|
version 1.1.1.2, 2012/05/29 12:26:49
|
version 1.1.1.3, 2012/10/09 09:29:52
|
|
Line 85
|
Line 85
|
| extern int ldapssl_set_strength(LDAP *ldap, int strength); |
extern int ldapssl_set_strength(LDAP *ldap, int strength); |
| #endif |
#endif |
| |
|
| |
#if !defined(LDAP_OPT_NETWORK_TIMEOUT) && defined(LDAP_OPT_CONNECT_TIMEOUT) |
| |
# define LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_CONNECT_TIMEOUT |
| |
#endif |
| |
|
| #ifndef LDAP_OPT_SUCCESS |
#ifndef LDAP_OPT_SUCCESS |
| # define LDAP_OPT_SUCCESS LDAP_SUCCESS |
# define LDAP_OPT_SUCCESS LDAP_SUCCESS |
| #endif |
#endif |
|
Line 128 extern int ldapssl_set_strength(LDAP *ldap, int streng
|
Line 132 extern int ldapssl_set_strength(LDAP *ldap, int streng
|
| #define SUDO_LDAP_SSL 1 |
#define SUDO_LDAP_SSL 1 |
| #define SUDO_LDAP_STARTTLS 2 |
#define SUDO_LDAP_STARTTLS 2 |
| |
|
| /* The TIMEFILTER_LENGTH includes the filter itself plus the global AND | /* The TIMEFILTER_LENGTH is the length of the filter when timed entries |
| wrapped around the user filter and the time filter when timed entries | |
| are used. The length is computed as follows: |
are used. The length is computed as follows: |
| 85 for the filter | 81 for the filter itself |
| + 2 * 13 for the now timestamp | + 2 * 17 for the now timestamp |
| + 3 for the global AND | |
| */ |
*/ |
| #define TIMEFILTER_LENGTH 114 | #define TIMEFILTER_LENGTH 115 |
| |
|
| /* |
/* |
| * The ldap_search structure implements a linked list of ldap and |
* The ldap_search structure implements a linked list of ldap and |
|
Line 216 static struct ldap_config {
|
Line 218 static struct ldap_config {
|
| char *tls_cipher_suite; |
char *tls_cipher_suite; |
| char *tls_certfile; |
char *tls_certfile; |
| char *tls_keyfile; |
char *tls_keyfile; |
| |
char *tls_keypw; |
| char *sasl_auth_id; |
char *sasl_auth_id; |
| char *rootsasl_auth_id; |
char *rootsasl_auth_id; |
| char *sasl_secprops; |
char *sasl_secprops; |
|
Line 255 static struct ldap_config_table ldap_conf_global[] = {
|
Line 258 static struct ldap_config_table ldap_conf_global[] = {
|
| #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE |
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE |
| { "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE, |
{ "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE, |
| &ldap_conf.tls_cipher_suite }, |
&ldap_conf.tls_cipher_suite }, |
| |
#elif defined(LDAP_OPT_SSL_CIPHER) |
| |
{ "tls_ciphers", CONF_STR, LDAP_OPT_SSL_CIPHER, |
| |
&ldap_conf.tls_cipher_suite }, |
| #endif |
#endif |
| #ifdef LDAP_OPT_X_TLS_CERTFILE |
#ifdef LDAP_OPT_X_TLS_CERTFILE |
| { "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE, |
{ "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE, |
|
Line 268 static struct ldap_config_table ldap_conf_global[] = {
|
Line 274 static struct ldap_config_table ldap_conf_global[] = {
|
| #else |
#else |
| { "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile }, |
{ "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile }, |
| #endif |
#endif |
| |
#ifdef HAVE_LDAP_SSL_CLIENT_INIT |
| |
{ "tls_keypw", CONF_STR, -1, &ldap_conf.tls_keypw }, |
| |
#endif |
| { "binddn", CONF_STR, -1, &ldap_conf.binddn }, |
{ "binddn", CONF_STR, -1, &ldap_conf.binddn }, |
| { "bindpw", CONF_STR, -1, &ldap_conf.bindpw }, |
{ "bindpw", CONF_STR, -1, &ldap_conf.bindpw }, |
| { "rootbinddn", CONF_STR, -1, &ldap_conf.rootbinddn }, |
{ "rootbinddn", CONF_STR, -1, &ldap_conf.rootbinddn }, |
|
Line 572 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
Line 581 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
| if ((ld = ldapssl_init(host, port, defsecure)) != NULL) |
if ((ld = ldapssl_init(host, port, defsecure)) != NULL) |
| rc = LDAP_SUCCESS; |
rc = LDAP_SUCCESS; |
| } else |
} else |
| |
#elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT) |
| |
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
| |
if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) { |
| |
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
| |
debug_return_int(-1); |
| |
} |
| |
DPRINTF(("ldap_ssl_init(%s, %d, NULL)", host, port), 2); |
| |
if ((ld = ldap_ssl_init((char *)host, port, NULL)) != NULL) |
| |
rc = LDAP_SUCCESS; |
| |
} else |
| #endif |
#endif |
| { |
{ |
| #ifdef HAVE_LDAP_CREATE |
#ifdef HAVE_LDAP_CREATE |
|
Line 582 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
Line 601 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
| rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host); |
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host); |
| #else |
#else |
| DPRINTF(("ldap_init(%s, %d)", host, port), 2); |
DPRINTF(("ldap_init(%s, %d)", host, port), 2); |
| if ((ld = ldap_init(host, port)) != NULL) | if ((ld = ldap_init((char *)host, port)) != NULL) |
| rc = LDAP_SUCCESS; |
rc = LDAP_SUCCESS; |
| #endif |
#endif |
| } |
} |
|
Line 963 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
Line 982 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
| { |
{ |
| struct tm *tp; |
struct tm *tp; |
| time_t now; |
time_t now; |
| char timebuffer[16]; | char timebuffer[sizeof("20120727121554.0Z")]; |
| int bytes = 0; |
int bytes = 0; |
| debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP) |
| |
|
|
Line 975 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
Line 994 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
| } |
} |
| |
|
| /* Format the timestamp according to the RFC. */ |
/* Format the timestamp according to the RFC. */ |
| if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%SZ", tp) == 0) { | if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", tp) == 0) { |
| warning(_("unable to format timestamp")); | warningx(_("unable to format timestamp")); |
| goto done; |
goto done; |
| } |
} |
| |
|
|
Line 1108 static char *
|
Line 1127 static char *
|
| sudo_ldap_build_pass1(struct passwd *pw) |
sudo_ldap_build_pass1(struct passwd *pw) |
| { |
{ |
| struct group *grp; |
struct group *grp; |
| char *buf, timebuffer[TIMEFILTER_LENGTH], gidbuf[MAX_UID_T_LEN]; | char *buf, timebuffer[TIMEFILTER_LENGTH + 1], gidbuf[MAX_UID_T_LEN + 1]; |
| struct group_list *grlist; |
struct group_list *grlist; |
| size_t sz = 0; |
size_t sz = 0; |
| int i; |
int i; |
| debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP) |
| |
|
| /* Start with LDAP search filter length + 3 */ | /* If there is a filter, allocate space for the global AND. */ |
| | if (ldap_conf.timed || ldap_conf.search_filter) |
| | sz += 3; |
| | |
| | /* Add LDAP search filter if present. */ |
| if (ldap_conf.search_filter) |
if (ldap_conf.search_filter) |
| sz += strlen(ldap_conf.search_filter) + 3; | sz += strlen(ldap_conf.search_filter); |
| |
|
| /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ |
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ |
| sz += 29 + sudo_ldap_value_len(pw->pw_name); |
sz += 29 + sudo_ldap_value_len(pw->pw_name); |
|
Line 1126 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1149 sudo_ldap_build_pass1(struct passwd *pw)
|
| sz += 12 + sudo_ldap_value_len(grp->gr_name); |
sz += 12 + sudo_ldap_value_len(grp->gr_name); |
| } |
} |
| sz += 13 + MAX_UID_T_LEN; |
sz += 13 + MAX_UID_T_LEN; |
| if ((grlist = get_group_list(pw)) != NULL) { | if ((grlist = sudo_get_grlist(pw)) != NULL) { |
| for (i = 0; i < grlist->ngroups; i++) { |
for (i = 0; i < grlist->ngroups; i++) { |
| if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0) |
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0) |
| continue; |
continue; |
|
Line 1193 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1216 sudo_ldap_build_pass1(struct passwd *pw)
|
| |
|
| /* Done with groups. */ |
/* Done with groups. */ |
| if (grlist != NULL) |
if (grlist != NULL) |
| grlist_delref(grlist); | sudo_grlist_delref(grlist); |
| if (grp != NULL) |
if (grp != NULL) |
| gr_delref(grp); | sudo_gr_delref(grp); |
| |
|
| /* Add ALL to list and end the global OR */ |
/* Add ALL to list and end the global OR */ |
| if (strlcat(buf, "(sudoUser=ALL)", sz) >= sz) |
if (strlcat(buf, "(sudoUser=ALL)", sz) >= sz) |
|
Line 1220 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1243 sudo_ldap_build_pass1(struct passwd *pw)
|
| static char * |
static char * |
| sudo_ldap_build_pass2(void) |
sudo_ldap_build_pass2(void) |
| { |
{ |
| char *filt, timebuffer[TIMEFILTER_LENGTH]; | char *filt, timebuffer[TIMEFILTER_LENGTH + 1]; |
| debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP) |
| |
|
| if (ldap_conf.timed) |
if (ldap_conf.timed) |
|
Line 1911 static int
|
Line 1934 static int
|
| sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table) |
sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table) |
| { |
{ |
| struct ldap_config_table *cur; |
struct ldap_config_table *cur; |
| int ival, rc; | int ival, rc, errors = 0; |
| char *sval; |
char *sval; |
| debug_decl(sudo_ldap_set_options_table, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_set_options_table, SUDO_DEBUG_LDAP) |
| |
|
|
Line 1924 sudo_ldap_set_options_table(LDAP *ld, struct ldap_conf
|
Line 1947 sudo_ldap_set_options_table(LDAP *ld, struct ldap_conf
|
| case CONF_INT: |
case CONF_INT: |
| ival = *(int *)(cur->valp); |
ival = *(int *)(cur->valp); |
| if (ival >= 0) { |
if (ival >= 0) { |
| |
DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1); |
| rc = ldap_set_option(ld, cur->opt_val, &ival); |
rc = ldap_set_option(ld, cur->opt_val, &ival); |
| if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
| warningx("ldap_set_option: %s -> %d: %s", |
warningx("ldap_set_option: %s -> %d: %s", |
| cur->conf_str, ival, ldap_err2string(rc)); |
cur->conf_str, ival, ldap_err2string(rc)); |
| debug_return_int(-1); | errors++; |
| } |
} |
| DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1); |
|
| } |
} |
| break; |
break; |
| case CONF_STR: |
case CONF_STR: |
| sval = *(char **)(cur->valp); |
sval = *(char **)(cur->valp); |
| if (sval != NULL) { |
if (sval != NULL) { |
| |
DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1); |
| rc = ldap_set_option(ld, cur->opt_val, sval); |
rc = ldap_set_option(ld, cur->opt_val, sval); |
| if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
| warningx("ldap_set_option: %s -> %s: %s", |
warningx("ldap_set_option: %s -> %s: %s", |
| cur->conf_str, sval, ldap_err2string(rc)); |
cur->conf_str, sval, ldap_err2string(rc)); |
| debug_return_int(-1); | errors++; |
| } |
} |
| DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1); |
|
| } |
} |
| break; |
break; |
| } |
} |
| } |
} |
| debug_return_int(0); | debug_return_int(errors ? -1 : 0); |
| } |
} |
| |
|
| /* |
/* |
|
Line 1992 sudo_ldap_set_options_conn(LDAP *ld)
|
Line 2015 sudo_ldap_set_options_conn(LDAP *ld)
|
| struct timeval tv; |
struct timeval tv; |
| tv.tv_sec = ldap_conf.timeout; |
tv.tv_sec = ldap_conf.timeout; |
| tv.tv_usec = 0; |
tv.tv_usec = 0; |
| |
DPRINTF(("ldap_set_option(LDAP_OPT_TIMEOUT, %ld)", |
| |
(long)tv.tv_sec), 1); |
| rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv); |
rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv); |
| if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
| warningx("ldap_set_option(TIMEOUT, %ld): %s", |
warningx("ldap_set_option(TIMEOUT, %ld): %s", |
| (long)tv.tv_sec, ldap_err2string(rc)); |
(long)tv.tv_sec, ldap_err2string(rc)); |
| debug_return_int(-1); |
|
| } |
} |
| DPRINTF(("ldap_set_option(LDAP_OPT_TIMEOUT, %ld)", |
|
| (long)tv.tv_sec), 1); |
|
| } |
} |
| #endif |
#endif |
| #ifdef LDAP_OPT_NETWORK_TIMEOUT |
#ifdef LDAP_OPT_NETWORK_TIMEOUT |
|
Line 2008 sudo_ldap_set_options_conn(LDAP *ld)
|
Line 2030 sudo_ldap_set_options_conn(LDAP *ld)
|
| struct timeval tv; |
struct timeval tv; |
| tv.tv_sec = ldap_conf.bind_timelimit / 1000; |
tv.tv_sec = ldap_conf.bind_timelimit / 1000; |
| tv.tv_usec = 0; |
tv.tv_usec = 0; |
| |
DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)", |
| |
(long)tv.tv_sec), 1); |
| rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); |
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); |
| |
# if !defined(LDAP_OPT_CONNECT_TIMEOUT) || LDAP_VENDOR_VERSION != 510 |
| |
/* Tivoli Directory Server 6.3 libs always return a (bogus) error. */ |
| if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
| warningx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s", |
warningx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s", |
| (long)tv.tv_sec, ldap_err2string(rc)); |
(long)tv.tv_sec, ldap_err2string(rc)); |
| debug_return_int(-1); |
|
| } |
} |
| DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)", | # endif |
| (long)tv.tv_sec), 1); | |
| } |
} |
| #endif |
#endif |
| |
|
| #if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT) |
#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT) |
| if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
| int val = LDAP_OPT_X_TLS_HARD; |
int val = LDAP_OPT_X_TLS_HARD; |
| |
DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1); |
| rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val); |
rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val); |
| if (rc != LDAP_SUCCESS) { |
if (rc != LDAP_SUCCESS) { |
| warningx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s", |
warningx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s", |
| ldap_err2string(rc)); |
ldap_err2string(rc)); |
| debug_return_int(-1); |
debug_return_int(-1); |
| } |
} |
| DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1); |
|
| } |
} |
| #endif |
#endif |
| debug_return_int(0); |
debug_return_int(0); |
|
Line 2236 sudo_ldap_open(struct sudo_nss *nss)
|
Line 2260 sudo_ldap_open(struct sudo_nss *nss)
|
| } |
} |
| DPRINTF(("ldap_start_tls_s() ok"), 1); |
DPRINTF(("ldap_start_tls_s() ok"), 1); |
| #elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP) |
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP) |
| if (ldap_ssl_client_init(NULL, NULL, 0, &rc) != LDAP_SUCCESS) { | if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) { |
| warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
| debug_return_int(-1); |
debug_return_int(-1); |
| } |
} |
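Review bot: In sudo_ldap_set_options_conn (the Line 2015 and Line 2030 hunks) the `debug_return_int(-1)` after a failed ldap_set_option for LDAP_OPT_TIMEOUT and LDAP_OPT_NETWORK_TIMEOUT is dropped, so a connection whose library rejects either option now proceeds with the library default (possibly no timeout at all) after only a warning, while the LDAP_OPT_X_TLS_HARD failure further down still returns -1. That asymmetry looks deliberate (the Tivoli comment explains the bogus NETWORK_TIMEOUT error) but nothing records it, so I would add above the TIMEOUT block `/* Timeout options are best-effort: warn and continue; only the TLS option below is fatal. */` so a later change does not "fix" one path to match the other. The `# if !defined(LDAP_OPT_CONNECT_TIMEOUT) || LDAP_VENDOR_VERSION != 510` guard also silences the NETWORK_TIMEOUT warning entirely on that vendor, so a genuinely failed call there is invisible even at debug level; an `# else` carrying `DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT): rc %d ignored", rc), 1);` would keep it observable. Separately, the new `tls_keypw` field (Line 218 and Line 274 hunks) is a credential on the same footing as `bindpw` and deserves a field comment such as `/* keyring password; secret, keep out of debug output */` since CONF_STR values are DPRINTF'd in sudo_ldap_set_options_table. sudo_ldap_set_options_conn begins and ends outside the hunk.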