Add support for SASL auth when connecting to an LDAP server.

Adapted from a diff by Tom McLaughlin.
2007-07-15 13:23:20 +00:00
parent 38b2dd0a5f
commit 5fdb0649b0
5 changed files with 246 additions and 8 deletions
--- a/README.LDAP
+++ b/README.LDAP
@@ -254,6 +254,12 @@ when you imported the sudoers.  Below is an example /etc/ldap.conf
  #tls_cert /etc/certs/client_cert.pem
  #tls_key  /etc/certs/client_key.pem
  #
+  # If using SASL authentication for LDAP
+  # use_sasl yes
+  # sasl_authid <SASL password>
+  # rootuse_sasl yes
+  # rootsasl_authid <SASL password for root access>
+  #

 Debugging your LDAP configuration
 =================================
--- a/config.h.in
+++ b/config.h.in
@@ -212,6 +212,12 @@
 /* Define to 1 if you have the <linux/systrace.h> header file. */
 #undef HAVE_LINUX_SYSTRACE_H

+/* Define to 1 if you have the `ldap_sasl_interactive_bind_s' function. */
+#undef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
+
+/* Define to 1 if you have the <sasl/sasl.h> header file. */
+#undef HAVE_SASL_SASL_H
+
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF

--- a/153
+++ b/153
@@ -22022,7 +22022,8 @@ rm -f conftest.err conftest.$ac_objext \



-for ac_func in ldap_initialize ldap_start_tls_s
+
+for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 echo "$as_me:$LINENO: checking for $ac_func" >&5
@@ -22124,6 +22125,156 @@ fi
 done


+for ac_header in sasl/sasl.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+  echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+else
+  # Is the header compilable?
+echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+	 { ac_try='test -z "$ac_c_werror_flag"
+			 || test ! -s conftest.err'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+	 { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_header_compiler=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6
+
+# Is the header present?
+echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+rm -f conftest.err conftest.$ac_ext
+echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    (
+      cat <<\_ASBOX
+## ------------------------------- ##
+## Report this to the sudo lists.  ##
+## ------------------------------- ##
+_ASBOX
+    ) |
+      sed "s/^/$as_me: WARNING:     /" >&2
+    ;;
+esac
+echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
    SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
    LIBS="$_LIBS"
    LDFLAGS="$_LDFLAGS"
--- a/configure.in
+++ b/configure.in
@@ -2217,7 +2217,8 @@ if test -n "$with_ldap"; then
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_LBER_H)])

-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s)
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s)
+    AC_CHECK_HEADERS([sasl/sasl.h])

    SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
    LIBS="$_LIBS"
--- a/ldap.c
+++ b/ldap.c
@@ -55,6 +55,13 @@
 # include <lber.h>
 #endif
 #include <ldap.h>
+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
+# ifdef HAVE_SASL_SASL_H
+#  include <sasl/sasl.h>
+# else
+#  include <sasl.h>
+# endif
+#endif

 #include "sudo.h"
 #include "parse.h"
@@ -90,6 +97,8 @@ struct ldap_config {
    int tls_checkpeer;
    int timelimit;
    int bind_timelimit;
+    int use_sasl;
+    int rootuse_sasl;
    char *host;
    char *uri;
    char *binddn;
@@ -103,6 +112,8 @@ struct ldap_config {
    char *tls_cipher_suite;
    char *tls_certfile;
    char *tls_keyfile;
+    char *sasl_authid;
+    char *rootsasl_authid;
 } ldap_conf;

 /*
@@ -476,6 +487,8 @@ sudo_ldap_read_config()
    ldap_conf.tls_checkpeer = -1;
    ldap_conf.timelimit = -1;
    ldap_conf.bind_timelimit = -1;
+    ldap_conf.use_sasl = -1;
+    ldap_conf.rootuse_sasl = -1;

    if ((f = fopen(_PATH_LDAP_CONF, "r")) == NULL)
 	return(FALSE);
@@ -557,6 +570,14 @@ sudo_ldap_read_config()
 	MATCH_S("sudoers_base", ldap_conf.base)
 	    else
 	MATCH_I("sudoers_debug", ldap_conf.debug)
+	    else
+	MATCH_B("use_sasl", ldap_conf.use_sasl)
+	    else
+	MATCH_S("sasl_authid", ldap_conf.sasl_authid)
+	    else
+	MATCH_B("rootuse_sasl", ldap_conf.rootuse_sasl)
+	    else
+	MATCH_S("rootsasl_authid", ldap_conf.rootsasl_authid)
 	    else {

 	    /*
@@ -601,6 +622,14 @@ sudo_ldap_read_config()
 #ifdef HAVE_LDAP_START_TLS_S
 	fprintf(stderr, "ssl          %s\n", ldap_conf.ssl ?
 	    ldap_conf.ssl : "(no)");
+#endif
+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
+	fprintf(stderr, "use_sasl     %d\n", ldap_conf.use_sasl);
+	fprintf(stderr, "sasl_authid  %s\n", ldap_conf.sasl_authid ?
+	    ldap_conf.sasl_authid : "(NONE)");
+	fprintf(stderr, "use_sasl     %d\n", ldap_conf.use_sasl);
+	fprintf(stderr, "rootsasl_authid %s\n", ldap_conf.rootsasl_authid ?
+	    ldap_conf.rootsasl_authid : "(NONE)");
 #endif
 	fprintf(stderr, "===================\n");
    }
@@ -831,6 +860,33 @@ sudo_ldap_display_cmnd(ldv, pw)
    } \
 } while(0)

+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
+static int
+sudo_ldap_sasl_interact(ld, flags, v_authid, v_interact)
+    LDAP *ld;
+    unsigned int flags;
+    void *v_authid;
+    void *v_interact;
+{
+    char *authid = (char *)v_authid;
+    sasl_interact_t *interact = (sasl_interact_t *)v_interact;
+
+    for (;interact->id != SASL_CB_LIST_END; interact++) {
+	if (interact->id != SASL_CB_USER)
+	    return (LDAP_PARAM_ERROR);
+
+	if (authid != NULL)
+	    interact->result = authid;
+	else if (interact->defresult != NULL)
+	    interact->result = interact->defresult;
+	else
+	    interact->result = "";
+	interact->len = strlen(interact->result);
+    }
+    return (LDAP_SUCCESS);
+}
+#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
+
 /*
 * Open a connection to the LDAP server.
 */
@@ -938,13 +994,31 @@ sudo_ldap_open()
    }
 #endif /* HAVE_LDAP_START_TLS_S */

-    /* Actually connect */
-    if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
-	fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n",
-	    rc, ldap_err2string(rc));
-	return(NULL);
+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
+    /* XXX - should use krb5_ccname from ldap.conf too! */
+    if (ldap_conf.rootuse_sasl != FALSE && ldap_conf.use_sasl == TRUE) {
+	void *authid = ldap_conf.rootsasl_authid ?
+	    ldap_conf.rootsasl_authid : ldap_conf.sasl_authid;
+
+	rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
+	    NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, authid);
+	if (rc != LDAP_SUCCESS) {
+	    fprintf(stderr, "ldap_sasl_interactive_bind_s(): %d : %s\n",
+		rc, ldap_err2string(rc));
+	    return(NULL);
+	}
+	DPRINTF(("ldap_sasl_interactive_bind_s() ok"), 1);
+    } else
+#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
+    {
+	/* Actually connect */
+	if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
+	    fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n",
+		rc, ldap_err2string(rc));
+	    return(NULL);
+	}
+	DPRINTF(("ldap_bind() ok"), 1);
    }
-    DPRINTF(("ldap_bind() ok"), 1);

    return((VOID *) ld);
 }