From beece91719621de4dfd86685f63337a14dfa35be Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 28 Jul 2017 13:52:55 -0600 Subject: [PATCH] Add support for --enable-sasl and --disable-sasl to make it possible to enable/disable support for LDAP with SASL authentication. Sudo compiles in support for SASL authentiation by default if the ldap_sasl_interactive_bind_s() function is detected. Bug #788 --- INSTALL | 6 ++++++ configure | 34 ++++++++++++++++++++++++++++++---- configure.ac | 29 +++++++++++++++++++++++++---- 3 files changed, 61 insertions(+), 8 deletions(-) diff --git a/INSTALL b/INSTALL index e1d3ba658..11ac4ea64 100644 --- a/INSTALL +++ b/INSTALL @@ -312,6 +312,12 @@ Optional features: this file instead of /etc/ldap.secret to read the secret password when rootbinddn is specified in the ldap config file. + --disable-sasl + Disable SASL authentication for LDAP. By default, sudo + will compile in support for SASL authentication if the + ldap_sasl_interactive_bind_s() function is present in the + LDAP libraries. + --with-logincap This adds support for login classes specified in /etc/login.conf. It is enabled by default on BSD/OS, Darwin, FreeBSD, OpenBSD and diff --git a/configure b/configure index 4cc93c00b..01a41e399 100755 --- a/configure +++ b/configure @@ -962,6 +962,7 @@ enable_shared_libutil enable_tmpfiles_d enable_devsearch with_selinux +enable_sasl enable_gss_krb5_ccache_name enable_shared enable_static @@ -1645,6 +1646,7 @@ Optional Features: --enable-tmpfiles.d=DIR Set the path to the systemd tmpfiles.d directory. --enable-devsearch=PATH The colon-delimited path to search for device nodes when determing the tty name. + --enable-sasl Enable/disable LDAP SASL support --enable-gss-krb5-ccache-name Use GSS-API to set the Kerberos V cred cache name --enable-shared[=PKGS] build shared libraries [default=yes] 
@@ -6751,6 +6753,18 @@ else fi +# Check whether --enable-sasl was given. +if test "${enable_sasl+set}" = set; then : + enableval=$enable_sasl; case "$enableval" in + yes|no) ;; + *) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-sasl: $enableval" >&5 +$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-sasl: $enableval" >&2;} + ;; + esac + +fi + + # Check whether --enable-gss_krb5_ccache_name was given. if test "${enable_gss_krb5_ccache_name+set}" = set; then : enableval=$enable_gss_krb5_ccache_name; check_gss_krb5_ccache_name=$enableval @@ -22552,7 +22566,7 @@ if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : fi # - # Some PAM implementations (MacOS X for example) put the PAM headers + # Some PAM implementations (macOS for example) put the PAM headers # in /usr/include/pam instead of /usr/include/security... # found_pam_hdrs=no @@ -24695,7 +24709,9 @@ fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext - for ac_header in sasl/sasl.h sasl.h + if test ${enable_sasl-'yes'} = "yes"; then + found_sasl_h=no + for ac_header in sasl/sasl.h sasl.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" @@ -24704,7 +24720,8 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF - for ac_func in ldap_sasl_interactive_bind_s + found_sasl_h=yes + for ac_func in ldap_sasl_interactive_bind_s do : ac_fn_c_check_func "$LINENO" "ldap_sasl_interactive_bind_s" "ac_cv_func_ldap_sasl_interactive_bind_s" if test "x$ac_cv_func_ldap_sasl_interactive_bind_s" = xyes; then : 
@@ -24715,12 +24732,21 @@ _ACEOF fi done - break + break fi done + if test X${enable_sasl} = X"yes"; then + if test X"$found_sasl_h" != X"yes"; then + as_fn_error $? "\"--enable-sasl specified but unable to locate SASL development headers.\"" "$LINENO" 5 + fi + if test X"$ac_cv_func_ldap_sasl_interactive_bind_s" != X"yes"; then : + as_fn_error $? "\"--enable-sasl specified but SASL support is missing in your LDAP library\"" "$LINENO" 5 + fi + fi + fi for ac_header in ldap_ssl.h mps/ldap_ssl.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` diff --git a/configure.ac b/configure.ac index 07d794a56..c7898f450 100644 --- a/configure.ac +++ b/configure.ac @@ -1562,6 +1562,15 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support]) ;; esac], [with_selinux=no]) +AC_ARG_ENABLE(sasl, +[AS_HELP_STRING([--enable-sasl], [Enable/disable LDAP SASL support])], +[ case "$enableval" in + yes|no) ;; + *) AC_MSG_WARN([Ignoring unknown argument to --enable-sasl: $enableval]) + ;; + esac +]) + dnl dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default dnl 
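Review bot: The `*)` arm of the new AC_ARG_ENABLE(sasl, ...) case warns that an unknown argument is ignored but leaves `enable_sasl` holding that value, so `--enable-sasl=foo` later fails the `= "yes"` comparison in the LDAP section and silently turns SASL off instead of keeping the default the message promises. Resetting the variable in that arm makes the warning true: `*) AC_MSG_WARN([Ignoring unknown argument to --enable-sasl: $enableval]); enable_sasl=yes ;;`. Since the feature defaults to on (the LDAP section tests `${enable_sasl-'yes'}`), the help text would conventionally read `AS_HELP_STRING([--disable-sasl], [Disable LDAP SASL support])`, which also matches the INSTALL entry added in this patch.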
@@ -3745,10 +3754,22 @@ if test ${with_ldap-'no'} != "no"; then
 AC_MSG_RESULT([yes])
 AC_DEFINE(HAVE_LBER_H)])
 
- AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [
- AC_CHECK_FUNCS([ldap_sasl_interactive_bind_s])
- break
- ])
+ if test ${enable_sasl-'yes'} = "yes"; then
+ found_sasl_h=no
+ AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [
+ found_sasl_h=yes
+ AC_CHECK_FUNCS([ldap_sasl_interactive_bind_s])
+ break
+ ])
+ if test X${enable_sasl} = X"yes"; then
+ if test X"$found_sasl_h" != X"yes"; then
+ AC_MSG_ERROR(["--enable-sasl specified but unable to locate SASL development headers."])
+ fi
+ if test X"$ac_cv_func_ldap_sasl_interactive_bind_s" != X"yes"; then :
+ AC_MSG_ERROR(["--enable-sasl specified but SASL support is missing in your LDAP library"])
+ fi
+ fi
+ fi
 AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include ])
 AC_CHECK_FUNCS([ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np])
 AC_CHECK_FUNCS([ldap_search_ext_s ldap_search_st], [break])
-- 
2.40.0
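Review bot: `if test ${enable_sasl-'yes'} = "yes"; then` expands unquoted, so an empty value (`--enable-sasl=`) leaves `test` with a missing operand; the shell prints an operator error and the whole SASL probe is silently skipped rather than reported. `if test "${enable_sasl-yes}" = "yes"; then` is safe and is consistent with the `X"..."` quoting the same block uses a few lines later, though it does diverge from the older `${with_ldap-'no'}` idiom in the enclosing test. The two AC_MSG_ERROR arguments carry literal double quotes inside the m4 brackets, so the diagnostic prints as `configure: error: "--enable-sasl specified but ..."`; the inner quotes can be dropped. The stray `:` after `then` on the ldap_sasl_interactive_bind_s check is harmless but reads like an editing leftover. The enclosing `if test ${with_ldap-'no'} != "no"` block starts and ends outside the hunk.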