From 3a96b6de4f58047fdd2563883edc5430e7e90284 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 16 Jul 2007 23:40:54 +0000
Subject: [PATCH] Add support for using gss_krb5_ccache_name() instead of setting KRB5CCNAME. Also use sudo_unsetenv() in the non-gss_krb5_ccache_name() case if there was no KRB5CCNAME in the original environment. TODO: configure setup for gss_krb5_ccache_name()
---
 ldap.c | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/ldap.c b/ldap.c
index 9fa55e424..2f33bd625 100644
--- a/ldap.c
+++ b/ldap.c
@@ -61,6 +61,12 @@
 # else
 # include
 # endif
+# ifdef HAVE_GSSAPI_H
+# include
+# elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
+# include
+# include
+# endif
 #endif
 #include "sudo.h"
@@ -930,7 +936,11 @@ VOID *
 sudo_ldap_open()
 {
     LDAP *ld = NULL;
+    const char *old_ccname = user_ccname;
     int rc;
+#ifdef HAVE_GSS_KRB5_CCACHE_NAME
+    unsigned int status;
+#endif
     if (!sudo_ldap_read_config())
 	return(NULL);
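Review bot: `unsigned int status;` in the sudo_ldap_open() hunk is the minor-status out-parameter later passed to gss_krb5_ccache_name(), whose prototype takes `OM_uint32 *`; declaring it as `OM_uint32 status;` uses the GSS-API type directly instead of relying on the two being the same width on every platform, and the value should then be printed with `%u` rather than `%d` in the DPRINTF calls of the following hunk. The initializer `old_ccname = user_ccname` is only meaningful on the KRB5CCNAME-environment path, since under HAVE_GSS_KRB5_CCACHE_NAME the first gss_krb5_ccache_name() call overwrites it; a one-line comment such as `/* ccache name to restore after the bind; replaced by the GSS-API's own previous name when available */` would save the next reader that deduction. sudo_ldap_open()'s body continues outside this hunk.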
@@ -1040,13 +1050,30 @@ sudo_ldap_open()
 	void *auth_id = ldap_conf.rootsasl_auth_id ? ldap_conf.rootsasl_auth_id : ldap_conf.sasl_auth_id;
-	if (ldap_conf.krb5_ccname != NULL)
+	if (ldap_conf.krb5_ccname != NULL) {
+#ifdef HAVE_GSS_KRB5_CCACHE_NAME
+	    if (gss_krb5_ccache_name(&status, ldap_conf.krb5_ccname, &old_ccname)
+		!= GSS_S_COMPLETE) {
+		old_ccname = NULL;
+		DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1);
+	    }
+#else
 	    sudo_setenv("KRB5CCNAME", ldap_conf.krb5_ccname, TRUE);
+#endif
+	}
 	rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI", NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
-	/* XXX - should unset if no user_ccname */
-	if (user_ccname != NULL)
-	    sudo_setenv("KRB5CCNAME", user_ccname, TRUE);
+	if (ldap_conf.krb5_ccname != NULL) {
+#ifdef HAVE_GSS_KRB5_CCACHE_NAME
+	    if (gss_krb5_ccache_name(&status, old_ccname, NULL) != GSS_S_COMPLETE)
+		DPRINTF(("gss_krb5_ccache_name() failed: %d", status), 1);
+#else
+	    if (old_ccname != NULL)
+		sudo_setenv("KRB5CCNAME", old_ccname, TRUE);
+	    else
+		sudo_unsetenv("KRB5CCNAME");
+#endif
+	}
 	if (rc != LDAP_SUCCESS) {
 	    fprintf(stderr, "ldap_sasl_interactive_bind_s(): %d : %s\n", rc, ldap_err2string(rc));
--
2.40.0
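Review bot: When the first gss_krb5_ccache_name() call fails, the new code sets `old_ccname = NULL` and the restore block after the bind still calls `gss_krb5_ccache_name(&status, old_ccname, NULL)` with that NULL name; with MIT Kerberos a NULL name appears to reset the cache to the library default, which may well be the intent, but it is not stated and the second call then reports a failure for a setting that was never applied. Tracking success explicitly, e.g. `int ccname_set = 0;` alongside the other locals, `ccname_set = 1;` on a GSS_S_COMPLETE result, and `if (ccname_set)` guarding the restore, states the intent and avoids the spurious second message. Both calls also discard the major status, so the DPRINTF carries only the mechanism-specific minor code, which is printed with `%d` although the variable is unsigned; capturing it as `OM_uint32 maj` and logging both values would make a failed ccache switch diagnosable. Note too that gss_krb5_ccache_name() is a krb5-mechanism extension rather than part of generic GSS-API, which is why the configure check mentioned in the commit message is needed before this path can be enabled.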