From: Todd C. Miller Date: Sat, 25 Jun 2005 22:03:10 +0000 (+0000) Subject: Support rootbinddn in ldap.conf X-Git-Tag: SUDO_1_7_0~626 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3b30d7514afa75972957affa7a446e77baf59556;p=sudo Support rootbinddn in ldap.conf --- diff --git a/INSTALL b/INSTALL index 2e98bbb5c..1e5a53a5b 100644 --- a/INSTALL +++ b/INSTALL @@ -180,10 +180,15 @@ Special features/options: containing the LDAP include and lib directories. Please see README.LDAP for more information. - --with-ldap-conf-file + --with-ldap-conf-file=filename Path to LDAP configuration file. If specified, sudo reads this file instead of /etc/ldap.conf to locate the LDAP server. + --with-ldap-secret-file=filename + Path to LDAP secret password file. If specified, sudo uses + this file instead of /etc/ldap.secret to read the secret password + when rootbinddn is specified in the ldap config file. + --with-aixauth Enable support for the AIX 4.x general authentication function. This will use the authentication scheme specified for the user diff --git a/configure b/configure index 3e7204e9f..b9fb01ce7 100755 --- a/configure +++ b/configure @@ -1087,6 +1087,7 @@ Optional Packages: --with-goons-insults include the insults from the "Goon Show" --with-ldap[=DIR] enable LDAP support --with-ldap-conf-file path to LDAP configuration file + --with-ldap-secret-file path to LDAP secret pasdword file --with-pc-insults replace politically incorrect insults with less offensive ones --with-secure-path override the user's path with a built-in one --without-interfaces don't try to read the ip addr of ether interfaces 
@@ -3092,6 +3093,16 @@ _ACEOF fi; +# Check whether --with-ldap-secret-file or --without-ldap-secret-file was given. +if test "${with_ldap_secret_file+set}" = set; then + withval="$with_ldap_secret_file" + +cat >>confdefs.h <<_ACEOF +#define _PATH_LDAP_SECRET "$with_ldap_secret_file" +_ACEOF + +fi; + # Check whether --with-pc-insults or --without-pc-insults was given. if test "${with_pc_insults+set}" = set; then @@ -6982,7 +6993,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 6985 "configure" +#line 6996 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -7080,7 +7091,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 7083 "configure" +#line 7094 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -7229,7 +7240,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - $ECHO '#line 7232 "configure"' > conftest.$ac_ext + $ECHO '#line 7243 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -7880,11 +7891,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7883: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7894: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7887: \$? = $ac_status" >&5 + echo "$as_me:7898: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -8155,11 +8166,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8158: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8169: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8162: \$? = $ac_status" >&5 + echo "$as_me:8173: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -8252,11 +8263,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8255: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8266: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8259: \$? = $ac_status" >&5 + echo "$as_me:8270: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -8306,11 +8317,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8309: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8320: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8313: \$? = $ac_status" >&5 + echo "$as_me:8324: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized diff --git a/configure.in b/configure.in index cb763a623..5c8caf4ea 100644 --- a/configure.in +++ b/configure.in 
@@ -925,6 +925,8 @@ AC_ARG_WITH(ldap, [ --with-ldap[[=DIR]] enable LDAP support],
 esac])
 AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file],
 [AC_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$with_ldap_conf_file", [Path to the ldap.conf file])])
+AC_ARG_WITH(ldap-secret-file, [ --with-ldap-secret-file path to LDAP secret pasdword file],
+[AC_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$with_ldap_secret_file", [Path to the ldap.secret file])])
 AC_ARG_WITH(pc-insults, [ --with-pc-insults replace politically incorrect insults with less offensive ones],
 [case $with_pc_insults in
diff --git a/ldap.c b/ldap.c
index de176dbae..b3abe7e03 100644
--- a/ldap.c
+++ b/ldap.c
@@ -85,6 +85,7 @@ struct ldap_config {
     char *uri;
     char *binddn;
     char *bindpw;
+    char *rootbinddn;
     char *base;
     char *ssl;
     int tls_checkpeer;
@@ -578,6 +579,8 @@ sudo_ldap_read_config()
 	else
 	    MATCH_S("bindpw", ldap_conf.bindpw)
 	else
+	    MATCH_S("rootbinddn", ldap_conf.rootbinddn)
+	else
 	    MATCH_S("sudoers_base", ldap_conf.base)
 	else
 	    MATCH_I("sudoers_debug", ldap_conf.debug)
@@ -630,6 +633,25 @@ sudo_ldap_read_config()
     }
     if (!ldap_conf.base)
 	return(FALSE);		/* if no base is defined, ignore LDAP */
+
+    /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
+    if (ldap_conf.rootbinddn) {
+	if ((f = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {
+	    if (fgets(buf, sizeof(buf), f) != NULL) {
+		/* removing trailing newlines */
+		for (c = buf; *c != '\0'; c++)
+		    continue;
+		while (--c > buf && *c == '\n')
+		    *c = '\0';
+		/* copy to bindpw and binddn */
+		efree(ldap_conf.bindpw);
+		ldap_conf.bindpw = estrdup(buf);
+		efree(ldap_conf.binddn);
+		ldap_conf.binddn = ldap_conf.rootbinddn;
+		ldap_conf.rootbinddn = NULL;
+	    }
+	}
+    }
     return(TRUE);
 }
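Review bot: The help string on the added AC_ARG_WITH line misspells "password" (`pasdword`), and the same typo is carried into the regenerated configure help text; it should read `[ --with-ldap-secret-file path to LDAP secret password file]`. Separately, this hunk only defines _PATH_LDAP_SECRET when the option is actually passed to configure, yet ldap.c now uses the macro unconditionally and INSTALL promises a /etc/ldap.secret default; unless a fallback definition exists somewhere not shown in this diff (pathnames.h.in, for instance), an LDAP build configured without --with-ldap-secret-file will fail to compile, so the default path should be defined alongside the option or in the pathnames header.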
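Review bot: In the new rootbinddn block the FILE opened by fopen(_PATH_LDAP_SECRET, "r") is never closed on either path out of the inner if, so every successful open leaks a descriptor for the life of the process and leaves the stdio buffer holding a copy of the bind password; add `fclose(f);` inside the fopen success branch, after the `if (fgets(...)) { ... }` block. Because this file holds the password for a privileged bind DN, it is also worth checking via fstat(fileno(f)) that it is root-owned and not group/world readable before trusting its contents (sudo applies that kind of check to sudoers, if I recall correctly); whether a bad mode should refuse the secret or only warn is a policy choice, but silently using an 0644 ldap.secret is the worst option. Two smaller points: the newline strip's `--c > buf` stops one short, so a file holding only "\n" yields a bindpw of "\n" rather than "", and the comment names /etc/ldap.secret while the code reads the configurable _PATH_LDAP_SECRET, so it should read `/* If rootbinddn is set, read the bind password from _PATH_LDAP_SECRET (if present and readable). */`. The fstat version needs <sys/stat.h> and a `struct stat sb` local, both of which live outside this hunk, as does the start of sudo_ldap_read_config.
```c
    /* If rootbinddn is set, read the bind password from _PATH_LDAP_SECRET (if present and readable). */
    if (ldap_conf.rootbinddn) {
	if ((f = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {
	    /* The file holds a privileged bind password: require root ownership and no group/other access. */
	    if (fstat(fileno(f), &sb) == 0 && sb.st_uid == 0 &&
		(sb.st_mode & (S_IRWXG|S_IRWXO)) == 0 &&
		fgets(buf, sizeof(buf), f) != NULL) {
		/* … unchanged: strip trailing newlines, move rootbinddn/secret into binddn/bindpw … */
	    }
	    fclose(f);		/* always release the descriptor (and its buffered copy of the secret) */
	}
    }
```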