make an object class filter configurable <charles@dyfis.net> (#963281)
This commit is contained in:
parent
e99c4840f1
commit
e6dbb83190
@ -258,7 +258,7 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
|
|||||||
+#include <stdio.h>
|
+#include <stdio.h>
|
||||||
+#include <unistd.h>
|
+#include <unistd.h>
|
||||||
+
|
+
|
||||||
+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
|
+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
|
||||||
+#define PUBKEYATTR "sshPublicKey"
|
+#define PUBKEYATTR "sshPublicKey"
|
||||||
+#define LDAP_LOGFILE "%s/ldap.%d"
|
+#define LDAP_LOGFILE "%s/ldap.%d"
|
||||||
+
|
+
|
||||||
@ -659,11 +659,11 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* build filter for LDAP request */
|
+ /* build filter for LDAP request */
|
||||||
+ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
|
+ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
|
||||||
+ if (options.ssh_filter != NULL)
|
+ if (options.ssh_filter != NULL)
|
||||||
+ bufflen += strlen (options.ssh_filter);
|
+ bufflen += strlen (options.ssh_filter);
|
||||||
+ buffer = xmalloc (bufflen);
|
+ buffer = xmalloc (bufflen);
|
||||||
+ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
|
+ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
|
||||||
+ buffer[bufflen - 1] = 0;
|
+ buffer[bufflen - 1] = 0;
|
||||||
+
|
+
|
||||||
+ debug3 ("LDAP search scope = %d %s", options.scope, buffer);
|
+ debug3 ("LDAP search scope = %d %s", options.scope, buffer);
|
||||||
@ -759,10 +759,10 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
|
|||||||
+
|
+
|
||||||
+#endif /* LDAPBODY_H */
|
+#endif /* LDAPBODY_H */
|
||||||
+
|
+
|
||||||
diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
|
diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||||
--- openssh-6.2p1/ldapconf.c.ldap 2013-03-25 21:27:15.890248084 +0100
|
--- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200
|
||||||
+++ openssh-6.2p1/ldapconf.c 2013-03-25 21:27:15.890248084 +0100
|
+++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200
|
||||||
@@ -0,0 +1,682 @@
|
@@ -0,0 +1,691 @@
|
||||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
||||||
@ -807,7 +807,7 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
|
|||||||
+ lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
|
+ lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
|
||||||
+ lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
|
+ lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
|
||||||
+ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
|
+ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
|
||||||
+ lDeprecated, lUnsupported
|
+ lAccountClass, lDeprecated, lUnsupported
|
||||||
+} OpCodes;
|
+} OpCodes;
|
||||||
+
|
+
|
||||||
+/* Textual representations of the tokens. */
|
+/* Textual representations of the tokens. */
|
||||||
@ -859,6 +859,7 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
|
|||||||
+ { "LogDir", lLogDir },
|
+ { "LogDir", lLogDir },
|
||||||
+ { "Debug", lDebug },
|
+ { "Debug", lDebug },
|
||||||
+ { "SSH_Filter", lSSH_Filter },
|
+ { "SSH_Filter", lSSH_Filter },
|
||||||
|
+ { "AccountClass", lAccountClass },
|
||||||
+ { NULL, lBadOption }
|
+ { NULL, lBadOption }
|
||||||
+};
|
+};
|
||||||
+
|
+
|
||||||
@ -1151,6 +1152,10 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
|
|||||||
+ xstringptr = &options.ssh_filter;
|
+ xstringptr = &options.ssh_filter;
|
||||||
+ goto parse_xstring;
|
+ goto parse_xstring;
|
||||||
+
|
+
|
||||||
|
+ case lAccountClass:
|
||||||
|
+ charptr = &options.account_class;
|
||||||
|
+ goto parse_string;
|
||||||
|
+
|
||||||
+ case lDeprecated:
|
+ case lDeprecated:
|
||||||
+ debug("%s line %d: Deprecated option \"%s\"",
|
+ debug("%s line %d: Deprecated option \"%s\"",
|
||||||
+ filename, linenum, keyword);
|
+ filename, linenum, keyword);
|
||||||
@ -1254,6 +1259,7 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
|
|||||||
+ options.logdir = NULL;
|
+ options.logdir = NULL;
|
||||||
+ options.debug = -1;
|
+ options.debug = -1;
|
||||||
+ options.ssh_filter = NULL;
|
+ options.ssh_filter = NULL;
|
||||||
|
+ options.account_class = NULL;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+/*
|
+/*
|
||||||
@ -1324,6 +1330,8 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
|
|||||||
+ options.debug = 0;
|
+ options.debug = 0;
|
||||||
+ if (options.ssh_filter == NULL)
|
+ if (options.ssh_filter == NULL)
|
||||||
+ options.ssh_filter = "";
|
+ options.ssh_filter = "";
|
||||||
|
+ if (options.account_class == NULL)
|
||||||
|
+ options.account_class = "posixAccount";
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+static const char *
|
+static const char *
|
||||||
@ -1443,12 +1451,13 @@ diff -up openssh-6.2p1/ldapconf.c.ldap openssh-6.2p1/ldapconf.c
|
|||||||
+ dump_cfg_string(lLogDir, options.logdir);
|
+ dump_cfg_string(lLogDir, options.logdir);
|
||||||
+ dump_cfg_int(lDebug, options.debug);
|
+ dump_cfg_int(lDebug, options.debug);
|
||||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||||
|
+ dump_cfg_string(lAccountClass, options.logdir);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
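Review bot: In the `@ -1443,12 +1451,13 @@` hunk the new dump line reports the wrong field: `dump_cfg_string(lAccountClass, options.logdir);` prints the log directory under the AccountClass keyword, so a configuration dump would never show the class actually used to build the search filter. It should read `dump_cfg_string(lAccountClass, options.account_class);`, matching the `options.account_class` member added to `Options` in ldapconf.h and defaulted to `"posixAccount"` in the fill-defaults hunk. The enclosing dump function starts outside the hunk. Since `account_class` is now spliced into `LDAPSEARCH_FORMAT` as a raw filter fragment, a one-line comment at the `options.account_class = "posixAccount";` default noting that the value is inserted unescaped into the LDAP search filter would help administrators keep it to a plain objectClass name.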
diff -up openssh-6.2p1/ldapconf.h.ldap openssh-6.2p1/ldapconf.h
|
diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
|
||||||
--- openssh-6.2p1/ldapconf.h.ldap 2013-03-25 21:27:15.891248091 +0100
|
--- openssh-6.2p2/ldapconf.h.ldap 2013-06-07 15:10:05.602942689 +0200
|
||||||
+++ openssh-6.2p1/ldapconf.h 2013-03-25 21:27:15.891248091 +0100
|
+++ openssh-6.2p2/ldapconf.h 2013-06-07 15:10:24.928857566 +0200
|
||||||
@@ -0,0 +1,71 @@
|
@@ -0,0 +1,72 @@
|
||||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
||||||
@ -1510,6 +1519,7 @@ diff -up openssh-6.2p1/ldapconf.h.ldap openssh-6.2p1/ldapconf.h
|
|||||||
+ char *logdir;
|
+ char *logdir;
|
||||||
+ int debug;
|
+ int debug;
|
||||||
+ char *ssh_filter;
|
+ char *ssh_filter;
|
||||||
|
+ char *account_class;
|
||||||
+} Options;
|
+} Options;
|
||||||
+
|
+
|
||||||
+extern Options options;
|
+extern Options options;
|
||||||
@ -2123,10 +2133,10 @@ diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun
|
|||||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||||
+ MUST ( sshPublicKey $ uid )
|
+ MUST ( sshPublicKey $ uid )
|
||||||
+ )
|
+ )
|
||||||
diff -up openssh-6.2p1/ssh-ldap.conf.5.ldap openssh-6.2p1/ssh-ldap.conf.5
|
diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
|
||||||
--- openssh-6.2p1/ssh-ldap.conf.5.ldap 2013-03-25 21:27:15.895248117 +0100
|
--- openssh-6.2p2/ssh-ldap.conf.5.ldap 2013-06-07 15:10:05.604942680 +0200
|
||||||
+++ openssh-6.2p1/ssh-ldap.conf.5 2013-03-25 21:27:15.895248117 +0100
|
+++ openssh-6.2p2/ssh-ldap.conf.5 2013-06-07 15:10:24.928857566 +0200
|
||||||
@@ -0,0 +1,376 @@
|
@@ -0,0 +1,379 @@
|
||||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||||
+.\"
|
+.\"
|
||||||
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
|
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
|
||||||
@ -2487,6 +2497,9 @@ diff -up openssh-6.2p1/ssh-ldap.conf.5.ldap openssh-6.2p1/ssh-ldap.conf.5
|
|||||||
+.It Cm SSH_Filter
|
+.It Cm SSH_Filter
|
||||||
+Specifies the user filter applied on the LDAP serch.
|
+Specifies the user filter applied on the LDAP serch.
|
||||||
+The default is no filter.
|
+The default is no filter.
|
||||||
|
+.It Cm AccountClass
|
||||||
|
+Specifies the LDAP class used to find user accounts.
|
||||||
|
+The default is posixAccount.
|
||||||
+.El
|
+.El
|
||||||
+.Sh FILES
|
+.Sh FILES
|
||||||
+.Bl -tag -width Ds
|
+.Bl -tag -width Ds
|
||||||
|