version 1.9, 2008/11/14 11:58:08 |
version 1.10, 2009/04/11 11:48:06 |
|
|
#include "lbuf.h" |
#include "lbuf.h" |
|
|
#ifndef lint |
#ifndef lint |
__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.100 2008/04/23 12:30:07 millert Exp $"; |
__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.106 2009/03/16 16:11:28 millert Exp $"; |
#endif /* lint */ |
#endif /* lint */ |
|
|
#ifndef LDAP_OPT_SUCCESS |
#ifndef LDAP_OPT_SUCCESS |
|
|
return(-1); |
return(-1); |
|
|
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, |
"cn=defaults", NULL, 0, NULL, NULL, NULL, -1, &result); |
"cn=defaults", NULL, 0, NULL, NULL, NULL, 0, &result); |
if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) { |
if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) { |
bv = ldap_get_values_len(ld, entry, "sudoOption"); |
bv = ldap_get_values_len(ld, entry, "sudoOption"); |
if (bv != NULL) { |
if (bv != NULL) { |
|
|
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw); |
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw); |
DPRINTF(("ldap search '%s'", filt), 1); |
DPRINTF(("ldap search '%s'", filt), 1); |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt, |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt, |
NULL, 0, NULL, NULL, NULL, -1, &result); |
NULL, 0, NULL, NULL, NULL, 0, &result); |
efree(filt); |
efree(filt); |
if (rc != LDAP_SUCCESS) |
if (rc != LDAP_SUCCESS) |
continue; /* no entries for this pass */ |
continue; /* no entries for this pass */ |
|
|
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw); |
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw); |
DPRINTF(("ldap search '%s'", filt), 1); |
DPRINTF(("ldap search '%s'", filt), 1); |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt, |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt, |
NULL, 0, NULL, NULL, NULL, -1, &result); |
NULL, 0, NULL, NULL, NULL, 0, &result); |
efree(filt); |
efree(filt); |
if (rc != LDAP_SUCCESS) |
if (rc != LDAP_SUCCESS) |
continue; /* no entries for this pass */ |
continue; /* no entries for this pass */ |
|
|
DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1); |
DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1); |
} |
} |
#else |
#else |
sudo_setenv("KRB5CCNAME", ldap_conf.krb5_ccname, TRUE); |
setenv("KRB5CCNAME", ldap_conf.krb5_ccname, TRUE); |
#endif |
#endif |
} |
} |
rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI", |
rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI", |
|
|
DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1); |
DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1); |
#else |
#else |
if (old_ccname != NULL) |
if (old_ccname != NULL) |
sudo_setenv("KRB5CCNAME", old_ccname, TRUE); |
setenv("KRB5CCNAME", old_ccname, TRUE); |
else |
else |
sudo_unsetenv("KRB5CCNAME"); |
unsetenv("KRB5CCNAME"); |
#endif |
#endif |
} |
} |
if (rc != LDAP_SUCCESS) { |
if (rc != LDAP_SUCCESS) { |
|
|
/* Prevent reading of user ldaprc and system defaults. */ |
/* Prevent reading of user ldaprc and system defaults. */ |
if (getenv("LDAPNOINIT") == NULL) { |
if (getenv("LDAPNOINIT") == NULL) { |
ldapnoinit = TRUE; |
ldapnoinit = TRUE; |
sudo_setenv("LDAPNOINIT", "1", TRUE); |
setenv("LDAPNOINIT", "1", TRUE); |
} |
} |
|
|
/* Connect to LDAP server */ |
/* Connect to LDAP server */ |
|
|
} |
} |
|
|
if (ldapnoinit) |
if (ldapnoinit) |
sudo_unsetenv("LDAPNOINIT"); |
unsetenv("LDAPNOINIT"); |
|
|
/* Set LDAP options */ |
/* Set LDAP options */ |
if (sudo_ldap_set_options(ld) < 0) |
if (sudo_ldap_set_options(ld) < 0) |
return(-1); |
return(-1); |
|
|
if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) { |
if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) { |
#ifdef HAVE_LDAP_START_TLS_S |
#if defined(HAVE_LDAP_START_TLS_S) |
rc = ldap_start_tls_s(ld, NULL, NULL); |
rc = ldap_start_tls_s(ld, NULL, NULL); |
if (rc != LDAP_SUCCESS) { |
if (rc != LDAP_SUCCESS) { |
warningx("ldap_start_tls_s(): %s", ldap_err2string(rc)); |
warningx("ldap_start_tls_s(): %s", ldap_err2string(rc)); |
return(-1); |
return(-1); |
} |
} |
DPRINTF(("ldap_start_tls_s() ok"), 1); |
DPRINTF(("ldap_start_tls_s() ok"), 1); |
|
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP) |
|
if (ldap_ssl_client_init(NULL, NULL, 0, &rc) != LDAP_SUCCESS) { |
|
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc)); |
|
return(-1); |
|
} |
|
rc = ldap_start_tls_s_np(ld, NULL); |
|
if (rc != LDAP_SUCCESS) { |
|
warningx("ldap_start_tls_s_np(): %s", ldap_err2string(rc)); |
|
return(-1); |
|
} |
|
DPRINTF(("ldap_start_tls_s_np() ok"), 1); |
#else |
#else |
warningx("start_tls specified but LDAP libs do not support ldap_start_tls_s()"); |
warningx("start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"); |
#endif /* HAVE_LDAP_START_TLS_S */ |
#endif /* !HAVE_LDAP_START_TLS_S && !HAVE_LDAP_START_TLS_S_NP */ |
} |
} |
|
|
/* Actually connect */ |
/* Actually connect */ |
|
|
return(-1); |
return(-1); |
|
|
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, |
"cn=defaults", NULL, 0, NULL, NULL, NULL, -1, &result); |
"cn=defaults", NULL, 0, NULL, NULL, NULL, 0, &result); |
if (rc == 0 && (entry = ldap_first_entry(ld, result))) { |
if (rc == 0 && (entry = ldap_first_entry(ld, result))) { |
DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1); |
DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1); |
sudo_ldap_parse_options(ld, entry); |
sudo_ldap_parse_options(ld, entry); |
|
|
for (matched = 0, do_netgr = 0; !matched && do_netgr < 2; do_netgr++) { |
for (matched = 0, do_netgr = 0; !matched && do_netgr < 2; do_netgr++) { |
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw); |
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw); |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt, |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt, |
NULL, 0, NULL, NULL, NULL, -1, &result); |
NULL, 0, NULL, NULL, NULL, 0, &result); |
efree(filt); |
efree(filt); |
if (rc != LDAP_SUCCESS) |
if (rc != LDAP_SUCCESS) |
continue; |
continue; |
|
|
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw); |
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(pw); |
DPRINTF(("ldap search '%s'", filt), 1); |
DPRINTF(("ldap search '%s'", filt), 1); |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt, |
rc = ldap_search_ext_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt, |
NULL, 0, NULL, NULL, NULL, -1, &result); |
NULL, 0, NULL, NULL, NULL, 0, &result); |
if (rc != LDAP_SUCCESS) |
if (rc != LDAP_SUCCESS) |
DPRINTF(("nothing found for '%s'", filt), 1); |
DPRINTF(("nothing found for '%s'", filt), 1); |
efree(filt); |
efree(filt); |