[openssh] Ability to specify an arbitrary LDAP filter in ldap.conf for ssh-ldap-helper
Jakub Jelen
jjelen at fedoraproject.org
Thu Mar 12 10:55:12 UTC 2015
commit 3bc8b8b1ac7d33605ad2010f042035c26701c50e
Author: Jakub Jelen <jjelen at redhat.com>
Date: Tue Mar 10 09:10:39 2015 +0100
Ability to specify an arbitrary LDAP filter in ldap.conf for ssh-ldap-helper
openssh-6.7p1-ldap.patch | 67 +++++++++++++++++++++++++++++++++++-------------
1 file changed, 49 insertions(+), 18 deletions(-)
---
diff --git a/openssh-6.7p1-ldap.patch b/openssh-6.7p1-ldap.patch
index af00abd..e46e93a 100644
--- a/openssh-6.7p1-ldap.patch
+++ b/openssh-6.7p1-ldap.patch
@@ -3,7 +3,7 @@ new file mode 100644
index 0000000..dd5f5cc
--- /dev/null
+++ b/HOWTO.ldap-keys
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,119 @@
+
+HOW TO START
+
@@ -66,6 +66,17 @@ index 0000000..dd5f5cc
+ * ssh-ldap-helper -d -d -d -d -s <username>
+3) use tcpdump ... other ldap client etc.
+
++HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
++
++You can adjust search format string in /etc/ldap.conf using
++ 1) SSH_Filter option to limit results for only specified users
++ (this appends search condition after original query)
++ 2) Search_Format option to define your own search string using expansion
++ characters %u for username, %c for objectclass and %f for above mentioned filter.
++
++Example:
++Search_Format (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
++
+ADVANTAGES
+
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
@@ -525,7 +536,7 @@ new file mode 100644
index 0000000..42e38d3
--- /dev/null
+++ b/ldap.conf
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,95 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
+# This is the example configuration file for the OpenSSH
@@ -614,12 +625,19 @@ index 0000000..42e38d3
+#tls_cert
+#tls_key
+
++# OpenLDAP search_format
++# format used to search for users in LDAP directory using substitution
++# for %u for user name and %f for SSH_Filter option (optional, empty by default)
++#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
++
++#AccountClass posixAccount
++
diff --git a/ldapbody.c b/ldapbody.c
new file mode 100644
index 0000000..3029108
--- /dev/null
+++ b/ldapbody.c
-@@ -0,0 +1,494 @@
+@@ -0,0 +1,493 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -653,8 +671,9 @@ index 0000000..3029108
+#include "ldapbody.h"
+#include <stdio.h>
+#include <unistd.h>
++#include "misc.h"
+
-+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
++#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
+#define PUBKEYATTR "sshPublicKey"
+#define LDAP_LOGFILE "%s/ldap.%d"
+
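Review bot: LDAPSEARCH_FORMAT on the new `+#define` line is no longer a printf format but a percent_expand() template, and nothing at the definition says so; a reader who sees `%c`/`%u`/`%f` will read them as printf conversions and wonder why `%f` is fed a string. Suggest a comment above the define: `/* percent_expand() template, NOT a printf format: %c = AccountClass, %u = user name, %f = SSH_Filter (may be empty) */`. It would also help to note there that a config-supplied search_format replaces this default entirely, so the macro is only the fallback.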
@@ -1041,8 +1060,8 @@ index 0000000..3029108
+process_user (const char *user, FILE *output)
+{
+ LDAPMessage *res, *e;
-+ char *buffer;
-+ int bufflen, rc, i;
++ char *buffer, *format;
++ int rc, i;
+ struct timeval timeout;
+
+ debug ("LDAP process user");
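Review bot: `format` on the changed declaration line only ever aliases a string literal (LDAPSEARCH_FORMAT) or the parsed search_format option and is never written through, so `char *buffer; const char *format;` documents that and matches percent_expand()'s const parameter; `buffer` stays non-const because it is the heap-allocated expansion the function has to free. Declaring the two on one line also hides that one is owned and one is borrowed. process_user continues outside the hunk.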
@@ -1055,12 +1074,10 @@ index 0000000..3029108
+ }
+
+ /* build filter for LDAP request */
-+ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
-+ if (options.ssh_filter != NULL)
-+ bufflen += strlen (options.ssh_filter);
-+ buffer = xmalloc (bufflen);
-+ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
-+ buffer[bufflen - 1] = 0;
++ format = LDAPSEARCH_FORMAT;
++ if (options.search_format != NULL)
++ format = options.search_format;
++ buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
+
+ debug3 ("LDAP search scope = %d %s", options.scope, buffer);
+
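Review bot: The new `buffer = percent_expand(...)` line passes `options.ssh_filter`, which initialize_options() sets to NULL, and OpenSSH's percent_expand() calls fatal() on a NULL replacement, so unless fill_default_options() (outside this hunk) substitutes an empty string the helper aborts on every lookup when no SSH_Filter is configured; guarding at the call site, `"f", options.ssh_filter != NULL ? options.ssh_filter : "",`, makes it safe either way, and the same question applies to `options.account_class` if its posixAccount default is not filled in before this point. Separately, `user` is still substituted into the filter verbatim: a login name containing RFC 4515 filter special characters (`(`, `)`, `*`, `\`, NUL) changes the structure of the query rather than being matched literally, so the %u value should be filter-escaped (ldap_bv2escaped_filter_value() or a small helper) before expansion — this predates the change, but the rewrite is the natural place to fix it. process_user continues outside the hunk on both sides.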
@@ -1162,7 +1179,7 @@ new file mode 100644
index 0000000..b49cae6
--- /dev/null
+++ b/ldapconf.c
-@@ -0,0 +1,721 @@
+@@ -0,0 +1,728 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -1206,7 +1223,7 @@ index 0000000..b49cae6
+ lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
+ lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
+ lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
-+ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
++ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
+ lAccountClass, lDeprecated, lUnsupported
+} OpCodes;
+
@@ -1259,6 +1276,7 @@ index 0000000..b49cae6
+ { "LogDir", lLogDir },
+ { "Debug", lDebug },
+ { "SSH_Filter", lSSH_Filter },
++ { "search_format", lSearch_Format },
+ { "AccountClass", lAccountClass },
+ { NULL, lBadOption }
+};
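Review bot: The added keyword `"search_format"` is the only lower-case entry in a table whose other names are CamelCase (`LogDir`, `SSH_Filter`, `AccountClass`), and the HOWTO hunk in this same commit spells it `Search_Format` while ldap.conf and the man page say `search_format`; whether the two spellings both work depends on parse_token() being case-insensitive, which is not visible here. Suggest `{ "Search_Format", lSearch_Format },` and one spelling in all three documents. The ldap.conf sample comment in the earlier hunk also lists only %u and %f even though its own example uses %c.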
@@ -1583,6 +1601,10 @@ index 0000000..b49cae6
+ xstringptr = &options.ssh_filter;
+ goto parse_xstring;
+
++ case lSearch_Format:
++ charptr = &options.search_format;
++ goto parse_string;
++
+ case lAccountClass:
+ charptr = &options.account_class;
+ goto parse_string;
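Review bot: The new `case lSearch_Format` accepts any string through parse_string, but the value is only consumed by percent_expand() at lookup time, which in OpenSSH fatal()s on a `%` followed by an unknown key or at the end of the string; a typo in ldap.conf therefore shows up as the helper aborting on the first key lookup rather than as a configuration error. Consider validating the template once after parsing (accept only `%c`, `%u`, `%f` and `%%` after a `%`) and reporting a bad value with the file name and line number, which the parser presumably has at this point like the other options. The enclosing switch starts and ends outside the hunk.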
@@ -1689,6 +1711,7 @@ index 0000000..b49cae6
+ options.logdir = NULL;
+ options.debug = -1;
+ options.ssh_filter = NULL;
++ options.search_format = NULL;
+ options.account_class = NULL;
+}
+
@@ -1881,7 +1904,8 @@ index 0000000..b49cae6
+ dump_cfg_string(lLogDir, options.logdir);
+ dump_cfg_int(lDebug, options.debug);
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
-+ dump_cfg_string(lAccountClass, options.logdir);
++ dump_cfg_string(lSearch_Format, options.search_format);
++ dump_cfg_string(lAccountClass, options.account_class);
+}
+
diff --git a/ldapconf.h b/ldapconf.h
@@ -1889,7 +1913,7 @@ new file mode 100644
index 0000000..2cb550c
--- /dev/null
+++ b/ldapconf.h
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,73 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -1951,6 +1975,7 @@ index 0000000..2cb550c
+ char *logdir;
+ int debug;
+ char *ssh_filter;
++ char *search_format;
+ char *account_class;
+} Options;
+
@@ -2291,7 +2316,7 @@ new file mode 100644
index 0000000..f7081b8
--- /dev/null
+++ b/ssh-ldap.conf.5
-@@ -0,0 +1,379 @@
+@@ -0,0 +1,385 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
@@ -2650,11 +2675,17 @@ index 0000000..f7081b8
+Specifies the debug level used for logging by the LDAP client library.
+There is no default.
+.It Cm SSH_Filter
-+Specifies the user filter applied on the LDAP serch.
++Specifies the user filter applied on the LDAP search.
+The default is no filter.
+.It Cm AccountClass
+Specifies the LDAP class used to find user accounts.
+The default is posixAccount.
++.It Cm search_format
++Specifies the user format of search string in LDAP substituting %u for user name
++and %f for additional ssh filter
++.Cm SSH_Filter
++(optional).
++The default value is (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
+.El
+.Sh FILES
+.Bl -tag -width Ds