From 3bc8b8b1ac7d33605ad2010f042035c26701c50e Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 10 Mar 2015 09:10:39 +0100
Subject: [PATCH] Ability to specify an arbitrary LDAP filter in ldap.conf for ssh-ldap-helper
---
 openssh-6.7p1-ldap.patch | 67 +++++++++++++++++++++++++++++-----------
 1 file changed, 49 insertions(+), 18 deletions(-)
diff --git a/openssh-6.7p1-ldap.patch b/openssh-6.7p1-ldap.patch
index af00abd..e46e93a 100644
--- a/openssh-6.7p1-ldap.patch
+++ b/openssh-6.7p1-ldap.patch
@@ -3,7 +3,7 @@ new file mode 100644
 index 0000000..dd5f5cc
 --- /dev/null
 +++ b/HOWTO.ldap-keys
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,119 @@
 +
 +HOW TO START
 +
@@ -66,6 +66,17 @@ index 0000000..dd5f5cc
 + * ssh-ldap-helper -d -d -d -d -s
 +3) use tcpdump ... other ldap client etc.
 +
++HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
++
++You can adjust search format string in /etc/ldap.conf using
++ 1) SSH_Filter option to limit results for only specified users
++ (this appends search condition after original query)
++ 2) Search_Format option to define your own search string using expansion
++ characters %u for username, %c for objectclass and %f for above mentioned filter.
++
++Example:
++Search_Format (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
++
 +ADVANTAGES
 +
 +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
@@ -525,7 +536,7 @@ new file mode 100644
 index 0000000..42e38d3
 --- /dev/null
 +++ b/ldap.conf
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,95 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
 +# This is the example configuration file for the OpenSSH
@@ -614,12 +625,19 @@ index 0000000..42e38d3
 +#tls_cert
 +#tls_key
 +
++# OpenLDAP search_format
++# format used to search for users in LDAP directory using substitution
++# for %u for user name and %f for SSH_Filter option (optional, empty by default)
++#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
++
++#AccountClass posixAccount
++
 diff --git a/ldapbody.c b/ldapbody.c
 new file mode 100644
 index 0000000..3029108
 --- /dev/null
 +++ b/ldapbody.c
-@@ -0,0 +1,494 @@
+@@ -0,0 +1,493 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -653,8 +671,9 @@ index 0000000..3029108
 +#include "ldapbody.h"
 +#include
 +#include
++#include "misc.h"
 +
-+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
++#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
 +#define PUBKEYATTR "sshPublicKey"
 +#define LDAP_LOGFILE "%s/ldap.%d"
 +
@@ -1041,8 +1060,8 @@ index 0000000..3029108
 +process_user (const char *user, FILE *output)
 +{
 + LDAPMessage *res, *e;
-+ char *buffer;
-+ int bufflen, rc, i;
++ char *buffer, *format;
++ int rc, i;
 + struct timeval timeout;
 +
 + debug ("LDAP process user");
@@ -1055,12 +1074,10 @@ index 0000000..3029108
 + }
 +
 + /* build filter for LDAP request */
-+ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
-+ if (options.ssh_filter != NULL)
-+ bufflen += strlen (options.ssh_filter);
-+ buffer = xmalloc (bufflen);
-+ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
-+ buffer[bufflen - 1] = 0;
++ format = LDAPSEARCH_FORMAT;
++ if (options.search_format != NULL)
++ format = options.search_format;
++ buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
 +
 + debug3 ("LDAP search scope = %d %s", options.scope, buffer);
 +
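Review bot: The comment added above `#search_format` documents only `%u` and `%f`, yet the example format on the very next line also uses `%c`, which the ldapbody.c hunk of this commit expands from AccountClass; an administrator copying the example cannot tell from ldap.conf what `%c` stands for. Extend the comment to cover all three keys, e.g. `# for %u for user name, %c for AccountClass and %f for SSH_Filter option`. The `(optional, empty by default)` remark is also ambiguous about whether it describes search_format or SSH_Filter, so it is worth attaching to one of them explicitly.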
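Review bot: The new declaration `char *buffer, *format;` gives `format` a non-const type although it only ever receives the string literal LDAPSEARCH_FORMAT or `options.search_format` and is consumed by percent_expand(), which takes a `const char *`; splitting it into `char *buffer;` and `const char *format;` lets the compiler reject an accidental write into the literal. The rest of process_user lies outside this hunk.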
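Review bot: The new percent_expand() call passes `options.ssh_filter` straight through as the "f" replacement, but the removed code guarded that field against NULL and the initialize_options hunk of this commit still sets it to NULL, so a configuration without SSH_Filter hands percent_expand() a NULL replacement, which misc.c in this OpenSSH generation rejects with fatal() unless a default elsewhere substitutes an empty string first. Pass an empty string in that case, `"f", options.ssh_filter != NULL ? options.ssh_filter : "",`. The `user` argument is also substituted verbatim, so a login name containing LDAP filter metacharacters changes the structure of the query; escaping it per RFC 4515 before expansion (or rejecting such names) keeps the filter's shape fixed to what the administrator configured. The body of process_user continues outside the hunk, so whether the xstrdup'd result of percent_expand() is freed on every path is not visible here.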
@@ -1162,7 +1179,7 @@ new file mode 100644
 index 0000000..b49cae6
 --- /dev/null
 +++ b/ldapconf.c
-@@ -0,0 +1,721 @@
+@@ -0,0 +1,728 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -1206,7 +1223,7 @@ index 0000000..b49cae6
 + lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
 + lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
 + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
-+ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
++ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
 + lAccountClass, lDeprecated, lUnsupported
 +} OpCodes;
 +
@@ -1259,6 +1276,7 @@ index 0000000..b49cae6
 + { "LogDir", lLogDir },
 + { "Debug", lDebug },
 + { "SSH_Filter", lSSH_Filter },
++ { "search_format", lSearch_Format },
 + { "AccountClass", lAccountClass },
 + { NULL, lBadOption }
 +};
@@ -1583,6 +1601,10 @@ index 0000000..b49cae6
 + xstringptr = &options.ssh_filter;
 + goto parse_xstring;
 +
++ case lSearch_Format:
++ charptr = &options.search_format;
++ goto parse_string;
++
 + case lAccountClass:
 + charptr = &options.account_class;
 + goto parse_string;
@@ -1689,6 +1711,7 @@ index 0000000..b49cae6
 + options.logdir = NULL;
 + options.debug = -1;
 + options.ssh_filter = NULL;
++ options.search_format = NULL;
 + options.account_class = NULL;
 +}
 +
@@ -1881,7 +1904,8 @@ index 0000000..b49cae6
 + dump_cfg_string(lLogDir, options.logdir);
 + dump_cfg_int(lDebug, options.debug);
 + dump_cfg_string(lSSH_Filter, options.ssh_filter);
-+ dump_cfg_string(lAccountClass, options.logdir);
++ dump_cfg_string(lSearch_Format, options.search_format);
++ dump_cfg_string(lAccountClass, options.account_class);
 +}
 +
 diff --git a/ldapconf.h b/ldapconf.h
@@ -1889,7 +1913,7 @@ new file mode 100644
 index 0000000..2cb550c
 --- /dev/null
 +++ b/ldapconf.h
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,73 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
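Review bot: The keyword table entry added as `{ "search_format", lSearch_Format },` breaks the capitalisation used by every neighbouring entry (`"LogDir"`, `"SSH_Filter"`, `"AccountClass"`), and the HOWTO hunk of this same commit tells users to write `Search_Format`; if the table lookup is case-sensitive the documented spelling is never recognised, and even if it is case-insensitive the mismatch is confusing. Registering it as `{ "Search_Format", lSearch_Format },` aligns the table with the HOWTO, and the ldap.conf example and man page entry should then use the same spelling. The keywords table begins before this hunk, so the lookup routine's comparison is not visible here.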
@@ -1951,6 +1975,7 @@ index 0000000..2cb550c
 + char *logdir;
 + int debug;
 + char *ssh_filter;
++ char *search_format;
 + char *account_class;
 +} Options;
 +
@@ -2291,7 +2316,7 @@ new file mode 100644
 index 0000000..f7081b8
 --- /dev/null
 +++ b/ssh-ldap.conf.5
-@@ -0,0 +1,379 @@
+@@ -0,0 +1,385 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
@@ -2650,11 +2675,17 @@ index 0000000..f7081b8
 +Specifies the debug level used for logging by the LDAP client library.
 +There is no default.
 +.It Cm SSH_Filter
-+Specifies the user filter applied on the LDAP serch.
++Specifies the user filter applied on the LDAP search.
 +The default is no filter.
 +.It Cm AccountClass
 +Specifies the LDAP class used to find user accounts.
 +The default is posixAccount.
++.It Cm search_format
++Specifies the user format of search string in LDAP substituting %u for user name
++and %f for additional ssh filter
++.Cm SSH_Filter
++(optional).
++The default value is (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
 +.El
 +.Sh FILES
 +.Bl -tag -width Ds