vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Blob Blame History Raw
diff -up openssh-5.5p1/config.h.in.ldap openssh-5.5p1/config.h.in
--- openssh-5.5p1/config.h.in.ldap	2010-04-16 02:17:09.000000000 +0200
+++ openssh-5.5p1/config.h.in	2010-04-28 11:34:13.000000000 +0200
@@ -1,5 +1,8 @@
 /* config.h.in.  Generated from configure.ac by autoheader.  */
 
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
 /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
    */
 #undef AIX_GETNAMEINFO_HACK
@@ -536,6 +539,57 @@
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
 
+/* Define to 1 if you have the <lber.h> header file. */
+#undef HAVE_LBER_H
+
+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
+
+/* Define to 1 if you have the `ldap_controls_free' function. */
+#undef HAVE_LDAP_CONTROLS_FREE
+
+/* Define to 1 if you have the `ldap_get_lderrno' function. */
+#undef HAVE_LDAP_GET_LDERRNO
+
+/* Define to 1 if you have the `ldap_get_option' function. */
+#undef HAVE_LDAP_GET_OPTION
+
+/* Define to 1 if you have the <ldap.h> header file. */
+#undef HAVE_LDAP_H
+
+/* Define to 1 if you have the `ldap_init' function. */
+#undef HAVE_LDAP_INIT
+
+/* Define to 1 if you have the `ldap_initialize' function. */
+#undef HAVE_LDAP_INITIALIZE
+
+/* Define to 1 if you have the `ldap_memfree' function. */
+#undef HAVE_LDAP_MEMFREE
+
+/* Define to 1 if you have the `ldap_parse_result' function. */
+#undef HAVE_LDAP_PARSE_RESULT
+
+/* Define to 1 if you have the `ldap_pvt_tls_set_option' function. */
+#undef HAVE_LDAP_PVT_TLS_SET_OPTION
+
+/* Define to 1 if you have the `ldap_set_lderrno' function. */
+#undef HAVE_LDAP_SET_LDERRNO
+
+/* Define to 1 if you have the `ldap_set_option' function. */
+#undef HAVE_LDAP_SET_OPTION
+
+/* Define to 1 if you have the `ldap_set_rebind_proc' function. */
+#undef HAVE_LDAP_SET_REBIND_PROC
+
+/* Define to 1 if you have the <ldap_ssl.h> header file. */
+#undef HAVE_LDAP_SSL_H
+
+/* Define to 1 if you have the `ldap_start_tls_s' function. */
+#undef HAVE_LDAP_START_TLS_S
+
+/* Define to 1 if you have the <libaudit.h> header file. */
+#undef HAVE_LIBAUDIT_H
+
 /* Define to 1 if you have the `bsm' library (-lbsm). */
 #undef HAVE_LIBBSM
 
@@ -575,6 +629,9 @@
 /* Define to 1 if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H
 
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
 /* Define to 1 if you have the <linux/if_tun.h> header file. */
 #undef HAVE_LINUX_IF_TUN_H
 
@@ -771,6 +828,9 @@
 /* Define to 1 if you have the `setgroups' function. */
 #undef HAVE_SETGROUPS
 
+/* Define to 1 if you have the `setkeycreatecon' function. */
+#undef HAVE_SETKEYCREATECON
+
 /* Define to 1 if you have the `setlogin' function. */
 #undef HAVE_SETLOGIN
 
@@ -921,13 +981,13 @@
 /* define if you have struct sockaddr_in6 data type */
 #undef HAVE_STRUCT_SOCKADDR_IN6
 
-/* Define to 1 if `sin6_scope_id' is member of `struct sockaddr_in6'. */
+/* Define to 1 if `sin6_scope_id' is a member of `struct sockaddr_in6'. */
 #undef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID
 
 /* define if you have struct sockaddr_storage data type */
 #undef HAVE_STRUCT_SOCKADDR_STORAGE
 
-/* Define to 1 if `st_blksize' is member of `struct stat'. */
+/* Define to 1 if `st_blksize' is a member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_BLKSIZE
 
 /* Define to 1 if the system has the type `struct timespec'. */
@@ -1191,6 +1251,9 @@
 /* Define if pututxline updates lastlog too */
 #undef LASTLOG_WRITE_PUTUTXLINE
 
+/* number arguments of ldap_set_rebind_proc */
+#undef LDAP_SET_REBIND_PROC_ARGS
+
 /* Define if you want TCP Wrappers support */
 #undef LIBWRAP
 
@@ -1274,6 +1337,9 @@
 /* Define to the one symbol short name of this package. */
 #undef PACKAGE_TARNAME
 
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
@@ -1360,6 +1426,10 @@
 /* Prepend the address family to IP tunnel traffic */
 #undef SSH_TUN_PREPEND_AF
 
+/* Define to your vendor patch level, if it has been modified from the
+   upstream source release. */
+#undef SSH_VENDOR_PATCHLEVEL
+
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 
@@ -1384,6 +1454,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
+/* platform uses an in-memory credentials cache */
+#undef USE_CCAPI
+
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
@@ -1396,6 +1469,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
+/* platform has the Security Authorization Session API */
+#undef USE_SECURITY_SESSION_API
+
 /* Define if you have Solaris process contracts */
 #undef USE_SOLARIS_PROCESS_CONTRACTS
 
@@ -1418,12 +1494,26 @@
 /* Define if you want IRIX project management */
 #undef WITH_IRIX_PROJECT
 
+/* Enable LDAP pubkey support */
+#undef WITH_LDAP_PUBKEY
+
+/* Enable pubkey agent support */
+#undef WITH_PUBKEY_AGENT
+
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
 
-/* Define to 1 if your processor stores words with the most significant byte
-   first (like Motorola and SPARC, unlike Intel and VAX). */
-#undef WORDS_BIGENDIAN
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+#  define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+#  undef WORDS_BIGENDIAN
+# endif
+#endif
 
 /* Define if xauth is found in your path */
 #undef XAUTH_PATH
diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac
--- openssh-5.5p1/configure.ac.ldap	2010-04-28 11:34:09.000000000 +0200
+++ openssh-5.5p1/configure.ac	2010-04-28 11:34:13.000000000 +0200
@@ -1382,6 +1382,106 @@ AC_ARG_WITH(pka,
 	]
 )
 
+# Check whether user wants LDAP support
+LDAP_MSG="no"
+INSTALL_SSH_LDAP_HELPER=""
+AC_ARG_WITH(ldap,
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+
+			INSTALL_SSH_LDAP_HELPER="yes"
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
+
+			if test "x$withval" != "xyes" ; then
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
+			fi
+
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
+			LDAP_MSG="yes"
+
+			AC_CHECK_HEADERS(lber.h)
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
+			AC_CHECK_HEADERS(ldap_ssl.h)
+
+			AC_ARG_WITH(ldap-lib,
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+
+			if test -z "$with_ldap_lib"; then
+				with_ldap_lib=auto
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
+				fi
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib"; then
+				AC_MSG_ERROR(could not locate a valid LDAP library)
+			fi
+
+			AC_MSG_CHECKING([for working LDAP support])
+			AC_TRY_COMPILE(
+				[#include <sys/types.h>
+				 #include <ldap.h>],
+				[(void)ldap_init(0, 0);],
+				[AC_MSG_RESULT(yes)],
+				[
+				    AC_MSG_RESULT(no) 
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
+				])
+			AC_CHECK_FUNCS( \
+				ldap_init \
+				ldap_get_lderrno \
+				ldap_set_lderrno \
+				ldap_parse_result \
+				ldap_memfree \
+				ldap_controls_free \
+				ldap_set_option \
+				ldap_get_option \
+				ldapssl_init \
+				ldap_start_tls_s \
+				ldap_pvt_tls_set_option \
+				ldap_initialize \
+			)
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
+				AC_TRY_COMPILE(
+					[#include <lber.h>
+					#include <ldap.h>],
+					[ldap_set_rebind_proc(0, 0, 0);],
+					[ac_cv_ldap_set_rebind_proc=3],
+					[ac_cv_ldap_set_rebind_proc=2])
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
+			)
+		fi
+	]
+)
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
@@ -4239,6 +4339,7 @@ echo "                 Smartcard support
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "                       PKA support: $PKA_MSG"
+echo "                      LDAP support: $LDAP_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c
--- openssh-5.5p1/ldapbody.c.ldap	2010-04-28 11:34:13.000000000 +0200
+++ openssh-5.5p1/ldapbody.c	2010-04-28 11:34:13.000000000 +0200
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapmisc.h"
+#include "ldapbody.h"
+#include <stdio.h>
+#include <unistd.h>
+
+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
+#define PUBKEYATTR "sshPublicKey"
+#define LDAP_LOGFILE	"%s/ldap.%d"
+
+static FILE *logfile = NULL;
+static LDAP *ld;
+
+static char *attrs[] = {
+    PUBKEYATTR,
+    NULL
+};
+
+void
+ldap_checkconfig (void)
+{
+#ifdef HAVE_LDAP_INITIALIZE
+		if (options.host == NULL && options.uri == NULL)
+#else
+		if (options.host == NULL)
+#endif
+		    fatal ("missing  \"host\" in config file");
+}
+
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+static int
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
+{
+	struct timeval timeout;
+	int rc;
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
+	LDAPMessage *result;
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
+
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
+	if (options.ssl == SSL_START_TLS) {
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
+			return LDAP_OPERATIONS_ERROR;
+		}
+	}
+
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
+#else
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
+
+	timeout.tv_sec = options.bind_timelimit;
+	timeout.tv_usec = 0;
+	result = NULL;
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
+		ldap_msgfree (result);
+		return LDAP_OPERATIONS_ERROR;
+	}
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
+	return rc;
+#endif
+}
+#else
+
+static int
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
+{
+	if (freeit)
+	    return LDAP_SUCCESS;
+
+	*whop = strdup (options.binddn);
+	*credp = strdup (options.bindpw);
+	*methodp = LDAP_AUTH_SIMPLE;
+	debug2 ("Doing LDAP rebind for %s", *whop);
+	return LDAP_SUCCESS;
+}
+#endif
+
+void
+ldap_do_connect(void)
+{
+	int rc, msgid, ld_errno = 0;
+	struct timeval timeout;
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
+	int parserc;
+	LDAPMessage *result;
+	LDAPControl **controls;
+	int reconnect = 0;
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
+
+	debug ("LDAP do connect");
+
+retry:
+	if (reconnect) {
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
+		if (options.bind_policy == 0 ||
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
+			reconnect > 5)
+			    fatal ("Cannot connect to LDAP server");
+	
+		if (reconnect > 1)
+			sleep (reconnect - 1);
+
+		if (ld != NULL) {
+			ldap_unbind (ld);
+			ld = NULL;
+		}
+		logit("reconnecting to LDAP server...");
+	}
+
+	if (ld == NULL) {
+		int rc;
+		struct timeval tv;
+
+#ifdef HAVE_LDAP_SET_OPTION
+		if (options.debug > 0) {
+#ifdef LBER_OPT_LOG_PRINT_FILE
+			if (options.logdir) {
+				char *logfilename;
+				int logfilenamelen;
+
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
+				logfilename = xmalloc (logfilenamelen);
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
+				logfilename[logfilenamelen - 1] = 0;
+				if ((logfile = fopen (logfilename, "a")) == NULL)
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
+				debug3 ("LDAP debug into %s", logfilename);
+				xfree (logfilename);
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
+			}
+#endif
+			if (options.debug) {
+#ifdef LBER_OPT_DEBUG_LEVEL
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
+#endif /* LBER_OPT_DEBUG_LEVEL */
+#ifdef LDAP_OPT_DEBUG_LEVEL
+				ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
+#endif /* LDAP_OPT_DEBUG_LEVEL */
+				debug3 ("Set LDAP debug to %d", options.debug);
+			}
+		}
+#endif /* HAVE_LDAP_SET_OPTION */
+
+		ld = NULL;
+#ifdef HAVE_LDAPSSL_INIT
+		if (options.host != NULL) {
+			if (options.ssl_on == SSL_LDAPS) {
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
+				debug3 ("LDAPssl client init");
+			}
+
+			if (options.ssl_on != SSL_OFF) {
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
+				    fatal ("ldapssl_init failed");
+				debug3 ("LDAPssl init");
+			}
+		}
+#endif /* HAVE_LDAPSSL_INIT */
+
+		/* continue with opening */
+		if (ld == NULL) {
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
+			/* Some global TLS-specific options need to be set before we create our
+			 * session context, so we set them here. */
+
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
+			/* rand file */
+			if (options.tls_randfile != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
+				    options.tls_randfile)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS random file %s", options.tls_randfile);
+			}
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
+
+			/* ca cert file */
+			if (options.tls_cacertfile != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
+			}
+
+			/* ca cert directory */
+			if (options.tls_cacertdir != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
+			}
+
+			/* require cert? */
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
+				    ldap_err2string (rc));
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
+
+			/* set cipher suite, certificate and private key: */
+			if (options.tls_ciphers != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
+				    options.tls_ciphers)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
+			}
+
+			/* cert file */
+			if (options.tls_cert != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
+				    options.tls_cert)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
+			}
+
+			/* key file */
+			if (options.tls_key != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
+				    options.tls_key)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS key file %s ", options.tls_key);
+			}
+#endif
+#ifdef HAVE_LDAP_INITIALIZE
+			if (options.uri != NULL) {
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
+				debug3 ("LDAP initialize %s", options.uri);
+			}
+	}
+#endif /* HAVE_LDAP_INTITIALIZE */
+
+		/* continue with opening */
+		if ((ld == NULL) && (options.host != NULL)) {
+#ifdef HAVE_LDAP_INIT
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
+			    fatal ("ldap_init failed");
+			debug3 ("LDAP init %s:%d", options.host, options.port);
+#else
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
+			    fatal ("ldap_open failed");
+			debug3 ("LDAP open %s:%d", options.host, options.port);
+#endif /* HAVE_LDAP_INIT */
+		}
+
+		if (ld == NULL)
+			fatal ("no way to open ldap");
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
+		if (options.ssl == SSL_LDAPS) {
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
+		}
+#endif /* LDAP_OPT_X_TLS */
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
+		    &options.ldap_version);
+#else
+		ld->ld_version = options.ldap_version;
+#endif
+		debug3 ("LDAP set version to %d", options.ldap_version);
+
+#if LDAP_SET_REBIND_PROC_ARGS == 3
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
+		ldap_set_rebind_proc (ld, _rebind_proc);
+#else
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
+#endif
+		debug3 ("LDAP set rebind proc");
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
+#else
+		ld->ld_deref = options.deref;
+#endif
+		debug3 ("LDAP set deref to %d", options.deref);
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
+		    &options.timelimit);
+#else
+		ld->ld_timelimit = options.timelimit;
+#endif
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
+		/*
+		 * This is a new option in the Netscape SDK which sets 
+		 * the TCP connect timeout. For want of a better value,
+		 * we use the bind_timelimit to control this.
+		 */
+		timeout = options.bind_timelimit * 1000;
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
+		tv.tv_sec = options.bind_timelimit;
+		tv.tv_usec = 0;
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
+		debug3 ("LDAP set referrals to %d", options.referrals);
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
+		debug3 ("LDAP set restart to %d", options.restart);
+#endif
+
+#ifdef HAVE_LDAP_START_TLS_S
+		if (options.ssl == SSL_START_TLS) {
+			int version;
+
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
+			    == LDAP_SUCCESS) {
+				if (version < LDAP_VERSION3) {
+					version = LDAP_VERSION3;
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
+					    &version);
+					debug3 ("LDAP set version to %d", version);
+				}
+			}
+
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
+			debug3 ("LDAP start TLS");
+		}
+#endif /* HAVE_LDAP_START_TLS_S */
+	}
+
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
+	    options.bindpw)) == -1) {
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
+
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
+		reconnect++;
+		goto retry;
+	}
+	debug3 ("LDAP simple bind (%s)", options.binddn);
+
+	timeout.tv_sec = options.bind_timelimit;
+	timeout.tv_usec = 0;
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
+
+		error ("ldap_result %s", ldap_err2string (ld_errno));
+		reconnect++;
+		goto retry;
+	}
+	debug3 ("LDAP result in time");
+
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
+	controls = NULL;
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
+	debug3 ("LDAP parse result OK");
+
+	if (controls != NULL) {
+		ldap_controls_free (controls);
+	}
+#else
+	rc = ldap_result2error (session->ld, result, TRUE);
+#endif
+	if (rc != LDAP_SUCCESS)
+	    fatal ("error trying to bind as user \"%s\" (%s)",
+		options.binddn, ldap_err2string (rc));
+
+	debug2 ("LDAP do connect OK");
+}
+
+void
+process_user (const char *user, FILE *output)
+{
+	LDAPMessage *res, *e;
+	char *buffer;
+	int bufflen, rc, i;
+	struct timeval timeout;
+
+	debug ("LDAP process user");
+
+	/* quick check for attempts to be evil */
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
+		logit ("illegal user name %s not processed", user);
+		return;
+	}
+
+	/* build  filter for LDAP request */
+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
+	if (options.ssh_filter != NULL)
+	    bufflen += strlen (options.ssh_filter);
+	buffer = xmalloc (bufflen);
+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
+	buffer[bufflen - 1] = 0;
+
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
+
+	timeout.tv_sec = options.timelimit;
+	timeout.tv_usec = 0;
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
+		xfree (buffer);
+		return;
+	}
+
+	/* free */
+	xfree (buffer);
+
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
+		int num;
+		struct berval **keys;
+
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
+		num = ldap_count_values_len(keys);
+		for (i = 0 ; i < num ; i++) {
+			char *cp; //, *options = NULL;
+
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
+			if (!*cp || *cp == '\n' || *cp == '#')
+			    continue;
+
+			/* We have found the desired key. */
+			fprintf (output, "%s\n", keys[i]->bv_val);
+		}
+
+		ldap_value_free_len(keys);
+	}
+
+	ldap_msgfree(res);
+	debug2 ("LDAP process user finished");
+}
+
+void
+ldap_do_close(void)
+{
+	int rc;
+
+	debug ("LDAP do close");
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
+	    fatal ("ldap_unbind_ext: %s",
+                                    ldap_err2string (rc));
+
+	ld = NULL;
+	debug2 ("LDAP do close OK");
+	return;
+}
+
diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h
--- openssh-5.5p1/ldapbody.h.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldapbody.h	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPBODY_H
+#define LDAPBODY_H
+
+#include <stdio.h>
+
+void ldap_checkconfig(void);
+void ldap_do_connect(void);
+void process_user(const char *, FILE *);
+void ldap_do_close(void);
+
+#endif /* LDAPBODY_H */
+
diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c
--- openssh-5.5p1/ldapconf.c.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldapconf.c	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,665 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "ldap-helper.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include <unistd.h>
+#include <string.h>
+
+/* Keyword tokens. */
+
+typedef enum {
+	lBadOption,
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
+	lRestart, lTLS_CheckPeer, lTLS_Certificate, lTLS_CaCertFile,
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
+	lTLS_RandFile, lLogdir, lDebug, lSSH_Filter,
+	lDeprecated, lUnsupported
+} OpCodes;
+
+/* Textual representations of the tokens. */
+
+static struct {
+	const char *name;
+	OpCodes opcode;
+} keywords[] = {
+	{ "Host", lHost },
+	{ "URI", lURI },
+	{ "Base", lBase },
+	{ "BindDN", lBindDN },
+	{ "BindPW", lBindPW },
+	{ "RootBindDN", lRootBindDN },
+	{ "Scope", lScope },
+	{ "Deref", lDeref },
+	{ "Port", lPort },
+	{ "Timelimit", lTimeLimit },
+	{ "Bind_Timelimit", lBind_TimeLimit },
+	{ "Ldap_Version", lLdap_Version },
+	{ "Bind_Policy", lBind_Policy },
+	{ "SSLPath", lSSLPath },
+	{ "SSL", lSSL },
+	{ "Referrals", lReferrals },
+	{ "Restart", lRestart },
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
+	{ "TLS_Certificate", lTLS_Certificate },
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
+	{ "TLS_Ciphers", lTLS_Ciphers },
+	{ "TLS_Cert", lTLS_Cert },
+	{ "TLS_Key", lTLS_Key },
+	{ "TLS_RandFile", lTLS_RandFile },
+	{ "Logdir", lLogdir },
+	{ "Debug", lDebug },
+	{ "SSH_Filter", lSSH_Filter },
+	{ NULL, lBadOption }
+};
+
+/* Configuration ptions. */
+
+Options options;
+
+/*
+ * Returns the number of the token pointed to by cp or oBadOption.
+ */
+
+static OpCodes
+parse_token(const char *cp, const char *filename, int linenum)
+{
+	u_int i;
+
+	for (i = 0; keywords[i].name; i++)
+		if (strcasecmp(cp, keywords[i].name) == 0)
+			return keywords[i].opcode;
+
+	if (config_warning_config_file) 
+	    logit("%s: line %d: Bad configuration option: %s",
+		filename, linenum, cp);
+	return lBadOption;
+}
+
+/*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set.
+ */
+#define WHITESPACE " \t\r\n"
+
+static int
+process_config_line(char *line, const char *filename, int linenum)
+{
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
+	char *rootbinddn = NULL;
+	int opcode, *intptr, value;
+	size_t len;
+
+	/* Strip trailing whitespace */
+	for (len = strlen(line) - 1; len > 0; len--) {
+		if (strchr(WHITESPACE, line[len]) == NULL)
+			break;
+		line[len] = '\0';
+	}
+
+	s = line;
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
+	if ((keyword = strdelim(&s)) == NULL)
+		return 0;
+	/* Ignore leading whitespace. */
+	if (*keyword == '\0')
+		keyword = strdelim(&s);
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
+		return 0;
+
+	opcode = parse_token(keyword, filename, linenum);
+
+	switch (opcode) {
+	case lBadOption:
+		/* don't panic, but count bad options */
+		return -1;
+		/* NOTREACHED */
+
+	case lHost:
+		xstringptr = &options.host;
+parse_xstring:
+		if (!s || *s == '\0')
+		    fatal("%s line %d: missing dn",filename,linenum);
+		if (*xstringptr == NULL)
+		    *xstringptr = xstrdup(s);
+		return 0;
+
+	case lURI:
+		xstringptr = &options.uri;
+		goto parse_xstring;
+
+	case lBase:
+		xstringptr = &options.base;
+		goto parse_xstring;
+
+	case lBindDN:
+		xstringptr = &options.binddn;
+		goto parse_xstring;
+
+	case lBindPW:
+		charptr = &options.bindpw;
+parse_string:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (*charptr == NULL)
+			*charptr = xstrdup(arg);
+		break;
+
+	case lRootBindDN:
+		xstringptr = &rootbinddn;
+		goto parse_xstring;
+
+	case lScope:
+		intptr = &options.scope;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (!strcasecmp (arg, "sub"))
+			value = LDAP_SCOPE_SUBTREE;
+		else if (!strcasecmp (arg, "one"))
+			value = LDAP_SCOPE_ONELEVEL;
+		else if (!strcasecmp (arg, "base"))
+			value = LDAP_SCOPE_BASE;
+		else
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lDeref:
+		intptr = &options.scope;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (!strcasecmp (arg, "never"))
+			value = LDAP_DEREF_NEVER;
+		else if (!strcasecmp (arg, "searching"))
+			value = LDAP_DEREF_SEARCHING;
+		else if (!strcasecmp (arg, "finding"))
+			value = LDAP_DEREF_FINDING;
+		else if (!strcasecmp (arg, "always"))
+			value = LDAP_DEREF_ALWAYS;
+		else
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lPort:
+		intptr = &options.port;
+parse_int:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (arg[0] < '0' || arg[0] > '9')
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+
+		/* Octal, decimal, or hex format? */
+		value = strtol(arg, &endofnumber, 0);
+		if (arg == endofnumber)
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lTimeLimit:
+		intptr = &options.timelimit;
+parse_time:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing time value.",
+			    filename, linenum);
+		if ((value = convtime(arg)) == -1)
+			fatal("%s line %d: invalid time value.",
+			    filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lBind_TimeLimit:
+		intptr = &options.bind_timelimit;
+		goto parse_time;
+
+	case lLdap_Version:
+		intptr = &options.ldap_version;
+		goto parse_int;
+
+	case lBind_Policy:
+		intptr = &options.bind_policy;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "hard") == 0)
+			value = 1;
+		else if (strcasecmp(arg, "soft") == 0)
+			value = 0;
+		else
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
+		if (*intptr == -1)
+		break;
+
+	case lSSLPath:
+		charptr = &options.sslpath;
+		goto parse_string;
+
+	case lSSL:
+		intptr = &options.ssl;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
+			value = SSL_LDAPS;
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
+			value = SSL_OFF;
+		else if (!strcasecmp (arg, "start_tls"))
+			value = SSL_START_TLS;
+		else
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lReferrals:
+		intptr = &options.referrals;
+parse_flag:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
+			value = 1;
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
+			value = 0;
+		else
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lRestart:
+		intptr = &options.restart;
+		goto parse_flag;
+
+	case lTLS_CheckPeer:
+		intptr = &options.tls_checkpeer;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "never") == 0)
+			value = LDAP_OPT_X_TLS_NEVER;
+		else if (strcasecmp(arg, "hard") == 0)
+			value = LDAP_OPT_X_TLS_HARD;
+		else if (strcasecmp(arg, "demand") == 0)
+			value = LDAP_OPT_X_TLS_DEMAND;
+		else if (strcasecmp(arg, "allow") == 0)
+			value = LDAP_OPT_X_TLS_ALLOW;
+		else if (strcasecmp(arg, "try") == 0)
+			value = LDAP_OPT_X_TLS_TRY;
+		else
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
+		if (*intptr == -1)
+		break;
+
+	case lTLS_CaCertFile:
+		charptr = &options.tls_cacertfile;
+		goto parse_string;
+
+	case lTLS_CaCertDir:
+		charptr = &options.tls_cacertdir;
+		goto parse_string;
+
+	case lTLS_Ciphers:
+		xstringptr = &options.tls_ciphers;
+		goto parse_xstring;
+
+	case lTLS_Cert:
+		charptr = &options.tls_cert;
+		goto parse_string;
+
+	case lTLS_Key:
+		charptr = &options.tls_key;
+		goto parse_string;
+
+	case lTLS_RandFile:
+		charptr = &options.tls_randfile;
+		goto parse_string;
+
+	case lLogdir:
+		charptr = &options.logdir;
+		goto parse_string;
+
+	case lDebug:
+		intptr = &options.debug;
+		goto parse_int;
+
+	case lSSH_Filter:
+		xstringptr = &options.ssh_filter;
+		goto parse_xstring;
+
+	case lDeprecated:
+		debug("%s line %d: Deprecated option \"%s\"",
+		    filename, linenum, keyword);
+		return 0;
+
+	case lUnsupported:
+		error("%s line %d: Unsupported option \"%s\"",
+		    filename, linenum, keyword);
+		return 0;
+
+	default:
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
+	}
+
+	/* Check that there is no garbage at end of line. */
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
+		    filename, linenum, arg);
+	}
+	return 0;
+}
+
+/*
+ * Reads the config file and modifies the options accordingly.  Options
+ * should already be initialized before this call.  This never returns if
+ * there is an error.  If the file does not exist, this returns 0.
+ */
+
+void
+read_config_file(const char *filename)
+{
+	FILE *f;
+	char line[1024];
+	int active, linenum;
+	int bad_options = 0;
+	struct stat sb;
+
+	if ((f = fopen(filename, "r")) == NULL)
+		fatal("fopen %s: %s", filename, strerror(errno));
+
+	if (fstat(fileno(f), &sb) == -1)
+		fatal("fstat %s: %s", filename, strerror(errno));
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
+	    (sb.st_mode & 022) != 0))
+		fatal("Bad owner or permissions on %s", filename);
+
+	debug("Reading configuration data %.200s", filename);
+
+	/*
+	 * Mark that we are now processing the options.  This flag is turned
+	 * on/off by Host specifications.
+	 */
+	active = 1;
+	linenum = 0;
+	while (fgets(line, sizeof(line), f)) {
+		/* Update line number counter. */
+		linenum++;
+		if (process_config_line(line, filename, linenum) != 0)
+			bad_options++;
+	}
+	fclose(f);
+	if ((bad_options > 0) && config_exclusive_config_file) 
+		fatal("%s: terminating, %d bad configuration options",
+		    filename, bad_options);
+}
+
+/*
+ * Initializes options to special values that indicate that they have not yet
+ * been set.  Read_config_file will only set options with this value. Options
+ * are processed in the following order: command line, user config file,
+ * system config file.  Last, fill_default_options is called.
+ */
+
+void
+initialize_options(void)
+{
+	memset(&options, 'X', sizeof(options));
+	options.host = NULL;
+	options.uri = NULL;
+	options.base = NULL;
+	options.binddn = NULL;
+	options.bindpw = NULL;
+	options.scope = -1;
+	options.deref = -1;
+	options.port = -1;
+	options.timelimit = -1;
+	options.bind_timelimit = -1;
+	options.ldap_version = -1;
+	options.bind_policy = -1;
+	options.sslpath = NULL;
+	options.ssl = -1;
+	options.referrals = -1;
+	options.restart = -1;
+	options.tls_checkpeer = -1;
+	options.tls_cacertfile = NULL;
+	options.tls_cacertdir = NULL;
+	options.tls_ciphers = NULL;
+	options.tls_cert = NULL;
+	options.tls_key = NULL;
+	options.tls_randfile = NULL;
+	options.logdir = NULL;
+	options.debug = -1;
+	options.ssh_filter = NULL;
+}
+
+/*
+ * Called after processing other sources of option data, this fills those
+ * options for which no value has been specified with their default values.
+ */
+
+void
+fill_default_options(void)
+{
+	if (options.uri != NULL) {
+		LDAPURLDesc *ludp;
+
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
+			if (options.ssl == -1) {
+				if (strcmp (ludp->lud_scheme, "ldap") || strcmp (ludp->lud_scheme, "ldapi"))
+				    options.ssl = 0;
+				else if (strcmp (ludp->lud_scheme, "ldaps"))
+				    options.ssl = 2;
+			}
+			if (options.host == NULL)
+			    options.host = xstrdup (ludp->lud_host);
+			if (options.port == -1)
+			    options.port = ludp->lud_port;
+
+			ldap_free_urldesc (ludp);
+		}
+	} 
+	if (options.ssl == -1)
+	    options.ssl = SSL_START_TLS;
+	if (options.port == -1)
+	    options.port = (options.ssl == 0) ? 389 : 636;
+	if (options.uri == NULL) {
+		int len;
+#define MAXURILEN 4096
+
+		options.uri = xmalloc (MAXURILEN);
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
+		options.uri[MAXURILEN - 1] = 0;
+		options.uri = xrealloc (options.uri, len + 1, 1);
+	}
+	if (options.binddn == NULL)
+	    options.binddn = "";
+	if (options.bindpw == NULL)
+	    options.bindpw = "";
+	if (options.scope == -1)
+	    options.scope = LDAP_SCOPE_SUBTREE;
+	if (options.deref == -1)
+	    options.deref = LDAP_DEREF_NEVER;
+	if (options.timelimit == -1)
+	    options.timelimit = 10;
+	if (options.bind_timelimit == -1)
+	    options.bind_timelimit = 10;
+	if (options.ldap_version == -1)
+	    options.ldap_version = 3;
+	if (options.bind_policy == -1)
+	    options.bind_policy = 1;
+	if (options.referrals == -1)
+	    options.referrals = 1;
+	if (options.restart == -1)
+	    options.restart = 1;
+	if (options.tls_checkpeer == -1)
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
+	if (options.debug == -1)
+	    options.debug = 0;
+	if (options.ssh_filter == NULL)
+	    options.ssh_filter = "";
+}
+
+static const char *
+lookup_opcode_name(OpCodes code)
+{
+	u_int i;
+
+	for (i = 0; keywords[i].name != NULL; i++)
+	    if (keywords[i].opcode == code)
+		return(keywords[i].name);
+	return "UNKNOWN";
+}
+
+static void
+dump_cfg_string(OpCodes code, const char *val)
+{
+	if (val == NULL)
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
+	else
+	    debug3("%s %s", lookup_opcode_name(code), val);
+}
+
+static void
+dump_cfg_int(OpCodes code, int val)
+{
+	if (val == -1)
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
+	else
+	    debug3("%s %d", lookup_opcode_name(code), val);
+}
+
+struct names {
+	int value;
+	char *name;
+};
+
+static void
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
+{
+	u_int i;
+
+	if (val == -1)
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
+	else {
+		for (i = 0; names[i].value != -1; i++)
+	 	    if (names[i].value == val) {
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
+			    return;
+		}
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
+	}
+}
+
+static struct names _yesnotls[] = {
+	{ 0, "No" },
+	{ 1, "Yes" },
+	{ 2, "Start_TLS" },
+	{ -1, NULL }};
+
+static struct names _scope[] = {
+	{ LDAP_SCOPE_BASE, "Base" },
+	{ LDAP_SCOPE_ONELEVEL, "One" },
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
+	{ -1, NULL }};
+
+static struct names _deref[] = {
+	{ LDAP_DEREF_NEVER, "Never" },
+	{ LDAP_DEREF_SEARCHING, "Searching" },
+	{ LDAP_DEREF_FINDING, "Finding" },
+	{ LDAP_DEREF_ALWAYS, "Always" },
+	{ -1, NULL }};
+
+static struct names _yesno[] = {
+	{ 0, "No" },
+	{ 1, "Yes" },
+	{ -1, NULL }};
+
+static struct names _bindpolicy[] = {
+	{ 0, "Soft" },
+	{ 1, "Hard" },
+	{ -1, NULL }};
+
+static struct names _checkpeer[] = {
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
+	{ -1, NULL }};
+
+void
+dump_config(void)
+{
+	dump_cfg_string(lURI, options.uri);
+	dump_cfg_string(lHost, options.host);
+	dump_cfg_int(lPort, options.port);
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
+	dump_cfg_int(lLdap_Version, options.ldap_version);
+	dump_cfg_int(lTimeLimit, options.timelimit);
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
+	dump_cfg_string(lBase, options.base);
+	dump_cfg_string(lBindDN, options.binddn);
+	dump_cfg_string(lBindPW, options.bindpw);
+	dump_cfg_namedint(lScope, options.scope, _scope);
+	dump_cfg_namedint(lDeref, options.deref, _deref);
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
+	dump_cfg_string(lSSLPath, options.sslpath);
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
+	dump_cfg_string(lTLS_Key, options.tls_key);
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
+	dump_cfg_string(lLogdir, options.logdir);
+	dump_cfg_int(lDebug, options.debug);
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
diff -up openssh-5.5p1/ldapconf.h.ldap openssh-5.5p1/ldapconf.h
--- openssh-5.5p1/ldapconf.h.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldapconf.h	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPCONF_H
+#define LDAPCONF_H
+
+#define SSL_OFF          0
+#define SSL_LDAPS        1
+#define SSL_START_TLS    2
+
+/* Data structure for representing option data. */
+
+typedef struct {
+	char *host;
+	char *uri;
+	char *base;
+	char *binddn;
+	char *bindpw;
+	int scope;
+	int deref;
+	int port;
+	int timelimit;
+	int bind_timelimit;
+	int ldap_version;
+	int bind_policy;
+	char *sslpath;
+	int ssl;
+	int referrals;
+	int restart;
+	int tls_checkpeer;
+	char *tls_cacertfile;
+	char *tls_cacertdir;
+	char *tls_ciphers;
+	char *tls_cert;
+	char *tls_key;
+	char *tls_randfile;
+	char *logdir;
+	int debug;
+	char *ssh_filter;
+}       Options;
+
+extern Options options;
+
+void read_config_file(const char *);
+void initialize_options(void);
+void fill_default_options(void);
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
diff -up openssh-5.5p1/ldap-helper.c.ldap openssh-5.5p1/ldap-helper.c
--- openssh-5.5p1/ldap-helper.c.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldap-helper.c	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,154 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapbody.h"
+#include <string.h>
+#include <unistd.h>
+
+static int config_debug = 0;
+int config_exclusive_config_file = 0;
+static char *config_file_name = "/etc/ldap.conf";
+static char *config_single_user = NULL;
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
+int config_warning_config_file = 0;
+extern char *__progname;
+
+static void
+usage(void)
+{
+	fprintf(stderr, "usage: %s [options]\n",
+	    __progname);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ldap.conf).\n");
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
+	fprintf(stderr, "  -w          Warn on unknown commands int the config file.\n");
+	exit(1);
+}
+
+/*
+ * Main program for the ssh pka ldap agent.
+ */
+
+int
+main(int ac, char **av)
+{
+	int opt;
+	FILE *outfile = NULL;
+
+	__progname = ssh_get_progname(av[0]);
+
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+
+	/*
+	 * Initialize option structure to indicate that no values have been
+	 * set.
+	 */
+	initialize_options();
+
+	/* Parse command-line arguments. */
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
+		switch (opt) {
+		case 'd':
+			config_debug = 1;
+			break;
+
+		case 'e':
+			config_exclusive_config_file = 1;
+			config_warning_config_file = 1;
+			break;
+
+		case 'f':
+			config_file_name = optarg;
+			break;
+
+		case 's':
+			config_single_user = optarg;
+			outfile = fdopen (dup (fileno (stdout)), "w");
+			break;
+
+		case 'v':
+			config_debug = 1;
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
+			    config_verbose++;
+			break;
+
+		case 'w':
+			config_warning_config_file = 1;
+			break;
+
+		case '?':
+		default:
+			usage();
+			break;
+		}
+	}
+
+	/* Initialize loging */
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
+
+	if (ac != optind)
+	    fatal ("illegal extra parameter %s", av[1]);
+
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
+	if (config_debug == 0)
+	    sanitise_stdfd();
+
+	/* Read config file */
+	read_config_file(config_file_name);
+	fill_default_options();
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
+		debug3 ("=== Configuration ===");
+		dump_config();
+		debug3 ("=== *** ===");
+	}
+
+	ldap_checkconfig();
+	ldap_do_connect();
+
+	if (config_single_user) {
+		process_user (config_single_user, outfile);
+	} else {
+		fatal ("Not yet implemented");
+/* TODO
+ * open unix socket a run the loop on it
+ */
+	}
+
+	ldap_do_close();
+	return 0;
+}
+
+/* Ugly hack */
+void   *buffer_get_string(Buffer *b, u_int *l) {}
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
diff -up openssh-5.5p1/ldap-helper.h.ldap openssh-5.5p1/ldap-helper.h
--- openssh-5.5p1/ldap-helper.h.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldap-helper.h	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAP_HELPER_H
+#define LDAP_HELPER_H
+
+extern int config_exclusive_config_file;
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h
--- openssh-5.5p1/ldapincludes.h.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldapincludes.h	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPINCLUDES_H
+#define LDAPINCLUDES_H
+
+#include "includes.h"
+
+#ifdef HAVE_LBER_H
+#include <lber.h>
+#endif
+#ifdef HAVE_LDAP_H
+#include <ldap.h>
+#endif
+#ifdef HAVE_LDAP_SSL_H
+#include <ldap_ssl.h>
+#endif
+
+#endif /* LDAPINCLUDES_H */
diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c
--- openssh-5.5p1/ldapmisc.c.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldapmisc.c	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
+#include "ldapmisc.h"
+
+#ifndef HAVE_LDAP_GET_LDERRNO
+int
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
+{
+#ifdef HAVE_LDAP_GET_OPTION
+	int rc;
+#endif
+	int lderrno;
+
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
+	    return rc;
+#else
+	lderrno = ld->ld_errno;
+#endif
+
+	if (s != NULL) {
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		*s = ld->ld_error;
+#endif
+	}
+
+	if (m != NULL) {
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		*m = ld->ld_matched;
+#endif
+	}
+
+	return lderrno;
+}
+#endif
+
+#ifndef HAVE_LDAP_SET_LDERRNO
+int
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
+{
+#ifdef HAVE_LDAP_SET_OPTION
+	int rc;
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
+	    return rc;
+#else
+	ld->ld_errno = lderrno;
+#endif
+
+	if (s != NULL) {
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		ld->ld_error = s;
+#endif
+	}
+
+	if (m != NULL) {
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		ld->ld_matched = m;
+#endif
+	}
+
+	return LDAP_SUCCESS;
+}
+#endif
+
diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h
--- openssh-5.5p1/ldapmisc.h.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldapmisc.h	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPMISC_H
+#define LDAPMISC_H
+
+#include "ldapincludes.h"
+
+int ldap_get_lderrno (LDAP *, char **, char **);
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
+
+#endif /* LDAPMISC_H */
+
diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example.txt
--- openssh-5.5p1/lpk-user-example.txt.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/lpk-user-example.txt	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,117 @@
+
+Post to ML -> User Made Quick Install Doc.
+Contribution from John Lane <john@lane.uk.net>
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+OpenSSH LDAP keystore Patch
+===========================
+
+NOTE: these notes are a transcript of a specific installation
+      they work for me, your specifics may be different!
+      from John Lane March 17th 2005         john@lane.uk.net
+
+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
+from their LDAP record as an alternative to ~/.ssh/authorized_keys.
+
+(Assuming here that necessary build stuff is in $BUILD)
+
+cd $BUILD/openssh-4.0p1
+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
+mkdir -p /var/empty &&
+./configure --prefix=/usr --sysconfdir=/etc/ssh \
+    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
+    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
+Now do.
+make &&
+make install
+
+Add the following config to /etc/ssh/ssh_config
+UseLPK yes
+LpkServers ldap://myhost.mydomain.com
+LpkUserDN  ou=People,dc=mydomain,dc=com
+
+We need to tell sshd about the SSL keys during boot, as root's
+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
+Change the startup code from this:
+                echo "Starting SSH Server..."
+                loadproc /usr/sbin/sshd
+                ;;
+to this:
+                echo "Starting SSH Server..."
+                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
+                ;;
+
+Re-start the sshd daemon:
+/etc/rc.d/init.d/sshd restart
+
+Install the additional LDAP schema
+cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
+
+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
+Add the following to the end of the existing block of schema includes
+include         /etc/openldap/schema/openssh.schema
+
+Re-start the LDAP server:
+/etc/rc.d/init.d/slapd restart
+
+To add one or more public keys to a user, eg "testuser" :
+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
+
+append the following to this /tmp/testuser file
+objectclass: ldapPublicKey
+sshPublicKey: ssh-rsa
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
+
+Then do a modify:
+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
+/tmp/testuser -Z
+Enter LDAP Password:
+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
+And check the modify is ok:
+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
+"uid=testuser,ou=People,dc=mydomain,dc=com"
+Enter LDAP Password:
+# extended LDIF
+#
+# LDAPv3
+# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# testuser, People, mydomain.com
+dn: uid=testuser,ou=People,dc=mydomain,dc=com
+uid: testuser
+cn: testuser
+objectClass: account
+objectClass: posixAccount
+objectClass: top
+objectClass: shadowAccount
+objectClass: ldapPublicKey
+shadowLastChange: 12757
+shadowMax: 99999
+shadowWarning: 7
+loginShell: /bin/bash
+uidNumber: 9999
+gidNumber: 501
+homeDirectory: /home/testuser
+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
+sshPublicKey: ssh-rsa
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
+
+# search result
+search: 3
+result: 0 Success
+
+# numResponses: 2
+# numEntries: 1
+
+Now start a ssh session to user "testuser" from usual ssh client (e.g.
+puTTY). Login should succeed.
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
--- openssh-5.5p1/Makefile.in.ldap	2010-04-28 11:34:10.000000000 +0200
+++ openssh-5.5p1/Makefile.in	2010-04-28 11:34:15.000000000 +0200
@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -61,8 +62,9 @@ EXEEXT=@EXEEXT@
 
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o kexgsss.o
 
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5
 MANTYPE		= @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -165,6 +167,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
@@ -266,6 +271,9 @@ install-files:
 	fi
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+	fi
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
@@ -285,6 +293,9 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
+	fi
 	-rm -f $(DESTDIR)$(bindir)/slogin
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -384,6 +395,7 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
 tests interop-tests:	$(TARGETS)
diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lpk-openldap.schema
--- openssh-5.5p1/openssh-lpk-openldap.schema.ldap	2010-04-28 11:34:15.000000000 +0200
+++ openssh-5.5p1/openssh-lpk-openldap.schema	2010-04-28 11:34:15.000000000 +0200
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+#                              useful with PKA-LDAP also
+#
+# Author: Eric AUGE <eau@phear.org>
+# 
+# Based on the proposal of : Mark Ruijter
+#
+
+
+# octetString SYNTAX
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
+	DESC 'MANDATORY: OpenSSH Public key' 
+	EQUALITY octetStringMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
+	MUST ( sshPublicKey $ uid ) 
+	)
diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun.schema
--- openssh-5.5p1/openssh-lpk-sun.schema.ldap	2010-04-28 11:34:15.000000000 +0200
+++ openssh-5.5p1/openssh-lpk-sun.schema	2010-04-28 11:34:15.000000000 +0200
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+#                              useful with PKA-LDAP also
+#
+# Author: Eric AUGE <eau@phear.org>
+# 
+# Schema for Sun Directory Server.
+# Based on the original schema, modified by Stefan Fischer.
+#
+
+dn: cn=schema
+
+# octetString SYNTAX
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
+	DESC 'MANDATORY: OpenSSH Public key' 
+	EQUALITY octetStringMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
+	MUST ( sshPublicKey $ uid ) 
+	)
diff -up openssh-5.5p1/README.lpk.ldap openssh-5.5p1/README.lpk
--- openssh-5.5p1/README.lpk.ldap	2010-04-28 11:34:15.000000000 +0200
+++ openssh-5.5p1/README.lpk	2010-04-28 12:33:34.000000000 +0200
@@ -0,0 +1,268 @@
+OpenSSH LDAP PUBLIC KEY PATCH 
+Copyright (c) 2003 Eric AUGE (eau@phear.org)
+All rights reserved.
+
+Rewriten by Jan F. Chadima (jchadima@redhat.com)
+Copyright (c) 2010 Red Hat, Inc.
+The new PKA-LDAP patch is rewritten from the scratch.
+LDAP schema and part of the documentation is based on original
+LPK project (http://code.google.com/p/openssh-lpk),
+copyright (c) 2003 Eric AUGE
+The new openssh configuration is different from the original LPK one.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. The name of the author may not be used to endorse or promote products
+   derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+purposes of this patch:
+
+This patch would help to have authentication centralization policy
+using ssh public key authentication.
+This patch could be an alternative to other "secure" authentication system
+working in a similar way (Kerberos, SecurID, etc...), except the fact 
+that it's based on OpenSSH and its public key abilities.
+
+>> FYI: <<
+'uid': means unix accounts existing on the current server
+'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
+
+example schema:
+
+
+                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
+                ___________      /
+               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
+              | LDAP Server |    \
+	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
+	      | titi ,toto  |
+	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
+               \___________/ \       /
+	                       ----- - server4 (uid: eau, rival)  (no group configured)
+			             \
+				        etc...
+
+- WHAT WE NEED :
+
+  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
+  * patched sshd (with this patch ;)
+  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
+        User entry:
+	- attached to the 'ldapPublicKey' objectclass
+	- attached to the 'posixAccount' objectclass
+	- with a filled 'sshPublicKey' attribute 
+	Example:
+		dn: uid=eau,ou=users,dc=cuckoos,dc=net
+		objectclass: top
+		objectclass: person
+		objectclass: organizationalPerson
+		objectclass: posixAccount
+		objectclass: ldapPublicKey
+		description: Eric AUGE Account
+		userPassword: blah
+		cn: Eric AUGE
+		sn: Eric AUGE
+		uid: eau
+		uidNumber: 1034
+		gidNumber: 1
+		homeDirectory: /export/home/eau
+		sshPublicKey: ssh-dss AAAAB3...
+		sshPublicKey: ssh-dss AAAAM5...
+
+	Group entry:
+	- attached to the 'posixGroup' objectclass
+	- with a 'cn' groupname attribute
+	- with multiple 'memberUid' attributes filled with usernames allowed in this group
+	Example:
+		# few members
+		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+		objectclass: top
+		objectclass: posixGroup
+		description: Unix based servers group
+		cn: unix
+		gidNumber: 1002
+		memberUid: eau
+		memberUid: user1
+		memberUid: user2
+
+
+- HOW IT WORKS :
+
+  * without patch
+  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
+  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
+
+  * with the patch
+  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
+  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
+  (usually in $HOME/.ssh/authorized_keys)
+
+  2 tokens are added to sshd_config :
+  # here is the new patched ldap related tokens
+  PubkeyAgent /usr/libexec/openssh/ssh-ldap-helper -s %u
+  PubkeyAgentRunAs nobody
+
+  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
+There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
+
+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
+
+  * my way (there is plenty :)
+  - create ldif file (i.e. users.ldif)
+  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
+  - my way in 4 steps :
+  Example:
+
+  # you add this to the user entry in the LDIF file :
+  [...]
+  objectclass: posixAccount
+  objectclass: ldapPublicKey
+  [...]
+  sshPubliKey: ssh-dss AAAABDh12DDUR2...
+  [...]
+
+  # insert your entry and you're done :)
+  ldapadd -D balblabla -w bleh < file.ldif 
+  
+  all standard options can be present in the 'sshPublicKey' attribute.
+
+- WHY :
+
+  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
+  as authentication method (like pam_ldap etc..).  
+  
+  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
+  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
+  objectclass within LDAP and part of the group the SSH server is in). 
+
+  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
+  so each user can change it as much as he wants). 
+
+  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
+
+- RULES :  
+  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
+  and the additionnal lpk.schema.
+
+  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
+  (pamldap, nss_ldap, etc..).
+
+  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
+  
+  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
+  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
+  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
+  to log in 'server5' (i hope you got the idea, my english is bad :).
+
+  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
+  server.
+  When you want to allow a new user to have access to the server parc, you just add him an account on 
+  your servers, you add his public key into his entry on the LDAP server, it's done. 
+
+  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
+
+  When the user needs to change his passphrase he can do it directly from his workstation by changing 
+  his own key set lock passphrase, and all servers are automatically aware.
+ 
+  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
+  so he can add/modify/delete himself his public key when needed.
+
+­ FLAWS :
+  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
+  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
+  of your users in all your server farm be VERY CAREFUL.
+  
+  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
+  as the impersonnated user.
+
+  If LDAP server is down then, no fallback on passwd auth.
+  
+  the ldap code part has not been well audited yet.
+
+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
+    --- CUT HERE ---
+    dn: uid=jdoe,ou=users,dc=foobar,dc=net
+    objectclass: top
+    objectclass: person
+    objectclass: organizationalPerson
+    objectclass: posixAccount
+    objectclass: ldapPublicKey
+    description: My account
+    cn: John Doe
+    sn: John Doe
+    uid: jdoe
+    uidNumber: 100
+    gidNumber: 100
+    homeDirectory: /home/jdoe
+    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
+    [...]
+    --- CUT HERE ---
+
+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
+    --- CUT HERE ---
+    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+    objectclass: top
+    objectclass: posixGroup
+    description: Unix based servers group
+    cn: unix
+    gidNumber: 1002
+    memberUid: jdoe
+    memberUid: user1
+    memberUid: user2
+    [...]
+    --- CUT HERE ---
+
+>> FYI: << 
+Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
+
+- COMPILING:
+  1. Apply the patch
+  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
+  3. make
+  4. it's done.
+
+- BLA :
+  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
+  
+- TODO :
+  Redesign differently.
+
+- DOCS/LINK :
+  http://pacsec.jp/core05/psj05-barisani-en.pdf
+  http://fritz.potsdam.edu/projects/openssh-lpk/
+  http://fritz.potsdam.edu/projects/sshgate/
+  http://dev.inversepath.com/trac/openssh-lpk
+  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+
+- CONTRIBUTORS/IDEAS/GREETS :
+  - Eric AUGE <eau@phear.org>
+  - Andrea Barisani <andrea@inversepath.com>
+  - Falk Siemonsmeier.
+  - Jacob Rief.
+  - Michael Durchgraf.
+  - frederic peters.
+  - Finlay dobbie.
+  - Stefan Fisher.
+  - Robin H. Johnson.
+  - Adrian Bridgett.
+
+- CONTACT :
+    Jan F. Chadima <jchadima@redhat.com>
+
diff -up openssh-5.5p1/ssh-ldap-helper.8.ldap openssh-5.5p1/ssh-ldap-helper.8
--- openssh-5.5p1/ssh-ldap-helper.8.ldap	2010-04-28 11:34:15.000000000 +0200
+++ openssh-5.5p1/ssh-ldap-helper.8	2010-04-28 11:34:15.000000000 +0200
@@ -0,0 +1,78 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 29 2010 $
+.Dt SSH-LDAP-HELPER 8
+.Os
+.Sh NAME
+.Nm ssh-ldap-helper
+.Nd sshd helper program for ldap support
+.Sh SYNOPSIS
+.Nm ssh-ldap-helper
+.Op Fl devw
+.Op Fl f Ar file
+.Op Fl s Ar user
+.Sh DESCRIPTION
+.Nm
+is used by
+.Xr sshd 1
+to access keys provided by a LDAP.
+.Nm
+is disabled by default and can only be enabled in the
+sshd configuration file
+.Pa /etc/ssh/sshd_config
+by setting
+.Cm PubkeyAgent
+to
+.Dq /usr/libexec/ssh-ldap-helper -s %u .
+.Pp
+.Nm
+is not intended to be invoked by the user, but from
+.Xr sshd 8 .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl d
+Set the debug mode, 
+.Nm
+prints all logs to stderr instead of syslog.
+.It Fl e
+Implies \-w
+.Nm
+halt when an unknown item is found in the ldap.conf file.
+.It Fl f
+Default /etc/ldap.conf.
+.Nm
+uses this file as a ldap configuration file.
+.It Fl s
+.Nm
+print out the keys of the user on stdout and exits.
+.It Fl v
+Implies \-d
+increases verbosity.
+.It Fl w
+.Nm
+writes warnings about unknown items in the ldap.conf file.
+
+.Sh SEE ALSO
+.Xr sshd 8 ,
+.Xr sshd_config 5 ,
+.Sh HISTORY
+.Nm
+first appeared in
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com