diff -up openssh-6.8p1/HOWTO.ldap-keys.ldap openssh-6.8p1/HOWTO.ldap-keys
--- openssh-6.8p1/HOWTO.ldap-keys.ldap	2015-03-18 11:11:29.029801467 +0100
+++ openssh-6.8p1/HOWTO.ldap-keys	2015-03-18 11:11:29.029801467 +0100
@@ -0,0 +1,122 @@
+
+HOW TO START
+
+1) configure LDAP server
+  * Use LDAP server documentation
+2) add appropriate LDAP schema
+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
+  * LDAP user entry
+        User entry:
+	- attached to the 'ldapPublicKey' objectclass
+	- attached to the 'posixAccount' objectclass
+	- with a filled 'sshPublicKey' attribute 
+3) insert users into LDAP
+  * Use LDAP Tree management tool as useful
+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
+  * Example:
+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
+	objectclass: top
+	objectclass: person
+	objectclass: organizationalPerson
+	objectclass: posixAccount
+	objectclass: ldapPublicKey
+	description: Jonathan Archer
+	userPassword: Porthos
+	cn: onathan Archer
+	sn: onathan Archer
+	uid: captain
+	uidNumber: 1001
+	gidNumber: 1001
+	homeDirectory: /home/captain
+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
+4) on the ssh side set in sshd_config
+  * Set up the backend
+	AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
+	AuthorizedKeysCommandUser <appropriate user to run LDAP>
+  * Do not forget to set
+	PubkeyAuthentication yes
+  * Swith off unnecessary auth methods
+5) confugure ldap.conf
+  * Default ldap.conf is placed in /etc/ssh
+  * The configuration style is the same as other ldap based aplications
+6) if necessary edit ssh-ldap-wrapper
+  * There is a possibility to change ldap.conf location
+  * There are some debug options
+  * Example
+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
+7) Configure SELinux boolean which allows ldap-helper to bind ldap server
+  Run this command
+  # setsebool -P authlogin_nsswitch_use_ldap on
+
+HOW TO MIGRATE FROM LPK
+
+1) goto HOW TO START 4) .... the ldap schema is the same
+
+2) convert the group requests to the appropriate LDAP requests
+
+HOW TO SOLVE PROBLEMS
+
+1) use debug in sshd
+  * /usr/sbin/sshd -d -d -d -d
+2) use debug in ssh-ldap-helper
+  * ssh-ldap-helper -d -d -d -d -s <username>
+3) use tcpdump ... other ldap client etc.
+
+HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
+
+You can adjust search format string in /etc/ldap.conf using
+ 1) SSH_Filter option to limit results for only specified users
+    (this appends search condition after original query)
+ 2) Search_Format option to define your own search string using expansion
+    characters %u for username, %c for objectclass and %f for above mentioned filter.
+
+Example:
+Search_Format (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
+
+ADVANTAGES
+
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
+
+DISADVANTAGES
+
+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
+  of your users in all your server farm -- be VERY CAREFUL.
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
+  as the impersonated user.
+3) If LDAP server is down there may be no fallback on passwd auth.
+  
+MISC.
+  
+1) todo
+  * Possibility to reuse the ssh-ldap-helper.
+  * Tune the LDAP part to accept  all possible LDAP configurations.
+
+2) differences from original lpk
+  * No LDAP code in sshd.
+  * Support for various LDAP platforms and configurations.
+  * LDAP is configured in separate ldap.conf file.
+
+3) docs/link 
+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
+  * http://fritz.potsdam.edu/projects/openssh-lpk/
+  * http://fritz.potsdam.edu/projects/sshgate/
+  * http://dev.inversepath.com/trac/openssh-lpk
+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+
+4) contributors/ideas/greets
+  - Eric AUGE <eau@phear.org>
+  - Andrea Barisani <andrea@inversepath.com>
+  - Falk Siemonsmeier.
+  - Jacob Rief.
+  - Michael Durchgraf.
+  - frederic peters.
+  - Finlay dobbie.
+  - Stefan Fisher.
+  - Robin H. Johnson.
+  - Adrian Bridgett.
+
+5) Author
+    Jan F. Chadima <jchadima@redhat.com>
+
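Review bot: the debug example under step 6, `/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt`, names the libexec directory rather than a binary, and the options it passes (-s, -f, -w, -d) are those of ssh-ldap-helper as defined by usage() later in this patch, although the step says to edit ssh-ldap-wrapper; write `/usr/libexec/openssh/ssh-ldap-helper` and say which file is meant. Sending that output to a predictable name under /tmp is also not something to document for a program that prints users' keys and bind diagnostics; point readers at a root-only directory. In the LDIF example `ssh-rss` appears twice where sshd expects `ssh-rsa`, and `command="kill -9 1"` is a destructive forced command to use as the illustration; any harmless command shows the option just as well. Spelling: `additionnal`, `Swith`, `confugure`, `aplications`, and `cn:`/`sn:` read `onathan Archer` while `description:` reads `Jonathan Archer`. DISADVANTAGES 1) and 2) would be more useful if they named the controls the shipped ldap.conf in this patch already offers: `tls_checkpeer` with `tls_cacertfile` for the MITM case, and a read-only `binddn` plus server-side ACLs on sshPublicKey for the anonymous-write case.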
diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ldap	2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/Makefile.in	2015-03-18 11:13:10.147561177 +0100
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
 EXEEXT=@EXEEXT@
 MANFMT=@MANFMT@
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 
 LIBOPENSSH_OBJS=\
 	ssh_api.o \
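Review bot: `ssh-ldap-helper$(EXEEXT)` is appended to TARGETS unconditionally, while every install step for it later in this patch is guarded by `INSTALL_SSH_LDAP_HELPER`, and the configure.ac hunk only adds `-lldap`/`-llber` to LIBS inside the `--with-ldap` branch; a plain `./configure` will therefore still try to build and link the helper without the LDAP libraries. Guard the target with the same variable (for example an `@INSTALL_SSH_LDAP_HELPER@`-substituted extra target list) so the default build matches the default install.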
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
 	sandbox-solaris.o
 
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
 MANTYPE		= @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
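Review bot: the link line for ssh-ldap-helper hard-codes `-lfipscheck`, but nothing in the configure.ac hunk of this patch probes for that library or adds it to LIBS, so the build fails on any system without libfipscheck installed. Add an `AC_CHECK_LIB(fipscheck, ...)` next to the LDAP library checks, or drop the flag if none of ldapconf.o, ldapbody.o, ldapmisc.o or ldap-helper.o actually calls into it.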
@@ -311,6 +317,10 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+	fi
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
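Review bot: the helper and wrapper are installed with mode 0700, unlike the 0755 used for ssh-pkcs11-helper two lines above, while the HOWTO in this same patch tells administrators to run the wrapper through `AuthorizedKeysCommandUser <appropriate user to run LDAP>`; a root-owned 0700 file cannot be executed by that unprivileged user, so either document that both files must be owned by the AuthorizedKeysCommandUser account or install them 0755 and protect the bind credentials through ldap.conf permissions instead. Minor: `$(DESTDIR)$(SSH_LDAP_HELPER)` lacks the `$(EXEEXT)` suffix that the neighbouring install lines and the uninstall rule in this patch use.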
@@ -327,6 +337,10 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
+	fi
 
 install-sysconf:
 	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
@@ -356,6 +370,13 @@ install-sysconf:
 	else \
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
 	fi
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
+		else \
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
+		fi ; \
+	fi
 
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
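Review bot: ldap.conf is installed with mode 644 into $(sysconfdir), but the example file in this patch documents `bindpw TopSecret` as a supported setting, and a world-readable file holding the bind password exposes it to every local account. Install it 0600 owned by the account that runs the helper (the HOWTO already requires a dedicated AuthorizedKeysCommandUser), or at least state in the file header that bindpw must only be used once the file is unreadable to others.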
@@ -419,6 +440,8 @@ uninstall:
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+	-rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
+	-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
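Review bot: these uninstall lines remove `$(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)` and `$(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)`, while the install rule earlier in this patch copies to `$(DESTDIR)$(SSH_LDAP_HELPER)` and `$(DESTDIR)$(SSH_LDAP_WRAPPER)` without the suffix; on a platform with a non-empty EXEEXT, uninstall deletes a path install never created and leaves the real binaries behind. Use the same form on both sides.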
@@ -430,6 +453,7 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
 
 regress-prep:
 	[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
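Review bot: install-files in this patch adds both ssh-ldap-helper.8 and ssh-ldap.conf.5, but this hunk only removes `$(mandir)/$(mansubdir)8/ssh-ldap-helper.8`; add a matching `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5` so that uninstall is symmetric with install.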
diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.ldap	2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/configure.ac	2015-03-18 11:11:29.030801464 +0100
@@ -1605,6 +1605,106 @@ if test "x$use_pie" != "xno"; then
 	fi
 fi
 
+# Check whether user wants LDAP support
+LDAP_MSG="no"
+INSTALL_SSH_LDAP_HELPER=""
+AC_ARG_WITH(ldap,
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+
+			INSTALL_SSH_LDAP_HELPER="yes"
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
+
+			if test "x$withval" != "xyes" ; then
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
+			fi
+
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
+			LDAP_MSG="yes"
+
+			AC_CHECK_HEADERS(lber.h)
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
+			AC_CHECK_HEADERS(ldap_ssl.h)
+
+			AC_ARG_WITH(ldap-lib,
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+
+			if test -z "$with_ldap_lib"; then
+				with_ldap_lib=auto
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
+				fi
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib"; then
+				AC_MSG_ERROR(could not locate a valid LDAP library)
+			fi
+
+			AC_MSG_CHECKING([for working LDAP support])
+			AC_TRY_COMPILE(
+				[#include <sys/types.h>
+				 #include <ldap.h>],
+				[(void)ldap_init(0, 0);],
+				[AC_MSG_RESULT(yes)],
+				[
+				    AC_MSG_RESULT(no) 
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
+				])
+			AC_CHECK_FUNCS( \
+				ldap_init \
+				ldap_get_lderrno \
+				ldap_set_lderrno \
+				ldap_parse_result \
+				ldap_memfree \
+				ldap_controls_free \
+				ldap_set_option \
+				ldap_get_option \
+				ldapssl_init \
+				ldap_start_tls_s \
+				ldap_pvt_tls_set_option \
+				ldap_initialize \
+			)
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
+				AC_TRY_COMPILE(
+					[#include <lber.h>
+					#include <ldap.h>],
+					[ldap_set_rebind_proc(0, 0, 0);],
+					[ac_cv_ldap_set_rebind_proc=3],
+					[ac_cv_ldap_set_rebind_proc=2])
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
+			)
+		fi
+	]
+)
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
 	Blowfish_initstate \
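Review bot: every library probe here looks for `main` (`AC_CHECK_LIB(lber, main, ...)`, `AC_CHECK_LIB(ldap, main, ...)` and the netscape variants), which only proves that a library of that name links, not that it exports the LDAP API; checking a real entry point such as `ldap_init`, which is already in the AC_CHECK_FUNCS list below, avoids silently accepting an unrelated libldap. Two follow-ups: nothing in this hunk checks for libfipscheck although the Makefile.in hunk links the helper with `-lfipscheck`, and `AC_TRY_COMPILE` is obsolete in current autoconf (`AC_COMPILE_IFELSE([AC_LANG_PROGRAM(...)], ...)` is the replacement). Nesting `AC_ARG_WITH(ldap-lib, ...)` inside the `--with-ldap` action also means `--with-ldap-lib` is consulted only when `--with-ldap` is given; that is reasonable but deserves a comment.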
diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
--- openssh-6.8p1/ldap-helper.c.ldap	2015-03-18 11:11:29.030801464 +0100
+++ openssh-6.8p1/ldap-helper.c	2015-03-18 11:11:29.030801464 +0100
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapbody.h"
+#include <string.h>
+#include <unistd.h>
+
+static int config_debug = 0;
+int config_exclusive_config_file = 0;
+static char *config_file_name = "/etc/ssh/ldap.conf";
+static char *config_single_user = NULL;
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
+int config_warning_config_file = 0;
+extern char *__progname;
+
+static void
+usage(void)
+{
+	fprintf(stderr, "usage: %s [options]\n",
+	    __progname);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
+	fprintf(stderr, "  -w          Warn on unknown commands in the config file.\n");
+	exit(1);
+}
+
+/*
+ * Main program for the ssh pka ldap agent.
+ */
+
+int
+main(int ac, char **av)
+{
+	int opt;
+	FILE *outfile = NULL;
+
+	__progname = ssh_get_progname(av[0]);
+
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+
+	/*
+	 * Initialize option structure to indicate that no values have been
+	 * set.
+	 */
+	initialize_options();
+
+	/* Parse command-line arguments. */
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
+		switch (opt) {
+		case 'd':
+			config_debug = 1;
+			break;
+
+		case 'e':
+			config_exclusive_config_file = 1;
+			config_warning_config_file = 1;
+			break;
+
+		case 'f':
+			config_file_name = optarg;
+			break;
+
+		case 's':
+			config_single_user = optarg;
+			outfile = fdopen (dup (fileno (stdout)), "w");
+			break;
+
+		case 'v':
+			config_debug = 1;
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
+			    config_verbose++;
+			break;
+
+		case 'w':
+			config_warning_config_file = 1;
+			break;
+
+		case '?':
+		default:
+			usage();
+			break;
+		}
+	}
+
+	/* Initialize loging */
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
+
+	if (ac != optind)
+	    fatal ("illegal extra parameter %s", av[1]);
+
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
+	if (config_debug == 0)
+	    sanitise_stdfd();
+
+	/* Read config file */
+	read_config_file(config_file_name);
+	fill_default_options();
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
+		debug3 ("=== Configuration ===");
+		dump_config();
+		debug3 ("=== *** ===");
+	}
+
+	ldap_checkconfig();
+	ldap_do_connect();
+
+	if (config_single_user) {
+		process_user (config_single_user, outfile);
+	} else {
+		usage();
+		fatal ("Not yet implemented");
+/* TODO
+ * open unix socket a run the loop on it
+ */
+	}
+
+	ldap_do_close();
+	return 0;
+}
+
+/* Ugly hack */
+void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
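Review bot: the extra-argument check reports the wrong argument: `fatal ("illegal extra parameter %s", av[1]);` prints av[1], which after getopt() is normally an option such as `-s`, not the offending parameter; use `av[optind]`. In the `-s` case, `outfile = fdopen (dup (fileno (stdout)), "w");` is never checked for NULL and the stream is never flushed or closed, so a failed dup()/fdopen() hands a NULL FILE* to process_user() and a successful one relies on exit-time flushing; check the return value and fclose() before `ldap_do_close()`. The trailing stubs under `/* Ugly hack */` make `buffer_get_string` return NULL and `buffer_put_string` a no-op for any libssh code path that reaches them; if they exist only to satisfy the linker, a stub that calls fatal() turns an unexpected call into a clear log line instead of a later NULL dereference. Also, `-v` is documented as implying `-d`, and sanitise_stdfd() is skipped whenever config_debug is set, so a `-v`-only run also leaves fds 0 and 2 unsanitised; that is probably intended but worth a comment. Typos: `demonize` in usage() and `loging` in the comment.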
diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h
--- openssh-6.8p1/ldap-helper.h.ldap	2015-03-18 11:11:29.031801462 +0100
+++ openssh-6.8p1/ldap-helper.h	2015-03-18 11:11:29.031801462 +0100
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAP_HELPER_H
+#define LDAP_HELPER_H
+
+extern int config_exclusive_config_file;
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
diff -up openssh-6.8p1/ldap.conf.ldap openssh-6.8p1/ldap.conf
--- openssh-6.8p1/ldap.conf.ldap	2015-03-18 11:11:29.031801462 +0100
+++ openssh-6.8p1/ldap.conf	2015-03-18 11:11:29.031801462 +0100
@@ -0,0 +1,95 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
+# This is the example configuration file for the OpenSSH
+# LDAP backend
+# 
+# see ssh-ldap.conf(5)
+#
+
+# URI with your LDAP server name. This allows to use
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# Another way to specify your LDAP server is to provide an
+# host name and the port of our LDAP server. Host name
+# must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=openssh_keys,dc=example,dc=org
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw TopSecret
+
+# The distinguished name of the search base.
+#base dc=example,dc=org
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy: hard (default) will retry connecting to
+# the software with exponential backoff, soft will fail
+# immediately.
+#bind_policy hard
+
+# SSL setup, may be implied by URI also.
+#ssl no
+#ssl on
+#ssl start_tls
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer hard
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/pki/tls/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# OpenLDAP search_format
+# format used to search for users in LDAP directory using substitution
+# for %u for user name and %f for SSH_Filter option (optional, empty by default)
+#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
+
+#AccountClass posixAccount
+
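Review bot: the commented default `#tls_checkpeer hard` contradicts its own description two lines above, `Require and verify server certificate (yes/no)`, and the following block says CA certificates are needed `if tls_checkpeer is "yes"`; show one of the documented values (`yes`) so an administrator copying the line enables certificate verification rather than a value the description never mentions. The search_format comment lists only `%u` and `%f`, yet the format string that follows also uses `%c`, and the HOWTO in this patch documents `%c` as the objectclass expansion that `AccountClass` feeds; say so here. Since `bindpw` is a plain-text setting, the header should also state that the file must not be world-readable once bindpw is set (the Makefile.in hunk installs it with mode 644).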
diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
--- openssh-6.8p1/ldapbody.c.ldap	2015-03-18 11:11:29.031801462 +0100
+++ openssh-6.8p1/ldapbody.c	2015-03-18 11:11:29.031801462 +0100
@@ -0,0 +1,493 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapmisc.h"
+#include "ldapbody.h"
+#include <stdio.h>
+#include <unistd.h>
+#include "misc.h"
+
+#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
+#define PUBKEYATTR "sshPublicKey"
+#define LDAP_LOGFILE	"%s/ldap.%d"
+
+static FILE *logfile = NULL;
+static LDAP *ld;
+
+static char *attrs[] = {
+    PUBKEYATTR,
+    NULL
+};
+
+void
+ldap_checkconfig (void)
+{
+#ifdef HAVE_LDAP_INITIALIZE
+		if (options.host == NULL && options.uri == NULL)
+#else
+		if (options.host == NULL)
+#endif
+		    fatal ("missing  \"host\" in config file");
+}
+
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+static int
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
+{
+	struct timeval timeout;
+	int rc;
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
+	LDAPMessage *result;
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
+
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
+	if (options.ssl == SSL_START_TLS) {
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
+			return LDAP_OPERATIONS_ERROR;
+		}
+	}
+
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
+#else
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
+
+	timeout.tv_sec = options.bind_timelimit;
+	timeout.tv_usec = 0;
+	result = NULL;
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
94c6f8
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
94c6f8
+		ldap_msgfree (result);
94c6f8
+		return LDAP_OPERATIONS_ERROR;
94c6f8
+	}
94c6f8
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
94c6f8
+	return rc;
94c6f8
+#endif
94c6f8
+}
94c6f8
+#else
94c6f8
+
94c6f8
+static int
94c6f8
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
94c6f8
+{
94c6f8
+	if (freeit)
94c6f8
+	    return LDAP_SUCCESS;
94c6f8
+
94c6f8
+	*whop = strdup (options.binddn);
94c6f8
+	*credp = strdup (options.bindpw);
94c6f8
+	*methodp = LDAP_AUTH_SIMPLE;
94c6f8
+	debug2 ("Doing LDAP rebind for %s", *whop);
94c6f8
+	return LDAP_SUCCESS;
94c6f8
+}
94c6f8
+#endif
94c6f8
+
94c6f8
+void
94c6f8
+ldap_do_connect(void)
94c6f8
+{
94c6f8
+	int rc, msgid, ld_errno = 0;
94c6f8
+	struct timeval timeout;
94c6f8
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
94c6f8
+	int parserc;
94c6f8
+	LDAPMessage *result;
94c6f8
+	LDAPControl **controls;
94c6f8
+	int reconnect = 0;
94c6f8
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
94c6f8
+
94c6f8
+	debug ("LDAP do connect");
94c6f8
+
94c6f8
+retry:
94c6f8
+	if (reconnect) {
94c6f8
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
94c6f8
+		if (options.bind_policy == 0 ||
94c6f8
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
94c6f8
+			reconnect > 5)
94c6f8
+			    fatal ("Cannot connect to LDAP server");
94c6f8
+	
94c6f8
+		if (reconnect > 1)
94c6f8
+			sleep (reconnect - 1);
94c6f8
+
94c6f8
+		if (ld != NULL) {
94c6f8
+			ldap_unbind (ld);
94c6f8
+			ld = NULL;
94c6f8
+		}
94c6f8
+		logit("reconnecting to LDAP server...");
94c6f8
+	}
94c6f8
+
94c6f8
+	if (ld == NULL) {
94c6f8
+		int rc;
94c6f8
+		struct timeval tv;
94c6f8
+
94c6f8
+#ifdef HAVE_LDAP_SET_OPTION
94c6f8
+		if (options.debug > 0) {
94c6f8
+#ifdef LBER_OPT_LOG_PRINT_FILE
94c6f8
+			if (options.logdir) {
94c6f8
+				char *logfilename;
94c6f8
+				int logfilenamelen;
94c6f8
+
94c6f8
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
94c6f8
+				logfilename = xmalloc (logfilenamelen);
94c6f8
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
94c6f8
+				logfilename[logfilenamelen - 1] = 0;
94c6f8
+				if ((logfile = fopen (logfilename, "a")) == NULL)
94c6f8
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
94c6f8
+				debug3 ("LDAP debug into %s", logfilename);
94c6f8
+				free (logfilename);
94c6f8
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
94c6f8
+			}
94c6f8
+#endif
94c6f8
+			if (options.debug) {
94c6f8
+#ifdef LBER_OPT_DEBUG_LEVEL
94c6f8
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
94c6f8
+#endif /* LBER_OPT_DEBUG_LEVEL */
94c6f8
+#ifdef LDAP_OPT_DEBUG_LEVEL
94c6f8
+				(void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
94c6f8
+#endif /* LDAP_OPT_DEBUG_LEVEL */
94c6f8
+				debug3 ("Set LDAP debug to %d", options.debug);
94c6f8
+			}
94c6f8
+		}
94c6f8
+#endif /* HAVE_LDAP_SET_OPTION */
94c6f8
+
94c6f8
+		ld = NULL;
94c6f8
+#ifdef HAVE_LDAPSSL_INIT
94c6f8
+		if (options.host != NULL) {
94c6f8
+			if (options.ssl_on == SSL_LDAPS) {
94c6f8
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
94c6f8
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
94c6f8
+				debug3 ("LDAPssl client init");
94c6f8
+			}
94c6f8
+
94c6f8
+			if (options.ssl_on != SSL_OFF) {
94c6f8
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
94c6f8
+				    fatal ("ldapssl_init failed");
94c6f8
+				debug3 ("LDAPssl init");
94c6f8
+			}
94c6f8
+		}
94c6f8
+#endif /* HAVE_LDAPSSL_INIT */
94c6f8
+
94c6f8
+		/* continue with opening */
94c6f8
+		if (ld == NULL) {
94c6f8
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
94c6f8
+			/* Some global TLS-specific options need to be set before we create our
94c6f8
+			 * session context, so we set them here. */
94c6f8
+
94c6f8
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
94c6f8
+			/* rand file */
94c6f8
+			if (options.tls_randfile != NULL) {
94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
94c6f8
+				    options.tls_randfile)) != LDAP_SUCCESS)
94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
94c6f8
+					    ldap_err2string (rc));
94c6f8
+				debug3 ("Set TLS random file %s", options.tls_randfile);
94c6f8
+			}
94c6f8
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
94c6f8
+
94c6f8
+			/* ca cert file */
94c6f8
+			if (options.tls_cacertfile != NULL) {
94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
94c6f8
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
94c6f8
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
94c6f8
+					    ldap_err2string (rc));
94c6f8
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
94c6f8
+			}
94c6f8
+
94c6f8
+			/* ca cert directory */
94c6f8
+			if (options.tls_cacertdir != NULL) {
94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
94c6f8
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
94c6f8
+					    ldap_err2string (rc));
94c6f8
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
94c6f8
+			}
94c6f8
+
94c6f8
+			/* require cert? */
94c6f8
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
94c6f8
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
94c6f8
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
94c6f8
+				    ldap_err2string (rc));
94c6f8
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
94c6f8
+
94c6f8
+			/* set cipher suite, certificate and private key: */
94c6f8
+			if (options.tls_ciphers != NULL) {
94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
94c6f8
+				    options.tls_ciphers)) != LDAP_SUCCESS)
94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
94c6f8
+					    ldap_err2string (rc));
94c6f8
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
94c6f8
+			}
Jan F. Chadima 69dd72
+
94c6f8
+			/* cert file */
94c6f8
+			if (options.tls_cert != NULL) {
94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
94c6f8
+				    options.tls_cert)) != LDAP_SUCCESS)
94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
94c6f8
+					    ldap_err2string (rc));
94c6f8
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
94c6f8
+			}
Jan F. Chadima 69dd72
+
94c6f8
+			/* key file */
94c6f8
+			if (options.tls_key != NULL) {
94c6f8
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
94c6f8
+				    options.tls_key)) != LDAP_SUCCESS)
94c6f8
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
94c6f8
+					    ldap_err2string (rc));
94c6f8
+				debug3 ("Set TLS key file %s ", options.tls_key);
94c6f8
+			}
94c6f8
+#endif
94c6f8
+#ifdef HAVE_LDAP_INITIALIZE
94c6f8
+			if (options.uri != NULL) {
94c6f8
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
94c6f8
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
94c6f8
+				debug3 ("LDAP initialize %s", options.uri);
94c6f8
+			}
94c6f8
+	}
94c6f8
+#endif /* HAVE_LDAP_INTITIALIZE */
Jan F. Chadima 69dd72
+
94c6f8
+		/* continue with opening */
94c6f8
+		if ((ld == NULL) && (options.host != NULL)) {
94c6f8
+#ifdef HAVE_LDAP_INIT
94c6f8
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
94c6f8
+			    fatal ("ldap_init failed");
94c6f8
+			debug3 ("LDAP init %s:%d", options.host, options.port);
94c6f8
+#else
94c6f8
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
94c6f8
+			    fatal ("ldap_open failed");
94c6f8
+			debug3 ("LDAP open %s:%d", options.host, options.port);
94c6f8
+#endif /* HAVE_LDAP_INIT */
94c6f8
+		}
Jan F. Chadima 69dd72
+
94c6f8
+		if (ld == NULL)
94c6f8
+			fatal ("no way to open ldap");
Jan F. Chadima 69dd72
+
94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
94c6f8
+		if (options.ssl == SSL_LDAPS) {
94c6f8
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
94c6f8
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
94c6f8
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
94c6f8
+		}
94c6f8
+#endif /* LDAP_OPT_X_TLS */
Jan F. Chadima 69dd72
+
94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
94c6f8
+		    &options.ldap_version);
94c6f8
+#else
94c6f8
+		ld->ld_version = options.ldap_version;
94c6f8
+#endif
94c6f8
+		debug3 ("LDAP set version to %d", options.ldap_version);
Jan F. Chadima 69dd72
+
94c6f8
+#if LDAP_SET_REBIND_PROC_ARGS == 3
94c6f8
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
94c6f8
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
94c6f8
+		ldap_set_rebind_proc (ld, _rebind_proc);
94c6f8
+#else
94c6f8
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
94c6f8
+#endif
94c6f8
+		debug3 ("LDAP set rebind proc");
Jan F. Chadima 69dd72
+
94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
94c6f8
+#else
94c6f8
+		ld->ld_deref = options.deref;
94c6f8
+#endif
94c6f8
+		debug3 ("LDAP set deref to %d", options.deref);
Jan F. Chadima 69dd72
+
94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
94c6f8
+		    &options.timelimit);
94c6f8
+#else
94c6f8
+		ld->ld_timelimit = options.timelimit;
94c6f8
+#endif
94c6f8
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
Jan F. Chadima 69dd72
+
94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
94c6f8
+		/*
94c6f8
+		 * This is a new option in the Netscape SDK which sets 
94c6f8
+		 * the TCP connect timeout. For want of a better value,
94c6f8
+		 * we use the bind_timelimit to control this.
94c6f8
+		 */
94c6f8
+		timeout = options.bind_timelimit * 1000;
94c6f8
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
94c6f8
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
94c6f8
+#endif
36a09e
+
94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
94c6f8
+		tv.tv_sec = options.bind_timelimit;
94c6f8
+		tv.tv_usec = 0;
94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
94c6f8
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
94c6f8
+#endif
36a09e
+
94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
94c6f8
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
94c6f8
+		debug3 ("LDAP set referrals to %d", options.referrals);
94c6f8
+#endif
36a09e
+
94c6f8
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
94c6f8
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
94c6f8
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
94c6f8
+		debug3 ("LDAP set restart to %d", options.restart);
94c6f8
+#endif
36a09e
+
94c6f8
+#ifdef HAVE_LDAP_START_TLS_S
94c6f8
+		if (options.ssl == SSL_START_TLS) {
94c6f8
+			int version;
36a09e
+
94c6f8
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
94c6f8
+			    == LDAP_SUCCESS) {
94c6f8
+				if (version < LDAP_VERSION3) {
94c6f8
+					version = LDAP_VERSION3;
94c6f8
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
94c6f8
+					    &version);
94c6f8
+					debug3 ("LDAP set version to %d", version);
94c6f8
+				}
94c6f8
+			}
36a09e
+
94c6f8
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
94c6f8
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
94c6f8
+			debug3 ("LDAP start TLS");
94c6f8
+		}
94c6f8
+#endif /* HAVE_LDAP_START_TLS_S */
94c6f8
+	}
36a09e
+
94c6f8
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
94c6f8
+	    options.bindpw)) == -1) {
94c6f8
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
36a09e
+
94c6f8
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
94c6f8
+		reconnect++;
94c6f8
+		goto retry;
94c6f8
+	}
94c6f8
+	debug3 ("LDAP simple bind (%s)", options.binddn);
Jan F. Chadima 69dd72
+
94c6f8
+	timeout.tv_sec = options.bind_timelimit;
94c6f8
+	timeout.tv_usec = 0;
94c6f8
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
94c6f8
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Jan F. Chadima 69dd72
+
94c6f8
+		error ("ldap_result %s", ldap_err2string (ld_errno));
94c6f8
+		reconnect++;
94c6f8
+		goto retry;
Jan F. Chadima 69dd72
+	}
94c6f8
+	debug3 ("LDAP result in time");
Jan F. Chadima 69dd72
+
94c6f8
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
94c6f8
+	controls = NULL;
94c6f8
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
94c6f8
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
94c6f8
+	debug3 ("LDAP parse result OK");
Jan F. Chadima 69dd72
+
94c6f8
+	if (controls != NULL) {
94c6f8
+		ldap_controls_free (controls);
94c6f8
+	}
94c6f8
+#else
94c6f8
+	rc = ldap_result2error (session->ld, result, TRUE);
94c6f8
+#endif
94c6f8
+	if (rc != LDAP_SUCCESS)
94c6f8
+	    fatal ("error trying to bind as user \"%s\" (%s)",
94c6f8
+		options.binddn, ldap_err2string (rc));
Jan F. Chadima 69dd72
+
94c6f8
+	debug2 ("LDAP do connect OK");
94c6f8
+}
Jan F. Chadima 69dd72
+
94c6f8
+void
94c6f8
+process_user (const char *user, FILE *output)
94c6f8
+{
94c6f8
+	LDAPMessage *res, *e;
3bc8b8
+	char *buffer, *format;
3bc8b8
+	int rc, i;
94c6f8
+	struct timeval timeout;
Jan F. Chadima 69dd72
+
94c6f8
+	debug ("LDAP process user");
Jan F. Chadima 69dd72
+
94c6f8
+	/* quick check for attempts to be evil */
94c6f8
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
94c6f8
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
94c6f8
+		logit ("illegal user name %s not processed", user);
94c6f8
+		return;
94c6f8
+	}
Jan F. Chadima 69dd72
+
94c6f8
+	/* build  filter for LDAP request */
3bc8b8
+	format = LDAPSEARCH_FORMAT;
3bc8b8
+	if (options.search_format != NULL)
3bc8b8
+		format = options.search_format;
3bc8b8
+	buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
Jan F. Chadima 69dd72
+
94c6f8
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
Jan F. Chadima 69dd72
+
94c6f8
+	timeout.tv_sec = options.timelimit;
94c6f8
+	timeout.tv_usec = 0;
94c6f8
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
94c6f8
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
94c6f8
+		free (buffer);
94c6f8
+		return;
94c6f8
+	}
Jan F. Chadima 69dd72
+
94c6f8
+	/* free */
94c6f8
+	free (buffer);
Jan F. Chadima 69dd72
+
94c6f8
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
94c6f8
+		int num;
94c6f8
+		struct berval **keys;
Jan F. Chadima 69dd72
+
94c6f8
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
94c6f8
+		num = ldap_count_values_len(keys);
94c6f8
+		for (i = 0 ; i < num ; i++) {
94c6f8
+			char *cp; //, *options = NULL;
Jan F. Chadima 69dd72
+
94c6f8
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
94c6f8
+			if (!*cp || *cp == '\n' || *cp == '#')
94c6f8
+			    continue;
Jan F. Chadima 69dd72
+
94c6f8
+			/* We have found the desired key. */
94c6f8
+			fprintf (output, "%s\n", keys[i]->bv_val);
94c6f8
+		}
Jan F. Chadima 69dd72
+
94c6f8
+		ldap_value_free_len(keys);
94c6f8
+	}
Jan F. Chadima 69dd72
+
94c6f8
+	ldap_msgfree(res);
94c6f8
+	debug2 ("LDAP process user finished");
94c6f8
+}
Jan F. Chadima 69dd72
+
94c6f8
+void
94c6f8
+ldap_do_close(void)
94c6f8
+{
94c6f8
+	int rc;
Jan F. Chadima 69dd72
+
94c6f8
+	debug ("LDAP do close");
94c6f8
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
94c6f8
+	    fatal ("ldap_unbind_ext: %s",
94c6f8
+                                    ldap_err2string (rc));
Jan F. Chadima 69dd72
+
94c6f8
+	ld = NULL;
94c6f8
+	debug2 ("LDAP do close OK");
94c6f8
+	return;
94c6f8
+}
65ba94
+
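Review bot: in `_rebind_proc` (the `LDAP_API_VERSION > 2000` branch) the message id returned by `ldap_simple_bind(ld, options.binddn, options.bindpw)` is thrown away and `ldap_result()` is then polled with the callback's own `msgid` parameter, which names the request that triggered the referral, not the new bind; keep the return value (`if ((bind_msgid = ldap_simple_bind(...)) < 0)`) and poll on that, and return `LDAP_OPERATIONS_ERROR` instead of calling `fatal()` from inside a library callback. Several lines in `ldap_do_connect` do not compile as written: `(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;` lacks its closing parenthesis, `timeout = options.bind_timelimit * 1000;` assigns an `int` to the `struct timeval timeout` (the Netscape option wants a separate `int` in milliseconds), `session->ld` in the `ldap_result2error` fallback refers to no declared `session`, and `reconnect` and `result` are declared only under `HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE` yet used unconditionally at `retry:` and in the `ldap_result` call. In `process_user`, `fprintf (output, "%s\n", keys[i]->bv_val)` treats a berval as a NUL-terminated string and copies it verbatim into the authorized_keys stream; print `%.*s` with `(int)keys[i]->bv_len` and skip values that contain a newline so one `sshPublicKey` value can never yield more than one key line. The `(`, `)`, `*`, `\\` blocklist guards only `%u`; `options.ssh_filter` and `options.search_format` are expanded unescaped, which is acceptable for administrator-controlled config but deserves a comment, and RFC 4515 escaping of the user name would be more robust than rejecting it. Minor: the log file name budget of `strlen("000000")` assumes at most six PID digits, and `fatal()` in `ldap_do_close` on an unbind error is harsher than `error()`.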
132f8f
diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h
132f8f
--- openssh-6.8p1/ldapbody.h.ldap	2015-03-18 11:11:29.031801462 +0100
132f8f
+++ openssh-6.8p1/ldapbody.h	2015-03-18 11:11:29.031801462 +0100
94c6f8
@@ -0,0 +1,37 @@
94c6f8
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
94c6f8
+/*
94c6f8
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
94c6f8
+ *
94c6f8
+ * Redistribution and use in source and binary forms, with or without
94c6f8
+ * modification, are permitted provided that the following conditions
94c6f8
+ * are met:
94c6f8
+ * 1. Redistributions of source code must retain the above copyright
94c6f8
+ *    notice, this list of conditions and the following disclaimer.
94c6f8
+ * 2. Redistributions in binary form must reproduce the above copyright
94c6f8
+ *    notice, this list of conditions and the following disclaimer in the
94c6f8
+ *    documentation and/or other materials provided with the distribution.
94c6f8
+ *
94c6f8
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
94c6f8
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
94c6f8
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
94c6f8
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
94c6f8
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
94c6f8
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
94c6f8
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
94c6f8
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
94c6f8
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
94c6f8
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
94c6f8
+ */
Jan F. Chadima 69dd72
+
94c6f8
+#ifndef LDAPBODY_H
94c6f8
+#define LDAPBODY_H
Jan F. Chadima 69dd72
+
94c6f8
+#include <stdio.h>
Jan F. Chadima 69dd72
+
94c6f8
+void ldap_checkconfig(void);
94c6f8
+void ldap_do_connect(void);
94c6f8
+void process_user(const char *, FILE *);
94c6f8
+void ldap_do_close(void);
Jan F. Chadima 69dd72
+
94c6f8
+#endif /* LDAPBODY_H */
Jan F. Chadima 69dd72
+
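Review bot: `process_user` is the only exported symbol in this header without the `ldap_` prefix the other three prototypes carry; renaming it (for example `ldap_process_user`) keeps the module's namespace consistent and avoids colliding with a caller's own helper of the same name. A one-line comment per prototype recording that `ldap_checkconfig()` and `ldap_do_connect()` must precede `process_user()`, and that `process_user()` writes authorized_keys-format lines to `output`, would also help, since nothing in the header states that ordering.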
132f8f
diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
132f8f
--- openssh-6.8p1/ldapconf.c.ldap	2015-03-18 11:11:29.032801460 +0100
132f8f
+++ openssh-6.8p1/ldapconf.c	2015-03-18 11:11:29.032801460 +0100
3bc8b8
@@ -0,0 +1,728 @@
94c6f8
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
94c6f8
+/*
94c6f8
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
94c6f8
+ *
94c6f8
+ * Redistribution and use in source and binary forms, with or without
94c6f8
+ * modification, are permitted provided that the following conditions
94c6f8
+ * are met:
94c6f8
+ * 1. Redistributions of source code must retain the above copyright
94c6f8
+ *    notice, this list of conditions and the following disclaimer.
94c6f8
+ * 2. Redistributions in binary form must reproduce the above copyright
94c6f8
+ *    notice, this list of conditions and the following disclaimer in the
94c6f8
+ *    documentation and/or other materials provided with the distribution.
94c6f8
+ *
94c6f8
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
94c6f8
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
94c6f8
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
94c6f8
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
94c6f8
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
94c6f8
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
94c6f8
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
94c6f8
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
94c6f8
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
94c6f8
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
94c6f8
+ */
Jan F. Chadima 69dd72
+
94c6f8
+#include "ldapincludes.h"
94c6f8
+#include "ldap-helper.h"
94c6f8
+#include "log.h"
94c6f8
+#include "misc.h"
94c6f8
+#include "xmalloc.h"
94c6f8
+#include "ldapconf.h"
94c6f8
+#include <unistd.h>
94c6f8
+#include <string.h>
Jan F. Chadima 69dd72
+
94c6f8
+/* Keyword tokens. */
Jan F. Chadima 69dd72
+
94c6f8
+typedef enum {
94c6f8
+	lBadOption,
94c6f8
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
94c6f8
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
94c6f8
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
94c6f8
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
94c6f8
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
3bc8b8
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
94c6f8
+	lAccountClass, lDeprecated, lUnsupported
94c6f8
+} OpCodes;
Jan F. Chadima 69dd72
+
94c6f8
+/* Textual representations of the tokens. */
Jan F. Chadima 69dd72
+
94c6f8
+static struct {
94c6f8
+	const char *name;
94c6f8
+	OpCodes opcode;
94c6f8
+} keywords[] = {
94c6f8
+	{ "URI", lURI },
94c6f8
+	{ "Base", lBase },
94c6f8
+	{ "BindDN", lBindDN },
94c6f8
+	{ "BindPW", lBindPW },
94c6f8
+	{ "RootBindDN", lRootBindDN },
94c6f8
+	{ "Host", lHost },
94c6f8
+	{ "Port", lPort },
94c6f8
+	{ "Scope", lScope },
94c6f8
+	{ "Deref", lDeref },
94c6f8
+	{ "TimeLimit", lTimeLimit },
94c6f8
+	{ "TimeOut", lTimeLimit },
94c6f8
+	{ "Bind_Timelimit", lBind_TimeLimit },
94c6f8
+	{ "Network_TimeOut", lBind_TimeLimit },
94c6f8
+/*
94c6f8
+ * Todo
94c6f8
+ * SIZELIMIT
94c6f8
+ */
94c6f8
+	{ "Ldap_Version", lLdap_Version },
94c6f8
+	{ "Version", lLdap_Version },
94c6f8
+	{ "Bind_Policy", lBind_Policy },
94c6f8
+	{ "SSLPath", lSSLPath },
94c6f8
+	{ "SSL", lSSL },
94c6f8
+	{ "Referrals", lReferrals },
94c6f8
+	{ "Restart", lRestart },
94c6f8
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
94c6f8
+	{ "TLS_ReqCert", lTLS_CheckPeer },
94c6f8
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
94c6f8
+	{ "TLS_CaCert", lTLS_CaCertFile },
94c6f8
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
94c6f8
+	{ "TLS_Ciphers", lTLS_Ciphers },
94c6f8
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
94c6f8
+	{ "TLS_Cert", lTLS_Cert },
94c6f8
+	{ "TLS_Certificate", lTLS_Cert },
94c6f8
+	{ "TLS_Key", lTLS_Key },
94c6f8
+	{ "TLS_RandFile", lTLS_RandFile },
94c6f8
+/*
94c6f8
+ * Todo
94c6f8
+ * TLS_CRLCHECK
94c6f8
+ * TLS_CRLFILE
94c6f8
+ */
94c6f8
+	{ "LogDir", lLogDir },
94c6f8
+	{ "Debug", lDebug },
94c6f8
+	{ "SSH_Filter", lSSH_Filter },
3bc8b8
+	{ "search_format", lSearch_Format },
94c6f8
+	{ "AccountClass", lAccountClass },
94c6f8
+	{ NULL, lBadOption }
94c6f8
+};
Jan F. Chadima 69dd72
+
94c6f8
+/* Configuration ptions. */
Jan F. Chadima 69dd72
+
94c6f8
+Options options;
e6dbb8
+
94c6f8
+/*
94c6f8
+ * Returns the number of the token pointed to by cp or oBadOption.
94c6f8
+ */
Jan F. Chadima 69dd72
+
94c6f8
+static OpCodes
94c6f8
+parse_token(const char *cp, const char *filename, int linenum)
94c6f8
+{
94c6f8
+	u_int i;
Jan F. Chadima 69dd72
+
94c6f8
+	for (i = 0; keywords[i].name; i++)
94c6f8
+		if (strcasecmp(cp, keywords[i].name) == 0)
94c6f8
+			return keywords[i].opcode;
Jan F. Chadima 69dd72
+
94c6f8
+	if (config_warning_config_file) 
94c6f8
+	    logit("%s: line %d: Bad configuration option: %s",
94c6f8
+		filename, linenum, cp);
94c6f8
+	return lBadOption;
65ba94
+}
Jan F. Chadima 69dd72
+
94c6f8
+/* Characters considered whitespace in strsep calls. */
94c6f8
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 69dd72
+
94c6f8
+/* return next token in configuration line */
94c6f8
+static char *
94c6f8
+ldap_strdelim(char **s)
Jan F. Chadima 69dd72
+{
94c6f8
+      char *old;
94c6f8
+      int wspace = 0;
Jan F. Chadima 69dd72
+
94c6f8
+      if (*s == NULL)
94c6f8
+              return NULL;
Jan F. Chadima 69dd72
+
94c6f8
+      old = *s;
65ba94
+
94c6f8
+      *s = strpbrk(*s, WHITESPACE);
94c6f8
+      if (*s == NULL)
94c6f8
+              return (old);
65ba94
+
94c6f8
+      *s[0] = '\0';
Jan F. Chadima 69dd72
+
94c6f8
+      /* Skip any extra whitespace after first token */
94c6f8
+      *s += strspn(*s + 1, WHITESPACE) + 1;
94c6f8
+      if (*s[0] == '=' && !wspace)
94c6f8
+              *s += strspn(*s + 1, WHITESPACE) + 1;
Jan F. Chadima 69dd72
+
94c6f8
+      return (old);
65ba94
+}
Jan F. Chadima 69dd72
+
65ba94
+/*
94c6f8
+ * Processes a single option line as used in the configuration files. This
94c6f8
+ * only sets those values that have not already been set.
65ba94
+ */
94c6f8
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 69dd72
+
94c6f8
+static int
94c6f8
+process_config_line(char *line, const char *filename, int linenum)
65ba94
+{
94c6f8
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
94c6f8
+	char *rootbinddn = NULL;
94c6f8
+	int opcode, *intptr, value;
94c6f8
+	size_t len;
Jan F. Chadima 69dd72
+
94c6f8
+	/* Strip trailing whitespace */
94c6f8
+	for (len = strlen(line) - 1; len > 0; len--) {
94c6f8
+		if (strchr(WHITESPACE, line[len]) == NULL)
94c6f8
+			break;
94c6f8
+		line[len] = '\0';
94c6f8
+	}
Jan F. Chadima 69dd72
+
94c6f8
+	s = line;
94c6f8
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
94c6f8
+	if ((keyword = ldap_strdelim(&s)) == NULL)
94c6f8
+		return 0;
94c6f8
+	/* Ignore leading whitespace. */
94c6f8
+	if (*keyword == '\0')
94c6f8
+		keyword = ldap_strdelim(&s);
94c6f8
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
94c6f8
+		return 0;
Jan F. Chadima 69dd72
+
94c6f8
+	opcode = parse_token(keyword, filename, linenum);
Jan F. Chadima 69dd72
+
94c6f8
+	switch (opcode) {
94c6f8
+	case lBadOption:
94c6f8
+		/* don't panic, but count bad options */
94c6f8
+		return -1;
94c6f8
+		/* NOTREACHED */
Jan F. Chadima 69dd72
+
94c6f8
+	case lHost:
94c6f8
+		xstringptr = &options.host;
94c6f8
+parse_xstring:
94c6f8
+		if (!s || *s == '\0')
94c6f8
+		    fatal("%s line %d: missing dn",filename,linenum);
94c6f8
+		if (*xstringptr == NULL)
94c6f8
+		    *xstringptr = xstrdup(s);
94c6f8
+		return 0;
Jan F. Chadima 69dd72
+
94c6f8
+	case lURI:
94c6f8
+		xstringptr = &options.uri;
94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
94c6f8
+	case lBase:
94c6f8
+		xstringptr = &options.base;
94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
94c6f8
+	case lBindDN:
94c6f8
+		xstringptr = &options.binddn;
94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
94c6f8
+	case lBindPW:
94c6f8
+		charptr = &options.bindpw;
94c6f8
+parse_string:
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
94c6f8
+		if (*charptr == NULL)
94c6f8
+			*charptr = xstrdup(arg);
94c6f8
+		break;
Jan F. Chadima 69dd72
+
94c6f8
+	case lRootBindDN:
94c6f8
+		xstringptr = &rootbinddn;
94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
94c6f8
+	case lScope:
94c6f8
+		intptr = &options.scope;
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
94c6f8
+		value = 0;	/* To avoid compiler warning... */
94c6f8
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
94c6f8
+			value = LDAP_SCOPE_SUBTREE;
94c6f8
+		else if (strcasecmp (arg, "one") == 0)
94c6f8
+			value = LDAP_SCOPE_ONELEVEL;
94c6f8
+		else if (strcasecmp (arg, "base") == 0)
94c6f8
+			value = LDAP_SCOPE_BASE;
94c6f8
+		else
94c6f8
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
94c6f8
+		if (*intptr == -1)
94c6f8
+			*intptr = value;
94c6f8
+		break;
Jan F. Chadima 69dd72
+
94c6f8
+	case lDeref:
94c6f8
+		intptr = &options.scope;
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
94c6f8
+		value = 0;	/* To avoid compiler warning... */
94c6f8
+		if (!strcasecmp (arg, "never"))
94c6f8
+			value = LDAP_DEREF_NEVER;
94c6f8
+		else if (!strcasecmp (arg, "searching"))
94c6f8
+			value = LDAP_DEREF_SEARCHING;
94c6f8
+		else if (!strcasecmp (arg, "finding"))
94c6f8
+			value = LDAP_DEREF_FINDING;
94c6f8
+		else if (!strcasecmp (arg, "always"))
94c6f8
+			value = LDAP_DEREF_ALWAYS;
94c6f8
+		else
94c6f8
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
94c6f8
+		if (*intptr == -1)
94c6f8
+			*intptr = value;
94c6f8
+		break;
94c6f8
+
94c6f8
+	case lPort:
94c6f8
+		intptr = &options.port;
94c6f8
+parse_int:
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
94c6f8
+		if (arg[0] < '0' || arg[0] > '9')
94c6f8
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 69dd72
+
94c6f8
+		/* Octal, decimal, or hex format? */
94c6f8
+		value = strtol(arg, &endofnumber, 0);
94c6f8
+		if (arg == endofnumber)
94c6f8
+			fatal("%.200s line %d: Bad number.", filename, linenum);
94c6f8
+		if (*intptr == -1)
94c6f8
+			*intptr = value;
94c6f8
+		break;
Jan F. Chadima 69dd72
+
94c6f8
+	case lTimeLimit:
94c6f8
+		intptr = &options.timelimit;
94c6f8
+parse_time:
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%s line %d: missing time value.",
94c6f8
+			    filename, linenum);
94c6f8
+		if ((value = convtime(arg)) == -1)
94c6f8
+			fatal("%s line %d: invalid time value.",
94c6f8
+			    filename, linenum);
94c6f8
+		if (*intptr == -1)
94c6f8
+			*intptr = value;
94c6f8
+		break;
Jan F. Chadima 69dd72
+
94c6f8
+	case lBind_TimeLimit:
94c6f8
+		intptr = &options.bind_timelimit;
94c6f8
+		goto parse_time;
Jan F. Chadima 69dd72
+
94c6f8
+	case lLdap_Version:
94c6f8
+		intptr = &options.ldap_version;
94c6f8
+		goto parse_int;
Jan F. Chadima 69dd72
+
94c6f8
+	case lBind_Policy:
94c6f8
+		intptr = &options.bind_policy;
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
94c6f8
+		value = 0;	/* To avoid compiler warning... */
94c6f8
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
94c6f8
+			value = 1;
94c6f8
+		else if (strcasecmp(arg, "soft") == 0)
94c6f8
+			value = 0;
94c6f8
+		else
94c6f8
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
94c6f8
+		if (*intptr == -1)
f92cd0
+			*intptr = value;
94c6f8
+		break;
Jan F. Chadima 69dd72
+
94c6f8
+	case lSSLPath:
94c6f8
+		charptr = &options.sslpath;
94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
94c6f8
+	case lSSL:
94c6f8
+		intptr = &options.ssl;
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
94c6f8
+		value = 0;	/* To avoid compiler warning... */
94c6f8
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
94c6f8
+			value = SSL_LDAPS;
94c6f8
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
94c6f8
+			value = SSL_OFF;
94c6f8
+		else if (!strcasecmp (arg, "start_tls"))
94c6f8
+			value = SSL_START_TLS;
94c6f8
+		else
94c6f8
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
94c6f8
+		if (*intptr == -1)
94c6f8
+			*intptr = value;
94c6f8
+		break;
Jan F. Chadima 69dd72
+
94c6f8
+	case lReferrals:
94c6f8
+		intptr = &options.referrals;
94c6f8
+parse_flag:
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
94c6f8
+		value = 0;	/* To avoid compiler warning... */
94c6f8
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
94c6f8
+			value = 1;
94c6f8
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
94c6f8
+			value = 0;
94c6f8
+		else
94c6f8
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
94c6f8
+		if (*intptr == -1)
94c6f8
+			*intptr = value;
94c6f8
+		break;
Jan F. Chadima 69dd72
+
94c6f8
+	case lRestart:
94c6f8
+		intptr = &options.restart;
94c6f8
+		goto parse_flag;
Jan F. Chadima 69dd72
+
94c6f8
+	case lTLS_CheckPeer:
94c6f8
+		intptr = &options.tls_checkpeer;
94c6f8
+		arg = ldap_strdelim(&s);
94c6f8
+		if (!arg || *arg == '\0')
94c6f8
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
94c6f8
+		value = 0;	/* To avoid compiler warning... */
94c6f8
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
94c6f8
+			value = LDAP_OPT_X_TLS_NEVER;
94c6f8
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
94c6f8
+			value = LDAP_OPT_X_TLS_HARD;
94c6f8
+		else if (strcasecmp(arg, "demand") == 0)
94c6f8
+			value = LDAP_OPT_X_TLS_DEMAND;
94c6f8
+		else if (strcasecmp(arg, "allow") == 0)
94c6f8
+			value = LDAP_OPT_X_TLS_ALLOW;
94c6f8
+		else if (strcasecmp(arg, "try") == 0)
94c6f8
+			value = LDAP_OPT_X_TLS_TRY;
94c6f8
+		else
94c6f8
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
94c6f8
+		if (*intptr == -1)
f92cd0
+			*intptr = value;
94c6f8
+		break;
Jan F. Chadima 69dd72
+
94c6f8
+	case lTLS_CaCertFile:
94c6f8
+		charptr = &options.tls_cacertfile;
94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
94c6f8
+	case lTLS_CaCertDir:
94c6f8
+		charptr = &options.tls_cacertdir;
94c6f8
+		goto parse_string;
65ba94
+
94c6f8
+	case lTLS_Ciphers:
94c6f8
+		xstringptr = &options.tls_ciphers;
94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
94c6f8
+	case lTLS_Cert:
94c6f8
+		charptr = &options.tls_cert;
94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
94c6f8
+	case lTLS_Key:
94c6f8
+		charptr = &options.tls_key;
94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
94c6f8
+	case lTLS_RandFile:
94c6f8
+		charptr = &options.tls_randfile;
94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
94c6f8
+	case lLogDir:
94c6f8
+		charptr = &options.logdir;
94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
94c6f8
+	case lDebug:
94c6f8
+		intptr = &options.debug;
94c6f8
+		goto parse_int;
Jan F. Chadima 69dd72
+
94c6f8
+	case lSSH_Filter:
94c6f8
+		xstringptr = &options.ssh_filter;
94c6f8
+		goto parse_xstring;
Jan F. Chadima 69dd72
+
3bc8b8
+	case lSearch_Format:
3bc8b8
+		charptr = &options.search_format;
3bc8b8
+		goto parse_string;
3bc8b8
+
94c6f8
+	case lAccountClass:
94c6f8
+		charptr = &options.account_class;
94c6f8
+		goto parse_string;
Jan F. Chadima 69dd72
+
94c6f8
+	case lDeprecated:
94c6f8
+		debug("%s line %d: Deprecated option \"%s\"",
94c6f8
+		    filename, linenum, keyword);
94c6f8
+		return 0;
Jan F. Chadima 69dd72
+
94c6f8
+	case lUnsupported:
94c6f8
+		error("%s line %d: Unsupported option \"%s\"",
94c6f8
+		    filename, linenum, keyword);
94c6f8
+		return 0;
Jan F. Chadima 69dd72
+
94c6f8
+	default:
94c6f8
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
94c6f8
+	}
Jan F. Chadima 69dd72
+
94c6f8
+	/* Check that there is no garbage at end of line. */
94c6f8
+	if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
94c6f8
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
94c6f8
+		    filename, linenum, arg);
94c6f8
+	}
94c6f8
+	return 0;
94c6f8
+}
Jan F. Chadima 69dd72
+
94c6f8
+/*
94c6f8
+ * Reads the config file and modifies the options accordingly.  Options
94c6f8
+ * should already be initialized before this call.  This never returns if
94c6f8
+ * there is an error.  If the file does not exist, this returns 0.
94c6f8
+ */
Jan F. Chadima 69dd72
+
94c6f8
+void
94c6f8
+read_config_file(const char *filename)
94c6f8
+{
94c6f8
+	FILE *f;
94c6f8
+	char line[1024];
580f98
+	int linenum;
94c6f8
+	int bad_options = 0;
94c6f8
+	struct stat sb;
Jan F. Chadima 69dd72
+
94c6f8
+	if ((f = fopen(filename, "r")) == NULL)
94c6f8
+		fatal("fopen %s: %s", filename, strerror(errno));
Jan F. Chadima 69dd72
+
94c6f8
+	if (fstat(fileno(f), &sb) == -1)
94c6f8
+		fatal("fstat %s: %s", filename, strerror(errno));
94c6f8
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
94c6f8
+	    (sb.st_mode & 022) != 0))
94c6f8
+		fatal("Bad owner or permissions on %s", filename);
Jan F. Chadima 69dd72
+
94c6f8
+	debug("Reading configuration data %.200s", filename);
Jan F. Chadima 69dd72
+
94c6f8
+	/*
94c6f8
+	 * Mark that we are now processing the options.  This flag is turned
94c6f8
+	 * on/off by Host specifications.
94c6f8
+	 */
94c6f8
+	linenum = 0;
94c6f8
+	while (fgets(line, sizeof(line), f)) {
94c6f8
+		/* Update line number counter. */
94c6f8
+		linenum++;
94c6f8
+		if (process_config_line(line, filename, linenum) != 0)
94c6f8
+			bad_options++;
94c6f8
+	}
94c6f8
+	fclose(f);
94c6f8
+	if ((bad_options > 0) && config_exclusive_config_file) 
94c6f8
+		fatal("%s: terminating, %d bad configuration options",
94c6f8
+		    filename, bad_options);
94c6f8
+}
Jan F. Chadima 69dd72
+
65ba94
+/*
94c6f8
+ * Initializes options to special values that indicate that they have not yet
94c6f8
+ * been set.  Read_config_file will only set options with this value. Options
94c6f8
+ * are processed in the following order: command line, user config file,
94c6f8
+ * system config file.  Last, fill_default_options is called.
65ba94
+ */
Jan F. Chadima 69dd72
+
94c6f8
+void
94c6f8
+initialize_options(void)
94c6f8
+{
94c6f8
+	memset(&options, 'X', sizeof(options));
94c6f8
+	options.host = NULL;
94c6f8
+	options.uri = NULL;
94c6f8
+	options.base = NULL;
94c6f8
+	options.binddn = NULL;
94c6f8
+	options.bindpw = NULL;
94c6f8
+	options.scope = -1;
94c6f8
+	options.deref = -1;
94c6f8
+	options.port = -1;
94c6f8
+	options.timelimit = -1;
94c6f8
+	options.bind_timelimit = -1;
94c6f8
+	options.ldap_version = -1;
94c6f8
+	options.bind_policy = -1;
94c6f8
+	options.sslpath = NULL;
94c6f8
+	options.ssl = -1;
94c6f8
+	options.referrals = -1;
94c6f8
+	options.restart = -1;
94c6f8
+	options.tls_checkpeer = -1;
94c6f8
+	options.tls_cacertfile = NULL;
94c6f8
+	options.tls_cacertdir = NULL;
94c6f8
+	options.tls_ciphers = NULL;
94c6f8
+	options.tls_cert = NULL;
94c6f8
+	options.tls_key = NULL;
94c6f8
+	options.tls_randfile = NULL;
94c6f8
+	options.logdir = NULL;
94c6f8
+	options.debug = -1;
94c6f8
+	options.ssh_filter = NULL;
3bc8b8
+	options.search_format = NULL;
94c6f8
+	options.account_class = NULL;
94c6f8
+}
94c6f8
+
94c6f8
+/*
94c6f8
+ * Called after processing other sources of option data, this fills those
94c6f8
+ * options for which no value has been specified with their default values.
94c6f8
+ */
94c6f8
+
94c6f8
+void
94c6f8
+fill_default_options(void)
94c6f8
+{
94c6f8
+	if (options.uri != NULL) {
94c6f8
+		LDAPURLDesc *ludp;
94c6f8
+
94c6f8
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
94c6f8
+			if (options.ssl == -1) {
94c6f8
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
94c6f8
+				    options.ssl = 2;
94c6f8
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
94c6f8
+				    options.ssl = 0;
94c6f8
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
94c6f8
+				    options.ssl = 1;
94c6f8
+			}
94c6f8
+			if (options.host == NULL)
94c6f8
+			    options.host = xstrdup (ludp->lud_host);
94c6f8
+			if (options.port == -1)
94c6f8
+			    options.port = ludp->lud_port;
94c6f8
+
94c6f8
+			ldap_free_urldesc (ludp);
94c6f8
+		}
94c6f8
+	} 
94c6f8
+	if (options.ssl == -1)
94c6f8
+	    options.ssl = SSL_START_TLS;
94c6f8
+	if (options.port == -1)
94c6f8
+	    options.port = (options.ssl == 0) ? 389 : 636;
94c6f8
+	if (options.uri == NULL) {
94c6f8
+		int len;
94c6f8
+#define MAXURILEN 4096
94c6f8
+
94c6f8
+		options.uri = xmalloc (MAXURILEN);
94c6f8
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
94c6f8
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
94c6f8
+		options.uri[MAXURILEN - 1] = 0;
535d34
+		options.uri = xreallocarray(options.uri, len + 1, 1);
94c6f8
+	}
94c6f8
+	if (options.binddn == NULL)
94c6f8
+	    options.binddn = "";
94c6f8
+	if (options.bindpw == NULL)
94c6f8
+	    options.bindpw = "";
94c6f8
+	if (options.scope == -1)
94c6f8
+	    options.scope = LDAP_SCOPE_SUBTREE;
94c6f8
+	if (options.deref == -1)
94c6f8
+	    options.deref = LDAP_DEREF_NEVER;
94c6f8
+	if (options.timelimit == -1)
94c6f8
+	    options.timelimit = 10;
94c6f8
+	if (options.bind_timelimit == -1)
94c6f8
+	    options.bind_timelimit = 10;
94c6f8
+	if (options.ldap_version == -1)
94c6f8
+	    options.ldap_version = 3;
94c6f8
+	if (options.bind_policy == -1)
94c6f8
+	    options.bind_policy = 1;
94c6f8
+	if (options.referrals == -1)
94c6f8
+	    options.referrals = 1;
94c6f8
+	if (options.restart == -1)
94c6f8
+	    options.restart = 1;
94c6f8
+	if (options.tls_checkpeer == -1)
94c6f8
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
94c6f8
+	if (options.debug == -1)
94c6f8
+	    options.debug = 0;
94c6f8
+	if (options.ssh_filter == NULL)
94c6f8
+	    options.ssh_filter = "";
94c6f8
+	if (options.account_class == NULL)
94c6f8
+	    options.account_class = "posixAccount";
94c6f8
+}
Jan F. Chadima 69dd72
+
94c6f8
+static const char *
94c6f8
+lookup_opcode_name(OpCodes code)
94c6f8
+{
94c6f8
+	u_int i;
94c6f8
+
94c6f8
+	for (i = 0; keywords[i].name != NULL; i++)
94c6f8
+	    if (keywords[i].opcode == code)
94c6f8
+		return(keywords[i].name);
94c6f8
+	return "UNKNOWN";
94c6f8
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+static void
94c6f8
+dump_cfg_string(OpCodes code, const char *val)
Jan F. Chadima 69dd72
+{
94c6f8
+	if (val == NULL)
94c6f8
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
94c6f8
+	else
94c6f8
+	    debug3("%s %s", lookup_opcode_name(code), val);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
94c6f8
+static void
94c6f8
+dump_cfg_int(OpCodes code, int val)
Jan F. Chadima 69dd72
+{
94c6f8
+	if (val == -1)
94c6f8
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
94c6f8
+	else
94c6f8
+	    debug3("%s %d", lookup_opcode_name(code), val);
94c6f8
+}
65ba94
+
94c6f8
+struct names {
94c6f8
+	int value;
94c6f8
+	char *name;
94c6f8
+};
65ba94
+
94c6f8
+static void
94c6f8
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
94c6f8
+{
94c6f8
+	u_int i;
65ba94
+
94c6f8
+	if (val == -1)
94c6f8
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
94c6f8
+	else {
94c6f8
+		for (i = 0; names[i].value != -1; i++)
94c6f8
+	 	    if (names[i].value == val) {
94c6f8
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
94c6f8
+			    return;
Jan F. Chadima 69dd72
+		}
94c6f8
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
Jan F. Chadima 69dd72
+	}
94c6f8
+}
Jan F. Chadima 69dd72
+
94c6f8
+static struct names _yesnotls[] = {
94c6f8
+	{ 0, "No" },
94c6f8
+	{ 1, "Yes" },
94c6f8
+	{ 2, "Start_TLS" },
94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
94c6f8
+static struct names _scope[] = {
94c6f8
+	{ LDAP_SCOPE_BASE, "Base" },
94c6f8
+	{ LDAP_SCOPE_ONELEVEL, "One" },
94c6f8
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
94c6f8
+static struct names _deref[] = {
94c6f8
+	{ LDAP_DEREF_NEVER, "Never" },
94c6f8
+	{ LDAP_DEREF_SEARCHING, "Searching" },
94c6f8
+	{ LDAP_DEREF_FINDING, "Finding" },
94c6f8
+	{ LDAP_DEREF_ALWAYS, "Always" },
94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
94c6f8
+static struct names _yesno[] = {
94c6f8
+	{ 0, "No" },
94c6f8
+	{ 1, "Yes" },
94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
94c6f8
+static struct names _bindpolicy[] = {
94c6f8
+	{ 0, "Soft" },
94c6f8
+	{ 1, "Hard" },
94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
94c6f8
+static struct names _checkpeer[] = {
94c6f8
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
94c6f8
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
94c6f8
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
94c6f8
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
94c6f8
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
94c6f8
+	{ -1, NULL }};
Jan F. Chadima 69dd72
+
94c6f8
+void
94c6f8
+dump_config(void)
94c6f8
+{
94c6f8
+	dump_cfg_string(lURI, options.uri);
94c6f8
+	dump_cfg_string(lHost, options.host);
94c6f8
+	dump_cfg_int(lPort, options.port);
94c6f8
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
94c6f8
+	dump_cfg_int(lLdap_Version, options.ldap_version);
94c6f8
+	dump_cfg_int(lTimeLimit, options.timelimit);
94c6f8
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
94c6f8
+	dump_cfg_string(lBase, options.base);
94c6f8
+	dump_cfg_string(lBindDN, options.binddn);
94c6f8
+	dump_cfg_string(lBindPW, options.bindpw);
94c6f8
+	dump_cfg_namedint(lScope, options.scope, _scope);
94c6f8
+	dump_cfg_namedint(lDeref, options.deref, _deref);
94c6f8
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
94c6f8
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
94c6f8
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
94c6f8
+	dump_cfg_string(lSSLPath, options.sslpath);
94c6f8
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
94c6f8
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
94c6f8
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
94c6f8
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
94c6f8
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
94c6f8
+	dump_cfg_string(lTLS_Key, options.tls_key);
94c6f8
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
94c6f8
+	dump_cfg_string(lLogDir, options.logdir);
94c6f8
+	dump_cfg_int(lDebug, options.debug);
94c6f8
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
3bc8b8
+	dump_cfg_string(lSearch_Format, options.search_format);
3bc8b8
+	dump_cfg_string(lAccountClass, options.account_class);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
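Review bot: fill_default_options picks the port and URI scheme by testing only `options.ssl == 0` (`options.port = (options.ssl == 0) ? 389 : 636;` and `"ldap%s://%s:%d", (options.ssl == 0) ? "" : "s"`), so with the default `SSL_START_TLS` (value 2) the helper ends up on port 636 with an `ldaps://` URI, which is the wrong transport for StartTLS (it upgrades a plain-LDAP connection on 389); test for `SSL_LDAPS` explicitly and leave StartTLS on `ldap://host:389`. In the same function the scheme-to-ssl mapping uses the literals 2, 0 and 1 although SSL_START_TLS/SSL_OFF/SSL_LDAPS exist for exactly this, `xstrdup (ludp->lud_host)` is not guarded against a NULL host (an `ldapi://` URI need not carry one), and the URI is composed with `%s` from `options.host` without first checking that a host was configured at all. dump_config writes the bind credential verbatim via `dump_cfg_string(lBindPW, options.bindpw);`, so any debug3 run puts the directory password into the log; mask it. Smaller points: the header comment on read_config_file says it returns 0 when the file does not exist but the code calls fatal() on any fopen failure; the "turned on/off by Host specifications" comment was carried over from the ssh client and does not apply here; the ownership check rejects group/world-writable files but not world-readable ones even though BindPW lives in this file; and the lTLS_CheckPeer messages spell "allow" as "alow".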
132f8f
diff -up openssh-6.8p1/ldapconf.h.ldap openssh-6.8p1/ldapconf.h
132f8f
--- openssh-6.8p1/ldapconf.h.ldap	2015-03-18 11:11:29.032801460 +0100
132f8f
+++ openssh-6.8p1/ldapconf.h	2015-03-18 11:11:29.032801460 +0100
3bc8b8
@@ -0,0 +1,73 @@
94c6f8
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
94c6f8
+#ifndef LDAPCONF_H
94c6f8
+#define LDAPCONF_H
Jan F. Chadima 69dd72
+
94c6f8
+#define SSL_OFF          0
94c6f8
+#define SSL_LDAPS        1
94c6f8
+#define SSL_START_TLS    2
94c6f8
+
94c6f8
+/* Data structure for representing option data. */
94c6f8
+
94c6f8
+typedef struct {
94c6f8
+	char *host;
94c6f8
+	char *uri;
94c6f8
+	char *base;
94c6f8
+	char *binddn;
94c6f8
+	char *bindpw;
94c6f8
+	int scope;
94c6f8
+	int deref;
94c6f8
+	int port;
94c6f8
+	int timelimit;
94c6f8
+	int bind_timelimit;
94c6f8
+	int ldap_version;
94c6f8
+	int bind_policy;
94c6f8
+	char *sslpath;
94c6f8
+	int ssl;
94c6f8
+	int referrals;
94c6f8
+	int restart;
94c6f8
+	int tls_checkpeer;
94c6f8
+	char *tls_cacertfile;
94c6f8
+	char *tls_cacertdir;
94c6f8
+	char *tls_ciphers;
94c6f8
+	char *tls_cert;
94c6f8
+	char *tls_key;
94c6f8
+	char *tls_randfile;
94c6f8
+	char *logdir;
94c6f8
+	int debug;
94c6f8
+	char *ssh_filter;
3bc8b8
+	char *search_format;
94c6f8
+	char *account_class;
94c6f8
+}       Options;
94c6f8
+
94c6f8
+extern Options options;
94c6f8
+
94c6f8
+void read_config_file(const char *);
94c6f8
+void initialize_options(void);
94c6f8
+void fill_default_options(void);
94c6f8
+void dump_config(void);
Jan F. Chadima 69dd72
+
94c6f8
+#endif /* LDAPCONF_H */
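Review bot: the RCS tag on the first line names `ldapconf.c` in a file that is `ldapconf.h`; fix the id. The `ssl` field has three valid values (SSL_OFF, SSL_LDAPS, SSL_START_TLS, defined just above the struct) plus -1 for "unset", but nothing documents that, and the literal 0/1/2 used for the same field in ldapconf.c suggests the constants were not wired through consistently; a one-line comment per field (at least `ssl`, `bind_policy` and `tls_checkpeer`, whose integer values are library enums) would help. `bindpw` is kept as a plaintext `char *` and the header declares no function that frees or scrubs the options after the bind; consider adding one so the credential does not stay in the helper's heap for its whole lifetime.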
132f8f
diff -up openssh-6.8p1/ldapincludes.h.ldap openssh-6.8p1/ldapincludes.h
132f8f
--- openssh-6.8p1/ldapincludes.h.ldap	2015-03-18 11:11:29.032801460 +0100
132f8f
+++ openssh-6.8p1/ldapincludes.h	2015-03-18 11:11:29.032801460 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,41 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPINCLUDES_H
Jan F. Chadima 69dd72
+#define LDAPINCLUDES_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "includes.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef HAVE_LBER_H
Jan F. Chadima 69dd72
+#include <lber.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_H
Jan F. Chadima 69dd72
+#include <ldap.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SSL_H
Jan F. Chadima 69dd72
+#include <ldap_ssl.h>
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPINCLUDES_H */
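Review bot: the RCS tag again reads `ldapconf.c` for a file named `ldapincludes.h`. More substantively, every include here is conditional (`#ifdef HAVE_LBER_H`, `#ifdef HAVE_LDAP_H`, `#ifdef HAVE_LDAP_SSL_H`), so when the configure probe for the LDAP headers fails this file silently provides nothing and the first use of `LDAP *` in ldapmisc.h becomes a compile error far from the cause; add an `#else`/`#error` under `HAVE_LDAP_H` so the missing dependency is reported where it is detected.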
132f8f
diff -up openssh-6.8p1/ldapmisc.c.ldap openssh-6.8p1/ldapmisc.c
132f8f
--- openssh-6.8p1/ldapmisc.c.ldap	2015-03-18 11:11:29.032801460 +0100
132f8f
+++ openssh-6.8p1/ldapmisc.c	2015-03-18 11:11:29.032801460 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,79 @@
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+#include "ldapmisc.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef HAVE_LDAP_GET_LDERRNO
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_GET_OPTION
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	int lderrno;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 69dd72
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	lderrno = ld->ld_errno;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (s != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 69dd72
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		*s = ld->ld_error;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (m != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 69dd72
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		*m = ld->ld_matched;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return lderrno;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef HAVE_LDAP_SET_LDERRNO
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 69dd72
+	int rc;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 69dd72
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+	    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+	ld->ld_errno = lderrno;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (s != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 69dd72
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_error = s;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	if (m != NULL) {
Jan F. Chadima 69dd72
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 69dd72
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 69dd72
+		    return rc;
Jan F. Chadima 69dd72
+#else
Jan F. Chadima 69dd72
+		ld->ld_matched = m;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return LDAP_SUCCESS;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
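Review bot: ldap_get_lderrno conflates two return meanings: on success it returns the stored LDAP error number, but if a later `ldap_get_option` call fails it returns that call's status (`return rc;`), and a caller cannot tell which of the two it received; either report option-fetch failures through a separate channel or fall back to the `lderrno` already read. In the `#else` branches of ldap_set_lderrno, `ld->ld_error = s;` and `ld->ld_matched = m;` store the caller's `const char *` straight into the handle (dropping const and tying the handle to the caller's buffer lifetime), and every `#else` path in both functions reaches into `ld->ld_errno`, `ld->ld_error` and `ld->ld_matched`, members of a struct that OpenLDAP keeps opaque, so those branches only compile against a library that exposes its internals. This is also the only new source file without a copyright/licence header, and the `int rc;` declarations are guarded by `HAVE_LDAP_GET_OPTION`/`HAVE_LDAP_SET_OPTION` alone while their uses additionally require `LDAP_OPT_ERROR_NUMBER` etc., which yields an unused-variable warning when the former is defined without the latter.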
132f8f
diff -up openssh-6.8p1/ldapmisc.h.ldap openssh-6.8p1/ldapmisc.h
132f8f
--- openssh-6.8p1/ldapmisc.h.ldap	2015-03-18 11:11:29.032801460 +0100
132f8f
+++ openssh-6.8p1/ldapmisc.h	2015-03-18 11:11:29.032801460 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,35 @@
Jan F. Chadima 69dd72
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 69dd72
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 69dd72
+ * are met:
Jan F. Chadima 69dd72
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 69dd72
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 69dd72
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 69dd72
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 69dd72
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 69dd72
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 69dd72
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 69dd72
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 69dd72
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 69dd72
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 69dd72
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 69dd72
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 69dd72
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifndef LDAPMISC_H
Jan F. Chadima 69dd72
+#define LDAPMISC_H
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#include "ldapincludes.h"
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+int ldap_get_lderrno (LDAP *, char **, char **);
Jan F. Chadima 69dd72
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#endif /* LDAPMISC_H */
Jan F. Chadima 69dd72
+
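Review bot: the prototypes for ldap_get_lderrno and ldap_set_lderrno are unconditional, but their definitions in ldapmisc.c are only compiled under `#ifndef HAVE_LDAP_GET_LDERRNO` / `#ifndef HAVE_LDAP_SET_LDERRNO`; on a library that already ships these functions (the very case those configure checks exist for) this header redeclares them, and any difference in signature, such as the `const char *` parameters used here, becomes a conflicting-declaration error. Wrap the prototypes in the same guards. The RCS tag reads `ldapbody.h` for a file named ldapmisc.h.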
132f8f
diff -up openssh-6.8p1/openssh-lpk-openldap.schema.ldap openssh-6.8p1/openssh-lpk-openldap.schema
132f8f
--- openssh-6.8p1/openssh-lpk-openldap.schema.ldap	2015-03-18 11:11:29.033801457 +0100
132f8f
+++ openssh-6.8p1/openssh-lpk-openldap.schema	2015-03-18 11:11:29.033801457 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,21 @@
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 69dd72
+#                              useful with PKA-LDAP also
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# Based on the proposal of : Mark Ruijter
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# octetString SYNTAX
Jan F. Chadima 69dd72
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 69dd72
+	EQUALITY octetStringMatch
Jan F. Chadima 69dd72
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# printableString SYNTAX yes|no
Jan F. Chadima 69dd72
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 69dd72
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 69dd72
+	)
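Review bot: the comment `# printableString SYNTAX yes|no` above the objectclass describes nothing in the definition that follows (an objectclass has no syntax and nothing here is a yes/no flag); it looks like a leftover from an earlier draft and should be removed or replaced with a sentence on what `ldapPublicKey` is for. Worth a second look as well: `MUST ( sshPublicKey $ uid )` makes the key attribute mandatory, so the auxiliary class cannot be attached to an account before its first key exists and the last key cannot be deleted without also dropping the class; `MAY` is the usual choice for an attribute that is added and removed during normal key rotation. The `MANDATORY:` prefix in both DESC strings adds nothing and will show up verbatim in schema browsers.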
132f8f
diff -up openssh-6.8p1/openssh-lpk-sun.schema.ldap openssh-6.8p1/openssh-lpk-sun.schema
132f8f
--- openssh-6.8p1/openssh-lpk-sun.schema.ldap	2015-03-18 11:11:29.033801457 +0100
132f8f
+++ openssh-6.8p1/openssh-lpk-sun.schema	2015-03-18 11:11:29.033801457 +0100
Jan F. Chadima 69dd72
@@ -0,0 +1,23 @@
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 69dd72
+#                              useful with PKA-LDAP also
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 69dd72
+# 
Jan F. Chadima 69dd72
+# Schema for Sun Directory Server.
Jan F. Chadima 69dd72
+# Based on the original schema, modified by Stefan Fischer.
Jan F. Chadima 69dd72
+#
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+dn: cn=schema
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# octetString SYNTAX
Jan F. Chadima 69dd72
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 69dd72
+	EQUALITY octetStringMatch
Jan F. Chadima 69dd72
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+# printableString SYNTAX yes|no
Jan F. Chadima 69dd72
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 69dd72
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 69dd72
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 69dd72
+	)
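Review bot: this is the OpenLDAP definition transliterated into Sun DS LDIF and it carries the same stale `# printableString SYNTAX yes|no` comment and the same `MUST ( sshPublicKey $ uid )` question as the OpenLDAP file; whichever way that is resolved, keep the two files in step. One format point specific to this file: the continuation lines of `attributeTypes:` and `objectClasses:` are indented with a tab, whereas LDIF line folding (RFC 2849) uses a single leading space; check that the Sun DS schema loader accepts the tab form before shipping it.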
132f8f
diff -up openssh-6.8p1/ssh-ldap-helper.8.ldap openssh-6.8p1/ssh-ldap-helper.8
132f8f
--- openssh-6.8p1/ssh-ldap-helper.8.ldap	2015-03-18 11:11:29.033801457 +0100
132f8f
+++ openssh-6.8p1/ssh-ldap-helper.8	2015-03-18 11:11:29.033801457 +0100
94c6f8
@@ -0,0 +1,79 @@
94c6f8
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
94c6f8
+.\"
94c6f8
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
94c6f8
+.\"
94c6f8
+.\" Permission to use, copy, modify, and distribute this software for any
94c6f8
+.\" purpose with or without fee is hereby granted, provided that the above
94c6f8
+.\" copyright notice and this permission notice appear in all copies.
94c6f8
+.\"
94c6f8
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
94c6f8
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
94c6f8
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
94c6f8
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
94c6f8
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
94c6f8
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
94c6f8
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
94c6f8
+.\"
94c6f8
+.Dd $Mdocdate: April 29 2010 $
94c6f8
+.Dt SSH-LDAP-HELPER 8
94c6f8
+.Os
94c6f8
+.Sh NAME
94c6f8
+.Nm ssh-ldap-helper
94c6f8
+.Nd sshd helper program for ldap support
94c6f8
+.Sh SYNOPSIS
94c6f8
+.Nm ssh-ldap-helper
94c6f8
+.Op Fl devw
94c6f8
+.Op Fl f Ar file
94c6f8
+.Op Fl s Ar user
94c6f8
+.Sh DESCRIPTION
94c6f8
+.Nm
94c6f8
+is used by
94c6f8
+.Xr sshd 1
94c6f8
+to access keys provided by an LDAP.
94c6f8
+.Nm
94c6f8
+is disabled by default and can only be enabled in the
94c6f8
+sshd configuration file
94c6f8
+.Pa /etc/ssh/sshd_config
94c6f8
+by setting
94c6f8
+.Cm AuthorizedKeysCommand
94c6f8
+to
94c6f8
+.Dq /usr/libexec/ssh-ldap-wrapper .
94c6f8
+.Pp
94c6f8
+.Nm
94c6f8
+is not intended to be invoked by the user, but from
94c6f8
+.Xr sshd 8 via
94c6f8
+.Xr ssh-ldap-wrapper .
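Review bot: `.Xr sshd 1` should be `.Xr sshd 8` (sshd is a section 8 page, and the text itself uses `.Xr sshd 8` a few lines later); `.Xr sshd 8 via` puts the word "via" into the macro's argument list instead of on the following line, and `.Xr ssh-ldap-wrapper .` is missing its section number. "to access keys provided by an LDAP" reads as unfinished; "by an LDAP directory" is what is meant. The DESCRIPTION also names the wrapper path `/usr/libexec/ssh-ldap-wrapper` without a `.Xr`/`.Pa` cross-reference to where that wrapper is documented, which the reader configuring `AuthorizedKeysCommand` will need.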
94c6f8