isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for SASL auth when connecting to an LDAP server.

Browse Source 
Adapted from a diff by Tom McLaughlin.
This commit is contained in:
Todd C. Miller
2007-07-15 13:23:20 +00:00
parent 38b2dd0a5f
commit 5fdb0649b0
5 changed files with 246 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
README.LDAP
View File

@@ -254,6 +254,12 @@ when you imported the sudoers. Below is an example /etc/ldap.conf
#tls_cert /etc/certs/client_cert.pem #tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem #tls_key /etc/certs/client_key.pem
# #
# If using SASL authentication for LDAP
# use_sasl yes
# sasl_authid <SASL password>
# rootuse_sasl yes
# rootsasl_authid <SASL password for root access>
#
Debugging your LDAP configuration Debugging your LDAP configuration
================================= =================================

6
config.h.in
View File

@@ -212,6 +212,12 @@
/* Define to 1 if you have the <linux/systrace.h> header file. */ /* Define to 1 if you have the <linux/systrace.h> header file. */
#undef HAVE_LINUX_SYSTRACE_H #undef HAVE_LINUX_SYSTRACE_H
/* Define to 1 if you have the `ldap_sasl_interactive_bind_s' function. */
#undef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
/* Define to 1 if you have the <sasl/sasl.h> header file. */
#undef HAVE_SASL_SASL_H
/* Define to 1 if you have the `lockf' function. */ /* Define to 1 if you have the `lockf' function. */
#undef HAVE_LOCKF #undef HAVE_LOCKF

153
configure vendored
View File

@@ -22022,7 +22022,8 @@ rm -f conftest.err conftest.$ac_objext \
for ac_func in ldap_initialize ldap_start_tls_s
for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s
do do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
echo "$as_me:$LINENO: checking for $ac_func" >&5 echo "$as_me:$LINENO: checking for $ac_func" >&5
@@ -22124,6 +22125,156 @@ fi
done done
for ac_header in sasl/sasl.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
if eval "test \"\${$as_ac_Header+set}\" = set"; then
echo "$as_me:$LINENO: checking for $ac_header" >&5
echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
if eval "test \"\${$as_ac_Header+set}\" = set"; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
else
# Is the header compilable?
echo "$as_me:$LINENO: checking $ac_header usability" >&5
echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
#include <$ac_header>
_ACEOF
rm -f conftest.$ac_objext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } &&
{ ac_try='test -z "$ac_c_werror_flag"
|| test ! -s conftest.err'
{ (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
(eval $ac_try) 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; } &&
{ ac_try='test -s conftest.$ac_objext'
{ (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
(eval $ac_try) 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_compiler=no
fi
rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
echo "${ECHO_T}$ac_header_compiler" >&6
# Is the header present?
echo "$as_me:$LINENO: checking $ac_header presence" >&5
echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <$ac_header>
_ACEOF
if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
(eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } >/dev/null; then
if test -s conftest.err; then
ac_cpp_err=$ac_c_preproc_warn_flag
ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
else
ac_cpp_err=
fi
else
ac_cpp_err=yes
fi
if test -z "$ac_cpp_err"; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_preproc=no
fi
rm -f conftest.err conftest.$ac_ext
echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
echo "${ECHO_T}$ac_header_preproc" >&6
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
yes:no: )
{ echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
ac_header_preproc=yes
;;
no:yes:* )
{ echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
(
cat <<\_ASBOX
## ------------------------------- ##
## Report this to the sudo lists. ##
## ------------------------------- ##
_ASBOX
) |
sed "s/^/$as_me: WARNING: /" >&2
;;
esac
echo "$as_me:$LINENO: checking for $ac_header" >&5
echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
if eval "test \"\${$as_ac_Header+set}\" = set"; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
eval "$as_ac_Header=\$ac_header_preproc"
fi
echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
fi
if test `eval echo '${'$as_ac_Header'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
fi
done
SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
LIBS="$_LIBS" LIBS="$_LIBS"
LDFLAGS="$_LDFLAGS" LDFLAGS="$_LDFLAGS"

3
configure.in
View File

@@ -2217,7 +2217,8 @@ if test -n "$with_ldap"; then
AC_MSG_RESULT([yes]) AC_MSG_RESULT([yes])
AC_DEFINE(HAVE_LBER_H)]) AC_DEFINE(HAVE_LBER_H)])
AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s) AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s)
AC_CHECK_HEADERS([sasl/sasl.h])
SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
LIBS="$_LIBS" LIBS="$_LIBS"

86
ldap.c
View File

@@ -55,6 +55,13 @@
# include <lber.h> # include <lber.h>
#endif #endif
#include <ldap.h> #include <ldap.h>
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
# ifdef HAVE_SASL_SASL_H
# include <sasl/sasl.h>
# else
# include <sasl.h>
# endif
#endif
#include "sudo.h" #include "sudo.h"
#include "parse.h" #include "parse.h"
@@ -90,6 +97,8 @@ struct ldap_config {
int tls_checkpeer; int tls_checkpeer;
int timelimit; int timelimit;
int bind_timelimit; int bind_timelimit;
int use_sasl;
int rootuse_sasl;
char *host; char *host;
char *uri; char *uri;
char *binddn; char *binddn;
@@ -103,6 +112,8 @@ struct ldap_config {
char *tls_cipher_suite; char *tls_cipher_suite;
char *tls_certfile; char *tls_certfile;
char *tls_keyfile; char *tls_keyfile;
char *sasl_authid;
char *rootsasl_authid;
} ldap_conf; } ldap_conf;
/* /*
@@ -476,6 +487,8 @@ sudo_ldap_read_config()
ldap_conf.tls_checkpeer = -1; ldap_conf.tls_checkpeer = -1;
ldap_conf.timelimit = -1; ldap_conf.timelimit = -1;
ldap_conf.bind_timelimit = -1; ldap_conf.bind_timelimit = -1;
ldap_conf.use_sasl = -1;
ldap_conf.rootuse_sasl = -1;
if ((f = fopen(_PATH_LDAP_CONF, "r")) == NULL) if ((f = fopen(_PATH_LDAP_CONF, "r")) == NULL)
return(FALSE); return(FALSE);
@@ -557,6 +570,14 @@ sudo_ldap_read_config()
MATCH_S("sudoers_base", ldap_conf.base) MATCH_S("sudoers_base", ldap_conf.base)
else else
MATCH_I("sudoers_debug", ldap_conf.debug) MATCH_I("sudoers_debug", ldap_conf.debug)
else
MATCH_B("use_sasl", ldap_conf.use_sasl)
else
MATCH_S("sasl_authid", ldap_conf.sasl_authid)
else
MATCH_B("rootuse_sasl", ldap_conf.rootuse_sasl)
else
MATCH_S("rootsasl_authid", ldap_conf.rootsasl_authid)
else { else {
/* /*
@@ -601,6 +622,14 @@ sudo_ldap_read_config()
#ifdef HAVE_LDAP_START_TLS_S #ifdef HAVE_LDAP_START_TLS_S
fprintf(stderr, "ssl %s\n", ldap_conf.ssl ? fprintf(stderr, "ssl %s\n", ldap_conf.ssl ?
ldap_conf.ssl : "(no)"); ldap_conf.ssl : "(no)");
#endif
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
fprintf(stderr, "use_sasl %d\n", ldap_conf.use_sasl);
fprintf(stderr, "sasl_authid %s\n", ldap_conf.sasl_authid ?
ldap_conf.sasl_authid : "(NONE)");
fprintf(stderr, "use_sasl %d\n", ldap_conf.use_sasl);
fprintf(stderr, "rootsasl_authid %s\n", ldap_conf.rootsasl_authid ?
ldap_conf.rootsasl_authid : "(NONE)");
#endif #endif
fprintf(stderr, "===================\n"); fprintf(stderr, "===================\n");
} }
@@ -831,6 +860,33 @@ sudo_ldap_display_cmnd(ldv, pw)
} \ } \
} while(0) } while(0)
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
static int
sudo_ldap_sasl_interact(ld, flags, v_authid, v_interact)
LDAP *ld;
unsigned int flags;
void *v_authid;
void *v_interact;
{
char *authid = (char *)v_authid;
sasl_interact_t *interact = (sasl_interact_t *)v_interact;
for (;interact->id != SASL_CB_LIST_END; interact++) {
if (interact->id != SASL_CB_USER)
return (LDAP_PARAM_ERROR);
if (authid != NULL)
interact->result = authid;
else if (interact->defresult != NULL)
interact->result = interact->defresult;
else
interact->result = "";
interact->len = strlen(interact->result);
}
return (LDAP_SUCCESS);
}
#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
/* /*
* Open a connection to the LDAP server. * Open a connection to the LDAP server.
*/ */
@@ -938,13 +994,31 @@ sudo_ldap_open()
} }
#endif /* HAVE_LDAP_START_TLS_S */ #endif /* HAVE_LDAP_START_TLS_S */
/* Actually connect */ #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) { /* XXX - should use krb5_ccname from ldap.conf too! */
fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n", if (ldap_conf.rootuse_sasl != FALSE && ldap_conf.use_sasl == TRUE) {
rc, ldap_err2string(rc)); void *authid = ldap_conf.rootsasl_authid ?
return(NULL); ldap_conf.rootsasl_authid : ldap_conf.sasl_authid;
rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, authid);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "ldap_sasl_interactive_bind_s(): %d : %s\n",
rc, ldap_err2string(rc));
return(NULL);
}
DPRINTF(("ldap_sasl_interactive_bind_s() ok"), 1);
} else
#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
{
/* Actually connect */
if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n",
rc, ldap_err2string(rc));
return(NULL);
}
DPRINTF(("ldap_bind() ok"), 1);
} }
DPRINTF(("ldap_bind() ok"), 1);
return((VOID *) ld); return((VOID *) ld);
} }