jonathancammack / rpms / openssh

Forked from rpms/openssh 8 months ago
Clone
3e8b5b
diff -up openssh-6.8p1/HOWTO.ldap-keys.ldap openssh-6.8p1/HOWTO.ldap-keys
3e8b5b
--- openssh-6.8p1/HOWTO.ldap-keys.ldap	2015-03-18 11:11:29.029801467 +0100
3e8b5b
+++ openssh-6.8p1/HOWTO.ldap-keys	2015-03-18 11:11:29.029801467 +0100
3e8b5b
@@ -0,0 +1,122 @@
3e8b5b
+
3e8b5b
+HOW TO START
3e8b5b
+
3e8b5b
+1) configure LDAP server
3e8b5b
+  * Use LDAP server documentation
3e8b5b
+2) add appropriate LDAP schema
3e8b5b
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
3e8b5b
+  * LDAP user entry
3e8b5b
+        User entry:
3e8b5b
+	- attached to the 'ldapPublicKey' objectclass
3e8b5b
+	- attached to the 'posixAccount' objectclass
3e8b5b
+	- with a filled 'sshPublicKey' attribute 
3e8b5b
+3) insert users into LDAP
3e8b5b
+  * Use LDAP Tree management tool as useful
3e8b5b
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
3e8b5b
+  * Example:
3e8b5b
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
3e8b5b
+	objectclass: top
3e8b5b
+	objectclass: person
3e8b5b
+	objectclass: organizationalPerson
3e8b5b
+	objectclass: posixAccount
3e8b5b
+	objectclass: ldapPublicKey
3e8b5b
+	description: Jonathan Archer
3e8b5b
+	userPassword: Porthos
3e8b5b
+	cn: onathan Archer
3e8b5b
+	sn: onathan Archer
3e8b5b
+	uid: captain
3e8b5b
+	uidNumber: 1001
3e8b5b
+	gidNumber: 1001
3e8b5b
+	homeDirectory: /home/captain
3e8b5b
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
3e8b5b
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
3e8b5b
+4) on the ssh side set in sshd_config
3e8b5b
+  * Set up the backend
3e8b5b
+	AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
3e8b5b
+	AuthorizedKeysCommandUser <appropriate user to run LDAP>
3e8b5b
+  * Do not forget to set
3e8b5b
+	PubkeyAuthentication yes
3e8b5b
+  * Swith off unnecessary auth methods
3e8b5b
+5) confugure ldap.conf
3e8b5b
+  * Default ldap.conf is placed in /etc/ssh
3e8b5b
+  * The configuration style is the same as other ldap based aplications
3e8b5b
+6) if necessary edit ssh-ldap-wrapper
3e8b5b
+  * There is a possibility to change ldap.conf location
3e8b5b
+  * There are some debug options
3e8b5b
+  * Example
3e8b5b
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
3e8b5b
+7) Configure SELinux boolean which allows ldap-helper to bind ldap server
3e8b5b
+  Run this command
3e8b5b
+  # setsebool -P authlogin_nsswitch_use_ldap on
3e8b5b
+
3e8b5b
+HOW TO MIGRATE FROM LPK
3e8b5b
+
3e8b5b
+1) goto HOW TO START 4) .... the ldap schema is the same
3e8b5b
+
3e8b5b
+2) convert the group requests to the appropriate LDAP requests
3e8b5b
+
3e8b5b
+HOW TO SOLVE PROBLEMS
3e8b5b
+
3e8b5b
+1) use debug in sshd
3e8b5b
+  * /usr/sbin/sshd -d -d -d -d
3e8b5b
+2) use debug in ssh-ldap-helper
3e8b5b
+  * ssh-ldap-helper -d -d -d -d -s <username>
3e8b5b
+3) use tcpdump ... other ldap client etc.
3e8b5b
+
3e8b5b
+HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
3e8b5b
+
3e8b5b
+You can adjust search format string in /etc/ldap.conf using
3e8b5b
+ 1) SSH_Filter option to limit results for only specified users
3e8b5b
+    (this appends search condition after original query)
3e8b5b
+ 2) Search_Format option to define your own search string using expansion
3e8b5b
+    characters %u for username, %c for objectclass and %f for above mentioned filter.
3e8b5b
+
3e8b5b
+Example:
3e8b5b
+Search_Format (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
3e8b5b
+
3e8b5b
+ADVANTAGES
3e8b5b
+
3e8b5b
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
3e8b5b
+
3e8b5b
+DISADVANTAGES
3e8b5b
+
3e8b5b
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
3e8b5b
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
3e8b5b
+  of your users in all your server farm -- be VERY CAREFUL.
3e8b5b
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
3e8b5b
+  as the impersonated user.
3e8b5b
+3) If LDAP server is down there may be no fallback on passwd auth.
3e8b5b
+  
3e8b5b
+MISC.
3e8b5b
+  
3e8b5b
+1) todo
3e8b5b
+  * Possibility to reuse the ssh-ldap-helper.
3e8b5b
+  * Tune the LDAP part to accept  all possible LDAP configurations.
3e8b5b
+
3e8b5b
+2) differences from original lpk
3e8b5b
+  * No LDAP code in sshd.
3e8b5b
+  * Support for various LDAP platforms and configurations.
3e8b5b
+  * LDAP is configured in separate ldap.conf file.
3e8b5b
+
3e8b5b
+3) docs/link 
3e8b5b
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
3e8b5b
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
3e8b5b
+  * http://fritz.potsdam.edu/projects/sshgate/
3e8b5b
+  * http://dev.inversepath.com/trac/openssh-lpk
3e8b5b
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
3e8b5b
+
3e8b5b
+4) contributors/ideas/greets
3e8b5b
+  - Eric AUGE <eau@phear.org>
3e8b5b
+  - Andrea Barisani <andrea@inversepath.com>
3e8b5b
+  - Falk Siemonsmeier.
3e8b5b
+  - Jacob Rief.
3e8b5b
+  - Michael Durchgraf.
3e8b5b
+  - frederic peters.
3e8b5b
+  - Finlay dobbie.
3e8b5b
+  - Stefan Fisher.
3e8b5b
+  - Robin H. Johnson.
3e8b5b
+  - Adrian Bridgett.
3e8b5b
+
3e8b5b
+5) Author
3e8b5b
+    Jan F. Chadima <jchadima@redhat.com>
3e8b5b
+
3e8b5b
diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
3e8b5b
--- openssh-6.8p1/Makefile.in.ldap	2015-03-17 06:49:20.000000000 +0100
3e8b5b
+++ openssh-6.8p1/Makefile.in	2015-03-18 11:13:10.147561177 +0100
3e8b5b
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
3e8b5b
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
3e8b5b
 SFTP_SERVER=$(libexecdir)/sftp-server
3e8b5b
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
3e8b5b
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
3e8b5b
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
3e8b5b
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
3e8b5b
 PRIVSEP_PATH=@PRIVSEP_PATH@
3e8b5b
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
3e8b5b
@@ -50,6 +50,7 @@
3e8b5b
 CFLAGS=@CFLAGS@
3e8b5b
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
3e8b5b
 LIBS=@LIBS@
3e8b5b
+LDAPLIBS=@LDAPLIBS@
3e8b5b
 K5LIBS=@K5LIBS@
3e8b5b
 GSSLIBS=@GSSLIBS@
3e8b5b
 SSHLIBS=@SSHLIBS@
3e8b5b
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
3e8b5b
 EXEEXT=@EXEEXT@
3e8b5b
 MANFMT=@MANFMT@
3e8b5b
 MKDIR_P=@MKDIR_P@
3e8b5b
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
3e8b5b
 
3e8b5b
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
3e8b5b
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
3e8b5b
 
3e8b5b
 XMSS_OBJS=\
3e8b5b
 	ssh-xmss.o \
3e8b5b
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
3e8b5b
 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
3e8b5b
 	sandbox-solaris.o uidswap.o
3e8b5b
 
3e8b5b
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
3e8b5b
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
3e8b5b
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
3e8b5b
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
3e8b5b
 MANTYPE		= @MANTYPE@
3e8b5b
 
3e8b5b
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
3e8b5b
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
3e8b5b
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
3e8b5b
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
3e8b5b
 
3e8b5b
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
3009ed
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
3e8b5b
+
3e8b5b
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
3e8b5b
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
3e8b5b
 
3e8b5b
@@ -311,6 +317,10 @@ install-files:
3e8b5b
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
3e8b5b
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
3e8b5b
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
3e8b5b
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
3e8b5b
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
3e8b5b
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
3e8b5b
+	fi
3e8b5b
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
3e8b5b
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
3e8b5b
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
3e8b5b
@@ -327,6 +337,10 @@ install-files:
3e8b5b
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
3e8b5b
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
3e8b5b
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
3e8b5b
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
3e8b5b
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
3e8b5b
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
3e8b5b
+	fi
3e8b5b
 
3e8b5b
 install-sysconf:
3e8b5b
 	$(MKDIR_P) $(DESTDIR)$(sysconfdir)
3e8b5b
@@ -356,6 +370,13 @@ install-sysconf:
3e8b5b
 	else \
3e8b5b
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
3e8b5b
 	fi
3e8b5b
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
3e8b5b
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
3e8b5b
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
3e8b5b
+		else \
3e8b5b
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
3e8b5b
+		fi ; \
3e8b5b
+	fi
3e8b5b
 
3e8b5b
 host-key: ssh-keygen$(EXEEXT)
3e8b5b
 	@if [ -z "$(DESTDIR)" ] ; then \
3e8b5b
@@ -419,6 +440,8 @@ uninstall:
3e8b5b
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
3e8b5b
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
3e8b5b
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
3e8b5b
+	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
3e8b5b
+	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
3e8b5b
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
3e8b5b
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
3e8b5b
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
3e8b5b
@@ -430,6 +453,7 @@ uninstall:
3e8b5b
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
3e8b5b
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
3e8b5b
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
3e8b5b
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
3e8b5b
 
3e8b5b
 regress-prep:
3e8b5b
 	$(MKDIR_P) `pwd`/regress/unittests/test_helper
3e8b5b
diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
3e8b5b
--- openssh-6.8p1/configure.ac.ldap	2015-03-17 06:49:20.000000000 +0100
3e8b5b
+++ openssh-6.8p1/configure.ac	2015-03-18 11:11:29.030801464 +0100
3e8b5b
@@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then
3e8b5b
 	fi
3e8b5b
 fi
3e8b5b
 
3e8b5b
+# Check whether user wants LDAP support
3e8b5b
+LDAP_MSG="no"
3e8b5b
+INSTALL_SSH_LDAP_HELPER=""
3e8b5b
+AC_ARG_WITH(ldap,
3e8b5b
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
3e8b5b
+	[
3e8b5b
+		if test "x$withval" != "xno" ; then
3e8b5b
+
3e8b5b
+			INSTALL_SSH_LDAP_HELPER="yes"
3e8b5b
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
3e8b5b
+
3e8b5b
+			if test "x$withval" != "xyes" ; then
3e8b5b
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
3e8b5b
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
3e8b5b
+			fi
3e8b5b
+
3e8b5b
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
3e8b5b
+			LDAP_MSG="yes"
3e8b5b
+
3e8b5b
+			AC_CHECK_HEADERS(lber.h)
3e8b5b
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
3e8b5b
+			AC_CHECK_HEADERS(ldap_ssl.h)
3e8b5b
+
3e8b5b
+			AC_ARG_WITH(ldap-lib,
3e8b5b
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
3e8b5b
+
3e8b5b
+			if test -z "$with_ldap_lib"; then
3e8b5b
+				with_ldap_lib=auto
3e8b5b
+			fi
3e8b5b
+
3e8b5b
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
3e8b5b
+				AC_CHECK_LIB(lber, main, LDAPLIBS="-llber $LDAPLIBS" found_ldap_lib=yes)
3e8b5b
+				AC_CHECK_LIB(ldap, main, LDAPLIBS="-lldap $LDAPLIBS" found_ldap_lib=yes)
3e8b5b
+			fi
3e8b5b
+
3e8b5b
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
3e8b5b
+				AC_CHECK_LIB(ldap50, main, LDAPLIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LDAPLIBS" found_ldap_lib=yes)
3e8b5b
+			fi
3e8b5b
+
3e8b5b
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
3e8b5b
+				AC_CHECK_LIB(ldapssl41, main, LDAPLIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LDAPLIBS" found_ldap_lib=yes)
3e8b5b
+				if test -z "$found_ldap_lib"; then
3e8b5b
+					AC_CHECK_LIB(ldapssl40, main, LDAPLIBS="-lldapssl40 $LDAPLIBS" found_ldap_lib=yes)
3e8b5b
+				fi
3e8b5b
+				if test -z "$found_ldap_lib"; then
3e8b5b
+					AC_CHECK_LIB(ldap41, main, LDAPLIBS="-lldap41 $LDAPLIBS" found_ldap_lib=yes)
3e8b5b
+				fi
3e8b5b
+				if test -z "$found_ldap_lib"; then
3e8b5b
+					AC_CHECK_LIB(ldap40, main, LDAPLIBS="-lldap40 $LDAPLIBS" found_ldap_lib=yes)
3e8b5b
+				fi
3e8b5b
+			fi
3e8b5b
+
3e8b5b
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
3e8b5b
+				AC_CHECK_LIB(ldapssl30, main, LDAPLIBS="-lldapssl30 $LDAPLIBS" found_ldap_lib=yes)
3e8b5b
+			fi
3e8b5b
+
3e8b5b
+			if test -z "$found_ldap_lib"; then
3e8b5b
+				AC_MSG_ERROR(could not locate a valid LDAP library)
3e8b5b
+			fi
3e8b5b
+
3e8b5b
+			saved_LIBS="$LIBS"
3e8b5b
+			LIBS="$LIBS $LDAPLIBS"
3e8b5b
+			AC_MSG_CHECKING([for working LDAP support])
3e8b5b
+			AC_TRY_COMPILE(
3e8b5b
+				[#include <sys/types.h>
3e8b5b
+				 #include <ldap.h>],
3e8b5b
+				[(void)ldap_init(0, 0);],
3e8b5b
+				[AC_MSG_RESULT(yes)],
3e8b5b
+				[
3e8b5b
+				    AC_MSG_RESULT(no) 
3e8b5b
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
3e8b5b
+				])
3e8b5b
+			AC_CHECK_FUNCS( \
3e8b5b
+				ldap_init \
3e8b5b
+				ldap_get_lderrno \
3e8b5b
+				ldap_set_lderrno \
3e8b5b
+				ldap_parse_result \
3e8b5b
+				ldap_memfree \
3e8b5b
+				ldap_controls_free \
3e8b5b
+				ldap_set_option \
3e8b5b
+				ldap_get_option \
3e8b5b
+				ldapssl_init \
3e8b5b
+				ldap_start_tls_s \
3e8b5b
+				ldap_pvt_tls_set_option \
3e8b5b
+				ldap_initialize \
3e8b5b
+			)
3e8b5b
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
3e8b5b
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
3e8b5b
+				AC_TRY_COMPILE(
3e8b5b
+					[#include <lber.h>
3e8b5b
+					#include <ldap.h>],
3e8b5b
+					[ldap_set_rebind_proc(0, 0, 0);],
3e8b5b
+					[ac_cv_ldap_set_rebind_proc=3],
3e8b5b
+					[ac_cv_ldap_set_rebind_proc=2])
3e8b5b
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
3e8b5b
+				AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
3e8b5b
+			)
3e8b5b
+			LIBS="$saved_LIBS"
3e8b5b
+		fi
3e8b5b
+	]
3e8b5b
+)
3e8b5b
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
3e8b5b
+AC_SUBST(LDAPLIBS)
3e8b5b
+
3e8b5b
 dnl    Checks for library functions. Please keep in alphabetical order
3e8b5b
 AC_CHECK_FUNCS([ \
3e8b5b
 	Blowfish_initstate \
3e8b5b
@@ -5227,6 +5352,9 @@
3e8b5b
 echo "Preprocessor flags: ${CPPFLAGS}"
3e8b5b
 echo "      Linker flags: ${LDFLAGS}"
3e8b5b
 echo "         Libraries: ${LIBS}"
3e8b5b
+if test ! -z "${LDAPLIBS}"; then
3e8b5b
+echo "         +for ldap: ${LDAPLIBS}"
3e8b5b
+fi
3e8b5b
 if test ! -z "${SSHDLIBS}"; then
3e8b5b
 echo "         +for sshd: ${SSHDLIBS}"
3e8b5b
 fi
3e8b5b
diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
3e8b5b
--- openssh-6.8p1/ldap-helper.c.ldap	2015-03-18 11:11:29.030801464 +0100
3e8b5b
+++ openssh-6.8p1/ldap-helper.c	2015-03-18 11:11:29.030801464 +0100
3e8b5b
@@ -0,0 +1,151 @@
3e8b5b
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
3e8b5b
+ *
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
3e8b5b
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
3e8b5b
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
3e8b5b
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3e8b5b
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
3e8b5b
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
3e8b5b
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
3e8b5b
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
3e8b5b
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+#include "ldapincludes.h"
3e8b5b
+#include "log.h"
3e8b5b
+#include "misc.h"
3e8b5b
+#include "xmalloc.h"
3e8b5b
+#include "ldapconf.h"
3e8b5b
+#include "ldapbody.h"
3e8b5b
+#include <string.h>
3e8b5b
+#include <unistd.h>
3e8b5b
+#include <stdlib.h>
3e8b5b
+
3e8b5b
+static int config_debug = 0;
3e8b5b
+int config_exclusive_config_file = 0;
3e8b5b
+static char *config_file_name = "/etc/ssh/ldap.conf";
3e8b5b
+static char *config_single_user = NULL;
3e8b5b
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
3e8b5b
+int config_warning_config_file = 0;
3e8b5b
+extern char *__progname;
3e8b5b
+
3e8b5b
+static void
3e8b5b
+usage(void)
3e8b5b
+{
3e8b5b
+	fprintf(stderr, "usage: %s [options]\n",
3e8b5b
+	    __progname);
3e8b5b
+	fprintf(stderr, "Options:\n");
3e8b5b
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
3e8b5b
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
3e8b5b
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
3e8b5b
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
3e8b5b
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
3e8b5b
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
3e8b5b
+	exit(1);
3e8b5b
+}
3e8b5b
+
3e8b5b
+/*
3e8b5b
+ * Main program for the ssh pka ldap agent.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+int
3e8b5b
+main(int ac, char **av)
3e8b5b
+{
3e8b5b
+	int opt;
3e8b5b
+	FILE *outfile = NULL;
3e8b5b
+
3e8b5b
+	__progname = ssh_get_progname(av[0]);
3e8b5b
+
3e8b5b
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
3e8b5b
+
3e8b5b
+	/*
3e8b5b
+	 * Initialize option structure to indicate that no values have been
3e8b5b
+	 * set.
3e8b5b
+	 */
3e8b5b
+	initialize_options();
3e8b5b
+
3e8b5b
+	/* Parse command-line arguments. */
3e8b5b
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
3e8b5b
+		switch (opt) {
3e8b5b
+		case 'd':
3e8b5b
+			config_debug = 1;
3e8b5b
+			break;
3e8b5b
+
3e8b5b
+		case 'e':
3e8b5b
+			config_exclusive_config_file = 1;
3e8b5b
+			config_warning_config_file = 1;
3e8b5b
+			break;
3e8b5b
+
3e8b5b
+		case 'f':
3e8b5b
+			config_file_name = optarg;
3e8b5b
+			break;
3e8b5b
+
3e8b5b
+		case 's':
3e8b5b
+			config_single_user = optarg;
3e8b5b
+			outfile = fdopen (dup (fileno (stdout)), "w");
3e8b5b
+			break;
3e8b5b
+
3e8b5b
+		case 'v':
3e8b5b
+			config_debug = 1;
3e8b5b
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
3e8b5b
+			    config_verbose++;
3e8b5b
+			break;
3e8b5b
+
3e8b5b
+		case 'w':
3e8b5b
+			config_warning_config_file = 1;
3e8b5b
+			break;
3e8b5b
+
3e8b5b
+		case '?':
3e8b5b
+		default:
3e8b5b
+			usage();
3e8b5b
+			break;
3e8b5b
+		}
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	/* Initialize loging */
3e8b5b
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
3e8b5b
+
3e8b5b
+	if (ac != optind)
3e8b5b
+	    fatal ("illegal extra parameter %s", av[1]);
3e8b5b
+
3e8b5b
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
3e8b5b
+	if (config_debug == 0)
3e8b5b
+	    sanitise_stdfd();
3e8b5b
+
3e8b5b
+	/* Read config file */
3e8b5b
+	read_config_file(config_file_name);
3e8b5b
+	fill_default_options();
3e8b5b
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
3e8b5b
+		debug3 ("=== Configuration ===");
3e8b5b
+		dump_config();
3e8b5b
+		debug3 ("=== *** ===");
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	ldap_checkconfig();
3e8b5b
+	ldap_do_connect();
3e8b5b
+
3e8b5b
+	if (config_single_user) {
3e8b5b
+		process_user (config_single_user, outfile);
3e8b5b
+	} else {
3e8b5b
+		usage();
3e8b5b
+		fatal ("Not yet implemented");
3e8b5b
+/* TODO
3e8b5b
+ * open unix socket a run the loop on it
3e8b5b
+ */
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	ldap_do_close();
3e8b5b
+	return 0;
3e8b5b
+}
3e8b5b
diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h
3e8b5b
--- openssh-6.8p1/ldap-helper.h.ldap	2015-03-18 11:11:29.031801462 +0100
3e8b5b
+++ openssh-6.8p1/ldap-helper.h	2015-03-18 11:11:29.031801462 +0100
3e8b5b
@@ -0,0 +1,32 @@
3e8b5b
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
3e8b5b
+ *
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
3e8b5b
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
3e8b5b
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
3e8b5b
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3e8b5b
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
3e8b5b
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
3e8b5b
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
3e8b5b
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
3e8b5b
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+#ifndef LDAP_HELPER_H
3e8b5b
+#define LDAP_HELPER_H
3e8b5b
+
3e8b5b
+extern int config_exclusive_config_file;
3e8b5b
+extern int config_warning_config_file;
3e8b5b
+
3e8b5b
+#endif /* LDAP_HELPER_H */
3e8b5b
diff -up openssh-6.8p1/ldap.conf.ldap openssh-6.8p1/ldap.conf
3e8b5b
--- openssh-6.8p1/ldap.conf.ldap	2015-03-18 11:11:29.031801462 +0100
3e8b5b
+++ openssh-6.8p1/ldap.conf	2015-03-18 11:11:29.031801462 +0100
3e8b5b
@@ -0,0 +1,95 @@
3e8b5b
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
3e8b5b
+#
3e8b5b
+# This is the example configuration file for the OpenSSH
3e8b5b
+# LDAP backend
3e8b5b
+# 
3e8b5b
+# see ssh-ldap.conf(5)
3e8b5b
+#
3e8b5b
+
3e8b5b
+# URI with your LDAP server name. This allows to use
3e8b5b
+# Unix Domain Sockets to connect to a local LDAP Server.
3e8b5b
+#uri ldap://127.0.0.1/
3e8b5b
+#uri ldaps://127.0.0.1/   
3e8b5b
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
3e8b5b
+# Note: %2f encodes the '/' used as directory separator
3e8b5b
+
3e8b5b
+# Another way to specify your LDAP server is to provide an
3e8b5b
+# host name and the port of our LDAP server. Host name
3e8b5b
+# must be resolvable without using LDAP.
3e8b5b
+# Multiple hosts may be specified, each separated by a 
3e8b5b
+# space. How long nss_ldap takes to failover depends on
3e8b5b
+# whether your LDAP client library supports configurable
3e8b5b
+# network or connect timeouts (see bind_timelimit).
3e8b5b
+#host 127.0.0.1
3e8b5b
+
3e8b5b
+# The port.
3e8b5b
+# Optional: default is 389.
3e8b5b
+#port 389
3e8b5b
+
3e8b5b
+# The distinguished name to bind to the server with.
3e8b5b
+# Optional: default is to bind anonymously.
3e8b5b
+#binddn cn=openssh_keys,dc=example,dc=org
3e8b5b
+
3e8b5b
+# The credentials to bind with. 
3e8b5b
+# Optional: default is no credential.
3e8b5b
+#bindpw TopSecret
3e8b5b
+
3e8b5b
+# The distinguished name of the search base.
3e8b5b
+#base dc=example,dc=org
3e8b5b
+
3e8b5b
+# The LDAP version to use (defaults to 3
3e8b5b
+# if supported by client library)
3e8b5b
+#ldap_version 3
3e8b5b
+
3e8b5b
+# The search scope.
3e8b5b
+#scope sub
3e8b5b
+#scope one
3e8b5b
+#scope base
3e8b5b
+
3e8b5b
+# Search timelimit
3e8b5b
+#timelimit 30
3e8b5b
+
3e8b5b
+# Bind/connect timelimit
3e8b5b
+#bind_timelimit 30
3e8b5b
+
3e8b5b
+# Reconnect policy: hard (default) will retry connecting to
3e8b5b
+# the software with exponential backoff, soft will fail
3e8b5b
+# immediately.
3e8b5b
+#bind_policy hard
3e8b5b
+
3e8b5b
+# SSL setup, may be implied by URI also.
3e8b5b
+#ssl no
3e8b5b
+#ssl on
3e8b5b
+#ssl start_tls
3e8b5b
+
3e8b5b
+# OpenLDAP SSL options
3e8b5b
+# Require and verify server certificate (yes/no)
3e8b5b
+# Default is to use libldap's default behavior, which can be configured in
3e8b5b
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
3e8b5b
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
3e8b5b
+#tls_checkpeer hard
3e8b5b
+
3e8b5b
+# CA certificates for server certificate verification
3e8b5b
+# At least one of these are required if tls_checkpeer is "yes"
3e8b5b
+#tls_cacertfile /etc/ssl/ca.cert
3e8b5b
+#tls_cacertdir /etc/pki/tls/certs
3e8b5b
+
3e8b5b
+# Seed the PRNG if /dev/urandom is not provided
3e8b5b
+#tls_randfile /var/run/egd-pool
3e8b5b
+
3e8b5b
+# SSL cipher suite
3e8b5b
+# See man ciphers for syntax
3e8b5b
+#tls_ciphers TLSv1
3e8b5b
+
3e8b5b
+# Client certificate and key
3e8b5b
+# Use these, if your server requires client authentication.
3e8b5b
+#tls_cert
3e8b5b
+#tls_key
3e8b5b
+
3e8b5b
+# OpenLDAP search_format
3e8b5b
+# format used to search for users in LDAP directory using substitution
3e8b5b
+# for %u for user name and %f for SSH_Filter option (optional, empty by default)
3e8b5b
+#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
3e8b5b
+
3e8b5b
+#AccountClass posixAccount
3e8b5b
+
3e8b5b
diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
3e8b5b
--- openssh-6.8p1/ldapbody.c.ldap	2015-03-18 11:11:29.031801462 +0100
3e8b5b
+++ openssh-6.8p1/ldapbody.c	2015-03-18 11:11:29.031801462 +0100
3e8b5b
@@ -0,0 +1,499 @@
3e8b5b
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
3e8b5b
+ *
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
3e8b5b
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
3e8b5b
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
3e8b5b
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3e8b5b
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
3e8b5b
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
3e8b5b
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
3e8b5b
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
3e8b5b
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+#include "ldapincludes.h"
3e8b5b
+#include "log.h"
3e8b5b
+#include "xmalloc.h"
3e8b5b
+#include "ldapconf.h"
3e8b5b
+#include "ldapmisc.h"
3e8b5b
+#include "ldapbody.h"
3e8b5b
+#include <stdio.h>
3e8b5b
+#include <unistd.h>
3e8b5b
+#include <stdlib.h>
3e8b5b
+#include "misc.h"
3e8b5b
+
3e8b5b
+#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
3e8b5b
+#define PUBKEYATTR "sshPublicKey"
3e8b5b
+#define LDAP_LOGFILE	"%s/ldap.%d"
3e8b5b
+
3e8b5b
+static FILE *logfile = NULL;
3e8b5b
+static LDAP *ld;
3e8b5b
+
3e8b5b
+static char *attrs[] = {
3e8b5b
+    PUBKEYATTR,
3e8b5b
+    NULL
3e8b5b
+};
3e8b5b
+
3e8b5b
+void
3e8b5b
+ldap_checkconfig (void)
3e8b5b
+{
3e8b5b
+#ifdef HAVE_LDAP_INITIALIZE
3e8b5b
+		if (options.host == NULL && options.uri == NULL)
3e8b5b
+#else
3e8b5b
+		if (options.host == NULL)
3e8b5b
+#endif
3e8b5b
+		    fatal ("missing  \"host\" in config file");
3e8b5b
+}
3e8b5b
+
3e8b5b
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
3e8b5b
+static int
3e8b5b
+#if LDAP_API_VERSION > 3000
3e8b5b
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *params)
3e8b5b
+#else
3e8b5b
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
3e8b5b
+#endif
3e8b5b
+{
3e8b5b
+	struct timeval timeout;
3e8b5b
+	int rc;
3e8b5b
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
3e8b5b
+	LDAPMessage *result;
3e8b5b
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
3e8b5b
+
3e8b5b
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
3e8b5b
+	if (options.ssl == SSL_START_TLS) {
3e8b5b
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
3e8b5b
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
3e8b5b
+			return LDAP_OPERATIONS_ERROR;
3e8b5b
+		}
3e8b5b
+	}
3e8b5b
+
3e8b5b
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
3e8b5b
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
3e8b5b
+#else
3e8b5b
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
3e8b5b
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
3e8b5b
+
3e8b5b
+	timeout.tv_sec = options.bind_timelimit;
3e8b5b
+	timeout.tv_usec = 0;
3e8b5b
+	result = NULL;
3e8b5b
+	if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
3e8b5b
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
3e8b5b
+		ldap_msgfree (result);
3e8b5b
+		return LDAP_OPERATIONS_ERROR;
3e8b5b
+	}
3e8b5b
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
3e8b5b
+	return rc;
3e8b5b
+#endif
3e8b5b
+}
3e8b5b
+#else
3e8b5b
+
3e8b5b
+static int
3e8b5b
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
3e8b5b
+{
3e8b5b
+	if (freeit)
3e8b5b
+	    return LDAP_SUCCESS;
3e8b5b
+
3e8b5b
+	*whop = strdup (options.binddn);
3e8b5b
+	*credp = strdup (options.bindpw);
3e8b5b
+	*methodp = LDAP_AUTH_SIMPLE;
3e8b5b
+	debug2 ("Doing LDAP rebind for %s", *whop);
3e8b5b
+	return LDAP_SUCCESS;
3e8b5b
+}
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+void
3e8b5b
+ldap_do_connect(void)
3e8b5b
+{
3e8b5b
+	int rc, msgid, ld_errno = 0;
3e8b5b
+	struct timeval timeout;
3e8b5b
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
3e8b5b
+	int parserc;
3e8b5b
+	LDAPMessage *result;
3e8b5b
+	LDAPControl **controls;
3e8b5b
+	int reconnect = 0;
3e8b5b
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
3e8b5b
+
3e8b5b
+	debug ("LDAP do connect");
3e8b5b
+
3e8b5b
+retry:
3e8b5b
+	if (reconnect) {
3e8b5b
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
3e8b5b
+		if (options.bind_policy == 0 ||
3e8b5b
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
3e8b5b
+			reconnect > 5)
3e8b5b
+			    fatal ("Cannot connect to LDAP server");
3e8b5b
+	
3e8b5b
+		if (reconnect > 1)
3e8b5b
+			sleep (reconnect - 1);
3e8b5b
+
3e8b5b
+		if (ld != NULL) {
3e8b5b
+			ldap_unbind (ld);
3e8b5b
+			ld = NULL;
3e8b5b
+		}
3e8b5b
+		logit("reconnecting to LDAP server...");
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if (ld == NULL) {
3e8b5b
+		int rc;
3e8b5b
+		struct timeval tv;
3e8b5b
+
3e8b5b
+#ifdef HAVE_LDAP_SET_OPTION
3e8b5b
+		if (options.debug > 0) {
3e8b5b
+#ifdef LBER_OPT_LOG_PRINT_FILE
3e8b5b
+			if (options.logdir) {
3e8b5b
+				char *logfilename;
3e8b5b
+				int logfilenamelen;
3e8b5b
+
3e8b5b
+				logfilenamelen = strlen(LDAP_LOGFILE)
3e8b5b
+				    + strlen("000000") + strlen (options.logdir);
3e8b5b
+				logfilename = xmalloc (logfilenamelen);
3e8b5b
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
3e8b5b
+				logfilename[logfilenamelen - 1] = 0;
3e8b5b
+				if ((logfile = fopen (logfilename, "a")) == NULL)
3e8b5b
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
3e8b5b
+				debug3 ("LDAP debug into %s", logfilename);
3e8b5b
+				free (logfilename);
3e8b5b
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
3e8b5b
+			}
3e8b5b
+#endif
3e8b5b
+			if (options.debug) {
3e8b5b
+#ifdef LBER_OPT_DEBUG_LEVEL
3e8b5b
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
3e8b5b
+#endif /* LBER_OPT_DEBUG_LEVEL */
3e8b5b
+#ifdef LDAP_OPT_DEBUG_LEVEL
3e8b5b
+				(void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
3e8b5b
+#endif /* LDAP_OPT_DEBUG_LEVEL */
3e8b5b
+				debug3 ("Set LDAP debug to %d", options.debug);
3e8b5b
+			}
3e8b5b
+		}
3e8b5b
+#endif /* HAVE_LDAP_SET_OPTION */
3e8b5b
+
3e8b5b
+		ld = NULL;
3e8b5b
+#ifdef HAVE_LDAPSSL_INIT
3e8b5b
+		if (options.host != NULL) {
3e8b5b
+			if (options.ssl_on == SSL_LDAPS) {
3e8b5b
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
3e8b5b
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
3e8b5b
+				debug3 ("LDAPssl client init");
3e8b5b
+			}
3e8b5b
+
3e8b5b
+			if (options.ssl_on != SSL_OFF) {
3e8b5b
+				if ((ld = ldapssl_init (options.host, options.port, 1)) == NULL)
3e8b5b
+				    fatal ("ldapssl_init failed");
3e8b5b
+				debug3 ("LDAPssl init");
3e8b5b
+			}
3e8b5b
+		}
3e8b5b
+#endif /* HAVE_LDAPSSL_INIT */
3e8b5b
+
3e8b5b
+		/* continue with opening */
3e8b5b
+		if (ld == NULL) {
3e8b5b
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
3e8b5b
+			/* Some global TLS-specific options need to be set before we create our
3e8b5b
+			 * session context, so we set them here. */
3e8b5b
+
3e8b5b
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
3e8b5b
+			/* rand file */
3e8b5b
+			if (options.tls_randfile != NULL) {
3e8b5b
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
3e8b5b
+				    options.tls_randfile)) != LDAP_SUCCESS)
3e8b5b
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
3e8b5b
+					    ldap_err2string (rc));
3e8b5b
+				debug3 ("Set TLS random file %s", options.tls_randfile);
3e8b5b
+			}
3e8b5b
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
3e8b5b
+
3e8b5b
+			/* ca cert file */
3e8b5b
+			if (options.tls_cacertfile != NULL) {
3e8b5b
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
3e8b5b
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
3e8b5b
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
3e8b5b
+					    ldap_err2string (rc));
3e8b5b
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
3e8b5b
+			}
3e8b5b
+
3e8b5b
+			/* ca cert directory */
3e8b5b
+			if (options.tls_cacertdir != NULL) {
3e8b5b
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
3e8b5b
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
3e8b5b
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
3e8b5b
+					    ldap_err2string (rc));
3e8b5b
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
3e8b5b
+			}
3e8b5b
+
3e8b5b
+			/* require cert? */
3e8b5b
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
3e8b5b
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
3e8b5b
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
3e8b5b
+				    ldap_err2string (rc));
3e8b5b
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
3e8b5b
+
3e8b5b
+			/* set cipher suite, certificate and private key: */
3e8b5b
+			if (options.tls_ciphers != NULL) {
3e8b5b
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
3e8b5b
+				    options.tls_ciphers)) != LDAP_SUCCESS)
3e8b5b
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
3e8b5b
+					    ldap_err2string (rc));
3e8b5b
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
3e8b5b
+			}
3e8b5b
+
3e8b5b
+			/* cert file */
3e8b5b
+			if (options.tls_cert != NULL) {
3e8b5b
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
3e8b5b
+				    options.tls_cert)) != LDAP_SUCCESS)
3e8b5b
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
3e8b5b
+					    ldap_err2string (rc));
3e8b5b
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
3e8b5b
+			}
3e8b5b
+
3e8b5b
+			/* key file */
3e8b5b
+			if (options.tls_key != NULL) {
3e8b5b
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
3e8b5b
+				    options.tls_key)) != LDAP_SUCCESS)
3e8b5b
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
3e8b5b
+					    ldap_err2string (rc));
3e8b5b
+				debug3 ("Set TLS key file %s ", options.tls_key);
3e8b5b
+			}
3e8b5b
+#endif
3e8b5b
+#ifdef HAVE_LDAP_INITIALIZE
3e8b5b
+			if (options.uri != NULL) {
3e8b5b
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
3e8b5b
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
3e8b5b
+				debug3 ("LDAP initialize %s", options.uri);
3e8b5b
+			}
3e8b5b
+	}
3e8b5b
+#endif /* HAVE_LDAP_INTITIALIZE */
3e8b5b
+
3e8b5b
+		/* continue with opening */
3e8b5b
+		if ((ld == NULL) && (options.host != NULL)) {
3e8b5b
+#ifdef HAVE_LDAP_INIT
3e8b5b
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
3e8b5b
+			    fatal ("ldap_init failed");
3e8b5b
+			debug3 ("LDAP init %s:%d", options.host, options.port);
3e8b5b
+#else
3e8b5b
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
3e8b5b
+			    fatal ("ldap_open failed");
3e8b5b
+			debug3 ("LDAP open %s:%d", options.host, options.port);
3e8b5b
+#endif /* HAVE_LDAP_INIT */
3e8b5b
+		}
3e8b5b
+
3e8b5b
+		if (ld == NULL)
3e8b5b
+			fatal ("no way to open ldap");
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
3e8b5b
+		if (options.ssl == SSL_LDAPS) {
3e8b5b
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
3e8b5b
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
3e8b5b
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
3e8b5b
+		}
3e8b5b
+#endif /* LDAP_OPT_X_TLS */
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
3e8b5b
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
3e8b5b
+		    &options.ldap_version);
3e8b5b
+#else
3e8b5b
+		ld->ld_version = options.ldap_version;
3e8b5b
+#endif
3e8b5b
+		debug3 ("LDAP set version to %d", options.ldap_version);
3e8b5b
+
3e8b5b
+#if LDAP_SET_REBIND_PROC_ARGS == 3
3e8b5b
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
3e8b5b
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
3e8b5b
+		ldap_set_rebind_proc (ld, _rebind_proc);
3e8b5b
+#else
3e8b5b
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
3e8b5b
+#endif
3e8b5b
+		debug3 ("LDAP set rebind proc");
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
3e8b5b
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
3e8b5b
+#else
3e8b5b
+		ld->ld_deref = options.deref;
3e8b5b
+#endif
3e8b5b
+		debug3 ("LDAP set deref to %d", options.deref);
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
3e8b5b
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
3e8b5b
+		    &options.timelimit);
3e8b5b
+#else
3e8b5b
+		ld->ld_timelimit = options.timelimit;
3e8b5b
+#endif
3e8b5b
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
3e8b5b
+		/*
3e8b5b
+		 * This is a new option in the Netscape SDK which sets 
3e8b5b
+		 * the TCP connect timeout. For want of a better value,
3e8b5b
+		 * we use the bind_timelimit to control this.
3e8b5b
+		 */
3e8b5b
+		timeout = options.bind_timelimit * 1000;
3e8b5b
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
3e8b5b
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
3e8b5b
+		tv.tv_sec = options.bind_timelimit;
3e8b5b
+		tv.tv_usec = 0;
3e8b5b
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
3e8b5b
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
3e8b5b
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
3e8b5b
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
3e8b5b
+		debug3 ("LDAP set referrals to %d", options.referrals);
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
3e8b5b
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
3e8b5b
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
3e8b5b
+		debug3 ("LDAP set restart to %d", options.restart);
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+#ifdef HAVE_LDAP_START_TLS_S
3e8b5b
+		if (options.ssl == SSL_START_TLS) {
3e8b5b
+			int version;
3e8b5b
+
3e8b5b
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
3e8b5b
+			    == LDAP_SUCCESS) {
3e8b5b
+				if (version < LDAP_VERSION3) {
3e8b5b
+					version = LDAP_VERSION3;
3e8b5b
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
3e8b5b
+					    &version);
3e8b5b
+					debug3 ("LDAP set version to %d", version);
3e8b5b
+				}
3e8b5b
+			}
3e8b5b
+
3e8b5b
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
3e8b5b
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
3e8b5b
+			debug3 ("LDAP start TLS");
3e8b5b
+		}
3e8b5b
+#endif /* HAVE_LDAP_START_TLS_S */
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
3e8b5b
+	    options.bindpw)) == -1) {
3e8b5b
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
3e8b5b
+
3e8b5b
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
3e8b5b
+		reconnect++;
3e8b5b
+		goto retry;
3e8b5b
+	}
3e8b5b
+	debug3 ("LDAP simple bind (%s)", options.binddn);
3e8b5b
+
3e8b5b
+	timeout.tv_sec = options.bind_timelimit;
3e8b5b
+	timeout.tv_usec = 0;
3e8b5b
+	if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
3e8b5b
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
3e8b5b
+
3e8b5b
+		error ("ldap_result %s", ldap_err2string (ld_errno));
3e8b5b
+		reconnect++;
3e8b5b
+		goto retry;
3e8b5b
+	}
3e8b5b
+	debug3 ("LDAP result in time");
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
3e8b5b
+	controls = NULL;
3e8b5b
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, 1)) != LDAP_SUCCESS)
3e8b5b
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
3e8b5b
+	debug3 ("LDAP parse result OK");
3e8b5b
+
3e8b5b
+	if (controls != NULL) {
3e8b5b
+		ldap_controls_free (controls);
3e8b5b
+	}
3e8b5b
+#else
3e8b5b
+	rc = ldap_result2error (session->ld, result, 1);
3e8b5b
+#endif
3e8b5b
+	if (rc != LDAP_SUCCESS)
3e8b5b
+	    fatal ("error trying to bind as user \"%s\" (%s)",
3e8b5b
+		options.binddn, ldap_err2string (rc));
3e8b5b
+
3e8b5b
+	debug2 ("LDAP do connect OK");
3e8b5b
+}
3e8b5b
+
3e8b5b
+void
3e8b5b
+process_user (const char *user, FILE *output)
3e8b5b
+{
3e8b5b
+	LDAPMessage *res, *e;
3e8b5b
+	char *buffer, *format;
3e8b5b
+	int rc, i;
3e8b5b
+	struct timeval timeout;
3e8b5b
+
3e8b5b
+	debug ("LDAP process user");
3e8b5b
+
3e8b5b
+	/* quick check for attempts to be evil */
3e8b5b
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
3e8b5b
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
3e8b5b
+		logit ("illegal user name %s not processed", user);
3e8b5b
+		return;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	/* build  filter for LDAP request */
3e8b5b
+	format = LDAPSEARCH_FORMAT;
3e8b5b
+	if (options.search_format != NULL)
3e8b5b
+		format = options.search_format;
3e8b5b
+	buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
3e8b5b
+
3e8b5b
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
3e8b5b
+
3e8b5b
+	timeout.tv_sec = options.timelimit;
3e8b5b
+	timeout.tv_usec = 0;
3e8b5b
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
3e8b5b
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
3e8b5b
+		free (buffer);
3e8b5b
+		return;
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	/* free */
3e8b5b
+	free (buffer);
3e8b5b
+
3e8b5b
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
3e8b5b
+		int num;
3e8b5b
+		struct berval **keys;
3e8b5b
+
3e8b5b
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
3e8b5b
+		num = ldap_count_values_len(keys);
3e8b5b
+		for (i = 0 ; i < num ; i++) {
3e8b5b
+			char *cp; //, *options = NULL;
3e8b5b
+
3e8b5b
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
3e8b5b
+			if (!*cp || *cp == '\n' || *cp == '#')
3e8b5b
+			    continue;
3e8b5b
+
3e8b5b
+			/* We have found the desired key. */
3e8b5b
+			fprintf (output, "%s\n", keys[i]->bv_val);
3e8b5b
+		}
3e8b5b
+
3e8b5b
+		ldap_value_free_len(keys);
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	ldap_msgfree(res);
3e8b5b
+	debug2 ("LDAP process user finished");
3e8b5b
+}
3e8b5b
+
3e8b5b
+void
3e8b5b
+ldap_do_close(void)
3e8b5b
+{
3e8b5b
+	int rc;
3e8b5b
+
3e8b5b
+	debug ("LDAP do close");
3e8b5b
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
3e8b5b
+	    fatal ("ldap_unbind_ext: %s",
3e8b5b
+                                    ldap_err2string (rc));
3e8b5b
+
3e8b5b
+	ld = NULL;
3e8b5b
+	debug2 ("LDAP do close OK");
3e8b5b
+	return;
3e8b5b
+}
3e8b5b
+
3e8b5b
diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h
3e8b5b
--- openssh-6.8p1/ldapbody.h.ldap	2015-03-18 11:11:29.031801462 +0100
3e8b5b
+++ openssh-6.8p1/ldapbody.h	2015-03-18 11:11:29.031801462 +0100
3e8b5b
@@ -0,0 +1,37 @@
3e8b5b
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
3e8b5b
+ *
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
3e8b5b
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
3e8b5b
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
3e8b5b
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3e8b5b
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
3e8b5b
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
3e8b5b
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
3e8b5b
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
3e8b5b
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+#ifndef LDAPBODY_H
3e8b5b
+#define LDAPBODY_H
3e8b5b
+
3e8b5b
+#include <stdio.h>
3e8b5b
+
3e8b5b
+void ldap_checkconfig(void);
3e8b5b
+void ldap_do_connect(void);
3e8b5b
+void process_user(const char *, FILE *);
3e8b5b
+void ldap_do_close(void);
3e8b5b
+
3e8b5b
+#endif /* LDAPBODY_H */
3e8b5b
+
3e8b5b
diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
3e8b5b
--- openssh-6.8p1/ldapconf.c.ldap	2015-03-18 11:11:29.032801460 +0100
3e8b5b
+++ openssh-6.8p1/ldapconf.c	2015-03-18 11:11:29.032801460 +0100
3e8b5b
@@ -0,0 +1,729 @@
3e8b5b
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
3e8b5b
+ *
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
3e8b5b
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
3e8b5b
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
3e8b5b
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3e8b5b
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
3e8b5b
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
3e8b5b
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
3e8b5b
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
3e8b5b
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+#include "ldapincludes.h"
3e8b5b
+#include "ldap-helper.h"
3e8b5b
+#include "log.h"
3e8b5b
+#include "misc.h"
3e8b5b
+#include "xmalloc.h"
3e8b5b
+#include "ldapconf.h"
3e8b5b
+#include <unistd.h>
3e8b5b
+#include <string.h>
3e8b5b
+#include <stdlib.h>
3e8b5b
+
3e8b5b
+/* Keyword tokens. */
3e8b5b
+
3e8b5b
+typedef enum {
3e8b5b
+	lBadOption,
3e8b5b
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
3e8b5b
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
3e8b5b
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
3e8b5b
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
3e8b5b
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
3e8b5b
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
3e8b5b
+	lAccountClass, lDeprecated, lUnsupported
3e8b5b
+} OpCodes;
3e8b5b
+
3e8b5b
+/* Textual representations of the tokens. */
3e8b5b
+
3e8b5b
+static struct {
3e8b5b
+	const char *name;
3e8b5b
+	OpCodes opcode;
3e8b5b
+} keywords[] = {
3e8b5b
+	{ "URI", lURI },
3e8b5b
+	{ "Base", lBase },
3e8b5b
+	{ "BindDN", lBindDN },
3e8b5b
+	{ "BindPW", lBindPW },
3e8b5b
+	{ "RootBindDN", lRootBindDN },
3e8b5b
+	{ "Host", lHost },
3e8b5b
+	{ "Port", lPort },
3e8b5b
+	{ "Scope", lScope },
3e8b5b
+	{ "Deref", lDeref },
3e8b5b
+	{ "TimeLimit", lTimeLimit },
3e8b5b
+	{ "TimeOut", lTimeLimit },
3e8b5b
+	{ "Bind_Timelimit", lBind_TimeLimit },
3e8b5b
+	{ "Network_TimeOut", lBind_TimeLimit },
3e8b5b
+/*
3e8b5b
+ * Todo
3e8b5b
+ * SIZELIMIT
3e8b5b
+ */
3e8b5b
+	{ "Ldap_Version", lLdap_Version },
3e8b5b
+	{ "Version", lLdap_Version },
3e8b5b
+	{ "Bind_Policy", lBind_Policy },
3e8b5b
+	{ "SSLPath", lSSLPath },
3e8b5b
+	{ "SSL", lSSL },
3e8b5b
+	{ "Referrals", lReferrals },
3e8b5b
+	{ "Restart", lRestart },
3e8b5b
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
3e8b5b
+	{ "TLS_ReqCert", lTLS_CheckPeer },
3e8b5b
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
3e8b5b
+	{ "TLS_CaCert", lTLS_CaCertFile },
3e8b5b
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
3e8b5b
+	{ "TLS_Ciphers", lTLS_Ciphers },
3e8b5b
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
3e8b5b
+	{ "TLS_Cert", lTLS_Cert },
3e8b5b
+	{ "TLS_Certificate", lTLS_Cert },
3e8b5b
+	{ "TLS_Key", lTLS_Key },
3e8b5b
+	{ "TLS_RandFile", lTLS_RandFile },
3e8b5b
+/*
3e8b5b
+ * Todo
3e8b5b
+ * TLS_CRLCHECK
3e8b5b
+ * TLS_CRLFILE
3e8b5b
+ */
3e8b5b
+	{ "LogDir", lLogDir },
3e8b5b
+	{ "Debug", lDebug },
3e8b5b
+	{ "SSH_Filter", lSSH_Filter },
3e8b5b
+	{ "search_format", lSearch_Format },
3e8b5b
+	{ "AccountClass", lAccountClass },
3e8b5b
+	{ NULL, lBadOption }
3e8b5b
+};
3e8b5b
+
3e8b5b
+/* Configuration ptions. */
3e8b5b
+
3e8b5b
+Options options;
3e8b5b
+
3e8b5b
+/*
3e8b5b
+ * Returns the number of the token pointed to by cp or oBadOption.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+static OpCodes
3e8b5b
+parse_token(const char *cp, const char *filename, int linenum)
3e8b5b
+{
3e8b5b
+	u_int i;
3e8b5b
+
3e8b5b
+	for (i = 0; keywords[i].name; i++)
3e8b5b
+		if (strcasecmp(cp, keywords[i].name) == 0)
3e8b5b
+			return keywords[i].opcode;
3e8b5b
+
3e8b5b
+	if (config_warning_config_file) 
3e8b5b
+	    logit("%s: line %d: Bad configuration option: %s",
3e8b5b
+		filename, linenum, cp);
3e8b5b
+	return lBadOption;
3e8b5b
+}
3e8b5b
+
3e8b5b
+/* Characters considered whitespace in strsep calls. */
3e8b5b
+#define WHITESPACE " \t\r\n"
3e8b5b
+
3e8b5b
+/* return next token in configuration line */
3e8b5b
+static char *
3e8b5b
+ldap_strdelim(char **s)
3e8b5b
+{
3e8b5b
+      char *old;
3e8b5b
+      int wspace = 0;
3e8b5b
+
3e8b5b
+      if (*s == NULL)
3e8b5b
+              return NULL;
3e8b5b
+
3e8b5b
+      old = *s;
3e8b5b
+
3e8b5b
+      *s = strpbrk(*s, WHITESPACE);
3e8b5b
+      if (*s == NULL)
3e8b5b
+              return (old);
3e8b5b
+
3e8b5b
+      *s[0] = '\0';
3e8b5b
+
3e8b5b
+      /* Skip any extra whitespace after first token */
3e8b5b
+      *s += strspn(*s + 1, WHITESPACE) + 1;
3e8b5b
+      if (*s[0] == '=' && !wspace)
3e8b5b
+              *s += strspn(*s + 1, WHITESPACE) + 1;
3e8b5b
+
3e8b5b
+      return (old);
3e8b5b
+}
3e8b5b
+
3e8b5b
+/*
3e8b5b
+ * Processes a single option line as used in the configuration files. This
3e8b5b
+ * only sets those values that have not already been set.
3e8b5b
+ */
3e8b5b
+#define WHITESPACE " \t\r\n"
3e8b5b
+
3e8b5b
+static int
3e8b5b
+process_config_line(char *line, const char *filename, int linenum)
3e8b5b
+{
3e8b5b
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
3e8b5b
+	char *rootbinddn = NULL;
3e8b5b
+	int opcode, *intptr, value;
3e8b5b
+	size_t len;
3e8b5b
+
3e8b5b
+	/* Strip trailing whitespace */
3e8b5b
+	for (len = strlen(line) - 1; len > 0; len--) {
3e8b5b
+		if (strchr(WHITESPACE, line[len]) == NULL)
3e8b5b
+			break;
3e8b5b
+		line[len] = '\0';
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	s = line;
3e8b5b
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
3e8b5b
+	if ((keyword = ldap_strdelim(&s)) == NULL)
3e8b5b
+		return 0;
3e8b5b
+	/* Ignore leading whitespace. */
3e8b5b
+	if (*keyword == '\0')
3e8b5b
+		keyword = ldap_strdelim(&s);
3e8b5b
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
3e8b5b
+		return 0;
3e8b5b
+
3e8b5b
+	opcode = parse_token(keyword, filename, linenum);
3e8b5b
+
3e8b5b
+	switch (opcode) {
3e8b5b
+	case lBadOption:
3e8b5b
+		/* don't panic, but count bad options */
3e8b5b
+		return -1;
3e8b5b
+		/* NOTREACHED */
3e8b5b
+
3e8b5b
+	case lHost:
3e8b5b
+		xstringptr = &options.host;
3e8b5b
+parse_xstring:
3e8b5b
+		if (!s || *s == '\0')
3e8b5b
+		    fatal("%s line %d: missing dn",filename,linenum);
3e8b5b
+		if (*xstringptr == NULL)
3e8b5b
+		    *xstringptr = xstrdup(s);
3e8b5b
+		return 0;
3e8b5b
+
3e8b5b
+	case lURI:
3e8b5b
+		xstringptr = &options.uri;
3e8b5b
+		goto parse_xstring;
3e8b5b
+
3e8b5b
+	case lBase:
3e8b5b
+		xstringptr = &options.base;
3e8b5b
+		goto parse_xstring;
3e8b5b
+
3e8b5b
+	case lBindDN:
3e8b5b
+		xstringptr = &options.binddn;
3e8b5b
+		goto parse_xstring;
3e8b5b
+
3e8b5b
+	case lBindPW:
3e8b5b
+		charptr = &options.bindpw;
3e8b5b
+parse_string:
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
3e8b5b
+		if (*charptr == NULL)
3e8b5b
+			*charptr = xstrdup(arg);
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lRootBindDN:
3e8b5b
+		xstringptr = &rootbinddn;
3e8b5b
+		goto parse_xstring;
3e8b5b
+
3e8b5b
+	case lScope:
3e8b5b
+		intptr = &options.scope;
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
3e8b5b
+		value = 0;	/* To avoid compiler warning... */
3e8b5b
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
3e8b5b
+			value = LDAP_SCOPE_SUBTREE;
3e8b5b
+		else if (strcasecmp (arg, "one") == 0)
3e8b5b
+			value = LDAP_SCOPE_ONELEVEL;
3e8b5b
+		else if (strcasecmp (arg, "base") == 0)
3e8b5b
+			value = LDAP_SCOPE_BASE;
3e8b5b
+		else
3e8b5b
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
3e8b5b
+		if (*intptr == -1)
3e8b5b
+			*intptr = value;
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lDeref:
3e8b5b
+		intptr = &options.scope;
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
3e8b5b
+		value = 0;	/* To avoid compiler warning... */
3e8b5b
+		if (!strcasecmp (arg, "never"))
3e8b5b
+			value = LDAP_DEREF_NEVER;
3e8b5b
+		else if (!strcasecmp (arg, "searching"))
3e8b5b
+			value = LDAP_DEREF_SEARCHING;
3e8b5b
+		else if (!strcasecmp (arg, "finding"))
3e8b5b
+			value = LDAP_DEREF_FINDING;
3e8b5b
+		else if (!strcasecmp (arg, "always"))
3e8b5b
+			value = LDAP_DEREF_ALWAYS;
3e8b5b
+		else
3e8b5b
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
3e8b5b
+		if (*intptr == -1)
3e8b5b
+			*intptr = value;
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lPort:
3e8b5b
+		intptr = &options.port;
3e8b5b
+parse_int:
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
3e8b5b
+		if (arg[0] < '0' || arg[0] > '9')
3e8b5b
+			fatal("%.200s line %d: Bad number.", filename, linenum);
3e8b5b
+
3e8b5b
+		/* Octal, decimal, or hex format? */
3e8b5b
+		value = strtol(arg, &endofnumber, 0);
3e8b5b
+		if (arg == endofnumber)
3e8b5b
+			fatal("%.200s line %d: Bad number.", filename, linenum);
3e8b5b
+		if (*intptr == -1)
3e8b5b
+			*intptr = value;
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lTimeLimit:
3e8b5b
+		intptr = &options.timelimit;
3e8b5b
+parse_time:
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%s line %d: missing time value.",
3e8b5b
+			    filename, linenum);
3e8b5b
+		if ((value = convtime(arg)) == -1)
3e8b5b
+			fatal("%s line %d: invalid time value.",
3e8b5b
+			    filename, linenum);
3e8b5b
+		if (*intptr == -1)
3e8b5b
+			*intptr = value;
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lBind_TimeLimit:
3e8b5b
+		intptr = &options.bind_timelimit;
3e8b5b
+		goto parse_time;
3e8b5b
+
3e8b5b
+	case lLdap_Version:
3e8b5b
+		intptr = &options.ldap_version;
3e8b5b
+		goto parse_int;
3e8b5b
+
3e8b5b
+	case lBind_Policy:
3e8b5b
+		intptr = &options.bind_policy;
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
3e8b5b
+		value = 0;	/* To avoid compiler warning... */
3e8b5b
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
3e8b5b
+			value = 1;
3e8b5b
+		else if (strcasecmp(arg, "soft") == 0)
3e8b5b
+			value = 0;
3e8b5b
+		else
3e8b5b
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
3e8b5b
+		if (*intptr == -1)
3e8b5b
+			*intptr = value;
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lSSLPath:
3e8b5b
+		charptr = &options.sslpath;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lSSL:
3e8b5b
+		intptr = &options.ssl;
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
3e8b5b
+		value = 0;	/* To avoid compiler warning... */
3e8b5b
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
3e8b5b
+			value = SSL_LDAPS;
3e8b5b
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
3e8b5b
+			value = SSL_OFF;
3e8b5b
+		else if (!strcasecmp (arg, "start_tls"))
3e8b5b
+			value = SSL_START_TLS;
3e8b5b
+		else
3e8b5b
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
3e8b5b
+		if (*intptr == -1)
3e8b5b
+			*intptr = value;
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lReferrals:
3e8b5b
+		intptr = &options.referrals;
3e8b5b
+parse_flag:
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
3e8b5b
+		value = 0;	/* To avoid compiler warning... */
3e8b5b
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
3e8b5b
+			value = 1;
3e8b5b
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
3e8b5b
+			value = 0;
3e8b5b
+		else
3e8b5b
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
3e8b5b
+		if (*intptr == -1)
3e8b5b
+			*intptr = value;
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lRestart:
3e8b5b
+		intptr = &options.restart;
3e8b5b
+		goto parse_flag;
3e8b5b
+
3e8b5b
+	case lTLS_CheckPeer:
3e8b5b
+		intptr = &options.tls_checkpeer;
3e8b5b
+		arg = ldap_strdelim(&s);
3e8b5b
+		if (!arg || *arg == '\0')
3e8b5b
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
3e8b5b
+		value = 0;	/* To avoid compiler warning... */
3e8b5b
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
3e8b5b
+			value = LDAP_OPT_X_TLS_NEVER;
3e8b5b
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
3e8b5b
+			value = LDAP_OPT_X_TLS_HARD;
3e8b5b
+		else if (strcasecmp(arg, "demand") == 0)
3e8b5b
+			value = LDAP_OPT_X_TLS_DEMAND;
3e8b5b
+		else if (strcasecmp(arg, "allow") == 0)
3e8b5b
+			value = LDAP_OPT_X_TLS_ALLOW;
3e8b5b
+		else if (strcasecmp(arg, "try") == 0)
3e8b5b
+			value = LDAP_OPT_X_TLS_TRY;
3e8b5b
+		else
3e8b5b
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
3e8b5b
+		if (*intptr == -1)
3e8b5b
+			*intptr = value;
3e8b5b
+		break;
3e8b5b
+
3e8b5b
+	case lTLS_CaCertFile:
3e8b5b
+		charptr = &options.tls_cacertfile;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lTLS_CaCertDir:
3e8b5b
+		charptr = &options.tls_cacertdir;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lTLS_Ciphers:
3e8b5b
+		xstringptr = &options.tls_ciphers;
3e8b5b
+		goto parse_xstring;
3e8b5b
+
3e8b5b
+	case lTLS_Cert:
3e8b5b
+		charptr = &options.tls_cert;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lTLS_Key:
3e8b5b
+		charptr = &options.tls_key;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lTLS_RandFile:
3e8b5b
+		charptr = &options.tls_randfile;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lLogDir:
3e8b5b
+		charptr = &options.logdir;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lDebug:
3e8b5b
+		intptr = &options.debug;
3e8b5b
+		goto parse_int;
3e8b5b
+
3e8b5b
+	case lSSH_Filter:
3e8b5b
+		xstringptr = &options.ssh_filter;
3e8b5b
+		goto parse_xstring;
3e8b5b
+
3e8b5b
+	case lSearch_Format:
3e8b5b
+		charptr = &options.search_format;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lAccountClass:
3e8b5b
+		charptr = &options.account_class;
3e8b5b
+		goto parse_string;
3e8b5b
+
3e8b5b
+	case lDeprecated:
3e8b5b
+		debug("%s line %d: Deprecated option \"%s\"",
3e8b5b
+		    filename, linenum, keyword);
3e8b5b
+		return 0;
3e8b5b
+
3e8b5b
+	case lUnsupported:
3e8b5b
+		error("%s line %d: Unsupported option \"%s\"",
3e8b5b
+		    filename, linenum, keyword);
3e8b5b
+		return 0;
3e8b5b
+
3e8b5b
+	default:
3e8b5b
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	/* Check that there is no garbage at end of line. */
3e8b5b
+	if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
3e8b5b
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
3e8b5b
+		    filename, linenum, arg);
3e8b5b
+	}
3e8b5b
+	return 0;
3e8b5b
+}
3e8b5b
+
3e8b5b
+/*
3e8b5b
+ * Reads the config file and modifies the options accordingly.  Options
3e8b5b
+ * should already be initialized before this call.  This never returns if
3e8b5b
+ * there is an error.  If the file does not exist, this returns 0.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+void
3e8b5b
+read_config_file(const char *filename)
3e8b5b
+{
3e8b5b
+	FILE *f;
3e8b5b
+	char line[1024];
3e8b5b
+	int linenum;
3e8b5b
+	int bad_options = 0;
3e8b5b
+	struct stat sb;
3e8b5b
+
3e8b5b
+	if ((f = fopen(filename, "r")) == NULL)
3e8b5b
+		fatal("fopen %s: %s", filename, strerror(errno));
3e8b5b
+
3e8b5b
+	if (fstat(fileno(f), &sb) == -1)
3e8b5b
+		fatal("fstat %s: %s", filename, strerror(errno));
3e8b5b
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
3e8b5b
+	    (sb.st_mode & 022) != 0))
3e8b5b
+		fatal("Bad owner or permissions on %s", filename);
3e8b5b
+
3e8b5b
+	debug("Reading configuration data %.200s", filename);
3e8b5b
+
3e8b5b
+	/*
3e8b5b
+	 * Mark that we are now processing the options.  This flag is turned
3e8b5b
+	 * on/off by Host specifications.
3e8b5b
+	 */
3e8b5b
+	linenum = 0;
3e8b5b
+	while (fgets(line, sizeof(line), f)) {
3e8b5b
+		/* Update line number counter. */
3e8b5b
+		linenum++;
3e8b5b
+		if (process_config_line(line, filename, linenum) != 0)
3e8b5b
+			bad_options++;
3e8b5b
+	}
3e8b5b
+	fclose(f);
3e8b5b
+	if ((bad_options > 0) && config_exclusive_config_file) 
3e8b5b
+		fatal("%s: terminating, %d bad configuration options",
3e8b5b
+		    filename, bad_options);
3e8b5b
+}
3e8b5b
+
3e8b5b
+/*
3e8b5b
+ * Initializes options to special values that indicate that they have not yet
3e8b5b
+ * been set.  Read_config_file will only set options with this value. Options
3e8b5b
+ * are processed in the following order: command line, user config file,
3e8b5b
+ * system config file.  Last, fill_default_options is called.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+void
3e8b5b
+initialize_options(void)
3e8b5b
+{
3e8b5b
+	memset(&options, 'X', sizeof(options));
3e8b5b
+	options.host = NULL;
3e8b5b
+	options.uri = NULL;
3e8b5b
+	options.base = NULL;
3e8b5b
+	options.binddn = NULL;
3e8b5b
+	options.bindpw = NULL;
3e8b5b
+	options.scope = -1;
3e8b5b
+	options.deref = -1;
3e8b5b
+	options.port = -1;
3e8b5b
+	options.timelimit = -1;
3e8b5b
+	options.bind_timelimit = -1;
3e8b5b
+	options.ldap_version = -1;
3e8b5b
+	options.bind_policy = -1;
3e8b5b
+	options.sslpath = NULL;
3e8b5b
+	options.ssl = -1;
3e8b5b
+	options.referrals = -1;
3e8b5b
+	options.restart = -1;
3e8b5b
+	options.tls_checkpeer = -1;
3e8b5b
+	options.tls_cacertfile = NULL;
3e8b5b
+	options.tls_cacertdir = NULL;
3e8b5b
+	options.tls_ciphers = NULL;
3e8b5b
+	options.tls_cert = NULL;
3e8b5b
+	options.tls_key = NULL;
3e8b5b
+	options.tls_randfile = NULL;
3e8b5b
+	options.logdir = NULL;
3e8b5b
+	options.debug = -1;
3e8b5b
+	options.ssh_filter = NULL;
3e8b5b
+	options.search_format = NULL;
3e8b5b
+	options.account_class = NULL;
3e8b5b
+}
3e8b5b
+
3e8b5b
+/*
3e8b5b
+ * Called after processing other sources of option data, this fills those
3e8b5b
+ * options for which no value has been specified with their default values.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+void
3e8b5b
+fill_default_options(void)
3e8b5b
+{
3e8b5b
+	if (options.uri != NULL) {
3e8b5b
+		LDAPURLDesc *ludp;
3e8b5b
+
3e8b5b
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
3e8b5b
+			if (options.ssl == -1) {
3e8b5b
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
3e8b5b
+				    options.ssl = 2;
3e8b5b
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
3e8b5b
+				    options.ssl = 0;
3e8b5b
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
3e8b5b
+				    options.ssl = 1;
3e8b5b
+			}
3e8b5b
+			if (options.host == NULL)
3e8b5b
+			    options.host = xstrdup (ludp->lud_host);
3e8b5b
+			if (options.port == -1)
3e8b5b
+			    options.port = ludp->lud_port;
3e8b5b
+
3e8b5b
+			ldap_free_urldesc (ludp);
3e8b5b
+		}
3e8b5b
+	} 
3e8b5b
+	if (options.ssl == -1)
3e8b5b
+	    options.ssl = SSL_START_TLS;
3e8b5b
+	if (options.port == -1)
3e8b5b
+	    options.port = (options.ssl == 0) ? 389 : 636;
3e8b5b
+	if (options.uri == NULL) {
3e8b5b
+		int len;
3e8b5b
+#define MAXURILEN 4096
3e8b5b
+
3e8b5b
+		options.uri = xmalloc (MAXURILEN);
3e8b5b
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
3e8b5b
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
3e8b5b
+		options.uri[MAXURILEN - 1] = 0;
3e8b5b
+		options.uri = xreallocarray(options.uri, len + 1, 1);
3e8b5b
+	}
3e8b5b
+	if (options.binddn == NULL)
3e8b5b
+	    options.binddn = "";
3e8b5b
+	if (options.bindpw == NULL)
3e8b5b
+	    options.bindpw = "";
3e8b5b
+	if (options.scope == -1)
3e8b5b
+	    options.scope = LDAP_SCOPE_SUBTREE;
3e8b5b
+	if (options.deref == -1)
3e8b5b
+	    options.deref = LDAP_DEREF_NEVER;
3e8b5b
+	if (options.timelimit == -1)
3e8b5b
+	    options.timelimit = 10;
3e8b5b
+	if (options.bind_timelimit == -1)
3e8b5b
+	    options.bind_timelimit = 10;
3e8b5b
+	if (options.ldap_version == -1)
3e8b5b
+	    options.ldap_version = 3;
3e8b5b
+	if (options.bind_policy == -1)
3e8b5b
+	    options.bind_policy = 1;
3e8b5b
+	if (options.referrals == -1)
3e8b5b
+	    options.referrals = 1;
3e8b5b
+	if (options.restart == -1)
3e8b5b
+	    options.restart = 1;
3e8b5b
+	if (options.tls_checkpeer == -1)
3e8b5b
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
3e8b5b
+	if (options.debug == -1)
3e8b5b
+	    options.debug = 0;
3e8b5b
+	if (options.ssh_filter == NULL)
3e8b5b
+	    options.ssh_filter = "";
3e8b5b
+	if (options.account_class == NULL)
3e8b5b
+	    options.account_class = "posixAccount";
3e8b5b
+}
3e8b5b
+
3e8b5b
+static const char *
3e8b5b
+lookup_opcode_name(OpCodes code)
3e8b5b
+{
3e8b5b
+	u_int i;
3e8b5b
+
3e8b5b
+	for (i = 0; keywords[i].name != NULL; i++)
3e8b5b
+	    if (keywords[i].opcode == code)
3e8b5b
+		return(keywords[i].name);
3e8b5b
+	return "UNKNOWN";
3e8b5b
+}
3e8b5b
+
3e8b5b
+static void
3e8b5b
+dump_cfg_string(OpCodes code, const char *val)
3e8b5b
+{
3e8b5b
+	if (val == NULL)
3e8b5b
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
3e8b5b
+	else
3e8b5b
+	    debug3("%s %s", lookup_opcode_name(code), val);
3e8b5b
+}
3e8b5b
+
3e8b5b
+static void
3e8b5b
+dump_cfg_int(OpCodes code, int val)
3e8b5b
+{
3e8b5b
+	if (val == -1)
3e8b5b
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
3e8b5b
+	else
3e8b5b
+	    debug3("%s %d", lookup_opcode_name(code), val);
3e8b5b
+}
3e8b5b
+
3e8b5b
+struct names {
3e8b5b
+	int value;
3e8b5b
+	char *name;
3e8b5b
+};
3e8b5b
+
3e8b5b
+static void
3e8b5b
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
3e8b5b
+{
3e8b5b
+	u_int i;
3e8b5b
+
3e8b5b
+	if (val == -1)
3e8b5b
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
3e8b5b
+	else {
3e8b5b
+		for (i = 0; names[i].value != -1; i++)
3e8b5b
+	 	    if (names[i].value == val) {
3e8b5b
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
3e8b5b
+			    return;
3e8b5b
+		}
3e8b5b
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
3e8b5b
+	}
3e8b5b
+}
3e8b5b
+
3e8b5b
+static struct names _yesnotls[] = {
3e8b5b
+	{ 0, "No" },
3e8b5b
+	{ 1, "Yes" },
3e8b5b
+	{ 2, "Start_TLS" },
3e8b5b
+	{ -1, NULL }};
3e8b5b
+
3e8b5b
+static struct names _scope[] = {
3e8b5b
+	{ LDAP_SCOPE_BASE, "Base" },
3e8b5b
+	{ LDAP_SCOPE_ONELEVEL, "One" },
3e8b5b
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
3e8b5b
+	{ -1, NULL }};
3e8b5b
+
3e8b5b
+static struct names _deref[] = {
3e8b5b
+	{ LDAP_DEREF_NEVER, "Never" },
3e8b5b
+	{ LDAP_DEREF_SEARCHING, "Searching" },
3e8b5b
+	{ LDAP_DEREF_FINDING, "Finding" },
3e8b5b
+	{ LDAP_DEREF_ALWAYS, "Always" },
3e8b5b
+	{ -1, NULL }};
3e8b5b
+
3e8b5b
+static struct names _yesno[] = {
3e8b5b
+	{ 0, "No" },
3e8b5b
+	{ 1, "Yes" },
3e8b5b
+	{ -1, NULL }};
3e8b5b
+
3e8b5b
+static struct names _bindpolicy[] = {
3e8b5b
+	{ 0, "Soft" },
3e8b5b
+	{ 1, "Hard" },
3e8b5b
+	{ -1, NULL }};
3e8b5b
+
3e8b5b
+static struct names _checkpeer[] = {
3e8b5b
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
3e8b5b
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
3e8b5b
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
3e8b5b
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
3e8b5b
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
3e8b5b
+	{ -1, NULL }};
3e8b5b
+
3e8b5b
+void
3e8b5b
+dump_config(void)
3e8b5b
+{
3e8b5b
+	dump_cfg_string(lURI, options.uri);
3e8b5b
+	dump_cfg_string(lHost, options.host);
3e8b5b
+	dump_cfg_int(lPort, options.port);
3e8b5b
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
3e8b5b
+	dump_cfg_int(lLdap_Version, options.ldap_version);
3e8b5b
+	dump_cfg_int(lTimeLimit, options.timelimit);
3e8b5b
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
3e8b5b
+	dump_cfg_string(lBase, options.base);
3e8b5b
+	dump_cfg_string(lBindDN, options.binddn);
3e8b5b
+	dump_cfg_string(lBindPW, options.bindpw);
3e8b5b
+	dump_cfg_namedint(lScope, options.scope, _scope);
3e8b5b
+	dump_cfg_namedint(lDeref, options.deref, _deref);
3e8b5b
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
3e8b5b
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
3e8b5b
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
3e8b5b
+	dump_cfg_string(lSSLPath, options.sslpath);
3e8b5b
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
3e8b5b
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
3e8b5b
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
3e8b5b
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
3e8b5b
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
3e8b5b
+	dump_cfg_string(lTLS_Key, options.tls_key);
3e8b5b
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
3e8b5b
+	dump_cfg_string(lLogDir, options.logdir);
3e8b5b
+	dump_cfg_int(lDebug, options.debug);
3e8b5b
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
3e8b5b
+	dump_cfg_string(lSearch_Format, options.search_format);
3e8b5b
+	dump_cfg_string(lAccountClass, options.account_class);
3e8b5b
+}
3e8b5b
+
3e8b5b
diff -up openssh-6.8p1/ldapconf.h.ldap openssh-6.8p1/ldapconf.h
3e8b5b
--- openssh-6.8p1/ldapconf.h.ldap	2015-03-18 11:11:29.032801460 +0100
3e8b5b
+++ openssh-6.8p1/ldapconf.h	2015-03-18 11:11:29.032801460 +0100
3e8b5b
@@ -0,0 +1,73 @@
3e8b5b
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
3e8b5b
+ *
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
3e8b5b
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
3e8b5b
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
3e8b5b
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3e8b5b
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
3e8b5b
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
3e8b5b
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
3e8b5b
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
3e8b5b
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+#ifndef LDAPCONF_H
3e8b5b
+#define LDAPCONF_H
3e8b5b
+
3e8b5b
+#define SSL_OFF          0
3e8b5b
+#define SSL_LDAPS        1
3e8b5b
+#define SSL_START_TLS    2
3e8b5b
+
3e8b5b
+/* Data structure for representing option data. */
3e8b5b
+
3e8b5b
+typedef struct {
3e8b5b
+	char *host;
3e8b5b
+	char *uri;
3e8b5b
+	char *base;
3e8b5b
+	char *binddn;
3e8b5b
+	char *bindpw;
3e8b5b
+	int scope;
3e8b5b
+	int deref;
3e8b5b
+	int port;
3e8b5b
+	int timelimit;
3e8b5b
+	int bind_timelimit;
3e8b5b
+	int ldap_version;
3e8b5b
+	int bind_policy;
3e8b5b
+	char *sslpath;
3e8b5b
+	int ssl;
3e8b5b
+	int referrals;
3e8b5b
+	int restart;
3e8b5b
+	int tls_checkpeer;
3e8b5b
+	char *tls_cacertfile;
3e8b5b
+	char *tls_cacertdir;
3e8b5b
+	char *tls_ciphers;
3e8b5b
+	char *tls_cert;
3e8b5b
+	char *tls_key;
3e8b5b
+	char *tls_randfile;
3e8b5b
+	char *logdir;
3e8b5b
+	int debug;
3e8b5b
+	char *ssh_filter;
3e8b5b
+	char *search_format;
3e8b5b
+	char *account_class;
3e8b5b
+}       Options;
3e8b5b
+
3e8b5b
+extern Options options;
3e8b5b
+
3e8b5b
+void read_config_file(const char *);
3e8b5b
+void initialize_options(void);
3e8b5b
+void fill_default_options(void);
3e8b5b
+void dump_config(void);
3e8b5b
+
3e8b5b
+#endif /* LDAPCONF_H */
3e8b5b
diff -up openssh-6.8p1/ldapincludes.h.ldap openssh-6.8p1/ldapincludes.h
3e8b5b
--- openssh-6.8p1/ldapincludes.h.ldap	2015-03-18 11:11:29.032801460 +0100
3e8b5b
+++ openssh-6.8p1/ldapincludes.h	2015-03-18 11:11:29.032801460 +0100
3e8b5b
@@ -0,0 +1,41 @@
3e8b5b
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
3e8b5b
+ *
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
3e8b5b
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
3e8b5b
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
3e8b5b
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3e8b5b
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
3e8b5b
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
3e8b5b
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
3e8b5b
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
3e8b5b
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+#ifndef LDAPINCLUDES_H
3e8b5b
+#define LDAPINCLUDES_H
3e8b5b
+
3e8b5b
+#include "includes.h"
3e8b5b
+
3e8b5b
+#ifdef HAVE_LBER_H
3e8b5b
+#include <lber.h>
3e8b5b
+#endif
3e8b5b
+#ifdef HAVE_LDAP_H
3e8b5b
+#include <ldap.h>
3e8b5b
+#endif
3e8b5b
+#ifdef HAVE_LDAP_SSL_H
3e8b5b
+#include <ldap_ssl.h>
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+#endif /* LDAPINCLUDES_H */
3e8b5b
diff -up openssh-6.8p1/ldapmisc.c.ldap openssh-6.8p1/ldapmisc.c
3e8b5b
--- openssh-6.8p1/ldapmisc.c.ldap	2015-03-18 11:11:29.032801460 +0100
3e8b5b
+++ openssh-6.8p1/ldapmisc.c	2015-03-18 11:11:29.032801460 +0100
3e8b5b
@@ -0,0 +1,79 @@
3e8b5b
+
3e8b5b
+#include "ldapincludes.h"
3e8b5b
+#include "ldapmisc.h"
3e8b5b
+
3e8b5b
+#ifndef HAVE_LDAP_GET_LDERRNO
3e8b5b
+int
3e8b5b
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
3e8b5b
+{
3e8b5b
+#ifdef HAVE_LDAP_GET_OPTION
3e8b5b
+	int rc;
3e8b5b
+#endif
3e8b5b
+	int lderrno;
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
3e8b5b
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
3e8b5b
+	    return rc;
3e8b5b
+#else
3e8b5b
+	lderrno = ld->ld_errno;
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+	if (s != NULL) {
3e8b5b
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
3e8b5b
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
3e8b5b
+		    return rc;
3e8b5b
+#else
3e8b5b
+		*s = ld->ld_error;
3e8b5b
+#endif
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if (m != NULL) {
3e8b5b
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
3e8b5b
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
3e8b5b
+		    return rc;
3e8b5b
+#else
3e8b5b
+		*m = ld->ld_matched;
3e8b5b
+#endif
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	return lderrno;
3e8b5b
+}
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+#ifndef HAVE_LDAP_SET_LDERRNO
3e8b5b
+int
3e8b5b
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
3e8b5b
+{
3e8b5b
+#ifdef HAVE_LDAP_SET_OPTION
3e8b5b
+	int rc;
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
3e8b5b
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
3e8b5b
+	    return rc;
3e8b5b
+#else
3e8b5b
+	ld->ld_errno = lderrno;
3e8b5b
+#endif
3e8b5b
+
3e8b5b
+	if (s != NULL) {
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
3e8b5b
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
3e8b5b
+		    return rc;
3e8b5b
+#else
3e8b5b
+		ld->ld_error = s;
3e8b5b
+#endif
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	if (m != NULL) {
3e8b5b
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
3e8b5b
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
3e8b5b
+		    return rc;
3e8b5b
+#else
3e8b5b
+		ld->ld_matched = m;
3e8b5b
+#endif
3e8b5b
+	}
3e8b5b
+
3e8b5b
+	return LDAP_SUCCESS;
3e8b5b
+}
3e8b5b
+#endif
3e8b5b
+
3e8b5b
diff -up openssh-6.8p1/ldapmisc.h.ldap openssh-6.8p1/ldapmisc.h
3e8b5b
--- openssh-6.8p1/ldapmisc.h.ldap	2015-03-18 11:11:29.032801460 +0100
3e8b5b
+++ openssh-6.8p1/ldapmisc.h	2015-03-18 11:11:29.032801460 +0100
3e8b5b
@@ -0,0 +1,35 @@
3e8b5b
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
3e8b5b
+/*
3e8b5b
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
3e8b5b
+ *
3e8b5b
+ * Redistribution and use in source and binary forms, with or without
3e8b5b
+ * modification, are permitted provided that the following conditions
3e8b5b
+ * are met:
3e8b5b
+ * 1. Redistributions of source code must retain the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer.
3e8b5b
+ * 2. Redistributions in binary form must reproduce the above copyright
3e8b5b
+ *    notice, this list of conditions and the following disclaimer in the
3e8b5b
+ *    documentation and/or other materials provided with the distribution.
3e8b5b
+ *
3e8b5b
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
3e8b5b
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
3e8b5b
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
3e8b5b
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
3e8b5b
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3e8b5b
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
3e8b5b
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
3e8b5b
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
3e8b5b
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
3e8b5b
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3e8b5b
+ */
3e8b5b
+
3e8b5b
+#ifndef LDAPMISC_H
3e8b5b
+#define LDAPMISC_H
3e8b5b
+
3e8b5b
+#include "ldapincludes.h"
3e8b5b
+
3e8b5b
+int ldap_get_lderrno (LDAP *, char **, char **);
3e8b5b
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
3e8b5b
+
3e8b5b
+#endif /* LDAPMISC_H */
3e8b5b
+
3e8b5b
diff -up openssh-6.8p1/openssh-lpk-openldap.schema.ldap openssh-6.8p1/openssh-lpk-openldap.schema
3e8b5b
--- openssh-6.8p1/openssh-lpk-openldap.schema.ldap	2015-03-18 11:11:29.033801457 +0100
3e8b5b
+++ openssh-6.8p1/openssh-lpk-openldap.schema	2015-03-18 11:11:29.033801457 +0100
3e8b5b
@@ -0,0 +1,21 @@
3e8b5b
+#
3e8b5b
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
3e8b5b
+#                              useful with PKA-LDAP also
3e8b5b
+#
3e8b5b
+# Author: Eric AUGE <eau@phear.org>
3e8b5b
+# 
3e8b5b
+# Based on the proposal of : Mark Ruijter
3e8b5b
+#
3e8b5b
+
3e8b5b
+
3e8b5b
+# octetString SYNTAX
3e8b5b
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
3e8b5b
+	DESC 'MANDATORY: OpenSSH Public key' 
3e8b5b
+	EQUALITY octetStringMatch
3e8b5b
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
3e8b5b
+
3e8b5b
+# printableString SYNTAX yes|no
3e8b5b
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
3e8b5b
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
3e8b5b
+	MUST ( sshPublicKey $ uid ) 
3e8b5b
+	)
3e8b5b
diff -up openssh-6.8p1/openssh-lpk-sun.schema.ldap openssh-6.8p1/openssh-lpk-sun.schema
3e8b5b
--- openssh-6.8p1/openssh-lpk-sun.schema.ldap	2015-03-18 11:11:29.033801457 +0100
3e8b5b
+++ openssh-6.8p1/openssh-lpk-sun.schema	2015-03-18 11:11:29.033801457 +0100
3e8b5b
@@ -0,0 +1,23 @@
3e8b5b
+#
3e8b5b
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
3e8b5b
+#                              useful with PKA-LDAP also
3e8b5b
+#
3e8b5b
+# Author: Eric AUGE <eau@phear.org>
3e8b5b
+# 
3e8b5b
+# Schema for Sun Directory Server.
3e8b5b
+# Based on the original schema, modified by Stefan Fischer.
3e8b5b
+#
3e8b5b
+
3e8b5b
+dn: cn=schema
3e8b5b
+
3e8b5b
+# octetString SYNTAX
3e8b5b
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
3e8b5b
+	DESC 'MANDATORY: OpenSSH Public key' 
3e8b5b
+	EQUALITY octetStringMatch
3e8b5b
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
3e8b5b
+
3e8b5b
+# printableString SYNTAX yes|no
3e8b5b
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
3e8b5b
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
3e8b5b
+	MUST ( sshPublicKey $ uid ) 
3e8b5b
+	)
3e8b5b
diff -up openssh-6.8p1/ssh-ldap-helper.8.ldap openssh-6.8p1/ssh-ldap-helper.8
3e8b5b
--- openssh-6.8p1/ssh-ldap-helper.8.ldap	2015-03-18 11:11:29.033801457 +0100
3e8b5b
+++ openssh-6.8p1/ssh-ldap-helper.8	2015-03-18 11:11:29.033801457 +0100
3e8b5b
@@ -0,0 +1,79 @@
3e8b5b
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
3e8b5b
+.\"
3e8b5b
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
3e8b5b
+.\"
3e8b5b
+.\" Permission to use, copy, modify, and distribute this software for any
3e8b5b
+.\" purpose with or without fee is hereby granted, provided that the above
3e8b5b
+.\" copyright notice and this permission notice appear in all copies.
3e8b5b
+.\"
3e8b5b
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
3e8b5b
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
3e8b5b
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
3e8b5b
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
3e8b5b
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
3e8b5b
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
3e8b5b
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
3e8b5b
+.\"
3e8b5b
+.Dd $Mdocdate: April 29 2010 $
3e8b5b
+.Dt SSH-LDAP-HELPER 8
3e8b5b
+.Os
3e8b5b
+.Sh NAME
3e8b5b
+.Nm ssh-ldap-helper
3e8b5b
+.Nd sshd helper program for ldap support
3e8b5b
+.Sh SYNOPSIS
3e8b5b
+.Nm ssh-ldap-helper
3e8b5b
+.Op Fl devw
3e8b5b
+.Op Fl f Ar file
3e8b5b
+.Op Fl s Ar user
3e8b5b
+.Sh DESCRIPTION
3e8b5b
+.Nm
3e8b5b
+is used by
3e8b5b
+.Xr sshd 1
3e8b5b
+to access keys provided by an LDAP.
3e8b5b
+.Nm
3e8b5b
+is disabled by default and can only be enabled in the
3e8b5b
+sshd configuration file
3e8b5b
+.Pa /etc/ssh/sshd_config
3e8b5b
+by setting
3e8b5b
+.Cm AuthorizedKeysCommand
3e8b5b
+to
3e8b5b
+.Dq /usr/libexec/ssh-ldap-wrapper .
3e8b5b
+.Pp
3e8b5b
+.Nm
3e8b5b
+is not intended to be invoked by the user, but from
3e8b5b
+.Xr sshd 8 via
3e8b5b
+.Xr ssh-ldap-wrapper .
3e8b5b
+.Pp
3e8b5b
+The options are as follows:
3e8b5b
+.Bl -tag -width Ds
3e8b5b
+.It Fl d
3e8b5b
+Set the debug mode; 
3e8b5b
+.Nm
3e8b5b
+prints all logs to stderr instead of syslog.
3e8b5b
+.It Fl e
3e8b5b
+Implies \-w;
3e8b5b
+.Nm
3e8b5b
+halts if it encounters an unknown item in the ldap.conf file.
3e8b5b
+.It Fl f
3e8b5b
+.Nm
3e8b5b
+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
3e8b5b
+.It Fl s
3e8b5b
+.Nm
3e8b5b
+prints out the user's keys to stdout and exits.
3e8b5b
+.It Fl v
3e8b5b
+Implies \-d;
3e8b5b
+increases verbosity.
3e8b5b
+.It Fl w
3e8b5b
+.Nm
3e8b5b
+writes warnings about unknown items in the ldap.conf configuration file.
3e8b5b
+.El
3e8b5b
+.Sh SEE ALSO
3e8b5b
+.Xr sshd 8 ,
3e8b5b
+.Xr sshd_config 5 ,
3e8b5b
+.Xr ssh-ldap.conf 5 ,
3e8b5b
+.Sh HISTORY
3e8b5b
+.Nm
3e8b5b
+first appeared in
3e8b5b
+OpenSSH 5.5 + PKA-LDAP .
3e8b5b
+.Sh AUTHORS
3e8b5b
+.An Jan F. Chadima Aq jchadima@redhat.com
3e8b5b
diff -up openssh-6.8p1/ssh-ldap-wrapper.ldap openssh-6.8p1/ssh-ldap-wrapper
3e8b5b
--- openssh-6.8p1/ssh-ldap-wrapper.ldap	2015-03-18 11:11:29.033801457 +0100
3e8b5b
+++ openssh-6.8p1/ssh-ldap-wrapper	2015-03-18 11:11:29.033801457 +0100
3e8b5b
@@ -0,0 +1,4 @@
3e8b5b
+#!/bin/sh
3e8b5b
+
3e8b5b
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
3e8b5b
+
3e8b5b
diff -up openssh-6.8p1/ssh-ldap.conf.5.ldap openssh-6.8p1/ssh-ldap.conf.5
3e8b5b
--- openssh-6.8p1/ssh-ldap.conf.5.ldap	2015-03-18 11:11:29.033801457 +0100
3e8b5b
+++ openssh-6.8p1/ssh-ldap.conf.5	2015-03-18 11:11:29.033801457 +0100
3e8b5b
@@ -0,0 +1,385 @@
3e8b5b
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
3e8b5b
+.\"
3e8b5b
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
3e8b5b
+.\"
3e8b5b
+.\" Permission to use, copy, modify, and distribute this software for any
3e8b5b
+.\" purpose with or without fee is hereby granted, provided that the above
3e8b5b
+.\" copyright notice and this permission notice appear in all copies.
3e8b5b
+.\"
3e8b5b
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
3e8b5b
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
3e8b5b
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
3e8b5b
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
3e8b5b
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
3e8b5b
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
3e8b5b
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
3e8b5b
+.\"
3e8b5b
+.Dd $Mdocdate: may 12 2010 $
3e8b5b
+.Dt SSH-LDAP.CONF 5
3e8b5b
+.Os
3e8b5b
+.Sh NAME
3e8b5b
+.Nm ssh-ldap.conf
3e8b5b
+.Nd configuration file for ssh-ldap-helper
3e8b5b
+.Sh SYNOPSIS
3e8b5b
+.Nm /etc/ssh/ldap.conf
3e8b5b
+.Sh DESCRIPTION
3e8b5b
+.Xr ssh-ldap-helper 8
3e8b5b
+reads configuration data from
3e8b5b
+.Pa /etc/ssh/ldap.conf
3e8b5b
+(or the file specified with
3e8b5b
+.Fl f
3e8b5b
+on the command line).
3e8b5b
+The file contains keyword-argument pairs, one per line.
3e8b5b
+Lines starting with
3e8b5b
+.Ql #
3e8b5b
+and empty lines are interpreted as comments.
3e8b5b
+.Pp
3e8b5b
+The value starts with the first non-blank character after 
3e8b5b
+the keyword's name, and terminates at the end of the line, 
3e8b5b
+or at the last sequence of blanks before the end of the line.
3e8b5b
+Quoting values that contain blanks 
3e8b5b
+may be incorrect, as the quotes would become part of the value.
3e8b5b
+The possible keywords and their meanings are as follows (note that
3e8b5b
+keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
3e8b5b
+.Bl -tag -width Ds
3e8b5b
+.It Cm URI
3e8b5b
+The argument(s) are in the form
3e8b5b
+.Pa ldap[si]://[name[:port]]
3e8b5b
+and specify the URI(s) of an LDAP server(s) to which the
3e8b5b
+.Xr ssh-ldap-helper 8 
3e8b5b
+should connect. The URI scheme may be any of
3e8b5b
+.Dq ldap ,
3e8b5b
+.Dq ldaps 
3e8b5b
+or
3e8b5b
+.Dq ldapi ,
3e8b5b
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
3e8b5b
+over IPC (UNIX domain sockets), respectively.
3e8b5b
+Each server's name can be specified as a
3e8b5b
+domain-style name or an IP address literal.  Optionally, the
3e8b5b
+server's name can followed by a ':' and the port number the LDAP
3e8b5b
+server is listening on.  If no port number is provided, the default
3e8b5b
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
3e8b5b
+For LDAP over IPC, name is the name of the socket, and no port
3e8b5b
+is required, nor allowed; note that directory separators must be 
3e8b5b
+URL-encoded, like any other characters that are special to URLs; 
3e8b5b
+A space separated list of URIs may be provided.
3e8b5b
+There is no default.
3e8b5b
+.It Cm Base
3e8b5b
+Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
3e8b5b
+The base must be specified as a DN in LDAP format.
3e8b5b
+There is no default.
3e8b5b
+.It Cm BindDN
3e8b5b
+Specifies the default BIND DN to use when connecting to the ldap server.
3e8b5b
+The bind DN must be specified as a Distinguished Name in LDAP format.
3e8b5b
+There is no default.
3e8b5b
+.It Cm BindPW
3e8b5b
+Specifies the default password to use when connecting to the ldap server via
3e8b5b
+.Cm BindDN .
3e8b5b
+There is no default.
3e8b5b
+.It Cm RootBindDN
3e8b5b
+Intentionaly does nothing. Recognized for compatibility reasons.
3e8b5b
+.It Cm Host
3e8b5b
+The argument(s) specifies the name(s) of an LDAP server(s) to which the
3e8b5b
+.Xr ssh-ldap-helper 8
3e8b5b
+should connect.  Each server's name can be specified as a
3e8b5b
+domain-style name or an IP address and optionally followed by a ':' and
3e8b5b
+the port number the ldap server is listening on.  A space-separated
3e8b5b
+list of hosts may be provided.
3e8b5b
+There is no default.
3e8b5b
+.Cm Host
3e8b5b
+is deprecated in favor of
3e8b5b
+.Cm URI .
3e8b5b
+.It Cm Port
3e8b5b
+Specifies the default port used when connecting to LDAP servers(s).
3e8b5b
+The port may be specified as a number.
3e8b5b
+The default port is 389 for ldap:// or 636 for ldaps:// respectively.
3e8b5b
+.Cm Port
3e8b5b
+is deprecated in favor of
3e8b5b
+.Cm URI .
3e8b5b
+.It Cm Scope
3e8b5b
+Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
3e8b5b
+There are three options (values) that can be assigned to the
3e8b5b
+.Cm Scope parameter:
3e8b5b
+.Dq base ,
3e8b5b
+.Dq one
3e8b5b
+and
3e8b5b
+.Dq subtree .
3e8b5b
+Alias for the subtree is
3e8b5b
+.Dq sub .
3e8b5b
+The value
3e8b5b
+.Dq base
3e8b5b
+is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
3e8b5b
+The value
3e8b5b
+.Dq one
3e8b5b
+is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
3e8b5b
+The value
3e8b5b
+.Dq subtree
3e8b5b
+is used to indicate searching of all entries at all levels under and including the specified base DN.
3e8b5b
+The default is
3e8b5b
+.Dq subtree .
3e8b5b
+.It Cm Deref
3e8b5b
+Specifies how alias dereferencing is done when performing a search. There are four
3e8b5b
+possible values that can be assigned to the
3e8b5b
+.Cm Deref
3e8b5b
+parameter:
3e8b5b
+.Dq never ,
3e8b5b
+.Dq searching ,
3e8b5b
+.Dq finding ,
3e8b5b
+and
3e8b5b
+.Dq always .
3e8b5b
+The value
3e8b5b
+.Dq never
3e8b5b
+means that the aliases are never dereferenced.
3e8b5b
+The value
3e8b5b
+.Dq searching
3e8b5b
+means that the aliases are dereferenced in subordinates of the base object, but
3e8b5b
+not in locating the base object of the search.
3e8b5b
+The value
3e8b5b
+.Dq finding
3e8b5b
+means that the aliases are only dereferenced when locating the base object of the search.
3e8b5b
+The value
3e8b5b
+.Dq always
3e8b5b
+means that the aliases are dereferenced both in searching and in locating the base object
3e8b5b
+of the search.
3e8b5b
+The default is
3e8b5b
+.Dq never .
3e8b5b
+.It Cm TimeLimit
3e8b5b
+Specifies a time limit (in seconds) to use when performing searches.
3e8b5b
+The number should be a non-negative integer. A
3e8b5b
+.Cm TimeLimit
3e8b5b
+of zero (0) specifies that the search time is unlimited. Please note that the server
3e8b5b
+may still apply any server-side limit on the duration of a search operation.
3e8b5b
+The default value is 10.
3e8b5b
+.It Cm TimeOut
3e8b5b
+Is an aliast to
3e8b5b
+.Cm TimeLimit .
3e8b5b
+.It Cm Bind_TimeLimit
3e8b5b
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
3e8b5b
+following a connect(2) returns in case of no activity.
3e8b5b
+The default value is 10.
3e8b5b
+.It Cm Network_TimeOut
3e8b5b
+Is an alias to
3e8b5b
+.Cm Bind_TimeLimit .
3e8b5b
+.It Cm Ldap_Version
3e8b5b
+Specifies what version of the LDAP protocol should be used.
3e8b5b
+The allowed values are 2 or 3. The default is 3.
3e8b5b
+.It Cm Version
3e8b5b
+Is an alias to
3e8b5b
+.Cm Ldap_Version .
3e8b5b
+.It Cm Bind_Policy
3e8b5b
+Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
3e8b5b
+.Dq hard
3e8b5b
+and
3e8b5b
+.Dq soft.
3e8b5b
+.Dq hard has 2 aliases
3e8b5b
+.Dq hard_open
3e8b5b
+and
3e8b5b
+.Dq hard_init .
3e8b5b
+The value
3e8b5b
+.Dq hard
3e8b5b
+means that reconects that the
3e8b5b
+.Xr ssh-ldap-helper 8
3e8b5b
+tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
3e8b5b
+The value
3e8b5b
+.Dq soft
3e8b5b
+means that
3e8b5b
+.Xr ssh-ldap-helper 8
3e8b5b
+fails immediately when it cannot connect to the LDAP seerver.
3e8b5b
+The deault is
3e8b5b
+.Dq hard .
3e8b5b
+.It Cm SSLPath
3e8b5b
+Specifies the path to the X.509 certificate database.
3e8b5b
+There is no default.
3e8b5b
+.It Cm SSL
3e8b5b
+Specifies whether to use SSL/TLS or not.
3e8b5b
+There are three allowed values:
3e8b5b
+.Dq yes ,
3e8b5b
+.Dq no
3e8b5b
+and
3e8b5b
+.Dq start_tls
3e8b5b
+Both
3e8b5b
+.Dq true
3e8b5b
+and
3e8b5b
+.Dq on
3e8b5b
+are the aliases for
3e8b5b
+.Dq yes .
3e8b5b
+.Dq false
3e8b5b
+and
3e8b5b
+.Dq off
3e8b5b
+are the aliases for
3e8b5b
+.Dq no .
3e8b5b
+If
3e8b5b
+.Dq start_tls
3e8b5b
+is specified then StartTLS is used rather than raw LDAP over SSL.
3e8b5b
+The default for ldap:// is
3e8b5b
+.Dq start_tls ,
3e8b5b
+for ldaps://
3e8b5b
+.Dq yes
3e8b5b
+and
3e8b5b
+.Dq no
3e8b5b
+for the ldapi:// .
3e8b5b
+In case of host based configuration the default is
3e8b5b
+.Dq start_tls .
3e8b5b
+.It Cm Referrals
3e8b5b
+Specifies if the client should automatically follow referrals returned
3e8b5b
+by LDAP servers.
3e8b5b
+The value can be or
3e8b5b
+.Dq yes
3e8b5b
+or
3e8b5b
+.Dq no .
3e8b5b
+.Dq true
3e8b5b
+and
3e8b5b
+.Dq on
3e8b5b
+are the aliases for
3e8b5b
+.Dq yes .
3e8b5b
+.Dq false
3e8b5b
+and
3e8b5b
+.Dq off
3e8b5b
+are the aliases for
3e8b5b
+.Dq no .
3e8b5b
+The default is yes.
3e8b5b
+.It Cm Restart
3e8b5b
+Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
3e8b5b
+The value can be or
3e8b5b
+.Dq yes
3e8b5b
+or
3e8b5b
+.Dq no .
3e8b5b
+.Dq true
3e8b5b
+and
3e8b5b
+.Dq on
3e8b5b
+are the aliases for
3e8b5b
+.Dq yes .
3e8b5b
+.Dq false
3e8b5b
+and
3e8b5b
+.Dq off
3e8b5b
+are the aliases for
3e8b5b
+.Dq no .
3e8b5b
+The default is yes.
3e8b5b
+.It Cm TLS_CheckPeer
3e8b5b
+Specifies what checks to perform on server certificates in a TLS session,
3e8b5b
+if any. The value
3e8b5b
+can be specified as one of the following keywords:
3e8b5b
+.Dq never ,
3e8b5b
+.Dq hard ,
3e8b5b
+.Dq demand ,
3e8b5b
+.Dq allow
3e8b5b
+and
3e8b5b
+.Dq try .
3e8b5b
+.Dq true ,
3e8b5b
+.Dq on
3e8b5b
+and
3e8b5b
+.Dq yes
3e8b5b
+are aliases for
3e8b5b
+.Dq hard .
3e8b5b
+.Dq false ,
3e8b5b
+.Dq off
3e8b5b
+and
3e8b5b
+.Dq no
3e8b5b
+are the aliases for
3e8b5b
+.Dq never .
3e8b5b
+The value
3e8b5b
+.Dq never
3e8b5b
+means that the client will not request or check any server certificate.
3e8b5b
+The value
3e8b5b
+.Dq allow
3e8b5b
+means that the server certificate is requested. If no certificate is provided,
3e8b5b
+the session proceeds normally. If a bad certificate is provided, it will
3e8b5b
+be ignored and the session proceeds normally.
3e8b5b
+The value
3e8b5b
+.Dq try
3e8b5b
+means that the server certificate is requested. If no certificate is provided,
3e8b5b
+the session proceeds normally. If a bad certificate is provided,
3e8b5b
+the session is immediately terminated.
3e8b5b
+The value
3e8b5b
+.Dq demand
3e8b5b
+means that the server certificate is requested. If no
3e8b5b
+certificate is provided, or a bad certificate is provided, the session
3e8b5b
+is immediately terminated.
3e8b5b
+The value
3e8b5b
+.Dq hard
3e8b5b
+is the same as
3e8b5b
+.Dq demand .
3e8b5b
+It requires an SSL connection. In the case of the plain conection the
3e8b5b
+session is immediately terminated.
3e8b5b
+The default is
3e8b5b
+.Dq hard .
3e8b5b
+.It Cm TLS_ReqCert
3e8b5b
+Is an alias for 
3e8b5b
+.Cm TLS_CheckPeer .
3e8b5b
+.It Cm TLS_CACertFile
3e8b5b
+Specifies the file that contains certificates for all of the Certificate
3e8b5b
+Authorities the client will recognize.
3e8b5b
+There is no default.
3e8b5b
+.It Cm TLS_CACert
3e8b5b
+Is an alias for
3e8b5b
+.Cm TLS_CACertFile .
3e8b5b
+.It Cm TLS_CACertDIR
3e8b5b
+Specifies the path of a directory that contains Certificate Authority
3e8b5b
+certificates in separate individual files. The
3e8b5b
+.Cm TLS_CACert
3e8b5b
+is always used before
3e8b5b
+.Cm TLS_CACertDir .
3e8b5b
+The specified directory must be managed with the OpenSSL c_rehash utility.
3e8b5b
+There is no default.
3e8b5b
+.It Cm TLS_Ciphers
3e8b5b
+Specifies acceptable cipher suite and preference order.
3e8b5b
+The value should be a cipher specification for OpenSSL,
3e8b5b
+e.g.,
3e8b5b
+.Dq HIGH:MEDIUM:+SSLv2 .
3e8b5b
+The default is
3e8b5b
+.Dq ALL .
3e8b5b
+.It Cm TLS_Cipher_Suite
3e8b5b
+Is an alias for
3e8b5b
+.Cm TLS_Ciphers .
3e8b5b
+.It Cm TLS_Cert
3e8b5b
+Specifies the file that contains the client certificate.
3e8b5b
+There is no default.
3e8b5b
+.It Cm TLS_Certificate
3e8b5b
+Is an alias for
3e8b5b
+.Cm TLS_Cert .
3e8b5b
+.It Cm TLS_Key
3e8b5b
+Specifies the file that contains the private key that matches the certificate
3e8b5b
+stored in the
3e8b5b
+.Cm TLS_Cert
3e8b5b
+file. Currently, the private key must not be protected with a password, so
3e8b5b
+it is of critical importance that the key file is protected carefully.
3e8b5b
+There is no default.
3e8b5b
+.It Cm TLS_RandFile
3e8b5b
+Specifies the file to obtain random bits from when /dev/[u]random is
3e8b5b
+not available. Generally set to the name of the EGD/PRNGD socket.
3e8b5b
+The environment variable RANDFILE can also be used to specify the filename.
3e8b5b
+There is no default.
3e8b5b
+.It Cm LogDir
3e8b5b
+Specifies the directory used for logging by the LDAP client library.
3e8b5b
+There is no default.
3e8b5b
+.It Cm Debug
3e8b5b
+Specifies the debug level used for logging by the LDAP client library.
3e8b5b
+There is no default.
3e8b5b
+.It Cm SSH_Filter
3e8b5b
+Specifies the user filter applied on the LDAP search.
3e8b5b
+The default is no filter.
3e8b5b
+.It Cm AccountClass
3e8b5b
+Specifies the LDAP class used to find user accounts.
3e8b5b
+The default is posixAccount.
3e8b5b
+.It Cm search_format
3e8b5b
+Specifies the user format of search string in LDAP substituting %u for user name
3e8b5b
+and %f for additional ssh filter
3e8b5b
+.Cm SSH_Filter
3e8b5b
+(optional).
3e8b5b
+The default value is (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
3e8b5b
+.El
3e8b5b
+.Sh FILES
3e8b5b
+.Bl -tag -width Ds
3e8b5b
+.It Pa  /etc/ssh/ldap.conf
3e8b5b
+Ldap configuration file for
3e8b5b
+.Xr ssh-ldap-helper 8 .
3e8b5b
+.El
3e8b5b
+.Sh "SEE ALSO"
3e8b5b
+.Xr ldap.conf 5 ,
3e8b5b
+.Xr ssh-ldap-helper 8
3e8b5b
+.Sh HISTORY
3e8b5b
+.Nm
3e8b5b
+first appeared in
3e8b5b
+OpenSSH 5.5 + PKA-LDAP .
3e8b5b
+.Sh AUTHORS
3e8b5b
+.An Jan F. Chadima Aq jchadima@redhat.com
3e8b5b
diff --git a/openssh-lpk-openldap.ldif b/openssh-lpk-openldap.ldif
3e8b5b
new file mode 100644
3e8b5b
index 0000000..9adf4b8
3e8b5b
--- /dev/null
3e8b5b
+++ b/openssh-lpk-openldap.ldif
3e8b5b
@@ -0,0 +1,19 @@
3e8b5b
+#
3e8b5b
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
3e8b5b
+#                              useful with PKA-LDAP also
3e8b5b
+#
3e8b5b
+# Author: Eric AUGE <eau@phear.org>
3e8b5b
+#
3e8b5b
+# LDIF for openLDAP Directory Server.
3e8b5b
+# Based on the original schema, modified by Jakub Jelen.
3e8b5b
+#
3e8b5b
+
3e8b5b
+dn: cn=openssh-lpk,cn=schema,cn=config
3e8b5b
+objectClass: olcSchemaConfig
3e8b5b
+cn: openssh-lpk
3e8b5b
+olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13
3e8b5b
+  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
3e8b5b
+  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
3e8b5b
+olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0
3e8b5b
+  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
3e8b5b
+  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
3e8b5b
diff --git a/openssh-lpk-sun.ldif b/openssh-lpk-sun.ldif
3e8b5b
new file mode 100644
3e8b5b
index 0000000..9adf4b8
3e8b5b
--- /dev/null
3e8b5b
+++ b/openssh-lpk-sun.ldif
3e8b5b
@@ -0,0 +1,17 @@
3e8b5b
+#
3e8b5b
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
3e8b5b
+#                              useful with PKA-LDAP also
3e8b5b
+#
3e8b5b
+# Author: Eric AUGE <eau@phear.org>
3e8b5b
+#
3e8b5b
+# LDIF for Sun Directory Server.
3e8b5b
+# Based on the original schema, modified by Jakub Jelen.
3e8b5b
+#
3e8b5b
+
3e8b5b
+dn: cn=schema
3e8b5b
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
3e8b5b
+  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
3e8b5b
+  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
3e8b5b
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
3e8b5b
+  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
3e8b5b
+  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )