* NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
compatibility with OpenLDAP configuration files.
+ * The LDAP API TIMEOUT parameter is now honored in ldap.conf.
+
What's new in Sudo 1.7.4p4?
* A potential security issue has been fixed with respect to the handling
/* Define to 1 if you have the `ldap_search_ext_s' function. */
#undef HAVE_LDAP_SEARCH_EXT_S
+/* Define to 1 if you have the `ldap_search_st' function. */
+#undef HAVE_LDAP_SEARCH_ST
+
/* Define to 1 if you have the `ldap_ssl_client_init' function. */
#undef HAVE_LDAP_SSL_CLIENT_INIT
done
- for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np
+ for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
+fi
+done
+
+ for ac_func in ldap_search_ext_s ldap_search_st
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+eval as_val=\$$as_ac_var
+ if test "x$as_val" = x""yes; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+ break
fi
done
AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
- AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+ AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+ AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
if test X"$check_gss_krb5_ccache_name" = X"yes"; then
AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
+ T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ The T\bTI\bIM\bME\bEO\bOU\bUT\bT parameter specifies the amount of time, in seconds, to
+ wait for a response from the various LDAP APIs.
+
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
S\bSS\bSL\bL on/true/yes/off/false/no
If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL)
- encryption is always used when communicating with the LDAP server.
- Typically, this involves connecting to the server on port 636
- (ldaps).
-
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ encryption is always used when communicating with the LDAP server.
+ Typically, this involves connecting to the server on port 636
+ (ldaps).
+
S\bSS\bSL\bL start_tls
If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
connection is initiated normally and TLS encryption is begun before
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
- T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
- The path to a file containing the private key which matches the
- certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
-
1.8.0b3 January 10, 2011 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
+ The path to a file containing the private key which matches the
+ certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
password-protected. The key type depends on the LDAP libraries
used.
Sudo looks for a line beginning with sudoers: and uses this to
determine the search order. Note that s\bsu\bud\bdo\bo does not stop searching
after the first match and later matches take precedence over earlier
- ones.
-
- The following sources are recognized:
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ ones.
+
+ The following sources are recognized:
+
files read sudoers from F</etc/sudoers>
ldap read sudoers from LDAP
sudoers = files
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
-
-
1.8.0b3 January 10, 2011 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
+
_\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
_\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# Only supported by LDAP servers that support the start_tls
- # extension such as OpenLDAP.
- #ssl start_tls
- #
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # extension such as OpenLDAP.
+ #ssl start_tls
+ #
# Additional TLS options follow that allow tweaking of the
# SSL/TLS connection.
#
#tls_cert /var/ldap
#tls_key /var/ldap
#
- # If using SASL authentication for LDAP (OpenSSL)
- # use_sasl yes
- # sasl_auth_id <SASL user name>
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # If using SASL authentication for LDAP (OpenSSL)
+ # use_sasl yes
+ # sasl_auth_id <SASL user name>
# rootuse_sasl yes
# rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
attributetype ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+
+
+
+1.8.0b3 January 10, 2011 13
+
+
+
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+
http://www.sudo.ws/sudo/license.html for complete details.
-1.8.0b3 January 10, 2011 13
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.8.0b3 January 10, 2011 14
.IX Item "TIMELIMIT seconds"
The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
to wait for a response to an \s-1LDAP\s0 query.
+.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
+.IX Item "TIMEOUT seconds"
+The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
+to wait for a response from the various \s-1LDAP\s0 APIs.
.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
.IX Item "SUDOERS_BASE base"
The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
+=item B<TIMEOUT> seconds
+
+The B<TIMEOUT> parameter specifies the amount of time, in seconds,
+to wait for a response from the various LDAP APIs.
+
=item B<SUDOERS_BASE> base
The base DN to use when performing B<sudo> LDAP queries. Typically
#endif
#ifndef HAVE_LDAP_SEARCH_EXT_S
-#define ldap_search_ext_s(a, b, c, d, e, f, g, h, i, j, k) \
+# ifdef HAVE_LDAP_SEARCH_ST
+# define ldap_search_ext_s(a, b, c, d, e, f, g, h, i, j, k) \
+ ldap_search_st(a, b, c, d, e, f, i, k)
+# else
+# define ldap_search_ext_s(a, b, c, d, e, f, g, h, i, j, k) \
ldap_search_s(a, b, c, d, e, f, k)
+# endif
#endif
#define LDAP_FOREACH(var, ld, res) \
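Review bot: The new HAVE_LDAP_SEARCH_ST branch forwards the timeval argument (i) to ldap_search_st, but the ldap_search_s fallback kept below it still drops that argument, so on a library with neither ldap_search_ext_s nor ldap_search_st the per-search timeout the callers now build from ldap_conf.timeout is silently ignored; the macro block should say so. Something like `/* ldap_search_s takes no timeout: TIMEOUT is not enforced per search on this path */` above the `# else` branch would make the limitation visible to the next maintainer. Whether a NULL timeval passed to ldap_search_st blocks indefinitely is library-specific and worth confirming against the libraries sudo supports, since callers pass tvp == NULL whenever TIMEOUT is unset.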
int ldap_debug;
int tls_checkpeer;
int timelimit;
+ int timeout;
int bind_timelimit;
int use_sasl;
int rootuse_sasl;
&ldap_conf.bind_timelimit },
#endif
{ "timelimit", CONF_INT, TRUE, LDAP_OPT_TIMELIMIT, &ldap_conf.timelimit },
+#ifdef LDAP_OPT_TIMEOUT
+ { "timeout", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
+ &ldap_conf.timeout },
+#endif
{ "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn },
{ "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw },
{ "rootbinddn", CONF_STR, FALSE, -1, &ldap_conf.rootbinddn },
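Review bot: The `timeout` table entry is registered only under `#ifdef LDAP_OPT_TIMEOUT`, yet `ldap_conf.timeout` is declared and consumed unconditionally: the per-search timeval built from it in the search loops does not need that option, and the HAVE_LDAP_SEARCH_ST mapping exists precisely for libraries without the extended API. On a library that lacks LDAP_OPT_TIMEOUT the ldap.conf `timeout` keyword is therefore never parsed, although the same build could still honor it per search. Consider registering the entry unconditionally, `{ "timeout", CONF_INT, TRUE, -1 /* needs timeval, set manually */, &ldap_conf.timeout },`, and keeping only the ldap_set_option(LDAP_OPT_TIMEOUT) call behind the ifdef. If the config parser rejects unknown keywords rather than ignoring them (not visible here), the current gating would also make one shared ldap.conf fail on some platforms.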
ldap_conf.port = -1;
ldap_conf.tls_checkpeer = -1;
ldap_conf.timelimit = -1;
+ ldap_conf.timeout = -1;
ldap_conf.bind_timelimit = -1;
ldap_conf.use_sasl = -1;
ldap_conf.rootuse_sasl = -1;
if (!ldap_conf.host)
ldap_conf.host = estrdup("localhost");
- if (ldap_conf.bind_timelimit > 0)
- ldap_conf.bind_timelimit *= 1000; /* convert to ms */
-
if (ldap_conf.debug > 1) {
sudo_printf(SUDO_CONV_ERROR_MSG, "LDAP Config Summary\n");
sudo_printf(SUDO_CONV_ERROR_MSG, "===================\n");
if (!ldap_conf.base)
return(FALSE); /* if no base is defined, ignore LDAP */
+ if (ldap_conf.bind_timelimit > 0)
+ ldap_conf.bind_timelimit *= 1000; /* convert to ms */
+
/*
* Interpret SSL option
*/
struct lbuf *lbuf)
{
struct berval **bv, **p;
+ struct timeval tv, *tvp = NULL;
struct ldap_config_list_str *base;
struct sudo_ldap_handle *handle = nss->handle;
LDAP *ld;
ld = handle->ld;
for (base = ldap_conf.base; base != NULL; base = base->next) {
+ if (ldap_conf.timeout > 0) {
+ tv.tv_sec = ldap_conf.timeout;
+ tv.tv_usec = 0;
+ tvp = &tv;
+ }
result = NULL;
rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE,
- "cn=defaults", NULL, 0, NULL, NULL, NULL, 0, &result);
+ "cn=defaults", NULL, 0, NULL, NULL, tvp, 0, &result);
if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
bv = ldap_get_values_len(ld, entry, "sudoOption");
if (bv != NULL) {
}
}
+#ifdef LDAP_OPT_TIMEOUT
+ /* Convert timeout to a timeval */
+ if (ldap_conf.timeout > 0) {
+ struct timeval tv;
+ tv.tv_sec = ldap_conf.timeout;
+ tv.tv_usec = 0;
+ rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv);
+ if (rc != LDAP_OPT_SUCCESS) {
+ warningx("ldap_set_option(TIMEOUT, %ld): %s",
+ (long)tv.tv_sec, ldap_err2string(rc));
+ return(-1);
+ }
+ DPRINTF(("ldap_set_option(LDAP_OPT_TIMEOUT, %ld)",
+ (long)tv.tv_sec), 1);
+ }
+#endif
#ifdef LDAP_OPT_NETWORK_TIMEOUT
/* Convert bind_timelimit to a timeval */
if (ldap_conf.bind_timelimit > 0) {
{
struct ldap_config_list_str *base;
struct sudo_ldap_handle *handle = nss->handle;
+ struct timeval tv, *tvp = NULL;
LDAP *ld;
LDAPMessage *entry, *result;
int rc;
ld = handle->ld;
for (base = ldap_conf.base; base != NULL; base = base->next) {
+ if (ldap_conf.timeout > 0) {
+ tv.tv_sec = ldap_conf.timeout;
+ tv.tv_usec = 0;
+ tvp = &tv;
+ }
result = NULL;
rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE,
"cn=defaults", NULL, 0, NULL, NULL, NULL, 0, &result);
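Review bot: `tvp` is populated in the loop by the lines added just above, but the ldap_search_ext_s call on the next two lines still passes a literal NULL for the timeout, so unless the page dropped the updated call line the variable is unused here and TIMEOUT is not applied to this query; the earlier "cn=defaults" search in this commit was changed to `"cn=defaults", NULL, 0, NULL, NULL, tvp, 0, &result);` and this call should match. The search loop further down (the one that logs `searching from base`) has the same pattern: tvp is set up but its call still ends with `NULL, 0, NULL, NULL, NULL, 0, &result);`. Since ldap_conf.timeout does not change while iterating over bases, the timeval setup could also be hoisted above the for loop in all three callers instead of being redone per base. The enclosing function starts outside the hunk.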
struct sudo_ldap_handle *handle = nss->handle;
struct ldap_config_list_str *base;
struct ldap_result *lres;
+ struct timeval tv, *tvp = NULL;
LDAPMessage *entry, *result;
LDAP *ld = handle->ld;
int do_netgr, rc;
DPRINTF(("ldap search '%s'", filt), 1);
for (base = ldap_conf.base; base != NULL; base = base->next) {
DPRINTF(("searching from base '%s'", base->val), 1);
+ if (ldap_conf.timeout > 0) {
+ tv.tv_sec = ldap_conf.timeout;
+ tv.tv_usec = 0;
+ tvp = &tv;
+ }
result = NULL;
rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
NULL, 0, NULL, NULL, NULL, 0, &result);