Define LDAPNOINIT before calling ldap_init(), etc. to disable user

ldaprc and system defaults that could affect how LDAP works.

diff --git a/env.c b/env.c
index baa46749378d94a2afcd9c7d3e487f101c05d639..13272c73a85aad2e26490060407c446e800534bd 100644 (file)
--- a/env.c
+++ b/env.c
@@ -261,7 +261,7 @@ _sudo_setenv(var, val, dupcheck)
     insert_env(estring, dupcheck, FALSE);
 }
 
-#if defined(HAVE_LDAP_SASL_INTERACTIVE_BIND_S) && !defined(HAVE_GSS_KRB5_CCACHE_NAME)
+#ifdef HAVE_LDAP
 /*
  * External version of sudo_setenv() that keeps things in sync with
  * the environ pointer.
@@ -318,7 +318,7 @@ sudo_unsetenv(var)
        }
     }
 }
-#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S && !HAVE_GSS_KRB5_CCACHE_NAME */
+#endif /* HAVE_LDAP */
 
 /*
  * Insert str into env.envp, assumes str has an '=' in it.

diff --git a/ldap.c b/ldap.c
index 7587fda97252ac90b31bb76a9eaf2c7853505209..530ff92c532b2274a7e39ac21cc18b589420e290 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -1150,7 +1150,7 @@ sudo_ldap_open(nss)
 {
     LDAP *ld;
     const char *old_ccname = user_ccname;
-    int rc;
+    int rc, ldapnoinit = FALSE;
 #ifdef HAVE_GSS_KRB5_CCACHE_NAME
     unsigned int status;
 #endif
@@ -1158,6 +1158,12 @@ sudo_ldap_open(nss)
     if (!sudo_ldap_read_config())
        return(-1);
 
+    /* Prevent reading of user ldaprc and system defaults. */
+    if (getenv("LDAPNOINIT") == NULL) {
+       ldapnoinit = TRUE;
+       sudo_setenv("LDAPNOINIT", "1", TRUE);
+    }
+
 #ifdef HAVE_LDAPSSL_INIT
     if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
        DPRINTF(("ldapssl_clientauth_init(%s, %s)",
@@ -1200,6 +1206,9 @@ sudo_ldap_open(nss)
        }
     }
 
+    if (ldapnoinit)
+       sudo_unsetenv("LDAPNOINIT");
+
     /* Set LDAP options */
     if (sudo_ldap_set_options(ld) < 0)
        return(-1);