key database and create a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be. This option is only
supported by the Tivoli LDAP libraries.
+ T\bTL\bLS\bS_\b_R\bRE\bEQ\bQC\bCE\bER\bRT\bT _\bl_\be_\bv_\be_\bl
+ The T\bTL\bLS\bS_\b_R\bRE\bEQ\bQC\bCE\bER\bRT\bT parameter controls how the LDAP server's TLS
+ certificated will be verified (if at all). If the server's TLS
+ certificate cannot be verified (usually because it is signed by an
+ unknown certificate authority), s\bsu\bud\bdo\bo will be unable to connect to
+ it. The following _\bl_\be_\bv_\be_\bl values are supported:
+
+ never The server certificate will not be requested or
+ checked.
+
+ allow The server certificate will be requested. A missing
+ or invalid certificate is ignored and not considered
+ an error.
+
+ try The server certificate will be requested. A missing
+ certificate is ignored but an invalid certificate
+ will result in a connection error.
+
+ demand | _\bh_\ba_\br_\bd
+ The server certificate will be requested. A missing
+ or invalid certificate will result in a connection
+ error. This is the default behavior.
+
+ This option is only supported by the OpenLDAP libraries. Other
+ LDAP libraries only support the T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR parameter.
+
T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.25 June 25, 2018 Sudo 1.8.25
+Sudo 1.8.26 September 27, 2018 Sudo 1.8.26
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDOERS.LDAP" "5" "June 25, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "5" "September 27, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
This option is only supported by the Tivoli LDAP libraries.
.RE
.TP 6n
+\fBTLS_REQCERT\fR \fIlevel\fR
+The
+\fBTLS_REQCERT\fR
+parameter controls how the LDAP server's TLS certificated will be
+verified (if at all).
+If the server's TLS certificate cannot be verified (usually because it
+is signed by an unknown certificate authority),
+\fBsudo\fR
+will be unable to connect to it.
+The following
+\fIlevel\fR
+values are supported:
+.RS 10n
+.TP 10n
+never
+The server certificate will not be requested or checked.
+.TP 10n
+allow
+The server certificate will be requested.
+A missing or invalid certificate is ignored and not considered an error.
+.TP 10n
+try
+The server certificate will be requested.
+A missing certificate is ignored but an invalid certificate will
+result in a connection error.
+.TP 10n
+demand | \fIhard\fR
+The server certificate will be requested.
+A missing or invalid certificate will result in a connection error.
+This is the default behavior.
+.RE
+.RS 6n
+.sp
+This option is only supported by the OpenLDAP libraries.
+Other LDAP libraries only support the
+\fBTLS_CHECKPEER\fR
+parameter.
+.RE
+.TP 6n
\fBTLS_RANDFILE\fR \fIfile name\fR
The
\fBTLS_RANDFILE\fR
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd June 25, 2018
+.Dd September 27, 2018
.Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
utility can be used to manage the key database and create a
.Em stash file .
This option is only supported by the Tivoli LDAP libraries.
+.It Sy TLS_REQCERT Ar level
+The
+.Sy TLS_REQCERT
+parameter controls how the LDAP server's TLS certificated will be
+verified (if at all).
+If the server's TLS certificate cannot be verified (usually because it
+is signed by an unknown certificate authority),
+.Nm sudo
+will be unable to connect to it.
+The following
+.Ar level
+values are supported:
+.Bl -tag -width 8n -offset 4n
+.It never
+The server certificate will not be requested or checked.
+.It allow
+The server certificate will be requested.
+A missing or invalid certificate is ignored and not considered an error.
+.It try
+The server certificate will be requested.
+A missing certificate is ignored but an invalid certificate will
+result in a connection error.
+.It demand No | Ar hard
+The server certificate will be requested.
+A missing or invalid certificate will result in a connection error.
+This is the default behavior.
+.El
+.Pp
+This option is only supported by the OpenLDAP libraries.
+Other LDAP libraries only support the
+.Sy TLS_CHECKPEER
+parameter.
.It Sy TLS_RANDFILE Ar file name
The
.Sy TLS_RANDFILE
#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
{ "tls_checkpeer", CONF_BOOL, LDAP_OPT_X_TLS_REQUIRE_CERT,
&ldap_conf.tls_checkpeer },
+ { "tls_reqcert", CONF_REQCERT_VAL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &ldap_conf.tls_reqcert },
#else
{ "tls_checkpeer", CONF_BOOL, -1, &ldap_conf.tls_checkpeer },
#endif
else
*(int *)(cur->valp) = LDAP_DEREF_NEVER;
break;
+ case CONF_REQCERT_VAL:
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ if (strcasecmp(value, "never") == 0)
+ *(int *)(cur->valp) = LDAP_OPT_X_TLS_NEVER;
+ else if (strcasecmp(value, "allow") == 0)
+ *(int *)(cur->valp) = LDAP_OPT_X_TLS_ALLOW;
+ else if (strcasecmp(value, "try") == 0)
+ *(int *)(cur->valp) = LDAP_OPT_X_TLS_TRY;
+ else if (strcasecmp(value, "hard") == 0)
+ *(int *)(cur->valp) = LDAP_OPT_X_TLS_HARD;
+ else if (strcasecmp(value, "demand") == 0)
+ *(int *)(cur->valp) = LDAP_OPT_X_TLS_DEMAND;
+#endif
+ break;
case CONF_BOOL:
*(int *)(cur->valp) = sudo_strtobool(value) == true;
break;
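Review bot: An unrecognized tls_reqcert value is silently dropped in the new CONF_REQCERT_VAL case: when none of the strcasecmp branches match there is no else branch, so the option keeps whatever it held before (apparently the -1 set in the defaults hunk further down) and a misspelled level falls back to the LDAP library's own behaviour without any diagnostic. The CONF_DEREF_VAL case directly above ends with an explicit `else` fallback, so this case should at least match that style with a trailing `else sudo_warnx(U_("unknown tls_reqcert value: %s"), value);` so the administrator can see that the configured verification level was not applied. The enclosing switch and its function both begin and end outside the hunk.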
ldap_conf.version = 3;
ldap_conf.port = -1;
ldap_conf.tls_checkpeer = -1;
+ ldap_conf.tls_reqcert = -1;
ldap_conf.timelimit = -1;
ldap_conf.timeout = -1;
ldap_conf.bind_timelimit = -1;
DPRINTF1("tls_checkpeer %s",
ldap_conf.tls_checkpeer ? "(yes)" : "(no)");
}
+ if (ldap_conf.tls_reqcert != -1) {
+ DPRINTF1("tls_reqcert %s",
+ ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_NEVER ? "hard" :
+ ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_ALLOW ? "allow" :
+ ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_TRY ? "try" :
+ ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_HARD ? "hard" :
+ ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_DEMAND ? "demand" :
+ "unknown");
+ }
if (ldap_conf.tls_cacertfile != NULL) {
DPRINTF1("tls_cacertfile %s", ldap_conf.tls_cacertfile);
}
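Review bot: The debug dump mislabels one level: the line `ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_NEVER ? "hard" :` prints "hard" for LDAP_OPT_X_TLS_NEVER, so a configuration that disables server certificate checking is reported in the debug log as the strictest setting. Since this log is the usual way to confirm which TLS verification level is actually in effect, the label should read `ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_NEVER ? "never" :`. The enclosing function starts and ends outside the hunk.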
} while (0)
#endif
-#define CONF_BOOL 0
-#define CONF_INT 1
-#define CONF_STR 2
-#define CONF_LIST_STR 4
-#define CONF_DEREF_VAL 5
+#define CONF_BOOL 0
+#define CONF_INT 1
+#define CONF_STR 2
+#define CONF_LIST_STR 4
+#define CONF_DEREF_VAL 5
+#define CONF_REQCERT_VAL 6
#define SUDO_LDAP_CLEAR 0
#define SUDO_LDAP_SSL 1
int debug;
int ldap_debug;
int tls_checkpeer;
+ int tls_reqcert;
int timelimit;
int timeout;
int bind_timelimit;