1 diff -up openssh-5.9p0/HOWTO.ldap-keys.ldap openssh-5.9p0/HOWTO.ldap-keys
2 --- openssh-5.9p0/HOWTO.ldap-keys.ldap 2011-08-30 15:57:12.449212853 +0200
3 +++ openssh-5.9p0/HOWTO.ldap-keys 2011-08-30 15:57:12.453101662 +0200
8 +1) configure LDAP server
9 + * Use LDAP server documentation
10 +2) add appropriate LDAP schema
11 + * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
14 + - attached to the 'ldapPublicKey' objectclass
15 + - attached to the 'posixAccount' objectclass
16 + - with a filled 'sshPublicKey' attribute
17 +3) insert users into LDAP
18 + * Use LDAP Tree management tool as useful
19 + * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
21 + dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
24 + objectclass: organizationalPerson
25 + objectclass: posixAccount
26 + objectclass: ldapPublicKey
27 + description: Jonathan Archer
28 + userPassword: Porthos
34 + homeDirectory: /home/captain
35 + sshPublicKey: ssh-rss AAAAB3.... =captain@universe
36 + sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
37 +4) on the ssh side set in sshd_config
38 + * Set up the backend
39 + AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
40 + AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
41 + * Do not forget to set
42 + PubkeyAuthentication yes
43 + * Swith off unnecessary auth methods
44 +5) confugure ldap.conf
45 + * Default ldap.conf is placed in /etc/ssh
46 + * The configuration style is the same as other ldap based aplications
47 +6) if necessary edit ssh-ldap-wrapper
48 + * There is a possibility to change ldap.conf location
49 + * There are some debug options
51 + /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
53 +HOW TO MIGRATE FROM LPK
55 +1) goto HOW TO START 4) .... the ldap schema is the same
57 +2) convert the group requests to the appropriate LDAP requests
59 +HOW TO SOLVE PROBLEMS
62 + * /usr/sbin/sshd -d -d -d -d
63 +2) use debug in ssh-ldap-helper
64 + * ssh-ldap-helper -d -d -d -d -s <username>
65 +3) use tcpdump ... other ldap client etc.
69 +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
73 +1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
74 + allows write to users dn, somebody could replace some user's public key by his own and impersonate some
75 + of your users in all your server farm -- be VERY CAREFUL.
76 +2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
77 + as the impersonated user.
78 +3) If LDAP server is down there may be no fallback on passwd auth.
83 + * Possibility to reuse the ssh-ldap-helper.
84 + * Tune the LDAP part to accept all possible LDAP configurations.
86 +2) differences from original lpk
87 + * No LDAP code in sshd.
88 + * Support for various LDAP platforms and configurations.
89 + * LDAP is configured in separate ldap.conf file.
92 + * http://pacsec.jp/core05/psj05-barisani-en.pdf
93 + * http://fritz.potsdam.edu/projects/openssh-lpk/
94 + * http://fritz.potsdam.edu/projects/sshgate/
95 + * http://dev.inversepath.com/trac/openssh-lpk
96 + * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
98 +4) contributors/ideas/greets
99 + - Eric AUGE <eau@phear.org>
100 + - Andrea Barisani <andrea@inversepath.com>
101 + - Falk Siemonsmeier.
103 + - Michael Durchgraf.
107 + - Robin H. Johnson.
111 + Jan F. Chadima <jchadima@redhat.com>
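Review bot: The debug command in step 6, `/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt`, names the libexec directory instead of the helper binary (`/usr/libexec/openssh/ssh-ldap-helper`, matching the wrapper path in step 4 and SSH_LDAP_HELPER in the Makefile) and passes `-f /etc/ldap.conf`, which contradicts step 5's statement that the default file lives in /etc/ssh; it also sends output that at DEBUG3 includes the configuration dump to a fixed name under world-writable /tmp, so the example should use a private directory. The sample LDIF lines `sshPublicKey: ssh-rss AAAAB3.... =captain@universe` and `sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...` should read `ssh-rsa`; sshd will not recognise the key type if the entry is copied as written. Typos to fix while here: 'additionnal', 'Swith', 'confugure', 'aplications'.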
113 diff -up openssh-5.9p0/Makefile.in.ldap openssh-5.9p0/Makefile.in
114 --- openssh-5.9p0/Makefile.in.ldap 2011-08-30 15:57:01.693024742 +0200
115 +++ openssh-5.9p0/Makefile.in 2011-08-30 16:00:02.478212295 +0200
116 @@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
117 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
118 SFTP_SERVER=$(libexecdir)/sftp-server
119 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
120 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
121 +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
122 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
123 PRIVSEP_PATH=@PRIVSEP_PATH@
124 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
125 @@ -58,8 +60,9 @@ XAUTH_PATH=@XAUTH_PATH@
126 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
129 +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
131 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
132 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
134 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
135 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
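Review bot: `ssh-ldap-helper$(EXEEXT)` is appended to TARGETS unconditionally, while installation is gated on INSTALL_SSH_LDAP_HELPER and the LDAP libraries only reach LIBS when configure runs with --with-ldap, so a build configured without LDAP support still tries to compile and link ldap-helper.o and fails on the missing <ldap.h>. Make the target conditional (for example an @SSH_LDAP_TARGETS@ substitution set next to INSTALL_SSH_LDAP_HELPER in configure.ac) or guard the sources with WITH_LDAP_PUBKEY.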
136 @@ -92,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
137 roaming_common.o roaming_serv.o \
138 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
140 -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
141 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
142 +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
143 +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
146 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
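Review bot: Same gating issue as TARGETS: `ssh-ldap-helper.8.out` and `ssh-ldap.conf.5.out` are added to MANPAGES unconditionally, so they are processed even on a build without --with-ldap, although the install block skips them. Also, ssh-ldap-wrapper is the documented AuthorizedKeysCommand entry point but gets no man page; a short ssh-ldap-wrapper.8, or a section in ssh-ldap-helper.8 covering the config-file location and debug options the HOWTO mentions, would close that gap.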
147 @@ -161,6 +164,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
148 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
149 $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
151 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
152 + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
154 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
155 $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
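Review bot: The link line for ssh-ldap-helper hardcodes `-lfipscheck`, but nothing in the visible configure.ac hunk probes for libfipscheck or adds it to LIBS, so the link fails on any system without that distribution-specific library. Either check for it in configure and substitute a variable, or drop it from this rule, since nothing in the ldap-helper.c shown in this patch references it.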
157 @@ -256,6 +262,10 @@ install-files:
158 $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
159 $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
160 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
161 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
162 + $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
163 + $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
165 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
166 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
167 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
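Review bot: ssh-ldap-helper and ssh-ldap-wrapper are installed with mode 0700 (the sibling helpers use 0755 or 4711), yet the HOWTO tells administrators to run the wrapper through AuthorizedKeysCommandRunAs as a dedicated non-root account; a root-owned 0700 file is not executable by that account. Either install with 0755 or set the owner explicitly in this rule and document which RunAs user is expected. Note also that `$(DESTDIR)$(SSH_LDAP_HELPER)` is written without `$(EXEEXT)` while the neighbouring install lines keep it.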
168 @@ -272,6 +282,10 @@ install-files:
169 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
170 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
171 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
172 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
173 + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
174 + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
176 -rm -f $(DESTDIR)$(bindir)/slogin
177 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
178 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
179 @@ -301,6 +315,13 @@ install-sysconf:
181 echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
183 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
184 + if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
185 + $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
187 + echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
191 host-key: ssh-keygen$(EXEEXT)
192 @if [ -z "$(DESTDIR)" ] ; then \
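Review bot: ldap.conf is installed with `-m 644` into $(sysconfdir), but this file format carries `bindpw` (the sample describes it as 'The credentials to bind with'), so a populated configuration would be world-readable. Install it 0600, or 0640 group-readable by the account that runs the helper, and say so in the HOWTO; the shipped sample is only harmless at 644 because it contains no credentials.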
193 @@ -358,6 +379,8 @@ uninstall:
194 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
195 -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
196 -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
197 + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
198 + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
199 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
200 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
201 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
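Review bot: uninstall removes `$(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)` and `$(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)`, but install-files copies them to `$(DESTDIR)$(SSH_LDAP_HELPER)` and `$(DESTDIR)$(SSH_LDAP_WRAPPER)` without `$(EXEEXT)`; on platforms with a non-empty EXEEXT these paths never match. Use the same form in both rules.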
202 @@ -369,6 +392,7 @@ uninstall:
203 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
204 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
205 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
206 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
207 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
209 tests interop-tests: $(TARGETS)
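Review bot: uninstall removes ssh-ldap-helper.8 but not ssh-ldap.conf.5, which install-files places in $(mansubdir)5; add `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5` next to it.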
210 diff -up openssh-5.9p0/configure.ac.ldap openssh-5.9p0/configure.ac
211 --- openssh-5.9p0/configure.ac.ldap 2011-08-30 15:57:11.297032991 +0200
212 +++ openssh-5.9p0/configure.ac 2011-08-30 15:57:12.664024959 +0200
213 @@ -1433,6 +1433,106 @@ AC_ARG_WITH(authorized-keys-command,
217 +# Check whether user wants LDAP support
219 +INSTALL_SSH_LDAP_HELPER=""
221 + [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
223 + if test "x$withval" != "xno" ; then
225 + INSTALL_SSH_LDAP_HELPER="yes"
226 + CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
228 + if test "x$withval" != "xyes" ; then
229 + CPPFLAGS="$CPPFLAGS -I${withval}/include"
230 + LDFLAGS="$LDFLAGS -L${withval}/lib"
233 + AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
236 + AC_CHECK_HEADERS(lber.h)
237 + AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
238 + AC_CHECK_HEADERS(ldap_ssl.h)
240 + AC_ARG_WITH(ldap-lib,
241 + [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
243 + if test -z "$with_ldap_lib"; then
247 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
248 + AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
249 + AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
252 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
253 + AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
256 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
257 + AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
258 + if test -z "$found_ldap_lib"; then
259 + AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
261 + if test -z "$found_ldap_lib"; then
262 + AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
264 + if test -z "$found_ldap_lib"; then
265 + AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
269 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
270 + AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
273 + if test -z "$found_ldap_lib"; then
274 + AC_MSG_ERROR(could not locate a valid LDAP library)
277 + AC_MSG_CHECKING([for working LDAP support])
279 + [#include <sys/types.h>
280 + #include <ldap.h>],
281 + [(void)ldap_init(0, 0);],
282 + [AC_MSG_RESULT(yes)],
285 + AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
291 + ldap_parse_result \
293 + ldap_controls_free \
298 + ldap_pvt_tls_set_option \
301 + AC_CHECK_FUNCS(ldap_set_rebind_proc,
302 + AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
305 + #include <ldap.h>],
306 + [ldap_set_rebind_proc(0, 0, 0);],
307 + [ac_cv_ldap_set_rebind_proc=3],
308 + [ac_cv_ldap_set_rebind_proc=2])
309 + AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
310 + AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
315 +AC_SUBST(INSTALL_SSH_LDAP_HELPER)
317 dnl Checks for library functions. Please keep in alphabetical order
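Review bot: The argument-count probe for ldap_set_rebind_proc treats any compile failure of `ldap_set_rebind_proc(0, 0, 0);` as proof of the two-argument form (`[ac_cv_ldap_set_rebind_proc=2]`), so a header that breaks the three-argument call for an unrelated reason silently selects the wrong prototype and the `#warning unknown LDAP_SET_REBIND_PROC_ARGS` branch in ldapbody.c can never fire; add a second AC_COMPILE_IFELSE for the two-argument call and AC_MSG_ERROR if neither compiles. The `ac_cv_` prefix is reserved for values managed by AC_CACHE_CHECK/AC_CACHE_VAL; assigning it directly stores the result in config.cache without ever consulting it, so either wrap the probe in AC_CACHE_CHECK or drop the prefix. The AC_CHECK_LIB calls probe `main` rather than an LDAP symbol, so they only show that the library links; the later ldap_init link test catches a missing API, but probing ldap_init in each AC_CHECK_LIB would make the per-library selection reliable.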
320 diff -up openssh-5.9p0/ldap-helper.c.ldap openssh-5.9p0/ldap-helper.c
321 --- openssh-5.9p0/ldap-helper.c.ldap 2011-08-30 15:57:12.754025033 +0200
322 +++ openssh-5.9p0/ldap-helper.c 2011-08-30 15:57:12.759025510 +0200
324 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
326 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
328 + * Redistribution and use in source and binary forms, with or without
329 + * modification, are permitted provided that the following conditions
331 + * 1. Redistributions of source code must retain the above copyright
332 + * notice, this list of conditions and the following disclaimer.
333 + * 2. Redistributions in binary form must reproduce the above copyright
334 + * notice, this list of conditions and the following disclaimer in the
335 + * documentation and/or other materials provided with the distribution.
337 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
338 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
339 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
340 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
341 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
342 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
343 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
344 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
345 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
346 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
349 +#include "ldapincludes.h"
352 +#include "xmalloc.h"
353 +#include "ldapconf.h"
354 +#include "ldapbody.h"
358 +static int config_debug = 0;
359 +int config_exclusive_config_file = 0;
360 +static char *config_file_name = "/etc/ssh/ldap.conf";
361 +static char *config_single_user = NULL;
362 +static int config_verbose = SYSLOG_LEVEL_VERBOSE;
363 +int config_warning_config_file = 0;
364 +extern char *__progname;
369 + fprintf(stderr, "usage: %s [options]\n",
371 + fprintf(stderr, "Options:\n");
372 + fprintf(stderr, " -d Output the log messages to stderr.\n");
373 + fprintf(stderr, " -e Check the config file for unknown commands.\n");
374 + fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
375 + fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
376 + fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
377 + fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
382 + * Main program for the ssh pka ldap agent.
386 +main(int ac, char **av)
389 + FILE *outfile = NULL;
391 + __progname = ssh_get_progname(av[0]);
393 + log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
396 + * Initialize option structure to indicate that no values have been
399 + initialize_options();
401 + /* Parse command-line arguments. */
402 + while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
409 + config_exclusive_config_file = 1;
410 + config_warning_config_file = 1;
414 + config_file_name = optarg;
418 + config_single_user = optarg;
419 + outfile = fdopen (dup (fileno (stdout)), "w");
424 + if (config_verbose < SYSLOG_LEVEL_DEBUG3)
429 + config_warning_config_file = 1;
439 + /* Initialize loging */
440 + log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
443 + fatal ("illegal extra parameter %s", av[1]);
445 + /* Ensure that fds 0 and 2 are open or directed to /dev/null */
446 + if (config_debug == 0)
449 + /* Read config file */
450 + read_config_file(config_file_name);
451 + fill_default_options();
452 + if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
453 + debug3 ("=== Configuration ===");
455 + debug3 ("=== *** ===");
458 + ldap_checkconfig();
461 + if (config_single_user) {
462 + process_user (config_single_user, outfile);
465 + fatal ("Not yet implemented");
467 + * open unix socket a run the loop on it
476 +void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
477 +void buffer_put_string(Buffer *b, const void *f, u_int l) {}
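Review bot: Running the helper without `-s` reaches `fatal ("Not yet implemented")`, yet the usage text presents `-s user  Do not demonize, send the user's key to stdout.` as if a daemon mode existed; until the unix-socket loop is written, usage should state that -s is required ('demonize' should also read 'daemonize', and 'loging' 'logging'). The result of `fdopen (dup (fileno (stdout)), "w")` is never checked for NULL before process_user writes to it. The stubs `buffer_get_string` returning NULL and `buffer_put_string` as a no-op exist only to satisfy symbols pulled in from libssh.a; if any code path reaches them the helper silently returns no key material, so a `fatal()` inside each stub is safer than a silent NULL.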
479 diff -up openssh-5.9p0/ldap-helper.h.ldap openssh-5.9p0/ldap-helper.h
480 --- openssh-5.9p0/ldap-helper.h.ldap 2011-08-30 15:57:12.835024792 +0200
481 +++ openssh-5.9p0/ldap-helper.h 2011-08-30 15:57:12.839024637 +0200
483 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
485 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
487 + * Redistribution and use in source and binary forms, with or without
488 + * modification, are permitted provided that the following conditions
490 + * 1. Redistributions of source code must retain the above copyright
491 + * notice, this list of conditions and the following disclaimer.
492 + * 2. Redistributions in binary form must reproduce the above copyright
493 + * notice, this list of conditions and the following disclaimer in the
494 + * documentation and/or other materials provided with the distribution.
496 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
497 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
498 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
499 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
500 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
501 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
502 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
503 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
504 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
505 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
508 +#ifndef LDAP_HELPER_H
509 +#define LDAP_HELPER_H
511 +extern int config_exclusive_config_file;
512 +extern int config_warning_config_file;
514 +#endif /* LDAP_HELPER_H */
515 diff -up openssh-5.9p0/ldap.conf.ldap openssh-5.9p0/ldap.conf
516 --- openssh-5.9p0/ldap.conf.ldap 2011-08-30 15:57:12.929026186 +0200
517 +++ openssh-5.9p0/ldap.conf 2011-08-30 15:57:12.933024937 +0200
521 +# This is the example configuration file for the OpenSSH
524 +# see ssh-ldap.conf(5)
527 +# URI with your LDAP server name. This allows to use
528 +# Unix Domain Sockets to connect to a local LDAP Server.
529 +#uri ldap://127.0.0.1/
530 +#uri ldaps://127.0.0.1/
531 +#uri ldapi://%2fvar%2frun%2fldapi_sock/
532 +# Note: %2f encodes the '/' used as directory separator
534 +# Another way to specify your LDAP server is to provide an
535 +# host name and the port of our LDAP server. Host name
536 +# must be resolvable without using LDAP.
537 +# Multiple hosts may be specified, each separated by a
538 +# space. How long nss_ldap takes to failover depends on
539 +# whether your LDAP client library supports configurable
540 +# network or connect timeouts (see bind_timelimit).
544 +# Optional: default is 389.
547 +# The distinguished name to bind to the server with.
548 +# Optional: default is to bind anonymously.
549 +#binddn cn=openssh_keys,dc=example,dc=org
551 +# The credentials to bind with.
552 +# Optional: default is no credential.
555 +# The distinguished name of the search base.
556 +#base dc=example,dc=org
558 +# The LDAP version to use (defaults to 3
559 +# if supported by client library)
570 +# Bind/connect timelimit
573 +# Reconnect policy: hard (default) will retry connecting to
574 +# the software with exponential backoff, soft will fail
578 +# SSL setup, may be implied by URI also.
583 +# OpenLDAP SSL options
584 +# Require and verify server certificate (yes/no)
585 +# Default is to use libldap's default behavior, which can be configured in
586 +# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
587 +# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
590 +# CA certificates for server certificate verification
591 +# At least one of these are required if tls_checkpeer is "yes"
592 +#tls_cacertfile /etc/ssl/ca.cert
593 +#tls_cacertdir /etc/pki/tls/certs
595 +# Seed the PRNG if /dev/urandom is not provided
596 +#tls_randfile /var/run/egd-pool
599 +# See man ciphers for syntax
602 +# Client certificate and key
603 +# Use these, if your server requires client authentication.
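Review bot: The sample leaves `tls_checkpeer` to libldap's default ('which can be configured in /etc/openldap/ldap.conf using the TLS_REQCERT setting'), but this file drives an AuthorizedKeysCommand whose own HOWTO warns that a MITM on the key lookup yields login as the impersonated user; state `tls_checkpeer yes` together with tls_cacertfile/tls_cacertdir as the recommended setting instead of inheriting a library default. Several comments are copied from the nss_ldap template ('How long nss_ldap takes to failover', 'Seed the PRNG if /dev/urandom is not provided') and should be reworded for ssh-ldap-helper, and since `bindpw` lives in this file, the header should say it must not be world-readable.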
607 diff -up openssh-5.9p0/ldapbody.c.ldap openssh-5.9p0/ldapbody.c
608 --- openssh-5.9p0/ldapbody.c.ldap 2011-08-30 15:57:13.005024661 +0200
609 +++ openssh-5.9p0/ldapbody.c 2011-08-30 15:57:13.011024848 +0200
611 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
613 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
615 + * Redistribution and use in source and binary forms, with or without
616 + * modification, are permitted provided that the following conditions
618 + * 1. Redistributions of source code must retain the above copyright
619 + * notice, this list of conditions and the following disclaimer.
620 + * 2. Redistributions in binary form must reproduce the above copyright
621 + * notice, this list of conditions and the following disclaimer in the
622 + * documentation and/or other materials provided with the distribution.
624 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
625 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
626 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
627 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
628 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
629 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
630 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
631 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
632 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
633 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
636 +#include "ldapincludes.h"
638 +#include "xmalloc.h"
639 +#include "ldapconf.h"
640 +#include "ldapmisc.h"
641 +#include "ldapbody.h"
645 +#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
646 +#define PUBKEYATTR "sshPublicKey"
647 +#define LDAP_LOGFILE "%s/ldap.%d"
649 +static FILE *logfile = NULL;
652 +static char *attrs[] = {
658 +ldap_checkconfig (void)
660 +#ifdef HAVE_LDAP_INITIALIZE
661 + if (options.host == NULL && options.uri == NULL)
663 + if (options.host == NULL)
665 + fatal ("missing \"host\" in config file");
668 +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
670 +_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
672 + struct timeval timeout;
674 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
675 + LDAPMessage *result;
676 +#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
678 + debug2 ("Doing LDAP rebind to %s", options.binddn);
679 + if (options.ssl == SSL_START_TLS) {
680 + if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
681 + error ("ldap_starttls_s: %s", ldap_err2string (rc));
682 + return LDAP_OPERATIONS_ERROR;
686 +#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
687 + return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
689 + if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
690 + fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
692 + timeout.tv_sec = options.bind_timelimit;
693 + timeout.tv_usec = 0;
695 + if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
696 + error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
697 + ldap_msgfree (result);
698 + return LDAP_OPERATIONS_ERROR;
700 + debug3 ("LDAP rebind to %s succesfull", options.binddn);
707 +_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
710 + return LDAP_SUCCESS;
712 + *whop = strdup (options.binddn);
713 + *credp = strdup (options.bindpw);
714 + *methodp = LDAP_AUTH_SIMPLE;
715 + debug2 ("Doing LDAP rebind for %s", *whop);
716 + return LDAP_SUCCESS;
721 +ldap_do_connect(void)
723 + int rc, msgid, ld_errno = 0;
724 + struct timeval timeout;
725 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
727 + LDAPMessage *result;
728 + LDAPControl **controls;
730 +#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
732 + debug ("LDAP do connect");
736 + debug3 ("Reconnecting with ld_errno %d", ld_errno);
737 + if (options.bind_policy == 0 ||
738 + (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
740 + fatal ("Cannot connect to LDAP server");
743 + sleep (reconnect - 1);
749 + logit("reconnecting to LDAP server...");
756 +#ifdef HAVE_LDAP_SET_OPTION
757 + if (options.debug > 0) {
758 +#ifdef LBER_OPT_LOG_PRINT_FILE
759 + if (options.logdir) {
761 + int logfilenamelen;
763 + logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
764 + logfilename = xmalloc (logfilenamelen);
765 + snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
766 + logfilename[logfilenamelen - 1] = 0;
767 + if ((logfile = fopen (logfilename, "a")) == NULL)
768 + fatal ("cannot append to %s: %s", logfilename, strerror (errno));
769 + debug3 ("LDAP debug into %s", logfilename);
770 + xfree (logfilename);
771 + ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
774 + if (options.debug) {
775 +#ifdef LBER_OPT_DEBUG_LEVEL
776 + ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
777 +#endif /* LBER_OPT_DEBUG_LEVEL */
778 +#ifdef LDAP_OPT_DEBUG_LEVEL
779 + (void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
780 +#endif /* LDAP_OPT_DEBUG_LEVEL */
781 + debug3 ("Set LDAP debug to %d", options.debug);
784 +#endif /* HAVE_LDAP_SET_OPTION */
787 +#ifdef HAVE_LDAPSSL_INIT
788 + if (options.host != NULL) {
789 + if (options.ssl_on == SSL_LDAPS) {
790 + if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
791 + fatal ("ldapssl_client_init %s", ldap_err2string (rc));
792 + debug3 ("LDAPssl client init");
795 + if (options.ssl_on != SSL_OFF) {
796 + if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
797 + fatal ("ldapssl_init failed");
798 + debug3 ("LDAPssl init");
801 +#endif /* HAVE_LDAPSSL_INIT */
803 + /* continue with opening */
805 +#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
806 + /* Some global TLS-specific options need to be set before we create our
807 + * session context, so we set them here. */
809 +#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
811 + if (options.tls_randfile != NULL) {
812 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
813 + options.tls_randfile)) != LDAP_SUCCESS)
814 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
815 + ldap_err2string (rc));
816 + debug3 ("Set TLS random file %s", options.tls_randfile);
818 +#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
821 + if (options.tls_cacertfile != NULL) {
822 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
823 + options.tls_cacertfile)) != LDAP_SUCCESS)
824 + error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
825 + ldap_err2string (rc));
826 + debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
829 + /* ca cert directory */
830 + if (options.tls_cacertdir != NULL) {
831 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
832 + options.tls_cacertdir)) != LDAP_SUCCESS)
833 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
834 + ldap_err2string (rc));
835 + debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
838 + /* require cert? */
839 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
840 + &options.tls_checkpeer)) != LDAP_SUCCESS)
841 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
842 + ldap_err2string (rc));
843 + debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
845 + /* set cipher suite, certificate and private key: */
846 + if (options.tls_ciphers != NULL) {
847 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
848 + options.tls_ciphers)) != LDAP_SUCCESS)
849 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
850 + ldap_err2string (rc));
851 + debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
855 + if (options.tls_cert != NULL) {
856 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
857 + options.tls_cert)) != LDAP_SUCCESS)
858 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
859 + ldap_err2string (rc));
860 + debug3 ("Set TLS cert file %s ", options.tls_cert);
864 + if (options.tls_key != NULL) {
865 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
866 + options.tls_key)) != LDAP_SUCCESS)
867 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
868 + ldap_err2string (rc));
869 + debug3 ("Set TLS key file %s ", options.tls_key);
872 +#ifdef HAVE_LDAP_INITIALIZE
873 + if (options.uri != NULL) {
874 + if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
875 + fatal ("ldap_initialize %s", ldap_err2string (rc));
876 + debug3 ("LDAP initialize %s", options.uri);
879 +#endif /* HAVE_LDAP_INTITIALIZE */
881 + /* continue with opening */
882 + if ((ld == NULL) && (options.host != NULL)) {
883 +#ifdef HAVE_LDAP_INIT
884 + if ((ld = ldap_init (options.host, options.port)) == NULL)
885 + fatal ("ldap_init failed");
886 + debug3 ("LDAP init %s:%d", options.host, options.port);
888 + if ((ld = ldap_open (options.host, options.port)) == NULL)
889 + fatal ("ldap_open failed");
890 + debug3 ("LDAP open %s:%d", options.host, options.port);
891 +#endif /* HAVE_LDAP_INIT */
895 + fatal ("no way to open ldap");
897 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
898 + if (options.ssl == SSL_LDAPS) {
899 + if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
900 + fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
901 + debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
903 +#endif /* LDAP_OPT_X_TLS */
905 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
906 + (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
907 + &options.ldap_version);
909 + ld->ld_version = options.ldap_version;
911 + debug3 ("LDAP set version to %d", options.ldap_version);
913 +#if LDAP_SET_REBIND_PROC_ARGS == 3
914 + ldap_set_rebind_proc (ld, _rebind_proc, NULL);
915 +#elif LDAP_SET_REBIND_PROC_ARGS == 2
916 + ldap_set_rebind_proc (ld, _rebind_proc);
918 +#warning unknown LDAP_SET_REBIND_PROC_ARGS
920 + debug3 ("LDAP set rebind proc");
922 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
923 + (void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
925 + ld->ld_deref = options.deref;
927 + debug3 ("LDAP set deref to %d", options.deref);
929 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
930 + (void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
931 + &options.timelimit);
933 + ld->ld_timelimit = options.timelimit;
935 + debug3 ("LDAP set timelimit to %d", options.timelimit);
937 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
939 + * This is a new option in the Netscape SDK which sets
940 + * the TCP connect timeout. For want of a better value,
941 + * we use the bind_timelimit to control this.
943 + timeout = options.bind_timelimit * 1000;
944 + (void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
945 + debug3 ("LDAP set opt connect timeout to %d", timeout);
948 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
949 + tv.tv_sec = options.bind_timelimit;
951 + (void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
952 + debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
955 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
956 + (void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
957 + options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
958 + debug3 ("LDAP set referrals to %d", options.referrals);
961 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
962 + (void) ldap_set_option (ld, LDAP_OPT_RESTART,
963 + options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
964 + debug3 ("LDAP set restart to %d", options.restart);
967 +#ifdef HAVE_LDAP_START_TLS_S
968 + if (options.ssl == SSL_START_TLS) {
971 + if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
973 + if (version < LDAP_VERSION3) {
974 + version = LDAP_VERSION3;
975 + (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
977 + debug3 ("LDAP set version to %d", version);
981 + if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
982 + fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
983 + debug3 ("LDAP start TLS");
985 +#endif /* HAVE_LDAP_START_TLS_S */
988 + if ((msgid = ldap_simple_bind (ld, options.binddn,
989 + options.bindpw)) == -1) {
990 + ld_errno = ldap_get_lderrno (ld, 0, 0);
992 + error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
996 + debug3 ("LDAP simple bind (%s)", options.binddn);
998 + timeout.tv_sec = options.bind_timelimit;
999 + timeout.tv_usec = 0;
1000 + if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
1001 + ld_errno = ldap_get_lderrno (ld, 0, 0);
1003 + error ("ldap_result %s", ldap_err2string (ld_errno));
1007 + debug3 ("LDAP result in time");
1009 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
1011 + if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
1012 + fatal ("ldap_parse_result %s", ldap_err2string (parserc));
1013 + debug3 ("LDAP parse result OK");
1015 + if (controls != NULL) {
1016 + ldap_controls_free (controls);
1019 + rc = ldap_result2error (session->ld, result, TRUE);
1021 + if (rc != LDAP_SUCCESS)
1022 + fatal ("error trying to bind as user \"%s\" (%s)",
1023 + options.binddn, ldap_err2string (rc));
1025 + debug2 ("LDAP do connect OK");
1029 +process_user (const char *user, FILE *output)
1031 + LDAPMessage *res, *e;
1033 + int bufflen, rc, i;
1034 + struct timeval timeout;
1036 + debug ("LDAP process user");
1038 + /* quick check for attempts to be evil */
1039 + if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
1040 + (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
1041 + logit ("illegal user name %s not processed", user);
1045 + /* build filter for LDAP request */
1046 + bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
1047 + if (options.ssh_filter != NULL)
1048 + bufflen += strlen (options.ssh_filter);
1049 + buffer = xmalloc (bufflen);
1050 + snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
1051 + buffer[bufflen - 1] = 0;
1053 + debug3 ("LDAP search scope = %d %s", options.scope, buffer);
1055 + timeout.tv_sec = options.timelimit;
1056 + timeout.tv_usec = 0;
1057 + if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
1058 + error ("ldap_search_st(): %s", ldap_err2string (rc));
1066 + for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
1068 + struct berval **keys;
1070 + keys = ldap_get_values_len(ld, e, PUBKEYATTR);
1071 + num = ldap_count_values_len(keys);
1072 + for (i = 0 ; i < num ; i++) {
1073 + char *cp; //, *options = NULL;
1075 + for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
1076 + if (!*cp || *cp == '\n' || *cp == '#')
1079 + /* We have found the desired key. */
1080 + fprintf (output, "%s\n", keys[i]->bv_val);
1083 + ldap_value_free_len(keys);
1086 + ldap_msgfree(res);
1087 + debug2 ("LDAP process user finished");
1091 +ldap_do_close(void)
1095 + debug ("LDAP do close");
1096 + if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
1097 + fatal ("ldap_unbind_ext: %s",
1098 + ldap_err2string (rc));
1101 + debug2 ("LDAP do close OK");
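Review bot: the fallback branch of the bind-result handling in ldap_do_connect references an undeclared `session`: `rc = ldap_result2error (session->ld, result, TRUE);` while every other call in this file uses the file-scope `ld`, so a build without HAVE_LDAP_PARSE_RESULT/HAVE_LDAP_CONTROLS_FREE will not compile; change it to `ldap_result2error (ld, result, TRUE)`. Second, the ldaps path passes the peer-check setting to the wrong option: `ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)` selects the TLS mode of the connection, whereas the TLS_CheckPeer/TLS_ReqCert values parsed in ldapconf.c (never/hard/demand/allow/try) belong to LDAP_OPT_X_TLS_REQUIRE_CERT; with the default HARD this happens to work, but `TLS_ReqCert never` would disable TLS instead of relaxing certificate checking, and nothing in the visible connect path applies the TLS_CaCertFile/TLS_CaCertDir settings at all, so server certificate verification is not actually configured. Two smaller points in process_user: `snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL)` has a no-op conditional that hands NULL to a `%s` conversion when no filter is set (undefined behaviour, currently masked by fill_default_options storing ""), so the fallback should be `""`; and the value loop skips leading whitespace into `cp` and rejects blank and `#` values but then prints `keys[i]->bv_val` rather than `cp`, and never rejects a value containing an embedded newline even though sshd parses AuthorizedKeysCommand output line by line. Validating against `bv_len` and refusing values with '\n' before the `fprintf` keeps one directory attribute value mapped to exactly one authorized_keys line.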
1105 diff -up openssh-5.9p0/ldapbody.h.ldap openssh-5.9p0/ldapbody.h
1106 --- openssh-5.9p0/ldapbody.h.ldap 2011-08-30 15:57:13.087150596 +0200
1107 +++ openssh-5.9p0/ldapbody.h 2011-08-30 15:57:13.091149461 +0200
1109 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1111 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1113 + * Redistribution and use in source and binary forms, with or without
1114 + * modification, are permitted provided that the following conditions
1116 + * 1. Redistributions of source code must retain the above copyright
1117 + * notice, this list of conditions and the following disclaimer.
1118 + * 2. Redistributions in binary form must reproduce the above copyright
1119 + * notice, this list of conditions and the following disclaimer in the
1120 + * documentation and/or other materials provided with the distribution.
1122 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1123 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1124 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1125 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1126 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1127 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1128 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1129 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1130 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1131 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1139 +void ldap_checkconfig(void);
1140 +void ldap_do_connect(void);
1141 +void process_user(const char *, FILE *);
1142 +void ldap_do_close(void);
1144 +#endif /* LDAPBODY_H */
1146 diff -up openssh-5.9p0/ldapconf.c.ldap openssh-5.9p0/ldapconf.c
1147 --- openssh-5.9p0/ldapconf.c.ldap 2011-08-30 15:57:13.164036922 +0200
1148 +++ openssh-5.9p0/ldapconf.c 2011-08-30 15:57:13.171065499 +0200
1150 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1152 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1154 + * Redistribution and use in source and binary forms, with or without
1155 + * modification, are permitted provided that the following conditions
1157 + * 1. Redistributions of source code must retain the above copyright
1158 + * notice, this list of conditions and the following disclaimer.
1159 + * 2. Redistributions in binary form must reproduce the above copyright
1160 + * notice, this list of conditions and the following disclaimer in the
1161 + * documentation and/or other materials provided with the distribution.
1163 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1164 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1165 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1166 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1167 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1168 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1169 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1170 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1171 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1172 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1175 +#include "ldapincludes.h"
1176 +#include "ldap-helper.h"
1179 +#include "xmalloc.h"
1180 +#include "ldapconf.h"
1181 +#include <unistd.h>
1182 +#include <string.h>
1184 +/* Keyword tokens. */
1188 + lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
1189 + lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
1190 + lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
1191 + lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
1192 + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
1193 + lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
1194 + lDeprecated, lUnsupported
1197 +/* Textual representations of the tokens. */
1204 + { "Base", lBase },
1205 + { "BindDN", lBindDN },
1206 + { "BindPW", lBindPW },
1207 + { "RootBindDN", lRootBindDN },
1208 + { "Host", lHost },
1209 + { "Port", lPort },
1210 + { "Scope", lScope },
1211 + { "Deref", lDeref },
1212 + { "TimeLimit", lTimeLimit },
1213 + { "TimeOut", lTimeLimit },
1214 + { "Bind_Timelimit", lBind_TimeLimit },
1215 + { "Network_TimeOut", lBind_TimeLimit },
1220 + { "Ldap_Version", lLdap_Version },
1221 + { "Version", lLdap_Version },
1222 + { "Bind_Policy", lBind_Policy },
1223 + { "SSLPath", lSSLPath },
1225 + { "Referrals", lReferrals },
1226 + { "Restart", lRestart },
1227 + { "TLS_CheckPeer", lTLS_CheckPeer },
1228 + { "TLS_ReqCert", lTLS_CheckPeer },
1229 + { "TLS_CaCertFile", lTLS_CaCertFile },
1230 + { "TLS_CaCert", lTLS_CaCertFile },
1231 + { "TLS_CaCertDir", lTLS_CaCertDir },
1232 + { "TLS_Ciphers", lTLS_Ciphers },
1233 + { "TLS_Cipher_Suite", lTLS_Ciphers },
1234 + { "TLS_Cert", lTLS_Cert },
1235 + { "TLS_Certificate", lTLS_Cert },
1236 + { "TLS_Key", lTLS_Key },
1237 + { "TLS_RandFile", lTLS_RandFile },
1243 + { "LogDir", lLogDir },
1244 + { "Debug", lDebug },
1245 + { "SSH_Filter", lSSH_Filter },
1246 + { NULL, lBadOption }
1249 +/* Configuration ptions. */
1254 + * Returns the number of the token pointed to by cp or oBadOption.
1258 +parse_token(const char *cp, const char *filename, int linenum)
1262 + for (i = 0; keywords[i].name; i++)
1263 + if (strcasecmp(cp, keywords[i].name) == 0)
1264 + return keywords[i].opcode;
1266 + if (config_warning_config_file)
1267 + logit("%s: line %d: Bad configuration option: %s",
1268 + filename, linenum, cp);
1269 + return lBadOption;
1273 + * Processes a single option line as used in the configuration files. This
1274 + * only sets those values that have not already been set.
1276 +#define WHITESPACE " \t\r\n"
1279 +process_config_line(char *line, const char *filename, int linenum)
1281 + char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
1282 + char *rootbinddn = NULL;
1283 + int opcode, *intptr, value;
1286 + /* Strip trailing whitespace */
1287 + for (len = strlen(line) - 1; len > 0; len--) {
1288 + if (strchr(WHITESPACE, line[len]) == NULL)
1294 + /* Get the keyword. (Each line is supposed to begin with a keyword). */
1295 + if ((keyword = strdelim(&s)) == NULL)
1297 + /* Ignore leading whitespace. */
1298 + if (*keyword == '\0')
1299 + keyword = strdelim(&s);
1300 + if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
1303 + opcode = parse_token(keyword, filename, linenum);
1307 + /* don't panic, but count bad options */
1312 + xstringptr = &options.host;
1314 + if (!s || *s == '\0')
1315 + fatal("%s line %d: missing dn",filename,linenum);
1316 + if (*xstringptr == NULL)
1317 + *xstringptr = xstrdup(s);
1321 + xstringptr = &options.uri;
1322 + goto parse_xstring;
1325 + xstringptr = &options.base;
1326 + goto parse_xstring;
1329 + xstringptr = &options.binddn;
1330 + goto parse_xstring;
1333 + charptr = &options.bindpw;
1335 + arg = strdelim(&s);
1336 + if (!arg || *arg == '\0')
1337 + fatal("%.200s line %d: Missing argument.", filename, linenum);
1338 + if (*charptr == NULL)
1339 + *charptr = xstrdup(arg);
1343 + xstringptr = &rootbinddn;
1344 + goto parse_xstring;
1347 + intptr = &options.scope;
1348 + arg = strdelim(&s);
1349 + if (!arg || *arg == '\0')
1350 + fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
1351 + value = 0; /* To avoid compiler warning... */
1352 + if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
1353 + value = LDAP_SCOPE_SUBTREE;
1354 + else if (strcasecmp (arg, "one") == 0)
1355 + value = LDAP_SCOPE_ONELEVEL;
1356 + else if (strcasecmp (arg, "base") == 0)
1357 + value = LDAP_SCOPE_BASE;
1359 + fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
1360 + if (*intptr == -1)
1365 + intptr = &options.scope;
1366 + arg = strdelim(&s);
1367 + if (!arg || *arg == '\0')
1368 + fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
1369 + value = 0; /* To avoid compiler warning... */
1370 + if (!strcasecmp (arg, "never"))
1371 + value = LDAP_DEREF_NEVER;
1372 + else if (!strcasecmp (arg, "searching"))
1373 + value = LDAP_DEREF_SEARCHING;
1374 + else if (!strcasecmp (arg, "finding"))
1375 + value = LDAP_DEREF_FINDING;
1376 + else if (!strcasecmp (arg, "always"))
1377 + value = LDAP_DEREF_ALWAYS;
1379 + fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
1380 + if (*intptr == -1)
1385 + intptr = &options.port;
1387 + arg = strdelim(&s);
1388 + if (!arg || *arg == '\0')
1389 + fatal("%.200s line %d: Missing argument.", filename, linenum);
1390 + if (arg[0] < '0' || arg[0] > '9')
1391 + fatal("%.200s line %d: Bad number.", filename, linenum);
1393 + /* Octal, decimal, or hex format? */
1394 + value = strtol(arg, &endofnumber, 0);
1395 + if (arg == endofnumber)
1396 + fatal("%.200s line %d: Bad number.", filename, linenum);
1397 + if (*intptr == -1)
1402 + intptr = &options.timelimit;
1404 + arg = strdelim(&s);
1405 + if (!arg || *arg == '\0')
1406 + fatal("%s line %d: missing time value.",
1407 + filename, linenum);
1408 + if ((value = convtime(arg)) == -1)
1409 + fatal("%s line %d: invalid time value.",
1410 + filename, linenum);
1411 + if (*intptr == -1)
1415 + case lBind_TimeLimit:
1416 + intptr = &options.bind_timelimit;
1419 + case lLdap_Version:
1420 + intptr = &options.ldap_version;
1423 + case lBind_Policy:
1424 + intptr = &options.bind_policy;
1425 + arg = strdelim(&s);
1426 + if (!arg || *arg == '\0')
1427 + fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
1428 + value = 0; /* To avoid compiler warning... */
1429 + if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
1431 + else if (strcasecmp(arg, "soft") == 0)
1434 + fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
1435 + if (*intptr == -1)
1439 + charptr = &options.sslpath;
1440 + goto parse_string;
1443 + intptr = &options.ssl;
1444 + arg = strdelim(&s);
1445 + if (!arg || *arg == '\0')
1446 + fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
1447 + value = 0; /* To avoid compiler warning... */
1448 + if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1449 + value = SSL_LDAPS;
1450 + else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1452 + else if (!strcasecmp (arg, "start_tls"))
1453 + value = SSL_START_TLS;
1455 + fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
1456 + if (*intptr == -1)
1461 + intptr = &options.referrals;
1463 + arg = strdelim(&s);
1464 + if (!arg || *arg == '\0')
1465 + fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
1466 + value = 0; /* To avoid compiler warning... */
1467 + if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1469 + else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1472 + fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
1473 + if (*intptr == -1)
1478 + intptr = &options.restart;
1481 + case lTLS_CheckPeer:
1482 + intptr = &options.tls_checkpeer;
1483 + arg = strdelim(&s);
1484 + if (!arg || *arg == '\0')
1485 + fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
1486 + value = 0; /* To avoid compiler warning... */
1487 + if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1488 + value = LDAP_OPT_X_TLS_NEVER;
1489 + else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1490 + value = LDAP_OPT_X_TLS_HARD;
1491 + else if (strcasecmp(arg, "demand") == 0)
1492 + value = LDAP_OPT_X_TLS_DEMAND;
1493 + else if (strcasecmp(arg, "allow") == 0)
1494 + value = LDAP_OPT_X_TLS_ALLOW;
1495 + else if (strcasecmp(arg, "try") == 0)
1496 + value = LDAP_OPT_X_TLS_TRY;
1498 + fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
1499 + if (*intptr == -1)
1502 + case lTLS_CaCertFile:
1503 + charptr = &options.tls_cacertfile;
1504 + goto parse_string;
1506 + case lTLS_CaCertDir:
1507 + charptr = &options.tls_cacertdir;
1508 + goto parse_string;
1510 + case lTLS_Ciphers:
1511 + xstringptr = &options.tls_ciphers;
1512 + goto parse_xstring;
1515 + charptr = &options.tls_cert;
1516 + goto parse_string;
1519 + charptr = &options.tls_key;
1520 + goto parse_string;
1522 + case lTLS_RandFile:
1523 + charptr = &options.tls_randfile;
1524 + goto parse_string;
1527 + charptr = &options.logdir;
1528 + goto parse_string;
1531 + intptr = &options.debug;
1535 + xstringptr = &options.ssh_filter;
1536 + goto parse_xstring;
1539 + debug("%s line %d: Deprecated option \"%s\"",
1540 + filename, linenum, keyword);
1543 + case lUnsupported:
1544 + error("%s line %d: Unsupported option \"%s\"",
1545 + filename, linenum, keyword);
1549 + fatal("process_config_line: Unimplemented opcode %d", opcode);
1552 + /* Check that there is no garbage at end of line. */
1553 + if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1554 + fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1555 + filename, linenum, arg);
1561 + * Reads the config file and modifies the options accordingly. Options
1562 + * should already be initialized before this call. This never returns if
1563 + * there is an error. If the file does not exist, this returns 0.
1567 +read_config_file(const char *filename)
1571 + int active, linenum;
1572 + int bad_options = 0;
1575 + if ((f = fopen(filename, "r")) == NULL)
1576 + fatal("fopen %s: %s", filename, strerror(errno));
1578 + if (fstat(fileno(f), &sb) == -1)
1579 + fatal("fstat %s: %s", filename, strerror(errno));
1580 + if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1581 + (sb.st_mode & 022) != 0))
1582 + fatal("Bad owner or permissions on %s", filename);
1584 + debug("Reading configuration data %.200s", filename);
1587 + * Mark that we are now processing the options. This flag is turned
1588 + * on/off by Host specifications.
1592 + while (fgets(line, sizeof(line), f)) {
1593 + /* Update line number counter. */
1595 + if (process_config_line(line, filename, linenum) != 0)
1599 + if ((bad_options > 0) && config_exclusive_config_file)
1600 + fatal("%s: terminating, %d bad configuration options",
1601 + filename, bad_options);
1605 + * Initializes options to special values that indicate that they have not yet
1606 + * been set. Read_config_file will only set options with this value. Options
1607 + * are processed in the following order: command line, user config file,
1608 + * system config file. Last, fill_default_options is called.
1612 +initialize_options(void)
1614 + memset(&options, 'X', sizeof(options));
1615 + options.host = NULL;
1616 + options.uri = NULL;
1617 + options.base = NULL;
1618 + options.binddn = NULL;
1619 + options.bindpw = NULL;
1620 + options.scope = -1;
1621 + options.deref = -1;
1622 + options.port = -1;
1623 + options.timelimit = -1;
1624 + options.bind_timelimit = -1;
1625 + options.ldap_version = -1;
1626 + options.bind_policy = -1;
1627 + options.sslpath = NULL;
1629 + options.referrals = -1;
1630 + options.restart = -1;
1631 + options.tls_checkpeer = -1;
1632 + options.tls_cacertfile = NULL;
1633 + options.tls_cacertdir = NULL;
1634 + options.tls_ciphers = NULL;
1635 + options.tls_cert = NULL;
1636 + options.tls_key = NULL;
1637 + options.tls_randfile = NULL;
1638 + options.logdir = NULL;
1639 + options.debug = -1;
1640 + options.ssh_filter = NULL;
1644 + * Called after processing other sources of option data, this fills those
1645 + * options for which no value has been specified with their default values.
1649 +fill_default_options(void)
1651 + if (options.uri != NULL) {
1652 + LDAPURLDesc *ludp;
1654 + if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
1655 + if (options.ssl == -1) {
1656 + if (strcmp (ludp->lud_scheme, "ldap") == 0)
1658 + if (strcmp (ludp->lud_scheme, "ldapi") == 0)
1660 + else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
1663 + if (options.host == NULL)
1664 + options.host = xstrdup (ludp->lud_host);
1665 + if (options.port == -1)
1666 + options.port = ludp->lud_port;
1668 + ldap_free_urldesc (ludp);
1671 + if (options.ssl == -1)
1672 + options.ssl = SSL_START_TLS;
1673 + if (options.port == -1)
1674 + options.port = (options.ssl == 0) ? 389 : 636;
1675 + if (options.uri == NULL) {
1677 +#define MAXURILEN 4096
1679 + options.uri = xmalloc (MAXURILEN);
1680 + len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
1681 + (options.ssl == 0) ? "" : "s", options.host, options.port);
1682 + options.uri[MAXURILEN - 1] = 0;
1683 + options.uri = xrealloc (options.uri, len + 1, 1);
1685 + if (options.binddn == NULL)
1686 + options.binddn = "";
1687 + if (options.bindpw == NULL)
1688 + options.bindpw = "";
1689 + if (options.scope == -1)
1690 + options.scope = LDAP_SCOPE_SUBTREE;
1691 + if (options.deref == -1)
1692 + options.deref = LDAP_DEREF_NEVER;
1693 + if (options.timelimit == -1)
1694 + options.timelimit = 10;
1695 + if (options.bind_timelimit == -1)
1696 + options.bind_timelimit = 10;
1697 + if (options.ldap_version == -1)
1698 + options.ldap_version = 3;
1699 + if (options.bind_policy == -1)
1700 + options.bind_policy = 1;
1701 + if (options.referrals == -1)
1702 + options.referrals = 1;
1703 + if (options.restart == -1)
1704 + options.restart = 1;
1705 + if (options.tls_checkpeer == -1)
1706 + options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
1707 + if (options.debug == -1)
1708 + options.debug = 0;
1709 + if (options.ssh_filter == NULL)
1710 + options.ssh_filter = "";
1713 +static const char *
1714 +lookup_opcode_name(OpCodes code)
1718 + for (i = 0; keywords[i].name != NULL; i++)
1719 + if (keywords[i].opcode == code)
1720 + return(keywords[i].name);
1725 +dump_cfg_string(OpCodes code, const char *val)
1728 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1730 + debug3("%s %s", lookup_opcode_name(code), val);
1734 +dump_cfg_int(OpCodes code, int val)
1737 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1739 + debug3("%s %d", lookup_opcode_name(code), val);
1748 +dump_cfg_namedint(OpCodes code, int val, struct names *names)
1753 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1755 + for (i = 0; names[i].value != -1; i++)
1756 + if (names[i].value == val) {
1757 + debug3("%s %s", lookup_opcode_name(code), names[i].name);
1760 + debug3("%s unknown: %d", lookup_opcode_name(code), val);
1764 +static struct names _yesnotls[] = {
1767 + { 2, "Start_TLS" },
1770 +static struct names _scope[] = {
1771 + { LDAP_SCOPE_BASE, "Base" },
1772 + { LDAP_SCOPE_ONELEVEL, "One" },
1773 + { LDAP_SCOPE_SUBTREE, "Sub"},
1776 +static struct names _deref[] = {
1777 + { LDAP_DEREF_NEVER, "Never" },
1778 + { LDAP_DEREF_SEARCHING, "Searching" },
1779 + { LDAP_DEREF_FINDING, "Finding" },
1780 + { LDAP_DEREF_ALWAYS, "Always" },
1783 +static struct names _yesno[] = {
1788 +static struct names _bindpolicy[] = {
1793 +static struct names _checkpeer[] = {
1794 + { LDAP_OPT_X_TLS_NEVER, "Never" },
1795 + { LDAP_OPT_X_TLS_HARD, "Hard" },
1796 + { LDAP_OPT_X_TLS_DEMAND, "Demand" },
1797 + { LDAP_OPT_X_TLS_ALLOW, "Allow" },
1798 + { LDAP_OPT_X_TLS_TRY, "TRY" },
1804 + dump_cfg_string(lURI, options.uri);
1805 + dump_cfg_string(lHost, options.host);
1806 + dump_cfg_int(lPort, options.port);
1807 + dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
1808 + dump_cfg_int(lLdap_Version, options.ldap_version);
1809 + dump_cfg_int(lTimeLimit, options.timelimit);
1810 + dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
1811 + dump_cfg_string(lBase, options.base);
1812 + dump_cfg_string(lBindDN, options.binddn);
1813 + dump_cfg_string(lBindPW, options.bindpw);
1814 + dump_cfg_namedint(lScope, options.scope, _scope);
1815 + dump_cfg_namedint(lDeref, options.deref, _deref);
1816 + dump_cfg_namedint(lReferrals, options.referrals, _yesno);
1817 + dump_cfg_namedint(lRestart, options.restart, _yesno);
1818 + dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
1819 + dump_cfg_string(lSSLPath, options.sslpath);
1820 + dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
1821 + dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
1822 + dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
1823 + dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
1824 + dump_cfg_string(lTLS_Cert, options.tls_cert);
1825 + dump_cfg_string(lTLS_Key, options.tls_key);
1826 + dump_cfg_string(lTLS_RandFile, options.tls_randfile);
1827 + dump_cfg_string(lLogDir, options.logdir);
1828 + dump_cfg_int(lDebug, options.debug);
1829 + dump_cfg_string(lSSH_Filter, options.ssh_filter);
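Review bot: the `lDeref` case in process_config_line writes to the wrong option: it sets `intptr = &options.scope;` before parsing the never/searching/finding/always argument, so a Deref line either overwrites Scope with an LDAP_DEREF_* value or is silently ignored when Scope was already set, and `options.deref` never receives the configured value; it must be `intptr = &options.deref;`. Second, fill_default_options assigns `options.ssl = SSL_START_TLS` first and then derives `options.port = (options.ssl == 0) ? 389 : 636` and the URI scheme `(options.ssl == 0) ? "" : "s"`, so the default Start_TLS configuration ends up with an `ldaps://host:636` URI, which is the wrong port and scheme for StartTLS (negotiated on the plain port by ldap_start_tls_s in ldapbody.c); both comparisons should be against `SSL_LDAPS` rather than `0`. Third, read_config_file rejects a group- or world-writable file (`(sb.st_mode & 022) != 0`) but says nothing about readability, and this file carries `BindPW` in clear text; refusing, or at least warning about, a world-readable file when a BindPW is configured would match the value of what it protects. Minor: the comment reads `Configuration ptions.` and refers to `oBadOption` where the token is `lBadOption`, and the two TLS_CheckPeer messages spell `alow`.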
1832 diff -up openssh-5.9p0/ldapconf.h.ldap openssh-5.9p0/ldapconf.h
1833 --- openssh-5.9p0/ldapconf.h.ldap 2011-08-30 15:57:13.265149057 +0200
1834 +++ openssh-5.9p0/ldapconf.h 2011-08-30 15:57:13.271153923 +0200
1836 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1838 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1840 + * Redistribution and use in source and binary forms, with or without
1841 + * modification, are permitted provided that the following conditions
1843 + * 1. Redistributions of source code must retain the above copyright
1844 + * notice, this list of conditions and the following disclaimer.
1845 + * 2. Redistributions in binary form must reproduce the above copyright
1846 + * notice, this list of conditions and the following disclaimer in the
1847 + * documentation and/or other materials provided with the distribution.
1849 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1850 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1851 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1852 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1853 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1854 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1855 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1856 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1857 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1858 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1865 +#define SSL_LDAPS 1
1866 +#define SSL_START_TLS 2
1868 +/* Data structure for representing option data. */
1880 + int bind_timelimit;
1887 + int tls_checkpeer;
1888 + char *tls_cacertfile;
1889 + char *tls_cacertdir;
1890 + char *tls_ciphers;
1893 + char *tls_randfile;
1899 +extern Options options;
1901 +void read_config_file(const char *);
1902 +void initialize_options(void);
1903 +void fill_default_options(void);
1904 +void dump_config(void);
1906 +#endif /* LDAPCONF_H */
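Review bot: the header defines `SSL_LDAPS 1` and `SSL_START_TLS 2` but no name for the off state, which is why ldapconf.c compares `options.ssl == 0` as a magic number in the port and URI defaults; adding a named constant for 0 (for example `SSL_OFF`, a suggested name) and using it in those comparisons, together with the `SSL_LDAPS` fix in fill_default_options, would make that logic readable. Cosmetic: the ident line in ldapconf.h says `$OpenBSD: ldapconf.c`, the same copied tag appears in ldapincludes.h, and ldapmisc.h carries ldapbody.h's; worth correcting before the files land.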
1907 diff -up openssh-5.9p0/ldapincludes.h.ldap openssh-5.9p0/ldapincludes.h
1908 --- openssh-5.9p0/ldapincludes.h.ldap 2011-08-30 15:57:13.344023601 +0200
1909 +++ openssh-5.9p0/ldapincludes.h 2011-08-30 15:57:13.348024596 +0200
1911 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1913 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1915 + * Redistribution and use in source and binary forms, with or without
1916 + * modification, are permitted provided that the following conditions
1918 + * 1. Redistributions of source code must retain the above copyright
1919 + * notice, this list of conditions and the following disclaimer.
1920 + * 2. Redistributions in binary form must reproduce the above copyright
1921 + * notice, this list of conditions and the following disclaimer in the
1922 + * documentation and/or other materials provided with the distribution.
1924 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1925 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1926 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1927 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1928 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1929 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1930 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1931 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1932 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1933 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1936 +#ifndef LDAPINCLUDES_H
1937 +#define LDAPINCLUDES_H
1939 +#include "includes.h"
1947 +#ifdef HAVE_LDAP_SSL_H
1948 +#include <ldap_ssl.h>
1951 +#endif /* LDAPINCLUDES_H */
1952 diff -up openssh-5.9p0/ldapmisc.c.ldap openssh-5.9p0/ldapmisc.c
1953 --- openssh-5.9p0/ldapmisc.c.ldap 2011-08-30 15:57:13.429148896 +0200
1954 +++ openssh-5.9p0/ldapmisc.c 2011-08-30 15:57:13.433150396 +0200
1957 +#include "ldapincludes.h"
1958 +#include "ldapmisc.h"
1960 +#ifndef HAVE_LDAP_GET_LDERRNO
1962 +ldap_get_lderrno (LDAP * ld, char **m, char **s)
1964 +#ifdef HAVE_LDAP_GET_OPTION
1969 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
1970 + if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
1973 + lderrno = ld->ld_errno;
1977 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
1978 + if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
1981 + *s = ld->ld_error;
1986 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
1987 + if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
1990 + *m = ld->ld_matched;
1998 +#ifndef HAVE_LDAP_SET_LDERRNO
2000 +ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
2002 +#ifdef HAVE_LDAP_SET_OPTION
2006 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
2007 + if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
2010 + ld->ld_errno = lderrno;
2014 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
2015 + if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
2023 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
2024 + if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
2027 + ld->ld_matched = m;
2031 + return LDAP_SUCCESS;
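Review bot: in the struct-poking fallback of ldap_set_lderrno, `ld->ld_matched = m;` stores the caller's `const char *` into a non-const library field without copying it, which both discards the qualifier (a compiler warning at best) and leaves the LDAP handle pointing at memory whose lifetime the caller controls. The ldap_set_option/ldap_get_option branches above are the sane path; for the fallback, either duplicate the string or document that `m` and `s` must outlive the handle, and note likewise that `*s = ld->ld_error;` and `*m = ld->ld_matched;` in ldap_get_lderrno hand out internal pointers the caller must not free.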
2035 diff -up openssh-5.9p0/ldapmisc.h.ldap openssh-5.9p0/ldapmisc.h
2036 --- openssh-5.9p0/ldapmisc.h.ldap 2011-08-30 15:57:13.531150853 +0200
2037 +++ openssh-5.9p0/ldapmisc.h 2011-08-30 15:57:13.537153831 +0200
2039 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
2041 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
2043 + * Redistribution and use in source and binary forms, with or without
2044 + * modification, are permitted provided that the following conditions
2046 + * 1. Redistributions of source code must retain the above copyright
2047 + * notice, this list of conditions and the following disclaimer.
2048 + * 2. Redistributions in binary form must reproduce the above copyright
2049 + * notice, this list of conditions and the following disclaimer in the
2050 + * documentation and/or other materials provided with the distribution.
2052 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
2053 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
2054 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
2055 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
2056 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
2057 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
2058 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
2059 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
2060 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
2061 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2067 +#include "ldapincludes.h"
2069 +int ldap_get_lderrno (LDAP *, char **, char **);
2070 +int ldap_set_lderrno (LDAP *, int, const char *, const char *);
2072 +#endif /* LDAPMISC_H */
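Review bot: the RCS tag `$OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $` at the top of ldapmisc.h names a different file and was evidently pasted from ldapbody.h; correct or drop it so the header's provenance is not misleading. The declarations `int ldap_get_lderrno (LDAP *, char **, char **);` and `int ldap_set_lderrno (LDAP *, int, const char *, const char *);` also leave ownership of the returned and passed strings undocumented, and the compat implementation in ldapmisc.c returns pointers into the handle while the native ldap_get_option path may hand back allocated copies; a comment beside the prototypes stating who frees what would prevent double frees in callers.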
2074 diff -up openssh-5.9p0/openssh-lpk-openldap.schema.ldap openssh-5.9p0/openssh-lpk-openldap.schema
2075 --- openssh-5.9p0/openssh-lpk-openldap.schema.ldap 2011-08-30 15:57:13.607025841 +0200
2076 +++ openssh-5.9p0/openssh-lpk-openldap.schema 2011-08-30 15:57:13.612150461 +0200
2079 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
2080 +# useful with PKA-LDAP also
2082 +# Author: Eric AUGE <eau@phear.org>
2084 +# Based on the proposal of : Mark Ruijter
2088 +# octetString SYNTAX
2089 +attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
2090 + DESC 'MANDATORY: OpenSSH Public key'
2091 + EQUALITY octetStringMatch
2092 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
2094 +# printableString SYNTAX yes|no
2095 +objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
2096 + DESC 'MANDATORY: OpenSSH LPK objectclass'
2097 + MUST ( sshPublicKey $ uid )
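Review bot: `MUST ( sshPublicKey $ uid )` makes sshPublicKey mandatory, so an account whose key is revoked cannot simply have the attribute removed and must lose the ldapPublicKey objectclass as well; putting sshPublicKey under MAY is the more usual and more operable choice. The comment `# printableString SYNTAX yes|no` above the objectclass describes nothing that follows and looks like a leftover; drop it. Also worth noting in the schema file: with octetString syntax and octetStringMatch the value is stored and served byte-for-byte, so any authorized_keys option prefix written into the attribute (command=, from=, and so on) reaches sshd verbatim, which means write access to sshPublicKey is equivalent to controlling login for that account and the directory ACL on it should be as strict as the one on userPassword.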
2099 diff -up openssh-5.9p0/openssh-lpk-sun.schema.ldap openssh-5.9p0/openssh-lpk-sun.schema
2100 --- openssh-5.9p0/openssh-lpk-sun.schema.ldap 2011-08-30 15:57:13.696025724 +0200
2101 +++ openssh-5.9p0/openssh-lpk-sun.schema 2011-08-30 15:57:13.699024704 +0200
2104 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
2105 +# useful with PKA-LDAP also
2107 +# Author: Eric AUGE <eau@phear.org>
2109 +# Schema for Sun Directory Server.
2110 +# Based on the original schema, modified by Stefan Fischer.
2115 +# octetString SYNTAX
2116 +attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
2117 + DESC 'MANDATORY: OpenSSH Public key'
2118 + EQUALITY octetStringMatch
2119 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
2121 +# printableString SYNTAX yes|no
2122 +objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
2123 + DESC 'MANDATORY: OpenSSH LPK objectclass'
2124 + MUST ( sshPublicKey $ uid )
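Review bot: this file repeats the OIDs, DESC strings and the `MUST ( sshPublicKey $ uid )` clause of openssh-lpk-openldap.schema verbatim, so the same MUST-versus-MAY question applies here, and the two files must be changed in lockstep: an OID, syntax or MUST/MAY change in one but not the other would make `sshPublicKey` mean different things on OpenLDAP and on Sun Directory Server. The stale `# printableString SYNTAX yes|no` comment has been carried over as well.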
2126 diff -up openssh-5.9p0/ssh-ldap-helper.8.ldap openssh-5.9p0/ssh-ldap-helper.8
2127 --- openssh-5.9p0/ssh-ldap-helper.8.ldap 2011-08-30 15:57:13.772026539 +0200
2128 +++ openssh-5.9p0/ssh-ldap-helper.8 2011-08-30 15:57:13.778026299 +0200
2130 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
2132 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
2134 +.\" Permission to use, copy, modify, and distribute this software for any
2135 +.\" purpose with or without fee is hereby granted, provided that the above
2136 +.\" copyright notice and this permission notice appear in all copies.
2138 +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
2139 +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
2140 +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
2141 +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2142 +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
2143 +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
2144 +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2146 +.Dd $Mdocdate: April 29 2010 $
2147 +.Dt SSH-LDAP-HELPER 8
2150 +.Nm ssh-ldap-helper
2151 +.Nd sshd helper program for ldap support
2153 +.Nm ssh-ldap-helper
2161 +to access keys provided by an LDAP.
2163 +is disabled by default and can only be enabled in the
2164 +sshd configuration file
2165 +.Pa /etc/ssh/sshd_config
2167 +.Cm AuthorizedKeysCommand
2169 +.Dq /usr/libexec/ssh-ldap-wrapper .
2172 +is not intended to be invoked by the user, but from
2174 +.Xr ssh-ldap-wrapper .
2176 +The options are as follows:
2179 +Set the debug mode;
2181 +prints all logs to stderr instead of syslog.
2185 +halts if it encounters an unknown item in the ldap.conf file.
2188 +uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
2191 +prints out the user's keys to stdout and exits.
2194 +increases verbosity.
2197 +writes warnings about unknown items in the ldap.conf configuration file.
2201 +.Xr sshd_config 5 ,
2202 +.Xr ssh-ldap.conf 5 ,
2206 +OpenSSH 5.5 + PKA-LDAP .
2208 +.An Jan F. Chadima Aq jchadima@redhat.com
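Review bot: the man page tells the administrator to set AuthorizedKeysCommand to `.Dq /usr/libexec/ssh-ldap-wrapper .`, but the wrapper added by this patch execs `/usr/libexec/openssh/ssh-ldap-helper` and is clearly meant to live in the same /usr/libexec/openssh/ directory; pick one path and use it everywhere, otherwise the documented configuration points at a file that does not exist. Two smaller points: `to access keys provided by an LDAP.` is missing its noun (an LDAP directory or server), and the `$OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $` tag claims an upstream OpenBSD revision for a page authored at Red Hat (see the .An line); drop it or replace it with a tag the project actually tracks.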
2209 diff -up openssh-5.9p0/ssh-ldap-wrapper.ldap openssh-5.9p0/ssh-ldap-wrapper
2210 --- openssh-5.9p0/ssh-ldap-wrapper.ldap 2011-08-30 15:57:13.854024986 +0200
2211 +++ openssh-5.9p0/ssh-ldap-wrapper 2011-08-30 15:57:13.858149926 +0200
2215 +exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
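Review bot: `exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"` forwards only the first argument, so anything else sshd passes, or an administrator appends to AuthorizedKeysCommand, is silently dropped; either forward `"$@"` or add a comment that the helper takes exactly one user name. Because sshd treats this command's stdout as the user's authorized_keys file, a comment here that diagnostics must stay on stderr (the helper's -d does that) and that the file must remain root-owned and not group- or world-writable would save the next person who edits it from turning debug output into trusted keys.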
2217 diff -up openssh-5.9p0/ssh-ldap.conf.5.ldap openssh-5.9p0/ssh-ldap.conf.5
2218 --- openssh-5.9p0/ssh-ldap.conf.5.ldap 2011-08-30 15:57:13.934151066 +0200
2219 +++ openssh-5.9p0/ssh-ldap.conf.5 2011-08-30 15:57:13.942024641 +0200
2221 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
2223 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
2225 +.\" Permission to use, copy, modify, and distribute this software for any
2226 +.\" purpose with or without fee is hereby granted, provided that the above
2227 +.\" copyright notice and this permission notice appear in all copies.
2229 +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
2230 +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
2231 +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
2232 +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2233 +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
2234 +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
2235 +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2237 +.Dd $Mdocdate: may 12 2010 $
2238 +.Dt SSH-LDAP.CONF 5
2242 +.Nd configuration file for ssh-ldap-helper
2244 +.Nm /etc/ssh/ldap.conf
2246 +.Xr ssh-ldap-helper 8
2247 +reads configuration data from
2248 +.Pa /etc/ssh/ldap.conf
2249 +(or the file specified with
2251 +on the command line).
2252 +The file contains keyword-argument pairs, one per line.
2253 +Lines starting with
2255 +and empty lines are interpreted as comments.
2257 +The value starts with the first non-blank character after
2258 +the keyword's name, and terminates at the end of the line,
2259 +or at the last sequence of blanks before the end of the line.
2260 +Quoting values that contain blanks
2261 +may be incorrect, as the quotes would become part of the value.
2262 +The possible keywords and their meanings are as follows (note that
2263 +keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
2266 +The argument(s) are in the form
2267 +.Pa ldap[si]://[name[:port]]
2268 +and specify the URI(s) of an LDAP server(s) to which the
2269 +.Xr ssh-ldap-helper 8
2270 +should connect. The URI scheme may be any of
2275 +which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
2276 +over IPC (UNIX domain sockets), respectively.
2277 +Each server's name can be specified as a
2278 +domain-style name or an IP address literal. Optionally, the
2279 +server's name can followed by a ':' and the port number the LDAP
2280 +server is listening on. If no port number is provided, the default
2281 +port for the scheme is used (389 for ldap://, 636 for ldaps://).
2282 +For LDAP over IPC, name is the name of the socket, and no port
2283 +is required, nor allowed; note that directory separators must be
2284 +URL-encoded, like any other characters that are special to URLs;
2285 +A space separated list of URIs may be provided.
2286 +There is no default.
2288 +Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
2289 +The base must be specified as a DN in LDAP format.
2290 +There is no default.
2292 +Specifies the default BIND DN to use when connecting to the ldap server.
2293 +The bind DN must be specified as a Distinguished Name in LDAP format.
2294 +There is no default.
2296 +Specifies the default password to use when connecting to the ldap server via
2298 +There is no default.
2300 +Intentionaly does nothing. Recognized for compatibility reasons.
2302 +The argument(s) specifies the name(s) of an LDAP server(s) to which the
2303 +.Xr ssh-ldap-helper 8
2304 +should connect. Each server's name can be specified as a
2305 +domain-style name or an IP address and optionally followed by a ':' and
2306 +the port number the ldap server is listening on. A space-separated
2307 +list of hosts may be provided.
2308 +There is no default.
2310 +is deprecated in favor of
2313 +Specifies the default port used when connecting to LDAP servers(s).
2314 +The port may be specified as a number.
2315 +The default port is 389 for ldap:// or 636 for ldaps:// respectively.
2317 +is deprecated in favor of
2320 +Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
2321 +There are three options (values) that can be assigned to the
2322 +.Cm Scope parameter:
2327 +Alias for the subtree is
2331 +is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
2334 +is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
2337 +is used to indicate searching of all entries at all levels under and including the specified base DN.
2341 +Specifies how alias dereferencing is done when performing a search. There are four
2342 +possible values that can be assigned to the
2352 +means that the aliases are never dereferenced.
2355 +means that the aliases are dereferenced in subordinates of the base object, but
2356 +not in locating the base object of the search.
2359 +means that the aliases are only dereferenced when locating the base object of the search.
2362 +means that the aliases are dereferenced both in searching and in locating the base object
2367 +Specifies a time limit (in seconds) to use when performing searches.
2368 +The number should be a non-negative integer. A
2370 +of zero (0) specifies that the search time is unlimited. Please note that the server
2371 +may still apply any server-side limit on the duration of a search operation.
2372 +The default value is 10.
2376 +.It Cm Bind_TimeLimit
2377 +Specifies the timeout (in seconds) after which the poll(2)/select(2)
2378 +following a connect(2) returns in case of no activity.
2379 +The default value is 10.
2380 +.It Cm Network_TimeOut
2382 +.Cm Bind_TimeLimit .
2383 +.It Cm Ldap_Version
2384 +Specifies what version of the LDAP protocol should be used.
2385 +The allowed values are 2 or 3. The default is 3.
2390 +Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
2394 +.Dq hard has 2 aliases
2400 +means that reconects that the
2401 +.Xr ssh-ldap-helper 8
2402 +tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
2406 +.Xr ssh-ldap-helper 8
2407 +fails immediately when it cannot connect to the LDAP seerver.
2411 +Specifies the path to the X.509 certificate database.
2412 +There is no default.
2414 +Specifies whether to use SSL/TLS or not.
2415 +There are three allowed values:
2424 +are the aliases for
2429 +are the aliases for
2433 +is specified then StartTLS is used rather than raw LDAP over SSL.
2434 +The default for ldap:// is
2441 +In case of host based configuration the default is
2444 +Specifies if the client should automatically follow referrals returned
2446 +The value can be or
2453 +are the aliases for
2458 +are the aliases for
2460 +The default is yes.
2462 +Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
2463 +The value can be or
2470 +are the aliases for
2475 +are the aliases for
2477 +The default is yes.
2478 +.It Cm TLS_CheckPeer
2479 +Specifies what checks to perform on server certificates in a TLS session,
2481 +can be specified as one of the following keywords:
2498 +are the aliases for
2502 +means that the client will not request or check any server certificate.
2505 +means that the server certificate is requested. If no certificate is provided,
2506 +the session proceeds normally. If a bad certificate is provided, it will
2507 +be ignored and the session proceeds normally.
2510 +means that the server certificate is requested. If no certificate is provided,
2511 +the session proceeds normally. If a bad certificate is provided,
2512 +the session is immediately terminated.
2515 +means that the server certificate is requested. If no
2516 +certificate is provided, or a bad certificate is provided, the session
2517 +is immediately terminated.
2522 +It requires an SSL connection. In the case of the plain conection the
2523 +session is immediately terminated.
2528 +.Cm TLS_CheckPeer .
2529 +.It Cm TLS_CACertFile
2530 +Specifies the file that contains certificates for all of the Certificate
2531 +Authorities the client will recognize.
2532 +There is no default.
2535 +.Cm TLS_CACertFile .
2536 +.It Cm TLS_CACertDIR
2537 +Specifies the path of a directory that contains Certificate Authority
2538 +certificates in separate individual files. The
2540 +is always used before
2541 +.Cm TLS_CACertDir .
2542 +The specified directory must be managed with the OpenSSL c_rehash utility.
2543 +There is no default.
2545 +Specifies acceptable cipher suite and preference order.
2546 +The value should be a cipher specification for OpenSSL,
2548 +.Dq HIGH:MEDIUM:+SSLv2 .
2551 +.It Cm TLS_Cipher_Suite
2555 +Specifies the file that contains the client certificate.
2556 +There is no default.
2557 +.It Cm TLS_Certificate
2561 +Specifies the file that contains the private key that matches the certificate
2564 +file. Currently, the private key must not be protected with a password, so
2565 +it is of critical importance that the key file is protected carefully.
2566 +There is no default.
2567 +.It Cm TLS_RandFile
2568 +Specifies the file to obtain random bits from when /dev/[u]random is
2569 +not available. Generally set to the name of the EGD/PRNGD socket.
2570 +The environment variable RANDFILE can also be used to specify the filename.
2571 +There is no default.
2573 +Specifies the directory used for logging by the LDAP client library.
2574 +There is no default.
2576 +Specifies the debug level used for logging by the LDAP client library.
2577 +There is no default.
2579 +Specifies the user filter applied on the LDAP serch.
2580 +The default is no filter.
2584 +.It Pa /etc/ssh/ldap.conf
2585 +Ldap configuration file for
2586 +.Xr ssh-ldap-helper 8 .
2590 +.Xr ssh-ldap-helper 8
2594 +OpenSSH 5.5 + PKA-LDAP .
2596 +.An Jan F. Chadima Aq jchadima@redhat.com
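Review bot: the documented default cipher list `.Dq HIGH:MEDIUM:+SSLv2 .` keeps SSLv2 ciphersuites enabled (in OpenSSL cipher strings `+` only demotes the suites in preference order, `!` is what excludes them) for the channel that delivers the keys sshd will trust; the default should be something like HIGH:MEDIUM:!aNULL:!SSLv2 and the man page should say so. The TLS_CheckPeer section presents `allow` and `try` as ordinary choices although both accept an unverified server (a bad certificate "will be ignored and the session proceeds normally"), which lets anyone able to interpose on the LDAP connection inject public keys; the entry should state the default and recommend demand (or its alias hard) for this use, and note that the `never` keyword disables certificate checking entirely. Ldap_Version is described as "2 or 3" without saying that LDAPv2 is retired (RFC 3494) and has no StartTLS, so it should be marked legacy-only. Smaller fixes in the same page: `$Mdocdate: may 12 2010 $` should read `May 12 2010`; `Intentionaly`, `reconects that the`, `seerver`, `conection` and `serch` are typos; and the user-filter entry (`Specifies the user filter applied on the LDAP serch.`) should document how the login name supplied by the client is inserted into the search filter and whether it is escaped per RFC 4515, since that name arrives from an unauthenticated peer.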