-rw-r--r--usr.bin/ldap/ldap.120
-rw-r--r--usr.bin/ldap/ldapclient.c41
2 files changed, 50 insertions, 11 deletions
diff --git a/usr.bin/ldap/ldap.1 b/usr.bin/ldap/ldap.1
index a24aa5bff9f..ae9d169b569 100644
--- a/usr.bin/ldap/ldap.1
+++ b/usr.bin/ldap/ldap.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ldap.1,v 1.5 2018/06/17 23:12:48 jmc Exp $
+.\" $OpenBSD: ldap.1,v 1.6 2018/06/26 09:47:20 reyk Exp $
.\"
.\" Copyright (c) 2018 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: June 17 2018 $
+.Dd $Mdocdate: June 26 2018 $
.Dt LDAP 1
.Os
.Sh NAME
@@ -31,6 +31,7 @@
.Op Fl l Ar timelimit
.Op Fl s Ar scope
.Op Fl w Ar secret
+.Op Fl y Ar secretfile
.Op Fl z Ar sizelimit
.Op Ar arguments ...
.Sh DESCRIPTION
@@ -82,9 +83,11 @@ The LDAP URL is described in RFC 4516 with the following format:
.Op Ar protocol No ://
.Ar host Op : Ar port
.Oo / basedn
-.Op ? Ar attribute , ...
-.Op ? Ar scope
-.Op ? Ar filter
+.Oo ? Op Ar attribute , ...
+.Oo ? Op Ar scope
+.Op ? Op Ar filter
+.Oc
+.Oc
.Oc
.Sm on
.Pp
@@ -152,6 +155,13 @@ Use simple authentication.
This is the default as
.Nm
does not support SASL authentication.
+.It Fl y Ar secretfile
+Read the bind secret from the first line of the specified file or from
+standard input if the
+.Ar secretfile
+argument is
+.Sq - .
+The file must not be world-readable if it is a regular file.
.It Fl Z
Enable TLS using the StartTLS operation.
.It Fl z Ar sizelimit
diff --git a/usr.bin/ldap/ldapclient.c b/usr.bin/ldap/ldapclient.c
index 4058d3d7242..c203461bc82 100644
--- a/usr.bin/ldap/ldapclient.c
+++ b/usr.bin/ldap/ldapclient.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ldapclient.c,v 1.1 2018/06/13 15:45:58 reyk Exp $ */
+/* $OpenBSD: ldapclient.c,v 1.2 2018/06/26 09:47:20 reyk Exp $ */
/*
* Copyright (c) 2018 Reyk Floeter <reyk@openbsd.org>
@@ -19,6 +19,7 @@
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/socket.h>
+#include <sys/stat.h>
#include <sys/tree.h>
#include <sys/un.h>
@@ -55,6 +56,7 @@
#define LDAPHOST "localhost"
#define LDAPFILTER "(objectClass=*)"
#define LDIF_LINELENGTH 79
+#define LDAPPASSMAX 1024
struct ldapc {
struct aldap *ldap_al;
@@ -95,8 +97,8 @@ usage(void)
fprintf(stderr,
"usage: %s search [-LvxZ] [-b basedn] [-c capath] [-D binddn] [-H host]\n"
-" [-l timelimit] [-s scope] [-w secret|-W] [-z sizelimit]\n"
-" [filter] [attributes ...]\n",
+" [-l timelimit] [-s scope] [-w secret|-W] [-y secretfile]\n"
+" [-z sizelimit] [filter] [attributes ...]\n",
__progname);
exit(1);
@@ -105,12 +107,14 @@ usage(void)
int
main(int argc, char *argv[])
{
- char passbuf[BUFSIZ];
- const char *errstr, *url = NULL;
+ char passbuf[LDAPPASSMAX];
+ const char *errstr, *url = NULL, *secretfile = NULL;
+ struct stat st;
struct ldapc ldap;
struct ldapc_search ls;
int ch;
int verbose = 1;
+ FILE *fp;
if (pledge("stdio inet unix tty rpath dns", NULL) == -1)
err(1, "pledge");
@@ -135,7 +139,7 @@ main(int argc, char *argv[])
argc--;
argv++;
- while ((ch = getopt(argc, argv, "b:c:D:H:Ll:s:vWw:xZz:")) != -1) {
+ while ((ch = getopt(argc, argv, "b:c:D:H:Ll:s:vWw:xy:Zz:")) != -1) {
switch (ch) {
case 'b':
ls.ls_basedn = optarg;
@@ -182,6 +186,10 @@ main(int argc, char *argv[])
case 'x':
/* provided for compatibility */
break;
+ case 'y':
+ secretfile = optarg;
+ ldap.ldap_flags |= F_NEEDAUTH;
+ break;
case 'Z':
ldap.ldap_flags |= F_STARTTLS;
break;
@@ -225,6 +233,27 @@ main(int argc, char *argv[])
log_warnx("missing -D binddn");
usage();
}
+ if (secretfile != NULL) {
+ if (ldap.ldap_secret != NULL)
+ errx(1, "conflicting -w/-y options");
+
+ /* read password from stdin or file (first line) */
+ if (strcmp(secretfile, "-") == 0)
+ fp = stdin;
+ else if (stat(secretfile, &st) == -1)
+ err(1, "failed to access %s", secretfile);
+ else if (S_ISREG(st.st_mode) && (st.st_mode & S_IROTH))
+ errx(1, "%s is world-readable", secretfile);
+ else if ((fp = fopen(secretfile, "r")) == NULL)
+ err(1, "failed to open %s", secretfile);
+ if (fgets(passbuf, sizeof(passbuf), fp) == NULL)
+ err(1, "failed to read %s", secretfile);
+ if (fp != stdin)
+ fclose(fp);
+
+ passbuf[strcspn(passbuf, "\n")] = '\0';
+ ldap.ldap_secret = passbuf;
+ }
if (ldap.ldap_secret == NULL) {
if (readpassphrase("Password: ",
passbuf, sizeof(passbuf), RPP_REQUIRE_TTY) == NULL)
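Review bot: The world-readable check runs `stat(secretfile, &st)` on the path before `fopen()` opens it, so the object whose mode is inspected is not guaranteed to be the object that is then read (a TOCTOU window between the two path lookups); the usual idiom is to open first and then `fstat(fileno(fp), &st)` on the descriptor, which ties the `S_IROTH` rejection to the file actually consumed. Separately, `fgets()` returns NULL on an empty file without setting errno, so `err(1, "failed to read %s", secretfile)` can print a stale or "Undefined error: 0" reason; distinguishing `ferror(fp)` from EOF gives an accurate message. A first line longer than `LDAPPASSMAX - 1` bytes is also silently truncated rather than rejected, which is worth a comment or a check for the trailing newline. The enclosing main() starts and ends outside this hunk.
```c
		/* open first, then check the descriptor we actually read from */
		if (strcmp(secretfile, "-") == 0)
			fp = stdin;
		else if ((fp = fopen(secretfile, "r")) == NULL)
			err(1, "failed to open %s", secretfile);
		else if (fstat(fileno(fp), &st) == -1)
			err(1, "failed to access %s", secretfile);
		else if (S_ISREG(st.st_mode) && (st.st_mode & S_IROTH))
			errx(1, "%s is world-readable", secretfile);
		if (fgets(passbuf, sizeof(passbuf), fp) == NULL) {
			if (ferror(fp))
				err(1, "failed to read %s", secretfile);
			errx(1, "%s is empty", secretfile);
		}
		/* … unchanged: fclose, newline strip, ldap_secret assignment … */
```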