the old credential cache file name. This can happen if there was
no old name returned by gss_krb5_ccache_name(). Fixes a crash on
kerberized LDAP on some platforms.
support requires an expensive substring match on the server. If
netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
constructing the netgroup query, add (sudoUser=*) to the query so
we don't fall below the 3 character OpenLDAP substring threshold.
Otherwise the index for sudoUser will never be used for that query.
Pointed out by Michael Stroeder.
statically compiling in the sudoers plugin but still allow other
plugins to be loaded. The new --enable-static-sudoers configure
option will cause the sudoers plugin to be compiled statically into
the sudo binary. This does not prevent other plugins from being
loaded as per sudo.conf.
then calls gettext().
Add U_ macro that calls warning_gettext() instead of gettext().
Rename warning2()/error2() back to warning_nodebug()/error_nodebug().
together but it was clearing the host entry each time through the
loop. Fixes a bug with multiple URI entries in ldap.conf where
only the last one was being honored.
queue functions. This includes a private queue.h header derived
from FreeBSD. It is simpler to just use our own header rather than
try to deal with macros that may or may not be present in various
queue.h incarnations.
0, it is not possible for the gssapi libs to find the user's krb5
credential cache file. To work around this, we make a temporary
copy of the user's credential cache specified by KRB5CCNAME (opened
with the user's effective uid) and point gssapi to it. To set the
credential cache file name, we dynamically look up gss_krb5_ccache_name()
and use it if available, otherwise fall back to setting KRB5CCNAME.
SUDO_DEBUG_DIAG and SUDO_DEBUG_INFO respectively for logging to the
debug file with the ldap subsystem.
The sudoers_debug setting in ldap.conf is still honored for now but
will be removed in a future release.
Currently supports SHA-224, SHA-256, SHA-384, SHA-512.
TODO: checksum format validation in parser and base64 support.
checksum support for ldap sudoers
MAXHOSTNAMELEN and the MIN/MAX macros. We now use PATH_MAX and
HOST_NAME_MAX throughout without falling back on MAXPATHLEN or
MAXHOSTNAMELEN and define our own MIN/MAX macros as needed.
present in a date so append .0 to the "now" value in the time filter.
Also remove space for the global AND from TIMEFILTER_LENGTH since
it was not being used consistently. Buffers of TIMEFILTER_LENGTH
now need to account for the terminating NUL byte.
Set global LDAP options before calling ldap_initialize() or ldap_init().
After we have an LDAP handle, set the per-connection options.
Fixes a problem with OpenLDAP using the nss crypto backend; bug #342
