Verified Commit 60b91871 authored by Korynkai's avatar Korynkai

Initial commit. Version 1.0.0.

Change Log
==========
Key
---
* = Info
~ = Change
- = Removal
+ = Addition
02NOV17 1.0.0 Matthew J. Schultz <matt@qmxtech.com>
===================================================
* Initial release.
################################################################################################################################################################
# CMakeLists.txt
# Robert M. Baker | Created : 31OCT17 | Last Modified : 28NOV17 by Matthew J. Schultz
# Version : 0.0.1
# This is a CMake script for building 'LSSHKeys'.
################################################################################################################################################################
# Copyright (C) 2017 QuantuMatriX Software, a QuantuMatriX Technologies Cooperative Partnership
#
# This file is part of 'LSSHKeys'.
#
# 'LSSHKeys' is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option) any later version.
#
# 'LSSHKeys' is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along with 'LSSHKeys'. If not, see <http://www.gnu.org/licenses/>.
################################################################################################################################################################
# TODO (Malachy - Priority 50): Complete and test for Apple macOS platform.
################################################################################################################################################################
# Environment Check
################################################################################################################################################################
# General
cmake_minimum_required( VERSION 3.9.3 )
if( NOT "${CMAKE_BINARY_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}/build" )
message( FATAL_ERROR "You must build the project from '${CMAKE_SOURCE_DIR}/build'! See 'README.md' for build instructions." )
endif()
project( PROJECT VERSION 1.0.0 LANGUAGES C CXX )
# Project-Specific
if( NOT ${CMAKE_SYSTEM_NAME} STREQUAL "Windows" )
find_path( LDAP_INCLUDE_DIR ldap.h )
find_library( LDAP_LIBRARIES NAMES ldap )
find_library( LBER_LIBRARIES NAMES lber )
else()
message( FATAL_ERROR "LSSHKeys is not supported on this platform!" )
endif()
if( NOT LDAP_INCLUDE_DIR AND LDAP_LIBRARIES AND LBER_LIBRARIES )
message( FATAL_ERROR "LDAP libraries not found!" )
endif()
################################################################################################################################################################
# Setup
################################################################################################################################################################
# Project Info
set( PROJECT_TARGET "lsshkeys" )
# General
include( CMakePackageConfigHelpers )
set( CMAKE_SKIP_INSTALL_ALL_DEPENDENCY true )
set( COMPILE_FLAGS_DEBUG "-g -Wall -Wno-unknown-warning-option -Wno-maybe-uninitialized -Wno-attributes -D_DEBUG"
CACHE STRING "These are the debug compile flags." )
set( COMPILE_FLAGS_RELWITHDEBINFO "-O2 -g -Wall -Wno-unknown-warning-option -Wno-maybe-uninitialized -Wno-attributes -DNDEBUG"
CACHE STRING "These are the release with debug info compile flags." )
set( COMPILE_FLAGS_RELEASE "-O3 -Wall -Wno-unknown-warning-option -Wno-maybe-uninitialized -Wno-attributes -DNDEBUG"
CACHE STRING "These are the release compile flags." )
set( COMPILE_FLAGS_MINSIZEREL "-Os -Wall -Wno-unknown-warning-option -Wno-maybe-uninitialized -Wno-attributes -DNDEBUG"
CACHE STRING "These are the minimum size release compile flags." )
set( LINK_FLAGS_DEBUG "-z defs"
CACHE STRING "These are the debug link flags." )
set( LINK_FLAGS_RELWITHDEBINFO "-z defs"
CACHE STRING "These are the release with debug info link flags." )
set( LINK_FLAGS_RELEASE "-z defs -s"
CACHE STRING "These are the release link flags." )
set( LINK_FLAGS_MINSIZEREL "-z defs -s"
CACHE STRING "These are the minimum size release link flags." )
set( PROJECT_BIN_PATH "bin"
CACHE STRING "This is the path (appended to 'CMAKE_INSTALL_PREFIX') where the binaries will be installed." )
set( PROJECT_MAN_PATH "share/man"
CACHE STRING "This is the path (appended to 'CMAKE_INSTALL_PREFIX') where the man pages will be installed." )
# Project-Specific
set( CONFIG_FILE "lsshkeys.conf"
CACHE STRING "This is the name of the project's config file." )
set( CONFIG_PATH "/etc"
CACHE STRING "This is the path of the project's config file." )
set( PROGRAM_NAME "LSSHKeys"
CACHE STRING "This is the project's official name." )
set( PROJECT_URL "https://git.qmx-software.com/open-source/lsshkeys"
CACHE STRING "This is the URL of the project's Git repository." )
set( BUG_URL "https://git.qmx-software.com/open-source/lsshkeys/issues"
CACHE STRING "This is the URL of the project's bug tracker." )
set( DEFAULT_LOG_LEVEL "5"
CACHE STRING "This is the default log level for the project." )
set( PROJECT_INCLUDES
"${LDAP_INCLUDE_DIR}" )
set( PROJECT_SOURCES
"src/LSSHKeys.cpp" )
set( PROJECT_LIBRARIES_DEBUG
"${LDAP_LIBRARIES}"
"${LBER_LIBRARIES}" )
set( PROJECT_LIBRARIES_RELEASE ${PROJECT_LIBRARIES_DEBUG} )
# Configure Files
configure_file( "config/Config.hpp.in" "Config.hpp" )
configure_file( "config/conf.in" "${CONFIG_FILE}" )
configure_file( "config/man.5.in" "${CONFIG_FILE}.5" )
configure_file( "config/man.8.in" "${PROJECT_TARGET}.8" )
################################################################################################################################################################
# Targets
################################################################################################################################################################
# Project
add_executable( debug ${PROJECT_SOURCES} )
target_include_directories( debug PRIVATE ${PROJECT_INCLUDES} )
target_link_libraries( debug ${PROJECT_LIBRARIES_DEBUG} )
set_target_properties( debug PROPERTIES
OUTPUT_NAME "${PROJECT_TARGET}_d"
COMPILE_FLAGS ${COMPILE_FLAGS_DEBUG}
LINK_FLAGS ${LINK_FLAGS_DEBUG} )
add_executable( relwithdebinfo ${PROJECT_SOURCES} )
target_include_directories( relwithdebinfo PRIVATE ${PROJECT_INCLUDES} )
target_link_libraries( relwithdebinfo ${PROJECT_LIBRARIES_RELEASE} )
set_target_properties( relwithdebinfo PROPERTIES
EXCLUDE_FROM_ALL true
EXCLUDE_FROM_DEFAULT_BUILD true
OUTPUT_NAME "${PROJECT_TARGET}"
COMPILE_FLAGS ${COMPILE_FLAGS_RELWITHDEBINFO}
LINK_FLAGS ${LINK_FLAGS_RELWITHDEBINFO} )
add_executable( release ${PROJECT_SOURCES} )
target_include_directories( release PRIVATE ${PROJECT_INCLUDES} )
target_link_libraries( release ${PROJECT_LIBRARIES_RELEASE} )
set_target_properties( release PROPERTIES
OUTPUT_NAME "${PROJECT_TARGET}"
COMPILE_FLAGS ${COMPILE_FLAGS_RELEASE}
LINK_FLAGS ${LINK_FLAGS_RELEASE} )
add_executable( minsizerel ${PROJECT_SOURCES} )
target_include_directories( minsizerel PRIVATE ${PROJECT_INCLUDES} )
target_link_libraries( minsizerel ${PROJECT_LIBRARIES_RELEASE} )
set_target_properties( minsizerel PROPERTIES
EXCLUDE_FROM_ALL true
EXCLUDE_FROM_DEFAULT_BUILD true
OUTPUT_NAME "${PROJECT_TARGET}"
COMPILE_FLAGS ${COMPILE_FLAGS_MINSIZEREL}
LINK_FLAGS ${LINK_FLAGS_MINSIZEREL} )
# Installation
install( TARGETS debug RUNTIME DESTINATION "${PROJECT_BIN_PATH}" OPTIONAL )
install( TARGETS release RUNTIME DESTINATION "${PROJECT_BIN_PATH}" OPTIONAL )
install( FILES "build/${CONFIG_FILE}" DESTINATION "${CONFIG_PATH}" )
install( FILES "build/${CONFIG_FILE}.5" DESTINATION "${PROJECT_MAN_PATH}/man5" )
install( FILES "build/${PROJECT_TARGET}.8" DESTINATION "${PROJECT_MAN_PATH}/man8" )
install( CODE "execute_process( COMMAND mandb )" )
# Uninstallation
add_custom_target( uninstall
COMMAND ${CMAKE_COMMAND} -E remove "${CMAKE_INSTALL_PREFIX}/${PROJECT_BIN_PATH}/${PROJECT_TARGET}*"
COMMAND ${CMAKE_COMMAND} -E remove "${CMAKE_INSTALL_PREFIX}/${PROJECT_MAN_PATH}/man5/${PROJECT_TARGET}.5"
COMMAND ${CMAKE_COMMAND} -E remove "${CMAKE_INSTALL_PREFIX}/${PROJECT_MAN_PATH}/man8/${PROJECT_TARGET}.8"
COMMAND "execute_process( COMMAND mandb )"
COMMENT "Uninstalling the project ..." )
################################################################################################################################################################
# End of 'CMakeLists.txt'
################################################################################################################################################################
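Review bot: The dependency check `if( NOT LDAP_INCLUDE_DIR AND LDAP_LIBRARIES AND LBER_LIBRARIES )` is mis-parenthesized: `NOT` binds only to `LDAP_INCLUDE_DIR`, so the "LDAP libraries not found!" error fires only when the header is missing while both libraries were found, and a missing `ldap` or `lber` library passes silently into the link step. It should read `if( NOT LDAP_INCLUDE_DIR OR NOT LDAP_LIBRARIES OR NOT LBER_LIBRARIES )`. In the uninstall target, `COMMAND "execute_process( COMMAND mandb )"` is a custom-target command line, not CMake script as in the `install( CODE ... )` form above it, so it tries to run a program literally named `execute_process( COMMAND mandb )`; `COMMAND mandb` is what is meant, and the `${PROJECT_TARGET}*` wildcard passed to `cmake -E remove` is probably not expanded either, so listing `${PROJECT_TARGET}` and `${PROJECT_TARGET}_d` explicitly would match the install rules. The four `target_link_libraries` calls should also carry a `PRIVATE` keyword rather than the legacy keyword-less signature.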
# Contributing
> This document is on the todo list. For now, contact us at 'support@qmxtech.com' for more information.
# LSSHKeys
## Synopsis
> Fetch SSH Keys from LDAP - V1.0.0
> Copyright (C) 2017 QuantuMatriX Software, a QuantuMatriX Technologies Cooperative Partnership
>
> This utility allows retrievel of SSH keys from an LDAP directory. Please see the man pages for more details, or visit the LSSHKeys website at 'https://git.qmx-software.com/open-source/lsshkeys'.
>
> 'LSSHKeys' is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
## Dependencies
> ### GNU Linux and Apple macOS
>
>> #### Compiler
>> * Clang >= 5.0.0 or GCC >= 7.2.0
>>
>> #### Libraries
>> * LDAP
>>
>> #### Tools
>> * CMake >= 3.9.3
>
> ### Microsoft Windows
>
>> This utility is not supported on a Microsoft Windows platform.
## Requirements
> LSSHKeys requires a working LDAP server and an appropriate attributetype in the LDAP server schema to fetch from the LDAP server (typically 'sshPublicKey') storing the value to output, and an objectclass in the LDAP server schema containing that attribute type.
>
> Typically this attributetype would be defined as follows:
> ```
> ( 1.3.6.1.4.1.24552.500.1.1.1.13
> NAME 'sshPublicKey'
> DESC 'SSH Public Key'
> EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
> ```
> An example schema containing the default attributetype ('sshPublicKey') and an auxiliary objectclass that can be used to add this attributetype to an existing installation ('ssh') is available in the docs directory. The attributetype (+/- objectclass) may be pulled into a custom schema, they may be rewritten or another attributetype may be used; however, additional attributetypes will be required when using this with [nss-pam-ldapd](https://arthurdejong.org/nss-pam-ldapd/). _Please note this schema may not be complete or may conflict with other similar schemas and is provided as an example_.
>
> To install the schema on an OpenLDAP server using slapd.conf:
>
> * Copy 'sshPublicKey.openldap.schema' to the schema directory for your OpenLDAP installation (typically /etc/ldap/schema).
> * Add a new 'include' line to your slapd.conf. It should look something like the following:
> ```
> include /etc/ldap/schema/sshPublicKey.schema
> ```
>
> * Restart slapd and make sure the new attributetype and objectclass are available in the schema.
>
> To install the schema on an OpenLDAP server using olc:
>
> * Import 'sshPublicKey.openldap-olc.ldif' using the `ldapadd` command. This will probably look something like the following:
> ```
> ldapadd -D '<rootdn>' -W -f sshPublicKey.openldap-olc.ldif
> ```
> (where \<rootdn\> is the rootdn as configured in olc, or another user with write access to 'cn=config'; you will be asked for the corresponding password)
>
> * Make sure the new attributetype and objectclass are available in the schema. You may have to restart slapd.
>
>> *__Note:__ One can also import a schema ldif file while slapd is offline using* `slapadd`*; however the schema indexes must be known to use this method and it requires adding the schema indexes being created to the ldif file.*
>
> To install the schema on a 389 Directory server:
>
> * Copy 'sshPublicKey.389.schema' to '/etc/dirsrv/slapd-<instance_name>/schema/<\?\?>sshPublicKey.ldif' (where '<instance_name>' denotes your slapd instance name, and '<\?\?>' denotes the load order key to give to this schema).
>
> * Restart slapd and make sure the new attributetype and objectclass are available in the schema.
>
> To install the schema on an ApacheDS server:
>
> * Import 'sshPublicKey.apacheds.schema' using Apache Directory Studio, convert it to an LDIF and import it into the ApacheDS server. More details can be found in the [ApacheDS documentation](https://directory.apache.org/apacheds/basic-ug/2.3.1-adding-schema-elements.html).
>
> To install the schema on an Oracle Directory server:
>
> * Import 'sshPublicKey.oracle.ldif' using the `ldapmodify` command. More details can be found in the [Oracle Directory Server documentation](https://docs.oracle.com/cd/E20295_01/html/821-1220/bcasv.html).
>
> To install the schema on a Microsoft Active Directory server:
>
> * _Active Directory is currently not supported._
>
> To install the schema on a Micro Focus (Novell) eDirectory server:
>
> * _eDirectory is currently not supported._
## Building
> To build using CMake, use the following steps:
>
> * Navigate to the project's root directory, and create a new directory called 'build'.
> * Enter the 'build' directory and run the following command (replacing '[GENERATOR]' with the name of the desired CMake generator; note that only Clang and GCC-based compilers are currently supported):
>
>> cmake -G "[GENERATOR]" ..
>
> * After the project files are fully generated, build in the usual manner. The following targets are supported:
>
>> * all (default; includes 'debug' and 'release')
>> * debug
>> * relwithdebinfo
>> * release
>> * minsizerel
>> * install (only targets actually built will be installed)
>> * uninstall
## Installing
> To install on any platform, use the 'install' target of the generated project files.
## Configuring
> LSSHKeys requires a mimimum of the 'base' and 'uri' parameters in its configuration file. An example configuration file which provides a description of each configuration parameter is included and will be installed to the compiled-in configuration directory (typically '/etc') as the default configuration file. Descriptions of each configuration parameter are also available in the installed manpage **lsshkeys.conf**(5).
## Running
> LSSHKeys is typically invoked by the SSH server by setting the SSH server to use LSSHKeys as its **AuthorizedKeysCommand** (see the manpage **sshd_config**(5)).
>
> LSSHKeys accepts the following options:
>
> * **--config** _FILE_, **--conf** _FILE_, **-c** _FILE_
> Loads the alternate configuration file _FILE_.
>
> * **--debug**, **--dbg**, **-d**
> Enable debugging mode. LSSHKeys will send verbose debugging messages to stderr. LSSHKeys will otherwise handle connections as usual. This is functionally equivalent to setting **log stdio** and **loglevel debug** in the configuration file. This option is for debugging purposes only.
>
> * **--help**, **--version**, **-h**, **-v**, **-?**
> Display version information and help to stdout, then exit.
>
>> _These options are not case sensitive._
>
> LSSHKeys will only ever output the result attribute value to stdout (except when run with a variant of --help, see above). If a variant of **--debug** is specified, or if **log stderr** is set, LSSHKeys will output those messages to stderr.
>
> LSSHKeys returns **0** (**EXIT\_SUCCESS**) when the operation was a success, and **1** (**EXIT\_FAILURE**) when the operation has failed.
## Uninstalling
> To uninstall on any platform, use the 'uninstall' target of the generated project files.
## Contacts and Support
> * Site: 'https://git.qmx-software.com/open-source/lsshkeys'
> * Forums: 'https://forums.qmx-software.com/lsshkeys' (Currently Unavailable)
> * Bug Tracker: 'https://git.qmx-software.com/open-source/lsshkeys/issues'
> * Email: 'support@qmx-software.com'
Add SASL and Kerberos/GSSAPI support as demand presents itself.
Add support for LDAP references as demand presents itself.
Add support to use DNS:SRV to fetch uri as demand presents itself.
Better internationalization support as demand presents itself.
Add package build scripts to repository (ongoing) (arch, debian, gentoo, nixos, redhat, opkg [openwrt/openembedded], homebrew and macports were brought in; add others including BSD variants) as demand presents itself
Eliminate access() system call if possible (this introduces a setuid-only security hole; this is low priority: binary should never be run with setuid anyway).
\ No newline at end of file
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Config.hpp
// Robert M. Baker | Created : 31OCT17 | Last Modified : 02NOV17 by Matthew J. Schultz
// Version : 2.0.0
// This is the platform-specific configuration header file for 'LSSHKeys'.
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Copyright (C) 2017 QuantuMatriX Software, a QuantuMatriX Technologies Cooperative Partnership
//
// This file is part of 'LSSHKeys'.
//
// 'LSSHKeys' is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option) any later version.
//
// 'LSSHKeys' is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
// A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License along with 'LSSHKeys'. If not, see <http://www.gnu.org/licenses/>.
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
#ifndef __QMX_LSSHKEYS_CONFIG_HPP_
#define __QMX_LSSHKEYS_CONFIG_HPP_
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Control Macros
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
#define LSSHKEYS_VER_MAJOR @PROJECT_VERSION_MAJOR@ull
#define LSSHKEYS_VER_MINOR @PROJECT_VERSION_MINOR@ull
#define LSSHKEYS_VER_PATCH @PROJECT_VERSION_PATCH@ull
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Dynamic Macros
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
#define CONFIG_FILE "@CONFIG_FILE@"
#define CONFIG "@CONFIG_PATH@" "/" CONFIG_FILE
#define NAME "@PROGRAM_NAME@"
#define BINARY "@PROJECT_TARGET@"
#define PROJECT_URL "@PROJECT_URL@"
#define BUG_URL "@BUG_URL@"
#define DEFAULT_LOG_LEVEL @DEFAULT_LOG_LEVEL@
#endif // __QMX_LSSHKEYS_CONFIG_HPP_
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// End of 'Config.hpp'
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
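Review bot: The include guard `__QMX_LSSHKEYS_CONFIG_HPP_` on the `#ifndef`/`#define`/`#endif` lines starts with a double underscore, which C and C++ reserve for the implementation; `QMX_LSSHKEYS_CONFIG_HPP_` avoids that. The dynamic macros `CONFIG_FILE`, `CONFIG`, `NAME`, `BINARY`, `PROJECT_URL` and `BUG_URL` are unprefixed generic names that are easy to collide with in other headers or translation units, whereas the control macros in the same file are already namespaced as `LSSHKEYS_VER_*`; prefixing them `LSSHKEYS_` would be consistent and safer. `DEFAULT_LOG_LEVEL` is substituted unquoted, so it is only valid when the cache entry holds an integer literal — a comment such as `// integer literal, taken from the DEFAULT_LOG_LEVEL cache entry in CMakeLists.txt` would make that contract explicit.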
# This is the configuration file for @PROGRAM_NAME@. See @CONFIG_FILE@(5)
# for more information.
# The strategy used for options in the default @CONFIG_FILE@ shipped with
# @PROGRAM_NAME@ is to give a description for each option and specify
# options with their default value where possible and an example value
# when the default cannot be set manually, but leave them commented.
# Uncommented options override the default value. If a value is
# mandatory, a default example value is given that is left uncommented.
# LOG OPTIONS
# These options control how @PROGRAM_NAME@ logs messages.
# log SCHEME | FILE
#
# This option controls the way logging is done. Either a SCHEME or a FILE
# may be specified.
#
# SCHEME can be specified as one of the following keywords:
# syslog : Log to syslog. This is the default setting.
# stderr : Log to stderr.
#
# FILE must be a path to a logfile If FILE does not exist, FILE will be
# created. If FILE already exists, FILE will be appended to. If
# @PROGRAM_NAME@ is unable to write to FILE or the path to FILE does not
# exist, @PROGRAM_NAME@ will critically error.
#
# file usage example:
# log /var/log/@PROJECT_TARGET@.log
#
# This value is optional.
#
# default:
#log syslog
# loglevel LEVEL
#
# This option controls the minimum level of the messages to log.
#
# LEVEL can be specified as one of the following keywords:
# critical | crit : Only log critical error messages.
# error | err : Log error messages and above. NOTE: any error
# message actually logged is critical, so using
# this loglevel will have the same effect as
# setting LEVEL to critical.
# warning | warn : Log warning messages and above.
# notice : Log notice messages and above. This is the
# default setting.
# information | info : Log information messages and above.
# debug : Log debug messages and above.
#
# This value is optional.
#
# default:
#loglevel notice
# CONNECTION OPTIONS
# These options control how @PROGRAM_NAME@ connects to the LDAP server.
# uri URI
#
# This option specifies the LDAP URI of the server to connect to. The URI
# scheme must be one of ldap, ldapi or ldaps, specifying LDAP over TCP,
# ICP or SSL respectively (if supported by the LDAP library).
#
# ICP example:
# uri ldapi:///
#
# TCP (and STARTTLS) example:
# uri ldap://ldap.example.net
#
# SSL example:
# uri ldaps://ldap.example.net
#
# This value is MANDATORY.
#
# default example:
uri ldap://ldap.example.net
# ldap_version VERSION
#
# This option specifies the version of the LDAP protocol to use. Valid
# values are 2 and 3. If VERSION is set to 2, a notice message will be
# logged on each request.
#
# The default value is 3
#
# This value is optional.
#
# default:
#ldap_version 3
# binddn DN
#
# This option specifies the distinguished name (DN) with which to bind to
# the LDAP server for search. The default is to bind anonymously.
#
# This value is optional.
#
# example:
#binddn cn=person,ou=users,dc=example,dc=net
# bindpw PASSWORD
#
# This option specifies the credentials with which to bind to the LDAP
# server for search. This option is only applicable when used with binddn
# above.
#
# This value is optional.
#
# example:
#bindpw REDACTED
# SEARCH OPTIONS
# These options control how @PROGRAM_NAME@ searches the LDAP server.
# base DN
#
# This option specifies the distinguished name (DN) to use as the base
# for searches.
#
# This value is MANDATORY.
#
# default example:
base ou=users,dc=example,dc=net
# filter FILTER
#
# This option specifies the LDAP filter to use for searches. %1 must
# represent the username passed as an argument to @PROGRAM_NAME@ in this
# filter.
#
# The default value is (cn=%1)
#
# This value is optional.
#
# default:
#filter (cn=%1)
# scope SCOPE
#
# This option specifies the search scope.
#
# SCOPE can be specified as one of the following keywords:
# onelevel | one : Search all entries in the first level below the
# search base distinguished name (DN). This is the
# default setting.
# subtree | sub : Search the entire subtree below the search base
# distinguished name (DN) including the base entry
# itself.
#
# This value is optional.
#
# default:
#scope onelevel
# attribute ATTRIBUTE
#
# This option specifies the attribute whose value should be sent to
# stdout as the result. The default is sshPublicKey.
#
# This value is optional.
#
# default:
#attribute sshPublicKey
# TIMING OPTIONS
# These options control the timing limits @PROGRAM_NAME@ sets on the LDAP
# library.
# timelimit SECONDS
#
# This option specifies the number of seconds to wait for a response from
# the server. The default is unlimited.
#
# This value is optional.
#
# example:
#timelimit 30
# bind_timelimit SECONDS
#
# This option specifies the number of seconds to allow for a bind
# operation to the server. This option is OpenLDAP specific. The default
# is unlimited.
#
# This value is optional.
#
# example:
#bind_timelimit 30
# idle_timelimit SECONDS
#
# This option specifies the number of seconds after which the connection
# to the LDAP server will be closed. This option is OpenLDAP specific.
# The default is unlimited.
#
# This value is optional.
#
# example:
#idle_timelimit 30
# SSL/TLS OPTIONS
# These options control the SSL/TLS settings for @PROGRAM_NAME@.
# tls_cacertdir PATH
#
# This option specifies the directory containing X.509 certificates for
# peer authentication.
#
# This value is optional.
#
# example:
#tls_cacertdir /etc/ssl/certs
# tls_cacertfile PATH
#
# This option specifies the path to the X.509 certificate for peer
# authentication. This option is ignored when using GnuTLS.
#
# This value is optional.
#
# example:
#tls_cacertfile /etc/ssl/ldap/cacert.pem
# tls_cert PATH
#
# This option specifies the path to the file containing the local
# certificate for client TLS authentication.
#
# This value is optional.
#
# example:
#tls_cert /etc/ssl/ldap/@PROJECT_TARGET@.pem
# tls_key PATH
#
# This option specifies the path to the file containing the local private
# key for client TLS authentication.
#
# This value is optional.
#
# example:
#tls_cert /etc/ssl/ldap/private/@PROJECT_TARGET@-key.pem
# tls_randfile PATH
#
# This option specifies the path to an entropy source (for instance:
# /dev/urandom). This option is ignored when using GnuTLS older than
# version 2.2 or Mozilla NSS. The default is /dev/urandom.
#
# This value is optional.
#
# default:
#tls_randfile /dev/urandom
# tls_dhfile PATH
#
# This option specifies the path of the file containing the parameters
# for Diffie-Hellman ephemeral key exchange. This option is ignored when
# using GnuTLS or Mozilla NSS.
#
# This value is optional.
#
# example:
#tls_dhfile /etc/ssl/ldap/dh.pem
# tls_ciphers CIPHERS
#
# This option specifies the allowed cipher suite to use for TLS. See
# your TLS implementation's documentation for further information.
#
# This value is optional.
#
# example:
#tls_ciphers HIGH:MEDIUM:+SSLv2
# tls_reqcert LEVEL
#
# This option specifies what checks to perform on a server-supplied
# certificate. At least one of tls_cacertdir or tls_cacertfile is
# required for peer verification.
#
# LEVEL can be specified as one of the following keywords:
# never : The client will not request or check any server
# certificate.
# allow : The server certificate is requested. If no
# certificate is provided, the session proceeds
# normally. If a bad certificate is provided, it will
# be ignored and the session proceeds normally.
# try : The server certificate is requested. If no
# certificate is provided, the session proceeds
# normally. If a bad certificate is provided, the
# session is immediately terminated.
# demand | hard : These keywords are equivalent. The server certificate
# is requested. If no certificate is provided, or a bad
# certificate is provided, the session is immediately
# terminated. This is the default setting.
#
# This value is optional.
#
# default:
#tls_reqcert demand
# tls_crlcheck LEVEL
#
# This option specifies if the Certificate Revocation List (CRL) of the
# CA should be used to verify if the server certificates have been
# revoked. This requires tls_cacertdir to be set. This parameter is
# ignored when using GnuTLS and Mozilla NSS.
#
# LEVEL can be specified as one of the following keywords:
# none : Do not perform a CRL check.
# peer : Check the CRL of the peer certificate.
# all : Check the CRL for the whole certificate chain.
#
# This value is optional.
#
# example:
#tls_crlcheck all
# start_tls on | off
#
# This option specifies whether to use StartTLS. The default is off.
#
# This value is optional.
#
# default:
#start_tls off
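Review bot: The example line under the `tls_key PATH` option reads `#tls_cert /etc/ssl/ldap/private/@PROJECT_TARGET@-key.pem`, so an administrator who uncomments it sets `tls_cert` a second time and never configures the private key; it should be `#tls_key /etc/ssl/ldap/private/@PROJECT_TARGET@-key.pem`. The `tls_ciphers` example `HIGH:MEDIUM:+SSLv2` names SSLv2 cipher suites in a shipped example, which most current TLS libraries no longer support; `HIGH` alone is a better example to document. Because `bindpw` places the bind credential in this file in clear text, the `bindpw` comment block would benefit from a sentence stating that the file must then be readable only by the user running @PROGRAM_NAME@, since the `install( FILES ... )` rule in CMakeLists.txt sets no `PERMISSIONS`. Also, `ICP` in the `uri` option's description and example should read `IPC`.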
'\" -*- coding: utf-8 -*-
.TH @CONFIG_FILE@ 28 "Nov 2017" "Version @PROJECT_VERSION_MAJOR@.@PROJECT_VERSION_MINOR@.@PROJECT_VERSION_PATCH@" "System Manager's Manual"
.SH NAME
@CONFIG_FILE@ \- configuration file for @PROGRAM_NAME@.
.SH DESCRIPTION
The file \fI@CONFIG_FILE@\fR contains the configuration information for running \fB@PROJECT_TARGET@\fR (see \fB@PROJECT_TARGET@\fR(8)).
The file contains configuration options, one per line, defining the method to fetch a single attribute (typically \fIsshPublicKey\fR) from an LDAP directory.
.SH OPTIONS
.SS "LOG OPTIONS"
.TP
\fBlog\fR \fISCHEME\fR | \fIFILE\fR
This option controls the way logging is done.
Either a \fISCHEME\fR or a \fIFILE\fR may be specified.
\fISCHEME\fR can be specified as one of the following keywords:
.RS
.TP
.B syslog
Log to syslog. This is the default setting.
.TP
.B stderr
Log to stderr.
.RE
.IP
\fIFILE\fR must be a path to a logfile
If \fIFILE\fR does not exist, \fIFILE\fR will be created.
If \fIFILE\fR already exists, \fIFILE\fR will be appended to.
If \fB@PROGRAM_NAME@\fR is unable to write to \fIFILE\fR or the path to \fIFILE\fR does not exist, \fB@PROGRAM_NAME@\fR will critically error.
.IP
This value is optional.
.TP
\fBloglevel\fR \fILEVEL\fR
This option controls the minimum level of the messages to log.
\fILEVEL\fR can be specified as one of the following keywords:
.RS
.TP
.B critical | crit
Only log critical error messages.
.TP