default, s\bsu\bud\bdo\bo will use an anonymous connection. This option is
only relevant when using SASL authentication.
+ S\bSA\bAS\bSL\bL_\b_M\bME\bEC\bCH\bH _\bm_\be_\bc_\bh_\ba_\bn_\bi_\bs_\bm_\bs
+ A white space-delimited list of SASL authentication mechanisms to
+ use. By default, s\bsu\bud\bdo\bo will use GSSAPI authentication.
+
S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS _\bn_\bo_\bn_\be_\b/_\bp_\br_\bo_\bp_\be_\br_\bt_\bi_\be_\bs
SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
programmer's manual for details. This option is only relevant when
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.19 September 1, 2016 Sudo 1.8.19
+Sudo 1.8.19 January 17, 2017 Sudo 1.8.19
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
.\"
-.\" Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDOERS.LDAP" "5" "September 1, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
will use an anonymous connection.
This option is only relevant when using SASL authentication.
.TP 6n
+\fBSASL_MECH\fR \fImechanisms\fR
+A white space-delimited list of SASL authentication mechanisms to use.
+By default,
+\fBsudo\fR
+will use
+\fRGSSAPI\fR
+authentication.
+.TP 6n
\fBSASL_SECPROPS\fR \fInone/properties\fR
SASL security properties or
\fInone\fR
.\"
-.\" Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd September 1, 2016
+.Dd January 17, 2017
.Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo
will use an anonymous connection.
This option is only relevant when using SASL authentication.
+.It Sy SASL_MECH Ar mechanisms
+A white space-delimited list of SASL authentication mechanisms to use.
+By default,
+.Nm sudo
+will use
+.Dv GSSAPI
+authentication.
.It Sy SASL_SECPROPS Ar none/properties
SASL security properties or
.Em none
/*
- * Copyright (c) 2003-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2003-2017 Todd C. Miller <Todd.Miller@courtesan.com>
*
* This code is derived from software contributed by Aaron Spangler.
*
char *tls_certfile;
char *tls_keyfile;
char *tls_keypw;
+ char *sasl_mech;
char *sasl_auth_id;
char *rootsasl_auth_id;
char *sasl_secprops;
{ "netgroup_search_filter", CONF_STR, -1, &ldap_conf.netgroup_search_filter },
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
{ "use_sasl", CONF_BOOL, -1, &ldap_conf.use_sasl },
+ { "sasl_mech", CONF_STR, -1, &ldap_conf.sasl_mech },
{ "sasl_auth_id", CONF_STR, -1, &ldap_conf.sasl_auth_id },
{ "rootuse_sasl", CONF_BOOL, -1, &ldap_conf.rootuse_sasl },
{ "rootsasl_auth_id", CONF_STR, -1, &ldap_conf.rootsasl_auth_id },
}
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
if (ldap_conf.use_sasl != -1) {
+ if (ldap_conf.sasl_mech == NULL) {
+ /* Default mechanism is GSSAPI. */
+ ldap_conf.sasl_mech = strdup("GSSAPI");
+ if (ldap_conf.sasl_mech == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ debug_return_bool(false);
+ }
+ }
DPRINTF1("use_sasl %s", ldap_conf.use_sasl ? "yes" : "no");
+ DPRINTF1("sasl_mech %s", ldap_conf.sasl_mech);
DPRINTF1("sasl_auth_id %s",
ldap_conf.sasl_auth_id ? ldap_conf.sasl_auth_id : "(NONE)");
DPRINTF1("rootuse_sasl %d",
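Review bot: The GSSAPI default is installed only inside the `if (ldap_conf.use_sasl != -1)` block, so when `use_sasl` is left unset in ldap.conf, `ldap_conf.sasl_mech` stays NULL even though the struct also carries a separate `rootuse_sasl` switch that can presumably enable the SASL bind on its own. With OpenLDAP a NULL mechanism tells ldap_sasl_interactive_bind_s to choose from whatever the server advertises in supportedSASLMechanisms, which hands mechanism selection to the peer — the previous hard-coded "GSSAPI" ruled that out. Hoist the `if (ldap_conf.sasl_mech == NULL) { ... strdup("GSSAPI") ... }` defaulting above the `use_sasl != -1` guard so the field is always populated whenever HAVE_LDAP_SASL_INTERACTIVE_BIND_S is defined, leaving only the DPRINTF1 calls inside the block. The bind condition and the rest of this function are outside the hunk, so confirm which use_sasl/rootuse_sasl combinations actually reach the bind.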
"sudo_set_krb5_ccache_name() failed: %d", rc);
}
}
- ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
- NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
+ ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn,
+ ldap_conf.sasl_mech, NULL, NULL, LDAP_SASL_QUIET,
+ sudo_ldap_sasl_interact, auth_id);
if (new_ccname != NULL) {
rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
if (rc == 0) {
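Review bot: `ldap_conf.sasl_mech` is handed to ldap_sasl_interactive_bind_s verbatim, and the accompanying manual text describes it as a white space-delimited list, so when an administrator lists several mechanisms libldap negotiates among them against the server's advertised set and the effective mechanism is picked by the peer; nothing in this path records which one was used, which matters if a weaker entry (or an unverified server) wins. If the libldap in use exposes LDAP_OPT_X_SASL_MECH, log the outcome after the call: `char *mech = NULL; if (ret == LDAP_SUCCESS && ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &mech) == LDAP_OPT_SUCCESS) { DPRINTF1("negotiated sasl_mech %s", mech); ldap_memfree(mech); }`. It is also worth a comment at the bind pointing admins to the existing SASL_SECPROPS option (e.g. a minssf) as the way to reject plaintext mechanisms when a multi-mechanism list is configured. The enclosing function starts before this hunk and continues after it.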