version 1.1.1.2, 2012/05/29 12:26:49
|
version 1.1.1.4, 2013/07/22 10:46:12
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2003-2011 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* This code is derived from software contributed by Aaron Spangler. |
* This code is derived from software contributed by Aaron Spangler. |
* |
* |
Line 20
|
Line 20
|
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/time.h> |
#include <sys/time.h> |
#include <sys/param.h> |
|
#include <sys/stat.h> |
#include <sys/stat.h> |
#include <stdio.h> |
#include <stdio.h> |
#ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
Line 48
|
Line 47
|
#include <grp.h> |
#include <grp.h> |
#include <netinet/in.h> |
#include <netinet/in.h> |
#include <arpa/inet.h> |
#include <arpa/inet.h> |
#include <netdb.h> |
|
#ifdef HAVE_LBER_H |
#ifdef HAVE_LBER_H |
# include <lber.h> |
# include <lber.h> |
#endif |
#endif |
Line 85
|
Line 83
|
extern int ldapssl_set_strength(LDAP *ldap, int strength); |
extern int ldapssl_set_strength(LDAP *ldap, int strength); |
#endif |
#endif |
|
|
|
#if !defined(LDAP_OPT_NETWORK_TIMEOUT) && defined(LDAP_OPT_CONNECT_TIMEOUT) |
|
# define LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_CONNECT_TIMEOUT |
|
#endif |
|
|
#ifndef LDAP_OPT_SUCCESS |
#ifndef LDAP_OPT_SUCCESS |
# define LDAP_OPT_SUCCESS LDAP_SUCCESS |
# define LDAP_OPT_SUCCESS LDAP_SUCCESS |
#endif |
#endif |
Line 116 extern int ldapssl_set_strength(LDAP *ldap, int streng
|
Line 118 extern int ldapssl_set_strength(LDAP *ldap, int streng
|
(var) != NULL; \ |
(var) != NULL; \ |
(var) = ldap_next_entry((ld), (var))) |
(var) = ldap_next_entry((ld), (var))) |
|
|
#define DPRINTF(args, level) if (ldap_conf.debug >= level) warningx args | #if defined(__GNUC__) && __GNUC__ == 2 |
| # define DPRINTF1(fmt...) do { \ |
| if (ldap_conf.debug >= 1) \ |
| warningx(__VA_ARGS__); \ |
| sudo_debug_printf(SUDO_DEBUG_DIAG, fmt); \ |
| } while (0) |
| # define DPRINTF2(fmt...) do { \ |
| if (ldap_conf.debug >= 2) \ |
| warningx(__VA_ARGS__); \ |
| sudo_debug_printf(SUDO_DEBUG_INFO, fmt); \ |
| } while (0) |
| #else |
| # define DPRINTF1(...) do { \ |
| if (ldap_conf.debug >= 1) \ |
| warningx(__VA_ARGS__); \ |
| sudo_debug_printf(SUDO_DEBUG_DIAG, __VA_ARGS__); \ |
| } while (0) |
| # define DPRINTF2(...) do { \ |
| if (ldap_conf.debug >= 2) \ |
| warningx(__VA_ARGS__); \ |
| sudo_debug_printf(SUDO_DEBUG_INFO, __VA_ARGS__); \ |
| } while (0) |
| #endif |
|
|
#define CONF_BOOL 0 |
#define CONF_BOOL 0 |
#define CONF_INT 1 |
#define CONF_INT 1 |
Line 128 extern int ldapssl_set_strength(LDAP *ldap, int streng
|
Line 152 extern int ldapssl_set_strength(LDAP *ldap, int streng
|
#define SUDO_LDAP_SSL 1 |
#define SUDO_LDAP_SSL 1 |
#define SUDO_LDAP_STARTTLS 2 |
#define SUDO_LDAP_STARTTLS 2 |
|
|
/* The TIMEFILTER_LENGTH includes the filter itself plus the global AND | /* The TIMEFILTER_LENGTH is the length of the filter when timed entries |
wrapped around the user filter and the time filter when timed entries | |
are used. The length is computed as follows: |
are used. The length is computed as follows: |
85 for the filter | 81 for the filter itself |
+ 2 * 13 for the now timestamp | + 2 * 17 for the now timestamp |
+ 3 for the global AND | |
*/ |
*/ |
#define TIMEFILTER_LENGTH 114 | #define TIMEFILTER_LENGTH 115 |
|
|
/* |
/* |
* The ldap_search structure implements a linked list of ldap and |
* The ldap_search structure implements a linked list of ldap and |
Line 216 static struct ldap_config {
|
Line 238 static struct ldap_config {
|
char *tls_cipher_suite; |
char *tls_cipher_suite; |
char *tls_certfile; |
char *tls_certfile; |
char *tls_keyfile; |
char *tls_keyfile; |
|
char *tls_keypw; |
char *sasl_auth_id; |
char *sasl_auth_id; |
char *rootsasl_auth_id; |
char *rootsasl_auth_id; |
char *sasl_secprops; |
char *sasl_secprops; |
Line 255 static struct ldap_config_table ldap_conf_global[] = {
|
Line 278 static struct ldap_config_table ldap_conf_global[] = {
|
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE |
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE |
{ "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE, |
{ "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE, |
&ldap_conf.tls_cipher_suite }, |
&ldap_conf.tls_cipher_suite }, |
|
#elif defined(LDAP_OPT_SSL_CIPHER) |
|
{ "tls_ciphers", CONF_STR, LDAP_OPT_SSL_CIPHER, |
|
&ldap_conf.tls_cipher_suite }, |
#endif |
#endif |
#ifdef LDAP_OPT_X_TLS_CERTFILE |
#ifdef LDAP_OPT_X_TLS_CERTFILE |
{ "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE, |
{ "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE, |
Line 268 static struct ldap_config_table ldap_conf_global[] = {
|
Line 294 static struct ldap_config_table ldap_conf_global[] = {
|
#else |
#else |
{ "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile }, |
{ "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile }, |
#endif |
#endif |
|
#ifdef HAVE_LDAP_SSL_CLIENT_INIT |
|
{ "tls_keypw", CONF_STR, -1, &ldap_conf.tls_keypw }, |
|
#endif |
{ "binddn", CONF_STR, -1, &ldap_conf.binddn }, |
{ "binddn", CONF_STR, -1, &ldap_conf.binddn }, |
{ "bindpw", CONF_STR, -1, &ldap_conf.bindpw }, |
{ "bindpw", CONF_STR, -1, &ldap_conf.bindpw }, |
{ "rootbinddn", CONF_STR, -1, &ldap_conf.rootbinddn }, |
{ "rootbinddn", CONF_STR, -1, &ldap_conf.rootbinddn }, |
Line 375 sudo_ldap_conf_add_ports(void)
|
Line 404 sudo_ldap_conf_add_ports(void)
|
|
|
hostbuf[0] = '\0'; |
hostbuf[0] = '\0'; |
if (snprintf(defport, sizeof(defport), ":%d", ldap_conf.port) >= sizeof(defport)) |
if (snprintf(defport, sizeof(defport), ":%d", ldap_conf.port) >= sizeof(defport)) |
errorx(1, _("sudo_ldap_conf_add_ports: port too large")); | fatalx(_("sudo_ldap_conf_add_ports: port too large")); |
|
|
for ((host = strtok(ldap_conf.host, " \t")); host; (host = strtok(NULL, " \t"))) { |
for ((host = strtok(ldap_conf.host, " \t")); host; (host = strtok(NULL, " \t"))) { |
if (hostbuf[0] != '\0') { |
if (hostbuf[0] != '\0') { |
Line 398 sudo_ldap_conf_add_ports(void)
|
Line 427 sudo_ldap_conf_add_ports(void)
|
debug_return; |
debug_return; |
|
|
toobig: |
toobig: |
errorx(1, _("sudo_ldap_conf_add_ports: out of space expanding hostbuf")); | fatalx(_("sudo_ldap_conf_add_ports: out of space expanding hostbuf")); |
} |
} |
#endif |
#endif |
|
|
Line 486 done:
|
Line 515 done:
|
debug_return_int(rc); |
debug_return_int(rc); |
|
|
toobig: |
toobig: |
errorx(1, _("sudo_ldap_parse_uri: out of space building hostbuf")); | fatalx(_("sudo_ldap_parse_uri: out of space building hostbuf")); |
} |
} |
#else |
#else |
static char * |
static char * |
Line 525 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
Line 554 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
#ifdef HAVE_LDAPSSL_INIT |
#ifdef HAVE_LDAPSSL_INIT |
if (ldap_conf.ssl_mode != SUDO_LDAP_CLEAR) { |
if (ldap_conf.ssl_mode != SUDO_LDAP_CLEAR) { |
const int defsecure = ldap_conf.ssl_mode == SUDO_LDAP_SSL; |
const int defsecure = ldap_conf.ssl_mode == SUDO_LDAP_SSL; |
DPRINTF(("ldapssl_clientauth_init(%s, %s)", | DPRINTF2("ldapssl_clientauth_init(%s, %s)", |
ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", |
ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", |
ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); | ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"); |
rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, |
rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, |
ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); |
ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); |
/* |
/* |
Line 552 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
Line 581 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
} |
} |
} |
} |
if (retry) { |
if (retry) { |
DPRINTF(("ldapssl_clientauth_init(%s, %s)", | DPRINTF2("ldapssl_clientauth_init(%s, %s)", |
ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", |
ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", |
ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); | ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"); |
rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, |
rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, |
ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); |
ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); |
} |
} |
Line 564 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
Line 593 sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
ldapssl_err2string(rc)); |
ldapssl_err2string(rc)); |
if (ldap_conf.tls_certfile == NULL) |
if (ldap_conf.tls_certfile == NULL) |
warningx(_("you must set TLS_CERT in %s to use SSL"), |
warningx(_("you must set TLS_CERT in %s to use SSL"), |
_PATH_LDAP_CONF); | path_ldap_conf); |
goto done; |
goto done; |
} |
} |
|
|
DPRINTF(("ldapssl_init(%s, %d, %d)", host, port, defsecure), 2); | DPRINTF2("ldapssl_init(%s, %d, %d)", host, port, defsecure); |
if ((ld = ldapssl_init(host, port, defsecure)) != NULL) |
if ((ld = ldapssl_init(host, port, defsecure)) != NULL) |
rc = LDAP_SUCCESS; |
rc = LDAP_SUCCESS; |
} else |
} else |
|
#elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT) |
|
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
|
if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) { |
|
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
|
debug_return_int(-1); |
|
} |
|
DPRINTF2("ldap_ssl_init(%s, %d, NULL)", host, port); |
|
if ((ld = ldap_ssl_init((char *)host, port, NULL)) != NULL) |
|
rc = LDAP_SUCCESS; |
|
} else |
#endif |
#endif |
{ |
{ |
#ifdef HAVE_LDAP_CREATE |
#ifdef HAVE_LDAP_CREATE |
DPRINTF(("ldap_create()"), 2); | DPRINTF2("ldap_create()"); |
if ((rc = ldap_create(&ld)) != LDAP_SUCCESS) |
if ((rc = ldap_create(&ld)) != LDAP_SUCCESS) |
goto done; |
goto done; |
DPRINTF(("ldap_set_option(LDAP_OPT_HOST_NAME, %s)", host), 2); | DPRINTF2("ldap_set_option(LDAP_OPT_HOST_NAME, %s)", host); |
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host); |
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host); |
#else |
#else |
DPRINTF(("ldap_init(%s, %d)", host, port), 2); | DPRINTF2("ldap_init(%s, %d)", host, port); |
if ((ld = ldap_init(host, port)) != NULL) | if ((ld = ldap_init((char *)host, port)) != NULL) |
rc = LDAP_SUCCESS; |
rc = LDAP_SUCCESS; |
#endif |
#endif |
} |
} |
Line 594 done:
|
Line 633 done:
|
|
|
/* |
/* |
* Walk through search results and return true if we have a matching |
* Walk through search results and return true if we have a matching |
* netgroup, else false. | * non-Unix group (including netgroups), else false. |
*/ |
*/ |
static bool |
static bool |
sudo_ldap_check_user_netgroup(LDAP *ld, LDAPMessage *entry, char *user) | sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw) |
{ |
{ |
struct berval **bv, **p; |
struct berval **bv, **p; |
char *val; |
char *val; |
int ret = false; |
int ret = false; |
debug_decl(sudo_ldap_check_user_netgroup, SUDO_DEBUG_LDAP) | debug_decl(sudo_ldap_check_non_unix_group, SUDO_DEBUG_LDAP) |
|
|
if (!entry) |
if (!entry) |
debug_return_bool(ret); |
debug_return_bool(ret); |
Line 615 sudo_ldap_check_user_netgroup(LDAP *ld, LDAPMessage *e
|
Line 654 sudo_ldap_check_user_netgroup(LDAP *ld, LDAPMessage *e
|
/* walk through values */ |
/* walk through values */ |
for (p = bv; *p != NULL && !ret; p++) { |
for (p = bv; *p != NULL && !ret; p++) { |
val = (*p)->bv_val; |
val = (*p)->bv_val; |
/* match any */ | if (*val == '+') { |
if (netgr_matches(val, NULL, NULL, user)) | if (netgr_matches(val, NULL, NULL, pw->pw_name)) |
ret = true; | ret = true; |
DPRINTF(("ldap sudoUser netgroup '%s' ... %s", val, | DPRINTF2("ldap sudoUser netgroup '%s' ... %s", val, |
ret ? "MATCH!" : "not"), 2 + ((ret) ? 0 : 1)); | ret ? "MATCH!" : "not"); |
| } else { |
| if (group_plugin_query(pw->pw_name, val + 2, pw)) |
| ret = true; |
| DPRINTF2("ldap sudoUser non-Unix group '%s' ... %s", val, |
| ret ? "MATCH!" : "not"); |
| } |
} |
} |
|
|
ldap_value_free_len(bv); /* cleanup */ |
ldap_value_free_len(bv); /* cleanup */ |
Line 655 sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
|
Line 700 sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
|
netgr_matches(val, user_host, user_shost, NULL) || |
netgr_matches(val, user_host, user_shost, NULL) || |
hostname_matches(user_shost, user_host, val)) |
hostname_matches(user_shost, user_host, val)) |
ret = true; |
ret = true; |
DPRINTF(("ldap sudoHost '%s' ... %s", val, | DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); |
ret ? "MATCH!" : "not"), 2); | |
} |
} |
|
|
ldap_value_free_len(bv); /* cleanup */ |
ldap_value_free_len(bv); /* cleanup */ |
Line 723 sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entr
|
Line 767 sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entr
|
} |
} |
/* FALLTHROUGH */ |
/* FALLTHROUGH */ |
default: |
default: |
if (strcasecmp(val, runas_pw->pw_name) == 0) | if (userpw_matches(val, runas_pw->pw_name, runas_pw)) |
ret = true; |
ret = true; |
break; |
break; |
} |
} |
DPRINTF(("ldap sudoRunAsUser '%s' ... %s", val, | DPRINTF2("ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not"); |
ret ? "MATCH!" : "not"), 2); | |
} |
} |
|
|
ldap_value_free_len(bv); /* cleanup */ |
ldap_value_free_len(bv); /* cleanup */ |
Line 758 sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *ent
|
Line 801 sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *ent
|
val = (*p)->bv_val; |
val = (*p)->bv_val; |
if (strcmp(val, "ALL") == 0 || group_matches(val, runas_gr)) |
if (strcmp(val, "ALL") == 0 || group_matches(val, runas_gr)) |
ret = true; |
ret = true; |
DPRINTF(("ldap sudoRunAsGroup '%s' ... %s", val, | DPRINTF2("ldap sudoRunAsGroup '%s' ... %s", |
ret ? "MATCH!" : "not"), 2); | val, ret ? "MATCH!" : "not"); |
} |
} |
|
|
ldap_value_free_len(bv); /* cleanup */ |
ldap_value_free_len(bv); /* cleanup */ |
Line 786 sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
|
Line 829 sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
|
debug_return_bool(ret); |
debug_return_bool(ret); |
} |
} |
|
|
|
static struct sudo_digest * |
|
sudo_ldap_extract_digest(char **cmnd, struct sudo_digest *digest) |
|
{ |
|
char *ep, *cp = *cmnd; |
|
int digest_type = SUDO_DIGEST_INVALID; |
|
debug_decl(sudo_ldap_check_command, SUDO_DEBUG_LDAP) |
|
|
|
/* |
|
* Check for and extract a digest prefix, e.g. |
|
* sha224:d06a2617c98d377c250edd470fd5e576327748d82915d6e33b5f8db1 /bin/ls |
|
*/ |
|
if (cp[0] == 's' && cp[1] == 'h' && cp[2] == 'a') { |
|
switch (cp[3]) { |
|
case '2': |
|
if (cp[4] == '2' && cp[5] == '4') |
|
digest_type = SUDO_DIGEST_SHA224; |
|
else if (cp[4] == '5' && cp[5] == '6') |
|
digest_type = SUDO_DIGEST_SHA256; |
|
break; |
|
case '3': |
|
if (cp[4] == '8' && cp[5] == '4') |
|
digest_type = SUDO_DIGEST_SHA384; |
|
break; |
|
case '5': |
|
if (cp[4] == '1' && cp[5] == '2') |
|
digest_type = SUDO_DIGEST_SHA512; |
|
break; |
|
} |
|
if (digest_type != SUDO_DIGEST_INVALID) { |
|
cp += 6; |
|
while (isblank((unsigned char)*cp)) |
|
cp++; |
|
if (*cp == ':') { |
|
cp++; |
|
while (isblank((unsigned char)*cp)) |
|
cp++; |
|
ep = cp; |
|
while (*ep != '\0' && !isblank((unsigned char)*ep)) |
|
ep++; |
|
if (*ep != '\0') { |
|
digest->digest_type = digest_type; |
|
digest->digest_str = estrndup(cp, (size_t)(ep - cp)); |
|
cp = ep + 1; |
|
while (isblank((unsigned char)*cp)) |
|
cp++; |
|
*cmnd = cp; |
|
DPRINTF1("%s digest %s for %s", |
|
digest_type == SUDO_DIGEST_SHA224 ? "sha224" : |
|
digest_type == SUDO_DIGEST_SHA256 ? "sha256" : |
|
digest_type == SUDO_DIGEST_SHA384 ? "sha384" : |
|
"sha512", digest->digest_str, cp); |
|
debug_return_ptr(digest); |
|
} |
|
} |
|
} |
|
} |
|
debug_return_ptr(NULL); |
|
} |
|
|
/* |
/* |
* Walk through search results and return true if we have a command match, |
* Walk through search results and return true if we have a command match, |
* false if disallowed and UNSPEC if not matched. |
* false if disallowed and UNSPEC if not matched. |
Line 793 sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
|
Line 895 sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
|
static int |
static int |
sudo_ldap_check_command(LDAP *ld, LDAPMessage *entry, int *setenv_implied) |
sudo_ldap_check_command(LDAP *ld, LDAPMessage *entry, int *setenv_implied) |
{ |
{ |
|
struct sudo_digest digest, *allowed_digest = NULL; |
struct berval **bv, **p; |
struct berval **bv, **p; |
char *allowed_cmnd, *allowed_args, *val; |
char *allowed_cmnd, *allowed_args, *val; |
bool foundbang; |
bool foundbang; |
Line 813 sudo_ldap_check_command(LDAP *ld, LDAPMessage *entry,
|
Line 916 sudo_ldap_check_command(LDAP *ld, LDAPMessage *entry,
|
ret = true; |
ret = true; |
if (setenv_implied != NULL) |
if (setenv_implied != NULL) |
*setenv_implied = true; |
*setenv_implied = true; |
DPRINTF(("ldap sudoCommand '%s' ... MATCH!", val), 2); | DPRINTF2("ldap sudoCommand '%s' ... MATCH!", val); |
continue; |
continue; |
} |
} |
|
|
|
/* check for sha-2 digest */ |
|
allowed_digest = sudo_ldap_extract_digest(&val, &digest); |
|
|
/* check for !command */ |
/* check for !command */ |
if (*val == '!') { |
if (*val == '!') { |
foundbang = true; |
foundbang = true; |
Line 832 sudo_ldap_check_command(LDAP *ld, LDAPMessage *entry,
|
Line 938 sudo_ldap_check_command(LDAP *ld, LDAPMessage *entry,
|
*allowed_args++ = '\0'; |
*allowed_args++ = '\0'; |
|
|
/* check the command like normal */ |
/* check the command like normal */ |
if (command_matches(allowed_cmnd, allowed_args)) { | if (command_matches(allowed_cmnd, allowed_args, allowed_digest)) { |
/* |
/* |
* If allowed (no bang) set ret but keep on checking. |
* If allowed (no bang) set ret but keep on checking. |
* If disallowed (bang), exit loop. |
* If disallowed (bang), exit loop. |
*/ |
*/ |
ret = foundbang ? false : true; |
ret = foundbang ? false : true; |
} |
} |
DPRINTF(("ldap sudoCommand '%s' ... %s", val, | DPRINTF2("ldap sudoCommand '%s' ... %s", |
ret == true ? "MATCH!" : "not"), 2); | val, ret == true ? "MATCH!" : "not"); |
|
|
efree(allowed_cmnd); /* cleanup */ |
efree(allowed_cmnd); /* cleanup */ |
|
if (allowed_digest != NULL) |
|
efree(allowed_digest->digest_str); |
} |
} |
|
|
ldap_value_free_len(bv); /* more cleanup */ |
ldap_value_free_len(bv); /* more cleanup */ |
Line 872 sudo_ldap_check_bool(LDAP *ld, LDAPMessage *entry, cha
|
Line 980 sudo_ldap_check_bool(LDAP *ld, LDAPMessage *entry, cha
|
/* walk through options */ |
/* walk through options */ |
for (p = bv; *p != NULL; p++) { |
for (p = bv; *p != NULL; p++) { |
var = (*p)->bv_val;; |
var = (*p)->bv_val;; |
DPRINTF(("ldap sudoOption: '%s'", var), 2); | DPRINTF2("ldap sudoOption: '%s'", var); |
|
|
if ((ch = *var) == '!') |
if ((ch = *var) == '!') |
var++; |
var++; |
Line 906 sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry)
|
Line 1014 sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry)
|
/* walk through options */ |
/* walk through options */ |
for (p = bv; *p != NULL; p++) { |
for (p = bv; *p != NULL; p++) { |
var = estrdup((*p)->bv_val); |
var = estrdup((*p)->bv_val); |
DPRINTF(("ldap sudoOption: '%s'", var), 2); | DPRINTF2("ldap sudoOption: '%s'", var); |
|
|
/* check for equals sign past first char */ |
/* check for equals sign past first char */ |
val = strchr(var, '='); |
val = strchr(var, '='); |
Line 963 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
Line 1071 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
{ |
{ |
struct tm *tp; |
struct tm *tp; |
time_t now; |
time_t now; |
char timebuffer[16]; | char timebuffer[sizeof("20120727121554.0Z")]; |
int bytes = 0; |
int bytes = 0; |
debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP) |
|
|
Line 975 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
Line 1083 sudo_ldap_timefilter(char *buffer, size_t buffersize)
|
} |
} |
|
|
/* Format the timestamp according to the RFC. */ |
/* Format the timestamp according to the RFC. */ |
if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%SZ", tp) == 0) { | if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", tp) == 0) { |
warning(_("unable to format timestamp")); | warningx(_("unable to format timestamp")); |
goto done; |
goto done; |
} |
} |
|
|
Line 1108 static char *
|
Line 1216 static char *
|
sudo_ldap_build_pass1(struct passwd *pw) |
sudo_ldap_build_pass1(struct passwd *pw) |
{ |
{ |
struct group *grp; |
struct group *grp; |
char *buf, timebuffer[TIMEFILTER_LENGTH], gidbuf[MAX_UID_T_LEN]; | char *buf, timebuffer[TIMEFILTER_LENGTH + 1], gidbuf[MAX_UID_T_LEN + 1]; |
struct group_list *grlist; |
struct group_list *grlist; |
size_t sz = 0; |
size_t sz = 0; |
int i; |
int i; |
debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP) |
|
|
/* Start with LDAP search filter length + 3 */ | /* If there is a filter, allocate space for the global AND. */ |
| if (ldap_conf.timed || ldap_conf.search_filter) |
| sz += 3; |
| |
| /* Add LDAP search filter if present. */ |
if (ldap_conf.search_filter) |
if (ldap_conf.search_filter) |
sz += strlen(ldap_conf.search_filter) + 3; | sz += strlen(ldap_conf.search_filter); |
|
|
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ |
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ |
sz += 29 + sudo_ldap_value_len(pw->pw_name); |
sz += 29 + sudo_ldap_value_len(pw->pw_name); |
Line 1126 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1238 sudo_ldap_build_pass1(struct passwd *pw)
|
sz += 12 + sudo_ldap_value_len(grp->gr_name); |
sz += 12 + sudo_ldap_value_len(grp->gr_name); |
} |
} |
sz += 13 + MAX_UID_T_LEN; |
sz += 13 + MAX_UID_T_LEN; |
if ((grlist = get_group_list(pw)) != NULL) { | if ((grlist = sudo_get_grlist(pw)) != NULL) { |
for (i = 0; i < grlist->ngroups; i++) { |
for (i = 0; i < grlist->ngroups; i++) { |
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0) |
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0) |
continue; |
continue; |
Line 1193 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1305 sudo_ldap_build_pass1(struct passwd *pw)
|
|
|
/* Done with groups. */ |
/* Done with groups. */ |
if (grlist != NULL) |
if (grlist != NULL) |
grlist_delref(grlist); | sudo_grlist_delref(grlist); |
if (grp != NULL) |
if (grp != NULL) |
gr_delref(grp); | sudo_gr_delref(grp); |
|
|
/* Add ALL to list and end the global OR */ |
/* Add ALL to list and end the global OR */ |
if (strlcat(buf, "(sudoUser=ALL)", sz) >= sz) |
if (strlcat(buf, "(sudoUser=ALL)", sz) >= sz) |
errorx(1, _("sudo_ldap_build_pass1 allocation mismatch")); | fatalx(_("sudo_ldap_build_pass1 allocation mismatch")); |
|
|
/* Add the time restriction, or simply end the global OR. */ |
/* Add the time restriction, or simply end the global OR. */ |
if (ldap_conf.timed) { |
if (ldap_conf.timed) { |
Line 1215 sudo_ldap_build_pass1(struct passwd *pw)
|
Line 1327 sudo_ldap_build_pass1(struct passwd *pw)
|
} |
} |
|
|
/* |
/* |
* Builds up a filter to check against netgroup entries in LDAP. | * Builds up a filter to check against non-Unix group |
| * entries in LDAP, including netgroups. |
*/ |
*/ |
static char * |
static char * |
sudo_ldap_build_pass2(void) |
sudo_ldap_build_pass2(void) |
{ |
{ |
char *filt, timebuffer[TIMEFILTER_LENGTH]; | char *filt, timebuffer[TIMEFILTER_LENGTH + 1]; |
debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP) |
|
|
if (ldap_conf.timed) |
if (ldap_conf.timed) |
sudo_ldap_timefilter(timebuffer, sizeof(timebuffer)); |
sudo_ldap_timefilter(timebuffer, sizeof(timebuffer)); |
|
|
/* |
/* |
* Match all sudoUsers beginning with a '+'. | * Match all sudoUsers beginning with '+' or '%:'. |
* If a search filter or time restriction is specified, |
* If a search filter or time restriction is specified, |
* those get ANDed in to the expression. |
* those get ANDed in to the expression. |
*/ |
*/ |
easprintf(&filt, "%s%s(sudoUser=+*)%s%s", | if (def_group_plugin) { |
(ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "", | easprintf(&filt, "%s%s(|(sudoUser=+*)(sudoUser=%%:*))%s%s", |
ldap_conf.search_filter ? ldap_conf.search_filter : "", | (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "", |
ldap_conf.timed ? timebuffer : "", | ldap_conf.search_filter ? ldap_conf.search_filter : "", |
(ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""); | ldap_conf.timed ? timebuffer : "", |
| (ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""); |
| } else { |
| easprintf(&filt, "%s%s(sudoUser=+*)%s%s", |
| (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "", |
| ldap_conf.search_filter ? ldap_conf.search_filter : "", |
| ldap_conf.timed ? timebuffer : "", |
| (ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""); |
| } |
|
|
debug_return_str(filt); |
debug_return_str(filt); |
} |
} |
Line 1247 sudo_ldap_read_secret(const char *path)
|
Line 1368 sudo_ldap_read_secret(const char *path)
|
char buf[LINE_MAX], *cp; |
char buf[LINE_MAX], *cp; |
debug_decl(sudo_ldap_read_secret, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_read_secret, SUDO_DEBUG_LDAP) |
|
|
if ((fp = fopen(_PATH_LDAP_SECRET, "r")) != NULL) { | if ((fp = fopen(path_ldap_secret, "r")) != NULL) { |
if (fgets(buf, sizeof(buf), fp) != NULL) { |
if (fgets(buf, sizeof(buf), fp) != NULL) { |
if ((cp = strchr(buf, '\n')) != NULL) |
if ((cp = strchr(buf, '\n')) != NULL) |
*cp = '\0'; |
*cp = '\0'; |
Line 1324 static bool
|
Line 1445 static bool
|
sudo_ldap_read_config(void) |
sudo_ldap_read_config(void) |
{ |
{ |
FILE *fp; |
FILE *fp; |
char *cp, *keyword, *value; | char *cp, *keyword, *value, *line = NULL; |
| size_t linesize = 0; |
debug_decl(sudo_ldap_read_config, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_read_config, SUDO_DEBUG_LDAP) |
|
|
/* defaults */ |
/* defaults */ |
Line 1338 sudo_ldap_read_config(void)
|
Line 1460 sudo_ldap_read_config(void)
|
ldap_conf.rootuse_sasl = -1; |
ldap_conf.rootuse_sasl = -1; |
ldap_conf.deref = -1; |
ldap_conf.deref = -1; |
|
|
if ((fp = fopen(_PATH_LDAP_CONF, "r")) == NULL) | if ((fp = fopen(path_ldap_conf, "r")) == NULL) |
debug_return_bool(false); |
debug_return_bool(false); |
|
|
while ((cp = sudo_parseln(fp)) != NULL) { | while (sudo_parseln(&line, &linesize, NULL, fp) != -1) { |
if (*cp == '\0') | if (*line == '\0') |
continue; /* skip empty line */ |
continue; /* skip empty line */ |
|
|
/* split into keyword and value */ |
/* split into keyword and value */ |
keyword = cp; | keyword = cp = line; |
while (*cp && !isblank((unsigned char) *cp)) |
while (*cp && !isblank((unsigned char) *cp)) |
cp++; |
cp++; |
if (*cp) |
if (*cp) |
Line 1361 sudo_ldap_read_config(void)
|
Line 1483 sudo_ldap_read_config(void)
|
if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global)) |
if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global)) |
sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn); |
sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn); |
} |
} |
|
free(line); |
fclose(fp); |
fclose(fp); |
|
|
if (!ldap_conf.host) |
if (!ldap_conf.host) |
ldap_conf.host = estrdup("localhost"); |
ldap_conf.host = estrdup("localhost"); |
|
|
if (ldap_conf.debug > 1) { | DPRINTF1("LDAP Config Summary"); |
sudo_printf(SUDO_CONV_ERROR_MSG, "LDAP Config Summary\n"); | DPRINTF1("==================="); |
sudo_printf(SUDO_CONV_ERROR_MSG, "===================\n"); | if (ldap_conf.uri) { |
if (ldap_conf.uri) { | struct ldap_config_list_str *uri = ldap_conf.uri; |
struct ldap_config_list_str *uri = ldap_conf.uri; | |
|
|
do { | do { |
sudo_printf(SUDO_CONV_ERROR_MSG, "uri %s\n", | DPRINTF1("uri %s", uri->val); |
uri->val); | } while ((uri = uri->next) != NULL); |
} while ((uri = uri->next) != NULL); | } else { |
} else { | DPRINTF1("host %s", |
sudo_printf(SUDO_CONV_ERROR_MSG, "host %s\n", | ldap_conf.host ? ldap_conf.host : "(NONE)"); |
ldap_conf.host ? ldap_conf.host : "(NONE)"); | DPRINTF1("port %d", ldap_conf.port); |
sudo_printf(SUDO_CONV_ERROR_MSG, "port %d\n", | } |
ldap_conf.port); | DPRINTF1("ldap_version %d", ldap_conf.version); |
} | |
sudo_printf(SUDO_CONV_ERROR_MSG, "ldap_version %d\n", | |
ldap_conf.version); | |
|
|
if (ldap_conf.base) { | if (ldap_conf.base) { |
struct ldap_config_list_str *base = ldap_conf.base; | struct ldap_config_list_str *base = ldap_conf.base; |
do { | do { |
sudo_printf(SUDO_CONV_ERROR_MSG, "sudoers_base %s\n", | DPRINTF1("sudoers_base %s", base->val); |
base->val); | } while ((base = base->next) != NULL); |
} while ((base = base->next) != NULL); | } else { |
} else { | DPRINTF1("sudoers_base %s", "(NONE: LDAP disabled)"); |
sudo_printf(SUDO_CONV_ERROR_MSG, "sudoers_base %s\n", | } |
"(NONE: LDAP disabled)"); | if (ldap_conf.search_filter) { |
} | DPRINTF1("search_filter %s", ldap_conf.search_filter); |
if (ldap_conf.search_filter) { | } |
sudo_printf(SUDO_CONV_ERROR_MSG, "search_filter %s\n", | DPRINTF1("binddn %s", |
ldap_conf.search_filter); | ldap_conf.binddn ? ldap_conf.binddn : "(anonymous)"); |
} | DPRINTF1("bindpw %s", |
sudo_printf(SUDO_CONV_ERROR_MSG, "binddn %s\n", | ldap_conf.bindpw ? ldap_conf.bindpw : "(anonymous)"); |
ldap_conf.binddn ? ldap_conf.binddn : "(anonymous)"); | if (ldap_conf.bind_timelimit > 0) { |
sudo_printf(SUDO_CONV_ERROR_MSG, "bindpw %s\n", | DPRINTF1("bind_timelimit %d", ldap_conf.bind_timelimit); |
ldap_conf.bindpw ? ldap_conf.bindpw : "(anonymous)"); | } |
if (ldap_conf.bind_timelimit > 0) { | if (ldap_conf.timelimit > 0) { |
sudo_printf(SUDO_CONV_ERROR_MSG, "bind_timelimit %d\n", | DPRINTF1("timelimit %d", ldap_conf.timelimit); |
ldap_conf.bind_timelimit); | } |
} | if (ldap_conf.deref != -1) { |
if (ldap_conf.timelimit > 0) { | DPRINTF1("deref %d", ldap_conf.deref); |
sudo_printf(SUDO_CONV_ERROR_MSG, "timelimit %d\n", | } |
ldap_conf.timelimit); | DPRINTF1("ssl %s", ldap_conf.ssl ? ldap_conf.ssl : "(no)"); |
} | if (ldap_conf.tls_checkpeer != -1) { |
if (ldap_conf.deref != -1) { | DPRINTF1("tls_checkpeer %s", |
sudo_printf(SUDO_CONV_ERROR_MSG, "deref %d\n", | ldap_conf.tls_checkpeer ? "(yes)" : "(no)"); |
ldap_conf.deref); | } |
} | if (ldap_conf.tls_cacertfile != NULL) { |
sudo_printf(SUDO_CONV_ERROR_MSG, "ssl %s\n", | DPRINTF1("tls_cacertfile %s", ldap_conf.tls_cacertfile); |
ldap_conf.ssl ? ldap_conf.ssl : "(no)"); | } |
if (ldap_conf.tls_checkpeer != -1) { | if (ldap_conf.tls_cacertdir != NULL) { |
sudo_printf(SUDO_CONV_ERROR_MSG, "tls_checkpeer %s\n", | DPRINTF1("tls_cacertdir %s", ldap_conf.tls_cacertdir); |
ldap_conf.tls_checkpeer ? "(yes)" : "(no)"); | } |
} | if (ldap_conf.tls_random_file != NULL) { |
if (ldap_conf.tls_cacertfile != NULL) { | DPRINTF1("tls_random_file %s", ldap_conf.tls_random_file); |
sudo_printf(SUDO_CONV_ERROR_MSG, "tls_cacertfile %s\n", | } |
ldap_conf.tls_cacertfile); | if (ldap_conf.tls_cipher_suite != NULL) { |
} | DPRINTF1("tls_cipher_suite %s", ldap_conf.tls_cipher_suite); |
if (ldap_conf.tls_cacertdir != NULL) { | } |
sudo_printf(SUDO_CONV_ERROR_MSG, "tls_cacertdir %s\n", | if (ldap_conf.tls_certfile != NULL) { |
ldap_conf.tls_cacertdir); | DPRINTF1("tls_certfile %s", ldap_conf.tls_certfile); |
} | } |
if (ldap_conf.tls_random_file != NULL) { | if (ldap_conf.tls_keyfile != NULL) { |
sudo_printf(SUDO_CONV_ERROR_MSG, "tls_random_file %s\n", | DPRINTF1("tls_keyfile %s", ldap_conf.tls_keyfile); |
ldap_conf.tls_random_file); | } |
} | |
if (ldap_conf.tls_cipher_suite != NULL) { | |
sudo_printf(SUDO_CONV_ERROR_MSG, "tls_cipher_suite %s\n", | |
ldap_conf.tls_cipher_suite); | |
} | |
if (ldap_conf.tls_certfile != NULL) { | |
sudo_printf(SUDO_CONV_ERROR_MSG, "tls_certfile %s\n", | |
ldap_conf.tls_certfile); | |
} | |
if (ldap_conf.tls_keyfile != NULL) { | |
sudo_printf(SUDO_CONV_ERROR_MSG, "tls_keyfile %s\n", | |
ldap_conf.tls_keyfile); | |
} | |
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S |
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S |
if (ldap_conf.use_sasl != -1) { | if (ldap_conf.use_sasl != -1) { |
sudo_printf(SUDO_CONV_ERROR_MSG, "use_sasl %s\n", | DPRINTF1("use_sasl %s", ldap_conf.use_sasl ? "yes" : "no"); |
ldap_conf.use_sasl ? "yes" : "no"); | DPRINTF1("sasl_auth_id %s", |
sudo_printf(SUDO_CONV_ERROR_MSG, "sasl_auth_id %s\n", | ldap_conf.sasl_auth_id ? ldap_conf.sasl_auth_id : "(NONE)"); |
ldap_conf.sasl_auth_id ? ldap_conf.sasl_auth_id : "(NONE)"); | DPRINTF1("rootuse_sasl %d", |
sudo_printf(SUDO_CONV_ERROR_MSG, "rootuse_sasl %d\n", | ldap_conf.rootuse_sasl); |
ldap_conf.rootuse_sasl); | DPRINTF1("rootsasl_auth_id %s", |
sudo_printf(SUDO_CONV_ERROR_MSG, "rootsasl_auth_id %s\n", | ldap_conf.rootsasl_auth_id ? ldap_conf.rootsasl_auth_id : "(NONE)"); |
ldap_conf.rootsasl_auth_id ? ldap_conf.rootsasl_auth_id : "(NONE)"); | DPRINTF1("sasl_secprops %s", |
sudo_printf(SUDO_CONV_ERROR_MSG, "sasl_secprops %s\n", | ldap_conf.sasl_secprops ? ldap_conf.sasl_secprops : "(NONE)"); |
ldap_conf.sasl_secprops ? ldap_conf.sasl_secprops : "(NONE)"); | DPRINTF1("krb5_ccname %s", |
sudo_printf(SUDO_CONV_ERROR_MSG, "krb5_ccname %s\n", | ldap_conf.krb5_ccname ? ldap_conf.krb5_ccname : "(NONE)"); |
ldap_conf.krb5_ccname ? ldap_conf.krb5_ccname : "(NONE)"); | |
} | |
#endif | |
sudo_printf(SUDO_CONV_ERROR_MSG, "===================\n"); | |
} |
} |
|
#endif |
|
DPRINTF1("==================="); |
|
|
if (!ldap_conf.base) |
if (!ldap_conf.base) |
debug_return_bool(false); /* if no base is defined, ignore LDAP */ |
debug_return_bool(false); /* if no base is defined, ignore LDAP */ |
|
|
Line 1530 sudo_ldap_read_config(void)
|
Line 1635 sudo_ldap_read_config(void)
|
|
|
/* If rootbinddn set, read in /etc/ldap.secret if it exists. */ |
/* If rootbinddn set, read in /etc/ldap.secret if it exists. */ |
if (ldap_conf.rootbinddn) |
if (ldap_conf.rootbinddn) |
sudo_ldap_read_secret(_PATH_LDAP_SECRET); | sudo_ldap_read_secret(path_ldap_secret); |
|
|
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S |
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S |
/* |
/* |
Line 1542 sudo_ldap_read_config(void)
|
Line 1647 sudo_ldap_read_config(void)
|
value = ldap_conf.krb5_ccname + |
value = ldap_conf.krb5_ccname + |
(ldap_conf.krb5_ccname[4] == ':' ? 5 : 7); |
(ldap_conf.krb5_ccname[4] == ':' ? 5 : 7); |
if ((fp = fopen(value, "r")) != NULL) { |
if ((fp = fopen(value, "r")) != NULL) { |
DPRINTF(("using krb5 credential cache: %s", value), 1); | sudo_debug_printf(SUDO_DEBUG_INFO, |
| "using krb5 credential cache: %s", value); |
fclose(fp); |
fclose(fp); |
} else { |
} else { |
/* Can't open it, just ignore the entry. */ |
/* Can't open it, just ignore the entry. */ |
DPRINTF(("unable to open krb5 credential cache: %s", value), 1); | sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, |
| "unable to open krb5 credential cache: %s", value); |
efree(ldap_conf.krb5_ccname); |
efree(ldap_conf.krb5_ccname); |
ldap_conf.krb5_ccname = NULL; |
ldap_conf.krb5_ccname = NULL; |
} |
} |
Line 1821 sudo_ldap_display_privs(struct sudo_nss *nss, struct p
|
Line 1928 sudo_ldap_display_privs(struct sudo_nss *nss, struct p
|
goto done; |
goto done; |
ld = handle->ld; |
ld = handle->ld; |
|
|
DPRINTF(("ldap search for command list"), 1); | DPRINTF1("ldap search for command list"); |
lres = sudo_ldap_result_get(nss, pw); |
lres = sudo_ldap_result_get(nss, pw); |
|
|
/* Display all matching entries. */ |
/* Display all matching entries. */ |
Line 1856 sudo_ldap_display_cmnd(struct sudo_nss *nss, struct pa
|
Line 1963 sudo_ldap_display_cmnd(struct sudo_nss *nss, struct pa
|
* The sudo_ldap_result_get() function returns all nodes that match |
* The sudo_ldap_result_get() function returns all nodes that match |
* the user and the host. |
* the user and the host. |
*/ |
*/ |
DPRINTF(("ldap search for command list"), 1); | DPRINTF1("ldap search for command list"); |
lres = sudo_ldap_result_get(nss, pw); |
lres = sudo_ldap_result_get(nss, pw); |
for (i = 0; i < lres->nentries; i++) { |
for (i = 0; i < lres->nentries; i++) { |
entry = lres->entries[i].entry; |
entry = lres->entries[i].entry; |
Line 1911 static int
|
Line 2018 static int
|
sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table) |
sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table) |
{ |
{ |
struct ldap_config_table *cur; |
struct ldap_config_table *cur; |
int ival, rc; | int ival, rc, errors = 0; |
char *sval; |
char *sval; |
debug_decl(sudo_ldap_set_options_table, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_set_options_table, SUDO_DEBUG_LDAP) |
|
|
Line 1924 sudo_ldap_set_options_table(LDAP *ld, struct ldap_conf
|
Line 2031 sudo_ldap_set_options_table(LDAP *ld, struct ldap_conf
|
case CONF_INT: |
case CONF_INT: |
ival = *(int *)(cur->valp); |
ival = *(int *)(cur->valp); |
if (ival >= 0) { |
if (ival >= 0) { |
|
DPRINTF1("ldap_set_option: %s -> %d", cur->conf_str, ival); |
rc = ldap_set_option(ld, cur->opt_val, &ival); |
rc = ldap_set_option(ld, cur->opt_val, &ival); |
if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
warningx("ldap_set_option: %s -> %d: %s", |
warningx("ldap_set_option: %s -> %d: %s", |
cur->conf_str, ival, ldap_err2string(rc)); |
cur->conf_str, ival, ldap_err2string(rc)); |
debug_return_int(-1); | errors++; |
} |
} |
DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1); |
|
} |
} |
break; |
break; |
case CONF_STR: |
case CONF_STR: |
sval = *(char **)(cur->valp); |
sval = *(char **)(cur->valp); |
if (sval != NULL) { |
if (sval != NULL) { |
|
DPRINTF1("ldap_set_option: %s -> %s", cur->conf_str, sval); |
rc = ldap_set_option(ld, cur->opt_val, sval); |
rc = ldap_set_option(ld, cur->opt_val, sval); |
if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
warningx("ldap_set_option: %s -> %s: %s", |
warningx("ldap_set_option: %s -> %s: %s", |
cur->conf_str, sval, ldap_err2string(rc)); |
cur->conf_str, sval, ldap_err2string(rc)); |
debug_return_int(-1); | errors++; |
} |
} |
DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1); |
|
} |
} |
break; |
break; |
} |
} |
} |
} |
debug_return_int(0); | debug_return_int(errors ? -1 : 0); |
} |
} |
|
|
/* |
/* |
Line 1992 sudo_ldap_set_options_conn(LDAP *ld)
|
Line 2099 sudo_ldap_set_options_conn(LDAP *ld)
|
struct timeval tv; |
struct timeval tv; |
tv.tv_sec = ldap_conf.timeout; |
tv.tv_sec = ldap_conf.timeout; |
tv.tv_usec = 0; |
tv.tv_usec = 0; |
|
DPRINTF1("ldap_set_option(LDAP_OPT_TIMEOUT, %d)", ldap_conf.timeout); |
rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv); |
rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv); |
if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
warningx("ldap_set_option(TIMEOUT, %ld): %s", | warningx("ldap_set_option(TIMEOUT, %d): %s", |
(long)tv.tv_sec, ldap_err2string(rc)); | ldap_conf.timeout, ldap_err2string(rc)); |
debug_return_int(-1); | |
} |
} |
DPRINTF(("ldap_set_option(LDAP_OPT_TIMEOUT, %ld)", |
|
(long)tv.tv_sec), 1); |
|
} |
} |
#endif |
#endif |
#ifdef LDAP_OPT_NETWORK_TIMEOUT |
#ifdef LDAP_OPT_NETWORK_TIMEOUT |
Line 2008 sudo_ldap_set_options_conn(LDAP *ld)
|
Line 2113 sudo_ldap_set_options_conn(LDAP *ld)
|
struct timeval tv; |
struct timeval tv; |
tv.tv_sec = ldap_conf.bind_timelimit / 1000; |
tv.tv_sec = ldap_conf.bind_timelimit / 1000; |
tv.tv_usec = 0; |
tv.tv_usec = 0; |
|
DPRINTF1("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %d)", |
|
ldap_conf.bind_timelimit / 1000); |
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); |
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv); |
|
# if !defined(LDAP_OPT_CONNECT_TIMEOUT) || LDAP_VENDOR_VERSION != 510 |
|
/* Tivoli Directory Server 6.3 libs always return a (bogus) error. */ |
if (rc != LDAP_OPT_SUCCESS) { |
if (rc != LDAP_OPT_SUCCESS) { |
warningx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s", | warningx("ldap_set_option(NETWORK_TIMEOUT, %d): %s", |
(long)tv.tv_sec, ldap_err2string(rc)); | ldap_conf.bind_timelimit / 1000, ldap_err2string(rc)); |
debug_return_int(-1); | |
} |
} |
DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)", | # endif |
(long)tv.tv_sec), 1); | |
} |
} |
#endif |
#endif |
|
|
#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT) |
#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT) |
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { |
int val = LDAP_OPT_X_TLS_HARD; |
int val = LDAP_OPT_X_TLS_HARD; |
|
DPRINTF1("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"); |
rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val); |
rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val); |
if (rc != LDAP_SUCCESS) { |
if (rc != LDAP_SUCCESS) { |
warningx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s", |
warningx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s", |
ldap_err2string(rc)); |
ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1); |
|
} |
} |
#endif |
#endif |
debug_return_int(0); |
debug_return_int(0); |
Line 2124 sudo_ldap_bind_s(LDAP *ld)
|
Line 2231 sudo_ldap_bind_s(LDAP *ld)
|
if (gss_krb5_ccache_name(&status, ldap_conf.krb5_ccname, &old_ccname) |
if (gss_krb5_ccache_name(&status, ldap_conf.krb5_ccname, &old_ccname) |
!= GSS_S_COMPLETE) { |
!= GSS_S_COMPLETE) { |
old_ccname = NULL; |
old_ccname = NULL; |
DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1); | sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, |
| "gss_krb5_ccache_name() failed: %d", status); |
} |
} |
# else |
# else |
sudo_setenv("KRB5CCNAME", ldap_conf.krb5_ccname, true); |
sudo_setenv("KRB5CCNAME", ldap_conf.krb5_ccname, true); |
Line 2135 sudo_ldap_bind_s(LDAP *ld)
|
Line 2243 sudo_ldap_bind_s(LDAP *ld)
|
if (ldap_conf.krb5_ccname != NULL) { |
if (ldap_conf.krb5_ccname != NULL) { |
# ifdef HAVE_GSS_KRB5_CCACHE_NAME |
# ifdef HAVE_GSS_KRB5_CCACHE_NAME |
if (gss_krb5_ccache_name(&status, old_ccname, NULL) != GSS_S_COMPLETE) |
if (gss_krb5_ccache_name(&status, old_ccname, NULL) != GSS_S_COMPLETE) |
DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1); | sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, |
| "gss_krb5_ccache_name() failed: %d", status); |
# else |
# else |
if (old_ccname != NULL) |
if (old_ccname != NULL) |
sudo_setenv("KRB5CCNAME", old_ccname, true); |
sudo_setenv("KRB5CCNAME", old_ccname, true); |
Line 2148 sudo_ldap_bind_s(LDAP *ld)
|
Line 2257 sudo_ldap_bind_s(LDAP *ld)
|
ldap_err2string(rc)); |
ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
DPRINTF(("ldap_sasl_interactive_bind_s() ok"), 1); | DPRINTF1("ldap_sasl_interactive_bind_s() ok"); |
} else |
} else |
#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */ |
#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */ |
#ifdef HAVE_LDAP_SASL_BIND_S |
#ifdef HAVE_LDAP_SASL_BIND_S |
Line 2164 sudo_ldap_bind_s(LDAP *ld)
|
Line 2273 sudo_ldap_bind_s(LDAP *ld)
|
warningx("ldap_sasl_bind_s(): %s", ldap_err2string(rc)); |
warningx("ldap_sasl_bind_s(): %s", ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
DPRINTF(("ldap_sasl_bind_s() ok"), 1); | DPRINTF1("ldap_sasl_bind_s() ok"); |
} |
} |
#else |
#else |
{ |
{ |
Line 2173 sudo_ldap_bind_s(LDAP *ld)
|
Line 2282 sudo_ldap_bind_s(LDAP *ld)
|
warningx("ldap_simple_bind_s(): %s", ldap_err2string(rc)); |
warningx("ldap_simple_bind_s(): %s", ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
DPRINTF(("ldap_simple_bind_s() ok"), 1); | DPRINTF1("ldap_simple_bind_s() ok"); |
} |
} |
#endif |
#endif |
debug_return_int(0); |
debug_return_int(0); |
Line 2209 sudo_ldap_open(struct sudo_nss *nss)
|
Line 2318 sudo_ldap_open(struct sudo_nss *nss)
|
#ifdef HAVE_LDAP_INITIALIZE |
#ifdef HAVE_LDAP_INITIALIZE |
if (ldap_conf.uri != NULL) { |
if (ldap_conf.uri != NULL) { |
char *buf = sudo_ldap_join_uri(ldap_conf.uri); |
char *buf = sudo_ldap_join_uri(ldap_conf.uri); |
DPRINTF(("ldap_initialize(ld, %s)", buf), 2); | DPRINTF2("ldap_initialize(ld, %s)", buf); |
rc = ldap_initialize(&ld, buf); |
rc = ldap_initialize(&ld, buf); |
efree(buf); |
efree(buf); |
if (rc != LDAP_SUCCESS) |
if (rc != LDAP_SUCCESS) |
Line 2234 sudo_ldap_open(struct sudo_nss *nss)
|
Line 2343 sudo_ldap_open(struct sudo_nss *nss)
|
warningx("ldap_start_tls_s(): %s", ldap_err2string(rc)); |
warningx("ldap_start_tls_s(): %s", ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
DPRINTF(("ldap_start_tls_s() ok"), 1); | DPRINTF1("ldap_start_tls_s() ok"); |
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP) |
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP) |
if (ldap_ssl_client_init(NULL, NULL, 0, &rc) != LDAP_SUCCESS) { | if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) { |
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
Line 2245 sudo_ldap_open(struct sudo_nss *nss)
|
Line 2354 sudo_ldap_open(struct sudo_nss *nss)
|
warningx("ldap_start_tls_s_np(): %s", ldap_err2string(rc)); |
warningx("ldap_start_tls_s_np(): %s", ldap_err2string(rc)); |
debug_return_int(-1); |
debug_return_int(-1); |
} |
} |
DPRINTF(("ldap_start_tls_s_np() ok"), 1); | DPRINTF1("ldap_start_tls_s_np() ok"); |
#else |
#else |
warningx(_("start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()")); |
warningx(_("start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()")); |
#endif /* !HAVE_LDAP_START_TLS_S && !HAVE_LDAP_START_TLS_S_NP */ |
#endif /* !HAVE_LDAP_START_TLS_S && !HAVE_LDAP_START_TLS_S_NP */ |
Line 2283 sudo_ldap_setdefs(struct sudo_nss *nss)
|
Line 2392 sudo_ldap_setdefs(struct sudo_nss *nss)
|
ld = handle->ld; |
ld = handle->ld; |
|
|
filt = sudo_ldap_build_default_filter(); |
filt = sudo_ldap_build_default_filter(); |
DPRINTF(("Looking for cn=defaults: %s", filt), 1); | DPRINTF1("Looking for cn=defaults: %s", filt); |
|
|
for (base = ldap_conf.base; base != NULL; base = base->next) { |
for (base = ldap_conf.base; base != NULL; base = base->next) { |
if (ldap_conf.timeout > 0) { |
if (ldap_conf.timeout > 0) { |
Line 2295 sudo_ldap_setdefs(struct sudo_nss *nss)
|
Line 2404 sudo_ldap_setdefs(struct sudo_nss *nss)
|
rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, |
rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, |
filt, NULL, 0, NULL, NULL, tvp, 0, &result); |
filt, NULL, 0, NULL, NULL, tvp, 0, &result); |
if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) { |
if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) { |
DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1); | DPRINTF1("found:%s", ldap_get_dn(ld, entry)); |
sudo_ldap_parse_options(ld, entry); |
sudo_ldap_parse_options(ld, entry); |
} else | } else { |
DPRINTF(("no default options found in %s", base->val), 1); | DPRINTF1("no default options found in %s", base->val); |
| } |
if (result) |
if (result) |
ldap_msgfree(result); |
ldap_msgfree(result); |
} |
} |
Line 2338 sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pw
|
Line 2447 sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pw
|
enum def_tuple pwcheck = |
enum def_tuple pwcheck = |
(pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; |
(pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; |
|
|
DPRINTF(("perform search for pwflag %d", pwflag), 1); | DPRINTF1("perform search for pwflag %d", pwflag); |
for (i = 0; i < lres->nentries; i++) { |
for (i = 0; i < lres->nentries; i++) { |
entry = lres->entries[i].entry; |
entry = lres->entries[i].entry; |
if ((pwcheck == any && doauth != false) || |
if ((pwcheck == any && doauth != false) || |
Line 2377 sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pw
|
Line 2486 sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pw
|
goto done; |
goto done; |
} |
} |
|
|
DPRINTF(("searching LDAP for sudoers entries"), 1); | DPRINTF1("searching LDAP for sudoers entries"); |
|
|
setenv_implied = false; |
setenv_implied = false; |
for (i = 0; i < lres->nentries; i++) { |
for (i = 0; i < lres->nentries; i++) { |
Line 2387 sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pw
|
Line 2496 sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pw
|
rc = sudo_ldap_check_command(ld, entry, &setenv_implied); |
rc = sudo_ldap_check_command(ld, entry, &setenv_implied); |
if (rc != UNSPEC) { |
if (rc != UNSPEC) { |
/* We have a match. */ |
/* We have a match. */ |
DPRINTF(("Command %sallowed", rc == true ? "" : "NOT "), 1); | DPRINTF1("Command %sallowed", rc == true ? "" : "NOT "); |
if (rc == true) { |
if (rc == true) { |
DPRINTF(("LDAP entry: %p", entry), 1); | DPRINTF1("LDAP entry: %p", entry); |
/* Apply entry-specific options. */ |
/* Apply entry-specific options. */ |
if (setenv_implied) |
if (setenv_implied) |
def_setenv = true; |
def_setenv = true; |
Line 2412 sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pw
|
Line 2521 sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pw
|
} |
} |
|
|
done: |
done: |
DPRINTF(("done with LDAP searches"), 1); | DPRINTF1("done with LDAP searches"); |
DPRINTF(("user_matches=%d", lres->user_matches), 1); | DPRINTF1("user_matches=%d", lres->user_matches); |
DPRINTF(("host_matches=%d", lres->host_matches), 1); | DPRINTF1("host_matches=%d", lres->host_matches); |
|
|
if (!ISSET(ret, VALIDATE_OK)) { |
if (!ISSET(ret, VALIDATE_OK)) { |
/* No matching entries. */ |
/* No matching entries. */ |
Line 2425 done:
|
Line 2534 done:
|
CLR(ret, FLAG_NO_USER); |
CLR(ret, FLAG_NO_USER); |
if (lres->host_matches) |
if (lres->host_matches) |
CLR(ret, FLAG_NO_HOST); |
CLR(ret, FLAG_NO_HOST); |
DPRINTF(("sudo_ldap_lookup(%d)=0x%02x", pwflag, ret), 1); | DPRINTF1("sudo_ldap_lookup(%d)=0x%02x", pwflag, ret); |
|
|
debug_return_int(ret); |
debug_return_int(ret); |
} |
} |
Line 2480 sudo_ldap_result_add_entry(struct ldap_result *lres, L
|
Line 2589 sudo_ldap_result_add_entry(struct ldap_result *lres, L
|
if (bv != NULL) { |
if (bv != NULL) { |
if (ldap_count_values_len(bv) > 0) { |
if (ldap_count_values_len(bv) > 0) { |
/* Get the value of this attribute, 0 if not present. */ |
/* Get the value of this attribute, 0 if not present. */ |
DPRINTF(("order attribute raw: %s", (*bv)->bv_val), 1); | DPRINTF2("order attribute raw: %s", (*bv)->bv_val); |
order = strtod((*bv)->bv_val, &ep); |
order = strtod((*bv)->bv_val, &ep); |
if (ep == (*bv)->bv_val || *ep != '\0') { |
if (ep == (*bv)->bv_val || *ep != '\0') { |
warningx(_("invalid sudoOrder attribute: %s"), (*bv)->bv_val); |
warningx(_("invalid sudoOrder attribute: %s"), (*bv)->bv_val); |
order = 0.0; |
order = 0.0; |
} |
} |
DPRINTF(("order attribute: %f", order), 1); | DPRINTF2("order attribute: %f", order); |
} |
} |
ldap_value_free_len(bv); |
ldap_value_free_len(bv); |
} |
} |
Line 2518 sudo_ldap_result_free_nss(struct sudo_nss *nss)
|
Line 2627 sudo_ldap_result_free_nss(struct sudo_nss *nss)
|
debug_decl(sudo_ldap_result_free_nss, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_result_free_nss, SUDO_DEBUG_LDAP) |
|
|
if (handle->result != NULL) { |
if (handle->result != NULL) { |
DPRINTF(("removing reusable search result"), 1); | DPRINTF1("removing reusable search result"); |
sudo_ldap_result_free(handle->result); |
sudo_ldap_result_free(handle->result); |
if (handle->username) { |
if (handle->username) { |
efree(handle->username); |
efree(handle->username); |
Line 2543 sudo_ldap_result_get(struct sudo_nss *nss, struct pass
|
Line 2652 sudo_ldap_result_get(struct sudo_nss *nss, struct pass
|
struct timeval tv, *tvp = NULL; |
struct timeval tv, *tvp = NULL; |
LDAPMessage *entry, *result; |
LDAPMessage *entry, *result; |
LDAP *ld = handle->ld; |
LDAP *ld = handle->ld; |
int do_netgr, rc; | int pass, rc; |
char *filt; |
char *filt; |
debug_decl(sudo_ldap_result_get, SUDO_DEBUG_LDAP) |
debug_decl(sudo_ldap_result_get, SUDO_DEBUG_LDAP) |
|
|
Line 2554 sudo_ldap_result_get(struct sudo_nss *nss, struct pass
|
Line 2663 sudo_ldap_result_get(struct sudo_nss *nss, struct pass
|
if (handle->result) { |
if (handle->result) { |
if (handle->grlist == user_group_list && |
if (handle->grlist == user_group_list && |
strcmp(pw->pw_name, handle->username) == 0) { |
strcmp(pw->pw_name, handle->username) == 0) { |
DPRINTF(("reusing previous result (user %s) with %d entries", | DPRINTF1("reusing previous result (user %s) with %d entries", |
handle->username, handle->result->nentries), 1); | handle->username, handle->result->nentries); |
debug_return_ptr(handle->result); |
debug_return_ptr(handle->result); |
} |
} |
/* User mismatch, cached result cannot be used. */ |
/* User mismatch, cached result cannot be used. */ |
DPRINTF(("removing result (user %s), new search (user %s)", | DPRINTF1("removing result (user %s), new search (user %s)", |
handle->username, pw->pw_name), 1); | handle->username, pw->pw_name); |
sudo_ldap_result_free_nss(nss); |
sudo_ldap_result_free_nss(nss); |
} |
} |
|
|
Line 2574 sudo_ldap_result_get(struct sudo_nss *nss, struct pass
|
Line 2683 sudo_ldap_result_get(struct sudo_nss *nss, struct pass
|
* sudoUser in this pass since the LDAP server already scanned |
* sudoUser in this pass since the LDAP server already scanned |
* it for us. |
* it for us. |
* |
* |
* The second pass will return all the entries that contain | * The second pass will return all the entries that contain non- |
* user netgroups. Then we take the netgroups returned and | * Unix groups, including netgroups. Then we take the non-Unix |
* try to match them against the username. | * groups returned and try to match them against the username. |
* |
* |
* Since we have to sort the possible entries before we make a |
* Since we have to sort the possible entries before we make a |
* decision, we perform the queries and store all of the results in |
* decision, we perform the queries and store all of the results in |
* an ldap_result object. The results are then sorted by sudoOrder. |
* an ldap_result object. The results are then sorted by sudoOrder. |
*/ |
*/ |
lres = sudo_ldap_result_alloc(); |
lres = sudo_ldap_result_alloc(); |
for (do_netgr = 0; do_netgr < 2; do_netgr++) { | for (pass = 0; pass < 2; pass++) { |
filt = do_netgr ? sudo_ldap_build_pass2() : sudo_ldap_build_pass1(pw); | filt = pass ? sudo_ldap_build_pass2() : sudo_ldap_build_pass1(pw); |
DPRINTF(("ldap search '%s'", filt), 1); | DPRINTF1("ldap search '%s'", filt); |
for (base = ldap_conf.base; base != NULL; base = base->next) { |
for (base = ldap_conf.base; base != NULL; base = base->next) { |
DPRINTF(("searching from base '%s'", base->val), 1); | DPRINTF1("searching from base '%s'", |
| base->val); |
if (ldap_conf.timeout > 0) { |
if (ldap_conf.timeout > 0) { |
tv.tv_sec = ldap_conf.timeout; |
tv.tv_sec = ldap_conf.timeout; |
tv.tv_usec = 0; |
tv.tv_usec = 0; |
Line 2597 sudo_ldap_result_get(struct sudo_nss *nss, struct pass
|
Line 2707 sudo_ldap_result_get(struct sudo_nss *nss, struct pass
|
rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt, |
rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt, |
NULL, 0, NULL, NULL, tvp, 0, &result); |
NULL, 0, NULL, NULL, tvp, 0, &result); |
if (rc != LDAP_SUCCESS) { |
if (rc != LDAP_SUCCESS) { |
DPRINTF(("nothing found for '%s'", filt), 1); | DPRINTF1("nothing found for '%s'", filt); |
continue; |
continue; |
} |
} |
lres->user_matches = true; |
lres->user_matches = true; |
|
|
/* Add the seach result to list of search results. */ |
/* Add the seach result to list of search results. */ |
DPRINTF(("adding search result"), 1); | DPRINTF1("adding search result"); |
sudo_ldap_result_add_search(lres, ld, result); |
sudo_ldap_result_add_search(lres, ld, result); |
LDAP_FOREACH(entry, ld, result) { |
LDAP_FOREACH(entry, ld, result) { |
if ((!do_netgr || | if ((!pass || |
sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) && | sudo_ldap_check_non_unix_group(ld, entry, pw)) && |
sudo_ldap_check_host(ld, entry)) { |
sudo_ldap_check_host(ld, entry)) { |
lres->host_matches = true; |
lres->host_matches = true; |
sudo_ldap_result_add_entry(lres, entry); |
sudo_ldap_result_add_entry(lres, entry); |
} |
} |
} |
} |
DPRINTF(("result now has %d entries", lres->nentries), 1); | DPRINTF1("result now has %d entries", lres->nentries); |
} |
} |
efree(filt); |
efree(filt); |
} |
} |
|
|
/* Sort the entries by the sudoOrder attribute. */ |
/* Sort the entries by the sudoOrder attribute. */ |
DPRINTF(("sorting remaining %d entries", lres->nentries), 1); | DPRINTF1("sorting remaining %d entries", lres->nentries); |
qsort(lres->entries, lres->nentries, sizeof(lres->entries[0]), |
qsort(lres->entries, lres->nentries, sizeof(lres->entries[0]), |
ldap_entry_compare); |
ldap_entry_compare); |
|
|
Line 2699 sudo_ldap_result_from_search(LDAP *ldap, LDAPMessage *
|
Line 2809 sudo_ldap_result_from_search(LDAP *ldap, LDAPMessage *
|
LDAP_FOREACH(entry, last->ldap, last->searchresult) { |
LDAP_FOREACH(entry, last->ldap, last->searchresult) { |
sudo_ldap_result_add_entry(result, entry); |
sudo_ldap_result_add_entry(result, entry); |
} |
} |
DPRINTF(("sudo_ldap_result_from_search: %d entries found", | DPRINTF1("sudo_ldap_result_from_search: %d entries found", result->nentries); |
result->nentries), 2); | |
return result; |
return result; |
} |
} |
#endif |
#endif |