Add support for DEREF in ldap.conf.
authorTodd C. Miller <Todd.Miller@courtesan.com>
Sat, 17 Sep 2011 00:10:21 +0000 (20:10 -0400)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Sat, 17 Sep 2011 00:10:21 +0000 (20:10 -0400)
--HG--
branch : 1.7

ldap.c
sudoers.ldap.pod

diff --git a/ldap.c b/ldap.c
index 700b410a820583e244cb37b7de59de616e3e77d7..47aa9f981f00665e12e0b3034ca3e2510ae403e1 100644 (file)
--- a/ldap.c
+++ b/ldap.c
 #define CONF_INT       1
 #define CONF_STR       2
 #define CONF_LIST_STR  4
+#define CONF_DEREF_VAL 5
 
 #define SUDO_LDAP_SSL          1
 #define SUDO_LDAP_STARTTLS     2
@@ -195,6 +196,7 @@ static struct ldap_config {
     int rootuse_sasl;
     int ssl_mode;
     int timed;
+    int deref;
     char *host;
     struct ldap_config_list_str *uri;
     char *binddn;
@@ -280,6 +282,9 @@ static struct ldap_config_table ldap_conf_table[] = {
 #ifdef LDAP_OPT_TIMEOUT
     { "timeout", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
        &ldap_conf.timeout },
+#endif
+#ifdef LDAP_OPT_DEREF
+    { "deref", CONF_DEREF_VAL, TRUE, LDAP_OPT_DEREF, &ldap_conf.deref },
 #endif
     { "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn },
     { "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw },
@@ -1186,6 +1191,7 @@ sudo_ldap_read_config()
     ldap_conf.bind_timelimit = -1;
     ldap_conf.use_sasl = -1;
     ldap_conf.rootuse_sasl = -1;
+    ldap_conf.deref = -1;
 
     if ((fp = fopen(_PATH_LDAP_CONF, "r")) == NULL)
        return FALSE;
@@ -1210,6 +1216,16 @@ sudo_ldap_read_config()
        for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
            if (strcasecmp(keyword, cur->conf_str) == 0) {
                switch (cur->type) {
+               case CONF_DEREF_VAL:
+                   if (strcasecmp(value, "searching") == 0)
+                       *(int *)(cur->valp) = LDAP_DEREF_SEARCHING;
+                   else if (strcasecmp(value, "finding") == 0)
+                       *(int *)(cur->valp) = LDAP_DEREF_FINDING;
+                   else if (strcasecmp(value, "always") == 0)
+                       *(int *)(cur->valp) = LDAP_DEREF_ALWAYS;
+                   else
+                       *(int *)(cur->valp) = LDAP_DEREF_NEVER;
+                   break;
                case CONF_BOOL:
                    *(int *)(cur->valp) = _atobool(value);
                    break;
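Review bot: The final `else` in the new CONF_DEREF_VAL case maps every unrecognized value to LDAP_DEREF_NEVER, so a misspelt setting such as `deref alway` is accepted without any diagnostic and silently overwrites the -1 "unset" default that sudo_ldap_read_config assigns earlier; "never" itself is only matched by falling through. Matching "never" explicitly and reporting anything else on stderr (the same channel the debug dump in the later hunk uses) keeps a misconfiguration visible instead of quietly changing search semantics, and leaves the -1 default in place for unknown input, which presumably means "do not set the option" for the code that consumes it further on — worth confirming. Note also that this case is compiled unconditionally while the table entry in the earlier hunk sits under `#ifdef LDAP_OPT_DEREF`; if any supported SDK defines the LDAP_DEREF_* constants and LDAP_OPT_DEREF independently, a matching guard would be needed. sudo_ldap_read_config begins and ends outside this hunk.
```c
                case CONF_DEREF_VAL:
                    if (strcasecmp(value, "never") == 0)
                        *(int *)(cur->valp) = LDAP_DEREF_NEVER;
                    else if (strcasecmp(value, "searching") == 0)
                        *(int *)(cur->valp) = LDAP_DEREF_SEARCHING;
                    else if (strcasecmp(value, "finding") == 0)
                        *(int *)(cur->valp) = LDAP_DEREF_FINDING;
                    else if (strcasecmp(value, "always") == 0)
                        *(int *)(cur->valp) = LDAP_DEREF_ALWAYS;
                    else
                        /* unknown keyword: report it and leave the -1 default untouched */
                        fprintf(stderr, "%s: unknown deref value \"%s\", ignored\n",
                            _PATH_LDAP_CONF, value);
                    break;
                /* … unchanged: CONF_BOOL and remaining cases … */
```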
@@ -1282,6 +1298,8 @@ sudo_ldap_read_config()
            fprintf(stderr, "timelimit        %d\n", ldap_conf.timelimit);
        if (ldap_conf.timeout > 0)
            fprintf(stderr, "timeout          %d\n", ldap_conf.timeout);
+       if (ldap_conf.deref != -1)
+           fprintf(stderr, "deref            %d\n", ldap_conf.deref);
        fprintf(stderr, "ssl              %s\n", ldap_conf.ssl ?
            ldap_conf.ssl : "(no)");
        if (ldap_conf.tls_checkpeer != -1)
index b12c6e6bb260c45aa7f12c9dcf0745be3da1cb01..88c60155ceabe3bd1ae65f937ebc595c2600724a 100644 (file)
@@ -536,6 +536,11 @@ SASL programmer's manual for details.
 The path to the Kerberos 5 credential cache to use when authenticating
 with the remote server.
 
+=item B<DEREF> never/searching/finding/always
+
+How alias dereferencing is to be performed when searching.  See the
+L<ldap.conf(5)> manual for a full description of this option.
+
 =back
 
 See the C<ldap.conf> entry in the L<EXAMPLES> section.