Use a default LDAP search filter of (objectClass=sudoRole). When
constructing the netgroup query, add (sudoUser=*) to the query so
we don't fall below the 3 character OpenLDAP substring threshold.
Otherwise the index for sudoUser will never be used for that query.
Pointed out by Michael Stroeder.
Todd C. Miller
2014-02-06 15:50:08 -07:00
parent b299763e34
commit f7a419b5f9
4 changed files with 24 additions and 8 deletions

@@ -346,7 +346,9 @@ DDEESSCCRRIIPPTTIIOONN
An LDAP filter which is used to restrict the set of records
returned when performing a ssuuddoo LDAP query. Typically, this is of
the form attribute=value or
(&(attribute=value)(attribute2=value2)).
(&(attribute=value)(attribute2=value2)). The default search filter
is: objectClass=sudoRole. If _l_d_a_p___f_i_l_t_e_r is not present, no search
filter will be used.
SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
@@ -810,4 +812,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.9 August 30, 2013 Sudo 1.8.9
Sudo 1.8.10b2 February 6, 2014 Sudo 1.8.10b2

@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
.\"
.\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
.\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "SUDOERS.LDAP" "8" "August 30, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
.TH "SUDOERS.LDAP" "8" "February 6, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -643,6 +643,11 @@ form
\fRattribute=value\fR
or
\fR(&(attribute=value)(attribute2=value2))\fR.
The default search filter is:
\fRobjectClass=sudoRole\fR.
If
\fIldap_filter\fR
is not present, no search filter will be used.
.TP 6n
\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
Whether or not to evaluate the

@@ -1,5 +1,5 @@
.\"
.\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
.\" Copyright (c) 2003-2014 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 30, 2013
.Dd February 6, 2014
.Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -604,6 +604,11 @@ form
.Li attribute=value
or
.Li (&(attribute=value)(attribute2=value2)) .
The default search filter is:
.Li objectClass=sudoRole .
If
.Ar ldap_filter
is not present, no search filter will be used.
.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
Whether or not to evaluate the
.Li sudoNotBefore

@@ -145,6 +145,9 @@ extern int ldapssl_set_strength(LDAP *ldap, int strength);
#define SUDO_LDAP_SSL 1
#define SUDO_LDAP_STARTTLS 2
/* Default search filter. */
#define DEFAULT_SEARCH_FILTER "(objectClass=sudoRole)"
/* The TIMEFILTER_LENGTH is the length of the filter when timed entries
are used. The length is computed as follows:
81 for the filter itself
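Review bot: DEFAULT_SEARCH_FILTER is defined in the parenthesized form "(objectClass=sudoRole)", while the documentation hunks in this commit give the default as objectClass=sudoRole without parentheses. Because search_filter is spliced verbatim between "(&" and ")" in sudo_ldap_build_pass2, the two forms are not interchangeable unless the config reader parenthesizes a bare filter; either document the parenthesized form or note in the comment here which form the user-facing ldap_filter option accepts.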
@@ -1356,7 +1359,7 @@ sudo_ldap_build_pass2(void)
ldap_conf.timed ? timebuffer : "",
(ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
} else {
easprintf(&filt, "%s%s(sudoUser=+*)%s%s",
easprintf(&filt, "%s%s(sudoUser=*)(sudoUser=+*)%s%s",
(ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
ldap_conf.search_filter ? ldap_conf.search_filter : "",
ldap_conf.timed ? timebuffer : "",
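Review bot: with two terms now in the filter, the enclosing conjunction must be unconditional. The argument `(ldap_conf.timed || ldap_conf.search_filter) ? "(&" : ""` (and the matching `")"` at the end) still emits (& ... ) only when timed entries or a search filter are configured; since the CONF_STR change lets ldap_filter be set to an empty value (NULL), a configuration with an empty ldap_filter and SUDOERS_TIMED off produces "(sudoUser=*)(sudoUser=+*)", which is not a valid LDAP filter. Suggest building it as `"(&%s(sudoUser=*)(sudoUser=+*)%s)"` with only the search_filter and timebuffer arguments, dropping the two conditional prefix and suffix arguments.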
@@ -1427,7 +1430,7 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value,
break;
case CONF_STR:
efree(*(char **)(cur->valp));
*(char **)(cur->valp) = estrdup(value);
*(char **)(cur->valp) = *value ? estrdup(value) : NULL;
break;
case CONF_LIST_STR:
{
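Review bot: this change applies to every CONF_STR keyword handled by sudo_ldap_parse_keyword, not only ldap_filter, so setting any string option to an empty value now stores NULL instead of an empty string. That is what overriding the default filter needs, but it is a behaviour change for the other string options and for any consumer that dereferences one of them without a NULL check; worth a sentence in the commit message or the ldap.conf documentation, and a pass over the other CONF_STR consumers.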
@@ -1523,6 +1526,7 @@ sudo_ldap_read_config(void)
ldap_conf.use_sasl = -1;
ldap_conf.rootuse_sasl = -1;
ldap_conf.deref = -1;
ldap_conf.search_filter = estrdup(DEFAULT_SEARCH_FILTER);
STAILQ_INIT(&ldap_conf.uri);
STAILQ_INIT(&ldap_conf.base);
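Review bot: the default is assigned with estrdup before the config file is parsed, so an explicit ldap_filter later replaces it through the efree/estrdup path in CONF_STR, and an empty value clears it to NULL. A one-line comment on the `ldap_conf.search_filter = estrdup(DEFAULT_SEARCH_FILTER);` line stating that ldap_filter in ldap.conf overrides or clears this default would make that interaction visible to the next reader.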