0, it is not possible for the gssapi libs to find the user's krb5
credential cache file. To work around this, we make a temporary
copy of the user's credential cache specified by KRB5CCNAME (opened
with the user's effective uid) and point gssapi to it. To set the
credential cache file name, we dynamically look up gss_krb5_ccache_name()
and use it if available, otherwise fall back to setting KRB5CCNAME.
SUDO_DEBUG_DIAG and SUDO_DEBUG_INFO respectively for logging to the
debug file with the ldap subsystem.
The sudoers_debug setting in ldap.conf is still honored for now but
will be removed in a future release.
Currently supports SHA-224, SHA-256, SHA-384, SHA-512.
TODO: checksum format validation in parser and base64 support.
checksum support for ldap sudoers
MAXHOSTNAMELEN and the MIN/MAX macros. We now use PATH_MAX and
HOST_NAME_MAX throughout without falling back on MAXPATHLEN or
MAXHOSTNAMELEN and define our own MIN/MAX macros as needed.
present in a date so append .0 to the "now" value in the time filter.
Also remove space for the global AND from TIMEFILTER_LENGTH since
it was not being used consistently. Buffers of TIMEFILTER_LENGTH
now need to account for the terminating NUL byte.
Set global LDAP options before calling ldap_initialize() or ldap_init().
After we have an LDAP handle, set the per-connection options.
Fixes a problem with OpenLDAP using the nss crypto backend; bug #342
hooks for getenv, putenv, setenv and unsetenv. This makes it
possible for the plugin to trap changes to the environment made by
authentication methods such as PAM or BSD auth so that such changes
are reflected in the environment passed back to sudo for execve().
group_info and use it to store both, along with a count for each.
Cache group info on a per-user basis using getgrouplist() to get
the groups. We no longer need special to special case the user or
list user for user_in_group() and thus no longer need to reset the
groups list when listing another user.
result of getgroups()) to names and store both the group names and
ids in the sudo_user struct. When matching groups in the sudoers
file, match based on the names in the groups list first and
only do a gid-based match when we absolutely have to. By matching
on the group name (as it is listed in sudoers) instead of id
(which we would have to resolve) we save a lot of group lookups
for sudoers files with a lot of groups in them.
