1); |
rc = ldap_set_option(ld, cur->opt_val, sval); |
rc = ldap_set_option(ld, cur->opt_val, sval); |
if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
warningx("ldap_set_option: %s -> %s: %s", |
warningx("ldap_set_option: %s -> %s: %s", |
cur->conf_str, sval, ldap_err2string(rc)); |
cur->conf_str, sval, ldap_err2string(rc)); |
debug_return_int(-1); | errors++; |
} |
} |
DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1); |
|
} |
} |
break; |
break; |
} |
} |
} |
} |
debug_return_int(0); | debug_return_int(errors ? -1 : 0); |
} |
} |
|
|
/* |
/* |
Line 1992 sudo_ldap_set_options_conn(LDAP *ld)
|
Line 2015 sudo_ldap_set_options_conn(LDAP *ld)
|
struct timeval tv; |
struct timeval tv; |
tv.tv_sec = ldap_conf.timeout; |
tv.tv_sec = ldap_conf.timeout; |
tv.tv_usec = 0; |
tv.tv_usec = 0; |
|
DPRINTF(("ldap_set_option(LDAP_OPT_TIMEOUT, %ld)", |
|
(long)tv.tv_sec), 1); |
rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv); |
rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv); |
if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
warningx("ldap_set_option(TIMEOUT, %ld): %s", |
warningx("ldap_set_option(TIMEOUT, %ld): %s", |
(long)tv.tv_sec, ldap_err2string(rc)); |
(long)tv.tv_sec, ldap_err2string(rc)); |
debug_return_int(-1); |
|
} |
} |
DPRINTF(("ldap_set_option(LDAP_OPT_TIMEOUT, %ld)", |
|
(long)tv.tv_sec), 1); |
|
} |
} |
#endif |
#endif |
#ifdef LDAP_OPT_NETWORK_TIMEOUT |
#ifdef LDAP_OPT_NETWORK_TIMEOUT |
Line 2008 sudo_ldap_set_options_conn(LDAP *ld)
|
Line 2030 sudo_ldap_set_options_conn(LDAP *ld)
|
struct timeval tv; |
struct timeval tv; |
tv.tv_sec = ldap_conf.bind_timelimit / 1000; |
tv.tv_sec = ldap_conf.bind_timelimit / 1000; |
tv.tv_usec = 0; |
tv.tv_usec = 0; |
|
DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)", |
|
(long)tv.tv_sec), 1); |
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); |
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); |
|
# if !defined(LDAP_OPT_CONNECT_TIMEOUT) || LDAP_VENDOR_VERSION != 510 |
|
/* Tivoli Directory Server 6.3 libs always return a (bogus) error. */ |
if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
warningx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s", |
warningx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s", |
(long)tv.tv_sec, ldap_err2string(rc)); |
(long)tv.tv_sec, ldap_err2string(rc)); |
debug_return_int(-1); |
|
} |
} |
DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)", | # endif |
(long)tv.tv_sec), 1); | |
} |
} |
#endif |
#endif |
|
|
#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT) |
#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT) |
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
int val = LDAP_OPT_X_TLS_HARD; |
int val = LDAP_OPT_X_TLS_HARD; |
|
DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1); |
rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val); |
rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val); |
if (rc != LDAP_SUCCESS) { |
if (rc != LDAP_SUCCESS) { |
warningx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s", |
warningx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s", |
ldap_err2string(rc)); |
ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1); |
|
} |
} |
#endif |
#endif |
debug_return_int(0); |
debug_return_int(0); |
Line 2236 sudo_ldap_open(struct sudo_nss *nss)
|
Line 2260 sudo_ldap_open(struct sudo_nss *nss)
|
} |
} |
DPRINTF(("ldap_start_tls_s() ok"), 1); |
DPRINTF(("ldap_start_tls_s() ok"), 1); |
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP) |
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP) |
if (ldap_ssl_client_init(NULL, NULL, 0, &rc) != LDAP_SUCCESS) { | if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) { |
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
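Review bot: ldap_ssl_client_init() now receives ldap_conf.tls_keypw, a key-database password that the new `tls_keypw` option keeps in the clear in the static ldap_conf for the life of the process, yet neither the table entry nor the diff notes that it is a secret of the same class as bindpw; add a comment beside the entry such as `/* tls_keypw: key database password held in cleartext -- ldap.conf must not be world-readable (same handling as bindpw) */` and make sure the sudoers.ldap documentation says the same. In sudo_ldap_set_options_table the DPRINTF was moved ahead of ldap_set_option and prints every CONF_STR value at debug level 1; whether entries with opt_val -1 such as tls_keypw and bindpw ever reach that loop depends on the loop header, which is outside the hunk, and if they do the value should be masked in the debug output. The enclosing sudo_ldap_open() starts before and continues after this hunk.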