Add support for ldaps using Tivoli LDAP libraries.
Add an ldap.conf option (tls_keypw) to specify the Tivoli key database password, and allow TLS ciphers (tls_ciphers) to be configured for Tivoli.
@@ -297,6 +297,9 @@
|
|||||||
/* Define to 1 if you have the <ldap_ssl.h> header file. */
|
/* Define to 1 if you have the <ldap_ssl.h> header file. */
|
||||||
#undef HAVE_LDAP_SSL_H
|
#undef HAVE_LDAP_SSL_H
|
||||||
|
|
||||||
|
/* Define to 1 if you have the `ldap_ssl_init' function. */
|
||||||
|
#undef HAVE_LDAP_SSL_INIT
|
||||||
|
|
||||||
/* Define to 1 if you have the `ldap_start_tls_s' function. */
|
/* Define to 1 if you have the `ldap_start_tls_s' function. */
|
||||||
#undef HAVE_LDAP_START_TLS_S
|
#undef HAVE_LDAP_START_TLS_S
|
||||||
|
|
||||||
|
2
configure
vendored
2
configure
vendored
@@ -19673,7 +19673,7 @@ fi
|
|||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np
|
for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np
|
||||||
do :
|
do :
|
||||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||||
|
@@ -3053,7 +3053,7 @@ if test ${with_ldap-'no'} != "no"; then
|
|||||||
|
|
||||||
AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
|
AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
|
||||||
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
|
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
|
||||||
AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
|
AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np)
|
||||||
AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
|
AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
|
||||||
|
|
||||||
if test X"$check_gss_krb5_ccache_name" = X"yes"; then
|
if test X"$check_gss_krb5_ccache_name" = X"yes"; then
|
||||||
|
@@ -220,6 +220,7 @@ static struct ldap_config {
|
|||||||
char *tls_cipher_suite;
|
char *tls_cipher_suite;
|
||||||
char *tls_certfile;
|
char *tls_certfile;
|
||||||
char *tls_keyfile;
|
char *tls_keyfile;
|
||||||
|
char *tls_keypw;
|
||||||
char *sasl_auth_id;
|
char *sasl_auth_id;
|
||||||
char *rootsasl_auth_id;
|
char *rootsasl_auth_id;
|
||||||
char *sasl_secprops;
|
char *sasl_secprops;
|
||||||
@@ -259,6 +260,9 @@ static struct ldap_config_table ldap_conf_global[] = {
|
|||||||
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
|
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
|
||||||
{ "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE,
|
{ "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE,
|
||||||
&ldap_conf.tls_cipher_suite },
|
&ldap_conf.tls_cipher_suite },
|
||||||
|
#elif defined(LDAP_OPT_SSL_CIPHER)
|
||||||
|
{ "tls_ciphers", CONF_STR, LDAP_OPT_SSL_CIPHER,
|
||||||
|
&ldap_conf.tls_cipher_suite },
|
||||||
#endif
|
#endif
|
||||||
#ifdef LDAP_OPT_X_TLS_CERTFILE
|
#ifdef LDAP_OPT_X_TLS_CERTFILE
|
||||||
{ "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE,
|
{ "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE,
|
||||||
@@ -271,6 +275,9 @@ static struct ldap_config_table ldap_conf_global[] = {
|
|||||||
&ldap_conf.tls_keyfile },
|
&ldap_conf.tls_keyfile },
|
||||||
#else
|
#else
|
||||||
{ "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile },
|
{ "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile },
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_LDAP_SSL_CLIENT_INIT
|
||||||
|
{ "tls_keypw", CONF_STR, -1, &ldap_conf.tls_keypw },
|
||||||
#endif
|
#endif
|
||||||
{ "binddn", CONF_STR, -1, &ldap_conf.binddn },
|
{ "binddn", CONF_STR, -1, &ldap_conf.binddn },
|
||||||
{ "bindpw", CONF_STR, -1, &ldap_conf.bindpw },
|
{ "bindpw", CONF_STR, -1, &ldap_conf.bindpw },
|
||||||
@@ -576,6 +583,16 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
|||||||
if ((ld = ldapssl_init(host, port, defsecure)) != NULL)
|
if ((ld = ldapssl_init(host, port, defsecure)) != NULL)
|
||||||
rc = LDAP_SUCCESS;
|
rc = LDAP_SUCCESS;
|
||||||
} else
|
} else
|
||||||
|
#elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT)
|
||||||
|
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
|
||||||
|
if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
|
||||||
|
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
|
||||||
|
debug_return_int(-1);
|
||||||
|
}
|
||||||
|
DPRINTF(("ldap_ssl_init(%s, %d, NULL)", host, port), 2);
|
||||||
|
if ((ld = ldap_ssl_init((char *)host, port, NULL)) != NULL)
|
||||||
|
rc = LDAP_SUCCESS;
|
||||||
|
} else
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
#ifdef HAVE_LDAP_CREATE
|
#ifdef HAVE_LDAP_CREATE
|
||||||
@@ -586,7 +603,7 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
|
|||||||
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host);
|
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host);
|
||||||
#else
|
#else
|
||||||
DPRINTF(("ldap_init(%s, %d)", host, port), 2);
|
DPRINTF(("ldap_init(%s, %d)", host, port), 2);
|
||||||
if ((ld = ldap_init(host, port)) != NULL)
|
if ((ld = ldap_init((char *)host, port)) != NULL)
|
||||||
rc = LDAP_SUCCESS;
|
rc = LDAP_SUCCESS;
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@@ -2241,7 +2258,7 @@ sudo_ldap_open(struct sudo_nss *nss)
|
|||||||
}
|
}
|
||||||
DPRINTF(("ldap_start_tls_s() ok"), 1);
|
DPRINTF(("ldap_start_tls_s() ok"), 1);
|
||||||
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
|
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
|
||||||
if (ldap_ssl_client_init(NULL, NULL, 0, &rc) != LDAP_SUCCESS) {
|
if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
|
||||||
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
|
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
|
||||||
debug_return_int(-1);
|
debug_return_int(-1);
|
||||||
}
|
}
|
||||||
|
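Review bot: The new `tls_keypw` field introduces a second plaintext secret in ldap.conf next to `bindpw`, but nothing in the ldap.c hunks shows the permission/ownership check that presumably protects `bindpw` being extended to cover it, nor the value being cleared from memory once `ldap_ssl_client_init()` has consumed it; please confirm both, and document the sensitivity at the table entry with `/* tls_keypw: Tivoli key database password; treat like bindpw (ldap.conf must not be world-readable) */`. In the `sudo_ldap_init()` hunk the SSL branch calls `ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc)` and then `ldap_ssl_init((char *)host, port, NULL)` without any visible peer-verification setting, so it is worth a comment stating whether the Tivoli library verifies the server certificate against the key database by default or whether `tls_checkpeer` is simply not honored on this path. `sudo_ldap_init()` and `sudo_ldap_open()` both begin and end outside the shown hunks.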