f09e2e
diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac
f09e2e
--- openssh-6.2p1/configure.ac.ldap	2013-03-20 02:55:15.000000000 +0100
f09e2e
+++ openssh-6.2p1/configure.ac	2013-03-25 21:27:15.888248071 +0100
f09e2e
@@ -1509,6 +1509,106 @@ AC_ARG_WITH([audit],
f09e2e
 	esac ]
f09e2e
 )
f09e2e
 
f09e2e
+# Check whether user wants LDAP support
f09e2e
+LDAP_MSG="no"
f09e2e
+INSTALL_SSH_LDAP_HELPER=""
f09e2e
+AC_ARG_WITH(ldap,
f09e2e
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
f09e2e
+	[
f09e2e
+		if test "x$withval" != "xno" ; then
f09e2e
+
f09e2e
+			INSTALL_SSH_LDAP_HELPER="yes"
f09e2e
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
f09e2e
+
f09e2e
+			if test "x$withval" != "xyes" ; then
f09e2e
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
f09e2e
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
f09e2e
+			fi
f09e2e
+
f09e2e
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
f09e2e
+			LDAP_MSG="yes"
f09e2e
+
f09e2e
+			AC_CHECK_HEADERS(lber.h)
f09e2e
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
f09e2e
+			AC_CHECK_HEADERS(ldap_ssl.h)
f09e2e
+
f09e2e
+			AC_ARG_WITH(ldap-lib,
f09e2e
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
f09e2e
+
f09e2e
+			if test -z "$with_ldap_lib"; then
f09e2e
+				with_ldap_lib=auto
f09e2e
+			fi
f09e2e
+
f09e2e
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
f09e2e
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
f09e2e
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
f09e2e
+			fi
f09e2e
+
f09e2e
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
f09e2e
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
f09e2e
+			fi
f09e2e
+
f09e2e
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
f09e2e
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
f09e2e
+				if test -z "$found_ldap_lib"; then
f09e2e
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
f09e2e
+				fi
f09e2e
+				if test -z "$found_ldap_lib"; then
f09e2e
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
f09e2e
+				fi
f09e2e
+				if test -z "$found_ldap_lib"; then
f09e2e
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
f09e2e
+				fi
f09e2e
+			fi
f09e2e
+
f09e2e
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
f09e2e
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
f09e2e
+			fi
f09e2e
+
f09e2e
+			if test -z "$found_ldap_lib"; then
f09e2e
+				AC_MSG_ERROR(could not locate a valid LDAP library)
f09e2e
+			fi
f09e2e
+
f09e2e
+			AC_MSG_CHECKING([for working LDAP support])
f09e2e
+			AC_TRY_COMPILE(
f09e2e
+				[#include <sys/types.h>
f09e2e
+				 #include <ldap.h>],
f09e2e
+				[(void)ldap_init(0, 0);],
f09e2e
+				[AC_MSG_RESULT(yes)],
f09e2e
+				[
f09e2e
+				    AC_MSG_RESULT(no) 
f09e2e
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
f09e2e
+				])
f09e2e
+			AC_CHECK_FUNCS( \
f09e2e
+				ldap_init \
f09e2e
+				ldap_get_lderrno \
f09e2e
+				ldap_set_lderrno \
f09e2e
+				ldap_parse_result \
f09e2e
+				ldap_memfree \
f09e2e
+				ldap_controls_free \
f09e2e
+				ldap_set_option \
f09e2e
+				ldap_get_option \
f09e2e
+				ldapssl_init \
f09e2e
+				ldap_start_tls_s \
f09e2e
+				ldap_pvt_tls_set_option \
f09e2e
+				ldap_initialize \
f09e2e
+			)
f09e2e
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
f09e2e
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
f09e2e
+				AC_TRY_COMPILE(
f09e2e
+					[#include <lber.h>
f09e2e
+					#include <ldap.h>],
f09e2e
+					[ldap_set_rebind_proc(0, 0, 0);],
f09e2e
+					[ac_cv_ldap_set_rebind_proc=3],
f09e2e
+					[ac_cv_ldap_set_rebind_proc=2])
f09e2e
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
f09e2e
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
f09e2e
+			)
f09e2e
+		fi
f09e2e
+	]
f09e2e
+)
f09e2e
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
f09e2e
+
f09e2e
 dnl    Checks for library functions. Please keep in alphabetical order
f09e2e
 AC_CHECK_FUNCS([ \
f09e2e
 	arc4random \
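Review bot: The library probes `AC_CHECK_LIB(lber, main, ...)` and `AC_CHECK_LIB(ldap, main, ...)` (and the netscape variants below them) test for a symbol named `main`, which only proves that something of that name links, not that it is an LDAP library; probing real entry points the helper needs anyway, e.g. `AC_CHECK_LIB(lber, ber_free, ...)` and `AC_CHECK_LIB(ldap, ldap_init, ...)`, would make the detection meaningful. `AC_TRY_COMPILE` is obsolete in current autoconf and both uses should become `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([...], [...])], ...)`; the variable `ac_cv_ldap_set_rebind_proc` also carries the `ac_cv_` cache prefix without going through AC_CACHE_CHECK, so it is never cached and the name misleads. The unconditional `CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"` is what keeps the helper on the deprecated OpenLDAP calls (`ldap_simple_bind`, `ldap_init`, `ldap_unbind`) used in ldapbody.c; a one-line comment on that line saying so would save the next maintainer from removing it and breaking the build.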
f09e2e
diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys
f09e2e
--- openssh-6.2p1/HOWTO.ldap-keys.ldap	2013-03-25 21:27:15.889248078 +0100
f09e2e
+++ openssh-6.2p1/HOWTO.ldap-keys	2013-03-25 21:27:15.889248078 +0100
f09e2e
@@ -0,0 +1,108 @@
f09e2e
+
f09e2e
+HOW TO START
f09e2e
+
f09e2e
+1) configure LDAP server
f09e2e
+  * Use LDAP server documentation
f09e2e
+2) add appropriate LDAP schema
f09e2e
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
f09e2e
+  * LDAP user entry
f09e2e
+        User entry:
f09e2e
+	- attached to the 'ldapPublicKey' objectclass
f09e2e
+	- attached to the 'posixAccount' objectclass
f09e2e
+	- with a filled 'sshPublicKey' attribute 
f09e2e
+3) insert users into LDAP
f09e2e
+  * Use LDAP Tree management tool as useful
f09e2e
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
f09e2e
+  * Example:
f09e2e
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
f09e2e
+	objectclass: top
f09e2e
+	objectclass: person
f09e2e
+	objectclass: organizationalPerson
f09e2e
+	objectclass: posixAccount
f09e2e
+	objectclass: ldapPublicKey
f09e2e
+	description: Jonathan Archer
f09e2e
+	userPassword: Porthos
f09e2e
+	cn: onathan Archer
f09e2e
+	sn: onathan Archer
f09e2e
+	uid: captain
f09e2e
+	uidNumber: 1001
f09e2e
+	gidNumber: 1001
f09e2e
+	homeDirectory: /home/captain
f09e2e
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
f09e2e
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
f09e2e
+4) on the ssh side set in sshd_config
f09e2e
+  * Set up the backend
f09e2e
+	AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
f09e2e
+	AuthorizedKeysCommandUser <appropriate user to run LDAP>
f09e2e
+  * Do not forget to set
f09e2e
+	PubkeyAuthentication yes
f09e2e
+  * Swith off unnecessary auth methods
f09e2e
+5) confugure ldap.conf
f09e2e
+  * Default ldap.conf is placed in /etc/ssh
f09e2e
+  * The configuration style is the same as other ldap based aplications
f09e2e
+6) if necessary edit ssh-ldap-wrapper
f09e2e
+  * There is a possibility to change ldap.conf location
f09e2e
+  * There are some debug options
f09e2e
+  * Example
f09e2e
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
f09e2e
+
f09e2e
+HOW TO MIGRATE FROM LPK
f09e2e
+
f09e2e
+1) goto HOW TO START 4) .... the ldap schema is the same
f09e2e
+
f09e2e
+2) convert the group requests to the appropriate LDAP requests
f09e2e
+
f09e2e
+HOW TO SOLVE PROBLEMS
f09e2e
+
f09e2e
+1) use debug in sshd
f09e2e
+  * /usr/sbin/sshd -d -d -d -d
f09e2e
+2) use debug in ssh-ldap-helper
f09e2e
+  * ssh-ldap-helper -d -d -d -d -s <username>
f09e2e
+3) use tcpdump ... other ldap client etc.
f09e2e
+
f09e2e
+ADVANTAGES
f09e2e
+
f09e2e
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
f09e2e
+
f09e2e
+DISADVANTAGES
f09e2e
+
f09e2e
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
f09e2e
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
f09e2e
+  of your users in all your server farm -- be VERY CAREFUL.
f09e2e
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
f09e2e
+  as the impersonated user.
f09e2e
+3) If LDAP server is down there may be no fallback on passwd auth.
f09e2e
+  
f09e2e
+MISC.
f09e2e
+  
f09e2e
+1) todo
f09e2e
+  * Possibility to reuse the ssh-ldap-helper.
f09e2e
+  * Tune the LDAP part to accept  all possible LDAP configurations.
f09e2e
+
f09e2e
+2) differences from original lpk
f09e2e
+  * No LDAP code in sshd.
f09e2e
+  * Support for various LDAP platforms and configurations.
f09e2e
+  * LDAP is configured in separate ldap.conf file.
f09e2e
+
f09e2e
+3) docs/link 
f09e2e
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
f09e2e
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
f09e2e
+  * http://fritz.potsdam.edu/projects/sshgate/
f09e2e
+  * http://dev.inversepath.com/trac/openssh-lpk
f09e2e
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
f09e2e
+
f09e2e
+4) contributors/ideas/greets
f09e2e
+  - Eric AUGE <eau@phear.org>
f09e2e
+  - Andrea Barisani <andrea@inversepath.com>
f09e2e
+  - Falk Siemonsmeier.
f09e2e
+  - Jacob Rief.
f09e2e
+  - Michael Durchgraf.
f09e2e
+  - frederic peters.
f09e2e
+  - Finlay dobbie.
f09e2e
+  - Stefan Fisher.
f09e2e
+  - Robin H. Johnson.
f09e2e
+  - Adrian Bridgett.
f09e2e
+
f09e2e
+5) Author
f09e2e
+    Jan F. Chadima <jchadima@redhat.com>
f09e2e
+
f09e2e
diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
f09e2e
--- openssh-6.2p1/ldapbody.c.ldap	2013-03-25 21:27:15.889248078 +0100
f09e2e
+++ openssh-6.2p1/ldapbody.c	2013-03-25 21:27:15.889248078 +0100
f09e2e
@@ -0,0 +1,494 @@
f09e2e
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
f09e2e
+/*
f09e2e
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
f09e2e
+ *
f09e2e
+ * Redistribution and use in source and binary forms, with or without
f09e2e
+ * modification, are permitted provided that the following conditions
f09e2e
+ * are met:
f09e2e
+ * 1. Redistributions of source code must retain the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer.
f09e2e
+ * 2. Redistributions in binary form must reproduce the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer in the
f09e2e
+ *    documentation and/or other materials provided with the distribution.
f09e2e
+ *
f09e2e
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f09e2e
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f09e2e
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f09e2e
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f09e2e
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f09e2e
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f09e2e
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f09e2e
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f09e2e
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f09e2e
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f09e2e
+ */
f09e2e
+
f09e2e
+#include "ldapincludes.h"
f09e2e
+#include "log.h"
f09e2e
+#include "xmalloc.h"
f09e2e
+#include "ldapconf.h"
f09e2e
+#include "ldapmisc.h"
f09e2e
+#include "ldapbody.h"
f09e2e
+#include <stdio.h>
f09e2e
+#include <unistd.h>
f09e2e
+
f09e2e
+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
f09e2e
+#define PUBKEYATTR "sshPublicKey"
f09e2e
+#define LDAP_LOGFILE	"%s/ldap.%d"
f09e2e
+
f09e2e
+static FILE *logfile = NULL;
f09e2e
+static LDAP *ld;
f09e2e
+
f09e2e
+static char *attrs[] = {
f09e2e
+    PUBKEYATTR,
f09e2e
+    NULL
f09e2e
+};
f09e2e
+
f09e2e
+void
f09e2e
+ldap_checkconfig (void)
f09e2e
+{
f09e2e
+#ifdef HAVE_LDAP_INITIALIZE
f09e2e
+		if (options.host == NULL && options.uri == NULL)
f09e2e
+#else
f09e2e
+		if (options.host == NULL)
f09e2e
+#endif
f09e2e
+		    fatal ("missing  \"host\" in config file");
f09e2e
+}
f09e2e
+
f09e2e
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
f09e2e
+static int
f09e2e
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
f09e2e
+{
f09e2e
+	struct timeval timeout;
f09e2e
+	int rc;
f09e2e
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
f09e2e
+	LDAPMessage *result;
f09e2e
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
f09e2e
+
f09e2e
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
f09e2e
+	if (options.ssl == SSL_START_TLS) {
f09e2e
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
f09e2e
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
f09e2e
+			return LDAP_OPERATIONS_ERROR;
f09e2e
+		}
f09e2e
+	}
f09e2e
+
f09e2e
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
f09e2e
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
f09e2e
+#else
f09e2e
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
f09e2e
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
f09e2e
+
f09e2e
+	timeout.tv_sec = options.bind_timelimit;
f09e2e
+	timeout.tv_usec = 0;
f09e2e
+	result = NULL;
f09e2e
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
f09e2e
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
f09e2e
+		ldap_msgfree (result);
f09e2e
+		return LDAP_OPERATIONS_ERROR;
f09e2e
+	}
f09e2e
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
f09e2e
+	return rc;
f09e2e
+#endif
f09e2e
+}
f09e2e
+#else
f09e2e
+
f09e2e
+static int
f09e2e
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
f09e2e
+{
f09e2e
+	if (freeit)
f09e2e
+	    return LDAP_SUCCESS;
f09e2e
+
f09e2e
+	*whop = strdup (options.binddn);
f09e2e
+	*credp = strdup (options.bindpw);
f09e2e
+	*methodp = LDAP_AUTH_SIMPLE;
f09e2e
+	debug2 ("Doing LDAP rebind for %s", *whop);
f09e2e
+	return LDAP_SUCCESS;
f09e2e
+}
f09e2e
+#endif
f09e2e
+
f09e2e
+void
f09e2e
+ldap_do_connect(void)
f09e2e
+{
f09e2e
+	int rc, msgid, ld_errno = 0;
f09e2e
+	struct timeval timeout;
f09e2e
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
f09e2e
+	int parserc;
f09e2e
+	LDAPMessage *result;
f09e2e
+	LDAPControl **controls;
f09e2e
+	int reconnect = 0;
f09e2e
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
f09e2e
+
f09e2e
+	debug ("LDAP do connect");
f09e2e
+
f09e2e
+retry:
f09e2e
+	if (reconnect) {
f09e2e
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
f09e2e
+		if (options.bind_policy == 0 ||
f09e2e
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
f09e2e
+			reconnect > 5)
f09e2e
+			    fatal ("Cannot connect to LDAP server");
f09e2e
+	
f09e2e
+		if (reconnect > 1)
f09e2e
+			sleep (reconnect - 1);
f09e2e
+
f09e2e
+		if (ld != NULL) {
f09e2e
+			ldap_unbind (ld);
f09e2e
+			ld = NULL;
f09e2e
+		}
f09e2e
+		logit("reconnecting to LDAP server...");
f09e2e
+	}
f09e2e
+
f09e2e
+	if (ld == NULL) {
f09e2e
+		int rc;
f09e2e
+		struct timeval tv;
f09e2e
+
f09e2e
+#ifdef HAVE_LDAP_SET_OPTION
f09e2e
+		if (options.debug > 0) {
f09e2e
+#ifdef LBER_OPT_LOG_PRINT_FILE
f09e2e
+			if (options.logdir) {
f09e2e
+				char *logfilename;
f09e2e
+				int logfilenamelen;
f09e2e
+
f09e2e
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
f09e2e
+				logfilename = xmalloc (logfilenamelen);
f09e2e
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
f09e2e
+				logfilename[logfilenamelen - 1] = 0;
f09e2e
+				if ((logfile = fopen (logfilename, "a")) == NULL)
f09e2e
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
f09e2e
+				debug3 ("LDAP debug into %s", logfilename);
f09e2e
+				free (logfilename);
f09e2e
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
f09e2e
+			}
f09e2e
+#endif
f09e2e
+			if (options.debug) {
f09e2e
+#ifdef LBER_OPT_DEBUG_LEVEL
f09e2e
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
f09e2e
+#endif /* LBER_OPT_DEBUG_LEVEL */
f09e2e
+#ifdef LDAP_OPT_DEBUG_LEVEL
f09e2e
+				(void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
f09e2e
+#endif /* LDAP_OPT_DEBUG_LEVEL */
f09e2e
+				debug3 ("Set LDAP debug to %d", options.debug);
f09e2e
+			}
f09e2e
+		}
f09e2e
+#endif /* HAVE_LDAP_SET_OPTION */
f09e2e
+
f09e2e
+		ld = NULL;
f09e2e
+#ifdef HAVE_LDAPSSL_INIT
f09e2e
+		if (options.host != NULL) {
f09e2e
+			if (options.ssl_on == SSL_LDAPS) {
f09e2e
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
f09e2e
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
f09e2e
+				debug3 ("LDAPssl client init");
f09e2e
+			}
f09e2e
+
f09e2e
+			if (options.ssl_on != SSL_OFF) {
f09e2e
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
f09e2e
+				    fatal ("ldapssl_init failed");
f09e2e
+				debug3 ("LDAPssl init");
f09e2e
+			}
f09e2e
+		}
f09e2e
+#endif /* HAVE_LDAPSSL_INIT */
f09e2e
+
f09e2e
+		/* continue with opening */
f09e2e
+		if (ld == NULL) {
f09e2e
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
f09e2e
+			/* Some global TLS-specific options need to be set before we create our
f09e2e
+			 * session context, so we set them here. */
f09e2e
+
f09e2e
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
f09e2e
+			/* rand file */
f09e2e
+			if (options.tls_randfile != NULL) {
f09e2e
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
f09e2e
+				    options.tls_randfile)) != LDAP_SUCCESS)
f09e2e
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
f09e2e
+					    ldap_err2string (rc));
f09e2e
+				debug3 ("Set TLS random file %s", options.tls_randfile);
f09e2e
+			}
f09e2e
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
f09e2e
+
f09e2e
+			/* ca cert file */
f09e2e
+			if (options.tls_cacertfile != NULL) {
f09e2e
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
f09e2e
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
f09e2e
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
f09e2e
+					    ldap_err2string (rc));
f09e2e
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
f09e2e
+			}
f09e2e
+
f09e2e
+			/* ca cert directory */
f09e2e
+			if (options.tls_cacertdir != NULL) {
f09e2e
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
f09e2e
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
f09e2e
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
f09e2e
+					    ldap_err2string (rc));
f09e2e
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
f09e2e
+			}
f09e2e
+
f09e2e
+			/* require cert? */
f09e2e
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
f09e2e
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
f09e2e
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
f09e2e
+				    ldap_err2string (rc));
f09e2e
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
f09e2e
+
f09e2e
+			/* set cipher suite, certificate and private key: */
f09e2e
+			if (options.tls_ciphers != NULL) {
f09e2e
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
f09e2e
+				    options.tls_ciphers)) != LDAP_SUCCESS)
f09e2e
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
f09e2e
+					    ldap_err2string (rc));
f09e2e
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
f09e2e
+			}
f09e2e
+
f09e2e
+			/* cert file */
f09e2e
+			if (options.tls_cert != NULL) {
f09e2e
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
f09e2e
+				    options.tls_cert)) != LDAP_SUCCESS)
f09e2e
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
f09e2e
+					    ldap_err2string (rc));
f09e2e
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
f09e2e
+			}
f09e2e
+
f09e2e
+			/* key file */
f09e2e
+			if (options.tls_key != NULL) {
f09e2e
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
f09e2e
+				    options.tls_key)) != LDAP_SUCCESS)
f09e2e
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
f09e2e
+					    ldap_err2string (rc));
f09e2e
+				debug3 ("Set TLS key file %s ", options.tls_key);
f09e2e
+			}
f09e2e
+#endif
f09e2e
+#ifdef HAVE_LDAP_INITIALIZE
f09e2e
+			if (options.uri != NULL) {
f09e2e
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
f09e2e
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
f09e2e
+				debug3 ("LDAP initialize %s", options.uri);
f09e2e
+			}
f09e2e
+	}
f09e2e
+#endif /* HAVE_LDAP_INTITIALIZE */
f09e2e
+
f09e2e
+		/* continue with opening */
f09e2e
+		if ((ld == NULL) && (options.host != NULL)) {
f09e2e
+#ifdef HAVE_LDAP_INIT
f09e2e
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
f09e2e
+			    fatal ("ldap_init failed");
f09e2e
+			debug3 ("LDAP init %s:%d", options.host, options.port);
f09e2e
+#else
f09e2e
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
f09e2e
+			    fatal ("ldap_open failed");
f09e2e
+			debug3 ("LDAP open %s:%d", options.host, options.port);
f09e2e
+#endif /* HAVE_LDAP_INIT */
f09e2e
+		}
f09e2e
+
f09e2e
+		if (ld == NULL)
f09e2e
+			fatal ("no way to open ldap");
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
f09e2e
+		if (options.ssl == SSL_LDAPS) {
f09e2e
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
f09e2e
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
f09e2e
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
f09e2e
+		}
f09e2e
+#endif /* LDAP_OPT_X_TLS */
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
f09e2e
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
f09e2e
+		    &options.ldap_version);
f09e2e
+#else
f09e2e
+		ld->ld_version = options.ldap_version;
f09e2e
+#endif
f09e2e
+		debug3 ("LDAP set version to %d", options.ldap_version);
f09e2e
+
f09e2e
+#if LDAP_SET_REBIND_PROC_ARGS == 3
f09e2e
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
f09e2e
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
f09e2e
+		ldap_set_rebind_proc (ld, _rebind_proc);
f09e2e
+#else
f09e2e
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
f09e2e
+#endif
f09e2e
+		debug3 ("LDAP set rebind proc");
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
f09e2e
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
f09e2e
+#else
f09e2e
+		ld->ld_deref = options.deref;
f09e2e
+#endif
f09e2e
+		debug3 ("LDAP set deref to %d", options.deref);
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
f09e2e
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
f09e2e
+		    &options.timelimit);
f09e2e
+#else
f09e2e
+		ld->ld_timelimit = options.timelimit;
f09e2e
+#endif
f09e2e
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
f09e2e
+		/*
f09e2e
+		 * This is a new option in the Netscape SDK which sets 
f09e2e
+		 * the TCP connect timeout. For want of a better value,
f09e2e
+		 * we use the bind_timelimit to control this.
f09e2e
+		 */
f09e2e
+		timeout = options.bind_timelimit * 1000;
f09e2e
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
f09e2e
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
f09e2e
+#endif
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
f09e2e
+		tv.tv_sec = options.bind_timelimit;
f09e2e
+		tv.tv_usec = 0;
f09e2e
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
f09e2e
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
f09e2e
+#endif
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
f09e2e
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
f09e2e
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
f09e2e
+		debug3 ("LDAP set referrals to %d", options.referrals);
f09e2e
+#endif
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
f09e2e
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
f09e2e
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
f09e2e
+		debug3 ("LDAP set restart to %d", options.restart);
f09e2e
+#endif
f09e2e
+
f09e2e
+#ifdef HAVE_LDAP_START_TLS_S
f09e2e
+		if (options.ssl == SSL_START_TLS) {
f09e2e
+			int version;
f09e2e
+
f09e2e
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
f09e2e
+			    == LDAP_SUCCESS) {
f09e2e
+				if (version < LDAP_VERSION3) {
f09e2e
+					version = LDAP_VERSION3;
f09e2e
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
f09e2e
+					    &version);
f09e2e
+					debug3 ("LDAP set version to %d", version);
f09e2e
+				}
f09e2e
+			}
f09e2e
+
f09e2e
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
f09e2e
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
f09e2e
+			debug3 ("LDAP start TLS");
f09e2e
+		}
f09e2e
+#endif /* HAVE_LDAP_START_TLS_S */
f09e2e
+	}
f09e2e
+
f09e2e
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
f09e2e
+	    options.bindpw)) == -1) {
f09e2e
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
f09e2e
+
f09e2e
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
f09e2e
+		reconnect++;
f09e2e
+		goto retry;
f09e2e
+	}
f09e2e
+	debug3 ("LDAP simple bind (%s)", options.binddn);
f09e2e
+
f09e2e
+	timeout.tv_sec = options.bind_timelimit;
f09e2e
+	timeout.tv_usec = 0;
f09e2e
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
f09e2e
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
f09e2e
+
f09e2e
+		error ("ldap_result %s", ldap_err2string (ld_errno));
f09e2e
+		reconnect++;
f09e2e
+		goto retry;
f09e2e
+	}
f09e2e
+	debug3 ("LDAP result in time");
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
f09e2e
+	controls = NULL;
f09e2e
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
f09e2e
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
f09e2e
+	debug3 ("LDAP parse result OK");
f09e2e
+
f09e2e
+	if (controls != NULL) {
f09e2e
+		ldap_controls_free (controls);
f09e2e
+	}
f09e2e
+#else
f09e2e
+	rc = ldap_result2error (session->ld, result, TRUE);
f09e2e
+#endif
f09e2e
+	if (rc != LDAP_SUCCESS)
f09e2e
+	    fatal ("error trying to bind as user \"%s\" (%s)",
f09e2e
+		options.binddn, ldap_err2string (rc));
f09e2e
+
f09e2e
+	debug2 ("LDAP do connect OK");
f09e2e
+}
f09e2e
+
f09e2e
+void
f09e2e
+process_user (const char *user, FILE *output)
f09e2e
+{
f09e2e
+	LDAPMessage *res, *e;
f09e2e
+	char *buffer;
f09e2e
+	int bufflen, rc, i;
f09e2e
+	struct timeval timeout;
f09e2e
+
f09e2e
+	debug ("LDAP process user");
f09e2e
+
f09e2e
+	/* quick check for attempts to be evil */
f09e2e
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
f09e2e
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
f09e2e
+		logit ("illegal user name %s not processed", user);
f09e2e
+		return;
f09e2e
+	}
f09e2e
+
f09e2e
+	/* build  filter for LDAP request */
f09e2e
+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
f09e2e
+	if (options.ssh_filter != NULL)
f09e2e
+	    bufflen += strlen (options.ssh_filter);
f09e2e
+	buffer = xmalloc (bufflen);
f09e2e
+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
f09e2e
+	buffer[bufflen - 1] = 0;
f09e2e
+
f09e2e
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
f09e2e
+
f09e2e
+	timeout.tv_sec = options.timelimit;
f09e2e
+	timeout.tv_usec = 0;
f09e2e
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
f09e2e
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
f09e2e
+		free (buffer);
f09e2e
+		return;
f09e2e
+	}
f09e2e
+
f09e2e
+	/* free */
f09e2e
+	free (buffer);
f09e2e
+
f09e2e
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
f09e2e
+		int num;
f09e2e
+		struct berval **keys;
f09e2e
+
f09e2e
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
f09e2e
+		num = ldap_count_values_len(keys);
f09e2e
+		for (i = 0 ; i < num ; i++) {
f09e2e
+			char *cp; //, *options = NULL;
f09e2e
+
f09e2e
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
f09e2e
+			if (!*cp || *cp == '\n' || *cp == '#')
f09e2e
+			    continue;
f09e2e
+
f09e2e
+			/* We have found the desired key. */
f09e2e
+			fprintf (output, "%s\n", keys[i]->bv_val);
f09e2e
+		}
f09e2e
+
f09e2e
+		ldap_value_free_len(keys);
f09e2e
+	}
f09e2e
+
f09e2e
+	ldap_msgfree(res);
f09e2e
+	debug2 ("LDAP process user finished");
f09e2e
+}
f09e2e
+
f09e2e
+void
f09e2e
+ldap_do_close(void)
f09e2e
+{
f09e2e
+	int rc;
f09e2e
+
f09e2e
+	debug ("LDAP do close");
f09e2e
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
f09e2e
+	    fatal ("ldap_unbind_ext: %s",
f09e2e
+                                    ldap_err2string (rc));
f09e2e
+
f09e2e
+	ld = NULL;
f09e2e
+	debug2 ("LDAP do close OK");
f09e2e
+	return;
f09e2e
+}
f09e2e
+
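Review bot: In process_user the filter build `snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL)` hands `NULL` to a `%s` conversion whenever no ssh_filter is configured, which is undefined behaviour and on glibc yields a filter ending in `(null))` that no entry can match; the fallback should be `""`. In _rebind_proc the id returned by `ldap_simple_bind` is discarded and `ldap_result` is then called with the callback's own `msgid` parameter (the id of the operation that triggered the rebind), so it waits on the wrong message, and on success it returns the message type that `ldap_result` yields rather than the bind's result code, which libldap will read as a failure; the rewritten tail below keeps the bind id in a local and returns the parsed bind result. Several branches that are compiled only on non-OpenLDAP or older builds cannot compile as written, which suggests they were never built: `rc = ldap_result2error (session->ld, result, TRUE);` references a `session` that does not exist in this file (it should be `ld`), `timeout = options.bind_timelimit * 1000;` assigns an int to the `struct timeval timeout` declared at the top of ldap_do_connect, and `reconnect` and `result` are used unconditionally in ldap_do_connect although they are declared only under HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE. The line `(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;` likewise needs to read `&tv);` unless that is an artifact of how the page was rendered.
```c
static int
_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
{
	int bindid;	/* id of our own bind; msgid is the caller's operation */
	/* … unchanged: remaining declarations, debug2, start-TLS handling … */
	if ((bindid = ldap_simple_bind (ld, options.binddn, options.bindpw)) < 0)
	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
	/* … unchanged: timeout setup, result = NULL … */
	if (ldap_result (ld, bindid, FALSE, &timeout, &result) < 1) {
		/* … unchanged: error(), ldap_msgfree(), return LDAP_OPERATIONS_ERROR … */
	}
	/* freeit=TRUE releases result; rc receives the server's bind result code */
	if (ldap_parse_result (ld, result, &rc, NULL, NULL, NULL, NULL, TRUE) != LDAP_SUCCESS)
		return LDAP_OPERATIONS_ERROR;
	debug3 ("LDAP rebind to %s succesfull", options.binddn);
	return rc;
```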
f09e2e
diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
f09e2e
--- openssh-6.2p1/ldapbody.h.ldap	2013-03-25 21:27:15.889248078 +0100
f09e2e
+++ openssh-6.2p1/ldapbody.h	2013-03-25 21:27:15.889248078 +0100
f09e2e
@@ -0,0 +1,37 @@
f09e2e
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
f09e2e
+/*
f09e2e
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
f09e2e
+ *
f09e2e
+ * Redistribution and use in source and binary forms, with or without
f09e2e
+ * modification, are permitted provided that the following conditions
f09e2e
+ * are met:
f09e2e
+ * 1. Redistributions of source code must retain the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer.
f09e2e
+ * 2. Redistributions in binary form must reproduce the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer in the
f09e2e
+ *    documentation and/or other materials provided with the distribution.
f09e2e
+ *
f09e2e
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f09e2e
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f09e2e
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f09e2e
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f09e2e
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f09e2e
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f09e2e
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f09e2e
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f09e2e
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f09e2e
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f09e2e
+ */
f09e2e
+
f09e2e
+#ifndef LDAPBODY_H
f09e2e
+#define LDAPBODY_H
f09e2e
+
f09e2e
+#include <stdio.h>
f09e2e
+
f09e2e
+void ldap_checkconfig(void);
f09e2e
+void ldap_do_connect(void);
f09e2e
+void process_user(const char *, FILE *);
f09e2e
+void ldap_do_close(void);
f09e2e
+
f09e2e
+#endif /* LDAPBODY_H */
f09e2e
+
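Review bot: The prototypes `ldap_checkconfig`, `ldap_do_connect` and `ldap_do_close` place project functions inside the `ldap_` symbol prefix that libldap itself owns, so any future library release that adds a function of the same name would clash at link time, while `process_user` breaks the pattern in the other direction; a project-specific prefix (for example `helper_ldap_connect`, `helper_ldap_process_user`) would avoid both. Each declaration would also benefit from a one-line contract comment, since the implementations in ldapbody.c exit through fatal() on any connection or bind failure and `process_user` writes every non-comment `sshPublicKey` value of the matching entries to `output` — callers cannot tell either from the header as written.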
770374
--- openssh-6.4p1/ldapconf.c.ldap	2013-11-26 10:31:03.513794385 +0100
770374
+++ openssh-6.4p1/ldapconf.c	2013-11-26 10:38:15.474635149 +0100
770374
@@ -0,0 +1,720 @@
f09e2e
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
f09e2e
+/*
f09e2e
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
f09e2e
+ *
f09e2e
+ * Redistribution and use in source and binary forms, with or without
f09e2e
+ * modification, are permitted provided that the following conditions
f09e2e
+ * are met:
f09e2e
+ * 1. Redistributions of source code must retain the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer.
f09e2e
+ * 2. Redistributions in binary form must reproduce the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer in the
f09e2e
+ *    documentation and/or other materials provided with the distribution.
f09e2e
+ *
f09e2e
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f09e2e
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f09e2e
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f09e2e
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f09e2e
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f09e2e
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f09e2e
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f09e2e
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f09e2e
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f09e2e
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f09e2e
+ */
f09e2e
+
f09e2e
+#include "ldapincludes.h"
f09e2e
+#include "ldap-helper.h"
f09e2e
+#include "log.h"
f09e2e
+#include "misc.h"
f09e2e
+#include "xmalloc.h"
f09e2e
+#include "ldapconf.h"
f09e2e
+#include <unistd.h>
f09e2e
+#include <string.h>
f09e2e
+
f09e2e
+/* Keyword tokens. */
f09e2e
+
f09e2e
+typedef enum {
f09e2e
+	lBadOption,
f09e2e
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
f09e2e
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
f09e2e
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
f09e2e
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
f09e2e
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
f09e2e
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
f09e2e
+	lAccountClass, lDeprecated, lUnsupported
f09e2e
+} OpCodes;
f09e2e
+
f09e2e
+/* Textual representations of the tokens. */
f09e2e
+
f09e2e
+static struct {
f09e2e
+	const char *name;
f09e2e
+	OpCodes opcode;
f09e2e
+} keywords[] = {
f09e2e
+	{ "URI", lURI },
f09e2e
+	{ "Base", lBase },
f09e2e
+	{ "BindDN", lBindDN },
f09e2e
+	{ "BindPW", lBindPW },
f09e2e
+	{ "RootBindDN", lRootBindDN },
f09e2e
+	{ "Host", lHost },
f09e2e
+	{ "Port", lPort },
f09e2e
+	{ "Scope", lScope },
f09e2e
+	{ "Deref", lDeref },
f09e2e
+	{ "TimeLimit", lTimeLimit },
f09e2e
+	{ "TimeOut", lTimeLimit },
f09e2e
+	{ "Bind_Timelimit", lBind_TimeLimit },
f09e2e
+	{ "Network_TimeOut", lBind_TimeLimit },
f09e2e
+/*
f09e2e
+ * Todo
f09e2e
+ * SIZELIMIT
f09e2e
+ */
f09e2e
+	{ "Ldap_Version", lLdap_Version },
f09e2e
+	{ "Version", lLdap_Version },
f09e2e
+	{ "Bind_Policy", lBind_Policy },
f09e2e
+	{ "SSLPath", lSSLPath },
f09e2e
+	{ "SSL", lSSL },
f09e2e
+	{ "Referrals", lReferrals },
f09e2e
+	{ "Restart", lRestart },
f09e2e
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
f09e2e
+	{ "TLS_ReqCert", lTLS_CheckPeer },
f09e2e
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
f09e2e
+	{ "TLS_CaCert", lTLS_CaCertFile },
f09e2e
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
f09e2e
+	{ "TLS_Ciphers", lTLS_Ciphers },
f09e2e
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
f09e2e
+	{ "TLS_Cert", lTLS_Cert },
f09e2e
+	{ "TLS_Certificate", lTLS_Cert },
f09e2e
+	{ "TLS_Key", lTLS_Key },
f09e2e
+	{ "TLS_RandFile", lTLS_RandFile },
f09e2e
+/*
f09e2e
+ * Todo
f09e2e
+ * TLS_CRLCHECK
f09e2e
+ * TLS_CRLFILE
f09e2e
+ */
f09e2e
+	{ "LogDir", lLogDir },
f09e2e
+	{ "Debug", lDebug },
f09e2e
+	{ "SSH_Filter", lSSH_Filter },
f09e2e
+	{ "AccountClass", lAccountClass },
f09e2e
+	{ NULL, lBadOption }
f09e2e
+};
f09e2e
+
f09e2e
+/* Configuration ptions. */
f09e2e
+
f09e2e
+Options options;
f09e2e
+
f09e2e
+/*
f09e2e
+ * Returns the number of the token pointed to by cp or oBadOption.
f09e2e
+ */
f09e2e
+
f09e2e
+static OpCodes
f09e2e
+parse_token(const char *cp, const char *filename, int linenum)
f09e2e
+{
f09e2e
+	u_int i;
f09e2e
+
f09e2e
+	for (i = 0; keywords[i].name; i++)
f09e2e
+		if (strcasecmp(cp, keywords[i].name) == 0)
f09e2e
+			return keywords[i].opcode;
f09e2e
+
f09e2e
+	if (config_warning_config_file) 
f09e2e
+	    logit("%s: line %d: Bad configuration option: %s",
f09e2e
+		filename, linenum, cp);
f09e2e
+	return lBadOption;
f09e2e
+}
f09e2e
+
770374
+/* Characters considered whitespace in strsep calls. */
770374
+#define WHITESPACE " \t\r\n"
770374
+
770374
+/* return next token in configuration line */
770374
+static char *
770374
+ldap_strdelim(char **s)
770374
+{
770374
+      char *old;
770374
+      int wspace = 0;
770374
+
770374
+      if (*s == NULL)
770374
+              return NULL;
770374
+
770374
+      old = *s;
770374
+
770374
+      *s = strpbrk(*s, WHITESPACE);
770374
+      if (*s == NULL)
770374
+              return (old);
770374
+
770374
+      *s[0] = '\0';
770374
+
770374
+      /* Skip any extra whitespace after first token */
770374
+      *s += strspn(*s + 1, WHITESPACE) + 1;
770374
+      if (*s[0] == '=' && !wspace)
770374
+              *s += strspn(*s + 1, WHITESPACE) + 1;
770374
+
770374
+      return (old);
770374
+}
770374
+
f09e2e
+/*
f09e2e
+ * Processes a single option line as used in the configuration files. This
f09e2e
+ * only sets those values that have not already been set.
f09e2e
+ */
f09e2e
+#define WHITESPACE " \t\r\n"
f09e2e
+
f09e2e
+static int
f09e2e
+process_config_line(char *line, const char *filename, int linenum)
f09e2e
+{
f09e2e
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
f09e2e
+	char *rootbinddn = NULL;
f09e2e
+	int opcode, *intptr, value;
f09e2e
+	size_t len;
f09e2e
+
f09e2e
+	/* Strip trailing whitespace */
f09e2e
+	for (len = strlen(line) - 1; len > 0; len--) {
f09e2e
+		if (strchr(WHITESPACE, line[len]) == NULL)
f09e2e
+			break;
f09e2e
+		line[len] = '\0';
f09e2e
+	}
f09e2e
+
f09e2e
+	s = line;
f09e2e
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
770374
+	if ((keyword = ldap_strdelim(&s)) == NULL)
f09e2e
+		return 0;
f09e2e
+	/* Ignore leading whitespace. */
f09e2e
+	if (*keyword == '\0')
770374
+		keyword = ldap_strdelim(&s);
f09e2e
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
f09e2e
+		return 0;
f09e2e
+
f09e2e
+	opcode = parse_token(keyword, filename, linenum);
f09e2e
+
f09e2e
+	switch (opcode) {
f09e2e
+	case lBadOption:
f09e2e
+		/* don't panic, but count bad options */
f09e2e
+		return -1;
f09e2e
+		/* NOTREACHED */
f09e2e
+
f09e2e
+	case lHost:
f09e2e
+		xstringptr = &options.host;
f09e2e
+parse_xstring:
f09e2e
+		if (!s || *s == '\0')
f09e2e
+		    fatal("%s line %d: missing dn",filename,linenum);
f09e2e
+		if (*xstringptr == NULL)
f09e2e
+		    *xstringptr = xstrdup(s);
f09e2e
+		return 0;
f09e2e
+
f09e2e
+	case lURI:
f09e2e
+		xstringptr = &options.uri;
f09e2e
+		goto parse_xstring;
f09e2e
+
f09e2e
+	case lBase:
f09e2e
+		xstringptr = &options.base;
f09e2e
+		goto parse_xstring;
f09e2e
+
f09e2e
+	case lBindDN:
f09e2e
+		xstringptr = &options.binddn;
f09e2e
+		goto parse_xstring;
f09e2e
+
f09e2e
+	case lBindPW:
f09e2e
+		charptr = &options.bindpw;
f09e2e
+parse_string:
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
f09e2e
+		if (*charptr == NULL)
f09e2e
+			*charptr = xstrdup(arg);
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lRootBindDN:
f09e2e
+		xstringptr = &rootbinddn;
f09e2e
+		goto parse_xstring;
f09e2e
+
f09e2e
+	case lScope:
f09e2e
+		intptr = &options.scope;
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
f09e2e
+		value = 0;	/* To avoid compiler warning... */
f09e2e
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
f09e2e
+			value = LDAP_SCOPE_SUBTREE;
f09e2e
+		else if (strcasecmp (arg, "one") == 0)
f09e2e
+			value = LDAP_SCOPE_ONELEVEL;
f09e2e
+		else if (strcasecmp (arg, "base") == 0)
f09e2e
+			value = LDAP_SCOPE_BASE;
f09e2e
+		else
f09e2e
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
f09e2e
+		if (*intptr == -1)
f09e2e
+			*intptr = value;
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lDeref:
f09e2e
+		intptr = &options.scope;
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
f09e2e
+		value = 0;	/* To avoid compiler warning... */
f09e2e
+		if (!strcasecmp (arg, "never"))
f09e2e
+			value = LDAP_DEREF_NEVER;
f09e2e
+		else if (!strcasecmp (arg, "searching"))
f09e2e
+			value = LDAP_DEREF_SEARCHING;
f09e2e
+		else if (!strcasecmp (arg, "finding"))
f09e2e
+			value = LDAP_DEREF_FINDING;
f09e2e
+		else if (!strcasecmp (arg, "always"))
f09e2e
+			value = LDAP_DEREF_ALWAYS;
f09e2e
+		else
f09e2e
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
f09e2e
+		if (*intptr == -1)
f09e2e
+			*intptr = value;
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lPort:
f09e2e
+		intptr = &options.port;
f09e2e
+parse_int:
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
f09e2e
+		if (arg[0] < '0' || arg[0] > '9')
f09e2e
+			fatal("%.200s line %d: Bad number.", filename, linenum);
f09e2e
+
f09e2e
+		/* Octal, decimal, or hex format? */
f09e2e
+		value = strtol(arg, &endofnumber, 0);
f09e2e
+		if (arg == endofnumber)
f09e2e
+			fatal("%.200s line %d: Bad number.", filename, linenum);
f09e2e
+		if (*intptr == -1)
f09e2e
+			*intptr = value;
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lTimeLimit:
f09e2e
+		intptr = &options.timelimit;
f09e2e
+parse_time:
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%s line %d: missing time value.",
f09e2e
+			    filename, linenum);
f09e2e
+		if ((value = convtime(arg)) == -1)
f09e2e
+			fatal("%s line %d: invalid time value.",
f09e2e
+			    filename, linenum);
f09e2e
+		if (*intptr == -1)
f09e2e
+			*intptr = value;
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lBind_TimeLimit:
f09e2e
+		intptr = &options.bind_timelimit;
f09e2e
+		goto parse_time;
f09e2e
+
f09e2e
+	case lLdap_Version:
f09e2e
+		intptr = &options.ldap_version;
f09e2e
+		goto parse_int;
f09e2e
+
f09e2e
+	case lBind_Policy:
f09e2e
+		intptr = &options.bind_policy;
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
f09e2e
+		value = 0;	/* To avoid compiler warning... */
f09e2e
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
f09e2e
+			value = 1;
f09e2e
+		else if (strcasecmp(arg, "soft") == 0)
f09e2e
+			value = 0;
f09e2e
+		else
f09e2e
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
f09e2e
+		if (*intptr == -1)
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lSSLPath:
f09e2e
+		charptr = &options.sslpath;
f09e2e
+		goto parse_string;
f09e2e
+
f09e2e
+	case lSSL:
f09e2e
+		intptr = &options.ssl;
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
f09e2e
+		value = 0;	/* To avoid compiler warning... */
f09e2e
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
f09e2e
+			value = SSL_LDAPS;
f09e2e
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
f09e2e
+			value = SSL_OFF;
f09e2e
+		else if (!strcasecmp (arg, "start_tls"))
f09e2e
+			value = SSL_START_TLS;
f09e2e
+		else
f09e2e
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
f09e2e
+		if (*intptr == -1)
f09e2e
+			*intptr = value;
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lReferrals:
f09e2e
+		intptr = &options.referrals;
f09e2e
+parse_flag:
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
f09e2e
+		value = 0;	/* To avoid compiler warning... */
f09e2e
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
f09e2e
+			value = 1;
f09e2e
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
f09e2e
+			value = 0;
f09e2e
+		else
f09e2e
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
f09e2e
+		if (*intptr == -1)
f09e2e
+			*intptr = value;
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lRestart:
f09e2e
+		intptr = &options.restart;
f09e2e
+		goto parse_flag;
f09e2e
+
f09e2e
+	case lTLS_CheckPeer:
f09e2e
+		intptr = &options.tls_checkpeer;
770374
+		arg = ldap_strdelim(&s);
f09e2e
+		if (!arg || *arg == '\0')
f09e2e
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
f09e2e
+		value = 0;	/* To avoid compiler warning... */
f09e2e
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
f09e2e
+			value = LDAP_OPT_X_TLS_NEVER;
f09e2e
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
f09e2e
+			value = LDAP_OPT_X_TLS_HARD;
f09e2e
+		else if (strcasecmp(arg, "demand") == 0)
f09e2e
+			value = LDAP_OPT_X_TLS_DEMAND;
f09e2e
+		else if (strcasecmp(arg, "allow") == 0)
f09e2e
+			value = LDAP_OPT_X_TLS_ALLOW;
f09e2e
+		else if (strcasecmp(arg, "try") == 0)
f09e2e
+			value = LDAP_OPT_X_TLS_TRY;
f09e2e
+		else
f09e2e
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
f09e2e
+		if (*intptr == -1)
f09e2e
+		break;
f09e2e
+
f09e2e
+	case lTLS_CaCertFile:
f09e2e
+		charptr = &options.tls_cacertfile;
f09e2e
+		goto parse_string;
f09e2e
+
f09e2e
+	case lTLS_CaCertDir:
f09e2e
+		charptr = &options.tls_cacertdir;
f09e2e
+		goto parse_string;
f09e2e
+
f09e2e
+	case lTLS_Ciphers:
f09e2e
+		xstringptr = &options.tls_ciphers;
f09e2e
+		goto parse_xstring;
f09e2e
+
f09e2e
+	case lTLS_Cert:
f09e2e
+		charptr = &options.tls_cert;
f09e2e
+		goto parse_string;
f09e2e
+
f09e2e
+	case lTLS_Key:
f09e2e
+		charptr = &options.tls_key;
f09e2e
+		goto parse_string;
f09e2e
+
f09e2e
+	case lTLS_RandFile:
f09e2e
+		charptr = &options.tls_randfile;
f09e2e
+		goto parse_string;
f09e2e
+
f09e2e
+	case lLogDir:
f09e2e
+		charptr = &options.logdir;
f09e2e
+		goto parse_string;
f09e2e
+
f09e2e
+	case lDebug:
f09e2e
+		intptr = &options.debug;
f09e2e
+		goto parse_int;
f09e2e
+
f09e2e
+	case lSSH_Filter:
f09e2e
+		xstringptr = &options.ssh_filter;
f09e2e
+		goto parse_xstring;
f09e2e
+
f09e2e
+	case lAccountClass:
f09e2e
+		charptr = &options.account_class;
f09e2e
+		goto parse_string;
f09e2e
+
f09e2e
+	case lDeprecated:
f09e2e
+		debug("%s line %d: Deprecated option \"%s\"",
f09e2e
+		    filename, linenum, keyword);
f09e2e
+		return 0;
f09e2e
+
f09e2e
+	case lUnsupported:
f09e2e
+		error("%s line %d: Unsupported option \"%s\"",
f09e2e
+		    filename, linenum, keyword);
f09e2e
+		return 0;
f09e2e
+
f09e2e
+	default:
f09e2e
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
f09e2e
+	}
f09e2e
+
f09e2e
+	/* Check that there is no garbage at end of line. */
770374
+	if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
f09e2e
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
f09e2e
+		    filename, linenum, arg);
f09e2e
+	}
f09e2e
+	return 0;
f09e2e
+}
f09e2e
+
f09e2e
+/*
f09e2e
+ * Reads the config file and modifies the options accordingly.  Options
f09e2e
+ * should already be initialized before this call.  This never returns if
f09e2e
+ * there is an error.  If the file does not exist, this returns 0.
f09e2e
+ */
f09e2e
+
f09e2e
+void
f09e2e
+read_config_file(const char *filename)
f09e2e
+{
f09e2e
+	FILE *f;
f09e2e
+	char line[1024];
f09e2e
+	int active, linenum;
f09e2e
+	int bad_options = 0;
f09e2e
+	struct stat sb;
f09e2e
+
f09e2e
+	if ((f = fopen(filename, "r")) == NULL)
f09e2e
+		fatal("fopen %s: %s", filename, strerror(errno));
f09e2e
+
f09e2e
+	if (fstat(fileno(f), &sb) == -1)
f09e2e
+		fatal("fstat %s: %s", filename, strerror(errno));
f09e2e
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
f09e2e
+	    (sb.st_mode & 022) != 0))
f09e2e
+		fatal("Bad owner or permissions on %s", filename);
f09e2e
+
f09e2e
+	debug("Reading configuration data %.200s", filename);
f09e2e
+
f09e2e
+	/*
f09e2e
+	 * Mark that we are now processing the options.  This flag is turned
f09e2e
+	 * on/off by Host specifications.
f09e2e
+	 */
f09e2e
+	active = 1;
f09e2e
+	linenum = 0;
f09e2e
+	while (fgets(line, sizeof(line), f)) {
f09e2e
+		/* Update line number counter. */
f09e2e
+		linenum++;
f09e2e
+		if (process_config_line(line, filename, linenum) != 0)
f09e2e
+			bad_options++;
f09e2e
+	}
f09e2e
+	fclose(f);
f09e2e
+	if ((bad_options > 0) && config_exclusive_config_file) 
f09e2e
+		fatal("%s: terminating, %d bad configuration options",
f09e2e
+		    filename, bad_options);
f09e2e
+}
f09e2e
+
f09e2e
+/*
f09e2e
+ * Initializes options to special values that indicate that they have not yet
f09e2e
+ * been set.  Read_config_file will only set options with this value. Options
f09e2e
+ * are processed in the following order: command line, user config file,
f09e2e
+ * system config file.  Last, fill_default_options is called.
f09e2e
+ */
f09e2e
+
f09e2e
+void
f09e2e
+initialize_options(void)
f09e2e
+{
f09e2e
+	memset(&options, 'X', sizeof(options));
f09e2e
+	options.host = NULL;
f09e2e
+	options.uri = NULL;
f09e2e
+	options.base = NULL;
f09e2e
+	options.binddn = NULL;
f09e2e
+	options.bindpw = NULL;
f09e2e
+	options.scope = -1;
f09e2e
+	options.deref = -1;
f09e2e
+	options.port = -1;
f09e2e
+	options.timelimit = -1;
f09e2e
+	options.bind_timelimit = -1;
f09e2e
+	options.ldap_version = -1;
f09e2e
+	options.bind_policy = -1;
f09e2e
+	options.sslpath = NULL;
f09e2e
+	options.ssl = -1;
f09e2e
+	options.referrals = -1;
f09e2e
+	options.restart = -1;
f09e2e
+	options.tls_checkpeer = -1;
f09e2e
+	options.tls_cacertfile = NULL;
f09e2e
+	options.tls_cacertdir = NULL;
f09e2e
+	options.tls_ciphers = NULL;
f09e2e
+	options.tls_cert = NULL;
f09e2e
+	options.tls_key = NULL;
f09e2e
+	options.tls_randfile = NULL;
f09e2e
+	options.logdir = NULL;
f09e2e
+	options.debug = -1;
f09e2e
+	options.ssh_filter = NULL;
f09e2e
+	options.account_class = NULL;
f09e2e
+}
f09e2e
+
f09e2e
+/*
f09e2e
+ * Called after processing other sources of option data, this fills those
f09e2e
+ * options for which no value has been specified with their default values.
f09e2e
+ */
f09e2e
+
f09e2e
+void
f09e2e
+fill_default_options(void)
f09e2e
+{
f09e2e
+	if (options.uri != NULL) {
f09e2e
+		LDAPURLDesc *ludp;
f09e2e
+
f09e2e
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
f09e2e
+			if (options.ssl == -1) {
f09e2e
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
f09e2e
+				    options.ssl = 2;
f09e2e
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
f09e2e
+				    options.ssl = 0;
f09e2e
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
f09e2e
+				    options.ssl = 1;
f09e2e
+			}
f09e2e
+			if (options.host == NULL)
f09e2e
+			    options.host = xstrdup (ludp->lud_host);
f09e2e
+			if (options.port == -1)
f09e2e
+			    options.port = ludp->lud_port;
f09e2e
+
f09e2e
+			ldap_free_urldesc (ludp);
f09e2e
+		}
f09e2e
+	} 
f09e2e
+	if (options.ssl == -1)
f09e2e
+	    options.ssl = SSL_START_TLS;
f09e2e
+	if (options.port == -1)
f09e2e
+	    options.port = (options.ssl == 0) ? 389 : 636;
f09e2e
+	if (options.uri == NULL) {
f09e2e
+		int len;
f09e2e
+#define MAXURILEN 4096
f09e2e
+
f09e2e
+		options.uri = xmalloc (MAXURILEN);
f09e2e
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
f09e2e
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
f09e2e
+		options.uri[MAXURILEN - 1] = 0;
f09e2e
+		options.uri = xrealloc (options.uri, len + 1, 1);
f09e2e
+	}
f09e2e
+	if (options.binddn == NULL)
f09e2e
+	    options.binddn = "";
f09e2e
+	if (options.bindpw == NULL)
f09e2e
+	    options.bindpw = "";
f09e2e
+	if (options.scope == -1)
f09e2e
+	    options.scope = LDAP_SCOPE_SUBTREE;
f09e2e
+	if (options.deref == -1)
f09e2e
+	    options.deref = LDAP_DEREF_NEVER;
f09e2e
+	if (options.timelimit == -1)
f09e2e
+	    options.timelimit = 10;
f09e2e
+	if (options.bind_timelimit == -1)
f09e2e
+	    options.bind_timelimit = 10;
f09e2e
+	if (options.ldap_version == -1)
f09e2e
+	    options.ldap_version = 3;
f09e2e
+	if (options.bind_policy == -1)
f09e2e
+	    options.bind_policy = 1;
f09e2e
+	if (options.referrals == -1)
f09e2e
+	    options.referrals = 1;
f09e2e
+	if (options.restart == -1)
f09e2e
+	    options.restart = 1;
f09e2e
+	if (options.tls_checkpeer == -1)
f09e2e
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
f09e2e
+	if (options.debug == -1)
f09e2e
+	    options.debug = 0;
f09e2e
+	if (options.ssh_filter == NULL)
f09e2e
+	    options.ssh_filter = "";
f09e2e
+	if (options.account_class == NULL)
f09e2e
+	    options.account_class = "posixAccount";
f09e2e
+}
f09e2e
+
f09e2e
+static const char *
f09e2e
+lookup_opcode_name(OpCodes code)
f09e2e
+{
f09e2e
+	u_int i;
f09e2e
+
f09e2e
+	for (i = 0; keywords[i].name != NULL; i++)
f09e2e
+	    if (keywords[i].opcode == code)
f09e2e
+		return(keywords[i].name);
f09e2e
+	return "UNKNOWN";
f09e2e
+}
f09e2e
+
f09e2e
+static void
f09e2e
+dump_cfg_string(OpCodes code, const char *val)
f09e2e
+{
f09e2e
+	if (val == NULL)
f09e2e
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
f09e2e
+	else
f09e2e
+	    debug3("%s %s", lookup_opcode_name(code), val);
f09e2e
+}
f09e2e
+
f09e2e
+static void
f09e2e
+dump_cfg_int(OpCodes code, int val)
f09e2e
+{
f09e2e
+	if (val == -1)
f09e2e
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
f09e2e
+	else
f09e2e
+	    debug3("%s %d", lookup_opcode_name(code), val);
f09e2e
+}
f09e2e
+
f09e2e
+struct names {
f09e2e
+	int value;
f09e2e
+	char *name;
f09e2e
+};
f09e2e
+
f09e2e
+static void
f09e2e
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
f09e2e
+{
f09e2e
+	u_int i;
f09e2e
+
f09e2e
+	if (val == -1)
f09e2e
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
f09e2e
+	else {
f09e2e
+		for (i = 0; names[i].value != -1; i++)
f09e2e
+	 	    if (names[i].value == val) {
f09e2e
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
f09e2e
+			    return;
f09e2e
+		}
f09e2e
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
f09e2e
+	}
f09e2e
+}
f09e2e
+
f09e2e
+static struct names _yesnotls[] = {
f09e2e
+	{ 0, "No" },
f09e2e
+	{ 1, "Yes" },
f09e2e
+	{ 2, "Start_TLS" },
f09e2e
+	{ -1, NULL }};
f09e2e
+
f09e2e
+static struct names _scope[] = {
f09e2e
+	{ LDAP_SCOPE_BASE, "Base" },
f09e2e
+	{ LDAP_SCOPE_ONELEVEL, "One" },
f09e2e
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
f09e2e
+	{ -1, NULL }};
f09e2e
+
f09e2e
+static struct names _deref[] = {
f09e2e
+	{ LDAP_DEREF_NEVER, "Never" },
f09e2e
+	{ LDAP_DEREF_SEARCHING, "Searching" },
f09e2e
+	{ LDAP_DEREF_FINDING, "Finding" },
f09e2e
+	{ LDAP_DEREF_ALWAYS, "Always" },
f09e2e
+	{ -1, NULL }};
f09e2e
+
f09e2e
+static struct names _yesno[] = {
f09e2e
+	{ 0, "No" },
f09e2e
+	{ 1, "Yes" },
f09e2e
+	{ -1, NULL }};
f09e2e
+
f09e2e
+static struct names _bindpolicy[] = {
f09e2e
+	{ 0, "Soft" },
f09e2e
+	{ 1, "Hard" },
f09e2e
+	{ -1, NULL }};
f09e2e
+
f09e2e
+static struct names _checkpeer[] = {
f09e2e
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
f09e2e
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
f09e2e
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
f09e2e
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
f09e2e
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
f09e2e
+	{ -1, NULL }};
f09e2e
+
f09e2e
+void
f09e2e
+dump_config(void)
f09e2e
+{
f09e2e
+	dump_cfg_string(lURI, options.uri);
f09e2e
+	dump_cfg_string(lHost, options.host);
f09e2e
+	dump_cfg_int(lPort, options.port);
f09e2e
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
f09e2e
+	dump_cfg_int(lLdap_Version, options.ldap_version);
f09e2e
+	dump_cfg_int(lTimeLimit, options.timelimit);
f09e2e
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
f09e2e
+	dump_cfg_string(lBase, options.base);
f09e2e
+	dump_cfg_string(lBindDN, options.binddn);
f09e2e
+	dump_cfg_string(lBindPW, options.bindpw);
f09e2e
+	dump_cfg_namedint(lScope, options.scope, _scope);
f09e2e
+	dump_cfg_namedint(lDeref, options.deref, _deref);
f09e2e
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
f09e2e
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
f09e2e
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
f09e2e
+	dump_cfg_string(lSSLPath, options.sslpath);
f09e2e
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
f09e2e
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
f09e2e
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
f09e2e
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
f09e2e
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
f09e2e
+	dump_cfg_string(lTLS_Key, options.tls_key);
f09e2e
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
f09e2e
+	dump_cfg_string(lLogDir, options.logdir);
f09e2e
+	dump_cfg_int(lDebug, options.debug);
f09e2e
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
f09e2e
+	dump_cfg_string(lAccountClass, options.logdir);
f09e2e
+}
f09e2e
+
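Review bot: The `TLS_CheckPeer` and `Bind_Policy` branches of `process_config_line` parse their argument but never store it: in both `case lTLS_CheckPeer` and `case lBind_Policy` the trailing `if (*intptr == -1)` is followed directly by `break;`, so the configured value is discarded and `fill_default_options` later forces `LDAP_OPT_X_TLS_HARD` / `1` regardless of what the file says; each needs `*intptr = value;` between the check and the `break`. The `case lDeref` branch aims `intptr` at `&options.scope` instead of `&options.deref`, so a `Deref` line silently overrides the search scope while `options.deref` stays unset. In `fill_default_options` the derived port and URI treat any non-zero `ssl` as LDAPS (`(options.ssl == 0) ? 389 : 636` and the `"s"` scheme suffix), so the compiled-in default `SSL_START_TLS` yields `ldaps://host:636`; both tests should be `options.ssl == SSL_LDAPS`, and the same block uses bare `2`/`0`/`1` where the `SSL_*` macros from ldapconf.h exist. Finally, `dump_config` passes `options.logdir` for `lAccountClass` (should be `options.account_class`) and writes `options.bindpw` to the debug3 log in clear; the credential is better reported as set/unset than echoed.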
f09e2e
diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
f09e2e
--- openssh-6.2p2/ldapconf.h.ldap	2013-06-07 15:10:05.602942689 +0200
f09e2e
+++ openssh-6.2p2/ldapconf.h	2013-06-07 15:10:24.928857566 +0200
f09e2e
@@ -0,0 +1,72 @@
f09e2e
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
f09e2e
+/*
f09e2e
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
f09e2e
+ *
f09e2e
+ * Redistribution and use in source and binary forms, with or without
f09e2e
+ * modification, are permitted provided that the following conditions
f09e2e
+ * are met:
f09e2e
+ * 1. Redistributions of source code must retain the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer.
f09e2e
+ * 2. Redistributions in binary form must reproduce the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer in the
f09e2e
+ *    documentation and/or other materials provided with the distribution.
f09e2e
+ *
f09e2e
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f09e2e
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f09e2e
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f09e2e
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f09e2e
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f09e2e
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f09e2e
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f09e2e
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f09e2e
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f09e2e
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f09e2e
+ */
f09e2e
+
f09e2e
+#ifndef LDAPCONF_H
f09e2e
+#define LDAPCONF_H
f09e2e
+
f09e2e
+#define SSL_OFF          0
f09e2e
+#define SSL_LDAPS        1
f09e2e
+#define SSL_START_TLS    2
f09e2e
+
f09e2e
+/* Data structure for representing option data. */
f09e2e
+
f09e2e
+typedef struct {
f09e2e
+	char *host;
f09e2e
+	char *uri;
f09e2e
+	char *base;
f09e2e
+	char *binddn;
f09e2e
+	char *bindpw;
f09e2e
+	int scope;
f09e2e
+	int deref;
f09e2e
+	int port;
f09e2e
+	int timelimit;
f09e2e
+	int bind_timelimit;
f09e2e
+	int ldap_version;
f09e2e
+	int bind_policy;
f09e2e
+	char *sslpath;
f09e2e
+	int ssl;
f09e2e
+	int referrals;
f09e2e
+	int restart;
f09e2e
+	int tls_checkpeer;
f09e2e
+	char *tls_cacertfile;
f09e2e
+	char *tls_cacertdir;
f09e2e
+	char *tls_ciphers;
f09e2e
+	char *tls_cert;
f09e2e
+	char *tls_key;
f09e2e
+	char *tls_randfile;
f09e2e
+	char *logdir;
f09e2e
+	int debug;
f09e2e
+	char *ssh_filter;
f09e2e
+	char *account_class;
f09e2e
+}       Options;
f09e2e
+
f09e2e
+extern Options options;
f09e2e
+
f09e2e
+void read_config_file(const char *);
f09e2e
+void initialize_options(void);
f09e2e
+void fill_default_options(void);
f09e2e
+void dump_config(void);
f09e2e
+
f09e2e
+#endif /* LDAPCONF_H */
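Review bot: The `Options` typedef gives no hint that every field carries a "not yet set" sentinel (`NULL` for the `char *` members, `-1` for the `int` members) that `initialize_options` installs and `process_config_line`/`fill_default_options` test against; a comment above the struct such as `/* Unset sentinels: NULL for strings, -1 for ints; installed by initialize_options(). */` would make the contract visible to anyone adding a field. `SSL_OFF`/`SSL_LDAPS`/`SSL_START_TLS` are defined here but the `ssl` member is not tied to them, so `int ssl; /* SSL_OFF, SSL_LDAPS or SSL_START_TLS */` would discourage the bare 0/1/2 literals used on the .c side. `bindpw` holds a cleartext bind credential; annotating the field (`/* cleartext bind credential; keep out of logs */`) records the handling requirement where the data is declared.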
f09e2e
diff -up openssh-6.2p1/ldap.conf.ldap openssh-6.2p1/ldap.conf
f09e2e
--- openssh-6.2p1/ldap.conf.ldap	2013-03-25 21:27:15.891248091 +0100
f09e2e
+++ openssh-6.2p1/ldap.conf	2013-03-25 21:27:15.891248091 +0100
f09e2e
@@ -0,0 +1,88 @@
f09e2e
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
f09e2e
+#
f09e2e
+# This is the example configuration file for the OpenSSH
f09e2e
+# LDAP backend
f09e2e
+# 
f09e2e
+# see ssh-ldap.conf(5)
f09e2e
+#
f09e2e
+
f09e2e
+# URI with your LDAP server name. This allows to use
f09e2e
+# Unix Domain Sockets to connect to a local LDAP Server.
f09e2e
+#uri ldap://127.0.0.1/
f09e2e
+#uri ldaps://127.0.0.1/   
f09e2e
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
f09e2e
+# Note: %2f encodes the '/' used as directory separator
f09e2e
+
f09e2e
+# Another way to specify your LDAP server is to provide an
f09e2e
+# host name and the port of our LDAP server. Host name
f09e2e
+# must be resolvable without using LDAP.
f09e2e
+# Multiple hosts may be specified, each separated by a 
f09e2e
+# space. How long nss_ldap takes to failover depends on
f09e2e
+# whether your LDAP client library supports configurable
f09e2e
+# network or connect timeouts (see bind_timelimit).
f09e2e
+#host 127.0.0.1
f09e2e
+
f09e2e
+# The port.
f09e2e
+# Optional: default is 389.
f09e2e
+#port 389
f09e2e
+
f09e2e
+# The distinguished name to bind to the server with.
f09e2e
+# Optional: default is to bind anonymously.
f09e2e
+#binddn cn=openssh_keys,dc=example,dc=org
f09e2e
+
f09e2e
+# The credentials to bind with. 
f09e2e
+# Optional: default is no credential.
f09e2e
+#bindpw TopSecret
f09e2e
+
f09e2e
+# The distinguished name of the search base.
f09e2e
+#base dc=example,dc=org
f09e2e
+
f09e2e
+# The LDAP version to use (defaults to 3
f09e2e
+# if supported by client library)
f09e2e
+#ldap_version 3
f09e2e
+
f09e2e
+# The search scope.
f09e2e
+#scope sub
f09e2e
+#scope one
f09e2e
+#scope base
f09e2e
+
f09e2e
+# Search timelimit
f09e2e
+#timelimit 30
f09e2e
+
f09e2e
+# Bind/connect timelimit
f09e2e
+#bind_timelimit 30
f09e2e
+
f09e2e
+# Reconnect policy: hard (default) will retry connecting to
f09e2e
+# the software with exponential backoff, soft will fail
f09e2e
+# immediately.
f09e2e
+#bind_policy hard
f09e2e
+
f09e2e
+# SSL setup, may be implied by URI also.
f09e2e
+#ssl no
f09e2e
+#ssl on
f09e2e
+#ssl start_tls
f09e2e
+
f09e2e
+# OpenLDAP SSL options
f09e2e
+# Require and verify server certificate (yes/no)
f09e2e
+# Default is to use libldap's default behavior, which can be configured in
f09e2e
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
f09e2e
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
f09e2e
+#tls_checkpeer hard
f09e2e
+
f09e2e
+# CA certificates for server certificate verification
f09e2e
+# At least one of these are required if tls_checkpeer is "yes"
f09e2e
+#tls_cacertfile /etc/ssl/ca.cert
f09e2e
+#tls_cacertdir /etc/pki/tls/certs
f09e2e
+
f09e2e
+# Seed the PRNG if /dev/urandom is not provided
f09e2e
+#tls_randfile /var/run/egd-pool
f09e2e
+
f09e2e
+# SSL cipher suite
f09e2e
+# See man ciphers for syntax
f09e2e
+#tls_ciphers TLSv1
f09e2e
+
f09e2e
+# Client certificate and key
f09e2e
+# Use these, if your server requires client authentication.
f09e2e
+#tls_cert
f09e2e
+#tls_key
f09e2e
+
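Review bot: The `tls_checkpeer` commentary does not match the parser that reads this file: it says `(yes/no)` and that the default comes from libldap's `TLS_REQCERT`, but ldapconf.c accepts never/hard/demand/allow/try and `fill_default_options` hard-codes `LDAP_OPT_X_TLS_HARD` when the option is absent, so the line should read `# Require and verify server certificate (never/hard/demand/allow/try; default: hard)`. Likewise `# Optional: default is 389.` under `port` holds only when ssl is off; as the code stands the helper derives the port from the ssl setting, so the comment should say that instead of naming a fixed number. Since `bindpw` is a cleartext credential and `read_config_file` refuses group- or world-writable files, a one-line hint next to `#bindpw` that the file must be owned by root (or the invoking user) and not writable by others would explain the otherwise surprising startup failure.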
f09e2e
diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c
f09e2e
--- openssh-6.2p1/ldap-helper.c.ldap	2013-03-25 21:27:15.892248097 +0100
f09e2e
+++ openssh-6.2p1/ldap-helper.c	2013-03-25 21:27:15.892248097 +0100
f09e2e
@@ -0,0 +1,155 @@
f09e2e
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
f09e2e
+/*
f09e2e
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
f09e2e
+ *
f09e2e
+ * Redistribution and use in source and binary forms, with or without
f09e2e
+ * modification, are permitted provided that the following conditions
f09e2e
+ * are met:
f09e2e
+ * 1. Redistributions of source code must retain the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer.
f09e2e
+ * 2. Redistributions in binary form must reproduce the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer in the
f09e2e
+ *    documentation and/or other materials provided with the distribution.
f09e2e
+ *
f09e2e
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f09e2e
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f09e2e
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f09e2e
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f09e2e
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f09e2e
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f09e2e
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f09e2e
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f09e2e
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f09e2e
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f09e2e
+ */
f09e2e
+
f09e2e
+#include "ldapincludes.h"
f09e2e
+#include "log.h"
f09e2e
+#include "misc.h"
f09e2e
+#include "xmalloc.h"
f09e2e
+#include "ldapconf.h"
f09e2e
+#include "ldapbody.h"
f09e2e
+#include <string.h>
f09e2e
+#include <unistd.h>
f09e2e
+
f09e2e
+static int config_debug = 0;
f09e2e
+int config_exclusive_config_file = 0;
f09e2e
+static char *config_file_name = "/etc/ssh/ldap.conf";
f09e2e
+static char *config_single_user = NULL;
f09e2e
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
f09e2e
+int config_warning_config_file = 0;
f09e2e
+extern char *__progname;
f09e2e
+
f09e2e
+static void
f09e2e
+usage(void)
f09e2e
+{
f09e2e
+	fprintf(stderr, "usage: %s [options]\n",
f09e2e
+	    __progname);
f09e2e
+	fprintf(stderr, "Options:\n");
f09e2e
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
f09e2e
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
f09e2e
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
f09e2e
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
f09e2e
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
f09e2e
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
f09e2e
+	exit(1);
f09e2e
+}
f09e2e
+
f09e2e
+/*
f09e2e
+ * Main program for the ssh pka ldap agent.
f09e2e
+ */
f09e2e
+
f09e2e
+int
f09e2e
+main(int ac, char **av)
f09e2e
+{
f09e2e
+	int opt;
f09e2e
+	FILE *outfile = NULL;
f09e2e
+
f09e2e
+	__progname = ssh_get_progname(av[0]);
f09e2e
+
f09e2e
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
f09e2e
+
f09e2e
+	/*
f09e2e
+	 * Initialize option structure to indicate that no values have been
f09e2e
+	 * set.
f09e2e
+	 */
f09e2e
+	initialize_options();
f09e2e
+
f09e2e
+	/* Parse command-line arguments. */
f09e2e
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
f09e2e
+		switch (opt) {
f09e2e
+		case 'd':
f09e2e
+			config_debug = 1;
f09e2e
+			break;
f09e2e
+
f09e2e
+		case 'e':
f09e2e
+			config_exclusive_config_file = 1;
f09e2e
+			config_warning_config_file = 1;
f09e2e
+			break;
f09e2e
+
f09e2e
+		case 'f':
f09e2e
+			config_file_name = optarg;
f09e2e
+			break;
f09e2e
+
f09e2e
+		case 's':
f09e2e
+			config_single_user = optarg;
f09e2e
+			outfile = fdopen (dup (fileno (stdout)), "w");
f09e2e
+			break;
f09e2e
+
f09e2e
+		case 'v':
f09e2e
+			config_debug = 1;
f09e2e
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
f09e2e
+			    config_verbose++;
f09e2e
+			break;
f09e2e
+
f09e2e
+		case 'w':
f09e2e
+			config_warning_config_file = 1;
f09e2e
+			break;
f09e2e
+
f09e2e
+		case '?':
f09e2e
+		default:
f09e2e
+			usage();
f09e2e
+			break;
f09e2e
+		}
f09e2e
+	}
f09e2e
+
f09e2e
+	/* Initialize loging */
f09e2e
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
f09e2e
+
f09e2e
+	if (ac != optind)
f09e2e
+	    fatal ("illegal extra parameter %s", av[1]);
f09e2e
+
f09e2e
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
f09e2e
+	if (config_debug == 0)
f09e2e
+	    sanitise_stdfd();
f09e2e
+
f09e2e
+	/* Read config file */
f09e2e
+	read_config_file(config_file_name);
f09e2e
+	fill_default_options();
f09e2e
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
f09e2e
+		debug3 ("=== Configuration ===");
f09e2e
+		dump_config();
f09e2e
+		debug3 ("=== *** ===");
f09e2e
+	}
f09e2e
+
f09e2e
+	ldap_checkconfig();
f09e2e
+	ldap_do_connect();
f09e2e
+
f09e2e
+	if (config_single_user) {
f09e2e
+		process_user (config_single_user, outfile);
f09e2e
+	} else {
f09e2e
+		usage();
f09e2e
+		fatal ("Not yet implemented");
f09e2e
+/* TODO
f09e2e
+ * open unix socket a run the loop on it
f09e2e
+ */
f09e2e
+	}
f09e2e
+
f09e2e
+	ldap_do_close();
f09e2e
+	return 0;
f09e2e
+}
f09e2e
+
f09e2e
+/* Ugly hack */
f09e2e
+void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
f09e2e
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
f09e2e
+
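Review bot: The `-s` branch at `outfile = fdopen (dup (fileno (stdout)), "w");` never checks either call, so a closed or unusable stdout yields a NULL FILE* that is handed straight to process_user() later in main(); it should fail loudly, e.g. `if ((outfile = fdopen(dup(fileno(stdout)), "w")) == NULL) fatal("cannot reopen stdout: %s", strerror(errno));` and skip the dup when `outfile` is already set, since a repeated -s currently leaks the earlier descriptor (whether errno/strerror are already in scope depends on what includes.h pulls in, which is outside this hunk). The stray-argument check reports `av[1]` rather than `av[optind]`, so the message names the wrong word whenever options precede the extra argument. Because ldap_checkconfig()/ldap_do_connect() run before `config_single_user` is tested, a helper invoked without -s first binds to the directory with the configured credentials and only then exits through usage(), and the following `fatal ("Not yet implemented")` is unreachable since usage() calls exit(1); moving the `if (config_single_user)` test ahead of ldap_do_connect() avoids the pointless bind and makes the intent clear.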
f09e2e
diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
f09e2e
--- openssh-6.2p1/ldap-helper.h.ldap	2013-03-25 21:27:15.892248097 +0100
f09e2e
+++ openssh-6.2p1/ldap-helper.h	2013-03-25 21:27:15.892248097 +0100
f09e2e
@@ -0,0 +1,32 @@
f09e2e
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
f09e2e
+/*
f09e2e
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
f09e2e
+ *
f09e2e
+ * Redistribution and use in source and binary forms, with or without
f09e2e
+ * modification, are permitted provided that the following conditions
f09e2e
+ * are met:
f09e2e
+ * 1. Redistributions of source code must retain the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer.
f09e2e
+ * 2. Redistributions in binary form must reproduce the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer in the
f09e2e
+ *    documentation and/or other materials provided with the distribution.
f09e2e
+ *
f09e2e
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f09e2e
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f09e2e
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f09e2e
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f09e2e
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f09e2e
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f09e2e
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f09e2e
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f09e2e
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f09e2e
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f09e2e
+ */
f09e2e
+
f09e2e
+#ifndef LDAP_HELPER_H
f09e2e
+#define LDAP_HELPER_H
f09e2e
+
f09e2e
+extern int config_exclusive_config_file;
f09e2e
+extern int config_warning_config_file;
f09e2e
+
f09e2e
+#endif /* LDAP_HELPER_H */
f09e2e
diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
f09e2e
--- openssh-6.2p1/ldapincludes.h.ldap	2013-03-25 21:27:15.892248097 +0100
f09e2e
+++ openssh-6.2p1/ldapincludes.h	2013-03-25 21:27:15.892248097 +0100
f09e2e
@@ -0,0 +1,41 @@
f09e2e
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
f09e2e
+/*
f09e2e
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
f09e2e
+ *
f09e2e
+ * Redistribution and use in source and binary forms, with or without
f09e2e
+ * modification, are permitted provided that the following conditions
f09e2e
+ * are met:
f09e2e
+ * 1. Redistributions of source code must retain the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer.
f09e2e
+ * 2. Redistributions in binary form must reproduce the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer in the
f09e2e
+ *    documentation and/or other materials provided with the distribution.
f09e2e
+ *
f09e2e
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f09e2e
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f09e2e
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f09e2e
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f09e2e
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f09e2e
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f09e2e
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f09e2e
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f09e2e
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f09e2e
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f09e2e
+ */
f09e2e
+
f09e2e
+#ifndef LDAPINCLUDES_H
f09e2e
+#define LDAPINCLUDES_H
f09e2e
+
f09e2e
+#include "includes.h"
f09e2e
+
f09e2e
+#ifdef HAVE_LBER_H
f09e2e
+#include <lber.h>
f09e2e
+#endif
f09e2e
+#ifdef HAVE_LDAP_H
f09e2e
+#include <ldap.h>
f09e2e
+#endif
f09e2e
+#ifdef HAVE_LDAP_SSL_H
f09e2e
+#include <ldap_ssl.h>
f09e2e
+#endif
f09e2e
+
f09e2e
+#endif /* LDAPINCLUDES_H */
f09e2e
diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
f09e2e
--- openssh-6.2p1/ldapmisc.c.ldap	2013-03-25 21:27:15.893248104 +0100
f09e2e
+++ openssh-6.2p1/ldapmisc.c	2013-03-25 21:27:15.893248104 +0100
f09e2e
@@ -0,0 +1,79 @@
f09e2e
+
f09e2e
+#include "ldapincludes.h"
f09e2e
+#include "ldapmisc.h"
f09e2e
+
f09e2e
+#ifndef HAVE_LDAP_GET_LDERRNO
f09e2e
+int
f09e2e
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
f09e2e
+{
f09e2e
+#ifdef HAVE_LDAP_GET_OPTION
f09e2e
+	int rc;
f09e2e
+#endif
f09e2e
+	int lderrno;
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
f09e2e
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
f09e2e
+	    return rc;
f09e2e
+#else
f09e2e
+	lderrno = ld->ld_errno;
f09e2e
+#endif
f09e2e
+
f09e2e
+	if (s != NULL) {
f09e2e
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
f09e2e
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
f09e2e
+		    return rc;
f09e2e
+#else
f09e2e
+		*s = ld->ld_error;
f09e2e
+#endif
f09e2e
+	}
f09e2e
+
f09e2e
+	if (m != NULL) {
f09e2e
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
f09e2e
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
f09e2e
+		    return rc;
f09e2e
+#else
f09e2e
+		*m = ld->ld_matched;
f09e2e
+#endif
f09e2e
+	}
f09e2e
+
f09e2e
+	return lderrno;
f09e2e
+}
f09e2e
+#endif
f09e2e
+
f09e2e
+#ifndef HAVE_LDAP_SET_LDERRNO
f09e2e
+int
f09e2e
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
f09e2e
+{
f09e2e
+#ifdef HAVE_LDAP_SET_OPTION
f09e2e
+	int rc;
f09e2e
+#endif
f09e2e
+
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
f09e2e
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
f09e2e
+	    return rc;
f09e2e
+#else
f09e2e
+	ld->ld_errno = lderrno;
f09e2e
+#endif
f09e2e
+
f09e2e
+	if (s != NULL) {
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
f09e2e
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
f09e2e
+		    return rc;
f09e2e
+#else
f09e2e
+		ld->ld_error = s;
f09e2e
+#endif
f09e2e
+	}
f09e2e
+
f09e2e
+	if (m != NULL) {
f09e2e
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
f09e2e
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
f09e2e
+		    return rc;
f09e2e
+#else
f09e2e
+		ld->ld_matched = m;
f09e2e
+#endif
f09e2e
+	}
f09e2e
+
f09e2e
+	return LDAP_SUCCESS;
f09e2e
+}
f09e2e
+#endif
f09e2e
+
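Review bot: ldap_get_lderrno() hands back `*s` and `*m` with ownership that differs by build configuration: on the ldap_get_option() path, OpenLDAP (per its ldap_get_option(3) manual, as far as I recall) returns freshly allocated copies for LDAP_OPT_ERROR_STRING and LDAP_OPT_MATCHED_DN that the caller must release with ldap_memfree(), while the `#else` branches return pointers into `ld` that must not be freed. A caller cannot tell which it received, so one configuration leaks and the other risks a free of library-owned memory; at minimum document the contract above the function, e.g. `/* *m/*s: on the ldap_get_option() path these are copies the caller must ldap_memfree(); the fallback branches alias fields of ld. */`, and better make the fallback branches strdup() so both paths agree. The fallback branches of ldap_set_lderrno() likewise store the caller's `const char *` directly into `ld->ld_error` / `ld->ld_matched`, discarding const and aliasing caller memory whose lifetime the library presumably expects to control; those struct fields are private in current libldap, so a comment stating which (old) headers this path targets would help. This is also the only new file in the patch without a license header.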
f09e2e
diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
f09e2e
--- openssh-6.2p1/ldapmisc.h.ldap	2013-03-25 21:27:15.893248104 +0100
f09e2e
+++ openssh-6.2p1/ldapmisc.h	2013-03-25 21:27:15.893248104 +0100
f09e2e
@@ -0,0 +1,35 @@
f09e2e
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
f09e2e
+/*
f09e2e
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
f09e2e
+ *
f09e2e
+ * Redistribution and use in source and binary forms, with or without
f09e2e
+ * modification, are permitted provided that the following conditions
f09e2e
+ * are met:
f09e2e
+ * 1. Redistributions of source code must retain the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer.
f09e2e
+ * 2. Redistributions in binary form must reproduce the above copyright
f09e2e
+ *    notice, this list of conditions and the following disclaimer in the
f09e2e
+ *    documentation and/or other materials provided with the distribution.
f09e2e
+ *
f09e2e
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
f09e2e
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
f09e2e
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
f09e2e
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
f09e2e
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
f09e2e
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
f09e2e
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
f09e2e
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
f09e2e
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
f09e2e
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
f09e2e
+ */
f09e2e
+
f09e2e
+#ifndef LDAPMISC_H
f09e2e
+#define LDAPMISC_H
f09e2e
+
f09e2e
+#include "ldapincludes.h"
f09e2e
+
f09e2e
+int ldap_get_lderrno (LDAP *, char **, char **);
f09e2e
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
f09e2e
+
f09e2e
+#endif /* LDAPMISC_H */
f09e2e
+
f09e2e
diff -up openssh-6.2p1/Makefile.in.ldap openssh-6.2p1/Makefile.in
f09e2e
--- openssh-6.2p1/Makefile.in.ldap	2013-03-25 21:27:15.850247822 +0100
f09e2e
+++ openssh-6.2p1/Makefile.in	2013-03-25 21:27:57.356518817 +0100
f09e2e
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
f09e2e
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
f09e2e
 SFTP_SERVER=$(libexecdir)/sftp-server
f09e2e
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
f09e2e
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
f09e2e
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
f09e2e
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
f09e2e
 PRIVSEP_PATH=@PRIVSEP_PATH@
f09e2e
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
f09e2e
@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@
f09e2e
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
f09e2e
 EXEEXT=@EXEEXT@
f09e2e
 MANFMT=@MANFMT@
f09e2e
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
f09e2e
 
f09e2e
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
f09e2e
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
f09e2e
 
f09e2e
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
f09e2e
 	canohost.o channels.o cipher.o cipher-aes.o \
f09e2e
@@ -95,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
f09e2e
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
f09e2e
 	sandbox-seccomp-filter.o
f09e2e
 
f09e2e
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
f09e2e
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
f09e2e
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
f09e2e
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
f09e2e
 MANTYPE		= @MANTYPE@
f09e2e
 
f09e2e
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
f09e2e
@@ -164,6 +167,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
f09e2e
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
f09e2e
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
f09e2e
 
f09e2e
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
f09e2e
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
f09e2e
+
f09e2e
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
f09e2e
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
f09e2e
 
f09e2e
@@ -266,6 +272,10 @@ install-files:
f09e2e
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
f09e2e
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
f09e2e
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
f09e2e
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
f09e2e
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
f09e2e
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
f09e2e
+	fi
f09e2e
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
f09e2e
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
f09e2e
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
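Review bot: The helper install line omits `$(EXEEXT)` and uses `-m 0700`, whereas the uninstall hunk removes `$(SSH_LDAP_HELPER)$(EXEEXT)` and every neighbouring program is installed 0755 with `$(EXEEXT)`, so on a platform with a non-empty EXEEXT install and uninstall would disagree on the filename. Mode 0700 on a root-owned binary means only root can execute it, yet sshd runs AuthorizedKeysCommand as the (normally unprivileged) AuthorizedKeysCommandUser, so either the spec file overrides the mode/ownership or root execution is intended; whichever it is, say so in a comment rather than leaving the deviation unexplained. If the binary itself carries no secret, `$(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper$(EXEEXT) $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)` matches the rest of the file and keeps the protection where it belongs, on ldap.conf. ssh-ldap-wrapper is installed here but is neither built nor listed by any hunk of this patch, so it presumably ships as a pre-written script; a one-line comment naming its source would help the next reader.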
f09e2e
@@ -282,6 +292,10 @@ install-files:
f09e2e
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
f09e2e
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
f09e2e
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
f09e2e
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
f09e2e
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
f09e2e
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
f09e2e
+	fi
f09e2e
 	-rm -f $(DESTDIR)$(bindir)/slogin
f09e2e
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
f09e2e
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
f09e2e
@@ -311,6 +325,13 @@ install-sysconf:
f09e2e
 	else \
f09e2e
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
f09e2e
 	fi
f09e2e
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
f09e2e
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
f09e2e
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
f09e2e
+		else \
f09e2e
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
f09e2e
+		fi ; \
f09e2e
+	fi
f09e2e
 
f09e2e
 host-key: ssh-keygen$(EXEEXT)
f09e2e
 	@if [ -z "$(DESTDIR)" ] ; then \
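Review bot: The sample ldap.conf is installed world-readable (`-m 644`) although this file is where `binddn`/`bindpw` directory credentials go — the shipped template even carries a commented `#bindpw TopSecret` line — so once an administrator fills it in, any local user can read the directory password. Install it `-m 600` and explain why inline: `$(INSTALL) -m 600 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; # may contain bindpw`. Because sshd execs the helper as AuthorizedKeysCommandUser, that account still has to be able to read the file, which a Makefile cannot arrange; presumably the packaging sets the owner/group, and that dependency deserves a comment here so a plain `make install` user knows to do it by hand.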
f09e2e
@@ -368,6 +389,8 @@ uninstall:
f09e2e
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
f09e2e
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
f09e2e
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
f09e2e
+	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
f09e2e
+	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
f09e2e
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
f09e2e
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
f09e2e
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
f09e2e
@@ -379,6 +402,7 @@ uninstall:
f09e2e
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
f09e2e
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
f09e2e
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
f09e2e
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
f09e2e
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
f09e2e
 
f09e2e
 regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
f09e2e
diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
f09e2e
--- openssh-6.2p1/openssh-lpk-openldap.schema.ldap	2013-03-25 21:27:15.894248110 +0100
f09e2e
+++ openssh-6.2p1/openssh-lpk-openldap.schema	2013-03-25 21:27:15.894248110 +0100
f09e2e
@@ -0,0 +1,21 @@
f09e2e
+#
f09e2e
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
f09e2e
+#                              useful with PKA-LDAP also
f09e2e
+#
f09e2e
+# Author: Eric AUGE <eau@phear.org>
f09e2e
+# 
f09e2e
+# Based on the proposal of : Mark Ruijter
f09e2e
+#
f09e2e
+
f09e2e
+
f09e2e
+# octetString SYNTAX
f09e2e
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
f09e2e
+	DESC 'MANDATORY: OpenSSH Public key' 
f09e2e
+	EQUALITY octetStringMatch
f09e2e
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
f09e2e
+
f09e2e
+# printableString SYNTAX yes|no
f09e2e
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
f09e2e
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
f09e2e
+	MUST ( sshPublicKey $ uid ) 
f09e2e
+	)
f09e2e
diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun.schema
f09e2e
--- openssh-6.2p1/openssh-lpk-sun.schema.ldap	2013-03-25 21:27:15.894248110 +0100
f09e2e
+++ openssh-6.2p1/openssh-lpk-sun.schema	2013-03-25 21:27:15.894248110 +0100
f09e2e
@@ -0,0 +1,23 @@
f09e2e
+#
f09e2e
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
f09e2e
+#                              useful with PKA-LDAP also
f09e2e
+#
f09e2e
+# Author: Eric AUGE <eau@phear.org>
f09e2e
+# 
f09e2e
+# Schema for Sun Directory Server.
f09e2e
+# Based on the original schema, modified by Stefan Fischer.
f09e2e
+#
f09e2e
+
f09e2e
+dn: cn=schema
f09e2e
+
f09e2e
+# octetString SYNTAX
f09e2e
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
f09e2e
+	DESC 'MANDATORY: OpenSSH Public key' 
f09e2e
+	EQUALITY octetStringMatch
f09e2e
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
f09e2e
+
f09e2e
+# printableString SYNTAX yes|no
f09e2e
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
f09e2e
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
f09e2e
+	MUST ( sshPublicKey $ uid ) 
f09e2e
+	)
f09e2e
diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
f09e2e
--- openssh-6.2p2/ssh-ldap.conf.5.ldap	2013-06-07 15:10:05.604942680 +0200
f09e2e
+++ openssh-6.2p2/ssh-ldap.conf.5	2013-06-07 15:10:24.928857566 +0200
f09e2e
@@ -0,0 +1,379 @@
f09e2e
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
f09e2e
+.\"
f09e2e
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
f09e2e
+.\"
f09e2e
+.\" Permission to use, copy, modify, and distribute this software for any
f09e2e
+.\" purpose with or without fee is hereby granted, provided that the above
f09e2e
+.\" copyright notice and this permission notice appear in all copies.
f09e2e
+.\"
f09e2e
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
f09e2e
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
f09e2e
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
f09e2e
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
f09e2e
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
f09e2e
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
f09e2e
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
f09e2e
+.\"
f09e2e
+.Dd $Mdocdate: may 12 2010 $
f09e2e
+.Dt SSH-LDAP.CONF 5
f09e2e
+.Os
f09e2e
+.Sh NAME
f09e2e
+.Nm ssh-ldap.conf
f09e2e
+.Nd configuration file for ssh-ldap-helper
f09e2e
+.Sh SYNOPSIS
f09e2e
+.Nm /etc/ssh/ldap.conf
f09e2e
+.Sh DESCRIPTION
f09e2e
+.Xr ssh-ldap-helper 8
f09e2e
+reads configuration data from
f09e2e
+.Pa /etc/ssh/ldap.conf
f09e2e
+(or the file specified with
f09e2e
+.Fl f
f09e2e
+on the command line).
f09e2e
+The file contains keyword-argument pairs, one per line.
f09e2e
+Lines starting with
f09e2e
+.Ql #
f09e2e
+and empty lines are interpreted as comments.
f09e2e
+.Pp
f09e2e
+The value starts with the first non-blank character after 
f09e2e
+the keyword's name, and terminates at the end of the line, 
f09e2e
+or at the last sequence of blanks before the end of the line.
f09e2e
+Quoting values that contain blanks 
f09e2e
+may be incorrect, as the quotes would become part of the value.
f09e2e
+The possible keywords and their meanings are as follows (note that
f09e2e
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
f09e2e
+.Bl -tag -width Ds
f09e2e
+.It Cm URI
f09e2e
+The argument(s) are in the form
f09e2e
+.Pa ldap[si]://[name[:port]]
f09e2e
+and specify the URI(s) of an LDAP server(s) to which the
f09e2e
+.Xr ssh-ldap-helper 8 
f09e2e
+should connect. The URI scheme may be any of
f09e2e
+.Dq ldap ,
f09e2e
+.Dq ldaps 
f09e2e
+or
f09e2e
+.Dq ldapi ,
f09e2e
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
f09e2e
+over IPC (UNIX domain sockets), respectively.
f09e2e
+Each server's name can be specified as a
f09e2e
+domain-style name or an IP address literal.  Optionally, the
f09e2e
+server's name can followed by a ':' and the port number the LDAP
f09e2e
+server is listening on.  If no port number is provided, the default
f09e2e
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
f09e2e
+For LDAP over IPC, name is the name of the socket, and no port
f09e2e
+is required, nor allowed; note that directory separators must be 
f09e2e
+URL-encoded, like any other characters that are special to URLs; 
f09e2e
+A space separated list of URIs may be provided.
f09e2e
+There is no default.
f09e2e
+.It Cm Base
f09e2e
+Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
f09e2e
+The base must be specified as a DN in LDAP format.
f09e2e
+There is no default.
f09e2e
+.It Cm BindDN
f09e2e
+Specifies the default BIND DN to use when connecting to the ldap server.
f09e2e
+The bind DN must be specified as a Distinguished Name in LDAP format.
f09e2e
+There is no default.
f09e2e
+.It Cm BindPW
f09e2e
+Specifies the default password to use when connecting to the ldap server via
f09e2e
+.Cm BindDN .
f09e2e
+There is no default.
f09e2e
+.It Cm RootBindDN
f09e2e
+Intentionaly does nothing. Recognized for compatibility reasons.
f09e2e
+.It Cm Host
f09e2e
+The argument(s) specifies the name(s) of an LDAP server(s) to which the
f09e2e
+.Xr ssh-ldap-helper 8
f09e2e
+should connect.  Each server's name can be specified as a
f09e2e
+domain-style name or an IP address and optionally followed by a ':' and
f09e2e
+the port number the ldap server is listening on.  A space-separated
f09e2e
+list of hosts may be provided.
f09e2e
+There is no default.
f09e2e
+.Cm Host
f09e2e
+is deprecated in favor of
f09e2e
+.Cm URI .
f09e2e
+.It Cm Port
f09e2e
+Specifies the default port used when connecting to LDAP servers(s).
f09e2e
+The port may be specified as a number.
f09e2e
+The default port is 389 for ldap:// or 636 for ldaps:// respectively.
f09e2e
+.Cm Port
f09e2e
+is deprecated in favor of
f09e2e
+.Cm URI .
f09e2e
+.It Cm Scope
f09e2e
+Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
f09e2e
+There are three options (values) that can be assigned to the
f09e2e
+.Cm Scope parameter:
f09e2e
+.Dq base ,
f09e2e
+.Dq one
f09e2e
+and
f09e2e
+.Dq subtree .
f09e2e
+Alias for the subtree is
f09e2e
+.Dq sub .
f09e2e
+The value
f09e2e
+.Dq base
f09e2e
+is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
f09e2e
+The value
f09e2e
+.Dq one
f09e2e
+is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
f09e2e
+The value
f09e2e
+.Dq subtree
f09e2e
+is used to indicate searching of all entries at all levels under and including the specified base DN.
f09e2e
+The default is
f09e2e
+.Dq subtree .
f09e2e
+.It Cm Deref
f09e2e
+Specifies how alias dereferencing is done when performing a search. There are four
f09e2e
+possible values that can be assigned to the
f09e2e
+.Cm Deref
f09e2e
+parameter:
f09e2e
+.Dq never ,
f09e2e
+.Dq searching ,
f09e2e
+.Dq finding ,
f09e2e
+and
f09e2e
+.Dq always .
f09e2e
+The value
f09e2e
+.Dq never
f09e2e
+means that the aliases are never dereferenced.
f09e2e
+The value
f09e2e
+.Dq searching
f09e2e
+means that the aliases are dereferenced in subordinates of the base object, but
f09e2e
+not in locating the base object of the search.
f09e2e
+The value
f09e2e
+.Dq finding
f09e2e
+means that the aliases are only dereferenced when locating the base object of the search.
f09e2e
+The value
f09e2e
+.Dq always
f09e2e
+means that the aliases are dereferenced both in searching and in locating the base object
f09e2e
+of the search.
f09e2e
+The default is
f09e2e
+.Dq never .
f09e2e
+.It Cm TimeLimit
f09e2e
+Specifies a time limit (in seconds) to use when performing searches.
f09e2e
+The number should be a non-negative integer. A
f09e2e
+.Cm TimeLimit
f09e2e
+of zero (0) specifies that the search time is unlimited. Please note that the server
f09e2e
+may still apply any server-side limit on the duration of a search operation.
f09e2e
+The default value is 10.
f09e2e
+.It Cm TimeOut
f09e2e
+Is an aliast to
f09e2e
+.Cm TimeLimit .
f09e2e
+.It Cm Bind_TimeLimit
f09e2e
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
f09e2e
+following a connect(2) returns in case of no activity.
f09e2e
+The default value is 10.
f09e2e
+.It Cm Network_TimeOut
f09e2e
+Is an alias to
f09e2e
+.Cm Bind_TimeLimit .
f09e2e
+.It Cm Ldap_Version
f09e2e
+Specifies what version of the LDAP protocol should be used.
f09e2e
+The allowed values are 2 or 3. The default is 3.
f09e2e
+.It Cm Version
f09e2e
+Is an alias to
f09e2e
+.Cm Ldap_Version .
f09e2e
+.It Cm Bind_Policy
f09e2e
+Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
f09e2e
+.Dq hard
f09e2e
+and
f09e2e
+.Dq soft.
f09e2e
+.Dq hard has 2 aliases
f09e2e
+.Dq hard_open
f09e2e
+and
f09e2e
+.Dq hard_init .
f09e2e
+The value
f09e2e
+.Dq hard
f09e2e
+means that reconects that the
f09e2e
+.Xr ssh-ldap-helper 8
f09e2e
+tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
f09e2e
+The value
f09e2e
+.Dq soft
f09e2e
+means that
f09e2e
+.Xr ssh-ldap-helper 8
f09e2e
+fails immediately when it cannot connect to the LDAP seerver.
f09e2e
+The deault is
f09e2e
+.Dq hard .
f09e2e
+.It Cm SSLPath
f09e2e
+Specifies the path to the X.509 certificate database.
f09e2e
+There is no default.
f09e2e
+.It Cm SSL
f09e2e
+Specifies whether to use SSL/TLS or not.
f09e2e
+There are three allowed values:
f09e2e
+.Dq yes ,
f09e2e
+.Dq no
f09e2e
+and
f09e2e
+.Dq start_tls
f09e2e
+Both
f09e2e
+.Dq true
f09e2e
+and
f09e2e
+.Dq on
f09e2e
+are the aliases for
f09e2e
+.Dq yes .
f09e2e
+.Dq false
f09e2e
+and
f09e2e
+.Dq off
f09e2e
+are the aliases for
f09e2e
+.Dq no .
f09e2e
+If
f09e2e
+.Dq start_tls
f09e2e
+is specified then StartTLS is used rather than raw LDAP over SSL.
f09e2e
+The default for ldap:// is
f09e2e
+.Dq start_tls ,
f09e2e
+for ldaps://
f09e2e
+.Dq yes
f09e2e
+and
f09e2e
+.Dq no
f09e2e
+for the ldapi:// .
f09e2e
+In case of host based configuration the default is
f09e2e
+.Dq start_tls .
f09e2e
+.It Cm Referrals
f09e2e
+Specifies if the client should automatically follow referrals returned
f09e2e
+by LDAP servers.
f09e2e
+The value can be or
f09e2e
+.Dq yes
f09e2e
+or
f09e2e
+.Dq no .
f09e2e
+.Dq true
f09e2e
+and
f09e2e
+.Dq on
f09e2e
+are the aliases for
f09e2e
+.Dq yes .
f09e2e
+.Dq false
f09e2e
+and
f09e2e
+.Dq off
f09e2e
+are the aliases for
f09e2e
+.Dq no .
f09e2e
+The default is yes.
f09e2e
+.It Cm Restart
f09e2e
+Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
f09e2e
+The value can be or
f09e2e
+.Dq yes
f09e2e
+or
f09e2e
+.Dq no .
f09e2e
+.Dq true
f09e2e
+and
f09e2e
+.Dq on
f09e2e
+are the aliases for
f09e2e
+.Dq yes .
f09e2e
+.Dq false
f09e2e
+and
f09e2e
+.Dq off
f09e2e
+are the aliases for
f09e2e
+.Dq no .
f09e2e
+The default is yes.
f09e2e
+.It Cm TLS_CheckPeer
f09e2e
+Specifies what checks to perform on server certificates in a TLS session,
f09e2e
+if any. The value
f09e2e
+can be specified as one of the following keywords:
f09e2e
+.Dq never ,
f09e2e
+.Dq hard ,
f09e2e
+.Dq demand ,
f09e2e
+.Dq allow
f09e2e
+and
f09e2e
+.Dq try .
f09e2e
+.Dq true ,
f09e2e
+.Dq on
f09e2e
+and
f09e2e
+.Dq yes
f09e2e
+are aliases for
f09e2e
+.Dq hard .
f09e2e
+.Dq false ,
f09e2e
+.Dq off
f09e2e
+and
f09e2e
+.Dq no
f09e2e
+are the aliases for
f09e2e
+.Dq never .
f09e2e
+The value
f09e2e
+.Dq never
f09e2e
+means that the client will not request or check any server certificate.
f09e2e
+The value
f09e2e
+.Dq allow
f09e2e
+means that the server certificate is requested. If no certificate is provided,
f09e2e
+the session proceeds normally. If a bad certificate is provided, it will
f09e2e
+be ignored and the session proceeds normally.
f09e2e
+The value
f09e2e
+.Dq try
f09e2e
+means that the server certificate is requested. If no certificate is provided,
f09e2e
+the session proceeds normally. If a bad certificate is provided,
f09e2e
+the session is immediately terminated.
f09e2e
+The value
f09e2e
+.Dq demand
f09e2e
+means that the server certificate is requested. If no
f09e2e
+certificate is provided, or a bad certificate is provided, the session
f09e2e
+is immediately terminated.
f09e2e
+The value
f09e2e
+.Dq hard
f09e2e
+is the same as
f09e2e
+.Dq demand .
f09e2e
+It requires an SSL connection. In the case of the plain conection the
f09e2e
+session is immediately terminated.
f09e2e
+The default is
f09e2e
+.Dq hard .
f09e2e
+.It Cm TLS_ReqCert
f09e2e
+Is an alias for 
f09e2e
+.Cm TLS_CheckPeer .
f09e2e
+.It Cm TLS_CACertFile
f09e2e
+Specifies the file that contains certificates for all of the Certificate
f09e2e
+Authorities the client will recognize.
f09e2e
+There is no default.
f09e2e
+.It Cm TLS_CACert
f09e2e
+Is an alias for
f09e2e
+.Cm TLS_CACertFile .
f09e2e
+.It Cm TLS_CACertDIR
f09e2e
+Specifies the path of a directory that contains Certificate Authority
f09e2e
+certificates in separate individual files. The
f09e2e
+.Cm TLS_CACert
f09e2e
+is always used before
f09e2e
+.Cm TLS_CACertDir .
f09e2e
+The specified directory must be managed with the OpenSSL c_rehash utility.
f09e2e
+There is no default.
f09e2e
+.It Cm TLS_Ciphers
f09e2e
+Specifies acceptable cipher suite and preference order.
f09e2e
+The value should be a cipher specification for OpenSSL,
f09e2e
+e.g.,
f09e2e
+.Dq HIGH:MEDIUM:+SSLv2 .
f09e2e
+The default is
f09e2e
+.Dq ALL .
f09e2e
+.It Cm TLS_Cipher_Suite
f09e2e
+Is an alias for
f09e2e
+.Cm TLS_Ciphers .
f09e2e
+.It Cm TLS_Cert
f09e2e
+Specifies the file that contains the client certificate.
f09e2e
+There is no default.
f09e2e
+.It Cm TLS_Certificate
f09e2e
+Is an alias for
f09e2e
+.Cm TLS_Cert .
f09e2e
+.It Cm TLS_Key
f09e2e
+Specifies the file that contains the private key that matches the certificate
f09e2e
+stored in the
f09e2e
+.Cm TLS_Cert
f09e2e
+file. Currently, the private key must not be protected with a password, so
f09e2e
+it is of critical importance that the key file is protected carefully.
f09e2e
+There is no default.
f09e2e
+.It Cm TLS_RandFile
f09e2e
+Specifies the file to obtain random bits from when /dev/[u]random is
f09e2e
+not available. Generally set to the name of the EGD/PRNGD socket.
f09e2e
+The environment variable RANDFILE can also be used to specify the filename.
f09e2e
+There is no default.
f09e2e
+.It Cm LogDir
f09e2e
+Specifies the directory used for logging by the LDAP client library.
f09e2e
+There is no default.
f09e2e
+.It Cm Debug
f09e2e
+Specifies the debug level used for logging by the LDAP client library.
f09e2e
+There is no default.
f09e2e
+.It Cm SSH_Filter
f09e2e
+Specifies the user filter applied on the LDAP serch.
f09e2e
+The default is no filter.
f09e2e
+.It Cm AccountClass
f09e2e
+Specifies the LDAP class used to find user accounts.
f09e2e
+The default is posixAccount.
f09e2e
+.El
f09e2e
+.Sh FILES
f09e2e
+.Bl -tag -width Ds
f09e2e
+.It Pa  /etc/ssh/ldap.conf
f09e2e
+Ldap configuration file for
f09e2e
+.Xr ssh-ldap-helper 8 .
f09e2e
+.El
f09e2e
+.Sh "SEE ALSO"
f09e2e
+.Xr ldap.conf 5 ,
f09e2e
+.Xr ssh-ldap-helper 8
f09e2e
+.Sh HISTORY
f09e2e
+.Nm
f09e2e
+first appeared in
f09e2e
+OpenSSH 5.5 + PKA-LDAP .
f09e2e
+.Sh AUTHORS
f09e2e
+.An Jan F. Chadima Aq jchadima@redhat.com
f09e2e
diff -up openssh-6.2p1/ssh-ldap-helper.8.ldap openssh-6.2p1/ssh-ldap-helper.8
f09e2e
--- openssh-6.2p1/ssh-ldap-helper.8.ldap	2013-03-25 21:27:15.895248117 +0100
f09e2e
+++ openssh-6.2p1/ssh-ldap-helper.8	2013-03-25 21:27:15.895248117 +0100
f09e2e
@@ -0,0 +1,79 @@
f09e2e
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
f09e2e
+.\"
f09e2e
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
f09e2e
+.\"
f09e2e
+.\" Permission to use, copy, modify, and distribute this software for any
f09e2e
+.\" purpose with or without fee is hereby granted, provided that the above
f09e2e
+.\" copyright notice and this permission notice appear in all copies.
f09e2e
+.\"
f09e2e
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
f09e2e
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
f09e2e
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
f09e2e
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
f09e2e
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
f09e2e
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
f09e2e
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
f09e2e
+.\"
f09e2e
+.Dd $Mdocdate: April 29 2010 $
f09e2e
+.Dt SSH-LDAP-HELPER 8
f09e2e
+.Os
f09e2e
+.Sh NAME
f09e2e
+.Nm ssh-ldap-helper
f09e2e
+.Nd sshd helper program for ldap support
f09e2e
+.Sh SYNOPSIS
f09e2e
+.Nm ssh-ldap-helper
f09e2e
+.Op Fl devw
f09e2e
+.Op Fl f Ar file
f09e2e
+.Op Fl s Ar user
f09e2e
+.Sh DESCRIPTION
f09e2e
+.Nm
f09e2e
+is used by
f09e2e
+.Xr sshd 1
f09e2e
+to access keys provided by an LDAP.
f09e2e
+.Nm
f09e2e
+is disabled by default and can only be enabled in the
f09e2e
+sshd configuration file
f09e2e
+.Pa /etc/ssh/sshd_config
f09e2e
+by setting
f09e2e
+.Cm AuthorizedKeysCommand
f09e2e
+to
f09e2e
+.Dq /usr/libexec/ssh-ldap-wrapper .
f09e2e
+.Pp
f09e2e
+.Nm
f09e2e
+is not intended to be invoked by the user, but from
f09e2e
+.Xr sshd 8 via
f09e2e
+.Xr ssh-ldap-wrapper .
f09e2e
+.Pp
f09e2e
+The options are as follows:
f09e2e
+.Bl -tag -width Ds
f09e2e
+.It Fl d
f09e2e
+Set the debug mode; 
f09e2e
+.Nm
f09e2e
+prints all logs to stderr instead of syslog.
f09e2e
+.It Fl e
f09e2e
+Implies \-w;
f09e2e
+.Nm
f09e2e
+halts if it encounters an unknown item in the ldap.conf file.
f09e2e
+.It Fl f
f09e2e
+.Nm
f09e2e
+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
f09e2e
+.It Fl s
f09e2e
+.Nm
f09e2e
+prints out the user's keys to stdout and exits.
f09e2e
+.It Fl v
f09e2e
+Implies \-d;
f09e2e
+increases verbosity.
f09e2e
+.It Fl w
f09e2e
+.Nm
f09e2e
+writes warnings about unknown items in the ldap.conf configuration file.
f09e2e
+.El
f09e2e
+.Sh SEE ALSO
f09e2e
+.Xr sshd 8 ,
f09e2e
+.Xr sshd_config 5 ,
f09e2e
+.Xr ssh-ldap.conf 5 ,
f09e2e
+.Sh HISTORY
f09e2e
+.Nm
f09e2e
+first appeared in
f09e2e
+OpenSSH 5.5 + PKA-LDAP .
f09e2e
+.Sh AUTHORS
f09e2e
+.An Jan F. Chadima Aq jchadima@redhat.com
f09e2e
diff -up openssh-6.2p1/ssh-ldap-wrapper.ldap openssh-6.2p1/ssh-ldap-wrapper
f09e2e
--- openssh-6.2p1/ssh-ldap-wrapper.ldap	2013-03-25 21:27:15.896248124 +0100
f09e2e
+++ openssh-6.2p1/ssh-ldap-wrapper	2013-03-25 21:27:15.896248124 +0100
f09e2e
@@ -0,0 +1,4 @@
f09e2e
+#!/bin/sh
f09e2e
+
f09e2e
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
f09e2e
+
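Review bot: The `exec` line forwards `"$1"` to the helper without checking that an argument was supplied, so if the wrapper is ever run with no user name the helper is invoked as `-s ""` and the outcome depends on how it handles an empty name; a guard such as `[ $# -eq 1 ] || exit 1` placed before the `exec` makes that failure explicit at the wrapper. The script also carries no comment on its role; a line like `# AuthorizedKeysCommand wrapper: sshd passes the login name as the sole argument.` under the shebang would help, since the ssh-ldap-helper.8 hunk in this patch directs AuthorizedKeysCommand at this wrapper. That man page names the wrapper as /usr/libexec/ssh-ldap-wrapper while this script execs /usr/libexec/openssh/ssh-ldap-helper; whether both paths match the package's install layout is not visible here and is worth confirming. The trailing empty `+` line at the end of the file can be dropped.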