
Forked from rpms/openssh 3 months ago
Jan F. Chadima c870e6
diff -up openssh-5.9p1/HOWTO.ldap-keys.ldap openssh-5.9p1/HOWTO.ldap-keys
Jan F. Chadima c870e6
--- openssh-5.9p1/HOWTO.ldap-keys.ldap	2011-09-13 11:17:05.178644691 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/HOWTO.ldap-keys	2011-09-13 11:17:05.181522429 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,108 @@
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+HOW TO START
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1) configure LDAP server
Jan F. Chadima 69dd72
+  * Use LDAP server documentation
Jan F. Chadima 69dd72
+2) add appropriate LDAP schema
Jan F. Chadima 69dd72
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
Jan F. Chadima 69dd72
+  * LDAP user entry
Jan F. Chadima 69dd72
+        User entry:
Jan F. Chadima 69dd72
+	- attached to the 'ldapPublicKey' objectclass
Jan F. Chadima 69dd72
+	- attached to the 'posixAccount' objectclass
Jan F. Chadima 69dd72
+	- with a filled 'sshPublicKey' attribute 
Jan F. Chadima 69dd72
+3) insert users into LDAP
Jan F. Chadima 69dd72
+  * Use LDAP Tree management tool as useful
Jan F. Chadima 69dd72
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
Jan F. Chadima 69dd72
+  * Example:
Jan F. Chadima 69dd72
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
Jan F. Chadima 69dd72
+	objectclass: top
Jan F. Chadima 69dd72
+	objectclass: person
Jan F. Chadima 69dd72
+	objectclass: organizationalPerson
Jan F. Chadima 69dd72
+	objectclass: posixAccount
Jan F. Chadima 69dd72
+	objectclass: ldapPublicKey
Jan F. Chadima 69dd72
+	description: Jonathan Archer
Jan F. Chadima 69dd72
+	userPassword: Porthos
Jan F. Chadima 69dd72
+	cn: onathan Archer
Jan F. Chadima 69dd72
+	sn: onathan Archer
Jan F. Chadima 69dd72
+	uid: captain
Jan F. Chadima 69dd72
+	uidNumber: 1001
Jan F. Chadima 69dd72
+	gidNumber: 1001
Jan F. Chadima 69dd72
+	homeDirectory: /home/captain
Jan F. Chadima 69dd72
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
Jan F. Chadima 69dd72
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
Jan F. Chadima 69dd72
+4) on the ssh side set in sshd_config
Jan F. Chadima 69dd72
+  * Set up the backend
Jan F. Chadima 69dd72
+	AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
Jan F. Chadima 69dd72
+	AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
Jan F. Chadima 69dd72
+  * Do not forget to set
Jan F. Chadima 69dd72
+	PubkeyAuthentication yes
Jan F. Chadima 69dd72
+  * Swith off unnecessary auth methods
Jan F. Chadima 69dd72
+5) confugure ldap.conf
Jan F. Chadima 69dd72
+  * Default ldap.conf is placed in /etc/ssh
Jan F. Chadima 69dd72
+  * The configuration style is the same as other ldap based aplications
Jan F. Chadima 69dd72
+6) if necessary edit ssh-ldap-wrapper
Jan F. Chadima 69dd72
+  * There is a possibility to change ldap.conf location
Jan F. Chadima 69dd72
+  * There are some debug options
Jan F. Chadima 69dd72
+  * Example
Jan F. Chadima 69dd72
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+HOW TO MIGRATE FROM LPK
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1) goto HOW TO START 4) .... the ldap schema is the same
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+2) convert the group requests to the appropriate LDAP requests
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+HOW TO SOLVE PROBLEMS
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1) use debug in sshd
Jan F. Chadima 69dd72
+  * /usr/sbin/sshd -d -d -d -d
Jan F. Chadima 69dd72
+2) use debug in ssh-ldap-helper
Jan F. Chadima 69dd72
+  * ssh-ldap-helper -d -d -d -d -s <username>
Jan F. Chadima 69dd72
+3) use tcpdump ... other ldap client etc.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+ADVANTAGES
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+DISADVANTAGES
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
Jan F. Chadima 69dd72
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
Jan F. Chadima 69dd72
+  of your users in all your server farm -- be VERY CAREFUL.
Jan F. Chadima 69dd72
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
Jan F. Chadima 69dd72
+  as the impersonated user.
Jan F. Chadima 69dd72
+3) If LDAP server is down there may be no fallback on passwd auth.
Jan F. Chadima 69dd72
+  
Jan F. Chadima 69dd72
+MISC.
Jan F. Chadima 69dd72
+  
Jan F. Chadima 69dd72
+1) todo
Jan F. Chadima 69dd72
+  * Possibility to reuse the ssh-ldap-helper.
Jan F. Chadima 69dd72
+  * Tune the LDAP part to accept  all possible LDAP configurations.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+2) differences from original lpk
Jan F. Chadima 69dd72
+  * No LDAP code in sshd.
Jan F. Chadima 69dd72
+  * Support for various LDAP platforms and configurations.
Jan F. Chadima 69dd72
+  * LDAP is configured in separate ldap.conf file.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+3) docs/link 
Jan F. Chadima 69dd72
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
Jan F. Chadima 69dd72
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
Jan F. Chadima 69dd72
+  * http://fritz.potsdam.edu/projects/sshgate/
Jan F. Chadima 69dd72
+  * http://dev.inversepath.com/trac/openssh-lpk
Jan F. Chadima 69dd72
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+4) contributors/ideas/greets
Jan F. Chadima 69dd72
+  - Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+  - Andrea Barisani <andrea@inversepath.com>
Jan F. Chadima 69dd72
+  - Falk Siemonsmeier.
Jan F. Chadima 69dd72
+  - Jacob Rief.
Jan F. Chadima 69dd72
+  - Michael Durchgraf.
Jan F. Chadima 69dd72
+  - frederic peters.
Jan F. Chadima 69dd72
+  - Finlay dobbie.
Jan F. Chadima 69dd72
+  - Stefan Fisher.
Jan F. Chadima 69dd72
+  - Robin H. Johnson.
Jan F. Chadima 69dd72
+  - Adrian Bridgett.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+5) Author
Jan F. Chadima 69dd72
+    Jan F. Chadima <jchadima@redhat.com>
Jan F. Chadima 69dd72
+
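Review bot: the example entry and the debug command in this new HOWTO contain errors that anyone copying them will hit: both `sshPublicKey` values use the key type `ssh-rss` (should be `ssh-rsa`), `cn`/`sn` read `onathan Archer` while `description` has `Jonathan Archer`, and the example under 6) runs `/usr/libexec/openssh -s -f /etc/ldap.conf -w -d`, which is the directory rather than `ssh-ldap-helper`. That same example appends debug output to `/tmp/ldapdebuglog.txt`; since the helper runs for every login attempt and /tmp is world-writable, point the example at a root-owned directory or at least note that the path is predictable. Under 4) it would help to say that `AuthorizedKeysCommandRunAs` should be a dedicated unprivileged account, because DISADVANTAGES 1) and 2) describe the impersonation risk but the setup section never says which user to pick. Minor spelling: `Swith`, `confugure`, `aplications`, `additionnal`.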
Jan F. Chadima c870e6
diff -up openssh-5.9p1/Makefile.in.ldap openssh-5.9p1/Makefile.in
Jan F. Chadima c870e6
--- openssh-5.9p1/Makefile.in.ldap	2011-09-13 11:17:04.064644353 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/Makefile.in	2011-09-13 11:20:16.996522219 +0200
Jan F. Chadima 69dd72
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
Jan F. Chadima 69dd72
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
Jan F. Chadima 69dd72
 SFTP_SERVER=$(libexecdir)/sftp-server
Jan F. Chadima 69dd72
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
Jan F. Chadima 69dd72
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
Jan F. Chadima 69dd72
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
Jan F. Chadima 69dd72
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
Jan F. Chadima 69dd72
 PRIVSEP_PATH=@PRIVSEP_PATH@
Jan F. Chadima 69dd72
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
Jan F. Chadima 69dd72
@@ -58,8 +60,9 @@ XAUTH_PATH=@XAUTH_PATH@
Jan F. Chadima 69dd72
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
Jan F. Chadima 69dd72
 EXEEXT=@EXEEXT@
Jan F. Chadima 69dd72
 MANFMT=@MANFMT@
Jan F. Chadima 69dd72
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
Jan F. Chadima 69dd72
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
Jan F. Chadima 69dd72
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
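Review bot: `ssh-ldap-wrapper` is installed and uninstalled alongside the helper in the hunks below but is not added to TARGETS here and does not appear in the part of the diff shown, so `make install` will fail on a missing file unless the wrapper script is shipped separately; either include it in the patch or in the distribution file list, and note in a comment that it is a script rather than a built target.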
Jan F. Chadima 69dd72
@@ -92,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
Jan F. Chadima 69dd72
 	roaming_common.o roaming_serv.o \
Jan F. Chadima c870e6
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-selinux.o
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
Jan F. Chadima 69dd72
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
Jan F. Chadima 69dd72
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
Jan F. Chadima 69dd72
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
Jan F. Chadima 69dd72
 MANTYPE		= @MANTYPE@
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
Jan F. Chadima 69dd72
@@ -161,6 +164,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
Jan F. Chadima 69dd72
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
Jan F. Chadima 69dd72
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
Jan F. Chadima 69dd72
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
Jan F. Chadima 69dd72
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
Jan F. Chadima 69dd72
 
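Review bot: the link line hard-codes `-lfipscheck` with no corresponding check in the configure.ac hunk below, so a build with `--with-ldap` on a system without libfipscheck only fails at link time, with an unhelpful error; add an `AC_CHECK_LIB(fipscheck, ...)` (or reuse whatever detection the rest of the patch set already has) and substitute the result instead of a literal flag. Minor: the `ssh-pkcs11-helper` rule directly above lists `-lssh -lopenbsd-compat` twice to resolve circular references between the static libraries; confirm that the single pair here still links cleanly.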
Jan F. Chadima 69dd72
@@ -256,6 +262,10 @@ install-files:
Jan F. Chadima 69dd72
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
Jan F. Chadima 69dd72
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
Jan F. Chadima 69dd72
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
Jan F. Chadima 69dd72
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Jan F. Chadima 69dd72
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
Jan F. Chadima 69dd72
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
Jan F. Chadima 69dd72
+	fi
Jan F. Chadima 69dd72
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
Jan F. Chadima 69dd72
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Jan F. Chadima 69dd72
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
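Review bot: `ssh-ldap-helper` and `ssh-ldap-wrapper` are installed with mode 0700 and no explicit owner, so they end up root-owned and the unprivileged `AuthorizedKeysCommandRunAs` user the HOWTO tells the admin to configure cannot execute them; either install them 0755 (the binaries hold no secrets; the credentials live in ldap.conf) or set an owner explicitly. Also, these two lines omit `$(EXEEXT)` on both the source and destination (`ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER)`), whereas the uninstall target removes `$(SSH_LDAP_HELPER)$(EXEEXT)`; use one form in both places.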
Jan F. Chadima 69dd72
@@ -272,6 +282,10 @@ install-files:
Jan F. Chadima 69dd72
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Jan F. Chadima 69dd72
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Jan F. Chadima 69dd72
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Jan F. Chadima 69dd72
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Jan F. Chadima 69dd72
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
Jan F. Chadima 69dd72
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
Jan F. Chadima 69dd72
+	fi
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(bindir)/slogin
Jan F. Chadima 69dd72
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Jan F. Chadima 69dd72
@@ -301,6 +315,13 @@ install-sysconf:
Jan F. Chadima 69dd72
 	else \
Jan F. Chadima 69dd72
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
Jan F. Chadima 69dd72
 	fi
Jan F. Chadima 69dd72
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Jan F. Chadima 69dd72
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
Jan F. Chadima 69dd72
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
Jan F. Chadima 69dd72
+		else \
Jan F. Chadima 69dd72
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
Jan F. Chadima 69dd72
+		fi ; \
Jan F. Chadima 69dd72
+	fi
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 host-key: ssh-keygen$(EXEEXT)
Jan F. Chadima 69dd72
 	@if [ -z "$(DESTDIR)" ] ; then \
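Review bot: `ldap.conf` is installed with mode 644, but the shipped template documents `binddn`/`bindpw`, so any admin who fills in a bind password ends up with a world-readable credential; install it 0600 (or 0640 owned by the RunAs user) and say so in the HOWTO. The `if [ ! -f ... ]` guard mirrors the moduli handling above it, which is fine.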
Jan F. Chadima 69dd72
@@ -358,6 +379,8 @@ uninstall:
Jan F. Chadima 69dd72
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
Jan F. Chadima 69dd72
+	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
Jan F. Chadima 69dd72
+	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
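Review bot: these two lines append `$(EXEEXT)` to paths that the install target writes without it (`$(DESTDIR)$(SSH_LDAP_HELPER)` and `$(DESTDIR)$(SSH_LDAP_WRAPPER)`), so on any platform where EXEEXT is non-empty `make uninstall` leaves both files behind; use the same form as the install lines. The install lines are also conditional on `INSTALL_SSH_LDAP_HELPER` while these are not, which is harmless given `-rm -f` but inconsistent.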
Jan F. Chadima 69dd72
@@ -369,6 +392,7 @@ uninstall:
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Jan F. Chadima 69dd72
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
Jan F. Chadima 69dd72
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 tests interop-tests:	$(TARGETS)
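Review bot: the man-page cleanup is incomplete: `ssh-ldap.conf.5` is installed into `$(mansubdir)5` in the install-files hunk above but nothing removes it here; add a matching `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5`.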
Jan F. Chadima c870e6
diff -up openssh-5.9p1/configure.ac.ldap openssh-5.9p1/configure.ac
Jan F. Chadima c870e6
--- openssh-5.9p1/configure.ac.ldap	2011-09-13 11:17:04.488583772 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/configure.ac	2011-09-13 11:17:05.418529375 +0200
Jan F. Chadima 69dd72
@@ -1433,6 +1433,106 @@ AC_ARG_WITH(authorized-keys-command,
Jan F. Chadima 69dd72
 	]
Jan F. Chadima 69dd72
 )
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+# Check whether user wants LDAP support
Jan F. Chadima 69dd72
+LDAP_MSG="no"
Jan F. Chadima 69dd72
+INSTALL_SSH_LDAP_HELPER=""
Jan F. Chadima 69dd72
+AC_ARG_WITH(ldap,
Jan F. Chadima 69dd72
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
Jan F. Chadima 69dd72
+	[
Jan F. Chadima 69dd72
+		if test "x$withval" != "xno" ; then
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			INSTALL_SSH_LDAP_HELPER="yes"
Jan F. Chadima 69dd72
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if test "x$withval" != "xyes" ; then
Jan F. Chadima 69dd72
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
Jan F. Chadima 69dd72
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
Jan F. Chadima 69dd72
+			fi
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
Jan F. Chadima 69dd72
+			LDAP_MSG="yes"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			AC_CHECK_HEADERS(lber.h)
Jan F. Chadima 69dd72
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
Jan F. Chadima 69dd72
+			AC_CHECK_HEADERS(ldap_ssl.h)
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			AC_ARG_WITH(ldap-lib,
Jan F. Chadima 69dd72
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if test -z "$with_ldap_lib"; then
Jan F. Chadima 69dd72
+				with_ldap_lib=auto
Jan F. Chadima 69dd72
+			fi
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
Jan F. Chadima 69dd72
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
Jan F. Chadima 69dd72
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
Jan F. Chadima 69dd72
+			fi
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
Jan F. Chadima 69dd72
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
Jan F. Chadima 69dd72
+			fi
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
Jan F. Chadima 69dd72
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
Jan F. Chadima 69dd72
+				if test -z "$found_ldap_lib"; then
Jan F. Chadima 69dd72
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
Jan F. Chadima 69dd72
+				fi
Jan F. Chadima 69dd72
+				if test -z "$found_ldap_lib"; then
Jan F. Chadima 69dd72
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
Jan F. Chadima 69dd72
+				fi
Jan F. Chadima 69dd72
+				if test -z "$found_ldap_lib"; then
Jan F. Chadima 69dd72
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
Jan F. Chadima 69dd72
+				fi
Jan F. Chadima 69dd72
+			fi
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
Jan F. Chadima 69dd72
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
Jan F. Chadima 69dd72
+			fi
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if test -z "$found_ldap_lib"; then
Jan F. Chadima 69dd72
+				AC_MSG_ERROR(could not locate a valid LDAP library)
Jan F. Chadima 69dd72
+			fi
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			AC_MSG_CHECKING([for working LDAP support])
Jan F. Chadima 69dd72
+			AC_TRY_COMPILE(
Jan F. Chadima 69dd72
+				[#include <sys/types.h>
Jan F. Chadima 69dd72
+				 #include <ldap.h>],
Jan F. Chadima 69dd72
+				[(void)ldap_init(0, 0);],
Jan F. Chadima 69dd72
+				[AC_MSG_RESULT(yes)],
Jan F. Chadima 69dd72
+				[
Jan F. Chadima 69dd72
+				    AC_MSG_RESULT(no) 
Jan F. Chadima 69dd72
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
Jan F. Chadima 69dd72
+				])
Jan F. Chadima 69dd72
+			AC_CHECK_FUNCS( \
Jan F. Chadima 69dd72
+				ldap_init \
Jan F. Chadima 69dd72
+				ldap_get_lderrno \
Jan F. Chadima 69dd72
+				ldap_set_lderrno \
Jan F. Chadima 69dd72
+				ldap_parse_result \
Jan F. Chadima 69dd72
+				ldap_memfree \
Jan F. Chadima 69dd72
+				ldap_controls_free \
Jan F. Chadima 69dd72
+				ldap_set_option \
Jan F. Chadima 69dd72
+				ldap_get_option \
Jan F. Chadima 69dd72
+				ldapssl_init \
Jan F. Chadima 69dd72
+				ldap_start_tls_s \
Jan F. Chadima 69dd72
+				ldap_pvt_tls_set_option \
Jan F. Chadima 69dd72
+				ldap_initialize \
Jan F. Chadima 69dd72
+			)
Jan F. Chadima 69dd72
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
Jan F. Chadima 69dd72
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
Jan F. Chadima 69dd72
+				AC_TRY_COMPILE(
Jan F. Chadima 69dd72
+					[#include <lber.h>
Jan F. Chadima 69dd72
+					#include <ldap.h>],
Jan F. Chadima 69dd72
+					[ldap_set_rebind_proc(0, 0, 0);],
Jan F. Chadima 69dd72
+					[ac_cv_ldap_set_rebind_proc=3],
Jan F. Chadima 69dd72
+					[ac_cv_ldap_set_rebind_proc=2])
Jan F. Chadima 69dd72
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
Jan F. Chadima 69dd72
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
Jan F. Chadima 69dd72
+			)
Jan F. Chadima 69dd72
+		fi
Jan F. Chadima 69dd72
+	]
Jan F. Chadima 69dd72
+)
Jan F. Chadima 69dd72
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 dnl    Checks for library functions. Please keep in alphabetical order
Jan F. Chadima 69dd72
 AC_CHECK_FUNCS([ \
Jan F. Chadima 69dd72
 	arc4random \
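Review bot: none of the library probes here covers libfipscheck, even though the Makefile.in hunk links `ssh-ldap-helper` with `-lfipscheck`, so configure can succeed and the build still fail at link time; add a check or make the link flag conditional on its result. Two smaller points: `AC_CHECK_LIB(lber, main, ...)` and `AC_CHECK_LIB(ldap, main, ...)` probe for the symbol `main`, which only proves the library links, not that it exports an LDAP API, so prefer a real symbol such as `ldap_initialize`; and `CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"` together with the `ldap_init(0, 0)` compile test ties the helper to the deprecated OpenLDAP API, which deserves a comment since `ldap_initialize` is also probed in `AC_CHECK_FUNCS`.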
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldap-helper.c.ldap openssh-5.9p1/ldap-helper.c
Jan F. Chadima c870e6
--- openssh-5.9p1/ldap-helper.c.ldap	2011-09-13 11:17:05.527520185 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldap-helper.c	2011-09-13 11:17:05.531521117 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,155 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+#include "log.h"
Jan F. Chadima 69dd72
+#include "misc.h"
Jan F. Chadima 69dd72
+#include "xmalloc.h"
Jan F. Chadima 69dd72
+#include "ldapconf.h"
Jan F. Chadima 69dd72
+#include "ldapbody.h"
Jan F. Chadima 69dd72
+#include <string.h>
Jan F. Chadima 69dd72
+#include <unistd.h>
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static int config_debug = 0;
Jan F. Chadima 69dd72
+int config_exclusive_config_file = 0;
Jan F. Chadima 69dd72
+static char *config_file_name = "/etc/ssh/ldap.conf";
Jan F. Chadima 69dd72
+static char *config_single_user = NULL;
Jan F. Chadima 69dd72
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
Jan F. Chadima 69dd72
+int config_warning_config_file = 0;
Jan F. Chadima 69dd72
+extern char *__progname;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static void
Jan F. Chadima 69dd72
+usage(void)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	fprintf(stderr, "usage: %s [options]\n",
Jan F. Chadima 69dd72
+	    __progname);
Jan F. Chadima 69dd72
+	fprintf(stderr, "Options:\n");
Jan F. Chadima 69dd72
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
Jan F. Chadima 69dd72
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
Jan F. Chadima 69dd72
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
Jan F. Chadima 69dd72
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
Jan F. Chadima 69dd72
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
Jan F. Chadima 69dd72
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
Jan F. Chadima 69dd72
+	exit(1);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Main program for the ssh pka ldap agent.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+main(int ac, char **av)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	int opt;
Jan F. Chadima 69dd72
+	FILE *outfile = NULL;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	__progname = ssh_get_progname(av[0]);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/*
Jan F. Chadima 69dd72
+	 * Initialize option structure to indicate that no values have been
Jan F. Chadima 69dd72
+	 * set.
Jan F. Chadima 69dd72
+	 */
Jan F. Chadima 69dd72
+	initialize_options();
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* Parse command-line arguments. */
Jan F. Chadima 69dd72
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
Jan F. Chadima 69dd72
+		switch (opt) {
Jan F. Chadima 69dd72
+		case 'd':
Jan F. Chadima 69dd72
+			config_debug = 1;
Jan F. Chadima 69dd72
+			break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		case 'e':
Jan F. Chadima 69dd72
+			config_exclusive_config_file = 1;
Jan F. Chadima 69dd72
+			config_warning_config_file = 1;
Jan F. Chadima 69dd72
+			break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		case 'f':
Jan F. Chadima 69dd72
+			config_file_name = optarg;
Jan F. Chadima 69dd72
+			break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		case 's':
Jan F. Chadima 69dd72
+			config_single_user = optarg;
Jan F. Chadima 69dd72
+			outfile = fdopen (dup (fileno (stdout)), "w");
Jan F. Chadima 69dd72
+			break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		case 'v':
Jan F. Chadima 69dd72
+			config_debug = 1;
Jan F. Chadima 69dd72
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
Jan F. Chadima 69dd72
+			    config_verbose++;
Jan F. Chadima 69dd72
+			break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		case 'w':
Jan F. Chadima 69dd72
+			config_warning_config_file = 1;
Jan F. Chadima 69dd72
+			break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		case '?':
Jan F. Chadima 69dd72
+		default:
Jan F. Chadima 69dd72
+			usage();
Jan F. Chadima 69dd72
+			break;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* Initialize loging */
Jan F. Chadima 69dd72
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (ac != optind)
Jan F. Chadima 69dd72
+	    fatal ("illegal extra parameter %s", av[1]);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
Jan F. Chadima 69dd72
+	if (config_debug == 0)
Jan F. Chadima 69dd72
+	    sanitise_stdfd();
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* Read config file */
Jan F. Chadima 69dd72
+	read_config_file(config_file_name);
Jan F. Chadima 69dd72
+	fill_default_options();
Jan F. Chadima 69dd72
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
Jan F. Chadima 69dd72
+		debug3 ("=== Configuration ===");
Jan F. Chadima 69dd72
+		dump_config();
Jan F. Chadima 69dd72
+		debug3 ("=== *** ===");
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	ldap_checkconfig();
Jan F. Chadima 69dd72
+	ldap_do_connect();
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (config_single_user) {
Jan F. Chadima 69dd72
+		process_user (config_single_user, outfile);
Jan F. Chadima 69dd72
+	} else {
Jan F. Chadima 69dd72
+		usage();
Jan F. Chadima 69dd72
+		fatal ("Not yet implemented");
Jan F. Chadima 69dd72
+/* TODO
Jan F. Chadima 69dd72
+ * open unix socket a run the loop on it
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	ldap_do_close();
Jan F. Chadima 69dd72
+	return 0;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/* Ugly hack */
Jan F. Chadima 3b545b
+void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
Jan F. Chadima 69dd72
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
Jan F. Chadima 69dd72
+
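Review bot: the extra-argument check reports the wrong value: `fatal ("illegal extra parameter %s", av[1])` prints the first argument (typically an option such as `-d`) rather than the offending one; use `av[optind]`. Also, `outfile = fdopen (dup (fileno (stdout)), "w")` in the `-s` case is never checked for NULL before being passed to `process_user`, and in the `else` branch `usage()` calls `exit(1)`, so the `fatal ("Not yet implemented")` after it is unreachable. The stub `buffer_get_string`/`buffer_put_string` definitions under `/* Ugly hack */` silently return NULL or drop data if anything reached through `ldapbody.o` and libssh.a ever calls them; a comment naming the link dependency they satisfy would help the next maintainer. Typos in the usage text and comments: `demonize`, `loging`.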
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldap-helper.h.ldap openssh-5.9p1/ldap-helper.h
Jan F. Chadima c870e6
--- openssh-5.9p1/ldap-helper.h.ldap	2011-09-13 11:17:05.619520027 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldap-helper.h	2011-09-13 11:17:05.621522622 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,32 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAP_HELPER_H
Jan F. Chadima 69dd72
+#define LDAP_HELPER_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+extern int config_exclusive_config_file;
Jan F. Chadima 69dd72
+extern int config_warning_config_file;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAP_HELPER_H */
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldap.conf.ldap openssh-5.9p1/ldap.conf
Jan F. Chadima c870e6
--- openssh-5.9p1/ldap.conf.ldap	2011-09-13 11:17:05.697522387 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldap.conf	2011-09-13 11:17:05.699522577 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,88 @@
Jan F. Chadima 69dd72
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# This is the example configuration file for the OpenSSH
Jan F. Chadima 69dd72
+# LDAP backend
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# see ssh-ldap.conf(5)
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# URI with your LDAP server name. This allows to use
Jan F. Chadima 69dd72
+# Unix Domain Sockets to connect to a local LDAP Server.
Jan F. Chadima 69dd72
+#uri ldap://127.0.0.1/
Jan F. Chadima 69dd72
+#uri ldaps://127.0.0.1/   
Jan F. Chadima 69dd72
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
Jan F. Chadima 69dd72
+# Note: %2f encodes the '/' used as directory separator
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# Another way to specify your LDAP server is to provide an
Jan F. Chadima 69dd72
+# host name and the port of our LDAP server. Host name
Jan F. Chadima 69dd72
+# must be resolvable without using LDAP.
Jan F. Chadima 69dd72
+# Multiple hosts may be specified, each separated by a 
Jan F. Chadima 69dd72
+# space. How long nss_ldap takes to failover depends on
Jan F. Chadima 69dd72
+# whether your LDAP client library supports configurable
Jan F. Chadima 69dd72
+# network or connect timeouts (see bind_timelimit).
Jan F. Chadima 69dd72
+#host 127.0.0.1
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# The port.
Jan F. Chadima 69dd72
+# Optional: default is 389.
Jan F. Chadima 69dd72
+#port 389
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# The distinguished name to bind to the server with.
Jan F. Chadima 69dd72
+# Optional: default is to bind anonymously.
Jan F. Chadima 69dd72
+#binddn cn=openssh_keys,dc=example,dc=org
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# The credentials to bind with. 
Jan F. Chadima 69dd72
+# Optional: default is no credential.
Jan F. Chadima 69dd72
+#bindpw TopSecret
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# The distinguished name of the search base.
Jan F. Chadima 69dd72
+#base dc=example,dc=org
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# The LDAP version to use (defaults to 3
Jan F. Chadima 69dd72
+# if supported by client library)
Jan F. Chadima 69dd72
+#ldap_version 3
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# The search scope.
Jan F. Chadima 69dd72
+#scope sub
Jan F. Chadima 69dd72
+#scope one
Jan F. Chadima 69dd72
+#scope base
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# Search timelimit
Jan F. Chadima 69dd72
+#timelimit 30
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# Bind/connect timelimit
Jan F. Chadima 69dd72
+#bind_timelimit 30
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# Reconnect policy: hard (default) will retry connecting to
Jan F. Chadima 69dd72
+# the software with exponential backoff, soft will fail
Jan F. Chadima 69dd72
+# immediately.
Jan F. Chadima 69dd72
+#bind_policy hard
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# SSL setup, may be implied by URI also.
Jan F. Chadima 69dd72
+#ssl no
Jan F. Chadima 69dd72
+#ssl on
Jan F. Chadima 69dd72
+#ssl start_tls
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# OpenLDAP SSL options
Jan F. Chadima 69dd72
+# Require and verify server certificate (yes/no)
Jan F. Chadima 69dd72
+# Default is to use libldap's default behavior, which can be configured in
Jan F. Chadima 69dd72
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
Jan F. Chadima 69dd72
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
Jan F. Chadima 69dd72
+#tls_checkpeer hard
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# CA certificates for server certificate verification
Jan F. Chadima 69dd72
+# At least one of these are required if tls_checkpeer is "yes"
Jan F. Chadima 69dd72
+#tls_cacertfile /etc/ssl/ca.cert
Jan F. Chadima 69dd72
+#tls_cacertdir /etc/pki/tls/certs
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# Seed the PRNG if /dev/urandom is not provided
Jan F. Chadima 69dd72
+#tls_randfile /var/run/egd-pool
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# SSL cipher suite
Jan F. Chadima 69dd72
+# See man ciphers for syntax
Jan F. Chadima 69dd72
+#tls_ciphers TLSv1
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# Client certificate and key
Jan F. Chadima 69dd72
+# Use these, if your server requires client authentication.
Jan F. Chadima 69dd72
+#tls_cert
Jan F. Chadima 69dd72
+#tls_key
Jan F. Chadima 69dd72
+
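Review bot: The tls_checkpeer documentation contradicts its own example: the comment says "(yes/no)" and "At least one of these are required if tls_checkpeer is "yes"", yet the example reads `#tls_checkpeer hard`, and ldapbody.c hands the parsed value straight to LDAP_OPT_X_TLS_REQUIRE_CERT, whose settings are never/allow/try/demand/hard. List the accepted keywords here, and state plainly that leaving the option unset means the system-wide /etc/openldap/ldap.conf `TLS_REQCERT` decides whether the LDAP server's certificate is verified at all, which is the setting that makes `ssl on` / `ssl start_tls` worth anything against a spoofed directory. Two copy-paste remnants from the nss_ldap example config should also go: "How long nss_ldap takes to failover" (this file configures the OpenSSH LDAP helper, not nss_ldap) and "retry connecting to the software" should read "the server"; the retry loop in ldapbody.c sleeps 1 to 4 seconds between at most five retries, which is linear, not "exponential backoff", and `bind_policy soft` fails on the first error. Since `bindpw` is stored in clear text, the file header should say the file must be root-owned and not world-readable. Minor: "an host name and the port of our LDAP server" should be "a host name and the port of your LDAP server".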
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldapbody.c.ldap openssh-5.9p1/ldapbody.c
Jan F. Chadima c870e6
--- openssh-5.9p1/ldapbody.c.ldap	2011-09-13 11:17:05.782571211 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldapbody.c	2011-09-13 11:17:05.785584958 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,494 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+#include "log.h"
Jan F. Chadima 69dd72
+#include "xmalloc.h"
Jan F. Chadima 69dd72
+#include "ldapconf.h"
Jan F. Chadima 69dd72
+#include "ldapmisc.h"
Jan F. Chadima 69dd72
+#include "ldapbody.h"
Jan F. Chadima 69dd72
+#include <stdio.h>
Jan F. Chadima 69dd72
+#include <unistd.h>
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
Jan F. Chadima 69dd72
+#define PUBKEYATTR "sshPublicKey"
Jan F. Chadima 69dd72
+#define LDAP_LOGFILE	"%s/ldap.%d"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static FILE *logfile = NULL;
Jan F. Chadima 69dd72
+static LDAP *ld;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static char *attrs[] = {
Jan F. Chadima 69dd72
+    PUBKEYATTR,
Jan F. Chadima 69dd72
+    NULL
Jan F. Chadima 69dd72
+};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+ldap_checkconfig (void)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_INITIALIZE
Jan F. Chadima 69dd72
+		if (options.host == NULL && options.uri == NULL)
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		if (options.host == NULL)
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+		    fatal ("missing  \"host\" in config file");
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
Jan F. Chadima 69dd72
+static int
Jan F. Chadima 69dd72
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	struct timeval timeout;
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 69dd72
+	LDAPMessage *result;
Jan F. Chadima 69dd72
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
Jan F. Chadima 69dd72
+	if (options.ssl == SSL_START_TLS) {
Jan F. Chadima 69dd72
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
Jan F. Chadima 69dd72
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
Jan F. Chadima 69dd72
+			return LDAP_OPERATIONS_ERROR;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 69dd72
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
Jan F. Chadima 69dd72
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	timeout.tv_sec = options.bind_timelimit;
Jan F. Chadima 69dd72
+	timeout.tv_usec = 0;
Jan F. Chadima 69dd72
+	result = NULL;
Jan F. Chadima 69dd72
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Jan F. Chadima 69dd72
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Jan F. Chadima 69dd72
+		ldap_msgfree (result);
Jan F. Chadima 69dd72
+		return LDAP_OPERATIONS_ERROR;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
Jan F. Chadima 69dd72
+	return rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static int
Jan F. Chadima 69dd72
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	if (freeit)
Jan F. Chadima 69dd72
+	    return LDAP_SUCCESS;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	*whop = strdup (options.binddn);
Jan F. Chadima 69dd72
+	*credp = strdup (options.bindpw);
Jan F. Chadima 69dd72
+	*methodp = LDAP_AUTH_SIMPLE;
Jan F. Chadima 69dd72
+	debug2 ("Doing LDAP rebind for %s", *whop);
Jan F. Chadima 69dd72
+	return LDAP_SUCCESS;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+ldap_do_connect(void)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	int rc, msgid, ld_errno = 0;
Jan F. Chadima 69dd72
+	struct timeval timeout;
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 69dd72
+	int parserc;
Jan F. Chadima 69dd72
+	LDAPMessage *result;
Jan F. Chadima 69dd72
+	LDAPControl **controls;
Jan F. Chadima 69dd72
+	int reconnect = 0;
Jan F. Chadima 69dd72
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug ("LDAP do connect");
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+retry:
Jan F. Chadima 69dd72
+	if (reconnect) {
Jan F. Chadima 69dd72
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
Jan F. Chadima 69dd72
+		if (options.bind_policy == 0 ||
Jan F. Chadima 69dd72
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
Jan F. Chadima 69dd72
+			reconnect > 5)
Jan F. Chadima 69dd72
+			    fatal ("Cannot connect to LDAP server");
Jan F. Chadima 69dd72
+	
Jan F. Chadima 69dd72
+		if (reconnect > 1)
Jan F. Chadima 69dd72
+			sleep (reconnect - 1);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		if (ld != NULL) {
Jan F. Chadima 69dd72
+			ldap_unbind (ld);
Jan F. Chadima 69dd72
+			ld = NULL;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+		logit("reconnecting to LDAP server...");
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (ld == NULL) {
Jan F. Chadima 69dd72
+		int rc;
Jan F. Chadima 69dd72
+		struct timeval tv;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 69dd72
+		if (options.debug > 0) {
Jan F. Chadima 69dd72
+#ifdef LBER_OPT_LOG_PRINT_FILE
Jan F. Chadima 69dd72
+			if (options.logdir) {
Jan F. Chadima 69dd72
+				char *logfilename;
Jan F. Chadima 69dd72
+				int logfilenamelen;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
Jan F. Chadima 69dd72
+				logfilename = xmalloc (logfilenamelen);
Jan F. Chadima 69dd72
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
Jan F. Chadima 69dd72
+				logfilename[logfilenamelen - 1] = 0;
Jan F. Chadima 69dd72
+				if ((logfile = fopen (logfilename, "a")) == NULL)
Jan F. Chadima 69dd72
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
Jan F. Chadima 69dd72
+				debug3 ("LDAP debug into %s", logfilename);
Jan F. Chadima 69dd72
+				xfree (logfilename);
Jan F. Chadima 69dd72
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+			if (options.debug) {
Jan F. Chadima 69dd72
+#ifdef LBER_OPT_DEBUG_LEVEL
Jan F. Chadima 69dd72
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
Jan F. Chadima 69dd72
+#endif /* LBER_OPT_DEBUG_LEVEL */
Jan F. Chadima 69dd72
+#ifdef LDAP_OPT_DEBUG_LEVEL
Jan F. Chadima 3b545b
+				(void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
Jan F. Chadima 69dd72
+#endif /* LDAP_OPT_DEBUG_LEVEL */
Jan F. Chadima 69dd72
+				debug3 ("Set LDAP debug to %d", options.debug);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+#endif /* HAVE_LDAP_SET_OPTION */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		ld = NULL;
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAPSSL_INIT
Jan F. Chadima 69dd72
+		if (options.host != NULL) {
Jan F. Chadima 69dd72
+			if (options.ssl_on == SSL_LDAPS) {
Jan F. Chadima 69dd72
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
Jan F. Chadima 69dd72
+				debug3 ("LDAPssl client init");
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if (options.ssl_on != SSL_OFF) {
Jan F. Chadima 69dd72
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
Jan F. Chadima 69dd72
+				    fatal ("ldapssl_init failed");
Jan F. Chadima 69dd72
+				debug3 ("LDAPssl init");
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+#endif /* HAVE_LDAPSSL_INIT */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		/* continue with opening */
Jan F. Chadima 69dd72
+		if (ld == NULL) {
Jan F. Chadima 69dd72
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
Jan F. Chadima 69dd72
+			/* Some global TLS-specific options need to be set before we create our
Jan F. Chadima 69dd72
+			 * session context, so we set them here. */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
Jan F. Chadima 69dd72
+			/* rand file */
Jan F. Chadima 69dd72
+			if (options.tls_randfile != NULL) {
Jan F. Chadima 69dd72
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
Jan F. Chadima 69dd72
+				    options.tls_randfile)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
Jan F. Chadima 69dd72
+					    ldap_err2string (rc));
Jan F. Chadima 69dd72
+				debug3 ("Set TLS random file %s", options.tls_randfile);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			/* ca cert file */
Jan F. Chadima 69dd72
+			if (options.tls_cacertfile != NULL) {
Jan F. Chadima 69dd72
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
Jan F. Chadima 69dd72
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
Jan F. Chadima 69dd72
+					    ldap_err2string (rc));
Jan F. Chadima 69dd72
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			/* ca cert directory */
Jan F. Chadima 69dd72
+			if (options.tls_cacertdir != NULL) {
Jan F. Chadima 69dd72
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
Jan F. Chadima 69dd72
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
Jan F. Chadima 69dd72
+					    ldap_err2string (rc));
Jan F. Chadima 69dd72
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			/* require cert? */
Jan F. Chadima 69dd72
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
Jan F. Chadima 69dd72
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
Jan F. Chadima 69dd72
+				    ldap_err2string (rc));
Jan F. Chadima 69dd72
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			/* set cipher suite, certificate and private key: */
Jan F. Chadima 69dd72
+			if (options.tls_ciphers != NULL) {
Jan F. Chadima 69dd72
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
Jan F. Chadima 69dd72
+				    options.tls_ciphers)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
Jan F. Chadima 69dd72
+					    ldap_err2string (rc));
Jan F. Chadima 69dd72
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			/* cert file */
Jan F. Chadima 69dd72
+			if (options.tls_cert != NULL) {
Jan F. Chadima 69dd72
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
Jan F. Chadima 69dd72
+				    options.tls_cert)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
Jan F. Chadima 69dd72
+					    ldap_err2string (rc));
Jan F. Chadima 69dd72
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			/* key file */
Jan F. Chadima 69dd72
+			if (options.tls_key != NULL) {
Jan F. Chadima 69dd72
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
Jan F. Chadima 69dd72
+				    options.tls_key)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
Jan F. Chadima 69dd72
+					    ldap_err2string (rc));
Jan F. Chadima 69dd72
+				debug3 ("Set TLS key file %s ", options.tls_key);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_INITIALIZE
Jan F. Chadima 69dd72
+			if (options.uri != NULL) {
Jan F. Chadima 69dd72
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
Jan F. Chadima 69dd72
+				debug3 ("LDAP initialize %s", options.uri);
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+#endif /* HAVE_LDAP_INTITIALIZE */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		/* continue with opening */
Jan F. Chadima 69dd72
+		if ((ld == NULL) && (options.host != NULL)) {
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_INIT
Jan F. Chadima 69dd72
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
Jan F. Chadima 69dd72
+			    fatal ("ldap_init failed");
Jan F. Chadima 69dd72
+			debug3 ("LDAP init %s:%d", options.host, options.port);
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
Jan F. Chadima 69dd72
+			    fatal ("ldap_open failed");
Jan F. Chadima 69dd72
+			debug3 ("LDAP open %s:%d", options.host, options.port);
Jan F. Chadima 69dd72
+#endif /* HAVE_LDAP_INIT */
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		if (ld == NULL)
Jan F. Chadima 69dd72
+			fatal ("no way to open ldap");
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
Jan F. Chadima 69dd72
+		if (options.ssl == SSL_LDAPS) {
Jan F. Chadima 69dd72
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
Jan F. Chadima 69dd72
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+#endif /* LDAP_OPT_X_TLS */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
Jan F. Chadima 69dd72
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Jan F. Chadima 69dd72
+		    &options.ldap_version);
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_version = options.ldap_version;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+		debug3 ("LDAP set version to %d", options.ldap_version);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if LDAP_SET_REBIND_PROC_ARGS == 3
Jan F. Chadima 69dd72
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
Jan F. Chadima 69dd72
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
Jan F. Chadima 69dd72
+		ldap_set_rebind_proc (ld, _rebind_proc);
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+		debug3 ("LDAP set rebind proc");
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
Jan F. Chadima 69dd72
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_deref = options.deref;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+		debug3 ("LDAP set deref to %d", options.deref);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
Jan F. Chadima 69dd72
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
Jan F. Chadima 69dd72
+		    &options.timelimit);
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_timelimit = options.timelimit;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
Jan F. Chadima 69dd72
+		/*
Jan F. Chadima 69dd72
+		 * This is a new option in the Netscape SDK which sets 
Jan F. Chadima 69dd72
+		 * the TCP connect timeout. For want of a better value,
Jan F. Chadima 69dd72
+		 * we use the bind_timelimit to control this.
Jan F. Chadima 69dd72
+		 */
Jan F. Chadima 69dd72
+		timeout = options.bind_timelimit * 1000;
Jan F. Chadima 69dd72
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
Jan F. Chadima 69dd72
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
Jan F. Chadima 69dd72
+		tv.tv_sec = options.bind_timelimit;
Jan F. Chadima 69dd72
+		tv.tv_usec = 0;
Jan F. Chadima 69dd72
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
Jan F. Chadima 69dd72
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
Jan F. Chadima 69dd72
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
Jan F. Chadima 69dd72
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
Jan F. Chadima 69dd72
+		debug3 ("LDAP set referrals to %d", options.referrals);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
Jan F. Chadima 69dd72
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
Jan F. Chadima 69dd72
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
Jan F. Chadima 69dd72
+		debug3 ("LDAP set restart to %d", options.restart);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_START_TLS_S
Jan F. Chadima 69dd72
+		if (options.ssl == SSL_START_TLS) {
Jan F. Chadima 69dd72
+			int version;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
Jan F. Chadima 69dd72
+			    == LDAP_SUCCESS) {
Jan F. Chadima 69dd72
+				if (version < LDAP_VERSION3) {
Jan F. Chadima 69dd72
+					version = LDAP_VERSION3;
Jan F. Chadima 69dd72
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Jan F. Chadima 69dd72
+					    &version);
Jan F. Chadima 69dd72
+					debug3 ("LDAP set version to %d", version);
Jan F. Chadima 69dd72
+				}
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
Jan F. Chadima 69dd72
+			debug3 ("LDAP start TLS");
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+#endif /* HAVE_LDAP_START_TLS_S */
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
Jan F. Chadima 69dd72
+	    options.bindpw)) == -1) {
Jan F. Chadima 69dd72
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
Jan F. Chadima 69dd72
+		reconnect++;
Jan F. Chadima 69dd72
+		goto retry;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+	debug3 ("LDAP simple bind (%s)", options.binddn);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	timeout.tv_sec = options.bind_timelimit;
Jan F. Chadima 69dd72
+	timeout.tv_usec = 0;
Jan F. Chadima 69dd72
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Jan F. Chadima 69dd72
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		error ("ldap_result %s", ldap_err2string (ld_errno));
Jan F. Chadima 69dd72
+		reconnect++;
Jan F. Chadima 69dd72
+		goto retry;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+	debug3 ("LDAP result in time");
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 69dd72
+	controls = NULL;
Jan F. Chadima 69dd72
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
Jan F. Chadima 69dd72
+	debug3 ("LDAP parse result OK");
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (controls != NULL) {
Jan F. Chadima 69dd72
+		ldap_controls_free (controls);
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	rc = ldap_result2error (session->ld, result, TRUE);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	if (rc != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    fatal ("error trying to bind as user \"%s\" (%s)",
Jan F. Chadima 69dd72
+		options.binddn, ldap_err2string (rc));
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug2 ("LDAP do connect OK");
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+process_user (const char *user, FILE *output)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	LDAPMessage *res, *e;
Jan F. Chadima 69dd72
+	char *buffer;
Jan F. Chadima 69dd72
+	int bufflen, rc, i;
Jan F. Chadima 69dd72
+	struct timeval timeout;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug ("LDAP process user");
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* quick check for attempts to be evil */
Jan F. Chadima 69dd72
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
Jan F. Chadima 69dd72
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
Jan F. Chadima 69dd72
+		logit ("illegal user name %s not processed", user);
Jan F. Chadima 69dd72
+		return;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* build  filter for LDAP request */
Jan F. Chadima 69dd72
+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
Jan F. Chadima 69dd72
+	if (options.ssh_filter != NULL)
Jan F. Chadima 69dd72
+	    bufflen += strlen (options.ssh_filter);
Jan F. Chadima 69dd72
+	buffer = xmalloc (bufflen);
Jan F. Chadima 69dd72
+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
Jan F. Chadima 69dd72
+	buffer[bufflen - 1] = 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	timeout.tv_sec = options.timelimit;
Jan F. Chadima 69dd72
+	timeout.tv_usec = 0;
Jan F. Chadima 69dd72
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
Jan F. Chadima 69dd72
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
Jan F. Chadima 69dd72
+		xfree (buffer);
Jan F. Chadima 69dd72
+		return;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* free */
Jan F. Chadima 69dd72
+	xfree (buffer);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
Jan F. Chadima 69dd72
+		int num;
Jan F. Chadima 69dd72
+		struct berval **keys;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
Jan F. Chadima 69dd72
+		num = ldap_count_values_len(keys);
Jan F. Chadima 69dd72
+		for (i = 0 ; i < num ; i++) {
Jan F. Chadima 69dd72
+			char *cp; //, *options = NULL;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
Jan F. Chadima 69dd72
+			if (!*cp || *cp == '\n' || *cp == '#')
Jan F. Chadima 69dd72
+			    continue;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			/* We have found the desired key. */
Jan F. Chadima 69dd72
+			fprintf (output, "%s\n", keys[i]->bv_val);
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		ldap_value_free_len(keys);
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	ldap_msgfree(res);
Jan F. Chadima 69dd72
+	debug2 ("LDAP process user finished");
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+ldap_do_close(void)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug ("LDAP do close");
Jan F. Chadima 69dd72
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    fatal ("ldap_unbind_ext: %s",
Jan F. Chadima 69dd72
+                                    ldap_err2string (rc));
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	ld = NULL;
Jan F. Chadima 69dd72
+	debug2 ("LDAP do close OK");
Jan F. Chadima 69dd72
+	return;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
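Review bot: The non-OpenLDAP compile paths in ldap_do_connect() cannot build as written: `result` and `reconnect` are declared only under `#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)` but are used unconditionally (`if (reconnect)` at the top of the retry loop and `ldap_result (ld, msgid, FALSE, &timeout, &result)` after the bind), the `#else` branch calls `ldap_result2error (session->ld, result, TRUE)` although no `session` exists in this file, and `timeout = options.bind_timelimit * 1000` assigns an int to a `struct timeval` in the LDAP_X_OPT_CONNECT_TIMEOUT block. Either hoist the declarations and use `ld`, or drop the dead branches and require the OpenLDAP API; the HAVE_LDAPSSL_INIT block also uses `options.ssl_on` and `options.sslpath` while the rest of the file uses `options.ssl`, so confirm both fields exist in ldapconf.h or unify the names. The LDAP_OPT_NETWORK_TIMEOUT line is shown as `&tv;;`, which is not valid C; if that is a rendering artifact of `&tv);` confirm it, otherwise fix it. In _rebind_proc() the result of ldap_simple_bind() is discarded and ldap_result() is then called with the `msgid` parameter of the request that triggered the rebind, not the bind's own message id; the bind response is never parsed, so a rebind that fails with a non-zero resultCode is treated as success, and the function returns the message type from ldap_result() rather than an LDAP result code, and it calls fatal() on ldap_simple_bind() failure instead of returning an error to libldap. In process_user(), `snprintf(..., LDAPSEARCH_FORMAT, user, ... ? options.ssh_filter : NULL)` passes NULL for a `%s` conversion whenever ssh_filter is unset, which is undefined behaviour (glibc prints "(null)", producing a filter the server will most likely reject); use `""`. The injection check only block-lists `(`, `)`, `*` and `\`; escaping the user name per RFC 4515 (or rejecting anything outside the characters sshd accepts in a login name) is safer, and ssh_filter should be documented as needing to be a complete parenthesised filter component because it is spliced verbatim into the `(&...)` conjunction. Passing `&options.tls_checkpeer` to LDAP_OPT_X_TLS conflates "require TLS" with "verify the peer"; nss_ldap passes LDAP_OPT_X_TLS_HARD there. The debug log opened from options.logdir is created with the process umask, and libldap's debug output at high levels includes BER dumps of the bind request, so the `bindpw` value can end up in that file; document that logdir must be root-only. Smaller points: the error strings say "ldap_starttls_s" for ldap_start_tls_s(), "succesfull" is misspelled, "missing  \"host\"" has a double space, and ldap_do_connect() uses the deprecated ldap_unbind() while ldap_do_close() uses ldap_unbind_ext().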
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldapbody.h.ldap openssh-5.9p1/ldapbody.h
Jan F. Chadima c870e6
--- openssh-5.9p1/ldapbody.h.ldap	2011-09-13 11:17:05.861522789 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldapbody.h	2011-09-13 11:17:05.863522010 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,37 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPBODY_H
Jan F. Chadima 69dd72
+#define LDAPBODY_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include <stdio.h>
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void ldap_checkconfig(void);
Jan F. Chadima 69dd72
+void ldap_do_connect(void);
Jan F. Chadima 69dd72
+void process_user(const char *, FILE *);
Jan F. Chadima 69dd72
+void ldap_do_close(void);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPBODY_H */
Jan F. Chadima 69dd72
+
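Review bot: the prototypes carry no parameter names, so `process_user(const char *, FILE *)` gives no hint that the first argument is the account name and the second the stream the keys are written to; name the parameters and add a one-line comment per function. The `$OpenBSD: ldapbody.h,v 1.1 ...$` tag is out of place in a file that never went through the OpenBSD tree, and the file ends with a stray blank line after `#endif /* LDAPBODY_H */`.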
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldapconf.c.ldap openssh-5.9p1/ldapconf.c
Jan F. Chadima c870e6
--- openssh-5.9p1/ldapconf.c.ldap	2011-09-13 11:17:05.937548294 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldapconf.c	2011-09-13 11:17:05.941547073 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,682 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+#include "ldap-helper.h"
Jan F. Chadima 69dd72
+#include "log.h"
Jan F. Chadima 69dd72
+#include "misc.h"
Jan F. Chadima 69dd72
+#include "xmalloc.h"
Jan F. Chadima 69dd72
+#include "ldapconf.h"
Jan F. Chadima 69dd72
+#include <unistd.h>
Jan F. Chadima 69dd72
+#include <string.h>
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/* Keyword tokens. */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+typedef enum {
Jan F. Chadima 69dd72
+	lBadOption,
Jan F. Chadima 69dd72
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
Jan F. Chadima 69dd72
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
Jan F. Chadima 69dd72
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
Jan F. Chadima 69dd72
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
Jan F. Chadima 69dd72
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
Jan F. Chadima 69dd72
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
Jan F. Chadima 69dd72
+	lDeprecated, lUnsupported
Jan F. Chadima 69dd72
+} OpCodes;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/* Textual representations of the tokens. */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static struct {
Jan F. Chadima 69dd72
+	const char *name;
Jan F. Chadima 69dd72
+	OpCodes opcode;
Jan F. Chadima 69dd72
+} keywords[] = {
Jan F. Chadima 69dd72
+	{ "URI", lURI },
Jan F. Chadima 69dd72
+	{ "Base", lBase },
Jan F. Chadima 69dd72
+	{ "BindDN", lBindDN },
Jan F. Chadima 69dd72
+	{ "BindPW", lBindPW },
Jan F. Chadima 69dd72
+	{ "RootBindDN", lRootBindDN },
Jan F. Chadima 69dd72
+	{ "Host", lHost },
Jan F. Chadima 69dd72
+	{ "Port", lPort },
Jan F. Chadima 69dd72
+	{ "Scope", lScope },
Jan F. Chadima 69dd72
+	{ "Deref", lDeref },
Jan F. Chadima 69dd72
+	{ "TimeLimit", lTimeLimit },
Jan F. Chadima 69dd72
+	{ "TimeOut", lTimeLimit },
Jan F. Chadima 69dd72
+	{ "Bind_Timelimit", lBind_TimeLimit },
Jan F. Chadima 69dd72
+	{ "Network_TimeOut", lBind_TimeLimit },
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Todo
Jan F. Chadima 69dd72
+ * SIZELIMIT
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+	{ "Ldap_Version", lLdap_Version },
Jan F. Chadima 69dd72
+	{ "Version", lLdap_Version },
Jan F. Chadima 69dd72
+	{ "Bind_Policy", lBind_Policy },
Jan F. Chadima 69dd72
+	{ "SSLPath", lSSLPath },
Jan F. Chadima 69dd72
+	{ "SSL", lSSL },
Jan F. Chadima 69dd72
+	{ "Referrals", lReferrals },
Jan F. Chadima 69dd72
+	{ "Restart", lRestart },
Jan F. Chadima 69dd72
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
Jan F. Chadima 69dd72
+	{ "TLS_ReqCert", lTLS_CheckPeer },
Jan F. Chadima 69dd72
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
Jan F. Chadima 69dd72
+	{ "TLS_CaCert", lTLS_CaCertFile },
Jan F. Chadima 69dd72
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
Jan F. Chadima 69dd72
+	{ "TLS_Ciphers", lTLS_Ciphers },
Jan F. Chadima 69dd72
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
Jan F. Chadima 69dd72
+	{ "TLS_Cert", lTLS_Cert },
Jan F. Chadima 69dd72
+	{ "TLS_Certificate", lTLS_Cert },
Jan F. Chadima 69dd72
+	{ "TLS_Key", lTLS_Key },
Jan F. Chadima 69dd72
+	{ "TLS_RandFile", lTLS_RandFile },
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Todo
Jan F. Chadima 69dd72
+ * TLS_CRLCHECK
Jan F. Chadima 69dd72
+ * TLS_CRLFILE
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+	{ "LogDir", lLogDir },
Jan F. Chadima 69dd72
+	{ "Debug", lDebug },
Jan F. Chadima 69dd72
+	{ "SSH_Filter", lSSH_Filter },
Jan F. Chadima 69dd72
+	{ NULL, lBadOption }
Jan F. Chadima 69dd72
+};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/* Configuration ptions. */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+Options options;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Returns the number of the token pointed to by cp or oBadOption.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static OpCodes
Jan F. Chadima 69dd72
+parse_token(const char *cp, const char *filename, int linenum)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	u_int i;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	for (i = 0; keywords[i].name; i++)
Jan F. Chadima 69dd72
+		if (strcasecmp(cp, keywords[i].name) == 0)
Jan F. Chadima 69dd72
+			return keywords[i].opcode;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (config_warning_config_file) 
Jan F. Chadima 69dd72
+	    logit("%s: line %d: Bad configuration option: %s",
Jan F. Chadima 69dd72
+		filename, linenum, cp);
Jan F. Chadima 69dd72
+	return lBadOption;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Processes a single option line as used in the configuration files. This
Jan F. Chadima 69dd72
+ * only sets those values that have not already been set.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static int
Jan F. Chadima 69dd72
+process_config_line(char *line, const char *filename, int linenum)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
Jan F. Chadima 69dd72
+	char *rootbinddn = NULL;
Jan F. Chadima 69dd72
+	int opcode, *intptr, value;
Jan F. Chadima 69dd72
+	size_t len;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* Strip trailing whitespace */
Jan F. Chadima 69dd72
+	for (len = strlen(line) - 1; len > 0; len--) {
Jan F. Chadima 69dd72
+		if (strchr(WHITESPACE, line[len]) == NULL)
Jan F. Chadima 69dd72
+			break;
Jan F. Chadima 69dd72
+		line[len] = '\0';
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	s = line;
Jan F. Chadima 69dd72
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
Jan F. Chadima 69dd72
+	if ((keyword = strdelim(&s)) == NULL)
Jan F. Chadima 69dd72
+		return 0;
Jan F. Chadima 69dd72
+	/* Ignore leading whitespace. */
Jan F. Chadima 69dd72
+	if (*keyword == '\0')
Jan F. Chadima 69dd72
+		keyword = strdelim(&s);
Jan F. Chadima 69dd72
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
Jan F. Chadima 69dd72
+		return 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	opcode = parse_token(keyword, filename, linenum);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	switch (opcode) {
Jan F. Chadima 69dd72
+	case lBadOption:
Jan F. Chadima 69dd72
+		/* don't panic, but count bad options */
Jan F. Chadima 69dd72
+		return -1;
Jan F. Chadima 69dd72
+		/* NOTREACHED */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lHost:
Jan F. Chadima 69dd72
+		xstringptr = &options.host;
Jan F. Chadima 69dd72
+parse_xstring:
Jan F. Chadima 69dd72
+		if (!s || *s == '\0')
Jan F. Chadima 69dd72
+		    fatal("%s line %d: missing dn",filename,linenum);
Jan F. Chadima 69dd72
+		if (*xstringptr == NULL)
Jan F. Chadima 69dd72
+		    *xstringptr = xstrdup(s);
Jan F. Chadima 69dd72
+		return 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lURI:
Jan F. Chadima 69dd72
+		xstringptr = &options.uri;
Jan F. Chadima 69dd72
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lBase:
Jan F. Chadima 69dd72
+		xstringptr = &options.base;
Jan F. Chadima 69dd72
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lBindDN:
Jan F. Chadima 69dd72
+		xstringptr = &options.binddn;
Jan F. Chadima 69dd72
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lBindPW:
Jan F. Chadima 69dd72
+		charptr = &options.bindpw;
Jan F. Chadima 69dd72
+parse_string:
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Jan F. Chadima 69dd72
+		if (*charptr == NULL)
Jan F. Chadima 69dd72
+			*charptr = xstrdup(arg);
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lRootBindDN:
Jan F. Chadima 69dd72
+		xstringptr = &rootbinddn;
Jan F. Chadima 69dd72
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lScope:
Jan F. Chadima 69dd72
+		intptr = &options.scope;
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
Jan F. Chadima 69dd72
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 69dd72
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
Jan F. Chadima 69dd72
+			value = LDAP_SCOPE_SUBTREE;
Jan F. Chadima 69dd72
+		else if (strcasecmp (arg, "one") == 0)
Jan F. Chadima 69dd72
+			value = LDAP_SCOPE_ONELEVEL;
Jan F. Chadima 69dd72
+		else if (strcasecmp (arg, "base") == 0)
Jan F. Chadima 69dd72
+			value = LDAP_SCOPE_BASE;
Jan F. Chadima 69dd72
+		else
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
Jan F. Chadima 69dd72
+		if (*intptr == -1)
Jan F. Chadima 69dd72
+			*intptr = value;
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lDeref:
Jan F. Chadima 69dd72
+		intptr = &options.scope;
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
Jan F. Chadima 69dd72
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 69dd72
+		if (!strcasecmp (arg, "never"))
Jan F. Chadima 69dd72
+			value = LDAP_DEREF_NEVER;
Jan F. Chadima 69dd72
+		else if (!strcasecmp (arg, "searching"))
Jan F. Chadima 69dd72
+			value = LDAP_DEREF_SEARCHING;
Jan F. Chadima 69dd72
+		else if (!strcasecmp (arg, "finding"))
Jan F. Chadima 69dd72
+			value = LDAP_DEREF_FINDING;
Jan F. Chadima 69dd72
+		else if (!strcasecmp (arg, "always"))
Jan F. Chadima 69dd72
+			value = LDAP_DEREF_ALWAYS;
Jan F. Chadima 69dd72
+		else
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
Jan F. Chadima 69dd72
+		if (*intptr == -1)
Jan F. Chadima 69dd72
+			*intptr = value;
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lPort:
Jan F. Chadima 69dd72
+		intptr = &options.port;
Jan F. Chadima 69dd72
+parse_int:
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Jan F. Chadima 69dd72
+		if (arg[0] < '0' || arg[0] > '9')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		/* Octal, decimal, or hex format? */
Jan F. Chadima 69dd72
+		value = strtol(arg, &endofnumber, 0);
Jan F. Chadima 69dd72
+		if (arg == endofnumber)
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 69dd72
+		if (*intptr == -1)
Jan F. Chadima 69dd72
+			*intptr = value;
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lTimeLimit:
Jan F. Chadima 69dd72
+		intptr = &options.timelimit;
Jan F. Chadima 69dd72
+parse_time:
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%s line %d: missing time value.",
Jan F. Chadima 69dd72
+			    filename, linenum);
Jan F. Chadima 69dd72
+		if ((value = convtime(arg)) == -1)
Jan F. Chadima 69dd72
+			fatal("%s line %d: invalid time value.",
Jan F. Chadima 69dd72
+			    filename, linenum);
Jan F. Chadima 69dd72
+		if (*intptr == -1)
Jan F. Chadima 69dd72
+			*intptr = value;
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lBind_TimeLimit:
Jan F. Chadima 69dd72
+		intptr = &options.bind_timelimit;
Jan F. Chadima 69dd72
+		goto parse_time;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lLdap_Version:
Jan F. Chadima 69dd72
+		intptr = &options.ldap_version;
Jan F. Chadima 69dd72
+		goto parse_int;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lBind_Policy:
Jan F. Chadima 69dd72
+		intptr = &options.bind_policy;
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
Jan F. Chadima 69dd72
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 69dd72
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
Jan F. Chadima 69dd72
+			value = 1;
Jan F. Chadima 69dd72
+		else if (strcasecmp(arg, "soft") == 0)
Jan F. Chadima 69dd72
+			value = 0;
Jan F. Chadima 69dd72
+		else
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
Jan F. Chadima 69dd72
+		if (*intptr == -1)
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lSSLPath:
Jan F. Chadima 69dd72
+		charptr = &options.sslpath;
Jan F. Chadima 69dd72
+		goto parse_string;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lSSL:
Jan F. Chadima 69dd72
+		intptr = &options.ssl;
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
Jan F. Chadima 69dd72
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 69dd72
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 69dd72
+			value = SSL_LDAPS;
Jan F. Chadima 69dd72
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 69dd72
+			value = SSL_OFF;
Jan F. Chadima 69dd72
+		else if (!strcasecmp (arg, "start_tls"))
Jan F. Chadima 69dd72
+			value = SSL_START_TLS;
Jan F. Chadima 69dd72
+		else
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
Jan F. Chadima 69dd72
+		if (*intptr == -1)
Jan F. Chadima 69dd72
+			*intptr = value;
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lReferrals:
Jan F. Chadima 69dd72
+		intptr = &options.referrals;
Jan F. Chadima 69dd72
+parse_flag:
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
Jan F. Chadima 69dd72
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 69dd72
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 69dd72
+			value = 1;
Jan F. Chadima 69dd72
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 69dd72
+			value = 0;
Jan F. Chadima 69dd72
+		else
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
Jan F. Chadima 69dd72
+		if (*intptr == -1)
Jan F. Chadima 69dd72
+			*intptr = value;
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lRestart:
Jan F. Chadima 69dd72
+		intptr = &options.restart;
Jan F. Chadima 69dd72
+		goto parse_flag;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lTLS_CheckPeer:
Jan F. Chadima 69dd72
+		intptr = &options.tls_checkpeer;
Jan F. Chadima 69dd72
+		arg = strdelim(&s);
Jan F. Chadima 69dd72
+		if (!arg || *arg == '\0')
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
Jan F. Chadima 69dd72
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 69dd72
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 69dd72
+			value = LDAP_OPT_X_TLS_NEVER;
Jan F. Chadima 69dd72
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 69dd72
+			value = LDAP_OPT_X_TLS_HARD;
Jan F. Chadima 69dd72
+		else if (strcasecmp(arg, "demand") == 0)
Jan F. Chadima 69dd72
+			value = LDAP_OPT_X_TLS_DEMAND;
Jan F. Chadima 69dd72
+		else if (strcasecmp(arg, "allow") == 0)
Jan F. Chadima 69dd72
+			value = LDAP_OPT_X_TLS_ALLOW;
Jan F. Chadima 69dd72
+		else if (strcasecmp(arg, "try") == 0)
Jan F. Chadima 69dd72
+			value = LDAP_OPT_X_TLS_TRY;
Jan F. Chadima 69dd72
+		else
Jan F. Chadima 69dd72
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
Jan F. Chadima 69dd72
+		if (*intptr == -1)
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lTLS_CaCertFile:
Jan F. Chadima 69dd72
+		charptr = &options.tls_cacertfile;
Jan F. Chadima 69dd72
+		goto parse_string;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lTLS_CaCertDir:
Jan F. Chadima 69dd72
+		charptr = &options.tls_cacertdir;
Jan F. Chadima 69dd72
+		goto parse_string;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lTLS_Ciphers:
Jan F. Chadima 69dd72
+		xstringptr = &options.tls_ciphers;
Jan F. Chadima 69dd72
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lTLS_Cert:
Jan F. Chadima 69dd72
+		charptr = &options.tls_cert;
Jan F. Chadima 69dd72
+		goto parse_string;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lTLS_Key:
Jan F. Chadima 69dd72
+		charptr = &options.tls_key;
Jan F. Chadima 69dd72
+		goto parse_string;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lTLS_RandFile:
Jan F. Chadima 69dd72
+		charptr = &options.tls_randfile;
Jan F. Chadima 69dd72
+		goto parse_string;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lLogDir:
Jan F. Chadima 69dd72
+		charptr = &options.logdir;
Jan F. Chadima 69dd72
+		goto parse_string;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lDebug:
Jan F. Chadima 69dd72
+		intptr = &options.debug;
Jan F. Chadima 69dd72
+		goto parse_int;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lSSH_Filter:
Jan F. Chadima 69dd72
+		xstringptr = &options.ssh_filter;
Jan F. Chadima 69dd72
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lDeprecated:
Jan F. Chadima 69dd72
+		debug("%s line %d: Deprecated option \"%s\"",
Jan F. Chadima 69dd72
+		    filename, linenum, keyword);
Jan F. Chadima 69dd72
+		return 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	case lUnsupported:
Jan F. Chadima 69dd72
+		error("%s line %d: Unsupported option \"%s\"",
Jan F. Chadima 69dd72
+		    filename, linenum, keyword);
Jan F. Chadima 69dd72
+		return 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	default:
Jan F. Chadima 69dd72
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/* Check that there is no garbage at end of line. */
Jan F. Chadima 69dd72
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
Jan F. Chadima 69dd72
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
Jan F. Chadima 69dd72
+		    filename, linenum, arg);
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+	return 0;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Reads the config file and modifies the options accordingly.  Options
Jan F. Chadima 69dd72
+ * should already be initialized before this call.  This never returns if
Jan F. Chadima 69dd72
+ * there is an error.  If the file does not exist, this returns 0.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+read_config_file(const char *filename)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	FILE *f;
Jan F. Chadima 69dd72
+	char line[1024];
Jan F. Chadima 69dd72
+	int active, linenum;
Jan F. Chadima 69dd72
+	int bad_options = 0;
Jan F. Chadima 69dd72
+	struct stat sb;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if ((f = fopen(filename, "r")) == NULL)
Jan F. Chadima 69dd72
+		fatal("fopen %s: %s", filename, strerror(errno));
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (fstat(fileno(f), &sb) == -1)
Jan F. Chadima 69dd72
+		fatal("fstat %s: %s", filename, strerror(errno));
Jan F. Chadima 69dd72
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
Jan F. Chadima 69dd72
+	    (sb.st_mode & 022) != 0))
Jan F. Chadima 69dd72
+		fatal("Bad owner or permissions on %s", filename);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	debug("Reading configuration data %.200s", filename);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	/*
Jan F. Chadima 69dd72
+	 * Mark that we are now processing the options.  This flag is turned
Jan F. Chadima 69dd72
+	 * on/off by Host specifications.
Jan F. Chadima 69dd72
+	 */
Jan F. Chadima 69dd72
+	active = 1;
Jan F. Chadima 69dd72
+	linenum = 0;
Jan F. Chadima 69dd72
+	while (fgets(line, sizeof(line), f)) {
Jan F. Chadima 69dd72
+		/* Update line number counter. */
Jan F. Chadima 69dd72
+		linenum++;
Jan F. Chadima 69dd72
+		if (process_config_line(line, filename, linenum) != 0)
Jan F. Chadima 69dd72
+			bad_options++;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+	fclose(f);
Jan F. Chadima 69dd72
+	if ((bad_options > 0) && config_exclusive_config_file) 
Jan F. Chadima 69dd72
+		fatal("%s: terminating, %d bad configuration options",
Jan F. Chadima 69dd72
+		    filename, bad_options);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Initializes options to special values that indicate that they have not yet
Jan F. Chadima 69dd72
+ * been set.  Read_config_file will only set options with this value. Options
Jan F. Chadima 69dd72
+ * are processed in the following order: command line, user config file,
Jan F. Chadima 69dd72
+ * system config file.  Last, fill_default_options is called.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+initialize_options(void)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	memset(&options, 'X', sizeof(options));
Jan F. Chadima 69dd72
+	options.host = NULL;
Jan F. Chadima 69dd72
+	options.uri = NULL;
Jan F. Chadima 69dd72
+	options.base = NULL;
Jan F. Chadima 69dd72
+	options.binddn = NULL;
Jan F. Chadima 69dd72
+	options.bindpw = NULL;
Jan F. Chadima 69dd72
+	options.scope = -1;
Jan F. Chadima 69dd72
+	options.deref = -1;
Jan F. Chadima 69dd72
+	options.port = -1;
Jan F. Chadima 69dd72
+	options.timelimit = -1;
Jan F. Chadima 69dd72
+	options.bind_timelimit = -1;
Jan F. Chadima 69dd72
+	options.ldap_version = -1;
Jan F. Chadima 69dd72
+	options.bind_policy = -1;
Jan F. Chadima 69dd72
+	options.sslpath = NULL;
Jan F. Chadima 69dd72
+	options.ssl = -1;
Jan F. Chadima 69dd72
+	options.referrals = -1;
Jan F. Chadima 69dd72
+	options.restart = -1;
Jan F. Chadima 69dd72
+	options.tls_checkpeer = -1;
Jan F. Chadima 69dd72
+	options.tls_cacertfile = NULL;
Jan F. Chadima 69dd72
+	options.tls_cacertdir = NULL;
Jan F. Chadima 69dd72
+	options.tls_ciphers = NULL;
Jan F. Chadima 69dd72
+	options.tls_cert = NULL;
Jan F. Chadima 69dd72
+	options.tls_key = NULL;
Jan F. Chadima 69dd72
+	options.tls_randfile = NULL;
Jan F. Chadima 69dd72
+	options.logdir = NULL;
Jan F. Chadima 69dd72
+	options.debug = -1;
Jan F. Chadima 69dd72
+	options.ssh_filter = NULL;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Called after processing other sources of option data, this fills those
Jan F. Chadima 69dd72
+ * options for which no value has been specified with their default values.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+fill_default_options(void)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	if (options.uri != NULL) {
Jan F. Chadima 69dd72
+		LDAPURLDesc *ludp;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
Jan F. Chadima 69dd72
+			if (options.ssl == -1) {
Jan F. Chadima 69dd72
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
Jan F. Chadima 69dd72
+				    options.ssl = 2;
Jan F. Chadima 69dd72
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
Jan F. Chadima 69dd72
+				    options.ssl = 0;
Jan F. Chadima 69dd72
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
Jan F. Chadima 69dd72
+				    options.ssl = 1;
Jan F. Chadima 69dd72
+			}
Jan F. Chadima 69dd72
+			if (options.host == NULL)
Jan F. Chadima 69dd72
+			    options.host = xstrdup (ludp->lud_host);
Jan F. Chadima 69dd72
+			if (options.port == -1)
Jan F. Chadima 69dd72
+			    options.port = ludp->lud_port;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+			ldap_free_urldesc (ludp);
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+	} 
Jan F. Chadima 69dd72
+	if (options.ssl == -1)
Jan F. Chadima 69dd72
+	    options.ssl = SSL_START_TLS;
Jan F. Chadima 69dd72
+	if (options.port == -1)
Jan F. Chadima 69dd72
+	    options.port = (options.ssl == 0) ? 389 : 636;
Jan F. Chadima 69dd72
+	if (options.uri == NULL) {
Jan F. Chadima 69dd72
+		int len;
Jan F. Chadima 69dd72
+#define MAXURILEN 4096
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+		options.uri = xmalloc (MAXURILEN);
Jan F. Chadima 69dd72
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
Jan F. Chadima 69dd72
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
Jan F. Chadima 69dd72
+		options.uri[MAXURILEN - 1] = 0;
Jan F. Chadima 69dd72
+		options.uri = xrealloc (options.uri, len + 1, 1);
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+	if (options.binddn == NULL)
Jan F. Chadima 69dd72
+	    options.binddn = "";
Jan F. Chadima 69dd72
+	if (options.bindpw == NULL)
Jan F. Chadima 69dd72
+	    options.bindpw = "";
Jan F. Chadima 69dd72
+	if (options.scope == -1)
Jan F. Chadima 69dd72
+	    options.scope = LDAP_SCOPE_SUBTREE;
Jan F. Chadima 69dd72
+	if (options.deref == -1)
Jan F. Chadima 69dd72
+	    options.deref = LDAP_DEREF_NEVER;
Jan F. Chadima 69dd72
+	if (options.timelimit == -1)
Jan F. Chadima 69dd72
+	    options.timelimit = 10;
Jan F. Chadima 69dd72
+	if (options.bind_timelimit == -1)
Jan F. Chadima 69dd72
+	    options.bind_timelimit = 10;
Jan F. Chadima 69dd72
+	if (options.ldap_version == -1)
Jan F. Chadima 69dd72
+	    options.ldap_version = 3;
Jan F. Chadima 69dd72
+	if (options.bind_policy == -1)
Jan F. Chadima 69dd72
+	    options.bind_policy = 1;
Jan F. Chadima 69dd72
+	if (options.referrals == -1)
Jan F. Chadima 69dd72
+	    options.referrals = 1;
Jan F. Chadima 69dd72
+	if (options.restart == -1)
Jan F. Chadima 69dd72
+	    options.restart = 1;
Jan F. Chadima 69dd72
+	if (options.tls_checkpeer == -1)
Jan F. Chadima 69dd72
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
Jan F. Chadima 69dd72
+	if (options.debug == -1)
Jan F. Chadima 69dd72
+	    options.debug = 0;
Jan F. Chadima 69dd72
+	if (options.ssh_filter == NULL)
Jan F. Chadima 69dd72
+	    options.ssh_filter = "";
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static const char *
Jan F. Chadima 69dd72
+lookup_opcode_name(OpCodes code)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	u_int i;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	for (i = 0; keywords[i].name != NULL; i++)
Jan F. Chadima 69dd72
+	    if (keywords[i].opcode == code)
Jan F. Chadima 69dd72
+		return(keywords[i].name);
Jan F. Chadima 69dd72
+	return "UNKNOWN";
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static void
Jan F. Chadima 69dd72
+dump_cfg_string(OpCodes code, const char *val)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	if (val == NULL)
Jan F. Chadima 69dd72
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 69dd72
+	else
Jan F. Chadima 69dd72
+	    debug3("%s %s", lookup_opcode_name(code), val);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static void
Jan F. Chadima 69dd72
+dump_cfg_int(OpCodes code, int val)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	if (val == -1)
Jan F. Chadima 69dd72
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 69dd72
+	else
Jan F. Chadima 69dd72
+	    debug3("%s %d", lookup_opcode_name(code), val);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+struct names {
Jan F. Chadima 69dd72
+	int value;
Jan F. Chadima 69dd72
+	char *name;
Jan F. Chadima 69dd72
+};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static void
Jan F. Chadima 69dd72
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	u_int i;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (val == -1)
Jan F. Chadima 69dd72
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 69dd72
+	else {
Jan F. Chadima 69dd72
+		for (i = 0; names[i].value != -1; i++)
Jan F. Chadima 69dd72
+	 	    if (names[i].value == val) {
Jan F. Chadima 69dd72
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
Jan F. Chadima 69dd72
+			    return;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static struct names _yesnotls[] = {
Jan F. Chadima 69dd72
+	{ 0, "No" },
Jan F. Chadima 69dd72
+	{ 1, "Yes" },
Jan F. Chadima 69dd72
+	{ 2, "Start_TLS" },
Jan F. Chadima 69dd72
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static struct names _scope[] = {
Jan F. Chadima 69dd72
+	{ LDAP_SCOPE_BASE, "Base" },
Jan F. Chadima 69dd72
+	{ LDAP_SCOPE_ONELEVEL, "One" },
Jan F. Chadima 69dd72
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
Jan F. Chadima 69dd72
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static struct names _deref[] = {
Jan F. Chadima 69dd72
+	{ LDAP_DEREF_NEVER, "Never" },
Jan F. Chadima 69dd72
+	{ LDAP_DEREF_SEARCHING, "Searching" },
Jan F. Chadima 69dd72
+	{ LDAP_DEREF_FINDING, "Finding" },
Jan F. Chadima 69dd72
+	{ LDAP_DEREF_ALWAYS, "Always" },
Jan F. Chadima 69dd72
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static struct names _yesno[] = {
Jan F. Chadima 69dd72
+	{ 0, "No" },
Jan F. Chadima 69dd72
+	{ 1, "Yes" },
Jan F. Chadima 69dd72
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static struct names _bindpolicy[] = {
Jan F. Chadima 69dd72
+	{ 0, "Soft" },
Jan F. Chadima 69dd72
+	{ 1, "Hard" },
Jan F. Chadima 69dd72
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static struct names _checkpeer[] = {
Jan F. Chadima 69dd72
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
Jan F. Chadima 69dd72
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
Jan F. Chadima 69dd72
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
Jan F. Chadima 69dd72
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
Jan F. Chadima 69dd72
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
Jan F. Chadima 69dd72
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+dump_config(void)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	dump_cfg_string(lURI, options.uri);
Jan F. Chadima 69dd72
+	dump_cfg_string(lHost, options.host);
Jan F. Chadima 69dd72
+	dump_cfg_int(lPort, options.port);
Jan F. Chadima 69dd72
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
Jan F. Chadima 69dd72
+	dump_cfg_int(lLdap_Version, options.ldap_version);
Jan F. Chadima 69dd72
+	dump_cfg_int(lTimeLimit, options.timelimit);
Jan F. Chadima 69dd72
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
Jan F. Chadima 69dd72
+	dump_cfg_string(lBase, options.base);
Jan F. Chadima 69dd72
+	dump_cfg_string(lBindDN, options.binddn);
Jan F. Chadima 69dd72
+	dump_cfg_string(lBindPW, options.bindpw);
Jan F. Chadima 69dd72
+	dump_cfg_namedint(lScope, options.scope, _scope);
Jan F. Chadima 69dd72
+	dump_cfg_namedint(lDeref, options.deref, _deref);
Jan F. Chadima 69dd72
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
Jan F. Chadima 69dd72
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
Jan F. Chadima 69dd72
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
Jan F. Chadima 69dd72
+	dump_cfg_string(lSSLPath, options.sslpath);
Jan F. Chadima 69dd72
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
Jan F. Chadima 69dd72
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
Jan F. Chadima 69dd72
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
Jan F. Chadima 69dd72
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
Jan F. Chadima 69dd72
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
Jan F. Chadima 69dd72
+	dump_cfg_string(lTLS_Key, options.tls_key);
Jan F. Chadima 69dd72
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
Jan F. Chadima 69dd72
+	dump_cfg_string(lLogDir, options.logdir);
Jan F. Chadima 69dd72
+	dump_cfg_int(lDebug, options.debug);
Jan F. Chadima 69dd72
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
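Review bot: dump_config() logs the LDAP bind password in clear: `dump_cfg_string(lBindPW, options.bindpw);` hands the value to debug3(), so running the helper with -v (or with Debug set in ldap.conf) writes BindPW to stderr or syslog. Print a fixed marker such as `<SET>` / `<UNDEFINED>` for lBindPW instead of the value. Smaller points in the same hunk: `struct names` should declare `const char *name`, since every table is built from string literals; the `_checkpeer` table spells its last entry "TRY" while the others are capitalised "Never"/"Hard"/"Demand"/"Allow"; and the `_yesnotls` table hardcodes 0/1/2 where the SSL_OFF/SSL_LDAPS/SSL_START_TLS macros from ldapconf.h should be used so the two cannot drift apart. The body of dump_cfg_namedint() also mixes tabs and spaces around `if (names[i].value == val) {` / `return;`.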
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldapconf.h.ldap openssh-5.9p1/ldapconf.h
Jan F. Chadima c870e6
--- openssh-5.9p1/ldapconf.h.ldap	2011-09-13 11:17:06.016522201 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldapconf.h	2011-09-13 11:17:06.018522083 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,71 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPCONF_H
Jan F. Chadima 69dd72
+#define LDAPCONF_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#define SSL_OFF          0
Jan F. Chadima 69dd72
+#define SSL_LDAPS        1
Jan F. Chadima 69dd72
+#define SSL_START_TLS    2
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/* Data structure for representing option data. */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+typedef struct {
Jan F. Chadima 69dd72
+	char *host;
Jan F. Chadima 69dd72
+	char *uri;
Jan F. Chadima 69dd72
+	char *base;
Jan F. Chadima 69dd72
+	char *binddn;
Jan F. Chadima 69dd72
+	char *bindpw;
Jan F. Chadima 69dd72
+	int scope;
Jan F. Chadima 69dd72
+	int deref;
Jan F. Chadima 69dd72
+	int port;
Jan F. Chadima 69dd72
+	int timelimit;
Jan F. Chadima 69dd72
+	int bind_timelimit;
Jan F. Chadima 69dd72
+	int ldap_version;
Jan F. Chadima 69dd72
+	int bind_policy;
Jan F. Chadima 69dd72
+	char *sslpath;
Jan F. Chadima 69dd72
+	int ssl;
Jan F. Chadima 69dd72
+	int referrals;
Jan F. Chadima 69dd72
+	int restart;
Jan F. Chadima 69dd72
+	int tls_checkpeer;
Jan F. Chadima 69dd72
+	char *tls_cacertfile;
Jan F. Chadima 69dd72
+	char *tls_cacertdir;
Jan F. Chadima 69dd72
+	char *tls_ciphers;
Jan F. Chadima 69dd72
+	char *tls_cert;
Jan F. Chadima 69dd72
+	char *tls_key;
Jan F. Chadima 69dd72
+	char *tls_randfile;
Jan F. Chadima 69dd72
+	char *logdir;
Jan F. Chadima 69dd72
+	int debug;
Jan F. Chadima 69dd72
+	char *ssh_filter;
Jan F. Chadima 69dd72
+}       Options;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+extern Options options;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void read_config_file(const char *);
Jan F. Chadima 69dd72
+void initialize_options(void);
Jan F. Chadima 69dd72
+void fill_default_options(void);
Jan F. Chadima 69dd72
+void dump_config(void);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPCONF_H */
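Review bot: the RCS tag at the top of this header reads `$OpenBSD: ldapconf.c,v 1.1 ...$`, copied from the .c file; it should name ldapconf.h (the same stale `ldapconf.c` tag is repeated in ldapincludes.h). Also, `Options` keeps `bindpw` as a plain `char *` in a process-global; a one-line comment that it holds a cleartext secret and must not reach any log path would help the next person who adds a dump or debug hook (see the debug3() of lBindPW in ldapconf.c).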
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldapincludes.h.ldap openssh-5.9p1/ldapincludes.h
Jan F. Chadima c870e6
--- openssh-5.9p1/ldapincludes.h.ldap	2011-09-13 11:17:06.123519312 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldapincludes.h	2011-09-13 11:17:06.126518977 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,41 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPINCLUDES_H
Jan F. Chadima 69dd72
+#define LDAPINCLUDES_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "includes.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef HAVE_LBER_H
Jan F. Chadima 69dd72
+#include <lber.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_H
Jan F. Chadima 69dd72
+#include <ldap.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SSL_H
Jan F. Chadima 69dd72
+#include <ldap_ssl.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPINCLUDES_H */
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldapmisc.c.ldap openssh-5.9p1/ldapmisc.c
Jan F. Chadima c870e6
--- openssh-5.9p1/ldapmisc.c.ldap	2011-09-13 11:17:06.195508388 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldapmisc.c	2011-09-13 11:17:06.197507964 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,79 @@
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+#include "ldapmisc.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef HAVE_LDAP_GET_LDERRNO
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_GET_OPTION
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	int lderrno;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 69dd72
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	lderrno = ld->ld_errno;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (s != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 69dd72
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		*s = ld->ld_error;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (m != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 69dd72
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		*m = ld->ld_matched;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return lderrno;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef HAVE_LDAP_SET_LDERRNO
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 69dd72
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	ld->ld_errno = lderrno;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (s != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 69dd72
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_error = s;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (m != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 69dd72
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_matched = m;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return LDAP_SUCCESS;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
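Review bot: in the fallback branches of ldap_set_lderrno(), `ld->ld_error = s;` and `ld->ld_matched = m;` store a `const char *` parameter into the LDAP structure's non-const members, discarding the qualifier, and hand the library a pointer it did not allocate (possibly a caller's stack buffer or a string literal) in fields the SDKs that expose them treat as heap strings they own and free. Either drop `const` from the prototype so it matches those SDKs, or store strdup() copies and free the previous value first. In ldap_get_lderrno(), when `ldap_get_option(ld, LDAP_OPT_ERROR_STRING, s)` or the MATCHED_DN call fails the function returns that rc, which a caller cannot distinguish from a legitimate lderrno value; returning lderrno and leaving `*s`/`*m` NULL would be less surprising. Finally, this is the only new source file without the copyright and licence header the other files carry.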
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ldapmisc.h.ldap openssh-5.9p1/ldapmisc.h
Jan F. Chadima c870e6
--- openssh-5.9p1/ldapmisc.h.ldap	2011-09-13 11:17:06.273496889 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ldapmisc.h	2011-09-13 11:17:06.276496151 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,35 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPMISC_H
Jan F. Chadima 69dd72
+#define LDAPMISC_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+int ldap_get_lderrno (LDAP *, char **, char **);
Jan F. Chadima 69dd72
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPMISC_H */
Jan F. Chadima 69dd72
+
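Review bot: the two prototypes here are unconditional while their definitions in ldapmisc.c are compiled only under `#ifndef HAVE_LDAP_GET_LDERRNO` / `#ifndef HAVE_LDAP_SET_LDERRNO`; wrap the declarations in the same guards so that on an SDK that already provides these functions (with its own, possibly non-const, signature) this header does not redeclare them. The RCS tag also names `ldapbody.h` rather than ldapmisc.h.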
Jan F. Chadima c870e6
diff -up openssh-5.9p1/openssh-lpk-openldap.schema.ldap openssh-5.9p1/openssh-lpk-openldap.schema
Jan F. Chadima c870e6
--- openssh-5.9p1/openssh-lpk-openldap.schema.ldap	2011-09-13 11:17:06.349485171 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/openssh-lpk-openldap.schema	2011-09-13 11:17:06.351484488 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,21 @@
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 69dd72
+#                              useful with PKA-LDAP also
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# Based on the proposal of : Mark Ruijter
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# octetString SYNTAX
Jan F. Chadima 69dd72
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 69dd72
+	EQUALITY octetStringMatch
Jan F. Chadima 69dd72
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# printableString SYNTAX yes|no
Jan F. Chadima 69dd72
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 69dd72
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 69dd72
+	)
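Review bot: the comment `# printableString SYNTAX yes|no` above the objectclass describes nothing in this file: `ldapPublicKey` carries no yes/no attribute and `sshPublicKey` is declared with octetString syntax (1.3.6.1.4.1.1466.115.121.1.40); the comment is a leftover and should go (it is duplicated in openssh-lpk-sun.schema). Worth a sentence in the HOWTO as well: because of `MUST ( sshPublicKey $ uid )`, an entry cannot carry the ldapPublicKey class with zero keys, so revoking a user's last key means removing the objectclass, not just the attribute; `MAY` is the more usual choice for an auxiliary class if the helper's search filter tolerates entries without keys.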
Jan F. Chadima c870e6
diff -up openssh-5.9p1/openssh-lpk-sun.schema.ldap openssh-5.9p1/openssh-lpk-sun.schema
Jan F. Chadima c870e6
--- openssh-5.9p1/openssh-lpk-sun.schema.ldap	2011-09-13 11:17:06.420474045 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/openssh-lpk-sun.schema	2011-09-13 11:17:06.422473843 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,23 @@
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 69dd72
+#                              useful with PKA-LDAP also
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# Schema for Sun Directory Server.
Jan F. Chadima 69dd72
+# Based on the original schema, modified by Stefan Fischer.
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+dn: cn=schema
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# octetString SYNTAX
Jan F. Chadima 69dd72
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 69dd72
+	EQUALITY octetStringMatch
Jan F. Chadima 69dd72
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# printableString SYNTAX yes|no
Jan F. Chadima 69dd72
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 69dd72
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 69dd72
+	)
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ssh-ldap-helper.8.ldap openssh-5.9p1/ssh-ldap-helper.8
Jan F. Chadima c870e6
--- openssh-5.9p1/ssh-ldap-helper.8.ldap	2011-09-13 11:17:06.504461435 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ssh-ldap-helper.8	2011-09-13 11:17:06.506460976 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,79 @@
Jan F. Chadima 69dd72
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" Permission to use, copy, modify, and distribute this software for any
Jan F. Chadima 69dd72
+.\" purpose with or without fee is hereby granted, provided that the above
Jan F. Chadima 69dd72
+.\" copyright notice and this permission notice appear in all copies.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
Jan F. Chadima 69dd72
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
Jan F. Chadima 69dd72
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
Jan F. Chadima 69dd72
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
Jan F. Chadima 69dd72
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
Jan F. Chadima 69dd72
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
Jan F. Chadima 69dd72
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.Dd $Mdocdate: April 29 2010 $
Jan F. Chadima 69dd72
+.Dt SSH-LDAP-HELPER 8
Jan F. Chadima 69dd72
+.Os
Jan F. Chadima 69dd72
+.Sh NAME
Jan F. Chadima 69dd72
+.Nm ssh-ldap-helper
Jan F. Chadima 69dd72
+.Nd sshd helper program for ldap support
Jan F. Chadima 69dd72
+.Sh SYNOPSIS
Jan F. Chadima 69dd72
+.Nm ssh-ldap-helper
Jan F. Chadima 69dd72
+.Op Fl devw
Jan F. Chadima 69dd72
+.Op Fl f Ar file
Jan F. Chadima 69dd72
+.Op Fl s Ar user
Jan F. Chadima 69dd72
+.Sh DESCRIPTION
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+is used by
Jan F. Chadima 69dd72
+.Xr sshd 1
Jan F. Chadima 69dd72
+to access keys provided by an LDAP.
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+is disabled by default and can only be enabled in the
Jan F. Chadima 69dd72
+sshd configuration file
Jan F. Chadima 69dd72
+.Pa /etc/ssh/sshd_config
Jan F. Chadima 69dd72
+by setting
Jan F. Chadima 69dd72
+.Cm AuthorizedKeysCommand
Jan F. Chadima 69dd72
+to
Jan F. Chadima 69dd72
+.Dq /usr/libexec/ssh-ldap-wrapper .
Jan F. Chadima 69dd72
+.Pp
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+is not intended to be invoked by the user, but from
Jan F. Chadima 69dd72
+.Xr sshd 8 via
Jan F. Chadima 69dd72
+.Xr ssh-ldap-wrapper .
Jan F. Chadima 69dd72
+.Pp
Jan F. Chadima 69dd72
+The options are as follows:
Jan F. Chadima 69dd72
+.Bl -tag -width Ds
Jan F. Chadima 69dd72
+.It Fl d
Jan F. Chadima 69dd72
+Set the debug mode; 
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+prints all logs to stderr instead of syslog.
Jan F. Chadima 69dd72
+.It Fl e
Jan F. Chadima 69dd72
+Implies \-w;
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+halts if it encounters an unknown item in the ldap.conf file.
Jan F. Chadima 69dd72
+.It Fl f
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
Jan F. Chadima 69dd72
+.It Fl s
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+prints out the user's keys to stdout and exits.
Jan F. Chadima 69dd72
+.It Fl v
Jan F. Chadima 69dd72
+Implies \-d;
Jan F. Chadima 69dd72
+increases verbosity.
Jan F. Chadima 69dd72
+.It Fl w
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+writes warnings about unknown items in the ldap.conf configuration file.
Jan F. Chadima 69dd72
+.El
Jan F. Chadima 69dd72
+.Sh SEE ALSO
Jan F. Chadima 69dd72
+.Xr sshd 8 ,
Jan F. Chadima 69dd72
+.Xr sshd_config 5 ,
Jan F. Chadima 69dd72
+.Xr ssh-ldap.conf 5 ,
Jan F. Chadima 69dd72
+.Sh HISTORY
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+first appeared in
Jan F. Chadima 69dd72
+OpenSSH 5.5 + PKA-LDAP .
Jan F. Chadima 69dd72
+.Sh AUTHORS
Jan F. Chadima 69dd72
+.An Jan F. Chadima Aq jchadima@redhat.com
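Review bot: several mdoc lines pass prose as macro arguments and will render wrongly: `.Xr sshd 8 via` makes "via" part of the cross-reference (put `via` on its own line), `.Xr ssh-ldap-wrapper .` has no manual section, and `.Xr sshd 1` in DESCRIPTION should be `.Xr sshd 8`, as used further down. The SEE ALSO list ends with a stray comma after `.Xr ssh-ldap.conf 5 ,`, and `.It Fl f` / `.It Fl s` should take `Ar file` / `Ar user` to match the SYNOPSIS. On substance, the -d entry says debug output goes to stderr instead of syslog; since dump_config() in ldapconf.c prints BindPW at debug3, the page should warn that verbose output contains the bind password, or the code should stop printing it.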
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ssh-ldap-wrapper.ldap openssh-5.9p1/ssh-ldap-wrapper
Jan F. Chadima c870e6
--- openssh-5.9p1/ssh-ldap-wrapper.ldap	2011-09-13 11:17:06.574455869 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ssh-ldap-wrapper	2011-09-13 11:17:06.576475704 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,4 @@
Jan F. Chadima 69dd72
+#!/bin/sh
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
Jan F. Chadima 69dd72
+
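Review bot: the wrapper passes `$1` straight through with no check that it is set, so a missing argument runs `ssh-ldap-helper -s ""`; add `[ -n "$1" ] || exit 1` before the exec. It also performs no sanitisation of the username, so any escaping of LDAP filter metacharacters (RFC 4515) has to happen inside the helper when it builds the search filter; please confirm that is the case before this ships. Lastly, ssh-ldap-helper.8 tells administrators to point AuthorizedKeysCommand at `/usr/libexec/ssh-ldap-wrapper` while the wrapper execs `/usr/libexec/openssh/ssh-ldap-helper`; make sure the spec file installs both where the documentation says, or use one directory for both.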
Jan F. Chadima c870e6
diff -up openssh-5.9p1/ssh-ldap.conf.5.ldap openssh-5.9p1/ssh-ldap.conf.5
Jan F. Chadima c870e6
--- openssh-5.9p1/ssh-ldap.conf.5.ldap	2011-09-13 11:17:06.650522542 +0200
Jan F. Chadima c870e6
+++ openssh-5.9p1/ssh-ldap.conf.5	2011-09-13 11:17:06.653474746 +0200
Jan F. Chadima 69dd72
@@ -0,0 +1,376 @@
Jan F. Chadima 69dd72
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" Permission to use, copy, modify, and distribute this software for any
Jan F. Chadima 69dd72
+.\" purpose with or without fee is hereby granted, provided that the above
Jan F. Chadima 69dd72
+.\" copyright notice and this permission notice appear in all copies.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
Jan F. Chadima 69dd72
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
Jan F. Chadima 69dd72
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
Jan F. Chadima 69dd72
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
Jan F. Chadima 69dd72
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
Jan F. Chadima 69dd72
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
Jan F. Chadima 69dd72
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.Dd $Mdocdate: may 12 2010 $
Jan F. Chadima 69dd72
+.Dt SSH-LDAP.CONF 5
Jan F. Chadima 69dd72
+.Os
Jan F. Chadima 69dd72
+.Sh NAME
Jan F. Chadima 69dd72
+.Nm ssh-ldap.conf
Jan F. Chadima 69dd72
+.Nd configuration file for ssh-ldap-helper
Jan F. Chadima 69dd72
+.Sh SYNOPSIS
Jan F. Chadima 69dd72
+.Nm /etc/ssh/ldap.conf
Jan F. Chadima 69dd72
+.Sh DESCRIPTION
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+reads configuration data from
Jan F. Chadima 69dd72
+.Pa /etc/ssh/ldap.conf
Jan F. Chadima 69dd72
+(or the file specified with
Jan F. Chadima 69dd72
+.Fl f
Jan F. Chadima 69dd72
+on the command line).
Jan F. Chadima 69dd72
+The file contains keyword-argument pairs, one per line.
Jan F. Chadima 69dd72
+Lines starting with
Jan F. Chadima 69dd72
+.Ql #
Jan F. Chadima 69dd72
+and empty lines are interpreted as comments.
Jan F. Chadima 69dd72
+.Pp
Jan F. Chadima 69dd72
+The value starts with the first non-blank character after 
Jan F. Chadima 69dd72
+the keyword's name, and terminates at the end of the line, 
Jan F. Chadima 69dd72
+or at the last sequence of blanks before the end of the line.
Jan F. Chadima 69dd72
+Quoting values that contain blanks 
Jan F. Chadima 69dd72
+may be incorrect, as the quotes would become part of the value.
Jan F. Chadima 69dd72
+The possible keywords and their meanings are as follows (note that
Jan F. Chadima 69dd72
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
Jan F. Chadima 69dd72
+.Bl -tag -width Ds
Jan F. Chadima 69dd72
+.It Cm URI
Jan F. Chadima 69dd72
+The argument(s) are in the form
Jan F. Chadima 69dd72
+.Pa ldap[si]://[name[:port]]
Jan F. Chadima 69dd72
+and specify the URI(s) of an LDAP server(s) to which the
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8 
Jan F. Chadima 69dd72
+should connect. The URI scheme may be any of
Jan F. Chadima 69dd72
+.Dq ldap ,
Jan F. Chadima 69dd72
+.Dq ldaps 
Jan F. Chadima 69dd72
+or
Jan F. Chadima 69dd72
+.Dq ldapi ,
Jan F. Chadima 69dd72
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
+over IPC (UNIX domain sockets), respectively.
+Each server's name can be specified as a
+domain-style name or an IP address literal.  Optionally, the
+server's name can followed by a ':' and the port number the LDAP
+server is listening on.  If no port number is provided, the default
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
+For LDAP over IPC, name is the name of the socket, and no port
+is required, nor allowed; note that directory separators must be 
+URL-encoded, like any other characters that are special to URLs; 
+A space separated list of URIs may be provided.
+There is no default.
+.It Cm Base
+Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
+The base must be specified as a DN in LDAP format.
+There is no default.
+.It Cm BindDN
+Specifies the default BIND DN to use when connecting to the ldap server.
+The bind DN must be specified as a Distinguished Name in LDAP format.
+There is no default.
+.It Cm BindPW
+Specifies the default password to use when connecting to the ldap server via
+.Cm BindDN .
+There is no default.
+.It Cm RootBindDN
+Intentionaly does nothing. Recognized for compatibility reasons.
+.It Cm Host
+The argument(s) specifies the name(s) of an LDAP server(s) to which the
+.Xr ssh-ldap-helper 8
+should connect.  Each server's name can be specified as a
+domain-style name or an IP address and optionally followed by a ':' and
+the port number the ldap server is listening on.  A space-separated
+list of hosts may be provided.
+There is no default.
+.Cm Host
+is deprecated in favor of
+.Cm URI .
+.It Cm Port
+Specifies the default port used when connecting to LDAP servers(s).
+The port may be specified as a number.
+The default port is 389 for ldap:// or 636 for ldaps:// respectively.
+.Cm Port
+is deprecated in favor of
+.Cm URI .
+.It Cm Scope
+Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
+There are three options (values) that can be assigned to the
+.Cm Scope parameter:
+.Dq base ,
+.Dq one
+and
+.Dq subtree .
+Alias for the subtree is
+.Dq sub .
+The value
+.Dq base
+is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
+The value
+.Dq one
+is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
+The value
+.Dq subtree
+is used to indicate searching of all entries at all levels under and including the specified base DN.
+The default is
+.Dq subtree .
+.It Cm Deref
+Specifies how alias dereferencing is done when performing a search. There are four
+possible values that can be assigned to the
+.Cm Deref
+parameter:
+.Dq never ,
+.Dq searching ,
+.Dq finding ,
+and
+.Dq always .
+The value
+.Dq never
+means that the aliases are never dereferenced.
+The value
+.Dq searching
+means that the aliases are dereferenced in subordinates of the base object, but
+not in locating the base object of the search.
+The value
+.Dq finding
+means that the aliases are only dereferenced when locating the base object of the search.
+The value
+.Dq always
+means that the aliases are dereferenced both in searching and in locating the base object
+of the search.
+The default is
+.Dq never .
+.It Cm TimeLimit
+Specifies a time limit (in seconds) to use when performing searches.
+The number should be a non-negative integer. A
+.Cm TimeLimit
+of zero (0) specifies that the search time is unlimited. Please note that the server
+may still apply any server-side limit on the duration of a search operation.
+The default value is 10.
+.It Cm TimeOut
+Is an aliast to
+.Cm TimeLimit .
+.It Cm Bind_TimeLimit
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
+following a connect(2) returns in case of no activity.
+The default value is 10.
+.It Cm Network_TimeOut
+Is an alias to
+.Cm Bind_TimeLimit .
+.It Cm Ldap_Version
+Specifies what version of the LDAP protocol should be used.
+The allowed values are 2 or 3. The default is 3.
+.It Cm Version
+Is an alias to
+.Cm Ldap_Version .
+.It Cm Bind_Policy
+Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
+.Dq hard
+and
+.Dq soft.
+.Dq hard has 2 aliases
+.Dq hard_open
+and
+.Dq hard_init .
+The value
+.Dq hard
+means that reconects that the
+.Xr ssh-ldap-helper 8
+tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
+The value
+.Dq soft
+means that
+.Xr ssh-ldap-helper 8
+fails immediately when it cannot connect to the LDAP seerver.
+The deault is
+.Dq hard .
+.It Cm SSLPath
+Specifies the path to the X.509 certificate database.
+There is no default.
+.It Cm SSL
+Specifies whether to use SSL/TLS or not.
+There are three allowed values:
+.Dq yes ,
+.Dq no
+and
+.Dq start_tls
+Both
+.Dq true
+and
+.Dq on
+are the aliases for
+.Dq yes .
+.Dq false
+and
+.Dq off
+are the aliases for
+.Dq no .
+If
+.Dq start_tls
+is specified then StartTLS is used rather than raw LDAP over SSL.
+The default for ldap:// is
+.Dq start_tls ,
+for ldaps://
+.Dq yes
+and
+.Dq no
+for the ldapi:// .
+In case of host based configuration the default is
+.Dq start_tls .
+.It Cm Referrals
+Specifies if the client should automatically follow referrals returned
+by LDAP servers.
+The value can be or
+.Dq yes
+or
+.Dq no .
+.Dq true
+and
+.Dq on
+are the aliases for
+.Dq yes .
+.Dq false
+and
+.Dq off
+are the aliases for
+.Dq no .
+The default is yes.
+.It Cm Restart
+Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
+The value can be or
+.Dq yes
+or
+.Dq no .
+.Dq true
+and
+.Dq on
+are the aliases for
+.Dq yes .
+.Dq false
+and
+.Dq off
+are the aliases for
+.Dq no .
+The default is yes.
+.It Cm TLS_CheckPeer
+Specifies what checks to perform on server certificates in a TLS session,
+if any. The value
+can be specified as one of the following keywords:
+.Dq never ,
+.Dq hard ,
+.Dq demand ,
+.Dq allow
+and
+.Dq try .
+.Dq true ,
+.Dq on
+and
+.Dq yes
+are aliases for
+.Dq hard .
+.Dq false ,
+.Dq off
+and
+.Dq no
+are the aliases for
+.Dq never .
+The value
+.Dq never
+means that the client will not request or check any server certificate.
+The value
+.Dq allow
+means that the server certificate is requested. If no certificate is provided,
+the session proceeds normally. If a bad certificate is provided, it will
+be ignored and the session proceeds normally.
+The value
+.Dq try
+means that the server certificate is requested. If no certificate is provided,
+the session proceeds normally. If a bad certificate is provided,
+the session is immediately terminated.
+The value
+.Dq demand
+means that the server certificate is requested. If no
+certificate is provided, or a bad certificate is provided, the session
+is immediately terminated.
+The value
+.Dq hard
+is the same as
+.Dq demand .
+It requires an SSL connection. In the case of the plain conection the
+session is immediately terminated.
+The default is
+.Dq hard .
+.It Cm TLS_ReqCert
+Is an alias for 
+.Cm TLS_CheckPeer .
+.It Cm TLS_CACertFile
+Specifies the file that contains certificates for all of the Certificate
+Authorities the client will recognize.
+There is no default.
+.It Cm TLS_CACert
+Is an alias for
+.Cm TLS_CACertFile .
+.It Cm TLS_CACertDIR
+Specifies the path of a directory that contains Certificate Authority
+certificates in separate individual files. The
+.Cm TLS_CACert
+is always used before
+.Cm TLS_CACertDir .
+The specified directory must be managed with the OpenSSL c_rehash utility.
+There is no default.
+.It Cm TLS_Ciphers
+Specifies acceptable cipher suite and preference order.
+The value should be a cipher specification for OpenSSL,
+e.g.,
+.Dq HIGH:MEDIUM:+SSLv2 .
+The default is
+.Dq ALL .
+.It Cm TLS_Cipher_Suite
+Is an alias for
+.Cm TLS_Ciphers .
+.It Cm TLS_Cert
+Specifies the file that contains the client certificate.
+There is no default.
+.It Cm TLS_Certificate
+Is an alias for
+.Cm TLS_Cert .
+.It Cm TLS_Key
+Specifies the file that contains the private key that matches the certificate
+stored in the
+.Cm TLS_Cert
+file. Currently, the private key must not be protected with a password, so
+it is of critical importance that the key file is protected carefully.
+There is no default.
+.It Cm TLS_RandFile
+Specifies the file to obtain random bits from when /dev/[u]random is
+not available. Generally set to the name of the EGD/PRNGD socket.
+The environment variable RANDFILE can also be used to specify the filename.
+There is no default.
+.It Cm LogDir
+Specifies the directory used for logging by the LDAP client library.
+There is no default.
+.It Cm Debug
+Specifies the debug level used for logging by the LDAP client library.
+There is no default.
+.It Cm SSH_Filter
+Specifies the user filter applied on the LDAP serch.
+The default is no filter.
+.El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa  /etc/ssh/ldap.conf
+Ldap configuration file for
+.Xr ssh-ldap-helper 8 .
+.El
+.Sh "SEE ALSO"
+.Xr ldap.conf 5 ,
+.Xr ssh-ldap-helper 8
+.Sh HISTORY
+.Nm
+first appeared in
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
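Review bot: several mdoc macro lines in this hunk will render wrongly because trailing words are passed as macro arguments: `.Cm Scope parameter:` typesets "parameter:" as part of the literal keyword, `.Dq hard has 2 aliases` quotes the whole phrase instead of just "hard", and `.Dq soft.` puts the period inside the quotes (elsewhere the page correctly uses `.Dq hard .`); `.Dq start_tls` before "Both" also lacks a terminating ` .`. Move the extra words to the following text line and pass punctuation as a separate argument, as the rest of the page does. In the TLS_CACertDIR entry the keyword is spelled `TLS_CACertDIR` on the `.It Cm` line and `TLS_CACertDir` two lines later; pick the spelling the option parser actually accepts so the documented name matches the code. The TLS_Ciphers entry documents a weak configuration: the example `HIGH:MEDIUM:+SSLv2` re-enables SSLv2 suites and the stated default is `ALL`; since this file gates which server certificate and cipher suites protect the public-key lookup, the example should exclude anonymous and NULL suites (for instance `HIGH:!aNULL:!eNULL`) and the default should be called out as something administrators are expected to tighten. Also worth fixing before merge: "Intentionaly", "aliast", "reconects", "seerver", "deault", "conection", "serch", "servers(s)", "can followed by", the twice-repeated "The value can be or ... or" (should be "either ... or"), the garbled "means that reconects that the ssh-ldap-helper tries to reconnect" sentence under Bind_Policy, and "The default is yes." in the Referrals and Restart entries, which is the only default on the page not wrapped in `.Dq`.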