bmh10 / rpms / openssh

Forked from rpms/openssh 2 days ago
Clone
b58e57
diff -up openssh-7.4p1/HOWTO.ldap-keys.ldap openssh-7.4p1/HOWTO.ldap-keys
b58e57
--- openssh-7.4p1/HOWTO.ldap-keys.ldap	2017-02-08 14:26:19.935750452 +0100
b58e57
+++ openssh-7.4p1/HOWTO.ldap-keys	2017-02-08 14:26:19.935750452 +0100
b58e57
@@ -0,0 +1,125 @@
b58e57
+
b58e57
+HOW TO START
b58e57
+
b58e57
+1) configure LDAP server
b58e57
+  * Use LDAP server documentation
b58e57
+2) add appropriate LDAP schema
b58e57
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
b58e57
+  * LDAP user entry
b58e57
+        User entry:
b58e57
+	- attached to the 'ldapPublicKey' objectclass
b58e57
+	- attached to the 'posixAccount' objectclass
b58e57
+	- with a filled 'sshPublicKey' attribute 
b58e57
+3) insert users into LDAP
b58e57
+  * Use LDAP Tree management tool as useful
b58e57
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
b58e57
+  * Example:
b58e57
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
b58e57
+	objectclass: top
b58e57
+	objectclass: person
b58e57
+	objectclass: organizationalPerson
b58e57
+	objectclass: posixAccount
b58e57
+	objectclass: ldapPublicKey
b58e57
+	description: Jonathan Archer
b58e57
+	userPassword: Porthos
b58e57
+	cn: onathan Archer
b58e57
+	sn: onathan Archer
b58e57
+	uid: captain
b58e57
+	uidNumber: 1001
b58e57
+	gidNumber: 1001
b58e57
+	homeDirectory: /home/captain
b58e57
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
b58e57
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
b58e57
+4) on the ssh side set in sshd_config
b58e57
+  * Set up the backend
b58e57
+	AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
b58e57
+	AuthorizedKeysCommandUser <appropriate user to run LDAP>
b58e57
+  * Do not forget to set
b58e57
+	PubkeyAuthentication yes
b58e57
+  * Swith off unnecessary auth methods
b58e57
+5) confugure ldap.conf
b58e57
+  * Default ldap.conf is placed in /etc/ssh
b58e57
+  * The configuration style is the same as other ldap based aplications
b58e57
+6) if necessary edit ssh-ldap-wrapper
b58e57
+  * There is a possibility to change ldap.conf location
b58e57
+  * There are some debug options
b58e57
+  * Example
b58e57
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
b58e57
+7) Configure SELinux boolean which allows ldap-helper to bind ldap server
b58e57
+  Run this command
b58e57
+  # setsebool -P authlogin_nsswitch_use_ldap on
b58e57
+
b58e57
+HOW TO MIGRATE FROM LPK
b58e57
+
b58e57
+1) goto HOW TO START 4) .... the ldap schema is the same
b58e57
+
b58e57
+2) convert the group requests to the appropriate LDAP requests
b58e57
+
b58e57
+HOW TO SOLVE PROBLEMS
b58e57
+
b58e57
+1) use debug in sshd
b58e57
+  * /usr/sbin/sshd -d -d -d -d
b58e57
+2) use debug in ssh-ldap-helper
b58e57
+  * ssh-ldap-helper -d -d -d -d -s <username>
b58e57
+3) use tcpdump ... other ldap client etc.
b58e57
+
b58e57
+HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
b58e57
+
b58e57
+You can adjust search format string in /etc/ldap.conf using
b58e57
+ 1) SSH_Filter option to limit results for only specified users
b58e57
+    (this appends search condition after original query)
b58e57
+ 2) Account_Class option to define own user class name
b58e57
+    (default is posixAccount)
b58e57
+ 3) Search_Format option to define your own search string using expansion
b58e57
+    characters %u for username and %f for above mentioned filter and
b58e57
+    %c for above mentioned object class.
b58e57
+
b58e57
+Example:
b58e57
+Search_Format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
b58e57
+
b58e57
+ADVANTAGES
b58e57
+
b58e57
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
b58e57
+
b58e57
+DISADVANTAGES
b58e57
+
b58e57
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
b58e57
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
b58e57
+  of your users in all your server farm -- be VERY CAREFUL.
b58e57
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
b58e57
+  as the impersonated user.
b58e57
+3) If LDAP server is down there may be no fallback on passwd auth.
b58e57
+  
b58e57
+MISC.
b58e57
+  
b58e57
+1) todo
b58e57
+  * Possibility to reuse the ssh-ldap-helper.
b58e57
+  * Tune the LDAP part to accept  all possible LDAP configurations.
b58e57
+
b58e57
+2) differences from original lpk
b58e57
+  * No LDAP code in sshd.
b58e57
+  * Support for various LDAP platforms and configurations.
b58e57
+  * LDAP is configured in separate ldap.conf file.
b58e57
+
b58e57
+3) docs/link 
b58e57
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
b58e57
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
b58e57
+  * http://fritz.potsdam.edu/projects/sshgate/
b58e57
+  * http://dev.inversepath.com/trac/openssh-lpk
b58e57
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
b58e57
+
b58e57
+4) contributors/ideas/greets
b58e57
+  - Eric AUGE <eau@phear.org>
b58e57
+  - Andrea Barisani <andrea@inversepath.com>
b58e57
+  - Falk Siemonsmeier.
b58e57
+  - Jacob Rief.
b58e57
+  - Michael Durchgraf.
b58e57
+  - frederic peters.
b58e57
+  - Finlay dobbie.
b58e57
+  - Stefan Fisher.
b58e57
+  - Robin H. Johnson.
b58e57
+  - Adrian Bridgett.
b58e57
+
b58e57
+5) Author
b58e57
+    Jan F. Chadima <jchadima@redhat.com>
b58e57
+
b58e57
diff -up openssh-7.4p1/Makefile.in.ldap openssh-7.4p1/Makefile.in
b58e57
--- openssh-7.4p1/Makefile.in.ldap	2016-12-19 05:59:41.000000000 +0100
b58e57
+++ openssh-7.4p1/Makefile.in	2017-02-08 14:31:36.851624797 +0100
b58e57
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
b58e57
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
b58e57
 SFTP_SERVER=$(libexecdir)/sftp-server
b58e57
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
b58e57
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
b58e57
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
b58e57
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
b58e57
 PRIVSEP_PATH=@PRIVSEP_PATH@
b58e57
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
b58e57
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
b58e57
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
b58e57
 EXEEXT=@EXEEXT@
b58e57
 MANFMT=@MANFMT@
b58e57
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
b58e57
 
b58e57
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
b58e57
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
b58e57
 
b58e57
 LIBOPENSSH_OBJS=\
b58e57
 	ssh_api.o \
b58e57
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
b58e57
 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
b58e57
 	sandbox-solaris.o
b58e57
 
b58e57
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
b58e57
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
b58e57
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
b58e57
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
b58e57
 MANTYPE		= @MANTYPE@
b58e57
 
b58e57
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
b58e57
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
b58e57
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
b58e57
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
b58e57
 
b58e57
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
b58e57
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS)
b58e57
+
b58e57
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
b58e57
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
b58e57
 
b58e57
@@ -322,6 +328,10 @@ install-files:
b58e57
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
b58e57
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
b58e57
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
b58e57
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
b58e57
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
b58e57
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
b58e57
+	fi
b58e57
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
b58e57
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
b58e57
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
b58e57
@@ -338,6 +348,10 @@ install-files:
b58e57
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
b58e57
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
b58e57
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
b58e57
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
b58e57
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
b58e57
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
b58e57
+	fi
b58e57
 
b58e57
 install-sysconf:
b58e57
 	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
b58e57
@@ -363,6 +377,13 @@ install-sysconf:
b58e57
 	else \
b58e57
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
b58e57
 	fi
b58e57
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
b58e57
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
b58e57
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
b58e57
+		else \
b58e57
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
b58e57
+		fi ; \
b58e57
+	fi
b58e57
 
b58e57
 host-key: ssh-keygen$(EXEEXT)
b58e57
 	@if [ -z "$(DESTDIR)" ] ; then \
b58e57
@@ -403,6 +424,8 @@ uninstall:
b58e57
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
b58e57
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
b58e57
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
b58e57
+	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
b58e57
+	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
b58e57
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
b58e57
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
b58e57
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
b58e57
@@ -414,6 +437,7 @@ uninstall:
b58e57
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
b58e57
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
b58e57
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
b58e57
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
b58e57
 
b58e57
 regress-prep:
b58e57
 	[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
b58e57
diff -up openssh-7.4p1/configure.ac.ldap openssh-7.4p1/configure.ac
b58e57
--- openssh-7.4p1/configure.ac.ldap	2016-12-19 05:59:41.000000000 +0100
b58e57
+++ openssh-7.4p1/configure.ac	2017-02-08 14:26:19.936750452 +0100
b58e57
@@ -1656,6 +1656,106 @@ if test "x$use_pie" != "xno"; then
b58e57
 	fi
b58e57
 fi
b58e57
 
b58e57
+# Check whether user wants LDAP support
b58e57
+LDAP_MSG="no"
b58e57
+INSTALL_SSH_LDAP_HELPER=""
b58e57
+AC_ARG_WITH(ldap,
b58e57
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
b58e57
+	[
b58e57
+		if test "x$withval" != "xno" ; then
b58e57
+
b58e57
+			INSTALL_SSH_LDAP_HELPER="yes"
b58e57
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
b58e57
+
b58e57
+			if test "x$withval" != "xyes" ; then
b58e57
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
b58e57
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
b58e57
+			fi
b58e57
+
b58e57
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
b58e57
+			LDAP_MSG="yes"
b58e57
+
b58e57
+			AC_CHECK_HEADERS(lber.h)
b58e57
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
b58e57
+			AC_CHECK_HEADERS(ldap_ssl.h)
b58e57
+
b58e57
+			AC_ARG_WITH(ldap-lib,
b58e57
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
b58e57
+
b58e57
+			if test -z "$with_ldap_lib"; then
b58e57
+				with_ldap_lib=auto
b58e57
+			fi
b58e57
+
b58e57
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
b58e57
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
b58e57
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
b58e57
+			fi
b58e57
+
b58e57
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
b58e57
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
b58e57
+			fi
b58e57
+
b58e57
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
b58e57
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
b58e57
+				if test -z "$found_ldap_lib"; then
b58e57
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
b58e57
+				fi
b58e57
+				if test -z "$found_ldap_lib"; then
b58e57
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
b58e57
+				fi
b58e57
+				if test -z "$found_ldap_lib"; then
b58e57
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
b58e57
+				fi
b58e57
+			fi
b58e57
+
b58e57
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
b58e57
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
b58e57
+			fi
b58e57
+
b58e57
+			if test -z "$found_ldap_lib"; then
b58e57
+				AC_MSG_ERROR(could not locate a valid LDAP library)
b58e57
+			fi
b58e57
+
b58e57
+			AC_MSG_CHECKING([for working LDAP support])
b58e57
+			AC_TRY_COMPILE(
b58e57
+				[#include <sys/types.h>
b58e57
+				 #include <ldap.h>],
b58e57
+				[(void)ldap_init(0, 0);],
b58e57
+				[AC_MSG_RESULT(yes)],
b58e57
+				[
b58e57
+				    AC_MSG_RESULT(no) 
b58e57
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
b58e57
+				])
b58e57
+			AC_CHECK_FUNCS( \
b58e57
+				ldap_init \
b58e57
+				ldap_get_lderrno \
b58e57
+				ldap_set_lderrno \
b58e57
+				ldap_parse_result \
b58e57
+				ldap_memfree \
b58e57
+				ldap_controls_free \
b58e57
+				ldap_set_option \
b58e57
+				ldap_get_option \
b58e57
+				ldapssl_init \
b58e57
+				ldap_start_tls_s \
b58e57
+				ldap_pvt_tls_set_option \
b58e57
+				ldap_initialize \
b58e57
+			)
b58e57
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
b58e57
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
b58e57
+				AC_TRY_COMPILE(
b58e57
+					[#include <lber.h>
b58e57
+					#include <ldap.h>],
b58e57
+					[ldap_set_rebind_proc(0, 0, 0);],
b58e57
+					[ac_cv_ldap_set_rebind_proc=3],
b58e57
+					[ac_cv_ldap_set_rebind_proc=2])
b58e57
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
b58e57
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
b58e57
+			)
b58e57
+		fi
b58e57
+	]
b58e57
+)
b58e57
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
b58e57
+
b58e57
 dnl    Checks for library functions. Please keep in alphabetical order
b58e57
 AC_CHECK_FUNCS([ \
b58e57
 	Blowfish_initstate \
b58e57
diff -up openssh-7.4p1/ldap-helper.c.ldap openssh-7.4p1/ldap-helper.c
b58e57
--- openssh-7.4p1/ldap-helper.c.ldap	2017-02-08 14:26:19.936750452 +0100
b58e57
+++ openssh-7.4p1/ldap-helper.c	2017-02-08 14:26:19.936750452 +0100
b58e57
@@ -0,0 +1,155 @@
b58e57
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
b58e57
+/*
b58e57
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
b58e57
+ *
b58e57
+ * Redistribution and use in source and binary forms, with or without
b58e57
+ * modification, are permitted provided that the following conditions
b58e57
+ * are met:
b58e57
+ * 1. Redistributions of source code must retain the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer.
b58e57
+ * 2. Redistributions in binary form must reproduce the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer in the
b58e57
+ *    documentation and/or other materials provided with the distribution.
b58e57
+ *
b58e57
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
b58e57
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
b58e57
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
b58e57
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
b58e57
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
b58e57
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
b58e57
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
b58e57
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
b58e57
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
b58e57
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
b58e57
+ */
b58e57
+
b58e57
+#include "ldapincludes.h"
b58e57
+#include "log.h"
b58e57
+#include "misc.h"
b58e57
+#include "xmalloc.h"
b58e57
+#include "ldapconf.h"
b58e57
+#include "ldapbody.h"
b58e57
+#include <string.h>
b58e57
+#include <unistd.h>
b58e57
+
b58e57
+static int config_debug = 0;
b58e57
+int config_exclusive_config_file = 0;
b58e57
+static char *config_file_name = "/etc/ssh/ldap.conf";
b58e57
+static char *config_single_user = NULL;
b58e57
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
b58e57
+int config_warning_config_file = 0;
b58e57
+extern char *__progname;
b58e57
+
b58e57
+static void
b58e57
+usage(void)
b58e57
+{
b58e57
+	fprintf(stderr, "usage: %s [options]\n",
b58e57
+	    __progname);
b58e57
+	fprintf(stderr, "Options:\n");
b58e57
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
b58e57
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
b58e57
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
b58e57
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
b58e57
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
b58e57
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
b58e57
+	exit(1);
b58e57
+}
b58e57
+
b58e57
+/*
b58e57
+ * Main program for the ssh pka ldap agent.
b58e57
+ */
b58e57
+
b58e57
+int
b58e57
+main(int ac, char **av)
b58e57
+{
b58e57
+	int opt;
b58e57
+	FILE *outfile = NULL;
b58e57
+
b58e57
+	__progname = ssh_get_progname(av[0]);
b58e57
+
b58e57
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
b58e57
+
b58e57
+	/*
b58e57
+	 * Initialize option structure to indicate that no values have been
b58e57
+	 * set.
b58e57
+	 */
b58e57
+	initialize_options();
b58e57
+
b58e57
+	/* Parse command-line arguments. */
b58e57
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
b58e57
+		switch (opt) {
b58e57
+		case 'd':
b58e57
+			config_debug = 1;
b58e57
+			break;
b58e57
+
b58e57
+		case 'e':
b58e57
+			config_exclusive_config_file = 1;
b58e57
+			config_warning_config_file = 1;
b58e57
+			break;
b58e57
+
b58e57
+		case 'f':
b58e57
+			config_file_name = optarg;
b58e57
+			break;
b58e57
+
b58e57
+		case 's':
b58e57
+			config_single_user = optarg;
b58e57
+			outfile = fdopen (dup (fileno (stdout)), "w");
b58e57
+			break;
b58e57
+
b58e57
+		case 'v':
b58e57
+			config_debug = 1;
b58e57
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
b58e57
+			    config_verbose++;
b58e57
+			break;
b58e57
+
b58e57
+		case 'w':
b58e57
+			config_warning_config_file = 1;
b58e57
+			break;
b58e57
+
b58e57
+		case '?':
b58e57
+		default:
b58e57
+			usage();
b58e57
+			break;
b58e57
+		}
b58e57
+	}
b58e57
+
b58e57
+	/* Initialize loging */
b58e57
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
b58e57
+
b58e57
+	if (ac != optind)
b58e57
+	    fatal ("illegal extra parameter %s", av[1]);
b58e57
+
b58e57
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
b58e57
+	if (config_debug == 0)
b58e57
+	    sanitise_stdfd();
b58e57
+
b58e57
+	/* Read config file */
b58e57
+	read_config_file(config_file_name);
b58e57
+	fill_default_options();
b58e57
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
b58e57
+		debug3 ("=== Configuration ===");
b58e57
+		dump_config();
b58e57
+		debug3 ("=== *** ===");
b58e57
+	}
b58e57
+
b58e57
+	ldap_checkconfig();
b58e57
+	ldap_do_connect();
b58e57
+
b58e57
+	if (config_single_user) {
b58e57
+		process_user (config_single_user, outfile);
b58e57
+	} else {
b58e57
+		usage();
b58e57
+		fatal ("Not yet implemented");
b58e57
+/* TODO
b58e57
+ * open unix socket a run the loop on it
b58e57
+ */
b58e57
+	}
b58e57
+
b58e57
+	ldap_do_close();
b58e57
+	return 0;
b58e57
+}
b58e57
+
b58e57
+/* Ugly hack */
b58e57
+void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
b58e57
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
b58e57
+
b58e57
diff -up openssh-7.4p1/ldap-helper.h.ldap openssh-7.4p1/ldap-helper.h
b58e57
--- openssh-7.4p1/ldap-helper.h.ldap	2017-02-08 14:26:19.936750452 +0100
b58e57
+++ openssh-7.4p1/ldap-helper.h	2017-02-08 14:26:19.936750452 +0100
b58e57
@@ -0,0 +1,32 @@
b58e57
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
b58e57
+/*
b58e57
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
b58e57
+ *
b58e57
+ * Redistribution and use in source and binary forms, with or without
b58e57
+ * modification, are permitted provided that the following conditions
b58e57
+ * are met:
b58e57
+ * 1. Redistributions of source code must retain the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer.
b58e57
+ * 2. Redistributions in binary form must reproduce the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer in the
b58e57
+ *    documentation and/or other materials provided with the distribution.
b58e57
+ *
b58e57
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
b58e57
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
b58e57
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
b58e57
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
b58e57
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
b58e57
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
b58e57
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
b58e57
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
b58e57
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
b58e57
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
b58e57
+ */
b58e57
+
b58e57
+#ifndef LDAP_HELPER_H
b58e57
+#define LDAP_HELPER_H
b58e57
+
b58e57
+extern int config_exclusive_config_file;
b58e57
+extern int config_warning_config_file;
b58e57
+
b58e57
+#endif /* LDAP_HELPER_H */
b58e57
diff -up openssh-7.4p1/ldap.conf.ldap openssh-7.4p1/ldap.conf
b58e57
--- openssh-7.4p1/ldap.conf.ldap	2017-02-08 14:26:19.936750452 +0100
b58e57
+++ openssh-7.4p1/ldap.conf	2017-02-08 14:26:19.936750452 +0100
b58e57
@@ -0,0 +1,94 @@
b58e57
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
b58e57
+#
b58e57
+# This is the example configuration file for the OpenSSH
b58e57
+# LDAP backend
b58e57
+# 
b58e57
+# see ssh-ldap.conf(5)
b58e57
+#
b58e57
+
b58e57
+# URI with your LDAP server name. This allows to use
b58e57
+# Unix Domain Sockets to connect to a local LDAP Server.
b58e57
+#uri ldap://127.0.0.1/
b58e57
+#uri ldaps://127.0.0.1/   
b58e57
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
b58e57
+# Note: %2f encodes the '/' used as directory separator
b58e57
+
b58e57
+# Another way to specify your LDAP server is to provide an
b58e57
+# host name and the port of our LDAP server. Host name
b58e57
+# must be resolvable without using LDAP.
b58e57
+# Multiple hosts may be specified, each separated by a 
b58e57
+# space. How long nss_ldap takes to failover depends on
b58e57
+# whether your LDAP client library supports configurable
b58e57
+# network or connect timeouts (see bind_timelimit).
b58e57
+#host 127.0.0.1
b58e57
+
b58e57
+# The port.
b58e57
+# Optional: default is 389.
b58e57
+#port 389
b58e57
+
b58e57
+# The distinguished name to bind to the server with.
b58e57
+# Optional: default is to bind anonymously.
b58e57
+#binddn cn=openssh_keys,dc=example,dc=org
b58e57
+
b58e57
+# The credentials to bind with. 
b58e57
+# Optional: default is no credential.
b58e57
+#bindpw TopSecret
b58e57
+
b58e57
+# The distinguished name of the search base.
b58e57
+#base dc=example,dc=org
b58e57
+
b58e57
+# The LDAP version to use (defaults to 3
b58e57
+# if supported by client library)
b58e57
+#ldap_version 3
b58e57
+
b58e57
+# The search scope.
b58e57
+#scope sub
b58e57
+#scope one
b58e57
+#scope base
b58e57
+
b58e57
+# Search timelimit
b58e57
+#timelimit 30
b58e57
+
b58e57
+# Bind/connect timelimit
b58e57
+#bind_timelimit 30
b58e57
+
b58e57
+# Reconnect policy: hard (default) will retry connecting to
b58e57
+# the software with exponential backoff, soft will fail
b58e57
+# immediately.
b58e57
+#bind_policy hard
b58e57
+
b58e57
+# SSL setup, may be implied by URI also.
b58e57
+#ssl no
b58e57
+#ssl on
b58e57
+#ssl start_tls
b58e57
+
b58e57
+# OpenLDAP SSL options
b58e57
+# Require and verify server certificate (yes/no)
b58e57
+# Default is to use libldap's default behavior, which can be configured in
b58e57
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
b58e57
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
b58e57
+#tls_checkpeer hard
b58e57
+
b58e57
+# CA certificates for server certificate verification
b58e57
+# At least one of these are required if tls_checkpeer is "yes"
b58e57
+#tls_cacertfile /etc/ssl/ca.cert
b58e57
+#tls_cacertdir /etc/pki/tls/certs
b58e57
+
b58e57
+# Seed the PRNG if /dev/urandom is not provided
b58e57
+#tls_randfile /var/run/egd-pool
b58e57
+
b58e57
+# SSL cipher suite
b58e57
+# See man ciphers for syntax
b58e57
+#tls_ciphers TLSv1
b58e57
+
b58e57
+# Client certificate and key
b58e57
+# Use these, if your server requires client authentication.
b58e57
+#tls_cert
b58e57
+#tls_key
b58e57
+
b58e57
+# OpenLDAP search_format
b58e57
+# format used to search for users in LDAP directory using substitution
b58e57
+# for %u for user name and %f for SSH_Filter option (optional, empty by default)
b58e57
+#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
b58e57
+
b58e57
+#AccountClass posixAccount
b58e57
diff -up openssh-7.4p1/ldapbody.c.ldap openssh-7.4p1/ldapbody.c
b58e57
--- openssh-7.4p1/ldapbody.c.ldap	2017-02-08 14:26:19.937750451 +0100
b58e57
+++ openssh-7.4p1/ldapbody.c	2017-02-08 14:26:19.937750451 +0100
b58e57
@@ -0,0 +1,493 @@
b58e57
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
b58e57
+/*
b58e57
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
b58e57
+ *
b58e57
+ * Redistribution and use in source and binary forms, with or without
b58e57
+ * modification, are permitted provided that the following conditions
b58e57
+ * are met:
b58e57
+ * 1. Redistributions of source code must retain the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer.
b58e57
+ * 2. Redistributions in binary form must reproduce the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer in the
b58e57
+ *    documentation and/or other materials provided with the distribution.
b58e57
+ *
b58e57
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
b58e57
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
b58e57
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
b58e57
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
b58e57
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
b58e57
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
b58e57
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
b58e57
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
b58e57
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
b58e57
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
b58e57
+ */
b58e57
+
b58e57
+#include "ldapincludes.h"
b58e57
+#include "log.h"
b58e57
+#include "xmalloc.h"
b58e57
+#include "ldapconf.h"
b58e57
+#include "ldapmisc.h"
b58e57
+#include "ldapbody.h"
b58e57
+#include <stdio.h>
b58e57
+#include <unistd.h>
b58e57
+#include "misc.h"
b58e57
+
b58e57
+#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
b58e57
+#define PUBKEYATTR "sshPublicKey"
b58e57
+#define LDAP_LOGFILE	"%s/ldap.%d"
b58e57
+
b58e57
+static FILE *logfile = NULL;
b58e57
+static LDAP *ld;
b58e57
+
b58e57
+static char *attrs[] = {
b58e57
+    PUBKEYATTR,
b58e57
+    NULL
b58e57
+};
b58e57
+
b58e57
+void
b58e57
+ldap_checkconfig (void)
b58e57
+{
b58e57
+#ifdef HAVE_LDAP_INITIALIZE
b58e57
+		if (options.host == NULL && options.uri == NULL)
b58e57
+#else
b58e57
+		if (options.host == NULL)
b58e57
+#endif
b58e57
+		    fatal ("missing  \"host\" in config file");
b58e57
+}
b58e57
+
b58e57
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
b58e57
+static int
b58e57
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
b58e57
+{
b58e57
+	struct timeval timeout;
b58e57
+	int rc;
b58e57
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
b58e57
+	LDAPMessage *result;
b58e57
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
b58e57
+
b58e57
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
b58e57
+	if (options.ssl == SSL_START_TLS) {
b58e57
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
b58e57
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
b58e57
+			return LDAP_OPERATIONS_ERROR;
b58e57
+		}
b58e57
+	}
b58e57
+
b58e57
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
b58e57
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
b58e57
+#else
b58e57
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
b58e57
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
b58e57
+
b58e57
+	timeout.tv_sec = options.bind_timelimit;
b58e57
+	timeout.tv_usec = 0;
b58e57
+	result = NULL;
b58e57
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
b58e57
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
b58e57
+		ldap_msgfree (result);
b58e57
+		return LDAP_OPERATIONS_ERROR;
b58e57
+	}
b58e57
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
b58e57
+	return rc;
b58e57
+#endif
b58e57
+}
b58e57
+#else
b58e57
+
b58e57
+static int
b58e57
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
b58e57
+{
b58e57
+	if (freeit)
b58e57
+	    return LDAP_SUCCESS;
b58e57
+
b58e57
+	*whop = strdup (options.binddn);
b58e57
+	*credp = strdup (options.bindpw);
b58e57
+	*methodp = LDAP_AUTH_SIMPLE;
b58e57
+	debug2 ("Doing LDAP rebind for %s", *whop);
b58e57
+	return LDAP_SUCCESS;
b58e57
+}
b58e57
+#endif
b58e57
+
b58e57
+void
b58e57
+ldap_do_connect(void)
b58e57
+{
b58e57
+	int rc, msgid, ld_errno = 0;
b58e57
+	struct timeval timeout;
b58e57
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
b58e57
+	int parserc;
b58e57
+	LDAPMessage *result;
b58e57
+	LDAPControl **controls;
b58e57
+	int reconnect = 0;
b58e57
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
b58e57
+
b58e57
+	debug ("LDAP do connect");
b58e57
+
b58e57
+retry:
b58e57
+	if (reconnect) {
b58e57
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
b58e57
+		if (options.bind_policy == 0 ||
b58e57
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
b58e57
+			reconnect > 5)
b58e57
+			    fatal ("Cannot connect to LDAP server");
b58e57
+	
b58e57
+		if (reconnect > 1)
b58e57
+			sleep (reconnect - 1);
b58e57
+
b58e57
+		if (ld != NULL) {
b58e57
+			ldap_unbind (ld);
b58e57
+			ld = NULL;
b58e57
+		}
b58e57
+		logit("reconnecting to LDAP server...");
b58e57
+	}
b58e57
+
b58e57
+	if (ld == NULL) {
b58e57
+		int rc;
b58e57
+		struct timeval tv;
b58e57
+
b58e57
+#ifdef HAVE_LDAP_SET_OPTION
b58e57
+		if (options.debug > 0) {
b58e57
+#ifdef LBER_OPT_LOG_PRINT_FILE
b58e57
+			if (options.logdir) {
b58e57
+				char *logfilename;
b58e57
+				int logfilenamelen;
b58e57
+
b58e57
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
b58e57
+				logfilename = xmalloc (logfilenamelen);
b58e57
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
b58e57
+				logfilename[logfilenamelen - 1] = 0;
b58e57
+				if ((logfile = fopen (logfilename, "a")) == NULL)
b58e57
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
b58e57
+				debug3 ("LDAP debug into %s", logfilename);
b58e57
+				free (logfilename);
b58e57
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
b58e57
+			}
b58e57
+#endif
b58e57
+			if (options.debug) {
b58e57
+#ifdef LBER_OPT_DEBUG_LEVEL
b58e57
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
b58e57
+#endif /* LBER_OPT_DEBUG_LEVEL */
b58e57
+#ifdef LDAP_OPT_DEBUG_LEVEL
b58e57
+				(void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
b58e57
+#endif /* LDAP_OPT_DEBUG_LEVEL */
b58e57
+				debug3 ("Set LDAP debug to %d", options.debug);
b58e57
+			}
b58e57
+		}
b58e57
+#endif /* HAVE_LDAP_SET_OPTION */
b58e57
+
b58e57
+		ld = NULL;
b58e57
+#ifdef HAVE_LDAPSSL_INIT
b58e57
+		if (options.host != NULL) {
b58e57
+			if (options.ssl_on == SSL_LDAPS) {
b58e57
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
b58e57
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
b58e57
+				debug3 ("LDAPssl client init");
b58e57
+			}
b58e57
+
b58e57
+			if (options.ssl_on != SSL_OFF) {
b58e57
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
b58e57
+				    fatal ("ldapssl_init failed");
b58e57
+				debug3 ("LDAPssl init");
b58e57
+			}
b58e57
+		}
b58e57
+#endif /* HAVE_LDAPSSL_INIT */
b58e57
+
b58e57
+		/* continue with opening */
b58e57
+		if (ld == NULL) {
b58e57
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
b58e57
+			/* Some global TLS-specific options need to be set before we create our
b58e57
+			 * session context, so we set them here. */
b58e57
+
b58e57
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
b58e57
+			/* rand file */
b58e57
+			if (options.tls_randfile != NULL) {
b58e57
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
b58e57
+				    options.tls_randfile)) != LDAP_SUCCESS)
b58e57
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
b58e57
+					    ldap_err2string (rc));
b58e57
+				debug3 ("Set TLS random file %s", options.tls_randfile);
b58e57
+			}
b58e57
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
b58e57
+
b58e57
+			/* ca cert file */
b58e57
+			if (options.tls_cacertfile != NULL) {
b58e57
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
b58e57
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
b58e57
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
b58e57
+					    ldap_err2string (rc));
b58e57
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
b58e57
+			}
b58e57
+
b58e57
+			/* ca cert directory */
b58e57
+			if (options.tls_cacertdir != NULL) {
b58e57
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
b58e57
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
b58e57
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
b58e57
+					    ldap_err2string (rc));
b58e57
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
b58e57
+			}
b58e57
+
b58e57
+			/* require cert? */
b58e57
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
b58e57
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
b58e57
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
b58e57
+				    ldap_err2string (rc));
b58e57
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
b58e57
+
b58e57
+			/* set cipher suite, certificate and private key: */
b58e57
+			if (options.tls_ciphers != NULL) {
b58e57
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
b58e57
+				    options.tls_ciphers)) != LDAP_SUCCESS)
b58e57
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
b58e57
+					    ldap_err2string (rc));
b58e57
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
b58e57
+			}
b58e57
+
b58e57
+			/* cert file */
b58e57
+			if (options.tls_cert != NULL) {
b58e57
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
b58e57
+				    options.tls_cert)) != LDAP_SUCCESS)
b58e57
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
b58e57
+					    ldap_err2string (rc));
b58e57
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
b58e57
+			}
b58e57
+
b58e57
+			/* key file */
b58e57
+			if (options.tls_key != NULL) {
b58e57
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
b58e57
+				    options.tls_key)) != LDAP_SUCCESS)
b58e57
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
b58e57
+					    ldap_err2string (rc));
b58e57
+				debug3 ("Set TLS key file %s ", options.tls_key);
b58e57
+			}
b58e57
+#endif
b58e57
+#ifdef HAVE_LDAP_INITIALIZE
b58e57
+			if (options.uri != NULL) {
b58e57
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
b58e57
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
b58e57
+				debug3 ("LDAP initialize %s", options.uri);
b58e57
+			}
b58e57
+	}
b58e57
+#endif /* HAVE_LDAP_INTITIALIZE */
b58e57
+
b58e57
+		/* continue with opening */
b58e57
+		if ((ld == NULL) && (options.host != NULL)) {
b58e57
+#ifdef HAVE_LDAP_INIT
b58e57
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
b58e57
+			    fatal ("ldap_init failed");
b58e57
+			debug3 ("LDAP init %s:%d", options.host, options.port);
b58e57
+#else
b58e57
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
b58e57
+			    fatal ("ldap_open failed");
b58e57
+			debug3 ("LDAP open %s:%d", options.host, options.port);
b58e57
+#endif /* HAVE_LDAP_INIT */
b58e57
+		}
b58e57
+
b58e57
+		if (ld == NULL)
b58e57
+			fatal ("no way to open ldap");
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
b58e57
+		if (options.ssl == SSL_LDAPS) {
b58e57
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
b58e57
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
b58e57
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
b58e57
+		}
b58e57
+#endif /* LDAP_OPT_X_TLS */
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
b58e57
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
b58e57
+		    &options.ldap_version);
b58e57
+#else
b58e57
+		ld->ld_version = options.ldap_version;
b58e57
+#endif
b58e57
+		debug3 ("LDAP set version to %d", options.ldap_version);
b58e57
+
b58e57
+#if LDAP_SET_REBIND_PROC_ARGS == 3
b58e57
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
b58e57
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
b58e57
+		ldap_set_rebind_proc (ld, _rebind_proc);
b58e57
+#else
b58e57
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
b58e57
+#endif
b58e57
+		debug3 ("LDAP set rebind proc");
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
b58e57
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
b58e57
+#else
b58e57
+		ld->ld_deref = options.deref;
b58e57
+#endif
b58e57
+		debug3 ("LDAP set deref to %d", options.deref);
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
b58e57
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
b58e57
+		    &options.timelimit);
b58e57
+#else
b58e57
+		ld->ld_timelimit = options.timelimit;
b58e57
+#endif
b58e57
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
b58e57
+		/*
b58e57
+		 * This is a new option in the Netscape SDK which sets 
b58e57
+		 * the TCP connect timeout. For want of a better value,
b58e57
+		 * we use the bind_timelimit to control this.
b58e57
+		 */
b58e57
+		timeout = options.bind_timelimit * 1000;
b58e57
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
b58e57
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
b58e57
+#endif
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
b58e57
+		tv.tv_sec = options.bind_timelimit;
b58e57
+		tv.tv_usec = 0;
b58e57
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
b58e57
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
b58e57
+#endif
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
b58e57
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
b58e57
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
b58e57
+		debug3 ("LDAP set referrals to %d", options.referrals);
b58e57
+#endif
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
b58e57
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
b58e57
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
b58e57
+		debug3 ("LDAP set restart to %d", options.restart);
b58e57
+#endif
b58e57
+
b58e57
+#ifdef HAVE_LDAP_START_TLS_S
b58e57
+		if (options.ssl == SSL_START_TLS) {
b58e57
+			int version;
b58e57
+
b58e57
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
b58e57
+			    == LDAP_SUCCESS) {
b58e57
+				if (version < LDAP_VERSION3) {
b58e57
+					version = LDAP_VERSION3;
b58e57
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
b58e57
+					    &version);
b58e57
+					debug3 ("LDAP set version to %d", version);
b58e57
+				}
b58e57
+			}
b58e57
+
b58e57
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
b58e57
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
b58e57
+			debug3 ("LDAP start TLS");
b58e57
+		}
b58e57
+#endif /* HAVE_LDAP_START_TLS_S */
b58e57
+	}
b58e57
+
b58e57
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
b58e57
+	    options.bindpw)) == -1) {
b58e57
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
b58e57
+
b58e57
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
b58e57
+		reconnect++;
b58e57
+		goto retry;
b58e57
+	}
b58e57
+	debug3 ("LDAP simple bind (%s)", options.binddn);
b58e57
+
b58e57
+	timeout.tv_sec = options.bind_timelimit;
b58e57
+	timeout.tv_usec = 0;
b58e57
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
b58e57
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
b58e57
+
b58e57
+		error ("ldap_result %s", ldap_err2string (ld_errno));
b58e57
+		reconnect++;
b58e57
+		goto retry;
b58e57
+	}
b58e57
+	debug3 ("LDAP result in time");
b58e57
+
b58e57
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
b58e57
+	controls = NULL;
b58e57
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
b58e57
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
b58e57
+	debug3 ("LDAP parse result OK");
b58e57
+
b58e57
+	if (controls != NULL) {
b58e57
+		ldap_controls_free (controls);
b58e57
+	}
b58e57
+#else
b58e57
+	rc = ldap_result2error (session->ld, result, TRUE);
b58e57
+#endif
b58e57
+	if (rc != LDAP_SUCCESS)
b58e57
+	    fatal ("error trying to bind as user \"%s\" (%s)",
b58e57
+		options.binddn, ldap_err2string (rc));
b58e57
+
b58e57
+	debug2 ("LDAP do connect OK");
b58e57
+}
b58e57
+
b58e57
+void
b58e57
+process_user (const char *user, FILE *output)
b58e57
+{
b58e57
+	LDAPMessage *res, *e;
b58e57
+	char *buffer, *format;
b58e57
+	int rc, i;
b58e57
+	struct timeval timeout;
b58e57
+
b58e57
+	debug ("LDAP process user");
b58e57
+
b58e57
+	/* quick check for attempts to be evil */
b58e57
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
b58e57
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
b58e57
+		logit ("illegal user name %s not processed", user);
b58e57
+		return;
b58e57
+	}
b58e57
+
b58e57
+	/* build  filter for LDAP request */
b58e57
+	format = LDAPSEARCH_FORMAT;
b58e57
+	if (options.search_format != NULL)
b58e57
+		format = options.search_format;
b58e57
+	buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
b58e57
+
b58e57
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
b58e57
+
b58e57
+	timeout.tv_sec = options.timelimit;
b58e57
+	timeout.tv_usec = 0;
b58e57
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
b58e57
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
b58e57
+		free (buffer);
b58e57
+		return;
b58e57
+	}
b58e57
+
b58e57
+	/* free */
b58e57
+	free (buffer);
b58e57
+
b58e57
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
b58e57
+		int num;
b58e57
+		struct berval **keys;
b58e57
+
b58e57
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
b58e57
+		num = ldap_count_values_len(keys);
b58e57
+		for (i = 0 ; i < num ; i++) {
b58e57
+			char *cp; //, *options = NULL;
b58e57
+
b58e57
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
b58e57
+			if (!*cp || *cp == '\n' || *cp == '#')
b58e57
+			    continue;
b58e57
+
b58e57
+			/* We have found the desired key. */
b58e57
+			fprintf (output, "%s\n", keys[i]->bv_val);
b58e57
+		}
b58e57
+
b58e57
+		ldap_value_free_len(keys);
b58e57
+	}
b58e57
+
b58e57
+	ldap_msgfree(res);
b58e57
+	debug2 ("LDAP process user finished");
b58e57
+}
b58e57
+
b58e57
+void
b58e57
+ldap_do_close(void)
b58e57
+{
b58e57
+	int rc;
b58e57
+
b58e57
+	debug ("LDAP do close");
b58e57
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
b58e57
+	    fatal ("ldap_unbind_ext: %s",
b58e57
+                                    ldap_err2string (rc));
b58e57
+
b58e57
+	ld = NULL;
b58e57
+	debug2 ("LDAP do close OK");
b58e57
+	return;
b58e57
+}
b58e57
+
b58e57
diff -up openssh-7.4p1/ldapbody.h.ldap openssh-7.4p1/ldapbody.h
b58e57
--- openssh-7.4p1/ldapbody.h.ldap	2017-02-08 14:26:19.937750451 +0100
b58e57
+++ openssh-7.4p1/ldapbody.h	2017-02-08 14:26:19.937750451 +0100
b58e57
@@ -0,0 +1,37 @@
b58e57
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
b58e57
+/*
b58e57
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
b58e57
+ *
b58e57
+ * Redistribution and use in source and binary forms, with or without
b58e57
+ * modification, are permitted provided that the following conditions
b58e57
+ * are met:
b58e57
+ * 1. Redistributions of source code must retain the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer.
b58e57
+ * 2. Redistributions in binary form must reproduce the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer in the
b58e57
+ *    documentation and/or other materials provided with the distribution.
b58e57
+ *
b58e57
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
b58e57
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
b58e57
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
b58e57
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
b58e57
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
b58e57
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
b58e57
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
b58e57
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
b58e57
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
b58e57
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
b58e57
+ */
b58e57
+
b58e57
+#ifndef LDAPBODY_H
b58e57
+#define LDAPBODY_H
b58e57
+
b58e57
+#include <stdio.h>
b58e57
+
b58e57
+void ldap_checkconfig(void);
b58e57
+void ldap_do_connect(void);
b58e57
+void process_user(const char *, FILE *);
b58e57
+void ldap_do_close(void);
b58e57
+
b58e57
+#endif /* LDAPBODY_H */
b58e57
+
b58e57
diff -up openssh-7.4p1/ldapconf.c.ldap openssh-7.4p1/ldapconf.c
b58e57
--- openssh-7.4p1/ldapconf.c.ldap	2017-02-08 14:26:19.937750451 +0100
b58e57
+++ openssh-7.4p1/ldapconf.c	2017-02-08 14:26:19.937750451 +0100
b58e57
@@ -0,0 +1,728 @@
b58e57
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
b58e57
+/*
b58e57
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
b58e57
+ *
b58e57
+ * Redistribution and use in source and binary forms, with or without
b58e57
+ * modification, are permitted provided that the following conditions
b58e57
+ * are met:
b58e57
+ * 1. Redistributions of source code must retain the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer.
b58e57
+ * 2. Redistributions in binary form must reproduce the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer in the
b58e57
+ *    documentation and/or other materials provided with the distribution.
b58e57
+ *
b58e57
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
b58e57
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
b58e57
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
b58e57
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
b58e57
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
b58e57
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
b58e57
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
b58e57
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
b58e57
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
b58e57
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
b58e57
+ */
b58e57
+
b58e57
+#include "ldapincludes.h"
b58e57
+#include "ldap-helper.h"
b58e57
+#include "log.h"
b58e57
+#include "misc.h"
b58e57
+#include "xmalloc.h"
b58e57
+#include "ldapconf.h"
b58e57
+#include <unistd.h>
b58e57
+#include <string.h>
b58e57
+
b58e57
+/* Keyword tokens. */
b58e57
+
b58e57
+typedef enum {
b58e57
+	lBadOption,
b58e57
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
b58e57
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
b58e57
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
b58e57
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
b58e57
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
b58e57
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
b58e57
+	lAccountClass, lDeprecated, lUnsupported
b58e57
+} OpCodes;
b58e57
+
b58e57
+/* Textual representations of the tokens. */
b58e57
+
b58e57
+static struct {
b58e57
+	const char *name;
b58e57
+	OpCodes opcode;
b58e57
+} keywords[] = {
b58e57
+	{ "URI", lURI },
b58e57
+	{ "Base", lBase },
b58e57
+	{ "BindDN", lBindDN },
b58e57
+	{ "BindPW", lBindPW },
b58e57
+	{ "RootBindDN", lRootBindDN },
b58e57
+	{ "Host", lHost },
b58e57
+	{ "Port", lPort },
b58e57
+	{ "Scope", lScope },
b58e57
+	{ "Deref", lDeref },
b58e57
+	{ "TimeLimit", lTimeLimit },
b58e57
+	{ "TimeOut", lTimeLimit },
b58e57
+	{ "Bind_Timelimit", lBind_TimeLimit },
b58e57
+	{ "Network_TimeOut", lBind_TimeLimit },
b58e57
+/*
b58e57
+ * Todo
b58e57
+ * SIZELIMIT
b58e57
+ */
b58e57
+	{ "Ldap_Version", lLdap_Version },
b58e57
+	{ "Version", lLdap_Version },
b58e57
+	{ "Bind_Policy", lBind_Policy },
b58e57
+	{ "SSLPath", lSSLPath },
b58e57
+	{ "SSL", lSSL },
b58e57
+	{ "Referrals", lReferrals },
b58e57
+	{ "Restart", lRestart },
b58e57
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
b58e57
+	{ "TLS_ReqCert", lTLS_CheckPeer },
b58e57
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
b58e57
+	{ "TLS_CaCert", lTLS_CaCertFile },
b58e57
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
b58e57
+	{ "TLS_Ciphers", lTLS_Ciphers },
b58e57
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
b58e57
+	{ "TLS_Cert", lTLS_Cert },
b58e57
+	{ "TLS_Certificate", lTLS_Cert },
b58e57
+	{ "TLS_Key", lTLS_Key },
b58e57
+	{ "TLS_RandFile", lTLS_RandFile },
b58e57
+/*
b58e57
+ * Todo
b58e57
+ * TLS_CRLCHECK
b58e57
+ * TLS_CRLFILE
b58e57
+ */
b58e57
+	{ "LogDir", lLogDir },
b58e57
+	{ "Debug", lDebug },
b58e57
+	{ "SSH_Filter", lSSH_Filter },
b58e57
+	{ "Search_Format", lSearch_Format },
b58e57
+	{ "AccountClass", lAccountClass },
b58e57
+	{ NULL, lBadOption }
b58e57
+};
b58e57
+
b58e57
+/* Configuration ptions. */
b58e57
+
b58e57
+Options options;
b58e57
+
b58e57
+/*
b58e57
+ * Returns the number of the token pointed to by cp or oBadOption.
b58e57
+ */
b58e57
+
b58e57
+static OpCodes
b58e57
+parse_token(const char *cp, const char *filename, int linenum)
b58e57
+{
b58e57
+	u_int i;
b58e57
+
b58e57
+	for (i = 0; keywords[i].name; i++)
b58e57
+		if (strcasecmp(cp, keywords[i].name) == 0)
b58e57
+			return keywords[i].opcode;
b58e57
+
b58e57
+	if (config_warning_config_file) 
b58e57
+	    logit("%s: line %d: Bad configuration option: %s",
b58e57
+		filename, linenum, cp);
b58e57
+	return lBadOption;
b58e57
+}
b58e57
+
b58e57
+/* Characters considered whitespace in strsep calls. */
b58e57
+#define WHITESPACE " \t\r\n"
b58e57
+
b58e57
+/* return next token in configuration line */
b58e57
+static char *
b58e57
+ldap_strdelim(char **s)
b58e57
+{
b58e57
+      char *old;
b58e57
+      int wspace = 0;
b58e57
+
b58e57
+      if (*s == NULL)
b58e57
+              return NULL;
b58e57
+
b58e57
+      old = *s;
b58e57
+
b58e57
+      *s = strpbrk(*s, WHITESPACE);
b58e57
+      if (*s == NULL)
b58e57
+              return (old);
b58e57
+
b58e57
+      *s[0] = '\0';
b58e57
+
b58e57
+      /* Skip any extra whitespace after first token */
b58e57
+      *s += strspn(*s + 1, WHITESPACE) + 1;
b58e57
+      if (*s[0] == '=' && !wspace)
b58e57
+              *s += strspn(*s + 1, WHITESPACE) + 1;
b58e57
+
b58e57
+      return (old);
b58e57
+}
b58e57
+
b58e57
+/*
b58e57
+ * Processes a single option line as used in the configuration files. This
b58e57
+ * only sets those values that have not already been set.
b58e57
+ */
b58e57
+#define WHITESPACE " \t\r\n"
b58e57
+
b58e57
+static int
b58e57
+process_config_line(char *line, const char *filename, int linenum)
b58e57
+{
b58e57
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
b58e57
+	char *rootbinddn = NULL;
b58e57
+	int opcode, *intptr, value;
b58e57
+	size_t len;
b58e57
+
b58e57
+	/* Strip trailing whitespace */
b58e57
+	for (len = strlen(line) - 1; len > 0; len--) {
b58e57
+		if (strchr(WHITESPACE, line[len]) == NULL)
b58e57
+			break;
b58e57
+		line[len] = '\0';
b58e57
+	}
b58e57
+
b58e57
+	s = line;
b58e57
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
b58e57
+	if ((keyword = ldap_strdelim(&s)) == NULL)
b58e57
+		return 0;
b58e57
+	/* Ignore leading whitespace. */
b58e57
+	if (*keyword == '\0')
b58e57
+		keyword = ldap_strdelim(&s);
b58e57
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
b58e57
+		return 0;
b58e57
+
b58e57
+	opcode = parse_token(keyword, filename, linenum);
b58e57
+
b58e57
+	switch (opcode) {
b58e57
+	case lBadOption:
b58e57
+		/* don't panic, but count bad options */
b58e57
+		return -1;
b58e57
+		/* NOTREACHED */
b58e57
+
b58e57
+	case lHost:
b58e57
+		xstringptr = &options.host;
b58e57
+parse_xstring:
b58e57
+		if (!s || *s == '\0')
b58e57
+		    fatal("%s line %d: missing dn",filename,linenum);
b58e57
+		if (*xstringptr == NULL)
b58e57
+		    *xstringptr = xstrdup(s);
b58e57
+		return 0;
b58e57
+
b58e57
+	case lURI:
b58e57
+		xstringptr = &options.uri;
b58e57
+		goto parse_xstring;
b58e57
+
b58e57
+	case lBase:
b58e57
+		xstringptr = &options.base;
b58e57
+		goto parse_xstring;
b58e57
+
b58e57
+	case lBindDN:
b58e57
+		xstringptr = &options.binddn;
b58e57
+		goto parse_xstring;
b58e57
+
b58e57
+	case lBindPW:
b58e57
+		charptr = &options.bindpw;
b58e57
+parse_string:
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
b58e57
+		if (*charptr == NULL)
b58e57
+			*charptr = xstrdup(arg);
b58e57
+		break;
b58e57
+
b58e57
+	case lRootBindDN:
b58e57
+		xstringptr = &rootbinddn;
b58e57
+		goto parse_xstring;
b58e57
+
b58e57
+	case lScope:
b58e57
+		intptr = &options.scope;
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
b58e57
+		value = 0;	/* To avoid compiler warning... */
b58e57
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
b58e57
+			value = LDAP_SCOPE_SUBTREE;
b58e57
+		else if (strcasecmp (arg, "one") == 0)
b58e57
+			value = LDAP_SCOPE_ONELEVEL;
b58e57
+		else if (strcasecmp (arg, "base") == 0)
b58e57
+			value = LDAP_SCOPE_BASE;
b58e57
+		else
b58e57
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
b58e57
+		if (*intptr == -1)
b58e57
+			*intptr = value;
b58e57
+		break;
b58e57
+
b58e57
+	case lDeref:
b58e57
+		intptr = &options.scope;
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
b58e57
+		value = 0;	/* To avoid compiler warning... */
b58e57
+		if (!strcasecmp (arg, "never"))
b58e57
+			value = LDAP_DEREF_NEVER;
b58e57
+		else if (!strcasecmp (arg, "searching"))
b58e57
+			value = LDAP_DEREF_SEARCHING;
b58e57
+		else if (!strcasecmp (arg, "finding"))
b58e57
+			value = LDAP_DEREF_FINDING;
b58e57
+		else if (!strcasecmp (arg, "always"))
b58e57
+			value = LDAP_DEREF_ALWAYS;
b58e57
+		else
b58e57
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
b58e57
+		if (*intptr == -1)
b58e57
+			*intptr = value;
b58e57
+		break;
b58e57
+
b58e57
+	case lPort:
b58e57
+		intptr = &options.port;
b58e57
+parse_int:
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
b58e57
+		if (arg[0] < '0' || arg[0] > '9')
b58e57
+			fatal("%.200s line %d: Bad number.", filename, linenum);
b58e57
+
b58e57
+		/* Octal, decimal, or hex format? */
b58e57
+		value = strtol(arg, &endofnumber, 0);
b58e57
+		if (arg == endofnumber)
b58e57
+			fatal("%.200s line %d: Bad number.", filename, linenum);
b58e57
+		if (*intptr == -1)
b58e57
+			*intptr = value;
b58e57
+		break;
b58e57
+
b58e57
+	case lTimeLimit:
b58e57
+		intptr = &options.timelimit;
b58e57
+parse_time:
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%s line %d: missing time value.",
b58e57
+			    filename, linenum);
b58e57
+		if ((value = convtime(arg)) == -1)
b58e57
+			fatal("%s line %d: invalid time value.",
b58e57
+			    filename, linenum);
b58e57
+		if (*intptr == -1)
b58e57
+			*intptr = value;
b58e57
+		break;
b58e57
+
b58e57
+	case lBind_TimeLimit:
b58e57
+		intptr = &options.bind_timelimit;
b58e57
+		goto parse_time;
b58e57
+
b58e57
+	case lLdap_Version:
b58e57
+		intptr = &options.ldap_version;
b58e57
+		goto parse_int;
b58e57
+
b58e57
+	case lBind_Policy:
b58e57
+		intptr = &options.bind_policy;
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
b58e57
+		value = 0;	/* To avoid compiler warning... */
b58e57
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
b58e57
+			value = 1;
b58e57
+		else if (strcasecmp(arg, "soft") == 0)
b58e57
+			value = 0;
b58e57
+		else
b58e57
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
b58e57
+		if (*intptr == -1)
b58e57
+			*intptr = value;
b58e57
+		break;
b58e57
+
b58e57
+	case lSSLPath:
b58e57
+		charptr = &options.sslpath;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lSSL:
b58e57
+		intptr = &options.ssl;
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
b58e57
+		value = 0;	/* To avoid compiler warning... */
b58e57
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
b58e57
+			value = SSL_LDAPS;
b58e57
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
b58e57
+			value = SSL_OFF;
b58e57
+		else if (!strcasecmp (arg, "start_tls"))
b58e57
+			value = SSL_START_TLS;
b58e57
+		else
b58e57
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
b58e57
+		if (*intptr == -1)
b58e57
+			*intptr = value;
b58e57
+		break;
b58e57
+
b58e57
+	case lReferrals:
b58e57
+		intptr = &options.referrals;
b58e57
+parse_flag:
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
b58e57
+		value = 0;	/* To avoid compiler warning... */
b58e57
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
b58e57
+			value = 1;
b58e57
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
b58e57
+			value = 0;
b58e57
+		else
b58e57
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
b58e57
+		if (*intptr == -1)
b58e57
+			*intptr = value;
b58e57
+		break;
b58e57
+
b58e57
+	case lRestart:
b58e57
+		intptr = &options.restart;
b58e57
+		goto parse_flag;
b58e57
+
b58e57
+	case lTLS_CheckPeer:
b58e57
+		intptr = &options.tls_checkpeer;
b58e57
+		arg = ldap_strdelim(&s);
b58e57
+		if (!arg || *arg == '\0')
b58e57
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
b58e57
+		value = 0;	/* To avoid compiler warning... */
b58e57
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
b58e57
+			value = LDAP_OPT_X_TLS_NEVER;
b58e57
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
b58e57
+			value = LDAP_OPT_X_TLS_HARD;
b58e57
+		else if (strcasecmp(arg, "demand") == 0)
b58e57
+			value = LDAP_OPT_X_TLS_DEMAND;
b58e57
+		else if (strcasecmp(arg, "allow") == 0)
b58e57
+			value = LDAP_OPT_X_TLS_ALLOW;
b58e57
+		else if (strcasecmp(arg, "try") == 0)
b58e57
+			value = LDAP_OPT_X_TLS_TRY;
b58e57
+		else
b58e57
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
b58e57
+		if (*intptr == -1)
b58e57
+			*intptr = value;
b58e57
+		break;
b58e57
+
b58e57
+	case lTLS_CaCertFile:
b58e57
+		charptr = &options.tls_cacertfile;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lTLS_CaCertDir:
b58e57
+		charptr = &options.tls_cacertdir;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lTLS_Ciphers:
b58e57
+		xstringptr = &options.tls_ciphers;
b58e57
+		goto parse_xstring;
b58e57
+
b58e57
+	case lTLS_Cert:
b58e57
+		charptr = &options.tls_cert;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lTLS_Key:
b58e57
+		charptr = &options.tls_key;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lTLS_RandFile:
b58e57
+		charptr = &options.tls_randfile;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lLogDir:
b58e57
+		charptr = &options.logdir;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lDebug:
b58e57
+		intptr = &options.debug;
b58e57
+		goto parse_int;
b58e57
+
b58e57
+	case lSSH_Filter:
b58e57
+		xstringptr = &options.ssh_filter;
b58e57
+		goto parse_xstring;
b58e57
+
b58e57
+	case lSearch_Format:
b58e57
+		charptr = &options.search_format;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lAccountClass:
b58e57
+		charptr = &options.account_class;
b58e57
+		goto parse_string;
b58e57
+
b58e57
+	case lDeprecated:
b58e57
+		debug("%s line %d: Deprecated option \"%s\"",
b58e57
+		    filename, linenum, keyword);
b58e57
+		return 0;
b58e57
+
b58e57
+	case lUnsupported:
b58e57
+		error("%s line %d: Unsupported option \"%s\"",
b58e57
+		    filename, linenum, keyword);
b58e57
+		return 0;
b58e57
+
b58e57
+	default:
b58e57
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
b58e57
+	}
b58e57
+
b58e57
+	/* Check that there is no garbage at end of line. */
b58e57
+	if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
b58e57
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
b58e57
+		    filename, linenum, arg);
b58e57
+	}
b58e57
+	return 0;
b58e57
+}
b58e57
+
b58e57
+/*
b58e57
+ * Reads the config file and modifies the options accordingly.  Options
b58e57
+ * should already be initialized before this call.  This never returns if
b58e57
+ * there is an error.  If the file does not exist, this returns 0.
b58e57
+ */
b58e57
+
b58e57
+void
b58e57
+read_config_file(const char *filename)
b58e57
+{
b58e57
+	FILE *f;
b58e57
+	char line[1024];
b58e57
+	int linenum;
b58e57
+	int bad_options = 0;
b58e57
+	struct stat sb;
b58e57
+
b58e57
+	if ((f = fopen(filename, "r")) == NULL)
b58e57
+		fatal("fopen %s: %s", filename, strerror(errno));
b58e57
+
b58e57
+	if (fstat(fileno(f), &sb) == -1)
b58e57
+		fatal("fstat %s: %s", filename, strerror(errno));
b58e57
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
b58e57
+	    (sb.st_mode & 022) != 0))
b58e57
+		fatal("Bad owner or permissions on %s", filename);
b58e57
+
b58e57
+	debug("Reading configuration data %.200s", filename);
b58e57
+
b58e57
+	/*
b58e57
+	 * Mark that we are now processing the options.  This flag is turned
b58e57
+	 * on/off by Host specifications.
b58e57
+	 */
b58e57
+	linenum = 0;
b58e57
+	while (fgets(line, sizeof(line), f)) {
b58e57
+		/* Update line number counter. */
b58e57
+		linenum++;
b58e57
+		if (process_config_line(line, filename, linenum) != 0)
b58e57
+			bad_options++;
b58e57
+	}
b58e57
+	fclose(f);
b58e57
+	if ((bad_options > 0) && config_exclusive_config_file) 
b58e57
+		fatal("%s: terminating, %d bad configuration options",
b58e57
+		    filename, bad_options);
b58e57
+}
b58e57
+
b58e57
+/*
b58e57
+ * Initializes options to special values that indicate that they have not yet
b58e57
+ * been set.  Read_config_file will only set options with this value. Options
b58e57
+ * are processed in the following order: command line, user config file,
b58e57
+ * system config file.  Last, fill_default_options is called.
b58e57
+ */
b58e57
+
b58e57
+void
b58e57
+initialize_options(void)
b58e57
+{
b58e57
+	memset(&options, 'X', sizeof(options));
b58e57
+	options.host = NULL;
b58e57
+	options.uri = NULL;
b58e57
+	options.base = NULL;
b58e57
+	options.binddn = NULL;
b58e57
+	options.bindpw = NULL;
b58e57
+	options.scope = -1;
b58e57
+	options.deref = -1;
b58e57
+	options.port = -1;
b58e57
+	options.timelimit = -1;
b58e57
+	options.bind_timelimit = -1;
b58e57
+	options.ldap_version = -1;
b58e57
+	options.bind_policy = -1;
b58e57
+	options.sslpath = NULL;
b58e57
+	options.ssl = -1;
b58e57
+	options.referrals = -1;
b58e57
+	options.restart = -1;
b58e57
+	options.tls_checkpeer = -1;
b58e57
+	options.tls_cacertfile = NULL;
b58e57
+	options.tls_cacertdir = NULL;
b58e57
+	options.tls_ciphers = NULL;
b58e57
+	options.tls_cert = NULL;
b58e57
+	options.tls_key = NULL;
b58e57
+	options.tls_randfile = NULL;
b58e57
+	options.logdir = NULL;
b58e57
+	options.debug = -1;
b58e57
+	options.ssh_filter = NULL;
b58e57
+	options.search_format = NULL;
b58e57
+	options.account_class = NULL;
b58e57
+}
b58e57
+
b58e57
+/*
b58e57
+ * Called after processing other sources of option data, this fills those
b58e57
+ * options for which no value has been specified with their default values.
b58e57
+ */
b58e57
+
b58e57
+void
b58e57
+fill_default_options(void)
b58e57
+{
b58e57
+	if (options.uri != NULL) {
b58e57
+		LDAPURLDesc *ludp;
b58e57
+
b58e57
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
b58e57
+			if (options.ssl == -1) {
b58e57
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
b58e57
+				    options.ssl = 2;
b58e57
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
b58e57
+				    options.ssl = 0;
b58e57
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
b58e57
+				    options.ssl = 1;
b58e57
+			}
b58e57
+			if (options.host == NULL)
b58e57
+			    options.host = xstrdup (ludp->lud_host);
b58e57
+			if (options.port == -1)
b58e57
+			    options.port = ludp->lud_port;
b58e57
+
b58e57
+			ldap_free_urldesc (ludp);
b58e57
+		}
b58e57
+	} 
b58e57
+	if (options.ssl == -1)
b58e57
+	    options.ssl = SSL_START_TLS;
b58e57
+	if (options.port == -1)
b58e57
+	    options.port = (options.ssl == 0) ? 389 : 636;
b58e57
+	if (options.uri == NULL) {
b58e57
+		int len;
b58e57
+#define MAXURILEN 4096
b58e57
+
b58e57
+		options.uri = xmalloc (MAXURILEN);
b58e57
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
b58e57
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
b58e57
+		options.uri[MAXURILEN - 1] = 0;
b58e57
+		options.uri = xreallocarray(options.uri, len + 1, 1);
b58e57
+	}
b58e57
+	if (options.binddn == NULL)
b58e57
+	    options.binddn = "";
b58e57
+	if (options.bindpw == NULL)
b58e57
+	    options.bindpw = "";
b58e57
+	if (options.scope == -1)
b58e57
+	    options.scope = LDAP_SCOPE_SUBTREE;
b58e57
+	if (options.deref == -1)
b58e57
+	    options.deref = LDAP_DEREF_NEVER;
b58e57
+	if (options.timelimit == -1)
b58e57
+	    options.timelimit = 10;
b58e57
+	if (options.bind_timelimit == -1)
b58e57
+	    options.bind_timelimit = 10;
b58e57
+	if (options.ldap_version == -1)
b58e57
+	    options.ldap_version = 3;
b58e57
+	if (options.bind_policy == -1)
b58e57
+	    options.bind_policy = 1;
b58e57
+	if (options.referrals == -1)
b58e57
+	    options.referrals = 1;
b58e57
+	if (options.restart == -1)
b58e57
+	    options.restart = 1;
b58e57
+	if (options.tls_checkpeer == -1)
b58e57
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
b58e57
+	if (options.debug == -1)
b58e57
+	    options.debug = 0;
b58e57
+	if (options.ssh_filter == NULL)
b58e57
+	    options.ssh_filter = "";
b58e57
+	if (options.account_class == NULL)
b58e57
+	    options.account_class = "posixAccount";
b58e57
+}
b58e57
+
b58e57
+static const char *
b58e57
+lookup_opcode_name(OpCodes code)
b58e57
+{
b58e57
+	u_int i;
b58e57
+
b58e57
+	for (i = 0; keywords[i].name != NULL; i++)
b58e57
+	    if (keywords[i].opcode == code)
b58e57
+		return(keywords[i].name);
b58e57
+	return "UNKNOWN";
b58e57
+}
b58e57
+
b58e57
+static void
b58e57
+dump_cfg_string(OpCodes code, const char *val)
b58e57
+{
b58e57
+	if (val == NULL)
b58e57
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
b58e57
+	else
b58e57
+	    debug3("%s %s", lookup_opcode_name(code), val);
b58e57
+}
b58e57
+
b58e57
+static void
b58e57
+dump_cfg_int(OpCodes code, int val)
b58e57
+{
b58e57
+	if (val == -1)
b58e57
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
b58e57
+	else
b58e57
+	    debug3("%s %d", lookup_opcode_name(code), val);
b58e57
+}
b58e57
+
b58e57
+struct names {
b58e57
+	int value;
b58e57
+	char *name;
b58e57
+};
b58e57
+
b58e57
+static void
b58e57
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
b58e57
+{
b58e57
+	u_int i;
b58e57
+
b58e57
+	if (val == -1)
b58e57
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
b58e57
+	else {
b58e57
+		for (i = 0; names[i].value != -1; i++)
b58e57
+	 	    if (names[i].value == val) {
b58e57
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
b58e57
+			    return;
b58e57
+		}
b58e57
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
b58e57
+	}
b58e57
+}
b58e57
+
b58e57
+static struct names _yesnotls[] = {
b58e57
+	{ 0, "No" },
b58e57
+	{ 1, "Yes" },
b58e57
+	{ 2, "Start_TLS" },
b58e57
+	{ -1, NULL }};
b58e57
+
b58e57
+static struct names _scope[] = {
b58e57
+	{ LDAP_SCOPE_BASE, "Base" },
b58e57
+	{ LDAP_SCOPE_ONELEVEL, "One" },
b58e57
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
b58e57
+	{ -1, NULL }};
b58e57
+
b58e57
+static struct names _deref[] = {
b58e57
+	{ LDAP_DEREF_NEVER, "Never" },
b58e57
+	{ LDAP_DEREF_SEARCHING, "Searching" },
b58e57
+	{ LDAP_DEREF_FINDING, "Finding" },
b58e57
+	{ LDAP_DEREF_ALWAYS, "Always" },
b58e57
+	{ -1, NULL }};
b58e57
+
b58e57
+static struct names _yesno[] = {
b58e57
+	{ 0, "No" },
b58e57
+	{ 1, "Yes" },
b58e57
+	{ -1, NULL }};
b58e57
+
b58e57
+static struct names _bindpolicy[] = {
b58e57
+	{ 0, "Soft" },
b58e57
+	{ 1, "Hard" },
b58e57
+	{ -1, NULL }};
b58e57
+
b58e57
+static struct names _checkpeer[] = {
b58e57
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
b58e57
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
b58e57
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
b58e57
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
b58e57
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
b58e57
+	{ -1, NULL }};
b58e57
+
b58e57
+void
b58e57
+dump_config(void)
b58e57
+{
b58e57
+	dump_cfg_string(lURI, options.uri);
b58e57
+	dump_cfg_string(lHost, options.host);
b58e57
+	dump_cfg_int(lPort, options.port);
b58e57
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
b58e57
+	dump_cfg_int(lLdap_Version, options.ldap_version);
b58e57
+	dump_cfg_int(lTimeLimit, options.timelimit);
b58e57
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
b58e57
+	dump_cfg_string(lBase, options.base);
b58e57
+	dump_cfg_string(lBindDN, options.binddn);
b58e57
+	dump_cfg_string(lBindPW, options.bindpw);
b58e57
+	dump_cfg_namedint(lScope, options.scope, _scope);
b58e57
+	dump_cfg_namedint(lDeref, options.deref, _deref);
b58e57
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
b58e57
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
b58e57
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
b58e57
+	dump_cfg_string(lSSLPath, options.sslpath);
b58e57
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
b58e57
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
b58e57
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
b58e57
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
b58e57
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
b58e57
+	dump_cfg_string(lTLS_Key, options.tls_key);
b58e57
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
b58e57
+	dump_cfg_string(lLogDir, options.logdir);
b58e57
+	dump_cfg_int(lDebug, options.debug);
b58e57
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
b58e57
+	dump_cfg_string(lSearch_Format, options.search_format);
b58e57
+	dump_cfg_string(lAccountClass, options.account_class);
b58e57
+}
b58e57
+
b58e57
diff -up openssh-7.4p1/ldapconf.h.ldap openssh-7.4p1/ldapconf.h
b58e57
--- openssh-7.4p1/ldapconf.h.ldap	2017-02-08 14:26:19.937750451 +0100
b58e57
+++ openssh-7.4p1/ldapconf.h	2017-02-08 14:26:19.937750451 +0100
b58e57
@@ -0,0 +1,73 @@
b58e57
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
b58e57
+/*
b58e57
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
b58e57
+ *
b58e57
+ * Redistribution and use in source and binary forms, with or without
b58e57
+ * modification, are permitted provided that the following conditions
b58e57
+ * are met:
b58e57
+ * 1. Redistributions of source code must retain the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer.
b58e57
+ * 2. Redistributions in binary form must reproduce the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer in the
b58e57
+ *    documentation and/or other materials provided with the distribution.
b58e57
+ *
b58e57
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
b58e57
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
b58e57
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
b58e57
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
b58e57
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
b58e57
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
b58e57
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
b58e57
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
b58e57
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
b58e57
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
b58e57
+ */
b58e57
+
b58e57
+#ifndef LDAPCONF_H
b58e57
+#define LDAPCONF_H
b58e57
+
b58e57
+#define SSL_OFF          0
b58e57
+#define SSL_LDAPS        1
b58e57
+#define SSL_START_TLS    2
b58e57
+
b58e57
+/* Data structure for representing option data. */
b58e57
+
b58e57
+typedef struct {
b58e57
+	char *host;
b58e57
+	char *uri;
b58e57
+	char *base;
b58e57
+	char *binddn;
b58e57
+	char *bindpw;
b58e57
+	int scope;
b58e57
+	int deref;
b58e57
+	int port;
b58e57
+	int timelimit;
b58e57
+	int bind_timelimit;
b58e57
+	int ldap_version;
b58e57
+	int bind_policy;
b58e57
+	char *sslpath;
b58e57
+	int ssl;
b58e57
+	int referrals;
b58e57
+	int restart;
b58e57
+	int tls_checkpeer;
b58e57
+	char *tls_cacertfile;
b58e57
+	char *tls_cacertdir;
b58e57
+	char *tls_ciphers;
b58e57
+	char *tls_cert;
b58e57
+	char *tls_key;
b58e57
+	char *tls_randfile;
b58e57
+	char *logdir;
b58e57
+	int debug;
b58e57
+	char *ssh_filter;
b58e57
+	char *search_format;
b58e57
+	char *account_class;
b58e57
+}       Options;
b58e57
+
b58e57
+extern Options options;
b58e57
+
b58e57
+void read_config_file(const char *);
b58e57
+void initialize_options(void);
b58e57
+void fill_default_options(void);
b58e57
+void dump_config(void);
b58e57
+
b58e57
+#endif /* LDAPCONF_H */
b58e57
diff -up openssh-7.4p1/ldapincludes.h.ldap openssh-7.4p1/ldapincludes.h
b58e57
--- openssh-7.4p1/ldapincludes.h.ldap	2017-02-08 14:26:19.937750451 +0100
b58e57
+++ openssh-7.4p1/ldapincludes.h	2017-02-08 14:26:19.937750451 +0100
b58e57
@@ -0,0 +1,41 @@
b58e57
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
b58e57
+/*
b58e57
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
b58e57
+ *
b58e57
+ * Redistribution and use in source and binary forms, with or without
b58e57
+ * modification, are permitted provided that the following conditions
b58e57
+ * are met:
b58e57
+ * 1. Redistributions of source code must retain the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer.
b58e57
+ * 2. Redistributions in binary form must reproduce the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer in the
b58e57
+ *    documentation and/or other materials provided with the distribution.
b58e57
+ *
b58e57
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
b58e57
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
b58e57
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
b58e57
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
b58e57
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
b58e57
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
b58e57
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
b58e57
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
b58e57
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
b58e57
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
b58e57
+ */
b58e57
+
b58e57
+#ifndef LDAPINCLUDES_H
b58e57
+#define LDAPINCLUDES_H
b58e57
+
b58e57
+#include "includes.h"
b58e57
+
b58e57
+#ifdef HAVE_LBER_H
b58e57
+#include <lber.h>
b58e57
+#endif
b58e57
+#ifdef HAVE_LDAP_H
b58e57
+#include <ldap.h>
b58e57
+#endif
b58e57
+#ifdef HAVE_LDAP_SSL_H
b58e57
+#include <ldap_ssl.h>
b58e57
+#endif
b58e57
+
b58e57
+#endif /* LDAPINCLUDES_H */
b58e57
diff -up openssh-7.4p1/ldapmisc.c.ldap openssh-7.4p1/ldapmisc.c
b58e57
--- openssh-7.4p1/ldapmisc.c.ldap	2017-02-08 14:26:19.937750451 +0100
b58e57
+++ openssh-7.4p1/ldapmisc.c	2017-02-08 14:26:19.937750451 +0100
b58e57
@@ -0,0 +1,79 @@
b58e57
+
b58e57
+#include "ldapincludes.h"
b58e57
+#include "ldapmisc.h"
b58e57
+
b58e57
+#ifndef HAVE_LDAP_GET_LDERRNO
b58e57
+int
b58e57
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
b58e57
+{
b58e57
+#ifdef HAVE_LDAP_GET_OPTION
b58e57
+	int rc;
b58e57
+#endif
b58e57
+	int lderrno;
b58e57
+
b58e57
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
b58e57
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
b58e57
+	    return rc;
b58e57
+#else
b58e57
+	lderrno = ld->ld_errno;
b58e57
+#endif
b58e57
+
b58e57
+	if (s != NULL) {
b58e57
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
b58e57
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
b58e57
+		    return rc;
b58e57
+#else
b58e57
+		*s = ld->ld_error;
b58e57
+#endif
b58e57
+	}
b58e57
+
b58e57
+	if (m != NULL) {
b58e57
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
b58e57
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
b58e57
+		    return rc;
b58e57
+#else
b58e57
+		*m = ld->ld_matched;
b58e57
+#endif
b58e57
+	}
b58e57
+
b58e57
+	return lderrno;
b58e57
+}
b58e57
+#endif
b58e57
+
b58e57
+#ifndef HAVE_LDAP_SET_LDERRNO
b58e57
+int
b58e57
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
b58e57
+{
b58e57
+#ifdef HAVE_LDAP_SET_OPTION
b58e57
+	int rc;
b58e57
+#endif
b58e57
+
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
b58e57
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
b58e57
+	    return rc;
b58e57
+#else
b58e57
+	ld->ld_errno = lderrno;
b58e57
+#endif
b58e57
+
b58e57
+	if (s != NULL) {
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
b58e57
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
b58e57
+		    return rc;
b58e57
+#else
b58e57
+		ld->ld_error = s;
b58e57
+#endif
b58e57
+	}
b58e57
+
b58e57
+	if (m != NULL) {
b58e57
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
b58e57
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
b58e57
+		    return rc;
b58e57
+#else
b58e57
+		ld->ld_matched = m;
b58e57
+#endif
b58e57
+	}
b58e57
+
b58e57
+	return LDAP_SUCCESS;
b58e57
+}
b58e57
+#endif
b58e57
+
b58e57
diff -up openssh-7.4p1/ldapmisc.h.ldap openssh-7.4p1/ldapmisc.h
b58e57
--- openssh-7.4p1/ldapmisc.h.ldap	2017-02-08 14:26:19.937750451 +0100
b58e57
+++ openssh-7.4p1/ldapmisc.h	2017-02-08 14:26:19.937750451 +0100
b58e57
@@ -0,0 +1,35 @@
b58e57
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
b58e57
+/*
b58e57
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
b58e57
+ *
b58e57
+ * Redistribution and use in source and binary forms, with or without
b58e57
+ * modification, are permitted provided that the following conditions
b58e57
+ * are met:
b58e57
+ * 1. Redistributions of source code must retain the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer.
b58e57
+ * 2. Redistributions in binary form must reproduce the above copyright
b58e57
+ *    notice, this list of conditions and the following disclaimer in the
b58e57
+ *    documentation and/or other materials provided with the distribution.
b58e57
+ *
b58e57
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
b58e57
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
b58e57
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
b58e57
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
b58e57
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
b58e57
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
b58e57
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
b58e57
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
b58e57
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
b58e57
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
b58e57
+ */
b58e57
+
b58e57
+#ifndef LDAPMISC_H
b58e57
+#define LDAPMISC_H
b58e57
+
b58e57
+#include "ldapincludes.h"
b58e57
+
b58e57
+int ldap_get_lderrno (LDAP *, char **, char **);
b58e57
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
b58e57
+
b58e57
+#endif /* LDAPMISC_H */
b58e57
+
b58e57
diff -up openssh-7.4p1/openssh-lpk-openldap.schema.ldap openssh-7.4p1/openssh-lpk-openldap.schema
b58e57
--- openssh-7.4p1/openssh-lpk-openldap.schema.ldap	2017-02-08 14:26:19.937750451 +0100
b58e57
+++ openssh-7.4p1/openssh-lpk-openldap.schema	2017-02-08 14:26:19.937750451 +0100
b58e57
@@ -0,0 +1,21 @@
b58e57
+#
b58e57
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
b58e57
+#                              useful with PKA-LDAP also
b58e57
+#
b58e57
+# Author: Eric AUGE <eau@phear.org>
b58e57
+# 
b58e57
+# Based on the proposal of : Mark Ruijter
b58e57
+#
b58e57
+
b58e57
+
b58e57
+# octetString SYNTAX
b58e57
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
b58e57
+	DESC 'MANDATORY: OpenSSH Public key' 
b58e57
+	EQUALITY octetStringMatch
b58e57
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
b58e57
+
b58e57
+# printableString SYNTAX yes|no
b58e57
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
b58e57
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
b58e57
+	MUST ( sshPublicKey $ uid ) 
b58e57
+	)
b58e57
diff -up openssh-7.4p1/openssh-lpk-sun.schema.ldap openssh-7.4p1/openssh-lpk-sun.schema
b58e57
--- openssh-7.4p1/openssh-lpk-sun.schema.ldap	2017-02-08 14:26:19.938750451 +0100
b58e57
+++ openssh-7.4p1/openssh-lpk-sun.schema	2017-02-08 14:26:19.938750451 +0100
b58e57
@@ -0,0 +1,23 @@
b58e57
+#
b58e57
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
b58e57
+#                              useful with PKA-LDAP also
b58e57
+#
b58e57
+# Author: Eric AUGE <eau@phear.org>
b58e57
+# 
b58e57
+# Schema for Sun Directory Server.
b58e57
+# Based on the original schema, modified by Stefan Fischer.
b58e57
+#
b58e57
+
b58e57
+dn: cn=schema
b58e57
+
b58e57
+# octetString SYNTAX
b58e57
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
b58e57
+	DESC 'MANDATORY: OpenSSH Public key' 
b58e57
+	EQUALITY octetStringMatch
b58e57
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
b58e57
+
b58e57
+# printableString SYNTAX yes|no
b58e57
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
b58e57
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
b58e57
+	MUST ( sshPublicKey $ uid ) 
b58e57
+	)
b58e57
diff -up openssh-7.4p1/ssh-ldap-helper.8.ldap openssh-7.4p1/ssh-ldap-helper.8
b58e57
--- openssh-7.4p1/ssh-ldap-helper.8.ldap	2017-02-08 14:26:19.938750451 +0100
b58e57
+++ openssh-7.4p1/ssh-ldap-helper.8	2017-02-08 14:26:19.938750451 +0100
b58e57
@@ -0,0 +1,79 @@
b58e57
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
b58e57
+.\"
b58e57
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
b58e57
+.\"
b58e57
+.\" Permission to use, copy, modify, and distribute this software for any
b58e57
+.\" purpose with or without fee is hereby granted, provided that the above
b58e57
+.\" copyright notice and this permission notice appear in all copies.
b58e57
+.\"
b58e57
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
b58e57
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
b58e57
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
b58e57
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
b58e57
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
b58e57
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
b58e57
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
b58e57
+.\"
b58e57
+.Dd $Mdocdate: April 29 2010 $
b58e57
+.Dt SSH-LDAP-HELPER 8
b58e57
+.Os
b58e57
+.Sh NAME
b58e57
+.Nm ssh-ldap-helper
b58e57
+.Nd sshd helper program for ldap support
b58e57
+.Sh SYNOPSIS
b58e57
+.Nm ssh-ldap-helper
b58e57
+.Op Fl devw
b58e57
+.Op Fl f Ar file
b58e57
+.Op Fl s Ar user
b58e57
+.Sh DESCRIPTION
b58e57
+.Nm
b58e57
+is used by
b58e57
+.Xr sshd 1
b58e57
+to access keys provided by an LDAP.
b58e57
+.Nm
b58e57
+is disabled by default and can only be enabled in the
b58e57
+sshd configuration file
b58e57
+.Pa /etc/ssh/sshd_config
b58e57
+by setting
b58e57
+.Cm AuthorizedKeysCommand
b58e57
+to
b58e57
+.Dq /usr/libexec/ssh-ldap-wrapper .
b58e57
+.Pp
b58e57
+.Nm
b58e57
+is not intended to be invoked by the user, but from
b58e57
+.Xr sshd 8 via
b58e57
+.Xr ssh-ldap-wrapper .
b58e57
+.Pp
b58e57
+The options are as follows:
b58e57
+.Bl -tag -width Ds
b58e57
+.It Fl d
b58e57
+Set the debug mode; 
b58e57
+.Nm
b58e57
+prints all logs to stderr instead of syslog.
b58e57
+.It Fl e
b58e57
+Implies \-w;
b58e57
+.Nm
b58e57
+halts if it encounters an unknown item in the ldap.conf file.
b58e57
+.It Fl f
b58e57
+.Nm
b58e57
+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
b58e57
+.It Fl s
b58e57
+.Nm
b58e57
+prints out the user's keys to stdout and exits.
b58e57
+.It Fl v
b58e57
+Implies \-d;
b58e57
+increases verbosity.
b58e57
+.It Fl w
b58e57
+.Nm
b58e57
+writes warnings about unknown items in the ldap.conf configuration file.
b58e57
+.El
b58e57
+.Sh SEE ALSO
b58e57
+.Xr sshd 8 ,
b58e57
+.Xr sshd_config 5 ,
b58e57
+.Xr ssh-ldap.conf 5 ,
b58e57
+.Sh HISTORY
b58e57
+.Nm
b58e57
+first appeared in
b58e57
+OpenSSH 5.5 + PKA-LDAP .
b58e57
+.Sh AUTHORS
b58e57
+.An Jan F. Chadima Aq jchadima@redhat.com
b58e57
diff -up openssh-7.4p1/ssh-ldap-wrapper.ldap openssh-7.4p1/ssh-ldap-wrapper
b58e57
--- openssh-7.4p1/ssh-ldap-wrapper.ldap	2017-02-08 14:26:19.938750451 +0100
b58e57
+++ openssh-7.4p1/ssh-ldap-wrapper	2017-02-08 14:26:19.938750451 +0100
b58e57
@@ -0,0 +1,4 @@
b58e57
+#!/bin/sh
b58e57
+
b58e57
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
b58e57
+
b58e57
diff -up openssh-7.4p1/ssh-ldap.conf.5.ldap openssh-7.4p1/ssh-ldap.conf.5
b58e57
--- openssh-7.4p1/ssh-ldap.conf.5.ldap	2017-02-08 14:26:19.938750451 +0100
b58e57
+++ openssh-7.4p1/ssh-ldap.conf.5	2017-02-08 14:26:19.938750451 +0100
b58e57
@@ -0,0 +1,379 @@
b58e57
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
b58e57
+.\"
b58e57
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
b58e57
+.\"
b58e57
+.\" Permission to use, copy, modify, and distribute this software for any
b58e57
+.\" purpose with or without fee is hereby granted, provided that the above
b58e57
+.\" copyright notice and this permission notice appear in all copies.
b58e57
+.\"
b58e57
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
b58e57
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
b58e57
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
b58e57
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
b58e57
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
b58e57
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
b58e57
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
b58e57
+.\"
b58e57
+.Dd $Mdocdate: may 12 2010 $
b58e57
+.Dt SSH-LDAP.CONF 5
b58e57
+.Os
b58e57
+.Sh NAME
b58e57
+.Nm ssh-ldap.conf
b58e57
+.Nd configuration file for ssh-ldap-helper
b58e57
+.Sh SYNOPSIS
b58e57
+.Nm /etc/ssh/ldap.conf
b58e57
+.Sh DESCRIPTION
b58e57
+.Xr ssh-ldap-helper 8
b58e57
+reads configuration data from
b58e57
+.Pa /etc/ssh/ldap.conf
b58e57
+(or the file specified with
b58e57
+.Fl f
b58e57
+on the command line).
b58e57
+The file contains keyword-argument pairs, one per line.
b58e57
+Lines starting with
b58e57
+.Ql #
b58e57
+and empty lines are interpreted as comments.
b58e57
+.Pp
b58e57
+The value starts with the first non-blank character after 
b58e57
+the keyword's name, and terminates at the end of the line, 
b58e57
+or at the last sequence of blanks before the end of the line.
b58e57
+Quoting values that contain blanks 
b58e57
+may be incorrect, as the quotes would become part of the value.
b58e57
+The possible keywords and their meanings are as follows (note that
b58e57
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
b58e57
+.Bl -tag -width Ds
b58e57
+.It Cm URI
b58e57
+The argument(s) are in the form
b58e57
+.Pa ldap[si]://[name[:port]]
b58e57
+and specify the URI(s) of an LDAP server(s) to which the
b58e57
+.Xr ssh-ldap-helper 8 
b58e57
+should connect. The URI scheme may be any of
b58e57
+.Dq ldap ,
b58e57
+.Dq ldaps 
b58e57
+or
b58e57
+.Dq ldapi ,
b58e57
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
b58e57
+over IPC (UNIX domain sockets), respectively.
b58e57
+Each server's name can be specified as a
b58e57
+domain-style name or an IP address literal.  Optionally, the
b58e57
+server's name can followed by a ':' and the port number the LDAP
b58e57
+server is listening on.  If no port number is provided, the default
b58e57
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
b58e57
+For LDAP over IPC, name is the name of the socket, and no port
b58e57
+is required, nor allowed; note that directory separators must be 
b58e57
+URL-encoded, like any other characters that are special to URLs; 
b58e57
+A space separated list of URIs may be provided.
b58e57
+There is no default.
b58e57
+.It Cm Base
b58e57
+Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
b58e57
+The base must be specified as a DN in LDAP format.
b58e57
+There is no default.
b58e57
+.It Cm BindDN
b58e57
+Specifies the default BIND DN to use when connecting to the ldap server.
b58e57
+The bind DN must be specified as a Distinguished Name in LDAP format.
b58e57
+There is no default.
b58e57
+.It Cm BindPW
b58e57
+Specifies the default password to use when connecting to the ldap server via
b58e57
+.Cm BindDN .
b58e57
+There is no default.
b58e57
+.It Cm RootBindDN
b58e57
+Intentionaly does nothing. Recognized for compatibility reasons.
b58e57
+.It Cm Host
b58e57
+The argument(s) specifies the name(s) of an LDAP server(s) to which the
b58e57
+.Xr ssh-ldap-helper 8
b58e57
+should connect.  Each server's name can be specified as a
b58e57
+domain-style name or an IP address and optionally followed by a ':' and
b58e57
+the port number the ldap server is listening on.  A space-separated
b58e57
+list of hosts may be provided.
b58e57
+There is no default.
b58e57
+.Cm Host
b58e57
+is deprecated in favor of
b58e57
+.Cm URI .
b58e57
+.It Cm Port
b58e57
+Specifies the default port used when connecting to LDAP servers(s).
b58e57
+The port may be specified as a number.
b58e57
+The default port is 389 for ldap:// or 636 for ldaps:// respectively.
b58e57
+.Cm Port
b58e57
+is deprecated in favor of
b58e57
+.Cm URI .
b58e57
+.It Cm Scope
b58e57
+Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
b58e57
+There are three options (values) that can be assigned to the
b58e57
+.Cm Scope parameter:
b58e57
+.Dq base ,
b58e57
+.Dq one
b58e57
+and
b58e57
+.Dq subtree .
b58e57
+Alias for the subtree is
b58e57
+.Dq sub .
b58e57
+The value
b58e57
+.Dq base
b58e57
+is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
b58e57
+The value
b58e57
+.Dq one
b58e57
+is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
b58e57
+The value
b58e57
+.Dq subtree
b58e57
+is used to indicate searching of all entries at all levels under and including the specified base DN.
b58e57
+The default is
b58e57
+.Dq subtree .
b58e57
+.It Cm Deref
b58e57
+Specifies how alias dereferencing is done when performing a search. There are four
b58e57
+possible values that can be assigned to the
b58e57
+.Cm Deref
b58e57
+parameter:
b58e57
+.Dq never ,
b58e57
+.Dq searching ,
b58e57
+.Dq finding ,
b58e57
+and
b58e57
+.Dq always .
b58e57
+The value
b58e57
+.Dq never
b58e57
+means that the aliases are never dereferenced.
b58e57
+The value
b58e57
+.Dq searching
b58e57
+means that the aliases are dereferenced in subordinates of the base object, but
b58e57
+not in locating the base object of the search.
b58e57
+The value
b58e57
+.Dq finding
b58e57
+means that the aliases are only dereferenced when locating the base object of the search.
b58e57
+The value
b58e57
+.Dq always
b58e57
+means that the aliases are dereferenced both in searching and in locating the base object
b58e57
+of the search.
b58e57
+The default is
b58e57
+.Dq never .
b58e57
+.It Cm TimeLimit
b58e57
+Specifies a time limit (in seconds) to use when performing searches.
b58e57
+The number should be a non-negative integer. A
b58e57
+.Cm TimeLimit
b58e57
+of zero (0) specifies that the search time is unlimited. Please note that the server
b58e57
+may still apply any server-side limit on the duration of a search operation.
b58e57
+The default value is 10.
b58e57
+.It Cm TimeOut
b58e57
+Is an aliast to
b58e57
+.Cm TimeLimit .
b58e57
+.It Cm Bind_TimeLimit
b58e57
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
b58e57
+following a connect(2) returns in case of no activity.
b58e57
+The default value is 10.
b58e57
+.It Cm Network_TimeOut
b58e57
+Is an alias to
b58e57
+.Cm Bind_TimeLimit .
b58e57
+.It Cm Ldap_Version
b58e57
+Specifies what version of the LDAP protocol should be used.
b58e57
+The allowed values are 2 or 3. The default is 3.
b58e57
+.It Cm Version
b58e57
+Is an alias to
b58e57
+.Cm Ldap_Version .
b58e57
+.It Cm Bind_Policy
b58e57
+Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
b58e57
+.Dq hard
b58e57
+and
b58e57
+.Dq soft.
b58e57
+.Dq hard has 2 aliases
b58e57
+.Dq hard_open
b58e57
+and
b58e57
+.Dq hard_init .
b58e57
+The value
b58e57
+.Dq hard
b58e57
+means that reconects that the
b58e57
+.Xr ssh-ldap-helper 8
b58e57
+tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
b58e57
+The value
b58e57
+.Dq soft
b58e57
+means that
b58e57
+.Xr ssh-ldap-helper 8
b58e57
+fails immediately when it cannot connect to the LDAP seerver.
b58e57
+The deault is
b58e57
+.Dq hard .
b58e57
+.It Cm SSLPath
b58e57
+Specifies the path to the X.509 certificate database.
b58e57
+There is no default.
b58e57
+.It Cm SSL
b58e57
+Specifies whether to use SSL/TLS or not.
b58e57
+There are three allowed values:
b58e57
+.Dq yes ,
b58e57
+.Dq no
b58e57
+and
b58e57
+.Dq start_tls
b58e57
+Both
b58e57
+.Dq true
b58e57
+and
b58e57
+.Dq on
b58e57
+are the aliases for
b58e57
+.Dq yes .
b58e57
+.Dq false
b58e57
+and
b58e57
+.Dq off
b58e57
+are the aliases for
b58e57
+.Dq no .
b58e57
+If
b58e57
+.Dq start_tls
b58e57
+is specified then StartTLS is used rather than raw LDAP over SSL.
b58e57
+The default for ldap:// is
b58e57
+.Dq start_tls ,
b58e57
+for ldaps://
b58e57
+.Dq yes
b58e57
+and
b58e57
+.Dq no
b58e57
+for the ldapi:// .
b58e57
+In case of host based configuration the default is
b58e57
+.Dq start_tls .
b58e57
+.It Cm Referrals
b58e57
+Specifies if the client should automatically follow referrals returned
b58e57
+by LDAP servers.
b58e57
+The value can be or
b58e57
+.Dq yes
b58e57
+or
b58e57
+.Dq no .
b58e57
+.Dq true
b58e57
+and
b58e57
+.Dq on
b58e57
+are the aliases for
b58e57
+.Dq yes .
b58e57
+.Dq false
b58e57
+and
b58e57
+.Dq off
b58e57
+are the aliases for
b58e57
+.Dq no .
b58e57
+The default is yes.
b58e57
+.It Cm Restart
b58e57
+Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
b58e57
+The value can be or
b58e57
+.Dq yes
b58e57
+or
b58e57
+.Dq no .
b58e57
+.Dq true
b58e57
+and
b58e57
+.Dq on
b58e57
+are the aliases for
b58e57
+.Dq yes .
b58e57
+.Dq false
b58e57
+and
b58e57
+.Dq off
b58e57
+are the aliases for
b58e57
+.Dq no .
b58e57
+The default is yes.
b58e57
+.It Cm TLS_CheckPeer
b58e57
+Specifies what checks to perform on server certificates in a TLS session,
b58e57
+if any. The value
b58e57
+can be specified as one of the following keywords:
b58e57
+.Dq never ,
b58e57
+.Dq hard ,
b58e57
+.Dq demand ,
b58e57
+.Dq allow
b58e57
+and
b58e57
+.Dq try .
b58e57
+.Dq true ,
b58e57
+.Dq on
b58e57
+and
b58e57
+.Dq yes
b58e57
+are aliases for
b58e57
+.Dq hard .
b58e57
+.Dq false ,
b58e57
+.Dq off
b58e57
+and
b58e57
+.Dq no
b58e57
+are the aliases for
b58e57
+.Dq never .
b58e57
+The value
b58e57
+.Dq never
b58e57
+means that the client will not request or check any server certificate.
b58e57
+The value
b58e57
+.Dq allow
b58e57
+means that the server certificate is requested. If no certificate is provided,
b58e57
+the session proceeds normally. If a bad certificate is provided, it will
b58e57
+be ignored and the session proceeds normally.
b58e57
+The value
b58e57
+.Dq try
b58e57
+means that the server certificate is requested. If no certificate is provided,
b58e57
+the session proceeds normally. If a bad certificate is provided,
b58e57
+the session is immediately terminated.
b58e57
+The value
b58e57
+.Dq demand
b58e57
+means that the server certificate is requested. If no
b58e57
+certificate is provided, or a bad certificate is provided, the session
b58e57
+is immediately terminated.
b58e57
+The value
b58e57
+.Dq hard
b58e57
+is the same as
b58e57
+.Dq demand .
b58e57
+It requires an SSL connection. In the case of the plain conection the
b58e57
+session is immediately terminated.
b58e57
+The default is
b58e57
+.Dq hard .
b58e57
+.It Cm TLS_ReqCert
b58e57
+Is an alias for 
b58e57
+.Cm TLS_CheckPeer .
b58e57
+.It Cm TLS_CACertFile
b58e57
+Specifies the file that contains certificates for all of the Certificate
b58e57
+Authorities the client will recognize.
b58e57
+There is no default.
b58e57
+.It Cm TLS_CACert
b58e57
+Is an alias for
b58e57
+.Cm TLS_CACertFile .
b58e57
+.It Cm TLS_CACertDIR
b58e57
+Specifies the path of a directory that contains Certificate Authority
b58e57
+certificates in separate individual files. The
b58e57
+.Cm TLS_CACert
b58e57
+is always used before
b58e57
+.Cm TLS_CACertDir .
b58e57
+The specified directory must be managed with the OpenSSL c_rehash utility.
b58e57
+There is no default.
b58e57
+.It Cm TLS_Ciphers
b58e57
+Specifies acceptable cipher suite and preference order.
b58e57
+The value should be a cipher specification for OpenSSL,
b58e57
+e.g.,
b58e57
+.Dq HIGH:MEDIUM:+SSLv2 .
b58e57
+The default is
b58e57
+.Dq ALL .
b58e57
+.It Cm TLS_Cipher_Suite
b58e57
+Is an alias for
b58e57
+.Cm TLS_Ciphers .
b58e57
+.It Cm TLS_Cert
b58e57
+Specifies the file that contains the client certificate.
b58e57
+There is no default.
b58e57
+.It Cm TLS_Certificate
b58e57
+Is an alias for
b58e57
+.Cm TLS_Cert .
b58e57
+.It Cm TLS_Key
b58e57
+Specifies the file that contains the private key that matches the certificate
b58e57
+stored in the
b58e57
+.Cm TLS_Cert
b58e57
+file. Currently, the private key must not be protected with a password, so
b58e57
+it is of critical importance that the key file is protected carefully.
b58e57
+There is no default.
b58e57
+.It Cm TLS_RandFile
b58e57
+Specifies the file to obtain random bits from when /dev/[u]random is
b58e57
+not available. Generally set to the name of the EGD/PRNGD socket.
b58e57
+The environment variable RANDFILE can also be used to specify the filename.
b58e57
+There is no default.
b58e57
+.It Cm LogDir
b58e57
+Specifies the directory used for logging by the LDAP client library.
b58e57
+There is no default.
b58e57
+.It Cm Debug
b58e57
+Specifies the debug level used for logging by the LDAP client library.
b58e57
+There is no default.
b58e57
+.It Cm SSH_Filter
b58e57
+Specifies the user filter applied on the LDAP search.
b58e57
+The default is no filter.
b58e57
+.It Cm search_format
b58e57
+Specifies the user format of search string in LDAP substituting %u for user name
b58e57
+and %f for additional ssh filter
b58e57
+.Cm SSH_Filter
b58e57
+(optional).
b58e57
+The default value is (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
b58e57
+.It Cm AccountClass
b58e57
+Specifies the LDAP class used to find user accounts.
b58e57
+The default is posixAccount.
b58e57
+.El
b58e57
+.Sh FILES
b58e57
+.Bl -tag -width Ds
b58e57
+.It Pa  /etc/ssh/ldap.conf
b58e57
+Ldap configuration file for
b58e57
+.Xr ssh-ldap-helper 8 .
b58e57
+.El
b58e57
+.Sh "SEE ALSO"
b58e57
+.Xr ldap.conf 5 ,
b58e57
+.Xr ssh-ldap-helper 8
b58e57
+.Sh HISTORY
b58e57
+.Nm
b58e57
+first appeared in
b58e57
+OpenSSH 5.5 + PKA-LDAP .
b58e57
+.Sh AUTHORS
b58e57
+.An Jan F. Chadima Aq jchadima@redhat.com
b58e57
diff -up openssh-7.4p1/openssh-lpk-openldap.ldif.ldap openssh-7.4p1/openssh-lpk-openldap.ldif
b58e57
--- openssh-7.4p1/openssh-lpk-openldap.ldif.ldap	2017-02-08 14:26:19.938750451 +0100
b58e57
+++ openssh-7.4p1/openssh-lpk-openldap.ldif	2017-02-08 14:26:19.938750451 +0100
b58e57
@@ -0,0 +1,19 @@
b58e57
+#
b58e57
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
b58e57
+#                              useful with PKA-LDAP also
b58e57
+#
b58e57
+# Author: Eric AUGE <eau@phear.org>
b58e57
+#
b58e57
+# LDIF for openLDAP Directory Server.
b58e57
+# Based on the original schema, modified by Jakub Jelen.
b58e57
+#
b58e57
+
b58e57
+dn: cn=openssh-lpk,cn=schema,cn=config
b58e57
+objectClass: olcSchemaConfig
b58e57
+cn: openssh-lpk
b58e57
+olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13
b58e57
+  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
b58e57
+  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
b58e57
+olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0
b58e57
+  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
b58e57
+  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
b58e57
diff -up openssh-7.4p1/openssh-lpk-sun.ldif.ldap openssh-7.4p1/openssh-lpk-sun.ldif
b58e57
--- openssh-7.4p1/openssh-lpk-sun.ldif.ldap	2017-02-08 14:26:19.938750451 +0100
b58e57
+++ openssh-7.4p1/openssh-lpk-sun.ldif	2017-02-08 14:26:19.938750451 +0100
b58e57
@@ -0,0 +1,17 @@
b58e57
+#
b58e57
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
b58e57
+#                              useful with PKA-LDAP also
b58e57
+#
b58e57
+# Author: Eric AUGE <eau@phear.org>
b58e57
+#
b58e57
+# LDIF for Sun Directory Server.
b58e57
+# Based on the original schema, modified by Jakub Jelen.
b58e57
+#
b58e57
+
b58e57
+dn: cn=schema
b58e57
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
b58e57
+  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
b58e57
+  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
b58e57
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
b58e57
+  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
b58e57
+  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )