From e6dbb83190eb4c886b3f638b642630e2e89d1a92 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Jun 07 2013 13:12:40 +0000
Subject: make an object class filter configurable (#963281)
---
diff --git a/openssh-6.2p1-ldap.patch b/openssh-6.2p1-ldap.patch
index d97bcca..8d717c5 100644
--- a/openssh-6.2p1-ldap.patch
+++ b/openssh-6.2p1-ldap.patch
@@ -258,7 +258,7 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
 +#include
 +#include
 +
-+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
++#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
 +#define PUBKEYATTR "sshPublicKey"
 +#define LDAP_LOGFILE "%s/ldap.%d"
 +
@@ -659,11 +659,11 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
 + }
 +
 + /* build filter for LDAP request */
-+ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
++ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
 + if (options.ssh_filter != NULL)
 + bufflen += strlen (options.ssh_filter);
 + buffer = xmalloc (bufflen);
-+ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
++ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
 + buffer[bufflen - 1] = 0;
 +
 + debug3 ("LDAP search scope = %d %s", options.scope, buffer);
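Review bot: LDAPSEARCH_FORMAT now carries three %s conversions, but the argument order they expect (object class, uid, SSH_Filter suffix) is only recoverable from the single snprintf call site several hundred lines further down the patch, so a later edit to either side can silently desynchronise them. A short comment above the macro would pin the contract: `/* snprintf args, in order: AccountClass, login name, SSH_Filter suffix */`. The surrounding #define group starts and ends outside this hunk.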
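Review bot: options.account_class is spliced into the LDAP filter verbatim, with no RFC 4515 escaping, so a value containing filter metacharacters such as `(`, `)`, `*` or `\` yields a malformed filter or one that matches more than the intended class; the value is administrator-controlled via ssh-ldap.conf, so this is a misconfiguration hazard rather than an injection vector, but it deserves either a check at parse time or a comment at the snprintf stating that the class name must be a plain attribute value. The new strlen(options.account_class) also relies on fill_default_options having already replaced a NULL with "posixAccount", which appears to be the case from the later hunk but is not visible here. The buffer sizing itself still holds, since every %s in the format consumes more bytes than the terminator needs. The function enclosing this hunk starts and ends outside it.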
@@ -759,10 +759,10 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +
 +#endif /* LDAPBODY_H */
 +
-diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
---- openssh-6.2p1/ldapconf.c.ldap 2013-03-25 21:27:15.890248084 +0100
-+++ openssh-6.2p1/ldapconf.c 2013-03-25 21:27:15.890248084 +0100
-@@ -0,0 +1,682 @@
+diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+--- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200
++++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200
+@@ -0,0 +1,691 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -807,7 +807,7 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
 + lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
 + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
 + lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
-+ lDeprecated, lUnsupported
++ lAccountClass, lDeprecated, lUnsupported
 +} OpCodes;
 +
 +/* Textual representations of the tokens. */
@@ -859,6 +859,7 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
 + { "LogDir", lLogDir },
 + { "Debug", lDebug },
 + { "SSH_Filter", lSSH_Filter },
++ { "AccountClass", lAccountClass },
 + { NULL, lBadOption }
 +};
 +
@@ -1151,6 +1152,10 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
 + xstringptr = &options.ssh_filter;
 + goto parse_xstring;
 +
++ case lAccountClass:
++ charptr = &options.account_class;
++ goto parse_string;
++
 + case lDeprecated:
 + debug("%s line %d: Deprecated option \"%s\"",
 + filename, linenum, keyword);
@@ -1254,6 +1259,7 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
 + options.logdir = NULL;
 + options.debug = -1;
 + options.ssh_filter = NULL;
++ options.account_class = NULL;
 +}
 +
 +/*
@@ -1324,6 +1330,8 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
 + options.debug = 0;
 + if (options.ssh_filter == NULL)
 + options.ssh_filter = "";
++ if (options.account_class == NULL)
++ options.account_class = "posixAccount";
 +}
 +
 +static const char *
@@ -1443,12 +1451,13 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
 + dump_cfg_string(lLogDir, options.logdir);
 + dump_cfg_int(lDebug, options.debug);
 + dump_cfg_string(lSSH_Filter, options.ssh_filter);
++ dump_cfg_string(lAccountClass, options.logdir);
 +}
 +
-diff -up openssh-6.2p1/ldapconf.h.ldap openssh-6.2p1/ldapconf.h
---- openssh-6.2p1/ldapconf.h.ldap 2013-03-25 21:27:15.891248091 +0100
-+++ openssh-6.2p1/ldapconf.h 2013-03-25 21:27:15.891248091 +0100
-@@ -0,0 +1,71 @@
+diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
+--- openssh-6.2p2/ldapconf.h.ldap 2013-06-07 15:10:05.602942689 +0200
++++ openssh-6.2p2/ldapconf.h 2013-06-07 15:10:24.928857566 +0200
+@@ -0,0 +1,72 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -1510,6 +1519,7 @@ diff -up openssh-6.2p1/ldapconf.h.ldap openssh-6.2p1/ldapconf.h
 + char *logdir;
 + int debug;
 + char *ssh_filter;
++ char *account_class;
 +} Options;
 +
 +extern Options options;
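Review bot: The new dump line prints the wrong field: `dump_cfg_string(lAccountClass, options.logdir);` reports the log directory under the AccountClass key, so a configuration dump never shows the class actually used to build the search filter and misleads anyone debugging why a user is not found. It should read `dump_cfg_string(lAccountClass, options.account_class);`, matching the pattern of the SSH_Filter line just above it. The dump function enclosing this hunk starts outside it.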
@@ -2123,10 +2133,10 @@ diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun
 + DESC 'MANDATORY: OpenSSH LPK objectclass'
 + MUST ( sshPublicKey $ uid )
 + )
-diff -up openssh-6.2p1/ssh-ldap.conf.5.ldap openssh-6.2p1/ssh-ldap.conf.5
---- openssh-6.2p1/ssh-ldap.conf.5.ldap 2013-03-25 21:27:15.895248117 +0100
-+++ openssh-6.2p1/ssh-ldap.conf.5 2013-03-25 21:27:15.895248117 +0100
-@@ -0,0 +1,376 @@
+diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
+--- openssh-6.2p2/ssh-ldap.conf.5.ldap 2013-06-07 15:10:05.604942680 +0200
++++ openssh-6.2p2/ssh-ldap.conf.5 2013-06-07 15:10:24.928857566 +0200
+@@ -0,0 +1,379 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
@@ -2487,6 +2497,9 @@ diff -up openssh-6.2p1/ssh-ldap.conf.5.ldap openssh-6.2p1/ssh-ldap.conf.5
 +.It Cm SSH_Filter
 +Specifies the user filter applied on the LDAP serch.
 +The default is no filter.
++.It Cm AccountClass
++Specifies the LDAP class used to find user accounts.
++The default is posixAccount.
 +.El
 +.Sh FILES
 +.Bl -tag -width Ds