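diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac
--- openssh-6.2p1/configure.ac.ldap	2013-03-20 02:55:15.000000000 +0100
+++ openssh-6.2p1/configure.ac	2013-03-25 21:27:15.888248071 +0100
@@ -1509,6 +1509,106 @@ AC_ARG_WITH([audit],
 	esac ]
 )
 
+# Check whether user wants LDAP support
+LDAP_MSG="no"
+INSTALL_SSH_LDAP_HELPER=""
+AC_ARG_WITH(ldap,
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+
+			INSTALL_SSH_LDAP_HELPER="yes"
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
+
+			if test "x$withval" != "xyes" ; then
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
+			fi
+
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
+			LDAP_MSG="yes"
+
+			AC_CHECK_HEADERS(lber.h)
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
+			AC_CHECK_HEADERS(ldap_ssl.h)
+
+			AC_ARG_WITH(ldap-lib,
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+
+			if test -z "$with_ldap_lib"; then
+				with_ldap_lib=auto
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
+				fi
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib"; then
+				AC_MSG_ERROR(could not locate a valid LDAP library)
+			fi
+
+			AC_MSG_CHECKING([for working LDAP support])
+			AC_TRY_COMPILE(
+				[#include <sys/types.h>
+				 #include <ldap.h>],
+				[(void)ldap_init(0, 0);],
+				[AC_MSG_RESULT(yes)],
+				[
+				    AC_MSG_RESULT(no) 
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
+				])
+			AC_CHECK_FUNCS( \
+				ldap_init \
+				ldap_get_lderrno \
+				ldap_set_lderrno \
+				ldap_parse_result \
+				ldap_memfree \
+				ldap_controls_free \
+				ldap_set_option \
+				ldap_get_option \
+				ldapssl_init \
+				ldap_start_tls_s \
+				ldap_pvt_tls_set_option \
+				ldap_initialize \
+			)
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
+				AC_TRY_COMPILE(
+					[#include <lber.h>
+					#include <ldap.h>],
+					[ldap_set_rebind_proc(0, 0, 0);],
+					[ac_cv_ldap_set_rebind_proc=3],
+					[ac_cv_ldap_set_rebind_proc=2])
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
+			)
+		fi
+	]
+)
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
 	arc4random \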
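Review bot: `found_ldap_lib` is tested with `test -z "$found_ldap_lib"` from the first library probe onward but is never initialised, so a value inherited from the environment or a shared config.cache skips every `AC_CHECK_LIB` and leaves LIBS without `-lldap`; the `AC_TRY_COMPILE` that follows only compiles, so the breakage surfaces at link time instead of at configure. Initialise it next to the default, `found_ldap_lib=""` after `with_ldap_lib=auto`. The `$with_ldap_lib = auto` comparisons in those `test` expressions are unquoted, so an empty or space-containing `--with-ldap-lib=` value becomes a shell syntax error rather than a configure error; write them as `"$with_ldap_lib" = auto`. The unconditional `CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"` deserves a comment naming which deprecated calls need it (ldapbody.c in this patch uses `ldap_init` and `ldap_simple_bind`), since it silences deprecation warnings for the whole build. `AC_TRY_COMPILE` is obsolete in current autoconf; both uses should be `AC_COMPILE_IFELSE([AC_LANG_PROGRAM(...)], ...)`, and the `ac_cv_ldap_set_rebind_proc` result should either go through `AC_CACHE_CHECK` or drop the `ac_cv_` prefix, which is reserved for cached values.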
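diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys
--- openssh-6.2p1/HOWTO.ldap-keys.ldap	2013-03-25 21:27:15.889248078 +0100
+++ openssh-6.2p1/HOWTO.ldap-keys	2013-03-25 21:27:15.889248078 +0100
@@ -0,0 +1,108 @@
+
+HOW TO START
+
+1) configure LDAP server
+  * Use LDAP server documentation
+2) add appropriate LDAP schema
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
+  * LDAP user entry
+        User entry:
+	- attached to the 'ldapPublicKey' objectclass
+	- attached to the 'posixAccount' objectclass
+	- with a filled 'sshPublicKey' attribute 
+3) insert users into LDAP
+  * Use LDAP Tree management tool as useful
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
+  * Example:
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
+	objectclass: top
+	objectclass: person
+	objectclass: organizationalPerson
+	objectclass: posixAccount
+	objectclass: ldapPublicKey
+	description: Jonathan Archer
+	userPassword: Porthos
+	cn: onathan Archer
+	sn: onathan Archer
+	uid: captain
+	uidNumber: 1001
+	gidNumber: 1001
+	homeDirectory: /home/captain
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
+4) on the ssh side set in sshd_config
+  * Set up the backend
+	AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
+	AuthorizedKeysCommandUser <appropriate user to run LDAP>
+  * Do not forget to set
+	PubkeyAuthentication yes
+  * Swith off unnecessary auth methods
+5) confugure ldap.conf
+  * Default ldap.conf is placed in /etc/ssh
+  * The configuration style is the same as other ldap based aplications
+6) if necessary edit ssh-ldap-wrapper
+  * There is a possibility to change ldap.conf location
+  * There are some debug options
+  * Example
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
+
+HOW TO MIGRATE FROM LPK
+
+1) goto HOW TO START 4) .... the ldap schema is the same
+
+2) convert the group requests to the appropriate LDAP requests
+
+HOW TO SOLVE PROBLEMS
+
+1) use debug in sshd
+  * /usr/sbin/sshd -d -d -d -d
+2) use debug in ssh-ldap-helper
+  * ssh-ldap-helper -d -d -d -d -s <username>
+3) use tcpdump ... other ldap client etc.
+
+ADVANTAGES
+
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
+
+DISADVANTAGES
+
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
+  of your users in all your server farm -- be VERY CAREFUL.
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
+  as the impersonated user.
+3) If LDAP server is down there may be no fallback on passwd auth.
+  
+MISC.
+  
+1) todo
+  * Possibility to reuse the ssh-ldap-helper.
+  * Tune the LDAP part to accept  all possible LDAP configurations.
+
+2) differences from original lpk
+  * No LDAP code in sshd.
+  * Support for various LDAP platforms and configurations.
+  * LDAP is configured in separate ldap.conf file.
+
+3) docs/link 
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
+  * http://fritz.potsdam.edu/projects/sshgate/
+  * http://dev.inversepath.com/trac/openssh-lpk
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+
+4) contributors/ideas/greets
+  - Eric AUGE <eau@phear.org>
+  - Andrea Barisani <andrea@inversepath.com>
+  - Falk Siemonsmeier.
+  - Jacob Rief.
+  - Michael Durchgraf.
+  - frederic peters.
+  - Finlay dobbie.
+  - Stefan Fisher.
+  - Robin H. Johnson.
+  - Adrian Bridgett.
+
+5) Author
+    Jan F. Chadima <jchadima@redhat.com>
+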
diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
Petr Lautrbach 8a29de
--- openssh-6.2p1/ldapbody.c.ldap	2013-03-25 21:27:15.889248078 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ldapbody.c	2013-03-25 21:27:15.889248078 +0100
Petr Lautrbach 65ba94
@@ -0,0 +1,494 @@
Petr Lautrbach 65ba94
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 65ba94
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 65ba94
+ * are met:
Petr Lautrbach 65ba94
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 65ba94
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 65ba94
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 65ba94
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 65ba94
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 65ba94
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 65ba94
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 65ba94
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 65ba94
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 65ba94
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 65ba94
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 65ba94
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#include "ldapincludes.h"
Petr Lautrbach 65ba94
+#include "log.h"
Petr Lautrbach 65ba94
+#include "xmalloc.h"
Petr Lautrbach 65ba94
+#include "ldapconf.h"
Petr Lautrbach 65ba94
+#include "ldapmisc.h"
Petr Lautrbach 65ba94
+#include "ldapbody.h"
Petr Lautrbach 65ba94
+#include <stdio.h>
Petr Lautrbach 65ba94
+#include <unistd.h>
Jan F. Chadima 69dd72
+
Petr Lautrbach e6dbb8
+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
Petr Lautrbach 65ba94
+#define PUBKEYATTR "sshPublicKey"
Petr Lautrbach 65ba94
+#define LDAP_LOGFILE	"%s/ldap.%d"
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static FILE *logfile = NULL;
Petr Lautrbach 65ba94
+static LDAP *ld;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static char *attrs[] = {
Petr Lautrbach 65ba94
+    PUBKEYATTR,
Petr Lautrbach 65ba94
+    NULL
Petr Lautrbach 65ba94
+};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+void
Petr Lautrbach 65ba94
+ldap_checkconfig (void)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 65ba94
+#ifdef HAVE_LDAP_INITIALIZE
Petr Lautrbach 65ba94
+		if (options.host == NULL && options.uri == NULL)
Petr Lautrbach 65ba94
+#else
Petr Lautrbach 65ba94
+		if (options.host == NULL)
Petr Lautrbach 65ba94
+#endif
Petr Lautrbach 65ba94
+		    fatal ("missing  \"host\" in config file");
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
Petr Lautrbach 65ba94
+static int
Petr Lautrbach 65ba94
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 65ba94
+	struct timeval timeout;
Petr Lautrbach 65ba94
+	int rc;
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Petr Lautrbach 65ba94
+	LDAPMessage *result;
Petr Lautrbach 65ba94
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
Petr Lautrbach 65ba94
+	if (options.ssl == SSL_START_TLS) {
Petr Lautrbach 65ba94
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
Petr Lautrbach 65ba94
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
Petr Lautrbach 65ba94
+			return LDAP_OPERATIONS_ERROR;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
Petr Lautrbach 65ba94
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
Petr Lautrbach 65ba94
+#else
Petr Lautrbach 65ba94
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
Petr Lautrbach 65ba94
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	timeout.tv_sec = options.bind_timelimit;
Petr Lautrbach 65ba94
+	timeout.tv_usec = 0;
Petr Lautrbach 65ba94
+	result = NULL;
Petr Lautrbach 65ba94
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Petr Lautrbach 65ba94
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Petr Lautrbach 65ba94
+		ldap_msgfree (result);
Petr Lautrbach 65ba94
+		return LDAP_OPERATIONS_ERROR;
Jan F. Chadima 69dd72
+	}
Petr Lautrbach 65ba94
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
Petr Lautrbach 65ba94
+	return rc;
Petr Lautrbach 65ba94
+#endif
Petr Lautrbach 65ba94
+}
Petr Lautrbach 65ba94
+#else
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static int
Petr Lautrbach 65ba94
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	if (freeit)
Petr Lautrbach 65ba94
+	    return LDAP_SUCCESS;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	*whop = strdup (options.binddn);
Petr Lautrbach 65ba94
+	*credp = strdup (options.bindpw);
Petr Lautrbach 65ba94
+	*methodp = LDAP_AUTH_SIMPLE;
Petr Lautrbach 65ba94
+	debug2 ("Doing LDAP rebind for %s", *whop);
Petr Lautrbach 65ba94
+	return LDAP_SUCCESS;
Jan F. Chadima 69dd72
+}
Petr Lautrbach 65ba94
+#endif
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+void
Petr Lautrbach 65ba94
+ldap_do_connect(void)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	int rc, msgid, ld_errno = 0;
Petr Lautrbach 65ba94
+	struct timeval timeout;
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Petr Lautrbach 65ba94
+	int parserc;
Petr Lautrbach 65ba94
+	LDAPMessage *result;
Petr Lautrbach 65ba94
+	LDAPControl **controls;
Petr Lautrbach 65ba94
+	int reconnect = 0;
Petr Lautrbach 65ba94
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	debug ("LDAP do connect");
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+retry:
Petr Lautrbach 65ba94
+	if (reconnect) {
Petr Lautrbach 65ba94
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
Petr Lautrbach 65ba94
+		if (options.bind_policy == 0 ||
Petr Lautrbach 65ba94
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
Petr Lautrbach 65ba94
+			reconnect > 5)
Petr Lautrbach 65ba94
+			    fatal ("Cannot connect to LDAP server");
Petr Lautrbach 65ba94
+	
Petr Lautrbach 65ba94
+		if (reconnect > 1)
Petr Lautrbach 65ba94
+			sleep (reconnect - 1);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		if (ld != NULL) {
Petr Lautrbach 65ba94
+			ldap_unbind (ld);
Petr Lautrbach 65ba94
+			ld = NULL;
Petr Lautrbach 65ba94
+		}
Petr Lautrbach 65ba94
+		logit("reconnecting to LDAP server...");
Petr Lautrbach 65ba94
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if (ld == NULL) {
Petr Lautrbach 65ba94
+		int rc;
Petr Lautrbach 65ba94
+		struct timeval tv;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#ifdef HAVE_LDAP_SET_OPTION
Petr Lautrbach 65ba94
+		if (options.debug > 0) {
Petr Lautrbach 65ba94
+#ifdef LBER_OPT_LOG_PRINT_FILE
Petr Lautrbach 65ba94
+			if (options.logdir) {
Petr Lautrbach 65ba94
+				char *logfilename;
Petr Lautrbach 65ba94
+				int logfilenamelen;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
Petr Lautrbach 65ba94
+				logfilename = xmalloc (logfilenamelen);
Petr Lautrbach 65ba94
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
Petr Lautrbach 65ba94
+				logfilename[logfilenamelen - 1] = 0;
Petr Lautrbach 65ba94
+				if ((logfile = fopen (logfilename, "a")) == NULL)
Petr Lautrbach 65ba94
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
Petr Lautrbach 65ba94
+				debug3 ("LDAP debug into %s", logfilename);
Petr Lautrbach 84822b
+				free (logfilename);
Petr Lautrbach 65ba94
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
Petr Lautrbach 65ba94
+			}
Petr Lautrbach 65ba94
+#endif
Petr Lautrbach 65ba94
+			if (options.debug) {
Petr Lautrbach 65ba94
+#ifdef LBER_OPT_DEBUG_LEVEL
Petr Lautrbach 65ba94
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
Petr Lautrbach 65ba94
+#endif /* LBER_OPT_DEBUG_LEVEL */
Petr Lautrbach 65ba94
+#ifdef LDAP_OPT_DEBUG_LEVEL
Petr Lautrbach 65ba94
+				(void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
Petr Lautrbach 65ba94
+#endif /* LDAP_OPT_DEBUG_LEVEL */
Petr Lautrbach 65ba94
+				debug3 ("Set LDAP debug to %d", options.debug);
Petr Lautrbach 65ba94
+			}
Petr Lautrbach 65ba94
+		}
Petr Lautrbach 65ba94
+#endif /* HAVE_LDAP_SET_OPTION */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		ld = NULL;
Petr Lautrbach 65ba94
+#ifdef HAVE_LDAPSSL_INIT
Petr Lautrbach 65ba94
+		if (options.host != NULL) {
Petr Lautrbach 65ba94
+			if (options.ssl_on == SSL_LDAPS) {
Petr Lautrbach 65ba94
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
Petr Lautrbach 65ba94
+				debug3 ("LDAPssl client init");
Petr Lautrbach 65ba94
+			}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			if (options.ssl_on != SSL_OFF) {
Petr Lautrbach 65ba94
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
Petr Lautrbach 65ba94
+				    fatal ("ldapssl_init failed");
Petr Lautrbach 65ba94
+				debug3 ("LDAPssl init");
Petr Lautrbach 65ba94
+			}
Petr Lautrbach 65ba94
+		}
Petr Lautrbach 65ba94
+#endif /* HAVE_LDAPSSL_INIT */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		/* continue with opening */
Petr Lautrbach 65ba94
+		if (ld == NULL) {
Petr Lautrbach 65ba94
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
Petr Lautrbach 65ba94
+			/* Some global TLS-specific options need to be set before we create our
Petr Lautrbach 65ba94
+			 * session context, so we set them here. */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
Petr Lautrbach 65ba94
+			/* rand file */
Petr Lautrbach 65ba94
+			if (options.tls_randfile != NULL) {
Petr Lautrbach 65ba94
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
Petr Lautrbach 65ba94
+				    options.tls_randfile)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
Petr Lautrbach 65ba94
+					    ldap_err2string (rc));
Petr Lautrbach 65ba94
+				debug3 ("Set TLS random file %s", options.tls_randfile);
Petr Lautrbach 65ba94
+			}
Petr Lautrbach 65ba94
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			/* ca cert file */
Petr Lautrbach 65ba94
+			if (options.tls_cacertfile != NULL) {
Petr Lautrbach 65ba94
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
Petr Lautrbach 65ba94
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
Petr Lautrbach 65ba94
+					    ldap_err2string (rc));
Petr Lautrbach 65ba94
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
Petr Lautrbach 65ba94
+			}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			/* ca cert directory */
Petr Lautrbach 65ba94
+			if (options.tls_cacertdir != NULL) {
Petr Lautrbach 65ba94
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
Petr Lautrbach 65ba94
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
Petr Lautrbach 65ba94
+					    ldap_err2string (rc));
Petr Lautrbach 65ba94
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
Petr Lautrbach 65ba94
+			}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			/* require cert? */
Petr Lautrbach 65ba94
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
Petr Lautrbach 65ba94
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
Petr Lautrbach 65ba94
+				    ldap_err2string (rc));
Petr Lautrbach 65ba94
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			/* set cipher suite, certificate and private key: */
Petr Lautrbach 65ba94
+			if (options.tls_ciphers != NULL) {
Petr Lautrbach 65ba94
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
Petr Lautrbach 65ba94
+				    options.tls_ciphers)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
Petr Lautrbach 65ba94
+					    ldap_err2string (rc));
Petr Lautrbach 65ba94
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
Petr Lautrbach 65ba94
+			}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			/* cert file */
Petr Lautrbach 65ba94
+			if (options.tls_cert != NULL) {
Petr Lautrbach 65ba94
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
Petr Lautrbach 65ba94
+				    options.tls_cert)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
Petr Lautrbach 65ba94
+					    ldap_err2string (rc));
Petr Lautrbach 65ba94
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
Petr Lautrbach 65ba94
+			}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			/* key file */
Petr Lautrbach 65ba94
+			if (options.tls_key != NULL) {
Petr Lautrbach 65ba94
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
Petr Lautrbach 65ba94
+				    options.tls_key)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
Petr Lautrbach 65ba94
+					    ldap_err2string (rc));
Petr Lautrbach 65ba94
+				debug3 ("Set TLS key file %s ", options.tls_key);
Petr Lautrbach 65ba94
+			}
Petr Lautrbach 65ba94
+#endif
Petr Lautrbach 65ba94
+#ifdef HAVE_LDAP_INITIALIZE
Petr Lautrbach 65ba94
+			if (options.uri != NULL) {
Petr Lautrbach 65ba94
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
Petr Lautrbach 65ba94
+				debug3 ("LDAP initialize %s", options.uri);
Petr Lautrbach 65ba94
+			}
Petr Lautrbach 65ba94
+	}
Petr Lautrbach 65ba94
+#endif /* HAVE_LDAP_INTITIALIZE */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		/* continue with opening */
Petr Lautrbach 65ba94
+		if ((ld == NULL) && (options.host != NULL)) {
Petr Lautrbach 65ba94
+#ifdef HAVE_LDAP_INIT
Petr Lautrbach 65ba94
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
Petr Lautrbach 65ba94
+			    fatal ("ldap_init failed");
Petr Lautrbach 65ba94
+			debug3 ("LDAP init %s:%d", options.host, options.port);
Petr Lautrbach 65ba94
+#else
Petr Lautrbach 65ba94
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
Petr Lautrbach 65ba94
+			    fatal ("ldap_open failed");
Petr Lautrbach 65ba94
+			debug3 ("LDAP open %s:%d", options.host, options.port);
Petr Lautrbach 65ba94
+#endif /* HAVE_LDAP_INIT */
Petr Lautrbach 65ba94
+		}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		if (ld == NULL)
Petr Lautrbach 65ba94
+			fatal ("no way to open ldap");
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
Petr Lautrbach 65ba94
+		if (options.ssl == SSL_LDAPS) {
Petr Lautrbach 65ba94
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
Petr Lautrbach 65ba94
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
Petr Lautrbach 65ba94
+		}
Petr Lautrbach 65ba94
+#endif /* LDAP_OPT_X_TLS */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
Petr Lautrbach 65ba94
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Petr Lautrbach 65ba94
+		    &options.ldap_version);
Petr Lautrbach 65ba94
+#else
Petr Lautrbach 65ba94
+		ld->ld_version = options.ldap_version;
Petr Lautrbach 65ba94
+#endif
Petr Lautrbach 65ba94
+		debug3 ("LDAP set version to %d", options.ldap_version);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if LDAP_SET_REBIND_PROC_ARGS == 3
Petr Lautrbach 65ba94
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
Petr Lautrbach 65ba94
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
Petr Lautrbach 65ba94
+		ldap_set_rebind_proc (ld, _rebind_proc);
Petr Lautrbach 65ba94
+#else
Petr Lautrbach 65ba94
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
Petr Lautrbach 65ba94
+#endif
Petr Lautrbach 65ba94
+		debug3 ("LDAP set rebind proc");
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
Petr Lautrbach 65ba94
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
Petr Lautrbach 65ba94
+#else
Petr Lautrbach 65ba94
+		ld->ld_deref = options.deref;
Petr Lautrbach 65ba94
+#endif
Petr Lautrbach 65ba94
+		debug3 ("LDAP set deref to %d", options.deref);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
Petr Lautrbach 65ba94
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
Petr Lautrbach 65ba94
+		    &options.timelimit);
Petr Lautrbach 65ba94
+#else
Petr Lautrbach 65ba94
+		ld->ld_timelimit = options.timelimit;
Petr Lautrbach 65ba94
+#endif
Petr Lautrbach 65ba94
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
Petr Lautrbach 65ba94
+		/*
Petr Lautrbach 65ba94
+		 * This is a new option in the Netscape SDK which sets 
Petr Lautrbach 65ba94
+		 * the TCP connect timeout. For want of a better value,
Petr Lautrbach 65ba94
+		 * we use the bind_timelimit to control this.
Petr Lautrbach 65ba94
+		 */
Petr Lautrbach 65ba94
+		timeout = options.bind_timelimit * 1000;
Petr Lautrbach 65ba94
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
Petr Lautrbach 65ba94
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
Petr Lautrbach 65ba94
+#endif
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
Petr Lautrbach 65ba94
+		tv.tv_sec = options.bind_timelimit;
Petr Lautrbach 65ba94
+		tv.tv_usec = 0;
Petr Lautrbach 65ba94
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
Petr Lautrbach 65ba94
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
Petr Lautrbach 65ba94
+#endif
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
Petr Lautrbach 65ba94
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
Petr Lautrbach 65ba94
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
Petr Lautrbach 65ba94
+		debug3 ("LDAP set referrals to %d", options.referrals);
Petr Lautrbach 65ba94
+#endif
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
Petr Lautrbach 65ba94
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
Petr Lautrbach 65ba94
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
Petr Lautrbach 65ba94
+		debug3 ("LDAP set restart to %d", options.restart);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#ifdef HAVE_LDAP_START_TLS_S
Petr Lautrbach 65ba94
+		if (options.ssl == SSL_START_TLS) {
Petr Lautrbach 65ba94
+			int version;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
Petr Lautrbach 65ba94
+			    == LDAP_SUCCESS) {
Petr Lautrbach 65ba94
+				if (version < LDAP_VERSION3) {
Petr Lautrbach 65ba94
+					version = LDAP_VERSION3;
Petr Lautrbach 65ba94
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Petr Lautrbach 65ba94
+					    &version);
Petr Lautrbach 65ba94
+					debug3 ("LDAP set version to %d", version);
Petr Lautrbach 65ba94
+				}
Petr Lautrbach 65ba94
+			}
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
Petr Lautrbach 65ba94
+			debug3 ("LDAP start TLS");
Jan F. Chadima 69dd72
+		}
Petr Lautrbach 65ba94
+#endif /* HAVE_LDAP_START_TLS_S */
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
Petr Lautrbach 65ba94
+	    options.bindpw)) == -1) {
Petr Lautrbach 65ba94
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
Petr Lautrbach 65ba94
+		reconnect++;
Petr Lautrbach 65ba94
+		goto retry;
Petr Lautrbach 65ba94
+	}
Petr Lautrbach 65ba94
+	debug3 ("LDAP simple bind (%s)", options.binddn);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	timeout.tv_sec = options.bind_timelimit;
Jan F. Chadima 69dd72
+	timeout.tv_usec = 0;
Jan F. Chadima 69dd72
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Petr Lautrbach 65ba94
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+		error ("ldap_result %s", ldap_err2string (ld_errno));
Petr Lautrbach 65ba94
+		reconnect++;
Petr Lautrbach 65ba94
+		goto retry;
Jan F. Chadima 69dd72
+	}
Petr Lautrbach 65ba94
+	debug3 ("LDAP result in time");
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Petr Lautrbach 65ba94
+	controls = NULL;
Petr Lautrbach 65ba94
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
Petr Lautrbach 65ba94
+	debug3 ("LDAP parse result OK");
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if (controls != NULL) {
Petr Lautrbach 65ba94
+		ldap_controls_free (controls);
Petr Lautrbach 65ba94
+	}
Petr Lautrbach 65ba94
+#else
Petr Lautrbach 65ba94
+	rc = ldap_result2error (session->ld, result, TRUE);
Jan F. Chadima 69dd72
+#endif
Petr Lautrbach 65ba94
+	if (rc != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+	    fatal ("error trying to bind as user \"%s\" (%s)",
Petr Lautrbach 65ba94
+		options.binddn, ldap_err2string (rc));
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	debug2 ("LDAP do connect OK");
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+void
Petr Lautrbach 65ba94
+process_user (const char *user, FILE *output)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 65ba94
+	LDAPMessage *res, *e;
Petr Lautrbach 65ba94
+	char *buffer;
Petr Lautrbach 65ba94
+	int bufflen, rc, i;
Jan F. Chadima 69dd72
+	struct timeval timeout;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	debug ("LDAP process user");
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	/* quick check for attempts to be evil */
Petr Lautrbach 65ba94
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
Petr Lautrbach 65ba94
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
Petr Lautrbach 65ba94
+		logit ("illegal user name %s not processed", user);
Petr Lautrbach 65ba94
+		return;
Petr Lautrbach 65ba94
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	/* build  filter for LDAP request */
Petr Lautrbach e6dbb8
+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
Petr Lautrbach 65ba94
+	if (options.ssh_filter != NULL)
Petr Lautrbach 65ba94
+	    bufflen += strlen (options.ssh_filter);
Petr Lautrbach 65ba94
+	buffer = xmalloc (bufflen);
Petr Lautrbach e6dbb8
+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
Petr Lautrbach 65ba94
+	buffer[bufflen - 1] = 0;
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	timeout.tv_sec = options.timelimit;
Petr Lautrbach 65ba94
+	timeout.tv_usec = 0;
Petr Lautrbach 65ba94
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
Petr Lautrbach 65ba94
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
Petr Lautrbach 84822b
+		free (buffer);
Petr Lautrbach 65ba94
+		return;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	/* free */
Petr Lautrbach 84822b
+	free (buffer);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
Petr Lautrbach 65ba94
+		int num;
Petr Lautrbach 65ba94
+		struct berval **keys;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
Petr Lautrbach 65ba94
+		num = ldap_count_values_len(keys);
Petr Lautrbach 65ba94
+		for (i = 0 ; i < num ; i++) {
Petr Lautrbach 65ba94
+			char *cp; //, *options = NULL;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
Petr Lautrbach 65ba94
+			if (!*cp || *cp == '\n' || *cp == '#')
Petr Lautrbach 65ba94
+			    continue;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			/* We have found the desired key. */
Petr Lautrbach 65ba94
+			fprintf (output, "%s\n", keys[i]->bv_val);
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		ldap_value_free_len(keys);
Petr Lautrbach 65ba94
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	ldap_msgfree(res);
Petr Lautrbach 65ba94
+	debug2 ("LDAP process user finished");
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+void
Petr Lautrbach 65ba94
+ldap_do_close(void)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	int rc;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	debug ("LDAP do close");
Petr Lautrbach 65ba94
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
Petr Lautrbach 65ba94
+	    fatal ("ldap_unbind_ext: %s",
Petr Lautrbach 65ba94
+                                    ldap_err2string (rc));
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	ld = NULL;
Petr Lautrbach 65ba94
+	debug2 ("LDAP do close OK");
Petr Lautrbach 65ba94
+	return;
Petr Lautrbach 65ba94
+}
Petr Lautrbach 65ba94
+
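diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
--- openssh-6.2p1/ldapbody.h.ldap	2013-03-25 21:27:15.889248078 +0100
+++ openssh-6.2p1/ldapbody.h	2013-03-25 21:27:15.889248078 +0100
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPBODY_H
+#define LDAPBODY_H
+
+#include <stdio.h>
+
+void ldap_checkconfig(void);
+void ldap_do_connect(void);
+void process_user(const char *, FILE *);
+void ldap_do_close(void);
+
+#endif /* LDAPBODY_H */
+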
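Review bot: None of the four prototypes in ldapbody.h carries a comment, so a caller of `process_user` cannot tell from the header that a user name containing LDAP filter metacharacters is refused rather than escaped (the implementation in ldapbody.c logs "illegal user name" and returns without writing anything to the output stream). I would add `/* Look up the public keys of USER and print them, one per line, to OUTPUT. A name containing '(', ')', '*' or '\\' is rejected and nothing is printed. */` above that declaration, and one-line comments above `ldap_do_connect` and `ldap_do_close` saying that they open and tear down the single file-scope connection handle `ld` that `process_user` uses. As a point of style, `ldap_checkconfig`, `ldap_do_connect` and `ldap_do_close` sit in libldap's own `ldap_` symbol prefix; this appears harmless today, but a project-specific prefix would rule out a clash with a future library export.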
diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
Petr Lautrbach e6dbb8
--- openssh-6.2p2/ldapconf.c.ldap	2013-06-07 15:10:05.601942693 +0200
Petr Lautrbach e6dbb8
+++ openssh-6.2p2/ldapconf.c	2013-06-07 15:10:24.928857566 +0200
Petr Lautrbach e6dbb8
@@ -0,0 +1,691 @@
Petr Lautrbach 65ba94
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 65ba94
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 65ba94
+ * are met:
Petr Lautrbach 65ba94
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 65ba94
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 65ba94
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 65ba94
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 65ba94
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 65ba94
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 65ba94
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 65ba94
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 65ba94
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 65ba94
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 65ba94
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 65ba94
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#include "ldapincludes.h"
Petr Lautrbach 65ba94
+#include "ldap-helper.h"
Petr Lautrbach 65ba94
+#include "log.h"
Petr Lautrbach 65ba94
+#include "misc.h"
Petr Lautrbach 65ba94
+#include "xmalloc.h"
Petr Lautrbach 65ba94
+#include "ldapconf.h"
Petr Lautrbach 65ba94
+#include <unistd.h>
Petr Lautrbach 65ba94
+#include <string.h>
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/* Keyword tokens. */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+typedef enum {
Petr Lautrbach 65ba94
+	lBadOption,
Petr Lautrbach 65ba94
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
Petr Lautrbach 65ba94
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
Petr Lautrbach 65ba94
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
Petr Lautrbach 65ba94
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
Petr Lautrbach 65ba94
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
Petr Lautrbach 65ba94
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
Petr Lautrbach e6dbb8
+	lAccountClass, lDeprecated, lUnsupported
Petr Lautrbach 65ba94
+} OpCodes;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/* Textual representations of the tokens. */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static struct {
Petr Lautrbach 65ba94
+	const char *name;
Petr Lautrbach 65ba94
+	OpCodes opcode;
Petr Lautrbach 65ba94
+} keywords[] = {
Petr Lautrbach 65ba94
+	{ "URI", lURI },
Petr Lautrbach 65ba94
+	{ "Base", lBase },
Petr Lautrbach 65ba94
+	{ "BindDN", lBindDN },
Petr Lautrbach 65ba94
+	{ "BindPW", lBindPW },
Petr Lautrbach 65ba94
+	{ "RootBindDN", lRootBindDN },
Petr Lautrbach 65ba94
+	{ "Host", lHost },
Petr Lautrbach 65ba94
+	{ "Port", lPort },
Petr Lautrbach 65ba94
+	{ "Scope", lScope },
Petr Lautrbach 65ba94
+	{ "Deref", lDeref },
Petr Lautrbach 65ba94
+	{ "TimeLimit", lTimeLimit },
Petr Lautrbach 65ba94
+	{ "TimeOut", lTimeLimit },
Petr Lautrbach 65ba94
+	{ "Bind_Timelimit", lBind_TimeLimit },
Petr Lautrbach 65ba94
+	{ "Network_TimeOut", lBind_TimeLimit },
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Todo
Petr Lautrbach 65ba94
+ * SIZELIMIT
Petr Lautrbach 65ba94
+ */
Petr Lautrbach 65ba94
+	{ "Ldap_Version", lLdap_Version },
Petr Lautrbach 65ba94
+	{ "Version", lLdap_Version },
Petr Lautrbach 65ba94
+	{ "Bind_Policy", lBind_Policy },
Petr Lautrbach 65ba94
+	{ "SSLPath", lSSLPath },
Petr Lautrbach 65ba94
+	{ "SSL", lSSL },
Petr Lautrbach 65ba94
+	{ "Referrals", lReferrals },
Petr Lautrbach 65ba94
+	{ "Restart", lRestart },
Petr Lautrbach 65ba94
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
Petr Lautrbach 65ba94
+	{ "TLS_ReqCert", lTLS_CheckPeer },
Petr Lautrbach 65ba94
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
Petr Lautrbach 65ba94
+	{ "TLS_CaCert", lTLS_CaCertFile },
Petr Lautrbach 65ba94
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
Petr Lautrbach 65ba94
+	{ "TLS_Ciphers", lTLS_Ciphers },
Petr Lautrbach 65ba94
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
Petr Lautrbach 65ba94
+	{ "TLS_Cert", lTLS_Cert },
Petr Lautrbach 65ba94
+	{ "TLS_Certificate", lTLS_Cert },
Petr Lautrbach 65ba94
+	{ "TLS_Key", lTLS_Key },
Petr Lautrbach 65ba94
+	{ "TLS_RandFile", lTLS_RandFile },
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Todo
Petr Lautrbach 65ba94
+ * TLS_CRLCHECK
Petr Lautrbach 65ba94
+ * TLS_CRLFILE
Petr Lautrbach 65ba94
+ */
Petr Lautrbach 65ba94
+	{ "LogDir", lLogDir },
Petr Lautrbach 65ba94
+	{ "Debug", lDebug },
Petr Lautrbach 65ba94
+	{ "SSH_Filter", lSSH_Filter },
Petr Lautrbach e6dbb8
+	{ "AccountClass", lAccountClass },
Petr Lautrbach 65ba94
+	{ NULL, lBadOption }
Petr Lautrbach 65ba94
+};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/* Configuration ptions. */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+Options options;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Returns the number of the token pointed to by cp or oBadOption.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static OpCodes
Petr Lautrbach 65ba94
+parse_token(const char *cp, const char *filename, int linenum)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	u_int i;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	for (i = 0; keywords[i].name; i++)
Petr Lautrbach 65ba94
+		if (strcasecmp(cp, keywords[i].name) == 0)
Petr Lautrbach 65ba94
+			return keywords[i].opcode;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if (config_warning_config_file) 
Petr Lautrbach 65ba94
+	    logit("%s: line %d: Bad configuration option: %s",
Petr Lautrbach 65ba94
+		filename, linenum, cp);
Petr Lautrbach 65ba94
+	return lBadOption;
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Processes a single option line as used in the configuration files. This
Petr Lautrbach 65ba94
+ * only sets those values that have not already been set.
Petr Lautrbach 65ba94
+ */
Petr Lautrbach 65ba94
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static int
Petr Lautrbach 65ba94
+process_config_line(char *line, const char *filename, int linenum)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
Petr Lautrbach 65ba94
+	char *rootbinddn = NULL;
Petr Lautrbach 65ba94
+	int opcode, *intptr, value;
Petr Lautrbach 65ba94
+	size_t len;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	/* Strip trailing whitespace */
Petr Lautrbach 65ba94
+	for (len = strlen(line) - 1; len > 0; len--) {
Petr Lautrbach 65ba94
+		if (strchr(WHITESPACE, line[len]) == NULL)
Petr Lautrbach 65ba94
+			break;
Petr Lautrbach 65ba94
+		line[len] = '\0';
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	s = line;
Petr Lautrbach 65ba94
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
Petr Lautrbach 65ba94
+	if ((keyword = strdelim(&s)) == NULL)
Petr Lautrbach 65ba94
+		return 0;
Petr Lautrbach 65ba94
+	/* Ignore leading whitespace. */
Petr Lautrbach 65ba94
+	if (*keyword == '\0')
Petr Lautrbach 65ba94
+		keyword = strdelim(&s);
Petr Lautrbach 65ba94
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
Petr Lautrbach 65ba94
+		return 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	opcode = parse_token(keyword, filename, linenum);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	switch (opcode) {
Petr Lautrbach 65ba94
+	case lBadOption:
Petr Lautrbach 65ba94
+		/* don't panic, but count bad options */
Petr Lautrbach 65ba94
+		return -1;
Petr Lautrbach 65ba94
+		/* NOTREACHED */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lHost:
Petr Lautrbach 65ba94
+		xstringptr = &options.host;
Petr Lautrbach 65ba94
+parse_xstring:
Petr Lautrbach 65ba94
+		if (!s || *s == '\0')
Petr Lautrbach 65ba94
+		    fatal("%s line %d: missing dn",filename,linenum);
Petr Lautrbach 65ba94
+		if (*xstringptr == NULL)
Petr Lautrbach 65ba94
+		    *xstringptr = xstrdup(s);
Petr Lautrbach 65ba94
+		return 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lURI:
Petr Lautrbach 65ba94
+		xstringptr = &options.uri;
Petr Lautrbach 65ba94
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lBase:
Petr Lautrbach 65ba94
+		xstringptr = &options.base;
Petr Lautrbach 65ba94
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lBindDN:
Petr Lautrbach 65ba94
+		xstringptr = &options.binddn;
Petr Lautrbach 65ba94
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lBindPW:
Petr Lautrbach 65ba94
+		charptr = &options.bindpw;
Petr Lautrbach 65ba94
+parse_string:
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Petr Lautrbach 65ba94
+		if (*charptr == NULL)
Petr Lautrbach 65ba94
+			*charptr = xstrdup(arg);
Petr Lautrbach 65ba94
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lRootBindDN:
Petr Lautrbach 65ba94
+		xstringptr = &rootbinddn;
Petr Lautrbach 65ba94
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lScope:
Petr Lautrbach 65ba94
+		intptr = &options.scope;
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
Petr Lautrbach 65ba94
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 65ba94
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
Petr Lautrbach 65ba94
+			value = LDAP_SCOPE_SUBTREE;
Petr Lautrbach 65ba94
+		else if (strcasecmp (arg, "one") == 0)
Petr Lautrbach 65ba94
+			value = LDAP_SCOPE_ONELEVEL;
Petr Lautrbach 65ba94
+		else if (strcasecmp (arg, "base") == 0)
Petr Lautrbach 65ba94
+			value = LDAP_SCOPE_BASE;
Petr Lautrbach 65ba94
+		else
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
Petr Lautrbach 65ba94
+		if (*intptr == -1)
Petr Lautrbach 65ba94
+			*intptr = value;
Petr Lautrbach 65ba94
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lDeref:
Petr Lautrbach 65ba94
+		intptr = &options.scope;
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
Petr Lautrbach 65ba94
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 65ba94
+		if (!strcasecmp (arg, "never"))
Petr Lautrbach 65ba94
+			value = LDAP_DEREF_NEVER;
Petr Lautrbach 65ba94
+		else if (!strcasecmp (arg, "searching"))
Petr Lautrbach 65ba94
+			value = LDAP_DEREF_SEARCHING;
Petr Lautrbach 65ba94
+		else if (!strcasecmp (arg, "finding"))
Petr Lautrbach 65ba94
+			value = LDAP_DEREF_FINDING;
Petr Lautrbach 65ba94
+		else if (!strcasecmp (arg, "always"))
Petr Lautrbach 65ba94
+			value = LDAP_DEREF_ALWAYS;
Petr Lautrbach 65ba94
+		else
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
Petr Lautrbach 65ba94
+		if (*intptr == -1)
Petr Lautrbach 65ba94
+			*intptr = value;
Petr Lautrbach 65ba94
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lPort:
Petr Lautrbach 65ba94
+		intptr = &options.port;
Petr Lautrbach 65ba94
+parse_int:
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Petr Lautrbach 65ba94
+		if (arg[0] < '0' || arg[0] > '9')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		/* Octal, decimal, or hex format? */
Petr Lautrbach 65ba94
+		value = strtol(arg, &endofnumber, 0);
Petr Lautrbach 65ba94
+		if (arg == endofnumber)
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Petr Lautrbach 65ba94
+		if (*intptr == -1)
Petr Lautrbach 65ba94
+			*intptr = value;
Petr Lautrbach 65ba94
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lTimeLimit:
Petr Lautrbach 65ba94
+		intptr = &options.timelimit;
Petr Lautrbach 65ba94
+parse_time:
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%s line %d: missing time value.",
Petr Lautrbach 65ba94
+			    filename, linenum);
Petr Lautrbach 65ba94
+		if ((value = convtime(arg)) == -1)
Petr Lautrbach 65ba94
+			fatal("%s line %d: invalid time value.",
Petr Lautrbach 65ba94
+			    filename, linenum);
Petr Lautrbach 65ba94
+		if (*intptr == -1)
Petr Lautrbach 65ba94
+			*intptr = value;
Petr Lautrbach 65ba94
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lBind_TimeLimit:
Petr Lautrbach 65ba94
+		intptr = &options.bind_timelimit;
Petr Lautrbach 65ba94
+		goto parse_time;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lLdap_Version:
Petr Lautrbach 65ba94
+		intptr = &options.ldap_version;
Petr Lautrbach 65ba94
+		goto parse_int;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lBind_Policy:
Petr Lautrbach 65ba94
+		intptr = &options.bind_policy;
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
Petr Lautrbach 65ba94
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 65ba94
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
Petr Lautrbach 65ba94
+			value = 1;
Petr Lautrbach 65ba94
+		else if (strcasecmp(arg, "soft") == 0)
Petr Lautrbach 65ba94
+			value = 0;
Petr Lautrbach 65ba94
+		else
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
Petr Lautrbach 65ba94
+		if (*intptr == -1)
Petr Lautrbach 65ba94
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lSSLPath:
Petr Lautrbach 65ba94
+		charptr = &options.sslpath;
Petr Lautrbach 65ba94
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lSSL:
Petr Lautrbach 65ba94
+		intptr = &options.ssl;
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
Petr Lautrbach 65ba94
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 65ba94
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Petr Lautrbach 65ba94
+			value = SSL_LDAPS;
Petr Lautrbach 65ba94
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Petr Lautrbach 65ba94
+			value = SSL_OFF;
Petr Lautrbach 65ba94
+		else if (!strcasecmp (arg, "start_tls"))
Petr Lautrbach 65ba94
+			value = SSL_START_TLS;
Petr Lautrbach 65ba94
+		else
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
Petr Lautrbach 65ba94
+		if (*intptr == -1)
Petr Lautrbach 65ba94
+			*intptr = value;
Petr Lautrbach 65ba94
+		break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	case lReferrals:
Petr Lautrbach 65ba94
+		intptr = &options.referrals;
Petr Lautrbach 65ba94
+parse_flag:
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
Petr Lautrbach 65ba94
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 65ba94
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Petr Lautrbach 65ba94
+			value = 1;
Petr Lautrbach 65ba94
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Petr Lautrbach 65ba94
+			value = 0;
Petr Lautrbach 65ba94
+		else
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
Petr Lautrbach 65ba94
+		if (*intptr == -1)
Petr Lautrbach 65ba94
+			*intptr = value;
Petr Lautrbach 65ba94
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lRestart:
Petr Lautrbach 65ba94
+		intptr = &options.restart;
Petr Lautrbach 65ba94
+		goto parse_flag;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lTLS_CheckPeer:
Petr Lautrbach 65ba94
+		intptr = &options.tls_checkpeer;
Petr Lautrbach 65ba94
+		arg = strdelim(&s);
Petr Lautrbach 65ba94
+		if (!arg || *arg == '\0')
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
Petr Lautrbach 65ba94
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 65ba94
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Petr Lautrbach 65ba94
+			value = LDAP_OPT_X_TLS_NEVER;
Petr Lautrbach 65ba94
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Petr Lautrbach 65ba94
+			value = LDAP_OPT_X_TLS_HARD;
Petr Lautrbach 65ba94
+		else if (strcasecmp(arg, "demand") == 0)
Petr Lautrbach 65ba94
+			value = LDAP_OPT_X_TLS_DEMAND;
Petr Lautrbach 65ba94
+		else if (strcasecmp(arg, "allow") == 0)
Petr Lautrbach 65ba94
+			value = LDAP_OPT_X_TLS_ALLOW;
Petr Lautrbach 65ba94
+		else if (strcasecmp(arg, "try") == 0)
Petr Lautrbach 65ba94
+			value = LDAP_OPT_X_TLS_TRY;
Petr Lautrbach 65ba94
+		else
Petr Lautrbach 65ba94
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
Petr Lautrbach 65ba94
+		if (*intptr == -1)
Petr Lautrbach 65ba94
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lTLS_CaCertFile:
Petr Lautrbach 65ba94
+		charptr = &options.tls_cacertfile;
Petr Lautrbach 65ba94
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lTLS_CaCertDir:
Petr Lautrbach 65ba94
+		charptr = &options.tls_cacertdir;
Petr Lautrbach 65ba94
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lTLS_Ciphers:
Petr Lautrbach 65ba94
+		xstringptr = &options.tls_ciphers;
Petr Lautrbach 65ba94
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lTLS_Cert:
Petr Lautrbach 65ba94
+		charptr = &options.tls_cert;
Petr Lautrbach 65ba94
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lTLS_Key:
Petr Lautrbach 65ba94
+		charptr = &options.tls_key;
Petr Lautrbach 65ba94
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lTLS_RandFile:
Petr Lautrbach 65ba94
+		charptr = &options.tls_randfile;
Petr Lautrbach 65ba94
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lLogDir:
Petr Lautrbach 65ba94
+		charptr = &options.logdir;
Petr Lautrbach 65ba94
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lDebug:
Petr Lautrbach 65ba94
+		intptr = &options.debug;
Petr Lautrbach 65ba94
+		goto parse_int;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lSSH_Filter:
Petr Lautrbach 65ba94
+		xstringptr = &options.ssh_filter;
Petr Lautrbach 65ba94
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach e6dbb8
+	case lAccountClass:
Petr Lautrbach e6dbb8
+		charptr = &options.account_class;
Petr Lautrbach e6dbb8
+		goto parse_string;
Petr Lautrbach e6dbb8
+
Petr Lautrbach 65ba94
+	case lDeprecated:
Petr Lautrbach 65ba94
+		debug("%s line %d: Deprecated option \"%s\"",
Petr Lautrbach 65ba94
+		    filename, linenum, keyword);
Petr Lautrbach 65ba94
+		return 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	case lUnsupported:
Petr Lautrbach 65ba94
+		error("%s line %d: Unsupported option \"%s\"",
Petr Lautrbach 65ba94
+		    filename, linenum, keyword);
Petr Lautrbach 65ba94
+		return 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	default:
Petr Lautrbach 65ba94
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
Petr Lautrbach 65ba94
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	/* Check that there is no garbage at end of line. */
Petr Lautrbach 65ba94
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
Petr Lautrbach 65ba94
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
Petr Lautrbach 65ba94
+		    filename, linenum, arg);
Petr Lautrbach 65ba94
+	}
Petr Lautrbach 65ba94
+	return 0;
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/*
Petr Lautrbach 65ba94
+ * Reads the config file and modifies the options accordingly.  Options
Petr Lautrbach 65ba94
+ * should already be initialized before this call.  This never returns if
Petr Lautrbach 65ba94
+ * there is an error.  If the file does not exist, this returns 0.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+void
Petr Lautrbach 65ba94
+read_config_file(const char *filename)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 65ba94
+	FILE *f;
Petr Lautrbach 65ba94
+	char line[1024];
Petr Lautrbach 65ba94
+	int active, linenum;
Petr Lautrbach 65ba94
+	int bad_options = 0;
Petr Lautrbach 65ba94
+	struct stat sb;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if ((f = fopen(filename, "r")) == NULL)
Petr Lautrbach 65ba94
+		fatal("fopen %s: %s", filename, strerror(errno));
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if (fstat(fileno(f), &sb) == -1)
Petr Lautrbach 65ba94
+		fatal("fstat %s: %s", filename, strerror(errno));
Petr Lautrbach 65ba94
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
Petr Lautrbach 65ba94
+	    (sb.st_mode & 022) != 0))
Petr Lautrbach 65ba94
+		fatal("Bad owner or permissions on %s", filename);
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	debug("Reading configuration data %.200s", filename);
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	/*
Petr Lautrbach 65ba94
+	 * Mark that we are now processing the options.  This flag is turned
Petr Lautrbach 65ba94
+	 * on/off by Host specifications.
Petr Lautrbach 65ba94
+	 */
Petr Lautrbach 65ba94
+	active = 1;
Petr Lautrbach 65ba94
+	linenum = 0;
Petr Lautrbach 65ba94
+	while (fgets(line, sizeof(line), f)) {
Petr Lautrbach 65ba94
+		/* Update line number counter. */
Petr Lautrbach 65ba94
+		linenum++;
Petr Lautrbach 65ba94
+		if (process_config_line(line, filename, linenum) != 0)
Petr Lautrbach 65ba94
+			bad_options++;
Petr Lautrbach 65ba94
+	}
Petr Lautrbach 65ba94
+	fclose(f);
Petr Lautrbach 65ba94
+	if ((bad_options > 0) && config_exclusive_config_file) 
Petr Lautrbach 65ba94
+		fatal("%s: terminating, %d bad configuration options",
Petr Lautrbach 65ba94
+		    filename, bad_options);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+/*
Petr Lautrbach 65ba94
+ * Initializes options to special values that indicate that they have not yet
Petr Lautrbach 65ba94
+ * been set.  Read_config_file will only set options with this value. Options
Petr Lautrbach 65ba94
+ * are processed in the following order: command line, user config file,
Petr Lautrbach 65ba94
+ * system config file.  Last, fill_default_options is called.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+void
Petr Lautrbach 65ba94
+initialize_options(void)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 65ba94
+	memset(&options, 'X', sizeof(options));
Petr Lautrbach 65ba94
+	options.host = NULL;
Petr Lautrbach 65ba94
+	options.uri = NULL;
Petr Lautrbach 65ba94
+	options.base = NULL;
Petr Lautrbach 65ba94
+	options.binddn = NULL;
Petr Lautrbach 65ba94
+	options.bindpw = NULL;
Petr Lautrbach 65ba94
+	options.scope = -1;
Petr Lautrbach 65ba94
+	options.deref = -1;
Petr Lautrbach 65ba94
+	options.port = -1;
Petr Lautrbach 65ba94
+	options.timelimit = -1;
Petr Lautrbach 65ba94
+	options.bind_timelimit = -1;
Petr Lautrbach 65ba94
+	options.ldap_version = -1;
Petr Lautrbach 65ba94
+	options.bind_policy = -1;
Petr Lautrbach 65ba94
+	options.sslpath = NULL;
Petr Lautrbach 65ba94
+	options.ssl = -1;
Petr Lautrbach 65ba94
+	options.referrals = -1;
Petr Lautrbach 65ba94
+	options.restart = -1;
Petr Lautrbach 65ba94
+	options.tls_checkpeer = -1;
Petr Lautrbach 65ba94
+	options.tls_cacertfile = NULL;
Petr Lautrbach 65ba94
+	options.tls_cacertdir = NULL;
Petr Lautrbach 65ba94
+	options.tls_ciphers = NULL;
Petr Lautrbach 65ba94
+	options.tls_cert = NULL;
Petr Lautrbach 65ba94
+	options.tls_key = NULL;
Petr Lautrbach 65ba94
+	options.tls_randfile = NULL;
Petr Lautrbach 65ba94
+	options.logdir = NULL;
Petr Lautrbach 65ba94
+	options.debug = -1;
Petr Lautrbach 65ba94
+	options.ssh_filter = NULL;
Petr Lautrbach e6dbb8
+	options.account_class = NULL;
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Called after processing other sources of option data, this fills those
Petr Lautrbach 65ba94
+ * options for which no value has been specified with their default values.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+void
Petr Lautrbach 65ba94
+fill_default_options(void)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	if (options.uri != NULL) {
Petr Lautrbach 65ba94
+		LDAPURLDesc *ludp;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
Petr Lautrbach 65ba94
+			if (options.ssl == -1) {
Petr Lautrbach 65ba94
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
Petr Lautrbach 65ba94
+				    options.ssl = 2;
Petr Lautrbach 65ba94
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
Petr Lautrbach 65ba94
+				    options.ssl = 0;
Petr Lautrbach 65ba94
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
Petr Lautrbach 65ba94
+				    options.ssl = 1;
Petr Lautrbach 65ba94
+			}
Petr Lautrbach 65ba94
+			if (options.host == NULL)
Petr Lautrbach 65ba94
+			    options.host = xstrdup (ludp->lud_host);
Petr Lautrbach 65ba94
+			if (options.port == -1)
Petr Lautrbach 65ba94
+			    options.port = ludp->lud_port;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+			ldap_free_urldesc (ludp);
Petr Lautrbach 65ba94
+		}
Petr Lautrbach 65ba94
+	} 
Petr Lautrbach 65ba94
+	if (options.ssl == -1)
Petr Lautrbach 65ba94
+	    options.ssl = SSL_START_TLS;
Petr Lautrbach 65ba94
+	if (options.port == -1)
Petr Lautrbach 65ba94
+	    options.port = (options.ssl == 0) ? 389 : 636;
Petr Lautrbach 65ba94
+	if (options.uri == NULL) {
Petr Lautrbach 65ba94
+		int len;
Petr Lautrbach 65ba94
+#define MAXURILEN 4096
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+		options.uri = xmalloc (MAXURILEN);
Petr Lautrbach 65ba94
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
Petr Lautrbach 65ba94
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
Petr Lautrbach 65ba94
+		options.uri[MAXURILEN - 1] = 0;
Petr Lautrbach 65ba94
+		options.uri = xrealloc (options.uri, len + 1, 1);
Petr Lautrbach 65ba94
+	}
Petr Lautrbach 65ba94
+	if (options.binddn == NULL)
Petr Lautrbach 65ba94
+	    options.binddn = "";
Petr Lautrbach 65ba94
+	if (options.bindpw == NULL)
Petr Lautrbach 65ba94
+	    options.bindpw = "";
Petr Lautrbach 65ba94
+	if (options.scope == -1)
Petr Lautrbach 65ba94
+	    options.scope = LDAP_SCOPE_SUBTREE;
Petr Lautrbach 65ba94
+	if (options.deref == -1)
Petr Lautrbach 65ba94
+	    options.deref = LDAP_DEREF_NEVER;
Petr Lautrbach 65ba94
+	if (options.timelimit == -1)
Petr Lautrbach 65ba94
+	    options.timelimit = 10;
Petr Lautrbach 65ba94
+	if (options.bind_timelimit == -1)
Petr Lautrbach 65ba94
+	    options.bind_timelimit = 10;
Petr Lautrbach 65ba94
+	if (options.ldap_version == -1)
Petr Lautrbach 65ba94
+	    options.ldap_version = 3;
Petr Lautrbach 65ba94
+	if (options.bind_policy == -1)
Petr Lautrbach 65ba94
+	    options.bind_policy = 1;
Petr Lautrbach 65ba94
+	if (options.referrals == -1)
Petr Lautrbach 65ba94
+	    options.referrals = 1;
Petr Lautrbach 65ba94
+	if (options.restart == -1)
Petr Lautrbach 65ba94
+	    options.restart = 1;
Petr Lautrbach 65ba94
+	if (options.tls_checkpeer == -1)
Petr Lautrbach 65ba94
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
Petr Lautrbach 65ba94
+	if (options.debug == -1)
Petr Lautrbach 65ba94
+	    options.debug = 0;
Petr Lautrbach 65ba94
+	if (options.ssh_filter == NULL)
Petr Lautrbach 65ba94
+	    options.ssh_filter = "";
Petr Lautrbach e6dbb8
+	if (options.account_class == NULL)
Petr Lautrbach e6dbb8
+	    options.account_class = "posixAccount";
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static const char *
Petr Lautrbach 65ba94
+lookup_opcode_name(OpCodes code)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	u_int i;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	for (i = 0; keywords[i].name != NULL; i++)
Petr Lautrbach 65ba94
+	    if (keywords[i].opcode == code)
Petr Lautrbach 65ba94
+		return(keywords[i].name);
Petr Lautrbach 65ba94
+	return "UNKNOWN";
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static void
Petr Lautrbach 65ba94
+dump_cfg_string(OpCodes code, const char *val)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	if (val == NULL)
Petr Lautrbach 65ba94
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Petr Lautrbach 65ba94
+	else
Petr Lautrbach 65ba94
+	    debug3("%s %s", lookup_opcode_name(code), val);
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static void
Petr Lautrbach 65ba94
+dump_cfg_int(OpCodes code, int val)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	if (val == -1)
Petr Lautrbach 65ba94
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Petr Lautrbach 65ba94
+	else
Petr Lautrbach 65ba94
+	    debug3("%s %d", lookup_opcode_name(code), val);
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+struct names {
Petr Lautrbach 65ba94
+	int value;
Petr Lautrbach 65ba94
+	char *name;
Petr Lautrbach 65ba94
+};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static void
Petr Lautrbach 65ba94
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	u_int i;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if (val == -1)
Petr Lautrbach 65ba94
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Petr Lautrbach 65ba94
+	else {
Petr Lautrbach 65ba94
+		for (i = 0; names[i].value != -1; i++)
Petr Lautrbach 65ba94
+	 	    if (names[i].value == val) {
Petr Lautrbach 65ba94
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
Petr Lautrbach 65ba94
+			    return;
Petr Lautrbach 65ba94
+		}
Petr Lautrbach 65ba94
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
Petr Lautrbach 65ba94
+	}
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static struct names _yesnotls[] = {
Petr Lautrbach 65ba94
+	{ 0, "No" },
Petr Lautrbach 65ba94
+	{ 1, "Yes" },
Petr Lautrbach 65ba94
+	{ 2, "Start_TLS" },
Petr Lautrbach 65ba94
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static struct names _scope[] = {
Petr Lautrbach 65ba94
+	{ LDAP_SCOPE_BASE, "Base" },
Petr Lautrbach 65ba94
+	{ LDAP_SCOPE_ONELEVEL, "One" },
Petr Lautrbach 65ba94
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
Petr Lautrbach 65ba94
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static struct names _deref[] = {
Petr Lautrbach 65ba94
+	{ LDAP_DEREF_NEVER, "Never" },
Petr Lautrbach 65ba94
+	{ LDAP_DEREF_SEARCHING, "Searching" },
Petr Lautrbach 65ba94
+	{ LDAP_DEREF_FINDING, "Finding" },
Petr Lautrbach 65ba94
+	{ LDAP_DEREF_ALWAYS, "Always" },
Petr Lautrbach 65ba94
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static struct names _yesno[] = {
Petr Lautrbach 65ba94
+	{ 0, "No" },
Petr Lautrbach 65ba94
+	{ 1, "Yes" },
Petr Lautrbach 65ba94
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static struct names _bindpolicy[] = {
Petr Lautrbach 65ba94
+	{ 0, "Soft" },
Petr Lautrbach 65ba94
+	{ 1, "Hard" },
Petr Lautrbach 65ba94
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static struct names _checkpeer[] = {
Petr Lautrbach 65ba94
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
Petr Lautrbach 65ba94
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
Petr Lautrbach 65ba94
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
Petr Lautrbach 65ba94
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
Petr Lautrbach 65ba94
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
Petr Lautrbach 65ba94
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+void
Petr Lautrbach 65ba94
+dump_config(void)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 65ba94
+	dump_cfg_string(lURI, options.uri);
Petr Lautrbach 65ba94
+	dump_cfg_string(lHost, options.host);
Petr Lautrbach 65ba94
+	dump_cfg_int(lPort, options.port);
Petr Lautrbach 65ba94
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
Petr Lautrbach 65ba94
+	dump_cfg_int(lLdap_Version, options.ldap_version);
Petr Lautrbach 65ba94
+	dump_cfg_int(lTimeLimit, options.timelimit);
Petr Lautrbach 65ba94
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
Petr Lautrbach 65ba94
+	dump_cfg_string(lBase, options.base);
Petr Lautrbach 65ba94
+	dump_cfg_string(lBindDN, options.binddn);
Petr Lautrbach 65ba94
+	dump_cfg_string(lBindPW, options.bindpw);
Petr Lautrbach 65ba94
+	dump_cfg_namedint(lScope, options.scope, _scope);
Petr Lautrbach 65ba94
+	dump_cfg_namedint(lDeref, options.deref, _deref);
Petr Lautrbach 65ba94
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
Petr Lautrbach 65ba94
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
Petr Lautrbach 65ba94
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
Petr Lautrbach 65ba94
+	dump_cfg_string(lSSLPath, options.sslpath);
Petr Lautrbach 65ba94
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
Petr Lautrbach 65ba94
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
Petr Lautrbach 65ba94
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
Petr Lautrbach 65ba94
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
Petr Lautrbach 65ba94
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
Petr Lautrbach 65ba94
+	dump_cfg_string(lTLS_Key, options.tls_key);
Petr Lautrbach 65ba94
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
Petr Lautrbach 65ba94
+	dump_cfg_string(lLogDir, options.logdir);
Petr Lautrbach 65ba94
+	dump_cfg_int(lDebug, options.debug);
Petr Lautrbach 65ba94
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
Petr Lautrbach e6dbb8
+	dump_cfg_string(lAccountClass, options.logdir);
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach e6dbb8
diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
Petr Lautrbach e6dbb8
--- openssh-6.2p2/ldapconf.h.ldap	2013-06-07 15:10:05.602942689 +0200
Petr Lautrbach e6dbb8
+++ openssh-6.2p2/ldapconf.h	2013-06-07 15:10:24.928857566 +0200
Petr Lautrbach e6dbb8
@@ -0,0 +1,72 @@
Petr Lautrbach 65ba94
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 65ba94
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 65ba94
+ * are met:
Petr Lautrbach 65ba94
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 65ba94
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 65ba94
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 65ba94
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 65ba94
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 65ba94
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 65ba94
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 65ba94
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 65ba94
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 65ba94
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 65ba94
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 65ba94
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#ifndef LDAPCONF_H
Petr Lautrbach 65ba94
+#define LDAPCONF_H
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#define SSL_OFF          0
Petr Lautrbach 65ba94
+#define SSL_LDAPS        1
Petr Lautrbach 65ba94
+#define SSL_START_TLS    2
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/* Data structure for representing option data. */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+typedef struct {
Petr Lautrbach 65ba94
+	char *host;
Petr Lautrbach 65ba94
+	char *uri;
Petr Lautrbach 65ba94
+	char *base;
Petr Lautrbach 65ba94
+	char *binddn;
Petr Lautrbach 65ba94
+	char *bindpw;
Petr Lautrbach 65ba94
+	int scope;
Petr Lautrbach 65ba94
+	int deref;
Petr Lautrbach 65ba94
+	int port;
Petr Lautrbach 65ba94
+	int timelimit;
Petr Lautrbach 65ba94
+	int bind_timelimit;
Petr Lautrbach 65ba94
+	int ldap_version;
Petr Lautrbach 65ba94
+	int bind_policy;
Petr Lautrbach 65ba94
+	char *sslpath;
Petr Lautrbach 65ba94
+	int ssl;
Petr Lautrbach 65ba94
+	int referrals;
Petr Lautrbach 65ba94
+	int restart;
Petr Lautrbach 65ba94
+	int tls_checkpeer;
Petr Lautrbach 65ba94
+	char *tls_cacertfile;
Petr Lautrbach 65ba94
+	char *tls_cacertdir;
Petr Lautrbach 65ba94
+	char *tls_ciphers;
Petr Lautrbach 65ba94
+	char *tls_cert;
Petr Lautrbach 65ba94
+	char *tls_key;
Petr Lautrbach 65ba94
+	char *tls_randfile;
Petr Lautrbach 65ba94
+	char *logdir;
Petr Lautrbach 65ba94
+	int debug;
Petr Lautrbach 65ba94
+	char *ssh_filter;
Petr Lautrbach e6dbb8
+	char *account_class;
Petr Lautrbach 65ba94
+}       Options;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+extern Options options;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+void read_config_file(const char *);
Petr Lautrbach 65ba94
+void initialize_options(void);
Petr Lautrbach 65ba94
+void fill_default_options(void);
Petr Lautrbach 65ba94
+void dump_config(void);
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+#endif /* LDAPCONF_H */
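Review bot: The `char *` members of Options receive string literals in fill_default_options (`options.binddn = ""`, `options.bindpw = ""`, `options.ssh_filter = ""`, `options.account_class = "posixAccount"`) while `options.uri` and `options.host` receive xmalloc/xstrdup buffers, so one struct mixes static and heap ownership under the same type and can never be freed uniformly; either declare those members `const char *` or state in this header that Options strings are never freed. The `SSL_OFF`/`SSL_LDAPS`/`SSL_START_TLS` constants are defined here, yet fill_default_options in ldapconf.c still assigns and compares the raw values 0/1/2 for the `ssl` member, so consumers should be switched to the named constants. The `bindpw` member holds a cleartext bind credential and is written to the log by dump_config at debug3, which deserves a comment at the declaration such as `/* cleartext bind credential from ldap.conf; also emitted by dump_config at debug3 */`. The first-line ident `$OpenBSD: ldapconf.c,v` appears to have been copied from the .c file.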
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/ldap.conf.ldap openssh-6.2p1/ldap.conf
Petr Lautrbach 8a29de
--- openssh-6.2p1/ldap.conf.ldap	2013-03-25 21:27:15.891248091 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ldap.conf	2013-03-25 21:27:15.891248091 +0100
Petr Lautrbach 65ba94
@@ -0,0 +1,88 @@
Petr Lautrbach 65ba94
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
Petr Lautrbach 65ba94
+#
Petr Lautrbach 65ba94
+# This is the example configuration file for the OpenSSH
Petr Lautrbach 65ba94
+# LDAP backend
Petr Lautrbach 65ba94
+# 
Petr Lautrbach 65ba94
+# see ssh-ldap.conf(5)
Petr Lautrbach 65ba94
+#
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# URI with your LDAP server name. This allows to use
Petr Lautrbach 65ba94
+# Unix Domain Sockets to connect to a local LDAP Server.
Petr Lautrbach 65ba94
+#uri ldap://127.0.0.1/
Petr Lautrbach 65ba94
+#uri ldaps://127.0.0.1/   
Petr Lautrbach 65ba94
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
Petr Lautrbach 65ba94
+# Note: %2f encodes the '/' used as directory separator
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# Another way to specify your LDAP server is to provide an
Petr Lautrbach 65ba94
+# host name and the port of our LDAP server. Host name
Petr Lautrbach 65ba94
+# must be resolvable without using LDAP.
Petr Lautrbach 65ba94
+# Multiple hosts may be specified, each separated by a 
Petr Lautrbach 65ba94
+# space. How long nss_ldap takes to failover depends on
Petr Lautrbach 65ba94
+# whether your LDAP client library supports configurable
Petr Lautrbach 65ba94
+# network or connect timeouts (see bind_timelimit).
Petr Lautrbach 65ba94
+#host 127.0.0.1
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# The port.
Petr Lautrbach 65ba94
+# Optional: default is 389.
Petr Lautrbach 65ba94
+#port 389
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# The distinguished name to bind to the server with.
Petr Lautrbach 65ba94
+# Optional: default is to bind anonymously.
Petr Lautrbach 65ba94
+#binddn cn=openssh_keys,dc=example,dc=org
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# The credentials to bind with. 
Petr Lautrbach 65ba94
+# Optional: default is no credential.
Petr Lautrbach 65ba94
+#bindpw TopSecret
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# The distinguished name of the search base.
Petr Lautrbach 65ba94
+#base dc=example,dc=org
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# The LDAP version to use (defaults to 3
Petr Lautrbach 65ba94
+# if supported by client library)
Petr Lautrbach 65ba94
+#ldap_version 3
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# The search scope.
Petr Lautrbach 65ba94
+#scope sub
Petr Lautrbach 65ba94
+#scope one
Petr Lautrbach 65ba94
+#scope base
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# Search timelimit
Petr Lautrbach 65ba94
+#timelimit 30
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# Bind/connect timelimit
Petr Lautrbach 65ba94
+#bind_timelimit 30
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# Reconnect policy: hard (default) will retry connecting to
Petr Lautrbach 65ba94
+# the software with exponential backoff, soft will fail
Petr Lautrbach 65ba94
+# immediately.
Petr Lautrbach 65ba94
+#bind_policy hard
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# SSL setup, may be implied by URI also.
Petr Lautrbach 65ba94
+#ssl no
Petr Lautrbach 65ba94
+#ssl on
Petr Lautrbach 65ba94
+#ssl start_tls
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# OpenLDAP SSL options
Petr Lautrbach 65ba94
+# Require and verify server certificate (yes/no)
Petr Lautrbach 65ba94
+# Default is to use libldap's default behavior, which can be configured in
Petr Lautrbach 65ba94
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
Petr Lautrbach 65ba94
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
Petr Lautrbach 65ba94
+#tls_checkpeer hard
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# CA certificates for server certificate verification
Petr Lautrbach 65ba94
+# At least one of these are required if tls_checkpeer is "yes"
Petr Lautrbach 65ba94
+#tls_cacertfile /etc/ssl/ca.cert
Petr Lautrbach 65ba94
+#tls_cacertdir /etc/pki/tls/certs
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# Seed the PRNG if /dev/urandom is not provided
Petr Lautrbach 65ba94
+#tls_randfile /var/run/egd-pool
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# SSL cipher suite
Petr Lautrbach 65ba94
+# See man ciphers for syntax
Petr Lautrbach 65ba94
+#tls_ciphers TLSv1
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+# Client certificate and key
Petr Lautrbach 65ba94
+# Use these, if your server requires client authentication.
Petr Lautrbach 65ba94
+#tls_cert
Petr Lautrbach 65ba94
+#tls_key
Jan F. Chadima 69dd72
+
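Review bot: The comment `# Optional: default is 389.` does not match fill_default_options in ldapconf.c, which runs `options.port = (options.ssl == 0) ? 389 : 636;` after defaulting `ssl` to SSL_START_TLS, so a configuration that sets `host` but neither `port` nor `ssl` ends up on 636; either this comment or that default needs correcting, since StartTLS is normally negotiated on 389. The tls_checkpeer comment says `(yes/no)`, but dump_config's `_checkpeer` table names the field's values Never/Hard/Demand/Allow/TRY and the sample line `#tls_checkpeer hard` itself uses one of those, so the comment should list the actual keywords. Because this file may carry `bindpw`, a note next to it that read_config_file only rejects group/world-writable files, so the administrator must additionally keep it unreadable by others, would prevent the password leaking through a world-readable file. The references to nss_ldap and "our LDAP server" read as copied from the nss_ldap sample configuration and should be reworded for this helper.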
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c
Petr Lautrbach 8a29de
--- openssh-6.2p1/ldap-helper.c.ldap	2013-03-25 21:27:15.892248097 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ldap-helper.c	2013-03-25 21:27:15.892248097 +0100
Petr Lautrbach 65ba94
@@ -0,0 +1,155 @@
Petr Lautrbach 65ba94
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 65ba94
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 65ba94
+ * are met:
Petr Lautrbach 65ba94
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 65ba94
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 65ba94
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 65ba94
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 65ba94
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 65ba94
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 65ba94
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 65ba94
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 65ba94
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 65ba94
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 65ba94
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 65ba94
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#include "ldapincludes.h"
Petr Lautrbach 65ba94
+#include "log.h"
Petr Lautrbach 65ba94
+#include "misc.h"
Petr Lautrbach 65ba94
+#include "xmalloc.h"
Petr Lautrbach 65ba94
+#include "ldapconf.h"
Petr Lautrbach 65ba94
+#include "ldapbody.h"
Petr Lautrbach 65ba94
+#include <string.h>
Petr Lautrbach 65ba94
+#include <unistd.h>
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+static int config_debug = 0;
Petr Lautrbach 65ba94
+int config_exclusive_config_file = 0;
Petr Lautrbach 65ba94
+static char *config_file_name = "/etc/ssh/ldap.conf";
Petr Lautrbach 65ba94
+static char *config_single_user = NULL;
Petr Lautrbach 65ba94
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
Petr Lautrbach 65ba94
+int config_warning_config_file = 0;
Petr Lautrbach 65ba94
+extern char *__progname;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static void
Petr Lautrbach 65ba94
+usage(void)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 65ba94
+	fprintf(stderr, "usage: %s [options]\n",
Petr Lautrbach 65ba94
+	    __progname);
Petr Lautrbach 65ba94
+	fprintf(stderr, "Options:\n");
Petr Lautrbach 65ba94
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
Petr Lautrbach 65ba94
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
Petr Lautrbach 65ba94
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
Petr Lautrbach 65ba94
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
Petr Lautrbach 65ba94
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
Petr Lautrbach 65ba94
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
Petr Lautrbach 65ba94
+	exit(1);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Main program for the ssh pka ldap agent.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+int
Petr Lautrbach 65ba94
+main(int ac, char **av)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 65ba94
+	int opt;
Petr Lautrbach 65ba94
+	FILE *outfile = NULL;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	__progname = ssh_get_progname(av[0]);
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	/*
Petr Lautrbach 65ba94
+	 * Initialize option structure to indicate that no values have been
Petr Lautrbach 65ba94
+	 * set.
Petr Lautrbach 65ba94
+	 */
Petr Lautrbach 65ba94
+	initialize_options();
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+	/* Parse command-line arguments. */
Petr Lautrbach 65ba94
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
Petr Lautrbach 65ba94
+		switch (opt) {
Petr Lautrbach 65ba94
+		case 'd':
Petr Lautrbach 65ba94
+			config_debug = 1;
Petr Lautrbach 65ba94
+			break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+		case 'e':
Petr Lautrbach 65ba94
+			config_exclusive_config_file = 1;
Petr Lautrbach 65ba94
+			config_warning_config_file = 1;
Petr Lautrbach 65ba94
+			break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+		case 'f':
Petr Lautrbach 65ba94
+			config_file_name = optarg;
Petr Lautrbach 65ba94
+			break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+		case 's':
Petr Lautrbach 65ba94
+			config_single_user = optarg;
Petr Lautrbach 65ba94
+			outfile = fdopen (dup (fileno (stdout)), "w");
Petr Lautrbach 65ba94
+			break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+		case 'v':
Petr Lautrbach 65ba94
+			config_debug = 1;
Petr Lautrbach 65ba94
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
Petr Lautrbach 65ba94
+			    config_verbose++;
Petr Lautrbach 65ba94
+			break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+		case 'w':
Petr Lautrbach 65ba94
+			config_warning_config_file = 1;
Petr Lautrbach 65ba94
+			break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+		case '?':
Petr Lautrbach 65ba94
+		default:
Petr Lautrbach 65ba94
+			usage();
Petr Lautrbach 65ba94
+			break;
Jan F. Chadima 69dd72
+		}
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	/* Initialize loging */
Petr Lautrbach 65ba94
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if (ac != optind)
Petr Lautrbach 65ba94
+	    fatal ("illegal extra parameter %s", av[1]);
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
Petr Lautrbach 65ba94
+	if (config_debug == 0)
Petr Lautrbach 65ba94
+	    sanitise_stdfd();
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	/* Read config file */
Petr Lautrbach 65ba94
+	read_config_file(config_file_name);
Petr Lautrbach 65ba94
+	fill_default_options();
Petr Lautrbach 65ba94
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
Petr Lautrbach 65ba94
+		debug3 ("=== Configuration ===");
Petr Lautrbach 65ba94
+		dump_config();
Petr Lautrbach 65ba94
+		debug3 ("=== *** ===");
Petr Lautrbach 65ba94
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	ldap_checkconfig();
Petr Lautrbach 65ba94
+	ldap_do_connect();
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	if (config_single_user) {
Petr Lautrbach 65ba94
+		process_user (config_single_user, outfile);
Petr Lautrbach 65ba94
+	} else {
Petr Lautrbach 65ba94
+		usage();
Petr Lautrbach 65ba94
+		fatal ("Not yet implemented");
Petr Lautrbach 65ba94
+/* TODO
Petr Lautrbach 65ba94
+ * open unix socket a run the loop on it
Petr Lautrbach 65ba94
+ */
Petr Lautrbach 65ba94
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+	ldap_do_close();
Petr Lautrbach 65ba94
+	return 0;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/* Ugly hack */
Petr Lautrbach 65ba94
+void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
Petr Lautrbach 65ba94
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
Petr Lautrbach 65ba94
+
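Review bot: `fatal ("illegal extra parameter %s", av[1]);` reports the wrong argument: after getopt the first unconsumed operand is `av[optind]`, and `av[1]` may be an option that was already accepted. The `-s` branch does `outfile = fdopen (dup (fileno (stdout)), "w");` without a NULL check, so a failed dup or fdopen hands a NULL FILE to process_user; add `if (outfile == NULL) fatal("fdopen: %s", strerror(errno));`. In the else branch `fatal ("Not yet implemented")` is unreachable because usage() calls exit(1) on the line above. `config_single_user` is passed to process_user (defined elsewhere) without any validation here; if that function builds an LDAP search filter from it, the value presumably needs escaping per RFC 4515 before insertion, which is worth confirming since the name is not chosen by the administrator.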
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
Petr Lautrbach 8a29de
--- openssh-6.2p1/ldap-helper.h.ldap	2013-03-25 21:27:15.892248097 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ldap-helper.h	2013-03-25 21:27:15.892248097 +0100
Petr Lautrbach 65ba94
@@ -0,0 +1,32 @@
Petr Lautrbach 65ba94
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#ifndef LDAP_HELPER_H
Petr Lautrbach 65ba94
+#define LDAP_HELPER_H
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+extern int config_exclusive_config_file;
Petr Lautrbach 65ba94
+extern int config_warning_config_file;
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#endif /* LDAP_HELPER_H */
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
Petr Lautrbach 8a29de
--- openssh-6.2p1/ldapincludes.h.ldap	2013-03-25 21:27:15.892248097 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ldapincludes.h	2013-03-25 21:27:15.892248097 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,41 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPINCLUDES_H
Jan F. Chadima 69dd72
+#define LDAPINCLUDES_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "includes.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef HAVE_LBER_H
Jan F. Chadima 69dd72
+#include <lber.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_H
Jan F. Chadima 69dd72
+#include <ldap.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SSL_H
Jan F. Chadima 69dd72
+#include <ldap_ssl.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPINCLUDES_H */
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
Petr Lautrbach 8a29de
--- openssh-6.2p1/ldapmisc.c.ldap	2013-03-25 21:27:15.893248104 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ldapmisc.c	2013-03-25 21:27:15.893248104 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,79 @@
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+#include "ldapmisc.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef HAVE_LDAP_GET_LDERRNO
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_GET_OPTION
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	int lderrno;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 69dd72
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	lderrno = ld->ld_errno;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (s != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 69dd72
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		*s = ld->ld_error;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (m != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 69dd72
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		*m = ld->ld_matched;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return lderrno;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef HAVE_LDAP_SET_LDERRNO
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 69dd72
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	ld->ld_errno = lderrno;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (s != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 69dd72
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_error = s;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (m != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 69dd72
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_matched = m;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return LDAP_SUCCESS;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
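Review bot: ldap_get_lderrno hands back *s and *m with different ownership depending on which #if branch is compiled: the ldap_get_option(LDAP_OPT_ERROR_STRING / LDAP_OPT_MATCHED_DN) path returns copies that the caller has to release with ldap_memfree(), while the `*s = ld->ld_error;` and `*m = ld->ld_matched;` fallbacks return pointers into the LDAP handle that must not be freed. A caller cannot be correct for both builds, so one configuration leaks and the other risks a double free; the callers are not visible in this hunk. I would either strdup() in the fallback branches so the contract is uniform, or at least state it above the function: `/* On success *m and *s are allocated copies (release with ldap_memfree) when ldap_get_option() is available, otherwise pointers owned by ld. */`. The same applies to ldap_set_lderrno, where `ld->ld_error = s;` stores the caller's buffer (dropping const) instead of copying as the LDAP_OPT_ERROR_STRING path does. Also the direct `ld->ld_errno` accesses dereference a type that current OpenLDAP declares opaque, so those branches presumably only compile on older SDKs where HAVE_LDAP_GET_OPTION is unset.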
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
Petr Lautrbach 8a29de
--- openssh-6.2p1/ldapmisc.h.ldap	2013-03-25 21:27:15.893248104 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ldapmisc.h	2013-03-25 21:27:15.893248104 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,35 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPMISC_H
Jan F. Chadima 69dd72
+#define LDAPMISC_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+int ldap_get_lderrno (LDAP *, char **, char **);
Jan F. Chadima 69dd72
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPMISC_H */
Jan F. Chadima 69dd72
+
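Review bot: The prototypes for ldap_get_lderrno and ldap_set_lderrno are declared unconditionally, while ldapmisc.c only defines them under `#ifndef HAVE_LDAP_GET_LDERRNO` / `#ifndef HAVE_LDAP_SET_LDERRNO`; on an SDK that already provides them this header redeclares library functions, and if the vendor prototype differs (for example non-const `char *m, char *s` on ldap_set_lderrno) the build fails with a conflicting declaration. Wrap each prototype in the same guard as its definition, e.g. `#ifndef HAVE_LDAP_GET_LDERRNO` around `int ldap_get_lderrno (LDAP *, char **, char **);` and likewise for the setter. The `$OpenBSD: ldapbody.h` tag at the top is copied from another file and does not describe this one.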
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/Makefile.in.ldap openssh-6.2p1/Makefile.in
Petr Lautrbach 8a29de
--- openssh-6.2p1/Makefile.in.ldap	2013-03-25 21:27:15.850247822 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/Makefile.in	2013-03-25 21:27:57.356518817 +0100
Petr Lautrbach 65ba94
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
Petr Lautrbach 65ba94
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
Petr Lautrbach 65ba94
 SFTP_SERVER=$(libexecdir)/sftp-server
Petr Lautrbach 65ba94
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
Petr Lautrbach 65ba94
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
Petr Lautrbach 65ba94
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
Petr Lautrbach 65ba94
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
Petr Lautrbach 65ba94
 PRIVSEP_PATH=@PRIVSEP_PATH@
Petr Lautrbach 65ba94
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
Petr Lautrbach 8a29de
@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@
Petr Lautrbach 65ba94
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
Petr Lautrbach 65ba94
 EXEEXT=@EXEEXT@
Petr Lautrbach 65ba94
 MANFMT=@MANFMT@
Petr Lautrbach 65ba94
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
Petr Lautrbach 65ba94
 
Petr Lautrbach 65ba94
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
Petr Lautrbach 65ba94
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
Petr Lautrbach 65ba94
 
Petr Lautrbach 8a29de
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
Petr Lautrbach 8a29de
 	canohost.o channels.o cipher.o cipher-aes.o \
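Review bot: ssh-ldap-helper$(EXEEXT) is appended to TARGETS unconditionally, while installation a few hunks later is gated on `$(INSTALL_SSH_LDAP_HELPER)`; a tree configured without `--with-ldap` will therefore still try to compile ldapconf.o/ldapbody.o/ldap-helper.o and link against -lfipscheck in the default `all` target. Gate the build the same way as the install, for instance `TARGETS=... $(LDAP_HELPER_TARGET)` with `LDAP_HELPER_TARGET=@LDAP_HELPER_TARGET@` substituted by configure to `ssh-ldap-helper$(EXEEXT)` only when LDAP support is enabled (configure.ac would need the matching AC_SUBST, which this hunk does not show).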
Petr Lautrbach 8a29de
@@ -95,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
Petr Lautrbach 65ba94
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
Petr Lautrbach 65ba94
 	sandbox-seccomp-filter.o
Petr Lautrbach 65ba94
 
Petr Lautrbach 65ba94
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
Petr Lautrbach 65ba94
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
Petr Lautrbach 65ba94
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
Petr Lautrbach 65ba94
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
Petr Lautrbach 65ba94
 MANTYPE		= @MANTYPE@
Petr Lautrbach 65ba94
 
Petr Lautrbach 65ba94
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
Petr Lautrbach 8a29de
@@ -164,6 +167,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
Petr Lautrbach 65ba94
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
Petr Lautrbach 65ba94
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
Petr Lautrbach 65ba94
 
Petr Lautrbach 65ba94
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
Petr Lautrbach 65ba94
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
Petr Lautrbach 65ba94
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
Petr Lautrbach 65ba94
 
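Review bot: The ssh-ldap-helper link rule hard-codes `-lfipscheck` instead of taking it from a configure-substituted variable, so `--with-ldap` builds fail on any system that does not ship libfipscheck, and nothing visible in configure checks for it. The sibling rule for ssh-pkcs11-helper also repeats `-lssh -lopenbsd-compat` twice to resolve the circular dependency between the two archives; the new rule lists them once, which may leave unresolved symbols under a single-pass linker. Suggested: `$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBFIPSCHECK) $(LIBS)` with `LIBFIPSCHECK=@LIBFIPSCHECK@` set from configure.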
Petr Lautrbach 8a29de
@@ -266,6 +272,10 @@ install-files:
Petr Lautrbach 65ba94
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
Petr Lautrbach 65ba94
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
Petr Lautrbach 65ba94
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
Petr Lautrbach 65ba94
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Petr Lautrbach 65ba94
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
Petr Lautrbach 65ba94
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
Petr Lautrbach 65ba94
+	fi
Petr Lautrbach 65ba94
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
Petr Lautrbach 65ba94
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Petr Lautrbach 65ba94
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
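Review bot: The install line for ssh-ldap-helper drops `$(EXEEXT)` on both the source (`ssh-ldap-helper`) and the destination (`$(DESTDIR)$(SSH_LDAP_HELPER)`), whereas TARGETS builds `ssh-ldap-helper$(EXEEXT)` and the uninstall rule removes `$(SSH_LDAP_HELPER)$(EXEEXT)`, so on a platform with a non-empty EXEEXT install cannot find the binary and uninstall removes a different path. Make it `$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper$(EXEEXT) $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) ; \`. Mode 0700 is a sensible least-privilege default for a helper that reads a bind credential and is presumably run by sshd as root, but it will stop any non-root user sshd might be configured to run it as; that restriction is worth a comment here or in ssh-ldap-helper(8).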
Petr Lautrbach 8a29de
@@ -282,6 +292,10 @@ install-files:
Petr Lautrbach 65ba94
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Petr Lautrbach 65ba94
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Petr Lautrbach 65ba94
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Petr Lautrbach 65ba94
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Petr Lautrbach 65ba94
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
Petr Lautrbach 65ba94
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
Petr Lautrbach 65ba94
+	fi
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(bindir)/slogin
Petr Lautrbach 65ba94
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Petr Lautrbach 8a29de
@@ -311,6 +325,13 @@ install-sysconf:
Petr Lautrbach 65ba94
 	else \
Petr Lautrbach 65ba94
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
Petr Lautrbach 65ba94
 	fi
Petr Lautrbach 65ba94
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Petr Lautrbach 65ba94
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
Petr Lautrbach 65ba94
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
Petr Lautrbach 65ba94
+		else \
Petr Lautrbach 65ba94
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
Petr Lautrbach 65ba94
+		fi ; \
Petr Lautrbach 65ba94
+	fi
Petr Lautrbach 65ba94
 
Petr Lautrbach 65ba94
 host-key: ssh-keygen$(EXEEXT)
Petr Lautrbach 65ba94
 	@if [ -z "$(DESTDIR)" ] ; then \
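Review bot: The shipped `ldap.conf` is installed with mode 644, yet the ssh-ldap.conf(5) page in this same patch documents a `BindPW` keyword for storing the directory bind password in that file; with a world-readable config, any local user can read the credential the helper binds with. Install it as `$(INSTALL) -m 600 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf;` (the helper itself is installed 0700, so nothing unprivileged needs to read it), or at minimum state in ssh-ldap.conf(5) that the file must be unreadable to others whenever BindPW is set. The existing-file check correctly avoids clobbering an admin's configuration, but it will also silently keep a 644 file from an earlier install.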
Petr Lautrbach 8a29de
@@ -368,6 +389,8 @@ uninstall:
Petr Lautrbach 65ba94
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
Petr Lautrbach 65ba94
+	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
Petr Lautrbach 65ba94
+	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
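Review bot: The uninstall rule removes `$(SSH_LDAP_WRAPPER)$(EXEEXT)`, but the wrapper is a script that install-files copies to `$(DESTDIR)$(SSH_LDAP_WRAPPER)` without `$(EXEEXT)`; on a platform with a non-empty EXEEXT the installed wrapper is left behind. Use `-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)` here and keep `$(EXEEXT)` only on the compiled helper.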
Petr Lautrbach 8a29de
@@ -379,6 +402,7 @@ uninstall:
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Petr Lautrbach 65ba94
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
Petr Lautrbach 65ba94
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Petr Lautrbach 65ba94
 
Petr Lautrbach 8a29de
 regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
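Review bot: uninstall removes ssh-ldap-helper.8 but not the ssh-ldap.conf.5 page that install-files adds under `$(mansubdir)5`, so `make uninstall` leaves the configuration man page behind. Add `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5` next to the new line.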
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
Petr Lautrbach 8a29de
--- openssh-6.2p1/openssh-lpk-openldap.schema.ldap	2013-03-25 21:27:15.894248110 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/openssh-lpk-openldap.schema	2013-03-25 21:27:15.894248110 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,21 @@
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 69dd72
+#                              useful with PKA-LDAP also
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# Based on the proposal of : Mark Ruijter
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# octetString SYNTAX
Jan F. Chadima 69dd72
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 69dd72
+	EQUALITY octetStringMatch
Jan F. Chadima 69dd72
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# printableString SYNTAX yes|no
Jan F. Chadima 69dd72
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 69dd72
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 69dd72
+	)
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun.schema
Petr Lautrbach 8a29de
--- openssh-6.2p1/openssh-lpk-sun.schema.ldap	2013-03-25 21:27:15.894248110 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/openssh-lpk-sun.schema	2013-03-25 21:27:15.894248110 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,23 @@
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 69dd72
+#                              useful with PKA-LDAP also
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# Schema for Sun Directory Server.
Jan F. Chadima 69dd72
+# Based on the original schema, modified by Stefan Fischer.
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+dn: cn=schema
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# octetString SYNTAX
Jan F. Chadima 69dd72
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 69dd72
+	EQUALITY octetStringMatch
Jan F. Chadima 69dd72
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# printableString SYNTAX yes|no
Jan F. Chadima 69dd72
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 69dd72
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 69dd72
+	)
Petr Lautrbach e6dbb8
diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
Petr Lautrbach e6dbb8
--- openssh-6.2p2/ssh-ldap.conf.5.ldap	2013-06-07 15:10:05.604942680 +0200
Petr Lautrbach e6dbb8
+++ openssh-6.2p2/ssh-ldap.conf.5	2013-06-07 15:10:24.928857566 +0200
Petr Lautrbach e6dbb8
@@ -0,0 +1,379 @@
Jan F. Chadima 69dd72
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" Permission to use, copy, modify, and distribute this software for any
Jan F. Chadima 69dd72
+.\" purpose with or without fee is hereby granted, provided that the above
Jan F. Chadima 69dd72
+.\" copyright notice and this permission notice appear in all copies.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
Jan F. Chadima 69dd72
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
Jan F. Chadima 69dd72
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
Jan F. Chadima 69dd72
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
Jan F. Chadima 69dd72
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
Jan F. Chadima 69dd72
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
Jan F. Chadima 69dd72
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.Dd $Mdocdate: may 12 2010 $
Jan F. Chadima 69dd72
+.Dt SSH-LDAP.CONF 5
Jan F. Chadima 69dd72
+.Os
Jan F. Chadima 69dd72
+.Sh NAME
Jan F. Chadima 69dd72
+.Nm ssh-ldap.conf
Jan F. Chadima 69dd72
+.Nd configuration file for ssh-ldap-helper
Jan F. Chadima 69dd72
+.Sh SYNOPSIS
Jan F. Chadima 69dd72
+.Nm /etc/ssh/ldap.conf
Jan F. Chadima 69dd72
+.Sh DESCRIPTION
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+reads configuration data from
Jan F. Chadima 69dd72
+.Pa /etc/ssh/ldap.conf
Jan F. Chadima 69dd72
+(or the file specified with
Jan F. Chadima 69dd72
+.Fl f
Jan F. Chadima 69dd72
+on the command line).
Jan F. Chadima 69dd72
+The file contains keyword-argument pairs, one per line.
Jan F. Chadima 69dd72
+Lines starting with
Jan F. Chadima 69dd72
+.Ql #
Jan F. Chadima 69dd72
+and empty lines are interpreted as comments.
Jan F. Chadima 69dd72
+.Pp
Jan F. Chadima 69dd72
+The value starts with the first non-blank character after 
Jan F. Chadima 69dd72
+the keyword's name, and terminates at the end of the line, 
Jan F. Chadima 69dd72
+or at the last sequence of blanks before the end of the line.
Jan F. Chadima 69dd72
+Quoting values that contain blanks 
Jan F. Chadima 69dd72
+may be incorrect, as the quotes would become part of the value.
Jan F. Chadima 69dd72
+The possible keywords and their meanings are as follows (note that
Jan F. Chadima 69dd72
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
Jan F. Chadima 69dd72
+.Bl -tag -width Ds
Jan F. Chadima 69dd72
+.It Cm URI
Jan F. Chadima 69dd72
+The argument(s) are in the form
Jan F. Chadima 69dd72
+.Pa ldap[si]://[name[:port]]
Jan F. Chadima 69dd72
+and specify the URI(s) of an LDAP server(s) to which the
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8 
Jan F. Chadima 69dd72
+should connect. The URI scheme may be any of
Jan F. Chadima 69dd72
+.Dq ldap ,
Jan F. Chadima 69dd72
+.Dq ldaps 
Jan F. Chadima 69dd72
+or
Jan F. Chadima 69dd72
+.Dq ldapi ,
Jan F. Chadima 69dd72
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
Jan F. Chadima 69dd72
+over IPC (UNIX domain sockets), respectively.
Jan F. Chadima 69dd72
+Each server's name can be specified as a
Jan F. Chadima 69dd72
+domain-style name or an IP address literal.  Optionally, the
Jan F. Chadima 69dd72
+server's name can followed by a ':' and the port number the LDAP
Jan F. Chadima 69dd72
+server is listening on.  If no port number is provided, the default
Jan F. Chadima 69dd72
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
Jan F. Chadima 69dd72
+For LDAP over IPC, name is the name of the socket, and no port
Jan F. Chadima 69dd72
+is required, nor allowed; note that directory separators must be 
Jan F. Chadima 69dd72
+URL-encoded, like any other characters that are special to URLs; 
Jan F. Chadima 69dd72
+A space separated list of URIs may be provided.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm Base
Jan F. Chadima 69dd72
+Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
Jan F. Chadima 69dd72
+The base must be specified as a DN in LDAP format.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm BindDN
Jan F. Chadima 69dd72
+Specifies the default BIND DN to use when connecting to the ldap server.
Jan F. Chadima 69dd72
+The bind DN must be specified as a Distinguished Name in LDAP format.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm BindPW
Jan F. Chadima 69dd72
+Specifies the default password to use when connecting to the ldap server via
Jan F. Chadima 69dd72
+.Cm BindDN .
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm RootBindDN
Jan F. Chadima 69dd72
+Intentionaly does nothing. Recognized for compatibility reasons.
Jan F. Chadima 69dd72
+.It Cm Host
Jan F. Chadima 69dd72
+The argument(s) specifies the name(s) of an LDAP server(s) to which the
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+should connect.  Each server's name can be specified as a
Jan F. Chadima 69dd72
+domain-style name or an IP address and optionally followed by a ':' and
Jan F. Chadima 69dd72
+the port number the ldap server is listening on.  A space-separated
Jan F. Chadima 69dd72
+list of hosts may be provided.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.Cm Host
Jan F. Chadima 69dd72
+is deprecated in favor of
Jan F. Chadima 69dd72
+.Cm URI .
Jan F. Chadima 69dd72
+.It Cm Port
Jan F. Chadima 69dd72
+Specifies the default port used when connecting to LDAP servers(s).
Jan F. Chadima 69dd72
+The port may be specified as a number.
Jan F. Chadima 69dd72
+The default port is 389 for ldap:// or 636 for ldaps:// respectively.
Jan F. Chadima 69dd72
+.Cm Port
Jan F. Chadima 69dd72
+is deprecated in favor of
Jan F. Chadima 69dd72
+.Cm URI .
Jan F. Chadima 69dd72
+.It Cm Scope
Jan F. Chadima 69dd72
+Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
Jan F. Chadima 69dd72
+There are three options (values) that can be assigned to the
Jan F. Chadima 69dd72
+.Cm Scope parameter:
Jan F. Chadima 69dd72
+.Dq base ,
Jan F. Chadima 69dd72
+.Dq one
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq subtree .
Jan F. Chadima 69dd72
+Alias for the subtree is
Jan F. Chadima 69dd72
+.Dq sub .
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq base
Jan F. Chadima 69dd72
+is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq one
Jan F. Chadima 69dd72
+is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq subtree
Jan F. Chadima 69dd72
+is used to indicate searching of all entries at all levels under and including the specified base DN.
Jan F. Chadima 69dd72
+The default is
Jan F. Chadima 69dd72
+.Dq subtree .
Jan F. Chadima 69dd72
+.It Cm Deref
Jan F. Chadima 69dd72
+Specifies how alias dereferencing is done when performing a search. There are four
Jan F. Chadima 69dd72
+possible values that can be assigned to the
Jan F. Chadima 69dd72
+.Cm Deref
Jan F. Chadima 69dd72
+parameter:
Jan F. Chadima 69dd72
+.Dq never ,
Jan F. Chadima 69dd72
+.Dq searching ,
Jan F. Chadima 69dd72
+.Dq finding ,
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq always .
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq never
Jan F. Chadima 69dd72
+means that the aliases are never dereferenced.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq searching
Jan F. Chadima 69dd72
+means that the aliases are dereferenced in subordinates of the base object, but
Jan F. Chadima 69dd72
+not in locating the base object of the search.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq finding
Jan F. Chadima 69dd72
+means that the aliases are only dereferenced when locating the base object of the search.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq always
Jan F. Chadima 69dd72
+means that the aliases are dereferenced both in searching and in locating the base object
Jan F. Chadima 69dd72
+of the search.
Jan F. Chadima 69dd72
+The default is
Jan F. Chadima 69dd72
+.Dq never .
Jan F. Chadima 69dd72
+.It Cm TimeLimit
Jan F. Chadima 69dd72
+Specifies a time limit (in seconds) to use when performing searches.
Jan F. Chadima 69dd72
+The number should be a non-negative integer. A
Jan F. Chadima 69dd72
+.Cm TimeLimit
Jan F. Chadima 69dd72
+of zero (0) specifies that the search time is unlimited. Please note that the server
Jan F. Chadima 69dd72
+may still apply any server-side limit on the duration of a search operation.
Jan F. Chadima 69dd72
+The default value is 10.
Jan F. Chadima 69dd72
+.It Cm TimeOut
Jan F. Chadima 69dd72
+Is an aliast to
Jan F. Chadima 69dd72
+.Cm TimeLimit .
Jan F. Chadima 69dd72
+.It Cm Bind_TimeLimit
Jan F. Chadima 69dd72
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
Jan F. Chadima 69dd72
+following a connect(2) returns in case of no activity.
Jan F. Chadima 69dd72
+The default value is 10.
Jan F. Chadima 69dd72
+.It Cm Network_TimeOut
Jan F. Chadima 69dd72
+Is an alias to
Jan F. Chadima 69dd72
+.Cm Bind_TimeLimit .
Jan F. Chadima 69dd72
+.It Cm Ldap_Version
Jan F. Chadima 69dd72
+Specifies what version of the LDAP protocol should be used.
Jan F. Chadima 69dd72
+The allowed values are 2 or 3. The default is 3.
Jan F. Chadima 69dd72
+.It Cm Version
Jan F. Chadima 69dd72
+Is an alias to
Jan F. Chadima 69dd72
+.Cm Ldap_Version .
Jan F. Chadima 69dd72
+.It Cm Bind_Policy
Jan F. Chadima 69dd72
+Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
Jan F. Chadima 69dd72
+.Dq hard
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq soft.
Jan F. Chadima 69dd72
+.Dq hard has 2 aliases
Jan F. Chadima 69dd72
+.Dq hard_open
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq hard_init .
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq hard
Jan F. Chadima 69dd72
+means that reconects that the
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq soft
Jan F. Chadima 69dd72
+means that
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+fails immediately when it cannot connect to the LDAP seerver.
Jan F. Chadima 69dd72
+The deault is
Jan F. Chadima 69dd72
+.Dq hard .
Jan F. Chadima 69dd72
+.It Cm SSLPath
Jan F. Chadima 69dd72
+Specifies the path to the X.509 certificate database.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm SSL
Jan F. Chadima 69dd72
+Specifies whether to use SSL/TLS or not.
Jan F. Chadima 69dd72
+There are three allowed values:
Jan F. Chadima 69dd72
+.Dq yes ,
Jan F. Chadima 69dd72
+.Dq no
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq start_tls
Jan F. Chadima 69dd72
+Both
Jan F. Chadima 69dd72
+.Dq true
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq on
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq yes .
Jan F. Chadima 69dd72
+.Dq false
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq off
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+If
Jan F. Chadima 69dd72
+.Dq start_tls
Jan F. Chadima 69dd72
+is specified then StartTLS is used rather than raw LDAP over SSL.
Jan F. Chadima 69dd72
+The default for ldap:// is
Jan F. Chadima 69dd72
+.Dq start_tls ,
Jan F. Chadima 69dd72
+for ldaps://
Jan F. Chadima 69dd72
+.Dq yes
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq no
Jan F. Chadima 69dd72
+for the ldapi:// .
Jan F. Chadima 69dd72
+In case of host based configuration the default is
Jan F. Chadima 69dd72
+.Dq start_tls .
Jan F. Chadima 69dd72
+.It Cm Referrals
Jan F. Chadima 69dd72
+Specifies if the client should automatically follow referrals returned
Jan F. Chadima 69dd72
+by LDAP servers.
Jan F. Chadima 69dd72
+The value can be or
Jan F. Chadima 69dd72
+.Dq yes
Jan F. Chadima 69dd72
+or
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+.Dq true
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq on
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq yes .
Jan F. Chadima 69dd72
+.Dq false
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq off
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+The default is yes.
Jan F. Chadima 69dd72
+.It Cm Restart
Jan F. Chadima 69dd72
+Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
Jan F. Chadima 69dd72
+The value can be or
Jan F. Chadima 69dd72
+.Dq yes
Jan F. Chadima 69dd72
+or
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+.Dq true
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq on
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq yes .
Jan F. Chadima 69dd72
+.Dq false
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq off
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+The default is yes.
Jan F. Chadima 69dd72
+.It Cm TLS_CheckPeer
Jan F. Chadima 69dd72
+Specifies what checks to perform on server certificates in a TLS session,
Jan F. Chadima 69dd72
+if any. The value
Jan F. Chadima 69dd72
+can be specified as one of the following keywords:
Jan F. Chadima 69dd72
+.Dq never ,
Jan F. Chadima 69dd72
+.Dq hard ,
Jan F. Chadima 69dd72
+.Dq demand ,
Jan F. Chadima 69dd72
+.Dq allow
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq try .
Jan F. Chadima 69dd72
+.Dq true ,
Jan F. Chadima 69dd72
+.Dq on
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq yes
Jan F. Chadima 69dd72
+are aliases for
Jan F. Chadima 69dd72
+.Dq hard .
Jan F. Chadima 69dd72
+.Dq false ,
Jan F. Chadima 69dd72
+.Dq off
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq no
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq never .
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq never
Jan F. Chadima 69dd72
+means that the client will not request or check any server certificate.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq allow
Jan F. Chadima 69dd72
+means that the server certificate is requested. If no certificate is provided,
Jan F. Chadima 69dd72
+the session proceeds normally. If a bad certificate is provided, it will
Jan F. Chadima 69dd72
+be ignored and the session proceeds normally.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq try
Jan F. Chadima 69dd72
+means that the server certificate is requested. If no certificate is provided,
Jan F. Chadima 69dd72
+the session proceeds normally. If a bad certificate is provided,
Jan F. Chadima 69dd72
+the session is immediately terminated.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq demand
Jan F. Chadima 69dd72
+means that the server certificate is requested. If no
Jan F. Chadima 69dd72
+certificate is provided, or a bad certificate is provided, the session
Jan F. Chadima 69dd72
+is immediately terminated.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq hard
Jan F. Chadima 69dd72
+is the same as
Jan F. Chadima 69dd72
+.Dq demand .
Jan F. Chadima 69dd72
+It requires an SSL connection. In the case of the plain conection the
Jan F. Chadima 69dd72
+session is immediately terminated.
Jan F. Chadima 69dd72
+The default is
Jan F. Chadima 69dd72
+.Dq hard .
Jan F. Chadima 69dd72
+.It Cm TLS_ReqCert
Jan F. Chadima 69dd72
+Is an alias for 
Jan F. Chadima 69dd72
+.Cm TLS_CheckPeer .
Jan F. Chadima 69dd72
+.It Cm TLS_CACertFile
Jan F. Chadima 69dd72
+Specifies the file that contains certificates for all of the Certificate
Jan F. Chadima 69dd72
+Authorities the client will recognize.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm TLS_CACert
Jan F. Chadima 69dd72
+Is an alias for
Jan F. Chadima 69dd72
+.Cm TLS_CACertFile .
Jan F. Chadima 69dd72
+.It Cm TLS_CACertDIR
Jan F. Chadima 69dd72
+Specifies the path of a directory that contains Certificate Authority
Jan F. Chadima 69dd72
+certificates in separate individual files. The
Jan F. Chadima 69dd72
+.Cm TLS_CACert
Jan F. Chadima 69dd72
+is always used before
Jan F. Chadima 69dd72
+.Cm TLS_CACertDir .
Jan F. Chadima 69dd72
+The specified directory must be managed with the OpenSSL c_rehash utility.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm TLS_Ciphers
Jan F. Chadima 69dd72
+Specifies acceptable cipher suite and preference order.
Jan F. Chadima 69dd72
+The value should be a cipher specification for OpenSSL,
Jan F. Chadima 69dd72
+e.g.,
Jan F. Chadima 69dd72
+.Dq HIGH:MEDIUM:+SSLv2 .
Jan F. Chadima 69dd72
+The default is
Jan F. Chadima 69dd72
+.Dq ALL .
Jan F. Chadima 69dd72
+.It Cm TLS_Cipher_Suite
Jan F. Chadima 69dd72
+Is an alias for
Jan F. Chadima 69dd72
+.Cm TLS_Ciphers .
Jan F. Chadima 69dd72
+.It Cm TLS_Cert
Jan F. Chadima 69dd72
+Specifies the file that contains the client certificate.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm TLS_Certificate
Jan F. Chadima 69dd72
+Is an alias for
Jan F. Chadima 69dd72
+.Cm TLS_Cert .
Jan F. Chadima 69dd72
+.It Cm TLS_Key
Jan F. Chadima 69dd72
+Specifies the file that contains the private key that matches the certificate
Jan F. Chadima 69dd72
+stored in the
Jan F. Chadima 69dd72
+.Cm TLS_Cert
Jan F. Chadima 69dd72
+file. Currently, the private key must not be protected with a password, so
Jan F. Chadima 69dd72
+it is of critical importance that the key file is protected carefully.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm TLS_RandFile
Jan F. Chadima 69dd72
+Specifies the file to obtain random bits from when /dev/[u]random is
Jan F. Chadima 69dd72
+not available. Generally set to the name of the EGD/PRNGD socket.
Jan F. Chadima 69dd72
+The environment variable RANDFILE can also be used to specify the filename.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm LogDir
Jan F. Chadima 69dd72
+Specifies the directory used for logging by the LDAP client library.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm Debug
Jan F. Chadima 69dd72
+Specifies the debug level used for logging by the LDAP client library.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm SSH_Filter
Jan F. Chadima 69dd72
+Specifies the user filter applied on the LDAP serch.
Jan F. Chadima 69dd72
+The default is no filter.
Petr Lautrbach e6dbb8
+.It Cm AccountClass
Petr Lautrbach e6dbb8
+Specifies the LDAP class used to find user accounts.
Petr Lautrbach e6dbb8
+The default is posixAccount.
Jan F. Chadima 69dd72
+.El
Jan F. Chadima 69dd72
+.Sh FILES
Jan F. Chadima 69dd72
+.Bl -tag -width Ds
Jan F. Chadima 69dd72
+.It Pa  /etc/ssh/ldap.conf
Jan F. Chadima 69dd72
+Ldap configuration file for
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8 .
Jan F. Chadima 69dd72
+.El
Jan F. Chadima 69dd72
+.Sh "SEE ALSO"
Jan F. Chadima 69dd72
+.Xr ldap.conf 5 ,
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+.Sh HISTORY
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+first appeared in
Jan F. Chadima 69dd72
+OpenSSH 5.5 + PKA-LDAP .
Jan F. Chadima 69dd72
+.Sh AUTHORS
Jan F. Chadima 69dd72
+.An Jan F. Chadima Aq jchadima@redhat.com
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/ssh-ldap-helper.8.ldap openssh-6.2p1/ssh-ldap-helper.8
Petr Lautrbach 8a29de
--- openssh-6.2p1/ssh-ldap-helper.8.ldap	2013-03-25 21:27:15.895248117 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ssh-ldap-helper.8	2013-03-25 21:27:15.895248117 +0100
Petr Lautrbach 65ba94
@@ -0,0 +1,79 @@
Petr Lautrbach 65ba94
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
Petr Lautrbach 65ba94
+.\"
Petr Lautrbach 65ba94
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 65ba94
+.\"
Petr Lautrbach 65ba94
+.\" Permission to use, copy, modify, and distribute this software for any
Petr Lautrbach 65ba94
+.\" purpose with or without fee is hereby granted, provided that the above
Petr Lautrbach 65ba94
+.\" copyright notice and this permission notice appear in all copies.
Petr Lautrbach 65ba94
+.\"
Petr Lautrbach 65ba94
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
Petr Lautrbach 65ba94
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
Petr Lautrbach 65ba94
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
Petr Lautrbach 65ba94
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
Petr Lautrbach 65ba94
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
Petr Lautrbach 65ba94
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
Petr Lautrbach 65ba94
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Petr Lautrbach 65ba94
+.\"
Petr Lautrbach 65ba94
+.Dd $Mdocdate: April 29 2010 $
Petr Lautrbach 65ba94
+.Dt SSH-LDAP-HELPER 8
Petr Lautrbach 65ba94
+.Os
Petr Lautrbach 65ba94
+.Sh NAME
Petr Lautrbach 65ba94
+.Nm ssh-ldap-helper
Petr Lautrbach 65ba94
+.Nd sshd helper program for ldap support
Petr Lautrbach 65ba94
+.Sh SYNOPSIS
Petr Lautrbach 65ba94
+.Nm ssh-ldap-helper
Petr Lautrbach 65ba94
+.Op Fl devw
Petr Lautrbach 65ba94
+.Op Fl f Ar file
Petr Lautrbach 65ba94
+.Op Fl s Ar user
Petr Lautrbach 65ba94
+.Sh DESCRIPTION
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+is used by
Petr Lautrbach 65ba94
+.Xr sshd 1
Petr Lautrbach 65ba94
+to access keys provided by an LDAP.
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+is disabled by default and can only be enabled in the
Petr Lautrbach 65ba94
+sshd configuration file
Petr Lautrbach 65ba94
+.Pa /etc/ssh/sshd_config
Petr Lautrbach 65ba94
+by setting
Petr Lautrbach 65ba94
+.Cm AuthorizedKeysCommand
Petr Lautrbach 65ba94
+to
Petr Lautrbach 65ba94
+.Dq /usr/libexec/ssh-ldap-wrapper .
Petr Lautrbach 65ba94
+.Pp
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+is not intended to be invoked by the user, but from
Petr Lautrbach 65ba94
+.Xr sshd 8 via
Petr Lautrbach 65ba94
+.Xr ssh-ldap-wrapper .
Petr Lautrbach 65ba94
+.Pp
Petr Lautrbach 65ba94
+The options are as follows:
Petr Lautrbach 65ba94
+.Bl -tag -width Ds
Petr Lautrbach 65ba94
+.It Fl d
Petr Lautrbach 65ba94
+Set the debug mode; 
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+prints all logs to stderr instead of syslog.
Petr Lautrbach 65ba94
+.It Fl e
Petr Lautrbach 65ba94
+Implies \-w;
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+halts if it encounters an unknown item in the ldap.conf file.
Petr Lautrbach 65ba94
+.It Fl f
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
Petr Lautrbach 65ba94
+.It Fl s
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+prints out the user's keys to stdout and exits.
Petr Lautrbach 65ba94
+.It Fl v
Petr Lautrbach 65ba94
+Implies \-d;
Petr Lautrbach 65ba94
+increases verbosity.
Petr Lautrbach 65ba94
+.It Fl w
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+writes warnings about unknown items in the ldap.conf configuration file.
Petr Lautrbach 65ba94
+.El
Petr Lautrbach 65ba94
+.Sh SEE ALSO
Petr Lautrbach 65ba94
+.Xr sshd 8 ,
Petr Lautrbach 65ba94
+.Xr sshd_config 5 ,
Petr Lautrbach 65ba94
+.Xr ssh-ldap.conf 5 ,
Petr Lautrbach 65ba94
+.Sh HISTORY
Petr Lautrbach 65ba94
+.Nm
Petr Lautrbach 65ba94
+first appeared in
Petr Lautrbach 65ba94
+OpenSSH 5.5 + PKA-LDAP .
Petr Lautrbach 65ba94
+.Sh AUTHORS
Petr Lautrbach 65ba94
+.An Jan F. Chadima Aq jchadima@redhat.com
Petr Lautrbach 8a29de
diff -up openssh-6.2p1/ssh-ldap-wrapper.ldap openssh-6.2p1/ssh-ldap-wrapper
Petr Lautrbach 8a29de
--- openssh-6.2p1/ssh-ldap-wrapper.ldap	2013-03-25 21:27:15.896248124 +0100
Petr Lautrbach 8a29de
+++ openssh-6.2p1/ssh-ldap-wrapper	2013-03-25 21:27:15.896248124 +0100
Petr Lautrbach 65ba94
@@ -0,0 +1,4 @@
Petr Lautrbach 65ba94
+#!/bin/sh
Petr Lautrbach 65ba94
+
Petr Lautrbach 65ba94
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
Petr Lautrbach 65ba94
+
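Review bot: The exec line carries no comment about who runs this script or what must hold for it to be safe, even though it is the AuthorizedKeysCommand entry point that sshd invokes with the login name in `$1`; I would add a header such as `# Run by sshd as AuthorizedKeysCommand (see ssh-ldap-helper(8)); $1 is the login name.` and `# Keep this file root-owned and not group/world-writable -- sshd is expected to refuse the command otherwise; confirm against sshd_config(5) for this release.` The quoting of `"$1"` and the use of `exec` are correct, so nothing is needed there. A missing or empty argument is passed straight through as `-s ""`; if the helper does not reject that itself, a guard like `[ $# -eq 1 ] && [ -n "$1" ] || exit 1` before the exec would make the failure explicit instead of running an empty-user search. The helper path `/usr/libexec/openssh/ssh-ldap-helper` is in a different directory from the wrapper path `/usr/libexec/ssh-ldap-wrapper` given in the ssh-ldap-helper(8) text earlier in this patch; presumably intentional, but the install locations should be confirmed to agree.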