Annotation of embedaddon/sudo/plugins/sudoers/ldap.c, revision 1.1.1.5
1.1 misho 1: /*
1.1.1.4 misho 2: * Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
1.1 misho 3: *
4: * This code is derived from software contributed by Aaron Spangler.
5: *
6: * Permission to use, copy, modify, and distribute this software for any
7: * purpose with or without fee is hereby granted, provided that the above
8: * copyright notice and this permission notice appear in all copies.
9: *
10: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17: */
18:
19: #include <config.h>
20:
21: #include <sys/types.h>
22: #include <sys/time.h>
23: #include <sys/stat.h>
24: #include <stdio.h>
25: #ifdef STDC_HEADERS
26: # include <stdlib.h>
27: # include <stddef.h>
28: #else
29: # ifdef HAVE_STDLIB_H
30: # include <stdlib.h>
31: # endif
32: #endif /* STDC_HEADERS */
33: #ifdef HAVE_STRING_H
34: # include <string.h>
35: #endif /* HAVE_STRING_H */
36: #ifdef HAVE_STRINGS_H
37: # include <strings.h>
38: #endif /* HAVE_STRINGS_H */
39: #ifdef HAVE_UNISTD_H
40: # include <unistd.h>
41: #endif /* HAVE_UNISTD_H */
42: #if TIME_WITH_SYS_TIME
43: # include <time.h>
44: #endif
45: #include <ctype.h>
1.1.1.5 ! misho 46: #include <fcntl.h>
1.1 misho 47: #include <pwd.h>
48: #include <grp.h>
49: #include <netinet/in.h>
50: #include <arpa/inet.h>
51: #ifdef HAVE_LBER_H
52: # include <lber.h>
53: #endif
54: #include <ldap.h>
55: #if defined(HAVE_LDAP_SSL_H)
56: # include <ldap_ssl.h>
57: #elif defined(HAVE_MPS_LDAP_SSL_H)
58: # include <mps/ldap_ssl.h>
59: #endif
60: #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
61: # ifdef HAVE_SASL_SASL_H
62: # include <sasl/sasl.h>
63: # else
64: # include <sasl.h>
65: # endif
1.1.1.5 ! misho 66: # ifdef HAVE_DLOPEN
! 67: # include <dlfcn.h>
! 68: # else
! 69: # include "compat/dlfcn.h"
1.1 misho 70: # endif
1.1.1.5 ! misho 71: #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
1.1 misho 72:
73: #include "sudoers.h"
74: #include "parse.h"
75: #include "lbuf.h"
76:
1.1.1.2 misho 77: /* Older Netscape LDAP SDKs don't prototype ldapssl_set_strength() */
78: #if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(HAVE_LDAP_SSL_H) && !defined(HAVE_MPS_LDAP_SSL_H)
79: extern int ldapssl_set_strength(LDAP *ldap, int strength);
80: #endif
81:
1.1.1.3 misho 82: #if !defined(LDAP_OPT_NETWORK_TIMEOUT) && defined(LDAP_OPT_CONNECT_TIMEOUT)
83: # define LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_CONNECT_TIMEOUT
84: #endif
85:
1.1 misho 86: #ifndef LDAP_OPT_SUCCESS
87: # define LDAP_OPT_SUCCESS LDAP_SUCCESS
88: #endif
89:
90: #ifndef LDAPS_PORT
91: # define LDAPS_PORT 636
92: #endif
93:
94: #if defined(HAVE_LDAP_SASL_INTERACTIVE_BIND_S) && !defined(LDAP_SASL_QUIET)
95: # define LDAP_SASL_QUIET 0
96: #endif
97:
98: #ifndef HAVE_LDAP_UNBIND_EXT_S
99: #define ldap_unbind_ext_s(a, b, c) ldap_unbind_s(a)
100: #endif
101:
102: #ifndef HAVE_LDAP_SEARCH_EXT_S
103: # ifdef HAVE_LDAP_SEARCH_ST
104: # define ldap_search_ext_s(a, b, c, d, e, f, g, h, i, j, k) \
105: ldap_search_st(a, b, c, d, e, f, i, k)
106: # else
107: # define ldap_search_ext_s(a, b, c, d, e, f, g, h, i, j, k) \
108: ldap_search_s(a, b, c, d, e, f, k)
109: # endif
110: #endif
111:
112: #define LDAP_FOREACH(var, ld, res) \
113: for ((var) = ldap_first_entry((ld), (res)); \
114: (var) != NULL; \
115: (var) = ldap_next_entry((ld), (var)))
116:
1.1.1.4 misho 117: #if defined(__GNUC__) && __GNUC__ == 2
118: # define DPRINTF1(fmt...) do { \
119: if (ldap_conf.debug >= 1) \
120: warningx(__VA_ARGS__); \
121: sudo_debug_printf(SUDO_DEBUG_DIAG, fmt); \
122: } while (0)
123: # define DPRINTF2(fmt...) do { \
124: if (ldap_conf.debug >= 2) \
125: warningx(__VA_ARGS__); \
126: sudo_debug_printf(SUDO_DEBUG_INFO, fmt); \
127: } while (0)
128: #else
129: # define DPRINTF1(...) do { \
130: if (ldap_conf.debug >= 1) \
131: warningx(__VA_ARGS__); \
132: sudo_debug_printf(SUDO_DEBUG_DIAG, __VA_ARGS__); \
133: } while (0)
134: # define DPRINTF2(...) do { \
135: if (ldap_conf.debug >= 2) \
136: warningx(__VA_ARGS__); \
137: sudo_debug_printf(SUDO_DEBUG_INFO, __VA_ARGS__); \
138: } while (0)
139: #endif
1.1 misho 140:
141: #define CONF_BOOL 0
142: #define CONF_INT 1
143: #define CONF_STR 2
144: #define CONF_LIST_STR 4
145: #define CONF_DEREF_VAL 5
146:
1.1.1.2 misho 147: #define SUDO_LDAP_CLEAR 0
1.1 misho 148: #define SUDO_LDAP_SSL 1
149: #define SUDO_LDAP_STARTTLS 2
150:
1.1.1.3 misho 151: /* The TIMEFILTER_LENGTH is the length of the filter when timed entries
1.1 misho 152: are used. The length is computed as follows:
1.1.1.3 misho 153: 81 for the filter itself
154: + 2 * 17 for the now timestamp
1.1 misho 155: */
1.1.1.3 misho 156: #define TIMEFILTER_LENGTH 115
1.1 misho 157:
158: /*
159: * The ldap_search structure implements a linked list of ldap and
160: * search result pointers, which allows us to remove them after
161: * all search results have been combined in memory.
162: * XXX - should probably be a tailq since we do appends
163: */
164: struct ldap_search_list {
165: LDAP *ldap;
166: LDAPMessage *searchresult;
167: struct ldap_search_list *next;
168: };
169:
170: /*
171: * The ldap_entry_wrapper structure is used to implement sorted result entries.
172: * A double is used for the order to allow for insertion of new entries
173: * without having to renumber everything.
174: * Note: there is no standard floating point type in LDAP.
175: * As a result, some LDAP servers will only allow an integer.
176: */
177: struct ldap_entry_wrapper {
178: LDAPMessage *entry;
179: double order;
180: };
181:
182: /*
183: * The ldap_result structure contains the list of matching searches as
184: * well as an array of all result entries sorted by the sudoOrder attribute.
185: */
186: struct ldap_result {
187: struct ldap_search_list *searches;
188: struct ldap_entry_wrapper *entries;
189: int allocated_entries;
190: int nentries;
191: int user_matches;
192: int host_matches;
193: };
194: #define ALLOCATION_INCREMENT 100
195:
196: struct ldap_config_table {
197: const char *conf_str; /* config file string */
1.1.1.2 misho 198: int type; /* CONF_BOOL, CONF_INT, CONF_STR */
1.1 misho 199: int opt_val; /* LDAP_OPT_* (or -1 for sudo internal) */
200: void *valp; /* pointer into ldap_conf */
201: };
202:
203: struct ldap_config_list_str {
204: struct ldap_config_list_str *next;
205: char val[1];
206: };
207:
208: /* LDAP configuration structure */
209: static struct ldap_config {
210: int port;
211: int version;
212: int debug;
213: int ldap_debug;
214: int tls_checkpeer;
215: int timelimit;
216: int timeout;
217: int bind_timelimit;
218: int use_sasl;
219: int rootuse_sasl;
220: int ssl_mode;
221: int timed;
222: int deref;
223: char *host;
224: struct ldap_config_list_str *uri;
225: char *binddn;
226: char *bindpw;
227: char *rootbinddn;
228: struct ldap_config_list_str *base;
229: char *search_filter;
230: char *ssl;
231: char *tls_cacertfile;
232: char *tls_cacertdir;
233: char *tls_random_file;
234: char *tls_cipher_suite;
235: char *tls_certfile;
236: char *tls_keyfile;
1.1.1.3 misho 237: char *tls_keypw;
1.1 misho 238: char *sasl_auth_id;
239: char *rootsasl_auth_id;
240: char *sasl_secprops;
241: char *krb5_ccname;
242: } ldap_conf;
243:
1.1.1.2 misho 244: static struct ldap_config_table ldap_conf_global[] = {
245: { "sudoers_debug", CONF_INT, -1, &ldap_conf.debug },
246: { "host", CONF_STR, -1, &ldap_conf.host },
247: { "port", CONF_INT, -1, &ldap_conf.port },
248: { "ssl", CONF_STR, -1, &ldap_conf.ssl },
249: { "sslpath", CONF_STR, -1, &ldap_conf.tls_certfile },
250: { "uri", CONF_LIST_STR, -1, &ldap_conf.uri },
1.1 misho 251: #ifdef LDAP_OPT_DEBUG_LEVEL
1.1.1.2 misho 252: { "debug", CONF_INT, LDAP_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug },
1.1 misho 253: #endif
254: #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
1.1.1.2 misho 255: { "tls_checkpeer", CONF_BOOL, LDAP_OPT_X_TLS_REQUIRE_CERT,
1.1 misho 256: &ldap_conf.tls_checkpeer },
257: #else
1.1.1.2 misho 258: { "tls_checkpeer", CONF_BOOL, -1, &ldap_conf.tls_checkpeer },
1.1 misho 259: #endif
260: #ifdef LDAP_OPT_X_TLS_CACERTFILE
1.1.1.2 misho 261: { "tls_cacertfile", CONF_STR, LDAP_OPT_X_TLS_CACERTFILE,
1.1 misho 262: &ldap_conf.tls_cacertfile },
1.1.1.2 misho 263: { "tls_cacert", CONF_STR, LDAP_OPT_X_TLS_CACERTFILE,
1.1 misho 264: &ldap_conf.tls_cacertfile },
265: #endif
266: #ifdef LDAP_OPT_X_TLS_CACERTDIR
1.1.1.2 misho 267: { "tls_cacertdir", CONF_STR, LDAP_OPT_X_TLS_CACERTDIR,
1.1 misho 268: &ldap_conf.tls_cacertdir },
269: #endif
270: #ifdef LDAP_OPT_X_TLS_RANDOM_FILE
1.1.1.2 misho 271: { "tls_randfile", CONF_STR, LDAP_OPT_X_TLS_RANDOM_FILE,
1.1 misho 272: &ldap_conf.tls_random_file },
273: #endif
274: #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
1.1.1.2 misho 275: { "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE,
1.1 misho 276: &ldap_conf.tls_cipher_suite },
1.1.1.3 misho 277: #elif defined(LDAP_OPT_SSL_CIPHER)
278: { "tls_ciphers", CONF_STR, LDAP_OPT_SSL_CIPHER,
279: &ldap_conf.tls_cipher_suite },
1.1 misho 280: #endif
281: #ifdef LDAP_OPT_X_TLS_CERTFILE
1.1.1.2 misho 282: { "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE,
1.1 misho 283: &ldap_conf.tls_certfile },
284: #else
1.1.1.2 misho 285: { "tls_cert", CONF_STR, -1, &ldap_conf.tls_certfile },
1.1 misho 286: #endif
287: #ifdef LDAP_OPT_X_TLS_KEYFILE
1.1.1.2 misho 288: { "tls_key", CONF_STR, LDAP_OPT_X_TLS_KEYFILE,
1.1 misho 289: &ldap_conf.tls_keyfile },
290: #else
1.1.1.2 misho 291: { "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile },
292: #endif
1.1.1.3 misho 293: #ifdef HAVE_LDAP_SSL_CLIENT_INIT
294: { "tls_keypw", CONF_STR, -1, &ldap_conf.tls_keypw },
295: #endif
1.1.1.2 misho 296: { "binddn", CONF_STR, -1, &ldap_conf.binddn },
297: { "bindpw", CONF_STR, -1, &ldap_conf.bindpw },
298: { "rootbinddn", CONF_STR, -1, &ldap_conf.rootbinddn },
299: { "sudoers_base", CONF_LIST_STR, -1, &ldap_conf.base },
300: { "sudoers_timed", CONF_BOOL, -1, &ldap_conf.timed },
301: { "sudoers_search_filter", CONF_STR, -1, &ldap_conf.search_filter },
302: #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
303: { "use_sasl", CONF_BOOL, -1, &ldap_conf.use_sasl },
304: { "sasl_auth_id", CONF_STR, -1, &ldap_conf.sasl_auth_id },
305: { "rootuse_sasl", CONF_BOOL, -1, &ldap_conf.rootuse_sasl },
306: { "rootsasl_auth_id", CONF_STR, -1, &ldap_conf.rootsasl_auth_id },
307: { "krb5_ccname", CONF_STR, -1, &ldap_conf.krb5_ccname },
308: #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
309: { NULL }
310: };
311:
312: static struct ldap_config_table ldap_conf_conn[] = {
313: #ifdef LDAP_OPT_PROTOCOL_VERSION
314: { "ldap_version", CONF_INT, LDAP_OPT_PROTOCOL_VERSION,
315: &ldap_conf.version },
1.1 misho 316: #endif
317: #ifdef LDAP_OPT_NETWORK_TIMEOUT
1.1.1.2 misho 318: { "bind_timelimit", CONF_INT, -1 /* needs timeval, set manually */,
1.1 misho 319: &ldap_conf.bind_timelimit },
1.1.1.2 misho 320: { "network_timeout", CONF_INT, -1 /* needs timeval, set manually */,
1.1 misho 321: &ldap_conf.bind_timelimit },
322: #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
1.1.1.2 misho 323: { "bind_timelimit", CONF_INT, LDAP_X_OPT_CONNECT_TIMEOUT,
1.1 misho 324: &ldap_conf.bind_timelimit },
1.1.1.2 misho 325: { "network_timeout", CONF_INT, LDAP_X_OPT_CONNECT_TIMEOUT,
1.1 misho 326: &ldap_conf.bind_timelimit },
327: #endif
1.1.1.2 misho 328: { "timelimit", CONF_INT, LDAP_OPT_TIMELIMIT, &ldap_conf.timelimit },
1.1 misho 329: #ifdef LDAP_OPT_TIMEOUT
1.1.1.2 misho 330: { "timeout", CONF_INT, -1 /* needs timeval, set manually */,
1.1 misho 331: &ldap_conf.timeout },
332: #endif
333: #ifdef LDAP_OPT_DEREF
1.1.1.2 misho 334: { "deref", CONF_DEREF_VAL, LDAP_OPT_DEREF, &ldap_conf.deref },
1.1 misho 335: #endif
1.1.1.2 misho 336: #ifdef LDAP_OPT_X_SASL_SECPROPS
337: { "sasl_secprops", CONF_STR, LDAP_OPT_X_SASL_SECPROPS,
1.1 misho 338: &ldap_conf.sasl_secprops },
1.1.1.2 misho 339: #endif
1.1 misho 340: { NULL }
341: };
342:
343: /* sudo_nss implementation */
344: static int sudo_ldap_open(struct sudo_nss *nss);
345: static int sudo_ldap_close(struct sudo_nss *nss);
346: static int sudo_ldap_parse(struct sudo_nss *nss);
347: static int sudo_ldap_setdefs(struct sudo_nss *nss);
348: static int sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag);
349: static int sudo_ldap_display_cmnd(struct sudo_nss *nss, struct passwd *pw);
350: static int sudo_ldap_display_defaults(struct sudo_nss *nss, struct passwd *pw,
351: struct lbuf *lbuf);
352: static int sudo_ldap_display_bound_defaults(struct sudo_nss *nss,
353: struct passwd *pw, struct lbuf *lbuf);
354: static int sudo_ldap_display_privs(struct sudo_nss *nss, struct passwd *pw,
355: struct lbuf *lbuf);
356: static struct ldap_result *sudo_ldap_result_get(struct sudo_nss *nss,
357: struct passwd *pw);
358:
359: /*
360: * LDAP sudo_nss handle.
361: * We store the connection to the LDAP server, the cached ldap_result object
362: * (if any), and the name of the user the query was performed for.
363: * If a new query is launched with sudo_ldap_result_get() that specifies a
364: * different user, the old cached result is freed before the new query is run.
365: */
366: struct sudo_ldap_handle {
367: LDAP *ld;
368: struct ldap_result *result;
369: char *username;
370: struct group_list *grlist;
371: };
372:
373: struct sudo_nss sudo_nss_ldap = {
374: &sudo_nss_ldap,
375: NULL,
376: sudo_ldap_open,
377: sudo_ldap_close,
378: sudo_ldap_parse,
379: sudo_ldap_setdefs,
380: sudo_ldap_lookup,
381: sudo_ldap_display_cmnd,
382: sudo_ldap_display_defaults,
383: sudo_ldap_display_bound_defaults,
384: sudo_ldap_display_privs
385: };
386:
387: #ifdef HAVE_LDAP_CREATE
388: /*
389: * Rebuild the hosts list and include a specific port for each host.
390: * ldap_create() does not take a default port parameter so we must
391: * append one if we want something other than LDAP_PORT.
392: */
393: static void
394: sudo_ldap_conf_add_ports(void)
395: {
396:
397: char *host, *port, defport[13];
398: char hostbuf[LINE_MAX * 2];
1.1.1.2 misho 399: debug_decl(sudo_ldap_conf_add_ports, SUDO_DEBUG_LDAP)
1.1 misho 400:
401: hostbuf[0] = '\0';
402: if (snprintf(defport, sizeof(defport), ":%d", ldap_conf.port) >= sizeof(defport))
1.1.1.4 misho 403: fatalx(_("sudo_ldap_conf_add_ports: port too large"));
1.1 misho 404:
405: for ((host = strtok(ldap_conf.host, " \t")); host; (host = strtok(NULL, " \t"))) {
406: if (hostbuf[0] != '\0') {
407: if (strlcat(hostbuf, " ", sizeof(hostbuf)) >= sizeof(hostbuf))
408: goto toobig;
409: }
410:
411: if (strlcat(hostbuf, host, sizeof(hostbuf)) >= sizeof(hostbuf))
412: goto toobig;
413: /* Append port if there is not one already. */
414: if ((port = strrchr(host, ':')) == NULL ||
415: !isdigit((unsigned char)port[1])) {
416: if (strlcat(hostbuf, defport, sizeof(hostbuf)) >= sizeof(hostbuf))
417: goto toobig;
418: }
419: }
420:
421: efree(ldap_conf.host);
422: ldap_conf.host = estrdup(hostbuf);
1.1.1.2 misho 423: debug_return;
1.1 misho 424:
425: toobig:
1.1.1.4 misho 426: fatalx(_("sudo_ldap_conf_add_ports: out of space expanding hostbuf"));
1.1 misho 427: }
428: #endif
429:
430: #ifndef HAVE_LDAP_INITIALIZE
431: /*
432: * For each uri, convert to host:port pairs. For ldaps:// enable SSL
433: * Accepts: uris of the form ldap:/// or ldap://hostname:portnum/
434: * where the trailing slash is optional.
435: */
436: static int
437: sudo_ldap_parse_uri(const struct ldap_config_list_str *uri_list)
438: {
439: char *buf, *uri, *host, *cp, *port;
440: char hostbuf[LINE_MAX];
441: int nldap = 0, nldaps = 0;
442: int rc = -1;
1.1.1.2 misho 443: debug_decl(sudo_ldap_parse_uri, SUDO_DEBUG_LDAP)
1.1 misho 444:
445: do {
446: buf = estrdup(uri_list->val);
447: hostbuf[0] = '\0';
448: for ((uri = strtok(buf, " \t")); uri != NULL; (uri = strtok(NULL, " \t"))) {
449: if (strncasecmp(uri, "ldap://", 7) == 0) {
450: nldap++;
451: host = uri + 7;
452: } else if (strncasecmp(uri, "ldaps://", 8) == 0) {
453: nldaps++;
454: host = uri + 8;
455: } else {
456: warningx(_("unsupported LDAP uri type: %s"), uri);
457: goto done;
458: }
459:
460: /* trim optional trailing slash */
461: if ((cp = strrchr(host, '/')) != NULL && cp[1] == '\0') {
462: *cp = '\0';
463: }
464:
465: if (hostbuf[0] != '\0') {
466: if (strlcat(hostbuf, " ", sizeof(hostbuf)) >= sizeof(hostbuf))
467: goto toobig;
468: }
469:
470: if (*host == '\0')
471: host = "localhost"; /* no host specified, use localhost */
472:
473: if (strlcat(hostbuf, host, sizeof(hostbuf)) >= sizeof(hostbuf))
474: goto toobig;
475:
476: /* If using SSL and no port specified, add port 636 */
477: if (nldaps) {
478: if ((port = strrchr(host, ':')) == NULL ||
479: !isdigit((unsigned char)port[1]))
480: if (strlcat(hostbuf, ":636", sizeof(hostbuf)) >= sizeof(hostbuf))
481: goto toobig;
482: }
483: }
484: if (hostbuf[0] == '\0') {
1.1.1.2 misho 485: warningx(_("invalid uri: %s"), uri_list->val);
1.1 misho 486: goto done;
487: }
488:
489: if (nldaps != 0) {
490: if (nldap != 0) {
491: warningx(_("unable to mix ldap and ldaps URIs"));
492: goto done;
493: }
494: if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
495: warningx(_("unable to mix ldaps and starttls"));
496: goto done;
497: }
498: ldap_conf.ssl_mode = SUDO_LDAP_SSL;
499: }
500:
501: efree(ldap_conf.host);
502: ldap_conf.host = estrdup(hostbuf);
503: efree(buf);
504: } while ((uri_list = uri_list->next));
505:
506: buf = NULL;
507: rc = 0;
508:
509: done:
510: efree(buf);
1.1.1.2 misho 511: debug_return_int(rc);
1.1 misho 512:
513: toobig:
1.1.1.4 misho 514: fatalx(_("sudo_ldap_parse_uri: out of space building hostbuf"));
1.1 misho 515: }
516: #else
517: static char *
518: sudo_ldap_join_uri(struct ldap_config_list_str *uri_list)
519: {
520: struct ldap_config_list_str *uri;
521: size_t len = 0;
522: char *buf, *cp;
1.1.1.2 misho 523: debug_decl(sudo_ldap_join_uri, SUDO_DEBUG_LDAP)
1.1 misho 524:
525: /* Usually just a single entry. */
526: if (uri_list->next == NULL)
1.1.1.2 misho 527: debug_return_str(estrdup(uri_list->val));
1.1 misho 528:
529: for (uri = uri_list; uri != NULL; uri = uri->next) {
530: len += strlen(uri->val) + 1;
531: }
532: buf = cp = emalloc(len);
533: buf[0] = '\0';
534: for (uri = uri_list; uri != NULL; uri = uri->next) {
535: cp += strlcpy(cp, uri->val, len - (cp - buf));
536: *cp++ = ' ';
537: }
538: cp[-1] = '\0';
1.1.1.2 misho 539: debug_return_str(buf);
1.1 misho 540: }
541: #endif /* HAVE_LDAP_INITIALIZE */
542:
543: static int
544: sudo_ldap_init(LDAP **ldp, const char *host, int port)
545: {
546: LDAP *ld = NULL;
547: int rc = LDAP_CONNECT_ERROR;
1.1.1.2 misho 548: debug_decl(sudo_ldap_init, SUDO_DEBUG_LDAP)
1.1 misho 549:
550: #ifdef HAVE_LDAPSSL_INIT
1.1.1.2 misho 551: if (ldap_conf.ssl_mode != SUDO_LDAP_CLEAR) {
552: const int defsecure = ldap_conf.ssl_mode == SUDO_LDAP_SSL;
1.1.1.4 misho 553: DPRINTF2("ldapssl_clientauth_init(%s, %s)",
1.1 misho 554: ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
1.1.1.4 misho 555: ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL");
1.1 misho 556: rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
557: ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
558: /*
1.1.1.2 misho 559: * Starting with version 5.0, Mozilla-derived LDAP SDKs require
560: * the cert and key paths to be a directory, not a file.
561: * If the user specified a file and it fails, try the parent dir.
1.1 misho 562: */
563: if (rc != LDAP_SUCCESS) {
1.1.1.2 misho 564: bool retry = false;
565: if (ldap_conf.tls_certfile != NULL) {
566: char *cp = strrchr(ldap_conf.tls_certfile, '/');
567: if (cp != NULL && strncmp(cp + 1, "cert", 4) == 0) {
1.1 misho 568: *cp = '\0';
1.1.1.2 misho 569: retry = true;
570: }
1.1 misho 571: }
1.1.1.2 misho 572: if (ldap_conf.tls_keyfile != NULL) {
573: char *cp = strrchr(ldap_conf.tls_keyfile, '/');
574: if (cp != NULL && strncmp(cp + 1, "key", 3) == 0) {
1.1 misho 575: *cp = '\0';
1.1.1.2 misho 576: retry = true;
577: }
1.1 misho 578: }
1.1.1.2 misho 579: if (retry) {
1.1.1.4 misho 580: DPRINTF2("ldapssl_clientauth_init(%s, %s)",
1.1.1.2 misho 581: ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
1.1.1.4 misho 582: ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL");
1.1.1.2 misho 583: rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
584: ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
1.1 misho 585: }
586: }
1.1.1.2 misho 587: if (rc != LDAP_SUCCESS) {
588: warningx(_("unable to initialize SSL cert and key db: %s"),
589: ldapssl_err2string(rc));
590: if (ldap_conf.tls_certfile == NULL)
591: warningx(_("you must set TLS_CERT in %s to use SSL"),
1.1.1.4 misho 592: path_ldap_conf);
1.1.1.2 misho 593: goto done;
594: }
1.1 misho 595:
1.1.1.4 misho 596: DPRINTF2("ldapssl_init(%s, %d, %d)", host, port, defsecure);
1.1.1.2 misho 597: if ((ld = ldapssl_init(host, port, defsecure)) != NULL)
1.1 misho 598: rc = LDAP_SUCCESS;
599: } else
1.1.1.3 misho 600: #elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT)
601: if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
1.1.1.5 ! misho 602: int sslrc;
! 603: rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
! 604: 0, &sslrc);
! 605: if (rc != LDAP_SUCCESS) {
! 606: warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
! 607: ldap_err2string(rc), sslrc);
1.1.1.3 misho 608: debug_return_int(-1);
609: }
1.1.1.4 misho 610: DPRINTF2("ldap_ssl_init(%s, %d, NULL)", host, port);
1.1.1.3 misho 611: if ((ld = ldap_ssl_init((char *)host, port, NULL)) != NULL)
612: rc = LDAP_SUCCESS;
613: } else
1.1 misho 614: #endif
615: {
616: #ifdef HAVE_LDAP_CREATE
1.1.1.4 misho 617: DPRINTF2("ldap_create()");
1.1 misho 618: if ((rc = ldap_create(&ld)) != LDAP_SUCCESS)
619: goto done;
1.1.1.4 misho 620: DPRINTF2("ldap_set_option(LDAP_OPT_HOST_NAME, %s)", host);
1.1 misho 621: rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host);
622: #else
1.1.1.4 misho 623: DPRINTF2("ldap_init(%s, %d)", host, port);
1.1.1.3 misho 624: if ((ld = ldap_init((char *)host, port)) != NULL)
1.1 misho 625: rc = LDAP_SUCCESS;
626: #endif
627: }
628:
629: done:
630: *ldp = ld;
1.1.1.2 misho 631: debug_return_int(rc);
1.1 misho 632: }
633:
634: /*
1.1.1.2 misho 635: * Walk through search results and return true if we have a matching
1.1.1.4 misho 636: * non-Unix group (including netgroups), else false.
1.1 misho 637: */
1.1.1.2 misho 638: static bool
1.1.1.4 misho 639: sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
1.1 misho 640: {
641: struct berval **bv, **p;
642: char *val;
1.1.1.2 misho 643: int ret = false;
1.1.1.4 misho 644: debug_decl(sudo_ldap_check_non_unix_group, SUDO_DEBUG_LDAP)
1.1 misho 645:
646: if (!entry)
1.1.1.2 misho 647: debug_return_bool(ret);
1.1 misho 648:
649: /* get the values from the entry */
650: bv = ldap_get_values_len(ld, entry, "sudoUser");
651: if (bv == NULL)
1.1.1.2 misho 652: debug_return_bool(ret);
1.1 misho 653:
654: /* walk through values */
655: for (p = bv; *p != NULL && !ret; p++) {
656: val = (*p)->bv_val;
1.1.1.4 misho 657: if (*val == '+') {
658: if (netgr_matches(val, NULL, NULL, pw->pw_name))
659: ret = true;
660: DPRINTF2("ldap sudoUser netgroup '%s' ... %s", val,
661: ret ? "MATCH!" : "not");
662: } else {
663: if (group_plugin_query(pw->pw_name, val + 2, pw))
664: ret = true;
665: DPRINTF2("ldap sudoUser non-Unix group '%s' ... %s", val,
666: ret ? "MATCH!" : "not");
667: }
1.1 misho 668: }
669:
670: ldap_value_free_len(bv); /* cleanup */
671:
1.1.1.2 misho 672: debug_return_bool(ret);
1.1 misho 673: }
674:
675: /*
1.1.1.2 misho 676: * Walk through search results and return true if we have a
677: * host match, else false.
678: */
679: static bool
1.1 misho 680: sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
681: {
682: struct berval **bv, **p;
683: char *val;
1.1.1.2 misho 684: bool ret = false;
685: debug_decl(sudo_ldap_check_host, SUDO_DEBUG_LDAP)
1.1 misho 686:
687: if (!entry)
1.1.1.2 misho 688: debug_return_bool(ret);
1.1 misho 689:
690: /* get the values from the entry */
691: bv = ldap_get_values_len(ld, entry, "sudoHost");
692: if (bv == NULL)
1.1.1.2 misho 693: debug_return_bool(ret);
1.1 misho 694:
695: /* walk through values */
696: for (p = bv; *p != NULL && !ret; p++) {
697: val = (*p)->bv_val;
698: /* match any or address or netgroup or hostname */
699: if (!strcmp(val, "ALL") || addr_matches(val) ||
700: netgr_matches(val, user_host, user_shost, NULL) ||
701: hostname_matches(user_shost, user_host, val))
1.1.1.2 misho 702: ret = true;
1.1.1.4 misho 703: DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
1.1 misho 704: }
705:
706: ldap_value_free_len(bv); /* cleanup */
707:
1.1.1.2 misho 708: debug_return_bool(ret);
1.1 misho 709: }
710:
711: static int
712: sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry)
713: {
714: struct berval **bv, **p;
715: char *val;
1.1.1.2 misho 716: bool ret = false;
717: debug_decl(sudo_ldap_check_runas_user, SUDO_DEBUG_LDAP)
1.1 misho 718:
719: if (!runas_pw)
1.1.1.2 misho 720: debug_return_bool(UNSPEC);
1.1 misho 721:
722: /* get the runas user from the entry */
723: bv = ldap_get_values_len(ld, entry, "sudoRunAsUser");
724: if (bv == NULL)
725: bv = ldap_get_values_len(ld, entry, "sudoRunAs"); /* old style */
726:
727: /*
728: * BUG:
729: *
730: * if runas is not specified on the command line, the only information
731: * as to which user to run as is in the runas_default option. We should
732: * check to see if we have the local option present. Unfortunately we
733: * don't parse these options until after this routine says yes or no.
734: * The query has already returned, so we could peek at the attribute
735: * values here though.
736: *
737: * For now just require users to always use -u option unless its set
738: * in the global defaults. This behaviour is no different than the global
739: * /etc/sudoers.
740: *
741: * Sigh - maybe add this feature later
742: */
743:
744: /*
745: * If there are no runas entries, match runas_default against
746: * what the user specified on the command line.
747: */
748: if (bv == NULL)
1.1.1.2 misho 749: debug_return_bool(!strcasecmp(runas_pw->pw_name, def_runas_default));
1.1 misho 750:
751: /* walk through values returned, looking for a match */
752: for (p = bv; *p != NULL && !ret; p++) {
753: val = (*p)->bv_val;
754: switch (val[0]) {
755: case '+':
756: if (netgr_matches(val, NULL, NULL, runas_pw->pw_name))
1.1.1.2 misho 757: ret = true;
1.1 misho 758: break;
759: case '%':
760: if (usergr_matches(val, runas_pw->pw_name, runas_pw))
1.1.1.2 misho 761: ret = true;
1.1 misho 762: break;
763: case 'A':
764: if (strcmp(val, "ALL") == 0) {
1.1.1.2 misho 765: ret = true;
1.1 misho 766: break;
767: }
768: /* FALLTHROUGH */
769: default:
1.1.1.4 misho 770: if (userpw_matches(val, runas_pw->pw_name, runas_pw))
1.1.1.2 misho 771: ret = true;
1.1 misho 772: break;
773: }
1.1.1.4 misho 774: DPRINTF2("ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not");
1.1 misho 775: }
776:
777: ldap_value_free_len(bv); /* cleanup */
778:
1.1.1.2 misho 779: debug_return_bool(ret);
1.1 misho 780: }
781:
782: static int
783: sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *entry)
784: {
785: struct berval **bv, **p;
786: char *val;
1.1.1.2 misho 787: bool ret = false;
788: debug_decl(sudo_ldap_check_runas_group, SUDO_DEBUG_LDAP)
1.1 misho 789:
790: /* runas_gr is only set if the user specified the -g flag */
791: if (!runas_gr)
1.1.1.2 misho 792: debug_return_bool(UNSPEC);
1.1 misho 793:
794: /* get the values from the entry */
795: bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
796: if (bv == NULL)
1.1.1.2 misho 797: debug_return_bool(ret);
1.1 misho 798:
799: /* walk through values returned, looking for a match */
800: for (p = bv; *p != NULL && !ret; p++) {
801: val = (*p)->bv_val;
802: if (strcmp(val, "ALL") == 0 || group_matches(val, runas_gr))
1.1.1.2 misho 803: ret = true;
1.1.1.4 misho 804: DPRINTF2("ldap sudoRunAsGroup '%s' ... %s",
805: val, ret ? "MATCH!" : "not");
1.1 misho 806: }
807:
808: ldap_value_free_len(bv); /* cleanup */
809:
1.1.1.2 misho 810: debug_return_bool(ret);
1.1 misho 811: }
812:
813: /*
1.1.1.2 misho 814: * Walk through search results and return true if we have a runas match,
815: * else false. RunAs info is optional.
1.1 misho 816: */
1.1.1.2 misho 817: static bool
1.1 misho 818: sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
819: {
1.1.1.2 misho 820: bool ret;
821: debug_decl(sudo_ldap_check_runas, SUDO_DEBUG_LDAP)
1.1 misho 822:
823: if (!entry)
1.1.1.2 misho 824: debug_return_bool(false);
1.1 misho 825:
1.1.1.2 misho 826: ret = sudo_ldap_check_runas_user(ld, entry) != false &&
827: sudo_ldap_check_runas_group(ld, entry) != false;
1.1 misho 828:
1.1.1.2 misho 829: debug_return_bool(ret);
1.1 misho 830: }
831:
1.1.1.4 misho 832: static struct sudo_digest *
833: sudo_ldap_extract_digest(char **cmnd, struct sudo_digest *digest)
834: {
835: char *ep, *cp = *cmnd;
836: int digest_type = SUDO_DIGEST_INVALID;
837: debug_decl(sudo_ldap_check_command, SUDO_DEBUG_LDAP)
838:
839: /*
840: * Check for and extract a digest prefix, e.g.
841: * sha224:d06a2617c98d377c250edd470fd5e576327748d82915d6e33b5f8db1 /bin/ls
842: */
843: if (cp[0] == 's' && cp[1] == 'h' && cp[2] == 'a') {
844: switch (cp[3]) {
845: case '2':
846: if (cp[4] == '2' && cp[5] == '4')
847: digest_type = SUDO_DIGEST_SHA224;
848: else if (cp[4] == '5' && cp[5] == '6')
849: digest_type = SUDO_DIGEST_SHA256;
850: break;
851: case '3':
852: if (cp[4] == '8' && cp[5] == '4')
853: digest_type = SUDO_DIGEST_SHA384;
854: break;
855: case '5':
856: if (cp[4] == '1' && cp[5] == '2')
857: digest_type = SUDO_DIGEST_SHA512;
858: break;
859: }
860: if (digest_type != SUDO_DIGEST_INVALID) {
861: cp += 6;
862: while (isblank((unsigned char)*cp))
863: cp++;
864: if (*cp == ':') {
865: cp++;
866: while (isblank((unsigned char)*cp))
867: cp++;
868: ep = cp;
869: while (*ep != '\0' && !isblank((unsigned char)*ep))
870: ep++;
871: if (*ep != '\0') {
872: digest->digest_type = digest_type;
873: digest->digest_str = estrndup(cp, (size_t)(ep - cp));
874: cp = ep + 1;
875: while (isblank((unsigned char)*cp))
876: cp++;
877: *cmnd = cp;
878: DPRINTF1("%s digest %s for %s",
879: digest_type == SUDO_DIGEST_SHA224 ? "sha224" :
880: digest_type == SUDO_DIGEST_SHA256 ? "sha256" :
881: digest_type == SUDO_DIGEST_SHA384 ? "sha384" :
882: "sha512", digest->digest_str, cp);
883: debug_return_ptr(digest);
884: }
885: }
886: }
887: }
888: debug_return_ptr(NULL);
889: }
890:
1.1 misho 891: /*
1.1.1.2 misho 892: * Walk through search results and return true if we have a command match,
893: * false if disallowed and UNSPEC if not matched.
1.1 misho 894: */
895: static int
896: sudo_ldap_check_command(LDAP *ld, LDAPMessage *entry, int *setenv_implied)
897: {
1.1.1.4 misho 898: struct sudo_digest digest, *allowed_digest = NULL;
1.1 misho 899: struct berval **bv, **p;
900: char *allowed_cmnd, *allowed_args, *val;
1.1.1.2 misho 901: bool foundbang;
902: int ret = UNSPEC;
903: debug_decl(sudo_ldap_check_command, SUDO_DEBUG_LDAP)
1.1 misho 904:
905: if (!entry)
1.1.1.2 misho 906: debug_return_bool(ret);
1.1 misho 907:
908: bv = ldap_get_values_len(ld, entry, "sudoCommand");
909: if (bv == NULL)
1.1.1.2 misho 910: debug_return_bool(ret);
1.1 misho 911:
1.1.1.2 misho 912: for (p = bv; *p != NULL && ret != false; p++) {
1.1 misho 913: val = (*p)->bv_val;
914: /* Match against ALL ? */
915: if (!strcmp(val, "ALL")) {
1.1.1.2 misho 916: ret = true;
1.1 misho 917: if (setenv_implied != NULL)
1.1.1.2 misho 918: *setenv_implied = true;
1.1.1.4 misho 919: DPRINTF2("ldap sudoCommand '%s' ... MATCH!", val);
1.1 misho 920: continue;
921: }
922:
1.1.1.4 misho 923: /* check for sha-2 digest */
924: allowed_digest = sudo_ldap_extract_digest(&val, &digest);
925:
1.1 misho 926: /* check for !command */
927: if (*val == '!') {
1.1.1.2 misho 928: foundbang = true;
1.1 misho 929: allowed_cmnd = estrdup(1 + val); /* !command */
930: } else {
1.1.1.2 misho 931: foundbang = false;
1.1 misho 932: allowed_cmnd = estrdup(val); /* command */
933: }
934:
935: /* split optional args away from command */
936: allowed_args = strchr(allowed_cmnd, ' ');
937: if (allowed_args)
938: *allowed_args++ = '\0';
939:
940: /* check the command like normal */
1.1.1.4 misho 941: if (command_matches(allowed_cmnd, allowed_args, allowed_digest)) {
1.1 misho 942: /*
943: * If allowed (no bang) set ret but keep on checking.
944: * If disallowed (bang), exit loop.
945: */
1.1.1.2 misho 946: ret = foundbang ? false : true;
1.1 misho 947: }
1.1.1.4 misho 948: DPRINTF2("ldap sudoCommand '%s' ... %s",
949: val, ret == true ? "MATCH!" : "not");
1.1 misho 950:
951: efree(allowed_cmnd); /* cleanup */
1.1.1.4 misho 952: if (allowed_digest != NULL)
953: efree(allowed_digest->digest_str);
1.1 misho 954: }
955:
956: ldap_value_free_len(bv); /* more cleanup */
957:
1.1.1.2 misho 958: debug_return_bool(ret);
1.1 misho 959: }
960:
961: /*
962: * Search for boolean "option" in sudoOption.
1.1.1.2 misho 963: * Returns true if found and allowed, false if negated, else UNSPEC.
1.1 misho 964: */
965: static int
966: sudo_ldap_check_bool(LDAP *ld, LDAPMessage *entry, char *option)
967: {
968: struct berval **bv, **p;
969: char ch, *var;
970: int ret = UNSPEC;
1.1.1.2 misho 971: debug_decl(sudo_ldap_check_bool, SUDO_DEBUG_LDAP)
1.1 misho 972:
973: if (entry == NULL)
1.1.1.2 misho 974: debug_return_bool(ret);
1.1 misho 975:
976: bv = ldap_get_values_len(ld, entry, "sudoOption");
977: if (bv == NULL)
1.1.1.2 misho 978: debug_return_bool(ret);
1.1 misho 979:
980: /* walk through options */
981: for (p = bv; *p != NULL; p++) {
982: var = (*p)->bv_val;;
1.1.1.4 misho 983: DPRINTF2("ldap sudoOption: '%s'", var);
1.1 misho 984:
985: if ((ch = *var) == '!')
986: var++;
987: if (strcmp(var, option) == 0)
988: ret = (ch != '!');
989: }
990:
991: ldap_value_free_len(bv);
992:
1.1.1.2 misho 993: debug_return_bool(ret);
1.1 misho 994: }
995:
996: /*
997: * Read sudoOption and modify the defaults as we go. This is used once
998: * from the cn=defaults entry and also once when a final sudoRole is matched.
999: */
1000: static void
1001: sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry)
1002: {
1003: struct berval **bv, **p;
1004: char op, *var, *val;
1.1.1.2 misho 1005: debug_decl(sudo_ldap_parse_options, SUDO_DEBUG_LDAP)
1.1 misho 1006:
1007: if (entry == NULL)
1.1.1.2 misho 1008: debug_return;
1.1 misho 1009:
1010: bv = ldap_get_values_len(ld, entry, "sudoOption");
1011: if (bv == NULL)
1.1.1.2 misho 1012: debug_return;
1.1 misho 1013:
1014: /* walk through options */
1015: for (p = bv; *p != NULL; p++) {
1016: var = estrdup((*p)->bv_val);
1.1.1.4 misho 1017: DPRINTF2("ldap sudoOption: '%s'", var);
1.1 misho 1018:
1019: /* check for equals sign past first char */
1020: val = strchr(var, '=');
1021: if (val > var) {
1022: *val++ = '\0'; /* split on = and truncate var */
1023: op = *(val - 2); /* peek for += or -= cases */
1024: if (op == '+' || op == '-') {
1025: *(val - 2) = '\0'; /* found, remove extra char */
1026: /* case var+=val or var-=val */
1027: set_default(var, val, (int) op);
1028: } else {
1029: /* case var=val */
1.1.1.2 misho 1030: set_default(var, val, true);
1.1 misho 1031: }
1032: } else if (*var == '!') {
1033: /* case !var Boolean False */
1.1.1.2 misho 1034: set_default(var + 1, NULL, false);
1.1 misho 1035: } else {
1036: /* case var Boolean True */
1.1.1.2 misho 1037: set_default(var, NULL, true);
1.1 misho 1038: }
1039: efree(var);
1040: }
1041:
1042: ldap_value_free_len(bv);
1.1.1.2 misho 1043:
1044: debug_return;
1.1 misho 1045: }
1046:
1047: /*
1048: * Build an LDAP timefilter.
1049: *
1050: * Stores a filter in the buffer that makes sure only entries
1051: * are selected that have a sudoNotBefore in the past and a
1052: * sudoNotAfter in the future, i.e. a filter of the following
1053: * structure (spaced out a little more for better readability:
1054: *
1055: * (&
1056: * (|
1057: * (!(sudoNotAfter=*))
1058: * (sudoNotAfter>__now__)
1059: * )
1060: * (|
1061: * (!(sudoNotBefore=*))
1062: * (sudoNotBefore<__now__)
1063: * )
1064: * )
1065: *
1066: * If either the sudoNotAfter or sudoNotBefore attributes are missing,
1067: * no time restriction shall be imposed.
1068: */
1069: static int
1070: sudo_ldap_timefilter(char *buffer, size_t buffersize)
1071: {
1072: struct tm *tp;
1073: time_t now;
1.1.1.3 misho 1074: char timebuffer[sizeof("20120727121554.0Z")];
1.1 misho 1075: int bytes = 0;
1.1.1.2 misho 1076: debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP)
1.1 misho 1077:
1078: /* Make sure we have a formatted timestamp for __now__. */
1079: time(&now);
1080: if ((tp = gmtime(&now)) == NULL) {
1081: warning(_("unable to get GMT time"));
1082: goto done;
1083: }
1084:
1085: /* Format the timestamp according to the RFC. */
1.1.1.3 misho 1086: if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", tp) == 0) {
1087: warningx(_("unable to format timestamp"));
1.1 misho 1088: goto done;
1089: }
1090:
1091: /* Build filter. */
1092: bytes = snprintf(buffer, buffersize, "(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))",
1093: timebuffer, timebuffer);
1094: if (bytes < 0 || bytes >= buffersize) {
1095: warning(_("unable to build time filter"));
1096: bytes = 0;
1097: }
1098:
1099: done:
1.1.1.2 misho 1100: debug_return_int(bytes);
1.1 misho 1101: }
1102:
1103: /*
1104: * Builds up a filter to search for default settings
1105: */
1106: static char *
1.1.1.2 misho 1107: sudo_ldap_build_default_filter(void)
1.1 misho 1108: {
1109: char *filt;
1.1.1.2 misho 1110: debug_decl(sudo_ldap_build_default_filter, SUDO_DEBUG_LDAP)
1.1 misho 1111:
1112: if (ldap_conf.search_filter)
1113: easprintf(&filt, "(&%s(cn=defaults))", ldap_conf.search_filter);
1114: else
1115: filt = estrdup("cn=defaults");
1.1.1.2 misho 1116: debug_return_str(filt);
1117: }
1118:
1119: /*
1120: * Determine length of query value after escaping characters
1121: * as per RFC 4515.
1122: */
1123: static size_t
1124: sudo_ldap_value_len(const char *value)
1125: {
1126: const char *s;
1127: size_t len = 0;
1128:
1129: for (s = value; *s != '\0'; s++) {
1130: switch (*s) {
1131: case '\\':
1132: case '(':
1133: case ')':
1134: case '*':
1135: len += 2;
1136: break;
1137: }
1138: }
1139: len += (size_t)(s - value);
1140: return len;
1141: }
1142:
1143: /*
1144: * Like strlcat() but escapes characters as per RFC 4515.
1145: */
1146: static size_t
1147: sudo_ldap_value_cat(char *dst, const char *src, size_t size)
1148: {
1149: char *d = dst;
1150: const char *s = src;
1151: size_t n = size;
1152: size_t dlen;
1153:
1154: /* Find the end of dst and adjust bytes left but don't go past end */
1155: while (n-- != 0 && *d != '\0')
1156: d++;
1157: dlen = d - dst;
1158: n = size - dlen;
1159:
1160: if (n == 0)
1161: return dlen + strlen(s);
1162: while (*s != '\0') {
1163: switch (*s) {
1164: case '\\':
1165: if (n < 3)
1166: goto done;
1167: *d++ = '\\';
1168: *d++ = '5';
1169: *d++ = 'c';
1170: n -= 3;
1171: break;
1172: case '(':
1173: if (n < 3)
1174: goto done;
1175: *d++ = '\\';
1176: *d++ = '2';
1177: *d++ = '8';
1178: n -= 3;
1179: break;
1180: case ')':
1181: if (n < 3)
1182: goto done;
1183: *d++ = '\\';
1184: *d++ = '2';
1185: *d++ = '9';
1186: n -= 3;
1187: break;
1188: case '*':
1189: if (n < 3)
1190: goto done;
1191: *d++ = '\\';
1192: *d++ = '2';
1193: *d++ = 'a';
1194: n -= 3;
1195: break;
1196: default:
1197: if (n < 1)
1198: goto done;
1199: *d++ = *s;
1200: n--;
1201: break;
1202: }
1203: s++;
1204: }
1205: done:
1206: *d = '\0';
1207: while (*s != '\0')
1208: s++;
1209: return dlen + (s - src); /* count does not include NUL */
1.1 misho 1210: }
1211:
1212: /*
1213: * Builds up a filter to check against LDAP.
1214: */
1215: static char *
1216: sudo_ldap_build_pass1(struct passwd *pw)
1217: {
1218: struct group *grp;
1.1.1.3 misho 1219: char *buf, timebuffer[TIMEFILTER_LENGTH + 1], gidbuf[MAX_UID_T_LEN + 1];
1.1 misho 1220: struct group_list *grlist;
1221: size_t sz = 0;
1222: int i;
1.1.1.2 misho 1223: debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP)
1.1 misho 1224:
1.1.1.3 misho 1225: /* If there is a filter, allocate space for the global AND. */
1226: if (ldap_conf.timed || ldap_conf.search_filter)
1227: sz += 3;
1228:
1229: /* Add LDAP search filter if present. */
1.1 misho 1230: if (ldap_conf.search_filter)
1.1.1.3 misho 1231: sz += strlen(ldap_conf.search_filter);
1.1 misho 1232:
1233: /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
1.1.1.2 misho 1234: sz += 29 + sudo_ldap_value_len(pw->pw_name);
1.1 misho 1235:
1.1.1.2 misho 1236: /* Add space for primary and supplementary groups and gids */
1.1 misho 1237: if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
1.1.1.2 misho 1238: sz += 12 + sudo_ldap_value_len(grp->gr_name);
1.1 misho 1239: }
1.1.1.2 misho 1240: sz += 13 + MAX_UID_T_LEN;
1.1.1.3 misho 1241: if ((grlist = sudo_get_grlist(pw)) != NULL) {
1.1 misho 1242: for (i = 0; i < grlist->ngroups; i++) {
1243: if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
1244: continue;
1.1.1.2 misho 1245: sz += 12 + sudo_ldap_value_len(grlist->groups[i]);
1246: }
1247: for (i = 0; i < grlist->ngids; i++) {
1248: if (pw->pw_gid == grlist->gids[i])
1249: continue;
1250: sz += 13 + MAX_UID_T_LEN;
1.1 misho 1251: }
1252: }
1253:
1254: /* If timed, add space for time limits. */
1255: if (ldap_conf.timed)
1256: sz += TIMEFILTER_LENGTH;
1257: buf = emalloc(sz);
1258: *buf = '\0';
1259:
1260: /*
1261: * If timed or using a search filter, start a global AND clause to
1262: * contain the search filter, search criteria, and time restriction.
1263: */
1264: if (ldap_conf.timed || ldap_conf.search_filter)
1265: (void) strlcpy(buf, "(&", sz);
1266:
1267: if (ldap_conf.search_filter)
1268: (void) strlcat(buf, ldap_conf.search_filter, sz);
1269:
1270: /* Global OR + sudoUser=user_name filter */
1271: (void) strlcat(buf, "(|(sudoUser=", sz);
1.1.1.2 misho 1272: (void) sudo_ldap_value_cat(buf, pw->pw_name, sz);
1.1 misho 1273: (void) strlcat(buf, ")", sz);
1274:
1.1.1.2 misho 1275: /* Append primary group and gid */
1.1 misho 1276: if (grp != NULL) {
1277: (void) strlcat(buf, "(sudoUser=%", sz);
1.1.1.2 misho 1278: (void) sudo_ldap_value_cat(buf, grp->gr_name, sz);
1.1 misho 1279: (void) strlcat(buf, ")", sz);
1280: }
1.1.1.2 misho 1281: (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_gid);
1282: (void) strlcat(buf, "(sudoUser=%#", sz);
1283: (void) strlcat(buf, gidbuf, sz);
1284: (void) strlcat(buf, ")", sz);
1.1 misho 1285:
1.1.1.2 misho 1286: /* Append supplementary groups and gids */
1.1 misho 1287: if (grlist != NULL) {
1288: for (i = 0; i < grlist->ngroups; i++) {
1289: if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
1290: continue;
1291: (void) strlcat(buf, "(sudoUser=%", sz);
1.1.1.2 misho 1292: (void) sudo_ldap_value_cat(buf, grlist->groups[i], sz);
1293: (void) strlcat(buf, ")", sz);
1294: }
1295: for (i = 0; i < grlist->ngids; i++) {
1296: if (pw->pw_gid == grlist->gids[i])
1297: continue;
1298: (void) snprintf(gidbuf, sizeof(gidbuf), "%u",
1299: (unsigned int)grlist->gids[i]);
1300: (void) strlcat(buf, "(sudoUser=%#", sz);
1301: (void) strlcat(buf, gidbuf, sz);
1.1 misho 1302: (void) strlcat(buf, ")", sz);
1303: }
1304: }
1305:
1306: /* Done with groups. */
1307: if (grlist != NULL)
1.1.1.3 misho 1308: sudo_grlist_delref(grlist);
1.1 misho 1309: if (grp != NULL)
1.1.1.3 misho 1310: sudo_gr_delref(grp);
1.1 misho 1311:
1312: /* Add ALL to list and end the global OR */
1313: if (strlcat(buf, "(sudoUser=ALL)", sz) >= sz)
1.1.1.4 misho 1314: fatalx(_("sudo_ldap_build_pass1 allocation mismatch"));
1.1 misho 1315:
1316: /* Add the time restriction, or simply end the global OR. */
1317: if (ldap_conf.timed) {
1318: strlcat(buf, ")", sz); /* closes the global OR */
1319: sudo_ldap_timefilter(timebuffer, sizeof(timebuffer));
1320: strlcat(buf, timebuffer, sz);
1321: } else if (ldap_conf.search_filter) {
1322: strlcat(buf, ")", sz); /* closes the global OR */
1323: }
1324: strlcat(buf, ")", sz); /* closes the global OR or the global AND */
1325:
1.1.1.2 misho 1326: debug_return_str(buf);
1.1 misho 1327: }
1328:
1329: /*
1.1.1.4 misho 1330: * Builds up a filter to check against non-Unix group
1331: * entries in LDAP, including netgroups.
1.1 misho 1332: */
1333: static char *
1334: sudo_ldap_build_pass2(void)
1335: {
1.1.1.3 misho 1336: char *filt, timebuffer[TIMEFILTER_LENGTH + 1];
1.1.1.2 misho 1337: debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP)
1.1 misho 1338:
1339: if (ldap_conf.timed)
1340: sudo_ldap_timefilter(timebuffer, sizeof(timebuffer));
1341:
1342: /*
1.1.1.4 misho 1343: * Match all sudoUsers beginning with '+' or '%:'.
1.1 misho 1344: * If a search filter or time restriction is specified,
1345: * those get ANDed in to the expression.
1346: */
1.1.1.4 misho 1347: if (def_group_plugin) {
1348: easprintf(&filt, "%s%s(|(sudoUser=+*)(sudoUser=%%:*))%s%s",
1349: (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
1350: ldap_conf.search_filter ? ldap_conf.search_filter : "",
1351: ldap_conf.timed ? timebuffer : "",
1352: (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
1353: } else {
1354: easprintf(&filt, "%s%s(sudoUser=+*)%s%s",
1355: (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
1356: ldap_conf.search_filter ? ldap_conf.search_filter : "",
1357: ldap_conf.timed ? timebuffer : "",
1358: (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
1359: }
1.1 misho 1360:
1.1.1.2 misho 1361: debug_return_str(filt);
1.1 misho 1362: }
1363:
1364: static void
1365: sudo_ldap_read_secret(const char *path)
1366: {
1367: FILE *fp;
1368: char buf[LINE_MAX], *cp;
1.1.1.2 misho 1369: debug_decl(sudo_ldap_read_secret, SUDO_DEBUG_LDAP)
1.1 misho 1370:
1.1.1.4 misho 1371: if ((fp = fopen(path_ldap_secret, "r")) != NULL) {
1.1 misho 1372: if (fgets(buf, sizeof(buf), fp) != NULL) {
1373: if ((cp = strchr(buf, '\n')) != NULL)
1374: *cp = '\0';
1375: /* copy to bindpw and binddn */
1376: efree(ldap_conf.bindpw);
1377: ldap_conf.bindpw = estrdup(buf);
1378: efree(ldap_conf.binddn);
1379: ldap_conf.binddn = ldap_conf.rootbinddn;
1380: ldap_conf.rootbinddn = NULL;
1381: }
1382: fclose(fp);
1383: }
1.1.1.2 misho 1384: debug_return;
1.1 misho 1385: }
1386:
1.1.1.2 misho 1387: /*
1388: * Look up keyword in config tables.
1389: * Returns true if found, else false.
1390: */
1391: static bool
1392: sudo_ldap_parse_keyword(const char *keyword, const char *value,
1393: struct ldap_config_table *table)
1394: {
1395: struct ldap_config_table *cur;
1396: debug_decl(sudo_ldap_parse_keyword, SUDO_DEBUG_LDAP)
1397:
1398: /* Look up keyword in config tables */
1399: for (cur = table; cur->conf_str != NULL; cur++) {
1400: if (strcasecmp(keyword, cur->conf_str) == 0) {
1401: switch (cur->type) {
1402: case CONF_DEREF_VAL:
1403: if (strcasecmp(value, "searching") == 0)
1404: *(int *)(cur->valp) = LDAP_DEREF_SEARCHING;
1405: else if (strcasecmp(value, "finding") == 0)
1406: *(int *)(cur->valp) = LDAP_DEREF_FINDING;
1407: else if (strcasecmp(value, "always") == 0)
1408: *(int *)(cur->valp) = LDAP_DEREF_ALWAYS;
1409: else
1410: *(int *)(cur->valp) = LDAP_DEREF_NEVER;
1411: break;
1412: case CONF_BOOL:
1413: *(int *)(cur->valp) = atobool(value) == true;
1414: break;
1415: case CONF_INT:
1416: *(int *)(cur->valp) = atoi(value);
1417: break;
1418: case CONF_STR:
1419: efree(*(char **)(cur->valp));
1420: *(char **)(cur->valp) = estrdup(value);
1421: break;
1422: case CONF_LIST_STR:
1423: {
1424: struct ldap_config_list_str **p;
1425: size_t len = strlen(value);
1426:
1427: if (len > 0) {
1428: p = (struct ldap_config_list_str **)cur->valp;
1429: while (*p != NULL)
1430: p = &(*p)->next;
1431: *p = emalloc(sizeof(struct ldap_config_list_str) + len);
1432: memcpy((*p)->val, value, len + 1);
1433: (*p)->next = NULL;
1434: }
1435: }
1436: break;
1437: }
1438: debug_return_bool(true);
1439: }
1440: }
1441: debug_return_bool(false);
1442: }
1443:
1.1.1.5 ! misho 1444: #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
! 1445: static const char *
! 1446: sudo_krb5_ccname_path(const char *old_ccname)
! 1447: {
! 1448: const char *ccname = old_ccname;
! 1449: debug_decl(sudo_krb5_ccname_path, SUDO_DEBUG_LDAP)
! 1450:
! 1451: /* Strip off leading FILE: or WRFILE: prefix. */
! 1452: switch (ccname[0]) {
! 1453: case 'F':
! 1454: case 'f':
! 1455: if (strncasecmp(ccname, "FILE:", 5) == 0)
! 1456: ccname += 5;
! 1457: break;
! 1458: case 'W':
! 1459: case 'w':
! 1460: if (strncasecmp(ccname, "WRFILE:", 7) == 0)
! 1461: ccname += 7;
! 1462: break;
! 1463: }
! 1464: sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
! 1465: "ccache %s -> %s", old_ccname, ccname);
! 1466:
! 1467: /* Credential cache must be a fully-qualified path name. */
! 1468: debug_return_str(*ccname == '/' ? ccname : NULL);
! 1469: }
! 1470:
! 1471: static bool
! 1472: sudo_check_krb5_ccname(const char *ccname)
! 1473: {
! 1474: int fd = -1;
! 1475: const char *ccname_path;
! 1476: debug_decl(sudo_check_krb5_ccname, SUDO_DEBUG_LDAP)
! 1477:
! 1478: /* Strip off prefix to get path name. */
! 1479: ccname_path = sudo_krb5_ccname_path(ccname);
! 1480: if (ccname_path == NULL) {
! 1481: sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
! 1482: "unsupported krb5 credential cache path: %s", ccname);
! 1483: debug_return_bool(false);
! 1484: }
! 1485: /* Make sure credential cache is fully-qualified and exists. */
! 1486: fd = open(ccname_path, O_RDONLY|O_NONBLOCK, 0);
! 1487: if (fd == -1) {
! 1488: sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
! 1489: "unable to open krb5 credential cache: %s", ccname_path);
! 1490: debug_return_bool(false);
! 1491: }
! 1492: close(fd);
! 1493: sudo_debug_printf(SUDO_DEBUG_INFO,
! 1494: "using krb5 credential cache: %s", ccname_path);
! 1495: debug_return_bool(true);
! 1496: }
! 1497: #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
! 1498:
1.1.1.2 misho 1499: static bool
1.1 misho 1500: sudo_ldap_read_config(void)
1501: {
1502: FILE *fp;
1.1.1.4 misho 1503: char *cp, *keyword, *value, *line = NULL;
1504: size_t linesize = 0;
1.1.1.2 misho 1505: debug_decl(sudo_ldap_read_config, SUDO_DEBUG_LDAP)
1.1 misho 1506:
1507: /* defaults */
1508: ldap_conf.version = 3;
1509: ldap_conf.port = -1;
1510: ldap_conf.tls_checkpeer = -1;
1511: ldap_conf.timelimit = -1;
1512: ldap_conf.timeout = -1;
1513: ldap_conf.bind_timelimit = -1;
1514: ldap_conf.use_sasl = -1;
1515: ldap_conf.rootuse_sasl = -1;
1516: ldap_conf.deref = -1;
1517:
1.1.1.4 misho 1518: if ((fp = fopen(path_ldap_conf, "r")) == NULL)
1.1.1.2 misho 1519: debug_return_bool(false);
1.1 misho 1520:
1.1.1.4 misho 1521: while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
1522: if (*line == '\0')
1.1 misho 1523: continue; /* skip empty line */
1524:
1525: /* split into keyword and value */
1.1.1.4 misho 1526: keyword = cp = line;
1.1 misho 1527: while (*cp && !isblank((unsigned char) *cp))
1528: cp++;
1529: if (*cp)
1530: *cp++ = '\0'; /* terminate keyword */
1531:
1532: /* skip whitespace before value */
1533: while (isblank((unsigned char) *cp))
1534: cp++;
1535: value = cp;
1536:
1.1.1.2 misho 1537: /* Look up keyword in config tables */
1538: if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
1539: sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
1.1 misho 1540: }
1.1.1.4 misho 1541: free(line);
1.1 misho 1542: fclose(fp);
1543:
1544: if (!ldap_conf.host)
1545: ldap_conf.host = estrdup("localhost");
1546:
1.1.1.4 misho 1547: DPRINTF1("LDAP Config Summary");
1548: DPRINTF1("===================");
1549: if (ldap_conf.uri) {
1550: struct ldap_config_list_str *uri = ldap_conf.uri;
1551:
1552: do {
1553: DPRINTF1("uri %s", uri->val);
1554: } while ((uri = uri->next) != NULL);
1555: } else {
1556: DPRINTF1("host %s",
1557: ldap_conf.host ? ldap_conf.host : "(NONE)");
1558: DPRINTF1("port %d", ldap_conf.port);
1559: }
1560: DPRINTF1("ldap_version %d", ldap_conf.version);
1561:
1562: if (ldap_conf.base) {
1563: struct ldap_config_list_str *base = ldap_conf.base;
1564: do {
1565: DPRINTF1("sudoers_base %s", base->val);
1566: } while ((base = base->next) != NULL);
1567: } else {
1568: DPRINTF1("sudoers_base %s", "(NONE: LDAP disabled)");
1569: }
1570: if (ldap_conf.search_filter) {
1571: DPRINTF1("search_filter %s", ldap_conf.search_filter);
1572: }
1573: DPRINTF1("binddn %s",
1574: ldap_conf.binddn ? ldap_conf.binddn : "(anonymous)");
1575: DPRINTF1("bindpw %s",
1576: ldap_conf.bindpw ? ldap_conf.bindpw : "(anonymous)");
1577: if (ldap_conf.bind_timelimit > 0) {
1578: DPRINTF1("bind_timelimit %d", ldap_conf.bind_timelimit);
1579: }
1580: if (ldap_conf.timelimit > 0) {
1581: DPRINTF1("timelimit %d", ldap_conf.timelimit);
1582: }
1583: if (ldap_conf.deref != -1) {
1584: DPRINTF1("deref %d", ldap_conf.deref);
1585: }
1586: DPRINTF1("ssl %s", ldap_conf.ssl ? ldap_conf.ssl : "(no)");
1587: if (ldap_conf.tls_checkpeer != -1) {
1588: DPRINTF1("tls_checkpeer %s",
1589: ldap_conf.tls_checkpeer ? "(yes)" : "(no)");
1590: }
1591: if (ldap_conf.tls_cacertfile != NULL) {
1592: DPRINTF1("tls_cacertfile %s", ldap_conf.tls_cacertfile);
1593: }
1594: if (ldap_conf.tls_cacertdir != NULL) {
1595: DPRINTF1("tls_cacertdir %s", ldap_conf.tls_cacertdir);
1596: }
1597: if (ldap_conf.tls_random_file != NULL) {
1598: DPRINTF1("tls_random_file %s", ldap_conf.tls_random_file);
1599: }
1600: if (ldap_conf.tls_cipher_suite != NULL) {
1601: DPRINTF1("tls_cipher_suite %s", ldap_conf.tls_cipher_suite);
1602: }
1603: if (ldap_conf.tls_certfile != NULL) {
1604: DPRINTF1("tls_certfile %s", ldap_conf.tls_certfile);
1605: }
1606: if (ldap_conf.tls_keyfile != NULL) {
1607: DPRINTF1("tls_keyfile %s", ldap_conf.tls_keyfile);
1608: }
1.1 misho 1609: #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
1.1.1.4 misho 1610: if (ldap_conf.use_sasl != -1) {
1611: DPRINTF1("use_sasl %s", ldap_conf.use_sasl ? "yes" : "no");
1612: DPRINTF1("sasl_auth_id %s",
1613: ldap_conf.sasl_auth_id ? ldap_conf.sasl_auth_id : "(NONE)");
1614: DPRINTF1("rootuse_sasl %d",
1615: ldap_conf.rootuse_sasl);
1616: DPRINTF1("rootsasl_auth_id %s",
1617: ldap_conf.rootsasl_auth_id ? ldap_conf.rootsasl_auth_id : "(NONE)");
1618: DPRINTF1("sasl_secprops %s",
1619: ldap_conf.sasl_secprops ? ldap_conf.sasl_secprops : "(NONE)");
1620: DPRINTF1("krb5_ccname %s",
1621: ldap_conf.krb5_ccname ? ldap_conf.krb5_ccname : "(NONE)");
1.1 misho 1622: }
1.1.1.4 misho 1623: #endif
1624: DPRINTF1("===================");
1625:
1.1 misho 1626: if (!ldap_conf.base)
1.1.1.2 misho 1627: debug_return_bool(false); /* if no base is defined, ignore LDAP */
1.1 misho 1628:
1629: if (ldap_conf.bind_timelimit > 0)
1630: ldap_conf.bind_timelimit *= 1000; /* convert to ms */
1631:
1632: /*
1633: * Interpret SSL option
1634: */
1635: if (ldap_conf.ssl != NULL) {
1636: if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
1637: ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
1.1.1.2 misho 1638: else if (atobool(ldap_conf.ssl) == true)
1.1 misho 1639: ldap_conf.ssl_mode = SUDO_LDAP_SSL;
1640: }
1641:
1642: #if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT)
1643: if (ldap_conf.tls_checkpeer != -1) {
1644: ldapssl_set_strength(NULL,
1645: ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK);
1646: }
1647: #endif
1648:
1649: #ifndef HAVE_LDAP_INITIALIZE
1650: /* Convert uri list to host list if no ldap_initialize(). */
1651: if (ldap_conf.uri) {
1652: struct ldap_config_list_str *uri = ldap_conf.uri;
1653: if (sudo_ldap_parse_uri(uri) != 0)
1.1.1.2 misho 1654: debug_return_bool(false);
1.1 misho 1655: do {
1656: ldap_conf.uri = uri->next;
1657: efree(uri);
1658: } while ((uri = ldap_conf.uri));
1659: ldap_conf.port = LDAP_PORT;
1660: }
1661: #endif
1662:
1663: if (!ldap_conf.uri) {
1664: /* Use port 389 for plaintext LDAP and port 636 for SSL LDAP */
1665: if (ldap_conf.port < 0)
1666: ldap_conf.port =
1667: ldap_conf.ssl_mode == SUDO_LDAP_SSL ? LDAPS_PORT : LDAP_PORT;
1668:
1669: #ifdef HAVE_LDAP_CREATE
1670: /*
1671: * Cannot specify port directly to ldap_create(), each host must
1672: * include :port to override the default.
1673: */
1674: if (ldap_conf.port != LDAP_PORT)
1675: sudo_ldap_conf_add_ports();
1676: #endif
1677: }
1678:
1679: /* If search filter is not parenthesized, make it so. */
1680: if (ldap_conf.search_filter && ldap_conf.search_filter[0] != '(') {
1681: size_t len = strlen(ldap_conf.search_filter);
1682: cp = ldap_conf.search_filter;
1683: ldap_conf.search_filter = emalloc(len + 3);
1684: ldap_conf.search_filter[0] = '(';
1685: memcpy(ldap_conf.search_filter + 1, cp, len);
1686: ldap_conf.search_filter[len + 1] = ')';
1687: ldap_conf.search_filter[len + 2] = '\0';
1688: efree(cp);
1689: }
1690:
1691: /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
1692: if (ldap_conf.rootbinddn)
1.1.1.4 misho 1693: sudo_ldap_read_secret(path_ldap_secret);
1.1 misho 1694:
1695: #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
1696: /*
1697: * Make sure we can open the file specified by krb5_ccname.
1698: */
1699: if (ldap_conf.krb5_ccname != NULL) {
1.1.1.5 ! misho 1700: if (!sudo_check_krb5_ccname(ldap_conf.krb5_ccname))
! 1701: ldap_conf.krb5_ccname = NULL;
1.1 misho 1702: }
1703: #endif
1.1.1.5 ! misho 1704:
1.1.1.2 misho 1705: debug_return_bool(true);
1.1 misho 1706: }
1707:
1708: /*
1709: * Extract the dn from an entry and return the first rdn from it.
1710: */
1711: static char *
1712: sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry)
1713: {
1714: #ifdef HAVE_LDAP_STR2DN
1715: char *dn, *rdn = NULL;
1716: LDAPDN tmpDN;
1.1.1.2 misho 1717: debug_decl(sudo_ldap_get_first_rdn, SUDO_DEBUG_LDAP)
1.1 misho 1718:
1719: if ((dn = ldap_get_dn(ld, entry)) == NULL)
1.1.1.2 misho 1720: debug_return_str(NULL);
1.1 misho 1721: if (ldap_str2dn(dn, &tmpDN, LDAP_DN_FORMAT_LDAP) == LDAP_SUCCESS) {
1722: ldap_rdn2str(tmpDN[0], &rdn, LDAP_DN_FORMAT_UFN);
1723: ldap_dnfree(tmpDN);
1724: }
1725: ldap_memfree(dn);
1.1.1.2 misho 1726: debug_return_str(rdn);
1.1 misho 1727: #else
1728: char *dn, **edn;
1.1.1.2 misho 1729: debug_decl(sudo_ldap_get_first_rdn, SUDO_DEBUG_LDAP)
1.1 misho 1730:
1731: if ((dn = ldap_get_dn(ld, entry)) == NULL)
1732: return NULL;
1733: edn = ldap_explode_dn(dn, 1);
1734: ldap_memfree(dn);
1.1.1.2 misho 1735: debug_return_str(edn ? edn[0] : NULL);
1.1 misho 1736: #endif
1737: }
1738:
1739: /*
1740: * Fetch and display the global Options.
1741: */
1742: static int
1743: sudo_ldap_display_defaults(struct sudo_nss *nss, struct passwd *pw,
1744: struct lbuf *lbuf)
1745: {
1746: struct berval **bv, **p;
1747: struct timeval tv, *tvp = NULL;
1748: struct ldap_config_list_str *base;
1749: struct sudo_ldap_handle *handle = nss->handle;
1750: LDAP *ld;
1751: LDAPMessage *entry, *result;
1752: char *prefix, *filt;
1753: int rc, count = 0;
1.1.1.2 misho 1754: debug_decl(sudo_ldap_display_defaults, SUDO_DEBUG_LDAP)
1.1 misho 1755:
1756: if (handle == NULL || handle->ld == NULL)
1757: goto done;
1758: ld = handle->ld;
1759:
1760: filt = sudo_ldap_build_default_filter();
1761: for (base = ldap_conf.base; base != NULL; base = base->next) {
1762: if (ldap_conf.timeout > 0) {
1763: tv.tv_sec = ldap_conf.timeout;
1764: tv.tv_usec = 0;
1765: tvp = &tv;
1766: }
1767: result = NULL;
1768: rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE,
1769: filt, NULL, 0, NULL, NULL, tvp, 0, &result);
1770: if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
1771: bv = ldap_get_values_len(ld, entry, "sudoOption");
1772: if (bv != NULL) {
1773: if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1]))
1774: prefix = " ";
1775: else
1776: prefix = ", ";
1777: for (p = bv; *p != NULL; p++) {
1778: lbuf_append(lbuf, "%s%s", prefix, (*p)->bv_val);
1779: prefix = ", ";
1780: count++;
1781: }
1782: ldap_value_free_len(bv);
1783: }
1784: }
1785: if (result)
1786: ldap_msgfree(result);
1787: }
1788: efree(filt);
1789: done:
1.1.1.2 misho 1790: debug_return_int(count);
1.1 misho 1791: }
1792:
1793: /*
1794: * STUB
1795: */
1796: static int
1797: sudo_ldap_display_bound_defaults(struct sudo_nss *nss, struct passwd *pw,
1798: struct lbuf *lbuf)
1799: {
1.1.1.2 misho 1800: debug_decl(sudo_ldap_display_bound_defaults, SUDO_DEBUG_LDAP)
1801: debug_return_int(0);
1.1 misho 1802: }
1803:
1804: /*
1805: * Print a record in the short form, ala file sudoers.
1806: */
1807: static int
1808: sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct lbuf *lbuf)
1809: {
1810: struct berval **bv, **p;
1811: int count = 0;
1.1.1.2 misho 1812: debug_decl(sudo_ldap_display_entry_short, SUDO_DEBUG_LDAP)
1.1 misho 1813:
1814: lbuf_append(lbuf, " (");
1815:
1816: /* get the RunAsUser Values from the entry */
1817: bv = ldap_get_values_len(ld, entry, "sudoRunAsUser");
1818: if (bv == NULL)
1819: bv = ldap_get_values_len(ld, entry, "sudoRunAs");
1820: if (bv != NULL) {
1821: for (p = bv; *p != NULL; p++) {
1822: lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
1823: }
1824: ldap_value_free_len(bv);
1825: } else
1826: lbuf_append(lbuf, "%s", def_runas_default);
1827:
1828: /* get the RunAsGroup Values from the entry */
1829: bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
1830: if (bv != NULL) {
1831: lbuf_append(lbuf, " : ");
1832: for (p = bv; *p != NULL; p++) {
1833: lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
1834: }
1835: ldap_value_free_len(bv);
1836: }
1837: lbuf_append(lbuf, ") ");
1838:
1839: /* get the Option Values from the entry */
1840: bv = ldap_get_values_len(ld, entry, "sudoOption");
1841: if (bv != NULL) {
1842: for (p = bv; *p != NULL; p++) {
1843: char *cp = (*p)->bv_val;
1844: if (*cp == '!')
1845: cp++;
1846: if (strcmp(cp, "authenticate") == 0)
1847: lbuf_append(lbuf, (*p)->bv_val[0] == '!' ?
1848: "NOPASSWD: " : "PASSWD: ");
1849: else if (strcmp(cp, "noexec") == 0)
1850: lbuf_append(lbuf, (*p)->bv_val[0] == '!' ?
1851: "EXEC: " : "NOEXEC: ");
1852: else if (strcmp(cp, "setenv") == 0)
1853: lbuf_append(lbuf, (*p)->bv_val[0] == '!' ?
1854: "NOSETENV: " : "SETENV: ");
1855: }
1856: ldap_value_free_len(bv);
1857: }
1858:
1859: /* get the Command Values from the entry */
1860: bv = ldap_get_values_len(ld, entry, "sudoCommand");
1861: if (bv != NULL) {
1862: for (p = bv; *p != NULL; p++) {
1863: lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
1864: count++;
1865: }
1866: ldap_value_free_len(bv);
1867: }
1868: lbuf_append(lbuf, "\n");
1869:
1.1.1.2 misho 1870: debug_return_int(count);
1.1 misho 1871: }
1872:
1873: /*
1874: * Print a record in the long form.
1875: */
1876: static int
1877: sudo_ldap_display_entry_long(LDAP *ld, LDAPMessage *entry, struct lbuf *lbuf)
1878: {
1879: struct berval **bv, **p;
1880: char *rdn;
1881: int count = 0;
1.1.1.2 misho 1882: debug_decl(sudo_ldap_display_entry_long, SUDO_DEBUG_LDAP)
1.1 misho 1883:
1884: /* extract the dn, only show the first rdn */
1885: rdn = sudo_ldap_get_first_rdn(ld, entry);
1886: if (rdn != NULL)
1887: lbuf_append(lbuf, _("\nLDAP Role: %s\n"), rdn);
1888: else
1889: lbuf_append(lbuf, _("\nLDAP Role: UNKNOWN\n"));
1890: if (rdn)
1891: ldap_memfree(rdn);
1892:
1893: /* get the RunAsUser Values from the entry */
1894: lbuf_append(lbuf, " RunAsUsers: ");
1895: bv = ldap_get_values_len(ld, entry, "sudoRunAsUser");
1896: if (bv == NULL)
1897: bv = ldap_get_values_len(ld, entry, "sudoRunAs");
1898: if (bv != NULL) {
1899: for (p = bv; *p != NULL; p++) {
1900: lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
1901: }
1902: ldap_value_free_len(bv);
1903: } else
1904: lbuf_append(lbuf, "%s", def_runas_default);
1905: lbuf_append(lbuf, "\n");
1906:
1907: /* get the RunAsGroup Values from the entry */
1908: bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
1909: if (bv != NULL) {
1910: lbuf_append(lbuf, " RunAsGroups: ");
1911: for (p = bv; *p != NULL; p++) {
1912: lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
1913: }
1914: ldap_value_free_len(bv);
1915: lbuf_append(lbuf, "\n");
1916: }
1917:
1918: /* get the Option Values from the entry */
1919: bv = ldap_get_values_len(ld, entry, "sudoOption");
1920: if (bv != NULL) {
1921: lbuf_append(lbuf, " Options: ");
1922: for (p = bv; *p != NULL; p++) {
1923: lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
1924: }
1925: ldap_value_free_len(bv);
1926: lbuf_append(lbuf, "\n");
1927: }
1928:
1929: /*
1930: * Display order attribute if present. This attribute is single valued,
1931: * so there is no need for a loop.
1932: */
1933: bv = ldap_get_values_len(ld, entry, "sudoOrder");
1934: if (bv != NULL) {
1935: if (*bv != NULL) {
1936: lbuf_append(lbuf, _(" Order: %s\n"), (*bv)->bv_val);
1937: }
1938: ldap_value_free_len(bv);
1939: }
1940:
1941: /* Get the command values from the entry. */
1942: bv = ldap_get_values_len(ld, entry, "sudoCommand");
1943: if (bv != NULL) {
1944: lbuf_append(lbuf, _(" Commands:\n"));
1945: for (p = bv; *p != NULL; p++) {
1946: lbuf_append(lbuf, "\t%s\n", (*p)->bv_val);
1947: count++;
1948: }
1949: ldap_value_free_len(bv);
1950: }
1951:
1.1.1.2 misho 1952: debug_return_int(count);
1.1 misho 1953: }
1954:
1955: /*
1956: * Like sudo_ldap_lookup(), except we just print entries.
1957: */
1958: static int
1959: sudo_ldap_display_privs(struct sudo_nss *nss, struct passwd *pw,
1960: struct lbuf *lbuf)
1961: {
1962: struct sudo_ldap_handle *handle = nss->handle;
1963: LDAP *ld;
1964: struct ldap_result *lres;
1965: LDAPMessage *entry;
1966: int i, count = 0;
1.1.1.2 misho 1967: debug_decl(sudo_ldap_display_privs, SUDO_DEBUG_LDAP)
1.1 misho 1968:
1969: if (handle == NULL || handle->ld == NULL)
1970: goto done;
1971: ld = handle->ld;
1972:
1.1.1.4 misho 1973: DPRINTF1("ldap search for command list");
1.1 misho 1974: lres = sudo_ldap_result_get(nss, pw);
1975:
1976: /* Display all matching entries. */
1977: for (i = 0; i < lres->nentries; i++) {
1978: entry = lres->entries[i].entry;
1979: if (long_list)
1980: count += sudo_ldap_display_entry_long(ld, entry, lbuf);
1981: else
1982: count += sudo_ldap_display_entry_short(ld, entry, lbuf);
1983: }
1984:
1985: done:
1.1.1.2 misho 1986: debug_return_int(count);
1.1 misho 1987: }
1988:
1989: static int
1990: sudo_ldap_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
1991: {
1992: struct sudo_ldap_handle *handle = nss->handle;
1993: LDAP *ld;
1994: struct ldap_result *lres;
1995: LDAPMessage *entry;
1.1.1.2 misho 1996: bool found = false;
1997: int i;
1998: debug_decl(sudo_ldap_display_cmnd, SUDO_DEBUG_LDAP)
1.1 misho 1999:
2000: if (handle == NULL || handle->ld == NULL)
2001: goto done;
2002: ld = handle->ld;
2003:
2004: /*
2005: * The sudo_ldap_result_get() function returns all nodes that match
2006: * the user and the host.
2007: */
1.1.1.4 misho 2008: DPRINTF1("ldap search for command list");
1.1 misho 2009: lres = sudo_ldap_result_get(nss, pw);
2010: for (i = 0; i < lres->nentries; i++) {
2011: entry = lres->entries[i].entry;
2012: if (sudo_ldap_check_command(ld, entry, NULL) &&
2013: sudo_ldap_check_runas(ld, entry)) {
1.1.1.2 misho 2014: found = true;
1.1 misho 2015: goto done;
2016: }
2017: }
2018:
2019: done:
2020: if (found)
2021: printf("%s%s%s\n", safe_cmnd ? safe_cmnd : user_cmnd,
2022: user_args ? " " : "", user_args ? user_args : "");
1.1.1.2 misho 2023: debug_return_bool(!found);
1.1 misho 2024: }
2025:
2026: #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
1.1.1.5 ! misho 2027: static unsigned int (*sudo_gss_krb5_ccache_name)(unsigned int *minor_status, const char *name, const char **old_name);
! 2028:
! 2029: static int
! 2030: sudo_set_krb5_ccache_name(const char *name, const char **old_name)
! 2031: {
! 2032: int rc = 0;
! 2033: unsigned int junk;
! 2034: static bool initialized;
! 2035: debug_decl(sudo_set_krb5_ccache_name, SUDO_DEBUG_LDAP)
! 2036:
! 2037: if (!initialized) {
! 2038: sudo_gss_krb5_ccache_name = dlsym(RTLD_DEFAULT, "gss_krb5_ccache_name");
! 2039: initialized = true;
! 2040: }
! 2041:
! 2042: /*
! 2043: * Try to use gss_krb5_ccache_name() if possible.
! 2044: * We also need to set KRB5CCNAME since some LDAP libs may not use
! 2045: * gss_krb5_ccache_name().
! 2046: */
! 2047: if (sudo_gss_krb5_ccache_name != NULL) {
! 2048: rc = sudo_gss_krb5_ccache_name(&junk, name, old_name);
! 2049: } else {
! 2050: /* No gss_krb5_ccache_name(), fall back on KRB5CCNAME. */
! 2051: if (old_name != NULL)
! 2052: *old_name = sudo_getenv("KRB5CCNAME");
! 2053: }
! 2054: if (name != NULL && *name != '\0')
! 2055: sudo_setenv("KRB5CCNAME", name, true);
! 2056: else
! 2057: sudo_unsetenv("KRB5CCNAME");
! 2058:
! 2059: debug_return_int(rc);
! 2060: }
! 2061:
! 2062: /*
! 2063: * Make a copy of the credential cache file specified by KRB5CCNAME
! 2064: * which must be readable by the user. The resulting cache file
! 2065: * is root-owned and will be removed after authenticating via SASL.
! 2066: */
! 2067: static char *
! 2068: sudo_krb5_copy_cc_file(const char *old_ccname)
! 2069: {
! 2070: int ofd, nfd;
! 2071: ssize_t nread, nwritten = -1;
! 2072: static char new_ccname[sizeof(_PATH_TMP) + sizeof("sudocc_XXXXXXXX") - 1];
! 2073: char buf[10240], *ret = NULL;
! 2074: debug_decl(sudo_krb5_copy_cc_file, SUDO_DEBUG_LDAP)
! 2075:
! 2076: old_ccname = sudo_krb5_ccname_path(old_ccname);
! 2077: if (old_ccname != NULL) {
! 2078: /* Open credential cache as user to prevent stolen creds. */
! 2079: set_perms(PERM_USER);
! 2080: ofd = open(old_ccname, O_RDONLY|O_NONBLOCK);
! 2081: restore_perms();
! 2082:
! 2083: if (ofd != -1) {
! 2084: (void) fcntl(ofd, F_SETFL, 0);
! 2085: if (lock_file(ofd, SUDO_LOCK)) {
! 2086: snprintf(new_ccname, sizeof(new_ccname), "%s%s",
! 2087: _PATH_TMP, "sudocc_XXXXXXXX");
! 2088: nfd = mkstemp(new_ccname);
! 2089: if (nfd != -1) {
! 2090: sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
! 2091: "copy ccache %s -> %s", old_ccname, new_ccname);
! 2092: while ((nread = read(ofd, buf, sizeof(buf))) > 0) {
! 2093: ssize_t off = 0;
! 2094: do {
! 2095: nwritten = write(nfd, buf + off, nread - off);
! 2096: if (nwritten == -1) {
! 2097: warning("error writing to %s", new_ccname);
! 2098: goto write_error;
! 2099: }
! 2100: off += nwritten;
! 2101: } while (off < nread);
! 2102: }
! 2103: if (nread == -1)
! 2104: warning("unable to read %s", new_ccname);
! 2105: write_error:
! 2106: close(nfd);
! 2107: if (nread != -1 && nwritten != -1) {
! 2108: ret = new_ccname; /* success! */
! 2109: } else {
! 2110: unlink(new_ccname); /* failed */
! 2111: }
! 2112: } else {
! 2113: warning("unable to create temp file %s", new_ccname);
! 2114: }
! 2115: }
! 2116: close(ofd);
! 2117: } else {
! 2118: sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
! 2119: "unable to open %s", old_ccname);
! 2120: }
! 2121: }
! 2122: debug_return_str(ret);
! 2123: }
! 2124:
1.1 misho 2125: static int
2126: sudo_ldap_sasl_interact(LDAP *ld, unsigned int flags, void *_auth_id,
2127: void *_interact)
2128: {
2129: char *auth_id = (char *)_auth_id;
2130: sasl_interact_t *interact = (sasl_interact_t *)_interact;
1.1.1.5 ! misho 2131: int rc = LDAP_SUCCESS;
1.1.1.2 misho 2132: debug_decl(sudo_ldap_sasl_interact, SUDO_DEBUG_LDAP)
1.1 misho 2133:
2134: for (; interact->id != SASL_CB_LIST_END; interact++) {
1.1.1.5 ! misho 2135: if (interact->id != SASL_CB_USER) {
! 2136: warningx("sudo_ldap_sasl_interact: unexpected interact id %lu",
! 2137: interact->id);
! 2138: rc = LDAP_PARAM_ERROR;
! 2139: break;
! 2140: }
1.1 misho 2141:
2142: if (auth_id != NULL)
2143: interact->result = auth_id;
2144: else if (interact->defresult != NULL)
2145: interact->result = interact->defresult;
2146: else
2147: interact->result = "";
2148:
2149: interact->len = strlen(interact->result);
2150: #if SASL_VERSION_MAJOR < 2
1.1.1.5 ! misho 2151: interact->result = strdup(interact->result);
! 2152: if (interact->result == NULL) {
! 2153: rc = LDAP_NO_MEMORY;
! 2154: break;
! 2155: }
1.1 misho 2156: #endif /* SASL_VERSION_MAJOR < 2 */
1.1.1.5 ! misho 2157: DPRINTF2("sudo_ldap_sasl_interact: SASL_CB_USER %s",
! 2158: (const char *)interact->result);
1.1 misho 2159: }
1.1.1.5 ! misho 2160: debug_return_int(rc);
1.1 misho 2161: }
2162: #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
2163:
2164: /*
1.1.1.2 misho 2165: * Set LDAP options from the specified options table
1.1 misho 2166: */
2167: static int
1.1.1.2 misho 2168: sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table)
1.1 misho 2169: {
2170: struct ldap_config_table *cur;
1.1.1.3 misho 2171: int ival, rc, errors = 0;
1.1.1.2 misho 2172: char *sval;
2173: debug_decl(sudo_ldap_set_options_table, SUDO_DEBUG_LDAP)
1.1 misho 2174:
1.1.1.2 misho 2175: for (cur = table; cur->conf_str != NULL; cur++) {
1.1 misho 2176: if (cur->opt_val == -1)
2177: continue;
2178:
2179: switch (cur->type) {
2180: case CONF_BOOL:
2181: case CONF_INT:
2182: ival = *(int *)(cur->valp);
2183: if (ival >= 0) {
1.1.1.4 misho 2184: DPRINTF1("ldap_set_option: %s -> %d", cur->conf_str, ival);
1.1.1.2 misho 2185: rc = ldap_set_option(ld, cur->opt_val, &ival);
1.1 misho 2186: if (rc != LDAP_OPT_SUCCESS) {
2187: warningx("ldap_set_option: %s -> %d: %s",
2188: cur->conf_str, ival, ldap_err2string(rc));
1.1.1.3 misho 2189: errors++;
1.1 misho 2190: }
2191: }
2192: break;
2193: case CONF_STR:
2194: sval = *(char **)(cur->valp);
2195: if (sval != NULL) {
1.1.1.4 misho 2196: DPRINTF1("ldap_set_option: %s -> %s", cur->conf_str, sval);
1.1.1.2 misho 2197: rc = ldap_set_option(ld, cur->opt_val, sval);
1.1 misho 2198: if (rc != LDAP_OPT_SUCCESS) {
2199: warningx("ldap_set_option: %s -> %s: %s",
2200: cur->conf_str, sval, ldap_err2string(rc));
1.1.1.3 misho 2201: errors++;
1.1 misho 2202: }
2203: }
2204: break;
2205: }
2206: }
1.1.1.3 misho 2207: debug_return_int(errors ? -1 : 0);
1.1.1.2 misho 2208: }
2209:
2210: /*
2211: * Set LDAP options based on the global config table.
2212: */
2213: static int
2214: sudo_ldap_set_options_global(void)
2215: {
2216: int rc;
2217: debug_decl(sudo_ldap_set_options_global, SUDO_DEBUG_LDAP)
2218:
2219: /* Set ber options */
2220: #ifdef LBER_OPT_DEBUG_LEVEL
2221: if (ldap_conf.ldap_debug)
2222: ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug);
2223: #endif
2224:
2225: /* Parse global LDAP options table. */
2226: rc = sudo_ldap_set_options_table(NULL, ldap_conf_global);
2227: if (rc == -1)
2228: debug_return_int(-1);
2229: debug_return_int(0);
2230: }
2231:
2232: /*
2233: * Set LDAP options based on the per-connection config table.
2234: */
2235: static int
2236: sudo_ldap_set_options_conn(LDAP *ld)
2237: {
2238: int rc;
2239: debug_decl(sudo_ldap_set_options_conn, SUDO_DEBUG_LDAP)
2240:
2241: /* Parse per-connection LDAP options table. */
2242: rc = sudo_ldap_set_options_table(ld, ldap_conf_conn);
2243: if (rc == -1)
2244: debug_return_int(-1);
1.1 misho 2245:
2246: #ifdef LDAP_OPT_TIMEOUT
2247: /* Convert timeout to a timeval */
2248: if (ldap_conf.timeout > 0) {
2249: struct timeval tv;
2250: tv.tv_sec = ldap_conf.timeout;
2251: tv.tv_usec = 0;
1.1.1.4 misho 2252: DPRINTF1("ldap_set_option(LDAP_OPT_TIMEOUT, %d)", ldap_conf.timeout);
1.1 misho 2253: rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv);
2254: if (rc != LDAP_OPT_SUCCESS) {
1.1.1.4 misho 2255: warningx("ldap_set_option(TIMEOUT, %d): %s",
2256: ldap_conf.timeout, ldap_err2string(rc));
1.1 misho 2257: }
2258: }
2259: #endif
2260: #ifdef LDAP_OPT_NETWORK_TIMEOUT
2261: /* Convert bind_timelimit to a timeval */
2262: if (ldap_conf.bind_timelimit > 0) {
2263: struct timeval tv;
2264: tv.tv_sec = ldap_conf.bind_timelimit / 1000;
2265: tv.tv_usec = 0;
1.1.1.4 misho 2266: DPRINTF1("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %d)",
2267: ldap_conf.bind_timelimit / 1000);
1.1 misho 2268: rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
1.1.1.3 misho 2269: # if !defined(LDAP_OPT_CONNECT_TIMEOUT) || LDAP_VENDOR_VERSION != 510
2270: /* Tivoli Directory Server 6.3 libs always return a (bogus) error. */
1.1 misho 2271: if (rc != LDAP_OPT_SUCCESS) {
1.1.1.4 misho 2272: warningx("ldap_set_option(NETWORK_TIMEOUT, %d): %s",
2273: ldap_conf.bind_timelimit / 1000, ldap_err2string(rc));
1.1 misho 2274: }
1.1.1.3 misho 2275: # endif
1.1 misho 2276: }
2277: #endif
2278:
2279: #if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT)
2280: if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
2281: int val = LDAP_OPT_X_TLS_HARD;
1.1.1.4 misho 2282: DPRINTF1("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)");
1.1 misho 2283: rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
2284: if (rc != LDAP_SUCCESS) {
2285: warningx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s",
2286: ldap_err2string(rc));
1.1.1.2 misho 2287: debug_return_int(-1);
1.1 misho 2288: }
2289: }
2290: #endif
1.1.1.2 misho 2291: debug_return_int(0);
1.1 misho 2292: }
2293:
2294: /*
2295: * Create a new sudo_ldap_result structure.
2296: */
2297: static struct ldap_result *
2298: sudo_ldap_result_alloc(void)
2299: {
2300: struct ldap_result *result;
1.1.1.2 misho 2301: debug_decl(sudo_ldap_result_alloc, SUDO_DEBUG_LDAP)
1.1 misho 2302:
1.1.1.2 misho 2303: debug_return_ptr(ecalloc(1, sizeof(*result)));
1.1 misho 2304: }
2305:
2306: /*
2307: * Free the ldap result structure
2308: */
2309: static void
2310: sudo_ldap_result_free(struct ldap_result *lres)
2311: {
2312: struct ldap_search_list *s;
1.1.1.2 misho 2313: debug_decl(sudo_ldap_result_free, SUDO_DEBUG_LDAP)
1.1 misho 2314:
2315: if (lres != NULL) {
2316: if (lres->nentries) {
2317: efree(lres->entries);
2318: lres->entries = NULL;
2319: }
2320: if (lres->searches) {
2321: while ((s = lres->searches) != NULL) {
2322: ldap_msgfree(s->searchresult);
2323: lres->searches = s->next;
2324: efree(s);
2325: }
2326: }
2327: efree(lres);
2328: }
1.1.1.2 misho 2329: debug_return;
1.1 misho 2330: }
2331:
2332: /*
2333: * Add a search result to the ldap_result structure.
2334: */
2335: static struct ldap_search_list *
2336: sudo_ldap_result_add_search(struct ldap_result *lres, LDAP *ldap,
2337: LDAPMessage *searchresult)
2338: {
2339: struct ldap_search_list *s, *news;
1.1.1.2 misho 2340: debug_decl(sudo_ldap_result_add_search, SUDO_DEBUG_LDAP)
1.1 misho 2341:
1.1.1.2 misho 2342: news = ecalloc(1, sizeof(struct ldap_search_list));
1.1 misho 2343: news->ldap = ldap;
2344: news->searchresult = searchresult;
1.1.1.2 misho 2345: /* news->next = NULL; */
1.1 misho 2346:
2347: /* Add entry to the end of the chain (XXX - tailq instead?). */
2348: if (lres->searches) {
2349: for (s = lres->searches; s->next != NULL; s = s->next)
2350: continue;
2351: s->next = news;
2352: } else {
2353: lres->searches = news;
2354: }
1.1.1.2 misho 2355: debug_return_ptr(news);
1.1 misho 2356: }
2357:
2358: /*
2359: * Connect to the LDAP server specified by ld
2360: */
2361: static int
2362: sudo_ldap_bind_s(LDAP *ld)
2363: {
2364: int rc;
1.1.1.2 misho 2365: debug_decl(sudo_ldap_bind_s, SUDO_DEBUG_LDAP)
1.1 misho 2366:
2367: #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
1.1.1.2 misho 2368: if (ldap_conf.rootuse_sasl == true ||
2369: (ldap_conf.rootuse_sasl != false && ldap_conf.use_sasl == true)) {
1.1.1.5 ! misho 2370: const char *old_ccname = NULL;
! 2371: const char *new_ccname = ldap_conf.krb5_ccname;
! 2372: const char *tmp_ccname = NULL;
1.1 misho 2373: void *auth_id = ldap_conf.rootsasl_auth_id ?
2374: ldap_conf.rootsasl_auth_id : ldap_conf.sasl_auth_id;
2375:
1.1.1.5 ! misho 2376: /* Make temp copy of the user's credential cache as needed. */
! 2377: if (ldap_conf.krb5_ccname == NULL && user_ccname != NULL) {
! 2378: new_ccname = tmp_ccname = sudo_krb5_copy_cc_file(user_ccname);
! 2379: if (tmp_ccname == NULL) {
! 2380: sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
! 2381: "unable to copy user ccache %s", user_ccname);
! 2382: }
! 2383: }
! 2384:
! 2385: if (new_ccname != NULL) {
! 2386: rc = sudo_set_krb5_ccache_name(new_ccname, &old_ccname);
! 2387: if (rc == 0) {
! 2388: sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
! 2389: "set ccache name %s -> %s",
! 2390: old_ccname ? old_ccname : "(none)", new_ccname);
! 2391: } else {
1.1.1.4 misho 2392: sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
1.1.1.5 ! misho 2393: "gss_krb5_ccache_name() failed: %d", rc);
1.1 misho 2394: }
2395: }
2396: rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
2397: NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
1.1.1.5 ! misho 2398: if (new_ccname != NULL) {
! 2399: rc = sudo_set_krb5_ccache_name(old_ccname, NULL);
! 2400: if (rc == 0) {
! 2401: sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
! 2402: "restore ccache name %s -> %s", new_ccname, old_ccname);
! 2403: } else {
! 2404: sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
! 2405: "gss_krb5_ccache_name() failed: %d", rc);
! 2406: }
! 2407: /* Remove temporary copy of user's credential cache. */
! 2408: if (tmp_ccname != NULL)
! 2409: unlink(tmp_ccname);
1.1 misho 2410: }
2411: if (rc != LDAP_SUCCESS) {
2412: warningx("ldap_sasl_interactive_bind_s(): %s",
2413: ldap_err2string(rc));
1.1.1.2 misho 2414: debug_return_int(-1);
1.1 misho 2415: }
1.1.1.4 misho 2416: DPRINTF1("ldap_sasl_interactive_bind_s() ok");
1.1 misho 2417: } else
2418: #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
2419: #ifdef HAVE_LDAP_SASL_BIND_S
2420: {
2421: struct berval bv;
2422:
2423: bv.bv_val = ldap_conf.bindpw ? ldap_conf.bindpw : "";
2424: bv.bv_len = strlen(bv.bv_val);
2425:
2426: rc = ldap_sasl_bind_s(ld, ldap_conf.binddn, LDAP_SASL_SIMPLE, &bv,
2427: NULL, NULL, NULL);
2428: if (rc != LDAP_SUCCESS) {
2429: warningx("ldap_sasl_bind_s(): %s", ldap_err2string(rc));
1.1.1.2 misho 2430: debug_return_int(-1);
1.1 misho 2431: }
1.1.1.4 misho 2432: DPRINTF1("ldap_sasl_bind_s() ok");
1.1 misho 2433: }
2434: #else
2435: {
2436: rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw);
2437: if (rc != LDAP_SUCCESS) {
2438: warningx("ldap_simple_bind_s(): %s", ldap_err2string(rc));
1.1.1.2 misho 2439: debug_return_int(-1);
1.1 misho 2440: }
1.1.1.4 misho 2441: DPRINTF1("ldap_simple_bind_s() ok");
1.1 misho 2442: }
2443: #endif
1.1.1.2 misho 2444: debug_return_int(0);
1.1 misho 2445: }
2446:
2447: /*
2448: * Open a connection to the LDAP server.
2449: * Returns 0 on success and non-zero on failure.
2450: */
2451: static int
2452: sudo_ldap_open(struct sudo_nss *nss)
2453: {
2454: LDAP *ld;
1.1.1.2 misho 2455: int rc;
2456: bool ldapnoinit = false;
2457: struct sudo_ldap_handle *handle;
2458: debug_decl(sudo_ldap_open, SUDO_DEBUG_LDAP)
1.1 misho 2459:
2460: if (!sudo_ldap_read_config())
1.1.1.2 misho 2461: debug_return_int(-1);
1.1 misho 2462:
2463: /* Prevent reading of user ldaprc and system defaults. */
1.1.1.2 misho 2464: if (sudo_getenv("LDAPNOINIT") == NULL) {
2465: ldapnoinit = true;
2466: sudo_setenv("LDAPNOINIT", "1", true);
1.1 misho 2467: }
2468:
1.1.1.2 misho 2469: /* Set global LDAP options */
2470: if (sudo_ldap_set_options_global() < 0)
2471: debug_return_int(-1);
2472:
1.1 misho 2473: /* Connect to LDAP server */
2474: #ifdef HAVE_LDAP_INITIALIZE
2475: if (ldap_conf.uri != NULL) {
2476: char *buf = sudo_ldap_join_uri(ldap_conf.uri);
1.1.1.4 misho 2477: DPRINTF2("ldap_initialize(ld, %s)", buf);
1.1 misho 2478: rc = ldap_initialize(&ld, buf);
2479: efree(buf);
1.1.1.2 misho 2480: if (rc != LDAP_SUCCESS)
2481: warningx(_("unable to initialize LDAP: %s"), ldap_err2string(rc));
1.1 misho 2482: } else
2483: #endif
2484: rc = sudo_ldap_init(&ld, ldap_conf.host, ldap_conf.port);
1.1.1.2 misho 2485: if (rc != LDAP_SUCCESS)
2486: debug_return_int(-1);
1.1 misho 2487:
1.1.1.2 misho 2488: /* Set LDAP per-connection options */
2489: if (sudo_ldap_set_options_conn(ld) < 0)
2490: debug_return_int(-1);
1.1 misho 2491:
1.1.1.2 misho 2492: if (ldapnoinit)
2493: sudo_unsetenv("LDAPNOINIT");
1.1 misho 2494:
2495: if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
2496: #if defined(HAVE_LDAP_START_TLS_S)
2497: rc = ldap_start_tls_s(ld, NULL, NULL);
2498: if (rc != LDAP_SUCCESS) {
2499: warningx("ldap_start_tls_s(): %s", ldap_err2string(rc));
1.1.1.2 misho 2500: debug_return_int(-1);
1.1 misho 2501: }
1.1.1.4 misho 2502: DPRINTF1("ldap_start_tls_s() ok");
1.1 misho 2503: #elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
1.1.1.5 ! misho 2504: int sslrc;
! 2505: rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
! 2506: 0, &sslrc);
! 2507: if (rc != LDAP_SUCCESS) {
! 2508: warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
! 2509: ldap_err2string(rc), sslrc);
1.1.1.2 misho 2510: debug_return_int(-1);
1.1 misho 2511: }
2512: rc = ldap_start_tls_s_np(ld, NULL);
2513: if (rc != LDAP_SUCCESS) {
2514: warningx("ldap_start_tls_s_np(): %s", ldap_err2string(rc));
1.1.1.2 misho 2515: debug_return_int(-1);
1.1 misho 2516: }
1.1.1.4 misho 2517: DPRINTF1("ldap_start_tls_s_np() ok");
1.1 misho 2518: #else
2519: warningx(_("start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"));
2520: #endif /* !HAVE_LDAP_START_TLS_S && !HAVE_LDAP_START_TLS_S_NP */
2521: }
2522:
2523: /* Actually connect */
2524: if (sudo_ldap_bind_s(ld) != 0)
1.1.1.2 misho 2525: debug_return_int(-1);
1.1 misho 2526:
2527: /* Create a handle container. */
1.1.1.2 misho 2528: handle = ecalloc(1, sizeof(struct sudo_ldap_handle));
1.1 misho 2529: handle->ld = ld;
1.1.1.2 misho 2530: /* handle->result = NULL; */
2531: /* handle->username = NULL; */
2532: /* handle->grlist = NULL; */
1.1 misho 2533: nss->handle = handle;
2534:
1.1.1.2 misho 2535: debug_return_int(0);
1.1 misho 2536: }
2537:
2538: static int
2539: sudo_ldap_setdefs(struct sudo_nss *nss)
2540: {
2541: struct ldap_config_list_str *base;
2542: struct sudo_ldap_handle *handle = nss->handle;
2543: struct timeval tv, *tvp = NULL;
2544: LDAP *ld;
2545: LDAPMessage *entry, *result;
2546: char *filt;
2547: int rc;
1.1.1.2 misho 2548: debug_decl(sudo_ldap_setdefs, SUDO_DEBUG_LDAP)
1.1 misho 2549:
2550: if (handle == NULL || handle->ld == NULL)
1.1.1.2 misho 2551: debug_return_int(-1);
1.1 misho 2552: ld = handle->ld;
2553:
2554: filt = sudo_ldap_build_default_filter();
1.1.1.4 misho 2555: DPRINTF1("Looking for cn=defaults: %s", filt);
1.1 misho 2556:
2557: for (base = ldap_conf.base; base != NULL; base = base->next) {
2558: if (ldap_conf.timeout > 0) {
2559: tv.tv_sec = ldap_conf.timeout;
2560: tv.tv_usec = 0;
2561: tvp = &tv;
2562: }
2563: result = NULL;
2564: rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE,
2565: filt, NULL, 0, NULL, NULL, tvp, 0, &result);
2566: if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
1.1.1.4 misho 2567: DPRINTF1("found:%s", ldap_get_dn(ld, entry));
1.1 misho 2568: sudo_ldap_parse_options(ld, entry);
1.1.1.4 misho 2569: } else {
2570: DPRINTF1("no default options found in %s", base->val);
2571: }
1.1 misho 2572: if (result)
2573: ldap_msgfree(result);
2574: }
2575: efree(filt);
2576:
1.1.1.2 misho 2577: debug_return_int(0);
1.1 misho 2578: }
2579:
2580: /*
2581: * like sudoers_lookup() - only LDAP style
2582: */
2583: static int
2584: sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
2585: {
2586: struct sudo_ldap_handle *handle = nss->handle;
2587: LDAP *ld;
2588: LDAPMessage *entry;
2589: int i, rc, setenv_implied;
2590: struct ldap_result *lres = NULL;
1.1.1.2 misho 2591: debug_decl(sudo_ldap_lookup, SUDO_DEBUG_LDAP)
1.1 misho 2592:
2593: if (handle == NULL || handle->ld == NULL)
1.1.1.2 misho 2594: debug_return_int(ret);
1.1 misho 2595: ld = handle->ld;
2596:
2597: /* Fetch list of sudoRole entries that match user and host. */
2598: lres = sudo_ldap_result_get(nss, sudo_user.pw);
2599:
2600: /*
2601: * The following queries are only determine whether or not a
2602: * password is required, so the order of the entries doesn't matter.
2603: */
2604: if (pwflag) {
2605: int doauth = UNSPEC;
2606: int matched = UNSPEC;
2607: enum def_tuple pwcheck =
2608: (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
2609:
1.1.1.4 misho 2610: DPRINTF1("perform search for pwflag %d", pwflag);
1.1 misho 2611: for (i = 0; i < lres->nentries; i++) {
2612: entry = lres->entries[i].entry;
1.1.1.2 misho 2613: if ((pwcheck == any && doauth != false) ||
2614: (pwcheck == all && doauth == false)) {
1.1 misho 2615: doauth = sudo_ldap_check_bool(ld, entry, "authenticate");
2616: }
2617: /* Only check the command when listing another user. */
2618: if (user_uid == 0 || list_pw == NULL ||
2619: user_uid == list_pw->pw_uid ||
2620: sudo_ldap_check_command(ld, entry, NULL)) {
1.1.1.2 misho 2621: matched = true;
1.1 misho 2622: break;
2623: }
2624: }
2625: if (matched || user_uid == 0) {
2626: SET(ret, VALIDATE_OK);
2627: CLR(ret, VALIDATE_NOT_OK);
2628: if (def_authenticate) {
2629: switch (pwcheck) {
2630: case always:
2631: SET(ret, FLAG_CHECK_USER);
2632: break;
2633: case all:
2634: case any:
1.1.1.2 misho 2635: if (doauth == false)
2636: def_authenticate = false;
1.1 misho 2637: break;
2638: case never:
1.1.1.2 misho 2639: def_authenticate = false;
1.1 misho 2640: break;
2641: default:
2642: break;
2643: }
2644: }
2645: }
2646: goto done;
2647: }
2648:
1.1.1.4 misho 2649: DPRINTF1("searching LDAP for sudoers entries");
1.1 misho 2650:
1.1.1.2 misho 2651: setenv_implied = false;
1.1 misho 2652: for (i = 0; i < lres->nentries; i++) {
2653: entry = lres->entries[i].entry;
2654: if (!sudo_ldap_check_runas(ld, entry))
2655: continue;
2656: rc = sudo_ldap_check_command(ld, entry, &setenv_implied);
2657: if (rc != UNSPEC) {
2658: /* We have a match. */
1.1.1.4 misho 2659: DPRINTF1("Command %sallowed", rc == true ? "" : "NOT ");
1.1.1.2 misho 2660: if (rc == true) {
1.1.1.4 misho 2661: DPRINTF1("LDAP entry: %p", entry);
1.1 misho 2662: /* Apply entry-specific options. */
2663: if (setenv_implied)
1.1.1.2 misho 2664: def_setenv = true;
1.1 misho 2665: sudo_ldap_parse_options(ld, entry);
2666: #ifdef HAVE_SELINUX
2667: /* Set role and type if not specified on command line. */
2668: if (user_role == NULL)
2669: user_role = def_role;
2670: if (user_type == NULL)
2671: user_type = def_type;
2672: #endif /* HAVE_SELINUX */
2673: SET(ret, VALIDATE_OK);
2674: CLR(ret, VALIDATE_NOT_OK);
2675: } else {
2676: SET(ret, VALIDATE_NOT_OK);
2677: CLR(ret, VALIDATE_OK);
2678: }
2679: break;
2680: }
2681: }
2682:
2683: done:
1.1.1.4 misho 2684: DPRINTF1("done with LDAP searches");
2685: DPRINTF1("user_matches=%d", lres->user_matches);
2686: DPRINTF1("host_matches=%d", lres->host_matches);
1.1 misho 2687:
2688: if (!ISSET(ret, VALIDATE_OK)) {
2689: /* No matching entries. */
2690: if (pwflag && list_pw == NULL)
2691: SET(ret, FLAG_NO_CHECK);
2692: }
2693: if (lres->user_matches)
2694: CLR(ret, FLAG_NO_USER);
2695: if (lres->host_matches)
2696: CLR(ret, FLAG_NO_HOST);
1.1.1.4 misho 2697: DPRINTF1("sudo_ldap_lookup(%d)=0x%02x", pwflag, ret);
1.1 misho 2698:
1.1.1.2 misho 2699: debug_return_int(ret);
1.1 misho 2700: }
2701:
2702: /*
2703: * Comparison function for ldap_entry_wrapper structures, descending order.
2704: */
2705: static int
2706: ldap_entry_compare(const void *a, const void *b)
2707: {
2708: const struct ldap_entry_wrapper *aw = a;
2709: const struct ldap_entry_wrapper *bw = b;
1.1.1.2 misho 2710: debug_decl(ldap_entry_compare, SUDO_DEBUG_LDAP)
1.1 misho 2711:
1.1.1.2 misho 2712: debug_return_int(bw->order < aw->order ? -1 :
2713: (bw->order > aw->order ? 1 : 0));
1.1 misho 2714: }
2715:
2716: /*
2717: * Find the last entry in the list of searches, usually the
2718: * one currently being used to add entries.
2719: * XXX - use a tailq instead?
2720: */
2721: static struct ldap_search_list *
2722: sudo_ldap_result_last_search(struct ldap_result *lres)
2723: {
2724: struct ldap_search_list *result = lres->searches;
1.1.1.2 misho 2725: debug_decl(sudo_ldap_result_last_search, SUDO_DEBUG_LDAP)
1.1 misho 2726:
2727: if (result) {
2728: while (result->next)
2729: result = result->next;
2730: }
1.1.1.2 misho 2731: debug_return_ptr(result);
1.1 misho 2732: }
2733:
2734: /*
2735: * Add an entry to the result structure.
2736: */
2737: static struct ldap_entry_wrapper *
2738: sudo_ldap_result_add_entry(struct ldap_result *lres, LDAPMessage *entry)
2739: {
2740: struct ldap_search_list *last;
2741: struct berval **bv;
2742: double order = 0.0;
2743: char *ep;
1.1.1.2 misho 2744: debug_decl(sudo_ldap_result_add_entry, SUDO_DEBUG_LDAP)
1.1 misho 2745:
2746: /* Determine whether the entry has the sudoOrder attribute. */
2747: last = sudo_ldap_result_last_search(lres);
2748: bv = ldap_get_values_len(last->ldap, entry, "sudoOrder");
2749: if (bv != NULL) {
2750: if (ldap_count_values_len(bv) > 0) {
2751: /* Get the value of this attribute, 0 if not present. */
1.1.1.4 misho 2752: DPRINTF2("order attribute raw: %s", (*bv)->bv_val);
1.1 misho 2753: order = strtod((*bv)->bv_val, &ep);
2754: if (ep == (*bv)->bv_val || *ep != '\0') {
2755: warningx(_("invalid sudoOrder attribute: %s"), (*bv)->bv_val);
2756: order = 0.0;
2757: }
1.1.1.4 misho 2758: DPRINTF2("order attribute: %f", order);
1.1 misho 2759: }
2760: ldap_value_free_len(bv);
2761: }
2762:
2763: /*
2764: * Enlarge the array of entry wrappers as needed, preallocating blocks
2765: * of 100 entries to save on allocation time.
2766: */
2767: if (++lres->nentries > lres->allocated_entries) {
2768: lres->allocated_entries += ALLOCATION_INCREMENT;
2769: lres->entries = erealloc3(lres->entries, lres->allocated_entries,
2770: sizeof(lres->entries[0]));
2771: }
2772:
2773: /* Fill in the new entry and return it. */
2774: lres->entries[lres->nentries - 1].entry = entry;
2775: lres->entries[lres->nentries - 1].order = order;
2776:
1.1.1.2 misho 2777: debug_return_ptr(&lres->entries[lres->nentries - 1]);
1.1 misho 2778: }
2779:
2780: /*
2781: * Free the ldap result structure in the sudo_nss handle.
2782: */
2783: static void
2784: sudo_ldap_result_free_nss(struct sudo_nss *nss)
2785: {
2786: struct sudo_ldap_handle *handle = nss->handle;
1.1.1.2 misho 2787: debug_decl(sudo_ldap_result_free_nss, SUDO_DEBUG_LDAP)
1.1 misho 2788:
2789: if (handle->result != NULL) {
1.1.1.4 misho 2790: DPRINTF1("removing reusable search result");
1.1 misho 2791: sudo_ldap_result_free(handle->result);
2792: if (handle->username) {
2793: efree(handle->username);
2794: handle->username = NULL;
2795: }
2796: handle->grlist = NULL;
2797: handle->result = NULL;
2798: }
1.1.1.2 misho 2799: debug_return;
1.1 misho 2800: }
2801:
2802: /*
2803: * Perform the LDAP query for the user or return a cached query if
2804: * there is one for this user.
2805: */
2806: static struct ldap_result *
2807: sudo_ldap_result_get(struct sudo_nss *nss, struct passwd *pw)
2808: {
2809: struct sudo_ldap_handle *handle = nss->handle;
2810: struct ldap_config_list_str *base;
2811: struct ldap_result *lres;
2812: struct timeval tv, *tvp = NULL;
2813: LDAPMessage *entry, *result;
2814: LDAP *ld = handle->ld;
1.1.1.4 misho 2815: int pass, rc;
1.1 misho 2816: char *filt;
1.1.1.2 misho 2817: debug_decl(sudo_ldap_result_get, SUDO_DEBUG_LDAP)
1.1 misho 2818:
2819: /*
2820: * If we already have a cached result, return it so we don't have to
2821: * have to contact the LDAP server again.
2822: */
2823: if (handle->result) {
2824: if (handle->grlist == user_group_list &&
2825: strcmp(pw->pw_name, handle->username) == 0) {
1.1.1.4 misho 2826: DPRINTF1("reusing previous result (user %s) with %d entries",
2827: handle->username, handle->result->nentries);
1.1.1.2 misho 2828: debug_return_ptr(handle->result);
1.1 misho 2829: }
2830: /* User mismatch, cached result cannot be used. */
1.1.1.4 misho 2831: DPRINTF1("removing result (user %s), new search (user %s)",
2832: handle->username, pw->pw_name);
1.1 misho 2833: sudo_ldap_result_free_nss(nss);
2834: }
2835:
2836: /*
2837: * Okay - time to search for anything that matches this user
2838: * Lets limit it to only two queries of the LDAP server
2839: *
2840: * The first pass will look by the username, groups, and
2841: * the keyword ALL. We will then inspect the results that
2842: * came back from the query. We don't need to inspect the
2843: * sudoUser in this pass since the LDAP server already scanned
2844: * it for us.
2845: *
1.1.1.4 misho 2846: * The second pass will return all the entries that contain non-
2847: * Unix groups, including netgroups. Then we take the non-Unix
2848: * groups returned and try to match them against the username.
1.1 misho 2849: *
2850: * Since we have to sort the possible entries before we make a
2851: * decision, we perform the queries and store all of the results in
2852: * an ldap_result object. The results are then sorted by sudoOrder.
2853: */
2854: lres = sudo_ldap_result_alloc();
1.1.1.4 misho 2855: for (pass = 0; pass < 2; pass++) {
2856: filt = pass ? sudo_ldap_build_pass2() : sudo_ldap_build_pass1(pw);
2857: DPRINTF1("ldap search '%s'", filt);
1.1 misho 2858: for (base = ldap_conf.base; base != NULL; base = base->next) {
1.1.1.4 misho 2859: DPRINTF1("searching from base '%s'",
2860: base->val);
1.1 misho 2861: if (ldap_conf.timeout > 0) {
2862: tv.tv_sec = ldap_conf.timeout;
2863: tv.tv_usec = 0;
2864: tvp = &tv;
2865: }
2866: result = NULL;
2867: rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
2868: NULL, 0, NULL, NULL, tvp, 0, &result);
2869: if (rc != LDAP_SUCCESS) {
1.1.1.4 misho 2870: DPRINTF1("nothing found for '%s'", filt);
1.1 misho 2871: continue;
2872: }
1.1.1.2 misho 2873: lres->user_matches = true;
1.1 misho 2874:
2875: /* Add the seach result to list of search results. */
1.1.1.4 misho 2876: DPRINTF1("adding search result");
1.1 misho 2877: sudo_ldap_result_add_search(lres, ld, result);
2878: LDAP_FOREACH(entry, ld, result) {
1.1.1.4 misho 2879: if ((!pass ||
2880: sudo_ldap_check_non_unix_group(ld, entry, pw)) &&
1.1 misho 2881: sudo_ldap_check_host(ld, entry)) {
1.1.1.2 misho 2882: lres->host_matches = true;
1.1 misho 2883: sudo_ldap_result_add_entry(lres, entry);
2884: }
2885: }
1.1.1.4 misho 2886: DPRINTF1("result now has %d entries", lres->nentries);
1.1 misho 2887: }
2888: efree(filt);
2889: }
2890:
2891: /* Sort the entries by the sudoOrder attribute. */
1.1.1.4 misho 2892: DPRINTF1("sorting remaining %d entries", lres->nentries);
1.1 misho 2893: qsort(lres->entries, lres->nentries, sizeof(lres->entries[0]),
2894: ldap_entry_compare);
2895:
2896: /* Store everything in the sudo_nss handle. */
2897: handle->result = lres;
2898: handle->username = estrdup(pw->pw_name);
2899: handle->grlist = user_group_list;
2900:
1.1.1.2 misho 2901: debug_return_ptr(lres);
1.1 misho 2902: }
2903:
2904: /*
2905: * Shut down the LDAP connection.
2906: */
2907: static int
2908: sudo_ldap_close(struct sudo_nss *nss)
2909: {
2910: struct sudo_ldap_handle *handle = nss->handle;
1.1.1.2 misho 2911: debug_decl(sudo_ldap_close, SUDO_DEBUG_LDAP)
1.1 misho 2912:
2913: if (handle != NULL) {
2914: /* Free the result before unbinding; it may use the LDAP connection. */
2915: sudo_ldap_result_free_nss(nss);
2916:
2917: /* Unbind and close the LDAP connection. */
2918: if (handle->ld != NULL) {
2919: ldap_unbind_ext_s(handle->ld, NULL, NULL);
2920: handle->ld = NULL;
2921: }
2922:
2923: /* Free the handle container. */
2924: efree(nss->handle);
2925: nss->handle = NULL;
2926: }
1.1.1.2 misho 2927: debug_return_int(0);
1.1 misho 2928: }
2929:
2930: /*
2931: * STUB
2932: */
2933: static int
2934: sudo_ldap_parse(struct sudo_nss *nss)
2935: {
2936: return 0;
2937: }
2938:
2939: #if 0
2940: /*
2941: * Create an ldap_result from an LDAP search result.
2942: *
2943: * This function is currently not used anywhere, it is left here as
2944: * an example of how to use the cached searches.
2945: */
2946: static struct ldap_result *
2947: sudo_ldap_result_from_search(LDAP *ldap, LDAPMessage *searchresult)
2948: {
2949: /*
2950: * An ldap_result is built from several search results, which are
2951: * organized in a list. The head of the list is maintained in the
2952: * ldap_result structure, together with the wrappers that point
2953: * to individual entries, this has to be initialized first.
2954: */
2955: struct ldap_result *result = sudo_ldap_result_alloc();
2956:
2957: /*
2958: * Build a new list node for the search result, this creates the
2959: * list node.
2960: */
2961: struct ldap_search_list *last = sudo_ldap_result_add_search(result,
2962: ldap, searchresult);
2963:
2964: /*
2965: * Now add each entry in the search result to the array of of entries
2966: * in the ldap_result object.
2967: */
2968: LDAPMessage *entry;
2969: LDAP_FOREACH(entry, last->ldap, last->searchresult) {
2970: sudo_ldap_result_add_entry(result, entry);
2971: }
1.1.1.4 misho 2972: DPRINTF1("sudo_ldap_result_from_search: %d entries found", result->nentries);
1.1 misho 2973: return result;
2974: }
2975: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>