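diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
--- openssh-5.8p1/configure.ac.ldap	2011-04-01 09:01:18.559688927 +0200
+++ openssh-5.8p1/configure.ac	2011-04-01 09:01:18.972717095 +0200
@@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
 	]
 )
 
+# Check whether user wants LDAP support
+LDAP_MSG="no"
+INSTALL_SSH_LDAP_HELPER=""
+AC_ARG_WITH(ldap,
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+
+			INSTALL_SSH_LDAP_HELPER="yes"
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
+
+			if test "x$withval" != "xyes" ; then
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
+			fi
+
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
+			LDAP_MSG="yes"
+
+			AC_CHECK_HEADERS(lber.h)
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
+			AC_CHECK_HEADERS(ldap_ssl.h)
+
+			AC_ARG_WITH(ldap-lib,
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+
+			if test -z "$with_ldap_lib"; then
+				with_ldap_lib=auto
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
+				fi
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib"; then
+				AC_MSG_ERROR(could not locate a valid LDAP library)
+			fi
+
+			AC_MSG_CHECKING([for working LDAP support])
+			AC_TRY_COMPILE(
+				[#include <sys/types.h>
+				 #include <ldap.h>],
+				[(void)ldap_init(0, 0);],
+				[AC_MSG_RESULT(yes)],
+				[
+				    AC_MSG_RESULT(no) 
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
+				])
+			AC_CHECK_FUNCS( \
+				ldap_init \
+				ldap_get_lderrno \
+				ldap_set_lderrno \
+				ldap_parse_result \
+				ldap_memfree \
+				ldap_controls_free \
+				ldap_set_option \
+				ldap_get_option \
+				ldapssl_init \
+				ldap_start_tls_s \
+				ldap_pvt_tls_set_option \
+				ldap_initialize \
+			)
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
+				AC_TRY_COMPILE(
+					[#include <lber.h>
+					#include <ldap.h>],
+					[ldap_set_rebind_proc(0, 0, 0);],
+					[ac_cv_ldap_set_rebind_proc=3],
+					[ac_cv_ldap_set_rebind_proc=2])
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
+			)
+		fi
+	]
+)
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \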
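Review bot: The `AC_CHECK_LIB(lber, main, ...)` and `AC_CHECK_LIB(ldap, main, ...)` probes (and the netscape variants that follow them) only prove that a library of that name links, not that it provides the LDAP API, so an unrelated or stub library satisfies them and the shortfall is first noticed by the "for working LDAP support" test, which is an `AC_TRY_COMPILE` and never links either. Probing a symbol the code actually calls is the usual fix, e.g. `AC_CHECK_LIB(lber, ber_free, LIBS="-llber $LIBS" found_ldap_lib=yes)` and `AC_CHECK_LIB(ldap, ldap_init, LIBS="-lldap $LIBS" found_ldap_lib=yes)`, consistent with the `ldap_init(0, 0)` call the later test compiles. `AC_TRY_COMPILE` is obsolete in current autoconf; `AC_COMPILE_IFELSE([AC_LANG_PROGRAM(...)], ...)` is the replacement for both uses in this hunk. The rebind-proc probe also stores its result in `ac_cv_ldap_set_rebind_proc` without going through `AC_CACHE_CHECK`, so the `ac_cv_` prefix promises caching behaviour the code does not implement; a name outside that namespace would be clearer.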
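diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
--- openssh-5.8p1/HOWTO.ldap-keys.ldap	2011-04-01 09:01:19.000648742 +0200
+++ openssh-5.8p1/HOWTO.ldap-keys	2011-04-01 09:01:19.564648857 +0200
@@ -0,0 +1,108 @@
+
+HOW TO START
+
+1) configure LDAP server
+  * Use LDAP server documentation
+2) add appropriate LDAP schema
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
+  * LDAP user entry
+        User entry:
+	- attached to the 'ldapPublicKey' objectclass
+	- attached to the 'posixAccount' objectclass
+	- with a filled 'sshPublicKey' attribute 
+3) insert users into LDAP
+  * Use LDAP Tree management tool as useful
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
+  * Example:
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
+	objectclass: top
+	objectclass: person
+	objectclass: organizationalPerson
+	objectclass: posixAccount
+	objectclass: ldapPublicKey
+	description: Jonathan Archer
+	userPassword: Porthos
+	cn: onathan Archer
+	sn: onathan Archer
+	uid: captain
+	uidNumber: 1001
+	gidNumber: 1001
+	homeDirectory: /home/captain
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
+4) on the ssh side set in sshd_config
+  * Set up the backend
+	AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+	AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
+  * Do not forget to set
+	PubkeyAuthentication yes
+  * Swith off unnecessary auth methods
+5) confugure ldap.conf
+  * Default ldap.conf is placed in /etc/ssh
+  * The configuration style is the same as other ldap based aplications
+6) if necessary edit ssh-ldap-wrapper
+  * There is a possibility to change ldap.conf location
+  * There are some debug options
+  * Example
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
+
+HOW TO MIGRATE FROM LPK
+
+1) goto HOW TO START 4) .... the ldap schema is the same
+
+2) convert the group requests to the appropriate LDAP requests
+
+HOW TO SOLVE PROBLEMS
+
+1) use debug in sshd
+  * /usr/sbin/sshd -d -d -d -d
+2) use debug in ssh-ldap-helper
+  * ssh-ldap-helper -d -d -d -d -s <username>
+3) use tcpdump ... other ldap client etc.
+
+ADVANTAGES
+
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
+
+DISADVANTAGES
+
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
+  of your users in all your server farm -- be VERY CAREFUL.
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
+  as the impersonated user.
+3) If LDAP server is down there may be no fallback on passwd auth.
+  
+MISC.
+  
+1) todo
+  * Possibility to reuse the ssh-ldap-helper.
+  * Tune the LDAP part to accept  all possible LDAP configurations.
+
+2) differences from original lpk
+  * No LDAP code in sshd.
+  * Support for various LDAP platforms and configurations.
+  * LDAP is configured in separate ldap.conf file.
+
+3) docs/link 
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
+  * http://fritz.potsdam.edu/projects/sshgate/
+  * http://dev.inversepath.com/trac/openssh-lpk
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+
+4) contributors/ideas/greets
+  - Eric AUGE <eau@phear.org>
+  - Andrea Barisani <andrea@inversepath.com>
+  - Falk Siemonsmeier.
+  - Jacob Rief.
+  - Michael Durchgraf.
+  - frederic peters.
+  - Finlay dobbie.
+  - Stefan Fisher.
+  - Robin H. Johnson.
+  - Adrian Bridgett.
+
+5) Author
+    Jan F. Chadima <jchadima@redhat.com>
+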
Jan F 1499a2
diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
Jan F 1f6bdc
--- openssh-5.8p1/ldapbody.c.ldap	2011-04-01 09:01:19.024648747 +0200
Jan F 1f6bdc
+++ openssh-5.8p1/ldapbody.c	2011-04-01 09:01:19.032648722 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,494 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+#include "log.h"
Jan F. Chadima 7e7fb4
+#include "xmalloc.h"
Jan F. Chadima 7e7fb4
+#include "ldapconf.h"
Jan F. Chadima 7e7fb4
+#include "ldapmisc.h"
Jan F. Chadima 7e7fb4
+#include "ldapbody.h"
Jan F. Chadima 7e7fb4
+#include <stdio.h>
Jan F. Chadima 7e7fb4
+#include <unistd.h>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
Jan F. Chadima 7e7fb4
+#define PUBKEYATTR "sshPublicKey"
Jan F. Chadima 7e7fb4
+#define LDAP_LOGFILE	"%s/ldap.%d"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static FILE *logfile = NULL;
Jan F. Chadima 7e7fb4
+static LDAP *ld;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static char *attrs[] = {
Jan F. Chadima 7e7fb4
+    PUBKEYATTR,
Jan F. Chadima 7e7fb4
+    NULL
Jan F. Chadima 7e7fb4
+};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+ldap_checkconfig (void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_INITIALIZE
Jan F. Chadima 7e7fb4
+		if (options.host == NULL && options.uri == NULL)
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		if (options.host == NULL)
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		    fatal ("missing  \"host\" in config file");
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
Jan F. Chadima 7e7fb4
+static int
Jan F. Chadima 7e7fb4
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	struct timeval timeout;
Jan F. Chadima 7e7fb4
+	int rc;
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 7e7fb4
+	LDAPMessage *result;
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
Jan F. Chadima 7e7fb4
+	if (options.ssl == SSL_START_TLS) {
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+			return LDAP_OPERATIONS_ERROR;
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 7e7fb4
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
Jan F. Chadima 7e7fb4
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	timeout.tv_sec = options.bind_timelimit;
Jan F. Chadima 7e7fb4
+	timeout.tv_usec = 0;
Jan F. Chadima 7e7fb4
+	result = NULL;
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Jan F. Chadima 7e7fb4
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Jan F. Chadima 7e7fb4
+		ldap_msgfree (result);
Jan F. Chadima 7e7fb4
+		return LDAP_OPERATIONS_ERROR;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
Jan F. Chadima 7e7fb4
+	return rc;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static int
Jan F. Chadima 7e7fb4
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (freeit)
Jan F. Chadima 7e7fb4
+	    return LDAP_SUCCESS;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	*whop = strdup (options.binddn);
Jan F. Chadima 7e7fb4
+	*credp = strdup (options.bindpw);
Jan F. Chadima 7e7fb4
+	*methodp = LDAP_AUTH_SIMPLE;
Jan F. Chadima 7e7fb4
+	debug2 ("Doing LDAP rebind for %s", *whop);
Jan F. Chadima 7e7fb4
+	return LDAP_SUCCESS;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+ldap_do_connect(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	int rc, msgid, ld_errno = 0;
Jan F. Chadima 7e7fb4
+	struct timeval timeout;
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 7e7fb4
+	int parserc;
Jan F. Chadima 7e7fb4
+	LDAPMessage *result;
Jan F. Chadima 7e7fb4
+	LDAPControl **controls;
Jan F. Chadima 7e7fb4
+	int reconnect = 0;
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug ("LDAP do connect");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+retry:
Jan F. Chadima 7e7fb4
+	if (reconnect) {
Jan F. Chadima 7e7fb4
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
Jan F. Chadima 7e7fb4
+		if (options.bind_policy == 0 ||
Jan F. Chadima 7e7fb4
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
Jan F. Chadima 7e7fb4
+			reconnect > 5)
Jan F. Chadima 7e7fb4
+			    fatal ("Cannot connect to LDAP server");
Jan F. Chadima 7e7fb4
+	
Jan F. Chadima 7e7fb4
+		if (reconnect > 1)
Jan F. Chadima 7e7fb4
+			sleep (reconnect - 1);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		if (ld != NULL) {
Jan F. Chadima 7e7fb4
+			ldap_unbind (ld);
Jan F. Chadima 7e7fb4
+			ld = NULL;
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+		logit("reconnecting to LDAP server...");
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (ld == NULL) {
Jan F. Chadima 7e7fb4
+		int rc;
Jan F. Chadima 7e7fb4
+		struct timeval tv;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 7e7fb4
+		if (options.debug > 0) {
Jan F. Chadima 7e7fb4
+#ifdef LBER_OPT_LOG_PRINT_FILE
Jan F. Chadima 7e7fb4
+			if (options.logdir) {
Jan F. Chadima 7e7fb4
+				char *logfilename;
Jan F. Chadima 7e7fb4
+				int logfilenamelen;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
Jan F. Chadima 7e7fb4
+				logfilename = xmalloc (logfilenamelen);
Jan F. Chadima 7e7fb4
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
Jan F. Chadima 7e7fb4
+				logfilename[logfilenamelen - 1] = 0;
Jan F. Chadima 7e7fb4
+				if ((logfile = fopen (logfilename, "a")) == NULL)
Jan F. Chadima 7e7fb4
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
Jan F. Chadima 7e7fb4
+				debug3 ("LDAP debug into %s", logfilename);
Jan F. Chadima 7e7fb4
+				xfree (logfilename);
Jan F. Chadima 7e7fb4
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+			if (options.debug) {
Jan F. Chadima 7e7fb4
+#ifdef LBER_OPT_DEBUG_LEVEL
Jan F. Chadima 7e7fb4
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
Jan F. Chadima 7e7fb4
+#endif /* LBER_OPT_DEBUG_LEVEL */
Jan F. Chadima 7e7fb4
+#ifdef LDAP_OPT_DEBUG_LEVEL
Jan F. Chadima 7e7fb4
+				ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
Jan F. Chadima 7e7fb4
+#endif /* LDAP_OPT_DEBUG_LEVEL */
Jan F. Chadima 7e7fb4
+				debug3 ("Set LDAP debug to %d", options.debug);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_SET_OPTION */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		ld = NULL;
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAPSSL_INIT
Jan F. Chadima 7e7fb4
+		if (options.host != NULL) {
Jan F. Chadima 7e7fb4
+			if (options.ssl_on == SSL_LDAPS) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("LDAPssl client init");
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			if (options.ssl_on != SSL_OFF) {
Jan F. Chadima 7e7fb4
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
Jan F. Chadima 7e7fb4
+				    fatal ("ldapssl_init failed");
Jan F. Chadima 7e7fb4
+				debug3 ("LDAPssl init");
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAPSSL_INIT */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		/* continue with opening */
Jan F. Chadima 7e7fb4
+		if (ld == NULL) {
Jan F. Chadima 7e7fb4
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
Jan F. Chadima 7e7fb4
+			/* Some global TLS-specific options need to be set before we create our
Jan F. Chadima 7e7fb4
+			 * session context, so we set them here. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
Jan F. Chadima 7e7fb4
+			/* rand file */
Jan F. Chadima 7e7fb4
+			if (options.tls_randfile != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
Jan F. Chadima 7e7fb4
+				    options.tls_randfile)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS random file %s", options.tls_randfile);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* ca cert file */
Jan F. Chadima 7e7fb4
+			if (options.tls_cacertfile != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
Jan F. Chadima 7e7fb4
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* ca cert directory */
Jan F. Chadima 7e7fb4
+			if (options.tls_cacertdir != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
Jan F. Chadima 7e7fb4
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* require cert? */
Jan F. Chadima 7e7fb4
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
Jan F. Chadima 7e7fb4
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
Jan F. Chadima 7e7fb4
+				    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* set cipher suite, certificate and private key: */
Jan F. Chadima 7e7fb4
+			if (options.tls_ciphers != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
Jan F. Chadima 7e7fb4
+				    options.tls_ciphers)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* cert file */
Jan F. Chadima 7e7fb4
+			if (options.tls_cert != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
Jan F. Chadima 7e7fb4
+				    options.tls_cert)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* key file */
Jan F. Chadima 7e7fb4
+			if (options.tls_key != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
Jan F. Chadima 7e7fb4
+				    options.tls_key)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS key file %s ", options.tls_key);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_INITIALIZE
Jan F. Chadima 7e7fb4
+			if (options.uri != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("LDAP initialize %s", options.uri);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_INTITIALIZE */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		/* continue with opening */
Jan F. Chadima 7e7fb4
+		if ((ld == NULL) && (options.host != NULL)) {
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_INIT
Jan F. Chadima 7e7fb4
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
Jan F. Chadima 7e7fb4
+			    fatal ("ldap_init failed");
Jan F. Chadima 7e7fb4
+			debug3 ("LDAP init %s:%d", options.host, options.port);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
Jan F. Chadima 7e7fb4
+			    fatal ("ldap_open failed");
Jan F. Chadima 7e7fb4
+			debug3 ("LDAP open %s:%d", options.host, options.port);
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_INIT */
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		if (ld == NULL)
Jan F. Chadima 7e7fb4
+			fatal ("no way to open ldap");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
Jan F. Chadima 7e7fb4
+		if (options.ssl == SSL_LDAPS) {
Jan F. Chadima 7e7fb4
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+#endif /* LDAP_OPT_X_TLS */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Jan F. Chadima 7e7fb4
+		    &options.ldap_version);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_version = options.ldap_version;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set version to %d", options.ldap_version);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if LDAP_SET_REBIND_PROC_ARGS == 3
Jan F. Chadima 7e7fb4
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
Jan F. Chadima 7e7fb4
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
Jan F. Chadima 7e7fb4
+		ldap_set_rebind_proc (ld, _rebind_proc);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set rebind proc");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_deref = options.deref;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set deref to %d", options.deref);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
Jan F. Chadima 7e7fb4
+		    &options.timelimit);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_timelimit = options.timelimit;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
Jan F. Chadima 7e7fb4
+		/*
Jan F. Chadima 7e7fb4
+		 * This is a new option in the Netscape SDK which sets 
Jan F. Chadima 7e7fb4
+		 * the TCP connect timeout. For want of a better value,
Jan F. Chadima 7e7fb4
+		 * we use the bind_timelimit to control this.
Jan F. Chadima 7e7fb4
+		 */
Jan F. Chadima 7e7fb4
+		timeout = options.bind_timelimit * 1000;
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
Jan F. Chadima 7e7fb4
+		tv.tv_sec = options.bind_timelimit;
Jan F. Chadima 7e7fb4
+		tv.tv_usec = 0;
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
Jan F. Chadima 7e7fb4
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set referrals to %d", options.referrals);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
Jan F. Chadima 7e7fb4
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set restart to %d", options.restart);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_START_TLS_S
Jan F. Chadima 7e7fb4
+		if (options.ssl == SSL_START_TLS) {
Jan F. Chadima 7e7fb4
+			int version;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
Jan F. Chadima 7e7fb4
+			    == LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+				if (version < LDAP_VERSION3) {
Jan F. Chadima 7e7fb4
+					version = LDAP_VERSION3;
Jan F. Chadima 7e7fb4
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Jan F. Chadima 7e7fb4
+					    &version);
Jan F. Chadima 7e7fb4
+					debug3 ("LDAP set version to %d", version);
Jan F. Chadima 7e7fb4
+				}
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+			debug3 ("LDAP start TLS");
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_START_TLS_S */
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
Jan F. Chadima 7e7fb4
+	    options.bindpw)) == -1) {
Jan F. Chadima 7e7fb4
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
Jan F. Chadima 7e7fb4
+		reconnect++;
Jan F. Chadima 7e7fb4
+		goto retry;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP simple bind (%s)", options.binddn);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	timeout.tv_sec = options.bind_timelimit;
Jan F. Chadima 7e7fb4
+	timeout.tv_usec = 0;
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Jan F. Chadima 7e7fb4
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		error ("ldap_result %s", ldap_err2string (ld_errno));
Jan F. Chadima 7e7fb4
+		reconnect++;
Jan F. Chadima 7e7fb4
+		goto retry;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP result in time");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 7e7fb4
+	controls = NULL;
Jan F. Chadima 7e7fb4
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP parse result OK");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (controls != NULL) {
Jan F. Chadima 7e7fb4
+		ldap_controls_free (controls);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+	rc = ldap_result2error (session->ld, result, TRUE);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	if (rc != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    fatal ("error trying to bind as user \"%s\" (%s)",
Jan F. Chadima 7e7fb4
+		options.binddn, ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug2 ("LDAP do connect OK");
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+process_user (const char *user, FILE *output)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	LDAPMessage *res, *e;
Jan F. Chadima 7e7fb4
+	char *buffer;
Jan F. Chadima 7e7fb4
+	int bufflen, rc, i;
Jan F. Chadima 7e7fb4
+	struct timeval timeout;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug ("LDAP process user");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* quick check for attempts to be evil */
Jan F. Chadima 7e7fb4
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
Jan F. Chadima 7e7fb4
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
Jan F. Chadima 7e7fb4
+		logit ("illegal user name %s not processed", user);
Jan F. Chadima 7e7fb4
+		return;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* build  filter for LDAP request */
Jan F. Chadima 7e7fb4
+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
Jan F. Chadima 7e7fb4
+	if (options.ssh_filter != NULL)
Jan F. Chadima 7e7fb4
+	    bufflen += strlen (options.ssh_filter);
Jan F. Chadima 7e7fb4
+	buffer = xmalloc (bufflen);
Jan F. Chadima 7e7fb4
+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
Jan F. Chadima 7e7fb4
+	buffer[bufflen - 1] = 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	timeout.tv_sec = options.timelimit;
Jan F. Chadima 7e7fb4
+	timeout.tv_usec = 0;
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+		xfree (buffer);
Jan F. Chadima 7e7fb4
+		return;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* free */
Jan F. Chadima 7e7fb4
+	xfree (buffer);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
Jan F. Chadima 7e7fb4
+		int num;
Jan F. Chadima 7e7fb4
+		struct berval **keys;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
Jan F. Chadima 7e7fb4
+		num = ldap_count_values_len(keys);
Jan F. Chadima 7e7fb4
+		for (i = 0 ; i < num ; i++) {
Jan F. Chadima 7e7fb4
+			char *cp; //, *options = NULL;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
Jan F. Chadima 7e7fb4
+			if (!*cp || *cp == '\n' || *cp == '#')
Jan F. Chadima 7e7fb4
+			    continue;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* We have found the desired key. */
Jan F. Chadima 7e7fb4
+			fprintf (output, "%s\n", keys[i]->bv_val);
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		ldap_value_free_len(keys);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	ldap_msgfree(res);
Jan F. Chadima 7e7fb4
+	debug2 ("LDAP process user finished");
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+ldap_do_close(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	int rc;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug ("LDAP do close");
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    fatal ("ldap_unbind_ext: %s",
Jan F. Chadima 7e7fb4
+                                    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	ld = NULL;
Jan F. Chadima 7e7fb4
+	debug2 ("LDAP do close OK");
Jan F. Chadima 7e7fb4
+	return;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
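--- a/openssh-5.8p1/ldapbody.h
+++ b/openssh-5.8p1/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPBODY_H
+#define LDAPBODY_H
+
+#include <stdio.h>
+
+void ldap_checkconfig(void);
+void ldap_do_connect(void);
+void process_user(const char *, FILE *);
+void ldap_do_close(void);
+
+#endif /* LDAPBODY_H */
+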
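Review bot: The four prototypes in this new header carry no comment describing what each routine does or expects, so a caller has to read ldapbody.c to learn that `process_user` searches for a user's keys and prints them, or that `ldap_do_close` invalidates the shared handle. From the visible ldapbody.c hunk I would add `/* Search the directory for user's public keys and write each one, newline-terminated, to output; names containing LDAP filter metacharacters are logged and skipped. */` above `process_user`, and `/* Unbind the global LDAP handle and reset it to NULL; fatal on failure. */` above `ldap_do_close`. The visible tail of `ldap_do_connect` performs the simple bind and is fatal if it fails (its start is outside this view), and `ldap_checkconfig` is not visible at all, so comments for those two should be confirmed against the implementation. Naming is also uneven: `process_user` is the only routine here without the `ldap_` prefix the others use, which is worth aligning for a symbol exported from a shared header.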
Jan F 1499a2
diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
Jan F 1f6bdc
--- openssh-5.8p1/ldapconf.c.ldap	2011-04-01 09:01:19.073648744 +0200
Jan F 1f6bdc
+++ openssh-5.8p1/ldapconf.c	2011-04-01 09:01:19.082648746 +0200
Jan F. Chadima 86b2d1
@@ -0,0 +1,682 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+#include "ldap-helper.h"
Jan F. Chadima 7e7fb4
+#include "log.h"
Jan F. Chadima 7e7fb4
+#include "misc.h"
Jan F. Chadima 7e7fb4
+#include "xmalloc.h"
Jan F. Chadima 7e7fb4
+#include "ldapconf.h"
Jan F. Chadima 7e7fb4
+#include <unistd.h>
Jan F. Chadima 7e7fb4
+#include <string.h>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/* Keyword tokens. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+typedef enum {
Jan F. Chadima 7e7fb4
+	lBadOption,
Jan F. Chadima 7e7fb4
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
Jan F. Chadima 7e7fb4
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
Jan F. Chadima 7e7fb4
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
Jan F. Chadima 86b2d1
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
Jan F. Chadima 7e7fb4
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
Jan F. Chadima 86b2d1
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
Jan F. Chadima 7e7fb4
+	lDeprecated, lUnsupported
Jan F. Chadima 7e7fb4
+} OpCodes;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/* Textual representations of the tokens. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct {
Jan F. Chadima 7e7fb4
+	const char *name;
Jan F. Chadima 7e7fb4
+	OpCodes opcode;
Jan F. Chadima 7e7fb4
+} keywords[] = {
Jan F. Chadima 7e7fb4
+	{ "URI", lURI },
Jan F. Chadima 7e7fb4
+	{ "Base", lBase },
Jan F. Chadima 7e7fb4
+	{ "BindDN", lBindDN },
Jan F. Chadima 7e7fb4
+	{ "BindPW", lBindPW },
Jan F. Chadima 7e7fb4
+	{ "RootBindDN", lRootBindDN },
Jan F. Chadima 86b2d1
+	{ "Host", lHost },
Jan F. Chadima 86b2d1
+	{ "Port", lPort },
Jan F. Chadima 7e7fb4
+	{ "Scope", lScope },
Jan F. Chadima 7e7fb4
+	{ "Deref", lDeref },
Jan F. Chadima 86b2d1
+	{ "TimeLimit", lTimeLimit },
Jan F. Chadima 86b2d1
+	{ "TimeOut", lTimeLimit },
Jan F. Chadima 7e7fb4
+	{ "Bind_Timelimit", lBind_TimeLimit },
Jan F. Chadima 86b2d1
+	{ "Network_TimeOut", lBind_TimeLimit },
Jan F. Chadima 86b2d1
+/*
Jan F. Chadima 86b2d1
+ * Todo
Jan F. Chadima 86b2d1
+ * SIZELIMIT
Jan F. Chadima 86b2d1
+ */
Jan F. Chadima 7e7fb4
+	{ "Ldap_Version", lLdap_Version },
Jan F. Chadima 86b2d1
+	{ "Version", lLdap_Version },
Jan F. Chadima 7e7fb4
+	{ "Bind_Policy", lBind_Policy },
Jan F. Chadima 7e7fb4
+	{ "SSLPath", lSSLPath },
Jan F. Chadima 7e7fb4
+	{ "SSL", lSSL },
Jan F. Chadima 7e7fb4
+	{ "Referrals", lReferrals },
Jan F. Chadima 7e7fb4
+	{ "Restart", lRestart },
Jan F. Chadima 7e7fb4
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
Jan F. Chadima 4669c3
+	{ "TLS_ReqCert", lTLS_CheckPeer },
Jan F. Chadima 7e7fb4
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
Jan F. Chadima 4669c3
+	{ "TLS_CaCert", lTLS_CaCertFile },
Jan F. Chadima 7e7fb4
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
Jan F. Chadima 7e7fb4
+	{ "TLS_Ciphers", lTLS_Ciphers },
Jan F. Chadima 4669c3
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
Jan F. Chadima 7e7fb4
+	{ "TLS_Cert", lTLS_Cert },
Jan F. Chadima 86b2d1
+	{ "TLS_Certificate", lTLS_Cert },
Jan F. Chadima 7e7fb4
+	{ "TLS_Key", lTLS_Key },
Jan F. Chadima 7e7fb4
+	{ "TLS_RandFile", lTLS_RandFile },
Jan F. Chadima 4669c3
+/*
Jan F. Chadima 4669c3
+ * Todo
Jan F. Chadima 4669c3
+ * TLS_CRLCHECK
Jan F. Chadima 4669c3
+ * TLS_CRLFILE
Jan F. Chadima 4669c3
+ */
Jan F. Chadima 86b2d1
+	{ "LogDir", lLogDir },
Jan F. Chadima 7e7fb4
+	{ "Debug", lDebug },
Jan F. Chadima 7e7fb4
+	{ "SSH_Filter", lSSH_Filter },
Jan F. Chadima 7e7fb4
+	{ NULL, lBadOption }
Jan F. Chadima 7e7fb4
+};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/* Configuration ptions. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Options options;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Returns the number of the token pointed to by cp or oBadOption.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static OpCodes
Jan F. Chadima 7e7fb4
+parse_token(const char *cp, const char *filename, int linenum)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	u_int i;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	for (i = 0; keywords[i].name; i++)
Jan F. Chadima 7e7fb4
+		if (strcasecmp(cp, keywords[i].name) == 0)
Jan F. Chadima 7e7fb4
+			return keywords[i].opcode;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (config_warning_config_file) 
Jan F. Chadima 7e7fb4
+	    logit("%s: line %d: Bad configuration option: %s",
Jan F. Chadima 7e7fb4
+		filename, linenum, cp);
Jan F. Chadima 7e7fb4
+	return lBadOption;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Processes a single option line as used in the configuration files. This
Jan F. Chadima 7e7fb4
+ * only sets those values that have not already been set.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static int
Jan F. Chadima 7e7fb4
+process_config_line(char *line, const char *filename, int linenum)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
Jan F. Chadima 7e7fb4
+	char *rootbinddn = NULL;
Jan F. Chadima 7e7fb4
+	int opcode, *intptr, value;
Jan F. Chadima 7e7fb4
+	size_t len;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Strip trailing whitespace */
Jan F. Chadima 7e7fb4
+	for (len = strlen(line) - 1; len > 0; len--) {
Jan F. Chadima 7e7fb4
+		if (strchr(WHITESPACE, line[len]) == NULL)
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+		line[len] = '\0';
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	s = line;
Jan F. Chadima 7e7fb4
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
Jan F. Chadima 7e7fb4
+	if ((keyword = strdelim(&s)) == NULL)
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+	/* Ignore leading whitespace. */
Jan F. Chadima 7e7fb4
+	if (*keyword == '\0')
Jan F. Chadima 7e7fb4
+		keyword = strdelim(&s);
Jan F. Chadima 7e7fb4
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	opcode = parse_token(keyword, filename, linenum);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	switch (opcode) {
Jan F. Chadima 7e7fb4
+	case lBadOption:
Jan F. Chadima 7e7fb4
+		/* don't panic, but count bad options */
Jan F. Chadima 7e7fb4
+		return -1;
Jan F. Chadima 7e7fb4
+		/* NOTREACHED */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lHost:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.host;
Jan F. Chadima 7e7fb4
+parse_xstring:
Jan F. Chadima 7e7fb4
+		if (!s || *s == '\0')
Jan F. Chadima 7e7fb4
+		    fatal("%s line %d: missing dn",filename,linenum);
Jan F. Chadima 7e7fb4
+		if (*xstringptr == NULL)
Jan F. Chadima 7e7fb4
+		    *xstringptr = xstrdup(s);
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lURI:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.uri;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBase:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.base;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBindDN:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.binddn;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBindPW:
Jan F. Chadima 7e7fb4
+		charptr = &options.bindpw;
Jan F. Chadima 7e7fb4
+parse_string:
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*charptr == NULL)
Jan F. Chadima 7e7fb4
+			*charptr = xstrdup(arg);
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lRootBindDN:
Jan F. Chadima 7e7fb4
+		xstringptr = &rootbinddn;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lScope:
Jan F. Chadima 7e7fb4
+		intptr = &options.scope;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 86b2d1
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_SCOPE_SUBTREE;
Jan F. Chadima 86b2d1
+		else if (strcasecmp (arg, "one") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_SCOPE_ONELEVEL;
Jan F. Chadima 86b2d1
+		else if (strcasecmp (arg, "base") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_SCOPE_BASE;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lDeref:
Jan F. Chadima 7e7fb4
+		intptr = &options.scope;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 7e7fb4
+		if (!strcasecmp (arg, "never"))
Jan F. Chadima 7e7fb4
+			value = LDAP_DEREF_NEVER;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "searching"))
Jan F. Chadima 7e7fb4
+			value = LDAP_DEREF_SEARCHING;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "finding"))
Jan F. Chadima 7e7fb4
+			value = LDAP_DEREF_FINDING;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "always"))
Jan F. Chadima 7e7fb4
+			value = LDAP_DEREF_ALWAYS;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lPort:
Jan F. Chadima 7e7fb4
+		intptr = &options.port;
Jan F. Chadima 7e7fb4
+parse_int:
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (arg[0] < '0' || arg[0] > '9')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		/* Octal, decimal, or hex format? */
Jan F. Chadima 7e7fb4
+		value = strtol(arg, &endofnumber, 0);
Jan F. Chadima 7e7fb4
+		if (arg == endofnumber)
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTimeLimit:
Jan F. Chadima 7e7fb4
+		intptr = &options.timelimit;
Jan F. Chadima 7e7fb4
+parse_time:
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%s line %d: missing time value.",
Jan F. Chadima 7e7fb4
+			    filename, linenum);
Jan F. Chadima 7e7fb4
+		if ((value = convtime(arg)) == -1)
Jan F. Chadima 7e7fb4
+			fatal("%s line %d: invalid time value.",
Jan F. Chadima 7e7fb4
+			    filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBind_TimeLimit:
Jan F. Chadima 7e7fb4
+		intptr = &options.bind_timelimit;
Jan F. Chadima 7e7fb4
+		goto parse_time;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lLdap_Version:
Jan F. Chadima 7e7fb4
+		intptr = &options.ldap_version;
Jan F. Chadima 7e7fb4
+		goto parse_int;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBind_Policy:
Jan F. Chadima 7e7fb4
+		intptr = &options.bind_policy;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 86b2d1
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
Jan F. Chadima 7e7fb4
+			value = 1;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "soft") == 0)
Jan F. Chadima 7e7fb4
+			value = 0;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lSSLPath:
Jan F. Chadima 7e7fb4
+		charptr = &options.sslpath;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lSSL:
Jan F. Chadima 7e7fb4
+		intptr = &options.ssl;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 7e7fb4
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 7e7fb4
+			value = SSL_LDAPS;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 7e7fb4
+			value = SSL_OFF;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "start_tls"))
Jan F. Chadima 7e7fb4
+			value = SSL_START_TLS;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lReferrals:
Jan F. Chadima 7e7fb4
+		intptr = &options.referrals;
Jan F. Chadima 7e7fb4
+parse_flag:
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 7e7fb4
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 7e7fb4
+			value = 1;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 7e7fb4
+			value = 0;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lRestart:
Jan F. Chadima 7e7fb4
+		intptr = &options.restart;
Jan F. Chadima 7e7fb4
+		goto parse_flag;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_CheckPeer:
Jan F. Chadima 7e7fb4
+		intptr = &options.tls_checkpeer;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima b6bdf1
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_NEVER;
Jan F. Chadima b6bdf1
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_HARD;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "demand") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_DEMAND;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "allow") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_ALLOW;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "try") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_TRY;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_CaCertFile:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cacertfile;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_CaCertDir:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cacertdir;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Ciphers:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.tls_ciphers;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Cert:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cert;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Key:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_key;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_RandFile:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_randfile;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 86b2d1
+	case lLogDir:
Jan F. Chadima 7e7fb4
+		charptr = &options.logdir;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lDebug:
Jan F. Chadima 7e7fb4
+		intptr = &options.debug;
Jan F. Chadima 7e7fb4
+		goto parse_int;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lSSH_Filter:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.ssh_filter;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lDeprecated:
Jan F. Chadima 7e7fb4
+		debug("%s line %d: Deprecated option \"%s\"",
Jan F. Chadima 7e7fb4
+		    filename, linenum, keyword);
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lUnsupported:
Jan F. Chadima 7e7fb4
+		error("%s line %d: Unsupported option \"%s\"",
Jan F. Chadima 7e7fb4
+		    filename, linenum, keyword);
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	default:
Jan F. Chadima 7e7fb4
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Check that there is no garbage at end of line. */
Jan F. Chadima 7e7fb4
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
Jan F. Chadima 7e7fb4
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
Jan F. Chadima 7e7fb4
+		    filename, linenum, arg);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	return 0;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Reads the config file and modifies the options accordingly.  Options
Jan F. Chadima 7e7fb4
+ * should already be initialized before this call.  This never returns if
Jan F. Chadima 7e7fb4
+ * there is an error.  If the file does not exist, this returns 0.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+read_config_file(const char *filename)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	FILE *f;
Jan F. Chadima 7e7fb4
+	char line[1024];
Jan F. Chadima 7e7fb4
+	int active, linenum;
Jan F. Chadima 7e7fb4
+	int bad_options = 0;
Jan F. Chadima 7e7fb4
+	struct stat sb;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if ((f = fopen(filename, "r")) == NULL)
Jan F. Chadima 7e7fb4
+		fatal("fopen %s: %s", filename, strerror(errno));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (fstat(fileno(f), &sb) == -1)
Jan F. Chadima 7e7fb4
+		fatal("fstat %s: %s", filename, strerror(errno));
Jan F. Chadima 7e7fb4
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
Jan F. Chadima 7e7fb4
+	    (sb.st_mode & 022) != 0))
Jan F. Chadima 7e7fb4
+		fatal("Bad owner or permissions on %s", filename);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug("Reading configuration data %.200s", filename);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/*
Jan F. Chadima 7e7fb4
+	 * Mark that we are now processing the options.  This flag is turned
Jan F. Chadima 7e7fb4
+	 * on/off by Host specifications.
Jan F. Chadima 7e7fb4
+	 */
Jan F. Chadima 7e7fb4
+	active = 1;
Jan F. Chadima 7e7fb4
+	linenum = 0;
Jan F. Chadima 7e7fb4
+	while (fgets(line, sizeof(line), f)) {
Jan F. Chadima 7e7fb4
+		/* Update line number counter. */
Jan F. Chadima 7e7fb4
+		linenum++;
Jan F. Chadima 7e7fb4
+		if (process_config_line(line, filename, linenum) != 0)
Jan F. Chadima 7e7fb4
+			bad_options++;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	fclose(f);
Jan F. Chadima 7e7fb4
+	if ((bad_options > 0) && config_exclusive_config_file) 
Jan F. Chadima 7e7fb4
+		fatal("%s: terminating, %d bad configuration options",
Jan F. Chadima 7e7fb4
+		    filename, bad_options);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Initializes options to special values that indicate that they have not yet
Jan F. Chadima 7e7fb4
+ * been set.  Read_config_file will only set options with this value. Options
Jan F. Chadima 7e7fb4
+ * are processed in the following order: command line, user config file,
Jan F. Chadima 7e7fb4
+ * system config file.  Last, fill_default_options is called.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+initialize_options(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	memset(&options, 'X', sizeof(options));
Jan F. Chadima 7e7fb4
+	options.host = NULL;
Jan F. Chadima 7e7fb4
+	options.uri = NULL;
Jan F. Chadima 7e7fb4
+	options.base = NULL;
Jan F. Chadima 7e7fb4
+	options.binddn = NULL;
Jan F. Chadima 7e7fb4
+	options.bindpw = NULL;
Jan F. Chadima 7e7fb4
+	options.scope = -1;
Jan F. Chadima 7e7fb4
+	options.deref = -1;
Jan F. Chadima 7e7fb4
+	options.port = -1;
Jan F. Chadima 7e7fb4
+	options.timelimit = -1;
Jan F. Chadima 7e7fb4
+	options.bind_timelimit = -1;
Jan F. Chadima 7e7fb4
+	options.ldap_version = -1;
Jan F. Chadima 7e7fb4
+	options.bind_policy = -1;
Jan F. Chadima 7e7fb4
+	options.sslpath = NULL;
Jan F. Chadima 7e7fb4
+	options.ssl = -1;
Jan F. Chadima 7e7fb4
+	options.referrals = -1;
Jan F. Chadima 7e7fb4
+	options.restart = -1;
Jan F. Chadima 7e7fb4
+	options.tls_checkpeer = -1;
Jan F. Chadima 7e7fb4
+	options.tls_cacertfile = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_cacertdir = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_ciphers = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_cert = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_key = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_randfile = NULL;
Jan F. Chadima 7e7fb4
+	options.logdir = NULL;
Jan F. Chadima 7e7fb4
+	options.debug = -1;
Jan F. Chadima 7e7fb4
+	options.ssh_filter = NULL;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Called after processing other sources of option data, this fills those
Jan F. Chadima 7e7fb4
+ * options for which no value has been specified with their default values.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+fill_default_options(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (options.uri != NULL) {
Jan F. Chadima 7e7fb4
+		LDAPURLDesc *ludp;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+			if (options.ssl == -1) {
Jan F. Chadima 86b2d1
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
Jan F. Chadima 7e7fb4
+				    options.ssl = 2;
Jan F. Chadima 86b2d1
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
Jan F. Chadima 86b2d1
+				    options.ssl = 0;
Jan F. Chadima 86b2d1
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
Jan F. Chadima 86b2d1
+				    options.ssl = 1;
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+			if (options.host == NULL)
Jan F. Chadima 7e7fb4
+			    options.host = xstrdup (ludp->lud_host);
Jan F. Chadima 7e7fb4
+			if (options.port == -1)
Jan F. Chadima 7e7fb4
+			    options.port = ludp->lud_port;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			ldap_free_urldesc (ludp);
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+	} 
Jan F. Chadima 7e7fb4
+	if (options.ssl == -1)
Jan F. Chadima 7e7fb4
+	    options.ssl = SSL_START_TLS;
Jan F. Chadima 7e7fb4
+	if (options.port == -1)
Jan F. Chadima 7e7fb4
+	    options.port = (options.ssl == 0) ? 389 : 636;
Jan F. Chadima 7e7fb4
+	if (options.uri == NULL) {
Jan F. Chadima 7e7fb4
+		int len;
Jan F. Chadima 7e7fb4
+#define MAXURILEN 4096
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		options.uri = xmalloc (MAXURILEN);
Jan F. Chadima 7e7fb4
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
Jan F. Chadima 7e7fb4
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
Jan F. Chadima 7e7fb4
+		options.uri[MAXURILEN - 1] = 0;
Jan F. Chadima 7e7fb4
+		options.uri = xrealloc (options.uri, len + 1, 1);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	if (options.binddn == NULL)
Jan F. Chadima 7e7fb4
+	    options.binddn = "";
Jan F. Chadima 7e7fb4
+	if (options.bindpw == NULL)
Jan F. Chadima 7e7fb4
+	    options.bindpw = "";
Jan F. Chadima 7e7fb4
+	if (options.scope == -1)
Jan F. Chadima 7e7fb4
+	    options.scope = LDAP_SCOPE_SUBTREE;
Jan F. Chadima 7e7fb4
+	if (options.deref == -1)
Jan F. Chadima 7e7fb4
+	    options.deref = LDAP_DEREF_NEVER;
Jan F. Chadima 7e7fb4
+	if (options.timelimit == -1)
Jan F. Chadima 7e7fb4
+	    options.timelimit = 10;
Jan F. Chadima 7e7fb4
+	if (options.bind_timelimit == -1)
Jan F. Chadima 7e7fb4
+	    options.bind_timelimit = 10;
Jan F. Chadima 7e7fb4
+	if (options.ldap_version == -1)
Jan F. Chadima 7e7fb4
+	    options.ldap_version = 3;
Jan F. Chadima 7e7fb4
+	if (options.bind_policy == -1)
Jan F. Chadima 7e7fb4
+	    options.bind_policy = 1;
Jan F. Chadima 7e7fb4
+	if (options.referrals == -1)
Jan F. Chadima 7e7fb4
+	    options.referrals = 1;
Jan F. Chadima 7e7fb4
+	if (options.restart == -1)
Jan F. Chadima 7e7fb4
+	    options.restart = 1;
Jan F. Chadima 7e7fb4
+	if (options.tls_checkpeer == -1)
Jan F. Chadima 7e7fb4
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
Jan F. Chadima 7e7fb4
+	if (options.debug == -1)
Jan F. Chadima 7e7fb4
+	    options.debug = 0;
Jan F. Chadima 7e7fb4
+	if (options.ssh_filter == NULL)
Jan F. Chadima 7e7fb4
+	    options.ssh_filter = "";
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static const char *
Jan F. Chadima 7e7fb4
+lookup_opcode_name(OpCodes code)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	u_int i;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	for (i = 0; keywords[i].name != NULL; i++)
Jan F. Chadima 7e7fb4
+	    if (keywords[i].opcode == code)
Jan F. Chadima 7e7fb4
+		return(keywords[i].name);
Jan F. Chadima 7e7fb4
+	return "UNKNOWN";
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_string(OpCodes code, const char *val)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (val == NULL)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else
Jan F. Chadima 7e7fb4
+	    debug3("%s %s", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_int(OpCodes code, int val)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (val == -1)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else
Jan F. Chadima 7e7fb4
+	    debug3("%s %d", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+struct names {
Jan F. Chadima 7e7fb4
+	int value;
Jan F. Chadima 7e7fb4
+	char *name;
Jan F. Chadima 7e7fb4
+};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	u_int i;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (val == -1)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else {
Jan F. Chadima 7e7fb4
+		for (i = 0; names[i].value != -1; i++)
Jan F. Chadima 7e7fb4
+	 	    if (names[i].value == val) {
Jan F. Chadima 7e7fb4
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
Jan F. Chadima 7e7fb4
+			    return;
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _yesnotls[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "No" },
Jan F. Chadima 7e7fb4
+	{ 1, "Yes" },
Jan F. Chadima 7e7fb4
+	{ 2, "Start_TLS" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _scope[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_BASE, "Base" },
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_ONELEVEL, "One" },
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _deref[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_NEVER, "Never" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_SEARCHING, "Searching" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_FINDING, "Finding" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_ALWAYS, "Always" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _yesno[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "No" },
Jan F. Chadima 7e7fb4
+	{ 1, "Yes" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _bindpolicy[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "Soft" },
Jan F. Chadima 7e7fb4
+	{ 1, "Hard" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _checkpeer[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+dump_config(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lURI, options.uri);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lHost, options.host);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lPort, options.port);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lLdap_Version, options.ldap_version);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lTimeLimit, options.timelimit);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBase, options.base);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBindDN, options.binddn);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBindPW, options.bindpw);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lScope, options.scope, _scope);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lDeref, options.deref, _deref);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lSSLPath, options.sslpath);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Key, options.tls_key);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
Jan F. Chadima 86b2d1
+	dump_cfg_string(lLogDir, options.logdir);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lDebug, options.debug);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
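--- a/openssh-5.8p1/ldapconf.h
+++ b/openssh-5.8p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPCONF_H
+#define LDAPCONF_H
+
+#define SSL_OFF          0
+#define SSL_LDAPS        1
+#define SSL_START_TLS    2
+
+/* Data structure for representing option data. */
+
+typedef struct {
+	char *host;
+	char *uri;
+	char *base;
+	char *binddn;
+	char *bindpw;
+	int scope;
+	int deref;
+	int port;
+	int timelimit;
+	int bind_timelimit;
+	int ldap_version;
+	int bind_policy;
+	char *sslpath;
+	int ssl;
+	int referrals;
+	int restart;
+	int tls_checkpeer;
+	char *tls_cacertfile;
+	char *tls_cacertdir;
+	char *tls_ciphers;
+	char *tls_cert;
+	char *tls_key;
+	char *tls_randfile;
+	char *logdir;
+	int debug;
+	char *ssh_filter;
+}       Options;
+
+extern Options options;
+
+void read_config_file(const char *);
+void initialize_options(void);
+void fill_default_options(void);
+void dump_config(void);
+
+#endif /* LDAPCONF_H */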
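Review bot: The `Options` struct says nothing about its unset-value convention, although `initialize_options()` and `fill_default_options()` in ldapconf.c above rely on every `int` member being -1 and every pointer NULL to mean "not configured"; state that above the typedef, e.g. `/* ints are -1 and pointers NULL until read_config_file() sets them; fill_default_options() replaces the remaining sentinels. */`. `bindpw` deserves its own line, `/* cleartext bind credential read from the config file */`, since it is the one member whose sensitivity a reader cannot infer from the type. The `$OpenBSD: ldapconf.c` ident tag on the first line was copied from the .c file and should name ldapconf.h (the same copied tag appears in ldapincludes.h). `SSL_OFF`/`SSL_LDAPS`/`SSL_START_TLS` are defined here, but `fill_default_options()` and the `_yesnotls` dump table compare against bare 0/1/2; using the macros at those sites would make the mapping visible where it is used.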
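--- a/openssh-5.8p1/ldap.conf
+++ b/openssh-5.8p1/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
+# This is the example configuration file for the OpenSSH
+# LDAP backend
+# 
+# see ssh-ldap.conf(5)
+#
+
+# URI with your LDAP server name. This allows to use
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# Another way to specify your LDAP server is to provide an
+# host name and the port of our LDAP server. Host name
+# must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=openssh_keys,dc=example,dc=org
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw TopSecret
+
+# The distinguished name of the search base.
+#base dc=example,dc=org
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy: hard (default) will retry connecting to
+# the software with exponential backoff, soft will fail
+# immediately.
+#bind_policy hard
+
+# SSL setup, may be implied by URI also.
+#ssl no
+#ssl on
+#ssl start_tls
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer hard
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/pki/tls/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+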
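Review bot: The comments on `tls_checkpeer` and `port` describe defaults the helper does not implement: `fill_default_options()` above sets `tls_checkpeer` to `LDAP_OPT_X_TLS_HARD` when it is unset rather than deferring to libldap, the names the `_checkpeer` dump table knows are never/hard/demand/allow/try rather than yes/no (the parser itself is outside this view, but the example line `#tls_checkpeer hard` agrees), and the fallback port is 636 unless `ssl` is `no`, because `ssl` defaults to `start_tls` and only `ssl == 0` selects 389. An admin reading "(yes/no)" or "default is 389" would mis-configure certificate verification or the port, so reword those comments to match the code, e.g. `# Optional: default is hard (require and verify the server certificate).` and `# Optional: default is 389 when ssl is "no", 636 otherwise.`; whether StartTLS on 636 is the intended default is worth confirming with the author. `bindpw` is stored in cleartext and `read_config_file()` only refuses files that are group- or world-writable, not world-readable, so add `# If bindpw is set, this file must not be readable by other users.` above the `#bindpw` example.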
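--- a/openssh-5.8p1/ldap-helper.c
+++ b/openssh-5.8p1/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapbody.h"
+#include <string.h>
+#include <unistd.h>
+
+static int config_debug = 0;
+int config_exclusive_config_file = 0;
+static char *config_file_name = "/etc/ssh/ldap.conf";
+static char *config_single_user = NULL;
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
+int config_warning_config_file = 0;
+extern char *__progname;
+
+static void
+usage(void)
+{
+	fprintf(stderr, "usage: %s [options]\n",
+	    __progname);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
+	exit(1);
+}
+
+/*
+ * Main program for the ssh pka ldap agent.
+ */
+
+int
+main(int ac, char **av)
+{
+	int opt;
+	FILE *outfile = NULL;
+
+	__progname = ssh_get_progname(av[0]);
+
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+
+	/*
+	 * Initialize option structure to indicate that no values have been
+	 * set.
+	 */
+	initialize_options();
+
+	/* Parse command-line arguments. */
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
+		switch (opt) {
+		case 'd':
+			config_debug = 1;
+			break;
+
+		case 'e':
+			config_exclusive_config_file = 1;
+			config_warning_config_file = 1;
+			break;
+
+		case 'f':
+			config_file_name = optarg;
+			break;
+
+		case 's':
+			config_single_user = optarg;
+			outfile = fdopen (dup (fileno (stdout)), "w");
+			break;
+
+		case 'v':
+			config_debug = 1;
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
+			    config_verbose++;
+			break;
+
+		case 'w':
+			config_warning_config_file = 1;
+			break;
+
+		case '?':
+		default:
+			usage();
+			break;
+		}
+	}
+
+	/* Initialize loging */
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
+
+	if (ac != optind)
+	    fatal ("illegal extra parameter %s", av[1]);
+
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
+	if (config_debug == 0)
+	    sanitise_stdfd();
+
+	/* Read config file */
+	read_config_file(config_file_name);
+	fill_default_options();
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
+		debug3 ("=== Configuration ===");
+		dump_config();
+		debug3 ("=== *** ===");
+	}
+
+	ldap_checkconfig();
+	ldap_do_connect();
+
+	if (config_single_user) {
+		process_user (config_single_user, outfile);
+	} else {
+		usage();
+		fatal ("Not yet implemented");
+/* TODO
+ * open unix socket a run the loop on it
+ */
+	}
+
+	ldap_do_close();
+	return 0;
+}
+
+/* Ugly hack */
+void   *buffer_get_string(Buffer *b, u_int *l) {}
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
+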
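Review bot: `outfile = fdopen (dup (fileno (stdout)), "w")` in the `-s` case is never checked, so a closed or invalid stdout leaves `outfile == NULL`, which `main()` then hands to `process_user()`; change it to `if ((outfile = fdopen(dup(fileno(stdout)), "w")) == NULL) fatal("fdopen stdout: %s", strerror(errno));` (add `<errno.h>` if ldapincludes.h does not already provide it). The extra-argument diagnostic prints `av[1]`, which is the first option rather than the offending word; it should read `fatal ("illegal extra parameter %s", av[optind]);`. The two "Ugly hack" stubs at the bottom leave `buffer_get_string()` declared `void *` with no return statement, so anything linked against this helper that calls it receives an indeterminate pointer; make both stubs fail loudly with `fatal("buffer_get_string: not available in ldap-helper")` (or at minimum `return NULL;`) so a misuse cannot be silently consumed. In the non-`-s` branch `usage()` calls `exit(1)` before `fatal ("Not yet implemented")` is reached, so that message and the TODO below it are dead code.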
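--- a/openssh-5.8p1/ldap-helper.h
+++ b/openssh-5.8p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAP_HELPER_H
+#define LDAP_HELPER_H
+
+extern int config_exclusive_config_file;
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */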
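Review bot: The two exported flags are undocumented, although their meaning is fixed by the option parsing in ldap-helper.c's `main()`: `-e` sets both and `-w` sets only the second. Add `/* -e: read_config_file() aborts if any config line was rejected */` above `config_exclusive_config_file`, which matches the `bad_options > 0 && config_exclusive_config_file` check in ldapconf.c above, and `/* -e or -w: warn about unknown keywords in the config file */` above `config_warning_config_file`; the latter's consumer is presumably `process_config_line()`, which is outside this view, so confirm the wording against it.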
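--- a/openssh-5.8p1/ldapincludes.h
+++ b/openssh-5.8p1/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPINCLUDES_H
+#define LDAPINCLUDES_H
+
+#include "includes.h"
+
+#ifdef HAVE_LBER_H
+#include <lber.h>
+#endif
+#ifdef HAVE_LDAP_H
+#include <ldap.h>
+#endif
+#ifdef HAVE_LDAP_SSL_H
+#include <ldap_ssl.h>
+#endif
+
+#endif /* LDAPINCLUDES_H */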
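Review bot: The RCS id on the first line of ldapincludes.h names `ldapconf.c`, and the one at the top of ldapmisc.h (same patch) names `ldapbody.h`; both look pasted from sibling files and should either name the file they head or be dropped. A one-line comment above the guarded includes, `/* HAVE_LBER_H / HAVE_LDAP_H / HAVE_LDAP_SSL_H come from the --with-ldap checks in configure.ac */`, would spare readers a trip to configure.ac to learn where the macros are set.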
Jan F 1499a2
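--- a/openssh-5.8p1/ldapmisc.c
+++ b/openssh-5.8p1/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
+#include "ldapmisc.h"
+
+#ifndef HAVE_LDAP_GET_LDERRNO
+int
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
+{
+#ifdef HAVE_LDAP_GET_OPTION
+	int rc;
+#endif
+	int lderrno;
+
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
+	    return rc;
+#else
+	lderrno = ld->ld_errno;
+#endif
+
+	if (s != NULL) {
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		*s = ld->ld_error;
+#endif
+	}
+
+	if (m != NULL) {
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		*m = ld->ld_matched;
+#endif
+	}
+
+	return lderrno;
+}
+#endif
+
+#ifndef HAVE_LDAP_SET_LDERRNO
+int
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
+{
+#ifdef HAVE_LDAP_SET_OPTION
+	int rc;
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
+	    return rc;
+#else
+	ld->ld_errno = lderrno;
+#endif
+
+	if (s != NULL) {
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		ld->ld_error = s;
+#endif
+	}
+
+	if (m != NULL) {
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		ld->ld_matched = m;
+#endif
+	}
+
+	return LDAP_SUCCESS;
+}
+#endif
+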
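Review bot: `ldap_get_lderrno` hands back `*s` and `*m` with different ownership depending on which branch is compiled: on the `ldap_get_option()` path OpenLDAP returns a copy the caller must release with `ldap_memfree()`, while the `#else` path aliases `ld->ld_error`/`ld->ld_matched`, which the caller must not free, so a caller that does the right thing for one build leaks or double-frees on the other. The function's header comment should state this contract explicitly, and every caller of the shim should be checked against it. The same function also returns a failed `ldap_get_option()` status through the same `int` as the error number it is meant to fetch, so a caller cannot tell `rc` from `lderrno`; returning `-1` and clearing the out-pointers on failure would be clearer. In `ldap_set_lderrno` the fallback `ld->ld_error = s;` and `ld->ld_matched = m;` store caller-owned `const char *` pointers into the handle (presumably dropping `const` on the member), so the strings must outlive the handle — worth saying in a comment above the function.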
Jan F 1499a2
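--- a/openssh-5.8p1/ldapmisc.h
+++ b/openssh-5.8p1/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPMISC_H
+#define LDAPMISC_H
+
+#include "ldapincludes.h"
+
+int ldap_get_lderrno (LDAP *, char **, char **);
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
+
+#endif /* LDAPMISC_H */
+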
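Review bot: The two prototypes are declared unconditionally, while ldapmisc.c only defines `ldap_get_lderrno` and `ldap_set_lderrno` under `#ifndef HAVE_LDAP_GET_LDERRNO` / `#ifndef HAVE_LDAP_SET_LDERRNO`; on an SDK that already ships these functions with a different signature the declarations here will clash with whatever `<ldap.h>` brought in, so the prototypes should sit under the same guards as the definitions. A comment such as `/* compatibility shims for SDKs without ldap_get_lderrno()/ldap_set_lderrno(); see ldapmisc.c for the ownership rules of the returned strings */` would also make the purpose of this header clear.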
Jan F 1499a2
diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt
Jan F 1499a2
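--- a/openssh-5.8p1/Makefile.in
+++ b/openssh-5.8p1/Makefile.in
@@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -63,8 +65,9 @@ MANFMT=@MANFMT@
 
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -96,8 +99,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o
 
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
 MANTYPE		= @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -166,6 +169,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
@@ -270,6 +276,10 @@ install-files:
 	fi
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+	fi
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
@@ -289,6 +299,10 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
+	fi
 	-rm -f $(DESTDIR)$(bindir)/slogin
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -325,6 +339,13 @@ install-sysconf:
 	else \
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
 	fi
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
+		else \
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
+		fi ; \
+	fi
 
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
@@ -396,6 +417,7 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
 tests interop-tests:	$(TARGETS)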
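Review bot: `install-sysconf` installs `ldap.conf` with `-m 644`, yet the ssh-ldap.conf.5 page added by this same patch documents a `BindPW` credential in that file, so the default world-readable mode exposes the directory bind password to every local account; install it as `$(INSTALL) -m 600 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \` (or 0640 with a dedicated group) and state the expected mode in the man page. The `uninstall` hunk removes only `ssh-ldap-helper.8`, leaving `ssh-ldap.conf.5`, `$(SSH_LDAP_HELPER)`, `$(SSH_LDAP_WRAPPER)` and the installed `ldap.conf` behind, so install and uninstall are no longer symmetric. In `install-files` the helper is copied without the `$(EXEEXT)` suffix on either the source or the destination, unlike every neighbouring line. `ssh-ldap-helper$(EXEEXT)` is also added to `TARGETS` unconditionally, so it is built even after a `--without-ldap` configure, which presumably fails where `ldap.h` is absent unless the ldap*.c sources compile to empty units in that case.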
Jan F 1499a2
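--- a/openssh-5.8p1/openssh-lpk-openldap.schema
+++ b/openssh-5.8p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+#                              useful with PKA-LDAP also
+#
+# Author: Eric AUGE <eau@phear.org>
+# 
+# Based on the proposal of : Mark Ruijter
+#
+
+
+# octetString SYNTAX
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
+	DESC 'MANDATORY: OpenSSH Public key' 
+	EQUALITY octetStringMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
+	MUST ( sshPublicKey $ uid ) 
+	)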
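Review bot: The comment `# printableString SYNTAX yes|no` above the `ldapPublicKey` objectclass describes nothing in this file — no printableString attribute with a yes/no value follows it — so it is presumably left over from an earlier revision of the schema and should be removed or replaced with `# auxiliary class attaching sshPublicKey to an entry; uid is required`. The same stale comment appears in openssh-lpk-sun.schema. The `NAME 'sshPublicKey' `, `DESC` and `MUST` lines also carry trailing whitespace, which some schema checkers flag.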
Jan F 1499a2
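--- a/openssh-5.8p1/openssh-lpk-sun.schema
+++ b/openssh-5.8p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+#                              useful with PKA-LDAP also
+#
+# Author: Eric AUGE <eau@phear.org>
+# 
+# Schema for Sun Directory Server.
+# Based on the original schema, modified by Stefan Fischer.
+#
+
+dn: cn=schema
+
+# octetString SYNTAX
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
+	DESC 'MANDATORY: OpenSSH Public key' 
+	EQUALITY octetStringMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
+	MUST ( sshPublicKey $ uid ) 
+	)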
Jan F 1499a2
diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
Jan F 1499a2
diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
Jan F 1f6bdc
--- openssh-5.8p1/ssh-ldap.conf.5.ldap	2011-04-01 09:01:19.408648714 +0200
Jan F 1f6bdc
+++ openssh-5.8p1/ssh-ldap.conf.5	2011-04-01 09:01:19.418648733 +0200
Jan F. Chadima b1a625
@@ -0,0 +1,373 @@
Jan F. Chadima 86b2d1
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
Jan F. Chadima 86b2d1
+.\"
Jan F. Chadima 86b2d1
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 86b2d1
+.\"
Jan F. Chadima 86b2d1
+.\" Permission to use, copy, modify, and distribute this software for any
Jan F. Chadima 86b2d1
+.\" purpose with or without fee is hereby granted, provided that the above
Jan F. Chadima 86b2d1
+.\" copyright notice and this permission notice appear in all copies.
Jan F. Chadima 86b2d1
+.\"
Jan F. Chadima 86b2d1
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
Jan F. Chadima 86b2d1
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
Jan F. Chadima 86b2d1
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
Jan F. Chadima 86b2d1
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
Jan F. Chadima 86b2d1
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
Jan F. Chadima 86b2d1
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
Jan F. Chadima 86b2d1
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Jan F. Chadima 86b2d1
+.\"
Jan F. Chadima 86b2d1
+.Dd $Mdocdate: may 12 2010 $
Jan F. Chadima 86b2d1
+.Dt SSH-LDAP.CONF 5
Jan F. Chadima 86b2d1
+.Os
Jan F. Chadima 86b2d1
+.Sh NAME
Jan F. Chadima 86b2d1
+.Nm ssh-ldap.conf
Jan F. Chadima 86b2d1
+.Nd configuration file for ssh-ldap-helper
Jan F. Chadima 86b2d1
+.Sh SYNOPSIS
Jan F. Chadima 86b2d1
+.Nm /etc/ssh/ldap.conf
Jan F. Chadima 86b2d1
+.Sh DESCRIPTION
Jan F. Chadima 86b2d1
+.Xr ssh-ldap-helper 8
Jan F. Chadima 86b2d1
+reads configuration data from
Jan F. Chadima 86b2d1
+.Pa /etc/ssh/ldap.conf
Jan F. Chadima 86b2d1
+(or the file specified with
Jan F. Chadima 86b2d1
+.Fl f
Jan F. Chadima 86b2d1
+on the command line).
Jan F. Chadima 86b2d1
+The file contains keyword-argument pairs, one per line.
Jan F. Chadima 86b2d1
+Lines starting with
Jan F. Chadima 86b2d1
+.Ql #
Jan F. Chadima 86b2d1
+and empty lines are interpreted as comments.
Jan F. Chadima 86b2d1
+.Pp
Jan F. Chadima 86b2d1
+The value starts with the first non-blank character after 
Jan F. Chadima 86b2d1
+the keyword's name, and terminates at the end of the line, 
Jan F. Chadima 86b2d1
+or at the last sequence of blanks before the end of the line.
Jan F. Chadima 86b2d1
+Quoting values that contain blanks 
Jan F. Chadima 86b2d1
+may be incorrect, as the quotes would become part of the value.
Jan F. Chadima 86b2d1
+The possible keywords and their meanings are as follows (note that
Jan F. Chadima b1a625
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
Jan F. Chadima 86b2d1
+.It Cm URI
Jan F. Chadima 86b2d1
+The argument(s) are in the form
Jan F. Chadima 86b2d1
+.Pa ldap[si]://[name[:port]]
Jan F. Chadima b1a625
+and specify the URI(s) of an LDAP server(s) to which the
Jan F. Chadima 86b2d1
+.Xr ssh-ldap-helper 8 
Jan F. Chadima 86b2d1
+should connect. The URI scheme may be any of
Jan F. Chadima 86b2d1
+.Dq ldap ,
Jan F. Chadima 86b2d1
+.Dq ldaps 
Jan F. Chadima 86b2d1
+or
Jan F. Chadima 86b2d1
+.Dq ldapi ,
Jan F. Chadima 86b2d1
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
Jan F. Chadima 86b2d1
+over IPC (UNIX domain sockets), respectively.
Jan F. Chadima 86b2d1
+Each server's name can be specified as a
Jan F. Chadima 86b2d1
+domain-style name or an IP address literal.  Optionally, the
Jan F. Chadima 86b2d1
+server's name can followed by a ':' and the port number the LDAP
Jan F. Chadima 86b2d1
+server is listening on.  If no port number is provided, the default
Jan F. Chadima 86b2d1
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
Jan F. Chadima 86b2d1
+For LDAP over IPC, name is the name of the socket, and no port
Jan F. Chadima 86b2d1
+is required, nor allowed; note that directory separators must be 
Jan F. Chadima 86b2d1
+URL-encoded, like any other characters that are special to URLs; 
Jan F. Chadima 86b2d1
+A space separated list of URIs may be provided.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm Base
Jan F. Chadima b1a625
+Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
Jan F. Chadima b1a625
+The base must be specified as a DN in LDAP format.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm BindDN
Jan F. Chadima b1a625
+Specifies the default BIND DN to use when connecting to the ldap server.
Jan F. Chadima 86b2d1
+The bind DN must be specified as a Distinguished Name in LDAP format.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm BindPW
Jan F. Chadima 86b2d1
+Specifies the default password to use when connecting to the ldap server via
Jan F. Chadima 86b2d1
+.Cm BindDN .
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm RootBindDN
Jan F. Chadima 86b2d1
+Intentionaly does nothing. Recognized for compatibility reasons.
Jan F. Chadima 86b2d1
+.It Cm Host
Jan F. Chadima 86b2d1
+The argument(s) specifies the name(s) of an LDAP server(s) to which the
Jan F. Chadima 86b2d1
+.Xr ssh-ldap-helper 8
Jan F. Chadima 86b2d1
+should connect.  Each server's name can be specified as a
Jan F. Chadima 86b2d1
+domain-style name or an IP address and optionally followed by a ':' and
Jan F. Chadima b1a625
+the port number the ldap server is listening on.  A space-separated
Jan F. Chadima 86b2d1
+list of hosts may be provided.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.Cm Host
Jan F. Chadima 86b2d1
+is deprecated in favor of
Jan F. Chadima 86b2d1
+.Cm URI .
Jan F. Chadima 86b2d1
+.It Cm Port
Jan F. Chadima 86b2d1
+Specifies the default port used when connecting to LDAP servers(s).
Jan F. Chadima 86b2d1
+The port may be specified as a number.
Jan F. Chadima 86b2d1
+The default port is 389 for ldap:// or 636 for ldaps:// respectively.
Jan F. Chadima 86b2d1
+.Cm Port
Jan F. Chadima 86b2d1
+is deprecated in favor of
Jan F. Chadima 86b2d1
+.Cm URI .
Jan F. Chadima 86b2d1
+.It Cm Scope
Jan F. Chadima b1a625
+Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
Jan F. Chadima 86b2d1
+There are three options (values) that can be assigned to the
Jan F. Chadima 86b2d1
+.Cm Scope parameter:
Jan F. Chadima 86b2d1
+.Dq base ,
Jan F. Chadima 86b2d1
+.Dq one
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq subtree .
Jan F. Chadima 86b2d1
+Alias for the subtree is
Jan F. Chadima 86b2d1
+.Dq sub .
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq base
Jan F. Chadima 86b2d1
+is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq one
Jan F. Chadima b1a625
+is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq subtree
Jan F. Chadima 86b2d1
+is used to indicate searching of all entries at all levels under and including the specified base DN.
Jan F. Chadima 86b2d1
+The default is
Jan F. Chadima 86b2d1
+.Dq subtree .
Jan F. Chadima 86b2d1
+.It Cm Deref
Jan F. Chadima 86b2d1
+Specifies how alias dereferencing is done when performing a search. There are four
Jan F. Chadima 86b2d1
+possible values that can be assigned to the
Jan F. Chadima 86b2d1
+.Cm Deref
Jan F. Chadima 86b2d1
+parameter:
Jan F. Chadima 86b2d1
+.Dq never ,
Jan F. Chadima 86b2d1
+.Dq searching ,
Jan F. Chadima 86b2d1
+.Dq finding ,
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq always .
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq never
Jan F. Chadima 86b2d1
+means that the aliases are never dereferenced.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq searching
Jan F. Chadima 86b2d1
+means that the aliases are dereferenced in subordinates of the base object, but
Jan F. Chadima 86b2d1
+not in locating the base object of the search.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq finding
Jan F. Chadima 86b2d1
+means that the aliases are only dereferenced when locating the base object of the search.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima b1a625
+.Dq always
Jan F. Chadima 86b2d1
+means that the aliases are dereferenced both in searching and in locating the base object
Jan F. Chadima 86b2d1
+of the search.
Jan F. Chadima 86b2d1
+The default is
Jan F. Chadima 86b2d1
+.Dq never .
Jan F. Chadima 86b2d1
+.It Cm TimeLimit
Jan F. Chadima 86b2d1
+Specifies a time limit (in seconds) to use when performing searches.
Jan F. Chadima b1a625
+The number should be a non-negative integer. A
Jan F. Chadima 86b2d1
+.Cm TimeLimit
Jan F. Chadima b1a625
+of zero (0) specifies that the search time is unlimited. Please note that the server
Jan F. Chadima 86b2d1
+may still apply any server-side limit on the duration of a search operation.
Jan F. Chadima 86b2d1
+The default value is 10.
Jan F. Chadima 86b2d1
+.It Cm TimeOut
Jan F. Chadima 86b2d1
+Is an aliast to
Jan F. Chadima 86b2d1
+.Cm TimeLimit .
Jan F. Chadima 86b2d1
+.It Cm Bind_TimeLimit
Jan F. Chadima 86b2d1
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
Jan F. Chadima 86b2d1
+following a connect(2) returns in case of no activity.
Jan F. Chadima 86b2d1
+The default value is 10.
Jan F. Chadima 86b2d1
+.It Cm Network_TimeOut
Jan F. Chadima 86b2d1
+Is an alias to
Jan F. Chadima 86b2d1
+.Cm Bind_TimeLimit .
Jan F. Chadima 86b2d1
+.It Cm Ldap_Version
Jan F. Chadima 86b2d1
+Specifies what version of the LDAP protocol should be used.
Jan F. Chadima 86b2d1
+The allowed values are 2 or 3. The default is 3.
Jan F. Chadima 86b2d1
+.It Cm Version
Jan F. Chadima 86b2d1
+Is an alias to
Jan F. Chadima 86b2d1
+.Cm Ldap_Version .
Jan F. Chadima 86b2d1
+.It Cm Bind_Policy
Jan F. Chadima b1a625
+Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
Jan F. Chadima 86b2d1
+.Dq hard
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq soft.
Jan F. Chadima b1a625
+.Dq hard has 2 aliases
Jan F. Chadima 86b2d1
+.Dq hard_open
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq hard_init .
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq hard
Jan F. Chadima b1a625
+means that reconects that the
Jan F. Chadima b1a625
+.Xr ssh-ldap-helper 8
Jan F. Chadima 86b2d1
+tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq soft
Jan F. Chadima 86b2d1
+means that
Jan F. Chadima b1a625
+.Xr ssh-ldap-helper 8
Jan F. Chadima b1a625
+fails immediately when it cannot connect to the LDAP seerver.
Jan F. Chadima 86b2d1
+The deault is
Jan F. Chadima 86b2d1
+.Dq hard .
Jan F. Chadima 86b2d1
+.It Cm SSLPath
Jan F. Chadima 86b2d1
+Specifies the path to the X.509 certificate database.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm SSL
Jan F. Chadima 86b2d1
+Specifies whether to use SSL/TLS or not.
Jan F. Chadima b1a625
+There are three allowed values:
Jan F. Chadima 86b2d1
+.Dq yes ,
Jan F. Chadima 86b2d1
+.Dq no
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq start_tls
Jan F. Chadima b1a625
+Both
Jan F. Chadima 86b2d1
+.Dq true
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq on
Jan F. Chadima 86b2d1
+are the aliases for
Jan F. Chadima 86b2d1
+.Dq yes .
Jan F. Chadima 86b2d1
+.Dq false
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq off
Jan F. Chadima 86b2d1
+are the aliases for
Jan F. Chadima 86b2d1
+.Dq no .
Jan F. Chadima b1a625
+If
Jan F. Chadima b1a625
+.Dqstart_tls
Jan F. Chadima b1a625
+is specified then StartTLS is used rather than raw LDAP over SSL.
Jan F. Chadima b1a625
+The default for ldap:// is
Jan F. Chadima b1a625
+.Dq start_tls ,
Jan F. Chadima b1a625
+for ldaps://
Jan F. Chadima 86b2d1
+.Dq yes
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq no
Jan F. Chadima 86b2d1
+for the ldapi:// .
Jan F. Chadima 86b2d1
+In case of host based configuration the default is
Jan F. Chadima 86b2d1
+.Dq start_tls .
Jan F. Chadima 86b2d1
+.It Cm Referrals
Jan F. Chadima 86b2d1
+Specifies if the client should automatically follow referrals returned
Jan F. Chadima 86b2d1
+by LDAP servers.
Jan F. Chadima 86b2d1
+The value can be or
Jan F. Chadima 86b2d1
+.Dq yes
Jan F. Chadima 86b2d1
+or
Jan F. Chadima 86b2d1
+.Dq no .
Jan F. Chadima 86b2d1
+.Dq true
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq on
Jan F. Chadima 86b2d1
+are the aliases for
Jan F. Chadima 86b2d1
+.Dq yes .
Jan F. Chadima 86b2d1
+.Dq false
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq off
Jan F. Chadima 86b2d1
+are the aliases for
Jan F. Chadima 86b2d1
+.Dq no .
Jan F. Chadima 86b2d1
+The default is yes.
Jan F. Chadima 86b2d1
+.It Cm Restart
Jan F. Chadima 86b2d1
+Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
Jan F. Chadima 86b2d1
+The value can be or
Jan F. Chadima 86b2d1
+.Dq yes
Jan F. Chadima 86b2d1
+or
Jan F. Chadima 86b2d1
+.Dq no .
Jan F. Chadima 86b2d1
+.Dq true
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq on
Jan F. Chadima 86b2d1
+are the aliases for
Jan F. Chadima 86b2d1
+.Dq yes .
Jan F. Chadima 86b2d1
+.Dq false
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq off
Jan F. Chadima 86b2d1
+are the aliases for
Jan F. Chadima 86b2d1
+.Dq no .
Jan F. Chadima 86b2d1
+The default is yes.
Jan F. Chadima 86b2d1
+.It Cm TLS_CheckPeer
Jan F. Chadima 86b2d1
+Specifies what checks to perform on server certificates in a TLS session,
Jan F. Chadima 86b2d1
+if any. The value
Jan F. Chadima 86b2d1
+can be specified as one of the following keywords:
Jan F. Chadima 86b2d1
+.Dq never ,
Jan F. Chadima 86b2d1
+.Dq hard ,
Jan F. Chadima 86b2d1
+.Dq demand ,
Jan F. Chadima 86b2d1
+.Dq allow
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq try .
Jan F. Chadima 86b2d1
+.Dq true ,
Jan F. Chadima 86b2d1
+.Dq on
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq yes
Jan F. Chadima b1a625
+are aliases for
Jan F. Chadima 86b2d1
+.Dq hard .
Jan F. Chadima 86b2d1
+.Dq false ,
Jan F. Chadima 86b2d1
+.Dq off
Jan F. Chadima 86b2d1
+and
Jan F. Chadima 86b2d1
+.Dq no
Jan F. Chadima 86b2d1
+are the aliases for
Jan F. Chadima 86b2d1
+.Dq never .
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq never
Jan F. Chadima 86b2d1
+means that the client will not request or check any server certificate.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq allow
Jan F. Chadima 86b2d1
+means that the server certificate is requested. If no certificate is provided,
Jan F. Chadima 86b2d1
+the session proceeds normally. If a bad certificate is provided, it will
Jan F. Chadima 86b2d1
+be ignored and the session proceeds normally.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq try
Jan F. Chadima 86b2d1
+means that the server certificate is requested. If no certificate is provided,
Jan F. Chadima 86b2d1
+the session proceeds normally. If a bad certificate is provided,
Jan F. Chadima 86b2d1
+the session is immediately terminated.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq demand
Jan F. Chadima b1a625
+means that the server certificate is requested. If no
Jan F. Chadima 86b2d1
+certificate is provided, or a bad certificate is provided, the session
Jan F. Chadima 86b2d1
+is immediately terminated.
Jan F. Chadima 86b2d1
+The value
Jan F. Chadima 86b2d1
+.Dq hard
Jan F. Chadima 86b2d1
+is the same as
Jan F. Chadima 86b2d1
+.Dq demand .
Jan F. Chadima b1a625
+It requires an SSL connection. In the case of the plain conection the
Jan F. Chadima 86b2d1
+session is immediately terminated.
Jan F. Chadima 86b2d1
+The default is
Jan F. Chadima 86b2d1
+.Dq hard .
Jan F. Chadima 86b2d1
+.It Cm TLS_ReqCert
Jan F. Chadima 86b2d1
+Is an alias for 
Jan F. Chadima 86b2d1
+.Cm TLS_CheckPeer .
Jan F. Chadima 86b2d1
+.It Cm TLS_CACertFile
Jan F. Chadima 86b2d1
+Specifies the file that contains certificates for all of the Certificate
Jan F. Chadima 86b2d1
+Authorities the client will recognize.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm TLS_CACert
Jan F. Chadima 86b2d1
+Is an alias for
Jan F. Chadima 86b2d1
+.Cm TLS_CACertFile .
Jan F. Chadima 86b2d1
+.It Cm TLS_CACertDIR
Jan F. Chadima 86b2d1
+Specifies the path of a directory that contains Certificate Authority
Jan F. Chadima 86b2d1
+certificates in separate individual files. The
Jan F. Chadima 86b2d1
+.Cm TLS_CACert
Jan F. Chadima 86b2d1
+is always used before
Jan F. Chadima 86b2d1
+.Cm TLS_CACertDir .
Jan F. Chadima 86b2d1
+The specified directory must be managed with the OpenSSL c_rehash utility.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm TLS_Ciphers
Jan F. Chadima 86b2d1
+Specifies acceptable cipher suite and preference order.
Jan F. Chadima 86b2d1
+The value should be a cipher specification for OpenSSL,
Jan F. Chadima 86b2d1
+e.g.,
Jan F. Chadima 86b2d1
+.Dq HIGH:MEDIUM:+SSLv2 .
Jan F. Chadima 86b2d1
+The default is
Jan F. Chadima 86b2d1
+.Dq ALL .
Jan F. Chadima 86b2d1
+.It Cm TLS_Cipher_Suite
Jan F. Chadima 86b2d1
+Is an alias for
Jan F. Chadima 86b2d1
+.Cm TLS_Ciphers .
Jan F. Chadima 86b2d1
+.It Cm TLS_Cert
Jan F. Chadima 86b2d1
+Specifies the file that contains the client certificate.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm TLS_Certificate
Jan F. Chadima 86b2d1
+Is an alias for
Jan F. Chadima 86b2d1
+.Cm TLS_Cert .
Jan F. Chadima 86b2d1
+.It Cm TLS_Key
Jan F. Chadima 86b2d1
+Specifies the file that contains the private key that matches the certificate
Jan F. Chadima 86b2d1
+stored in the
Jan F. Chadima 86b2d1
+.Cm TLS_Cert
Jan F. Chadima 86b2d1
+file. Currently, the private key must not be protected with a password, so
Jan F. Chadima 86b2d1
+it is of critical importance that the key file is protected carefully.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm TLS_RandFile
Jan F. Chadima 86b2d1
+Specifies the file to obtain random bits from when /dev/[u]random is
Jan F. Chadima 86b2d1
+not available. Generally set to the name of the EGD/PRNGD socket.
Jan F. Chadima 86b2d1
+The environment variable RANDFILE can also be used to specify the filename.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm LogDir
Jan F. Chadima 86b2d1
+Specifies the directory used for logging by the LDAP client library.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 86b2d1
+.It Cm Debug
Jan F. Chadima 86b2d1
+Specifies the debug level used for logging by the LDAP client library.
Jan F. Chadima 86b2d1
+There is no default.
Jan F. Chadima 99d9a3
+.It Cm SSH_Filter
Jan F. Chadima 99d9a3
+Specifies the user filter applied on the LDAP serch.
Jan F. Chadima 99d9a3
+The default is no filter.
Jan F. Chadima 86b2d1
+.Sh FILES
Jan F. Chadima 86b2d1
+.Bl -tag -width Ds
Jan F. Chadima 86b2d1
+.It Pa  /etc/ssh/ldap.conf
Jan F. Chadima 86b2d1
+Ldap configuration file for
Jan F. Chadima 86b2d1
+.Xr ssh-ldap-helper 8 .
Jan F. Chadima 86b2d1
+.Sh "SEE ALSO"
Jan F. Chadima 86b2d1
+.Xr ldap.conf 5 ,
Jan F. Chadima 86b2d1
+.Xr ssh-ldap-helper 8
Jan F. Chadima 86b2d1
+.Sh HISTORY
Jan F. Chadima 86b2d1
+.Nm
Jan F. Chadima 86b2d1
+first appeared in
Jan F. Chadima 86b2d1
+OpenSSH 5.5 + PKA-LDAP .
Jan F. Chadima 86b2d1
+.Sh AUTHORS
Jan F. Chadima 86b2d1
+.An Jan F. Chadima Aq jchadima@redhat.com
Jan F 1499a2
diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
Jan F 1f6bdc
--- openssh-5.8p1/ssh-ldap-helper.8.ldap	2011-04-01 09:01:19.432648735 +0200
Jan F 1f6bdc
+++ openssh-5.8p1/ssh-ldap-helper.8	2011-04-01 09:01:19.709648247 +0200
Jan F 1f6bdc
@@ -0,0 +1,79 @@
Jan F. Chadima 7e7fb4
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
Jan F. Chadima 7e7fb4
+.\"
Jan F. Chadima 7e7fb4
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+.\"
Jan F. Chadima 7e7fb4
+.\" Permission to use, copy, modify, and distribute this software for any
Jan F. Chadima 7e7fb4
+.\" purpose with or without fee is hereby granted, provided that the above
Jan F. Chadima 7e7fb4
+.\" copyright notice and this permission notice appear in all copies.
Jan F. Chadima 7e7fb4
+.\"
Jan F. Chadima 7e7fb4
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
Jan F. Chadima 7e7fb4
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
Jan F. Chadima 7e7fb4
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
Jan F. Chadima 7e7fb4
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
Jan F. Chadima 7e7fb4
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
Jan F. Chadima 7e7fb4
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
Jan F. Chadima 7e7fb4
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Jan F. Chadima 7e7fb4
+.\"
Jan F. Chadima 7e7fb4
+.Dd $Mdocdate: April 29 2010 $
Jan F. Chadima 7e7fb4
+.Dt SSH-LDAP-HELPER 8
Jan F. Chadima 7e7fb4
+.Os
Jan F. Chadima 7e7fb4
+.Sh NAME
Jan F. Chadima 7e7fb4
+.Nm ssh-ldap-helper
Jan F. Chadima 7e7fb4
+.Nd sshd helper program for ldap support
Jan F. Chadima 7e7fb4
+.Sh SYNOPSIS
Jan F. Chadima 7e7fb4
+.Nm ssh-ldap-helper
Jan F. Chadima 7e7fb4
+.Op Fl devw
Jan F. Chadima 7e7fb4
+.Op Fl f Ar file
Jan F. Chadima 7e7fb4
+.Op Fl s Ar user
Jan F. Chadima 7e7fb4
+.Sh DESCRIPTION
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima 7e7fb4
+is used by
Jan F. Chadima 7e7fb4
+.Xr sshd 1
Jan F. Chadima b1a625
+to access keys provided by an LDAP.
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima 7e7fb4
+is disabled by default and can only be enabled in the
Jan F. Chadima 7e7fb4
+sshd configuration file
Jan F. Chadima 7e7fb4
+.Pa /etc/ssh/sshd_config
Jan F. Chadima 7e7fb4
+by setting
Jan F. Chadima 7818e5
+.Cm AuthorizedKeysCommand
Jan F. Chadima 7e7fb4
+to
Jan F 1f6bdc
+.Dq /usr/libexec/ssh-ldap-wrapper .
Jan F. Chadima 7e7fb4
+.Pp
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima 7e7fb4
+is not intended to be invoked by the user, but from
Jan F 1f6bdc
+.Xr sshd 8 via
Jan F 1f6bdc
+.Xr ssh-ldap-wrapper .
Jan F. Chadima 7e7fb4
+.Pp
Jan F. Chadima 7e7fb4
+The options are as follows:
Jan F. Chadima 7e7fb4
+.Bl -tag -width Ds
Jan F. Chadima 7e7fb4
+.It Fl d
Jan F. Chadima b1a625
+Set the debug mode; 
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima 7e7fb4
+prints all logs to stderr instead of syslog.
Jan F. Chadima 7e7fb4
+.It Fl e
Jan F. Chadima b1a625
+Implies \-w;
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima b1a625
+halts if it encounters an unknown item in the ldap.conf file.
Jan F. Chadima 7e7fb4
+.It Fl f
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima b1a625
+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
Jan F. Chadima 7e7fb4
+.It Fl s
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima b1a625
+prints out the user's keys to stdout and exits.
Jan F. Chadima 7e7fb4
+.It Fl v
Jan F. Chadima b1a625
+Implies \-d;
Jan F. Chadima 7e7fb4
+increases verbosity.
Jan F. Chadima 7e7fb4
+.It Fl w
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima b1a625
+writes warnings about unknown items in the ldap.conf configuration file.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+.Sh SEE ALSO
Jan F. Chadima 7e7fb4
+.Xr sshd 8 ,
Jan F. Chadima 7e7fb4
+.Xr sshd_config 5 ,
Jan F. Chadima 8fc96c
+.Xr ssh-ldap.conf 5 ,
Jan F. Chadima 7e7fb4
+.Sh HISTORY
Jan F. Chadima 7e7fb4
+.Nm
Jan F. Chadima 7e7fb4
+first appeared in
Jan F. Chadima 7e7fb4
+OpenSSH 5.5 + PKA-LDAP .
Jan F. Chadima 7e7fb4
+.Sh AUTHORS
Jan F. Chadima 7e7fb4
+.An Jan F. Chadima Aq jchadima@redhat.com
Jan F 1499a2
diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper
Jan F 1f6bdc
--- openssh-5.8p1/ssh-ldap-wrapper.ldap	2011-04-01 09:01:19.456648676 +0200
Jan F 1f6bdc
+++ openssh-5.8p1/ssh-ldap-wrapper	2011-04-01 09:01:19.464648753 +0200
Jan F 1499a2
@@ -0,0 +1,4 @@
Jan F 1499a2
+#!/bin/sh
Jan F 1499a2
+
Jan F 1499a2
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
Jan F 1499a2
+
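Review bot: The wrapper forwards `"$1"` to the helper unconditionally, so an invocation with no username or an empty one still runs `ssh-ldap-helper -s ""` and lets the helper decide what an empty user means; failing closed in the wrapper is a one-liner placed before the exec, `[ $# -eq 1 ] && [ -n "$1" ] || exit 1`. The ssh-ldap-helper.8 hunk earlier in this patch (AuthorizedKeysCommand pointing at the wrapper, and `-s` printing one user's keys) indicates sshd passes the target user as the sole argument, so any other argument count is a misconfiguration rather than a lookup worth attempting. Quoting the argument and using `exec` with an absolute path are the right choices here; the trailing blank line after the exec can be dropped.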