Add support for sasl_secprops in ldap.conf

2025-08-22 18:08:23 +00:00 · 2007-07-16 22:44:07 +00:00 · 2007-07-16 22:44:07 +00:00 · f5ad187edf
commit f5ad187edf
parent 436e3b631b
2 changed files with 37 additions and 21 deletions
--- a/README.LDAP
+++ b/README.LDAP
@ -256,9 +256,10 @@ when you imported the sudoers.  Below is an example /etc/ldap.conf
  #
  # If using SASL authentication for LDAP
  # use_sasl yes
-  # sasl_auth_id <SASL password>
+  # sasl_auth_id <SASL username>
  # rootuse_sasl yes
-  # rootsasl_auth_id <SASL password for root access>
+  # rootsasl_auth_id <SASL username for root access>
+  # sasl_secprops none
  #

 Debugging your LDAP configuration
--- a/ldap.c
+++ b/ldap.c
@ -114,6 +114,7 @@ struct ldap_config {
    char *tls_keyfile;
    char *sasl_auth_id;
    char *rootsasl_auth_id;
+    char *sasl_secprops;
    char *krb5_ccname;
 } ldap_conf;

@ -581,6 +582,8 @@ sudo_ldap_read_config()
 	    else
 	MATCH_S("rootsasl_auth_id", ldap_conf.rootsasl_auth_id)
 	    else
+	MATCH_S("sasl_secprops", ldap_conf.sasl_secprops)
+	    else
 	MATCH_S("krb5_ccname", ldap_conf.krb5_ccname)
 #endif
 	    else {
@ -632,9 +635,13 @@ sudo_ldap_read_config()
 	fprintf(stderr, "use_sasl         %d\n", ldap_conf.use_sasl);
 	fprintf(stderr, "sasl_auth_id     %s\n", ldap_conf.sasl_auth_id ?
 	    ldap_conf.sasl_auth_id : "(NONE)");
-	fprintf(stderr, "use_sasl     %d\n", ldap_conf.use_sasl);
+	fprintf(stderr, "rootuse_sasl     %d\n", ldap_conf.rootuse_sasl);
 	fprintf(stderr, "rootsasl_auth_id %s\n", ldap_conf.rootsasl_auth_id ?
 	    ldap_conf.rootsasl_auth_id : "(NONE)");
+	fprintf(stderr, "sasl_secprops    %s\n", ldap_conf.sasl_secprops ?
+	    ldap_conf.sasl_secprops : "(NONE)");
+	fprintf(stderr, "krb5_ccname      %s\n", ldap_conf.krb5_ccname ?
+	    ldap_conf.krb5_ccname : "(NONE)");
 #endif
 	fprintf(stderr, "===================\n");
    }
@ -887,16 +894,16 @@ sudo_ldap_display_cmnd(ldv, pw)

 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
 static int
-sudo_ldap_sasl_interact(ld, flags, v_auth_id, v_interact)
+sudo_ldap_sasl_interact(ld, flags, _auth_id, _interact)
    LDAP *ld;
    unsigned int flags;
-    void *v_auth_id;
-    void *v_interact;
+    void *_auth_id;
+    void *_interact;
 {
-    char *auth_id = (char *)v_auth_id;
-    sasl_interact_t *interact = (sasl_interact_t *)v_interact;
+    char *auth_id = (char *)_auth_id;
+    sasl_interact_t *interact = (sasl_interact_t *)_interact;

-    for (;interact->id != SASL_CB_LIST_END; interact++) {
+    for (; interact->id != SASL_CB_LIST_END; interact++) {
 	if (interact->id != SASL_CB_USER)
 	    return(LDAP_PARAM_ERROR);

@ -906,7 +913,11 @@ sudo_ldap_sasl_interact(ld, flags, v_auth_id, v_interact)
 	    interact->result = interact->defresult;
 	else
 	    interact->result = "";
+
 	interact->len = strlen(interact->result);
+#if SASL_VERSION_MAJOR < 2
+	interact->result = estrdup(interact->result);
+#endif /* SASL_VERSION_MAJOR < 2 */
    }
    return(LDAP_SUCCESS);
 }
@ -961,6 +972,10 @@ sudo_ldap_open()
    SET_OPTI(X_CONNECT_TIMEOUT, bind_timeout);
 #endif  

+#ifdef LDAP_OPT_X_SASL_SECPROPS
+    SET_OPTS(X_SASL_SECPROPS, sasl_secprops);
+#endif
+
 #ifdef LDAP_OPT_NETWORK_TIMEOUT
    if (ldap_conf.bind_timelimit > 0) {
 	struct timeval tv;