sudo_ldap_open: Error out if start_tls specified but not supported

millert · millert · commit db82b90aeb07 · 2025-10-30T08:55:42.000-06:00
It is now an error if the ldap.conf file contains "SSL start_tls" but the LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()> Found by the ZeroPath AI Security Engineer <https://zeropath.com>
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
@@ -1630,6 +1630,7 @@ sudo_ldap_open(struct sudoers_context *ctx, struct sudo_nss *nss)
 #else
 	sudo_warnx("%s",
 	    U_("start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"));
+	goto done;
 #endif /* !HAVE_LDAP_START_TLS_S && !HAVE_LDAP_START_TLS_S_NP */
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1630,6 +1630,7 @@ sudo_ldap_open(struct sudoers_context ctx, struct sudo_nss nss)`
`1630`	`1630`	`#else`
`1631`	`1631`	`sudo_warnx("%s",`
`1632`	`1632`	`U_("start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"));`
	`1633`	`+ goto done;`
`1633`	`1634`	`#endif /* !HAVE_LDAP_START_TLS_S && !HAVE_LDAP_START_TLS_S_NP */`
`1634`	`1635`	`}`
`1635`	`1636`