diff --git a/doc/sudoers.ldap.pod b/doc/sudoers.ldap.pod
index b12c6e6bb..88c60155c 100644
--- a/doc/sudoers.ldap.pod
+++ b/doc/sudoers.ldap.pod
@@ -536,6 +536,11 @@ SASL programmer's manual for details.
 The path to the Kerberos 5 credential cache to use when authenticating with the remote server.
+=item B never/searching/finding/always
+How alias dereferencing is to be performed when searching. See the
+L manual for a full description of this option.
+
 =back
 See the C entry in the L section.
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index a788543ac..e8e63117d 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -117,6 +117,7 @@
 #define CONF_INT 1
 #define CONF_STR 2
 #define CONF_LIST_STR 4
+#define CONF_DEREF_VAL 5
 #define SUDO_LDAP_SSL 1
 #define SUDO_LDAP_STARTTLS 2
@@ -195,6 +196,7 @@ static struct ldap_config {
     int rootuse_sasl;
     int ssl_mode;
     int timed;
+    int deref;
     char *host;
     struct ldap_config_list_str *uri;
     char *binddn;
@@ -280,6 +282,9 @@ static struct ldap_config_table ldap_conf_table[] = {
 #ifdef LDAP_OPT_TIMEOUT
     { "timeout", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
 	&ldap_conf.timeout },
+#endif
+#ifdef LDAP_OPT_DEREF
+    { "deref", CONF_DEREF_VAL, TRUE, LDAP_OPT_DEREF, &ldap_conf.deref },
 #endif
     { "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn },
     { "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw },
@@ -1121,6 +1126,7 @@ sudo_ldap_read_config(void)
     ldap_conf.bind_timelimit = -1;
     ldap_conf.use_sasl = -1;
     ldap_conf.rootuse_sasl = -1;
+    ldap_conf.deref = -1;
     if ((fp = fopen(_PATH_LDAP_CONF, "r")) == NULL)
 	return FALSE;
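Review bot: `#define CONF_DEREF_VAL 5` breaks the power-of-two sequence of `CONF_INT 1`, `CONF_STR 2`, `CONF_LIST_STR 4`; if any code tests these with `&` rather than the `switch` on `cur->type` shown later in this diff, 5 reads as `CONF_INT|CONF_LIST_STR`. I cannot see such a mask test in the hunks, so this may be purely cosmetic, but `#define CONF_DEREF_VAL 8` (or turning the set into an enum) would keep the convention unambiguous. A one-line comment such as `/* value is an LDAP_DEREF_* keyword, stored as int */` would also help readers of the config table.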
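Review bot: The new table row in the `@@ -280` hunk passes `LDAP_OPT_DEREF` as the option value, but nothing in this diff adds a `CONF_DEREF_VAL` case wherever the table's option column is handed to `ldap_set_option()`; if that loop switches on `cur->type` the way the parser does, the `deref` keyword will be parsed but never applied to the connection. That code is outside the hunk, so this needs confirming against the rest of ldap.c. The `#ifdef LDAP_OPT_DEREF` guard also means the keyword is silently unrecognised on libraries without that option; a comment above the guard, e.g. `/* deref keyword only accepted when the LDAP library exposes LDAP_OPT_DEREF */`, would make that explicit.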
@@ -1145,6 +1151,16 @@ sudo_ldap_read_config(void)
     for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
 	if (strcasecmp(keyword, cur->conf_str) == 0) {
 	    switch (cur->type) {
+	    case CONF_DEREF_VAL:
+		if (strcasecmp(value, "searching") == 0)
+		    *(int *)(cur->valp) = LDAP_DEREF_SEARCHING;
+		else if (strcasecmp(value, "finding") == 0)
+		    *(int *)(cur->valp) = LDAP_DEREF_FINDING;
+		else if (strcasecmp(value, "always") == 0)
+		    *(int *)(cur->valp) = LDAP_DEREF_ALWAYS;
+		else
+		    *(int *)(cur->valp) = LDAP_DEREF_NEVER;
+		break;
 	    case CONF_BOOL:
 		*(int *)(cur->valp) = atobool(value) == TRUE;
 		break;
@@ -1225,6 +1241,10 @@ sudo_ldap_read_config(void)
 	    sudo_printf(SUDO_CONV_ERROR_MSG, "timelimit %d\n",
 		ldap_conf.timelimit);
 	}
+	if (ldap_conf.deref != -1) {
+	    sudo_printf(SUDO_CONV_ERROR_MSG, "deref %d\n",
+		ldap_conf.deref);
+	}
 	sudo_printf(SUDO_CONV_ERROR_MSG, "ssl %s\n",
 	    ldap_conf.ssl ? ldap_conf.ssl : "(no)");
 	if (ldap_conf.tls_checkpeer != -1) {
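Review bot: In the `CONF_DEREF_VAL` case any value other than searching/finding/always is silently mapped to `LDAP_DEREF_NEVER`, so a misspelling such as `deref allways` changes which directory entries the search finds without any diagnostic, and the legitimate `never` keyword is indistinguishable from garbage. I would match `never` explicitly and, for anything else, leave `ldap_conf.deref` at its -1 "unset" value and report it with the `sudo_printf()` call already used in this function; whether -1 is also skipped by the option-setting code is outside the hunk and should be checked. The enclosing `for` loop and `switch` continue beyond this hunk.
```c
	    case CONF_DEREF_VAL:
		if (strcasecmp(value, "searching") == 0)
		    *(int *)(cur->valp) = LDAP_DEREF_SEARCHING;
		/* … unchanged: "finding" and "always" branches … */
		else if (strcasecmp(value, "never") == 0)
		    *(int *)(cur->valp) = LDAP_DEREF_NEVER;
		else
		    /* leave the -1 default so an unknown keyword is not applied */
		    sudo_printf(SUDO_CONV_ERROR_MSG,
			"ignoring unknown deref value \"%s\"\n", value);
		break;
```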