Add support for krb5_ccname in ldap.conf. If specified, it will
authorTodd C. Miller <Todd.Miller@courtesan.com>
Sun, 15 Jul 2007 19:44:46 +0000 (19:44 +0000)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Sun, 15 Jul 2007 19:44:46 +0000 (19:44 +0000)
override the default value of KRB5CCNAME in the environment for
the duration of the call to ldap_sasl_interactive_bind_s().

ldap.c
sudo.c
sudo.h

diff --git a/ldap.c b/ldap.c
index f965d925ce26ec124c796b8e8f171470f9ff1b2c..57bdb3ef4fb3bb8521fe9c486394f8010690467f 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -114,6 +114,7 @@ struct ldap_config {
     char *tls_keyfile;
     char *sasl_authid;
     char *rootsasl_authid;
+    char *krb5_ccname;
 } ldap_conf;
 
 /*
@@ -570,6 +571,7 @@ sudo_ldap_read_config()
        MATCH_S("sudoers_base", ldap_conf.base)
            else
        MATCH_I("sudoers_debug", ldap_conf.debug)
+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
            else
        MATCH_B("use_sasl", ldap_conf.use_sasl)
            else
@@ -578,6 +580,9 @@ sudo_ldap_read_config()
        MATCH_B("rootuse_sasl", ldap_conf.rootuse_sasl)
            else
        MATCH_S("rootsasl_authid", ldap_conf.rootsasl_authid)
+           else
+       MATCH_S("krb5_ccname", ldap_conf.krb5_ccname)
+#endif
            else {
 
            /*
@@ -655,6 +660,26 @@ sudo_ldap_read_config()
            fclose(f);
        }
     }
+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
+    /*
+     * Make sure we can open the file specified by krb5_ccname.
+     */
+    if (ldap_conf.krb5_ccname != NULL) {
+       if (strncasecmp(ldap_conf.krb5_ccname, "FILE:", 5) == 0 ||
+           strncasecmp(ldap_conf.krb5_ccname, "WRFILE:", 7) == 0) {
+           value = ldap_conf.krb5_ccname +
+               (ldap_conf.krb5_ccname[4] == ':' ? 5 : 7);
+           if ((f = fopen(value, "r")) != NULL) {
+               fclose(f);
+           } else {
+               /* Can't open it, just ignore the entry. */
+               efree(ldap_conf.krb5_ccname);
+               ldap_conf.krb5_ccname = NULL;
+           }
+       }
+    }
+#endif
+
     return(TRUE);
 }
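Review bot: When the configured FILE:/WRFILE: cache cannot be opened, the entry is dropped silently (the efree/NULL branch) and the later GSSAPI bind proceeds with whatever KRB5CCNAME is already in sudo's environment, which may be the invoking user's cache, so an administrator who set krb5_ccname precisely to avoid that gets no indication it was ignored. Suggest at least reporting it before the efree, e.g. `if (ldap_conf.debug) fprintf(stderr, "krb5_ccname: unable to open %s, ignoring\n", value);` (if sudoers_debug is the right gate here), or treating it as a configuration error if that is the intended policy. Note also that the fopen only proves the path opens for whatever uid sudo holds at config-read time; it is a readability probe, not a check of cache ownership or mode, and the krb5 library reopens the file independently at bind time. sudo_ldap_read_config begins before this hunk.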
 
@@ -873,7 +898,7 @@ sudo_ldap_sasl_interact(ld, flags, v_authid, v_interact)
 
     for (;interact->id != SASL_CB_LIST_END; interact++) {
        if (interact->id != SASL_CB_USER)
-           return (LDAP_PARAM_ERROR);
+           return(LDAP_PARAM_ERROR);
 
        if (authid != NULL)
            interact->result = authid;
@@ -883,7 +908,7 @@ sudo_ldap_sasl_interact(ld, flags, v_authid, v_interact)
            interact->result = "";
        interact->len = strlen(interact->result);
     }
-    return (LDAP_SUCCESS);
+    return(LDAP_SUCCESS);
 }
 #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
 
@@ -995,14 +1020,18 @@ sudo_ldap_open()
 #endif /* HAVE_LDAP_START_TLS_S */
 
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
-    /* XXX - should use krb5_ccname from ldap.conf too! */
     if (ldap_conf.rootuse_sasl == TRUE ||
        (ldap_conf.rootuse_sasl != FALSE && ldap_conf.use_sasl == TRUE)) {
        void *authid = ldap_conf.rootsasl_authid ?
            ldap_conf.rootsasl_authid : ldap_conf.sasl_authid;
 
+       if (ldap_conf.krb5_ccname != NULL)
+           sudo_setenv("KRB5CCNAME", ldap_conf.krb5_ccname, TRUE);
        rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
            NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, authid);
+       /* XXX - should unset  if no user_ccname */
+       if (user_ccname != NULL)
+           sudo_setenv("KRB5CCNAME", user_ccname, TRUE);
        if (rc != LDAP_SUCCESS) {
            fprintf(stderr, "ldap_sasl_interactive_bind_s(): %d : %s\n",
                rc, ldap_err2string(rc));
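Review bot: The restore `if (user_ccname != NULL) sudo_setenv("KRB5CCNAME", user_ccname, TRUE);` is incomplete in two ways: when the invoking user had no KRB5CCNAME the override stays in sudo's environment after the bind (the XXX above it admits this, while the commit message promises the override lasts only for the duration of the call), and when the user did have one, `user_ccname` is a pointer into the original envp string (sudo.c, `user_ccname = *ep + 11`), so the restore is only safe if sudo_setenv with overwrite never frees the entry it replaces — sudo_setenv is not visible here, so that needs confirming. Either way the value written back into a root process's environment is a cache path chosen by the unprivileged caller. A self-contained fix is to snapshot the current value into a private copy before the override and restore or unset it afterwards, as below (use the project's checked strdup counterpart of the visible efree if one exists, and its compat unsetenv if the platform lacks one). sudo_ldap_open starts and ends outside this hunk.
```c
	char *old_ccname = NULL;

	if (ldap_conf.krb5_ccname != NULL) {
	    /* Copy: the environ entry may be freed by the overwrite below. */
	    old_ccname = getenv("KRB5CCNAME");
	    if (old_ccname != NULL)
		old_ccname = strdup(old_ccname);
	    sudo_setenv("KRB5CCNAME", ldap_conf.krb5_ccname, TRUE);
	}
	rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
	    NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, authid);
	if (ldap_conf.krb5_ccname != NULL) {
	    /* Restore the caller's value, or drop ours if there was none. */
	    if (old_ccname != NULL) {
		sudo_setenv("KRB5CCNAME", old_ccname, TRUE);
		efree(old_ccname);
	    } else
		unsetenv("KRB5CCNAME");
	}
	/* … unchanged: rc != LDAP_SUCCESS error report … */
```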
diff --git a/sudo.c b/sudo.c
index e0d30a59bbb96c08c2bc3d0f510de51e3ec04826..c79b3b841ee0ac143e6ea5eac04956387d783c64 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -565,6 +565,10 @@ init_vars(sudo_mode, envp)
 
     for (ep = envp; *ep; ep++) {
        switch (**ep) {
+           case 'K':
+               if (strncmp("KRB5CCNAME=", *ep, 11) == 0)
+                   user_ccname = *ep + 11;
+               break;
            case 'P':
                if (strncmp("PATH=", *ep, 5) == 0)
                    user_path = *ep + 5;
diff --git a/sudo.h b/sudo.h
index c1438076be7c22c94ca4558d9b5bd5b36d28e746..e9eb05e5b90b09ae8333a02079f130d6c49049cb 100644 (file)
--- a/sudo.h
+++ b/sudo.h
@@ -50,6 +50,7 @@ struct sudo_user {
     char *cmnd_base;
     char *cmnd_safe;
     char *class_name;
+    char *krb5_ccname;
     int   ngroups;
     gid_t *groups;
     struct list_member *env_vars;
@@ -138,6 +139,7 @@ struct sudo_user {
 #define user_prompt            (sudo_user.prompt)
 #define user_host              (sudo_user.host)
 #define user_shost             (sudo_user.shost)
+#define user_ccname            (sudo_user.krb5_ccname)
 #define safe_cmnd              (sudo_user.cmnd_safe)
 #define login_class            (sudo_user.class_name)
 #define runas_pw               (sudo_user._runas_pw)