From: Todd C. Miller
Date: Thu, 3 Jan 2008 21:11:33 +0000 (+0000)
Subject: Add sudo_ldap_get_first_rdn() to return the first rdn of an entry's dn
X-Git-Tag: SUDO_1_7_0~260
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=86bd55fc6db68d64ee8008fd8cd852620c882383;p=sudo

Add sudo_ldap_get_first_rdn() to return the first rdn of an entry's dn using the mechanism appropriate for the LDAP SDK in use. Use ldap_unbind_ext_s() instead of deprecated ldap_unbind_s(). Emulate ldap_unbind_ext_s() and ldap_search_ext_s() for SDK's without them.
---
diff --git a/config.h.in b/config.h.in
index ac91cc6cb..dfbc189a4 100644
--- a/config.h.in
+++ b/config.h.in
@@ -221,6 +221,9 @@
 /* Define to 1 if you have the `ldap_sasl_interactive_bind_s' function. */
 #undef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
 
+/* Define to 1 if you have the `ldap_search_ext_s' function. */
+#undef HAVE_LDAP_SEARCH_EXT_S
+
 /* Define to 1 if you have the `ldap_start_tls_s' function. */
 #undef HAVE_LDAP_START_TLS_S
 
diff --git a/configure b/configure
index e8401d0e2..7917530ae 100755
--- a/configure
+++ b/configure
@@ -21954,7 +21954,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_unbind_ext_s ldap_str2dn
+
+for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5
diff --git a/configure.in b/configure.in
index b97541fa3..50ab17b94 100644
--- a/configure.in
+++ b/configure.in
@@ -2302,7 +2302,7 @@ if test ${with_ldap-'no'} != "no"; then
 AC_MSG_RESULT([yes])
 AC_DEFINE(HAVE_LBER_H)])
- AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_unbind_ext_s ldap_str2dn)
+ AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn)
 AC_CHECK_HEADERS([sasl/sasl.h])
 AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
diff --git a/ldap.c b/ldap.c
index ab4fa7abd..5ee1b46ba 100644
--- a/ldap.c
+++ b/ldap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003-2005 Todd C. Miller
+ * Copyright (c) 2003-2008 Todd C. Miller
  *
  * This code is derived from software contributed by Aaron Spangler.
  *
@@ -87,6 +87,15 @@ __unused static const char rcsid[] = "$Sudo$";
 # define LDAP_SASL_QUIET 0
 #endif
 
+#ifndef HAVE_LDAP_UNBIND_EXT_S
+#define ldap_unbind_ext_s(a, b, c) ldap_unbind_s(a)
+#endif
+
+#ifndef HAVE_LDAP_SEARCH_EXT_S
+#define ldap_search_ext_s(a, b, c, d, e, f, g, h, i, j, k) \
+ ldap_search_s(a, b, c, d, e, f, k)
+#endif
+
 #define LDAP_FOREACH(var, ld, res) \
 for ((var) = ldap_first_entry((ld), (res)); \
 (var) != NULL; \
@@ -846,6 +855,37 @@ sudo_ldap_read_config()
 return(TRUE);
 }
 
+/*
+ * Extract the dn from an entry and return the first rdn from it.
+ */
+static char *
+sudo_ldap_get_first_rdn(ld, entry)
+ LDAP *ld;
+ LDAPMessage *entry;
+{
+#ifdef HAVE_LDAP_STR2DN
+ char *dn, *rdn = NULL;
+ LDAPDN tmpDN;
+
+ if ((dn = ldap_get_dn(ld, entry)) == NULL)
+ return(NULL);
+ if (ldap_str2dn(dn, &tmpDN, LDAP_DN_FORMAT_LDAP) == LDAP_SUCCESS) {
+ ldap_rdn2str(tmpDN[0], &rdn, LDAP_DN_FORMAT_UFN);
+ ldap_dnfree(tmpDN);
+ }
+ ldap_memfree(dn);
+ return(rdn);
+#else
+ char *dn, **edn;
+
+ if ((dn = ldap_get_dn(ld, entry)) == NULL)
+ return(NULL);
+ edn = ldap_explode_dn(dn, 1);
+ ldap_memfree(dn);
+ return(edn ? edn[0] : NULL);
+#endif
+}
+
 /*
  * Like sudo_ldap_lookup(), except we just print entries.
  */
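Review bot: The ldap_search_ext_s() fallback in the `#ifndef HAVE_LDAP_SEARCH_EXT_S` block forwards only the first six arguments and the result pointer to ldap_search_s(), so serverctrls, clientctrls, the timeout and the sizelimit that any caller passes are silently discarded on SDKs without the extended call. That is harmless only if no caller relies on those arguments, which this hunk cannot show, and a later caller passing a real timeout would get no warning. A comment on the macro would make the restriction visible, e.g. `/* Fallback for SDKs without ldap_search_ext_s(): serverctrls, clientctrls, timeout and sizelimit are ignored. */`. The ldap_unbind_ext_s() fallback drops its two control arguments in the same way, which is fine for the NULL, NULL call in sudo_ldap_close() but deserves the same one-line comment.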
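Review bot: In the `#else` branch of sudo_ldap_get_first_rdn(), ldap_explode_dn() returns a NULL-terminated vector and the function hands back only `edn[0]`; the caller in the sudo_ldap_display_privs() hunk below releases the result with ldap_memfree(), which frees at most that one element, so the vector and its remaining components appear to leak on every displayed entry, and whether ldap_memfree() is the matching deallocator for a single vector element is SDK-dependent. The HAVE_LDAP_STR2DN branch, by contrast, returns a string allocated by ldap_rdn2str(), for which ldap_memfree() is correct, so the two branches currently have different ownership rules behind one interface. One fix that keeps a single rule is to copy `edn[0]` in the fallback branch, release the whole vector with ldap_value_free() before returning, and have the caller use the matching free for that path; at minimum the header comment should state the contract, e.g. `* Returns NULL on failure; the caller releases the result with ldap_memfree().` Note also that the ldap_rdn2str() return value is unchecked, which is safe only because rdn is pre-set to NULL.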
@@ -857,7 +897,7 @@ sudo_ldap_display_privs(nss, pw)
 struct berval **bv, **p;
 LDAP *ld = (LDAP *) nss->handle;
 LDAPMessage *entry = NULL, *result = NULL;
- char *filt, *dn, *rdn;
+ char *filt, *rdn;
 int rc, do_netgr;
 
 if (ld == NULL)
@@ -915,18 +955,9 @@ sudo_ldap_display_privs(nss, pw)
 sudo_ldap_check_user_netgroup(ld, entry, pw->pw_passwd)) &&
 sudo_ldap_check_host(ld, entry)) {
- /* collect the dn, only show the first rdn */
- rdn = NULL;
- if ((dn = ldap_get_dn(ld, entry)) != NULL) {
- LDAPDN tmpDN;
- if (ldap_str2dn(dn, &tmpDN, LDAP_DN_FORMAT_LDAP) == LDAP_SUCCESS) {
- ldap_rdn2str(tmpDN[0], &rdn, LDAP_DN_FORMAT_UFN);
- ldap_dnfree(tmpDN);
- }
- }
+ /* extract the dn, only show the first rdn */
+ rdn = sudo_ldap_get_first_rdn(ld, entry);
 printf("\nLDAP Role: %s\n", rdn ? rdn : "UNKNOWN");
- if (dn)
- ldap_memfree(dn);
 if (rdn)
 ldap_memfree(rdn);
@@ -1491,9 +1522,10 @@ int
 sudo_ldap_close(nss)
 struct sudo_nss *nss;
 {
- if (nss->handle != NULL)
- ldap_unbind_s((LDAP *) nss->handle);
- nss->handle = NULL;
+ if (nss->handle != NULL) {
+ ldap_unbind_ext_s((LDAP *) nss->handle, NULL, NULL);
+ nss->handle = NULL;
+ }
 return(0);
 }