isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use a default LDAP search filter of (objectClass=sudoRole). When

Browse Source 
constructing the netgroup query, add (sudoUser=*) to the query so
we don't fall below the 3 character OpenLDAP substring threshold.
Otherwise the index for sudoUser will never be used for that query.
Pointed out by Michael Stroeder.
This commit is contained in:
Todd C. Miller
2014-02-06 15:50:08 -07:00
parent b299763e34
commit f7a419b5f9
4 changed files with 24 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
doc/sudoers.ldap.cat
View File

@@ -346,7 +346,9 @@ DDEESSCCRRIIPPTTIIOONN
An LDAP filter which is used to restrict the set of records An LDAP filter which is used to restrict the set of records
returned when performing a ssuuddoo LDAP query. Typically, this is of returned when performing a ssuuddoo LDAP query. Typically, this is of
the form attribute=value or the form attribute=value or
(&(attribute=value)(attribute2=value2)). (&(attribute=value)(attribute2=value2)). The default search filter
is: objectClass=sudoRole. If _l_d_a_p___f_i_l_t_e_r is not present, no search
filter will be used.
SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
Whether or not to evaluate the sudoNotBefore and sudoNotAfter Whether or not to evaluate the sudoNotBefore and sudoNotAfter
@@ -810,4 +812,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details. complete details.
Sudo 1.8.9 August 30, 2013 Sudo 1.8.9 Sudo 1.8.10b2 February 6, 2014 Sudo 1.8.10b2

9
doc/sudoers.ldap.man.in
View File

@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
.\" .\"
.\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> .\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "SUDOERS.LDAP" "8" "August 30, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" .TH "SUDOERS.LDAP" "8" "February 6, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -643,6 +643,11 @@ form
\fRattribute=value\fR \fRattribute=value\fR
or or
\fR(&(attribute=value)(attribute2=value2))\fR. \fR(&(attribute=value)(attribute2=value2))\fR.
The default search filter is:
\fRobjectClass=sudoRole\fR.
If
\fIldap_filter\fR
is not present, no search filter will be used.
.TP 6n .TP 6n
\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
Whether or not to evaluate the Whether or not to evaluate the

9
doc/sudoers.ldap.mdoc.in
View File

@@ -1,5 +1,5 @@
.\" .\"
.\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> .\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd August 30, 2013 .Dd February 6, 2014
.Dt SUDOERS.LDAP @mansectsu@ .Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -604,6 +604,11 @@ form
.Li attribute=value .Li attribute=value
or or
.Li (&(attribute=value)(attribute2=value2)) . .Li (&(attribute=value)(attribute2=value2)) .
The default search filter is:
.Li objectClass=sudoRole .
If
.Ar ldap_filter
is not present, no search filter will be used.
.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
Whether or not to evaluate the Whether or not to evaluate the
.Li sudoNotBefore .Li sudoNotBefore

8
plugins/sudoers/ldap.c
View File

@@ -145,6 +145,9 @@ extern int ldapssl_set_strength(LDAP *ldap, int strength);
#define SUDO_LDAP_SSL 1 #define SUDO_LDAP_SSL 1
#define SUDO_LDAP_STARTTLS 2 #define SUDO_LDAP_STARTTLS 2
/* Default search filter. */
#define DEFAULT_SEARCH_FILTER "(objectClass=sudoRole)"
/* The TIMEFILTER_LENGTH is the length of the filter when timed entries /* The TIMEFILTER_LENGTH is the length of the filter when timed entries
are used. The length is computed as follows: are used. The length is computed as follows:
81 for the filter itself 81 for the filter itself
@@ -1356,7 +1359,7 @@ sudo_ldap_build_pass2(void)
ldap_conf.timed ? timebuffer : "", ldap_conf.timed ? timebuffer : "",
(ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""); (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
} else { } else {
easprintf(&filt, "%s%s(sudoUser=+*)%s%s", easprintf(&filt, "%s%s(sudoUser=*)(sudoUser=+*)%s%s",
(ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "", (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
ldap_conf.search_filter ? ldap_conf.search_filter : "", ldap_conf.search_filter ? ldap_conf.search_filter : "",
ldap_conf.timed ? timebuffer : "", ldap_conf.timed ? timebuffer : "",
@@ -1427,7 +1430,7 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value,
break; break;
case CONF_STR: case CONF_STR:
efree(*(char **)(cur->valp)); efree(*(char **)(cur->valp));
*(char **)(cur->valp) = estrdup(value); *(char **)(cur->valp) = *value ? estrdup(value) : NULL;
break; break;
case CONF_LIST_STR: case CONF_LIST_STR:
{ {
@@ -1523,6 +1526,7 @@ sudo_ldap_read_config(void)
ldap_conf.use_sasl = -1; ldap_conf.use_sasl = -1;
ldap_conf.rootuse_sasl = -1; ldap_conf.rootuse_sasl = -1;
ldap_conf.deref = -1; ldap_conf.deref = -1;
ldap_conf.search_filter = estrdup(DEFAULT_SEARCH_FILTER);
STAILQ_INIT(&ldap_conf.uri); STAILQ_INIT(&ldap_conf.uri);
STAILQ_INIT(&ldap_conf.base); STAILQ_INIT(&ldap_conf.base);