Ability to specify an arbitrary LDAP filter in ldap.conf for ssh-ldap-helper

This commit is contained in:
Jakub Jelen 2015-03-10 09:10:39 +01:00
parent 68fa4fb961
commit 3bc8b8b1ac


@ -3,7 +3,7 @@ new file mode 100644
index 0000000..dd5f5cc index 0000000..dd5f5cc
--- /dev/null --- /dev/null
+++ b/HOWTO.ldap-keys +++ b/HOWTO.ldap-keys
@@ -0,0 +1,108 @@ @@ -0,0 +1,119 @@
+ +
+HOW TO START +HOW TO START
+ +
@ -66,6 +66,17 @@ index 0000000..dd5f5cc
+ * ssh-ldap-helper -d -d -d -d -s <username> + * ssh-ldap-helper -d -d -d -d -s <username>
+3) use tcpdump ... other ldap client etc. +3) use tcpdump ... other ldap client etc.
+ +
+HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
+
+You can adjust search format string in /etc/ldap.conf using
+ 1) SSH_Filter option to limit results for only specified users
+ (this appends search condition after original query)
+ 2) Search_Format option to define your own search string using expansion
+ characters %u for username, %c for objectclass and %f for above mentioned filter.
+
+Example:
+Search_Format (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
+
+ADVANTAGES +ADVANTAGES
+ +
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only). +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
@ -525,7 +536,7 @@ new file mode 100644
index 0000000..42e38d3 index 0000000..42e38d3
--- /dev/null --- /dev/null
+++ b/ldap.conf +++ b/ldap.conf
@@ -0,0 +1,88 @@ @@ -0,0 +1,95 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+# +#
+# This is the example configuration file for the OpenSSH +# This is the example configuration file for the OpenSSH
@ -614,12 +625,19 @@ index 0000000..42e38d3
+#tls_cert +#tls_cert
+#tls_key +#tls_key
+ +
+# OpenLDAP search_format
+# format used to search for users in LDAP directory using substitution
+# for %u for user name and %f for SSH_Filter option (optional, empty by default)
+#search_format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
+
+#AccountClass posixAccount
+
diff --git a/ldapbody.c b/ldapbody.c diff --git a/ldapbody.c b/ldapbody.c
new file mode 100644 new file mode 100644
index 0000000..3029108 index 0000000..3029108
--- /dev/null --- /dev/null
+++ b/ldapbody.c +++ b/ldapbody.c
@@ -0,0 +1,494 @@ @@ -0,0 +1,493 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved. + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@ -653,8 +671,9 @@ index 0000000..3029108
+#include "ldapbody.h" +#include "ldapbody.h"
+#include <stdio.h> +#include <stdio.h>
+#include <unistd.h> +#include <unistd.h>
+#include "misc.h"
+ +
+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)" +#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
+#define PUBKEYATTR "sshPublicKey" +#define PUBKEYATTR "sshPublicKey"
+#define LDAP_LOGFILE "%s/ldap.%d" +#define LDAP_LOGFILE "%s/ldap.%d"
+ +
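Review bot: The rewritten LDAPSEARCH_FORMAT now carries percent_expand() tokens (%c, %u, %f) instead of printf conversions, but nothing at the macro says which token stands for what, and the ldap.conf comment and ssh-ldap.conf.5 text added in this same commit document only %u and %f. I would put above the #define: `/* Default search filter, expanded by percent_expand(): %c = AccountClass, %u = user name, %f = SSH_Filter (may be empty), %% = a literal '%'. */`. If this is OpenSSH's percent_expand() from misc.c (the newly included header suggests so), a token it does not know, including a bare `%` an admin meant literally, terminates the helper through fatal(), so the `%%` rule belongs in the man page as well. The macro is only the default; an admin's search_format replaces it wholesale, so this token table is the contract worth documenting.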
@ -1041,8 +1060,8 @@ index 0000000..3029108
+process_user (const char *user, FILE *output) +process_user (const char *user, FILE *output)
+{ +{
+ LDAPMessage *res, *e; + LDAPMessage *res, *e;
+ char *buffer; + char *buffer, *format;
+ int bufflen, rc, i; + int rc, i;
+ struct timeval timeout; + struct timeval timeout;
+ +
+ debug ("LDAP process user"); + debug ("LDAP process user");
@ -1055,12 +1074,10 @@ index 0000000..3029108
+ } + }
+ +
+ /* build filter for LDAP request */ + /* build filter for LDAP request */
+ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user); + format = LDAPSEARCH_FORMAT;
+ if (options.ssh_filter != NULL) + if (options.search_format != NULL)
+ bufflen += strlen (options.ssh_filter); + format = options.search_format;
+ buffer = xmalloc (bufflen); + buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
+ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
+ buffer[bufflen - 1] = 0;
+ +
+ debug3 ("LDAP search scope = %d %s", options.scope, buffer); + debug3 ("LDAP search scope = %d %s", options.scope, buffer);
+ +
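Review bot: The user name is substituted into the filter as the "u" replacement without RFC 4515 escaping, so a name containing `*`, `(`, `)` or `\` changes the filter's meaning instead of matching a uid; the removed snprintf path had the same gap and percent_expand() does not close it, since it only expands the format string, never the replacement values. Escape the assertion value before substitution (a small helper as below, or libldap's ldap_bv2escaped_filter_value() if the library in use provides it) and leave %f alone, because SSH_Filter is admin-supplied filter syntax; `escaped_user` needs declaring next to `buffer` and `format` in the earlier hunk. Separately, options.ssh_filter is initialised to NULL in this commit and OpenSSH's percent_expand() fatal()s on a NULL replacement, so unless fill_default_options() (outside this view) turns it into "" first, the dropped ssh_filter != NULL guard should return as `options.ssh_filter != NULL ? options.ssh_filter : ""`. process_user() continues past the hunk, so where buffer is released is not visible here.
```c
/* RFC 4515 escaping of one filter assertion value; result is xmalloc'd, caller frees. */
static char *
ldap_filter_escape(const char *s)
{
	static const char hex[] = "0123456789abcdef";
	char *out = xmalloc(strlen(s) * 3 + 1), *p = out;

	for (; *s != '\0'; s++) {
		unsigned char c = (unsigned char)*s;
		if (c == '*' || c == '(' || c == ')' || c == '\\') {
			*p++ = '\\';
			*p++ = hex[c >> 4];
			*p++ = hex[c & 0x0f];
		} else
			*p++ = (char)c;
	}
	*p = '\0';
	return out;
}

/* … unchanged: rest of file up to the filter construction in process_user() … */

	/* build filter for LDAP request */
	format = LDAPSEARCH_FORMAT;
	if (options.search_format != NULL)
		format = options.search_format;
	escaped_user = ldap_filter_escape(user);
	buffer = percent_expand(format, "c", options.account_class, "u", escaped_user,
	    "f", options.ssh_filter != NULL ? options.ssh_filter : "", (char *)NULL);
	free(escaped_user);
```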
@ -1162,7 +1179,7 @@ new file mode 100644
index 0000000..b49cae6 index 0000000..b49cae6
--- /dev/null --- /dev/null
+++ b/ldapconf.c +++ b/ldapconf.c
@@ -0,0 +1,721 @@ @@ -0,0 +1,728 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved. + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@ -1206,7 +1223,7 @@ index 0000000..b49cae6
+ lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals, + lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
+ lRestart, lTLS_CheckPeer, lTLS_CaCertFile, + lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
+ lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key, + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
+ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, + lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
+ lAccountClass, lDeprecated, lUnsupported + lAccountClass, lDeprecated, lUnsupported
+} OpCodes; +} OpCodes;
+ +
@ -1259,6 +1276,7 @@ index 0000000..b49cae6
+ { "LogDir", lLogDir }, + { "LogDir", lLogDir },
+ { "Debug", lDebug }, + { "Debug", lDebug },
+ { "SSH_Filter", lSSH_Filter }, + { "SSH_Filter", lSSH_Filter },
+ { "search_format", lSearch_Format },
+ { "AccountClass", lAccountClass }, + { "AccountClass", lAccountClass },
+ { NULL, lBadOption } + { NULL, lBadOption }
+}; +};
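Review bot: The new keyword is registered as `search_format` while every neighbour in this table is CamelCase (`SSH_Filter`, `AccountClass`), and the HOWTO hunk of this same commit spells it `Search_Format` whereas ldap.conf and ssh-ldap.conf.5 say `search_format`. If the keyword lookup compares case-sensitively (the parser is outside this hunk) the HOWTO example is simply not recognised; either way one spelling should be chosen, e.g. `{ "Search_Format", lSearch_Format },` with the three documents aligned to it.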
@ -1583,6 +1601,10 @@ index 0000000..b49cae6
+ xstringptr = &options.ssh_filter; + xstringptr = &options.ssh_filter;
+ goto parse_xstring; + goto parse_xstring;
+ +
+ case lSearch_Format:
+ charptr = &options.search_format;
+ goto parse_string;
+
+ case lAccountClass: + case lAccountClass:
+ charptr = &options.account_class; + charptr = &options.account_class;
+ goto parse_string; + goto parse_string;
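Review bot: `lSearch_Format` jumps to `parse_string`, whereas `lSSH_Filter` directly above it, the other option holding LDAP filter text, uses `parse_xstring`. If parse_string consumes a single whitespace-delimited token (the parse labels are outside this hunk), a search_format whose assertion values contain spaces, which RFC 4515 permits, is cut at the first blank and the remainder presumably rejected as a trailing argument; the built-in default contains no spaces, so this only surfaces with custom filters. Unless that restriction is intended, the consistent choice is `xstringptr = &options.search_format;` followed by `goto parse_xstring;`, assuming xstringptr has the same pointer type as charptr, as its use for ssh_filter suggests.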
@ -1689,6 +1711,7 @@ index 0000000..b49cae6
+ options.logdir = NULL; + options.logdir = NULL;
+ options.debug = -1; + options.debug = -1;
+ options.ssh_filter = NULL; + options.ssh_filter = NULL;
+ options.search_format = NULL;
+ options.account_class = NULL; + options.account_class = NULL;
+} +}
+ +
@ -1881,7 +1904,8 @@ index 0000000..b49cae6
+ dump_cfg_string(lLogDir, options.logdir); + dump_cfg_string(lLogDir, options.logdir);
+ dump_cfg_int(lDebug, options.debug); + dump_cfg_int(lDebug, options.debug);
+ dump_cfg_string(lSSH_Filter, options.ssh_filter); + dump_cfg_string(lSSH_Filter, options.ssh_filter);
+ dump_cfg_string(lAccountClass, options.logdir); + dump_cfg_string(lSearch_Format, options.search_format);
+ dump_cfg_string(lAccountClass, options.account_class);
+} +}
+ +
diff --git a/ldapconf.h b/ldapconf.h diff --git a/ldapconf.h b/ldapconf.h
@ -1889,7 +1913,7 @@ new file mode 100644
index 0000000..2cb550c index 0000000..2cb550c
--- /dev/null --- /dev/null
+++ b/ldapconf.h +++ b/ldapconf.h
@@ -0,0 +1,72 @@ @@ -0,0 +1,73 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved. + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@ -1951,6 +1975,7 @@ index 0000000..2cb550c
+ char *logdir; + char *logdir;
+ int debug; + int debug;
+ char *ssh_filter; + char *ssh_filter;
+ char *search_format;
+ char *account_class; + char *account_class;
+} Options; +} Options;
+ +
@ -2291,7 +2316,7 @@ new file mode 100644
index 0000000..f7081b8 index 0000000..f7081b8
--- /dev/null --- /dev/null
+++ b/ssh-ldap.conf.5 +++ b/ssh-ldap.conf.5
@@ -0,0 +1,379 @@ @@ -0,0 +1,385 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved. +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
@ -2650,11 +2675,17 @@ index 0000000..f7081b8
+Specifies the debug level used for logging by the LDAP client library. +Specifies the debug level used for logging by the LDAP client library.
+There is no default. +There is no default.
+.It Cm SSH_Filter +.It Cm SSH_Filter
+Specifies the user filter applied on the LDAP serch. +Specifies the user filter applied on the LDAP search.
+The default is no filter. +The default is no filter.
+.It Cm AccountClass +.It Cm AccountClass
+Specifies the LDAP class used to find user accounts. +Specifies the LDAP class used to find user accounts.
+The default is posixAccount. +The default is posixAccount.
+.It Cm search_format
+Specifies the user format of search string in LDAP substituting %u for user name
+and %f for additional ssh filter
+.Cm SSH_Filter
+(optional).
+The default value is (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
+.El +.El
+.Sh FILES +.Sh FILES
+.Bl -tag -width Ds +.Bl -tag -width Ds