Add support for SASL_MECH in ldap.conf; Bug #764

This commit is contained in:
Todd C. Miller
2017-01-17 11:09:23 -07:00
parent 34ba901baa
commit df03020c4c
4 changed files with 40 additions and 8 deletions


@@ -425,6 +425,10 @@ DDEESSCCRRIIPPTTIIOONN
default, ssuuddoo will use an anonymous connection. This option is default, ssuuddoo will use an anonymous connection. This option is
only relevant when using SASL authentication. only relevant when using SASL authentication.
SSAASSLL__MMEECCHH _m_e_c_h_a_n_i_s_m_s
A white space-delimited list of SASL authentication mechanisms to
use. By default, ssuuddoo will use GSSAPI authentication.
SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s
SASL security properties or _n_o_n_e for no properties. See the SASL SASL security properties or _n_o_n_e for no properties. See the SASL
programmer's manual for details. This option is only relevant when programmer's manual for details. This option is only relevant when
@@ -907,4 +911,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.19 September 1, 2016 Sudo 1.8.19 Sudo 1.8.19 January 17, 2017 Sudo 1.8.19


@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
.\" .\"
.\" Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com> .\" Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "SUDOERS.LDAP" "5" "September 1, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS.LDAP" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -766,6 +766,14 @@ By default,
will use an anonymous connection. will use an anonymous connection.
This option is only relevant when using SASL authentication. This option is only relevant when using SASL authentication.
.TP 6n .TP 6n
\fBSASL_MECH\fR \fImechanisms\fR
A white space-delimited list of SASL authentication mechanisms to use.
By default,
\fBsudo\fR
will use
\fRGSSAPI\fR
authentication.
.TP 6n
\fBSASL_SECPROPS\fR \fInone/properties\fR \fBSASL_SECPROPS\fR \fInone/properties\fR
SASL security properties or SASL security properties or
\fInone\fR \fInone\fR


@@ -1,5 +1,5 @@
.\" .\"
.\" Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com> .\" Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd September 1, 2016 .Dd January 17, 2017
.Dt SUDOERS.LDAP @mansectform@ .Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -716,6 +716,13 @@ By default,
.Nm sudo .Nm sudo
will use an anonymous connection. will use an anonymous connection.
This option is only relevant when using SASL authentication. This option is only relevant when using SASL authentication.
.It Sy SASL_MECH Ar mechanisms
A white space-delimited list of SASL authentication mechanisms to use.
By default,
.Nm sudo
will use
.Dv GSSAPI
authentication.
.It Sy SASL_SECPROPS Ar none/properties .It Sy SASL_SECPROPS Ar none/properties
SASL security properties or SASL security properties or
.Em none .Em none


@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com> * Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
* *
* This code is derived from software contributed by Aaron Spangler. * This code is derived from software contributed by Aaron Spangler.
* *
@@ -258,6 +258,7 @@ static struct ldap_config {
char *tls_certfile; char *tls_certfile;
char *tls_keyfile; char *tls_keyfile;
char *tls_keypw; char *tls_keypw;
char *sasl_mech;
char *sasl_auth_id; char *sasl_auth_id;
char *rootsasl_auth_id; char *rootsasl_auth_id;
char *sasl_secprops; char *sasl_secprops;
@@ -326,6 +327,7 @@ static struct ldap_config_table ldap_conf_global[] = {
{ "netgroup_search_filter", CONF_STR, -1, &ldap_conf.netgroup_search_filter }, { "netgroup_search_filter", CONF_STR, -1, &ldap_conf.netgroup_search_filter },
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
{ "use_sasl", CONF_BOOL, -1, &ldap_conf.use_sasl }, { "use_sasl", CONF_BOOL, -1, &ldap_conf.use_sasl },
{ "sasl_mech", CONF_STR, -1, &ldap_conf.sasl_mech },
{ "sasl_auth_id", CONF_STR, -1, &ldap_conf.sasl_auth_id }, { "sasl_auth_id", CONF_STR, -1, &ldap_conf.sasl_auth_id },
{ "rootuse_sasl", CONF_BOOL, -1, &ldap_conf.rootuse_sasl }, { "rootuse_sasl", CONF_BOOL, -1, &ldap_conf.rootuse_sasl },
{ "rootsasl_auth_id", CONF_STR, -1, &ldap_conf.rootsasl_auth_id }, { "rootsasl_auth_id", CONF_STR, -1, &ldap_conf.rootsasl_auth_id },
@@ -2183,7 +2185,17 @@ sudo_ldap_read_config(void)
} }
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
if (ldap_conf.use_sasl != -1) { if (ldap_conf.use_sasl != -1) {
if (ldap_conf.sasl_mech == NULL) {
/* Default mechanism is GSSAPI. */
ldap_conf.sasl_mech = strdup("GSSAPI");
if (ldap_conf.sasl_mech == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
}
}
DPRINTF1("use_sasl %s", ldap_conf.use_sasl ? "yes" : "no"); DPRINTF1("use_sasl %s", ldap_conf.use_sasl ? "yes" : "no");
DPRINTF1("sasl_mech %s", ldap_conf.sasl_mech);
DPRINTF1("sasl_auth_id %s", DPRINTF1("sasl_auth_id %s",
ldap_conf.sasl_auth_id ? ldap_conf.sasl_auth_id : "(NONE)"); ldap_conf.sasl_auth_id ? ldap_conf.sasl_auth_id : "(NONE)");
DPRINTF1("rootuse_sasl %d", DPRINTF1("rootuse_sasl %d",
@@ -3035,8 +3047,9 @@ sudo_ldap_bind_s(LDAP *ld)
"sudo_set_krb5_ccache_name() failed: %d", rc); "sudo_set_krb5_ccache_name() failed: %d", rc);
} }
} }
ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI", ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn,
NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id); ldap_conf.sasl_mech, NULL, NULL, LDAP_SASL_QUIET,
sudo_ldap_sasl_interact, auth_id);
if (new_ccname != NULL) { if (new_ccname != NULL) {
rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL); rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
if (rc == 0) { if (rc == 0) {
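Review bot: The GSSAPI default for sasl_mech is applied only inside `if (ldap_conf.use_sasl != -1)` in sudo_ldap_read_config, yet the field is consumed unconditionally by the ldap_sasl_interactive_bind_s call at the end of the last hunk, and the config-table hunk shows a separate rootuse_sasl option. If the SASL bind path in sudo_ldap_bind_s can be reached with rootuse_sasl set while use_sasl is left unset (that condition lies outside the hunk, so this is inferred), the bind would now receive a NULL mechanism list instead of the previous hard-coded "GSSAPI", which in libldap typically means negotiating whatever the server advertises — a silent change from the old behaviour. I would hoist the `if (ldap_conf.sasl_mech == NULL) { ... strdup("GSSAPI") ... }` block out of the use_sasl condition so the default holds on every SASL path, or else fail the bind when sasl_mech is NULL. The manual text added in the other sections could also note that the selected mechanisms should be paired with sasl_secprops or TLS, since the new knob lets an administrator choose mechanisms that do not protect credentials on the wire. Both sudo_ldap_read_config and sudo_ldap_bind_s begin outside their hunks.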