From f7a419b5f99db7803a8246dae9e77d0426f415d2 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 6 Feb 2014 15:50:08 -0700
Subject: [PATCH] Use a default LDAP search filter of (objectClass=sudoRole).
When constructing the netgroup query, add (sudoUser=*) to the query so we don't fall below the 3 character OpenLDAP substring threshold. Otherwise the index for sudoUser will never be used for that query. Pointed out by Michael Stroeder.
---
 doc/sudoers.ldap.cat | 6 ++++--
 doc/sudoers.ldap.man.in | 9 +++++++--
 doc/sudoers.ldap.mdoc.in | 9 +++++++--
 plugins/sudoers/ldap.c | 8 ++++++--
 4 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat
index 3a1b4dfc7..c0b50d67c 100644
--- a/doc/sudoers.ldap.cat
+++ b/doc/sudoers.ldap.cat
@@ -346,7 +346,9 @@ DDEESSCCRRIIPPTTIIOONN
 An LDAP filter which is used to restrict the set of records returned when performing a ssuuddoo LDAP query. Typically, this is of the form attribute=value or
- (&(attribute=value)(attribute2=value2)).
+ (&(attribute=value)(attribute2=value2)). The default search filter
+ is: objectClass=sudoRole. If _l_d_a_p___f_i_l_t_e_r is not present, no search
+ filter will be used.
 SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
@@ -810,4 +812,4 @@ DDIISSCCLLAAIIMMEERR
 file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details.
-Sudo 1.8.9 August 30, 2013 Sudo 1.8.9
+Sudo 1.8.10b2 February 6, 2014 Sudo 1.8.10b2
diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in
index ec27f1359..20807380d 100644
--- a/doc/sudoers.ldap.man.in
+++ b/doc/sudoers.ldap.man.in
@@ -1,7 +1,7 @@
 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
 .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
 .\"
-.\" Copyright (c) 2003-2013 Todd C. Miller
+.\" Copyright (c) 2003-2014 Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDOERS.LDAP" "8" "August 30, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
+.TH "SUDOERS.LDAP" "8" "February 6, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -643,6 +643,11 @@ form
 \fRattribute=value\fR
 or
 \fR(&(attribute=value)(attribute2=value2))\fR.
+The default search filter is:
+\fRobjectClass=sudoRole\fR.
+If
+\fIldap_filter\fR
+is not present, no search filter will be used.
 .TP 6n
 \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
 Whether or not to evaluate the
diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in
index 70f70a19d..01e0350f8 100644
--- a/doc/sudoers.ldap.mdoc.in
+++ b/doc/sudoers.ldap.mdoc.in
@@ -1,5 +1,5 @@
 .\"
-.\" Copyright (c) 2003-2013 Todd C. Miller
+.\" Copyright (c) 2003-2014 Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 30, 2013
+.Dd February 6, 2014
 .Dt SUDOERS.LDAP @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -604,6 +604,11 @@ form
 .Li attribute=value
 or
 .Li (&(attribute=value)(attribute2=value2)) .
+The default search filter is:
+.Li objectClass=sudoRole .
+If
+.Ar ldap_filter
+is not present, no search filter will be used.
 .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
 Whether or not to evaluate the
 .Li sudoNotBefore
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 626c770b1..68977ea2a 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -145,6 +145,9 @@ extern int ldapssl_set_strength(LDAP *ldap, int strength);
 #define SUDO_LDAP_SSL 1
 #define SUDO_LDAP_STARTTLS 2
+/* Default search filter. */
+#define DEFAULT_SEARCH_FILTER "(objectClass=sudoRole)"
+
 /* The TIMEFILTER_LENGTH is the length of the filter when timed entries are used. The length is computed as follows: 81 for the filter itself
@@ -1356,7 +1359,7 @@ sudo_ldap_build_pass2(void)
 ldap_conf.timed ? timebuffer : "",
 (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
 } else {
- easprintf(&filt, "%s%s(sudoUser=+*)%s%s",
+ easprintf(&filt, "%s%s(sudoUser=*)(sudoUser=+*)%s%s",
 (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
 ldap_conf.search_filter ? ldap_conf.search_filter : "",
 ldap_conf.timed ? timebuffer : "",
@@ -1427,7 +1430,7 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value,
 break;
 case CONF_STR:
 efree(*(char **)(cur->valp));
- *(char **)(cur->valp) = estrdup(value);
+ *(char **)(cur->valp) = *value ? estrdup(value) : NULL;
 break;
 case CONF_LIST_STR:
 {
@@ -1523,6 +1526,7 @@ sudo_ldap_read_config(void)
 ldap_conf.use_sasl = -1;
 ldap_conf.rootuse_sasl = -1;
 ldap_conf.deref = -1;
+ ldap_conf.search_filter = estrdup(DEFAULT_SEARCH_FILTER);
 STAILQ_INIT(&ldap_conf.uri);
 STAILQ_INIT(&ldap_conf.base);
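Review bot: DEFAULT_SEARCH_FILTER is defined with enclosing parentheses, yet the manual text added by this same commit states the default as `objectClass=sudoRole` without them, and the existing SUDOERS_SEARCH_FILTER description already presents the bare `attribute=value` form as typical. In the sudo_ldap_build_pass2 hunk the configured search_filter is spliced verbatim between `(&` and `)`, so unless it is normalized somewhere outside these hunks, a value written in the documented bare form yields a malformed filter such as `(&objectClass=sudoRole(sudoUser=*)(sudoUser=+*))`. I would state the requirement on the macro, `/* Default search filter.  Must be a complete, parenthesized filter: it is spliced verbatim into "(&...)" by the query builders. */`, and make the manual show the default with its parentheses. Better still, have the config parser wrap an unparenthesized value in `(` and `)` so both documented forms behave alike.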
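Review bot: The new `(sudoUser=*)` term in the netgroup query is logically redundant with `(sudoUser=+*)`, and nothing in the code says why it is there, so a later cleanup is likely to drop it and silently lose the index use the commit message describes. I would put the rationale next to the format string: `/* (sudoUser=*) is redundant for matching but lets OpenLDAP use the sudoUser index; "+*" alone is too short a substring to be indexed. */`. sudo_ldap_build_pass2 starts and ends outside this hunk; easprintf allocates, so the longer literal only matters if some sized copy elsewhere (the TIMEFILTER_LENGTH arithmetic visible in the first hunk suggests such sizing exists for the time filter) was derived from the old string — worth confirming.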
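Review bot: The change to `*value ? estrdup(value) : NULL` makes an empty value reset any CONF_STR option to unset, and for SUDOERS_SEARCH_FILTER that is now the only way to turn the new default filter off, but neither the code nor the manual text in this commit says so — the manual says "if ldap_filter is not present, no search filter will be used", which reads as the absent-keyword case, which is precisely the case that now applies the default. I would comment the branch, `/* An empty value unsets the option (NULL); for SUDOERS_SEARCH_FILTER this disables the default filter. */`, and reword the manual to say that an empty value disables the filter. Whether `value` can be NULL when a keyword has no argument is decided by the caller outside this hunk; `*value` assumes it never is.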