Add support for --enable-sasl and --disable-sasl to make it possible
to enable/disable support for LDAP with SASL authentication. Sudo compiles in support for SASL authentication by default if the ldap_sasl_interactive_bind_s() function is detected. Bug #788
6
INSTALL
6
INSTALL
@@ -312,6 +312,12 @@ Optional features:
|
||||
this file instead of /etc/ldap.secret to read the secret password
|
||||
when rootbinddn is specified in the ldap config file.
|
||||
|
||||
--disable-sasl
|
||||
Disable SASL authentication for LDAP. By default, sudo
|
||||
will compile in support for SASL authentication if the
|
||||
ldap_sasl_interactive_bind_s() function is present in the
|
||||
LDAP libraries.
|
||||
|
||||
--with-logincap
|
||||
This adds support for login classes specified in /etc/login.conf.
|
||||
It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and
|
||||
|
28
configure
vendored
28
configure
vendored
@@ -962,6 +962,7 @@ enable_shared_libutil
|
||||
enable_tmpfiles_d
|
||||
enable_devsearch
|
||||
with_selinux
|
||||
enable_sasl
|
||||
enable_gss_krb5_ccache_name
|
||||
enable_shared
|
||||
enable_static
|
||||
@@ -1645,6 +1646,7 @@ Optional Features:
|
||||
--enable-tmpfiles.d=DIR Set the path to the systemd tmpfiles.d directory.
|
||||
--enable-devsearch=PATH The colon-delimited path to search for device nodes
|
||||
when determing the tty name.
|
||||
--enable-sasl Enable/disable LDAP SASL support
|
||||
--enable-gss-krb5-ccache-name
|
||||
Use GSS-API to set the Kerberos V cred cache name
|
||||
--enable-shared[=PKGS] build shared libraries [default=yes]
|
||||
@@ -6751,6 +6753,18 @@ else
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --enable-sasl was given.
|
||||
if test "${enable_sasl+set}" = set; then :
|
||||
enableval=$enable_sasl; case "$enableval" in
|
||||
yes|no) ;;
|
||||
*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-sasl: $enableval" >&5
|
||||
$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-sasl: $enableval" >&2;}
|
||||
;;
|
||||
esac
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --enable-gss_krb5_ccache_name was given.
|
||||
if test "${enable_gss_krb5_ccache_name+set}" = set; then :
|
||||
enableval=$enable_gss_krb5_ccache_name; check_gss_krb5_ccache_name=$enableval
|
||||
@@ -22552,7 +22566,7 @@ if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
|
||||
fi
|
||||
|
||||
#
|
||||
# Some PAM implementations (MacOS X for example) put the PAM headers
|
||||
# Some PAM implementations (macOS for example) put the PAM headers
|
||||
# in /usr/include/pam instead of /usr/include/security...
|
||||
#
|
||||
found_pam_hdrs=no
|
||||
@@ -24695,6 +24709,8 @@ fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
|
||||
if test ${enable_sasl-'yes'} = "yes"; then
|
||||
found_sasl_h=no
|
||||
for ac_header in sasl/sasl.h sasl.h
|
||||
do :
|
||||
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
|
||||
@@ -24704,6 +24720,7 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
|
||||
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
|
||||
_ACEOF
|
||||
|
||||
found_sasl_h=yes
|
||||
for ac_func in ldap_sasl_interactive_bind_s
|
||||
do :
|
||||
ac_fn_c_check_func "$LINENO" "ldap_sasl_interactive_bind_s" "ac_cv_func_ldap_sasl_interactive_bind_s"
|
||||
@@ -24721,6 +24738,15 @@ fi
|
||||
|
||||
done
|
||||
|
||||
if test X${enable_sasl} = X"yes"; then
|
||||
if test X"$found_sasl_h" != X"yes"; then
|
||||
as_fn_error $? "\"--enable-sasl specified but unable to locate SASL development headers.\"" "$LINENO" 5
|
||||
fi
|
||||
if test X"$ac_cv_func_ldap_sasl_interactive_bind_s" != X"yes"; then :
|
||||
as_fn_error $? "\"--enable-sasl specified but SASL support is missing in your LDAP library\"" "$LINENO" 5
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
for ac_header in ldap_ssl.h mps/ldap_ssl.h
|
||||
do :
|
||||
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
|
||||
|
21
configure.ac
21
configure.ac
@@ -1562,6 +1562,15 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
|
||||
;;
|
||||
esac], [with_selinux=no])
|
||||
|
||||
AC_ARG_ENABLE(sasl,
|
||||
[AS_HELP_STRING([--enable-sasl], [Enable/disable LDAP SASL support])],
|
||||
[ case "$enableval" in
|
||||
yes|no) ;;
|
||||
*) AC_MSG_WARN([Ignoring unknown argument to --enable-sasl: $enableval])
|
||||
;;
|
||||
esac
|
||||
])
|
||||
|
||||
dnl
|
||||
dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
|
||||
dnl
|
||||
@@ -3745,10 +3754,22 @@ if test ${with_ldap-'no'} != "no"; then
|
||||
AC_MSG_RESULT([yes])
|
||||
AC_DEFINE(HAVE_LBER_H)])
|
||||
|
||||
if test ${enable_sasl-'yes'} = "yes"; then
|
||||
found_sasl_h=no
|
||||
AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [
|
||||
found_sasl_h=yes
|
||||
AC_CHECK_FUNCS([ldap_sasl_interactive_bind_s])
|
||||
break
|
||||
])
|
||||
if test X${enable_sasl} = X"yes"; then
|
||||
if test X"$found_sasl_h" != X"yes"; then
|
||||
AC_MSG_ERROR(["--enable-sasl specified but unable to locate SASL development headers."])
|
||||
fi
|
||||
if test X"$ac_cv_func_ldap_sasl_interactive_bind_s" != X"yes"; then :
|
||||
AC_MSG_ERROR(["--enable-sasl specified but SASL support is missing in your LDAP library"])
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
|
||||
AC_CHECK_FUNCS([ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np])
|
||||
AC_CHECK_FUNCS([ldap_search_ext_s ldap_search_st], [break])
|
||||
|
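Review bot: In the `*)` branch of the new `AC_ARG_ENABLE(sasl, ...)` handler the warning says the unknown argument is ignored, but `enable_sasl` keeps that value, so the later `if test ${enable_sasl-'yes'} = "yes"` is false and a value such as `--enable-sasl=maybe` builds sudo without LDAP SASL support instead of falling back to auto-detection. A site that relies on SASL binds to its LDAP server would only find out at run time; adding `unset enable_sasl` after the `AC_MSG_WARN` makes the behaviour match the message. The same test expands `${enable_sasl-'yes'}` unquoted, so an empty value (`--enable-sasl=`) leaves `test` with a missing operand; `if test X"${enable_sasl-yes}" = X"yes"; then` would match the X-prefixed style of the checks that follow it. The `if test ${with_ldap-'no'} != "no"` block enclosing the second hunk starts and ends outside it.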