[sudo-workers] Please update the LDAP search string for netgroup_base
Steven Soulen
soulen3 at gmail.com
Mon Jun 15 13:17:20 MDT 2015
Hi Todd,
I tried out the netgroup_base option on an AIX host and the ldapsearch
didn't run correctly. After some debugging I found that the escape
characters on the parentheses in the search string are not working as
expected.
I then found RFC 2254, which specifies that \( and \) should be entered as
\28 and \29.
https://tools.ietf.org/search/rfc2254
So I updated the search string and I've tested it on RHEL, Solaris and AIX
against a DSEE LDAP server.
I had to test this using Sudo version 1.8.13 as I was unable to build a
clean version from source. Below are the configuration options I've
used and the error message I received while running make.
Configure Options
# CC="gcc -static-libgcc" ./configure --prefix=/opt/sudo
--exec-prefix=/opt/sudo --mandir=/opt/sudo/man
--sysconfdir=/etc --localstatedir=/var
--datarootdir=/usr/share --with-logging=both --with-logfac=local2
--with-goodpri=info --with-badpri=err --with-editor=/usr/bin/vi
--with-env-editor --with-ignore-dot --with-tty-tickets
--with-pam --with-nsswitch --with-ldap --with-project
--with-ldap-conf-file=/opt/sudo/etc/ldap.conf
--with-ldap-secret-file=/opt/sudo/etc/ldap.secret --disable-zlib
--without-sendmail --with-secure-path
Error message:
/bin/sh ../../libtool --mode=link gcc -static-libgcc -std=gnu99 -o visudo
find_path.o goodpath.o locale.o sudo_printf.o visudo.o visudo_json.o
-Wl,-z,relro -Wc,-fPIE -pie -Wc,-fstack-protector-all libparsesudoers.la
../../lib/util/libsudo_util.la
libtool: link: gcc -static-libgcc -std=gnu99 -o .libs/visudo find_path.o
goodpath.o locale.o sudo_printf.o visudo.o visudo_json.o -Wl,-z -Wl,relro
-fPIE -pie -fstack-protector-all ./.libs/libparsesudoers.a
../../lib/util/.libs/libsudo_util.so -ldl -lrt -Wl,-rpath
-Wl,/opt/sudo/libexec/sudo
./.libs/libparsesudoers.a(pwutil_impl.o): In function
`sudo_make_grlist_item':
/tmp/sudo/plugins/sudoers/./pwutil_impl.c:259: undefined reference to
`sudo_reallocarray'
/tmp/sudo/plugins/sudoers/./pwutil_impl.c:267: undefined reference to
`sudo_reallocarray'
/tmp/sudo/plugins/sudoers/./pwutil_impl.c:272: undefined reference to
`sudo_reallocarray'
./.libs/libparsesudoers.a(toke.o): In function `push_include_int':
/tmp/sudo/plugins/sudoers/toke.l:929: undefined reference to
`sudo_reallocarray'
./.libs/libparsesudoers.a(toke.o): In function `switch_dir':
/tmp/sudo/plugins/sudoers/toke.l:822: undefined reference to
`sudo_reallocarray'
collect2: ld returned 1 exit status
make[1]: *** [visudo] Error 1
make[1]: Leaving directory `/tmp/sudo/plugins/sudoers'
make: *** [all] Error 2
Code diff for ldap.c:
--- ldap.c.orig 2015-06-15 13:45:56.000000000 -0500
+++ ldap.c 2015-06-15 14:12:31.000000000 -0500
@@ -1350,7 +1350,7 @@
/* Build query, using NIS domain if it is set. */
/* XXX - move outside foreach */
if (domain != NULL) {
- filt_len = sizeof("(nisNetgroupTriple=\\(,,\\))") - 1 +
+ filt_len = sizeof("(nisNetgroupTriple=\\28,,\\29)") - 1 +
sudo_ldap_value_len(pw->pw_name);
if (user_host == user_shost) {
filt_len *= 4;
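Review bot: The sizeof template on the + line is now one byte longer per parenthesis than before (`\\28` is three characters where `\\(` was two), and because the fragments appended later in the function were widened the same way, filt_len still tracks the real filter length; that coupling is invisible here, so the reason for the hex form deserves a comment above the sizeof, e.g. `/* RFC 4515 (formerly 2254): a literal "(" or ")" inside a filter value must be encoded as \28 / \29; the backslash-paren form is not accepted by all servers. */`. The `filt_len *= 4` multiplier and the matching branch for user_host != user_shost lie outside the hunk, as does the start of the enclosing function, so whether the sizing still covers the widest case cannot be confirmed from this hunk alone.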
@@ -1366,39 +1366,39 @@
filt = sudo_emalloc(filt_len);
CHECK_STRLCPY(filt, "(&", filt_len);
CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len);
- CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\(,", filt_len);
+ CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, domain, filt_len);
- CHECK_STRLCAT(filt, "\\))(nisNetgroupTriple=\\(", filt_len);
+ CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_shost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_host != user_shost) {
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, domain, filt_len);
- CHECK_STRLCAT(filt, "\\))(nisNetgroupTriple=\\(", filt_len);
+ CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28",
filt_len);
CHECK_LDAP_VCAT(filt, user_host, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
}
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, domain, filt_len);
- CHECK_STRLCAT(filt, "\\))(nisNetgroupTriple=\\(,", filt_len);
+ CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28,", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
- CHECK_STRLCAT(filt, ",\\))(nisNetgroupTriple=\\(", filt_len);
+ CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_shost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_host != user_shost) {
- CHECK_STRLCAT(filt, ",\\))(nisNetgroupTriple=\\(",
filt_len);
+ CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28",
filt_len);
CHECK_LDAP_VCAT(filt, user_host, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
}
- CHECK_STRLCAT(filt, ",\\))))", filt_len);
+ CHECK_STRLCAT(filt, ",\\29)))", filt_len);
} else {
- filt_len = sizeof("(nisNetgroupTriple=\\(,,*\\))") - 1 +
+ filt_len = sizeof("(nisNetgroupTriple=\\28,,*\\29)") - 1 +
sudo_ldap_value_len(pw->pw_name);
if (user_host == user_shost) {
filt_len *= 2;
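Review bot: Every user-derived piece of the filter (pw->pw_name, user_shost, user_host, domain) is still appended through CHECK_LDAP_VCAT, which this hunk does not touch; if that helper encodes parentheses with the old backslash-paren form rather than `\28`/`\29`, a value containing those characters would be rejected by the same servers this patch works around, so the value-escaping helper (presumably sudo_ldap_value_cat, and the matching sudo_ldap_value_len) should be checked for the same convention. The third hunk (the no-domain branch) has the identical dependency. Applying the RFC 4515 encoding consistently in one helper, and having the literal fragments here reference it in a comment, would keep the two from drifting apart again.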
@@ -1412,19 +1412,19 @@
filt = sudo_emalloc(filt_len);
CHECK_STRLCPY(filt, "(&", filt_len);
CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len);
- CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\(,", filt_len);
+ CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
- CHECK_STRLCAT(filt, ",*\\))(nisNetgroupTriple=\\(", filt_len);
+ CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_shost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_host != user_shost) {
- CHECK_STRLCAT(filt, ",*\\))(nisNetgroupTriple=\\(",
filt_len);
+ CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28",
filt_len);
CHECK_LDAP_VCAT(filt, user_host, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
}
- CHECK_STRLCAT(filt, ",*\\))))", filt_len);
+ CHECK_STRLCAT(filt, ",*\\29)))", filt_len);
}
DPRINTF1("ldap netgroup search filter: '%s'", filt);
result = NULL;