Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/HOWTO.ldap-keys.ldap openssh-6.8p1/HOWTO.ldap-keys
--- openssh-6.8p1/HOWTO.ldap-keys.ldap 2015-03-18 11:11:29.029801467 +0100
+++ openssh-6.8p1/HOWTO.ldap-keys 2015-03-18 11:11:29.029801467 +0100
@@ -0,0 +1,122 @@
+
+HOW TO START
+
+1) configure LDAP server
+ * Use LDAP server documentation
+2) add appropriate LDAP schema
+ * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
+ * LDAP user entry
+ User entry:
+ - attached to the 'ldapPublicKey' objectclass
+ - attached to the 'posixAccount' objectclass
+ - with a filled 'sshPublicKey' attribute
+3) insert users into LDAP
+ * Use LDAP Tree management tool as useful
+ * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
+ * Example:
+ dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
+ objectclass: top
+ objectclass: person
+ objectclass: organizationalPerson
+ objectclass: posixAccount
+ objectclass: ldapPublicKey
+ description: Jonathan Archer
+ userPassword: Porthos
+ cn: onathan Archer
+ sn: onathan Archer
+ uid: captain
+ uidNumber: 1001
+ gidNumber: 1001
+ homeDirectory: /home/captain
+ sshPublicKey: ssh-rss AAAAB3.... =captain@universe
+ sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
+4) on the ssh side set in sshd_config
+ * Set up the backend
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
+ AuthorizedKeysCommandUser <appropriate user to run LDAP>
+ * Do not forget to set
+ PubkeyAuthentication yes
+ * Swith off unnecessary auth methods
+5) confugure ldap.conf
+ * Default ldap.conf is placed in /etc/ssh
+ * The configuration style is the same as other ldap based aplications
+6) if necessary edit ssh-ldap-wrapper
+ * There is a possibility to change ldap.conf location
+ * There are some debug options
+ * Example
+ /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
+7) Configure SELinux boolean which allows ldap-helper to bind ldap server
+ Run this command
+ # setsebool -P authlogin_nsswitch_use_ldap on
+
+HOW TO MIGRATE FROM LPK
+
+1) goto HOW TO START 4) .... the ldap schema is the same
+
+2) convert the group requests to the appropriate LDAP requests
+
+HOW TO SOLVE PROBLEMS
+
+1) use debug in sshd
+ * /usr/sbin/sshd -d -d -d -d
+2) use debug in ssh-ldap-helper
+ * ssh-ldap-helper -d -d -d -d -s <username>
+3) use tcpdump ... other ldap client etc.
+
+HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
+
+You can adjust search format string in /etc/ldap.conf using
+ 1) SSH_Filter option to limit results for only specified users
+ (this appends search condition after original query)
+ 2) Search_Format option to define your own search string using expansion
+ characters %u for username, %c for objectclass and %f for above mentioned filter.
+
+Example:
+Search_Format (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
+
+ADVANTAGES
+
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
+
+DISADVANTAGES
+
+1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
+ allows write to users dn, somebody could replace some user's public key by his own and impersonate some
+ of your users in all your server farm -- be VERY CAREFUL.
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
+ as the impersonated user.
+3) If LDAP server is down there may be no fallback on passwd auth.
+
+MISC.
+
+1) todo
+ * Possibility to reuse the ssh-ldap-helper.
+ * Tune the LDAP part to accept all possible LDAP configurations.
+
+2) differences from original lpk
+ * No LDAP code in sshd.
+ * Support for various LDAP platforms and configurations.
+ * LDAP is configured in separate ldap.conf file.
+
+3) docs/link
+ * http://pacsec.jp/core05/psj05-barisani-en.pdf
+ * http://fritz.potsdam.edu/projects/openssh-lpk/
+ * http://fritz.potsdam.edu/projects/sshgate/
+ * http://dev.inversepath.com/trac/openssh-lpk
+ * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+
+4) contributors/ideas/greets
+ - Eric AUGE <eau@phear.org>
+ - Andrea Barisani <andrea@inversepath.com>
+ - Falk Siemonsmeier.
+ - Jacob Rief.
+ - Michael Durchgraf.
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
+ - Robin H. Johnson.
+ - Adrian Bridgett.
+
+5) Author
+ Jan F. Chadima <jchadima@redhat.com>
+
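Review bot: the debugging example in step 6, `/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt`, names the libexec directory rather than the helper binary, and `-s` takes a username argument per the `usage()` text in ldap-helper.c; it should read `/usr/libexec/openssh/ssh-ldap-helper -s <username> -f /etc/ldap.conf -w -d`. Appending that output to a file under /tmp also leaves directory lookups and, at the highest verbosity, the `dump_config()` output readable by every local user; a root-only path is the safer suggestion. In the LDIF example the key type `ssh-rss` does not exist (`ssh-rsa`), `cn: onathan Archer` / `sn: onathan Archer` drop the initial letter of the name given in `description`, and `command="kill -9 1"` is an unfortunate illustration of the command= option since it targets init. Under HOW TO SOLVE PROBLEMS, `ssh-ldap-helper -d -d -d -d` does not raise verbosity: in the getopt loop of ldap-helper.c `-d` only sets `config_debug = 1`, while repeated `-v` increments `config_verbose`, so the example should use `-v -v -v`. Minor spelling: 'additionnal', 'Swith', 'confugure', 'aplications'.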
diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ldap 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:13:10.147561177 +0100
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -50,6 +50,7 @@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
+LDAPLIBS=@LDAPLIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@

-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)

LIBOPENSSH_OBJS=\
ssh_api.o \
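Review bot: `ssh-ldap-helper$(EXEEXT)` is appended to TARGETS unconditionally, while installation later in this patch is guarded by `INSTALL_SSH_LDAP_HELPER` and `LDAPLIBS` is only populated when configure is run with `--with-ldap`; a plain build will therefore try to compile and link ldapconf.o, ldapbody.o, ldapmisc.o and ldap-helper.o with no LDAP headers or libraries available. Suggest having configure substitute the extra target (an empty variable when LDAP is off) and appending that to TARGETS, so build and install are gated by the same switch.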
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o

-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
MANTYPE = @MANTYPE@

CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)

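Review bot: the ssh-ldap-helper link line hard-codes `-lfipscheck`, which has nothing to do with LDAP and is not probed anywhere in the configure.ac changes of this patch, so the link step fails on a host without libfipscheck even though configure succeeded; either add a configure check that feeds a substituted variable or drop the library from this rule. The doubled `-lssh -lopenbsd-compat` pair matches the ssh-pkcs11-helper rule above, so that part is consistent.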
@@ -311,6 +317,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ fi
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
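Review bot: ssh-ldap-helper and ssh-ldap-wrapper are installed with mode 0700, but sshd executes AuthorizedKeysCommand as the unprivileged account named by `AuthorizedKeysCommandUser` (HOWTO.ldap-keys step 4), and that account cannot execute a root-owned 0700 file; sshd only requires the command to be root-owned and not group/other-writable, so 0755 is the mode that actually works for the wrapper. Separately, the helper is installed as `$(DESTDIR)$(SSH_LDAP_HELPER)` without `$(EXEEXT)` while the `uninstall` rule in this patch removes `$(SSH_LDAP_HELPER)$(EXEEXT)`, so the two disagree on platforms with a non-empty EXEEXT; both should use the same form as the ssh-pkcs11-helper line above.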
@@ -327,6 +337,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
+ fi

install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
@@ -356,6 +370,13 @@ install-sysconf:
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+ if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
+ $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
+ else \
+ echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
+ fi ; \
+ fi

host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
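Review bot: ldap.conf is installed world-readable (`-m 644`), yet the HOWTO says it follows the same format as other ldap-based applications, where the search account's bind password lives in the same file; once an administrator adds one, every local user can read it. Since the helper reads the file as `AuthorizedKeysCommandUser` (default path `/etc/ssh/ldap.conf` in ldap-helper.c), installing it 0600 and owned by that account, or at least stating in HOWTO.ldap-keys that the mode must be tightened when a bind password is configured, would close that gap. The 'already exists, install will not overwrite' branch mirrors the moduli handling directly above, which is the right pattern.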
@@ -419,6 +440,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -430,6 +453,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8

regress-prep:
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
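Review bot: `uninstall` removes ssh-ldap-helper.8 but not ssh-ldap.conf.5, which the install-files hunk earlier in this patch places in `$(mandir)/$(mansubdir)5`; add `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5` next to this line so both added manual pages are cleaned up.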
diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100
@@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then
fi
fi

+# Check whether user wants LDAP support
+LDAP_MSG="no"
+INSTALL_SSH_LDAP_HELPER=""
+AC_ARG_WITH(ldap,
+ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+
+ INSTALL_SSH_LDAP_HELPER="yes"
+ CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
+
+ if test "x$withval" != "xyes" ; then
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ LDFLAGS="$LDFLAGS -L${withval}/lib"
+ fi
+
+ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
+ LDAP_MSG="yes"
+
+ AC_CHECK_HEADERS(lber.h)
+ AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
+ AC_CHECK_HEADERS(ldap_ssl.h)
+
+ AC_ARG_WITH(ldap-lib,
+ [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+
+ if test -z "$with_ldap_lib"; then
+ with_ldap_lib=auto
+ fi
+
+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
+ AC_CHECK_LIB(lber, main, LDAPLIBS="-llber $LDAPLIBS" found_ldap_lib=yes)
+ AC_CHECK_LIB(ldap, main, LDAPLIBS="-lldap $LDAPLIBS" found_ldap_lib=yes)
+ fi
+
+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
+ AC_CHECK_LIB(ldap50, main, LDAPLIBS="-lldap50 -lssldap50 -lssl3 -lprldap50 -lplc4 -lplds4 $LDAPLIBS" found_ldap_lib=yes)
+ fi
+
+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
+ AC_CHECK_LIB(ldapssl41, main, LDAPLIBS="-lldapssl41 -lplc3 -lplds3 $LDAPLIBS" found_ldap_lib=yes)
+ if test -z "$found_ldap_lib"; then
+ AC_CHECK_LIB(ldapssl40, main, LDAPLIBS="-lldapssl40 $LDAPLIBS" found_ldap_lib=yes)
+ fi
+ if test -z "$found_ldap_lib"; then
+ AC_CHECK_LIB(ldap41, main, LDAPLIBS="-lldap41 $LDAPLIBS" found_ldap_lib=yes)
+ fi
+ if test -z "$found_ldap_lib"; then
+ AC_CHECK_LIB(ldap40, main, LDAPLIBS="-lldap40 $LDAPLIBS" found_ldap_lib=yes)
+ fi
+ fi
+
+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
+ AC_CHECK_LIB(ldapssl30, main, LDAPLIBS="-lldapssl30 $LDAPLIBS" found_ldap_lib=yes)
+ fi
+
+ if test -z "$found_ldap_lib"; then
+ AC_MSG_ERROR(could not locate a valid LDAP library)
+ fi
+
+ saved_LIBS="$LIBS"
+ LIBS="$LIBS $LDAPLIBS"
+ AC_MSG_CHECKING([for working LDAP support])
+ AC_TRY_COMPILE(
+ [#include <sys/types.h>
+ #include <ldap.h>],
+ [(void)ldap_init(0, 0);],
+ [AC_MSG_RESULT(yes)],
+ [
+ AC_MSG_RESULT(no)
+ AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
+ ])
+ AC_CHECK_FUNCS( \
+ ldap_init \
+ ldap_get_lderrno \
+ ldap_set_lderrno \
+ ldap_parse_result \
+ ldap_memfree \
+ ldap_controls_free \
+ ldap_set_option \
+ ldap_get_option \
+ ldapssl_init \
+ ldap_start_tls_s \
+ ldap_pvt_tls_set_option \
+ ldap_initialize \
+ )
+ AC_CHECK_FUNCS(ldap_set_rebind_proc,
+ AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
+ AC_TRY_COMPILE(
+ [#include <lber.h>
+ #include <ldap.h>],
+ [ldap_set_rebind_proc(0, 0, 0);],
+ [ac_cv_ldap_set_rebind_proc=3],
+ [ac_cv_ldap_set_rebind_proc=2])
+ AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
+ AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
+ )
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+AC_SUBST(LDAPLIBS)
+
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
Blowfish_initstate \
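Review bot: the "working LDAP support" probe only compiles a call to `ldap_init`, an API that is reachable here solely because `-DLDAP_DEPRECATED` was added a few lines earlier, while `ldap_initialize`, `ldap_start_tls_s` and `ldap_pvt_tls_set_option` are merely recorded by AC_CHECK_FUNCS and never required; given the MITM caveat in HOWTO.ldap-keys, the TLS entry points are the security-relevant ones, so configure should either fail when they are absent or at least report their absence in the summary next to `+for ldap:`. The `AC_CHECK_LIB(lber, main, ...)` / `AC_CHECK_LIB(ldap, main, ...)` probes test the symbol `main`, which shows only that the library links, not that it provides the LDAP API; probing a real exported function (for example `ber_free` for liblber and `ldap_init` for libldap) is the more robust form. `AC_TRY_COMPILE` is obsolete in current autoconf and will warn under autoupdate; `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([...], [...])], ...)` is the replacement for both occurrences in this hunk.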
@@ -5227,6 +5352,9 @@
echo "Preprocessor flags: ${CPPFLAGS}"
echo " Linker flags: ${LDFLAGS}"
echo " Libraries: ${LIBS}"
+if test ! -z "${LDAPLIBS}"; then
+echo " +for ldap: ${LDAPLIBS}"
+fi
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
--- openssh-6.8p1/ldap-helper.c.ldap 2015-03-18 11:11:29.030801464 +0100
+++ openssh-6.8p1/ldap-helper.c 2015-03-18 11:11:29.030801464 +0100
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapbody.h"
+#include <string.h>
+#include <unistd.h>
+
+static int config_debug = 0;
+int config_exclusive_config_file = 0;
+static char *config_file_name = "/etc/ssh/ldap.conf";
+static char *config_single_user = NULL;
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
+int config_warning_config_file = 0;
+extern char *__progname;
+
+static void
+usage(void)
+{
+ fprintf(stderr, "usage: %s [options]\n",
+ __progname);
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -d Output the log messages to stderr.\n");
+ fprintf(stderr, " -e Check the config file for unknown commands.\n");
+ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
+ fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
+ fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
+ fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
+ exit(1);
+}
+
+/*
+ * Main program for the ssh pka ldap agent.
+ */
+
+int
+main(int ac, char **av)
+{
+ int opt;
+ FILE *outfile = NULL;
+
+ __progname = ssh_get_progname(av[0]);
+
+ log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+
+ /*
+ * Initialize option structure to indicate that no values have been
+ * set.
+ */
+ initialize_options();
+
+ /* Parse command-line arguments. */
+ while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
+ switch (opt) {
+ case 'd':
+ config_debug = 1;
+ break;
+
+ case 'e':
+ config_exclusive_config_file = 1;
+ config_warning_config_file = 1;
+ break;
+
+ case 'f':
+ config_file_name = optarg;
+ break;
+
+ case 's':
+ config_single_user = optarg;
+ outfile = fdopen (dup (fileno (stdout)), "w");
+ break;
+
+ case 'v':
+ config_debug = 1;
+ if (config_verbose < SYSLOG_LEVEL_DEBUG3)
+ config_verbose++;
+ break;
+
+ case 'w':
+ config_warning_config_file = 1;
+ break;
+
+ case '?':
+ default:
+ usage();
+ break;
+ }
+ }
+
+ /* Initialize loging */
+ log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
+
+ if (ac != optind)
+ fatal ("illegal extra parameter %s", av[1]);
+
+ /* Ensure that fds 0 and 2 are open or directed to /dev/null */
+ if (config_debug == 0)
+ sanitise_stdfd();
+
+ /* Read config file */
+ read_config_file(config_file_name);
+ fill_default_options();
+ if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
+ debug3 ("=== Configuration ===");
+ dump_config();
+ debug3 ("=== *** ===");
+ }
+
+ ldap_checkconfig();
+ ldap_do_connect();
+
+ if (config_single_user) {
+ process_user (config_single_user, outfile);
+ } else {
+ usage();
+ fatal ("Not yet implemented");
+/* TODO
+ * open unix socket a run the loop on it
+ */
+ }
+
+ ldap_do_close();
+ return 0;
+}
+
+/* Ugly hack */
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
|
|
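Review bot: the check after option parsing reports the wrong argument: `if (ac != optind) fatal ("illegal extra parameter %s", av[1]);` prints av[1], which for an invocation such as `-s user extra` is the option `-s`, not the stray word; it should be `av[optind]`. In the `-s` case, `outfile = fdopen (dup (fileno (stdout)), "w");` is neither checked for NULL nor ordered after `sanitise_stdfd()`, so if the caller started the helper with fd 1 closed the dup fails with EBADF and `process_user (config_single_user, outfile);` receives a NULL FILE *; check the result or open outfile once the standard descriptors have been sanitised (the comment above that call also says "fds 0 and 2", while sanitise_stdfd covers 0, 1 and 2). Repeating `-s` leaks the previously dup'd descriptor. The `/* Ugly hack */` stubs, `buffer_get_string` returning NULL and an empty `buffer_put_string`, exist only to satisfy the linker; if any code pulled in from the OpenSSH objects ever reaches them the NULL return is silent, so a `fatal()` body would fail loudly instead. Minor: "Initialize loging" -> "logging".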
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldap-helper.h.ldap 2015-03-18 11:11:29.031801462 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldap-helper.h 2015-03-18 11:11:29.031801462 +0100
|
|
Petr Lautrbach |
94c6f8 |
@@ -0,0 +1,32 @@
|
|
Petr Lautrbach |
94c6f8 |
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
|
Petr Lautrbach |
65ba94 |
+/*
|
|
Petr Lautrbach |
65ba94 |
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
|
Petr Lautrbach |
65ba94 |
+ *
|
|
Petr Lautrbach |
65ba94 |
+ * Redistribution and use in source and binary forms, with or without
|
|
Petr Lautrbach |
65ba94 |
+ * modification, are permitted provided that the following conditions
|
|
Petr Lautrbach |
65ba94 |
+ * are met:
|
|
Petr Lautrbach |
65ba94 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
Petr Lautrbach |
65ba94 |
+ * notice, this list of conditions and the following disclaimer.
|
|
Petr Lautrbach |
65ba94 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
Petr Lautrbach |
65ba94 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
Petr Lautrbach |
65ba94 |
+ * documentation and/or other materials provided with the distribution.
|
|
Petr Lautrbach |
65ba94 |
+ *
|
|
Petr Lautrbach |
65ba94 |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
Petr Lautrbach |
65ba94 |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
Petr Lautrbach |
65ba94 |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
Petr Lautrbach |
65ba94 |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
Petr Lautrbach |
65ba94 |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
Petr Lautrbach |
65ba94 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
Petr Lautrbach |
65ba94 |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
Petr Lautrbach |
65ba94 |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
Petr Lautrbach |
65ba94 |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
Petr Lautrbach |
65ba94 |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
Petr Lautrbach |
65ba94 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#ifndef LDAP_HELPER_H
|
|
Petr Lautrbach |
94c6f8 |
+#define LDAP_HELPER_H
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+extern int config_exclusive_config_file;
|
|
Petr Lautrbach |
94c6f8 |
+extern int config_warning_config_file;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* LDAP_HELPER_H */
|
|
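Review bot: the `$OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $` tag claims an OpenBSD CVS origin for a file that is local to this patch (the copyright line below names Jan F. Chadima, and the identical tag text is reused in ldapbody.c), so it should be dropped rather than carried as if upstream tracked the file. Beyond that the header exports only `config_exclusive_config_file` and `config_warning_config_file`; a one-line comment on what each flag means would help, since the `-e` case in ldap-helper.c sets both and `-w` only the second, and nothing else documents the difference.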
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldap.conf.ldap openssh-6.8p1/ldap.conf
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldap.conf.ldap 2015-03-18 11:11:29.031801462 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldap.conf 2015-03-18 11:11:29.031801462 +0100
|
|
Jakub Jelen |
3bc8b8 |
@@ -0,0 +1,95 @@
|
|
Petr Lautrbach |
94c6f8 |
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
|
Petr Lautrbach |
94c6f8 |
+#
|
|
Petr Lautrbach |
94c6f8 |
+# This is the example configuration file for the OpenSSH
|
|
Petr Lautrbach |
94c6f8 |
+# LDAP backend
|
|
Petr Lautrbach |
94c6f8 |
+#
|
|
Petr Lautrbach |
94c6f8 |
+# see ssh-ldap.conf(5)
|
|
Petr Lautrbach |
94c6f8 |
+#
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# URI with your LDAP server name. This allows to use
|
|
Petr Lautrbach |
94c6f8 |
+# Unix Domain Sockets to connect to a local LDAP Server.
|
|
Petr Lautrbach |
94c6f8 |
+#uri ldap://127.0.0.1/
|
|
Petr Lautrbach |
94c6f8 |
+#uri ldaps://127.0.0.1/
|
|
Petr Lautrbach |
94c6f8 |
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
|
|
Petr Lautrbach |
94c6f8 |
+# Note: %2f encodes the '/' used as directory separator
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# Another way to specify your LDAP server is to provide an
|
|
Petr Lautrbach |
94c6f8 |
+# host name and the port of our LDAP server. Host name
|
|
Petr Lautrbach |
94c6f8 |
+# must be resolvable without using LDAP.
|
|
Petr Lautrbach |
94c6f8 |
+# Multiple hosts may be specified, each separated by a
|
|
Petr Lautrbach |
94c6f8 |
+# space. How long nss_ldap takes to failover depends on
|
|
Petr Lautrbach |
94c6f8 |
+# whether your LDAP client library supports configurable
|
|
Petr Lautrbach |
94c6f8 |
+# network or connect timeouts (see bind_timelimit).
|
|
Petr Lautrbach |
94c6f8 |
+#host 127.0.0.1
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# The port.
|
|
Petr Lautrbach |
94c6f8 |
+# Optional: default is 389.
|
|
Petr Lautrbach |
94c6f8 |
+#port 389
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# The distinguished name to bind to the server with.
|
|
Petr Lautrbach |
94c6f8 |
+# Optional: default is to bind anonymously.
|
|
Petr Lautrbach |
94c6f8 |
+#binddn cn=openssh_keys,dc=example,dc=org
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# The credentials to bind with.
|
|
Petr Lautrbach |
94c6f8 |
+# Optional: default is no credential.
|
|
Petr Lautrbach |
94c6f8 |
+#bindpw TopSecret
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# The distinguished name of the search base.
|
|
Petr Lautrbach |
94c6f8 |
+#base dc=example,dc=org
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# The LDAP version to use (defaults to 3
|
|
Petr Lautrbach |
94c6f8 |
+# if supported by client library)
|
|
Petr Lautrbach |
94c6f8 |
+#ldap_version 3
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# The search scope.
|
|
Petr Lautrbach |
94c6f8 |
+#scope sub
|
|
Petr Lautrbach |
94c6f8 |
+#scope one
|
|
Petr Lautrbach |
94c6f8 |
+#scope base
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# Search timelimit
|
|
Petr Lautrbach |
94c6f8 |
+#timelimit 30
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# Bind/connect timelimit
|
|
Petr Lautrbach |
94c6f8 |
+#bind_timelimit 30
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# Reconnect policy: hard (default) will retry connecting to
|
|
Petr Lautrbach |
94c6f8 |
+# the software with exponential backoff, soft will fail
|
|
Petr Lautrbach |
94c6f8 |
+# immediately.
|
|
Petr Lautrbach |
94c6f8 |
+#bind_policy hard
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# SSL setup, may be implied by URI also.
|
|
Petr Lautrbach |
94c6f8 |
+#ssl no
|
|
Petr Lautrbach |
94c6f8 |
+#ssl on
|
|
Petr Lautrbach |
94c6f8 |
+#ssl start_tls
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# OpenLDAP SSL options
|
|
Petr Lautrbach |
94c6f8 |
+# Require and verify server certificate (yes/no)
|
|
Petr Lautrbach |
94c6f8 |
+# Default is to use libldap's default behavior, which can be configured in
|
|
Petr Lautrbach |
94c6f8 |
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
|
|
Petr Lautrbach |
94c6f8 |
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
|
|
Petr Lautrbach |
94c6f8 |
+#tls_checkpeer hard
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# CA certificates for server certificate verification
|
|
Petr Lautrbach |
94c6f8 |
+# At least one of these are required if tls_checkpeer is "yes"
|
|
Petr Lautrbach |
94c6f8 |
+#tls_cacertfile /etc/ssl/ca.cert
|
|
Petr Lautrbach |
94c6f8 |
+#tls_cacertdir /etc/pki/tls/certs
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# Seed the PRNG if /dev/urandom is not provided
|
|
Petr Lautrbach |
94c6f8 |
+#tls_randfile /var/run/egd-pool
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# SSL cipher suite
|
|
Petr Lautrbach |
94c6f8 |
+# See man ciphers for syntax
|
|
Petr Lautrbach |
94c6f8 |
+#tls_ciphers TLSv1
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+# Client certificate and key
|
|
Petr Lautrbach |
94c6f8 |
+# Use these, if your server requires client authentication.
|
|
Petr Lautrbach |
94c6f8 |
+#tls_cert
|
|
Petr Lautrbach |
94c6f8 |
+#tls_key
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Jakub Jelen |
3bc8b8 |
+# OpenLDAP search_format
|
|
Jakub Jelen |
3bc8b8 |
+# format used to search for users in LDAP directory using substitution
|
|
Jakub Jelen |
3bc8b8 |
+# for %u for user name and %f for SSH_Filter option (optional, empty by default)
|
|
Jakub Jelen |
3bc8b8 |
+#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
|
|
Jakub Jelen |
3bc8b8 |
+
|
|
Jakub Jelen |
3bc8b8 |
+#AccountClass posixAccount
|
|
Jakub Jelen |
3bc8b8 |
+
|
|
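Review bot: the `#bindpw TopSecret` example stores the bind password in cleartext in this file, and nothing here says the file must be root-owned and mode 0600; add that to the comment (or a pointer to ssh-ldap.conf(5)), because the shipped example is what administrators copy. The search_format comment lists the substitutions as "%u for user name and %f for SSH_Filter", but the example `(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)` also uses `%c`, which is the `AccountClass` value set two lines below; document it. Since `%u` is interpolated directly into an LDAP filter, the comment should also say whether the helper escapes RFC 4515 metacharacters (`*`, `(`, `)`, `\`, NUL) in the login name; otherwise a crafted user name rewrites the filter. `tls_checkpeer` is described as "(yes/no)" but the example value is `hard`; list the accepted values. The `ssl no` and `uri ldap://127.0.0.1/` defaults send the bind password and the fetched keys in cleartext, so the example should lead with `ldaps://` or `ssl start_tls`. Typos: "retry connecting to the software" -> "server"; the `$Id: openssh-5.5p1-ldap.patch` header is stale for a 6.8p1 patch.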
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldapbody.c.ldap 2015-03-18 11:11:29.031801462 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldapbody.c 2015-03-18 11:11:29.031801462 +0100
|
|
Jakub Jelen |
3bc8b8 |
@@ -0,0 +1,493 @@
|
|
Petr Lautrbach |
94c6f8 |
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
|
Petr Lautrbach |
65ba94 |
+/*
|
|
Petr Lautrbach |
65ba94 |
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
|
Petr Lautrbach |
65ba94 |
+ *
|
|
Petr Lautrbach |
65ba94 |
+ * Redistribution and use in source and binary forms, with or without
|
|
Petr Lautrbach |
65ba94 |
+ * modification, are permitted provided that the following conditions
|
|
Petr Lautrbach |
65ba94 |
+ * are met:
|
|
Petr Lautrbach |
65ba94 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
Petr Lautrbach |
65ba94 |
+ * notice, this list of conditions and the following disclaimer.
|
|
Petr Lautrbach |
65ba94 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
Petr Lautrbach |
65ba94 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
Petr Lautrbach |
65ba94 |
+ * documentation and/or other materials provided with the distribution.
|
|
Petr Lautrbach |
65ba94 |
+ *
|
|
Petr Lautrbach |
65ba94 |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
Petr Lautrbach |
65ba94 |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
Petr Lautrbach |
65ba94 |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
Petr Lautrbach |
65ba94 |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
Petr Lautrbach |
65ba94 |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
Petr Lautrbach |
65ba94 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
Petr Lautrbach |
65ba94 |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
Petr Lautrbach |
65ba94 |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
Petr Lautrbach |
65ba94 |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
Petr Lautrbach |
65ba94 |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
Petr Lautrbach |
65ba94 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
65ba94 |
+#include "ldapincludes.h"
|
|
Petr Lautrbach |
65ba94 |
+#include "log.h"
|
|
Petr Lautrbach |
65ba94 |
+#include "xmalloc.h"
|
|
Petr Lautrbach |
65ba94 |
+#include "ldapconf.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include "ldapmisc.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include "ldapbody.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include <stdio.h>
|
|
Petr Lautrbach |
65ba94 |
+#include <unistd.h>
|
|
Jakub Jelen |
3bc8b8 |
+#include "misc.h"
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jakub Jelen |
3bc8b8 |
+#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
|
|
Petr Lautrbach |
94c6f8 |
+#define PUBKEYATTR "sshPublicKey"
|
|
Petr Lautrbach |
94c6f8 |
+#define LDAP_LOGFILE "%s/ldap.%d"
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static FILE *logfile = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+static LDAP *ld;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static char *attrs[] = {
|
|
Petr Lautrbach |
94c6f8 |
+ PUBKEYATTR,
|
|
Petr Lautrbach |
94c6f8 |
+ NULL
|
|
Petr Lautrbach |
94c6f8 |
+};
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void
|
|
Petr Lautrbach |
94c6f8 |
+ldap_checkconfig (void)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef HAVE_LDAP_INITIALIZE
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.host == NULL && options.uri == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.host == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("missing \"host\" in config file");
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
|
|
Petr Lautrbach |
94c6f8 |
+static int
|
|
Petr Lautrbach |
94c6f8 |
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ struct timeval timeout;
|
|
Petr Lautrbach |
94c6f8 |
+ int rc;
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
|
|
Petr Lautrbach |
94c6f8 |
+ LDAPMessage *result;
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ debug2 ("Doing LDAP rebind to %s", options.binddn);
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ssl == SSL_START_TLS) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
|
|
Petr Lautrbach |
94c6f8 |
+ error ("ldap_starttls_s: %s", ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ return LDAP_OPERATIONS_ERROR;
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
|
|
Petr Lautrbach |
94c6f8 |
+ return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Petr Lautrbach |
94c6f8 |
+ if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ timeout.tv_sec = options.bind_timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+ timeout.tv_usec = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ result = NULL;
|
|
Jakub Jelen |
38b67a |
+ if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
|
|
Petr Lautrbach |
94c6f8 |
+ error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_msgfree (result);
|
|
Petr Lautrbach |
94c6f8 |
+ return LDAP_OPERATIONS_ERROR;
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP rebind to %s succesfull", options.binddn);
|
|
Petr Lautrbach |
94c6f8 |
+ return rc;
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static int
|
|
Petr Lautrbach |
94c6f8 |
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ if (freeit)
|
|
Petr Lautrbach |
94c6f8 |
+ return LDAP_SUCCESS;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ *whop = strdup (options.binddn);
|
|
Petr Lautrbach |
94c6f8 |
+ *credp = strdup (options.bindpw);
|
|
Petr Lautrbach |
94c6f8 |
+ *methodp = LDAP_AUTH_SIMPLE;
|
|
Petr Lautrbach |
94c6f8 |
+ debug2 ("Doing LDAP rebind for %s", *whop);
|
|
Petr Lautrbach |
94c6f8 |
+ return LDAP_SUCCESS;
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void
|
|
Petr Lautrbach |
94c6f8 |
+ldap_do_connect(void)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ int rc, msgid, ld_errno = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ struct timeval timeout;
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
|
|
Petr Lautrbach |
94c6f8 |
+ int parserc;
|
|
Petr Lautrbach |
94c6f8 |
+ LDAPMessage *result;
|
|
Petr Lautrbach |
94c6f8 |
+ LDAPControl **controls;
|
|
Petr Lautrbach |
94c6f8 |
+ int reconnect = 0;
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ debug ("LDAP do connect");
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+retry:
|
|
Petr Lautrbach |
94c6f8 |
+ if (reconnect) {
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Reconnecting with ld_errno %d", ld_errno);
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.bind_policy == 0 ||
|
|
Petr Lautrbach |
94c6f8 |
+ (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
|
|
Petr Lautrbach |
94c6f8 |
+ reconnect > 5)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("Cannot connect to LDAP server");
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (reconnect > 1)
|
|
Petr Lautrbach |
94c6f8 |
+ sleep (reconnect - 1);
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (ld != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_unbind (ld);
|
|
Petr Lautrbach |
94c6f8 |
+ ld = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ logit("reconnecting to LDAP server...");
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (ld == NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ int rc;
|
|
Petr Lautrbach |
94c6f8 |
+ struct timeval tv;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef HAVE_LDAP_SET_OPTION
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.debug > 0) {
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef LBER_OPT_LOG_PRINT_FILE
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.logdir) {
|
|
Petr Lautrbach |
94c6f8 |
+ char *logfilename;
|
|
Petr Lautrbach |
94c6f8 |
+ int logfilenamelen;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
|
|
Petr Lautrbach |
94c6f8 |
+ logfilename = xmalloc (logfilenamelen);
|
|
Petr Lautrbach |
94c6f8 |
+ snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
|
|
Petr Lautrbach |
94c6f8 |
+ logfilename[logfilenamelen - 1] = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ if ((logfile = fopen (logfilename, "a")) == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("cannot append to %s: %s", logfilename, strerror (errno));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP debug into %s", logfilename);
|
|
Petr Lautrbach |
94c6f8 |
+ free (logfilename);
|
|
Petr Lautrbach |
94c6f8 |
+ ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.debug) {
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef LBER_OPT_DEBUG_LEVEL
|
|
Petr Lautrbach |
94c6f8 |
+ ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* LBER_OPT_DEBUG_LEVEL */
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef LDAP_OPT_DEBUG_LEVEL
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* LDAP_OPT_DEBUG_LEVEL */
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Set LDAP debug to %d", options.debug);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* HAVE_LDAP_SET_OPTION */
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ ld = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef HAVE_LDAPSSL_INIT
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.host != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ssl_on == SSL_LDAPS) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldapssl_client_init %s", ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAPssl client init");
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ssl_on != SSL_OFF) {
|
|
Jakub Jelen |
38b67a |
+ if ((ld = ldapssl_init (options.host, options.port, 1)) == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldapssl_init failed");
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAPssl init");
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* HAVE_LDAPSSL_INIT */
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* continue with opening */
|
|
Petr Lautrbach |
94c6f8 |
+ if (ld == NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
|
|
Petr Lautrbach |
94c6f8 |
+ /* Some global TLS-specific options need to be set before we create our
|
|
Petr Lautrbach |
94c6f8 |
+ * session context, so we set them here. */
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
|
|
Petr Lautrbach |
94c6f8 |
+ /* rand file */
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.tls_randfile != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_randfile)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Set TLS random file %s", options.tls_randfile);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* ca cert file */
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.tls_cacertfile != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_cacertfile)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* ca cert directory */
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.tls_cacertdir != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_cacertdir)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* require cert? */
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
|
|
Petr Lautrbach |
94c6f8 |
+ &options.tls_checkpeer)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* set cipher suite, certificate and private key: */
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.tls_ciphers != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_ciphers)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* cert file */
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.tls_cert != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_cert)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Set TLS cert file %s ", options.tls_cert);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* key file */
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.tls_key != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_key)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("Set TLS key file %s ", options.tls_key);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef HAVE_LDAP_INITIALIZE
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.uri != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_initialize %s", ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP initialize %s", options.uri);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* HAVE_LDAP_INTITIALIZE */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* continue with opening */
|
|
Petr Lautrbach |
94c6f8 |
+ if ((ld == NULL) && (options.host != NULL)) {
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef HAVE_LDAP_INIT
|
|
Petr Lautrbach |
94c6f8 |
+ if ((ld = ldap_init (options.host, options.port)) == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_init failed");
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP init %s:%d", options.host, options.port);
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Petr Lautrbach |
94c6f8 |
+ if ((ld = ldap_open (options.host, options.port)) == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_open failed");
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP open %s:%d", options.host, options.port);
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* HAVE_LDAP_INIT */
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (ld == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("no way to open ldap");
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ssl == SSL_LDAPS) {
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* LDAP_OPT_X_TLS */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
|
|
Petr Lautrbach |
94c6f8 |
+ &options.ldap_version);
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Petr Lautrbach |
94c6f8 |
+ ld->ld_version = options.ldap_version;
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set version to %d", options.ldap_version);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if LDAP_SET_REBIND_PROC_ARGS == 3
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_set_rebind_proc (ld, _rebind_proc, NULL);
|
|
Petr Lautrbach |
94c6f8 |
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_set_rebind_proc (ld, _rebind_proc);
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Petr Lautrbach |
94c6f8 |
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set rebind proc");
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Petr Lautrbach |
94c6f8 |
+ ld->ld_deref = options.deref;
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set deref to %d", options.deref);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
|
|
Petr Lautrbach |
94c6f8 |
+ &options.timelimit);
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Petr Lautrbach |
94c6f8 |
+ ld->ld_timelimit = options.timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set timelimit to %d", options.timelimit);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
|
|
Petr Lautrbach |
94c6f8 |
+ /*
|
|
Petr Lautrbach |
94c6f8 |
+ * This is a new option in the Netscape SDK which sets
|
|
Petr Lautrbach |
94c6f8 |
+ * the TCP connect timeout. For want of a better value,
|
|
Petr Lautrbach |
94c6f8 |
+ * we use the bind_timelimit to control this.
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Petr Lautrbach |
94c6f8 |
+ timeout = options.bind_timelimit * 1000;
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set opt connect timeout to %d", timeout);
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
36a09e |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
|
|
Petr Lautrbach |
94c6f8 |
+ tv.tv_sec = options.bind_timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+ tv.tv_usec = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
36a09e |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
|
|
Petr Lautrbach |
94c6f8 |
+ options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set referrals to %d", options.referrals);
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
36a09e |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (ld, LDAP_OPT_RESTART,
|
|
Petr Lautrbach |
94c6f8 |
+ options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set restart to %d", options.restart);
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
36a09e |
+
|
|
Petr Lautrbach |
94c6f8 |
+#ifdef HAVE_LDAP_START_TLS_S
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ssl == SSL_START_TLS) {
|
|
Petr Lautrbach |
94c6f8 |
+ int version;
|
|
Petr Lautrbach |
36a09e |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
|
|
Petr Lautrbach |
94c6f8 |
+ == LDAP_SUCCESS) {
|
|
Petr Lautrbach |
94c6f8 |
+ if (version < LDAP_VERSION3) {
|
|
Petr Lautrbach |
94c6f8 |
+ version = LDAP_VERSION3;
|
|
Petr Lautrbach |
94c6f8 |
+ (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
|
|
Petr Lautrbach |
94c6f8 |
+ &version);
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP set version to %d", version);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
36a09e |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP start TLS");
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* HAVE_LDAP_START_TLS_S */
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
36a09e |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if ((msgid = ldap_simple_bind (ld, options.binddn,
|
|
Petr Lautrbach |
94c6f8 |
+ options.bindpw)) == -1) {
|
|
Petr Lautrbach |
94c6f8 |
+ ld_errno = ldap_get_lderrno (ld, 0, 0);
|
|
Petr Lautrbach |
36a09e |
+
|
|
Petr Lautrbach |
94c6f8 |
+ error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
|
|
Petr Lautrbach |
94c6f8 |
+ reconnect++;
|
|
Petr Lautrbach |
94c6f8 |
+ goto retry;
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP simple bind (%s)", options.binddn);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ timeout.tv_sec = options.bind_timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+ timeout.tv_usec = 0;
|
|
Jakub Jelen |
38b67a |
+ if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
|
|
Petr Lautrbach |
94c6f8 |
+ ld_errno = ldap_get_lderrno (ld, 0, 0);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ error ("ldap_result %s", ldap_err2string (ld_errno));
|
|
Petr Lautrbach |
94c6f8 |
+ reconnect++;
|
|
Petr Lautrbach |
94c6f8 |
+ goto retry;
|
|
Jan F. Chadima |
69dd72 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP result in time");
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
|
|
Petr Lautrbach |
94c6f8 |
+ controls = NULL;
|
|
Jakub Jelen |
38b67a |
+ if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, 1)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_parse_result %s", ldap_err2string (parserc));
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP parse result OK");
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (controls != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_controls_free (controls);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+#else
|
|
Jakub Jelen |
38b67a |
+ rc = ldap_result2error (session->ld, result, 1);
|
|
Petr Lautrbach |
94c6f8 |
+#endif
|
|
Petr Lautrbach |
94c6f8 |
+ if (rc != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("error trying to bind as user \"%s\" (%s)",
|
|
Petr Lautrbach |
94c6f8 |
+ options.binddn, ldap_err2string (rc));
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ debug2 ("LDAP do connect OK");
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void
|
|
Petr Lautrbach |
94c6f8 |
+process_user (const char *user, FILE *output)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ LDAPMessage *res, *e;
|
|
Jakub Jelen |
3bc8b8 |
+ char *buffer, *format;
|
|
Jakub Jelen |
3bc8b8 |
+ int rc, i;
|
|
Petr Lautrbach |
94c6f8 |
+ struct timeval timeout;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ debug ("LDAP process user");
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* quick check for attempts to be evil */
|
|
Petr Lautrbach |
94c6f8 |
+ if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
|
|
Petr Lautrbach |
94c6f8 |
+ (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
|
|
Petr Lautrbach |
94c6f8 |
+ logit ("illegal user name %s not processed", user);
|
|
Petr Lautrbach |
94c6f8 |
+ return;
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* build filter for LDAP request */
|
|
Jakub Jelen |
3bc8b8 |
+ format = LDAPSEARCH_FORMAT;
|
|
Jakub Jelen |
3bc8b8 |
+ if (options.search_format != NULL)
|
|
Jakub Jelen |
3bc8b8 |
+ format = options.search_format;
|
|
Jakub Jelen |
3bc8b8 |
+ buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ debug3 ("LDAP search scope = %d %s", options.scope, buffer);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ timeout.tv_sec = options.timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+ timeout.tv_usec = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
|
|
Petr Lautrbach |
94c6f8 |
+ error ("ldap_search_st(): %s", ldap_err2string (rc));
|
|
Petr Lautrbach |
94c6f8 |
+ free (buffer);
|
|
Petr Lautrbach |
94c6f8 |
+ return;
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* free */
|
|
Petr Lautrbach |
94c6f8 |
+ free (buffer);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
|
|
Petr Lautrbach |
94c6f8 |
+ int num;
|
|
Petr Lautrbach |
94c6f8 |
+ struct berval **keys;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ keys = ldap_get_values_len(ld, e, PUBKEYATTR);
|
|
Petr Lautrbach |
94c6f8 |
+ num = ldap_count_values_len(keys);
|
|
Petr Lautrbach |
94c6f8 |
+ for (i = 0 ; i < num ; i++) {
|
|
Petr Lautrbach |
94c6f8 |
+ char *cp; //, *options = NULL;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!*cp || *cp == '\n' || *cp == '#')
|
|
Petr Lautrbach |
94c6f8 |
+ continue;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* We have found the desired key. */
|
|
Petr Lautrbach |
94c6f8 |
+ fprintf (output, "%s\n", keys[i]->bv_val);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_value_free_len(keys);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_msgfree(res);
|
|
Petr Lautrbach |
94c6f8 |
+ debug2 ("LDAP process user finished");
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void
|
|
Petr Lautrbach |
94c6f8 |
+ldap_do_close(void)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ int rc;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ debug ("LDAP do close");
|
|
Petr Lautrbach |
94c6f8 |
+ if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal ("ldap_unbind_ext: %s",
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_err2string (rc));
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ ld = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ debug2 ("LDAP do close OK");
|
|
Petr Lautrbach |
94c6f8 |
+ return;
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Petr Lautrbach |
65ba94 |
+
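Review bot: the `#else` branch of the `HAVE_LDAP_PARSE_RESULT` block calls `rc = ldap_result2error (session->ld, result, 1);`, but no `session` exists in this function; every other call in the hunk uses the global `ld`, so this branch cannot compile whenever it is selected and should read `ldap_result2error (ld, result, 1)`. The LDAP_OPT_NETWORK_TIMEOUT call is shown as `(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;` and needs to end in `&tv);`. `timeout` is assigned an integer in `timeout = options.bind_timelimit * 1000;` and later used as a struct in `timeout.tv_sec = options.bind_timelimit;`, which only works because the Netscape-only LDAP_X_OPT_CONNECT_TIMEOUT block is normally compiled out; give that value its own variable so both blocks can coexist. In process_user, the whitespace-skipping loop computes `cp` but the line written is the unskipped `keys[i]->bv_val`, and it is written verbatim with `fprintf (output, "%s\n", ...)`, so an sshPublicKey value that itself contains a newline becomes several AuthorizedKeysCommand lines; since the directory's ACLs decide who may write that attribute, reject values containing '\n' before emitting them (and print with `%.*s` and `bv_len` rather than trusting NUL termination). `ldap_get_values_len()` returns NULL when the attribute is absent; OpenLDAP's `ldap_count_values_len()` and `ldap_value_free_len()` tolerate that, but an explicit NULL check would not depend on it. When `options.ssl` is not `SSL_START_TLS` and the connection is not already ldaps://, `ldap_simple_bind (ld, options.binddn, options.bindpw)` sends the bind password in cleartext, which ldap_checkconfig should at least warn about. Finally, the message in `fatal ("ldap_starttls_s: %s", ...)` misnames `ldap_start_tls_s`.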
|
|
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldapbody.h.ldap 2015-03-18 11:11:29.031801462 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldapbody.h 2015-03-18 11:11:29.031801462 +0100
|
|
Petr Lautrbach |
94c6f8 |
@@ -0,0 +1,37 @@
|
|
Petr Lautrbach |
94c6f8 |
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
|
Petr Lautrbach |
94c6f8 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
|
Petr Lautrbach |
94c6f8 |
+ *
|
|
Petr Lautrbach |
94c6f8 |
+ * Redistribution and use in source and binary forms, with or without
|
|
Petr Lautrbach |
94c6f8 |
+ * modification, are permitted provided that the following conditions
|
|
Petr Lautrbach |
94c6f8 |
+ * are met:
|
|
Petr Lautrbach |
94c6f8 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
Petr Lautrbach |
94c6f8 |
+ * notice, this list of conditions and the following disclaimer.
|
|
Petr Lautrbach |
94c6f8 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
Petr Lautrbach |
94c6f8 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
Petr Lautrbach |
94c6f8 |
+ * documentation and/or other materials provided with the distribution.
|
|
Petr Lautrbach |
94c6f8 |
+ *
|
|
Petr Lautrbach |
94c6f8 |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
Petr Lautrbach |
94c6f8 |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
Petr Lautrbach |
94c6f8 |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
Petr Lautrbach |
94c6f8 |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
Petr Lautrbach |
94c6f8 |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
Petr Lautrbach |
94c6f8 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
Petr Lautrbach |
94c6f8 |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
Petr Lautrbach |
94c6f8 |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
Petr Lautrbach |
94c6f8 |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
Petr Lautrbach |
94c6f8 |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#ifndef LDAPBODY_H
|
|
Petr Lautrbach |
94c6f8 |
+#define LDAPBODY_H
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#include <stdio.h>
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void ldap_checkconfig(void);
|
|
Petr Lautrbach |
94c6f8 |
+void ldap_do_connect(void);
|
|
Petr Lautrbach |
94c6f8 |
+void process_user(const char *, FILE *);
|
|
Petr Lautrbach |
94c6f8 |
+void ldap_do_close(void);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* LDAPBODY_H */
|
|
Jan F. Chadima |
69dd72 |
+
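Review bot: every public libldap symbol begins with `ldap_`, so project-local helpers named `ldap_checkconfig`, `ldap_do_connect` and `ldap_do_close` sit in the library's namespace and read like library calls to a maintainer; a project prefix (for example `sshldap_`) would avoid both the collision risk and the confusion. The `$OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $` tag is misleading for a file that is introduced by a distribution patch against openssh-6.8p1 and does not exist in OpenBSD; drop it or replace it with a plain comment stating the origin. The prototypes carry no documentation: note that `process_user()` writes the matching public keys to its `FILE *` argument, and that `ldap_do_connect()` and `ldap_do_close()` manage a single global connection that `process_user()` depends on.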
|
|
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldapconf.c.ldap 2015-03-18 11:11:29.032801460 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldapconf.c 2015-03-18 11:11:29.032801460 +0100
|
|
Jakub Jelen |
3bc8b8 |
@@ -0,0 +1,728 @@
|
|
Petr Lautrbach |
94c6f8 |
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
|
Petr Lautrbach |
94c6f8 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
|
Petr Lautrbach |
94c6f8 |
+ *
|
|
Petr Lautrbach |
94c6f8 |
+ * Redistribution and use in source and binary forms, with or without
|
|
Petr Lautrbach |
94c6f8 |
+ * modification, are permitted provided that the following conditions
|
|
Petr Lautrbach |
94c6f8 |
+ * are met:
|
|
Petr Lautrbach |
94c6f8 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
Petr Lautrbach |
94c6f8 |
+ * notice, this list of conditions and the following disclaimer.
|
|
Petr Lautrbach |
94c6f8 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
Petr Lautrbach |
94c6f8 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
Petr Lautrbach |
94c6f8 |
+ * documentation and/or other materials provided with the distribution.
|
|
Petr Lautrbach |
94c6f8 |
+ *
|
|
Petr Lautrbach |
94c6f8 |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
Petr Lautrbach |
94c6f8 |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
Petr Lautrbach |
94c6f8 |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
Petr Lautrbach |
94c6f8 |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
Petr Lautrbach |
94c6f8 |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
Petr Lautrbach |
94c6f8 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
Petr Lautrbach |
94c6f8 |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
Petr Lautrbach |
94c6f8 |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
Petr Lautrbach |
94c6f8 |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
Petr Lautrbach |
94c6f8 |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#include "ldapincludes.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include "ldap-helper.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include "log.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include "misc.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include "xmalloc.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include "ldapconf.h"
|
|
Petr Lautrbach |
94c6f8 |
+#include <unistd.h>
|
|
Petr Lautrbach |
94c6f8 |
+#include <string.h>
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/* Keyword tokens. */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+typedef enum {
|
|
Petr Lautrbach |
94c6f8 |
+ lBadOption,
|
|
Petr Lautrbach |
94c6f8 |
+ lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
|
|
Petr Lautrbach |
94c6f8 |
+ lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
|
|
Petr Lautrbach |
94c6f8 |
+ lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
|
|
Petr Lautrbach |
94c6f8 |
+ lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
|
|
Petr Lautrbach |
94c6f8 |
+ lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
|
|
Jakub Jelen |
3bc8b8 |
+ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
|
|
Petr Lautrbach |
94c6f8 |
+ lAccountClass, lDeprecated, lUnsupported
|
|
Petr Lautrbach |
94c6f8 |
+} OpCodes;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/* Textual representations of the tokens. */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static struct {
|
|
Petr Lautrbach |
94c6f8 |
+ const char *name;
|
|
Petr Lautrbach |
94c6f8 |
+ OpCodes opcode;
|
|
Petr Lautrbach |
94c6f8 |
+} keywords[] = {
|
|
Petr Lautrbach |
94c6f8 |
+ { "URI", lURI },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Base", lBase },
|
|
Petr Lautrbach |
94c6f8 |
+ { "BindDN", lBindDN },
|
|
Petr Lautrbach |
94c6f8 |
+ { "BindPW", lBindPW },
|
|
Petr Lautrbach |
94c6f8 |
+ { "RootBindDN", lRootBindDN },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Host", lHost },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Port", lPort },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Scope", lScope },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Deref", lDeref },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TimeLimit", lTimeLimit },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TimeOut", lTimeLimit },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Bind_Timelimit", lBind_TimeLimit },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Network_TimeOut", lBind_TimeLimit },
|
|
Petr Lautrbach |
94c6f8 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Todo
|
|
Petr Lautrbach |
94c6f8 |
+ * SIZELIMIT
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Petr Lautrbach |
94c6f8 |
+ { "Ldap_Version", lLdap_Version },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Version", lLdap_Version },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Bind_Policy", lBind_Policy },
|
|
Petr Lautrbach |
94c6f8 |
+ { "SSLPath", lSSLPath },
|
|
Petr Lautrbach |
94c6f8 |
+ { "SSL", lSSL },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Referrals", lReferrals },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Restart", lRestart },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_CheckPeer", lTLS_CheckPeer },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_ReqCert", lTLS_CheckPeer },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_CaCertFile", lTLS_CaCertFile },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_CaCert", lTLS_CaCertFile },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_CaCertDir", lTLS_CaCertDir },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_Ciphers", lTLS_Ciphers },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_Cipher_Suite", lTLS_Ciphers },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_Cert", lTLS_Cert },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_Certificate", lTLS_Cert },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_Key", lTLS_Key },
|
|
Petr Lautrbach |
94c6f8 |
+ { "TLS_RandFile", lTLS_RandFile },
|
|
Petr Lautrbach |
94c6f8 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Todo
|
|
Petr Lautrbach |
94c6f8 |
+ * TLS_CRLCHECK
|
|
Petr Lautrbach |
94c6f8 |
+ * TLS_CRLFILE
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Petr Lautrbach |
94c6f8 |
+ { "LogDir", lLogDir },
|
|
Petr Lautrbach |
94c6f8 |
+ { "Debug", lDebug },
|
|
Petr Lautrbach |
94c6f8 |
+ { "SSH_Filter", lSSH_Filter },
|
|
Jakub Jelen |
3bc8b8 |
+ { "search_format", lSearch_Format },
|
|
Petr Lautrbach |
94c6f8 |
+ { "AccountClass", lAccountClass },
|
|
Petr Lautrbach |
94c6f8 |
+ { NULL, lBadOption }
|
|
Petr Lautrbach |
94c6f8 |
+};
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/* Configuration ptions. */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+Options options;
|
|
Petr Lautrbach |
e6dbb8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Returns the number of the token pointed to by cp or oBadOption.
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static OpCodes
|
|
Petr Lautrbach |
94c6f8 |
+parse_token(const char *cp, const char *filename, int linenum)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ u_int i;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ for (i = 0; keywords[i].name; i++)
|
|
Petr Lautrbach |
94c6f8 |
+ if (strcasecmp(cp, keywords[i].name) == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ return keywords[i].opcode;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (config_warning_config_file)
|
|
Petr Lautrbach |
94c6f8 |
+ logit("%s: line %d: Bad configuration option: %s",
|
|
Petr Lautrbach |
94c6f8 |
+ filename, linenum, cp);
|
|
Petr Lautrbach |
94c6f8 |
+ return lBadOption;
|
|
Petr Lautrbach |
65ba94 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/* Characters considered whitespace in strsep calls. */
|
|
Petr Lautrbach |
94c6f8 |
+#define WHITESPACE " \t\r\n"
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/* return next token in configuration line */
|
|
Petr Lautrbach |
94c6f8 |
+static char *
|
|
Petr Lautrbach |
94c6f8 |
+ldap_strdelim(char **s)
|
|
Jan F. Chadima |
69dd72 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ char *old;
|
|
Petr Lautrbach |
94c6f8 |
+ int wspace = 0;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (*s == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ return NULL;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ old = *s;
|
|
Petr Lautrbach |
65ba94 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ *s = strpbrk(*s, WHITESPACE);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*s == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ return (old);
|
|
Petr Lautrbach |
65ba94 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ *s[0] = '\0';
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* Skip any extra whitespace after first token */
|
|
Petr Lautrbach |
94c6f8 |
+ *s += strspn(*s + 1, WHITESPACE) + 1;
|
|
Petr Lautrbach |
94c6f8 |
+ if (*s[0] == '=' && !wspace)
|
|
Petr Lautrbach |
94c6f8 |
+ *s += strspn(*s + 1, WHITESPACE) + 1;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ return (old);
|
|
Petr Lautrbach |
65ba94 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
65ba94 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Processes a single option line as used in the configuration files. This
|
|
Petr Lautrbach |
94c6f8 |
+ * only sets those values that have not already been set.
|
|
Petr Lautrbach |
65ba94 |
+ */
|
|
Petr Lautrbach |
94c6f8 |
+#define WHITESPACE " \t\r\n"
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static int
|
|
Petr Lautrbach |
94c6f8 |
+process_config_line(char *line, const char *filename, int linenum)
|
|
Petr Lautrbach |
65ba94 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
|
|
Petr Lautrbach |
94c6f8 |
+ char *rootbinddn = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ int opcode, *intptr, value;
|
|
Petr Lautrbach |
94c6f8 |
+ size_t len;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* Strip trailing whitespace */
|
|
Petr Lautrbach |
94c6f8 |
+ for (len = strlen(line) - 1; len > 0; len--) {
|
|
Petr Lautrbach |
94c6f8 |
+ if (strchr(WHITESPACE, line[len]) == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Petr Lautrbach |
94c6f8 |
+ line[len] = '\0';
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ s = line;
|
|
Petr Lautrbach |
94c6f8 |
+ /* Get the keyword. (Each line is supposed to begin with a keyword). */
|
|
Petr Lautrbach |
94c6f8 |
+ if ((keyword = ldap_strdelim(&s)) == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ return 0;
|
|
Petr Lautrbach |
94c6f8 |
+ /* Ignore leading whitespace. */
|
|
Petr Lautrbach |
94c6f8 |
+ if (*keyword == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ keyword = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
|
|
Petr Lautrbach |
94c6f8 |
+ return 0;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ opcode = parse_token(keyword, filename, linenum);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ switch (opcode) {
|
|
Petr Lautrbach |
94c6f8 |
+ case lBadOption:
|
|
Petr Lautrbach |
94c6f8 |
+ /* don't panic, but count bad options */
|
|
Petr Lautrbach |
94c6f8 |
+ return -1;
|
|
Petr Lautrbach |
94c6f8 |
+ /* NOTREACHED */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lHost:
|
|
Petr Lautrbach |
94c6f8 |
+ xstringptr = &options.host;
|
|
Petr Lautrbach |
94c6f8 |
+parse_xstring:
|
|
Petr Lautrbach |
94c6f8 |
+ if (!s || *s == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%s line %d: missing dn",filename,linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*xstringptr == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ *xstringptr = xstrdup(s);
|
|
Petr Lautrbach |
94c6f8 |
+ return 0;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lURI:
|
|
Petr Lautrbach |
94c6f8 |
+ xstringptr = &options.uri;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_xstring;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lBase:
|
|
Petr Lautrbach |
94c6f8 |
+ xstringptr = &options.base;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_xstring;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lBindDN:
|
|
Petr Lautrbach |
94c6f8 |
+ xstringptr = &options.binddn;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_xstring;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lBindPW:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.bindpw;
|
|
Petr Lautrbach |
94c6f8 |
+parse_string:
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*charptr == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ *charptr = xstrdup(arg);
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lRootBindDN:
|
|
Petr Lautrbach |
94c6f8 |
+ xstringptr = &rootbinddn;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_xstring;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lScope:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.scope;
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ value = 0; /* To avoid compiler warning... */
|
|
Petr Lautrbach |
94c6f8 |
+ if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_SCOPE_SUBTREE;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp (arg, "one") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_SCOPE_ONELEVEL;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp (arg, "base") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_SCOPE_BASE;
|
|
Petr Lautrbach |
94c6f8 |
+ else
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*intptr == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ *intptr = value;
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lDeref:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.scope;
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ value = 0; /* To avoid compiler warning... */
|
|
Petr Lautrbach |
94c6f8 |
+ if (!strcasecmp (arg, "never"))
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_DEREF_NEVER;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (!strcasecmp (arg, "searching"))
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_DEREF_SEARCHING;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (!strcasecmp (arg, "finding"))
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_DEREF_FINDING;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (!strcasecmp (arg, "always"))
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_DEREF_ALWAYS;
|
|
Petr Lautrbach |
94c6f8 |
+ else
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*intptr == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ *intptr = value;
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lPort:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.port;
|
|
Petr Lautrbach |
94c6f8 |
+parse_int:
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (arg[0] < '0' || arg[0] > '9')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Bad number.", filename, linenum);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* Octal, decimal, or hex format? */
|
|
Petr Lautrbach |
94c6f8 |
+ value = strtol(arg, &endofnumber, 0);
|
|
Petr Lautrbach |
94c6f8 |
+ if (arg == endofnumber)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Bad number.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*intptr == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ *intptr = value;
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lTimeLimit:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+parse_time:
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%s line %d: missing time value.",
|
|
Petr Lautrbach |
94c6f8 |
+ filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if ((value = convtime(arg)) == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%s line %d: invalid time value.",
|
|
Petr Lautrbach |
94c6f8 |
+ filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*intptr == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ *intptr = value;
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lBind_TimeLimit:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.bind_timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_time;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lLdap_Version:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.ldap_version;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_int;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lBind_Policy:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.bind_policy;
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ value = 0; /* To avoid compiler warning... */
|
|
Petr Lautrbach |
94c6f8 |
+ if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = 1;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp(arg, "soft") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ else
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*intptr == -1)
|
|
Jakub Jelen |
f92cd0 |
+ *intptr = value;
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lSSLPath:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.sslpath;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_string;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lSSL:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.ssl;
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ value = 0; /* To avoid compiler warning... */
|
|
Petr Lautrbach |
94c6f8 |
+ if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = SSL_LDAPS;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = SSL_OFF;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (!strcasecmp (arg, "start_tls"))
|
|
Petr Lautrbach |
94c6f8 |
+ value = SSL_START_TLS;
|
|
Petr Lautrbach |
94c6f8 |
+ else
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*intptr == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ *intptr = value;
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lReferrals:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.referrals;
|
|
Petr Lautrbach |
94c6f8 |
+parse_flag:
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ value = 0; /* To avoid compiler warning... */
|
|
Petr Lautrbach |
94c6f8 |
+ if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = 1;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ else
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*intptr == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ *intptr = value;
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lRestart:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.restart;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_flag;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lTLS_CheckPeer:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.tls_checkpeer;
|
|
Petr Lautrbach |
94c6f8 |
+ arg = ldap_strdelim(&s);
|
|
Petr Lautrbach |
94c6f8 |
+ if (!arg || *arg == '\0')
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ value = 0; /* To avoid compiler warning... */
|
|
Petr Lautrbach |
94c6f8 |
+ if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_OPT_X_TLS_NEVER;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_OPT_X_TLS_HARD;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp(arg, "demand") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_OPT_X_TLS_DEMAND;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp(arg, "allow") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_OPT_X_TLS_ALLOW;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcasecmp(arg, "try") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ value = LDAP_OPT_X_TLS_TRY;
|
|
Petr Lautrbach |
94c6f8 |
+ else
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
|
|
Petr Lautrbach |
94c6f8 |
+ if (*intptr == -1)
|
|
Jakub Jelen |
f92cd0 |
+ *intptr = value;
|
|
Petr Lautrbach |
94c6f8 |
+ break;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lTLS_CaCertFile:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.tls_cacertfile;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_string;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lTLS_CaCertDir:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.tls_cacertdir;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_string;
|
|
Petr Lautrbach |
65ba94 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lTLS_Ciphers:
|
|
Petr Lautrbach |
94c6f8 |
+ xstringptr = &options.tls_ciphers;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_xstring;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lTLS_Cert:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.tls_cert;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_string;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lTLS_Key:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.tls_key;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_string;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lTLS_RandFile:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.tls_randfile;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_string;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lLogDir:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.logdir;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_string;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lDebug:
|
|
Petr Lautrbach |
94c6f8 |
+ intptr = &options.debug;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_int;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lSSH_Filter:
|
|
Petr Lautrbach |
94c6f8 |
+ xstringptr = &options.ssh_filter;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_xstring;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jakub Jelen |
3bc8b8 |
+ case lSearch_Format:
|
|
Jakub Jelen |
3bc8b8 |
+ charptr = &options.search_format;
|
|
Jakub Jelen |
3bc8b8 |
+ goto parse_string;
|
|
Jakub Jelen |
3bc8b8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lAccountClass:
|
|
Petr Lautrbach |
94c6f8 |
+ charptr = &options.account_class;
|
|
Petr Lautrbach |
94c6f8 |
+ goto parse_string;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lDeprecated:
|
|
Petr Lautrbach |
94c6f8 |
+ debug("%s line %d: Deprecated option \"%s\"",
|
|
Petr Lautrbach |
94c6f8 |
+ filename, linenum, keyword);
|
|
Petr Lautrbach |
94c6f8 |
+ return 0;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ case lUnsupported:
|
|
Petr Lautrbach |
94c6f8 |
+ error("%s line %d: Unsupported option \"%s\"",
|
|
Petr Lautrbach |
94c6f8 |
+ filename, linenum, keyword);
|
|
Petr Lautrbach |
94c6f8 |
+ return 0;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ default:
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("process_config_line: Unimplemented opcode %d", opcode);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /* Check that there is no garbage at end of line. */
|
|
Petr Lautrbach |
94c6f8 |
+ if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
|
|
Petr Lautrbach |
94c6f8 |
+ filename, linenum, arg);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ return 0;
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Reads the config file and modifies the options accordingly. Options
|
|
Petr Lautrbach |
94c6f8 |
+ * should already be initialized before this call. This never returns if
|
|
Petr Lautrbach |
94c6f8 |
+ * there is an error. If the file does not exist, this returns 0.
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void
|
|
Petr Lautrbach |
94c6f8 |
+read_config_file(const char *filename)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ FILE *f;
|
|
Petr Lautrbach |
94c6f8 |
+ char line[1024];
|
|
Jakub Jelen |
580f98 |
+ int linenum;
|
|
Petr Lautrbach |
94c6f8 |
+ int bad_options = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ struct stat sb;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if ((f = fopen(filename, "r")) == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("fopen %s: %s", filename, strerror(errno));
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (fstat(fileno(f), &sb) == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("fstat %s: %s", filename, strerror(errno));
|
|
Petr Lautrbach |
94c6f8 |
+ if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
|
|
Petr Lautrbach |
94c6f8 |
+ (sb.st_mode & 022) != 0))
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("Bad owner or permissions on %s", filename);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ debug("Reading configuration data %.200s", filename);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ /*
|
|
Petr Lautrbach |
94c6f8 |
+ * Mark that we are now processing the options. This flag is turned
|
|
Petr Lautrbach |
94c6f8 |
+ * on/off by Host specifications.
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Petr Lautrbach |
94c6f8 |
+ linenum = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ while (fgets(line, sizeof(line), f)) {
|
|
Petr Lautrbach |
94c6f8 |
+ /* Update line number counter. */
|
|
Petr Lautrbach |
94c6f8 |
+ linenum++;
|
|
Petr Lautrbach |
94c6f8 |
+ if (process_config_line(line, filename, linenum) != 0)
|
|
Petr Lautrbach |
94c6f8 |
+ bad_options++;
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ fclose(f);
|
|
Petr Lautrbach |
94c6f8 |
+ if ((bad_options > 0) && config_exclusive_config_file)
|
|
Petr Lautrbach |
94c6f8 |
+ fatal("%s: terminating, %d bad configuration options",
|
|
Petr Lautrbach |
94c6f8 |
+ filename, bad_options);
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
65ba94 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Initializes options to special values that indicate that they have not yet
|
|
Petr Lautrbach |
94c6f8 |
+ * been set. Read_config_file will only set options with this value. Options
|
|
Petr Lautrbach |
94c6f8 |
+ * are processed in the following order: command line, user config file,
|
|
Petr Lautrbach |
94c6f8 |
+ * system config file. Last, fill_default_options is called.
|
|
Petr Lautrbach |
65ba94 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void
|
|
Petr Lautrbach |
94c6f8 |
+initialize_options(void)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ memset(&options, 'X', sizeof(options));
|
|
Petr Lautrbach |
94c6f8 |
+ options.host = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.uri = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.base = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.binddn = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.bindpw = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.scope = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.deref = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.port = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.timelimit = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.bind_timelimit = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.ldap_version = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.bind_policy = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.sslpath = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.ssl = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.referrals = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.restart = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_checkpeer = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_cacertfile = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_cacertdir = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_ciphers = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_cert = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_key = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_randfile = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.logdir = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.debug = -1;
|
|
Petr Lautrbach |
94c6f8 |
+ options.ssh_filter = NULL;
|
|
Jakub Jelen |
3bc8b8 |
+ options.search_format = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+ options.account_class = NULL;
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/*
|
|
Petr Lautrbach |
94c6f8 |
+ * Called after processing other sources of option data, this fills those
|
|
Petr Lautrbach |
94c6f8 |
+ * options for which no value has been specified with their default values.
|
|
Petr Lautrbach |
94c6f8 |
+ */
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void
|
|
Petr Lautrbach |
94c6f8 |
+fill_default_options(void)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.uri != NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ LDAPURLDesc *ludp;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ssl == -1) {
|
|
Petr Lautrbach |
94c6f8 |
+ if (strcmp (ludp->lud_scheme, "ldap") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ options.ssl = 2;
|
|
Petr Lautrbach |
94c6f8 |
+ if (strcmp (ludp->lud_scheme, "ldapi") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ options.ssl = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
|
|
Petr Lautrbach |
94c6f8 |
+ options.ssl = 1;
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.host == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ options.host = xstrdup (ludp->lud_host);
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.port == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.port = ludp->lud_port;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ ldap_free_urldesc (ludp);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ssl == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.ssl = SSL_START_TLS;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.port == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.port = (options.ssl == 0) ? 389 : 636;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.uri == NULL) {
|
|
Petr Lautrbach |
94c6f8 |
+ int len;
|
|
Petr Lautrbach |
94c6f8 |
+#define MAXURILEN 4096
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ options.uri = xmalloc (MAXURILEN);
|
|
Petr Lautrbach |
94c6f8 |
+ len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
|
|
Petr Lautrbach |
94c6f8 |
+ (options.ssl == 0) ? "" : "s", options.host, options.port);
|
|
Petr Lautrbach |
94c6f8 |
+ options.uri[MAXURILEN - 1] = 0;
|
|
Jakub Jelen |
535d34 |
+ options.uri = xreallocarray(options.uri, len + 1, 1);
|
|
Petr Lautrbach |
94c6f8 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.binddn == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ options.binddn = "";
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.bindpw == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ options.bindpw = "";
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.scope == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.scope = LDAP_SCOPE_SUBTREE;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.deref == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.deref = LDAP_DEREF_NEVER;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.timelimit == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.timelimit = 10;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.bind_timelimit == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.bind_timelimit = 10;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ldap_version == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.ldap_version = 3;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.bind_policy == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.bind_policy = 1;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.referrals == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.referrals = 1;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.restart == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.restart = 1;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.tls_checkpeer == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.debug == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ options.debug = 0;
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.ssh_filter == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ options.ssh_filter = "";
|
|
Petr Lautrbach |
94c6f8 |
+ if (options.account_class == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ options.account_class = "posixAccount";
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static const char *
|
|
Petr Lautrbach |
94c6f8 |
+lookup_opcode_name(OpCodes code)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ u_int i;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ for (i = 0; keywords[i].name != NULL; i++)
|
|
Petr Lautrbach |
94c6f8 |
+ if (keywords[i].opcode == code)
|
|
Petr Lautrbach |
94c6f8 |
+ return(keywords[i].name);
|
|
Petr Lautrbach |
94c6f8 |
+ return "UNKNOWN";
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+static void
|
|
Petr Lautrbach |
94c6f8 |
+dump_cfg_string(OpCodes code, const char *val)
|
|
Jan F. Chadima |
69dd72 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ if (val == NULL)
|
|
Petr Lautrbach |
94c6f8 |
+ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
|
|
Petr Lautrbach |
94c6f8 |
+ else
|
|
Petr Lautrbach |
94c6f8 |
+ debug3("%s %s", lookup_opcode_name(code), val);
|
|
Jan F. Chadima |
69dd72 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static void
|
|
Petr Lautrbach |
94c6f8 |
+dump_cfg_int(OpCodes code, int val)
|
|
Jan F. Chadima |
69dd72 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ if (val == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
|
|
Petr Lautrbach |
94c6f8 |
+ else
|
|
Petr Lautrbach |
94c6f8 |
+ debug3("%s %d", lookup_opcode_name(code), val);
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Petr Lautrbach |
65ba94 |
+
|
|
Petr Lautrbach |
94c6f8 |
+struct names {
|
|
Petr Lautrbach |
94c6f8 |
+ int value;
|
|
Petr Lautrbach |
94c6f8 |
+ char *name;
|
|
Petr Lautrbach |
94c6f8 |
+};
|
|
Petr Lautrbach |
65ba94 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static void
|
|
Petr Lautrbach |
94c6f8 |
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ u_int i;
|
|
Petr Lautrbach |
65ba94 |
+
|
|
Petr Lautrbach |
94c6f8 |
+ if (val == -1)
|
|
Petr Lautrbach |
94c6f8 |
+ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
|
|
Petr Lautrbach |
94c6f8 |
+ else {
|
|
Petr Lautrbach |
94c6f8 |
+ for (i = 0; names[i].value != -1; i++)
|
|
Petr Lautrbach |
94c6f8 |
+ if (names[i].value == val) {
|
|
Petr Lautrbach |
94c6f8 |
+ debug3("%s %s", lookup_opcode_name(code), names[i].name);
|
|
Petr Lautrbach |
94c6f8 |
+ return;
|
|
Jan F. Chadima |
69dd72 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+ debug3("%s unknown: %d", lookup_opcode_name(code), val);
|
|
Jan F. Chadima |
69dd72 |
+ }
|
|
Petr Lautrbach |
94c6f8 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static struct names _yesnotls[] = {
|
|
Petr Lautrbach |
94c6f8 |
+ { 0, "No" },
|
|
Petr Lautrbach |
94c6f8 |
+ { 1, "Yes" },
|
|
Petr Lautrbach |
94c6f8 |
+ { 2, "Start_TLS" },
|
|
Petr Lautrbach |
94c6f8 |
+ { -1, NULL }};
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static struct names _scope[] = {
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_SCOPE_BASE, "Base" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_SCOPE_ONELEVEL, "One" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_SCOPE_SUBTREE, "Sub"},
|
|
Petr Lautrbach |
94c6f8 |
+ { -1, NULL }};
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static struct names _deref[] = {
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_DEREF_NEVER, "Never" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_DEREF_SEARCHING, "Searching" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_DEREF_FINDING, "Finding" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_DEREF_ALWAYS, "Always" },
|
|
Petr Lautrbach |
94c6f8 |
+ { -1, NULL }};
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static struct names _yesno[] = {
|
|
Petr Lautrbach |
94c6f8 |
+ { 0, "No" },
|
|
Petr Lautrbach |
94c6f8 |
+ { 1, "Yes" },
|
|
Petr Lautrbach |
94c6f8 |
+ { -1, NULL }};
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static struct names _bindpolicy[] = {
|
|
Petr Lautrbach |
94c6f8 |
+ { 0, "Soft" },
|
|
Petr Lautrbach |
94c6f8 |
+ { 1, "Hard" },
|
|
Petr Lautrbach |
94c6f8 |
+ { -1, NULL }};
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+static struct names _checkpeer[] = {
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_OPT_X_TLS_NEVER, "Never" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_OPT_X_TLS_HARD, "Hard" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_OPT_X_TLS_DEMAND, "Demand" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_OPT_X_TLS_ALLOW, "Allow" },
|
|
Petr Lautrbach |
94c6f8 |
+ { LDAP_OPT_X_TLS_TRY, "TRY" },
|
|
Petr Lautrbach |
94c6f8 |
+ { -1, NULL }};
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void
|
|
Petr Lautrbach |
94c6f8 |
+dump_config(void)
|
|
Petr Lautrbach |
94c6f8 |
+{
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lURI, options.uri);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lHost, options.host);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_int(lPort, options.port);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_int(lLdap_Version, options.ldap_version);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_int(lTimeLimit, options.timelimit);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lBase, options.base);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lBindDN, options.binddn);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lBindPW, options.bindpw);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_namedint(lScope, options.scope, _scope);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_namedint(lDeref, options.deref, _deref);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_namedint(lReferrals, options.referrals, _yesno);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_namedint(lRestart, options.restart, _yesno);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lSSLPath, options.sslpath);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lTLS_Cert, options.tls_cert);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lTLS_Key, options.tls_key);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lTLS_RandFile, options.tls_randfile);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lLogDir, options.logdir);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_int(lDebug, options.debug);
|
|
Petr Lautrbach |
94c6f8 |
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
|
Jakub Jelen |
3bc8b8 |
+ dump_cfg_string(lSearch_Format, options.search_format);
|
|
Jakub Jelen |
3bc8b8 |
+ dump_cfg_string(lAccountClass, options.account_class);
|
|
Jan F. Chadima |
69dd72 |
+}
|
|
Jan F. Chadima |
69dd72 |
+
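Review bot: dump_config() at `dump_cfg_string(lBindPW, options.bindpw);` writes the LDAP bind password to the debug3 log in cleartext, so any run with level-3 debugging enabled leaks the credential into syslog or the terminal; log only whether it is set, e.g. `dump_cfg_string(lBindPW, options.bindpw ? "<set>" : NULL);`. Two smaller points in the same hunk: in fill_default_options() the port and scheme defaults test `options.ssl == 0`, so the SSL_START_TLS default (value 2) yields port 636 and an `ldaps://` URI even though StartTLS is negotiated over the plain LDAP port; compare against SSL_LDAPS instead (`options.port = (options.ssl == SSL_LDAPS) ? 636 : 389;`) and use the SSL_* constants rather than the bare 0/1/2 in the scheme checks. Also the comment "This flag is turned on/off by Host specifications" in read_config_file() is carried over from readconf.c and describes nothing in this file, and the two fatal messages for TLS_CheckPeer misspell "allow" as "alow".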
|
|
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldapconf.h.ldap openssh-6.8p1/ldapconf.h
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldapconf.h.ldap 2015-03-18 11:11:29.032801460 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldapconf.h 2015-03-18 11:11:29.032801460 +0100
|
|
Jakub Jelen |
3bc8b8 |
@@ -0,0 +1,73 @@
|
|
Petr Lautrbach |
94c6f8 |
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
|
Jan F. Chadima |
69dd72 |
+/*
|
|
Jan F. Chadima |
69dd72 |
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
|
Jan F. Chadima |
69dd72 |
+ *
|
|
Jan F. Chadima |
69dd72 |
+ * Redistribution and use in source and binary forms, with or without
|
|
Jan F. Chadima |
69dd72 |
+ * modification, are permitted provided that the following conditions
|
|
Jan F. Chadima |
69dd72 |
+ * are met:
|
|
Jan F. Chadima |
69dd72 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
Jan F. Chadima |
69dd72 |
+ * notice, this list of conditions and the following disclaimer.
|
|
Jan F. Chadima |
69dd72 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
Jan F. Chadima |
69dd72 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
Jan F. Chadima |
69dd72 |
+ * documentation and/or other materials provided with the distribution.
|
|
Jan F. Chadima |
69dd72 |
+ *
|
|
Jan F. Chadima |
69dd72 |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
Jan F. Chadima |
69dd72 |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
Jan F. Chadima |
69dd72 |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
Jan F. Chadima |
69dd72 |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
Jan F. Chadima |
69dd72 |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
Jan F. Chadima |
69dd72 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
Jan F. Chadima |
69dd72 |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
Jan F. Chadima |
69dd72 |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
Jan F. Chadima |
69dd72 |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
Jan F. Chadima |
69dd72 |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
Jan F. Chadima |
69dd72 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#ifndef LDAPCONF_H
|
|
Petr Lautrbach |
94c6f8 |
+#define LDAPCONF_H
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#define SSL_OFF 0
|
|
Petr Lautrbach |
94c6f8 |
+#define SSL_LDAPS 1
|
|
Petr Lautrbach |
94c6f8 |
+#define SSL_START_TLS 2
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+/* Data structure for representing option data. */
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+typedef struct {
|
|
Petr Lautrbach |
94c6f8 |
+ char *host;
|
|
Petr Lautrbach |
94c6f8 |
+ char *uri;
|
|
Petr Lautrbach |
94c6f8 |
+ char *base;
|
|
Petr Lautrbach |
94c6f8 |
+ char *binddn;
|
|
Petr Lautrbach |
94c6f8 |
+ char *bindpw;
|
|
Petr Lautrbach |
94c6f8 |
+ int scope;
|
|
Petr Lautrbach |
94c6f8 |
+ int deref;
|
|
Petr Lautrbach |
94c6f8 |
+ int port;
|
|
Petr Lautrbach |
94c6f8 |
+ int timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+ int bind_timelimit;
|
|
Petr Lautrbach |
94c6f8 |
+ int ldap_version;
|
|
Petr Lautrbach |
94c6f8 |
+ int bind_policy;
|
|
Petr Lautrbach |
94c6f8 |
+ char *sslpath;
|
|
Petr Lautrbach |
94c6f8 |
+ int ssl;
|
|
Petr Lautrbach |
94c6f8 |
+ int referrals;
|
|
Petr Lautrbach |
94c6f8 |
+ int restart;
|
|
Petr Lautrbach |
94c6f8 |
+ int tls_checkpeer;
|
|
Petr Lautrbach |
94c6f8 |
+ char *tls_cacertfile;
|
|
Petr Lautrbach |
94c6f8 |
+ char *tls_cacertdir;
|
|
Petr Lautrbach |
94c6f8 |
+ char *tls_ciphers;
|
|
Petr Lautrbach |
94c6f8 |
+ char *tls_cert;
|
|
Petr Lautrbach |
94c6f8 |
+ char *tls_key;
|
|
Petr Lautrbach |
94c6f8 |
+ char *tls_randfile;
|
|
Petr Lautrbach |
94c6f8 |
+ char *logdir;
|
|
Petr Lautrbach |
94c6f8 |
+ int debug;
|
|
Petr Lautrbach |
94c6f8 |
+ char *ssh_filter;
|
|
Jakub Jelen |
3bc8b8 |
+ char *search_format;
|
|
Petr Lautrbach |
94c6f8 |
+ char *account_class;
|
|
Petr Lautrbach |
94c6f8 |
+} Options;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+extern Options options;
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+void read_config_file(const char *);
|
|
Petr Lautrbach |
94c6f8 |
+void initialize_options(void);
|
|
Petr Lautrbach |
94c6f8 |
+void fill_default_options(void);
|
|
Petr Lautrbach |
94c6f8 |
+void dump_config(void);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Petr Lautrbach |
94c6f8 |
+#endif /* LDAPCONF_H */
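Review bot: the Options struct mixes ownership in its `char *` members: fill_default_options() stores string literals (`options.binddn = "";`, `options.account_class = "posixAccount";`) into the same fields that otherwise receive xstrdup()/xmalloc() results, so none of them can be freed safely and any future cleanup path would have to guess which pointers are heap; either xstrdup() the defaults as well or declare the members `const char *` and never free them, and document the choice next to the struct. Also the RCS tag at the top of ldapconf.h reads `$OpenBSD: ldapconf.c,v ...`, a copy-paste from the .c file, and the struct members carry no comment saying which ldap.conf keyword each one corresponds to.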
|
|
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldapincludes.h.ldap openssh-6.8p1/ldapincludes.h
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldapincludes.h.ldap 2015-03-18 11:11:29.032801460 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldapincludes.h 2015-03-18 11:11:29.032801460 +0100
|
|
Jan F. Chadima |
69dd72 |
@@ -0,0 +1,41 @@
|
|
Jan F. Chadima |
69dd72 |
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
|
Jan F. Chadima |
69dd72 |
+/*
|
|
Jan F. Chadima |
69dd72 |
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
|
Jan F. Chadima |
69dd72 |
+ *
|
|
Jan F. Chadima |
69dd72 |
+ * Redistribution and use in source and binary forms, with or without
|
|
Jan F. Chadima |
69dd72 |
+ * modification, are permitted provided that the following conditions
|
|
Jan F. Chadima |
69dd72 |
+ * are met:
|
|
Jan F. Chadima |
69dd72 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
Jan F. Chadima |
69dd72 |
+ * notice, this list of conditions and the following disclaimer.
|
|
Jan F. Chadima |
69dd72 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
Jan F. Chadima |
69dd72 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
Jan F. Chadima |
69dd72 |
+ * documentation and/or other materials provided with the distribution.
|
|
Jan F. Chadima |
69dd72 |
+ *
|
|
Jan F. Chadima |
69dd72 |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
Jan F. Chadima |
69dd72 |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
Jan F. Chadima |
69dd72 |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
Jan F. Chadima |
69dd72 |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
Jan F. Chadima |
69dd72 |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
Jan F. Chadima |
69dd72 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
Jan F. Chadima |
69dd72 |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
Jan F. Chadima |
69dd72 |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
Jan F. Chadima |
69dd72 |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
Jan F. Chadima |
69dd72 |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
Jan F. Chadima |
69dd72 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#ifndef LDAPINCLUDES_H
|
|
Jan F. Chadima |
69dd72 |
+#define LDAPINCLUDES_H
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#include "includes.h"
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#ifdef HAVE_LBER_H
|
|
Jan F. Chadima |
69dd72 |
+#include <lber.h>
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+#ifdef HAVE_LDAP_H
|
|
Jan F. Chadima |
69dd72 |
+#include <ldap.h>
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+#ifdef HAVE_LDAP_SSL_H
|
|
Jan F. Chadima |
69dd72 |
+#include <ldap_ssl.h>
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#endif /* LDAPINCLUDES_H */
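Review bot: the RCS tag on the first line names ldapconf.c rather than ldapincludes.h, the same copy-paste as in ldapconf.h. More substantively, `<ldap.h>` and `<lber.h>` are included only when HAVE_LDAP_H / HAVE_LBER_H are defined, yet ldapconf.c uses LDAPURLDesc, ldap_url_parse() and the LDAP_OPT_X_TLS_* constants unconditionally, so a build lacking the headers fails with confusing errors deep inside ldapconf.c; add `#else` / `#error "ldap.h is required for LDAP public key support"` branches here (or make the configure check fatal) so the failure is reported at the include site.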
|
|
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldapmisc.c.ldap openssh-6.8p1/ldapmisc.c
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldapmisc.c.ldap 2015-03-18 11:11:29.032801460 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldapmisc.c 2015-03-18 11:11:29.032801460 +0100
|
|
Jan F. Chadima |
69dd72 |
@@ -0,0 +1,79 @@
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#include "ldapincludes.h"
|
|
Jan F. Chadima |
69dd72 |
+#include "ldapmisc.h"
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#ifndef HAVE_LDAP_GET_LDERRNO
|
|
Jan F. Chadima |
69dd72 |
+int
|
|
Jan F. Chadima |
69dd72 |
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
|
|
Jan F. Chadima |
69dd72 |
+{
|
|
Jan F. Chadima |
69dd72 |
+#ifdef HAVE_LDAP_GET_OPTION
|
|
Jan F. Chadima |
69dd72 |
+ int rc;
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+ int lderrno;
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
|
|
Jan F. Chadima |
69dd72 |
+ if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
|
|
Jan F. Chadima |
69dd72 |
+ return rc;
|
|
Jan F. Chadima |
69dd72 |
+#else
|
|
Jan F. Chadima |
69dd72 |
+ lderrno = ld->ld_errno;
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+ if (s != NULL) {
|
|
Jan F. Chadima |
69dd72 |
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
|
|
Jan F. Chadima |
69dd72 |
+ if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
|
|
Jan F. Chadima |
69dd72 |
+ return rc;
|
|
Jan F. Chadima |
69dd72 |
+#else
|
|
Jan F. Chadima |
69dd72 |
+ *s = ld->ld_error;
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+ if (m != NULL) {
|
|
Jan F. Chadima |
69dd72 |
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
|
|
Jan F. Chadima |
69dd72 |
+ if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
|
|
Jan F. Chadima |
69dd72 |
+ return rc;
|
|
Jan F. Chadima |
69dd72 |
+#else
|
|
Jan F. Chadima |
69dd72 |
+ *m = ld->ld_matched;
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+ return lderrno;
|
|
Jan F. Chadima |
69dd72 |
+}
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#ifndef HAVE_LDAP_SET_LDERRNO
|
|
Jan F. Chadima |
69dd72 |
+int
|
|
Jan F. Chadima |
69dd72 |
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
|
|
Jan F. Chadima |
69dd72 |
+{
|
|
Jan F. Chadima |
69dd72 |
+#ifdef HAVE_LDAP_SET_OPTION
|
|
Jan F. Chadima |
69dd72 |
+ int rc;
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
|
|
Jan F. Chadima |
69dd72 |
+ if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
|
|
Jan F. Chadima |
69dd72 |
+ return rc;
|
|
Jan F. Chadima |
69dd72 |
+#else
|
|
Jan F. Chadima |
69dd72 |
+ ld->ld_errno = lderrno;
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+ if (s != NULL) {
|
|
Jan F. Chadima |
69dd72 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
|
|
Jan F. Chadima |
69dd72 |
+ if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
|
|
Jan F. Chadima |
69dd72 |
+ return rc;
|
|
Jan F. Chadima |
69dd72 |
+#else
|
|
Jan F. Chadima |
69dd72 |
+ ld->ld_error = s;
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+ if (m != NULL) {
|
|
Jan F. Chadima |
69dd72 |
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
|
|
Jan F. Chadima |
69dd72 |
+ if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
|
|
Jan F. Chadima |
69dd72 |
+ return rc;
|
|
Jan F. Chadima |
69dd72 |
+#else
|
|
Jan F. Chadima |
69dd72 |
+ ld->ld_matched = m;
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+ }
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+ return LDAP_SUCCESS;
|
|
Jan F. Chadima |
69dd72 |
+}
|
|
Jan F. Chadima |
69dd72 |
+#endif
|
|
Jan F. Chadima |
69dd72 |
+
|
|
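Review bot: ownership and const-correctness of the error strings differ between the two branches and neither is documented. On the `ldap_get_option` path, `LDAP_OPT_ERROR_STRING` and `LDAP_OPT_MATCHED_DN` hand back allocated copies the caller has to release with `ldap_memfree`, while the `#else` path (`*s = ld->ld_error;`, `*m = ld->ld_matched;`) returns pointers into the handle that must not be freed; nothing in the signature tells the caller which it got. In `ldap_set_lderrno` the fallbacks `ld->ld_error = s;` and `ld->ld_matched = m;` store the caller's `const char *` directly in the handle (discarding the qualifier on SDKs where those fields are plain `char *`), never release the previous value and keep a pointer to a buffer whose lifetime the library does not control; suggest `strdup` of the new value, `free` of the old, and the ownership rule stated at the prototypes. A smaller point: `ldap_get_lderrno` returns `rc` from a failed `ldap_get_option` through the same `int` that otherwise carries the fetched `lderrno`, so a caller cannot tell a lookup failure from a genuine error number; an out-parameter for the number, or a distinguished return value, would be unambiguous.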
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ldapmisc.h.ldap openssh-6.8p1/ldapmisc.h
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ldapmisc.h.ldap 2015-03-18 11:11:29.032801460 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ldapmisc.h 2015-03-18 11:11:29.032801460 +0100
|
|
Jan F. Chadima |
69dd72 |
@@ -0,0 +1,35 @@
|
|
Jan F. Chadima |
69dd72 |
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
|
Jan F. Chadima |
69dd72 |
+/*
|
|
Jan F. Chadima |
69dd72 |
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
|
Jan F. Chadima |
69dd72 |
+ *
|
|
Jan F. Chadima |
69dd72 |
+ * Redistribution and use in source and binary forms, with or without
|
|
Jan F. Chadima |
69dd72 |
+ * modification, are permitted provided that the following conditions
|
|
Jan F. Chadima |
69dd72 |
+ * are met:
|
|
Jan F. Chadima |
69dd72 |
+ * 1. Redistributions of source code must retain the above copyright
|
|
Jan F. Chadima |
69dd72 |
+ * notice, this list of conditions and the following disclaimer.
|
|
Jan F. Chadima |
69dd72 |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
Jan F. Chadima |
69dd72 |
+ * notice, this list of conditions and the following disclaimer in the
|
|
Jan F. Chadima |
69dd72 |
+ * documentation and/or other materials provided with the distribution.
|
|
Jan F. Chadima |
69dd72 |
+ *
|
|
Jan F. Chadima |
69dd72 |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
Jan F. Chadima |
69dd72 |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
Jan F. Chadima |
69dd72 |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
Jan F. Chadima |
69dd72 |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
Jan F. Chadima |
69dd72 |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
Jan F. Chadima |
69dd72 |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
Jan F. Chadima |
69dd72 |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
Jan F. Chadima |
69dd72 |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
Jan F. Chadima |
69dd72 |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
Jan F. Chadima |
69dd72 |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
Jan F. Chadima |
69dd72 |
+ */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#ifndef LDAPMISC_H
|
|
Jan F. Chadima |
69dd72 |
+#define LDAPMISC_H
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#include "ldapincludes.h"
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+int ldap_get_lderrno (LDAP *, char **, char **);
|
|
Jan F. Chadima |
69dd72 |
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+#endif /* LDAPMISC_H */
|
|
Jan F. Chadima |
69dd72 |
+
|
|
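Review bot: the RCS tag on the first line, `$OpenBSD: ldapbody.h,v 1.1 2009/12/03 ...`, names a different file (`ldapbody.h`) and an OpenBSD revision this header never had; drop it or correct it to `ldapmisc.h`, since a misleading `$OpenBSD$` tag implies upstream provenance the code does not have. The two prototypes should also carry a comment stating what `ldap_get_lderrno` returns (the error number, or the `ldap_get_option` result on failure) and who frees the strings returned through the `char **` parameters, since the two build variants in ldapmisc.c behave differently there.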
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/openssh-lpk-openldap.schema.ldap openssh-6.8p1/openssh-lpk-openldap.schema
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/openssh-lpk-openldap.schema.ldap 2015-03-18 11:11:29.033801457 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/openssh-lpk-openldap.schema 2015-03-18 11:11:29.033801457 +0100
|
|
Jan F. Chadima |
69dd72 |
@@ -0,0 +1,21 @@
|
|
Jan F. Chadima |
69dd72 |
+#
|
|
Jan F. Chadima |
69dd72 |
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
|
Jan F. Chadima |
69dd72 |
+# useful with PKA-LDAP also
|
|
Jan F. Chadima |
69dd72 |
+#
|
|
Jan F. Chadima |
69dd72 |
+# Author: Eric AUGE <eau@phear.org>
|
|
Jan F. Chadima |
69dd72 |
+#
|
|
Jan F. Chadima |
69dd72 |
+# Based on the proposal of : Mark Ruijter
|
|
Jan F. Chadima |
69dd72 |
+#
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+# octetString SYNTAX
|
|
Jan F. Chadima |
69dd72 |
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
|
|
Jan F. Chadima |
69dd72 |
+ DESC 'MANDATORY: OpenSSH Public key'
|
|
Jan F. Chadima |
69dd72 |
+ EQUALITY octetStringMatch
|
|
Jan F. Chadima |
69dd72 |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+# printableString SYNTAX yes|no
|
|
Jan F. Chadima |
69dd72 |
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
|
|
Jan F. Chadima |
69dd72 |
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
|
Jan F. Chadima |
69dd72 |
+ MUST ( sshPublicKey $ uid )
|
|
Jan F. Chadima |
69dd72 |
+ )
|
|
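Review bot: the comment `# printableString SYNTAX yes|no` above the `ldapPublicKey` objectclass is a leftover that describes nothing in the definition under it (the class carries no printableString attribute); drop it, or replace it with a note on what `MUST ( sshPublicKey $ uid )` implies, namely that an entry cannot be given the auxiliary class until it has at least one key, so provisioning a user without a key has to add the class later. It would also help to say at `sshPublicKey` that the attribute is multi-valued (no `SINGLE-VALUE`), so one entry can legitimately carry several keys and the helper has to handle that.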
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/openssh-lpk-sun.schema.ldap openssh-6.8p1/openssh-lpk-sun.schema
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/openssh-lpk-sun.schema.ldap 2015-03-18 11:11:29.033801457 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/openssh-lpk-sun.schema 2015-03-18 11:11:29.033801457 +0100
|
|
Jan F. Chadima |
69dd72 |
@@ -0,0 +1,23 @@
|
|
Jan F. Chadima |
69dd72 |
+#
|
|
Jan F. Chadima |
69dd72 |
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
|
Jan F. Chadima |
69dd72 |
+# useful with PKA-LDAP also
|
|
Jan F. Chadima |
69dd72 |
+#
|
|
Jan F. Chadima |
69dd72 |
+# Author: Eric AUGE <eau@phear.org>
|
|
Jan F. Chadima |
69dd72 |
+#
|
|
Jan F. Chadima |
69dd72 |
+# Schema for Sun Directory Server.
|
|
Jan F. Chadima |
69dd72 |
+# Based on the original schema, modified by Stefan Fischer.
|
|
Jan F. Chadima |
69dd72 |
+#
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+dn: cn=schema
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+# octetString SYNTAX
|
|
Jan F. Chadima |
69dd72 |
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
|
|
Jan F. Chadima |
69dd72 |
+ DESC 'MANDATORY: OpenSSH Public key'
|
|
Jan F. Chadima |
69dd72 |
+ EQUALITY octetStringMatch
|
|
Jan F. Chadima |
69dd72 |
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
|
|
Jan F. Chadima |
69dd72 |
+
|
|
Jan F. Chadima |
69dd72 |
+# printableString SYNTAX yes|no
|
|
Jan F. Chadima |
69dd72 |
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
|
|
Jan F. Chadima |
69dd72 |
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
|
Jan F. Chadima |
69dd72 |
+ MUST ( sshPublicKey $ uid )
|
|
Jan F. Chadima |
69dd72 |
+ )
|
|
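Review bot: this file is LDIF addressed to `dn: cn=schema`, but it has neither `changetype: modify` / `add: attributeTypes` lines for loading with `ldapmodify` nor the `objectClass`/`cn: schema` header lines a Sun Directory Server `99user.ldif` drop-in carries, and the HOWTO only says to use the attached schema; a comment at the top stating how the file is meant to be installed would save the operator guessing. The stale `# printableString SYNTAX yes|no` comment from the OpenLDAP variant is repeated here and again describes nothing in the objectclass.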
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ssh-ldap-helper.8.ldap openssh-6.8p1/ssh-ldap-helper.8
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ssh-ldap-helper.8.ldap 2015-03-18 11:11:29.033801457 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ssh-ldap-helper.8 2015-03-18 11:11:29.033801457 +0100
|
|
Petr Lautrbach |
94c6f8 |
@@ -0,0 +1,79 @@
|
|
Petr Lautrbach |
94c6f8 |
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
|
Petr Lautrbach |
94c6f8 |
+.\"
|
|
Petr Lautrbach |
94c6f8 |
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
|
|
Petr Lautrbach |
94c6f8 |
+.\"
|
|
Petr Lautrbach |
94c6f8 |
+.\" Permission to use, copy, modify, and distribute this software for any
|
|
Petr Lautrbach |
94c6f8 |
+.\" purpose with or without fee is hereby granted, provided that the above
|
|
Petr Lautrbach |
94c6f8 |
+.\" copyright notice and this permission notice appear in all copies.
|
|
Petr Lautrbach |
94c6f8 |
+.\"
|
|
Petr Lautrbach |
94c6f8 |
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
Petr Lautrbach |
94c6f8 |
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
Petr Lautrbach |
94c6f8 |
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
Petr Lautrbach |
94c6f8 |
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
Petr Lautrbach |
94c6f8 |
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
Petr Lautrbach |
94c6f8 |
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
Petr Lautrbach |
94c6f8 |
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
Petr Lautrbach |
94c6f8 |
+.\"
|
|
Petr Lautrbach |
94c6f8 |
+.Dd $Mdocdate: April 29 2010 $
|
|
Petr Lautrbach |
94c6f8 |
+.Dt SSH-LDAP-HELPER 8
|
|
Petr Lautrbach |
94c6f8 |
+.Os
|
|
Petr Lautrbach |
94c6f8 |
+.Sh NAME
|
|
Petr Lautrbach |
94c6f8 |
+.Nm ssh-ldap-helper
|
|
Petr Lautrbach |
94c6f8 |
+.Nd sshd helper program for ldap support
|
|
Petr Lautrbach |
94c6f8 |
+.Sh SYNOPSIS
|
|
Petr Lautrbach |
94c6f8 |
+.Nm ssh-ldap-helper
|
|
Petr Lautrbach |
94c6f8 |
+.Op Fl devw
|
|
Petr Lautrbach |
94c6f8 |
+.Op Fl f Ar file
|
|
Petr Lautrbach |
94c6f8 |
+.Op Fl s Ar user
|
|
Petr Lautrbach |
94c6f8 |
+.Sh DESCRIPTION
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+is used by
|
|
Petr Lautrbach |
94c6f8 |
+.Xr sshd 1
|
|
Petr Lautrbach |
94c6f8 |
+to access keys provided by an LDAP.
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+is disabled by default and can only be enabled in the
|
|
Petr Lautrbach |
94c6f8 |
+sshd configuration file
|
|
Petr Lautrbach |
94c6f8 |
+.Pa /etc/ssh/sshd_config
|
|
Petr Lautrbach |
94c6f8 |
+by setting
|
|
Petr Lautrbach |
94c6f8 |
+.Cm AuthorizedKeysCommand
|
|
Petr Lautrbach |
94c6f8 |
+to
|
|
Petr Lautrbach |
94c6f8 |
+.Dq /usr/libexec/ssh-ldap-wrapper .
|
|
Petr Lautrbach |
94c6f8 |
+.Pp
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+is not intended to be invoked by the user, but from
|
|
Petr Lautrbach |
94c6f8 |
+.Xr sshd 8 via
|
|
Petr Lautrbach |
94c6f8 |
+.Xr ssh-ldap-wrapper .
|
|
Petr Lautrbach |
94c6f8 |
+.Pp
|
|
Petr Lautrbach |
94c6f8 |
+The options are as follows:
|
|
Petr Lautrbach |
94c6f8 |
+.Bl -tag -width Ds
|
|
Petr Lautrbach |
94c6f8 |
+.It Fl d
|
|
Petr Lautrbach |
94c6f8 |
+Set the debug mode;
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+prints all logs to stderr instead of syslog.
|
|
Petr Lautrbach |
94c6f8 |
+.It Fl e
|
|
Petr Lautrbach |
94c6f8 |
+Implies \-w;
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+halts if it encounters an unknown item in the ldap.conf file.
|
|
Petr Lautrbach |
94c6f8 |
+.It Fl f
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
|
|
Petr Lautrbach |
94c6f8 |
+.It Fl s
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+prints out the user's keys to stdout and exits.
|
|
Petr Lautrbach |
94c6f8 |
+.It Fl v
|
|
Petr Lautrbach |
94c6f8 |
+Implies \-d;
|
|
Petr Lautrbach |
94c6f8 |
+increases verbosity.
|
|
Petr Lautrbach |
94c6f8 |
+.It Fl w
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+writes warnings about unknown items in the ldap.conf configuration file.
|
|
Petr Lautrbach |
94c6f8 |
+.El
|
|
Petr Lautrbach |
94c6f8 |
+.Sh SEE ALSO
|
|
Petr Lautrbach |
94c6f8 |
+.Xr sshd 8 ,
|
|
Petr Lautrbach |
94c6f8 |
+.Xr sshd_config 5 ,
|
|
Petr Lautrbach |
94c6f8 |
+.Xr ssh-ldap.conf 5 ,
|
|
Petr Lautrbach |
94c6f8 |
+.Sh HISTORY
|
|
Petr Lautrbach |
94c6f8 |
+.Nm
|
|
Petr Lautrbach |
94c6f8 |
+first appeared in
|
|
Petr Lautrbach |
94c6f8 |
+OpenSSH 5.5 + PKA-LDAP .
|
|
Petr Lautrbach |
94c6f8 |
+.Sh AUTHORS
|
|
Petr Lautrbach |
94c6f8 |
+.An Jan F. Chadima Aq jchadima@redhat.com
|
|
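Review bot: the DESCRIPTION tells the administrator to set `AuthorizedKeysCommand` but not `AuthorizedKeysCommandUser`, which sshd of this OpenSSH version requires before it will run the command (it logs an error and skips the lookup otherwise); the page should name that requirement and say which unprivileged account the command should run as, because that account is the one that must be able to read `/etc/ssh/ldap.conf`, where `BindPW` lives. Cross-references are also off: `.Xr sshd 1` should be `.Xr sshd 8` (SEE ALSO has it right), and in `.Xr sshd 8 via` / `.Xr ssh-ldap-wrapper .` the word `via` is taken as the section argument while `ssh-ldap-wrapper` has no manual section at all, so plain text is better for the wrapper. In the option list `.It Fl f` and `.It Fl s` omit the `Ar file` / `Ar user` arguments shown in the SYNOPSIS, and `.Xr ssh-ldap.conf 5 ,` ends SEE ALSO with a dangling comma.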
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ssh-ldap-wrapper.ldap openssh-6.8p1/ssh-ldap-wrapper
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ssh-ldap-wrapper.ldap 2015-03-18 11:11:29.033801457 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ssh-ldap-wrapper 2015-03-18 11:11:29.033801457 +0100
|
|
Petr Lautrbach |
94c6f8 |
@@ -0,0 +1,4 @@
|
|
Petr Lautrbach |
94c6f8 |
+#!/bin/sh
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
Petr Lautrbach |
94c6f8 |
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
|
|
Petr Lautrbach |
94c6f8 |
+
|
|
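Review bot: the script passes `"$1"` straight to `-s` without checking that exactly one argument was supplied, so when invoked by hand with no argument the helper is asked for the keys of an empty user name; a guard such as `[ $# -eq 1 ] || exit 1` keeps that failure at the wrapper. The `#!/bin/sh` line, the quoted `"$1"` and the `exec` are right. One thing to confirm against the install rules: the helper is hardcoded here as `/usr/libexec/openssh/ssh-ldap-helper` while the man page has `AuthorizedKeysCommand` pointing at `/usr/libexec/ssh-ldap-wrapper`, so the two live in different directories and both paths must match what gets installed.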
Jakub Jelen |
132f8f |
diff -up openssh-6.8p1/ssh-ldap.conf.5.ldap openssh-6.8p1/ssh-ldap.conf.5
|
|
Jakub Jelen |
132f8f |
--- openssh-6.8p1/ssh-ldap.conf.5.ldap 2015-03-18 11:11:29.033801457 +0100
|
|
Jakub Jelen |
132f8f |
+++ openssh-6.8p1/ssh-ldap.conf.5 2015-03-18 11:11:29.033801457 +0100
|
|
Jakub Jelen |
3bc8b8 |
@@ -0,0 +1,385 @@
|
|
Jan F. Chadima |
69dd72 |
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
|
Jan F. Chadima |
69dd72 |
+.\"
|
|
Jan F. Chadima |
69dd72 |
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
|
|
Jan F. Chadima |
69dd72 |
+.\"
|
|
Jan F. Chadima |
69dd72 |
+.\" Permission to use, copy, modify, and distribute this software for any
|
|
Jan F. Chadima |
69dd72 |
+.\" purpose with or without fee is hereby granted, provided that the above
|
|
Jan F. Chadima |
69dd72 |
+.\" copyright notice and this permission notice appear in all copies.
|
|
Jan F. Chadima |
69dd72 |
+.\"
|
|
Jan F. Chadima |
69dd72 |
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
Jan F. Chadima |
69dd72 |
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
Jan F. Chadima |
69dd72 |
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
Jan F. Chadima |
69dd72 |
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
Jan F. Chadima |
69dd72 |
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
Jan F. Chadima |
69dd72 |
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
Jan F. Chadima |
69dd72 |
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
Jan F. Chadima |
69dd72 |
+.\"
|
|
Jan F. Chadima |
69dd72 |
+.Dd $Mdocdate: may 12 2010 $
|
|
Jan F. Chadima |
69dd72 |
+.Dt SSH-LDAP.CONF 5
|
|
Jan F. Chadima |
69dd72 |
+.Os
|
|
Jan F. Chadima |
69dd72 |
+.Sh NAME
|
|
Jan F. Chadima |
69dd72 |
+.Nm ssh-ldap.conf
|
|
Jan F. Chadima |
69dd72 |
+.Nd configuration file for ssh-ldap-helper
|
|
Jan F. Chadima |
69dd72 |
+.Sh SYNOPSIS
|
|
Jan F. Chadima |
69dd72 |
+.Nm /etc/ssh/ldap.conf
|
|
Jan F. Chadima |
69dd72 |
+.Sh DESCRIPTION
|
|
Jan F. Chadima |
69dd72 |
+.Xr ssh-ldap-helper 8
|
|
Jan F. Chadima |
69dd72 |
+reads configuration data from
|
|
Jan F. Chadima |
69dd72 |
+.Pa /etc/ssh/ldap.conf
|
|
Jan F. Chadima |
69dd72 |
+(or the file specified with
|
|
Jan F. Chadima |
69dd72 |
+.Fl f
|
|
Jan F. Chadima |
69dd72 |
+on the command line).
|
|
Jan F. Chadima |
69dd72 |
+The file contains keyword-argument pairs, one per line.
|
|
Jan F. Chadima |
69dd72 |
+Lines starting with
|
|
Jan F. Chadima |
69dd72 |
+.Ql #
|
|
Jan F. Chadima |
69dd72 |
+and empty lines are interpreted as comments.
|
|
Jan F. Chadima |
69dd72 |
+.Pp
|
|
Jan F. Chadima |
69dd72 |
+The value starts with the first non-blank character after
|
|
Jan F. Chadima |
69dd72 |
+the keyword's name, and terminates at the end of the line,
|
|
Jan F. Chadima |
69dd72 |
+or at the last sequence of blanks before the end of the line.
|
|
Jan F. Chadima |
69dd72 |
+Quoting values that contain blanks
|
|
Jan F. Chadima |
69dd72 |
+may be incorrect, as the quotes would become part of the value.
|
|
Jan F. Chadima |
69dd72 |
+The possible keywords and their meanings are as follows (note that
|
|
Jan F. Chadima |
69dd72 |
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
|
|
Jan F. Chadima |
69dd72 |
+.Bl -tag -width Ds
|
|
Jan F. Chadima |
69dd72 |
+.It Cm URI
|
|
Jan F. Chadima |
69dd72 |
+The argument(s) are in the form
|
|
Jan F. Chadima |
69dd72 |
+.Pa ldap[si]://[name[:port]]
|
|
Jan F. Chadima |
69dd72 |
+and specify the URI(s) of an LDAP server(s) to which the
|
|
Jan F. Chadima |
69dd72 |
+.Xr ssh-ldap-helper 8
|
|
Jan F. Chadima |
69dd72 |
+should connect. The URI scheme may be any of
|
|
Jan F. Chadima |
69dd72 |
+.Dq ldap ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq ldaps
|
|
Jan F. Chadima |
69dd72 |
+or
|
|
Jan F. Chadima |
69dd72 |
+.Dq ldapi ,
|
|
Jan F. Chadima |
69dd72 |
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
|
|
Jan F. Chadima |
69dd72 |
+over IPC (UNIX domain sockets), respectively.
|
|
Jan F. Chadima |
69dd72 |
+Each server's name can be specified as a
|
|
Jan F. Chadima |
69dd72 |
+domain-style name or an IP address literal. Optionally, the
|
|
Jan F. Chadima |
69dd72 |
+server's name can followed by a ':' and the port number the LDAP
|
|
Jan F. Chadima |
69dd72 |
+server is listening on. If no port number is provided, the default
|
|
Jan F. Chadima |
69dd72 |
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
|
|
Jan F. Chadima |
69dd72 |
+For LDAP over IPC, name is the name of the socket, and no port
|
|
Jan F. Chadima |
69dd72 |
+is required, nor allowed; note that directory separators must be
|
|
Jan F. Chadima |
69dd72 |
+URL-encoded, like any other characters that are special to URLs;
|
|
Jan F. Chadima |
69dd72 |
+A space separated list of URIs may be provided.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Base
|
|
Jan F. Chadima |
69dd72 |
+Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
|
|
Jan F. Chadima |
69dd72 |
+The base must be specified as a DN in LDAP format.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm BindDN
|
|
Jan F. Chadima |
69dd72 |
+Specifies the default BIND DN to use when connecting to the ldap server.
|
|
Jan F. Chadima |
69dd72 |
+The bind DN must be specified as a Distinguished Name in LDAP format.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm BindPW
|
|
Jan F. Chadima |
69dd72 |
+Specifies the default password to use when connecting to the ldap server via
|
|
Jan F. Chadima |
69dd72 |
+.Cm BindDN .
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm RootBindDN
|
|
Jan F. Chadima |
69dd72 |
+Intentionaly does nothing. Recognized for compatibility reasons.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Host
|
|
Jan F. Chadima |
69dd72 |
+The argument(s) specifies the name(s) of an LDAP server(s) to which the
|
|
Jan F. Chadima |
69dd72 |
+.Xr ssh-ldap-helper 8
|
|
Jan F. Chadima |
69dd72 |
+should connect. Each server's name can be specified as a
|
|
Jan F. Chadima |
69dd72 |
+domain-style name or an IP address and optionally followed by a ':' and
|
|
Jan F. Chadima |
69dd72 |
+the port number the ldap server is listening on. A space-separated
|
|
Jan F. Chadima |
69dd72 |
+list of hosts may be provided.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.Cm Host
|
|
Jan F. Chadima |
69dd72 |
+is deprecated in favor of
|
|
Jan F. Chadima |
69dd72 |
+.Cm URI .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Port
|
|
Jan F. Chadima |
69dd72 |
+Specifies the default port used when connecting to LDAP servers(s).
|
|
Jan F. Chadima |
69dd72 |
+The port may be specified as a number.
|
|
Jan F. Chadima |
69dd72 |
+The default port is 389 for ldap:// or 636 for ldaps:// respectively.
|
|
Jan F. Chadima |
69dd72 |
+.Cm Port
|
|
Jan F. Chadima |
69dd72 |
+is deprecated in favor of
|
|
Jan F. Chadima |
69dd72 |
+.Cm URI .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Scope
|
|
Jan F. Chadima |
69dd72 |
+Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
|
|
Jan F. Chadima |
69dd72 |
+There are three options (values) that can be assigned to the
|
|
Jan F. Chadima |
69dd72 |
+.Cm Scope parameter:
|
|
Jan F. Chadima |
69dd72 |
+.Dq base ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq one
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq subtree .
|
|
Jan F. Chadima |
69dd72 |
+Alias for the subtree is
|
|
Jan F. Chadima |
69dd72 |
+.Dq sub .
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq base
|
|
Jan F. Chadima |
69dd72 |
+is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq one
|
|
Jan F. Chadima |
69dd72 |
+is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq subtree
|
|
Jan F. Chadima |
69dd72 |
+is used to indicate searching of all entries at all levels under and including the specified base DN.
|
|
Jan F. Chadima |
69dd72 |
+The default is
|
|
Jan F. Chadima |
69dd72 |
+.Dq subtree .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Deref
|
|
Jan F. Chadima |
69dd72 |
+Specifies how alias dereferencing is done when performing a search. There are four
|
|
Jan F. Chadima |
69dd72 |
+possible values that can be assigned to the
|
|
Jan F. Chadima |
69dd72 |
+.Cm Deref
|
|
Jan F. Chadima |
69dd72 |
+parameter:
|
|
Jan F. Chadima |
69dd72 |
+.Dq never ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq searching ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq finding ,
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq always .
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq never
|
|
Jan F. Chadima |
69dd72 |
+means that the aliases are never dereferenced.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq searching
|
|
Jan F. Chadima |
69dd72 |
+means that the aliases are dereferenced in subordinates of the base object, but
|
|
Jan F. Chadima |
69dd72 |
+not in locating the base object of the search.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq finding
|
|
Jan F. Chadima |
69dd72 |
+means that the aliases are only dereferenced when locating the base object of the search.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq always
|
|
Jan F. Chadima |
69dd72 |
+means that the aliases are dereferenced both in searching and in locating the base object
|
|
Jan F. Chadima |
69dd72 |
+of the search.
|
|
Jan F. Chadima |
69dd72 |
+The default is
|
|
Jan F. Chadima |
69dd72 |
+.Dq never .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TimeLimit
|
|
Jan F. Chadima |
69dd72 |
+Specifies a time limit (in seconds) to use when performing searches.
|
|
Jan F. Chadima |
69dd72 |
+The number should be a non-negative integer. A
|
|
Jan F. Chadima |
69dd72 |
+.Cm TimeLimit
|
|
Jan F. Chadima |
69dd72 |
+of zero (0) specifies that the search time is unlimited. Please note that the server
|
|
Jan F. Chadima |
69dd72 |
+may still apply any server-side limit on the duration of a search operation.
|
|
Jan F. Chadima |
69dd72 |
+The default value is 10.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TimeOut
|
|
Jan F. Chadima |
69dd72 |
+Is an aliast to
|
|
Jan F. Chadima |
69dd72 |
+.Cm TimeLimit .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Bind_TimeLimit
|
|
Jan F. Chadima |
69dd72 |
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
|
|
Jan F. Chadima |
69dd72 |
+following a connect(2) returns in case of no activity.
|
|
Jan F. Chadima |
69dd72 |
+The default value is 10.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Network_TimeOut
|
|
Jan F. Chadima |
69dd72 |
+Is an alias to
|
|
Jan F. Chadima |
69dd72 |
+.Cm Bind_TimeLimit .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Ldap_Version
|
|
Jan F. Chadima |
69dd72 |
+Specifies what version of the LDAP protocol should be used.
|
|
Jan F. Chadima |
69dd72 |
+The allowed values are 2 or 3. The default is 3.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Version
|
|
Jan F. Chadima |
69dd72 |
+Is an alias to
|
|
Jan F. Chadima |
69dd72 |
+.Cm Ldap_Version .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Bind_Policy
|
|
Jan F. Chadima |
69dd72 |
+Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq soft.
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard has 2 aliases
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard_open
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard_init .
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard
|
|
Jan F. Chadima |
69dd72 |
+means that reconects that the
|
|
Jan F. Chadima |
69dd72 |
+.Xr ssh-ldap-helper 8
|
|
Jan F. Chadima |
69dd72 |
+tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq soft
|
|
Jan F. Chadima |
69dd72 |
+means that
|
|
Jan F. Chadima |
69dd72 |
+.Xr ssh-ldap-helper 8
|
|
Jan F. Chadima |
69dd72 |
+fails immediately when it cannot connect to the LDAP seerver.
|
|
Jan F. Chadima |
69dd72 |
+The deault is
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm SSLPath
|
|
Jan F. Chadima |
69dd72 |
+Specifies the path to the X.509 certificate database.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm SSL
|
|
Jan F. Chadima |
69dd72 |
+Specifies whether to use SSL/TLS or not.
|
|
Jan F. Chadima |
69dd72 |
+There are three allowed values:
|
|
Jan F. Chadima |
69dd72 |
+.Dq yes ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq no
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq start_tls
|
|
Jan F. Chadima |
69dd72 |
+Both
|
|
Jan F. Chadima |
69dd72 |
+.Dq true
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq on
|
|
Jan F. Chadima |
69dd72 |
+are the aliases for
|
|
Jan F. Chadima |
69dd72 |
+.Dq yes .
|
|
Jan F. Chadima |
69dd72 |
+.Dq false
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq off
|
|
Jan F. Chadima |
69dd72 |
+are the aliases for
|
|
Jan F. Chadima |
69dd72 |
+.Dq no .
|
|
Jan F. Chadima |
69dd72 |
+If
|
|
Jan F. Chadima |
69dd72 |
+.Dq start_tls
|
|
Jan F. Chadima |
69dd72 |
+is specified then StartTLS is used rather than raw LDAP over SSL.
|
|
Jan F. Chadima |
69dd72 |
+The default for ldap:// is
|
|
Jan F. Chadima |
69dd72 |
+.Dq start_tls ,
|
|
Jan F. Chadima |
69dd72 |
+for ldaps://
|
|
Jan F. Chadima |
69dd72 |
+.Dq yes
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq no
|
|
Jan F. Chadima |
69dd72 |
+for the ldapi:// .
|
|
Jan F. Chadima |
69dd72 |
+In case of host based configuration the default is
|
|
Jan F. Chadima |
69dd72 |
+.Dq start_tls .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Referrals
|
|
Jan F. Chadima |
69dd72 |
+Specifies if the client should automatically follow referrals returned
|
|
Jan F. Chadima |
69dd72 |
+by LDAP servers.
|
|
Jan F. Chadima |
69dd72 |
+The value can be or
|
|
Jan F. Chadima |
69dd72 |
+.Dq yes
|
|
Jan F. Chadima |
69dd72 |
+or
|
|
Jan F. Chadima |
69dd72 |
+.Dq no .
|
|
Jan F. Chadima |
69dd72 |
+.Dq true
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq on
|
|
Jan F. Chadima |
69dd72 |
+are the aliases for
|
|
Jan F. Chadima |
69dd72 |
+.Dq yes .
|
|
Jan F. Chadima |
69dd72 |
+.Dq false
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq off
|
|
Jan F. Chadima |
69dd72 |
+are the aliases for
|
|
Jan F. Chadima |
69dd72 |
+.Dq no .
|
|
Jan F. Chadima |
69dd72 |
+The default is yes.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Restart
|
|
Jan F. Chadima |
69dd72 |
+Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
|
|
Jan F. Chadima |
69dd72 |
+The value can be or
|
|
Jan F. Chadima |
69dd72 |
+.Dq yes
|
|
Jan F. Chadima |
69dd72 |
+or
|
|
Jan F. Chadima |
69dd72 |
+.Dq no .
|
|
Jan F. Chadima |
69dd72 |
+.Dq true
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq on
|
|
Jan F. Chadima |
69dd72 |
+are the aliases for
|
|
Jan F. Chadima |
69dd72 |
+.Dq yes .
|
|
Jan F. Chadima |
69dd72 |
+.Dq false
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq off
|
|
Jan F. Chadima |
69dd72 |
+are the aliases for
|
|
Jan F. Chadima |
69dd72 |
+.Dq no .
|
|
Jan F. Chadima |
69dd72 |
+The default is yes.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_CheckPeer
|
|
Jan F. Chadima |
69dd72 |
+Specifies what checks to perform on server certificates in a TLS session,
|
|
Jan F. Chadima |
69dd72 |
+if any. The value
|
|
Jan F. Chadima |
69dd72 |
+can be specified as one of the following keywords:
|
|
Jan F. Chadima |
69dd72 |
+.Dq never ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq demand ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq allow
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq try .
|
|
Jan F. Chadima |
69dd72 |
+.Dq true ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq on
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq yes
|
|
Jan F. Chadima |
69dd72 |
+are aliases for
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard .
|
|
Jan F. Chadima |
69dd72 |
+.Dq false ,
|
|
Jan F. Chadima |
69dd72 |
+.Dq off
|
|
Jan F. Chadima |
69dd72 |
+and
|
|
Jan F. Chadima |
69dd72 |
+.Dq no
|
|
Jan F. Chadima |
69dd72 |
+are the aliases for
|
|
Jan F. Chadima |
69dd72 |
+.Dq never .
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq never
|
|
Jan F. Chadima |
69dd72 |
+means that the client will not request or check any server certificate.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq allow
|
|
Jan F. Chadima |
69dd72 |
+means that the server certificate is requested. If no certificate is provided,
|
|
Jan F. Chadima |
69dd72 |
+the session proceeds normally. If a bad certificate is provided, it will
|
|
Jan F. Chadima |
69dd72 |
+be ignored and the session proceeds normally.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq try
|
|
Jan F. Chadima |
69dd72 |
+means that the server certificate is requested. If no certificate is provided,
|
|
Jan F. Chadima |
69dd72 |
+the session proceeds normally. If a bad certificate is provided,
|
|
Jan F. Chadima |
69dd72 |
+the session is immediately terminated.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq demand
|
|
Jan F. Chadima |
69dd72 |
+means that the server certificate is requested. If no
|
|
Jan F. Chadima |
69dd72 |
+certificate is provided, or a bad certificate is provided, the session
|
|
Jan F. Chadima |
69dd72 |
+is immediately terminated.
|
|
Jan F. Chadima |
69dd72 |
+The value
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard
|
|
Jan F. Chadima |
69dd72 |
+is the same as
|
|
Jan F. Chadima |
69dd72 |
+.Dq demand .
|
|
Jan F. Chadima |
69dd72 |
+It requires an SSL connection. In the case of the plain conection the
|
|
Jan F. Chadima |
69dd72 |
+session is immediately terminated.
|
|
Jan F. Chadima |
69dd72 |
+The default is
|
|
Jan F. Chadima |
69dd72 |
+.Dq hard .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_ReqCert
|
|
Jan F. Chadima |
69dd72 |
+Is an alias for
|
|
Jan F. Chadima |
69dd72 |
+.Cm TLS_CheckPeer .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_CACertFile
|
|
Jan F. Chadima |
69dd72 |
+Specifies the file that contains certificates for all of the Certificate
|
|
Jan F. Chadima |
69dd72 |
+Authorities the client will recognize.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_CACert
|
|
Jan F. Chadima |
69dd72 |
+Is an alias for
|
|
Jan F. Chadima |
69dd72 |
+.Cm TLS_CACertFile .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_CACertDIR
|
|
Jan F. Chadima |
69dd72 |
+Specifies the path of a directory that contains Certificate Authority
|
|
Jan F. Chadima |
69dd72 |
+certificates in separate individual files. The
|
|
Jan F. Chadima |
69dd72 |
+.Cm TLS_CACert
|
|
Jan F. Chadima |
69dd72 |
+is always used before
|
|
Jan F. Chadima |
69dd72 |
+.Cm TLS_CACertDir .
|
|
Jan F. Chadima |
69dd72 |
+The specified directory must be managed with the OpenSSL c_rehash utility.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_Ciphers
|
|
Jan F. Chadima |
69dd72 |
+Specifies acceptable cipher suite and preference order.
|
|
Jan F. Chadima |
69dd72 |
+The value should be a cipher specification for OpenSSL,
|
|
Jan F. Chadima |
69dd72 |
+e.g.,
|
|
Jan F. Chadima |
69dd72 |
+.Dq HIGH:MEDIUM:+SSLv2 .
|
|
Jan F. Chadima |
69dd72 |
+The default is
|
|
Jan F. Chadima |
69dd72 |
+.Dq ALL .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_Cipher_Suite
|
|
Jan F. Chadima |
69dd72 |
+Is an alias for
|
|
Jan F. Chadima |
69dd72 |
+.Cm TLS_Ciphers .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_Cert
|
|
Jan F. Chadima |
69dd72 |
+Specifies the file that contains the client certificate.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_Certificate
|
|
Jan F. Chadima |
69dd72 |
+Is an alias for
|
|
Jan F. Chadima |
69dd72 |
+.Cm TLS_Cert .
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_Key
|
|
Jan F. Chadima |
69dd72 |
+Specifies the file that contains the private key that matches the certificate
|
|
Jan F. Chadima |
69dd72 |
+stored in the
|
|
Jan F. Chadima |
69dd72 |
+.Cm TLS_Cert
|
|
Jan F. Chadima |
69dd72 |
+file. Currently, the private key must not be protected with a password, so
|
|
Jan F. Chadima |
69dd72 |
+it is of critical importance that the key file is protected carefully.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm TLS_RandFile
|
|
Jan F. Chadima |
69dd72 |
+Specifies the file to obtain random bits from when /dev/[u]random is
|
|
Jan F. Chadima |
69dd72 |
+not available. Generally set to the name of the EGD/PRNGD socket.
|
|
Jan F. Chadima |
69dd72 |
+The environment variable RANDFILE can also be used to specify the filename.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm LogDir
|
|
Jan F. Chadima |
69dd72 |
+Specifies the directory used for logging by the LDAP client library.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm Debug
|
|
Jan F. Chadima |
69dd72 |
+Specifies the debug level used for logging by the LDAP client library.
|
|
Jan F. Chadima |
69dd72 |
+There is no default.
|
|
Jan F. Chadima |
69dd72 |
+.It Cm SSH_Filter
|
|
Jakub Jelen |
3bc8b8 |
+Specifies the user filter applied on the LDAP search.
|
|
Jan F. Chadima |
69dd72 |
+The default is no filter.
|
|
Petr Lautrbach |
e6dbb8 |
+.It Cm AccountClass
|
|
Petr Lautrbach |
e6dbb8 |
+Specifies the LDAP class used to find user accounts.
|
|
Petr Lautrbach |
e6dbb8 |
+The default is posixAccount.
|
|
Jakub Jelen |
3bc8b8 |
+.It Cm search_format
|
|
Jakub Jelen |
3bc8b8 |
+Specifies the user format of search string in LDAP substituting %u for user name
|
|
Jakub Jelen |
3bc8b8 |
+and %f for additional ssh filter
|
|
Jakub Jelen |
3bc8b8 |
+.Cm SSH_Filter
|
|
Jakub Jelen |
3bc8b8 |
+(optional).
|
|
Jakub Jelen |
3bc8b8 |
+The default value is (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
|
|
Jan F. Chadima |
69dd72 |
+.El
|
|
Jan F. Chadima |
69dd72 |
+.Sh FILES
|
|
Jan F. Chadima |
69dd72 |
+.Bl -tag -width Ds
|
|
Jan F. Chadima |
69dd72 |
+.It Pa /etc/ssh/ldap.conf
|
|
Jan F. Chadima |
69dd72 |
+Ldap configuration file for
|
|
Jan F. Chadima |
69dd72 |
+.Xr ssh-ldap-helper 8 .
|
|
Jan F. Chadima |
69dd72 |
+.El
|
|
Jan F. Chadima |
69dd72 |
+.Sh "SEE ALSO"
|
|
Jan F. Chadima |
69dd72 |
+.Xr ldap.conf 5 ,
|
|
Jan F. Chadima |
69dd72 |
+.Xr ssh-ldap-helper 8
|
|
Jan F. Chadima |
69dd72 |
+.Sh HISTORY
|
|
Jan F. Chadima |
69dd72 |
+.Nm
|
|
Jan F. Chadima |
69dd72 |
+first appeared in
|
|
Jan F. Chadima |
69dd72 |
+OpenSSH 5.5 + PKA-LDAP .
|
|
Jan F. Chadima |
69dd72 |
+.Sh AUTHORS
|
|
Jan F. Chadima |
69dd72 |
+.An Jan F. Chadima Aq jchadima@redhat.com
|
|
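Review bot: the TLS_Ciphers example `.Dq HIGH:MEDIUM:+SSLv2` and the documented default `.Dq ALL` both steer readers toward weak cipher specifications; since the keys fetched over this channel are what sshd will trust for authentication, the example should show a restrictive OpenSSL list (for instance `HIGH` on its own) and the text should say that `ALL` admits every suite OpenSSL knows, anonymous (aNULL) suites included, rather than presenting it neutrally. Also in this hunk: the `search_format` entry documents the `%u` and `%f` substitutions, but its default `(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)` also uses `%c`, presumably the `AccountClass` value, which should be listed; the entry should also state whether the user name substituted for `%u` is escaped per RFC 4515 before it is placed in the filter, since that name arrives from the not yet authenticated SSH client. Smaller points: the keyword is introduced as `TLS_CACertDIR` but referenced as `TLS_CACertDir` two lines later; `search_format` is the only lowercase keyword in an otherwise CamelCase list; under `Restart` the line `The value can be or` followed by `.Dq yes` / `or` / `.Dq no .` renders as "can be or "yes" or "no""; `conection` under `hard`; and `OpenSSH 5.5 + PKA-LDAP .` in HISTORY is a plain text line, so the space before the period will be printed.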
Jakub Jelen |
09ca6e |
diff --git a/openssh-lpk-openldap.ldif b/openssh-lpk-openldap.ldif
|
|
Jakub Jelen |
09ca6e |
new file mode 100644
|
|
Jakub Jelen |
09ca6e |
index 0000000..9adf4b8
|
|
Jakub Jelen |
09ca6e |
--- /dev/null
|
|
Jakub Jelen |
09ca6e |
+++ b/openssh-lpk-openldap.ldif
|
|
Jakub Jelen |
09ca6e |
@@ -0,0 +1,19 @@
|
|
Jakub Jelen |
09ca6e |
+#
|
|
Jakub Jelen |
09ca6e |
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
|
Jakub Jelen |
09ca6e |
+# useful with PKA-LDAP also
|
|
Jakub Jelen |
09ca6e |
+#
|
|
Jakub Jelen |
09ca6e |
+# Author: Eric AUGE <eau@phear.org>
|
|
Jakub Jelen |
09ca6e |
+#
|
|
Jakub Jelen |
09ca6e |
+# LDIF for openLDAP Directory Server.
|
|
Jakub Jelen |
09ca6e |
+# Based on the original schema, modified by Jakub Jelen.
|
|
Jakub Jelen |
09ca6e |
+#
|
|
Jakub Jelen |
09ca6e |
+
|
|
Jakub Jelen |
09ca6e |
+dn: cn=openssh-lpk,cn=schema,cn=config
|
|
Jakub Jelen |
09ca6e |
+objectClass: olcSchemaConfig
|
|
Jakub Jelen |
09ca6e |
+cn: openssh-lpk
|
|
Jakub Jelen |
09ca6e |
+olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13
|
|
Jakub Jelen |
09ca6e |
+ NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
|
|
Jakub Jelen |
09ca6e |
+ EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
|
|
Jakub Jelen |
09ca6e |
+olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0
|
|
Jakub Jelen |
09ca6e |
+ NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
|
|
Jakub Jelen |
09ca6e |
+ SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
|
|
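Review bot: `ldapPublicKey` declares `MUST ( sshPublicKey $ uid )`, so an account cannot carry the class until at least one key is stored and the last key cannot be removed without also dropping the class; if that is intended as admission control it deserves a comment in the header, otherwise `MAY ( sshPublicKey )` with `uid` kept mandatory is the more usual shape for an auxiliary class. The header says the file is "based on the original schema, modified by Jakub Jelen" but not what was modified; listing the differences would let reviewers compare against directories that already load the original, which matters because changes under `cn=schema,cn=config` are awkward to roll back. `sshPublicKey` carries no `SINGLE-VALUE`, so it stays multi-valued, which is right for users with several keys.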
Jakub Jelen |
09ca6e |
diff --git a/openssh-lpk-sun.ldif b/openssh-lpk-sun.ldif
|
|
Jakub Jelen |
09ca6e |
new file mode 100644
|
|
Jakub Jelen |
09ca6e |
index 0000000..9adf4b8
|
|
Jakub Jelen |
09ca6e |
--- /dev/null
|
|
Jakub Jelen |
09ca6e |
+++ b/openssh-lpk-sun.ldif
|
|
Jakub Jelen |
09ca6e |
@@ -0,0 +1,17 @@
|
|
Jakub Jelen |
09ca6e |
+#
|
|
Jakub Jelen |
09ca6e |
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
|
Jakub Jelen |
09ca6e |
+# useful with PKA-LDAP also
|
|
Jakub Jelen |
09ca6e |
+#
|
|
Jakub Jelen |
09ca6e |
+# Author: Eric AUGE <eau@phear.org>
|
|
Jakub Jelen |
09ca6e |
+#
|
|
Jakub Jelen |
09ca6e |
+# LDIF for Sun Directory Server.
|
|
Jakub Jelen |
09ca6e |
+# Based on the original schema, modified by Jakub Jelen.
|
|
Jakub Jelen |
09ca6e |
+#
|
|
Jakub Jelen |
09ca6e |
+
|
|
Jakub Jelen |
09ca6e |
+dn: cn=schema
|
|
Jakub Jelen |
09ca6e |
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
|
|
Jakub Jelen |
09ca6e |
+ NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
|
|
Jakub Jelen |
09ca6e |
+ EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
|
|
Jakub Jelen |
09ca6e |
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
|
|
Jakub Jelen |
09ca6e |
+ NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
|
|
Jakub Jelen |
09ca6e |
+ SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
|
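Review bot: the file header for this hunk carries `index 0000000..9adf4b8`, the same blob id as the OpenLDAP LDIF above, yet the two files differ (`dn: cn=schema` versus `dn: cn=openssh-lpk,cn=schema,cn=config`, `attributeTypes` versus `olcAttributeTypes`), so at least one index line is wrong and the patch looks hand-edited; regenerate it so the index lines match the content. On Sun Directory Server (and 389 DS) the schema is held in the existing `cn=schema` entry, so an LDIF consisting of a bare `dn: cn=schema` followed by attributes reads as an add of an entry that already exists; to apply it with ldapmodify it needs `changetype: modify` and `add: attributeTypes` / `add: objectClasses` sections, and the header comment should name the tool and invocation the file is meant for.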