Add sudo_ldap_get_first_rdn() to return the first rdn of an entry's dn

using the mechanism appropriate for the LDAP SDK in use.
Use ldap_unbind_ext_s() instead of deprecated ldap_unbind_s().
Emulate ldap_unbind_ext_s() and ldap_search_ext_s() for SDK's without them.

diff --git a/config.h.in b/config.h.in
index ac91cc6cbfd1d8f63f9a410b49e7bcd2c217474d..dfbc189a47d7c39226b6bc05792c89cf9647eddf 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -221,6 +221,9 @@
 /* Define to 1 if you have the `ldap_sasl_interactive_bind_s' function. */
 #undef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
 
+/* Define to 1 if you have the `ldap_search_ext_s' function. */
+#undef HAVE_LDAP_SEARCH_EXT_S
+
 /* Define to 1 if you have the `ldap_start_tls_s' function. */
 #undef HAVE_LDAP_START_TLS_S
 

diff --git a/configure b/configure
index e8401d0e2789232da5bcc611b541a423e082bcfa..7917530aea085926c17d9355ffb73a05b51297d9 100755 (executable)
--- a/configure
+++ b/configure
@@ -21954,7 +21954,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
 
 
 
-for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_unbind_ext_s ldap_str2dn
+
+for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5

diff --git a/configure.in b/configure.in
index b97541fa3c59eef2f011b07ebce776d600614f20..50ab17b948bf2f5f1aa8b1294967ae667d50d505 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -2302,7 +2302,7 @@ if test ${with_ldap-'no'} != "no"; then
     AC_MSG_RESULT([yes])
     AC_DEFINE(HAVE_LBER_H)])
 
-    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_unbind_ext_s ldap_str2dn)
+    AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn)
     AC_CHECK_HEADERS([sasl/sasl.h])
 
     AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,

diff --git a/ldap.c b/ldap.c
index ab4fa7abdbc7c30d1825e2f7b23bbbc3507cf899..5ee1b46ba4472e59fff40283d2c079e1d1b947a4 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003-2005 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2003-2008 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * This code is derived from software contributed by Aaron Spangler.
  *
@@ -87,6 +87,15 @@ __unused static const char rcsid[] = "$Sudo$";
 # define LDAP_SASL_QUIET       0
 #endif
 
+#ifndef HAVE_LDAP_UNBIND_EXT_S
+#define ldap_unbind_ext_s(a, b, c)     ldap_unbind_s(a)
+#endif
+
+#ifndef HAVE_LDAP_SEARCH_EXT_S
+#define ldap_search_ext_s(a, b, c, d, e, f, g, h, i, j, k)             \
+       ldap_search_s(a, b, c, d, e, f, k)
+#endif
+
 #define LDAP_FOREACH(var, ld, res)                                     \
     for ((var) = ldap_first_entry((ld), (res));                                \
        (var) != NULL;                                                  \
@@ -846,6 +855,37 @@ sudo_ldap_read_config()
     return(TRUE);
 }
 
+/*
+ * Extract the dn from an entry and return the first rdn from it.
+ */
+static char *
+sudo_ldap_get_first_rdn(ld, entry)
+    LDAP *ld;
+    LDAPMessage *entry;
+{
+#ifdef HAVE_LDAP_STR2DN
+    char *dn, *rdn = NULL;
+    LDAPDN tmpDN;
+
+    if ((dn = ldap_get_dn(ld, entry)) == NULL)
+       return(NULL);
+    if (ldap_str2dn(dn, &tmpDN, LDAP_DN_FORMAT_LDAP) == LDAP_SUCCESS) {
+       ldap_rdn2str(tmpDN[0], &rdn, LDAP_DN_FORMAT_UFN);
+       ldap_dnfree(tmpDN);
+    }
+    ldap_memfree(dn);
+    return(rdn);
+#else
+    char *dn, **edn;
+
+    if ((dn = ldap_get_dn(ld, entry)) == NULL)
+       return(NULL);
+    edn = ldap_explode_dn(dn, 1);
+    ldap_memfree(dn);
+    return(edn ? edn[0] : NULL);
+#endif
+}
+
 /*
  * Like sudo_ldap_lookup(), except we just print entries.
  */
@@ -857,7 +897,7 @@ sudo_ldap_display_privs(nss, pw)
     struct berval **bv, **p;
     LDAP *ld = (LDAP *) nss->handle;
     LDAPMessage *entry = NULL, *result = NULL;
-    char *filt, *dn, *rdn;
+    char *filt, *rdn;
     int rc, do_netgr;
 
     if (ld == NULL)
@@ -915,18 +955,9 @@ sudo_ldap_display_privs(nss, pw)
                sudo_ldap_check_user_netgroup(ld, entry, pw->pw_passwd)) &&
                sudo_ldap_check_host(ld, entry)) {
 
-               /* collect the dn, only show the first rdn */
-               rdn = NULL;
-               if ((dn = ldap_get_dn(ld, entry)) != NULL) {
-                   LDAPDN tmpDN;
-                   if (ldap_str2dn(dn, &tmpDN, LDAP_DN_FORMAT_LDAP) == LDAP_SUCCESS) {
-                       ldap_rdn2str(tmpDN[0], &rdn, LDAP_DN_FORMAT_UFN);
-                       ldap_dnfree(tmpDN);
-                   }
-               }
+               /* extract the dn, only show the first rdn */
+               rdn = sudo_ldap_get_first_rdn(ld, entry);
                printf("\nLDAP Role: %s\n", rdn ? rdn : "UNKNOWN");
-               if (dn)
-                   ldap_memfree(dn);
                if (rdn)
                    ldap_memfree(rdn);
 
@@ -1491,9 +1522,10 @@ int
 sudo_ldap_close(nss)
     struct sudo_nss *nss;
 {
-    if (nss->handle != NULL)
-       ldap_unbind_s((LDAP *) nss->handle);
-    nss->handle = NULL;
+    if (nss->handle != NULL) {
+       ldap_unbind_ext_s((LDAP *) nss->handle, NULL, NULL);
+       nss->handle = NULL;
+    }
     return(0);
 }