Commit Graph

108 Commits

Author SHA1 Message Date
Todd C. Miller
3bb69ffe81 Remove CVS $Sudo$ tags. 2010-01-17 19:51:28 -05:00
Todd C. Miller
9606d21653 For netscape-derived LDAP SDKs the cert and key paths may be a
directory or a file.  However, version 5.0 of the SDK only seems
to support using a directory.  If ldapssl_clientauth_init fails and
the cert or key paths look like they could be files, strip off the
last path element and try again.
2009-05-29 13:43:12 +00:00
Todd C. Miller
62b89f9dfc Update copyright years. 2009-05-25 12:02:42 +00:00
Todd C. Miller
322abc61e3 Back out rev 1.105 for now. Real ldapux_client.conf support will be
done later after some refactoring.
2009-03-16 16:11:28 +00:00
Todd C. Miller
c07c11f6b6 Treat ldap_hostport the same as "host" for ldapux. 2009-03-14 16:02:11 +00:00
Todd C. Miller
4210f536c6 tivoli-based ldap does not have ldapssl_err2string 2009-03-02 12:36:06 +00:00
Todd C. Miller
ef071fa655 Add support for Tivoli-based LDAP start TLS as seen in AIX. Untested. 2009-03-01 21:20:37 +00:00
Todd C. Miller
6fed38f323 Replace sudo_setenv/sudo_unsetenv with calls to setenv/unsetenv and
provide our own setenv/unsetenv/putenv that operate on our own env pointer.
Make sync_env() inline in setenv/unsetenv/putenv functions.
2009-03-01 00:58:41 +00:00
Todd C. Miller
da769cd429 For ldap_search_ext_s() the sizelimit param should be 0, not -1, to
indicate no limit.  From Mark Janssen.
2009-01-27 16:54:23 +00:00
Todd C. Miller
25aa1b5bf1 Fix typo/thinko in sudo_ldap_read_secret() when storing the secret. 2008-04-23 12:30:07 +00:00
Todd C. Miller
3fa2f32928 define LDAPS_PORT if the system headers do not 2008-04-11 14:03:30 +00:00
Todd C. Miller
4f5d9371a3 Add debugging so we can tell if the krb5 ccache is accessible 2008-02-10 23:06:19 +00:00
Todd C. Miller
f2b70188b6 Add support for SELinux RBAC. Sudoers entries may specify a role and type.
There are also role and type defaults that may be used.  To make sure a
transition occurs when using RBAC, commands are executed via the new sesh
binary.  Based on initial changes from Dan Walsh.
2008-02-09 14:30:06 +00:00
Todd C. Miller
5d20923c2f Add long list (sudo -ll) support for printing verbose LDAP and sudoers
file entries.  Still need to update manual.
2008-02-08 13:18:12 +00:00
Todd C. Miller
3c7b76bb54 Unify the -l output for file and ldap based sudoers and use lbufs for both.
The ldap output does not currently include options that cannot be represented
as tags.  This will be remedied in a long list output mode to come.
2008-02-03 15:43:38 +00:00
Todd C. Miller
a3e6610e01 Include ldap_ssl.h if we can find it. Needed for the ldapssl_set_strength
defines on HP-UX at least.
2008-01-21 16:07:42 +00:00
Todd C. Miller
09c1189d1b Fix a typo/thinko in one of the calls to sudo_ldap_check_user_netgroup().
From Marco van Wieringen.
2008-01-18 21:47:05 +00:00
Todd C. Miller
0f6101bb26 include <mps/ldap_ssl.h> in ldap.c if available 2008-01-17 20:44:28 +00:00
Todd C. Miller
6131e9f36e fix typo 2008-01-14 11:40:08 +00:00
Todd C. Miller
9a07c1a7f1 For netscape-based LDAP, use ldapssl_set_strength() to implement
the checkpeer ldap.conf option.
2008-01-13 19:22:11 +00:00
Todd C. Miller
00030b9ad2 Move ldap.secret reading into a separate function. 2008-01-06 12:56:46 +00:00
Todd C. Miller
9998419d7a Check strlcpy() return values. 2008-01-05 23:25:58 +00:00
Todd C. Miller
4bb2167453 refactor ldap binding code into sudo_ldap_bind_s() 2008-01-05 23:12:19 +00:00
Todd C. Miller
28ed51b441 Improve chaining of multiple sudoers sources by passing in the previous return value to the next in the chain 2008-01-05 18:27:18 +00:00
Todd C. Miller
e4370acaa4 Parse URI ourselves if no ldap_initialize() is present
Use ldap_create() instead of deprecated ldap_init()
Use ldap_sasl_bind_s() instead of deprecated ldap_simple_bind_s()
2008-01-05 12:59:05 +00:00
Todd C. Miller
86bd55fc6d Add sudo_ldap_get_first_rdn() to return the first rdn of an entry's dn
using the mechanism appropriate for the LDAP SDK in use.
Use ldap_unbind_ext_s() instead of deprecated ldap_unbind_s().
Emulate ldap_unbind_ext_s() and ldap_search_ext_s() for SDKs without them.
2008-01-03 21:11:33 +00:00
Todd C. Miller
e238133159 use ldap_search_ext_s instead of deprecated ldap_search_s 2008-01-02 16:05:50 +00:00
Todd C. Miller
5173bbb95d Replace deprecated ldap_explode_dn() with calls to ldap_str2dn()
and ldap_rdn2str().
2008-01-02 00:04:50 +00:00
Todd C. Miller
8a2db8bd08 Use ldap_get_values_len()/ldap_value_free_len() instead of the
deprecated ldap_get_values()/ldap_value_free().
2008-01-01 23:37:51 +00:00
Todd C. Miller
aa562c8f69 Same return value as non-existent sudoers if LDAP was unable to connect. 2008-01-01 22:03:54 +00:00
Todd C. Miller
a7fb2f3e36 When building up a query don't list groups in the aux group vector
that are the same as the passwd file group.  On most systems the
first gid in the group vector is the same as the passwd entry gid.
2008-01-01 21:25:23 +00:00
Todd C. Miller
cd30e84743 Define LDAPNOINIT before calling ldap_init(), etc. to disable user
ldaprc and system defaults that could affect how LDAP works.
2008-01-01 19:01:42 +00:00
Todd C. Miller
d6e9445a6a no longer need to check def_ignore_local_sudoers here 2007-12-31 21:44:46 +00:00
Todd C. Miller
b289130680 belt and suspenders; zero out result after freeing it 2007-12-31 21:10:49 +00:00
Todd C. Miller
926dcd0bcc Refactor line reading into a separate function, sudo_parseln(),
which removes comments, leading/trailing whitespace and newlines.
May want to rethink the use of sudo_parseln() for /etc/ldap.secret
2007-12-31 20:04:46 +00:00
Todd C. Miller
09439030f6 make it clear that the global options are from LDAP 2007-12-31 19:24:10 +00:00
Todd C. Miller
adfaebdb4d nss-ify display_privs and display_cmnd. 2007-12-31 15:08:30 +00:00
Todd C. Miller
ae2ae34528 Use nsswitch to hide some sudoers vs. ldap implementation details
and reduce the number of #ifdef LDAP
TODO: fix display routines and error handling
2007-12-31 12:39:52 +00:00
Todd C. Miller
7f323157a2 First cut at nsswitch.conf support.
Further reorganization and related changes are forthcoming.
2007-12-28 16:20:45 +00:00
Todd C. Miller
1a69e42d95 include limits.h 2007-12-21 21:20:30 +00:00
Todd C. Miller
56729b9a63 Use ldapssl_init() for ldaps support instead of trying
to do it manually with ldap_init() + ldapssl_install_routines().
Use tls_cert and tls_key for cert7.db and key3.db respectively.
Don't print debugging info for options that are not set.
Add warning if start_tls specified when not supported.
2007-12-19 19:28:57 +00:00
Todd C. Miller
f60e1d3cb7 fix compilation on solaris 2007-12-19 19:25:10 +00:00
Todd C. Miller
dbe2b9e4f3 fix LDAP_OPT_NETWORK_TIMEOUT setting 2007-12-18 14:54:45 +00:00
Todd C. Miller
3be9fcbedb fix compilation on Solaris 2007-12-18 01:10:10 +00:00
Todd C. Miller
b409499304 Add support for "ssl on" in both netscape and openldap flavors.
Only the OpenLDAP flavor has been tested.
2007-12-17 12:31:40 +00:00
Todd C. Miller
c5b5f0cfd7 Distinguish between LDAP conf settings that are connection-specific
(which take an ld pointer) and those that are default settings (which do not).
2007-12-16 19:08:05 +00:00
Todd C. Miller
06e6097a49 Improved warnings on error. 2007-12-14 21:46:31 +00:00
Todd C. Miller
7c1889af15 Make ldap config table driven and set the config *after* we open the
connection.
2007-12-14 20:59:17 +00:00
Todd C. Miller
6acbe17288 fix LDAP_OPT_X_CONNECT_TIMEOUT compat define 2007-12-13 21:41:58 +00:00
Todd C. Miller
ae98617dfe add -g support for LDAP 2007-12-08 00:09:28 +00:00