From: Todd C. Miller Date: Tue, 17 Jan 2017 18:09:23 +0000 (-0700) Subject: Add support for SASL_MECH in ldap.conf; Bug #764 X-Git-Tag: SUDO_1_8_20^2~133 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=df03020c4ca0372801dbdf258c5e927de792cbb5;p=sudo Add support for SASL_MECH in ldap.conf; Bug #764 --- diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 8f1f6cb6f..9984aa822 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -425,6 +425,10 @@ DDEESSCCRRIIPPTTIIOONN default, ssuuddoo will use an anonymous connection. This option is only relevant when using SASL authentication. + SSAASSLL__MMEECCHH _m_e_c_h_a_n_i_s_m_s + A white space-delimited list of SASL authentication mechanisms to + use. By default, ssuuddoo will use GSSAPI authentication. + SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s SASL security properties or _n_o_n_e for no properties. See the SASL programmer's manual for details. This option is only relevant when @@ -907,4 +911,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.19 September 1, 2016 Sudo 1.8.19 +Sudo 1.8.19 January 17, 2017 Sudo 1.8.19 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index ba4d60292..ffa785129 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -1,7 +1,7 @@ .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in .\" -.\" Copyright (c) 2003-2016 Todd C. Miller +.\" Copyright (c) 2003-2017 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDOERS.LDAP" "5" "September 1, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS.LDAP" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -766,6 +766,14 @@ By default, will use an anonymous connection. This option is only relevant when using SASL authentication. .TP 6n +\fBSASL_MECH\fR \fImechanisms\fR +A white space-delimited list of SASL authentication mechanisms to use. +By default, +\fBsudo\fR +will use +\fRGSSAPI\fR +authentication. +.TP 6n \fBSASL_SECPROPS\fR \fInone/properties\fR SASL security properties or \fInone\fR diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index bb7bba04d..90cfced40 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 2003-2016 Todd C. Miller +.\" Copyright (c) 2003-2017 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd September 1, 2016 +.Dd January 17, 2017 .Dt SUDOERS.LDAP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -716,6 +716,13 @@ By default, .Nm sudo will use an anonymous connection. This option is only relevant when using SASL authentication. +.It Sy SASL_MECH Ar mechanisms +A white space-delimited list of SASL authentication mechanisms to use. +By default, +.Nm sudo +will use +.Dv GSSAPI +authentication. .It Sy SASL_SECPROPS Ar none/properties SASL security properties or .Em none diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index 27bcf558d..72b2f07a2 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c 
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003-2016 Todd C. Miller
+ * Copyright (c) 2003-2017 Todd C. Miller
 *
 * This code is derived from software contributed by Aaron Spangler.
 *
@@ -258,6 +258,7 @@ static struct ldap_config {
 char *tls_certfile;
 char *tls_keyfile;
 char *tls_keypw;
+ char *sasl_mech;
 char *sasl_auth_id;
 char *rootsasl_auth_id;
 char *sasl_secprops;
@@ -326,6 +327,7 @@ static struct ldap_config_table ldap_conf_global[] = {
 { "netgroup_search_filter", CONF_STR, -1, &ldap_conf.netgroup_search_filter },
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
 { "use_sasl", CONF_BOOL, -1, &ldap_conf.use_sasl },
+ { "sasl_mech", CONF_STR, -1, &ldap_conf.sasl_mech },
 { "sasl_auth_id", CONF_STR, -1, &ldap_conf.sasl_auth_id },
 { "rootuse_sasl", CONF_BOOL, -1, &ldap_conf.rootuse_sasl },
 { "rootsasl_auth_id", CONF_STR, -1, &ldap_conf.rootsasl_auth_id },
@@ -2183,7 +2185,17 @@ sudo_ldap_read_config(void)
 }
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
 if (ldap_conf.use_sasl != -1) {
+ if (ldap_conf.sasl_mech == NULL) {
+ /* Default mechanism is GSSAPI. */
+ ldap_conf.sasl_mech = strdup("GSSAPI");
+ if (ldap_conf.sasl_mech == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ debug_return_bool(false);
+ }
+ }
 DPRINTF1("use_sasl %s", ldap_conf.use_sasl ? "yes" : "no");
+ DPRINTF1("sasl_mech %s", ldap_conf.sasl_mech);
 DPRINTF1("sasl_auth_id %s",
 ldap_conf.sasl_auth_id ? ldap_conf.sasl_auth_id : "(NONE)");
 DPRINTF1("rootuse_sasl %d",
@@ -3035,8 +3047,9 @@ sudo_ldap_bind_s(LDAP *ld)
 "sudo_set_krb5_ccache_name() failed: %d", rc);
 }
 }
- ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
- NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
+ ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn,
+ ldap_conf.sasl_mech, NULL, NULL, LDAP_SASL_QUIET,
+ sudo_ldap_sasl_interact, auth_id);
 if (new_ccname != NULL) {
 rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
 if (rc == 0) {
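Review bot: The GSSAPI default for `sasl_mech` is assigned only inside `if (ldap_conf.use_sasl != -1)` in the sudo_ldap_read_config hunk, but the sudo_ldap_bind_s hunk passes `ldap_conf.sasl_mech` to ldap_sasl_interactive_bind_s unconditionally, and nothing in these hunks guarantees the two conditions coincide. If the SASL bind path can be reached with `use_sasl` left unset but SASL enabled another way (the `rootuse_sasl` handling is outside the hunk, so I cannot confirm it here), the mechanism argument is NULL; as I read the OpenLDAP API that makes the library negotiate from whatever mechanism list the server advertises, rather than the GSSAPI the removed line hard-coded, which would be a silent weakening of the bind. Hoisting the `if (ldap_conf.sasl_mech == NULL)` default block above the `use_sasl != -1` test, or writing the argument as `ldap_conf.sasl_mech != NULL ? ldap_conf.sasl_mech : "GSSAPI",`, preserves the old behaviour in every path. Since the default is set far from the declaration, a comment on the new member in the struct hunk, `char *sasl_mech;	/* SASL_MECH: white space-delimited mechanism list; NULL until read_config defaults it */`, would also help. Both sudo_ldap_read_config and sudo_ldap_bind_s begin and end outside their hunks.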