From: Todd C. Miller Date: Sat, 17 Sep 2011 00:10:21 +0000 (-0400) Subject: Add support for DEREF in ldap.conf. X-Git-Tag: SUDO_1_7_8~12 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2f1d9f05fcc22ad100813aa4130716ac7b9bc4f0;p=sudo Add support for DEREF in ldap.conf. --HG-- branch : 1.7 --- diff --git a/ldap.c b/ldap.c index 700b410a8..47aa9f981 100644 --- a/ldap.c +++ b/ldap.c @@ -117,6 +117,7 @@ #define CONF_INT 1 #define CONF_STR 2 #define CONF_LIST_STR 4 +#define CONF_DEREF_VAL 5 #define SUDO_LDAP_SSL 1 #define SUDO_LDAP_STARTTLS 2 @@ -195,6 +196,7 @@ static struct ldap_config { int rootuse_sasl; int ssl_mode; int timed; + int deref; char *host; struct ldap_config_list_str *uri; char *binddn; @@ -280,6 +282,9 @@ static struct ldap_config_table ldap_conf_table[] = { #ifdef LDAP_OPT_TIMEOUT { "timeout", CONF_INT, TRUE, -1 /* needs timeval, set manually */, &ldap_conf.timeout }, +#endif +#ifdef LDAP_OPT_DEREF + { "deref", CONF_DEREF_VAL, TRUE, LDAP_OPT_DEREF, &ldap_conf.deref }, #endif { "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn }, { "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw }, @@ -1186,6 +1191,7 @@ sudo_ldap_read_config() ldap_conf.bind_timelimit = -1; ldap_conf.use_sasl = -1; ldap_conf.rootuse_sasl = -1; + ldap_conf.deref = -1; if ((fp = fopen(_PATH_LDAP_CONF, "r")) == NULL) return FALSE; @@ -1210,6 +1216,16 @@ sudo_ldap_read_config() for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) { if (strcasecmp(keyword, cur->conf_str) == 0) { switch (cur->type) { + case CONF_DEREF_VAL: + if (strcasecmp(value, "searching") == 0) + *(int *)(cur->valp) = LDAP_DEREF_SEARCHING; + else if (strcasecmp(value, "finding") == 0) + *(int *)(cur->valp) = LDAP_DEREF_FINDING; + else if (strcasecmp(value, "always") == 0) + *(int *)(cur->valp) = LDAP_DEREF_ALWAYS; + else + *(int *)(cur->valp) = LDAP_DEREF_NEVER; + break; case CONF_BOOL: *(int *)(cur->valp) = _atobool(value); break; 
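Review bot: The `deref` entry in ldap_conf_table is wrapped in `#ifdef LDAP_OPT_DEREF`, but the `case CONF_DEREF_VAL:` added to sudo_ldap_read_config() later in this commit uses LDAP_DEREF_SEARCHING, LDAP_DEREF_FINDING, LDAP_DEREF_ALWAYS and LDAP_DEREF_NEVER with no guard. An LDAP SDK that lacks LDAP_OPT_DEREF may lack those constants too, in which case ldap.c would stop compiling even though the option is meant to be optional. Wrapping that case in the same `#ifdef LDAP_OPT_DEREF` / `#endif` pair would keep the table and the parser in step. The table starts and ends outside this hunk.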
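Review bot: The final `else` in `case CONF_DEREF_VAL:` stores LDAP_DEREF_NEVER for every string that is not `searching`, `finding` or `always`, so a typo or an empty value is silently accepted as `never`. Alias dereferencing affects which directory entries the sudoers search resolves, so a privilege lookup should not quietly run with a different policy than the one written in ldap.conf. Match the documented keyword explicitly with `else if (strcasecmp(value, "never") == 0) *(int *)(cur->valp) = LDAP_DEREF_NEVER;`. The remaining `else` should then emit a warning naming the bad value and leave the field at the `-1` "unset" default that this commit initialises. The enclosing loop and switch continue outside the hunk.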
@@ -1282,6 +1298,8 @@ sudo_ldap_read_config() fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit); if (ldap_conf.timeout > 0) fprintf(stderr, "timeout %d\n", ldap_conf.timeout); + if (ldap_conf.deref != -1) + fprintf(stderr, "deref %d\n", ldap_conf.deref); fprintf(stderr, "ssl %s\n", ldap_conf.ssl ? ldap_conf.ssl : "(no)"); if (ldap_conf.tls_checkpeer != -1) diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod index b12c6e6bb..88c60155c 100644 --- a/sudoers.ldap.pod +++ b/sudoers.ldap.pod @@ -536,6 +536,11 @@ SASL programmer's manual for details. The path to the Kerberos 5 credential cache to use when authenticating with the remote server. +=item B never/searching/finding/always + +How alias dereferencing is to be performed when searching. See the +L manual for a full description of this option. + =back See the C entry in the L section.
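Review bot: The added debug line prints `ldap_conf.deref` with `%d`, so the administrator sees the SDK's numeric constant, not the `never`/`searching`/`finding`/`always` keyword used in ldap.conf. The parser in this commit stores LDAP_DEREF_NEVER for any unrecognised string, so this output is where a mistyped value would be noticed, and a bare number makes that harder. Consider translating the value back to its keyword before printing, for example with a small switch over the LDAP_DEREF_* constants feeding a `"deref            %s\n"` format. The debug block this line belongs to starts and ends outside the hunk.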