[sudo-workers] [PATCH] support for LDAP timelimit and bind_timelimit options
Andrea Barisani
lcars at gentoo.org
Wed Jun 22 04:36:54 EDT 2005
Hi!
The attached patch adds timelimit and bind_timelimit support.
With the patch, sudo has reasonable timeouts when an LDAP server is down.
Please consider its inclusion since it's a real requirement in production
environments using sudo+ldap ;) .
Bye and thanks
--
Andrea Barisani <lcars at gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
-------------- next part --------------
diff -urN sudo-1.6.8p8/ldap.c sudo-1.6.8p8-patched/ldap.c
--- sudo-1.6.8p8/ldap.c 2004-12-01 03:28:46.000000000 +0000
+++ sudo-1.6.8p8-patched/ldap.c 2005-06-22 08:14:59.000000000 +0000
@@ -82,6 +82,8 @@
char *bindpw;
char *base;
char *ssl;
+ int bind_timelimit;
+ int timelimit;
int tls_checkpeer;
char *tls_cacertfile;
char *tls_cacertdir;
@@ -545,6 +547,8 @@
else MATCH_S("tls_cert", ldap_conf.tls_certfile)
else MATCH_S("tls_key", ldap_conf.tls_keyfile)
else MATCH_I("ldap_version", ldap_conf.version)
+ else MATCH_I("bind_timelimit", ldap_conf.bind_timelimit)
+ else MATCH_I("timelimit", ldap_conf.timelimit)
else MATCH_S("uri", ldap_conf.uri)
else MATCH_S("binddn", ldap_conf.binddn)
else MATCH_S("bindpw", ldap_conf.bindpw)
@@ -566,6 +570,8 @@
if (!ldap_conf.version) ldap_conf.version=3;
if (!ldap_conf.port) ldap_conf.port=389;
if (!ldap_conf.host) ldap_conf.host=estrdup("localhost");
+ if (!ldap_conf.bind_timelimit) ldap_conf.bind_timelimit=30;
+ if (!ldap_conf.timelimit) ldap_conf.timelimit=30;
if (ldap_conf.debug>1) {
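Review bot: The two added default assignments only replace a zero value, so a negative `bind_timelimit` or `timelimit` from the config file (MATCH_I's conversion is outside this hunk, so this is inferred) would presumably be passed on unchanged and later end up as a negative timeval or millisecond count. Treating any non-positive value as "use the default" is safer: `if (ldap_conf.bind_timelimit <= 0) ldap_conf.bind_timelimit=30;` and `if (ldap_conf.timelimit <= 0) ldap_conf.timelimit=30;`. Since the literal 30 is repeated elsewhere in the patch, a single named constant for the default would keep the values from drifting apart.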
@@ -589,6 +595,10 @@
ldap_conf.binddn : "(anonymous)");
printf("bindpw %s\n", ldap_conf.bindpw ?
ldap_conf.bindpw : "(anonymous)");
+ printf("bind_timelimit %d\n", ldap_conf.bind_timelimit ?
+ ldap_conf.bind_timelimit : 30);
+ printf("timelimit %d\n", ldap_conf.timelimit ?
+ ldap_conf.timelimit : 30);
#ifdef HAVE_LDAP_START_TLS_S
printf("ssl %s\n", ldap_conf.ssl ?
ldap_conf.ssl : "(no)");
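Review bot: The `? ... : 30` fallbacks in the two added printf calls look dead: these prints appear to sit inside the `debug>1` block that opens right after the defaults set in the previous hunk, so the fields can no longer be zero here, and repeating the literal 30 means the debug output can silently disagree with the real default if it ever changes. Print the effective value directly: `printf("bind_timelimit %d\n", ldap_conf.bind_timelimit);` and `printf("timelimit %d\n", ldap_conf.timelimit);`.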
@@ -772,6 +782,34 @@
}
#endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
+ /* setup timelimit options */
+
+SET_OPTI(LDAP_OPT_TIMELIMIT, "TIMELIMIT", timelimit);
+
+#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
+ int timeout;
+ timeout = ldap_conf.bind_timelimit * 1000;
+
+ SET_OPTI(LDAP_X_OPT_CONNECT_TIMEOUT, "X_OPT_CONNECT_TIMEOUT", timeout);
+#endif
+
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+ if (ldap_conf.debug>1) fprintf(stderr, "setting bind_timelimit to %d\n", \
+ ldap_conf.bind_timelimit);
+
+ struct timeval tv;
+
+ tv.tv_sec = ldap_conf.bind_timelimit;
+ tv.tv_usec = 0;
+
+ rc = ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+
+ if (rc != LDAP_OPT_SUCCESS) {
+ fprintf(stderr, "bind_timelimit ldap_set_option failed: %s\n", ldap_err2string(rc));
+ return VALIDATE_ERROR;
+ }
+#endif
+
/* attempt connect */
#ifdef HAVE_LDAP_INITIALIZE
if (ldap_conf.uri) {
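Review bot: LDAP_OPT_TIMELIMIT, set on the `SET_OPTI(LDAP_OPT_TIMELIMIT, ...)` line, is the time limit carried in the search request for the server to enforce; in OpenLDAP it does not bound how long the synchronous search call waits on the client, so a server that accepts the connection but never answers can still hang sudo indefinitely — only the connect phase is covered by the LDAP_OPT_NETWORK_TIMEOUT call added here. If the goal from the cover note is a bounded wait when the server is down, also set the client-side default under `#ifdef LDAP_OPT_TIMEOUT`, e.g. `rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv);` with `tv.tv_sec = ldap_conf.timelimit` and the same rc check and `return VALIDATE_ERROR` as the network-timeout call. Separately, `int timeout;` and `struct timeval tv;` are declared after statements, a C99 mixed declaration that the surrounding code appears to avoid; move them to the top of the enclosing function (whose start is outside this hunk) or give each `#ifdef` body its own brace block. `ldap_conf.bind_timelimit * 1000` can also overflow a signed int for large configured values, so clamp the value before the multiply.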