(SUDO) Re: Bug in ldap.c - Fixed
Aaron Spangler
aaron at spangler.ods.org
Wed Dec 17 23:23:24 EST 2003
Andreas,
I added the HAVE_LBER & HAVE_LDAP_INITIALIZE.
You need to tweak config.h after running ./config. Eventually config.h will
autosense which LDAP library you have.
I also fixed the null pointer bug that shows up while debugging when you don't
have (or don't have access to) the cn=defaults,ou=Sudoers. The fix is slightly
different from what you submitted.
^^^ Please test the new code if you could.
Also, I added a runtime option, ldap_version, which defaults to LDAPv3. This
default mimics pam_ldap and nss_ldap more closely and makes an OpenLDAP server
work out of the box.
I did not implement a timeout option yet. I can put it in with the failover
stuff. Please give me an example of how your /etc/ldap.conf lists failover
so that I can write failover code.
Thanks again for all your hard work.
-Aaron
On Thursday 13 November 2003 04:46 am, Andreas.Bussjaeger at t-systems.com wrote:
> Hi Aaron,
>
> I found a little bug in ldap.c while testing ACIs for my sudoers tree
> (only a special sudo-LDAP-User is allowed to browse the sudoers tree) and
> having the wrong ACI settings (which means I get no result searching for
> cn=defaults,$SUDOERS_BASE).
>
> My diffs (including the ldap_initialize stuff):
>
> Addition to config.h:
>
> #define HAVE_LBER
>
> We should add this and "#define HAVE_LDAP_INITIALIZE" via configure script
> later.
>
> diff -c ldap.c.orig ldap.c
> *** ldap.c.orig Fri Nov 7 09:47:24 2003
> --- ldap.c Thu Nov 13 10:44:49 2003
> ***************
> *** 74,79 ****
> --- 74,82 ----
>
>
> #ifdef HAVE_LDAP
> + #ifdef HAVE_LBER
> + #include <lber.h>
> + #endif
> #include <ldap.h>
>
> #ifndef LDAP_CONFIG
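Review bot: the guard name HAVE_LBER does not follow the HAVE_<HEADER>_H convention that Autoconf's AC_CHECK_HEADERS produces (a check for lber.h defines HAVE_LBER_H), so when configure is later taught to autosense the LDAP library, as the cover note plans, this symbol will have to be renamed; suggest `#ifdef HAVE_LBER_H` now so that a one-line `AC_CHECK_HEADERS(lber.h)` replaces the hand edit to config.h without touching ldap.c again. The include order (lber.h before ldap.h) is the right one for SDKs whose ldap.h does not pull in the ber types itself.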
> ***************
> *** 537,542 ****
> --- 540,546 ----
> /* Used for searches */
> LDAPMessage *result=NULL;
> LDAPMessage *entry=NULL;
> + char *dn;
> /* used to parse attributes */
> char *f;
> /* temp/final return values */
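Review bot: `char *dn;` is the only pointer in this group left uninitialised while the neighbouring `result` and `entry` are set to NULL; initialise it the same way (`char *dn=NULL;`). Since the string that ldap_get_dn() later stores in it is allocated by the library, the code that uses dn should also release it with ldap_memfree(dn) once it has been printed.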
> ***************
> *** 551,557 ****
>
>
> /* attempt connect */
> ! if (ldap_conf.uri) {
>
> if (ldap_conf.debug>1) fprintf(stderr,
> "ldap_initialize(ld,%s)\n",ldap_conf.uri);
> --- 555,562 ----
>
>
> /* attempt connect */
> ! #ifdef HAVE_LDAP_INITIALIZE
> ! if (ldap_conf.uri) {
>
> if (ldap_conf.debug>1) fprintf(stderr,
> "ldap_initialize(ld,%s)\n",ldap_conf.uri);
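Review bot: the `#ifdef HAVE_LDAP_INITIALIZE` opened here, between the "attempt connect" comment and `if (ldap_conf.uri) {`, is closed only in the next hunk, so the if/else-if chain is interleaved with preprocessor directives across two hunks and is easy to mis-edit later; consider keeping the conditional local to the uri branch instead (test ldap_conf.uri unconditionally and wrap only the ldap_initialize() call and its debug output in one #ifdef/#else/#endif), so that the control flow reads the same on both kinds of build.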
> ***************
> *** 562,569 ****
> rc,ldap_err2string(rc));
> return VALIDATE_ERROR;
> }
> ! } else if (ldap_conf.host) {
> !
> if (ldap_conf.debug>1) fprintf(stderr,
> "ldap_init(%s,%d)\n",ldap_conf.host,ldap_conf.port);
>
> --- 567,576 ----
> rc,ldap_err2string(rc));
> return VALIDATE_ERROR;
> }
> ! } else if (ldap_conf.host) {
> ! #else
> ! if (ldap_conf.host) {
> ! #endif /* HAVE_LDAP_INITIALIZE */
> if (ldap_conf.debug>1) fprintf(stderr,
> "ldap_init(%s,%d)\n",ldap_conf.host,ldap_conf.port);
>
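Review bot: in the `#else` path (`if (ldap_conf.host) {`) a `uri` that is set in ldap.conf is silently ignored on a build without ldap_initialize(), and when no `host` is configured either the connect is skipped with no message at all; suggest reporting this in that branch, e.g. `if (ldap_conf.uri) fprintf(stderr, "uri unsupported without ldap_initialize(), using host\n");`, so the administrator learns why the configured server is not the one being used instead of finding out from a failed lookup.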
> ***************
> *** 575,581 ****
> }
> }
>
> ! /* Acutally connect */
>
> rc=ldap_simple_bind_s(ld,ldap_conf.binddn,ldap_conf.bindpw);
> if(rc){
> --- 582,588 ----
> }
> }
>
> ! /* Actually connect */
>
> rc=ldap_simple_bind_s(ld,ldap_conf.binddn,ldap_conf.bindpw);
> if(rc){
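Review bot: the spelling fix is fine, and while the comment is being touched it could document the one security property of the call below it: `ldap_simple_bind_s(ld,ldap_conf.binddn,ldap_conf.bindpw)` is a cleartext simple bind, so bindpw crosses the wire unprotected unless the session is TLS-wrapped, e.g. `/* Actually connect: simple bind, cleartext unless TLS */`.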
> ***************
> *** 586,592 ****
>
> if (ldap_conf.debug) printf("ldap_bind() ok\n");
>
> -
> /* Parse Default Options */
>
> rc=ldap_search_s(ld,ldap_conf.base,LDAP_SCOPE_ONELEVEL,
> --- 593,598 ----
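Review bot: this hunk only deletes a blank line; a whitespace-only change is better left out of a bug-fix patch (or folded into the following hunk) so that the diff shows behaviour changes only.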
> ***************
> *** 593,603 ****
> "cn=defaults",NULL,0,&result);
> if (!rc) {
> entry=ldap_first_entry(ld,result);
> ! if (ldap_conf.debug) printf("found:%s\n",ldap_get_dn(ld,entry));
> ! sudo_ldap_parse_options(ld,entry);
> ! } else {
> ! if (ldap_conf.debug) printf("no options found\n");
> }
>
> if (result) ldap_msgfree(result);
> result=NULL;
> --- 599,618 ----
> "cn=defaults",NULL,0,&result);
> if (!rc) {
> entry=ldap_first_entry(ld,result);
> ! dn=ldap_get_dn(ld,entry);
> ! if (dn) {
> ! if (ldap_conf.debug) {
> ! printf("found:%s\n",dn);
> ! }
> ! sudo_ldap_parse_options(ld,entry);
> ! }
> ! else {
> ! rc=1;
> ! }
> }
> + if (rc) {
> + if (ldap_conf.debug) printf("no options found !\n");
> + }
>
> if (result) ldap_msgfree(result);
> result=NULL;
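Review bot: the NULL check is on the wrong value: `entry=ldap_first_entry(ld,result)` is what returns NULL when the search succeeds but yields no entry (the missing or unreadable cn=defaults case described above), and `ldap_get_dn(ld,entry)` is then still called with a NULL entry, relying on the library to hand back NULL rather than crash or assert; test `if (entry)` directly and call ldap_get_dn() only inside that branch. Two smaller points: the string returned by ldap_get_dn() is allocated and needs `ldap_memfree(dn)` after the printf, and `rc=1` overwrites the LDAP result code, so the `if (rc)` message can no longer distinguish "no entry" from a real search error that `ldap_err2string(rc)` could have reported.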
>
> Your "printf("found:%s\n",ldap_get_dn(ld,entry));" without correctly checking
> the search result caused a segmentation fault.
>
> What do you think about using the "timeout" version of ldap_search_s (just
> to be safe when the ldap server crashes or is no longer connectable via the
> network)?
>
> int ldap_search_st(LDAP *ld, char *base, int scope, char *filter,
>                    char *attrs[], int attrsonly, struct timeval *timeout,
>                    LDAPMessage **res);
>
> Another idea: We should be able to define a couple of ldap servers (we
> actually have one master and three slaves) in ldap.conf and fail over when
> using ldap_init(), etc.
>
> Regards,
>
> Andreas
> ---
> Andreas Bußjäger
> for
> Special Tasks & Projects (ST&P)
> Projekt Toll-Collect - UNIX
> T-Systems International GmbH
> Street address: Dachauer Straße 651, 80995 München
> Postal address: Postfach 50 01 30, 80971 München
> Phone: +49 89 1011-3034
> Fax: +49 89 1011-2622
> E-Fax: +49 1805 3344911312
> E-mail: Andreas.Bussjaeger at t-systems.com
> Internet: http://www.t-systems.com
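The ldap.conf conventions the thread is about to adopt from pam_ldap and nss_ldap (a space separated host list for failover, a protocol version defaulting to 3, and a client-side search limit as Andreas proposes with ldap_search_st), as an added C example that is not sudo's ldap.c and not code from either poster. It parses a constructed /etc/ldap.conf fragment, records the hosts in the order listed, turns timelimit into the struct timeval that ldap_search_st() takes and walks the host list when a connect attempt fails; the connect step is a caller-supplied function here, and the type and function names (ldap_conf_ex, parse_ldap_conf, connect_with_failover) are the example's own. The option names host, ldap_version and timelimit are the ones pam_ldap and nss_ldap use.

```c
/* Added example, not sudo's ldap.c: pam_ldap/nss_ldap style options parsed
 * into a failover host list, a protocol version and a search timeout. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sys/time.h>

#define MAX_HOSTS 8

struct ldap_conf_ex {
    char hosts[MAX_HOSTS][64];           /* servers in the order listed */
    int nhosts;
    int port;                            /* default 389 */
    int ldap_version;                    /* default 3, as in Aaron's change */
    int have_timeout;                    /* 0: a search could block forever */
    struct timeval timeout;              /* passed to ldap_search_st() */
};

/* Parse the whole text; returns the number of rejected lines. */
static int parse_ldap_conf(const char *text, struct ldap_conf_ex *c)
{
    char line[256];
    int nerr = 0;
    memset(c, 0, sizeof *c);
    c->port = 389;
    c->ldap_version = 3;
    while (*text) {
        size_t n = strcspn(text, "\n");
        size_t len = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += n + (text[n] == '\n');
        char *s = line;
        while (isspace((unsigned char)*s))
            s++;
        if (*s == '\0' || *s == '#')
            continue;                    /* blank line or comment */
        char *key = strtok(s, " \t");
        char *val = strtok(NULL, " \t");
        if (val == NULL) {
            nerr++;                      /* key without a value */
        } else if (strcmp(key, "host") == 0) {
            do {                         /* nss_ldap: several hosts allowed */
                if (c->nhosts >= MAX_HOSTS) { nerr++; break; }
                snprintf(c->hosts[c->nhosts++], sizeof c->hosts[0], "%s", val);
            } while ((val = strtok(NULL, " \t")) != NULL);
        } else if (strcmp(key, "ldap_version") == 0) {
            int v = atoi(val);
            if (v == 2 || v == 3) c->ldap_version = v; else nerr++;
        } else if (strcmp(key, "timelimit") == 0) {
            c->timeout.tv_sec = atoi(val);
            c->have_timeout = c->timeout.tv_sec > 0; /* 0 would mean no limit */
            nerr += !c->have_timeout;
        }                                /* base, binddn, ... not modelled */
    }
    return nerr;
}

/* Caller-supplied connect attempt (ldap_init + bind in real code): 0 = ok. */
typedef int (*connect_fn)(const char *host, int port, const void *ctx);

/* Try the servers in the listed order; index of the first to answer, or -1. */
static int connect_with_failover(const struct ldap_conf_ex *c,
                                 connect_fn try_connect, const void *ctx)
{
    for (int i = 0; i < c->nhosts; i++)
        if (try_connect(c->hosts[i], c->port, ctx) == 0)
            return i;
    return -1;
}

/* Constructed /etc/ldap.conf fragment: one master and three slaves. */
static const char SAMPLE_CONF[] =
    "# constructed for this example\n"
    "host ldap-master.example.com ldap-slave1.example.com "
    "ldap-slave2.example.com ldap-slave3.example.com\n"
    "ldap_version 3\n"
    "timelimit 15\n";

/* Simulated connect: the host named by ctx is down, all others answer. */
static int fake_connect(const char *host, int port, const void *ctx)
{
    (void)port;
    return strcmp(host, (const char *)ctx) == 0 ? -1 : 0;
}

/* With the master down the loop must settle on the first slave (index 1). */
static int demo_failover(void)
{
    struct ldap_conf_ex c;
    parse_ldap_conf(SAMPLE_CONF, &c);
    return connect_with_failover(&c, fake_connect, "ldap-master.example.com");
}

int main(void)
{
    printf("failover picked host #%d\n", demo_failover()); /* prints 1 */
    return 0;
}
```

have_timeout is kept separate from the timeval on purpose: a search issued without a limit (ldap_search_s, or ldap_search_st with no timeout) waits until the server answers or the TCP connection dies, which is the hang Andreas is worried about, so the caller can check the flag and refuse to run an unbounded search rather than discover it when sudo stalls.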