=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/sudo/Attic/ldap.c,v retrieving revision 1.5 retrieving revision 1.6 diff -c -r1.5 -r1.6 *** src/usr.bin/sudo/Attic/ldap.c 2007/12/21 01:16:52 1.5 --- src/usr.bin/sudo/Attic/ldap.c 2008/01/07 14:10:08 1.6 *************** *** 1,5 **** /* ! * Copyright (c) 2003-2005 Todd C. Miller * * This code is derived from software contributed by Aaron Spangler. * --- 1,5 ---- /* ! * Copyright (c) 2003-2008 Todd C. Miller * * This code is derived from software contributed by Aaron Spangler. * *************** *** 45,50 **** --- 45,51 ---- # include #endif /* HAVE_UNISTD_H */ #include + #include #include #include #include *************** *** 65,71 **** #include "parse.h" #ifndef lint ! __unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.28 2007/12/19 19:29:32 millert Exp $"; #endif /* lint */ #ifndef LINE_MAX --- 66,72 ---- #include "parse.h" #ifndef lint ! __unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.32 2008/01/05 23:27:10 millert Exp $"; #endif /* lint */ #ifndef LINE_MAX *************** *** 183,189 **** --- 184,311 ---- static void sudo_ldap_close __P((LDAP *)); static LDAP *sudo_ldap_open __P((void)); + #ifndef HAVE_LDAP_INITIALIZE /* + * For each uri, convert to host:port pairs. For ldaps:// enable SSL + * Accepts: uris of the form ldap:/// or ldap://hostname:portnum/ + * where the trailing slash is optional. + */ + static int + sudo_ldap_parse_uri(uri_list) + const char *uri_list; + { + char *buf, *uri, *host, *cp, *port; + char hostbuf[LINE_MAX]; + int nldap = 0, nldaps = 0; + int rc = -1; + + buf = estrdup(uri_list); + hostbuf[0] = '\0'; + for ((uri = strtok(buf, " \t")); uri != NULL; (uri = strtok(NULL, " \t"))) { + if (strncasecmp(uri, "ldap://", 7) == 0) { + nldap++; + host = uri + 7; + } else if (strncasecmp(uri, "ldaps://", 8) == 0) { + nldaps++; + host = uri + 8; + } else { + warnx("unsupported LDAP uri type: %s", uri); + goto done; + } + + /* trim optional trailing slash */ + if ((cp = strrchr(host, '/')) != NULL && cp[1] == '\0') { + *cp = '\0'; + } + + if (hostbuf[0] != '\0') { + if (strlcat(hostbuf, " ", sizeof(hostbuf)) >= sizeof(hostbuf)) + goto toobig; + } + + if (*host == '\0') + host = "localhost"; /* no host specified, use localhost */ + + if (strlcat(hostbuf, host, sizeof(hostbuf)) >= sizeof(hostbuf)) + goto toobig; + + /* If using SSL and no port specified, add port 636 */ + if (nldaps) { + if ((port = strrchr(host, ':')) == NULL || !isdigit(port[1])) + if (strlcat(hostbuf, ":636", sizeof(hostbuf)) >= sizeof(hostbuf)) + goto toobig; + } + } + if (hostbuf[0] == '\0') { + warnx("invalid uri: %s", uri_list); + goto done; + } + + if (nldaps != 0) { + if (nldap != 0) { + warnx("cannot mix ldap and ldaps URIs"); + goto done; + } + if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) { + warnx("cannot mix ldaps and starttls"); + goto done; + } + ldap_conf.ssl_mode = SUDO_LDAP_SSL; + } + + free(ldap_conf.host); + ldap_conf.host = estrdup(hostbuf); + rc = 0; + + done: + efree(buf); + return(rc); + + toobig: + errx(1, "sudo_ldap_parse_uri: out of space building hostbuf"); + } + #endif /* HAVE_LDAP_INITIALIZE */ + + static int + sudo_ldap_init(ldp, host, port) + LDAP **ldp; + const char *host; + int port; + { + LDAP *ld = NULL; + int rc = LDAP_CONNECT_ERROR; + + #ifdef HAVE_LDAPSSL_INIT + if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { + DPRINTF(("ldapssl_clientauth_init(%s, %s)", + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", + ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); + rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, + ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); + if (rc != LDAP_SUCCESS) { + warnx("unable to initialize SSL cert and key db: %s", + ldapssl_err2string(rc)); + goto done; + } + + DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2); + if ((ld = ldapssl_init(host, port, 1)) == NULL) + goto done; + } else + #endif + { + DPRINTF(("ldap_init(%s, %d)", host, port), 2); + if ((ld = ldap_init(host, port)) == NULL) + goto done; + } + rc = LDAP_SUCCESS; + + done: + *ldp = ld; + return(rc); + } + + /* * Walk through search results and return TRUE if we have a matching * netgroup, else FALSE. */ *************** *** 509,514 **** --- 631,638 ---- /* Append supplementary groups */ for (i = 0; i < user_ngroups; i++) { + if (user_groups[i] == user_gid) + continue; if ((grp = getgrgid(user_groups[i])) != NULL) { ncat(&b, &sz, "(sudoUser=%"); ncat(&b, &sz, grp -> gr_name); *************** *** 641,652 **** if (ldap_conf.debug > 1) { fprintf(stderr, "LDAP Config Summary\n"); fprintf(stderr, "===================\n"); - #ifdef HAVE_LDAP_INITIALIZE if (ldap_conf.uri) { fprintf(stderr, "uri %s\n", ldap_conf.uri); ! } else ! #endif ! { fprintf(stderr, "host %s\n", ldap_conf.host ? ldap_conf.host : "(NONE)"); fprintf(stderr, "port %d\n", ldap_conf.port); --- 765,773 ---- if (ldap_conf.debug > 1) { fprintf(stderr, "LDAP Config Summary\n"); fprintf(stderr, "===================\n"); if (ldap_conf.uri) { fprintf(stderr, "uri %s\n", ldap_conf.uri); ! } else { fprintf(stderr, "host %s\n", ldap_conf.host ? ldap_conf.host : "(NONE)"); fprintf(stderr, "port %d\n", ldap_conf.port); *************** *** 695,702 **** ldap_conf.ssl_mode = SUDO_LDAP_SSL; } /* Use port 389 for plaintext LDAP and port 636 for SSL LDAP */ ! if (ldap_conf.port < 0) ldap_conf.port = ldap_conf.ssl_mode == SUDO_LDAP_SSL ? LDAPS_PORT : LDAP_PORT; --- 816,834 ---- ldap_conf.ssl_mode = SUDO_LDAP_SSL; } + #ifndef HAVE_LDAP_INITIALIZE + /* Convert uri list to host list if no ldap_initialize(). */ + if (ldap_conf.uri) { + if (sudo_ldap_parse_uri(ldap_conf.uri) != 0) + return(FALSE); + free(ldap_conf.uri); + ldap_conf.uri = NULL; + ldap_conf.port = LDAP_PORT; + } + #endif + /* Use port 389 for plaintext LDAP and port 636 for SSL LDAP */ ! if (!ldap_conf.uri && ldap_conf.port < 0) ldap_conf.port = ldap_conf.ssl_mode == SUDO_LDAP_SSL ? LDAPS_PORT : LDAP_PORT; *************** *** 894,900 **** ldap_err2string(rc)); return(-1); } ! } #endif return(0); --- 1026,1032 ---- ldap_err2string(rc)); return(-1); } ! DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)\n"), 1); } #endif return(0); *************** *** 912,957 **** if (!sudo_ldap_read_config()) return(NULL); - #ifdef HAVE_LDAPSSL_INIT - if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { - DPRINTF(("ldapssl_clientauth_init(%s, %s)", - ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", - ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); - rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, - ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); - if (rc != LDAP_SUCCESS) { - warnx("unable to initialize SSL cert and key db: %s", - ldapssl_err2string(rc)); - return(NULL); - } - } - #endif /* HAVE_LDAPSSL_INIT */ - /* Connect to LDAP server */ #ifdef HAVE_LDAP_INITIALIZE ! if (ldap_conf.uri) { DPRINTF(("ldap_initialize(ld, %s)", ldap_conf.uri), 2); rc = ldap_initialize(&ld, ldap_conf.uri); - if (rc != LDAP_SUCCESS) { - warnx("unable to initialize LDAP: %s", ldap_err2string(rc)); - return(NULL); - } } else #endif /* HAVE_LDAP_INITIALIZE */ ! { ! #ifdef HAVE_LDAPSSL_INIT ! DPRINTF(("ldapssl_init(%s, %d, %d)", ldap_conf.host, ldap_conf.port, ! ldap_conf.ssl_mode == SUDO_LDAP_SSL), 2); ! ld = ldapssl_init(ldap_conf.host, ldap_conf.port, ! ldap_conf.ssl_mode == SUDO_LDAP_SSL); ! #else ! DPRINTF(("ldap_init(%s, %d)", ldap_conf.host, ldap_conf.port), 2); ! ld = ldap_init(ldap_conf.host, ldap_conf.port); ! #endif /* HAVE_LDAPSSL_INIT */ ! if (ld == NULL) { ! warn("unable to initialize LDAP"); ! return(NULL); ! } } /* Set LDAP options */ --- 1044,1060 ---- if (!sudo_ldap_read_config()) return(NULL); /* Connect to LDAP server */ #ifdef HAVE_LDAP_INITIALIZE ! if (ldap_conf.uri != NULL) { DPRINTF(("ldap_initialize(ld, %s)", ldap_conf.uri), 2); rc = ldap_initialize(&ld, ldap_conf.uri); } else #endif /* HAVE_LDAP_INITIALIZE */ ! rc = sudo_ldap_init(&ld, ldap_conf.host, ldap_conf.port); ! if (rc != LDAP_SUCCESS) { ! warnx("unable to initialize LDAP: %s", ldap_err2string(rc)); ! return(NULL); } /* Set LDAP options */