Add support for SASL_MECH in ldap.conf; Bug #764

doc/sudoers.ldap.cat

@@ -425,6 +425,10 @@ DDEESSCCRRIIPPTTIIOONN
            default, ssuuddoo will use an anonymous connection.  This option is
            only relevant when using SASL authentication.
 
+     SSAASSLL__MMEECCHH _m_e_c_h_a_n_i_s_m_s
+           A white space-delimited list of SASL authentication mechanisms to
+           use.  By default, ssuuddoo will use GSSAPI authentication.
+
      SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s
            SASL security properties or _n_o_n_e for no properties.  See the SASL
            programmer's manual for details.  This option is only relevant when
@@ -907,4 +911,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.19                    September 1, 2016                   Sudo 1.8.19
+Sudo 1.8.19                    January 17, 2017                    Sudo 1.8.19

doc/sudoers.ldap.man.in

@@ -1,7 +1,7 @@
 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
 .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
 .\"
-.\" Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDOERS.LDAP" "5" "September 1, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -766,6 +766,14 @@ By default,
 will use an anonymous connection.
 This option is only relevant when using SASL authentication.
 .TP 6n
+\fBSASL_MECH\fR \fImechanisms\fR
+A white space-delimited list of SASL authentication mechanisms to use.
+By default,
+\fBsudo\fR
+will use
+\fRGSSAPI\fR
+authentication.
+.TP 6n
 \fBSASL_SECPROPS\fR \fInone/properties\fR
 SASL security properties or
 \fInone\fR

doc/sudoers.ldap.mdoc.in

@@ -1,5 +1,5 @@
 .\"
-.\" Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 1, 2016
+.Dd January 17, 2017
 .Dt SUDOERS.LDAP @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -716,6 +716,13 @@ By default,
 .Nm sudo
 will use an anonymous connection.
 This option is only relevant when using SASL authentication.
+.It Sy SASL_MECH Ar mechanisms
+A white space-delimited list of SASL authentication mechanisms to use.
+By default,
+.Nm sudo
+will use
+.Dv GSSAPI
+authentication.
 .It Sy SASL_SECPROPS Ar none/properties
 SASL security properties or
 .Em none

plugins/sudoers/ldap.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * This code is derived from software contributed by Aaron Spangler.
  *
@@ -258,6 +258,7 @@ static struct ldap_config {
     char *tls_certfile;
     char *tls_keyfile;
     char *tls_keypw;
+    char *sasl_mech;
     char *sasl_auth_id;
     char *rootsasl_auth_id;
     char *sasl_secprops;
@@ -326,6 +327,7 @@ static struct ldap_config_table ldap_conf_global[] = {
     { "netgroup_search_filter", CONF_STR, -1, &ldap_conf.netgroup_search_filter },
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
     { "use_sasl", CONF_BOOL, -1, &ldap_conf.use_sasl },
+    { "sasl_mech", CONF_STR, -1, &ldap_conf.sasl_mech },
     { "sasl_auth_id", CONF_STR, -1, &ldap_conf.sasl_auth_id },
     { "rootuse_sasl", CONF_BOOL, -1, &ldap_conf.rootuse_sasl },
     { "rootsasl_auth_id", CONF_STR, -1, &ldap_conf.rootsasl_auth_id },
@@ -2183,7 +2185,17 @@ sudo_ldap_read_config(void)
     }
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
     if (ldap_conf.use_sasl != -1) {
+	if (ldap_conf.sasl_mech == NULL) {
+	    /* Default mechanism is GSSAPI. */
+	    ldap_conf.sasl_mech = strdup("GSSAPI");
+	    if (ldap_conf.sasl_mech == NULL) {
+		sudo_warnx(U_("%s: %s"), __func__,
+		    U_("unable to allocate memory"));
+		debug_return_bool(false);
+	    }
+	}
 	DPRINTF1("use_sasl         %s", ldap_conf.use_sasl ? "yes" : "no");
+	DPRINTF1("sasl_mech        %s", ldap_conf.sasl_mech);
 	DPRINTF1("sasl_auth_id     %s",
 	    ldap_conf.sasl_auth_id ? ldap_conf.sasl_auth_id : "(NONE)");
 	DPRINTF1("rootuse_sasl     %d",
@@ -3035,8 +3047,9 @@ sudo_ldap_bind_s(LDAP *ld)
 		    "sudo_set_krb5_ccache_name() failed: %d", rc);
 	    }
 	}
-	ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
-	    NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
+	ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn,
+	    ldap_conf.sasl_mech, NULL, NULL, LDAP_SASL_QUIET,
+	    sudo_ldap_sasl_interact, auth_id);
 	if (new_ccname != NULL) {
 	    rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
 	    if (rc == 0) {