diff -up openssh-5.8p2/configure.ac.ldap openssh-5.8p2/configure.ac
Jan F 0e9135
--- openssh-5.8p2/configure.ac.ldap	2011-05-28 21:03:47.808925111 +0200
Jan F 0e9135
+++ openssh-5.8p2/configure.ac	2011-05-28 21:03:48.797857317 +0200
Jan F 1499a2
@@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
7818e5
 	]
7e7fb4
 )
7e7fb4
 
7e7fb4
+# Check whether user wants LDAP support
7e7fb4
+LDAP_MSG="no"
7e7fb4
+INSTALL_SSH_LDAP_HELPER=""
7e7fb4
+AC_ARG_WITH(ldap,
7e7fb4
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
7e7fb4
+	[
7e7fb4
+		if test "x$withval" != "xno" ; then
7e7fb4
+
7e7fb4
+			INSTALL_SSH_LDAP_HELPER="yes"
7e7fb4
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
7e7fb4
+
7e7fb4
+			if test "x$withval" != "xyes" ; then
7e7fb4
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
7e7fb4
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
7e7fb4
+			fi
7e7fb4
+
7e7fb4
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
7e7fb4
+			LDAP_MSG="yes"
7e7fb4
+
7e7fb4
+			AC_CHECK_HEADERS(lber.h)
7e7fb4
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
7e7fb4
+			AC_CHECK_HEADERS(ldap_ssl.h)
7e7fb4
+
7e7fb4
+			AC_ARG_WITH(ldap-lib,
7e7fb4
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
7e7fb4
+
7e7fb4
+			if test -z "$with_ldap_lib"; then
7e7fb4
+				with_ldap_lib=auto
7e7fb4
+			fi
7e7fb4
+
7e7fb4
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
7e7fb4
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
7e7fb4
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
7e7fb4
+			fi
7e7fb4
+
7e7fb4
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
7e7fb4
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
7e7fb4
+			fi
7e7fb4
+
7e7fb4
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
7e7fb4
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
7e7fb4
+				if test -z "$found_ldap_lib"; then
7e7fb4
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
7e7fb4
+				fi
7e7fb4
+				if test -z "$found_ldap_lib"; then
7e7fb4
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
7e7fb4
+				fi
7e7fb4
+				if test -z "$found_ldap_lib"; then
7e7fb4
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
7e7fb4
+				fi
7e7fb4
+			fi
7e7fb4
+
7e7fb4
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
7e7fb4
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
7e7fb4
+			fi
7e7fb4
+
7e7fb4
+			if test -z "$found_ldap_lib"; then
7e7fb4
+				AC_MSG_ERROR(could not locate a valid LDAP library)
7e7fb4
+			fi
7e7fb4
+
7e7fb4
+			AC_MSG_CHECKING([for working LDAP support])
7e7fb4
+			AC_TRY_COMPILE(
7e7fb4
+				[#include <sys/types.h>
7e7fb4
+				 #include <ldap.h>],
7e7fb4
+				[(void)ldap_init(0, 0);],
7e7fb4
+				[AC_MSG_RESULT(yes)],
7e7fb4
+				[
7e7fb4
+				    AC_MSG_RESULT(no) 
7e7fb4
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
7e7fb4
+				])
7e7fb4
+			AC_CHECK_FUNCS( \
7e7fb4
+				ldap_init \
7e7fb4
+				ldap_get_lderrno \
7e7fb4
+				ldap_set_lderrno \
7e7fb4
+				ldap_parse_result \
7e7fb4
+				ldap_memfree \
7e7fb4
+				ldap_controls_free \
7e7fb4
+				ldap_set_option \
7e7fb4
+				ldap_get_option \
7e7fb4
+				ldapssl_init \
7e7fb4
+				ldap_start_tls_s \
7e7fb4
+				ldap_pvt_tls_set_option \
7e7fb4
+				ldap_initialize \
7e7fb4
+			)
7e7fb4
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
7e7fb4
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
7e7fb4
+				AC_TRY_COMPILE(
7e7fb4
+					[#include <lber.h>
7e7fb4
+					#include <ldap.h>],
7e7fb4
+					[ldap_set_rebind_proc(0, 0, 0);],
7e7fb4
+					[ac_cv_ldap_set_rebind_proc=3],
7e7fb4
+					[ac_cv_ldap_set_rebind_proc=2])
7e7fb4
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
7e7fb4
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
7e7fb4
+			)
7e7fb4
+		fi
7e7fb4
+	]
7e7fb4
+)
7e7fb4
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
7e7fb4
+
7e7fb4
 dnl    Checks for library functions. Please keep in alphabetical order
7e7fb4
 AC_CHECK_FUNCS( \
7e7fb4
 	arc4random \
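Review bot: The library probes in the `--with-ldap-lib` chain all look for the symbol `main` (`AC_CHECK_LIB(lber, main, ...)`, `AC_CHECK_LIB(ldap, main, ...)` and the netscape variants), which only proves that a library of that name links, not that it provides the LDAP API the helper later calls; probing a real entry point would make a broken or wrong-SDK install fail at configure time instead of at link or run time, e.g. `AC_CHECK_LIB(lber, ber_free, LIBS="-llber $LIBS" found_ldap_lib=yes)` and `AC_CHECK_LIB(ldap, ldap_init, LIBS="-lldap $LIBS" found_ldap_lib=yes)`. The rebind-proc arity test assigns `ac_cv_ldap_set_rebind_proc` directly rather than through AC_CACHE_CHECK, yet the `ac_cv_` prefix marks it as a cache variable that config.cache will save and reload, only to be overwritten unconditionally on the next run; a non-`ac_cv_` name, or wrapping the AC_TRY_COMPILE in AC_CACHE_CHECK, would make the intent clear. `CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"` is added with no explanation even though it is what keeps `ldap_simple_bind`/`ldap_init`/`ldap_get_lderrno` visible in the OpenLDAP headers; a comment such as `# the helper still uses the deprecated OpenLDAP 2.x API (ldap_simple_bind, ldap_init)` would save the next maintainer a search.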
Jan F 0e9135
diff -up openssh-5.8p2/HOWTO.ldap-keys.ldap openssh-5.8p2/HOWTO.ldap-keys
Jan F 0e9135
--- openssh-5.8p2/HOWTO.ldap-keys.ldap	2011-05-28 21:03:48.914981834 +0200
Jan F 0e9135
+++ openssh-5.8p2/HOWTO.ldap-keys	2011-05-28 21:03:48.922914614 +0200
Jan F 1f6bdc
@@ -0,0 +1,108 @@
Jan F 1f6bdc
+
Jan F 1f6bdc
+HOW TO START
Jan F 1499a2
+
Jan F 1499a2
+1) configure LDAP server
Jan F 1f6bdc
+  * Use LDAP server documentation
Jan F 1f6bdc
+2) add appropriate LDAP schema
Jan F 1f6bdc
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
Jan F 1f6bdc
+  * LDAP user entry
Jan F 1f6bdc
+        User entry:
Jan F 1f6bdc
+	- attached to the 'ldapPublicKey' objectclass
Jan F 1f6bdc
+	- attached to the 'posixAccount' objectclass
Jan F 1f6bdc
+	- with a filled 'sshPublicKey' attribute 
Jan F 1499a2
+3) insert users into LDAP
Jan F 1f6bdc
+  * Use LDAP Tree management tool as useful
Jan F 1f6bdc
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
Jan F 1f6bdc
+  * Example:
Jan F 1f6bdc
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
Jan F 1f6bdc
+	objectclass: top
Jan F 1f6bdc
+	objectclass: person
Jan F 1f6bdc
+	objectclass: organizationalPerson
Jan F 1f6bdc
+	objectclass: posixAccount
Jan F 1f6bdc
+	objectclass: ldapPublicKey
Jan F 1f6bdc
+	description: Jonathan Archer
Jan F 1f6bdc
+	userPassword: Porthos
Jan F 1f6bdc
+	cn: onathan Archer
Jan F 1f6bdc
+	sn: onathan Archer
Jan F 1f6bdc
+	uid: captain
Jan F 1f6bdc
+	uidNumber: 1001
Jan F 1f6bdc
+	gidNumber: 1001
Jan F 1f6bdc
+	homeDirectory: /home/captain
Jan F 1f6bdc
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
Jan F 1f6bdc
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
Jan F 1499a2
+4) on the ssh side set in sshd_config
Jan F 1f6bdc
+  * Set up the backend
Jan F 1f6bdc
+	AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
Jan F 1f6bdc
+	AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
Jan F 1f6bdc
+  * Do not forget to set
Jan F 1f6bdc
+	PubkeyAuthentication yes
Jan F 1f6bdc
+  * Swith off unnecessary auth methods
Jan F 1f6bdc
+5) confugure ldap.conf
Jan F 1f6bdc
+  * Default ldap.conf is placed in /etc/ssh
Jan F 1f6bdc
+  * The configuration style is the same as other ldap based aplications
Jan F 1f6bdc
+6) if necessary edit ssh-ldap-wrapper
Jan F 1f6bdc
+  * There is a possibility to change ldap.conf location
Jan F 1f6bdc
+  * There are some debug options
Jan F 1f6bdc
+  * Example
Jan F 1f6bdc
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
Jan F 1f6bdc
+
Jan F 1f6bdc
+HOW TO MIGRATE FROM LPK
Jan F 1f6bdc
+
Jan F 1f6bdc
+1) goto HOW TO START 4) .... the ldap schema is the same
Jan F 1f6bdc
+
Jan F 1f6bdc
+2) convert the group requests to the appropriate LDAP requests
Jan F 1f6bdc
+
Jan F 1f6bdc
+HOW TO SOLVE PROBLEMS
Jan F 1f6bdc
+
Jan F 1f6bdc
+1) use debug in sshd
Jan F 1f6bdc
+  * /usr/sbin/sshd -d -d -d -d
Jan F 1f6bdc
+2) use debug in ssh-ldap-helper
Jan F 1f6bdc
+  * ssh-ldap-helper -d -d -d -d -s <username>
Jan F 1f6bdc
+3) use tcpdump ... other ldap client etc.
Jan F 1f6bdc
+
Jan F 1f6bdc
+ADVANTAGES
Jan F 1f6bdc
+
Jan F 1f6bdc
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
Jan F 1f6bdc
+
Jan F 1f6bdc
+DISADVANTAGES
Jan F 1f6bdc
+
Jan F 1f6bdc
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
Jan F 1f6bdc
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
Jan F 1f6bdc
+  of your users in all your server farm -- be VERY CAREFUL.
Jan F 1f6bdc
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
Jan F 1f6bdc
+  as the impersonated user.
Jan F 1f6bdc
+3) If LDAP server is down there may be no fallback on passwd auth.
Jan F 1f6bdc
+  
Jan F 1f6bdc
+MISC.
Jan F 1f6bdc
+  
Jan F 1f6bdc
+1) todo
Jan F 1f6bdc
+  * Possibility to reuse the ssh-ldap-helper.
Jan F 1f6bdc
+  * Tune the LDAP part to accept  all possible LDAP configurations.
Jan F 1f6bdc
+
Jan F 1f6bdc
+2) differences from original lpk
Jan F 1f6bdc
+  * No LDAP code in sshd.
Jan F 1f6bdc
+  * Support for various LDAP platforms and configurations.
Jan F 1f6bdc
+  * LDAP is configured in separate ldap.conf file.
Jan F 1f6bdc
+
Jan F 1f6bdc
+3) docs/link 
Jan F 1f6bdc
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
Jan F 1f6bdc
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
Jan F 1f6bdc
+  * http://fritz.potsdam.edu/projects/sshgate/
Jan F 1f6bdc
+  * http://dev.inversepath.com/trac/openssh-lpk
Jan F 1f6bdc
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
Jan F 1f6bdc
+
Jan F 1f6bdc
+4) contributors/ideas/greets
Jan F 1f6bdc
+  - Eric AUGE <eau@phear.org>
Jan F 1f6bdc
+  - Andrea Barisani <andrea@inversepath.com>
Jan F 1f6bdc
+  - Falk Siemonsmeier.
Jan F 1f6bdc
+  - Jacob Rief.
Jan F 1f6bdc
+  - Michael Durchgraf.
Jan F 1f6bdc
+  - frederic peters.
Jan F 1f6bdc
+  - Finlay dobbie.
Jan F 1f6bdc
+  - Stefan Fisher.
Jan F 1f6bdc
+  - Robin H. Johnson.
Jan F 1f6bdc
+  - Adrian Bridgett.
Jan F 1499a2
+
Jan F 1f6bdc
+5) Author
Jan F 1f6bdc
+    Jan F. Chadima <jchadima@redhat.com>
Jan F 1499a2
+
Jan F 0e9135
diff -up openssh-5.8p2/ldapbody.c.ldap openssh-5.8p2/ldapbody.c
Jan F 0e9135
--- openssh-5.8p2/ldapbody.c.ldap	2011-05-28 21:03:48.984982387 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldapbody.c	2011-05-28 21:03:48.994983833 +0200
7e7fb4
@@ -0,0 +1,494 @@
7e7fb4
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
7e7fb4
+/*
7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
7e7fb4
+ *
7e7fb4
+ * Redistribution and use in source and binary forms, with or without
7e7fb4
+ * modification, are permitted provided that the following conditions
7e7fb4
+ * are met:
7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
7e7fb4
+ *    documentation and/or other materials provided with the distribution.
7e7fb4
+ *
7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+#include "ldapincludes.h"
7e7fb4
+#include "log.h"
7e7fb4
+#include "xmalloc.h"
7e7fb4
+#include "ldapconf.h"
7e7fb4
+#include "ldapmisc.h"
7e7fb4
+#include "ldapbody.h"
7e7fb4
+#include <stdio.h>
7e7fb4
+#include <unistd.h>
7e7fb4
+
7e7fb4
+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
7e7fb4
+#define PUBKEYATTR "sshPublicKey"
7e7fb4
+#define LDAP_LOGFILE	"%s/ldap.%d"
7e7fb4
+
7e7fb4
+static FILE *logfile = NULL;
7e7fb4
+static LDAP *ld;
7e7fb4
+
7e7fb4
+static char *attrs[] = {
7e7fb4
+    PUBKEYATTR,
7e7fb4
+    NULL
7e7fb4
+};
7e7fb4
+
7e7fb4
+void
7e7fb4
+ldap_checkconfig (void)
7e7fb4
+{
7e7fb4
+#ifdef HAVE_LDAP_INITIALIZE
7e7fb4
+		if (options.host == NULL && options.uri == NULL)
7e7fb4
+#else
7e7fb4
+		if (options.host == NULL)
7e7fb4
+#endif
7e7fb4
+		    fatal ("missing  \"host\" in config file");
7e7fb4
+}
7e7fb4
+
7e7fb4
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
7e7fb4
+static int
7e7fb4
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
7e7fb4
+{
7e7fb4
+	struct timeval timeout;
7e7fb4
+	int rc;
7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
7e7fb4
+	LDAPMessage *result;
7e7fb4
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
7e7fb4
+
7e7fb4
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
7e7fb4
+	if (options.ssl == SSL_START_TLS) {
7e7fb4
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
7e7fb4
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
7e7fb4
+			return LDAP_OPERATIONS_ERROR;
7e7fb4
+		}
7e7fb4
+	}
7e7fb4
+
7e7fb4
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
7e7fb4
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
7e7fb4
+#else
7e7fb4
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
7e7fb4
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
7e7fb4
+
7e7fb4
+	timeout.tv_sec = options.bind_timelimit;
7e7fb4
+	timeout.tv_usec = 0;
7e7fb4
+	result = NULL;
7e7fb4
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
7e7fb4
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
7e7fb4
+		ldap_msgfree (result);
7e7fb4
+		return LDAP_OPERATIONS_ERROR;
7e7fb4
+	}
7e7fb4
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
7e7fb4
+	return rc;
7e7fb4
+#endif
7e7fb4
+}
7e7fb4
+#else
7e7fb4
+
7e7fb4
+static int
7e7fb4
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
7e7fb4
+{
7e7fb4
+	if (freeit)
7e7fb4
+	    return LDAP_SUCCESS;
7e7fb4
+
7e7fb4
+	*whop = strdup (options.binddn);
7e7fb4
+	*credp = strdup (options.bindpw);
7e7fb4
+	*methodp = LDAP_AUTH_SIMPLE;
7e7fb4
+	debug2 ("Doing LDAP rebind for %s", *whop);
7e7fb4
+	return LDAP_SUCCESS;
7e7fb4
+}
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+void
7e7fb4
+ldap_do_connect(void)
7e7fb4
+{
7e7fb4
+	int rc, msgid, ld_errno = 0;
7e7fb4
+	struct timeval timeout;
7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
7e7fb4
+	int parserc;
7e7fb4
+	LDAPMessage *result;
7e7fb4
+	LDAPControl **controls;
7e7fb4
+	int reconnect = 0;
7e7fb4
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
7e7fb4
+
7e7fb4
+	debug ("LDAP do connect");
7e7fb4
+
7e7fb4
+retry:
7e7fb4
+	if (reconnect) {
7e7fb4
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
7e7fb4
+		if (options.bind_policy == 0 ||
7e7fb4
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
7e7fb4
+			reconnect > 5)
7e7fb4
+			    fatal ("Cannot connect to LDAP server");
7e7fb4
+	
7e7fb4
+		if (reconnect > 1)
7e7fb4
+			sleep (reconnect - 1);
7e7fb4
+
7e7fb4
+		if (ld != NULL) {
7e7fb4
+			ldap_unbind (ld);
7e7fb4
+			ld = NULL;
7e7fb4
+		}
7e7fb4
+		logit("reconnecting to LDAP server...");
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	if (ld == NULL) {
7e7fb4
+		int rc;
7e7fb4
+		struct timeval tv;
7e7fb4
+
7e7fb4
+#ifdef HAVE_LDAP_SET_OPTION
7e7fb4
+		if (options.debug > 0) {
7e7fb4
+#ifdef LBER_OPT_LOG_PRINT_FILE
7e7fb4
+			if (options.logdir) {
7e7fb4
+				char *logfilename;
7e7fb4
+				int logfilenamelen;
7e7fb4
+
7e7fb4
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
7e7fb4
+				logfilename = xmalloc (logfilenamelen);
7e7fb4
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
7e7fb4
+				logfilename[logfilenamelen - 1] = 0;
7e7fb4
+				if ((logfile = fopen (logfilename, "a")) == NULL)
7e7fb4
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
7e7fb4
+				debug3 ("LDAP debug into %s", logfilename);
7e7fb4
+				xfree (logfilename);
7e7fb4
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
7e7fb4
+			}
7e7fb4
+#endif
7e7fb4
+			if (options.debug) {
7e7fb4
+#ifdef LBER_OPT_DEBUG_LEVEL
7e7fb4
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
7e7fb4
+#endif /* LBER_OPT_DEBUG_LEVEL */
7e7fb4
+#ifdef LDAP_OPT_DEBUG_LEVEL
7e7fb4
+				ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
7e7fb4
+#endif /* LDAP_OPT_DEBUG_LEVEL */
7e7fb4
+				debug3 ("Set LDAP debug to %d", options.debug);
7e7fb4
+			}
7e7fb4
+		}
7e7fb4
+#endif /* HAVE_LDAP_SET_OPTION */
7e7fb4
+
7e7fb4
+		ld = NULL;
7e7fb4
+#ifdef HAVE_LDAPSSL_INIT
7e7fb4
+		if (options.host != NULL) {
7e7fb4
+			if (options.ssl_on == SSL_LDAPS) {
7e7fb4
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
7e7fb4
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
7e7fb4
+				debug3 ("LDAPssl client init");
7e7fb4
+			}
7e7fb4
+
7e7fb4
+			if (options.ssl_on != SSL_OFF) {
7e7fb4
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
7e7fb4
+				    fatal ("ldapssl_init failed");
7e7fb4
+				debug3 ("LDAPssl init");
7e7fb4
+			}
7e7fb4
+		}
7e7fb4
+#endif /* HAVE_LDAPSSL_INIT */
7e7fb4
+
7e7fb4
+		/* continue with opening */
7e7fb4
+		if (ld == NULL) {
7e7fb4
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
7e7fb4
+			/* Some global TLS-specific options need to be set before we create our
7e7fb4
+			 * session context, so we set them here. */
7e7fb4
+
7e7fb4
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
7e7fb4
+			/* rand file */
7e7fb4
+			if (options.tls_randfile != NULL) {
7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
7e7fb4
+				    options.tls_randfile)) != LDAP_SUCCESS)
7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
7e7fb4
+					    ldap_err2string (rc));
7e7fb4
+				debug3 ("Set TLS random file %s", options.tls_randfile);
7e7fb4
+			}
7e7fb4
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
7e7fb4
+
7e7fb4
+			/* ca cert file */
7e7fb4
+			if (options.tls_cacertfile != NULL) {
7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
7e7fb4
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
7e7fb4
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
7e7fb4
+					    ldap_err2string (rc));
7e7fb4
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
7e7fb4
+			}
7e7fb4
+
7e7fb4
+			/* ca cert directory */
7e7fb4
+			if (options.tls_cacertdir != NULL) {
7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
7e7fb4
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
7e7fb4
+					    ldap_err2string (rc));
7e7fb4
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
7e7fb4
+			}
7e7fb4
+
7e7fb4
+			/* require cert? */
7e7fb4
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
7e7fb4
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
7e7fb4
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
7e7fb4
+				    ldap_err2string (rc));
7e7fb4
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
7e7fb4
+
7e7fb4
+			/* set cipher suite, certificate and private key: */
7e7fb4
+			if (options.tls_ciphers != NULL) {
7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
7e7fb4
+				    options.tls_ciphers)) != LDAP_SUCCESS)
7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
7e7fb4
+					    ldap_err2string (rc));
7e7fb4
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
7e7fb4
+			}
7e7fb4
+
7e7fb4
+			/* cert file */
7e7fb4
+			if (options.tls_cert != NULL) {
7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
7e7fb4
+				    options.tls_cert)) != LDAP_SUCCESS)
7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
7e7fb4
+					    ldap_err2string (rc));
7e7fb4
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
7e7fb4
+			}
7e7fb4
+
7e7fb4
+			/* key file */
7e7fb4
+			if (options.tls_key != NULL) {
7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
7e7fb4
+				    options.tls_key)) != LDAP_SUCCESS)
7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
7e7fb4
+					    ldap_err2string (rc));
7e7fb4
+				debug3 ("Set TLS key file %s ", options.tls_key);
7e7fb4
+			}
7e7fb4
+#endif
7e7fb4
+#ifdef HAVE_LDAP_INITIALIZE
7e7fb4
+			if (options.uri != NULL) {
7e7fb4
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
7e7fb4
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
7e7fb4
+				debug3 ("LDAP initialize %s", options.uri);
7e7fb4
+			}
7e7fb4
+	}
7e7fb4
+#endif /* HAVE_LDAP_INTITIALIZE */
7e7fb4
+
7e7fb4
+		/* continue with opening */
7e7fb4
+		if ((ld == NULL) && (options.host != NULL)) {
7e7fb4
+#ifdef HAVE_LDAP_INIT
7e7fb4
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
7e7fb4
+			    fatal ("ldap_init failed");
7e7fb4
+			debug3 ("LDAP init %s:%d", options.host, options.port);
7e7fb4
+#else
7e7fb4
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
7e7fb4
+			    fatal ("ldap_open failed");
7e7fb4
+			debug3 ("LDAP open %s:%d", options.host, options.port);
7e7fb4
+#endif /* HAVE_LDAP_INIT */
7e7fb4
+		}
7e7fb4
+
7e7fb4
+		if (ld == NULL)
7e7fb4
+			fatal ("no way to open ldap");
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
7e7fb4
+		if (options.ssl == SSL_LDAPS) {
7e7fb4
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
7e7fb4
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
7e7fb4
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
7e7fb4
+		}
7e7fb4
+#endif /* LDAP_OPT_X_TLS */
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
7e7fb4
+		    &options.ldap_version);
7e7fb4
+#else
7e7fb4
+		ld->ld_version = options.ldap_version;
7e7fb4
+#endif
7e7fb4
+		debug3 ("LDAP set version to %d", options.ldap_version);
7e7fb4
+
7e7fb4
+#if LDAP_SET_REBIND_PROC_ARGS == 3
7e7fb4
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
7e7fb4
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
7e7fb4
+		ldap_set_rebind_proc (ld, _rebind_proc);
7e7fb4
+#else
7e7fb4
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
7e7fb4
+#endif
7e7fb4
+		debug3 ("LDAP set rebind proc");
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
7e7fb4
+#else
7e7fb4
+		ld->ld_deref = options.deref;
7e7fb4
+#endif
7e7fb4
+		debug3 ("LDAP set deref to %d", options.deref);
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
7e7fb4
+		    &options.timelimit);
7e7fb4
+#else
7e7fb4
+		ld->ld_timelimit = options.timelimit;
7e7fb4
+#endif
7e7fb4
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
7e7fb4
+		/*
7e7fb4
+		 * This is a new option in the Netscape SDK which sets 
7e7fb4
+		 * the TCP connect timeout. For want of a better value,
7e7fb4
+		 * we use the bind_timelimit to control this.
7e7fb4
+		 */
7e7fb4
+		timeout = options.bind_timelimit * 1000;
7e7fb4
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
7e7fb4
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
7e7fb4
+		tv.tv_sec = options.bind_timelimit;
7e7fb4
+		tv.tv_usec = 0;
7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
7e7fb4
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
7e7fb4
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
7e7fb4
+		debug3 ("LDAP set referrals to %d", options.referrals);
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
7e7fb4
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
7e7fb4
+		debug3 ("LDAP set restart to %d", options.restart);
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+#ifdef HAVE_LDAP_START_TLS_S
7e7fb4
+		if (options.ssl == SSL_START_TLS) {
7e7fb4
+			int version;
7e7fb4
+
7e7fb4
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
7e7fb4
+			    == LDAP_SUCCESS) {
7e7fb4
+				if (version < LDAP_VERSION3) {
7e7fb4
+					version = LDAP_VERSION3;
7e7fb4
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
7e7fb4
+					    &version);
7e7fb4
+					debug3 ("LDAP set version to %d", version);
7e7fb4
+				}
7e7fb4
+			}
7e7fb4
+
7e7fb4
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
7e7fb4
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
7e7fb4
+			debug3 ("LDAP start TLS");
7e7fb4
+		}
7e7fb4
+#endif /* HAVE_LDAP_START_TLS_S */
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
7e7fb4
+	    options.bindpw)) == -1) {
7e7fb4
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
7e7fb4
+
7e7fb4
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
7e7fb4
+		reconnect++;
7e7fb4
+		goto retry;
7e7fb4
+	}
7e7fb4
+	debug3 ("LDAP simple bind (%s)", options.binddn);
7e7fb4
+
7e7fb4
+	timeout.tv_sec = options.bind_timelimit;
7e7fb4
+	timeout.tv_usec = 0;
7e7fb4
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
7e7fb4
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
7e7fb4
+
7e7fb4
+		error ("ldap_result %s", ldap_err2string (ld_errno));
7e7fb4
+		reconnect++;
7e7fb4
+		goto retry;
7e7fb4
+	}
7e7fb4
+	debug3 ("LDAP result in time");
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
7e7fb4
+	controls = NULL;
7e7fb4
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
7e7fb4
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
7e7fb4
+	debug3 ("LDAP parse result OK");
7e7fb4
+
7e7fb4
+	if (controls != NULL) {
7e7fb4
+		ldap_controls_free (controls);
7e7fb4
+	}
7e7fb4
+#else
7e7fb4
+	rc = ldap_result2error (session->ld, result, TRUE);
7e7fb4
+#endif
7e7fb4
+	if (rc != LDAP_SUCCESS)
7e7fb4
+	    fatal ("error trying to bind as user \"%s\" (%s)",
7e7fb4
+		options.binddn, ldap_err2string (rc));
7e7fb4
+
7e7fb4
+	debug2 ("LDAP do connect OK");
7e7fb4
+}
7e7fb4
+
7e7fb4
+void
7e7fb4
+process_user (const char *user, FILE *output)
7e7fb4
+{
7e7fb4
+	LDAPMessage *res, *e;
7e7fb4
+	char *buffer;
7e7fb4
+	int bufflen, rc, i;
7e7fb4
+	struct timeval timeout;
7e7fb4
+
7e7fb4
+	debug ("LDAP process user");
7e7fb4
+
7e7fb4
+	/* quick check for attempts to be evil */
7e7fb4
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
7e7fb4
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
7e7fb4
+		logit ("illegal user name %s not processed", user);
7e7fb4
+		return;
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	/* build  filter for LDAP request */
7e7fb4
+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
7e7fb4
+	if (options.ssh_filter != NULL)
7e7fb4
+	    bufflen += strlen (options.ssh_filter);
7e7fb4
+	buffer = xmalloc (bufflen);
7e7fb4
+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
7e7fb4
+	buffer[bufflen - 1] = 0;
7e7fb4
+
7e7fb4
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
7e7fb4
+
7e7fb4
+	timeout.tv_sec = options.timelimit;
7e7fb4
+	timeout.tv_usec = 0;
7e7fb4
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
7e7fb4
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
7e7fb4
+		xfree (buffer);
7e7fb4
+		return;
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	/* free */
7e7fb4
+	xfree (buffer);
7e7fb4
+
7e7fb4
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
7e7fb4
+		int num;
7e7fb4
+		struct berval **keys;
7e7fb4
+
7e7fb4
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
7e7fb4
+		num = ldap_count_values_len(keys);
7e7fb4
+		for (i = 0 ; i < num ; i++) {
7e7fb4
+			char *cp; //, *options = NULL;
7e7fb4
+
7e7fb4
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
7e7fb4
+			if (!*cp || *cp == '\n' || *cp == '#')
7e7fb4
+			    continue;
7e7fb4
+
7e7fb4
+			/* We have found the desired key. */
7e7fb4
+			fprintf (output, "%s\n", keys[i]->bv_val);
7e7fb4
+		}
7e7fb4
+
7e7fb4
+		ldap_value_free_len(keys);
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	ldap_msgfree(res);
7e7fb4
+	debug2 ("LDAP process user finished");
7e7fb4
+}
7e7fb4
+
7e7fb4
+void
7e7fb4
+ldap_do_close(void)
7e7fb4
+{
7e7fb4
+	int rc;
7e7fb4
+
7e7fb4
+	debug ("LDAP do close");
7e7fb4
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
7e7fb4
+	    fatal ("ldap_unbind_ext: %s",
7e7fb4
+                                    ldap_err2string (rc));
7e7fb4
+
7e7fb4
+	ld = NULL;
7e7fb4
+	debug2 ("LDAP do close OK");
7e7fb4
+	return;
7e7fb4
+}
7e7fb4
+
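Review bot: In process_user the search filter is built with `snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);`, so whenever no ssh_filter is configured a NULL pointer is passed for a `%s` conversion — undefined behaviour, and on glibc it typically yields the literal text `(null)` inside the filter, which is not a valid RFC 4515 filter and makes every lookup fail; the fallback should be the empty string: `snprintf (buffer, bufflen, LDAPSEARCH_FORMAT, user, options.ssh_filter != NULL ? options.ssh_filter : "");`. The rejection check just above it refuses user names containing `(`, `)`, `*` or `\`, which are the characters RFC 4515 requires to be escaped, so the user-controlled part of the filter is safe once the NULL case is fixed, and a comment saying exactly that (`/* reject the RFC 4515 metacharacters instead of escaping them */`) would make the intent reviewable. Two further lines look like they cannot compile on at least one configuration: `(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;` (presumably meant `&tv);`, unless this is a rendering artifact of the page) and the `#else` branch `rc = ldap_result2error (session->ld, result, TRUE);` in ldap_do_connect, where `session` is not declared anywhere in this file. The `}` that follows the `ldap_initialize` call sits inside `#ifdef HAVE_LDAP_INITIALIZE`, so the `if (ld == NULL) {` block that opens before the TLS option settings is left unclosed when that macro is not defined; the brace should move below the `#endif /* HAVE_LDAP_INTITIALIZE */` line.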
Jan F 0e9135
diff -up openssh-5.8p2/ldapbody.h.ldap openssh-5.8p2/ldapbody.h
Jan F 0e9135
--- openssh-5.8p2/ldapbody.h.ldap	2011-05-28 21:03:49.063861457 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldapbody.h	2011-05-28 21:03:49.070983552 +0200
7e7fb4
@@ -0,0 +1,37 @@
7e7fb4
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
7e7fb4
+/*
7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
7e7fb4
+ *
7e7fb4
+ * Redistribution and use in source and binary forms, with or without
7e7fb4
+ * modification, are permitted provided that the following conditions
7e7fb4
+ * are met:
7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
7e7fb4
+ *    documentation and/or other materials provided with the distribution.
7e7fb4
+ *
7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+#ifndef LDAPBODY_H
7e7fb4
+#define LDAPBODY_H
7e7fb4
+
7e7fb4
+#include <stdio.h>
7e7fb4
+
7e7fb4
+void ldap_checkconfig(void);
7e7fb4
+void ldap_do_connect(void);
7e7fb4
+void process_user(const char *, FILE *);
7e7fb4
+void ldap_do_close(void);
7e7fb4
+
7e7fb4
+#endif /* LDAPBODY_H */
7e7fb4
+
Jan F 0e9135
diff -up openssh-5.8p2/ldapconf.c.ldap openssh-5.8p2/ldapconf.c
Jan F 0e9135
--- openssh-5.8p2/ldapconf.c.ldap	2011-05-28 21:03:49.145860570 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldapconf.c	2011-05-28 21:03:49.154983297 +0200
86b2d1
@@ -0,0 +1,682 @@
7e7fb4
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
7e7fb4
+/*
7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
7e7fb4
+ *
7e7fb4
+ * Redistribution and use in source and binary forms, with or without
7e7fb4
+ * modification, are permitted provided that the following conditions
7e7fb4
+ * are met:
7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
7e7fb4
+ *    documentation and/or other materials provided with the distribution.
7e7fb4
+ *
7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+#include "ldapincludes.h"
7e7fb4
+#include "ldap-helper.h"
7e7fb4
+#include "log.h"
7e7fb4
+#include "misc.h"
7e7fb4
+#include "xmalloc.h"
7e7fb4
+#include "ldapconf.h"
7e7fb4
+#include <unistd.h>
7e7fb4
+#include <string.h>
7e7fb4
+
7e7fb4
+/* Keyword tokens. */
7e7fb4
+
7e7fb4
+typedef enum {
7e7fb4
+	lBadOption,
7e7fb4
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
7e7fb4
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
7e7fb4
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
86b2d1
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
7e7fb4
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
86b2d1
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
7e7fb4
+	lDeprecated, lUnsupported
7e7fb4
+} OpCodes;
7e7fb4
+
7e7fb4
+/* Textual representations of the tokens. */
7e7fb4
+
7e7fb4
+static struct {
7e7fb4
+	const char *name;
7e7fb4
+	OpCodes opcode;
7e7fb4
+} keywords[] = {
7e7fb4
+	{ "URI", lURI },
7e7fb4
+	{ "Base", lBase },
7e7fb4
+	{ "BindDN", lBindDN },
7e7fb4
+	{ "BindPW", lBindPW },
7e7fb4
+	{ "RootBindDN", lRootBindDN },
86b2d1
+	{ "Host", lHost },
86b2d1
+	{ "Port", lPort },
7e7fb4
+	{ "Scope", lScope },
7e7fb4
+	{ "Deref", lDeref },
86b2d1
+	{ "TimeLimit", lTimeLimit },
86b2d1
+	{ "TimeOut", lTimeLimit },
7e7fb4
+	{ "Bind_Timelimit", lBind_TimeLimit },
86b2d1
+	{ "Network_TimeOut", lBind_TimeLimit },
86b2d1
+/*
86b2d1
+ * Todo
86b2d1
+ * SIZELIMIT
86b2d1
+ */
7e7fb4
+	{ "Ldap_Version", lLdap_Version },
86b2d1
+	{ "Version", lLdap_Version },
7e7fb4
+	{ "Bind_Policy", lBind_Policy },
7e7fb4
+	{ "SSLPath", lSSLPath },
7e7fb4
+	{ "SSL", lSSL },
7e7fb4
+	{ "Referrals", lReferrals },
7e7fb4
+	{ "Restart", lRestart },
7e7fb4
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
4669c3
+	{ "TLS_ReqCert", lTLS_CheckPeer },
7e7fb4
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
4669c3
+	{ "TLS_CaCert", lTLS_CaCertFile },
7e7fb4
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
7e7fb4
+	{ "TLS_Ciphers", lTLS_Ciphers },
4669c3
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
7e7fb4
+	{ "TLS_Cert", lTLS_Cert },
86b2d1
+	{ "TLS_Certificate", lTLS_Cert },
7e7fb4
+	{ "TLS_Key", lTLS_Key },
7e7fb4
+	{ "TLS_RandFile", lTLS_RandFile },
4669c3
+/*
4669c3
+ * Todo
4669c3
+ * TLS_CRLCHECK
4669c3
+ * TLS_CRLFILE
4669c3
+ */
86b2d1
+	{ "LogDir", lLogDir },
7e7fb4
+	{ "Debug", lDebug },
7e7fb4
+	{ "SSH_Filter", lSSH_Filter },
7e7fb4
+	{ NULL, lBadOption }
7e7fb4
+};
7e7fb4
+
7e7fb4
+/* Configuration ptions. */
7e7fb4
+
7e7fb4
+Options options;
7e7fb4
+
7e7fb4
+/*
7e7fb4
+ * Returns the number of the token pointed to by cp or oBadOption.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+static OpCodes
7e7fb4
+parse_token(const char *cp, const char *filename, int linenum)
7e7fb4
+{
7e7fb4
+	u_int i;
7e7fb4
+
7e7fb4
+	for (i = 0; keywords[i].name; i++)
7e7fb4
+		if (strcasecmp(cp, keywords[i].name) == 0)
7e7fb4
+			return keywords[i].opcode;
7e7fb4
+
7e7fb4
+	if (config_warning_config_file) 
7e7fb4
+	    logit("%s: line %d: Bad configuration option: %s",
7e7fb4
+		filename, linenum, cp);
7e7fb4
+	return lBadOption;
7e7fb4
+}
7e7fb4
+
7e7fb4
+/*
7e7fb4
+ * Processes a single option line as used in the configuration files. This
7e7fb4
+ * only sets those values that have not already been set.
7e7fb4
+ */
7e7fb4
+#define WHITESPACE " \t\r\n"
7e7fb4
+
7e7fb4
+static int
7e7fb4
+process_config_line(char *line, const char *filename, int linenum)
7e7fb4
+{
7e7fb4
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
7e7fb4
+	char *rootbinddn = NULL;
7e7fb4
+	int opcode, *intptr, value;
7e7fb4
+	size_t len;
7e7fb4
+
7e7fb4
+	/* Strip trailing whitespace */
7e7fb4
+	for (len = strlen(line) - 1; len > 0; len--) {
7e7fb4
+		if (strchr(WHITESPACE, line[len]) == NULL)
7e7fb4
+			break;
7e7fb4
+		line[len] = '\0';
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	s = line;
7e7fb4
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
7e7fb4
+	if ((keyword = strdelim(&s)) == NULL)
7e7fb4
+		return 0;
7e7fb4
+	/* Ignore leading whitespace. */
7e7fb4
+	if (*keyword == '\0')
7e7fb4
+		keyword = strdelim(&s);
7e7fb4
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
7e7fb4
+		return 0;
7e7fb4
+
7e7fb4
+	opcode = parse_token(keyword, filename, linenum);
7e7fb4
+
7e7fb4
+	switch (opcode) {
7e7fb4
+	case lBadOption:
7e7fb4
+		/* don't panic, but count bad options */
7e7fb4
+		return -1;
7e7fb4
+		/* NOTREACHED */
7e7fb4
+
7e7fb4
+	case lHost:
7e7fb4
+		xstringptr = &options.host;
7e7fb4
+parse_xstring:
7e7fb4
+		if (!s || *s == '\0')
7e7fb4
+		    fatal("%s line %d: missing dn",filename,linenum);
7e7fb4
+		if (*xstringptr == NULL)
7e7fb4
+		    *xstringptr = xstrdup(s);
7e7fb4
+		return 0;
7e7fb4
+
7e7fb4
+	case lURI:
7e7fb4
+		xstringptr = &options.uri;
7e7fb4
+		goto parse_xstring;
7e7fb4
+
7e7fb4
+	case lBase:
7e7fb4
+		xstringptr = &options.base;
7e7fb4
+		goto parse_xstring;
7e7fb4
+
7e7fb4
+	case lBindDN:
7e7fb4
+		xstringptr = &options.binddn;
7e7fb4
+		goto parse_xstring;
7e7fb4
+
7e7fb4
+	case lBindPW:
7e7fb4
+		charptr = &options.bindpw;
7e7fb4
+parse_string:
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
7e7fb4
+		if (*charptr == NULL)
7e7fb4
+			*charptr = xstrdup(arg);
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lRootBindDN:
7e7fb4
+		xstringptr = &rootbinddn;
7e7fb4
+		goto parse_xstring;
7e7fb4
+
7e7fb4
+	case lScope:
7e7fb4
+		intptr = &options.scope;
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
7e7fb4
+		value = 0;	/* To avoid compiler warning... */
86b2d1
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
7e7fb4
+			value = LDAP_SCOPE_SUBTREE;
86b2d1
+		else if (strcasecmp (arg, "one") == 0)
7e7fb4
+			value = LDAP_SCOPE_ONELEVEL;
86b2d1
+		else if (strcasecmp (arg, "base") == 0)
7e7fb4
+			value = LDAP_SCOPE_BASE;
7e7fb4
+		else
7e7fb4
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
7e7fb4
+		if (*intptr == -1)
7e7fb4
+			*intptr = value;
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lDeref:
7e7fb4
+		intptr = &options.scope;
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
7e7fb4
+		value = 0;	/* To avoid compiler warning... */
7e7fb4
+		if (!strcasecmp (arg, "never"))
7e7fb4
+			value = LDAP_DEREF_NEVER;
7e7fb4
+		else if (!strcasecmp (arg, "searching"))
7e7fb4
+			value = LDAP_DEREF_SEARCHING;
7e7fb4
+		else if (!strcasecmp (arg, "finding"))
7e7fb4
+			value = LDAP_DEREF_FINDING;
7e7fb4
+		else if (!strcasecmp (arg, "always"))
7e7fb4
+			value = LDAP_DEREF_ALWAYS;
7e7fb4
+		else
7e7fb4
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
7e7fb4
+		if (*intptr == -1)
7e7fb4
+			*intptr = value;
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lPort:
7e7fb4
+		intptr = &options.port;
7e7fb4
+parse_int:
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
7e7fb4
+		if (arg[0] < '0' || arg[0] > '9')
7e7fb4
+			fatal("%.200s line %d: Bad number.", filename, linenum);
7e7fb4
+
7e7fb4
+		/* Octal, decimal, or hex format? */
7e7fb4
+		value = strtol(arg, &endofnumber, 0);
7e7fb4
+		if (arg == endofnumber)
7e7fb4
+			fatal("%.200s line %d: Bad number.", filename, linenum);
7e7fb4
+		if (*intptr == -1)
7e7fb4
+			*intptr = value;
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lTimeLimit:
7e7fb4
+		intptr = &options.timelimit;
7e7fb4
+parse_time:
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%s line %d: missing time value.",
7e7fb4
+			    filename, linenum);
7e7fb4
+		if ((value = convtime(arg)) == -1)
7e7fb4
+			fatal("%s line %d: invalid time value.",
7e7fb4
+			    filename, linenum);
7e7fb4
+		if (*intptr == -1)
7e7fb4
+			*intptr = value;
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lBind_TimeLimit:
7e7fb4
+		intptr = &options.bind_timelimit;
7e7fb4
+		goto parse_time;
7e7fb4
+
7e7fb4
+	case lLdap_Version:
7e7fb4
+		intptr = &options.ldap_version;
7e7fb4
+		goto parse_int;
7e7fb4
+
7e7fb4
+	case lBind_Policy:
7e7fb4
+		intptr = &options.bind_policy;
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
7e7fb4
+		value = 0;	/* To avoid compiler warning... */
86b2d1
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
7e7fb4
+			value = 1;
7e7fb4
+		else if (strcasecmp(arg, "soft") == 0)
7e7fb4
+			value = 0;
7e7fb4
+		else
7e7fb4
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
7e7fb4
+		if (*intptr == -1)
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lSSLPath:
7e7fb4
+		charptr = &options.sslpath;
7e7fb4
+		goto parse_string;
7e7fb4
+
7e7fb4
+	case lSSL:
7e7fb4
+		intptr = &options.ssl;
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
7e7fb4
+		value = 0;	/* To avoid compiler warning... */
7e7fb4
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
7e7fb4
+			value = SSL_LDAPS;
7e7fb4
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
7e7fb4
+			value = SSL_OFF;
7e7fb4
+		else if (!strcasecmp (arg, "start_tls"))
7e7fb4
+			value = SSL_START_TLS;
7e7fb4
+		else
7e7fb4
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
7e7fb4
+		if (*intptr == -1)
7e7fb4
+			*intptr = value;
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lReferrals:
7e7fb4
+		intptr = &options.referrals;
7e7fb4
+parse_flag:
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
7e7fb4
+		value = 0;	/* To avoid compiler warning... */
7e7fb4
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
7e7fb4
+			value = 1;
7e7fb4
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
7e7fb4
+			value = 0;
7e7fb4
+		else
7e7fb4
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
7e7fb4
+		if (*intptr == -1)
7e7fb4
+			*intptr = value;
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lRestart:
7e7fb4
+		intptr = &options.restart;
7e7fb4
+		goto parse_flag;
7e7fb4
+
7e7fb4
+	case lTLS_CheckPeer:
7e7fb4
+		intptr = &options.tls_checkpeer;
7e7fb4
+		arg = strdelim(&s);
7e7fb4
+		if (!arg || *arg == '\0')
7e7fb4
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
7e7fb4
+		value = 0;	/* To avoid compiler warning... */
b6bdf1
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
7e7fb4
+			value = LDAP_OPT_X_TLS_NEVER;
b6bdf1
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
7e7fb4
+			value = LDAP_OPT_X_TLS_HARD;
7e7fb4
+		else if (strcasecmp(arg, "demand") == 0)
7e7fb4
+			value = LDAP_OPT_X_TLS_DEMAND;
7e7fb4
+		else if (strcasecmp(arg, "allow") == 0)
7e7fb4
+			value = LDAP_OPT_X_TLS_ALLOW;
7e7fb4
+		else if (strcasecmp(arg, "try") == 0)
7e7fb4
+			value = LDAP_OPT_X_TLS_TRY;
7e7fb4
+		else
7e7fb4
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
7e7fb4
+		if (*intptr == -1)
7e7fb4
+		break;
7e7fb4
+
7e7fb4
+	case lTLS_CaCertFile:
7e7fb4
+		charptr = &options.tls_cacertfile;
7e7fb4
+		goto parse_string;
7e7fb4
+
7e7fb4
+	case lTLS_CaCertDir:
7e7fb4
+		charptr = &options.tls_cacertdir;
7e7fb4
+		goto parse_string;
7e7fb4
+
7e7fb4
+	case lTLS_Ciphers:
7e7fb4
+		xstringptr = &options.tls_ciphers;
7e7fb4
+		goto parse_xstring;
7e7fb4
+
7e7fb4
+	case lTLS_Cert:
7e7fb4
+		charptr = &options.tls_cert;
7e7fb4
+		goto parse_string;
7e7fb4
+
7e7fb4
+	case lTLS_Key:
7e7fb4
+		charptr = &options.tls_key;
7e7fb4
+		goto parse_string;
7e7fb4
+
7e7fb4
+	case lTLS_RandFile:
7e7fb4
+		charptr = &options.tls_randfile;
7e7fb4
+		goto parse_string;
7e7fb4
+
86b2d1
+	case lLogDir:
7e7fb4
+		charptr = &options.logdir;
7e7fb4
+		goto parse_string;
7e7fb4
+
7e7fb4
+	case lDebug:
7e7fb4
+		intptr = &options.debug;
7e7fb4
+		goto parse_int;
7e7fb4
+
7e7fb4
+	case lSSH_Filter:
7e7fb4
+		xstringptr = &options.ssh_filter;
7e7fb4
+		goto parse_xstring;
7e7fb4
+
7e7fb4
+	case lDeprecated:
7e7fb4
+		debug("%s line %d: Deprecated option \"%s\"",
7e7fb4
+		    filename, linenum, keyword);
7e7fb4
+		return 0;
7e7fb4
+
7e7fb4
+	case lUnsupported:
7e7fb4
+		error("%s line %d: Unsupported option \"%s\"",
7e7fb4
+		    filename, linenum, keyword);
7e7fb4
+		return 0;
7e7fb4
+
7e7fb4
+	default:
7e7fb4
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	/* Check that there is no garbage at end of line. */
7e7fb4
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
7e7fb4
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
7e7fb4
+		    filename, linenum, arg);
7e7fb4
+	}
7e7fb4
+	return 0;
7e7fb4
+}
7e7fb4
+
7e7fb4
+/*
7e7fb4
+ * Reads the config file and modifies the options accordingly.  Options
7e7fb4
+ * should already be initialized before this call.  This never returns if
7e7fb4
+ * there is an error.  If the file does not exist, this returns 0.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+void
7e7fb4
+read_config_file(const char *filename)
7e7fb4
+{
7e7fb4
+	FILE *f;
7e7fb4
+	char line[1024];
7e7fb4
+	int active, linenum;
7e7fb4
+	int bad_options = 0;
7e7fb4
+	struct stat sb;
7e7fb4
+
7e7fb4
+	if ((f = fopen(filename, "r")) == NULL)
7e7fb4
+		fatal("fopen %s: %s", filename, strerror(errno));
7e7fb4
+
7e7fb4
+	if (fstat(fileno(f), &sb) == -1)
7e7fb4
+		fatal("fstat %s: %s", filename, strerror(errno));
7e7fb4
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
7e7fb4
+	    (sb.st_mode & 022) != 0))
7e7fb4
+		fatal("Bad owner or permissions on %s", filename);
7e7fb4
+
7e7fb4
+	debug("Reading configuration data %.200s", filename);
7e7fb4
+
7e7fb4
+	/*
7e7fb4
+	 * Mark that we are now processing the options.  This flag is turned
7e7fb4
+	 * on/off by Host specifications.
7e7fb4
+	 */
7e7fb4
+	active = 1;
7e7fb4
+	linenum = 0;
7e7fb4
+	while (fgets(line, sizeof(line), f)) {
7e7fb4
+		/* Update line number counter. */
7e7fb4
+		linenum++;
7e7fb4
+		if (process_config_line(line, filename, linenum) != 0)
7e7fb4
+			bad_options++;
7e7fb4
+	}
7e7fb4
+	fclose(f);
7e7fb4
+	if ((bad_options > 0) && config_exclusive_config_file) 
7e7fb4
+		fatal("%s: terminating, %d bad configuration options",
7e7fb4
+		    filename, bad_options);
7e7fb4
+}
7e7fb4
+
7e7fb4
+/*
7e7fb4
+ * Initializes options to special values that indicate that they have not yet
7e7fb4
+ * been set.  Read_config_file will only set options with this value. Options
7e7fb4
+ * are processed in the following order: command line, user config file,
7e7fb4
+ * system config file.  Last, fill_default_options is called.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+void
7e7fb4
+initialize_options(void)
7e7fb4
+{
7e7fb4
+	memset(&options, 'X', sizeof(options));
7e7fb4
+	options.host = NULL;
7e7fb4
+	options.uri = NULL;
7e7fb4
+	options.base = NULL;
7e7fb4
+	options.binddn = NULL;
7e7fb4
+	options.bindpw = NULL;
7e7fb4
+	options.scope = -1;
7e7fb4
+	options.deref = -1;
7e7fb4
+	options.port = -1;
7e7fb4
+	options.timelimit = -1;
7e7fb4
+	options.bind_timelimit = -1;
7e7fb4
+	options.ldap_version = -1;
7e7fb4
+	options.bind_policy = -1;
7e7fb4
+	options.sslpath = NULL;
7e7fb4
+	options.ssl = -1;
7e7fb4
+	options.referrals = -1;
7e7fb4
+	options.restart = -1;
7e7fb4
+	options.tls_checkpeer = -1;
7e7fb4
+	options.tls_cacertfile = NULL;
7e7fb4
+	options.tls_cacertdir = NULL;
7e7fb4
+	options.tls_ciphers = NULL;
7e7fb4
+	options.tls_cert = NULL;
7e7fb4
+	options.tls_key = NULL;
7e7fb4
+	options.tls_randfile = NULL;
7e7fb4
+	options.logdir = NULL;
7e7fb4
+	options.debug = -1;
7e7fb4
+	options.ssh_filter = NULL;
7e7fb4
+}
7e7fb4
+
7e7fb4
+/*
7e7fb4
+ * Called after processing other sources of option data, this fills those
7e7fb4
+ * options for which no value has been specified with their default values.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+void
7e7fb4
+fill_default_options(void)
7e7fb4
+{
7e7fb4
+	if (options.uri != NULL) {
7e7fb4
+		LDAPURLDesc *ludp;
7e7fb4
+
7e7fb4
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
7e7fb4
+			if (options.ssl == -1) {
86b2d1
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
7e7fb4
+				    options.ssl = 2;
86b2d1
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
86b2d1
+				    options.ssl = 0;
86b2d1
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
86b2d1
+				    options.ssl = 1;
7e7fb4
+			}
7e7fb4
+			if (options.host == NULL)
7e7fb4
+			    options.host = xstrdup (ludp->lud_host);
7e7fb4
+			if (options.port == -1)
7e7fb4
+			    options.port = ludp->lud_port;
7e7fb4
+
7e7fb4
+			ldap_free_urldesc (ludp);
7e7fb4
+		}
7e7fb4
+	} 
7e7fb4
+	if (options.ssl == -1)
7e7fb4
+	    options.ssl = SSL_START_TLS;
7e7fb4
+	if (options.port == -1)
7e7fb4
+	    options.port = (options.ssl == 0) ? 389 : 636;
7e7fb4
+	if (options.uri == NULL) {
7e7fb4
+		int len;
7e7fb4
+#define MAXURILEN 4096
7e7fb4
+
7e7fb4
+		options.uri = xmalloc (MAXURILEN);
7e7fb4
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
7e7fb4
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
7e7fb4
+		options.uri[MAXURILEN - 1] = 0;
7e7fb4
+		options.uri = xrealloc (options.uri, len + 1, 1);
7e7fb4
+	}
7e7fb4
+	if (options.binddn == NULL)
7e7fb4
+	    options.binddn = "";
7e7fb4
+	if (options.bindpw == NULL)
7e7fb4
+	    options.bindpw = "";
7e7fb4
+	if (options.scope == -1)
7e7fb4
+	    options.scope = LDAP_SCOPE_SUBTREE;
7e7fb4
+	if (options.deref == -1)
7e7fb4
+	    options.deref = LDAP_DEREF_NEVER;
7e7fb4
+	if (options.timelimit == -1)
7e7fb4
+	    options.timelimit = 10;
7e7fb4
+	if (options.bind_timelimit == -1)
7e7fb4
+	    options.bind_timelimit = 10;
7e7fb4
+	if (options.ldap_version == -1)
7e7fb4
+	    options.ldap_version = 3;
7e7fb4
+	if (options.bind_policy == -1)
7e7fb4
+	    options.bind_policy = 1;
7e7fb4
+	if (options.referrals == -1)
7e7fb4
+	    options.referrals = 1;
7e7fb4
+	if (options.restart == -1)
7e7fb4
+	    options.restart = 1;
7e7fb4
+	if (options.tls_checkpeer == -1)
7e7fb4
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
7e7fb4
+	if (options.debug == -1)
7e7fb4
+	    options.debug = 0;
7e7fb4
+	if (options.ssh_filter == NULL)
7e7fb4
+	    options.ssh_filter = "";
7e7fb4
+}
7e7fb4
+
7e7fb4
+static const char *
7e7fb4
+lookup_opcode_name(OpCodes code)
7e7fb4
+{
7e7fb4
+	u_int i;
7e7fb4
+
7e7fb4
+	for (i = 0; keywords[i].name != NULL; i++)
7e7fb4
+	    if (keywords[i].opcode == code)
7e7fb4
+		return(keywords[i].name);
7e7fb4
+	return "UNKNOWN";
7e7fb4
+}
7e7fb4
+
7e7fb4
+static void
7e7fb4
+dump_cfg_string(OpCodes code, const char *val)
7e7fb4
+{
7e7fb4
+	if (val == NULL)
7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
7e7fb4
+	else
7e7fb4
+	    debug3("%s %s", lookup_opcode_name(code), val);
7e7fb4
+}
7e7fb4
+
7e7fb4
+static void
7e7fb4
+dump_cfg_int(OpCodes code, int val)
7e7fb4
+{
7e7fb4
+	if (val == -1)
7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
7e7fb4
+	else
7e7fb4
+	    debug3("%s %d", lookup_opcode_name(code), val);
7e7fb4
+}
7e7fb4
+
7e7fb4
+struct names {
7e7fb4
+	int value;
7e7fb4
+	char *name;
7e7fb4
+};
7e7fb4
+
7e7fb4
+static void
7e7fb4
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
7e7fb4
+{
7e7fb4
+	u_int i;
7e7fb4
+
7e7fb4
+	if (val == -1)
7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
7e7fb4
+	else {
7e7fb4
+		for (i = 0; names[i].value != -1; i++)
7e7fb4
+	 	    if (names[i].value == val) {
7e7fb4
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
7e7fb4
+			    return;
7e7fb4
+		}
7e7fb4
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
7e7fb4
+	}
7e7fb4
+}
7e7fb4
+
7e7fb4
+static struct names _yesnotls[] = {
7e7fb4
+	{ 0, "No" },
7e7fb4
+	{ 1, "Yes" },
7e7fb4
+	{ 2, "Start_TLS" },
7e7fb4
+	{ -1, NULL }};
7e7fb4
+
7e7fb4
+static struct names _scope[] = {
7e7fb4
+	{ LDAP_SCOPE_BASE, "Base" },
7e7fb4
+	{ LDAP_SCOPE_ONELEVEL, "One" },
7e7fb4
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
7e7fb4
+	{ -1, NULL }};
7e7fb4
+
7e7fb4
+static struct names _deref[] = {
7e7fb4
+	{ LDAP_DEREF_NEVER, "Never" },
7e7fb4
+	{ LDAP_DEREF_SEARCHING, "Searching" },
7e7fb4
+	{ LDAP_DEREF_FINDING, "Finding" },
7e7fb4
+	{ LDAP_DEREF_ALWAYS, "Always" },
7e7fb4
+	{ -1, NULL }};
7e7fb4
+
7e7fb4
+static struct names _yesno[] = {
7e7fb4
+	{ 0, "No" },
7e7fb4
+	{ 1, "Yes" },
7e7fb4
+	{ -1, NULL }};
7e7fb4
+
7e7fb4
+static struct names _bindpolicy[] = {
7e7fb4
+	{ 0, "Soft" },
7e7fb4
+	{ 1, "Hard" },
7e7fb4
+	{ -1, NULL }};
7e7fb4
+
7e7fb4
+static struct names _checkpeer[] = {
7e7fb4
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
7e7fb4
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
7e7fb4
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
7e7fb4
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
7e7fb4
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
7e7fb4
+	{ -1, NULL }};
7e7fb4
+
7e7fb4
+void
7e7fb4
+dump_config(void)
7e7fb4
+{
7e7fb4
+	dump_cfg_string(lURI, options.uri);
7e7fb4
+	dump_cfg_string(lHost, options.host);
7e7fb4
+	dump_cfg_int(lPort, options.port);
7e7fb4
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
7e7fb4
+	dump_cfg_int(lLdap_Version, options.ldap_version);
7e7fb4
+	dump_cfg_int(lTimeLimit, options.timelimit);
7e7fb4
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
7e7fb4
+	dump_cfg_string(lBase, options.base);
7e7fb4
+	dump_cfg_string(lBindDN, options.binddn);
7e7fb4
+	dump_cfg_string(lBindPW, options.bindpw);
7e7fb4
+	dump_cfg_namedint(lScope, options.scope, _scope);
7e7fb4
+	dump_cfg_namedint(lDeref, options.deref, _deref);
7e7fb4
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
7e7fb4
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
7e7fb4
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
7e7fb4
+	dump_cfg_string(lSSLPath, options.sslpath);
7e7fb4
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
7e7fb4
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
7e7fb4
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
7e7fb4
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
7e7fb4
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
7e7fb4
+	dump_cfg_string(lTLS_Key, options.tls_key);
7e7fb4
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
86b2d1
+	dump_cfg_string(lLogDir, options.logdir);
7e7fb4
+	dump_cfg_int(lDebug, options.debug);
7e7fb4
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
7e7fb4
+}
7e7fb4
+
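Review bot: The `case lDeref:` arm of process_config_line() takes `intptr = &options.scope;` instead of `&options.deref`, so a Deref line silently overwrites the search scope and `options.deref` can never be set from the file; it should read `intptr = &options.deref;`. The `case lBind_Policy:` and `case lTLS_CheckPeer:` arms have a related slip: `if (*intptr == -1)` is followed directly by `break;` with the parsed `value` dropped, so both need `*intptr = value;` before the break — until then a configured tls_checkpeer of never/allow/try is ignored and the `LDAP_OPT_X_TLS_HARD` default from fill_default_options() always applies, which is safe but makes the option a no-op. dump_config() hands `options.bindpw` to dump_cfg_string(), which writes the bind password into debug3 output; logging only whether it is set, e.g. `dump_cfg_string(lBindPW, options.bindpw == NULL ? NULL : "<set>");`, keeps the credential out of log files. The trailing-whitespace loop computes `len = strlen(line) - 1` in a `size_t`, so a line whose first byte is NUL wraps `len` and indexes far outside `line`; checking `strlen(line) > 0` before entering the loop avoids it. `case lRootBindDN:` stores into the local `rootbinddn`, which is never read, so the xstrdup'd value leaks and the option has no effect — either wire it to an `options` field or drop the keyword.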
Jan F 0e9135
diff -up openssh-5.8p2/ldapconf.h.ldap openssh-5.8p2/ldapconf.h
Jan F 0e9135
--- openssh-5.8p2/ldapconf.h.ldap	2011-05-28 21:03:49.222855494 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldapconf.h	2011-05-28 21:03:49.230857403 +0200
7e7fb4
@@ -0,0 +1,71 @@
7e7fb4
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
7e7fb4
+/*
7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
7e7fb4
+ *
7e7fb4
+ * Redistribution and use in source and binary forms, with or without
7e7fb4
+ * modification, are permitted provided that the following conditions
7e7fb4
+ * are met:
7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
7e7fb4
+ *    documentation and/or other materials provided with the distribution.
7e7fb4
+ *
7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+#ifndef LDAPCONF_H
7e7fb4
+#define LDAPCONF_H
7e7fb4
+
7e7fb4
+#define SSL_OFF          0
7e7fb4
+#define SSL_LDAPS        1
7e7fb4
+#define SSL_START_TLS    2
7e7fb4
+
7e7fb4
+/* Data structure for representing option data. */
7e7fb4
+
7e7fb4
+typedef struct {
7e7fb4
+	char *host;
7e7fb4
+	char *uri;
7e7fb4
+	char *base;
7e7fb4
+	char *binddn;
7e7fb4
+	char *bindpw;
7e7fb4
+	int scope;
7e7fb4
+	int deref;
7e7fb4
+	int port;
7e7fb4
+	int timelimit;
7e7fb4
+	int bind_timelimit;
7e7fb4
+	int ldap_version;
7e7fb4
+	int bind_policy;
7e7fb4
+	char *sslpath;
7e7fb4
+	int ssl;
7e7fb4
+	int referrals;
7e7fb4
+	int restart;
7e7fb4
+	int tls_checkpeer;
7e7fb4
+	char *tls_cacertfile;
7e7fb4
+	char *tls_cacertdir;
7e7fb4
+	char *tls_ciphers;
7e7fb4
+	char *tls_cert;
7e7fb4
+	char *tls_key;
7e7fb4
+	char *tls_randfile;
7e7fb4
+	char *logdir;
7e7fb4
+	int debug;
7e7fb4
+	char *ssh_filter;
7e7fb4
+}       Options;
7e7fb4
+
7e7fb4
+extern Options options;
7e7fb4
+
7e7fb4
+void read_config_file(const char *);
7e7fb4
+void initialize_options(void);
7e7fb4
+void fill_default_options(void);
7e7fb4
+void dump_config(void);
7e7fb4
+
7e7fb4
+#endif /* LDAPCONF_H */
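Review bot: The Options typedef documents none of its sentinel conventions: ldapconf.c's initialize_options() sets every pointer to NULL and every int to -1 to mean "not yet configured", and process_config_line() and fill_default_options() only write a field while it still holds that sentinel, so a comment on the struct such as `/* NULL / -1 mean "not set"; see initialize_options() and fill_default_options() */` would stop a future field from being added with a zero default that is then treated as already configured. `bindpw` holds a cleartext credential read from the config file and deserves a `/* cleartext bind credential; keep out of logs */` comment next to the field. The `$OpenBSD:` tag at the top of the header names ldapconf.c rather than ldapconf.h, presumably copied from the .c file.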
Jan F 0e9135
diff -up openssh-5.8p2/ldap.conf.ldap openssh-5.8p2/ldap.conf
Jan F 0e9135
--- openssh-5.8p2/ldap.conf.ldap	2011-05-28 21:03:49.286865328 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldap.conf	2011-05-28 21:03:49.294861823 +0200
8fc96c
@@ -0,0 +1,88 @@
7818e5
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
8fc96c
+#
8fc96c
+# This is the example configuration file for the OpenSSH
8fc96c
+# LDAP backend
8fc96c
+# 
8fc96c
+# see ssh-ldap.conf(5)
8fc96c
+#
8fc96c
+
8fc96c
+# URI with your LDAP server name. This allows to use
8fc96c
+# Unix Domain Sockets to connect to a local LDAP Server.
8fc96c
+#uri ldap://127.0.0.1/
8fc96c
+#uri ldaps://127.0.0.1/   
8fc96c
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
8fc96c
+# Note: %2f encodes the '/' used as directory separator
8fc96c
+
8fc96c
+# Another way to specify your LDAP server is to provide an
8fc96c
+# host name and the port of our LDAP server. Host name
8fc96c
+# must be resolvable without using LDAP.
8fc96c
+# Multiple hosts may be specified, each separated by a 
8fc96c
+# space. How long nss_ldap takes to failover depends on
8fc96c
+# whether your LDAP client library supports configurable
8fc96c
+# network or connect timeouts (see bind_timelimit).
8fc96c
+#host 127.0.0.1
8fc96c
+
8fc96c
+# The port.
8fc96c
+# Optional: default is 389.
8fc96c
+#port 389
8fc96c
+
8fc96c
+# The distinguished name to bind to the server with.
8fc96c
+# Optional: default is to bind anonymously.
8fc96c
+#binddn cn=openssh_keys,dc=example,dc=org
8fc96c
+
8fc96c
+# The credentials to bind with. 
8fc96c
+# Optional: default is no credential.
8fc96c
+#bindpw TopSecret
8fc96c
+
8fc96c
+# The distinguished name of the search base.
8fc96c
+#base dc=example,dc=org
8fc96c
+
8fc96c
+# The LDAP version to use (defaults to 3
8fc96c
+# if supported by client library)
8fc96c
+#ldap_version 3
8fc96c
+
8fc96c
+# The search scope.
8fc96c
+#scope sub
8fc96c
+#scope one
8fc96c
+#scope base
8fc96c
+
8fc96c
+# Search timelimit
8fc96c
+#timelimit 30
8fc96c
+
8fc96c
+# Bind/connect timelimit
8fc96c
+#bind_timelimit 30
8fc96c
+
8fc96c
+# Reconnect policy: hard (default) will retry connecting to
8fc96c
+# the software with exponential backoff, soft will fail
8fc96c
+# immediately.
8fc96c
+#bind_policy hard
8fc96c
+
8fc96c
+# SSL setup, may be implied by URI also.
8fc96c
+#ssl no
8fc96c
+#ssl on
8fc96c
+#ssl start_tls
8fc96c
+
8fc96c
+# OpenLDAP SSL options
8fc96c
+# Require and verify server certificate (yes/no)
8fc96c
+# Default is to use libldap's default behavior, which can be configured in
8fc96c
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
8fc96c
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
8fc96c
+#tls_checkpeer hard
8fc96c
+
8fc96c
+# CA certificates for server certificate verification
8fc96c
+# At least one of these are required if tls_checkpeer is "yes"
8fc96c
+#tls_cacertfile /etc/ssl/ca.cert
8fc96c
+#tls_cacertdir /etc/pki/tls/certs
8fc96c
+
8fc96c
+# Seed the PRNG if /dev/urandom is not provided
8fc96c
+#tls_randfile /var/run/egd-pool
8fc96c
+
8fc96c
+# SSL cipher suite
8fc96c
+# See man ciphers for syntax
8fc96c
+#tls_ciphers TLSv1
8fc96c
+
8fc96c
+# Client certificate and key
8fc96c
+# Use these, if your server requires client authentication.
8fc96c
+#tls_cert
8fc96c
+#tls_key
8fc96c
+
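Review bot: The `# Optional: default is 389` comment above `#port 389` does not match ldapconf.c: fill_default_options() leaves `ssl` at SSL_START_TLS when nothing is configured and then chooses `(options.ssl == 0) ? 389 : 636`, so a host-only configuration defaults to port 636 (and an `ldaps://` URI) unless `ssl no` is set; either this comment or the code default should change, and the port/scheme selection arguably should treat start_tls like plain ldap. The tls_checkpeer paragraph says the default is libldap's behaviour, but ldapconf.c sets `LDAP_OPT_X_TLS_HARD` when the option is absent, so the comment should say that instead. Since this file can carry `bindpw`, the bindpw comment could add that read_config_file() only rejects group/other-writable files and that a file holding a password should also not be world-readable.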
Jan F 0e9135
diff -up openssh-5.8p2/ldap-helper.c.ldap openssh-5.8p2/ldap-helper.c
Jan F 0e9135
--- openssh-5.8p2/ldap-helper.c.ldap	2011-05-28 21:03:49.355862289 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldap-helper.c	2011-05-28 21:03:49.364861642 +0200
Jan F 1f6bdc
@@ -0,0 +1,155 @@
7e7fb4
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
7e7fb4
+/*
7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
7e7fb4
+ *
7e7fb4
+ * Redistribution and use in source and binary forms, with or without
7e7fb4
+ * modification, are permitted provided that the following conditions
7e7fb4
+ * are met:
7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
7e7fb4
+ *    documentation and/or other materials provided with the distribution.
7e7fb4
+ *
7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+#include "ldapincludes.h"
7e7fb4
+#include "log.h"
7e7fb4
+#include "misc.h"
7e7fb4
+#include "xmalloc.h"
7e7fb4
+#include "ldapconf.h"
7e7fb4
+#include "ldapbody.h"
7e7fb4
+#include <string.h>
7e7fb4
+#include <unistd.h>
7e7fb4
+
7e7fb4
+static int config_debug = 0;
7e7fb4
+int config_exclusive_config_file = 0;
86b2d1
+static char *config_file_name = "/etc/ssh/ldap.conf";
7e7fb4
+static char *config_single_user = NULL;
7e7fb4
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
7e7fb4
+int config_warning_config_file = 0;
7e7fb4
+extern char *__progname;
7e7fb4
+
7e7fb4
+static void
7e7fb4
+usage(void)
7e7fb4
+{
7e7fb4
+	fprintf(stderr, "usage: %s [options]\n",
7e7fb4
+	    __progname);
7e7fb4
+	fprintf(stderr, "Options:\n");
7e7fb4
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
7e7fb4
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
86b2d1
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
7e7fb4
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
7e7fb4
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
Jan F 1499a2
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
7e7fb4
+	exit(1);
7e7fb4
+}
7e7fb4
+
7e7fb4
+/*
7e7fb4
+ * Main program for the ssh pka ldap agent.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+int
7e7fb4
+main(int ac, char **av)
7e7fb4
+{
7e7fb4
+	int opt;
7e7fb4
+	FILE *outfile = NULL;
7e7fb4
+
7e7fb4
+	__progname = ssh_get_progname(av[0]);
7e7fb4
+
7e7fb4
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
7e7fb4
+
7e7fb4
+	/*
7e7fb4
+	 * Initialize option structure to indicate that no values have been
7e7fb4
+	 * set.
7e7fb4
+	 */
7e7fb4
+	initialize_options();
7e7fb4
+
7e7fb4
+	/* Parse command-line arguments. */
7e7fb4
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
7e7fb4
+		switch (opt) {
7e7fb4
+		case 'd':
7e7fb4
+			config_debug = 1;
7e7fb4
+			break;
7e7fb4
+
7e7fb4
+		case 'e':
7e7fb4
+			config_exclusive_config_file = 1;
7e7fb4
+			config_warning_config_file = 1;
7e7fb4
+			break;
7e7fb4
+
7e7fb4
+		case 'f':
7e7fb4
+			config_file_name = optarg;
7e7fb4
+			break;
7e7fb4
+
7e7fb4
+		case 's':
7e7fb4
+			config_single_user = optarg;
7e7fb4
+			outfile = fdopen (dup (fileno (stdout)), "w");
7e7fb4
+			break;
7e7fb4
+
7e7fb4
+		case 'v':
7e7fb4
+			config_debug = 1;
7e7fb4
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
7e7fb4
+			    config_verbose++;
7e7fb4
+			break;
7e7fb4
+
7e7fb4
+		case 'w':
7e7fb4
+			config_warning_config_file = 1;
7e7fb4
+			break;
7e7fb4
+
7e7fb4
+		case '?':
7e7fb4
+		default:
7e7fb4
+			usage();
7e7fb4
+			break;
7e7fb4
+		}
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	/* Initialize loging */
7e7fb4
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
7e7fb4
+
7e7fb4
+	if (ac != optind)
7e7fb4
+	    fatal ("illegal extra parameter %s", av[1]);
7e7fb4
+
7e7fb4
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
7e7fb4
+	if (config_debug == 0)
7e7fb4
+	    sanitise_stdfd();
7e7fb4
+
7e7fb4
+	/* Read config file */
7e7fb4
+	read_config_file(config_file_name);
7e7fb4
+	fill_default_options();
7e7fb4
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
7e7fb4
+		debug3 ("=== Configuration ===");
7e7fb4
+		dump_config();
7e7fb4
+		debug3 ("=== *** ===");
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	ldap_checkconfig();
7e7fb4
+	ldap_do_connect();
7e7fb4
+
7e7fb4
+	if (config_single_user) {
7e7fb4
+		process_user (config_single_user, outfile);
7e7fb4
+	} else {
Jan F 1f6bdc
+		usage();
7e7fb4
+		fatal ("Not yet implemented");
7e7fb4
+/* TODO
7e7fb4
+ * open unix socket a run the loop on it
7e7fb4
+ */
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	ldap_do_close();
7e7fb4
+	return 0;
7e7fb4
+}
7e7fb4
+
7e7fb4
+/* Ugly hack */
7e7fb4
+void   *buffer_get_string(Buffer *b, u_int *l) {}
7e7fb4
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
7e7fb4
+
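Review bot: The `-s` branch does `outfile = fdopen (dup (fileno (stdout)), "w");` without checking the result, so if dup() or fdopen() fails, process_user() is handed a NULL FILE* and the helper most likely crashes instead of saying why no key was printed; `if ((outfile = fdopen(dup(fileno(stdout)), "w")) == NULL) fatal("cannot duplicate stdout for -s");` closes that. The extra-argument check `fatal ("illegal extra parameter %s", av[1]);` names `av[1]` rather than `av[optind]`, so whenever options precede the stray word the message blames the wrong one. The two `/* Ugly hack */` stubs `buffer_get_string` and `buffer_put_string` are declared non-void but return nothing, which is undefined behaviour the moment anything linked from libssh reaches them; a body of `fatal("%s: not available in ssh-ldap-helper", __func__);` fails loudly instead of returning garbage. Finally, in the non-`-s` path `usage()` exits, so the following `fatal ("Not yet implemented")` and the TODO after it are unreachable and one of the two should go.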
Jan F 0e9135
diff -up openssh-5.8p2/ldap-helper.h.ldap openssh-5.8p2/ldap-helper.h
Jan F 0e9135
--- openssh-5.8p2/ldap-helper.h.ldap	2011-05-28 21:03:49.446856183 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldap-helper.h	2011-05-28 21:03:49.453861731 +0200
7e7fb4
@@ -0,0 +1,32 @@
7e7fb4
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
7e7fb4
+/*
7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
7e7fb4
+ *
7e7fb4
+ * Redistribution and use in source and binary forms, with or without
7e7fb4
+ * modification, are permitted provided that the following conditions
7e7fb4
+ * are met:
7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
7e7fb4
+ *    documentation and/or other materials provided with the distribution.
7e7fb4
+ *
7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+#ifndef LDAP_HELPER_H
7e7fb4
+#define LDAP_HELPER_H
7e7fb4
+
7e7fb4
+extern int config_exclusive_config_file;
7e7fb4
+extern int config_warning_config_file;
7e7fb4
+
7e7fb4
+#endif /* LDAP_HELPER_H */
Jan F 0e9135
diff -up openssh-5.8p2/ldapincludes.h.ldap openssh-5.8p2/ldapincludes.h
Jan F 0e9135
--- openssh-5.8p2/ldapincludes.h.ldap	2011-05-28 21:03:49.513856874 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldapincludes.h	2011-05-28 21:03:49.520855810 +0200
7e7fb4
@@ -0,0 +1,41 @@
7e7fb4
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
7e7fb4
+/*
7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
7e7fb4
+ *
7e7fb4
+ * Redistribution and use in source and binary forms, with or without
7e7fb4
+ * modification, are permitted provided that the following conditions
7e7fb4
+ * are met:
7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
7e7fb4
+ *    documentation and/or other materials provided with the distribution.
7e7fb4
+ *
7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+#ifndef LDAPINCLUDES_H
7e7fb4
+#define LDAPINCLUDES_H
7e7fb4
+
7e7fb4
+#include "includes.h"
7e7fb4
+
7e7fb4
+#ifdef HAVE_LBER_H
7e7fb4
+#include <lber.h>
7e7fb4
+#endif
7e7fb4
+#ifdef HAVE_LDAP_H
7e7fb4
+#include <ldap.h>
7e7fb4
+#endif
7e7fb4
+#ifdef HAVE_LDAP_SSL_H
7e7fb4
+#include <ldap_ssl.h>
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+#endif /* LDAPINCLUDES_H */
Jan F 0e9135
diff -up openssh-5.8p2/ldapmisc.c.ldap openssh-5.8p2/ldapmisc.c
Jan F 0e9135
--- openssh-5.8p2/ldapmisc.c.ldap	2011-05-28 21:03:49.590855991 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldapmisc.c	2011-05-28 21:03:49.597856040 +0200
7e7fb4
@@ -0,0 +1,79 @@
7e7fb4
+
7e7fb4
+#include "ldapincludes.h"
7e7fb4
+#include "ldapmisc.h"
7e7fb4
+
7e7fb4
+#ifndef HAVE_LDAP_GET_LDERRNO
7e7fb4
+int
7e7fb4
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
7e7fb4
+{
7e7fb4
+#ifdef HAVE_LDAP_GET_OPTION
7e7fb4
+	int rc;
7e7fb4
+#endif
7e7fb4
+	int lderrno;
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
7e7fb4
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
7e7fb4
+	    return rc;
7e7fb4
+#else
7e7fb4
+	lderrno = ld->ld_errno;
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+	if (s != NULL) {
7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
7e7fb4
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
7e7fb4
+		    return rc;
7e7fb4
+#else
7e7fb4
+		*s = ld->ld_error;
7e7fb4
+#endif
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	if (m != NULL) {
7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
7e7fb4
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
7e7fb4
+		    return rc;
7e7fb4
+#else
7e7fb4
+		*m = ld->ld_matched;
7e7fb4
+#endif
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	return lderrno;
7e7fb4
+}
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+#ifndef HAVE_LDAP_SET_LDERRNO
7e7fb4
+int
7e7fb4
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
7e7fb4
+{
7e7fb4
+#ifdef HAVE_LDAP_SET_OPTION
7e7fb4
+	int rc;
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
7e7fb4
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
7e7fb4
+	    return rc;
7e7fb4
+#else
7e7fb4
+	ld->ld_errno = lderrno;
7e7fb4
+#endif
7e7fb4
+
7e7fb4
+	if (s != NULL) {
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
7e7fb4
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
7e7fb4
+		    return rc;
7e7fb4
+#else
7e7fb4
+		ld->ld_error = s;
7e7fb4
+#endif
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	if (m != NULL) {
7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
7e7fb4
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
7e7fb4
+		    return rc;
7e7fb4
+#else
7e7fb4
+		ld->ld_matched = m;
7e7fb4
+#endif
7e7fb4
+	}
7e7fb4
+
7e7fb4
+	return LDAP_SUCCESS;
7e7fb4
+}
7e7fb4
+#endif
7e7fb4
+
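Review bot: In `ldap_get_lderrno` the two build configurations hand back `*s` and `*m` with different ownership — per OpenLDAP's ldap_get_option(3), LDAP_OPT_ERROR_STRING and LDAP_OPT_MATCHED_DN are returned as freshly allocated copies the caller must release with ldap_memfree(), whereas the `#else` path returns pointers into `ld` that must not be freed — and neither the function nor ldapmisc.h says which a caller will get, so a caller written against one library leaks or double-frees against the other. A header comment such as `/* Compat shim for libraries lacking ldap_get_lderrno(): with ldap_get_option() the *m/*s strings are caller-owned (ldap_memfree); otherwise they alias ld and must not be freed. */` would make the contract explicit. The early `return rc;` after a failed ldap_get_option() also returns the option-call status in a slot callers read as an LDAP result code, so a lookup failure is indistinguishable from a genuine directory error; returning `LDAP_OTHER` (or logging and falling through) would be less ambiguous. In `ldap_set_lderrno` the `#else` branches `ld->ld_error = s;` and `ld->ld_matched = m;` store caller-supplied `const char *` into the library struct, discarding the qualifier and aliasing memory the caller may later free.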
Jan F 0e9135
diff -up openssh-5.8p2/ldapmisc.h.ldap openssh-5.8p2/ldapmisc.h
Jan F 0e9135
--- openssh-5.8p2/ldapmisc.h.ldap	2011-05-28 21:03:49.664857820 +0200
Jan F 0e9135
+++ openssh-5.8p2/ldapmisc.h	2011-05-28 21:03:49.671861203 +0200
7e7fb4
@@ -0,0 +1,35 @@
7e7fb4
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
7e7fb4
+/*
7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
7e7fb4
+ *
7e7fb4
+ * Redistribution and use in source and binary forms, with or without
7e7fb4
+ * modification, are permitted provided that the following conditions
7e7fb4
+ * are met:
7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
7e7fb4
+ *    documentation and/or other materials provided with the distribution.
7e7fb4
+ *
7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
7e7fb4
+ */
7e7fb4
+
7e7fb4
+#ifndef LDAPMISC_H
7e7fb4
+#define LDAPMISC_H
7e7fb4
+
7e7fb4
+#include "ldapincludes.h"
7e7fb4
+
7e7fb4
+int ldap_get_lderrno (LDAP *, char **, char **);
7e7fb4
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
7e7fb4
+
7e7fb4
+#endif /* LDAPMISC_H */
7e7fb4
+
Jan F 0e9135
diff -up openssh-5.8p2/Makefile.in.ldap openssh-5.8p2/Makefile.in
Jan F 0e9135
--- openssh-5.8p2/Makefile.in.ldap	2011-05-28 21:03:37.758857361 +0200
Jan F 0e9135
+++ openssh-5.8p2/Makefile.in	2011-05-28 21:03:49.775856441 +0200
Jan F 1499a2
@@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
7e7fb4
 SFTP_SERVER=$(libexecdir)/sftp-server
7e7fb4
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
7e7fb4
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
7e7fb4
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
Jan F 1499a2
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
7e7fb4
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
7e7fb4
 PRIVSEP_PATH=@PRIVSEP_PATH@
7e7fb4
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
Jan F 1499a2
@@ -63,8 +65,9 @@ MANFMT=@MANFMT@
7e7fb4
 
7e7fb4
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
7e7fb4
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
7e7fb4
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
7e7fb4
 
7e7fb4
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
7e7fb4
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
7e7fb4
 
7e7fb4
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
7e7fb4
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
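Review bot: `ssh-ldap-helper$(EXEEXT)` is appended to `TARGETS` unconditionally, while its installation a few hunks down is gated on `INSTALL_SSH_LDAP_HELPER` being non-empty; a tree configured without `--with-ldap` will therefore still try to build ldapconf.o, ldapbody.o, ldapmisc.o and ldap-helper.o, and if those sources need the LDAP headers that ldapincludes.h only pulls in under HAVE_LDAP_H, the default build breaks. Gate the target the same way the install is gated, e.g. have configure substitute a variable that is `ssh-ldap-helper$(EXEEXT)` only when LDAP is enabled and append `@LDAP_TARGETS@` to `TARGETS` instead of the literal name.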
Jan F 1499a2
@@ -96,8 +99,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
Jan F ba25ec
 	sftp-server.o sftp-common.o \
Jan F. Chadima 1b8a26
 	roaming_common.o roaming_serv.o
7e7fb4
 
7e7fb4
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
7e7fb4
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
86b2d1
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
86b2d1
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
7e7fb4
 MANTYPE		= @MANTYPE@
7e7fb4
 
7e7fb4
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
Jan F 1499a2
@@ -166,6 +169,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
3fdf10
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
Jan F. Chadima 1b8a26
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
7e7fb4
 
7e7fb4
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
7e7fb4
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
7e7fb4
+
3fdf10
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
3fdf10
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
7e7fb4
 
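Review bot: The new link rule hard-codes `-lfipscheck` outside `$(LIBS)`, and no configure check for libfipscheck is visible anywhere in this patch, so a `--with-ldap` build on a host without that library fails at link time with no diagnosis from configure; either add an AC_CHECK_LIB that appends it to `$(LIBS)` or substitute it through a dedicated `@LIBFIPSCHECK@` variable that is empty when FIPS support is off. The neighbouring ssh-pkcs11-helper rule repeats `-lssh -lopenbsd-compat` to resolve circular references between the two archives; if ldapbody.o pulls libssh symbols that in turn need openbsd-compat, this rule may need the same repetition, so it is worth confirming with a clean link.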
Jan F 1499a2
@@ -270,6 +276,10 @@ install-files:
7e7fb4
 	fi
7e7fb4
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
7e7fb4
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
7e7fb4
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
Jan F 1499a2
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
7e7fb4
+	fi
7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
7e7fb4
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
Jan F 1499a2
@@ -289,6 +299,10 @@ install-files:
7e7fb4
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
7e7fb4
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
7e7fb4
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
7e7fb4
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
7e7fb4
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
86b2d1
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
7e7fb4
+	fi
7e7fb4
 	-rm -f $(DESTDIR)$(bindir)/slogin
7e7fb4
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Jan F 1499a2
@@ -325,6 +339,13 @@ install-sysconf:
8fc96c
 	else \
8fc96c
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
8fc96c
 	fi
8fc96c
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
8fc96c
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
8fc96c
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
8fc96c
+		else \
8fc96c
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
8fc96c
+		fi ; \
8fc96c
+	fi
8fc96c
 
8fc96c
 host-key: ssh-keygen$(EXEEXT)
8fc96c
 	@if [ -z "$(DESTDIR)" ] ; then \
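Review bot: `$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf` installs the helper's configuration world-readable, yet the shipped example for that file documents a `bindpw` directive for the directory bind credential and the helper binary itself is installed 0700 above — so the one artefact that may hold a cleartext password ends up the most readable one in the set. Install it with `$(INSTALL) -m 600 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \` to match the helper, or at minimum state in the example and in ssh-ldap.conf(5) that the file must be made unreadable to others once bindpw is set. Note also that the helper's compiled-in default is /etc/ssh/ldap.conf while this rule writes to `$(sysconfdir)/ldap.conf`; if sysconfdir is ever /etc the file both lands where the helper will not look and collides by name with the system OpenLDAP client configuration, which deserves a comment on the rule.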
Jan F 1499a2
@@ -396,6 +417,7 @@ uninstall:
7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
7e7fb4
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
7e7fb4
 
7e7fb4
 tests interop-tests:	$(TARGETS)
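Review bot: The uninstall hunk removes ssh-ldap-helper.8 but not the ssh-ldap.conf.5 man page this patch installs alongside it, so `make uninstall` leaves that page behind; add `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5` next to the new line. Whether the ssh-ldap-helper and ssh-ldap-wrapper binaries under `$(libexecdir)` are removed is decided earlier in the uninstall target, outside this hunk, so I cannot tell from here.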
Jan F 0e9135
diff -up openssh-5.8p2/openssh-lpk-openldap.schema.ldap openssh-5.8p2/openssh-lpk-openldap.schema
Jan F 0e9135
--- openssh-5.8p2/openssh-lpk-openldap.schema.ldap	2011-05-28 21:03:49.871872045 +0200
Jan F 0e9135
+++ openssh-5.8p2/openssh-lpk-openldap.schema	2011-05-28 21:03:49.878856149 +0200
7e7fb4
@@ -0,0 +1,21 @@
7e7fb4
+#
7e7fb4
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
7e7fb4
+#                              useful with PKA-LDAP also
7e7fb4
+#
7e7fb4
+# Author: Eric AUGE <eau@phear.org>
7e7fb4
+# 
7e7fb4
+# Based on the proposal of : Mark Ruijter
7e7fb4
+#
7e7fb4
+
7e7fb4
+
7e7fb4
+# octetString SYNTAX
7e7fb4
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
7e7fb4
+	DESC 'MANDATORY: OpenSSH Public key' 
7e7fb4
+	EQUALITY octetStringMatch
7e7fb4
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
7e7fb4
+
7e7fb4
+# printableString SYNTAX yes|no
7e7fb4
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
7e7fb4
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
7e7fb4
+	MUST ( sshPublicKey $ uid ) 
7e7fb4
+	)
Jan F 0e9135
diff -up openssh-5.8p2/openssh-lpk-sun.schema.ldap openssh-5.8p2/openssh-lpk-sun.schema
Jan F 0e9135
--- openssh-5.8p2/openssh-lpk-sun.schema.ldap	2011-05-28 21:03:49.934856078 +0200
Jan F 0e9135
+++ openssh-5.8p2/openssh-lpk-sun.schema	2011-05-28 21:03:49.941856158 +0200
7e7fb4
@@ -0,0 +1,23 @@
7e7fb4
+#
7e7fb4
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
7e7fb4
+#                              useful with PKA-LDAP also
7e7fb4
+#
7e7fb4
+# Author: Eric AUGE <eau@phear.org>
7e7fb4
+# 
7e7fb4
+# Schema for Sun Directory Server.
7e7fb4
+# Based on the original schema, modified by Stefan Fischer.
7e7fb4
+#
7e7fb4
+
7e7fb4
+dn: cn=schema
7e7fb4
+
7e7fb4
+# octetString SYNTAX
7e7fb4
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
7e7fb4
+	DESC 'MANDATORY: OpenSSH Public key' 
7e7fb4
+	EQUALITY octetStringMatch
7e7fb4
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
7e7fb4
+
7e7fb4
+# printableString SYNTAX yes|no
7e7fb4
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
7e7fb4
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
7e7fb4
+	MUST ( sshPublicKey $ uid ) 
7e7fb4
+	)
Jan F 0e9135
diff -up openssh-5.8p2/ssh-ldap.conf.5.ldap openssh-5.8p2/ssh-ldap.conf.5
Jan F 0e9135
--- openssh-5.8p2/ssh-ldap.conf.5.ldap	2011-05-28 21:03:50.013873320 +0200
Jan F 0e9135
+++ openssh-5.8p2/ssh-ldap.conf.5	2011-05-28 21:03:50.333857346 +0200
Jan F 0e9135
@@ -0,0 +1,376 @@
86b2d1
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
86b2d1
+.\"
86b2d1
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
86b2d1
+.\"
86b2d1
+.\" Permission to use, copy, modify, and distribute this software for any
86b2d1
+.\" purpose with or without fee is hereby granted, provided that the above