vishalmishra434 / rpms / openssh

Forked from rpms/openssh 3 months ago
Jakub Jelen 132f8f
diff -up openssh-6.8p1/HOWTO.ldap-keys.ldap openssh-6.8p1/HOWTO.ldap-keys
Jakub Jelen 132f8f
--- openssh-6.8p1/HOWTO.ldap-keys.ldap	2015-03-18 11:11:29.029801467 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/HOWTO.ldap-keys	2015-03-18 11:11:29.029801467 +0100
Jakub Jelen 474a38
@@ -0,0 +1,122 @@
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+HOW TO START
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1) configure LDAP server
Jan F. Chadima 69dd72
+  * Use LDAP server documentation
Jan F. Chadima 69dd72
+2) add appropriate LDAP schema
Jan F. Chadima 69dd72
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
Jan F. Chadima 69dd72
+  * LDAP user entry
Jan F. Chadima 69dd72
+        User entry:
Jan F. Chadima 69dd72
+	- attached to the 'ldapPublicKey' objectclass
Jan F. Chadima 69dd72
+	- attached to the 'posixAccount' objectclass
Jan F. Chadima 69dd72
+	- with a filled 'sshPublicKey' attribute 
Jan F. Chadima 69dd72
+3) insert users into LDAP
Jan F. Chadima 69dd72
+  * Use LDAP Tree management tool as useful
Jan F. Chadima 69dd72
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
Jan F. Chadima 69dd72
+  * Example:
Jan F. Chadima 69dd72
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
Jan F. Chadima 69dd72
+	objectclass: top
Jan F. Chadima 69dd72
+	objectclass: person
Jan F. Chadima 69dd72
+	objectclass: organizationalPerson
Jan F. Chadima 69dd72
+	objectclass: posixAccount
Jan F. Chadima 69dd72
+	objectclass: ldapPublicKey
Jan F. Chadima 69dd72
+	description: Jonathan Archer
Jan F. Chadima 69dd72
+	userPassword: Porthos
Jan F. Chadima 69dd72
+	cn: onathan Archer
Jan F. Chadima 69dd72
+	sn: onathan Archer
Jan F. Chadima 69dd72
+	uid: captain
Jan F. Chadima 69dd72
+	uidNumber: 1001
Jan F. Chadima 69dd72
+	gidNumber: 1001
Jan F. Chadima 69dd72
+	homeDirectory: /home/captain
Jan F. Chadima 69dd72
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
Jan F. Chadima 69dd72
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
Jan F. Chadima 69dd72
+4) on the ssh side set in sshd_config
Jan F. Chadima 69dd72
+  * Set up the backend
Petr Lautrbach f5022a
+	AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
Petr Lautrbach f5022a
+	AuthorizedKeysCommandUser <appropriate user to run LDAP>
Jan F. Chadima 69dd72
+  * Do not forget to set
Jan F. Chadima 69dd72
+	PubkeyAuthentication yes
Jan F. Chadima 69dd72
+  * Swith off unnecessary auth methods
Jan F. Chadima 69dd72
+5) confugure ldap.conf
Jan F. Chadima 69dd72
+  * Default ldap.conf is placed in /etc/ssh
Jan F. Chadima 69dd72
+  * The configuration style is the same as other ldap based aplications
Jan F. Chadima 69dd72
+6) if necessary edit ssh-ldap-wrapper
Jan F. Chadima 69dd72
+  * There is a possibility to change ldap.conf location
Jan F. Chadima 69dd72
+  * There are some debug options
Jan F. Chadima 69dd72
+  * Example
Jan F. Chadima 69dd72
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
Jakub Jelen 474a38
+7) Configure SELinux boolean which allows ldap-helper to bind ldap server
Jakub Jelen 474a38
+  Run this command
Jakub Jelen 474a38
+  # setsebool -P authlogin_nsswitch_use_ldap on
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+HOW TO MIGRATE FROM LPK
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1) goto HOW TO START 4) .... the ldap schema is the same
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+2) convert the group requests to the appropriate LDAP requests
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+HOW TO SOLVE PROBLEMS
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1) use debug in sshd
Jan F. Chadima 69dd72
+  * /usr/sbin/sshd -d -d -d -d
Jan F. Chadima 69dd72
+2) use debug in ssh-ldap-helper
Jan F. Chadima 69dd72
+  * ssh-ldap-helper -d -d -d -d -s <username>
Jan F. Chadima 69dd72
+3) use tcpdump ... other ldap client etc.
Jan F. Chadima 69dd72
+
Jakub Jelen 3bc8b8
+HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
Jakub Jelen 3bc8b8
+
Jakub Jelen 3bc8b8
+You can adjust search format string in /etc/ldap.conf using
Jakub Jelen 3bc8b8
+ 1) SSH_Filter option to limit results for only specified users
Jakub Jelen 3bc8b8
+    (this appends search condition after original query)
Jakub Jelen 3bc8b8
+ 2) Search_Format option to define your own search string using expansion
Jakub Jelen 3bc8b8
+    characters %u for username, %c for objectclass and %f for above mentioned filter.
Jakub Jelen 3bc8b8
+
Jakub Jelen 3bc8b8
+Example:
Jakub Jelen 3bc8b8
+Search_Format (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
Jakub Jelen 3bc8b8
+
Jan F. Chadima 69dd72
+ADVANTAGES
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+DISADVANTAGES
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
Jan F. Chadima 69dd72
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
Jan F. Chadima 69dd72
+  of your users in all your server farm -- be VERY CAREFUL.
Jan F. Chadima 69dd72
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
Jan F. Chadima 69dd72
+  as the impersonated user.
Jan F. Chadima 69dd72
+3) If LDAP server is down there may be no fallback on passwd auth.
Jan F. Chadima 69dd72
+  
Jan F. Chadima 69dd72
+MISC.
Jan F. Chadima 69dd72
+  
Jan F. Chadima 69dd72
+1) todo
Jan F. Chadima 69dd72
+  * Possibility to reuse the ssh-ldap-helper.
Jan F. Chadima 69dd72
+  * Tune the LDAP part to accept  all possible LDAP configurations.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+2) differences from original lpk
Jan F. Chadima 69dd72
+  * No LDAP code in sshd.
Jan F. Chadima 69dd72
+  * Support for various LDAP platforms and configurations.
Jan F. Chadima 69dd72
+  * LDAP is configured in separate ldap.conf file.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+3) docs/link 
Jan F. Chadima 69dd72
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
Jan F. Chadima 69dd72
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
Jan F. Chadima 69dd72
+  * http://fritz.potsdam.edu/projects/sshgate/
Jan F. Chadima 69dd72
+  * http://dev.inversepath.com/trac/openssh-lpk
Jan F. Chadima 69dd72
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+4) contributors/ideas/greets
Jan F. Chadima 69dd72
+  - Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+  - Andrea Barisani <andrea@inversepath.com>
Jan F. Chadima 69dd72
+  - Falk Siemonsmeier.
Jan F. Chadima 69dd72
+  - Jacob Rief.
Jan F. Chadima 69dd72
+  - Michael Durchgraf.
Jan F. Chadima 69dd72
+  - frederic peters.
Jan F. Chadima 69dd72
+  - Finlay dobbie.
Jan F. Chadima 69dd72
+  - Stefan Fisher.
Jan F. Chadima 69dd72
+  - Robin H. Johnson.
Jan F. Chadima 69dd72
+  - Adrian Bridgett.
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+5) Author
Jan F. Chadima 69dd72
+    Jan F. Chadima <jchadima@redhat.com>
Jan F. Chadima 69dd72
+
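Review bot: the examples in step 3) and step 6) contain errors that readers will copy verbatim. `sshPublicKey: ssh-rss AAAAB3....` should read `ssh-rsa` (sshd matches the key-type string, so a `ssh-rss` line is never accepted), `cn: onathan Archer` and `sn: onathan Archer` have lost the leading `J`, and the step 6) example runs the directory `/usr/libexec/openssh -s -f /etc/ldap.conf -w -d` instead of `/usr/libexec/openssh/ssh-ldap-helper`. The file is also inconsistent about where the configuration lives: step 5) says the default is in `/etc/ssh`, while step 6) and the `HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA` section use `/etc/ldap.conf`; the default compiled into ldap-helper.c is `/etc/ssh/ldap.conf`, so say that everywhere. Minor spelling: `Swith`, `confugure`, `aplications`, `additionnal`, `an user`.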
Jakub Jelen 132f8f
diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
Jakub Jelen 132f8f
--- openssh-6.8p1/Makefile.in.ldap	2015-03-17 06:49:20.000000000 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/Makefile.in	2015-03-18 11:13:10.147561177 +0100
Petr Lautrbach 94c6f8
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
Petr Lautrbach 94c6f8
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
Petr Lautrbach 94c6f8
 SFTP_SERVER=$(libexecdir)/sftp-server
Petr Lautrbach 94c6f8
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
Petr Lautrbach 94c6f8
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
Petr Lautrbach 94c6f8
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
Petr Lautrbach 94c6f8
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
Petr Lautrbach 94c6f8
 PRIVSEP_PATH=@PRIVSEP_PATH@
Petr Lautrbach 94c6f8
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
Petr Lautrbach 190035
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
Petr Lautrbach 94c6f8
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
Petr Lautrbach 94c6f8
 EXEEXT=@EXEEXT@
Petr Lautrbach 94c6f8
 MANFMT=@MANFMT@
Petr Lautrbach 94c6f8
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
Petr Lautrbach 94c6f8
 
Petr Lautrbach 94c6f8
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
Petr Lautrbach 94c6f8
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
Petr Lautrbach 94c6f8
 
Petr Lautrbach 190035
 LIBOPENSSH_OBJS=\
Jakub Jelen 132f8f
 	ssh_api.o \
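Review bot: `ssh-ldap-helper$(EXEEXT)` is appended to `TARGETS` unconditionally, but the helper needs the LDAP headers pulled in by `ldapincludes.h` and the `-lldap`/`-llber` that configure.ac adds to `LIBS` only under `--with-ldap`, and installation is gated on `INSTALL_SSH_LDAP_HELPER`. A plain `./configure && make` without LDAP therefore fails to build the default target. Substitute the target name through a configure variable in the same way `INSTALL_SSH_LDAP_HELPER` is substituted, so the build and install rules agree.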
Jakub Jelen 132f8f
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
Jakub Jelen 13073f
 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
Jakub Jelen 13073f
 	sandbox-solaris.o
Petr Lautrbach 94c6f8
 
Petr Lautrbach 94c6f8
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
Petr Lautrbach 94c6f8
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
Petr Lautrbach 94c6f8
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
Petr Lautrbach 94c6f8
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
Petr Lautrbach 94c6f8
 MANTYPE		= @MANTYPE@
Petr Lautrbach 94c6f8
 
Petr Lautrbach 94c6f8
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
Jakub Jelen 132f8f
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
Petr Lautrbach 94c6f8
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
Petr Lautrbach 94c6f8
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
Petr Lautrbach 94c6f8
 
Jakub Jelen 132f8f
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
Jakub Jelen 132f8f
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
Jan F. Chadima 69dd72
+
Jakub Jelen 13073f
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
Jakub Jelen 13073f
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
Petr Lautrbach 94c6f8
 
Jakub Jelen 132f8f
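Review bot: the `ssh-ldap-helper$(EXEEXT)` link line adds `-lfipscheck` with no corresponding check in the configure.ac hunk, so on a host without libfipscheck the build stops at link time with an unhelpful error; add an `AC_CHECK_LIB` for it under the `--with-ldap` branch, or drop it if the helper does not call into it (ldap-helper.c in this patch does not reference fipscheck; if ldapbody.c or ldapmisc.c do, a comment here should say so). The object list `ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o` is also duplicated between the dependency line and the `$(LD)` line; put it in one variable so the two cannot drift apart.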
@@ -311,6 +317,10 @@ install-files:
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
Petr Lautrbach 94c6f8
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Petr Lautrbach 94c6f8
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
Petr Lautrbach 94c6f8
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
Petr Lautrbach 94c6f8
+	fi
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
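Review bot: the new install lines use `ssh-ldap-helper` and `$(DESTDIR)$(SSH_LDAP_HELPER)` without `$(EXEEXT)`, while the build target is `ssh-ldap-helper$(EXEEXT)` and the uninstall rule later removes `$(SSH_LDAP_HELPER)$(EXEEXT)` and `$(SSH_LDAP_WRAPPER)$(EXEEXT)`; on a platform with a non-empty `EXEEXT` the install step will not find the binary and the uninstall step will remove the wrong name. Mode `0700` (versus `0755` for `ssh-pkcs11-helper`) also deserves a comment: the HOWTO configures the wrapper as `AuthorizedKeysCommand` run as `AuthorizedKeysCommandUser`, and with 0700 only the file owner can execute it, so unless that user is root sshd cannot run the wrapper. Either document that the packaging adjusts ownership and mode, or install the two files 0755 like the other helpers.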
Jakub Jelen 132f8f
@@ -327,6 +337,10 @@ install-files:
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Petr Lautrbach 94c6f8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Petr Lautrbach 94c6f8
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Petr Lautrbach 94c6f8
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
Petr Lautrbach 94c6f8
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
Petr Lautrbach 94c6f8
+	fi
Jakub Jelen 13073f
 
Jakub Jelen 13073f
 install-sysconf:
Jakub Jelen 13073f
 	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
Jakub Jelen 132f8f
@@ -356,6 +370,13 @@ install-sysconf:
Petr Lautrbach 94c6f8
 	else \
Petr Lautrbach 94c6f8
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
Petr Lautrbach 94c6f8
 	fi
Petr Lautrbach 94c6f8
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Petr Lautrbach 94c6f8
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
Petr Lautrbach 94c6f8
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
Petr Lautrbach 94c6f8
+		else \
Petr Lautrbach 94c6f8
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
Petr Lautrbach 94c6f8
+		fi ; \
Petr Lautrbach 94c6f8
+	fi
Petr Lautrbach 94c6f8
 
Petr Lautrbach 94c6f8
 host-key: ssh-keygen$(EXEEXT)
Petr Lautrbach 94c6f8
 	@if [ -z "$(DESTDIR)" ] ; then \
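Review bot: `ldap.conf` is installed mode `644` into `$(sysconfdir)`, and this is the file that carries the bind DN (see the `distinguished name to bind to the server with` comment in the shipped ldap.conf). If an administrator ever adds a bind credential there it becomes world-readable on the host. Since the helper runs as `AuthorizedKeysCommandUser`, installing it `0640`, root-owned with that user's group, keeps the lookup working while closing the exposure; at minimum the HOWTO should tell admins to tighten the mode when adding credentials.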
Jakub Jelen 132f8f
@@ -419,6 +440,8 @@ uninstall:
Petr Lautrbach 94c6f8
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Petr Lautrbach 94c6f8
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
Petr Lautrbach 94c6f8
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
Petr Lautrbach 94c6f8
+	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
Petr Lautrbach 94c6f8
+	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
Petr Lautrbach 94c6f8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
Petr Lautrbach 94c6f8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
Petr Lautrbach 94c6f8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
Jakub Jelen 132f8f
@@ -430,6 +453,7 @@ uninstall:
Petr Lautrbach 94c6f8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Petr Lautrbach 94c6f8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Petr Lautrbach 94c6f8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Petr Lautrbach 94c6f8
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
Petr Lautrbach 94c6f8
 
Petr Lautrbach 190035
 regress-prep:
Jakub Jelen 13073f
 	[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
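Review bot: `uninstall` removes `$(mansubdir)8/ssh-ldap-helper.8` but not `$(mansubdir)5/ssh-ldap.conf.5`, which `install-files` installs in the earlier hunk; add the matching `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5` so an uninstall leaves nothing behind.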
Jakub Jelen 132f8f
diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
Jakub Jelen 132f8f
--- openssh-6.8p1/configure.ac.ldap	2015-03-17 06:49:20.000000000 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/configure.ac	2015-03-18 11:11:29.030801464 +0100
Jakub Jelen 132f8f
@@ -1605,6 +1605,106 @@ if test "x$use_pie" != "xno"; then
Petr Lautrbach 94c6f8
 	fi
Petr Lautrbach 94c6f8
 fi
Petr Lautrbach 94c6f8
 
Petr Lautrbach 94c6f8
+# Check whether user wants LDAP support
Petr Lautrbach 94c6f8
+LDAP_MSG="no"
Petr Lautrbach 94c6f8
+INSTALL_SSH_LDAP_HELPER=""
Petr Lautrbach 94c6f8
+AC_ARG_WITH(ldap,
Petr Lautrbach 94c6f8
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
Petr Lautrbach 94c6f8
+	[
Petr Lautrbach 94c6f8
+		if test "x$withval" != "xno" ; then
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			INSTALL_SSH_LDAP_HELPER="yes"
Petr Lautrbach 94c6f8
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			if test "x$withval" != "xyes" ; then
Petr Lautrbach 94c6f8
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
Petr Lautrbach 94c6f8
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
Petr Lautrbach 94c6f8
+			fi
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
Petr Lautrbach 94c6f8
+			LDAP_MSG="yes"
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			AC_CHECK_HEADERS(lber.h)
Petr Lautrbach 94c6f8
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
Petr Lautrbach 94c6f8
+			AC_CHECK_HEADERS(ldap_ssl.h)
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			AC_ARG_WITH(ldap-lib,
Petr Lautrbach 94c6f8
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			if test -z "$with_ldap_lib"; then
Petr Lautrbach 94c6f8
+				with_ldap_lib=auto
Petr Lautrbach 94c6f8
+			fi
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
Petr Lautrbach 94c6f8
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
Petr Lautrbach 94c6f8
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
Petr Lautrbach 94c6f8
+			fi
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
Petr Lautrbach 94c6f8
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
Petr Lautrbach 94c6f8
+			fi
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
Petr Lautrbach 94c6f8
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
Petr Lautrbach 94c6f8
+				if test -z "$found_ldap_lib"; then
Petr Lautrbach 94c6f8
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
Petr Lautrbach 94c6f8
+				fi
Petr Lautrbach 94c6f8
+				if test -z "$found_ldap_lib"; then
Petr Lautrbach 94c6f8
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
Petr Lautrbach 94c6f8
+				fi
Petr Lautrbach 94c6f8
+				if test -z "$found_ldap_lib"; then
Petr Lautrbach 94c6f8
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
Petr Lautrbach 94c6f8
+				fi
Petr Lautrbach 94c6f8
+			fi
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
Petr Lautrbach 94c6f8
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
Petr Lautrbach 94c6f8
+			fi
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			if test -z "$found_ldap_lib"; then
Petr Lautrbach 94c6f8
+				AC_MSG_ERROR(could not locate a valid LDAP library)
Petr Lautrbach 94c6f8
+			fi
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			AC_MSG_CHECKING([for working LDAP support])
Petr Lautrbach 94c6f8
+			AC_TRY_COMPILE(
Petr Lautrbach 94c6f8
+				[#include <sys/types.h>
Petr Lautrbach 94c6f8
+				 #include <ldap.h>],
Petr Lautrbach 94c6f8
+				[(void)ldap_init(0, 0);],
Petr Lautrbach 94c6f8
+				[AC_MSG_RESULT(yes)],
Petr Lautrbach 94c6f8
+				[
Petr Lautrbach 94c6f8
+				    AC_MSG_RESULT(no) 
Petr Lautrbach 94c6f8
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
Petr Lautrbach 94c6f8
+				])
Petr Lautrbach 94c6f8
+			AC_CHECK_FUNCS( \
Petr Lautrbach 94c6f8
+				ldap_init \
Petr Lautrbach 94c6f8
+				ldap_get_lderrno \
Petr Lautrbach 94c6f8
+				ldap_set_lderrno \
Petr Lautrbach 94c6f8
+				ldap_parse_result \
Petr Lautrbach 94c6f8
+				ldap_memfree \
Petr Lautrbach 94c6f8
+				ldap_controls_free \
Petr Lautrbach 94c6f8
+				ldap_set_option \
Petr Lautrbach 94c6f8
+				ldap_get_option \
Petr Lautrbach 94c6f8
+				ldapssl_init \
Petr Lautrbach 94c6f8
+				ldap_start_tls_s \
Petr Lautrbach 94c6f8
+				ldap_pvt_tls_set_option \
Petr Lautrbach 94c6f8
+				ldap_initialize \
Petr Lautrbach 94c6f8
+			)
Petr Lautrbach 94c6f8
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
Petr Lautrbach 94c6f8
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
Petr Lautrbach 94c6f8
+				AC_TRY_COMPILE(
Petr Lautrbach 94c6f8
+					[#include <lber.h>
Petr Lautrbach 94c6f8
+					#include <ldap.h>],
Petr Lautrbach 94c6f8
+					[ldap_set_rebind_proc(0, 0, 0);],
Petr Lautrbach 94c6f8
+					[ac_cv_ldap_set_rebind_proc=3],
Petr Lautrbach 94c6f8
+					[ac_cv_ldap_set_rebind_proc=2])
Petr Lautrbach 94c6f8
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
Petr Lautrbach 94c6f8
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
Petr Lautrbach 94c6f8
+			)
Petr Lautrbach 94c6f8
+		fi
Petr Lautrbach 94c6f8
+	]
Petr Lautrbach 94c6f8
+)
Petr Lautrbach 94c6f8
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
 dnl    Checks for library functions. Please keep in alphabetical order
Petr Lautrbach 94c6f8
 AC_CHECK_FUNCS([ \
Petr Lautrbach 94c6f8
 	Blowfish_initstate \
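Review bot: `found_ldap_lib` is tested with `test -z` before it is ever assigned, so it inherits whatever the caller's environment holds; `found_ldap_lib=yes ./configure --with-ldap` silently skips every library probe and only fails (or not) at the later `AC_TRY_COMPILE`. Initialise it to empty next to `INSTALL_SSH_LDAP_HELPER=""`. The probes themselves use `AC_CHECK_LIB(lber, main, ...)` and `AC_CHECK_LIB(ldap, main, ...)`, which only prove that a library of that name links, not that it provides the LDAP API; probing a real symbol such as `ldap_initialize` catches a wrong `--with-ldap-lib` choice at configure time instead of at link time. `$with_ldap_lib` is unquoted inside the `test -z ... -a \( ... -o ... \)` expressions, so a value containing whitespace breaks the test; quote it. Finally, `AC_TRY_COMPILE` is obsolete in current autoconf (`AC_COMPILE_IFELSE([AC_LANG_PROGRAM(...)])` is the replacement), and `-DLDAP_DEPRECATED` opts the whole build into OpenLDAP's deprecated API surface (`ldap_init` is one such call); a comment naming which call requires it would help whoever later tries to remove it.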
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
Jakub Jelen 132f8f
--- openssh-6.8p1/ldap-helper.c.ldap	2015-03-18 11:11:29.030801464 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldap-helper.c	2015-03-18 11:11:29.030801464 +0100
Petr Lautrbach 94c6f8
@@ -0,0 +1,155 @@
Petr Lautrbach 94c6f8
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 94c6f8
+ *
Petr Lautrbach 94c6f8
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 94c6f8
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 94c6f8
+ * are met:
Petr Lautrbach 94c6f8
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 94c6f8
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 94c6f8
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 94c6f8
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 94c6f8
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 94c6f8
+ *
Petr Lautrbach 94c6f8
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 94c6f8
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 94c6f8
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 94c6f8
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 94c6f8
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 94c6f8
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 94c6f8
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 94c6f8
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 94c6f8
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 94c6f8
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 94c6f8
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#include "ldapincludes.h"
Petr Lautrbach 94c6f8
+#include "log.h"
Petr Lautrbach 94c6f8
+#include "misc.h"
Petr Lautrbach 94c6f8
+#include "xmalloc.h"
Petr Lautrbach 94c6f8
+#include "ldapconf.h"
Petr Lautrbach 94c6f8
+#include "ldapbody.h"
Petr Lautrbach 94c6f8
+#include <string.h>
Petr Lautrbach 94c6f8
+#include <unistd.h>
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+static int config_debug = 0;
Petr Lautrbach 94c6f8
+int config_exclusive_config_file = 0;
Petr Lautrbach 94c6f8
+static char *config_file_name = "/etc/ssh/ldap.conf";
Petr Lautrbach 94c6f8
+static char *config_single_user = NULL;
Petr Lautrbach 94c6f8
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
Petr Lautrbach 94c6f8
+int config_warning_config_file = 0;
Petr Lautrbach 94c6f8
+extern char *__progname;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static void
Petr Lautrbach 94c6f8
+usage(void)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	fprintf(stderr, "usage: %s [options]\n",
Petr Lautrbach 94c6f8
+	    __progname);
Petr Lautrbach 94c6f8
+	fprintf(stderr, "Options:\n");
Petr Lautrbach 94c6f8
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
Petr Lautrbach 94c6f8
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
Petr Lautrbach 94c6f8
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
Petr Lautrbach 94c6f8
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
Petr Lautrbach 94c6f8
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
Petr Lautrbach 94c6f8
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
Petr Lautrbach 94c6f8
+	exit(1);
Petr Lautrbach 94c6f8
+}
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Main program for the ssh pka ldap agent.
Petr Lautrbach 94c6f8
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+int
Petr Lautrbach 94c6f8
+main(int ac, char **av)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	int opt;
Petr Lautrbach 94c6f8
+	FILE *outfile = NULL;
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+	__progname = ssh_get_progname(av[0]);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/*
Petr Lautrbach 94c6f8
+	 * Initialize option structure to indicate that no values have been
Petr Lautrbach 94c6f8
+	 * set.
Petr Lautrbach 94c6f8
+	 */
Petr Lautrbach 94c6f8
+	initialize_options();
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+	/* Parse command-line arguments. */
Petr Lautrbach 94c6f8
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
Petr Lautrbach 94c6f8
+		switch (opt) {
Petr Lautrbach 94c6f8
+		case 'd':
Petr Lautrbach 94c6f8
+			config_debug = 1;
Petr Lautrbach 94c6f8
+			break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		case 'e':
Petr Lautrbach 94c6f8
+			config_exclusive_config_file = 1;
Petr Lautrbach 94c6f8
+			config_warning_config_file = 1;
Petr Lautrbach 94c6f8
+			break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		case 'f':
Petr Lautrbach 94c6f8
+			config_file_name = optarg;
Petr Lautrbach 94c6f8
+			break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		case 's':
Petr Lautrbach 94c6f8
+			config_single_user = optarg;
Petr Lautrbach 94c6f8
+			outfile = fdopen (dup (fileno (stdout)), "w");
Petr Lautrbach 94c6f8
+			break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		case 'v':
Petr Lautrbach 94c6f8
+			config_debug = 1;
Petr Lautrbach 94c6f8
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
Petr Lautrbach 94c6f8
+			    config_verbose++;
Petr Lautrbach 94c6f8
+			break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+		case 'w':
Petr Lautrbach 94c6f8
+			config_warning_config_file = 1;
Petr Lautrbach 94c6f8
+			break;
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+		case '?':
Petr Lautrbach 94c6f8
+		default:
Petr Lautrbach 94c6f8
+			usage();
Petr Lautrbach 94c6f8
+			break;
Petr Lautrbach 94c6f8
+		}
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/* Initialize loging */
Petr Lautrbach 94c6f8
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	if (ac != optind)
Petr Lautrbach 94c6f8
+	    fatal ("illegal extra parameter %s", av[1]);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
Petr Lautrbach 94c6f8
+	if (config_debug == 0)
Petr Lautrbach 94c6f8
+	    sanitise_stdfd();
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/* Read config file */
Petr Lautrbach 94c6f8
+	read_config_file(config_file_name);
Petr Lautrbach 94c6f8
+	fill_default_options();
Petr Lautrbach 94c6f8
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
Petr Lautrbach 94c6f8
+		debug3 ("=== Configuration ===");
Petr Lautrbach 94c6f8
+		dump_config();
Petr Lautrbach 94c6f8
+		debug3 ("=== *** ===");
Petr Lautrbach 94c6f8
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	ldap_checkconfig();
Petr Lautrbach 94c6f8
+	ldap_do_connect();
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	if (config_single_user) {
Petr Lautrbach 94c6f8
+		process_user (config_single_user, outfile);
Petr Lautrbach 94c6f8
+	} else {
Petr Lautrbach 94c6f8
+		usage();
Petr Lautrbach 94c6f8
+		fatal ("Not yet implemented");
Petr Lautrbach 94c6f8
+/* TODO
Petr Lautrbach 94c6f8
+ * open unix socket a run the loop on it
Petr Lautrbach 94c6f8
+ */
Petr Lautrbach 65ba94
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	ldap_do_close();
Petr Lautrbach 94c6f8
+	return 0;
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+/* Ugly hack */
Petr Lautrbach 94c6f8
+void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
Petr Lautrbach 94c6f8
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
Petr Lautrbach 65ba94
+
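Review bot: `fatal ("illegal extra parameter %s", av[1])` reports the wrong argument: after `getopt` the first non-option argument is `av[optind]`, and `av[1]` is usually one of the options just parsed (`ssh-ldap-helper -d extra` would complain about `-d`). In the `-s` case, `fdopen (dup (fileno (stdout)), "w")` is not checked for NULL before `outfile` is handed to `process_user`, and a repeated `-s` leaks the first duplicated descriptor; check the result and reject a second `-s`. The `fatal ("Not yet implemented")` after `usage()` is unreachable because `usage()` calls `exit(1)`, so the TODO comment should sit on the `usage()` call. Typos in user-visible text: `Do not demonize` -> `daemonize`, `Initialize loging` -> `logging`. The `/* Ugly hack */` stubs make `buffer_get_string` return NULL and `buffer_put_string` do nothing; if they exist only to satisfy the linker, say so in the comment and confirm nothing reachable from `process_user` calls them, since a caller would dereference NULL.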
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h
Jakub Jelen 132f8f
--- openssh-6.8p1/ldap-helper.h.ldap	2015-03-18 11:11:29.031801462 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldap-helper.h	2015-03-18 11:11:29.031801462 +0100
Petr Lautrbach 94c6f8
@@ -0,0 +1,32 @@
Petr Lautrbach 94c6f8
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 65ba94
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 65ba94
+ * are met:
Petr Lautrbach 65ba94
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 65ba94
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 65ba94
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 65ba94
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 65ba94
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 65ba94
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 65ba94
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 65ba94
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 65ba94
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 65ba94
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 65ba94
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 65ba94
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#ifndef LDAP_HELPER_H
Petr Lautrbach 94c6f8
+#define LDAP_HELPER_H
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+extern int config_exclusive_config_file;
Petr Lautrbach 94c6f8
+extern int config_warning_config_file;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+#endif /* LDAP_HELPER_H */
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldap.conf.ldap openssh-6.8p1/ldap.conf
Jakub Jelen 132f8f
--- openssh-6.8p1/ldap.conf.ldap	2015-03-18 11:11:29.031801462 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldap.conf	2015-03-18 11:11:29.031801462 +0100
Jakub Jelen 3bc8b8
@@ -0,0 +1,95 @@
Petr Lautrbach 94c6f8
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
Petr Lautrbach 94c6f8
+#
Petr Lautrbach 94c6f8
+# This is the example configuration file for the OpenSSH
Petr Lautrbach 94c6f8
+# LDAP backend
Petr Lautrbach 94c6f8
+# 
Petr Lautrbach 94c6f8
+# see ssh-ldap.conf(5)
Petr Lautrbach 94c6f8
+#
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# URI with your LDAP server name. This allows to use
Petr Lautrbach 94c6f8
+# Unix Domain Sockets to connect to a local LDAP Server.
Petr Lautrbach 94c6f8
+#uri ldap://127.0.0.1/
Petr Lautrbach 94c6f8
+#uri ldaps://127.0.0.1/   
Petr Lautrbach 94c6f8
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
Petr Lautrbach 94c6f8
+# Note: %2f encodes the '/' used as directory separator
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# Another way to specify your LDAP server is to provide an
Petr Lautrbach 94c6f8
+# host name and the port of our LDAP server. Host name
Petr Lautrbach 94c6f8
+# must be resolvable without using LDAP.
Petr Lautrbach 94c6f8
+# Multiple hosts may be specified, each separated by a 
Petr Lautrbach 94c6f8
+# space. How long nss_ldap takes to failover depends on
Petr Lautrbach 94c6f8
+# whether your LDAP client library supports configurable
Petr Lautrbach 94c6f8
+# network or connect timeouts (see bind_timelimit).
Petr Lautrbach 94c6f8
+#host 127.0.0.1
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# The port.
Petr Lautrbach 94c6f8
+# Optional: default is 389.
Petr Lautrbach 94c6f8
+#port 389
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# The distinguished name to bind to the server with.
Petr Lautrbach 94c6f8
+# Optional: default is to bind anonymously.
Petr Lautrbach 94c6f8
+#binddn cn=openssh_keys,dc=example,dc=org
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# The credentials to bind with. 
Petr Lautrbach 94c6f8
+# Optional: default is no credential.
Petr Lautrbach 94c6f8
+#bindpw TopSecret
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# The distinguished name of the search base.
Petr Lautrbach 94c6f8
+#base dc=example,dc=org
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# The LDAP version to use (defaults to 3
Petr Lautrbach 94c6f8
+# if supported by client library)
Petr Lautrbach 94c6f8
+#ldap_version 3
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# The search scope.
Petr Lautrbach 94c6f8
+#scope sub
Petr Lautrbach 94c6f8
+#scope one
Petr Lautrbach 94c6f8
+#scope base
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# Search timelimit
Petr Lautrbach 94c6f8
+#timelimit 30
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# Bind/connect timelimit
Petr Lautrbach 94c6f8
+#bind_timelimit 30
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+# Reconnect policy: hard (default) will retry connecting to
Petr Lautrbach 94c6f8
+# the software with exponential backoff, soft will fail
Petr Lautrbach 94c6f8
+# immediately.
Petr Lautrbach 94c6f8
+#bind_policy hard
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+# SSL setup, may be implied by URI also.
Petr Lautrbach 94c6f8
+#ssl no
Petr Lautrbach 94c6f8
+#ssl on
Petr Lautrbach 94c6f8
+#ssl start_tls
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+# OpenLDAP SSL options
Petr Lautrbach 94c6f8
+# Require and verify server certificate (yes/no)
Petr Lautrbach 94c6f8
+# Default is to use libldap's default behavior, which can be configured in
Petr Lautrbach 94c6f8
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
Petr Lautrbach 94c6f8
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
Petr Lautrbach 94c6f8
+#tls_checkpeer hard
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+# CA certificates for server certificate verification
Petr Lautrbach 94c6f8
+# At least one of these are required if tls_checkpeer is "yes"
Petr Lautrbach 94c6f8
+#tls_cacertfile /etc/ssl/ca.cert
Petr Lautrbach 94c6f8
+#tls_cacertdir /etc/pki/tls/certs
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# Seed the PRNG if /dev/urandom is not provided
Petr Lautrbach 94c6f8
+#tls_randfile /var/run/egd-pool
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# SSL cipher suite
Petr Lautrbach 94c6f8
+# See man ciphers for syntax
Petr Lautrbach 94c6f8
+#tls_ciphers TLSv1
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+# Client certificate and key
Petr Lautrbach 94c6f8
+# Use these, if your server requires client authentication.
Petr Lautrbach 94c6f8
+#tls_cert
Petr Lautrbach 94c6f8
+#tls_key
Petr Lautrbach 94c6f8
+
Jakub Jelen 3bc8b8
+# OpenLDAP search_format
Jakub Jelen 3bc8b8
+# format used to search for users in LDAP directory using substitution
Jakub Jelen 3bc8b8
+# for %u for user name and %f for SSH_Filter option (optional, empty by default)
Jakub Jelen 3bc8b8
+#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
Jakub Jelen 3bc8b8
+
Jakub Jelen 3bc8b8
+#AccountClass posixAccount
Jakub Jelen 3bc8b8
+
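Review bot: the documented value set for tls_checkpeer does not match its example: the comment says "Require and verify server certificate (yes/no)" but the sample line is `#tls_checkpeer hard`; either document the accepted keywords (including whatever "hard" maps to) or change the example to `yes`. Same file, search_format: the comment documents only `%u` and `%f`, yet the default filter `(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)` also uses `%c`, and the `#AccountClass posixAccount` line that feeds it has no comment at all; please describe `%c`/AccountClass next to search_format. Smaller wording points: "retry connecting to the software" in the bind_policy comment should read "the server", "At least one of these are required" should be "is required", and the "How long nss_ldap takes to failover" sentence was copied from nss_ldap and is not about this backend. Since bindpw is stored in cleartext (`#bindpw TopSecret`), the header comment or ssh-ldap.conf(5) should state that this file must not be world-readable.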
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
Jakub Jelen 132f8f
--- openssh-6.8p1/ldapbody.c.ldap	2015-03-18 11:11:29.031801462 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldapbody.c	2015-03-18 11:11:29.031801462 +0100
Jakub Jelen 3bc8b8
@@ -0,0 +1,493 @@
Petr Lautrbach 94c6f8
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 65ba94
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 65ba94
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 65ba94
+ * are met:
Petr Lautrbach 65ba94
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 65ba94
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 65ba94
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 65ba94
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 65ba94
+ *
Petr Lautrbach 65ba94
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 65ba94
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 65ba94
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 65ba94
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 65ba94
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 65ba94
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 65ba94
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 65ba94
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 65ba94
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 65ba94
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+#include "ldapincludes.h"
Petr Lautrbach 65ba94
+#include "log.h"
Petr Lautrbach 65ba94
+#include "xmalloc.h"
Petr Lautrbach 65ba94
+#include "ldapconf.h"
Petr Lautrbach 94c6f8
+#include "ldapmisc.h"
Petr Lautrbach 94c6f8
+#include "ldapbody.h"
Petr Lautrbach 94c6f8
+#include <stdio.h>
Petr Lautrbach 65ba94
+#include <unistd.h>
Jakub Jelen 3bc8b8
+#include "misc.h"
Jan F. Chadima 69dd72
+
Jakub Jelen 3bc8b8
+#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
Petr Lautrbach 94c6f8
+#define PUBKEYATTR "sshPublicKey"
Petr Lautrbach 94c6f8
+#define LDAP_LOGFILE	"%s/ldap.%d"
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+static FILE *logfile = NULL;
Petr Lautrbach 94c6f8
+static LDAP *ld;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+static char *attrs[] = {
Petr Lautrbach 94c6f8
+    PUBKEYATTR,
Petr Lautrbach 94c6f8
+    NULL
Petr Lautrbach 94c6f8
+};
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+void
Petr Lautrbach 94c6f8
+ldap_checkconfig (void)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+#ifdef HAVE_LDAP_INITIALIZE
Petr Lautrbach 94c6f8
+		if (options.host == NULL && options.uri == NULL)
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+		if (options.host == NULL)
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+		    fatal ("missing  \"host\" in config file");
Petr Lautrbach 94c6f8
+}
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
Petr Lautrbach 94c6f8
+static int
Petr Lautrbach 94c6f8
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	struct timeval timeout;
Petr Lautrbach 94c6f8
+	int rc;
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Petr Lautrbach 94c6f8
+	LDAPMessage *result;
Petr Lautrbach 94c6f8
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
Petr Lautrbach 94c6f8
+	if (options.ssl == SSL_START_TLS) {
Petr Lautrbach 94c6f8
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
Petr Lautrbach 94c6f8
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
Petr Lautrbach 94c6f8
+			return LDAP_OPERATIONS_ERROR;
Petr Lautrbach 94c6f8
+		}
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
Petr Lautrbach 94c6f8
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
Petr Lautrbach 94c6f8
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+	timeout.tv_sec = options.bind_timelimit;
Petr Lautrbach 94c6f8
+	timeout.tv_usec = 0;
Petr Lautrbach 94c6f8
+	result = NULL;
Petr Lautrbach 94c6f8
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Petr Lautrbach 94c6f8
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Petr Lautrbach 94c6f8
+		ldap_msgfree (result);
Petr Lautrbach 94c6f8
+		return LDAP_OPERATIONS_ERROR;
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
Petr Lautrbach 94c6f8
+	return rc;
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+}
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+static int
Petr Lautrbach 94c6f8
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	if (freeit)
Petr Lautrbach 94c6f8
+	    return LDAP_SUCCESS;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+	*whop = strdup (options.binddn);
Petr Lautrbach 94c6f8
+	*credp = strdup (options.bindpw);
Petr Lautrbach 94c6f8
+	*methodp = LDAP_AUTH_SIMPLE;
Petr Lautrbach 94c6f8
+	debug2 ("Doing LDAP rebind for %s", *whop);
Petr Lautrbach 94c6f8
+	return LDAP_SUCCESS;
Petr Lautrbach 94c6f8
+}
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+void
Petr Lautrbach 94c6f8
+ldap_do_connect(void)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	int rc, msgid, ld_errno = 0;
Petr Lautrbach 94c6f8
+	struct timeval timeout;
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Petr Lautrbach 94c6f8
+	int parserc;
Petr Lautrbach 94c6f8
+	LDAPMessage *result;
Petr Lautrbach 94c6f8
+	LDAPControl **controls;
Petr Lautrbach 94c6f8
+	int reconnect = 0;
Petr Lautrbach 94c6f8
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+	debug ("LDAP do connect");
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+retry:
Petr Lautrbach 94c6f8
+	if (reconnect) {
Petr Lautrbach 94c6f8
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
Petr Lautrbach 94c6f8
+		if (options.bind_policy == 0 ||
Petr Lautrbach 94c6f8
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
Petr Lautrbach 94c6f8
+			reconnect > 5)
Petr Lautrbach 94c6f8
+			    fatal ("Cannot connect to LDAP server");
Petr Lautrbach 94c6f8
+	
Petr Lautrbach 94c6f8
+		if (reconnect > 1)
Petr Lautrbach 94c6f8
+			sleep (reconnect - 1);
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+		if (ld != NULL) {
Petr Lautrbach 94c6f8
+			ldap_unbind (ld);
Petr Lautrbach 94c6f8
+			ld = NULL;
Petr Lautrbach 94c6f8
+		}
Petr Lautrbach 94c6f8
+		logit("reconnecting to LDAP server...");
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+	if (ld == NULL) {
Petr Lautrbach 94c6f8
+		int rc;
Petr Lautrbach 94c6f8
+		struct timeval tv;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+#ifdef HAVE_LDAP_SET_OPTION
Petr Lautrbach 94c6f8
+		if (options.debug > 0) {
Petr Lautrbach 94c6f8
+#ifdef LBER_OPT_LOG_PRINT_FILE
Petr Lautrbach 94c6f8
+			if (options.logdir) {
Petr Lautrbach 94c6f8
+				char *logfilename;
Petr Lautrbach 94c6f8
+				int logfilenamelen;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
Petr Lautrbach 94c6f8
+				logfilename = xmalloc (logfilenamelen);
Petr Lautrbach 94c6f8
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
Petr Lautrbach 94c6f8
+				logfilename[logfilenamelen - 1] = 0;
Petr Lautrbach 94c6f8
+				if ((logfile = fopen (logfilename, "a")) == NULL)
Petr Lautrbach 94c6f8
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
Petr Lautrbach 94c6f8
+				debug3 ("LDAP debug into %s", logfilename);
Petr Lautrbach 94c6f8
+				free (logfilename);
Petr Lautrbach 94c6f8
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+			if (options.debug) {
Petr Lautrbach 94c6f8
+#ifdef LBER_OPT_DEBUG_LEVEL
Petr Lautrbach 94c6f8
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
Petr Lautrbach 94c6f8
+#endif /* LBER_OPT_DEBUG_LEVEL */
Petr Lautrbach 94c6f8
+#ifdef LDAP_OPT_DEBUG_LEVEL
Petr Lautrbach 94c6f8
+				(void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
Petr Lautrbach 94c6f8
+#endif /* LDAP_OPT_DEBUG_LEVEL */
Petr Lautrbach 94c6f8
+				debug3 ("Set LDAP debug to %d", options.debug);
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+		}
Petr Lautrbach 94c6f8
+#endif /* HAVE_LDAP_SET_OPTION */
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+		ld = NULL;
Petr Lautrbach 94c6f8
+#ifdef HAVE_LDAPSSL_INIT
Petr Lautrbach 94c6f8
+		if (options.host != NULL) {
Petr Lautrbach 94c6f8
+			if (options.ssl_on == SSL_LDAPS) {
Petr Lautrbach 94c6f8
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
Petr Lautrbach 94c6f8
+				debug3 ("LDAPssl client init");
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+			if (options.ssl_on != SSL_OFF) {
Petr Lautrbach 94c6f8
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
Petr Lautrbach 94c6f8
+				    fatal ("ldapssl_init failed");
Petr Lautrbach 94c6f8
+				debug3 ("LDAPssl init");
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+		}
Petr Lautrbach 94c6f8
+#endif /* HAVE_LDAPSSL_INIT */
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+		/* continue with opening */
Petr Lautrbach 94c6f8
+		if (ld == NULL) {
Petr Lautrbach 94c6f8
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
Petr Lautrbach 94c6f8
+			/* Some global TLS-specific options need to be set before we create our
Petr Lautrbach 94c6f8
+			 * session context, so we set them here. */
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
Petr Lautrbach 94c6f8
+			/* rand file */
Petr Lautrbach 94c6f8
+			if (options.tls_randfile != NULL) {
Petr Lautrbach 94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
Petr Lautrbach 94c6f8
+				    options.tls_randfile)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
Petr Lautrbach 94c6f8
+					    ldap_err2string (rc));
Petr Lautrbach 94c6f8
+				debug3 ("Set TLS random file %s", options.tls_randfile);
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+			/* ca cert file */
Petr Lautrbach 94c6f8
+			if (options.tls_cacertfile != NULL) {
Petr Lautrbach 94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
Petr Lautrbach 94c6f8
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
Petr Lautrbach 94c6f8
+					    ldap_err2string (rc));
Petr Lautrbach 94c6f8
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+			/* ca cert directory */
Petr Lautrbach 94c6f8
+			if (options.tls_cacertdir != NULL) {
Petr Lautrbach 94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
Petr Lautrbach 94c6f8
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
Petr Lautrbach 94c6f8
+					    ldap_err2string (rc));
Petr Lautrbach 94c6f8
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+			/* require cert? */
Petr Lautrbach 94c6f8
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
Petr Lautrbach 94c6f8
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
Petr Lautrbach 94c6f8
+				    ldap_err2string (rc));
Petr Lautrbach 94c6f8
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+			/* set cipher suite, certificate and private key: */
Petr Lautrbach 94c6f8
+			if (options.tls_ciphers != NULL) {
Petr Lautrbach 94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
Petr Lautrbach 94c6f8
+				    options.tls_ciphers)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
Petr Lautrbach 94c6f8
+					    ldap_err2string (rc));
Petr Lautrbach 94c6f8
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
Petr Lautrbach 94c6f8
+			}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			/* cert file */
Petr Lautrbach 94c6f8
+			if (options.tls_cert != NULL) {
Petr Lautrbach 94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
Petr Lautrbach 94c6f8
+				    options.tls_cert)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
Petr Lautrbach 94c6f8
+					    ldap_err2string (rc));
Petr Lautrbach 94c6f8
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
Petr Lautrbach 94c6f8
+			}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			/* key file */
Petr Lautrbach 94c6f8
+			if (options.tls_key != NULL) {
Petr Lautrbach 94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
Petr Lautrbach 94c6f8
+				    options.tls_key)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
Petr Lautrbach 94c6f8
+					    ldap_err2string (rc));
Petr Lautrbach 94c6f8
+				debug3 ("Set TLS key file %s ", options.tls_key);
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+#ifdef HAVE_LDAP_INITIALIZE
Petr Lautrbach 94c6f8
+			if (options.uri != NULL) {
Petr Lautrbach 94c6f8
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
Petr Lautrbach 94c6f8
+				debug3 ("LDAP initialize %s", options.uri);
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+#endif /* HAVE_LDAP_INTITIALIZE */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		/* continue with opening */
Petr Lautrbach 94c6f8
+		if ((ld == NULL) && (options.host != NULL)) {
Petr Lautrbach 94c6f8
+#ifdef HAVE_LDAP_INIT
Petr Lautrbach 94c6f8
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
Petr Lautrbach 94c6f8
+			    fatal ("ldap_init failed");
Petr Lautrbach 94c6f8
+			debug3 ("LDAP init %s:%d", options.host, options.port);
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
Petr Lautrbach 94c6f8
+			    fatal ("ldap_open failed");
Petr Lautrbach 94c6f8
+			debug3 ("LDAP open %s:%d", options.host, options.port);
Petr Lautrbach 94c6f8
+#endif /* HAVE_LDAP_INIT */
Petr Lautrbach 94c6f8
+		}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		if (ld == NULL)
Petr Lautrbach 94c6f8
+			fatal ("no way to open ldap");
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
Petr Lautrbach 94c6f8
+		if (options.ssl == SSL_LDAPS) {
Petr Lautrbach 94c6f8
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
Petr Lautrbach 94c6f8
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
Petr Lautrbach 94c6f8
+		}
Petr Lautrbach 94c6f8
+#endif /* LDAP_OPT_X_TLS */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
Petr Lautrbach 94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Petr Lautrbach 94c6f8
+		    &options.ldap_version);
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+		ld->ld_version = options.ldap_version;
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+		debug3 ("LDAP set version to %d", options.ldap_version);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#if LDAP_SET_REBIND_PROC_ARGS == 3
Petr Lautrbach 94c6f8
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
Petr Lautrbach 94c6f8
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
Petr Lautrbach 94c6f8
+		ldap_set_rebind_proc (ld, _rebind_proc);
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+		debug3 ("LDAP set rebind proc");
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
Petr Lautrbach 94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+		ld->ld_deref = options.deref;
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+		debug3 ("LDAP set deref to %d", options.deref);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
Petr Lautrbach 94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
Petr Lautrbach 94c6f8
+		    &options.timelimit);
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+		ld->ld_timelimit = options.timelimit;
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
Petr Lautrbach 94c6f8
+		/*
Petr Lautrbach 94c6f8
+		 * This is a new option in the Netscape SDK which sets 
Petr Lautrbach 94c6f8
+		 * the TCP connect timeout. For want of a better value,
Petr Lautrbach 94c6f8
+		 * we use the bind_timelimit to control this.
Petr Lautrbach 94c6f8
+		 */
Petr Lautrbach 94c6f8
+		timeout = options.bind_timelimit * 1000;
Petr Lautrbach 94c6f8
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
Petr Lautrbach 94c6f8
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 36a09e
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
Petr Lautrbach 94c6f8
+		tv.tv_sec = options.bind_timelimit;
Petr Lautrbach 94c6f8
+		tv.tv_usec = 0;
Petr Lautrbach 94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
Petr Lautrbach 94c6f8
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 36a09e
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
Petr Lautrbach 94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
Petr Lautrbach 94c6f8
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
Petr Lautrbach 94c6f8
+		debug3 ("LDAP set referrals to %d", options.referrals);
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 36a09e
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
Petr Lautrbach 94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
Petr Lautrbach 94c6f8
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
Petr Lautrbach 94c6f8
+		debug3 ("LDAP set restart to %d", options.restart);
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 36a09e
+
Petr Lautrbach 94c6f8
+#ifdef HAVE_LDAP_START_TLS_S
Petr Lautrbach 94c6f8
+		if (options.ssl == SSL_START_TLS) {
Petr Lautrbach 94c6f8
+			int version;
Petr Lautrbach 36a09e
+
Petr Lautrbach 94c6f8
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
Petr Lautrbach 94c6f8
+			    == LDAP_SUCCESS) {
Petr Lautrbach 94c6f8
+				if (version < LDAP_VERSION3) {
Petr Lautrbach 94c6f8
+					version = LDAP_VERSION3;
Petr Lautrbach 94c6f8
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Petr Lautrbach 94c6f8
+					    &version);
Petr Lautrbach 94c6f8
+					debug3 ("LDAP set version to %d", version);
Petr Lautrbach 94c6f8
+				}
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 36a09e
+
Petr Lautrbach 94c6f8
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
Petr Lautrbach 94c6f8
+			debug3 ("LDAP start TLS");
Petr Lautrbach 94c6f8
+		}
Petr Lautrbach 94c6f8
+#endif /* HAVE_LDAP_START_TLS_S */
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 36a09e
+
Petr Lautrbach 94c6f8
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
Petr Lautrbach 94c6f8
+	    options.bindpw)) == -1) {
Petr Lautrbach 94c6f8
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Petr Lautrbach 36a09e
+
Petr Lautrbach 94c6f8
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
Petr Lautrbach 94c6f8
+		reconnect++;
Petr Lautrbach 94c6f8
+		goto retry;
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+	debug3 ("LDAP simple bind (%s)", options.binddn);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	timeout.tv_sec = options.bind_timelimit;
Petr Lautrbach 94c6f8
+	timeout.tv_usec = 0;
Petr Lautrbach 94c6f8
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Petr Lautrbach 94c6f8
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		error ("ldap_result %s", ldap_err2string (ld_errno));
Petr Lautrbach 94c6f8
+		reconnect++;
Petr Lautrbach 94c6f8
+		goto retry;
Jan F. Chadima 69dd72
+	}
Petr Lautrbach 94c6f8
+	debug3 ("LDAP result in time");
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Petr Lautrbach 94c6f8
+	controls = NULL;
Petr Lautrbach 94c6f8
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
Petr Lautrbach 94c6f8
+	debug3 ("LDAP parse result OK");
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	if (controls != NULL) {
Petr Lautrbach 94c6f8
+		ldap_controls_free (controls);
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+#else
Petr Lautrbach 94c6f8
+	rc = ldap_result2error (session->ld, result, TRUE);
Petr Lautrbach 94c6f8
+#endif
Petr Lautrbach 94c6f8
+	if (rc != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+	    fatal ("error trying to bind as user \"%s\" (%s)",
Petr Lautrbach 94c6f8
+		options.binddn, ldap_err2string (rc));
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	debug2 ("LDAP do connect OK");
Petr Lautrbach 94c6f8
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+void
Petr Lautrbach 94c6f8
+process_user (const char *user, FILE *output)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	LDAPMessage *res, *e;
Jakub Jelen 3bc8b8
+	char *buffer, *format;
Jakub Jelen 3bc8b8
+	int rc, i;
Petr Lautrbach 94c6f8
+	struct timeval timeout;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	debug ("LDAP process user");
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/* quick check for attempts to be evil */
Petr Lautrbach 94c6f8
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
Petr Lautrbach 94c6f8
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
Petr Lautrbach 94c6f8
+		logit ("illegal user name %s not processed", user);
Petr Lautrbach 94c6f8
+		return;
Petr Lautrbach 94c6f8
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/* build  filter for LDAP request */
Jakub Jelen 3bc8b8
+	format = LDAPSEARCH_FORMAT;
Jakub Jelen 3bc8b8
+	if (options.search_format != NULL)
Jakub Jelen 3bc8b8
+		format = options.search_format;
Jakub Jelen 3bc8b8
+	buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	timeout.tv_sec = options.timelimit;
Petr Lautrbach 94c6f8
+	timeout.tv_usec = 0;
Petr Lautrbach 94c6f8
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
Petr Lautrbach 94c6f8
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
Petr Lautrbach 94c6f8
+		free (buffer);
Petr Lautrbach 94c6f8
+		return;
Petr Lautrbach 94c6f8
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/* free */
Petr Lautrbach 94c6f8
+	free (buffer);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
Petr Lautrbach 94c6f8
+		int num;
Petr Lautrbach 94c6f8
+		struct berval **keys;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
Petr Lautrbach 94c6f8
+		num = ldap_count_values_len(keys);
Petr Lautrbach 94c6f8
+		for (i = 0 ; i < num ; i++) {
Petr Lautrbach 94c6f8
+			char *cp; //, *options = NULL;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
Petr Lautrbach 94c6f8
+			if (!*cp || *cp == '\n' || *cp == '#')
Petr Lautrbach 94c6f8
+			    continue;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+			/* We have found the desired key. */
Petr Lautrbach 94c6f8
+			fprintf (output, "%s\n", keys[i]->bv_val);
Petr Lautrbach 94c6f8
+		}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		ldap_value_free_len(keys);
Petr Lautrbach 94c6f8
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	ldap_msgfree(res);
Petr Lautrbach 94c6f8
+	debug2 ("LDAP process user finished");
Petr Lautrbach 94c6f8
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+void
Petr Lautrbach 94c6f8
+ldap_do_close(void)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	int rc;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	debug ("LDAP do close");
Petr Lautrbach 94c6f8
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
Petr Lautrbach 94c6f8
+	    fatal ("ldap_unbind_ext: %s",
Petr Lautrbach 94c6f8
+                                    ldap_err2string (rc));
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	ld = NULL;
Petr Lautrbach 94c6f8
+	debug2 ("LDAP do close OK");
Petr Lautrbach 94c6f8
+	return;
Petr Lautrbach 94c6f8
+}
Petr Lautrbach 65ba94
+
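Review bot: In process_user each sshPublicKey value is written to output verbatim by fprintf (output, "%s\n", keys[i]->bv_val), so a value that contains an embedded newline becomes more than one authorized_keys line, and the '#'/whitespace check above only looks at the first non-blank character; reject or split values containing '\n' or '\r' before printing, and print from cp rather than bv_val so the leading whitespace that was just skipped is not re-emitted. The error path after ldap_search_st() returns without releasing res, which the library may already have populated (for example with a partial result on timeout); free it with ldap_msgfree() when it is non-NULL. The comment "We have found the desired key." is misleading, since every non-comment value is emitted, and ldap_do_close() calling fatal() on an unbind failure is heavier than needed: error() followed by ld = NULL is enough when the helper is shutting down anyway.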
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h
Jakub Jelen 132f8f
--- openssh-6.8p1/ldapbody.h.ldap	2015-03-18 11:11:29.031801462 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldapbody.h	2015-03-18 11:11:29.031801462 +0100
Petr Lautrbach 94c6f8
@@ -0,0 +1,37 @@
Petr Lautrbach 94c6f8
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 94c6f8
+ *
Petr Lautrbach 94c6f8
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 94c6f8
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 94c6f8
+ * are met:
Petr Lautrbach 94c6f8
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 94c6f8
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 94c6f8
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 94c6f8
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 94c6f8
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 94c6f8
+ *
Petr Lautrbach 94c6f8
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 94c6f8
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 94c6f8
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 94c6f8
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 94c6f8
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 94c6f8
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 94c6f8
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 94c6f8
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 94c6f8
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 94c6f8
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 94c6f8
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#ifndef LDAPBODY_H
Petr Lautrbach 94c6f8
+#define LDAPBODY_H
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#include <stdio.h>
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+void ldap_checkconfig(void);
Petr Lautrbach 94c6f8
+void ldap_do_connect(void);
Petr Lautrbach 94c6f8
+void process_user(const char *, FILE *);
Petr Lautrbach 94c6f8
+void ldap_do_close(void);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#endif /* LDAPBODY_H */
Jan F. Chadima 69dd72
+
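Review bot: The three ldap_* prototypes are namespaced but process_user(const char *, FILE *) is not; renaming it ldap_process_user would follow the header's own convention and avoid clashing with identically named symbols elsewhere in the OpenSSH tree. As these four declarations are the whole interface of the helper, a one-line comment per function (that ldap_do_connect() must precede process_user(), and that process_user() writes authorized_keys lines for the named user to the FILE) would save callers a trip into ldapbody.c.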
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
Jakub Jelen 132f8f
--- openssh-6.8p1/ldapconf.c.ldap	2015-03-18 11:11:29.032801460 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldapconf.c	2015-03-18 11:11:29.032801460 +0100
Jakub Jelen 3bc8b8
@@ -0,0 +1,728 @@
Petr Lautrbach 94c6f8
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 94c6f8
+ *
Petr Lautrbach 94c6f8
+ * Redistribution and use in source and binary forms, with or without
Petr Lautrbach 94c6f8
+ * modification, are permitted provided that the following conditions
Petr Lautrbach 94c6f8
+ * are met:
Petr Lautrbach 94c6f8
+ * 1. Redistributions of source code must retain the above copyright
Petr Lautrbach 94c6f8
+ *    notice, this list of conditions and the following disclaimer.
Petr Lautrbach 94c6f8
+ * 2. Redistributions in binary form must reproduce the above copyright
Petr Lautrbach 94c6f8
+ *    notice, this list of conditions and the following disclaimer in the
Petr Lautrbach 94c6f8
+ *    documentation and/or other materials provided with the distribution.
Petr Lautrbach 94c6f8
+ *
Petr Lautrbach 94c6f8
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Petr Lautrbach 94c6f8
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Petr Lautrbach 94c6f8
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Petr Lautrbach 94c6f8
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Petr Lautrbach 94c6f8
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Petr Lautrbach 94c6f8
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Petr Lautrbach 94c6f8
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Petr Lautrbach 94c6f8
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Petr Lautrbach 94c6f8
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Petr Lautrbach 94c6f8
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Petr Lautrbach 94c6f8
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#include "ldapincludes.h"
Petr Lautrbach 94c6f8
+#include "ldap-helper.h"
Petr Lautrbach 94c6f8
+#include "log.h"
Petr Lautrbach 94c6f8
+#include "misc.h"
Petr Lautrbach 94c6f8
+#include "xmalloc.h"
Petr Lautrbach 94c6f8
+#include "ldapconf.h"
Petr Lautrbach 94c6f8
+#include <unistd.h>
Petr Lautrbach 94c6f8
+#include <string.h>
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+/* Keyword tokens. */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+typedef enum {
Petr Lautrbach 94c6f8
+	lBadOption,
Petr Lautrbach 94c6f8
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
Petr Lautrbach 94c6f8
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
Petr Lautrbach 94c6f8
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
Petr Lautrbach 94c6f8
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
Petr Lautrbach 94c6f8
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
Jakub Jelen 3bc8b8
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
Petr Lautrbach 94c6f8
+	lAccountClass, lDeprecated, lUnsupported
Petr Lautrbach 94c6f8
+} OpCodes;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+/* Textual representations of the tokens. */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static struct {
Petr Lautrbach 94c6f8
+	const char *name;
Petr Lautrbach 94c6f8
+	OpCodes opcode;
Petr Lautrbach 94c6f8
+} keywords[] = {
Petr Lautrbach 94c6f8
+	{ "URI", lURI },
Petr Lautrbach 94c6f8
+	{ "Base", lBase },
Petr Lautrbach 94c6f8
+	{ "BindDN", lBindDN },
Petr Lautrbach 94c6f8
+	{ "BindPW", lBindPW },
Petr Lautrbach 94c6f8
+	{ "RootBindDN", lRootBindDN },
Petr Lautrbach 94c6f8
+	{ "Host", lHost },
Petr Lautrbach 94c6f8
+	{ "Port", lPort },
Petr Lautrbach 94c6f8
+	{ "Scope", lScope },
Petr Lautrbach 94c6f8
+	{ "Deref", lDeref },
Petr Lautrbach 94c6f8
+	{ "TimeLimit", lTimeLimit },
Petr Lautrbach 94c6f8
+	{ "TimeOut", lTimeLimit },
Petr Lautrbach 94c6f8
+	{ "Bind_Timelimit", lBind_TimeLimit },
Petr Lautrbach 94c6f8
+	{ "Network_TimeOut", lBind_TimeLimit },
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Todo
Petr Lautrbach 94c6f8
+ * SIZELIMIT
Petr Lautrbach 94c6f8
+ */
Petr Lautrbach 94c6f8
+	{ "Ldap_Version", lLdap_Version },
Petr Lautrbach 94c6f8
+	{ "Version", lLdap_Version },
Petr Lautrbach 94c6f8
+	{ "Bind_Policy", lBind_Policy },
Petr Lautrbach 94c6f8
+	{ "SSLPath", lSSLPath },
Petr Lautrbach 94c6f8
+	{ "SSL", lSSL },
Petr Lautrbach 94c6f8
+	{ "Referrals", lReferrals },
Petr Lautrbach 94c6f8
+	{ "Restart", lRestart },
Petr Lautrbach 94c6f8
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
Petr Lautrbach 94c6f8
+	{ "TLS_ReqCert", lTLS_CheckPeer },
Petr Lautrbach 94c6f8
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
Petr Lautrbach 94c6f8
+	{ "TLS_CaCert", lTLS_CaCertFile },
Petr Lautrbach 94c6f8
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
Petr Lautrbach 94c6f8
+	{ "TLS_Ciphers", lTLS_Ciphers },
Petr Lautrbach 94c6f8
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
Petr Lautrbach 94c6f8
+	{ "TLS_Cert", lTLS_Cert },
Petr Lautrbach 94c6f8
+	{ "TLS_Certificate", lTLS_Cert },
Petr Lautrbach 94c6f8
+	{ "TLS_Key", lTLS_Key },
Petr Lautrbach 94c6f8
+	{ "TLS_RandFile", lTLS_RandFile },
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Todo
Petr Lautrbach 94c6f8
+ * TLS_CRLCHECK
Petr Lautrbach 94c6f8
+ * TLS_CRLFILE
Petr Lautrbach 94c6f8
+ */
Petr Lautrbach 94c6f8
+	{ "LogDir", lLogDir },
Petr Lautrbach 94c6f8
+	{ "Debug", lDebug },
Petr Lautrbach 94c6f8
+	{ "SSH_Filter", lSSH_Filter },
Jakub Jelen 3bc8b8
+	{ "search_format", lSearch_Format },
Petr Lautrbach 94c6f8
+	{ "AccountClass", lAccountClass },
Petr Lautrbach 94c6f8
+	{ NULL, lBadOption }
Petr Lautrbach 94c6f8
+};
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+/* Configuration ptions. */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+Options options;
Petr Lautrbach e6dbb8
+
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Returns the number of the token pointed to by cp or oBadOption.
Petr Lautrbach 94c6f8
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static OpCodes
Petr Lautrbach 94c6f8
+parse_token(const char *cp, const char *filename, int linenum)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	u_int i;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	for (i = 0; keywords[i].name; i++)
Petr Lautrbach 94c6f8
+		if (strcasecmp(cp, keywords[i].name) == 0)
Petr Lautrbach 94c6f8
+			return keywords[i].opcode;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	if (config_warning_config_file) 
Petr Lautrbach 94c6f8
+	    logit("%s: line %d: Bad configuration option: %s",
Petr Lautrbach 94c6f8
+		filename, linenum, cp);
Petr Lautrbach 94c6f8
+	return lBadOption;
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+/* Characters considered whitespace in strsep calls. */
Petr Lautrbach 94c6f8
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+/* return next token in configuration line */
Petr Lautrbach 94c6f8
+static char *
Petr Lautrbach 94c6f8
+ldap_strdelim(char **s)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 94c6f8
+      char *old;
Petr Lautrbach 94c6f8
+      int wspace = 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+      if (*s == NULL)
Petr Lautrbach 94c6f8
+              return NULL;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+      old = *s;
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+      *s = strpbrk(*s, WHITESPACE);
Petr Lautrbach 94c6f8
+      if (*s == NULL)
Petr Lautrbach 94c6f8
+              return (old);
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+      *s[0] = '\0';
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+      /* Skip any extra whitespace after first token */
Petr Lautrbach 94c6f8
+      *s += strspn(*s + 1, WHITESPACE) + 1;
Petr Lautrbach 94c6f8
+      if (*s[0] == '=' && !wspace)
Petr Lautrbach 94c6f8
+              *s += strspn(*s + 1, WHITESPACE) + 1;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+      return (old);
Petr Lautrbach 65ba94
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 94c6f8
+ * Processes a single option line as used in the configuration files. This
Petr Lautrbach 94c6f8
+ * only sets those values that have not already been set.
Petr Lautrbach 65ba94
+ */
Petr Lautrbach 94c6f8
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static int
Petr Lautrbach 94c6f8
+process_config_line(char *line, const char *filename, int linenum)
Petr Lautrbach 65ba94
+{
Petr Lautrbach 94c6f8
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
Petr Lautrbach 94c6f8
+	char *rootbinddn = NULL;
Petr Lautrbach 94c6f8
+	int opcode, *intptr, value;
Petr Lautrbach 94c6f8
+	size_t len;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/* Strip trailing whitespace */
Petr Lautrbach 94c6f8
+	for (len = strlen(line) - 1; len > 0; len--) {
Petr Lautrbach 94c6f8
+		if (strchr(WHITESPACE, line[len]) == NULL)
Petr Lautrbach 94c6f8
+			break;
Petr Lautrbach 94c6f8
+		line[len] = '\0';
Petr Lautrbach 94c6f8
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	s = line;
Petr Lautrbach 94c6f8
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
Petr Lautrbach 94c6f8
+	if ((keyword = ldap_strdelim(&s)) == NULL)
Petr Lautrbach 94c6f8
+		return 0;
Petr Lautrbach 94c6f8
+	/* Ignore leading whitespace. */
Petr Lautrbach 94c6f8
+	if (*keyword == '\0')
Petr Lautrbach 94c6f8
+		keyword = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
Petr Lautrbach 94c6f8
+		return 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	opcode = parse_token(keyword, filename, linenum);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	switch (opcode) {
Petr Lautrbach 94c6f8
+	case lBadOption:
Petr Lautrbach 94c6f8
+		/* don't panic, but count bad options */
Petr Lautrbach 94c6f8
+		return -1;
Petr Lautrbach 94c6f8
+		/* NOTREACHED */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lHost:
Petr Lautrbach 94c6f8
+		xstringptr = &options.host;
Petr Lautrbach 94c6f8
+parse_xstring:
Petr Lautrbach 94c6f8
+		if (!s || *s == '\0')
Petr Lautrbach 94c6f8
+		    fatal("%s line %d: missing dn",filename,linenum);
Petr Lautrbach 94c6f8
+		if (*xstringptr == NULL)
Petr Lautrbach 94c6f8
+		    *xstringptr = xstrdup(s);
Petr Lautrbach 94c6f8
+		return 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lURI:
Petr Lautrbach 94c6f8
+		xstringptr = &options.uri;
Petr Lautrbach 94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lBase:
Petr Lautrbach 94c6f8
+		xstringptr = &options.base;
Petr Lautrbach 94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lBindDN:
Petr Lautrbach 94c6f8
+		xstringptr = &options.binddn;
Petr Lautrbach 94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lBindPW:
Petr Lautrbach 94c6f8
+		charptr = &options.bindpw;
Petr Lautrbach 94c6f8
+parse_string:
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (*charptr == NULL)
Petr Lautrbach 94c6f8
+			*charptr = xstrdup(arg);
Petr Lautrbach 94c6f8
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lRootBindDN:
Petr Lautrbach 94c6f8
+		xstringptr = &rootbinddn;
Petr Lautrbach 94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lScope:
Petr Lautrbach 94c6f8
+		intptr = &options.scope;
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 94c6f8
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
Petr Lautrbach 94c6f8
+			value = LDAP_SCOPE_SUBTREE;
Petr Lautrbach 94c6f8
+		else if (strcasecmp (arg, "one") == 0)
Petr Lautrbach 94c6f8
+			value = LDAP_SCOPE_ONELEVEL;
Petr Lautrbach 94c6f8
+		else if (strcasecmp (arg, "base") == 0)
Petr Lautrbach 94c6f8
+			value = LDAP_SCOPE_BASE;
Petr Lautrbach 94c6f8
+		else
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (*intptr == -1)
Petr Lautrbach 94c6f8
+			*intptr = value;
Petr Lautrbach 94c6f8
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lDeref:
Petr Lautrbach 94c6f8
+		intptr = &options.scope;
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 94c6f8
+		if (!strcasecmp (arg, "never"))
Petr Lautrbach 94c6f8
+			value = LDAP_DEREF_NEVER;
Petr Lautrbach 94c6f8
+		else if (!strcasecmp (arg, "searching"))
Petr Lautrbach 94c6f8
+			value = LDAP_DEREF_SEARCHING;
Petr Lautrbach 94c6f8
+		else if (!strcasecmp (arg, "finding"))
Petr Lautrbach 94c6f8
+			value = LDAP_DEREF_FINDING;
Petr Lautrbach 94c6f8
+		else if (!strcasecmp (arg, "always"))
Petr Lautrbach 94c6f8
+			value = LDAP_DEREF_ALWAYS;
Petr Lautrbach 94c6f8
+		else
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (*intptr == -1)
Petr Lautrbach 94c6f8
+			*intptr = value;
Petr Lautrbach 94c6f8
+		break;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+	case lPort:
Petr Lautrbach 94c6f8
+		intptr = &options.port;
Petr Lautrbach 94c6f8
+parse_int:
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (arg[0] < '0' || arg[0] > '9')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+		/* Octal, decimal, or hex format? */
Petr Lautrbach 94c6f8
+		value = strtol(arg, &endofnumber, 0);
Petr Lautrbach 94c6f8
+		if (arg == endofnumber)
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (*intptr == -1)
Petr Lautrbach 94c6f8
+			*intptr = value;
Petr Lautrbach 94c6f8
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lTimeLimit:
Petr Lautrbach 94c6f8
+		intptr = &options.timelimit;
Petr Lautrbach 94c6f8
+parse_time:
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%s line %d: missing time value.",
Petr Lautrbach 94c6f8
+			    filename, linenum);
Petr Lautrbach 94c6f8
+		if ((value = convtime(arg)) == -1)
Petr Lautrbach 94c6f8
+			fatal("%s line %d: invalid time value.",
Petr Lautrbach 94c6f8
+			    filename, linenum);
Petr Lautrbach 94c6f8
+		if (*intptr == -1)
Petr Lautrbach 94c6f8
+			*intptr = value;
Petr Lautrbach 94c6f8
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lBind_TimeLimit:
Petr Lautrbach 94c6f8
+		intptr = &options.bind_timelimit;
Petr Lautrbach 94c6f8
+		goto parse_time;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lLdap_Version:
Petr Lautrbach 94c6f8
+		intptr = &options.ldap_version;
Petr Lautrbach 94c6f8
+		goto parse_int;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lBind_Policy:
Petr Lautrbach 94c6f8
+		intptr = &options.bind_policy;
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 94c6f8
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
Petr Lautrbach 94c6f8
+			value = 1;
Petr Lautrbach 94c6f8
+		else if (strcasecmp(arg, "soft") == 0)
Petr Lautrbach 94c6f8
+			value = 0;
Petr Lautrbach 94c6f8
+		else
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (*intptr == -1)
Jakub Jelen f92cd0
+			*intptr = value;
Petr Lautrbach 94c6f8
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lSSLPath:
Petr Lautrbach 94c6f8
+		charptr = &options.sslpath;
Petr Lautrbach 94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lSSL:
Petr Lautrbach 94c6f8
+		intptr = &options.ssl;
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 94c6f8
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Petr Lautrbach 94c6f8
+			value = SSL_LDAPS;
Petr Lautrbach 94c6f8
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Petr Lautrbach 94c6f8
+			value = SSL_OFF;
Petr Lautrbach 94c6f8
+		else if (!strcasecmp (arg, "start_tls"))
Petr Lautrbach 94c6f8
+			value = SSL_START_TLS;
Petr Lautrbach 94c6f8
+		else
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (*intptr == -1)
Petr Lautrbach 94c6f8
+			*intptr = value;
Petr Lautrbach 94c6f8
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lReferrals:
Petr Lautrbach 94c6f8
+		intptr = &options.referrals;
Petr Lautrbach 94c6f8
+parse_flag:
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 94c6f8
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Petr Lautrbach 94c6f8
+			value = 1;
Petr Lautrbach 94c6f8
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Petr Lautrbach 94c6f8
+			value = 0;
Petr Lautrbach 94c6f8
+		else
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (*intptr == -1)
Petr Lautrbach 94c6f8
+			*intptr = value;
Petr Lautrbach 94c6f8
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lRestart:
Petr Lautrbach 94c6f8
+		intptr = &options.restart;
Petr Lautrbach 94c6f8
+		goto parse_flag;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lTLS_CheckPeer:
Petr Lautrbach 94c6f8
+		intptr = &options.tls_checkpeer;
Petr Lautrbach 94c6f8
+		arg = ldap_strdelim(&s);
Petr Lautrbach 94c6f8
+		if (!arg || *arg == '\0')
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		value = 0;	/* To avoid compiler warning... */
Petr Lautrbach 94c6f8
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Petr Lautrbach 94c6f8
+			value = LDAP_OPT_X_TLS_NEVER;
Petr Lautrbach 94c6f8
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Petr Lautrbach 94c6f8
+			value = LDAP_OPT_X_TLS_HARD;
Petr Lautrbach 94c6f8
+		else if (strcasecmp(arg, "demand") == 0)
Petr Lautrbach 94c6f8
+			value = LDAP_OPT_X_TLS_DEMAND;
Petr Lautrbach 94c6f8
+		else if (strcasecmp(arg, "allow") == 0)
Petr Lautrbach 94c6f8
+			value = LDAP_OPT_X_TLS_ALLOW;
Petr Lautrbach 94c6f8
+		else if (strcasecmp(arg, "try") == 0)
Petr Lautrbach 94c6f8
+			value = LDAP_OPT_X_TLS_TRY;
Petr Lautrbach 94c6f8
+		else
Petr Lautrbach 94c6f8
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
Petr Lautrbach 94c6f8
+		if (*intptr == -1)
Jakub Jelen f92cd0
+			*intptr = value;
Petr Lautrbach 94c6f8
+		break;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lTLS_CaCertFile:
Petr Lautrbach 94c6f8
+		charptr = &options.tls_cacertfile;
Petr Lautrbach 94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lTLS_CaCertDir:
Petr Lautrbach 94c6f8
+		charptr = &options.tls_cacertdir;
Petr Lautrbach 94c6f8
+		goto parse_string;
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+	case lTLS_Ciphers:
Petr Lautrbach 94c6f8
+		xstringptr = &options.tls_ciphers;
Petr Lautrbach 94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lTLS_Cert:
Petr Lautrbach 94c6f8
+		charptr = &options.tls_cert;
Petr Lautrbach 94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lTLS_Key:
Petr Lautrbach 94c6f8
+		charptr = &options.tls_key;
Petr Lautrbach 94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lTLS_RandFile:
Petr Lautrbach 94c6f8
+		charptr = &options.tls_randfile;
Petr Lautrbach 94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lLogDir:
Petr Lautrbach 94c6f8
+		charptr = &options.logdir;
Petr Lautrbach 94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lDebug:
Petr Lautrbach 94c6f8
+		intptr = &options.debug;
Petr Lautrbach 94c6f8
+		goto parse_int;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lSSH_Filter:
Petr Lautrbach 94c6f8
+		xstringptr = &options.ssh_filter;
Petr Lautrbach 94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
Jakub Jelen 3bc8b8
+	case lSearch_Format:
Jakub Jelen 3bc8b8
+		charptr = &options.search_format;
Jakub Jelen 3bc8b8
+		goto parse_string;
Jakub Jelen 3bc8b8
+
Petr Lautrbach 94c6f8
+	case lAccountClass:
Petr Lautrbach 94c6f8
+		charptr = &options.account_class;
Petr Lautrbach 94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lDeprecated:
Petr Lautrbach 94c6f8
+		debug("%s line %d: Deprecated option \"%s\"",
Petr Lautrbach 94c6f8
+		    filename, linenum, keyword);
Petr Lautrbach 94c6f8
+		return 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	case lUnsupported:
Petr Lautrbach 94c6f8
+		error("%s line %d: Unsupported option \"%s\"",
Petr Lautrbach 94c6f8
+		    filename, linenum, keyword);
Petr Lautrbach 94c6f8
+		return 0;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	default:
Petr Lautrbach 94c6f8
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
Petr Lautrbach 94c6f8
+	}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/* Check that there is no garbage at end of line. */
Petr Lautrbach 94c6f8
+	if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
Petr Lautrbach 94c6f8
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
Petr Lautrbach 94c6f8
+		    filename, linenum, arg);
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+	return 0;
Petr Lautrbach 94c6f8
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Reads the config file and modifies the options accordingly.  Options
Petr Lautrbach 94c6f8
+ * should already be initialized before this call.  This never returns if
Petr Lautrbach 94c6f8
+ * there is an error.  If the file does not exist, this returns 0.
Petr Lautrbach 94c6f8
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+void
Petr Lautrbach 94c6f8
+read_config_file(const char *filename)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	FILE *f;
Petr Lautrbach 94c6f8
+	char line[1024];
Jakub Jelen 580f98
+	int linenum;
Petr Lautrbach 94c6f8
+	int bad_options = 0;
Petr Lautrbach 94c6f8
+	struct stat sb;
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	if ((f = fopen(filename, "r")) == NULL)
Petr Lautrbach 94c6f8
+		fatal("fopen %s: %s", filename, strerror(errno));
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	if (fstat(fileno(f), &sb) == -1)
Petr Lautrbach 94c6f8
+		fatal("fstat %s: %s", filename, strerror(errno));
Petr Lautrbach 94c6f8
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
Petr Lautrbach 94c6f8
+	    (sb.st_mode & 022) != 0))
Petr Lautrbach 94c6f8
+		fatal("Bad owner or permissions on %s", filename);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	debug("Reading configuration data %.200s", filename);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+	/*
Petr Lautrbach 94c6f8
+	 * Mark that we are now processing the options.  This flag is turned
Petr Lautrbach 94c6f8
+	 * on/off by Host specifications.
Petr Lautrbach 94c6f8
+	 */
Petr Lautrbach 94c6f8
+	linenum = 0;
Petr Lautrbach 94c6f8
+	while (fgets(line, sizeof(line), f)) {
Petr Lautrbach 94c6f8
+		/* Update line number counter. */
Petr Lautrbach 94c6f8
+		linenum++;
Petr Lautrbach 94c6f8
+		if (process_config_line(line, filename, linenum) != 0)
Petr Lautrbach 94c6f8
+			bad_options++;
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+	fclose(f);
Petr Lautrbach 94c6f8
+	if ((bad_options > 0) && config_exclusive_config_file) 
Petr Lautrbach 94c6f8
+		fatal("%s: terminating, %d bad configuration options",
Petr Lautrbach 94c6f8
+		    filename, bad_options);
Petr Lautrbach 94c6f8
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 65ba94
+/*
Petr Lautrbach 94c6f8
+ * Initializes options to special values that indicate that they have not yet
Petr Lautrbach 94c6f8
+ * been set.  Read_config_file will only set options with this value. Options
Petr Lautrbach 94c6f8
+ * are processed in the following order: command line, user config file,
Petr Lautrbach 94c6f8
+ * system config file.  Last, fill_default_options is called.
Petr Lautrbach 65ba94
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+void
Petr Lautrbach 94c6f8
+initialize_options(void)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	memset(&options, 'X', sizeof(options));
Petr Lautrbach 94c6f8
+	options.host = NULL;
Petr Lautrbach 94c6f8
+	options.uri = NULL;
Petr Lautrbach 94c6f8
+	options.base = NULL;
Petr Lautrbach 94c6f8
+	options.binddn = NULL;
Petr Lautrbach 94c6f8
+	options.bindpw = NULL;
Petr Lautrbach 94c6f8
+	options.scope = -1;
Petr Lautrbach 94c6f8
+	options.deref = -1;
Petr Lautrbach 94c6f8
+	options.port = -1;
Petr Lautrbach 94c6f8
+	options.timelimit = -1;
Petr Lautrbach 94c6f8
+	options.bind_timelimit = -1;
Petr Lautrbach 94c6f8
+	options.ldap_version = -1;
Petr Lautrbach 94c6f8
+	options.bind_policy = -1;
Petr Lautrbach 94c6f8
+	options.sslpath = NULL;
Petr Lautrbach 94c6f8
+	options.ssl = -1;
Petr Lautrbach 94c6f8
+	options.referrals = -1;
Petr Lautrbach 94c6f8
+	options.restart = -1;
Petr Lautrbach 94c6f8
+	options.tls_checkpeer = -1;
Petr Lautrbach 94c6f8
+	options.tls_cacertfile = NULL;
Petr Lautrbach 94c6f8
+	options.tls_cacertdir = NULL;
Petr Lautrbach 94c6f8
+	options.tls_ciphers = NULL;
Petr Lautrbach 94c6f8
+	options.tls_cert = NULL;
Petr Lautrbach 94c6f8
+	options.tls_key = NULL;
Petr Lautrbach 94c6f8
+	options.tls_randfile = NULL;
Petr Lautrbach 94c6f8
+	options.logdir = NULL;
Petr Lautrbach 94c6f8
+	options.debug = -1;
Petr Lautrbach 94c6f8
+	options.ssh_filter = NULL;
Jakub Jelen 3bc8b8
+	options.search_format = NULL;
Petr Lautrbach 94c6f8
+	options.account_class = NULL;
Petr Lautrbach 94c6f8
+}
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+/*
Petr Lautrbach 94c6f8
+ * Called after processing other sources of option data, this fills those
Petr Lautrbach 94c6f8
+ * options for which no value has been specified with their default values.
Petr Lautrbach 94c6f8
+ */
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+void
Petr Lautrbach 94c6f8
+fill_default_options(void)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	if (options.uri != NULL) {
Petr Lautrbach 94c6f8
+		LDAPURLDesc *ludp;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
Petr Lautrbach 94c6f8
+			if (options.ssl == -1) {
Petr Lautrbach 94c6f8
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
Petr Lautrbach 94c6f8
+				    options.ssl = 2;
Petr Lautrbach 94c6f8
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
Petr Lautrbach 94c6f8
+				    options.ssl = 0;
Petr Lautrbach 94c6f8
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
Petr Lautrbach 94c6f8
+				    options.ssl = 1;
Petr Lautrbach 94c6f8
+			}
Petr Lautrbach 94c6f8
+			if (options.host == NULL)
Petr Lautrbach 94c6f8
+			    options.host = xstrdup (ludp->lud_host);
Petr Lautrbach 94c6f8
+			if (options.port == -1)
Petr Lautrbach 94c6f8
+			    options.port = ludp->lud_port;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+			ldap_free_urldesc (ludp);
Petr Lautrbach 94c6f8
+		}
Petr Lautrbach 94c6f8
+	} 
Petr Lautrbach 94c6f8
+	if (options.ssl == -1)
Petr Lautrbach 94c6f8
+	    options.ssl = SSL_START_TLS;
Petr Lautrbach 94c6f8
+	if (options.port == -1)
Petr Lautrbach 94c6f8
+	    options.port = (options.ssl == 0) ? 389 : 636;
Petr Lautrbach 94c6f8
+	if (options.uri == NULL) {
Petr Lautrbach 94c6f8
+		int len;
Petr Lautrbach 94c6f8
+#define MAXURILEN 4096
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+		options.uri = xmalloc (MAXURILEN);
Petr Lautrbach 94c6f8
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
Petr Lautrbach 94c6f8
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
Petr Lautrbach 94c6f8
+		options.uri[MAXURILEN - 1] = 0;
Jakub Jelen 535d34
+		options.uri = xreallocarray(options.uri, len + 1, 1);
Petr Lautrbach 94c6f8
+	}
Petr Lautrbach 94c6f8
+	if (options.binddn == NULL)
Petr Lautrbach 94c6f8
+	    options.binddn = "";
Petr Lautrbach 94c6f8
+	if (options.bindpw == NULL)
Petr Lautrbach 94c6f8
+	    options.bindpw = "";
Petr Lautrbach 94c6f8
+	if (options.scope == -1)
Petr Lautrbach 94c6f8
+	    options.scope = LDAP_SCOPE_SUBTREE;
Petr Lautrbach 94c6f8
+	if (options.deref == -1)
Petr Lautrbach 94c6f8
+	    options.deref = LDAP_DEREF_NEVER;
Petr Lautrbach 94c6f8
+	if (options.timelimit == -1)
Petr Lautrbach 94c6f8
+	    options.timelimit = 10;
Petr Lautrbach 94c6f8
+	if (options.bind_timelimit == -1)
Petr Lautrbach 94c6f8
+	    options.bind_timelimit = 10;
Petr Lautrbach 94c6f8
+	if (options.ldap_version == -1)
Petr Lautrbach 94c6f8
+	    options.ldap_version = 3;
Petr Lautrbach 94c6f8
+	if (options.bind_policy == -1)
Petr Lautrbach 94c6f8
+	    options.bind_policy = 1;
Petr Lautrbach 94c6f8
+	if (options.referrals == -1)
Petr Lautrbach 94c6f8
+	    options.referrals = 1;
Petr Lautrbach 94c6f8
+	if (options.restart == -1)
Petr Lautrbach 94c6f8
+	    options.restart = 1;
Petr Lautrbach 94c6f8
+	if (options.tls_checkpeer == -1)
Petr Lautrbach 94c6f8
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
Petr Lautrbach 94c6f8
+	if (options.debug == -1)
Petr Lautrbach 94c6f8
+	    options.debug = 0;
Petr Lautrbach 94c6f8
+	if (options.ssh_filter == NULL)
Petr Lautrbach 94c6f8
+	    options.ssh_filter = "";
Petr Lautrbach 94c6f8
+	if (options.account_class == NULL)
Petr Lautrbach 94c6f8
+	    options.account_class = "posixAccount";
Petr Lautrbach 94c6f8
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static const char *
Petr Lautrbach 94c6f8
+lookup_opcode_name(OpCodes code)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	u_int i;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+	for (i = 0; keywords[i].name != NULL; i++)
Petr Lautrbach 94c6f8
+	    if (keywords[i].opcode == code)
Petr Lautrbach 94c6f8
+		return(keywords[i].name);
Petr Lautrbach 94c6f8
+	return "UNKNOWN";
Petr Lautrbach 94c6f8
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static void
Petr Lautrbach 94c6f8
+dump_cfg_string(OpCodes code, const char *val)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 94c6f8
+	if (val == NULL)
Petr Lautrbach 94c6f8
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Petr Lautrbach 94c6f8
+	else
Petr Lautrbach 94c6f8
+	    debug3("%s %s", lookup_opcode_name(code), val);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static void
Petr Lautrbach 94c6f8
+dump_cfg_int(OpCodes code, int val)
Jan F. Chadima 69dd72
+{
Petr Lautrbach 94c6f8
+	if (val == -1)
Petr Lautrbach 94c6f8
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Petr Lautrbach 94c6f8
+	else
Petr Lautrbach 94c6f8
+	    debug3("%s %d", lookup_opcode_name(code), val);
Petr Lautrbach 94c6f8
+}
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+struct names {
Petr Lautrbach 94c6f8
+	int value;
Petr Lautrbach 94c6f8
+	char *name;
Petr Lautrbach 94c6f8
+};
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+static void
Petr Lautrbach 94c6f8
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	u_int i;
Petr Lautrbach 65ba94
+
Petr Lautrbach 94c6f8
+	if (val == -1)
Petr Lautrbach 94c6f8
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Petr Lautrbach 94c6f8
+	else {
Petr Lautrbach 94c6f8
+		for (i = 0; names[i].value != -1; i++)
Petr Lautrbach 94c6f8
+	 	    if (names[i].value == val) {
Petr Lautrbach 94c6f8
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
Petr Lautrbach 94c6f8
+			    return;
Jan F. Chadima 69dd72
+		}
Petr Lautrbach 94c6f8
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
Jan F. Chadima 69dd72
+	}
Petr Lautrbach 94c6f8
+}
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static struct names _yesnotls[] = {
Petr Lautrbach 94c6f8
+	{ 0, "No" },
Petr Lautrbach 94c6f8
+	{ 1, "Yes" },
Petr Lautrbach 94c6f8
+	{ 2, "Start_TLS" },
Petr Lautrbach 94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static struct names _scope[] = {
Petr Lautrbach 94c6f8
+	{ LDAP_SCOPE_BASE, "Base" },
Petr Lautrbach 94c6f8
+	{ LDAP_SCOPE_ONELEVEL, "One" },
Petr Lautrbach 94c6f8
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
Petr Lautrbach 94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static struct names _deref[] = {
Petr Lautrbach 94c6f8
+	{ LDAP_DEREF_NEVER, "Never" },
Petr Lautrbach 94c6f8
+	{ LDAP_DEREF_SEARCHING, "Searching" },
Petr Lautrbach 94c6f8
+	{ LDAP_DEREF_FINDING, "Finding" },
Petr Lautrbach 94c6f8
+	{ LDAP_DEREF_ALWAYS, "Always" },
Petr Lautrbach 94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static struct names _yesno[] = {
Petr Lautrbach 94c6f8
+	{ 0, "No" },
Petr Lautrbach 94c6f8
+	{ 1, "Yes" },
Petr Lautrbach 94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static struct names _bindpolicy[] = {
Petr Lautrbach 94c6f8
+	{ 0, "Soft" },
Petr Lautrbach 94c6f8
+	{ 1, "Hard" },
Petr Lautrbach 94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+static struct names _checkpeer[] = {
Petr Lautrbach 94c6f8
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
Petr Lautrbach 94c6f8
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
Petr Lautrbach 94c6f8
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
Petr Lautrbach 94c6f8
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
Petr Lautrbach 94c6f8
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
Petr Lautrbach 94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+void
Petr Lautrbach 94c6f8
+dump_config(void)
Petr Lautrbach 94c6f8
+{
Petr Lautrbach 94c6f8
+	dump_cfg_string(lURI, options.uri);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lHost, options.host);
Petr Lautrbach 94c6f8
+	dump_cfg_int(lPort, options.port);
Petr Lautrbach 94c6f8
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
Petr Lautrbach 94c6f8
+	dump_cfg_int(lLdap_Version, options.ldap_version);
Petr Lautrbach 94c6f8
+	dump_cfg_int(lTimeLimit, options.timelimit);
Petr Lautrbach 94c6f8
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lBase, options.base);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lBindDN, options.binddn);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lBindPW, options.bindpw);
Petr Lautrbach 94c6f8
+	dump_cfg_namedint(lScope, options.scope, _scope);
Petr Lautrbach 94c6f8
+	dump_cfg_namedint(lDeref, options.deref, _deref);
Petr Lautrbach 94c6f8
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
Petr Lautrbach 94c6f8
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
Petr Lautrbach 94c6f8
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lSSLPath, options.sslpath);
Petr Lautrbach 94c6f8
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lTLS_Key, options.tls_key);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lLogDir, options.logdir);
Petr Lautrbach 94c6f8
+	dump_cfg_int(lDebug, options.debug);
Petr Lautrbach 94c6f8
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
Jakub Jelen 3bc8b8
+	dump_cfg_string(lSearch_Format, options.search_format);
Jakub Jelen 3bc8b8
+	dump_cfg_string(lAccountClass, options.account_class);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
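Review bot: dump_config() writes the directory bind credential into the debug log, `dump_cfg_string(lBindPW, options.bindpw);` prints the raw value at debug3, so a `-d`/`-v` run sends the password to stderr or syslog; emit a fixed marker (for example `<SET>` / `<UNDEFINED>`) for lBindPW instead of the string. In fill_default_options the fallback URI is built with `snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d", ..., options.host, options.port)` while options.host can still be NULL when neither URI nor Host was configured; fail with an explicit error before the snprintf rather than passing NULL to `%s`. The truncation case is also unhandled: when len >= MAXURILEN, `xreallocarray(options.uri, len + 1, 1)` grows the buffer to a size the string was never written into, so compare len against MAXURILEN and treat overflow as a configuration error (the `options.uri[MAXURILEN - 1] = 0;` line is redundant, snprintf already terminates). Minor: the scheme detection assigns the literals 2/0/1 although SSL_START_TLS is used a few lines later (use SSL_OFF/SSL_LDAPS/SSL_START_TLS throughout and make the first `if` part of the else-if chain), the loop body of dump_cfg_namedint mixes tab and space indentation, and "TRY" in _checkpeer should be "Try" to match the other entries.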
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldapconf.h.ldap openssh-6.8p1/ldapconf.h
Jakub Jelen 132f8f
--- openssh-6.8p1/ldapconf.h.ldap	2015-03-18 11:11:29.032801460 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldapconf.h	2015-03-18 11:11:29.032801460 +0100
Jakub Jelen 3bc8b8
@@ -0,0 +1,73 @@
Petr Lautrbach 94c6f8
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#ifndef LDAPCONF_H
Petr Lautrbach 94c6f8
+#define LDAPCONF_H
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#define SSL_OFF          0
Petr Lautrbach 94c6f8
+#define SSL_LDAPS        1
Petr Lautrbach 94c6f8
+#define SSL_START_TLS    2
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+/* Data structure for representing option data. */
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+typedef struct {
Petr Lautrbach 94c6f8
+	char *host;
Petr Lautrbach 94c6f8
+	char *uri;
Petr Lautrbach 94c6f8
+	char *base;
Petr Lautrbach 94c6f8
+	char *binddn;
Petr Lautrbach 94c6f8
+	char *bindpw;
Petr Lautrbach 94c6f8
+	int scope;
Petr Lautrbach 94c6f8
+	int deref;
Petr Lautrbach 94c6f8
+	int port;
Petr Lautrbach 94c6f8
+	int timelimit;
Petr Lautrbach 94c6f8
+	int bind_timelimit;
Petr Lautrbach 94c6f8
+	int ldap_version;
Petr Lautrbach 94c6f8
+	int bind_policy;
Petr Lautrbach 94c6f8
+	char *sslpath;
Petr Lautrbach 94c6f8
+	int ssl;
Petr Lautrbach 94c6f8
+	int referrals;
Petr Lautrbach 94c6f8
+	int restart;
Petr Lautrbach 94c6f8
+	int tls_checkpeer;
Petr Lautrbach 94c6f8
+	char *tls_cacertfile;
Petr Lautrbach 94c6f8
+	char *tls_cacertdir;
Petr Lautrbach 94c6f8
+	char *tls_ciphers;
Petr Lautrbach 94c6f8
+	char *tls_cert;
Petr Lautrbach 94c6f8
+	char *tls_key;
Petr Lautrbach 94c6f8
+	char *tls_randfile;
Petr Lautrbach 94c6f8
+	char *logdir;
Petr Lautrbach 94c6f8
+	int debug;
Petr Lautrbach 94c6f8
+	char *ssh_filter;
Jakub Jelen 3bc8b8
+	char *search_format;
Petr Lautrbach 94c6f8
+	char *account_class;
Petr Lautrbach 94c6f8
+}       Options;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+extern Options options;
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+void read_config_file(const char *);
Petr Lautrbach 94c6f8
+void initialize_options(void);
Petr Lautrbach 94c6f8
+void fill_default_options(void);
Petr Lautrbach 94c6f8
+void dump_config(void);
Jan F. Chadima 69dd72
+
Petr Lautrbach 94c6f8
+#endif /* LDAPCONF_H */
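Review bot: the string members of Options are declared `char *`, yet fill_default_options stores string literals in them (`options.binddn = "";`, `options.account_class = "posixAccount";`), so any later free() or in-place modification of those fields is undefined behaviour; either declare the members `const char *` or xstrdup() the defaults. The RCS tag on the first line, `$OpenBSD: ldapconf.c,v ...`, was copied from the .c file and does not name this header, and `}       Options;` should be `} Options;`.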
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldapincludes.h.ldap openssh-6.8p1/ldapincludes.h
Jakub Jelen 132f8f
--- openssh-6.8p1/ldapincludes.h.ldap	2015-03-18 11:11:29.032801460 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldapincludes.h	2015-03-18 11:11:29.032801460 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,41 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPINCLUDES_H
Jan F. Chadima 69dd72
+#define LDAPINCLUDES_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "includes.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef HAVE_LBER_H
Jan F. Chadima 69dd72
+#include <lber.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_H
Jan F. Chadima 69dd72
+#include <ldap.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SSL_H
Jan F. Chadima 69dd72
+#include <ldap_ssl.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPINCLUDES_H */
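Review bot: the `$OpenBSD: ldapconf.c,v ...` identifier on the first line belongs to ldapconf.c; give ldapincludes.h its own tag or drop the line. The HAVE_LBER_H / HAVE_LDAP_H / HAVE_LDAP_SSL_H guards are only useful if the configure checks that define them are part of the same patch; if they are added in a separate hunk, a one-line comment pointing at the configure test would help the next reader.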
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldapmisc.c.ldap openssh-6.8p1/ldapmisc.c
Jakub Jelen 132f8f
--- openssh-6.8p1/ldapmisc.c.ldap	2015-03-18 11:11:29.032801460 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldapmisc.c	2015-03-18 11:11:29.032801460 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,79 @@
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+#include "ldapmisc.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef HAVE_LDAP_GET_LDERRNO
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_GET_OPTION
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	int lderrno;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 69dd72
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	lderrno = ld->ld_errno;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (s != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 69dd72
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		*s = ld->ld_error;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (m != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 69dd72
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		*m = ld->ld_matched;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return lderrno;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef HAVE_LDAP_SET_LDERRNO
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 69dd72
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	ld->ld_errno = lderrno;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (s != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 69dd72
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_error = s;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (m != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 69dd72
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_matched = m;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return LDAP_SUCCESS;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
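Review bot: in the `#else` fallback of ldap_set_lderrno, `ld->ld_error = s;` and `ld->ld_matched = m;` store `const char *` arguments into non-const struct members (the qualifier is silently discarded) and hand the handle a pointer the caller may free later; xstrdup the strings or document that they must outlive the LDAP handle. String ownership in ldap_get_lderrno also differs between the two branches: with OpenLDAP, ldap_get_option(LDAP_OPT_ERROR_STRING) and ldap_get_option(LDAP_OPT_MATCHED_DN) return copies the caller must release with ldap_memfree(), while `*s = ld->ld_error;` returns a borrowed pointer; a comment above the function should state which applies, since callers cannot tell. Minor: the early `return rc;` returns an LDAP result code from a function whose normal return value is the stored error number, so a caller cannot distinguish "lookup failed" from "stored error is rc".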
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ldapmisc.h.ldap openssh-6.8p1/ldapmisc.h
Jakub Jelen 132f8f
--- openssh-6.8p1/ldapmisc.h.ldap	2015-03-18 11:11:29.032801460 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ldapmisc.h	2015-03-18 11:11:29.032801460 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,35 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPMISC_H
Jan F. Chadima 69dd72
+#define LDAPMISC_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+int ldap_get_lderrno (LDAP *, char **, char **);
Jan F. Chadima 69dd72
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPMISC_H */
Jan F. Chadima 69dd72
+
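Review bot: the prototypes `int ldap_get_lderrno (LDAP *, char **, char **);` and `int ldap_set_lderrno (LDAP *, int, const char *, const char *);` are declared unconditionally, while their definitions in ldapmisc.c exist only under `#ifndef HAVE_LDAP_GET_LDERRNO` / `#ifndef HAVE_LDAP_SET_LDERRNO`; on a libldap that already exports these functions with a different signature the redeclaration will conflict, so wrap the prototypes in the same guards. The `$OpenBSD: ldapbody.h,v` tag on the first line is copied from another file.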
Jakub Jelen 132f8f
diff -up openssh-6.8p1/openssh-lpk-openldap.schema.ldap openssh-6.8p1/openssh-lpk-openldap.schema
Jakub Jelen 132f8f
--- openssh-6.8p1/openssh-lpk-openldap.schema.ldap	2015-03-18 11:11:29.033801457 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/openssh-lpk-openldap.schema	2015-03-18 11:11:29.033801457 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,21 @@
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 69dd72
+#                              useful with PKA-LDAP also
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# Based on the proposal of : Mark Ruijter
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# octetString SYNTAX
Jan F. Chadima 69dd72
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 69dd72
+	EQUALITY octetStringMatch
Jan F. Chadima 69dd72
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# printableString SYNTAX yes|no
Jan F. Chadima 69dd72
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 69dd72
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 69dd72
+	)
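Review bot: the comment `# printableString SYNTAX yes|no` above the ldapPublicKey objectclass describes nothing in this file (the class defines no yes/no attribute) and reads like a leftover from an earlier version; drop it or replace it with a comment that explains the class. Since sshPublicKey carries no SINGLE-VALUE flag it is multi-valued (one key per value), which is what lets a user publish several keys; saying so in the DESC would save administrators a trip to the HOWTO. The attributetype line, its DESC line and `MUST ( sshPublicKey $ uid )` end in trailing whitespace.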
Jakub Jelen 132f8f
diff -up openssh-6.8p1/openssh-lpk-sun.schema.ldap openssh-6.8p1/openssh-lpk-sun.schema
Jakub Jelen 132f8f
--- openssh-6.8p1/openssh-lpk-sun.schema.ldap	2015-03-18 11:11:29.033801457 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/openssh-lpk-sun.schema	2015-03-18 11:11:29.033801457 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,23 @@
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 69dd72
+#                              useful with PKA-LDAP also
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# Schema for Sun Directory Server.
Jan F. Chadima 69dd72
+# Based on the original schema, modified by Stefan Fischer.
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+dn: cn=schema
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# octetString SYNTAX
Jan F. Chadima 69dd72
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 69dd72
+	EQUALITY octetStringMatch
Jan F. Chadima 69dd72
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# printableString SYNTAX yes|no
Jan F. Chadima 69dd72
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 69dd72
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 69dd72
+	)
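Review bot: same remarks as for the OpenLDAP schema apply to this Sun Directory Server variant: the `# printableString SYNTAX yes|no` comment above the objectClasses entry is stale, the attribute is multi-valued because SINGLE-VALUE is absent (worth stating in the DESC), and the attributeTypes, DESC and MUST lines carry trailing whitespace. Keeping the two schema files textually aligned apart from the `dn: cn=schema` / `attributeTypes:` / `objectClasses:` differences makes future OID or DESC changes easier to apply to both.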
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ssh-ldap-helper.8.ldap openssh-6.8p1/ssh-ldap-helper.8
Jakub Jelen 132f8f
--- openssh-6.8p1/ssh-ldap-helper.8.ldap	2015-03-18 11:11:29.033801457 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ssh-ldap-helper.8	2015-03-18 11:11:29.033801457 +0100
Petr Lautrbach 94c6f8
@@ -0,0 +1,79 @@
Petr Lautrbach 94c6f8
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
Petr Lautrbach 94c6f8
+.\"
Petr Lautrbach 94c6f8
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
Petr Lautrbach 94c6f8
+.\"
Petr Lautrbach 94c6f8
+.\" Permission to use, copy, modify, and distribute this software for any
Petr Lautrbach 94c6f8
+.\" purpose with or without fee is hereby granted, provided that the above
Petr Lautrbach 94c6f8
+.\" copyright notice and this permission notice appear in all copies.
Petr Lautrbach 94c6f8
+.\"
Petr Lautrbach 94c6f8
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
Petr Lautrbach 94c6f8
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
Petr Lautrbach 94c6f8
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
Petr Lautrbach 94c6f8
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
Petr Lautrbach 94c6f8
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
Petr Lautrbach 94c6f8
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
Petr Lautrbach 94c6f8
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Petr Lautrbach 94c6f8
+.\"
Petr Lautrbach 94c6f8
+.Dd $Mdocdate: April 29 2010 $
Petr Lautrbach 94c6f8
+.Dt SSH-LDAP-HELPER 8
Petr Lautrbach 94c6f8
+.Os
Petr Lautrbach 94c6f8
+.Sh NAME
Petr Lautrbach 94c6f8
+.Nm ssh-ldap-helper
Petr Lautrbach 94c6f8
+.Nd sshd helper program for ldap support
Petr Lautrbach 94c6f8
+.Sh SYNOPSIS
Petr Lautrbach 94c6f8
+.Nm ssh-ldap-helper
Petr Lautrbach 94c6f8
+.Op Fl devw
Petr Lautrbach 94c6f8
+.Op Fl f Ar file
Petr Lautrbach 94c6f8
+.Op Fl s Ar user
Petr Lautrbach 94c6f8
+.Sh DESCRIPTION
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+is used by
Petr Lautrbach 94c6f8
+.Xr sshd 1
Petr Lautrbach 94c6f8
+to access keys provided by an LDAP.
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+is disabled by default and can only be enabled in the
Petr Lautrbach 94c6f8
+sshd configuration file
Petr Lautrbach 94c6f8
+.Pa /etc/ssh/sshd_config
Petr Lautrbach 94c6f8
+by setting
Petr Lautrbach 94c6f8
+.Cm AuthorizedKeysCommand
Petr Lautrbach 94c6f8
+to
Petr Lautrbach 94c6f8
+.Dq /usr/libexec/ssh-ldap-wrapper .
Petr Lautrbach 94c6f8
+.Pp
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+is not intended to be invoked by the user, but from
Petr Lautrbach 94c6f8
+.Xr sshd 8 via
Petr Lautrbach 94c6f8
+.Xr ssh-ldap-wrapper .
Petr Lautrbach 94c6f8
+.Pp
Petr Lautrbach 94c6f8
+The options are as follows:
Petr Lautrbach 94c6f8
+.Bl -tag -width Ds
Petr Lautrbach 94c6f8
+.It Fl d
Petr Lautrbach 94c6f8
+Set the debug mode; 
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+prints all logs to stderr instead of syslog.
Petr Lautrbach 94c6f8
+.It Fl e
Petr Lautrbach 94c6f8
+Implies \-w;
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+halts if it encounters an unknown item in the ldap.conf file.
Petr Lautrbach 94c6f8
+.It Fl f
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
Petr Lautrbach 94c6f8
+.It Fl s
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+prints out the user's keys to stdout and exits.
Petr Lautrbach 94c6f8
+.It Fl v
Petr Lautrbach 94c6f8
+Implies \-d;
Petr Lautrbach 94c6f8
+increases verbosity.
Petr Lautrbach 94c6f8
+.It Fl w
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+writes warnings about unknown items in the ldap.conf configuration file.
Petr Lautrbach 94c6f8
+.El
Petr Lautrbach 94c6f8
+.Sh SEE ALSO
Petr Lautrbach 94c6f8
+.Xr sshd 8 ,
Petr Lautrbach 94c6f8
+.Xr sshd_config 5 ,
Petr Lautrbach 94c6f8
+.Xr ssh-ldap.conf 5 ,
Petr Lautrbach 94c6f8
+.Sh HISTORY
Petr Lautrbach 94c6f8
+.Nm
Petr Lautrbach 94c6f8
+first appeared in
Petr Lautrbach 94c6f8
+OpenSSH 5.5 + PKA-LDAP .
Petr Lautrbach 94c6f8
+.Sh AUTHORS
Petr Lautrbach 94c6f8
+.An Jan F. Chadima Aq jchadima@redhat.com
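Review bot: `.Xr sshd 1` in DESCRIPTION should be `.Xr sshd 8` (SEE ALSO already uses section 8), `.Xr sshd 8 via` turns "via" into an argument of the macro and should be split so that `via` sits on its own line, and `.Xr ssh-ldap-wrapper .` lacks a section number. The SYNOPSIS shows `.Op Fl f Ar file` and `.Op Fl s Ar user`, but the option list uses bare `.It Fl f` and `.It Fl s`; repeat the Ar argument there. The SEE ALSO list ends with a trailing comma after `.Xr ssh-ldap.conf 5 ,`. The DESCRIPTION tells the administrator to set AuthorizedKeysCommand but says nothing about AuthorizedKeysCommandUser, which sshd in this release requires alongside it (sshd refuses to start otherwise), nor that sshd only runs a command that is owned by root and not writable by group or others; both belong in this paragraph, since a wrapper installed with the wrong ownership simply never runs.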
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ssh-ldap-wrapper.ldap openssh-6.8p1/ssh-ldap-wrapper
Jakub Jelen 132f8f
--- openssh-6.8p1/ssh-ldap-wrapper.ldap	2015-03-18 11:11:29.033801457 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ssh-ldap-wrapper	2015-03-18 11:11:29.033801457 +0100
Petr Lautrbach 94c6f8
@@ -0,0 +1,4 @@
Petr Lautrbach 94c6f8
+#!/bin/sh
Petr Lautrbach 94c6f8
+
Petr Lautrbach 94c6f8
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
Petr Lautrbach 94c6f8
+
Jakub Jelen 132f8f
diff -up openssh-6.8p1/ssh-ldap.conf.5.ldap openssh-6.8p1/ssh-ldap.conf.5
Jakub Jelen 132f8f
--- openssh-6.8p1/ssh-ldap.conf.5.ldap	2015-03-18 11:11:29.033801457 +0100
Jakub Jelen 132f8f
+++ openssh-6.8p1/ssh-ldap.conf.5	2015-03-18 11:11:29.033801457 +0100
Jakub Jelen 3bc8b8
@@ -0,0 +1,385 @@
Jan F. Chadima 69dd72
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" Permission to use, copy, modify, and distribute this software for any
Jan F. Chadima 69dd72
+.\" purpose with or without fee is hereby granted, provided that the above
Jan F. Chadima 69dd72
+.\" copyright notice and this permission notice appear in all copies.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
Jan F. Chadima 69dd72
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
Jan F. Chadima 69dd72
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
Jan F. Chadima 69dd72
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
Jan F. Chadima 69dd72
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
Jan F. Chadima 69dd72
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
Jan F. Chadima 69dd72
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Jan F. Chadima 69dd72
+.\"
Jan F. Chadima 69dd72
+.Dd $Mdocdate: may 12 2010 $
Jan F. Chadima 69dd72
+.Dt SSH-LDAP.CONF 5
Jan F. Chadima 69dd72
+.Os
Jan F. Chadima 69dd72
+.Sh NAME
Jan F. Chadima 69dd72
+.Nm ssh-ldap.conf
Jan F. Chadima 69dd72
+.Nd configuration file for ssh-ldap-helper
Jan F. Chadima 69dd72
+.Sh SYNOPSIS
Jan F. Chadima 69dd72
+.Nm /etc/ssh/ldap.conf
Jan F. Chadima 69dd72
+.Sh DESCRIPTION
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+reads configuration data from
Jan F. Chadima 69dd72
+.Pa /etc/ssh/ldap.conf
Jan F. Chadima 69dd72
+(or the file specified with
Jan F. Chadima 69dd72
+.Fl f
Jan F. Chadima 69dd72
+on the command line).
Jan F. Chadima 69dd72
+The file contains keyword-argument pairs, one per line.
Jan F. Chadima 69dd72
+Lines starting with
Jan F. Chadima 69dd72
+.Ql #
Jan F. Chadima 69dd72
+and empty lines are interpreted as comments.
Jan F. Chadima 69dd72
+.Pp
Jan F. Chadima 69dd72
+The value starts with the first non-blank character after 
Jan F. Chadima 69dd72
+the keyword's name, and terminates at the end of the line, 
Jan F. Chadima 69dd72
+or at the last sequence of blanks before the end of the line.
Jan F. Chadima 69dd72
+Quoting values that contain blanks 
Jan F. Chadima 69dd72
+may be incorrect, as the quotes would become part of the value.
Jan F. Chadima 69dd72
+The possible keywords and their meanings are as follows (note that
Jan F. Chadima 69dd72
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
Jan F. Chadima 69dd72
+.Bl -tag -width Ds
Jan F. Chadima 69dd72
+.It Cm URI
Jan F. Chadima 69dd72
+The argument(s) are in the form
Jan F. Chadima 69dd72
+.Pa ldap[si]://[name[:port]]
Jan F. Chadima 69dd72
+and specify the URI(s) of an LDAP server(s) to which the
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8 
Jan F. Chadima 69dd72
+should connect. The URI scheme may be any of
Jan F. Chadima 69dd72
+.Dq ldap ,
Jan F. Chadima 69dd72
+.Dq ldaps 
Jan F. Chadima 69dd72
+or
Jan F. Chadima 69dd72
+.Dq ldapi ,
Jan F. Chadima 69dd72
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
Jan F. Chadima 69dd72
+over IPC (UNIX domain sockets), respectively.
Jan F. Chadima 69dd72
+Each server's name can be specified as a
Jan F. Chadima 69dd72
+domain-style name or an IP address literal.  Optionally, the
Jan F. Chadima 69dd72
+server's name can followed by a ':' and the port number the LDAP
Jan F. Chadima 69dd72
+server is listening on.  If no port number is provided, the default
Jan F. Chadima 69dd72
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
Jan F. Chadima 69dd72
+For LDAP over IPC, name is the name of the socket, and no port
Jan F. Chadima 69dd72
+is required, nor allowed; note that directory separators must be 
Jan F. Chadima 69dd72
+URL-encoded, like any other characters that are special to URLs; 
Jan F. Chadima 69dd72
+A space separated list of URIs may be provided.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm Base
Jan F. Chadima 69dd72
+Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
Jan F. Chadima 69dd72
+The base must be specified as a DN in LDAP format.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm BindDN
Jan F. Chadima 69dd72
+Specifies the default BIND DN to use when connecting to the ldap server.
Jan F. Chadima 69dd72
+The bind DN must be specified as a Distinguished Name in LDAP format.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm BindPW
Jan F. Chadima 69dd72
+Specifies the default password to use when connecting to the ldap server via
Jan F. Chadima 69dd72
+.Cm BindDN .
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm RootBindDN
Jan F. Chadima 69dd72
+Intentionaly does nothing. Recognized for compatibility reasons.
Jan F. Chadima 69dd72
+.It Cm Host
Jan F. Chadima 69dd72
+The argument(s) specifies the name(s) of an LDAP server(s) to which the
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+should connect.  Each server's name can be specified as a
Jan F. Chadima 69dd72
+domain-style name or an IP address and optionally followed by a ':' and
Jan F. Chadima 69dd72
+the port number the ldap server is listening on.  A space-separated
Jan F. Chadima 69dd72
+list of hosts may be provided.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.Cm Host
Jan F. Chadima 69dd72
+is deprecated in favor of
Jan F. Chadima 69dd72
+.Cm URI .
Jan F. Chadima 69dd72
+.It Cm Port
Jan F. Chadima 69dd72
+Specifies the default port used when connecting to LDAP servers(s).
Jan F. Chadima 69dd72
+The port may be specified as a number.
Jan F. Chadima 69dd72
+The default port is 389 for ldap:// or 636 for ldaps:// respectively.
Jan F. Chadima 69dd72
+.Cm Port
Jan F. Chadima 69dd72
+is deprecated in favor of
Jan F. Chadima 69dd72
+.Cm URI .
Jan F. Chadima 69dd72
+.It Cm Scope
Jan F. Chadima 69dd72
+Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
Jan F. Chadima 69dd72
+There are three options (values) that can be assigned to the
Jan F. Chadima 69dd72
+.Cm Scope parameter:
Jan F. Chadima 69dd72
+.Dq base ,
Jan F. Chadima 69dd72
+.Dq one
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq subtree .
Jan F. Chadima 69dd72
+Alias for the subtree is
Jan F. Chadima 69dd72
+.Dq sub .
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq base
Jan F. Chadima 69dd72
+is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq one
Jan F. Chadima 69dd72
+is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq subtree
Jan F. Chadima 69dd72
+is used to indicate searching of all entries at all levels under and including the specified base DN.
Jan F. Chadima 69dd72
+The default is
Jan F. Chadima 69dd72
+.Dq subtree .
Jan F. Chadima 69dd72
+.It Cm Deref
Jan F. Chadima 69dd72
+Specifies how alias dereferencing is done when performing a search. There are four
Jan F. Chadima 69dd72
+possible values that can be assigned to the
Jan F. Chadima 69dd72
+.Cm Deref
Jan F. Chadima 69dd72
+parameter:
Jan F. Chadima 69dd72
+.Dq never ,
Jan F. Chadima 69dd72
+.Dq searching ,
Jan F. Chadima 69dd72
+.Dq finding ,
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq always .
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq never
Jan F. Chadima 69dd72
+means that the aliases are never dereferenced.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq searching
Jan F. Chadima 69dd72
+means that the aliases are dereferenced in subordinates of the base object, but
Jan F. Chadima 69dd72
+not in locating the base object of the search.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq finding
Jan F. Chadima 69dd72
+means that the aliases are only dereferenced when locating the base object of the search.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq always
Jan F. Chadima 69dd72
+means that the aliases are dereferenced both in searching and in locating the base object
Jan F. Chadima 69dd72
+of the search.
Jan F. Chadima 69dd72
+The default is
Jan F. Chadima 69dd72
+.Dq never .
Jan F. Chadima 69dd72
+.It Cm TimeLimit
Jan F. Chadima 69dd72
+Specifies a time limit (in seconds) to use when performing searches.
Jan F. Chadima 69dd72
+The number should be a non-negative integer. A
Jan F. Chadima 69dd72
+.Cm TimeLimit
Jan F. Chadima 69dd72
+of zero (0) specifies that the search time is unlimited. Please note that the server
Jan F. Chadima 69dd72
+may still apply any server-side limit on the duration of a search operation.
Jan F. Chadima 69dd72
+The default value is 10.
Jan F. Chadima 69dd72
+.It Cm TimeOut
Jan F. Chadima 69dd72
+Is an aliast to
Jan F. Chadima 69dd72
+.Cm TimeLimit .
Jan F. Chadima 69dd72
+.It Cm Bind_TimeLimit
Jan F. Chadima 69dd72
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
Jan F. Chadima 69dd72
+following a connect(2) returns in case of no activity.
Jan F. Chadima 69dd72
+The default value is 10.
Jan F. Chadima 69dd72
+.It Cm Network_TimeOut
Jan F. Chadima 69dd72
+Is an alias to
Jan F. Chadima 69dd72
+.Cm Bind_TimeLimit .
Jan F. Chadima 69dd72
+.It Cm Ldap_Version
Jan F. Chadima 69dd72
+Specifies what version of the LDAP protocol should be used.
Jan F. Chadima 69dd72
+The allowed values are 2 or 3. The default is 3.
Jan F. Chadima 69dd72
+.It Cm Version
Jan F. Chadima 69dd72
+Is an alias to
Jan F. Chadima 69dd72
+.Cm Ldap_Version .
Jan F. Chadima 69dd72
+.It Cm Bind_Policy
Jan F. Chadima 69dd72
+Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
Jan F. Chadima 69dd72
+.Dq hard
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq soft.
Jan F. Chadima 69dd72
+.Dq hard has 2 aliases
Jan F. Chadima 69dd72
+.Dq hard_open
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq hard_init .
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq hard
Jan F. Chadima 69dd72
+means that reconects that the
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq soft
Jan F. Chadima 69dd72
+means that
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+fails immediately when it cannot connect to the LDAP seerver.
Jan F. Chadima 69dd72
+The deault is
Jan F. Chadima 69dd72
+.Dq hard .
Jan F. Chadima 69dd72
+.It Cm SSLPath
Jan F. Chadima 69dd72
+Specifies the path to the X.509 certificate database.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm SSL
Jan F. Chadima 69dd72
+Specifies whether to use SSL/TLS or not.
Jan F. Chadima 69dd72
+There are three allowed values:
Jan F. Chadima 69dd72
+.Dq yes ,
Jan F. Chadima 69dd72
+.Dq no
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq start_tls
Jan F. Chadima 69dd72
+Both
Jan F. Chadima 69dd72
+.Dq true
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq on
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq yes .
Jan F. Chadima 69dd72
+.Dq false
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq off
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+If
Jan F. Chadima 69dd72
+.Dq start_tls
Jan F. Chadima 69dd72
+is specified then StartTLS is used rather than raw LDAP over SSL.
Jan F. Chadima 69dd72
+The default for ldap:// is
Jan F. Chadima 69dd72
+.Dq start_tls ,
Jan F. Chadima 69dd72
+for ldaps://
Jan F. Chadima 69dd72
+.Dq yes
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq no
Jan F. Chadima 69dd72
+for the ldapi:// .
Jan F. Chadima 69dd72
+In case of host based configuration the default is
Jan F. Chadima 69dd72
+.Dq start_tls .
Jan F. Chadima 69dd72
+.It Cm Referrals
Jan F. Chadima 69dd72
+Specifies if the client should automatically follow referrals returned
Jan F. Chadima 69dd72
+by LDAP servers.
Jan F. Chadima 69dd72
+The value can be or
Jan F. Chadima 69dd72
+.Dq yes
Jan F. Chadima 69dd72
+or
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+.Dq true
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq on
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq yes .
Jan F. Chadima 69dd72
+.Dq false
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq off
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+The default is yes.
Jan F. Chadima 69dd72
+.It Cm Restart
Jan F. Chadima 69dd72
+Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
Jan F. Chadima 69dd72
+The value can be or
Jan F. Chadima 69dd72
+.Dq yes
Jan F. Chadima 69dd72
+or
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+.Dq true
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq on
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq yes .
Jan F. Chadima 69dd72
+.Dq false
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq off
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq no .
Jan F. Chadima 69dd72
+The default is yes.
Jan F. Chadima 69dd72
+.It Cm TLS_CheckPeer
Jan F. Chadima 69dd72
+Specifies what checks to perform on server certificates in a TLS session,
Jan F. Chadima 69dd72
+if any. The value
Jan F. Chadima 69dd72
+can be specified as one of the following keywords:
Jan F. Chadima 69dd72
+.Dq never ,
Jan F. Chadima 69dd72
+.Dq hard ,
Jan F. Chadima 69dd72
+.Dq demand ,
Jan F. Chadima 69dd72
+.Dq allow
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq try .
Jan F. Chadima 69dd72
+.Dq true ,
Jan F. Chadima 69dd72
+.Dq on
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq yes
Jan F. Chadima 69dd72
+are aliases for
Jan F. Chadima 69dd72
+.Dq hard .
Jan F. Chadima 69dd72
+.Dq false ,
Jan F. Chadima 69dd72
+.Dq off
Jan F. Chadima 69dd72
+and
Jan F. Chadima 69dd72
+.Dq no
Jan F. Chadima 69dd72
+are the aliases for
Jan F. Chadima 69dd72
+.Dq never .
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq never
Jan F. Chadima 69dd72
+means that the client will not request or check any server certificate.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq allow
Jan F. Chadima 69dd72
+means that the server certificate is requested. If no certificate is provided,
Jan F. Chadima 69dd72
+the session proceeds normally. If a bad certificate is provided, it will
Jan F. Chadima 69dd72
+be ignored and the session proceeds normally.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq try
Jan F. Chadima 69dd72
+means that the server certificate is requested. If no certificate is provided,
Jan F. Chadima 69dd72
+the session proceeds normally. If a bad certificate is provided,
Jan F. Chadima 69dd72
+the session is immediately terminated.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq demand
Jan F. Chadima 69dd72
+means that the server certificate is requested. If no
Jan F. Chadima 69dd72
+certificate is provided, or a bad certificate is provided, the session
Jan F. Chadima 69dd72
+is immediately terminated.
Jan F. Chadima 69dd72
+The value
Jan F. Chadima 69dd72
+.Dq hard
Jan F. Chadima 69dd72
+is the same as
Jan F. Chadima 69dd72
+.Dq demand .
Jan F. Chadima 69dd72
+It requires an SSL connection. In the case of the plain conection the
Jan F. Chadima 69dd72
+session is immediately terminated.
Jan F. Chadima 69dd72
+The default is
Jan F. Chadima 69dd72
+.Dq hard .
Jan F. Chadima 69dd72
+.It Cm TLS_ReqCert
Jan F. Chadima 69dd72
+Is an alias for 
Jan F. Chadima 69dd72
+.Cm TLS_CheckPeer .
Jan F. Chadima 69dd72
+.It Cm TLS_CACertFile
Jan F. Chadima 69dd72
+Specifies the file that contains certificates for all of the Certificate
Jan F. Chadima 69dd72
+Authorities the client will recognize.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm TLS_CACert
Jan F. Chadima 69dd72
+Is an alias for
Jan F. Chadima 69dd72
+.Cm TLS_CACertFile .
Jan F. Chadima 69dd72
+.It Cm TLS_CACertDIR
Jan F. Chadima 69dd72
+Specifies the path of a directory that contains Certificate Authority
Jan F. Chadima 69dd72
+certificates in separate individual files. The
Jan F. Chadima 69dd72
+.Cm TLS_CACert
Jan F. Chadima 69dd72
+is always used before
Jan F. Chadima 69dd72
+.Cm TLS_CACertDir .
Jan F. Chadima 69dd72
+The specified directory must be managed with the OpenSSL c_rehash utility.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm TLS_Ciphers
Jan F. Chadima 69dd72
+Specifies acceptable cipher suite and preference order.
Jan F. Chadima 69dd72
+The value should be a cipher specification for OpenSSL,
Jan F. Chadima 69dd72
+e.g.,
Jan F. Chadima 69dd72
+.Dq HIGH:MEDIUM:+SSLv2 .
Jan F. Chadima 69dd72
+The default is
Jan F. Chadima 69dd72
+.Dq ALL .
Jan F. Chadima 69dd72
+.It Cm TLS_Cipher_Suite
Jan F. Chadima 69dd72
+Is an alias for
Jan F. Chadima 69dd72
+.Cm TLS_Ciphers .
Jan F. Chadima 69dd72
+.It Cm TLS_Cert
Jan F. Chadima 69dd72
+Specifies the file that contains the client certificate.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm TLS_Certificate
Jan F. Chadima 69dd72
+Is an alias for
Jan F. Chadima 69dd72
+.Cm TLS_Cert .
Jan F. Chadima 69dd72
+.It Cm TLS_Key
Jan F. Chadima 69dd72
+Specifies the file that contains the private key that matches the certificate
Jan F. Chadima 69dd72
+stored in the
Jan F. Chadima 69dd72
+.Cm TLS_Cert
Jan F. Chadima 69dd72
+file. Currently, the private key must not be protected with a password, so
Jan F. Chadima 69dd72
+it is of critical importance that the key file is protected carefully.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm TLS_RandFile
Jan F. Chadima 69dd72
+Specifies the file to obtain random bits from when /dev/[u]random is
Jan F. Chadima 69dd72
+not available. Generally set to the name of the EGD/PRNGD socket.
Jan F. Chadima 69dd72
+The environment variable RANDFILE can also be used to specify the filename.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm LogDir
Jan F. Chadima 69dd72
+Specifies the directory used for logging by the LDAP client library.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm Debug
Jan F. Chadima 69dd72
+Specifies the debug level used for logging by the LDAP client library.
Jan F. Chadima 69dd72
+There is no default.
Jan F. Chadima 69dd72
+.It Cm SSH_Filter
Jakub Jelen 3bc8b8
+Specifies the user filter applied on the LDAP search.
Jan F. Chadima 69dd72
+The default is no filter.
Petr Lautrbach e6dbb8
+.It Cm AccountClass
Petr Lautrbach e6dbb8
+Specifies the LDAP class used to find user accounts.
Petr Lautrbach e6dbb8
+The default is posixAccount.
Jakub Jelen 3bc8b8
+.It Cm search_format
Jakub Jelen 3bc8b8
+Specifies the user format of search string in LDAP substituting %u for user name
Jakub Jelen 3bc8b8
+and %f for additional ssh filter
Jakub Jelen 3bc8b8
+.Cm SSH_Filter
Jakub Jelen 3bc8b8
+(optional).
Jakub Jelen 3bc8b8
+The default value is (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
Jan F. Chadima 69dd72
+.El
Jan F. Chadima 69dd72
+.Sh FILES
Jan F. Chadima 69dd72
+.Bl -tag -width Ds
Jan F. Chadima 69dd72
+.It Pa  /etc/ssh/ldap.conf
Jan F. Chadima 69dd72
+Ldap configuration file for
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8 .
Jan F. Chadima 69dd72
+.El
Jan F. Chadima 69dd72
+.Sh "SEE ALSO"
Jan F. Chadima 69dd72
+.Xr ldap.conf 5 ,
Jan F. Chadima 69dd72
+.Xr ssh-ldap-helper 8
Jan F. Chadima 69dd72
+.Sh HISTORY
Jan F. Chadima 69dd72
+.Nm
Jan F. Chadima 69dd72
+first appeared in
Jan F. Chadima 69dd72
+OpenSSH 5.5 + PKA-LDAP .
Jan F. Chadima 69dd72
+.Sh AUTHORS
Jan F. Chadima 69dd72
+.An Jan F. Chadima Aq jchadima@redhat.com
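Review bot: the search_format entry documents only %u and %f, but the default it prints, `(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)`, also uses %c, which from the AccountClass entry just above (default posixAccount) appears to be the account-class substitution; add a sentence saying what %c expands to, since anyone overriding search_format has to know it. Two further points in the same hunk. The TLS_Ciphers example `HIGH:MEDIUM:+SSLv2` and the documented default of ALL both steer administrators toward weak cipher lists on the connection that carries the bind password and the users' authorized keys; use an example without the SSLv2 suffix and say that the ALL default should be narrowed in production. The BindPW entry documents a cleartext password in /etc/ssh/ldap.conf without saying the file must have restrictive permissions; the TLS_Key entry already carries that kind of warning, so mirror it. Minor mdoc and spelling fixes: `.Dq hard has 2 aliases` and the similar ".Cm Scope parameter:" put the trailing words inside the macro argument (move them to the next line), ".Dq soft." should end in " ." so the period is not quoted, ".Dq start_tls" in the SSL entry needs a closing " ." before "Both", "The value can be or" should read "either" (Referrals and Restart), and "Intentionaly", "aliast", "means that reconects that the", "seerver", "deault", "conection" and the lowercase month in "$Mdocdate: may 12 2010 $" all need correcting.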
Jakub Jelen 09ca6e
diff --git a/openssh-lpk-openldap.ldif b/openssh-lpk-openldap.ldif
Jakub Jelen 09ca6e
new file mode 100644
Jakub Jelen 09ca6e
index 0000000..9adf4b8
Jakub Jelen 09ca6e
--- /dev/null
Jakub Jelen 09ca6e
+++ b/openssh-lpk-openldap.ldif
Jakub Jelen 09ca6e
@@ -0,0 +1,19 @@
Jakub Jelen 09ca6e
+#
Jakub Jelen 09ca6e
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jakub Jelen 09ca6e
+#                              useful with PKA-LDAP also
Jakub Jelen 09ca6e
+#
Jakub Jelen 09ca6e
+# Author: Eric AUGE <eau@phear.org>
Jakub Jelen 09ca6e
+#
Jakub Jelen 09ca6e
+# LDIF for openLDAP Directory Server.
Jakub Jelen 09ca6e
+# Based on the original schema, modified by Jakub Jelen.
Jakub Jelen 09ca6e
+#
Jakub Jelen 09ca6e
+
Jakub Jelen 09ca6e
+dn: cn=openssh-lpk,cn=schema,cn=config
Jakub Jelen 09ca6e
+objectClass: olcSchemaConfig
Jakub Jelen 09ca6e
+cn: openssh-lpk
Jakub Jelen 09ca6e
+olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13
Jakub Jelen 09ca6e
+  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
Jakub Jelen 09ca6e
+  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jakub Jelen 09ca6e
+olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0
Jakub Jelen 09ca6e
+  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
Jakub Jelen 09ca6e
+  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
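Review bot: `MUST ( sshPublicKey $ uid )` in the ldapPublicKey definition makes every entry carrying the objectclass require at least one sshPublicKey value, so deleting a user's last key (the natural way to revoke SSH access) fails with an object class violation unless the objectclass is removed in the same modify; either document that in HOWTO.ldap-keys or make sshPublicKey a MAY attribute if an account without keys is meant to remain valid. Also, `EQUALITY octetStringMatch` with the Octet String syntax means any search on sshPublicKey is an exact byte comparison (no substring or case-insensitive matching), which is right for key material but worth a comment because the stored value includes the free-form key comment field.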
Jakub Jelen 09ca6e
diff --git a/openssh-lpk-sun.ldif b/openssh-lpk-sun.ldif
Jakub Jelen 09ca6e
new file mode 100644
Jakub Jelen 09ca6e
index 0000000..9adf4b8
Jakub Jelen 09ca6e
--- /dev/null
Jakub Jelen 09ca6e
+++ b/openssh-lpk-sun.ldif
Jakub Jelen 09ca6e
@@ -0,0 +1,17 @@
Jakub Jelen 09ca6e
+#
Jakub Jelen 09ca6e
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jakub Jelen 09ca6e
+#                              useful with PKA-LDAP also
Jakub Jelen 09ca6e
+#
Jakub Jelen 09ca6e
+# Author: Eric AUGE <eau@phear.org>
Jakub Jelen 09ca6e
+#
Jakub Jelen 09ca6e
+# LDIF for Sun Directory Server.
Jakub Jelen 09ca6e
+# Based on the original schema, modified by Jakub Jelen.
Jakub Jelen 09ca6e
+#
Jakub Jelen 09ca6e
+
Jakub Jelen 09ca6e
+dn: cn=schema
Jakub Jelen 09ca6e
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
Jakub Jelen 09ca6e
+  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
Jakub Jelen 09ca6e
+  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jakub Jelen 09ca6e
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
Jakub Jelen 09ca6e
+  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
Jakub Jelen 09ca6e
+  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
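Review bot: this LDIF has no `changetype: modify` / `add: attributeTypes` lines, so it cannot be applied to the pre-existing `cn=schema` entry of a Sun/389-style directory with ldapmodify, and ldapadd would fail because the entry already exists; unlike the OpenLDAP file above, which creates a new `cn=openssh-lpk,cn=schema,cn=config` entry, this one extends an existing entry and needs the modify form (`changetype: modify`, `add: attributeTypes`, a `-` separator, then `add: objectClasses`). Separately, the file header shows the same blob id `index 0000000..9adf4b8` as openssh-lpk-openldap.ldif although the two contents differ, so this diff was hand-edited rather than generated; regenerate it from git so the index lines are real.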