diff -up openssh-5.5p1/config.h.in.ldap openssh-5.5p1/config.h.in
--- openssh-5.5p1/config.h.in.ldap	2010-04-16 02:17:09.000000000 +0200
+++ openssh-5.5p1/config.h.in	2010-04-28 11:34:13.000000000 +0200
@@ -1,5 +1,8 @@
 /* config.h.in.  Generated from configure.ac by autoheader.  */
 
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
 /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
    */
 #undef AIX_GETNAMEINFO_HACK
@@ -536,6 +539,57 @@
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
 
+/* Define to 1 if you have the <lber.h> header file. */
+#undef HAVE_LBER_H
+
+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
+
+/* Define to 1 if you have the `ldap_controls_free' function. */
+#undef HAVE_LDAP_CONTROLS_FREE
+
+/* Define to 1 if you have the `ldap_get_lderrno' function. */
+#undef HAVE_LDAP_GET_LDERRNO
+
+/* Define to 1 if you have the `ldap_get_option' function. */
+#undef HAVE_LDAP_GET_OPTION
+
+/* Define to 1 if you have the <ldap.h> header file. */
+#undef HAVE_LDAP_H
+
+/* Define to 1 if you have the `ldap_init' function. */
+#undef HAVE_LDAP_INIT
+
+/* Define to 1 if you have the `ldap_initialize' function. */
+#undef HAVE_LDAP_INITIALIZE
+
+/* Define to 1 if you have the `ldap_memfree' function. */
+#undef HAVE_LDAP_MEMFREE
+
+/* Define to 1 if you have the `ldap_parse_result' function. */
+#undef HAVE_LDAP_PARSE_RESULT
+
+/* Define to 1 if you have the `ldap_pvt_tls_set_option' function. */
+#undef HAVE_LDAP_PVT_TLS_SET_OPTION
+
+/* Define to 1 if you have the `ldap_set_lderrno' function. */
+#undef HAVE_LDAP_SET_LDERRNO
+
+/* Define to 1 if you have the `ldap_set_option' function. */
+#undef HAVE_LDAP_SET_OPTION
+
+/* Define to 1 if you have the `ldap_set_rebind_proc' function. */
+#undef HAVE_LDAP_SET_REBIND_PROC
+
+/* Define to 1 if you have the <ldap_ssl.h> header file. */
+#undef HAVE_LDAP_SSL_H
+
+/* Define to 1 if you have the `ldap_start_tls_s' function. */
+#undef HAVE_LDAP_START_TLS_S
+
+/* Define to 1 if you have the <libaudit.h> header file. */
+#undef HAVE_LIBAUDIT_H
+
 /* Define to 1 if you have the `bsm' library (-lbsm). */
 #undef HAVE_LIBBSM
 
@@ -575,6 +629,9 @@
 /* Define to 1 if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H
 
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
 /* Define to 1 if you have the <linux/if_tun.h> header file. */
 #undef HAVE_LINUX_IF_TUN_H
 
@@ -771,6 +828,9 @@
 /* Define to 1 if you have the `setgroups' function. */
 #undef HAVE_SETGROUPS
 
+/* Define to 1 if you have the `setkeycreatecon' function. */
+#undef HAVE_SETKEYCREATECON
+
 /* Define to 1 if you have the `setlogin' function. */
 #undef HAVE_SETLOGIN
 
@@ -921,13 +981,13 @@
 /* define if you have struct sockaddr_in6 data type */
 #undef HAVE_STRUCT_SOCKADDR_IN6
 
-/* Define to 1 if `sin6_scope_id' is member of `struct sockaddr_in6'. */
+/* Define to 1 if `sin6_scope_id' is a member of `struct sockaddr_in6'. */
 #undef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID
 
 /* define if you have struct sockaddr_storage data type */
 #undef HAVE_STRUCT_SOCKADDR_STORAGE
 
-/* Define to 1 if `st_blksize' is member of `struct stat'. */
+/* Define to 1 if `st_blksize' is a member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_BLKSIZE
 
 /* Define to 1 if the system has the type `struct timespec'. */
@@ -1191,6 +1251,9 @@
 /* Define if pututxline updates lastlog too */
 #undef LASTLOG_WRITE_PUTUTXLINE
 
+/* number arguments of ldap_set_rebind_proc */
+#undef LDAP_SET_REBIND_PROC_ARGS
+
 /* Define if you want TCP Wrappers support */
 #undef LIBWRAP
 
@@ -1274,6 +1337,9 @@
 /* Define to the one symbol short name of this package. */
 #undef PACKAGE_TARNAME
 
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
@@ -1360,6 +1426,10 @@
 /* Prepend the address family to IP tunnel traffic */
 #undef SSH_TUN_PREPEND_AF
 
+/* Define to your vendor patch level, if it has been modified from the
+   upstream source release. */
+#undef SSH_VENDOR_PATCHLEVEL
+
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 
@@ -1384,6 +1454,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
+/* platform uses an in-memory credentials cache */
+#undef USE_CCAPI
+
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
@@ -1396,6 +1469,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
+/* platform has the Security Authorization Session API */
+#undef USE_SECURITY_SESSION_API
+
 /* Define if you have Solaris process contracts */
 #undef USE_SOLARIS_PROCESS_CONTRACTS
 
@@ -1418,12 +1494,26 @@
 /* Define if you want IRIX project management */
 #undef WITH_IRIX_PROJECT
 
+/* Enable LDAP pubkey support */
+#undef WITH_LDAP_PUBKEY
+
+/* Enable pubkey agent support */
+#undef WITH_PUBKEY_AGENT
+
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
 
-/* Define to 1 if your processor stores words with the most significant byte
-   first (like Motorola and SPARC, unlike Intel and VAX). */
-#undef WORDS_BIGENDIAN
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+#  define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+#  undef WORDS_BIGENDIAN
+# endif
+#endif
 
 /* Define if xauth is found in your path */
 #undef XAUTH_PATH
diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac
--- openssh-5.5p1/configure.ac.ldap	2010-04-28 11:34:09.000000000 +0200
+++ openssh-5.5p1/configure.ac	2010-04-28 11:34:13.000000000 +0200
@@ -1382,6 +1382,106 @@ AC_ARG_WITH(pka,
 	]
 )
 
+# Check whether user wants LDAP support
+LDAP_MSG="no"
+INSTALL_SSH_LDAP_HELPER=""
+AC_ARG_WITH(ldap,
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+
+			INSTALL_SSH_LDAP_HELPER="yes"
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
+
+			if test "x$withval" != "xyes" ; then
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
+			fi
+
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
+			LDAP_MSG="yes"
+
+			AC_CHECK_HEADERS(lber.h)
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
+			AC_CHECK_HEADERS(ldap_ssl.h)
+
+			AC_ARG_WITH(ldap-lib,
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+
+			if test -z "$with_ldap_lib"; then
+				with_ldap_lib=auto
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
+				fi
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib"; then
+				AC_MSG_ERROR(could not locate a valid LDAP library)
+			fi
+
+			AC_MSG_CHECKING([for working LDAP support])
+			AC_TRY_COMPILE(
+				[#include <sys/types.h>
+				 #include <ldap.h>],
+				[(void)ldap_init(0, 0);],
+				[AC_MSG_RESULT(yes)],
+				[
+				    AC_MSG_RESULT(no) 
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
+				])
+			AC_CHECK_FUNCS( \
+				ldap_init \
+				ldap_get_lderrno \
+				ldap_set_lderrno \
+				ldap_parse_result \
+				ldap_memfree \
+				ldap_controls_free \
+				ldap_set_option \
+				ldap_get_option \
+				ldapssl_init \
+				ldap_start_tls_s \
+				ldap_pvt_tls_set_option \
+				ldap_initialize \
+			)
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
+				AC_TRY_COMPILE(
+					[#include <lber.h>
+					#include <ldap.h>],
+					[ldap_set_rebind_proc(0, 0, 0);],
+					[ac_cv_ldap_set_rebind_proc=3],
+					[ac_cv_ldap_set_rebind_proc=2])
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
+			)
+		fi
+	]
+)
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
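Review bot: The ldap_set_rebind_proc arity probe misreports any compile failure as the two-argument form: the test program includes `<lber.h>` unconditionally even though `AC_CHECK_HEADERS(lber.h)` earlier in the hunk treats that header as optional, so a missing `lber.h` (or any unrelated compile error) silently yields `ac_cv_ldap_set_rebind_proc=2` and a wrong `LDAP_SET_REBIND_PROC_ARGS` at build time. Wrap the include as `#ifdef HAVE_LBER_H` / `#include <lber.h>` / `#endif`, and consider compiling the two-argument call in the failure branch so that neither form compiling becomes an `AC_MSG_ERROR` instead of a guess. The `ac_cv_` prefix on that variable marks it as a cache variable, but it is never registered through `AC_CACHE_CHECK`; a plain name such as `ldap_set_rebind_proc_args` would avoid misleading users of config.cache. Separately, the `AC_CHECK_LIB(lber, main, …)` and `AC_CHECK_LIB(ldap, main, …)` probes only prove that the libraries link, not that they export the entry points used later; probing a real symbol such as `ldap_init` would make the `found_ldap_lib` result meaningful.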
@@ -4239,6 +4339,7 @@ echo "                 Smartcard support
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "                       PKA support: $PKA_MSG"
+echo "                      LDAP support: $LDAP_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c
--- openssh-5.5p1/ldapbody.c.ldap	2010-04-28 11:34:13.000000000 +0200
+++ openssh-5.5p1/ldapbody.c	2010-04-28 11:34:13.000000000 +0200
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapmisc.h"
+#include "ldapbody.h"
+#include <stdio.h>
+#include <unistd.h>
+
+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
+#define PUBKEYATTR "sshPublicKey"
+#define LDAP_LOGFILE	"%s/ldap.%d"
+
+static FILE *logfile = NULL;
+static LDAP *ld;
+
+static char *attrs[] = {
+    PUBKEYATTR,
+    NULL
+};
+
+void
+ldap_checkconfig (void)
+{
+#ifdef HAVE_LDAP_INITIALIZE
+		if (options.host == NULL && options.uri == NULL)
+#else
+		if (options.host == NULL)
+#endif
+		    fatal ("missing  \"host\" in config file");
+}
+
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+static int
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
+{
+	struct timeval timeout;
+	int rc;
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
+	LDAPMessage *result;
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
+
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
+	if (options.ssl == SSL_START_TLS) {
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
+			return LDAP_OPERATIONS_ERROR;
+		}
+	}
+
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
+#else
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
+
+	timeout.tv_sec = options.bind_timelimit;
+	timeout.tv_usec = 0;
+	result = NULL;
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
+		ldap_msgfree (result);
+		return LDAP_OPERATIONS_ERROR;
+	}
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
+	return rc;
+#endif
+}
+#else
+
+static int
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
+{
+	if (freeit)
+	    return LDAP_SUCCESS;
+
+	*whop = strdup (options.binddn);
+	*credp = strdup (options.bindpw);
+	*methodp = LDAP_AUTH_SIMPLE;
+	debug2 ("Doing LDAP rebind for %s", *whop);
+	return LDAP_SUCCESS;
+}
+#endif
+
+void
+ldap_do_connect(void)
+{
+	int rc, msgid, ld_errno = 0;
+	struct timeval timeout;
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
+	int parserc;
+	LDAPMessage *result;
+	LDAPControl **controls;
+	int reconnect = 0;
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
+
+	debug ("LDAP do connect");
+
+retry:
+	if (reconnect) {
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
+		if (options.bind_policy == 0 ||
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
+			reconnect > 5)
+			    fatal ("Cannot connect to LDAP server");
+	
+		if (reconnect > 1)
+			sleep (reconnect - 1);
+
+		if (ld != NULL) {
+			ldap_unbind (ld);
+			ld = NULL;
+		}
+		logit("reconnecting to LDAP server...");
+	}
+
+	if (ld == NULL) {
+		int rc;
+		struct timeval tv;
+
+#ifdef HAVE_LDAP_SET_OPTION
+		if (options.debug > 0) {
+#ifdef LBER_OPT_LOG_PRINT_FILE
+			if (options.logdir) {
+				char *logfilename;
+				int logfilenamelen;
+
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
+				logfilename = xmalloc (logfilenamelen);
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
+				logfilename[logfilenamelen - 1] = 0;
+				if ((logfile = fopen (logfilename, "a")) == NULL)
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
+				debug3 ("LDAP debug into %s", logfilename);
+				xfree (logfilename);
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
+			}
+#endif
+			if (options.debug) {
+#ifdef LBER_OPT_DEBUG_LEVEL
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
+#endif /* LBER_OPT_DEBUG_LEVEL */
+#ifdef LDAP_OPT_DEBUG_LEVEL
+				ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
+#endif /* LDAP_OPT_DEBUG_LEVEL */
+				debug3 ("Set LDAP debug to %d", options.debug);
+			}
+		}
+#endif /* HAVE_LDAP_SET_OPTION */
+
+		ld = NULL;
+#ifdef HAVE_LDAPSSL_INIT
+		if (options.host != NULL) {
+			if (options.ssl_on == SSL_LDAPS) {
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
+				debug3 ("LDAPssl client init");
+			}
+
+			if (options.ssl_on != SSL_OFF) {
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
+				    fatal ("ldapssl_init failed");
+				debug3 ("LDAPssl init");
+			}
+		}
+#endif /* HAVE_LDAPSSL_INIT */
+
+		/* continue with opening */
+		if (ld == NULL) {
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
+			/* Some global TLS-specific options need to be set before we create our
+			 * session context, so we set them here. */
+
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
+			/* rand file */
+			if (options.tls_randfile != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
+				    options.tls_randfile)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS random file %s", options.tls_randfile);
+			}
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
+
+			/* ca cert file */
+			if (options.tls_cacertfile != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
+			}
+
+			/* ca cert directory */
+			if (options.tls_cacertdir != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
+			}
+
+			/* require cert? */
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
+				    ldap_err2string (rc));
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
+
+			/* set cipher suite, certificate and private key: */
+			if (options.tls_ciphers != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
+				    options.tls_ciphers)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
+			}
+
+			/* cert file */
+			if (options.tls_cert != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
+				    options.tls_cert)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
+			}
+
+			/* key file */
+			if (options.tls_key != NULL) {
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
+				    options.tls_key)) != LDAP_SUCCESS)
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
+					    ldap_err2string (rc));
+				debug3 ("Set TLS key file %s ", options.tls_key);
+			}
+#endif
+#ifdef HAVE_LDAP_INITIALIZE
+			if (options.uri != NULL) {
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
+				debug3 ("LDAP initialize %s", options.uri);
+			}
+	}
+#endif /* HAVE_LDAP_INTITIALIZE */
+
+		/* continue with opening */
+		if ((ld == NULL) && (options.host != NULL)) {
+#ifdef HAVE_LDAP_INIT
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
+			    fatal ("ldap_init failed");
+			debug3 ("LDAP init %s:%d", options.host, options.port);
+#else
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
+			    fatal ("ldap_open failed");
+			debug3 ("LDAP open %s:%d", options.host, options.port);
+#endif /* HAVE_LDAP_INIT */
+		}
+
+		if (ld == NULL)
+			fatal ("no way to open ldap");
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
+		if (options.ssl == SSL_LDAPS) {
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
+		}
+#endif /* LDAP_OPT_X_TLS */
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
+		    &options.ldap_version);
+#else
+		ld->ld_version = options.ldap_version;
+#endif
+		debug3 ("LDAP set version to %d", options.ldap_version);
+
+#if LDAP_SET_REBIND_PROC_ARGS == 3
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
+		ldap_set_rebind_proc (ld, _rebind_proc);
+#else
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
+#endif
+		debug3 ("LDAP set rebind proc");
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
+#else
+		ld->ld_deref = options.deref;
+#endif
+		debug3 ("LDAP set deref to %d", options.deref);
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
+		    &options.timelimit);
+#else
+		ld->ld_timelimit = options.timelimit;
+#endif
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
+		/*
+		 * This is a new option in the Netscape SDK which sets 
+		 * the TCP connect timeout. For want of a better value,
+		 * we use the bind_timelimit to control this.
+		 */
+		timeout = options.bind_timelimit * 1000;
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
+		tv.tv_sec = options.bind_timelimit;
+		tv.tv_usec = 0;
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
+		debug3 ("LDAP set referrals to %d", options.referrals);
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
+		debug3 ("LDAP set restart to %d", options.restart);
+#endif
+
+#ifdef HAVE_LDAP_START_TLS_S
+		if (options.ssl == SSL_START_TLS) {
+			int version;
+
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
+			    == LDAP_SUCCESS) {
+				if (version < LDAP_VERSION3) {
+					version = LDAP_VERSION3;
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
+					    &version);
+					debug3 ("LDAP set version to %d", version);
+				}
+			}
+
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
+			debug3 ("LDAP start TLS");
+		}
+#endif /* HAVE_LDAP_START_TLS_S */
+	}
+
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
+	    options.bindpw)) == -1) {
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
+
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
+		reconnect++;
+		goto retry;
+	}
+	debug3 ("LDAP simple bind (%s)", options.binddn);
+
+	timeout.tv_sec = options.bind_timelimit;
+	timeout.tv_usec = 0;
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
+
+		error ("ldap_result %s", ldap_err2string (ld_errno));
+		reconnect++;
+		goto retry;
+	}
+	debug3 ("LDAP result in time");
+
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
+	controls = NULL;
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
+	debug3 ("LDAP parse result OK");
+
+	if (controls != NULL) {
+		ldap_controls_free (controls);
+	}
+#else
+	rc = ldap_result2error (session->ld, result, TRUE);
+#endif
+	if (rc != LDAP_SUCCESS)
+	    fatal ("error trying to bind as user \"%s\" (%s)",
+		options.binddn, ldap_err2string (rc));
+
+	debug2 ("LDAP do connect OK");
+}
+
+void
+process_user (const char *user, FILE *output)
+{
+	LDAPMessage *res, *e;
+	char *buffer;
+	int bufflen, rc, i;
+	struct timeval timeout;
+
+	debug ("LDAP process user");
+
+	/* quick check for attempts to be evil */
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
+		logit ("illegal user name %s not processed", user);
+		return;
+	}
+
+	/* build  filter for LDAP request */
+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
+	if (options.ssh_filter != NULL)
+	    bufflen += strlen (options.ssh_filter);
+	buffer = xmalloc (bufflen);
+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
+	buffer[bufflen - 1] = 0;
+
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
+
+	timeout.tv_sec = options.timelimit;
+	timeout.tv_usec = 0;
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
+		xfree (buffer);
+		return;
+	}
+
+	/* free */
+	xfree (buffer);
+
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
+		int num;
+		struct berval **keys;
+
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
+		num = ldap_count_values_len(keys);
+		for (i = 0 ; i < num ; i++) {
+			char *cp; //, *options = NULL;
+
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
+			if (!*cp || *cp == '\n' || *cp == '#')
+			    continue;
+
+			/* We have found the desired key. */
+			fprintf (output, "%s\n", keys[i]->bv_val);
+		}
+
+		ldap_value_free_len(keys);
+	}
+
+	ldap_msgfree(res);
+	debug2 ("LDAP process user finished");
+}
+
+void
+ldap_do_close(void)
+{
+	int rc;
+
+	debug ("LDAP do close");
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
+	    fatal ("ldap_unbind_ext: %s",
+                                    ldap_err2string (rc));
+
+	ld = NULL;
+	debug2 ("LDAP do close OK");
+	return;
+}
+
diff -up openssh-5.5p1/ldapbody.h.ldap openssh-5.5p1/ldapbody.h
--- openssh-5.5p1/ldapbody.h.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldapbody.h	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPBODY_H
+#define LDAPBODY_H
+
+#include <stdio.h>
+
+void ldap_checkconfig(void);
+void ldap_do_connect(void);
+void process_user(const char *, FILE *);
+void ldap_do_close(void);
+
+#endif /* LDAPBODY_H */
+
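Review bot: The prototypes in this header carry neither parameter names nor a comment, so a caller cannot tell that `process_user` writes to its second argument or that the connect/close routines abort via fatal() rather than returning a status; `void process_user(const char *user, FILE *output);` preceded by a comment such as "Look up user in the directory and print each of its public keys, one per line, to output; names containing LDAP filter metacharacters are logged and skipped" would make that visible, and matches what the ldapbody.c code above actually does. A similar one-line note on `ldap_do_connect` and `ldap_do_close` saying they call fatal() on any error would stop callers from expecting a return value to check. A smaller point: libldap owns the `ldap_` prefix for its public symbols, so `ldap_checkconfig`, `ldap_do_connect` and `ldap_do_close` sit inside the library's namespace and could collide with a future export; a project-specific prefix would avoid that, though this may be a deliberate choice.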
diff -up openssh-5.5p1/ldapconf.c.ldap openssh-5.5p1/ldapconf.c
--- openssh-5.5p1/ldapconf.c.ldap	2010-04-28 11:34:14.000000000 +0200
+++ openssh-5.5p1/ldapconf.c	2010-04-28 11:34:14.000000000 +0200
@@ -0,0 +1,665 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "ldap-helper.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include <unistd.h>
+#include <string.h>
+
+/* Keyword tokens. */
+
+typedef enum {
+	lBadOption,
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
+	lRestart, lTLS_CheckPeer, lTLS_Certificate, lTLS_CaCertFile,
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
+	lTLS_RandFile, lLogdir, lDebug, lSSH_Filter,
+	lDeprecated, lUnsupported
+} OpCodes;
+
+/* Textual representations of the tokens. */
+
+static struct {
+	const char *name;
+	OpCodes opcode;
+} keywords[] = {
+	{ "Host", lHost },
+	{ "URI", lURI },
+	{ "Base", lBase },
+	{ "BindDN", lBindDN },
+	{ "BindPW", lBindPW },
+	{ "RootBindDN", lRootBindDN },
+	{ "Scope", lScope },
+	{ "Deref", lDeref },
+	{ "Port", lPort },
+	{ "Timelimit", lTimeLimit },
+	{ "Bind_Timelimit", lBind_TimeLimit },
+	{ "Ldap_Version", lLdap_Version },
+	{ "Bind_Policy", lBind_Policy },
+	{ "SSLPath", lSSLPath },
+	{ "SSL", lSSL },
+	{ "Referrals", lReferrals },
+	{ "Restart", lRestart },
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
+	{ "TLS_Certificate", lTLS_Certificate },
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
+	{ "TLS_Ciphers", lTLS_Ciphers },
+	{ "TLS_Cert", lTLS_Cert },
+	{ "TLS_Key", lTLS_Key },
+	{ "TLS_RandFile", lTLS_RandFile },
+	{ "Logdir", lLogdir },
+	{ "Debug", lDebug },
+	{ "SSH_Filter", lSSH_Filter },
+	{ NULL, lBadOption }
+};
+
+/* Configuration ptions. */
+
+Options options;
+
+/*
+ * Returns the number of the token pointed to by cp or oBadOption.
+ */
+
+static OpCodes
+parse_token(const char *cp, const char *filename, int linenum)
+{
+	u_int i;
+
+	for (i = 0; keywords[i].name; i++)
+		if (strcasecmp(cp, keywords[i].name) == 0)
+			return keywords[i].opcode;
+
+	if (config_warning_config_file) 
+	    logit("%s: line %d: Bad configuration option: %s",
+		filename, linenum, cp);
+	return lBadOption;
+}
+
+/*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set.
+ */
+#define WHITESPACE " \t\r\n"
+
+static int
+process_config_line(char *line, const char *filename, int linenum)
+{
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
+	char *rootbinddn = NULL;
+	int opcode, *intptr, value;
+	size_t len;
+
+	/* Strip trailing whitespace */
+	for (len = strlen(line) - 1; len > 0; len--) {
+		if (strchr(WHITESPACE, line[len]) == NULL)
+			break;
+		line[len] = '\0';
+	}
+
+	s = line;
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
+	if ((keyword = strdelim(&s)) == NULL)
+		return 0;
+	/* Ignore leading whitespace. */
+	if (*keyword == '\0')
+		keyword = strdelim(&s);
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
+		return 0;
+
+	opcode = parse_token(keyword, filename, linenum);
+
+	switch (opcode) {
+	case lBadOption:
+		/* don't panic, but count bad options */
+		return -1;
+		/* NOTREACHED */
+
+	case lHost:
+		xstringptr = &options.host;
+parse_xstring:
+		if (!s || *s == '\0')
+		    fatal("%s line %d: missing dn",filename,linenum);
+		if (*xstringptr == NULL)
+		    *xstringptr = xstrdup(s);
+		return 0;
+
+	case lURI:
+		xstringptr = &options.uri;
+		goto parse_xstring;
+
+	case lBase:
+		xstringptr = &options.base;
+		goto parse_xstring;
+
+	case lBindDN:
+		xstringptr = &options.binddn;
+		goto parse_xstring;
+
+	case lBindPW:
+		charptr = &options.bindpw;
+parse_string:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (*charptr == NULL)
+			*charptr = xstrdup(arg);
+		break;
+
+	case lRootBindDN:
+		xstringptr = &rootbinddn;
+		goto parse_xstring;
+
+	case lScope:
+		intptr = &options.scope;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (!strcasecmp (arg, "sub"))
+			value = LDAP_SCOPE_SUBTREE;
+		else if (!strcasecmp (arg, "one"))
+			value = LDAP_SCOPE_ONELEVEL;
+		else if (!strcasecmp (arg, "base"))
+			value = LDAP_SCOPE_BASE;
+		else
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lDeref:
+		intptr = &options.scope;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (!strcasecmp (arg, "never"))
+			value = LDAP_DEREF_NEVER;
+		else if (!strcasecmp (arg, "searching"))
+			value = LDAP_DEREF_SEARCHING;
+		else if (!strcasecmp (arg, "finding"))
+			value = LDAP_DEREF_FINDING;
+		else if (!strcasecmp (arg, "always"))
+			value = LDAP_DEREF_ALWAYS;
+		else
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lPort:
+		intptr = &options.port;
+parse_int:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (arg[0] < '0' || arg[0] > '9')
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+
+		/* Octal, decimal, or hex format? */
+		value = strtol(arg, &endofnumber, 0);
+		if (arg == endofnumber)
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lTimeLimit:
+		intptr = &options.timelimit;
+parse_time:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing time value.",
+			    filename, linenum);
+		if ((value = convtime(arg)) == -1)
+			fatal("%s line %d: invalid time value.",
+			    filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lBind_TimeLimit:
+		intptr = &options.bind_timelimit;
+		goto parse_time;
+
+	case lLdap_Version:
+		intptr = &options.ldap_version;
+		goto parse_int;
+
+	case lBind_Policy:
+		intptr = &options.bind_policy;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "hard") == 0)
+			value = 1;
+		else if (strcasecmp(arg, "soft") == 0)
+			value = 0;
+		else
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
+		if (*intptr == -1)
+		break;
+
+	case lSSLPath:
+		charptr = &options.sslpath;
+		goto parse_string;
+
+	case lSSL:
+		intptr = &options.ssl;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
+			value = SSL_LDAPS;
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
+			value = SSL_OFF;
+		else if (!strcasecmp (arg, "start_tls"))
+			value = SSL_START_TLS;
+		else
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lReferrals:
+		intptr = &options.referrals;
+parse_flag:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
+			value = 1;
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
+			value = 0;
+		else
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lRestart:
+		intptr = &options.restart;
+		goto parse_flag;
+
+	case lTLS_CheckPeer:
+		intptr = &options.tls_checkpeer;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "never") == 0)
+			value = LDAP_OPT_X_TLS_NEVER;
+		else if (strcasecmp(arg, "hard") == 0)
+			value = LDAP_OPT_X_TLS_HARD;
+		else if (strcasecmp(arg, "demand") == 0)
+			value = LDAP_OPT_X_TLS_DEMAND;
+		else if (strcasecmp(arg, "allow") == 0)
+			value = LDAP_OPT_X_TLS_ALLOW;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "try") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_TRY;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_CaCertFile:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cacertfile;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_CaCertDir:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cacertdir;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Ciphers:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.tls_ciphers;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Cert:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cert;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Key:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_key;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_RandFile:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_randfile;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lLogdir:
Jan F. Chadima 7e7fb4
+		charptr = &options.logdir;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lDebug:
Jan F. Chadima 7e7fb4
+		intptr = &options.debug;
Jan F. Chadima 7e7fb4
+		goto parse_int;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lSSH_Filter:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.ssh_filter;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lDeprecated:
Jan F. Chadima 7e7fb4
+		debug("%s line %d: Deprecated option \"%s\"",
Jan F. Chadima 7e7fb4
+		    filename, linenum, keyword);
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lUnsupported:
Jan F. Chadima 7e7fb4
+		error("%s line %d: Unsupported option \"%s\"",
Jan F. Chadima 7e7fb4
+		    filename, linenum, keyword);
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	default:
Jan F. Chadima 7e7fb4
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Check that there is no garbage at end of line. */
Jan F. Chadima 7e7fb4
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
Jan F. Chadima 7e7fb4
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
Jan F. Chadima 7e7fb4
+		    filename, linenum, arg);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	return 0;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Reads the config file and modifies the options accordingly.  Options
Jan F. Chadima 7e7fb4
+ * should already be initialized before this call.  This never returns if
Jan F. Chadima 7e7fb4
+ * there is an error.  If the file does not exist, this returns 0.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+read_config_file(const char *filename)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	FILE *f;
Jan F. Chadima 7e7fb4
+	char line[1024];
Jan F. Chadima 7e7fb4
+	int active, linenum;
Jan F. Chadima 7e7fb4
+	int bad_options = 0;
Jan F. Chadima 7e7fb4
+	struct stat sb;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if ((f = fopen(filename, "r")) == NULL)
Jan F. Chadima 7e7fb4
+		fatal("fopen %s: %s", filename, strerror(errno));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (fstat(fileno(f), &sb) == -1)
Jan F. Chadima 7e7fb4
+		fatal("fstat %s: %s", filename, strerror(errno));
Jan F. Chadima 7e7fb4
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
Jan F. Chadima 7e7fb4
+	    (sb.st_mode & 022) != 0))
Jan F. Chadima 7e7fb4
+		fatal("Bad owner or permissions on %s", filename);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug("Reading configuration data %.200s", filename);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/*
Jan F. Chadima 7e7fb4
+	 * Mark that we are now processing the options.  This flag is turned
Jan F. Chadima 7e7fb4
+	 * on/off by Host specifications.
Jan F. Chadima 7e7fb4
+	 */
Jan F. Chadima 7e7fb4
+	active = 1;
Jan F. Chadima 7e7fb4
+	linenum = 0;
Jan F. Chadima 7e7fb4
+	while (fgets(line, sizeof(line), f)) {
Jan F. Chadima 7e7fb4
+		/* Update line number counter. */
Jan F. Chadima 7e7fb4
+		linenum++;
Jan F. Chadima 7e7fb4
+		if (process_config_line(line, filename, linenum) != 0)
Jan F. Chadima 7e7fb4
+			bad_options++;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	fclose(f);
Jan F. Chadima 7e7fb4
+	if ((bad_options > 0) && config_exclusive_config_file) 
Jan F. Chadima 7e7fb4
+		fatal("%s: terminating, %d bad configuration options",
Jan F. Chadima 7e7fb4
+		    filename, bad_options);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Initializes options to special values that indicate that they have not yet
Jan F. Chadima 7e7fb4
+ * been set.  Read_config_file will only set options with this value. Options
Jan F. Chadima 7e7fb4
+ * are processed in the following order: command line, user config file,
Jan F. Chadima 7e7fb4
+ * system config file.  Last, fill_default_options is called.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+initialize_options(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	memset(&options, 'X', sizeof(options));
Jan F. Chadima 7e7fb4
+	options.host = NULL;
Jan F. Chadima 7e7fb4
+	options.uri = NULL;
Jan F. Chadima 7e7fb4
+	options.base = NULL;
Jan F. Chadima 7e7fb4
+	options.binddn = NULL;
Jan F. Chadima 7e7fb4
+	options.bindpw = NULL;
Jan F. Chadima 7e7fb4
+	options.scope = -1;
Jan F. Chadima 7e7fb4
+	options.deref = -1;
Jan F. Chadima 7e7fb4
+	options.port = -1;
Jan F. Chadima 7e7fb4
+	options.timelimit = -1;
Jan F. Chadima 7e7fb4
+	options.bind_timelimit = -1;
Jan F. Chadima 7e7fb4
+	options.ldap_version = -1;
Jan F. Chadima 7e7fb4
+	options.bind_policy = -1;
Jan F. Chadima 7e7fb4
+	options.sslpath = NULL;
Jan F. Chadima 7e7fb4
+	options.ssl = -1;
Jan F. Chadima 7e7fb4
+	options.referrals = -1;
Jan F. Chadima 7e7fb4
+	options.restart = -1;
Jan F. Chadima 7e7fb4
+	options.tls_checkpeer = -1;
Jan F. Chadima 7e7fb4
+	options.tls_cacertfile = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_cacertdir = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_ciphers = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_cert = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_key = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_randfile = NULL;
Jan F. Chadima 7e7fb4
+	options.logdir = NULL;
Jan F. Chadima 7e7fb4
+	options.debug = -1;
Jan F. Chadima 7e7fb4
+	options.ssh_filter = NULL;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Called after processing other sources of option data, this fills those
Jan F. Chadima 7e7fb4
+ * options for which no value has been specified with their default values.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+fill_default_options(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (options.uri != NULL) {
Jan F. Chadima 7e7fb4
+		LDAPURLDesc *ludp;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+			if (options.ssl == -1) {
Jan F. Chadima 7e7fb4
+				if (strcmp (ludp->lud_scheme, "ldap") || strcmp (ludp->lud_scheme, "ldapi"))
Jan F. Chadima 7e7fb4
+				    options.ssl = 0;
Jan F. Chadima 7e7fb4
+				else if (strcmp (ludp->lud_scheme, "ldaps"))
Jan F. Chadima 7e7fb4
+				    options.ssl = 2;
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+			if (options.host == NULL)
Jan F. Chadima 7e7fb4
+			    options.host = xstrdup (ludp->lud_host);
Jan F. Chadima 7e7fb4
+			if (options.port == -1)
Jan F. Chadima 7e7fb4
+			    options.port = ludp->lud_port;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			ldap_free_urldesc (ludp);
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+	} 
Jan F. Chadima 7e7fb4
+	if (options.ssl == -1)
Jan F. Chadima 7e7fb4
+	    options.ssl = SSL_START_TLS;
Jan F. Chadima 7e7fb4
+	if (options.port == -1)
Jan F. Chadima 7e7fb4
+	    options.port = (options.ssl == 0) ? 389 : 636;
Jan F. Chadima 7e7fb4
+	if (options.uri == NULL) {
Jan F. Chadima 7e7fb4
+		int len;
Jan F. Chadima 7e7fb4
+#define MAXURILEN 4096
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		options.uri = xmalloc (MAXURILEN);
Jan F. Chadima 7e7fb4
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
Jan F. Chadima 7e7fb4
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
Jan F. Chadima 7e7fb4
+		options.uri[MAXURILEN - 1] = 0;
Jan F. Chadima 7e7fb4
+		options.uri = xrealloc (options.uri, len + 1, 1);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	if (options.binddn == NULL)
Jan F. Chadima 7e7fb4
+	    options.binddn = "";
Jan F. Chadima 7e7fb4
+	if (options.bindpw == NULL)
Jan F. Chadima 7e7fb4
+	    options.bindpw = "";
Jan F. Chadima 7e7fb4
+	if (options.scope == -1)
Jan F. Chadima 7e7fb4
+	    options.scope = LDAP_SCOPE_SUBTREE;
Jan F. Chadima 7e7fb4
+	if (options.deref == -1)
Jan F. Chadima 7e7fb4
+	    options.deref = LDAP_DEREF_NEVER;
Jan F. Chadima 7e7fb4
+	if (options.timelimit == -1)
Jan F. Chadima 7e7fb4
+	    options.timelimit = 10;
Jan F. Chadima 7e7fb4
+	if (options.bind_timelimit == -1)
Jan F. Chadima 7e7fb4
+	    options.bind_timelimit = 10;
Jan F. Chadima 7e7fb4
+	if (options.ldap_version == -1)
Jan F. Chadima 7e7fb4
+	    options.ldap_version = 3;
Jan F. Chadima 7e7fb4
+	if (options.bind_policy == -1)
Jan F. Chadima 7e7fb4
+	    options.bind_policy = 1;
Jan F. Chadima 7e7fb4
+	if (options.referrals == -1)
Jan F. Chadima 7e7fb4
+	    options.referrals = 1;
Jan F. Chadima 7e7fb4
+	if (options.restart == -1)
Jan F. Chadima 7e7fb4
+	    options.restart = 1;
Jan F. Chadima 7e7fb4
+	if (options.tls_checkpeer == -1)
Jan F. Chadima 7e7fb4
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
Jan F. Chadima 7e7fb4
+	if (options.debug == -1)
Jan F. Chadima 7e7fb4
+	    options.debug = 0;
Jan F. Chadima 7e7fb4
+	if (options.ssh_filter == NULL)
Jan F. Chadima 7e7fb4
+	    options.ssh_filter = "";
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static const char *
Jan F. Chadima 7e7fb4
+lookup_opcode_name(OpCodes code)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	u_int i;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	for (i = 0; keywords[i].name != NULL; i++)
Jan F. Chadima 7e7fb4
+	    if (keywords[i].opcode == code)
Jan F. Chadima 7e7fb4
+		return(keywords[i].name);
Jan F. Chadima 7e7fb4
+	return "UNKNOWN";
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_string(OpCodes code, const char *val)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (val == NULL)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else
Jan F. Chadima 7e7fb4
+	    debug3("%s %s", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_int(OpCodes code, int val)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (val == -1)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else
Jan F. Chadima 7e7fb4
+	    debug3("%s %d", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+struct names {
Jan F. Chadima 7e7fb4
+	int value;
Jan F. Chadima 7e7fb4
+	char *name;
Jan F. Chadima 7e7fb4
+};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	u_int i;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (val == -1)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else {
Jan F. Chadima 7e7fb4
+		for (i = 0; names[i].value != -1; i++)
Jan F. Chadima 7e7fb4
+	 	    if (names[i].value == val) {
Jan F. Chadima 7e7fb4
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
Jan F. Chadima 7e7fb4
+			    return;
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _yesnotls[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "No" },
Jan F. Chadima 7e7fb4
+	{ 1, "Yes" },
Jan F. Chadima 7e7fb4
+	{ 2, "Start_TLS" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _scope[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_BASE, "Base" },
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_ONELEVEL, "One" },
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _deref[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_NEVER, "Never" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_SEARCHING, "Searching" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_FINDING, "Finding" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_ALWAYS, "Always" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _yesno[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "No" },
Jan F. Chadima 7e7fb4
+	{ 1, "Yes" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _bindpolicy[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "Soft" },
Jan F. Chadima 7e7fb4
+	{ 1, "Hard" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _checkpeer[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+dump_config(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lURI, options.uri);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lHost, options.host);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lPort, options.port);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lLdap_Version, options.ldap_version);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lTimeLimit, options.timelimit);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBase, options.base);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBindDN, options.binddn);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBindPW, options.bindpw);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lScope, options.scope, _scope);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lDeref, options.deref, _deref);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lSSLPath, options.sslpath);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Key, options.tls_key);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lLogdir, options.logdir);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lDebug, options.debug);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
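--- a/openssh-5.5p1/ldapconf.h
+++ b/openssh-5.5p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPCONF_H
+#define LDAPCONF_H
+
+#define SSL_OFF          0
+#define SSL_LDAPS        1
+#define SSL_START_TLS    2
+
+/* Data structure for representing option data. */
+
+typedef struct {
+	char *host;
+	char *uri;
+	char *base;
+	char *binddn;
+	char *bindpw;
+	int scope;
+	int deref;
+	int port;
+	int timelimit;
+	int bind_timelimit;
+	int ldap_version;
+	int bind_policy;
+	char *sslpath;
+	int ssl;
+	int referrals;
+	int restart;
+	int tls_checkpeer;
+	char *tls_cacertfile;
+	char *tls_cacertdir;
+	char *tls_ciphers;
+	char *tls_cert;
+	char *tls_key;
+	char *tls_randfile;
+	char *logdir;
+	int debug;
+	char *ssh_filter;
+}       Options;
+
+extern Options options;
+
+void read_config_file(const char *);
+void initialize_options(void);
+void fill_default_options(void);
+void dump_config(void);
+
+#endif /* LDAPCONF_H */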
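Review bot: The `Options` struct documents neither its "unset" sentinel nor the value domain of its integer members: every int is initialised to -1 by initialize_options() and only overwritten while still -1, `ssl` takes the SSL_OFF/SSL_LDAPS/SSL_START_TLS constants defined a few lines above, and `tls_checkpeer` holds an LDAP_OPT_X_TLS_* value, but none of that is visible to a reader of the header. I would put a comment above the typedef, `/* int members: -1 = not yet set (see initialize_options()); ssl holds an SSL_* value, tls_checkpeer an LDAP_OPT_X_TLS_* value */`, and annotate `bindpw` as `/* cleartext bind credential read from the config file */` so the ownership-check and dump paths treat it as sensitive. The three `SSL_*` macros would be better as an enum, which is scoped and visible in a debugger, and fill_default_options() currently compares `options.ssl` against the bare literals 0 and 2 instead of these names. The `$OpenBSD:` tag on the first line still names ldapconf.c rather than this header.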
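--- a/openssh-5.5p1/ldap-helper.c
+++ b/openssh-5.5p1/ldap-helper.c
@@ -0,0 +1,154 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapbody.h"
+#include <string.h>
+#include <unistd.h>
+
+static int config_debug = 0;
+int config_exclusive_config_file = 0;
+static char *config_file_name = "/etc/ldap.conf";
+static char *config_single_user = NULL;
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
+int config_warning_config_file = 0;
+extern char *__progname;
+
+static void
+usage(void)
+{
+	fprintf(stderr, "usage: %s [options]\n",
+	    __progname);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ldap.conf).\n");
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
+	fprintf(stderr, "  -w          Warn on unknown commands int the config file.\n");
+	exit(1);
+}
+
+/*
+ * Main program for the ssh pka ldap agent.
+ */
+
+int
+main(int ac, char **av)
+{
+	int opt;
+	FILE *outfile = NULL;
+
+	__progname = ssh_get_progname(av[0]);
+
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+
+	/*
+	 * Initialize option structure to indicate that no values have been
+	 * set.
+	 */
+	initialize_options();
+
+	/* Parse command-line arguments. */
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
+		switch (opt) {
+		case 'd':
+			config_debug = 1;
+			break;
+
+		case 'e':
+			config_exclusive_config_file = 1;
+			config_warning_config_file = 1;
+			break;
+
+		case 'f':
+			config_file_name = optarg;
+			break;
+
+		case 's':
+			config_single_user = optarg;
+			outfile = fdopen (dup (fileno (stdout)), "w");
+			break;
+
+		case 'v':
+			config_debug = 1;
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
+			    config_verbose++;
+			break;
+
+		case 'w':
+			config_warning_config_file = 1;
+			break;
+
+		case '?':
+		default:
+			usage();
+			break;
+		}
+	}
+
+	/* Initialize loging */
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
+
+	if (ac != optind)
+	    fatal ("illegal extra parameter %s", av[1]);
+
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
+	if (config_debug == 0)
+	    sanitise_stdfd();
+
+	/* Read config file */
+	read_config_file(config_file_name);
+	fill_default_options();
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
+		debug3 ("=== Configuration ===");
+		dump_config();
+		debug3 ("=== *** ===");
+	}
+
+	ldap_checkconfig();
+	ldap_do_connect();
+
+	if (config_single_user) {
+		process_user (config_single_user, outfile);
+	} else {
+		fatal ("Not yet implemented");
+/* TODO
+ * open unix socket a run the loop on it
+ */
+	}
+
+	ldap_do_close();
+	return 0;
+}
+
+/* Ugly hack */
+void   *buffer_get_string(Buffer *b, u_int *l) {}
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
+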
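Review bot: The extra-argument check `if (ac != optind)` reports `av[1]`, which after any option has been consumed is that option and not the offending argument; it should read `fatal ("illegal extra parameter %s", av[optind]);`. The `-s` branch never checks the result of `dup()`/`fdopen()`, so on failure `outfile` is NULL when handed to process_user() and a repeated `-s` leaks the earlier descriptor — guard it with `if (outfile == NULL) fatal("fdopen: %s", strerror(errno));` and reject a second `-s`. The "Ugly hack" stub `buffer_get_string` is a non-void function that reaches its closing brace without a return, which is undefined behaviour the moment any linked caller uses the result; if it must exist it should `fatal()` or at least `return NULL;`. Two smaller items in the same hunk: the usage text has "demonize" and "int the config file", and `config_single_user` goes straight from argv into process_user(), so whatever builds the LDAP search filter from it (not in this hunk) must escape the value before interpolating it.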
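--- a/openssh-5.5p1/ldap-helper.h
+++ b/openssh-5.5p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAP_HELPER_H
+#define LDAP_HELPER_H
+
+extern int config_exclusive_config_file;
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */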
diff -up openssh-5.5p1/ldapincludes.h.ldap openssh-5.5p1/ldapincludes.h
Jan F. Chadima 7e7fb4
--- openssh-5.5p1/ldapincludes.h.ldap	2010-04-28 11:34:14.000000000 +0200
Jan F. Chadima 7e7fb4
+++ openssh-5.5p1/ldapincludes.h	2010-04-28 11:34:14.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,41 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef LDAPINCLUDES_H
Jan F. Chadima 7e7fb4
+#define LDAPINCLUDES_H
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "includes.h"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LBER_H
Jan F. Chadima 7e7fb4
+#include <lber.h>
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_H
Jan F. Chadima 7e7fb4
+#include <ldap.h>
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_SSL_H
Jan F. Chadima 7e7fb4
+#include <ldap_ssl.h>
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#endif /* LDAPINCLUDES_H */
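Review bot: The ID tag at the top of this new header, `/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */`, names a different file (ldapconf.c) than the one it heads, which will mislead anyone tracing provenance of the LDAP sources. Either correct it to `/* $OpenBSD: ldapincludes.h,v ... $ */` or drop the pseudo-CVS tag, since this file does not actually come from the OpenBSD tree. A one-line purpose comment above the guard would also help, e.g. `/* Central include for the LDAP SDK headers; lber.h must precede ldap.h on SDKs that do not pull it in themselves. */` (that ordering requirement is inferred from the include order here, not stated in the hunk).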
Jan F. Chadima 7e7fb4
diff -up openssh-5.5p1/ldapmisc.c.ldap openssh-5.5p1/ldapmisc.c
Jan F. Chadima 7e7fb4
--- openssh-5.5p1/ldapmisc.c.ldap	2010-04-28 11:34:14.000000000 +0200
Jan F. Chadima 7e7fb4
+++ openssh-5.5p1/ldapmisc.c	2010-04-28 11:34:14.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,79 @@
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+#include "ldapmisc.h"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef HAVE_LDAP_GET_LDERRNO
Jan F. Chadima 7e7fb4
+int
Jan F. Chadima 7e7fb4
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_GET_OPTION
Jan F. Chadima 7e7fb4
+	int rc;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	int lderrno;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+	lderrno = ld->ld_errno;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (s != NULL) {
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+		    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		*s = ld->ld_error;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (m != NULL) {
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+		    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		*m = ld->ld_matched;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	return lderrno;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef HAVE_LDAP_SET_LDERRNO
Jan F. Chadima 7e7fb4
+int
Jan F. Chadima 7e7fb4
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 7e7fb4
+	int rc;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+	ld->ld_errno = lderrno;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (s != NULL) {
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+		    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_error = s;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (m != NULL) {
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+		    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_matched = m;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	return LDAP_SUCCESS;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
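Review bot: The two fallback paths in ldap_get_lderrno hand back strings with different ownership: the ldap_get_option() branches for LDAP_OPT_ERROR_STRING and LDAP_OPT_MATCHED_DN return heap copies that, at least with OpenLDAP, the caller must release with ldap_memfree(), while the `*s = ld->ld_error;` and `*m = ld->ld_matched;` branches return pointers into the handle that must never be freed. Nothing in this file or its header tells callers which case applies, so depending on the build configuration a caller either leaks or risks freeing library-owned memory; the early `return rc;` after a successful LDAP_OPT_ERROR_STRING lookup likewise drops the already-allocated `*s` when the LDAP_OPT_MATCHED_DN lookup fails. I would document the contract above the function, e.g. `/* On success *m and *s are either heap copies owned by the caller (release with ldap_memfree) or pointers into ld, depending on HAVE_LDAP_GET_OPTION; never free them unconditionally. */`, and release `*s` before that second early return. Note also that `return rc;` hands back an ldap_get_option status (LDAP_OPT_ERROR, -1, in OpenLDAP) where callers expect an LDAP result code, and that this file is the only new source in the patch without a license header.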
Jan F. Chadima 7e7fb4
diff -up openssh-5.5p1/ldapmisc.h.ldap openssh-5.5p1/ldapmisc.h
Jan F. Chadima 7e7fb4
--- openssh-5.5p1/ldapmisc.h.ldap	2010-04-28 11:34:14.000000000 +0200
Jan F. Chadima 7e7fb4
+++ openssh-5.5p1/ldapmisc.h	2010-04-28 11:34:14.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,35 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef LDAPMISC_H
Jan F. Chadima 7e7fb4
+#define LDAPMISC_H
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+int ldap_get_lderrno (LDAP *, char **, char **);
Jan F. Chadima 7e7fb4
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#endif /* LDAPMISC_H */
Jan F. Chadima 7e7fb4
+
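Review bot: The prototypes `int ldap_get_lderrno (LDAP *, char **, char **);` and `int ldap_set_lderrno (LDAP *, int, const char *, const char *);` are declared unconditionally, while the definitions in ldapmisc.c are compiled only under `#ifndef HAVE_LDAP_GET_LDERRNO` / `#ifndef HAVE_LDAP_SET_LDERRNO`. On an SDK that already provides these functions the native declaration in ldap.h may use different parameter qualifiers (the set variant without const, for instance), which would make this header a conflicting redeclaration rather than a harmless duplicate. Wrapping each prototype in the same `#ifndef` guard used in ldapmisc.c keeps the header consistent with the compat implementation it declares. The `$OpenBSD: ldapbody.h,v` tag also names the wrong file and should read ldapmisc.h or be dropped.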
Jan F. Chadima 7e7fb4
diff -up openssh-5.5p1/lpk-user-example.txt.ldap openssh-5.5p1/lpk-user-example.txt
Jan F. Chadima 7e7fb4
--- openssh-5.5p1/lpk-user-example.txt.ldap	2010-04-28 11:34:14.000000000 +0200
Jan F. Chadima 7e7fb4
+++ openssh-5.5p1/lpk-user-example.txt	2010-04-28 11:34:14.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,117 @@
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Post to ML -> User Made Quick Install Doc.
Jan F. Chadima 7e7fb4
+Contribution from John Lane <john@lane.uk.net>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+OpenSSH LDAP keystore Patch
Jan F. Chadima 7e7fb4
+===========================
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+NOTE: these notes are a transcript of a specific installation
Jan F. Chadima 7e7fb4
+      they work for me, your specifics may be different!
Jan F. Chadima 7e7fb4
+      from John Lane March 17th 2005         john@lane.uk.net
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
Jan F. Chadima 7e7fb4
+from their LDAP record as an alternative to ~/.ssh/authorized_keys.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+(Assuming here that necessary build stuff is in $BUILD)
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+cd $BUILD/openssh-4.0p1
Jan F. Chadima 7e7fb4
+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
Jan F. Chadima 7e7fb4
+mkdir -p /var/empty &&
Jan F. Chadima 7e7fb4
+./configure --prefix=/usr --sysconfdir=/etc/ssh \
Jan F. Chadima 7e7fb4
+    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
Jan F. Chadima 7e7fb4
+    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
Jan F. Chadima 7e7fb4
+Now do.
Jan F. Chadima 7e7fb4
+make &&
Jan F. Chadima 7e7fb4
+make install
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Add the following config to /etc/ssh/ssh_config
Jan F. Chadima 7e7fb4
+UseLPK yes
Jan F. Chadima 7e7fb4
+LpkServers ldap://myhost.mydomain.com
Jan F. Chadima 7e7fb4
+LpkUserDN  ou=People,dc=mydomain,dc=com
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+We need to tell sshd about the SSL keys during boot, as root's
Jan F. Chadima 7e7fb4
+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
Jan F. Chadima 7e7fb4
+Change the startup code from this:
Jan F. Chadima 7e7fb4
+                echo "Starting SSH Server..."
Jan F. Chadima 7e7fb4
+                loadproc /usr/sbin/sshd
Jan F. Chadima 7e7fb4
+                ;;
Jan F. Chadima 7e7fb4
+to this:
Jan F. Chadima 7e7fb4
+                echo "Starting SSH Server..."
Jan F. Chadima 7e7fb4
+                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
Jan F. Chadima 7e7fb4
+                ;;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Re-start the sshd daemon:
Jan F. Chadima 7e7fb4
+/etc/rc.d/init.d/sshd restart
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Install the additional LDAP schema
Jan F. Chadima 7e7fb4
+cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
Jan F. Chadima 7e7fb4
+Add the following to the end of the existing block of schema includes
Jan F. Chadima 7e7fb4
+include         /etc/openldap/schema/openssh.schema
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Re-start the LDAP server:
Jan F. Chadima 7e7fb4
+/etc/rc.d/init.d/slapd restart
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+To add one or more public keys to a user, eg "testuser" :
Jan F. Chadima 7e7fb4
+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
Jan F. Chadima 7e7fb4
+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+append the following to this /tmp/testuser file
Jan F. Chadima 7e7fb4
+objectclass: ldapPublicKey
Jan F. Chadima 7e7fb4
+sshPublicKey: ssh-rsa
Jan F. Chadima 7e7fb4
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
Jan F. Chadima 7e7fb4
+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
Jan F. Chadima 7e7fb4
+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Then do a modify:
Jan F. Chadima 7e7fb4
+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
Jan F. Chadima 7e7fb4
+/tmp/testuser -Z
Jan F. Chadima 7e7fb4
+Enter LDAP Password:
Jan F. Chadima 7e7fb4
+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
Jan F. Chadima 7e7fb4
+And check the modify is ok:
Jan F. Chadima 7e7fb4
+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
Jan F. Chadima 7e7fb4
+"uid=testuser,ou=People,dc=mydomain,dc=com"
Jan F. Chadima 7e7fb4
+Enter LDAP Password:
Jan F. Chadima 7e7fb4
+# extended LDIF
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# LDAPv3
Jan F. Chadima 7e7fb4
+# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
Jan F. Chadima 7e7fb4
+# filter: (objectclass=*)
Jan F. Chadima 7e7fb4
+# requesting: ALL
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# testuser, People, mydomain.com
Jan F. Chadima 7e7fb4
+dn: uid=testuser,ou=People,dc=mydomain,dc=com
Jan F. Chadima 7e7fb4
+uid: testuser
Jan F. Chadima 7e7fb4
+cn: testuser
Jan F. Chadima 7e7fb4
+objectClass: account
Jan F. Chadima 7e7fb4
+objectClass: posixAccount
Jan F. Chadima 7e7fb4
+objectClass: top
Jan F. Chadima 7e7fb4
+objectClass: shadowAccount
Jan F. Chadima 7e7fb4
+objectClass: ldapPublicKey
Jan F. Chadima 7e7fb4
+shadowLastChange: 12757
Jan F. Chadima 7e7fb4
+shadowMax: 99999
Jan F. Chadima 7e7fb4
+shadowWarning: 7
Jan F. Chadima 7e7fb4
+loginShell: /bin/bash
Jan F. Chadima 7e7fb4
+uidNumber: 9999
Jan F. Chadima 7e7fb4
+gidNumber: 501
Jan F. Chadima 7e7fb4
+homeDirectory: /home/testuser
Jan F. Chadima 7e7fb4
+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
Jan F. Chadima 7e7fb4
+sshPublicKey: ssh-rsa
Jan F. Chadima 7e7fb4
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
Jan F. Chadima 7e7fb4
+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# search result
Jan F. Chadima 7e7fb4
+search: 3
Jan F. Chadima 7e7fb4
+result: 0 Success
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# numResponses: 2
Jan F. Chadima 7e7fb4
+# numEntries: 1
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Now start a ssh session to user "testuser" from usual ssh client (e.g.
Jan F. Chadima 7e7fb4
+puTTY). Login should succeed.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Jan F. Chadima 7e7fb4
diff -up openssh-5.5p1/Makefile.in.ldap openssh-5.5p1/Makefile.in
Jan F. Chadima 7e7fb4
--- openssh-5.5p1/Makefile.in.ldap	2010-04-28 11:34:10.000000000 +0200
Jan F. Chadima 7e7fb4
+++ openssh-5.5p1/Makefile.in	2010-04-28 11:34:15.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
Jan F. Chadima 7e7fb4
 SFTP_SERVER=$(libexecdir)/sftp-server
Jan F. Chadima 7e7fb4
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
Jan F. Chadima 7e7fb4
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
Jan F. Chadima 7e7fb4
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
Jan F. Chadima 7e7fb4
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
Jan F. Chadima 7e7fb4
 PRIVSEP_PATH=@PRIVSEP_PATH@
Jan F. Chadima 7e7fb4
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
Jan F. Chadima 7e7fb4
@@ -61,8 +62,9 @@ EXEEXT=@EXEEXT@
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
Jan F. Chadima 7e7fb4
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
Jan F. Chadima 7e7fb4
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
Jan F. Chadima 7e7fb4
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
Jan F. Chadima 7e7fb4
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
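Review bot: `ssh-ldap-helper$(EXEEXT)` is appended to TARGETS unconditionally, while its installation further down is gated on `INSTALL_SSH_LDAP_HELPER` being non-empty. Since ldapmisc.h in this same patch uses the `LDAP` type without any `#ifdef`, a plain `make` on a host where configure found no LDAP headers will fail while building a helper it has already decided not to install. Either gate the target the same way the install step is gated (for example by having configure substitute the helper name into TARGETS), or make sure the ldap*.o sources compile to stubs when the LDAP headers are absent; which of the two fits depends on the configure.ac changes, which are not in this hunk.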
Jan F. Chadima 7e7fb4
@@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
Jan F. Chadima 7e7fb4
 	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
Jan F. Chadima 7e7fb4
 	roaming_common.o roaming_serv.o kexgsss.o
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
Jan F. Chadima 7e7fb4
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
Jan F. Chadima 7e7fb4
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out
Jan F. Chadima 7e7fb4
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5
Jan F. Chadima 7e7fb4
 MANTYPE		= @MANTYPE@
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
Jan F. Chadima 7e7fb4
@@ -165,6 +167,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
Jan F. Chadima 7e7fb4
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
Jan F. Chadima 7e7fb4
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
Jan F. Chadima 7e7fb4
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
Jan F. Chadima 7e7fb4
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
@@ -266,6 +271,9 @@ install-files:
Jan F. Chadima 7e7fb4
 	fi
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
Jan F. Chadima 7e7fb4
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Jan F. Chadima 7e7fb4
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
Jan F. Chadima 7e7fb4
+	fi
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
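Review bot: The new install line `$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER)` omits `$(EXEEXT)` on both the source and the destination, unlike the adjacent ssh-pkcs11-helper and sftp lines; on a platform with a non-empty EXEEXT the source file does not exist and `make install` aborts. It should read `$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper$(EXEEXT) $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)`. The deliberately tighter 0700 mode (versus 0755 for the other helpers) is a sensible least-privilege default if sshd always execs the helper as root, but that assumption is not visible here and deserves a note in the man page so it is not "fixed" later.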
Jan F. Chadima 7e7fb4
@@ -285,6 +293,9 @@ install-files:
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Jan F. Chadima 7e7fb4
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Jan F. Chadima 7e7fb4
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
Jan F. Chadima 7e7fb4
+	fi
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(bindir)/slogin
Jan F. Chadima 7e7fb4
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Jan F. Chadima 7e7fb4
@@ -384,6 +395,7 @@ uninstall:
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Jan F. Chadima 7e7fb4
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
 tests interop-tests:	$(TARGETS)
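Review bot: This hunk removes the ssh-ldap-helper man page on uninstall but none of the Makefile.in hunks in this patch remove the binary installed at `$(DESTDIR)$(SSH_LDAP_HELPER)`, so `make uninstall` leaves a root-only helper behind in libexecdir. The part of the uninstall target that deletes the other helpers lies outside this hunk, so if a removal was added there it is not visible; otherwise add `-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)` alongside the ssh-pkcs11-helper removal.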
Jan F. Chadima 7e7fb4
diff -up openssh-5.5p1/openssh-lpk-openldap.schema.ldap openssh-5.5p1/openssh-lpk-openldap.schema
Jan F. Chadima 7e7fb4
--- openssh-5.5p1/openssh-lpk-openldap.schema.ldap	2010-04-28 11:34:15.000000000 +0200
Jan F. Chadima 7e7fb4
+++ openssh-5.5p1/openssh-lpk-openldap.schema	2010-04-28 11:34:15.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,21 @@
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 7e7fb4
+#                              useful with PKA-LDAP also
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 7e7fb4
+# 
Jan F. Chadima 7e7fb4
+# Based on the proposal of : Mark Ruijter
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# octetString SYNTAX
Jan F. Chadima 7e7fb4
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 7e7fb4
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 7e7fb4
+	EQUALITY octetStringMatch
Jan F. Chadima 7e7fb4
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# printableString SYNTAX yes|no
Jan F. Chadima 7e7fb4
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 7e7fb4
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 7e7fb4
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 7e7fb4
+	)
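Review bot: The comment `# printableString SYNTAX yes|no` above the objectclass does not describe anything in the definition that follows, which declares no printableString or boolean attribute; it reads as a leftover from an earlier revision of the LPK schema and will confuse directory administrators installing it. Replace it with a comment that matches the definition, e.g. `# auxiliary class attaching one or more sshPublicKey values to a user entry`. It may also be worth noting in a comment that sshPublicKey is intentionally multi-valued (no SINGLE-VALUE) so that a user can hold several keys.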
Jan F. Chadima 7e7fb4
diff -up openssh-5.5p1/openssh-lpk-sun.schema.ldap openssh-5.5p1/openssh-lpk-sun.schema
Jan F. Chadima 7e7fb4
--- openssh-5.5p1/openssh-lpk-sun.schema.ldap	2010-04-28 11:34:15.000000000 +0200
Jan F. Chadima 7e7fb4
+++ openssh-5.5p1/openssh-lpk-sun.schema	2010-04-28 11:34:15.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,23 @@
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 7e7fb4
+#                              useful with PKA-LDAP also
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 7e7fb4
+# 
Jan F. Chadima 7e7fb4
+# Schema for Sun Directory Server.
Jan F. Chadima 7e7fb4
+# Based on the original schema, modified by Stefan Fischer.
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+dn: cn=schema
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# octetString SYNTAX
Jan F. Chadima 7e7fb4
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 7e7fb4
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 7e7fb4
+	EQUALITY octetStringMatch
Jan F. Chadima 7e7fb4
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# printableString SYNTAX yes|no
Jan F. Chadima 7e7fb4
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 7e7fb4
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 7e7fb4
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 7e7fb4
+	)
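Review bot: As in the OpenLDAP variant, the comment `# printableString SYNTAX yes|no` precedes an objectclass that defines no such attribute, so it is a stale remark carried over from an earlier schema revision. Replace it with something that describes the definition below it, e.g. `# auxiliary class attaching one or more sshPublicKey values to a user entry`, so the two schema files stay consistent with each other and with what they actually declare.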
Jan F. Chadima 7e7fb4
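--- a/openssh-5.5p1/README.lpk
+++ b/openssh-5.5p1/README.lpk
@@ -0,0 +1,268 @@
+OpenSSH LDAP PUBLIC KEY PATCH 
+Copyright (c) 2003 Eric AUGE (eau@phear.org)
+All rights reserved.
+
+Rewriten by Jan F. Chadima (jchadima@redhat.com)
+Copyright (c) 2010 Red Hat, Inc.
+The new PKA-LDAP patch is rewritten from the scratch.
+LDAP schema and part of the documentation is based on original
+LPK project (http://code.google.com/p/openssh-lpk),
+copyright (c) 2003 Eric AUGE
+The new openssh configuration is different from the original LPK one.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. The name of the author may not be used to endorse or promote products
+   derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+purposes of this patch:
+
+This patch would help to have authentication centralization policy
+using ssh public key authentication.
+This patch could be an alternative to other "secure" authentication system
+working in a similar way (Kerberos, SecurID, etc...), except the fact 
+that it's based on OpenSSH and its public key abilities.
+
+>> FYI: <<
+'uid': means unix accounts existing on the current server
+'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
+
+example schema:
+
+
+                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
+                ___________      /
+               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
+              | LDAP Server |    \
+	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
+	      | titi ,toto  |
+	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
+               \___________/ \       /
+	                       ----- - server4 (uid: eau, rival)  (no group configured)
+			             \
+				        etc...
+
+- WHAT WE NEED :
+
+  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
+  * patched sshd (with this patch ;)
+  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
+        User entry:
+	- attached to the 'ldapPublicKey' objectclass
+	- attached to the 'posixAccount' objectclass
+	- with a filled 'sshPublicKey' attribute 
+	Example:
+		dn: uid=eau,ou=users,dc=cuckoos,dc=net
+		objectclass: top
+		objectclass: person
+		objectclass: organizationalPerson
+		objectclass: posixAccount
+		objectclass: ldapPublicKey
+		description: Eric AUGE Account
+		userPassword: blah
+		cn: Eric AUGE
+		sn: Eric AUGE
+		uid: eau
+		uidNumber: 1034
+		gidNumber: 1
+		homeDirectory: /export/home/eau
+		sshPublicKey: ssh-dss AAAAB3...
+		sshPublicKey: ssh-dss AAAAM5...
+
+	Group entry:
+	- attached to the 'posixGroup' objectclass
+	- with a 'cn' groupname attribute
+	- with multiple 'memberUid' attributes filled with usernames allowed in this group
+	Example:
+		# few members
+		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+		objectclass: top
+		objectclass: posixGroup
+		description: Unix based servers group
+		cn: unix
+		gidNumber: 1002
+		memberUid: eau
+		memberUid: user1
+		memberUid: user2
+
+
+- HOW IT WORKS :
+
+  * without patch
+  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
+  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
+
+  * with the patch
+  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
+  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
+  (usually in $HOME/.ssh/authorized_keys)
+
+  2 tokens are added to sshd_config :
+  # here is the new patched ldap related tokens
+  PubkeyAgent /usr/libexec/openssh/ssh-ldap-helper -s %u
+  PubkeyAgentRunAs nobody
+
+  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
+There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
+
+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
+
+  * my way (there is plenty :)
+  - create ldif file (i.e. users.ldif)
+  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
+  - my way in 4 steps :
+  Example:
+
+  # you add this to the user entry in the LDIF file :
+  [...]
+  objectclass: posixAccount
+  objectclass: ldapPublicKey
+  [...]
+  sshPubliKey: ssh-dss AAAABDh12DDUR2...
+  [...]
+
+  # insert your entry and you're done :)
+  ldapadd -D balblabla -w bleh < file.ldif 
+  
+  all standard options can be present in the 'sshPublicKey' attribute.
+
+- WHY :
+
+  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
+  as authentication method (like pam_ldap etc..).  
+  
+  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
+  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
+  objectclass within LDAP and part of the group the SSH server is in). 
+
+  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
+  so each user can change it as much as he wants). 
+
+  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
+
+- RULES :  
+  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
+  and the additionnal lpk.schema.
+
+  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
+  (pamldap, nss_ldap, etc..).
+
+  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
+  
+  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
+  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
+  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
+  to log in 'server5' (i hope you got the idea, my english is bad :).
+
+  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
+  server.
+  When you want to allow a new user to have access to the server parc, you just add him an account on 
+  your servers, you add his public key into his entry on the LDAP server, it's done. 
+
+  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
+
+  When the user needs to change his passphrase he can do it directly from his workstation by changing 
+  his own key set lock passphrase, and all servers are automatically aware.
+ 
+  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
+  so he can add/modify/delete himself his public key when needed.
+
+­ FLAWS :
+  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
+  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
+  of your users in all your server farm be VERY CAREFUL.
+  
+  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
+  as the impersonnated user.
+
+  If LDAP server is down then, no fallback on passwd auth.
+  
+  the ldap code part has not been well audited yet.
+
+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
+    --- CUT HERE ---
+    dn: uid=jdoe,ou=users,dc=foobar,dc=net
+    objectclass: top
+    objectclass: person
+    objectclass: organizationalPerson
+    objectclass: posixAccount
+    objectclass: ldapPublicKey
+    description: My account
+    cn: John Doe
+    sn: John Doe
+    uid: jdoe
+    uidNumber: 100
+    gidNumber: 100
+    homeDirectory: /home/jdoe
+    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
+    [...]
+    --- CUT HERE ---
+
+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
+    --- CUT HERE ---
+    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+    objectclass: top
+    objectclass: posixGroup
+    description: Unix based servers group
+    cn: unix
+    gidNumber: 1002
+    memberUid: jdoe
+    memberUid: user1
+    memberUid: user2
+    [...]
+    --- CUT HERE ---
+
+>> FYI: << 
+Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
+
+- COMPILING:
+  1. Apply the patch
+  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
+  3. make
+  4. it's done.
+
+- BLA :
+  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
+  
+- TODO :
+  Redesign differently.
+
+- DOCS/LINK :
+  http://pacsec.jp/core05/psj05-barisani-en.pdf
+  http://fritz.potsdam.edu/projects/openssh-lpk/
+  http://fritz.potsdam.edu/projects/sshgate/
+  http://dev.inversepath.com/trac/openssh-lpk
+  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+
+- CONTRIBUTORS/IDEAS/GREETS :
+  - Eric AUGE <eau@phear.org>
+  - Andrea Barisani <andrea@inversepath.com>
+  - Falk Siemonsmeier.
+  - Jacob Rief.
+  - Michael Durchgraf.
+  - frederic peters.
+  - Finlay dobbie.
+  - Stefan Fisher.
+  - Robin H. Johnson.
+  - Adrian Bridgett.
+
+- CONTACT :
+    Jan F. Chadima <jchadima@redhat.com>
+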
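--- a/openssh-5.5p1/ssh-ldap-helper.8
+++ b/openssh-5.5p1/ssh-ldap-helper.8
@@ -0,0 +1,78 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 29 2010 $
+.Dt SSH-LDAP-HELPER 8
+.Os
+.Sh NAME
+.Nm ssh-ldap-helper
+.Nd sshd helper program for ldap support
+.Sh SYNOPSIS
+.Nm ssh-ldap-helper
+.Op Fl devw
+.Op Fl f Ar file
+.Op Fl s Ar user
+.Sh DESCRIPTION
+.Nm
+is used by
+.Xr sshd 1
+to access keys provided by a LDAP.
+.Nm
+is disabled by default and can only be enabled in the
+sshd configuration file
+.Pa /etc/ssh/sshd_config
+by setting
+.Cm PubkeyAgent
+to
+.Dq /usr/libexec/ssh-ldap-helper -s %u .
+.Pp
+.Nm
+is not intended to be invoked by the user, but from
+.Xr sshd 8 .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl d
+Set the debug mode, 
+.Nm
+prints all logs to stderr instead of syslog.
+.It Fl e
+Implies \-w
+.Nm
+halt when an unknown item is found in the ldap.conf file.
+.It Fl f
+Default /etc/ldap.conf.
+.Nm
+uses this file as a ldap configuration file.
+.It Fl s
+.Nm
+print out the keys of the user on stdout and exits.
+.It Fl v
+Implies \-d
+increases verbosity.
+.It Fl w
+.Nm
+writes warnings about unknown items in the ldap.conf file.
+
+.Sh SEE ALSO
+.Xr sshd 8 ,
+.Xr sshd_config 5 ,
+.Sh HISTORY
+.Nm
+first appeared in
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com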