Add support for --enable-sasl and --disable-sasl to make it possible

to enable/disable support for LDAP with SASL authentication.  Sudo
compiles in support for SASL authentication by default if the
ldap_sasl_interactive_bind_s() function is detected.
Bug #788
Todd C. Miller
2017-07-28 13:52:55 -06:00
parent ad81862b07
commit beece91719
3 changed files with 61 additions and 8 deletions


@@ -312,6 +312,12 @@ Optional features:
this file instead of /etc/ldap.secret to read the secret password this file instead of /etc/ldap.secret to read the secret password
when rootbinddn is specified in the ldap config file. when rootbinddn is specified in the ldap config file.
--disable-sasl
Disable SASL authentication for LDAP. By default, sudo
will compile in support for SASL authentication if the
ldap_sasl_interactive_bind_s() function is present in the
LDAP libraries.
--with-logincap --with-logincap
This adds support for login classes specified in /etc/login.conf. This adds support for login classes specified in /etc/login.conf.
It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and

configure vendored

@@ -962,6 +962,7 @@ enable_shared_libutil
enable_tmpfiles_d enable_tmpfiles_d
enable_devsearch enable_devsearch
with_selinux with_selinux
enable_sasl
enable_gss_krb5_ccache_name enable_gss_krb5_ccache_name
enable_shared enable_shared
enable_static enable_static
@@ -1645,6 +1646,7 @@ Optional Features:
--enable-tmpfiles.d=DIR Set the path to the systemd tmpfiles.d directory. --enable-tmpfiles.d=DIR Set the path to the systemd tmpfiles.d directory.
--enable-devsearch=PATH The colon-delimited path to search for device nodes --enable-devsearch=PATH The colon-delimited path to search for device nodes
when determing the tty name. when determing the tty name.
--enable-sasl Enable/disable LDAP SASL support
--enable-gss-krb5-ccache-name --enable-gss-krb5-ccache-name
Use GSS-API to set the Kerberos V cred cache name Use GSS-API to set the Kerberos V cred cache name
--enable-shared[=PKGS] build shared libraries [default=yes] --enable-shared[=PKGS] build shared libraries [default=yes]
@@ -6751,6 +6753,18 @@ else
fi fi
# Check whether --enable-sasl was given.
if test "${enable_sasl+set}" = set; then :
enableval=$enable_sasl; case "$enableval" in
yes|no) ;;
*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-sasl: $enableval" >&5
$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-sasl: $enableval" >&2;}
;;
esac
fi
# Check whether --enable-gss_krb5_ccache_name was given. # Check whether --enable-gss_krb5_ccache_name was given.
if test "${enable_gss_krb5_ccache_name+set}" = set; then : if test "${enable_gss_krb5_ccache_name+set}" = set; then :
enableval=$enable_gss_krb5_ccache_name; check_gss_krb5_ccache_name=$enableval enableval=$enable_gss_krb5_ccache_name; check_gss_krb5_ccache_name=$enableval
@@ -22552,7 +22566,7 @@ if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
fi fi
# #
# Some PAM implementations (MacOS X for example) put the PAM headers # Some PAM implementations (macOS for example) put the PAM headers
# in /usr/include/pam instead of /usr/include/security... # in /usr/include/pam instead of /usr/include/security...
# #
found_pam_hdrs=no found_pam_hdrs=no
@@ -24695,7 +24709,9 @@ fi
rm -f core conftest.err conftest.$ac_objext \ rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext conftest$ac_exeext conftest.$ac_ext
for ac_header in sasl/sasl.h sasl.h if test ${enable_sasl-'yes'} = "yes"; then
found_sasl_h=no
for ac_header in sasl/sasl.h sasl.h
do : do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@@ -24704,7 +24720,8 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF _ACEOF
for ac_func in ldap_sasl_interactive_bind_s found_sasl_h=yes
for ac_func in ldap_sasl_interactive_bind_s
do : do :
ac_fn_c_check_func "$LINENO" "ldap_sasl_interactive_bind_s" "ac_cv_func_ldap_sasl_interactive_bind_s" ac_fn_c_check_func "$LINENO" "ldap_sasl_interactive_bind_s" "ac_cv_func_ldap_sasl_interactive_bind_s"
if test "x$ac_cv_func_ldap_sasl_interactive_bind_s" = xyes; then : if test "x$ac_cv_func_ldap_sasl_interactive_bind_s" = xyes; then :
@@ -24715,12 +24732,21 @@ _ACEOF
fi fi
done done
break break
fi fi
done done
if test X${enable_sasl} = X"yes"; then
if test X"$found_sasl_h" != X"yes"; then
as_fn_error $? "\"--enable-sasl specified but unable to locate SASL development headers.\"" "$LINENO" 5
fi
if test X"$ac_cv_func_ldap_sasl_interactive_bind_s" != X"yes"; then :
as_fn_error $? "\"--enable-sasl specified but SASL support is missing in your LDAP library\"" "$LINENO" 5
fi
fi
fi
for ac_header in ldap_ssl.h mps/ldap_ssl.h for ac_header in ldap_ssl.h mps/ldap_ssl.h
do : do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`


@@ -1562,6 +1562,15 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
;; ;;
esac], [with_selinux=no]) esac], [with_selinux=no])
AC_ARG_ENABLE(sasl,
[AS_HELP_STRING([--enable-sasl], [Enable/disable LDAP SASL support])],
[ case "$enableval" in
yes|no) ;;
*) AC_MSG_WARN([Ignoring unknown argument to --enable-sasl: $enableval])
;;
esac
])
dnl dnl
dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
dnl dnl
@@ -3745,10 +3754,22 @@ if test ${with_ldap-'no'} != "no"; then
AC_MSG_RESULT([yes]) AC_MSG_RESULT([yes])
AC_DEFINE(HAVE_LBER_H)]) AC_DEFINE(HAVE_LBER_H)])
AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [ if test ${enable_sasl-'yes'} = "yes"; then
AC_CHECK_FUNCS([ldap_sasl_interactive_bind_s]) found_sasl_h=no
break AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [
]) found_sasl_h=yes
AC_CHECK_FUNCS([ldap_sasl_interactive_bind_s])
break
])
if test X${enable_sasl} = X"yes"; then
if test X"$found_sasl_h" != X"yes"; then
AC_MSG_ERROR(["--enable-sasl specified but unable to locate SASL development headers."])
fi
if test X"$ac_cv_func_ldap_sasl_interactive_bind_s" != X"yes"; then :
AC_MSG_ERROR(["--enable-sasl specified but SASL support is missing in your LDAP library"])
fi
fi
fi
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>]) AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
AC_CHECK_FUNCS([ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np]) AC_CHECK_FUNCS([ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np])
AC_CHECK_FUNCS([ldap_search_ext_s ldap_search_st], [break]) AC_CHECK_FUNCS([ldap_search_ext_s ldap_search_st], [break])
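Review bot: The `*)` branch of the new AC_ARG_ENABLE(sasl) block in the first hunk warns that an unknown value is "ignored" but leaves enable_sasl set to that value, so the later `if test ${enable_sasl-'yes'} = "yes"` in the LDAP hunk is false and SASL support is silently skipped instead of falling back to the documented default; the generated configure carries the same behaviour. Resetting the variable in that branch makes the warning truthful: `*) AC_MSG_WARN([Ignoring unknown argument to --enable-sasl: $enableval])` followed by `enable_sasl=yes` before the `;;`. A second, smaller point in the LDAP hunk: the new `if test X${enable_sasl} = X"yes"` block sits inside `if test ${with_ldap-'no'} != "no"`, whose start and closing `fi` are outside the hunk, so `--enable-sasl` given without `--with-ldap` neither errors nor warns; an AC_MSG_WARN outside that block, or a sentence in the help string saying the option only applies with `--with-ldap`, would make the dependency visible to the person configuring the build.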