SOURCES: openssh-lpk-4.3p1-0.3.7.patch (NEW) - d9eacb819a73daddb3d...

shadzik shadzik at pld-linux.org
Mon Jun 12 11:11:33 CEST 2006


Author: shadzik                      Date: Mon Jun 12 09:11:33 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- d9eacb819a73daddb3d21ca7aa8e5c25  openssh-lpk-4.3p1-0.3.7.patch

---- Files affected:
SOURCES:
   openssh-lpk-4.3p1-0.3.7.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/openssh-lpk-4.3p1-0.3.7.patch
diff -u /dev/null SOURCES/openssh-lpk-4.3p1-0.3.7.patch:1.1
--- /dev/null	Mon Jun 12 11:11:33 2006
+++ SOURCES/openssh-lpk-4.3p1-0.3.7.patch	Mon Jun 12 11:11:28 2006
@@ -0,0 +1,1825 @@
+diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/Makefile.in openssh-4.3p1-lpk/Makefile.in
+--- openssh-4.3p1/Makefile.in	2006-01-01 09:47:05.000000000 +0100
++++ openssh-4.3p1-lpk/Makefile.in	2006-04-18 15:46:59.000000000 +0200
+@@ -86,7 +86,7 @@
+ 	auth-krb5.o \
+ 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+-	audit.o audit-bsm.o
++	audit.o audit-bsm.o ldapauth.o
+ 
+ MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
+ MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
+diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/README.lpk openssh-4.3p1-lpk/README.lpk
+--- openssh-4.3p1/README.lpk	1970-01-01 01:00:00.000000000 +0100
++++ openssh-4.3p1-lpk/README.lpk	2006-04-18 15:46:59.000000000 +0200
+@@ -0,0 +1,265 @@
++OpenSSH LDAP PUBLIC KEY PATCH 
++Copyright (c) 2003 Eric AUGE (eau at phear.org)
++All rights reserved.
++
++Redistribution and use in source and binary forms, with or without
++modification, are permitted provided that the following conditions
++are met:
++1. Redistributions of source code must retain the above copyright
++   notice, this list of conditions and the following disclaimer.
++2. Redistributions in binary form must reproduce the above copyright
++   notice, this list of conditions and the following disclaimer in the
++   documentation and/or other materials provided with the distribution.
++3. The name of the author may not be used to endorse or promote products
++   derived from this software without specific prior written permission.
++
++THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++purposes of this patch:
++
++This patch would help to have authentication centralization policy
++using ssh public key authentication.
++This patch could be an alternative to other "secure" authentication system
++working in a similar way (Kerberos, SecurID, etc...), except the fact 
++that it's based on OpenSSH and its public key abilities.
++
++>> FYI: <<
++'uid': means unix accounts existing on the current server
++'lpkServerGroup:' mean server group configured on the current server ('lpkServerGroup' in sshd_config)
++
++example schema:
++
++
++                                  server1 (uid: eau,rival,toto) (lpkServerGroup: unix)
++                ___________      /
++               /           \ --- - server3 (uid: eau, titi) (lpkServerGroup: unix)
++              | LDAP Server |    \
++	      | eau  ,rival |     server2 (uid: rival, eau) (lpkServerGroup: unix)
++	      | titi ,toto  |
++	      | userx,....  |         server5 (uid: eau)  (lpkServerGroup: mail)
++               \___________/ \       /
++	                       ----- - server4 (uid: eau, rival)  (no group configured)
++			             \
++				        etc...
++
++- WHAT WE NEED :
++
++  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
++  * patched sshd (with this patch ;)
++  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
++        User entry:
++	- attached to the 'ldapPublicKey' objectclass
++	- attached to the 'posixAccount' objectclass
++	- with a filled 'sshPublicKey' attribute 
++	Example:
++		dn: uid=eau,ou=users,dc=cuckoos,dc=net
++		objectclass: top
++		objectclass: person
++		objectclass: organizationalPerson
++		objectclass: posixAccount
++		objectclass: ldapPublicKey
++		description: Eric AUGE Account
++		userPassword: blah
++		cn: Eric AUGE
++		sn: Eric AUGE
++		uid: eau
++		uidNumber: 1034
++		gidNumber: 1
++		homeDirectory: /export/home/eau
++		sshPublicKey: ssh-dss AAAAB3...
++		sshPublicKey: ssh-dss AAAAM5...
++
++	Group entry:
++	- attached to the 'posixGroup' objectclass
++	- with a 'cn' groupname attribute
++	- with multiple 'memberUid' attributes filled with usernames allowed in this group
++	Example:
++		# few members
++		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
++		objectclass: top
++		objectclass: posixGroup
++		description: Unix based servers group
++		cn: unix
++		gidNumber: 1002
++		memberUid: eau
++		memberUid: user1
++		memberUid: user2
++
++
++- HOW IT WORKS :
++
++  * without patch
++  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
++  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
++
++  * with the patch
++  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
++  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
++  (usually in $HOME/.ssh/authorized_keys)
++
++  If groups are enabled, it will also check if the user that wants to login is in the group of the server he is trying to log into.
++  If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized_keys), etc.. and finally to standard password authentication (if enabled).
++
++  7 tokens are added to sshd_config :
++  # here is the new patched ldap related tokens
++  # entries in your LDAP must be posixAccount & strongAuthenticationUser & posixGroup
++  UseLPK yes								# look the pub key into LDAP
++  LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3	# which LDAP server for users ? (URL format)
++  LpkUserDN  ou=users,dc=foobar,dc=net					# which base DN for users ?
++  LpkGroupDN ou=groups,dc=foobar,dc=net					# which base DN for groups ? 
++  LpkBindDN cn=manager,dc=foobar,dc=net					# which bind DN ?
++  LpkBindPw asecret							# bind DN credidentials
++  LpkServerGroup agroupname						# the group the server is part of
++
++  Right now i'm using anonymous binding to get public keys, because getting public keys of someone doesn't impersonate him¸ but there is some
++  flaws you have to take care of.
++
++- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
++
++  * my way (there is plenty :)
++  - create ldif file (i.e. users.ldif)
++  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
++  - my way in 4 steps :
++  Example:
++
++  # you add this to the user entry in the LDIF file :
++  [...]
++  objectclass: posixAccount
++  objectclass: ldapPublicKey
++  [...]
++  sshPubliKey: ssh-dss AAAABDh12DDUR2...
++  [...]
++
++  # insert your entry and you're done :)
++  ldapadd -D balblabla -w bleh < file.ldif 
++  
++  all standard options can be present in the 'sshPublicKey' attribute.
++
++- WHY :
++
++  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
++  as authentication method (like pam_ldap etc..).  
++  
++  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
++  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
++  objectclass within LDAP and part of the group the SSH server is in). 
++
++  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
++  so each user can change it as much as he wants). 
++
++  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
++
++- RULES :  
++  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
++  and the additionnal lpk.schema.
++
++  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
++  (pamldap, nss_ldap, etc..).
++
++  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
++  
++  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
++  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
++  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
++  to log in 'server5' (i hope you got the idea, my english is bad :).
++
++  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
++  server.
++  When you want to allow a new user to have access to the server parc, you just add him an account on 
++  your servers, you add his public key into his entry on the LDAP server, it's done. 
++
++  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
++
++  When the user needs to change his passphrase he can do it directly from his workstation by changing 
++  his own key set lock passphrase, and all servers are automatically aware.
++ 
++  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
++  so he can add/modify/delete himself his public key when needed.
++
++­ FLAWS :
++  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
++  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
++  of your users in all your server farm be VERY CAREFUL.
++  
++  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
++  as the impersonnated user.
++
++  If LDAP server is down then, fallback on passwd auth.
++  
++  the ldap code part has not been well audited yet.
++
++- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
++    --- CUT HERE ---
++    dn: uid=jdoe,ou=users,dc=foobar,dc=net
++    objectclass: top
++    objectclass: person
++    objectclass: organizationalPerson
++    objectclass: posixAccount
++    objectclass: ldapPublicKey
++    description: My account
++    cn: John Doe
++    sn: John Doe
++    uid: jdoe
++    uidNumber: 100
++    gidNumber: 100
++    homeDirectory: /home/jdoe
++    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
++    [...]
++    --- CUT HERE ---
++
++- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
++    --- CUT HERE ---
++    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
++    objectclass: top
++    objectclass: posixGroup
++    description: Unix based servers group
++    cn: unix
++    gidNumber: 1002
++    memberUid: jdoe
++    memberUid: user1
++    memberUid: user2
++    [...]
++    --- CUT HERE ---
++
++>> FYI: << 
++Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
++
++- COMPILING:
++  1. Apply the patch
++  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
++  3. make
++  4. it's done.
++
++- BLA :
++  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
++  
++- TODO :
++  Redesign differently.
++
++- DOCS/LINK :
++  http://pacsec.jp/core05/psj05-barisani-en.pdf
++  http://fritz.potsdam.edu/projects/openssh-lpk/
++  http://fritz.potsdam.edu/projects/sshgate/
++  http://www.opendarwin.org/projects/openssh-lpk/files/examples/lpk-usrdoc.txt
++  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
++
++- CONTRIBUTORS/IDEAS/GREETS :
++  - Falk Siemonsmeier -> 3.7 patch port candidate
++  - Jacob Rief -> ideas (group && cleanups)
++  - Michael.Durchgraf at dregis.com -> Bugfixes thanks ;)
++  - frederic.peters at free.fr -> X509 keys LDAP patch (old)
++  - oink -> bugfixes
++  - finlay dobbie -> new fresh start with this guy :)
++
++- CONTACT :
++  - Eric AUGE <eau at phear.org>, <eau at opendarwin.org>
++  - Andrea Barisani <lcars at opendarwin.org>
+diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/auth-rsa.c openssh-4.3p1-lpk/auth-rsa.c
+--- openssh-4.3p1/auth-rsa.c	2005-06-17 04:59:35.000000000 +0200
++++ openssh-4.3p1-lpk/auth-rsa.c	2006-04-18 15:46:59.000000000 +0200
+@@ -160,10 +160,96 @@
+ 	u_long linenum = 0;
+ 	struct stat st;
+ 	Key *key;
++#ifdef WITH_LDAP_PUBKEY
++	ldap_key_t * k;
++	unsigned int i = 0;
++#endif
+ 
+ 	/* Temporarily use the user's uid. */
+ 	temporarily_use_uid(pw);
+ 
++#ifdef WITH_LDAP_PUBKEY
++	/* here is the job */
++	key = key_new(KEY_RSA1);
++
++	if (options.lpk.on) {
++	    debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
++	    if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {
++		if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
++		    for (i = 0 ; i < k->num ; i++) {
++			char *cp, *options = NULL;
++
++			for (cp = k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
++			    ;
++			if (!*cp || *cp == '\n' || *cp == '#')
++			    continue;
++
++			/*
++			* Check if there are options for this key, and if so,
++			* save their starting address and skip the option part
++			* for now.  If there are no options, set the starting
++			* address to NULL.
++			 */
++			if (*cp < '0' || *cp > '9') {
++			    int quoted = 0;
++			    options = cp;
++			    for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
++				if (*cp == '\\' && cp[1] == '"')
++				    cp++;	/* Skip both */
++				else if (*cp == '"')
++				    quoted = !quoted;
++			    }
++			} else
++			    options = NULL;
++
++			/* Parse the key from the line. */
++			if (hostfile_read_key(&cp, &bits, key) == 0) {
++			    debug("[LDAP] line %d: non ssh1 key syntax", i);
++			    continue;
++			}
++			/* cp now points to the comment part. */
++
++			/* Check if the we have found the desired key (identified by its modulus). */
++			if (BN_cmp(key->rsa->n, client_n) != 0)
++			    continue;
++
++			/* check the real bits  */
++			if (bits != (unsigned int)BN_num_bits(key->rsa->n))
++			    logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "
++				    "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits);
++
++			/* We have found the desired key. */
++			/*
++			* If our options do not allow this key to be used,
++			* do not send challenge.
++			 */
++			if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i))
++			    continue;
++
++			/* break out, this key is allowed */
++			allowed = 1;
++
++			/* add the return stuff etc... */
++			/* Restore the privileged uid. */
++			restore_uid();
++
++			/* return key if allowed */
++			if (allowed && rkey != NULL)
++			    *rkey = key;
++			else
++			    key_free(key);
++
++			ldap_keys_free(k);
++			return (allowed);
++		    }
++		} else {
++		    logit("[LDAP] no keys found for '%s'!", pw->pw_name);
++		}
++	    } else {
++		logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
++	    }
++	}
++#endif
+ 	/* The authorized keys. */
+ 	file = authorized_keys_file(pw);
+ 	debug("trying public RSA key file %s", file);
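Review bot: The LDAP result `k` is released only on the success path: when the `for` loop over `k->num` finishes without a matching key, control leaves the `if ((k = ldap_getuserkey(...)) != NULL)` branch and falls through to the authorized_keys lookup without calling `ldap_keys_free(k)`. Adding `ldap_keys_free(k);` directly after the loop's closing brace would release it on the no-match path as well. The `key` obtained from `key_new(KEY_RSA1)` at the top of the block is allocated even when `options.lpk.on` is off and is not freed on any fall-through path; whether the code after the hunk overwrites it cannot be seen here, because the function starts and ends outside the hunk. The auth2-pubkey.c hunk at `@@ -176,10 +180,79 @@` shows the same two patterns with `k` and `found`.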
+diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/auth2-pubkey.c openssh-4.3p1-lpk/auth2-pubkey.c
+--- openssh-4.3p1/auth2-pubkey.c	2004-12-11 03:39:50.000000000 +0100
++++ openssh-4.3p1-lpk/auth2-pubkey.c	2006-04-18 15:46:59.000000000 +0200
+@@ -43,6 +43,10 @@
+ #include "monitor_wrap.h"
+ #include "misc.h"
+ 
++#ifdef WITH_LDAP_PUBKEY
++#include "ldapauth.h"
++#endif
++
+ /* import */
+ extern ServerOptions options;
+ extern u_char *session_id2;
+@@ -176,10 +180,79 @@
+ 	struct stat st;
+ 	Key *found;
+ 	char *fp;
++#ifdef WITH_LDAP_PUBKEY
++	ldap_key_t * k;
++	unsigned int i = 0;
++#endif
+ 
+ 	/* Temporarily use the user's uid. */
+ 	temporarily_use_uid(pw);
+ 
++#ifdef WITH_LDAP_PUBKEY
++ 	found_key = 0;
++ 	/* allocate a new key type */
++ 	found = key_new(key->type);
++ 
++ 	/* first check if the options is enabled, then try.. */
++	if (options.lpk.on) {
++	    debug("[LDAP] trying LDAP first uid=%s",pw->pw_name);
++	    if (ldap_ismember(&options.lpk, pw->pw_name) > 0) {
++		if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
++		    /* Skip leading whitespace, empty and comment lines. */
++		    for (i = 0 ; i < k->num ; i++) {
++			/* dont forget if multiple keys to reset options */
++			char *cp, *options = NULL;
++
++			for (cp = (char *)k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
++			    ;
++			if (!*cp || *cp == '\n' || *cp == '#')
++			    continue;
++
++			if (key_read(found, &cp) != 1) {
++			    /* no key?  check if there are options for this key */
++			    int quoted = 0;
++			    debug2("[LDAP] user_key_allowed: check options: '%s'", cp);
++			    options = cp;
++			    for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
++				if (*cp == '\\' && cp[1] == '"')
++				    cp++;	/* Skip both */
++				else if (*cp == '"')
++				    quoted = !quoted;
++			    }
++			    /* Skip remaining whitespace. */
++			    for (; *cp == ' ' || *cp == '\t'; cp++)
++				;
++			    if (key_read(found, &cp) != 1) {
++				debug2("[LDAP] user_key_allowed: advance: '%s'", cp);
++				/* still no key?  advance to next line*/
++				continue;
++			    }
++			}
++
++			if (key_equal(found, key) &&
++				auth_parse_options(pw, options, file, linenum) == 1) {
++			    found_key = 1;
++			    debug("[LDAP] matching key found");
++			    fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
++			    verbose("[LDAP] Found matching %s key: %s", key_type(found), fp);
++
++			    /* restoring memory */
++			    ldap_keys_free(k);
++			    xfree(fp);
++			    restore_uid();
++			    key_free(found);
++			    return found_key;
++			    break;
++			}
++		    }/* end of LDAP for() */
++		} else {
++		    logit("[LDAP] no keys found for '%s'!", pw->pw_name);
++		}
++	    } else {
++		logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
++	    }
++	}
++#endif
+ 	debug("trying public key file %s", file);
+ 
+ 	/* Fail quietly if file does not exist */
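Review bot: The call `auth_parse_options(pw, options, file, linenum)` tags option-parsing diagnostics for LDAP-supplied keys with the authorized_keys file name and its line counter, so a rejected or malformed option on an LDAP key would be logged as if it came from the local file. The auth-rsa.c hunk passes `"[LDAP]"` and the key index instead; using `auth_parse_options(pw, options, "[LDAP]", (unsigned long)i) == 1` here would keep audit logs attributable to the right key source. `file` and `linenum` are declared outside the hunk, so their values at this point are inferred rather than visible. It would also help to put a comment above the two `logit` branches, for example `/* an LDAP miss is not a denial: the local authorized_keys file is still consulted below */`, since removing a user from the server group or deleting the LDAP key does not by itself block a key that remains in the local file.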
+diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/config.h.in openssh-4.3p1-lpk/config.h.in
+--- openssh-4.3p1/config.h.in	2006-02-01 12:33:49.000000000 +0100
++++ openssh-4.3p1-lpk/config.h.in	2006-04-18 15:46:59.000000000 +0200
+@@ -476,6 +476,9 @@
+ /* Define to 1 if you have the <linux/if_tun.h> header file. */
+ #undef HAVE_LINUX_IF_TUN_H
+ 
++/* Define if you want LDAP support */
++#undef WITH_LDAP_PUBKEY
++
+ /* Define if your libraries define login() */
+ #undef HAVE_LOGIN
+ 
+diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/configure openssh-4.3p1-lpk/configure
+--- openssh-4.3p1/configure	2006-02-01 12:33:51.000000000 +0100
++++ openssh-4.3p1-lpk/configure	2006-04-18 15:46:59.000000000 +0200
+@@ -876,6 +876,7 @@
+   --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
+   --with-libedit[=PATH]   Enable libedit support for sftp
+   --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)
++  --with-ldap[=PATH]      Enable LDAP support (optionally in PATH)
+   --with-pam              Enable PAM support
+   --with-ssl-dir=PATH     Specify path to OpenSSL installation
+   --with-rand-helper      Use subprocess to gather strong randomness
+@@ -11242,6 +11243,88 @@
+ 
+ fi;
+ 
++# Check whether user wants LDAP support
++LDAP_MSG="no"
++
++# Check whether --with-ldap or --without-ldap was given.
++if test "${with_ldap+set}" = set; then
++  withval="$with_ldap"
++
++		if test "x$withval" != "xno" ; then
++
++			if test "x$withval" != "xyes" ; then
++				CPPFLAGS="$CPPFLAGS -I${withval}/include"
++				LDFLAGS="$LDFLAGS -L${withval}/lib"
++			fi
++
++			cat >>confdefs.h <<\_ACEOF
++#define WITH_LDAP_PUBKEY 1
++_ACEOF
++
++			LIBS="-lldap $LIBS"
++			LDAP_MSG="yes"
++
++			echo "$as_me:$LINENO: checking for LDAP support" >&5
++echo $ECHO_N "checking for LDAP support... $ECHO_C" >&6
++			cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++#include <sys/types.h>
++				 #include <ldap.h>
++int
++main ()
++{
++(void)ldap_init(0, 0);
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
++  (eval $ac_compile) 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } &&
++	 { ac_try='test -z "$ac_c_werror_flag"
++			 || test ! -s conftest.err'
++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; } &&
++	 { ac_try='test -s conftest.$ac_objext'
++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; }; then
++  echo "$as_me:$LINENO: result: yes" >&5
++echo "${ECHO_T}yes" >&6
++else
++  echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++				    echo "$as_me:$LINENO: result: no" >&5
++echo "${ECHO_T}no" >&6
++					{ { echo "$as_me:$LINENO: error: ** Incomplete or missing ldap libraries **" >&5
++echo "$as_me: error: ** Incomplete or missing ldap libraries **" >&2;}
++   { (exit 1); exit 1; }; }
++
++
++fi
++rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
++		fi
++
++
++fi;
++
+ 
+ 
+ 
+@@ -28025,6 +28108,7 @@
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
<<Diff was trimmed, longer than 597 lines>>

