Merge branch adam_ldap

Add LDAP+kerberos support This changes the used standard C library (due to lack of /etc/nsswitch.conf support) and uses openssh instead of dropbear (due to lack of LDAP/kerberos support in the dropbear) Signed-off-by: Adam Wujek <adam.wujek@cern.ch>

Merge branch adam_ldap
Add LDAP+kerberos support This changes the used standard C library (due to lack of /etc/nsswitch.conf support) and uses openssh instead of dropbear (due to lack of LDAP/kerberos support in the dropbear) Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
83c3a764 · Adam Wujek · 70c80659 · d69d55dc · 83c3a764 · 83c3a764
Commit 83c3a764 authored Jun 03, 2019 by Adam Wujek 💬
33 changed files
--- a/Kconfig
+++ b/Kconfig
@@ -170,8 +170,95 @@ config HOSTNAME_STRING
 	help
 	  Use this string as a static hostname of the switch.

+menu "Authorization and authentication"
+
+config ROOT_ACCESS_DISABLE
+	bool "Disable root access via ssh"
+	help
+	  Used by ssh
+
+config LDAP_ENABLE
+	bool "Enable LDAP authorization"
+	help
+	  Enable LDAP authorization. Used by ssh.
+
+config LDAP_SERVER
+	string "LDAP server"
+	depends on LDAP_ENABLE
+	help
+	  LDAP server(s) e.g. ldap://xldap.cern.ch
+
+config LDAP_SEARCH_BASE
+	string "LDAP search base"
+	depends on LDAP_ENABLE
+	help
+	  LDAP search base e.g. dc=cern,dc=ch
+
+choice
+	prompt "LDAP filter"
+	depends on LDAP_ENABLE
+	default LDAP_FILTER_NONE
+
+config LDAP_FILTER_NONE
+	bool "Don't apply filter to LDAP"
+	help
+	  Allow all LDAP users to log in.
+
+config LDAP_FILTER_EGROUP
+	bool "Apply e-group filter to LDAP"
+	help
+	  Allow logins only from an e-group defined in CONFIG_LDAP_FILTER_EGROUP_STR
+	  This option is CERN specific.
+
+config LDAP_FILTER_CUSTOM
+	bool "Apply custom filter to LDAP"
+	help
+	  Provide custom filtering string for LDAP authorization.
+
+endchoice
+
+config LDAP_FILTER_EGROUP_STR
+	string "LDAP e-group"
+ 	depends on LDAP_FILTER_EGROUP
+	help
+	  LDAP's e-group for authorization. This option is CERN specific.
+
+config LDAP_FILTER_CUSTOM_STR
+	string "LDAP access filter string"
+	depends on LDAP_FILTER_CUSTOM
+	help
+	  Custom string with a filter for LDAP authorization:
+	  (memberOf=CN=white-rabbit-switch-root,OU=e-groups,OU=Workgroups,DC=cern,DC=ch)
+
+choice
+	prompt "Authorization method"
+	depends on LDAP_ENABLE
+	default AUTH_KRB5
+
+config AUTH_LDAP
+	bool "Enable LDAP authentication"
+	depends on LDAP_ENABLE
+	help
+	  Used by ssh for authentication
+
+config AUTH_KRB5
+	bool "Enable Kerberos authentication"
+	depends on LDAP_ENABLE
+	help
+	  Used by ssh for authentication
+
+endchoice
+
+config AUTH_KRB5_SERVER
+	string "Kerberos server"
+ 	depends on AUTH_KRB5
+	help
+	  Server name of Kerberos. Usually it is in capital letters.
+	  For CERN, please use CERN.CH
+
 menu "Root Password"

+
 config ROOT_PWD_IS_ENCRYPTED
 	bool "Should this file include an encripted root password?"
 	help
@@ -195,11 +282,12 @@ config ROOT_PWD_CYPHER
 	depends on ROOT_PWD_IS_ENCRYPTED
 	help
 	  The actual pre-encrypted string. This is stored at run time
-	  into /etc/passwd, for ssh authenticazion. To create the
+	  into /etc/passwd, for ssh authentication. To create the
 	  string, please run "mkpasswd --method=md5 <password>"

 endmenu

+endmenu # "Authorization and authentication"

 config NTP_SERVER
 	string "IP address of local NTP server (empty for none)"

--- a/build/scripts/wrs_build_wraprootfs
+++ b/build/scripts/wrs_build_wraprootfs
@@ -32,14 +32,12 @@ ROOTFS_INITRAMFS="$WRS_OUTPUT_DIR/images/wrs-initramfs.gz"

 cat > $TMPSCRIPT << EOF
 mkdir -p $TMPFS/wr
-cp -r $rootfs_vanilla/* $TMPFS
+cp -r --preserve=mode $rootfs_vanilla/* $TMPFS
 cp -r $WRS_OUTPUT_DIR/images/wr/* $TMPFS/wr
 cp -r $WRS_OUTPUT_DIR/images/lib/* $TMPFS/lib
 rm -f $TMPFS/etc/init.d/*
 rm -f $TMPFS/THIS_IS_NOT_YOUR_ROOT_FILESYSTEM
 # remove symlink from the buildroot
-rm -rf $TMPFS/etc/dropbear
-mkdir -p $TMPFS/etc/dropbear; chown -R root:root $TMPFS/etc/dropbear

 cp -r $rootfs_override/* $TMPFS
 # remove leftovers from on-going edits in rootfs_override
@@ -61,7 +59,7 @@ chmod a+rx $TMPFS

 ##### now move stuff to usr (we need usr to be in flash, / remains initramfs)
 # remove needless stuff
-rm -rf $TMPFS/home $TMPFS/opt
+rm -rf $TMPFS/opt
 sed -i '/^default/ d' $TMPFS/etc/passwd
 # move /wr and /var to /usr/wr and /usr/var
 mv $TMPFS/wr  $TMPFS/usr; ln -s usr/wr  $TMPFS

--- a/configs/buildroot/wrs_release_br2_config
+++ b/configs/buildroot/wrs_release_br2_config
@@ -116,10 +116,10 @@ BR2_STRIP_EXCLUDE_DIRS=""
 # BR2_OPTIMIZE_2 is not set
 # BR2_OPTIMIZE_3 is not set
 BR2_OPTIMIZE_S=y
-
-#
-# Stack Smashing Protection needs a toolchain w/ SSP
-#
+BR2_SSP_NONE=y
+# BR2_SSP_REGULAR is not set
+# BR2_SSP_STRONG is not set
+# BR2_SSP_ALL is not set
 # BR2_STATIC_LIBS is not set
 BR2_SHARED_LIBS=y
 # BR2_SHARED_STATIC_LIBS is not set
@@ -135,7 +135,7 @@ BR2_COMPILER_PARANOID_UNSAFE_PATH=y
 # Toolchain
 #
 BR2_TOOLCHAIN=y
-BR2_TOOLCHAIN_USES_UCLIBC=y
+BR2_TOOLCHAIN_USES_GLIBC=y
 BR2_TOOLCHAIN_BUILDROOT=y
 # BR2_TOOLCHAIN_EXTERNAL is not set
 BR2_TOOLCHAIN_BUILDROOT_VENDOR="buildroot"
@@ -181,30 +181,15 @@ BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_3_16=y
 # BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_3_0 is not set
 # BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_REALLY_OLD is not set
 BR2_DEFAULT_KERNEL_HEADERS="3.16.38"
-BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
-# BR2_TOOLCHAIN_BUILDROOT_GLIBC is not set
+# BR2_TOOLCHAIN_BUILDROOT_UCLIBC is not set
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
 # BR2_TOOLCHAIN_BUILDROOT_MUSL is not set
-BR2_TOOLCHAIN_BUILDROOT_LIBC="uclibc"
+BR2_TOOLCHAIN_BUILDROOT_LIBC="glibc"
 BR2_PACKAGE_LINUX_HEADERS=y
-BR2_PACKAGE_UCLIBC=y
-
-#
-# uClibc Options
-#
-BR2_UCLIBC_CONFIG="package/uclibc/uClibc-ng.config"
-BR2_UCLIBC_CONFIG_FRAGMENT_FILES=""
-BR2_TOOLCHAIN_BUILDROOT_INET_RPC=y
-BR2_TOOLCHAIN_BUILDROOT_WCHAR=y
-# BR2_TOOLCHAIN_BUILDROOT_LOCALE is not set
-# BR2_PTHREADS_NONE is not set
-# BR2_PTHREADS_OLD is not set
-BR2_PTHREADS_NATIVE=y
-BR2_PTHREAD_DEBUG=y
-# BR2_TOOLCHAIN_BUILDROOT_USE_SSP is not set
-BR2_UCLIBC_INSTALL_UTILS=y
-# BR2_UCLIBC_INSTALL_TEST_SUITE is not set
-BR2_UCLIBC_TARGET_ARCH="arm"
-BR2_UCLIBC_ARM_BX=y
+BR2_PACKAGE_GLIBC=y
+BR2_GLIBC_VERSION_2_21=y
+# BR2_GLIBC_VERSION_2_22 is not set
+BR2_GLIBC_VERSION_STRING="2.21"

 #
 # Binutils Options
@@ -233,20 +218,28 @@ BR2_GCC_ENABLE_TLS=y
 # BR2_GCC_ENABLE_LTO is not set
 # BR2_GCC_ENABLE_OPENMP is not set
 # BR2_GCC_ENABLE_GRAPHITE is not set
-# BR2_PACKAGE_HOST_GDB is not set
+BR2_PACKAGE_HOST_GDB=y
+BR2_PACKAGE_HOST_GDB_TUI=y
+# BR2_PACKAGE_HOST_GDB_PYTHON is not set
+# BR2_GDB_VERSION_7_8 is not set
+BR2_GDB_VERSION_7_9=y
+# BR2_GDB_VERSION_7_10 is not set
 BR2_GDB_VERSION="7.9.1"
 BR2_TOOLCHAIN_HAS_NATIVE_RPC=y
 BR2_USE_WCHAR=y
+BR2_ENABLE_LOCALE=y
 BR2_TOOLCHAIN_HAS_THREADS=y
 BR2_TOOLCHAIN_HAS_THREADS_DEBUG=y
 BR2_TOOLCHAIN_HAS_THREADS_NPTL=y
 BR2_TOOLCHAIN_HAS_SHADOW_PASSWORDS=y
+BR2_TOOLCHAIN_HAS_SSP=y
 # BR2_ENABLE_LOCALE_PURGE is not set
-BR2_NEEDS_GETTEXT=y
+BR2_GENERATE_LOCALE=""
+# BR2_TOOLCHAIN_GLIBC_GCONV_LIBS_COPY is not set
 BR2_USE_MMU=y
 BR2_TARGET_OPTIMIZATION="-pipe"
 BR2_TARGET_LDFLAGS=""
-# BR2_ECLIPSE_REGISTER is not set
+BR2_ECLIPSE_REGISTER=y
 BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_0=y
 BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_1=y
 BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_2=y
@@ -276,6 +269,8 @@ BR2_TOOLCHAIN_GCC_AT_LEAST="4.9"
 BR2_TOOLCHAIN_HAS_SYNC_1=y
 BR2_TOOLCHAIN_HAS_SYNC_2=y
 BR2_TOOLCHAIN_HAS_SYNC_4=y
+BR2_TOOLCHAIN_ARM_HAS_SYNC_8=y
+BR2_TOOLCHAIN_HAS_SYNC_8=y
 BR2_TOOLCHAIN_HAS_ATOMIC=y

 #
@@ -289,10 +284,7 @@ BR2_TARGET_GENERIC_PASSWD_MD5=y
 BR2_TARGET_GENERIC_PASSWD_METHOD="md5"
 BR2_INIT_BUSYBOX=y
 # BR2_INIT_SYSV is not set
-
-#
-# systemd needs (e)glibc toolchain, headers >= 3.10
-#
+# BR2_INIT_SYSTEMD is not set
 # BR2_INIT_NONE is not set
 # BR2_ROOTFS_DEVICE_CREATION_STATIC is not set
 # BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_DEVTMPFS is not set
@@ -464,10 +456,7 @@ BR2_PACKAGE_MPLAYER_ARCH_SUPPORTS=y
 #
 # Debugging, profiling and benchmark
 #
-
-#
-# blktrace needs a (e)glibc or musl toolchain
-#
+# BR2_PACKAGE_BLKTRACE is not set

 #
 # bonnie++ needs a toolchain w/ C++
@@ -510,10 +499,7 @@ BR2_PACKAGE_LTRACE=y
 # BR2_PACKAGE_LTTNG_TOOLS is not set
 # BR2_PACKAGE_MEMSTAT is not set
 # BR2_PACKAGE_NETPERF is not set
-
-#
-# netsniff-ng needs an (e)glibc toolchain w/ threads, headers >= 3.0
-#
+# BR2_PACKAGE_NETSNIFF_NG is not set

 #
 # oprofile needs a toolchain w/ C++, wchar
@@ -526,10 +512,7 @@ BR2_PACKAGE_LTRACE=y
 # BR2_PACKAGE_SPIDEV_TEST is not set
 BR2_PACKAGE_STRACE=y
 # BR2_PACKAGE_STRESS is not set
-
-#
-# stress-ng needs a glibc toolchain w/ dynamic library, headers >= 3.3
-#
+# BR2_PACKAGE_STRESS_NG is not set

 #
 # sysdig needs a toolchain w/ C++, gcc >= 4.7, dynamic library and a Linux kernel to be built
@@ -563,7 +546,7 @@ BR2_PACKAGE_CMAKE_ARCH_SUPPORTS=y
 # BR2_PACKAGE_DIFFUTILS is not set
 # BR2_PACKAGE_DOS2UNIX is not set
 # BR2_PACKAGE_FINDUTILS is not set
-# BR2_PACKAGE_FLEX is not set
+BR2_PACKAGE_FLEX=y
 # BR2_PACKAGE_GAWK is not set
 BR2_PACKAGE_GETTEXT=y
 # BR2_PACKAGE_GIT is not set
@@ -899,10 +882,7 @@ BR2_PACKAGE_QT5_JSCORE_AVAILABLE=y
 # BR2_PACKAGE_IRDA_UTILS is not set
 # BR2_PACKAGE_KBD is not set
 # BR2_PACKAGE_LCDPROC is not set
-
-#
-# libump needs a (e)glibc toolchain
-#
+# BR2_PACKAGE_LIBUMP is not set

 #
 # linux-backports needs a Linux kernel to be built
@@ -976,14 +956,8 @@ BR2_PACKAGE_QT5_JSCORE_AVAILABLE=y
 # BR2_PACKAGE_SREDIRD is not set
 # BR2_PACKAGE_STATSERIAL is not set
 # BR2_PACKAGE_STM32FLASH is not set
-
-#
-# sunxi-cedarx needs an (e)glibc toolchain
-#
-
-#
-# sunxi-mali needs an (e)glibc toolchain
-#
+# BR2_PACKAGE_SUNXI_CEDARX is not set
+# BR2_PACKAGE_SUNXI_MALI is not set
 # BR2_PACKAGE_SYSSTAT is not set

 #
@@ -1667,10 +1641,7 @@ BR2_PACKAGE_LIBLOGGING=y
 #
 # libebml needs a toolchain w/ C++, wchar
 #
-
-#
-# libfslcodec needs an (e)glibc toolchain
-#
+# BR2_PACKAGE_LIBFSLCODEC is not set
 # BR2_PACKAGE_LIBFSLPARSER is not set

 #
@@ -1762,6 +1733,7 @@ BR2_PACKAGE_CANFESTIVAL_ARCH_SUPPORTS=y
 # BR2_PACKAGE_LIBIDN is not set
 # BR2_PACKAGE_LIBISCSI is not set
 # BR2_PACKAGE_LIBLDNS is not set
+BR2_PACKAGE_LIBKRB5=y
 # BR2_PACKAGE_LIBMBUS is not set

 #
@@ -1809,15 +1781,14 @@ BR2_PACKAGE_LIBPCAP=y
 # BR2_PACKAGE_LIBWEBSOCKETS is not set
 # BR2_PACKAGE_MONGOOSE is not set
 # BR2_PACKAGE_NEON is not set
-
-#
-# nss-pam-ldapd needs an (e)glibc toolchain
-#
+BR2_PACKAGE_NSS_PAM_LDAPD=y
+BR2_PACKAGE_NSS_PAM_LDAPD_UTILITIES=y

 #
 # omniORB needs a toolchain w/ C++, threads
 #
-# BR2_PACKAGE_OPENLDAP is not set
+BR2_PACKAGE_OPENLDAP=y
+BR2_PACKAGE_OPENLDAP_CLIENTS=y
 # BR2_PACKAGE_OPENPGM is not set
 # BR2_PACKAGE_ORTP is not set
 # BR2_PACKAGE_QDECODER is not set
@@ -1857,7 +1828,6 @@ BR2_PACKAGE_LIBPCAP=y
 #
 # BR2_PACKAGE_APR is not set
 # BR2_PACKAGE_APR_UTIL is not set
-BR2_PACKAGE_ARGP_STANDALONE=y

 #
 # armadillo needs a toolchain w/ C++
@@ -1887,6 +1857,7 @@ BR2_PACKAGE_BOOST_ARCH_SUPPORTS=y
 # eigen needs a toolchain w/ C++
 #
 BR2_PACKAGE_ELFUTILS=y
+# BR2_PACKAGE_ELFUTILS_PROGS is not set
 # BR2_PACKAGE_FFTW is not set

 #
@@ -1918,10 +1889,7 @@ BR2_PACKAGE_ELFUTILS=y
 BR2_PACKAGE_LIBATOMIC_OPS_ARCH_SUPPORTS=y
 # BR2_PACKAGE_LIBATOMIC_OPS is not set
 BR2_PACKAGE_LIBBSD_ARCH_SUPPORTS=y
-
-#
-# libbsd needs an (e)glibc toolchain w/ threads
-#
+# BR2_PACKAGE_LIBBSD is not set
 # BR2_PACKAGE_LIBCAP is not set
 # BR2_PACKAGE_LIBCAP_NG is not set

@@ -1973,14 +1941,15 @@ BR2_PACKAGE_LIBURCU_ARCH_SUPPORTS=y
 # BR2_PACKAGE_LIBURCU is not set
 # BR2_PACKAGE_LIBUV is not set
 # BR2_PACKAGE_LIGHTNING is not set
+BR2_PACKAGE_LINUX_PAM=y

 #
-# linux-pam needs a uClibc or (e)glibc toolchain w/ wchar, locale, dynamic library
-#
-
-#
-# liquid-dsp requires a (e)glibc/musl toolchain w/ dynamic library
+# linux-pam plugins
 #
+# BR2_PACKAGE_LIBPAM_RADIUS_AUTH is not set
+# BR2_PACKAGE_LIBPAM_TACPLUS is not set
+BR2_PACKAGE_LIBPAM_KRB5=y
+# BR2_PACKAGE_LIQUID_DSP is not set
 # BR2_PACKAGE_LTTNG_LIBUST is not set
 # BR2_PACKAGE_MPC is not set
 # BR2_PACKAGE_MPDECIMAL is not set
@@ -2034,7 +2003,6 @@ BR2_PACKAGE_PROTOBUF_ARCH_SUPPORTS=y
 # BR2_PACKAGE_LIBENCA is not set
 BR2_PACKAGE_LIBESTR=y
 # BR2_PACKAGE_LIBFRIBIDI is not set
-# BR2_PACKAGE_LIBICONV is not set
 # BR2_PACKAGE_LIBUNISTRING is not set
 # BR2_PACKAGE_LINENOISE is not set
 BR2_PACKAGE_NCURSES=y
@@ -2113,10 +2081,7 @@ BR2_PACKAGE_READLINE=y
 #
 # BR2_PACKAGE_BIND is not set
 # BR2_PACKAGE_BLUEZ_UTILS is not set
-
-#
-# bluez5-utils needs a glibc or musl toolchain w/ wchar, threads, headers >= 3.4, dynamic library
-#
+# BR2_PACKAGE_BLUEZ5_UTILS is not set
 # BR2_PACKAGE_BMON is not set
 # BR2_PACKAGE_BOA is not set
 BR2_PACKAGE_BRIDGE_UTILS=y
@@ -2141,12 +2106,7 @@ BR2_PACKAGE_BRIDGE_UTILS=y
 BR2_PACKAGE_DHCPDUMP=y
 # BR2_PACKAGE_DNSMASQ is not set
 # BR2_PACKAGE_DRBD_UTILS is not set
-BR2_PACKAGE_DROPBEAR=y
-BR2_PACKAGE_DROPBEAR_CLIENT=y
-BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS=y
-BR2_PACKAGE_DROPBEAR_SMALL=y
-# BR2_PACKAGE_DROPBEAR_WTMP is not set
-# BR2_PACKAGE_DROPBEAR_LASTLOG is not set
+# BR2_PACKAGE_DROPBEAR is not set
 # BR2_PACKAGE_EBTABLES is not set

 #
@@ -2175,10 +2135,7 @@ BR2_PACKAGE_ETHTOOL=y
 #
 # BR2_PACKAGE_IFPLUGD is not set
 # BR2_PACKAGE_IFTOP is not set
-
-#
-# ifupdown needs an (e)glibc or musl toolchain w/ headers >= 3.0
-#
+# BR2_PACKAGE_IFUPDOWN is not set

 #
 # igh-ethercat needs a Linux kernel to be built
@@ -2263,10 +2220,7 @@ BR2_PACKAGE_MONGREL2_LIBC_SUPPORTS=y
 # BR2_PACKAGE_NDISC6 is not set
 # BR2_PACKAGE_NETATALK is not set
 # BR2_PACKAGE_NETCAT is not set
-
-#
-# netcat-openbsd needs an (e)glibc toolchain w/ threads
-#
+# BR2_PACKAGE_NETCAT_OPENBSD is not set
 # BR2_PACKAGE_NETPLUG is not set
 BR2_PACKAGE_NETSNMP=y
 BR2_PACKAGE_NETSNMP_SERVER=y
@@ -2299,7 +2253,7 @@ BR2_PACKAGE_NETSNMP_WITHOUT_MIB_MODULES="disman/event disman/schedule utilities"
 # BR2_PACKAGE_OPEN_PLC_UTILS is not set
 # BR2_PACKAGE_OPENNTPD is not set
 # BR2_PACKAGE_OPENOBEX is not set
-# BR2_PACKAGE_OPENSSH is not set
+BR2_PACKAGE_OPENSSH=y
 # BR2_PACKAGE_OPENSWAN is not set
 # BR2_PACKAGE_OPENVPN is not set
 # BR2_PACKAGE_P910ND is not set
@@ -2476,7 +2430,7 @@ BR2_PACKAGE_BASH=y
 # BR2_PACKAGE_PINENTRY is not set
 # BR2_PACKAGE_RANGER is not set
 BR2_PACKAGE_SCREEN=y
-# BR2_PACKAGE_SUDO is not set
+BR2_PACKAGE_SUDO=y
 # BR2_PACKAGE_TIME is not set
 # BR2_PACKAGE_TMUX is not set
 # BR2_PACKAGE_WHICH is not set
@@ -2511,10 +2465,7 @@ BR2_PACKAGE_INITSCRIPTS=y
 # BR2_PACKAGE_IRQBALANCE is not set
 # BR2_PACKAGE_KEYUTILS is not set
 # BR2_PACKAGE_KMOD is not set
-
-#
-# kvmtool needs a (e)glibc or musl toolchain w/ dynamic library
-#
+# BR2_PACKAGE_KVMTOOL is not set
 # BR2_PACKAGE_LXC is not set
 BR2_PACKAGE_MONIT=y
 # BR2_PACKAGE_NCDU is not set
@@ -2541,10 +2492,7 @@ BR2_PACKAGE_RSYSLOG=y
 BR2_PACKAGE_SYSTEMD_ARCH_SUPPORTS=y
 # BR2_PACKAGE_TAR is not set
 # BR2_PACKAGE_TPM_TOOLS is not set
-
-#
-# unscd needs an (e)glibc toolchain
-#
+# BR2_PACKAGE_UNSCD is not set
 # BR2_PACKAGE_UTIL_LINUX is not set

 #

--- a/doc/wrs-developer-manual.in
+++ b/doc/wrs-developer-manual.in
@@ -1914,8 +1914,10 @@ switch. Check is done every 10 seconds. As for now supervised processes are:
 @t{ppsi},
 @t{wrs_watchdog},
 @t{lighttpd},
-@t{dropbear},
-@t{snmpd}.
+@t{sshd},
+@t{snmpd},
+@t{lldpd},
+@t{nslcd}.

 In case any of the supervised processes does not run anymore (because of a crash,
 exit etc.), @t{monit} restarts missing process. If 5 restarts of a particular

--- a/doc/wrs-user-manual.in
+++ b/doc/wrs-user-manual.in
@@ -573,6 +573,41 @@ appropriate way, before the respective service is started.
 	(@t{CONFIG_HOSTNAME_DHCP}) or use a predefined value
 	(@t{CONFIG_HOSTNAME_STATIC}) defined in option @t{CONFIG_HOSTNAME_STRING}.

+@item CONFIG_ROOT_ACCESS_DISABLE
+
+	Disable root access via ssh. With this option enabled it is still
+	possible to use sudo to get root privileges.
+
+@item CONFIG_LDAP_ENABLE
+@itemx CONFIG_LDAP_SERVER
+@itemx CONFIG_LDAP_SEARCH_BASE
+@itemx CONFIG_LDAP_FILTER_NONE
+@itemx CONFIG_LDAP_FILTER_EGROUP
+@itemx CONFIG_LDAP_FILTER_CUSTOM
+@itemx CONFIG_LDAP_FILTER_EGROUP_STR
+@itemx CONFIG_LDAP_FILTER_CUSTOM_STR
+
+        Set of options related to providing an authorization via LDAP for ssh.
+        To be able to use LDAP please enable an option @t{CONFIG_LDAP_ENABLE},
+        provide LDAP server (@t{CONFIG_LDAP_SERVER}) and the search base
+        (@t{CONFIG_LDAP_SEARCH_BASE}). It is possible to limit the access
+        to a particular e-group used at CERN (@t{CONFIG_LDAP_FILTER_EGROUP}
+        to enable and @t{CONFIG_LDAP_FILTER_EGROUP_STR} to provide
+        the e-group's name) or to provide the custom filtering string
+        (@t{CONFIG_LDAP_FILTER_CUSTOM} to enable and
+        @t{CONFIG_LDAP_FILTER_CUSTOM_STR} to provide the filter).
+        For more information please refer to the @i{Kconfig}'s help.
+
+
+@item CONFIG_AUTH_LDAP
+@itemx CONFIG_AUTH_KRB5
+@itemx CONFIG_AUTH_KRB5_SERVER
+
+        Choose the authentication method. @t{CONFIG_AUTH_LDAP} for LDAP
+        authentication, @t{CONFIG_AUTH_LDAP} for Kerberos authentication.
+        For the later one it is obligatory to specify Kerberos Realm
+        @t{CONFIG_AUTH_KRB5_SERVER}.
+
 @item CONFIG_ROOT_PWD_IS_ENCRYPTED
 @itemx CONFIG_ROOT_PWD_CLEAR
 @itemx CONFIG_ROOT_PWD_CYPHER

--- a/doc/wrs_failures/fail.tex
+++ b/doc/wrs_failures/fail.tex
@@ -660,7 +660,7 @@ list of faults leading to a data error.
 				The idea is to reboot the system if it was not able to boot correctly.
 				Then we use the scratchpad registers of the processor to keep
 				the boot count. If the value of this counter is more than X we stop
-				rebooting and try to have a system running with at least \emph{dropbear}
+				rebooting and try to have a system running with at least \emph{sshd}
 				for SSH and \emph{net-snmp} to allow remote diagnostics. If on the other
 				hand the switch has booted correctly, we set the boot count to 0.
 		\end{pck_descr}
@@ -709,6 +709,7 @@ list of faults leading to a data error.
 				\snmpadd{WR-SWITCH-MIB::wrsStartCntWrsWatchdog}\\
 				\snmpadd{WR-SWITCH-MIB::wrsStartCntLldpd}\\
 				\snmpadd{WR-SWITCH-MIB::wrsStartCntSPLL}\\
+				\snmpadd{WR-SWITCH-MIB::wrsStartCntLdap}\\
 				\snmpadd{WR-SWITCH-MIB::wrsBootUserspaceDaemonsMissing}\\
 				\snmpadd{WR-SWITCH-MIB::wrsBootSuccessful} \\
 				\snmpadd{WR-SWITCH-MIB::wrsOSStatus}\\
@@ -732,12 +733,13 @@ list of faults leading to a data error.
 				Less critical processes (Restarting them and Warning generation is
 				enough):
 				\begin{itemize}
-					\item \emph{dropbear}
+					\item \emph{sshd}
 					\item \emph{udhcpc}
 					\item \emph{rsyslogd}
 					\item \emph{snmpd}
 					\item \emph{lighttpd}
 					\item \emph{lldpd}
+					\item \emph{nslcd} (LDAP)
 					\item \emph{TRUd/eRSTPd} -- not yet implemented
 				\end{itemize}


--- a/doc/wrs_failures/snmp_objects.tex
+++ b/doc/wrs_failures/snmp_objects.tex
@@ -512,6 +512,7 @@
  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntSyslogd}{}
  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntWrsWatchdog}{}
  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntLldpd}{}
+  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntLdap}{}
  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntSPLL}{Not implemented}

  \snmpentrye{WR-SWITCH-MIB}{}{wrsSpllState}{}

--- a/patches/buildroot/0010-add-libkrb5.patch
+++ b/patches/buildroot/0010-add-libkrb5.patch
+From f6ac6fde47cedd2b0a92412b39f9b9a014d637a7 Mon Sep 17 00:00:00 2001
+From: Adam Wujek <adam.wujek@cern.ch>
+Date: Tue, 4 Sep 2018 10:48:30 +0200
+Subject: [PATCH] add libkrb5
+
+Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
+---
+ package/Config.in            |  1 +
+ package/libkrb5/Config.in    | 18 ++++++++++++++++
+ package/libkrb5/libkrb5.hash |  5 +++++
+ package/libkrb5/libkrb5.mk   | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 83 insertions(+)
+ create mode 100644 package/libkrb5/Config.in
+ create mode 100644 package/libkrb5/libkrb5.hash
+ create mode 100644 package/libkrb5/libkrb5.mk
+
+diff --git a/package/Config.in b/package/Config.in
+index 529ad33..b5583da 100644
+--- a/package/Config.in
+++ b/package/Config.in
+@@ -1084,6 +1084,7 @@ menu "Networking"
+ 	source "package/libidn/Config.in"
+ 	source "package/libiscsi/Config.in"
+ 	source "package/libldns/Config.in"
+	source "package/libkrb5/Config.in"
+ 	source "package/libmbus/Config.in"
+ 	source "package/libmemcached/Config.in"
+ 	source "package/libmicrohttpd/Config.in"
+diff --git a/package/libkrb5/Config.in b/package/libkrb5/Config.in
+new file mode 100644
+index 0000000..2e24c87
+--- /dev/null
+++ b/package/libkrb5/Config.in
+@@ -0,0 +1,18 @@
+config BR2_PACKAGE_LIBKRB5
+	bool "libkrb5"
+	# needs fork()
+	depends on BR2_USE_MMU
+	depends on !BR2_STATIC_LIBS
+	help
+	  Kerberos is a system for authenticating users and services
+	  on a network. Kerberos is a trusted third-party service.
+	  That means that there is a third party (the Kerberos server)
+	  that is trusted by all the entities on the network (users
+	  and services, usually called "principals"). This is the MIT
+	  reference implementation of Kerberos V5.
+
+	  https://web.mit.edu/kerberos/
+
+comment "libkrb5 needs a toolchain w/ dynamic library"
+	depends on BR2_USE_MMU
+	depends on BR2_STATIC_LIBS
+diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash
+new file mode 100644
+index 0000000..2980947
+--- /dev/null
+++ b/package/libkrb5/libkrb5.hash
+@@ -0,0 +1,5 @@
+# Locally calculated after checking pgp signature
+sha256	214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117	krb5-1.16.1.tar.gz
+
+# Hash for license file:
+sha256	58534f00ed877fd32936fcab094f49d399aeef7716393204d8028c4b89050c82	NOTICE
+diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
+new file mode 100644
+index 0000000..d9d7160
+--- /dev/null
+++ b/package/libkrb5/libkrb5.mk
+@@ -0,0 +1,59 @@
+################################################################################
+#
+# libkrb5
+#
+################################################################################
+
+LIBKRB5_VERSION_MAJOR = 1.16
+LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).1
+LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
+LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
+LIBKRB5_SUBDIR = src
+LIBKRB5_LICENSE = MIT
+LIBKRB5_LICENSE_FILES = NOTICE
+LIBKRB5_DEPENDENCIES = host-bison
+LIBKRB5_INSTALL_STAGING = YES
+
+# The configure script uses AC_TRY_RUN tests to check for those values,
+# which doesn't work in a cross-compilation scenario. Therefore,
+# we feed the configure script with the correct answer for those tests
+LIBKRB5_CONF_ENV = \
+	ac_cv_printf_positional=yes \
+	ac_cv_func_regcomp=yes \
+	krb5_cv_attr_constructor_destructor=yes,yes
+
+# Never use the host packages
+LIBKRB5_CONF_OPTS = \
+	--without-system-db \
+	--without-system-et \
+	--without-system-ss \
+	--without-system-verto \
+	--without-tcl \
+	--disable-rpath
+
+ifeq ($(BR2_PACKAGE_OPENLDAP),y)
+LIBKRB5_CONF_OPTS += --with-ldap
+LIBKRB5_DEPENDENCIES += openldap
+else
+LIBKRB5_CONF_OPTS += --without-ldap
+endif
+
+ifeq ($(BR2_PACKAGE_LIBEDIT),y)
+LIBKRB5_CONF_OPTS += --with-libedit
+LIBKRB5_DEPENDENCIES += libedit
+else
+LIBKRB5_CONF_OPTS += --without-libedit
+endif
+
+ifeq ($(BR2_PACKAGE_READLINE),y)
+LIBKRB5_CONF_OPTS += --with-readline
+LIBKRB5_DEPENDENCIES += readline
+else
+LIBKRB5_CONF_OPTS += --without-readline
+endif
+
+ifneq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
+LIBKRB5_CONF_OPTS += --disable-thread-support
+endif
+
+$(eval $(autotools-package))
+-- 
+1.9.1
+
--- a/patches/buildroot/0011-add-libpam-krb5.patch
+++ b/patches/buildroot/0011-add-libpam-krb5.patch
+From 4a5dae02798200481775d6d8ba4a6c8f0a629544 Mon Sep 17 00:00:00 2001
+From: Adam Wujek <adam.wujek@cern.ch>
+Date: Wed, 5 Sep 2018 17:21:24 +0200
+Subject: [PATCH] add libpam-krb5
+
+Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
+---
+ package/Config.in                    |  1 +
+ package/libpam-krb5/Config.in        | 21 +++++++++++++++++++++
+ package/libpam-krb5/libpam-krb5.hash |  6 ++++++
+ package/libpam-krb5/libpam-krb5.mk   | 16 ++++++++++++++++
+ 4 files changed, 44 insertions(+)
+ create mode 100644 package/libpam-krb5/Config.in
+ create mode 100644 package/libpam-krb5/libpam-krb5.hash
+ create mode 100644 package/libpam-krb5/libpam-krb5.mk
+
+diff --git a/package/Config.in b/package/Config.in
+index b5583da..8b43b7c 100644
+--- a/package/Config.in
+++ b/package/Config.in
+@@ -1208,6 +1208,7 @@ if BR2_PACKAGE_LINUX_PAM
+ comment "linux-pam plugins"
+ 	source "package/libpam-radius-auth/Config.in"
+ 	source "package/libpam-tacplus/Config.in"
+	source "package/libpam-krb5/Config.in"
+ endif
+ 	source "package/liquid-dsp/Config.in"
+ 	source "package/lttng-libust/Config.in"
+diff --git a/package/libpam-krb5/Config.in b/package/libpam-krb5/Config.in
+new file mode 100644
+index 0000000..7845e6c
+--- /dev/null
+++ b/package/libpam-krb5/Config.in
+@@ -0,0 +1,21 @@
+config BR2_PACKAGE_LIBPAM_KRB5
+	bool "libpam-krb5"
+	# needs fork()
+	depends on BR2_USE_MMU
+	depends on !BR2_STATIC_LIBS
+	help
+	  This package provides PAM plugin for kerberos.
+	  https://www.eyrie.org/~eagle/software/pam-krb5/
+
+	  Kerberos is a system for authenticating users and services
+	  on a network. Kerberos is a trusted third-party service.
+	  That means that there is a third party (the Kerberos server)
+	  that is trusted by all the entities on the network (users
+	  and services, usually called "principals"). This is the MIT
+	  reference implementation of Kerberos V5.
+
+	  https://web.mit.edu/kerberos/
+
+comment "libpam-krb5 needs a toolchain w/ dynamic library"
+	depends on BR2_USE_MMU
+	depends on BR2_STATIC_LIBS
+diff --git a/package/libpam-krb5/libpam-krb5.hash b/package/libpam-krb5/libpam-krb5.hash
+new file mode 100644
+index 0000000..650ea5a
+--- /dev/null
+++ b/package/libpam-krb5/libpam-krb5.hash
+@@ -0,0 +1,6 @@
+# Locally calculated after checking pgp signature
+sha256	3abb458b4b3aa200d414bd2b859b3daabddd55954f753c988b41cedf95932649	pam-krb5-4.8.tar.gz
+
+# Hash for license file:
+sha256	65e1a886587af0b0af4d7e9aae8618fe80e1276cc62117ff548ae69d0f1e9be3	LICENSE
+
+diff --git a/package/libpam-krb5/libpam-krb5.mk b/package/libpam-krb5/libpam-krb5.mk
+new file mode 100644
+index 0000000..5fa5fb2
+--- /dev/null
+++ b/package/libpam-krb5/libpam-krb5.mk
+@@ -0,0 +1,16 @@
+################################################################################
+#
+# libpam-krb5
+#
+################################################################################
+
+LIBPAM_KRB5_VERSION = 4.8
+LIBPAM_KRB5_SITE = https://archives.eyrie.org/software/kerberos
+LIBPAM_KRB5_SOURCE = pam-krb5-$(LIBPAM_KRB5_VERSION).tar.gz
+# LIBPAM_KRB5_SUBDIR = src
+LIBPAM_KRB5_LICENSE = MIT?
+LIBPAM_KRB5_LICENSE_FILES = LICENSE
+LIBPAM_KRB5_DEPENDENCIES = linux-pam
+LIBPAM_KRB5_INSTALL_STAGING = YES
+
+$(eval $(autotools-package))
+-- 
+1.9.1
+
--- a/userspace/rootfs_override/etc/init.d/ldap.sh
+++ b/userspace/rootfs_override/etc/init.d/ldap.sh
+nslcd.sh
\ No newline at end of file
--- a/userspace/rootfs_override/etc/init.d/nslcd.sh
+++ b/userspace/rootfs_override/etc/init.d/nslcd.sh
+#!/bin/sh
+#
+# Starts nslcd needed for LDAP
+#
+MONIT=/usr/bin/monit
+dotconfig=/wr/etc/dot-config
+
+start_counter() {
+	# increase boot counter
+	COUNTER_FILE="/tmp/start_cnt_ldap"
+	START_COUNTER=1
+	if [ -f "$COUNTER_FILE" ];
+	then
+		read -r START_COUNTER < $COUNTER_FILE
+		START_COUNTER=$((START_COUNTER+1))
+	fi
+	echo "$START_COUNTER" > $COUNTER_FILE
+}
+
+start() {
+	echo -n "Starting nslcd (LDAP): "
+	
+	if [ -f "$dotconfig" ]; then
+		. "$dotconfig"
+	else
+		echo "$0 unable to source dot-config ($dotconfig)!"
+	fi
+	
+	if [ "$CONFIG_LDAP_ENABLE" != "y" ]; then
+		echo "LDAP not enabled in dot-config"
+		# Unmonitor web server (nslcd), ignore all printouts
+		# from monit.
+		# Run in background since monit may wait for a timeout.
+		$MONIT unmonitor nslcd &>/dev/null &
+		exit 0
+	fi
+	
+	if [ -z "$CONFIG_LDAP_SERVER" ]; then
+		echo "Failed! LDAP server not defined"
+		exit 0
+	fi
+	# fill LDAP server address
+	cp -a /usr/etc/nslcd.conf /etc/nslcd.conf
+	sed -i "s,^uri CONFIG_LDAP_SERVER_ADDRESS,uri $CONFIG_LDAP_SERVER,g" /etc/nslcd.conf
+
+	if [ -z "$CONFIG_LDAP_SEARCH_BASE" ]; then
+		echo "Failed! LDAP search base not defined"
+		exit 0
+	fi
+	# fill LDAP search base
+	sed -i "s/CONFIG_LDAP_SEARCH_BASE/$CONFIG_LDAP_SEARCH_BASE/g" /etc/nslcd.conf
+
+	if [ "$CONFIG_LDAP_FILTER_NONE" = "y" ]; then
+		# no filter
+		sed -i "s/CONFIG_LDAP_FILTER//g" /etc/nslcd.conf
+	elif [ "$CONFIG_LDAP_FILTER_EGROUP" = "y" ]; then
+		if [ -z "$CONFIG_LDAP_FILTER_EGROUP_STR" ]; then
+			echo -n "Warning: CONFIG_LDAP_FILTER_EGROUP_STR empty! "
+		fi
+		sed -i "s/CONFIG_LDAP_FILTER/(memberOf=CN=$CONFIG_LDAP_FILTER_EGROUP_STR,OU=e-groups,OU=Workgroups,$CONFIG_LDAP_SEARCH_BASE)/g" /etc/nslcd.conf
+	elif [ "$CONFIG_LDAP_FILTER_CUSTOM" = "y" ]; then
+		if [ -z "$CONFIG_LDAP_FILTER_CUSTOM_STR" ]; then
+			echo -n "Warning: CONFIG_LDAP_FILTER_CUSTOM_STR empty! "
+		fi
+		sed -i "s/CONFIG_LDAP_FILTER/$CONFIG_LDAP_FILTER_CUSTOM_STR/g" /etc/nslcd.conf
+	fi
+
+	# add ldap to /etc/nsswitch.conf
+	cp -a /usr/etc/nsswitch.conf /etc/nsswitch.conf
+	sed -i "s/^passwd:[ \t]*files\$/passwd: files ldap/g" /etc/nsswitch.conf
+	sed -i "s/^group:[ \t]*files\$/group: files ldap/g" /etc/nsswitch.conf
+	sed -i "s/^shadow:[ \t]*files\$/shadow: files ldap/g" /etc/nsswitch.conf
+
+	cp -a /usr/etc/pam.d/sshd /etc/pam.d/sshd
+	if [ "$CONFIG_AUTH_KRB5" = "y" ]; then
+		if [ -z "$CONFIG_AUTH_KRB5_SERVER" ]; then
+			echo "Failed! CONFIG_AUTH_KRB5_SERVER empty!"
+			exit 0
+		fi
+		
+		sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth       sufficient   /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount    required     /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession    required     /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		cp -a /usr/etc/krb5.conf /etc/krb5.conf
+		sed -i "s,default_realm = CONFIG_AUTH_KRB5_SERVER,default_realm = $CONFIG_AUTH_KRB5_SERVER,g" /etc/krb5.conf
+	fi
+	
+	if [ "$CONFIG_AUTH_LDAP" = "y" ]; then
+		sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth       sufficient   /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount    required     /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession    required     /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+
+	fi
+
+	# /var/run/nslcd/nslcd.pid is created automatically by nslcd
+	start-stop-daemon -S -q -p /var/run/nslcd/nslcd.pid --exec /usr/sbin/nslcd
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		start_counter
+		echo "OK"
+	elif [ $ret -eq 1 ]; then
+		echo "Failed (already running?)"
+	else
+		echo "Failed"
+	fi
+}
+
+stop() {
+	echo -n "Stopping nslcd (LDAP): "
+	start-stop-daemon -K -q -p /var/run/nslcd/nslcd.pid
+	if [ $? -eq 0 ]; then
+		echo "OK"
+	else
+		echo "Failed"
+	fi
+}
+
+restart() {
+	stop
+	start
+}
+
+case "$1" in
+  start)
+  	start
+	;;
+  stop)
+  	stop
+	;;
+  restart|reload)
+  	restart
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|restart}"
+	exit 1
+esac
+
+exit $?
+
--- a/userspace/rootfs_override/etc/init.d/dropbear
+++ b/userspace/rootfs_override/etc/init.d/dropbear
 #!/bin/sh
 #
-# Starts dropbear sshd.
+# Starts sshd.
 #

-# Make sure the dropbearkey progam exists
-[ -f /usr/bin/dropbearkey ] || exit 0
+dotconfig=/wr/etc/dot-config
+
+# Make sure the ssh-keygen progam exists
+[ -f /usr/bin/ssh-keygen ] || exit 0

 start_counter() {
 	# increase boot counter
@@ -19,32 +21,42 @@ start_counter() {
 }

 start() {
- 	echo -n "Starting dropbear sshd: "
+	echo -n "Starting sshd: "
+
+	if [ -f "$dotconfig" ]; then
+		. "$dotconfig"
+	else
+		echo "$0 unable to source dot-config ($dotconfig)!"
+	fi
+
 	# copy authorized keys if exists
 	if [ -f /usr/authorized_keys ] ; then
 		mkdir -p /root/.ssh/
 		cp /usr/authorized_keys /root/.ssh/
 	fi
-	# Make sure dropbear directory exists
-	if [ ! -d /etc/dropbear ] ; then
-		mkdir -p /etc/dropbear
-	fi
-	mkdir -p /usr/etc/dropbear
-	# Check for the Dropbear RSA key
-	if [ ! -f /etc/dropbear/dropbear_rsa_host_key ] ; then
-		echo -n "generating rsa key... "
-		/usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
-		cp /etc/dropbear/dropbear_rsa_host_key /usr/etc/dropbear
+
+	# Make sure ssh directory exists
+	mkdir -p /etc/ssh
+	mkdir -p /usr/etc/ssh
+	# Check for the ssh keys
+	if     [ ! -f /etc/ssh/ssh_host_rsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_dsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_ecdsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+# 		echo -n "generating ssh keys... "
+		/usr/bin/ssh-keygen -A
+		cp /etc/ssh/ssh_host_*_key* /usr/etc/ssh
 	fi

-	# Check for the Dropbear DSS key
-	if [ ! -f /etc/dropbear/dropbear_dss_host_key ] ; then
-		echo -n "generating dsa key... "
-		/usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
-		cp /etc/dropbear/dropbear_dss_host_key /usr/etc/dropbear
+	if [ "$CONFIG_ROOT_ACCESS_DISABLE" = "y" ]; then
+		sed -i "s|^PermitRootLogin.*|PermitRootLogin prohibit-password # replaced by $0|g" /etc/ssh/sshd_config
+	else
+		sed -i "s|^PermitRootLogin.*|PermitRootLogin yes # replaced by $0|g" /etc/ssh/sshd_config
 	fi
+
 	umask 077
-	start-stop-daemon -S -q -p /var/run/dropbear.pid --exec /usr/sbin/dropbear
+	# /var/run/sshd.pid is created automatically by sshd
+	start-stop-daemon -S -q -p /var/run/sshd.pid --exec /usr/sbin/sshd
 	ret=$?
 	if [ $ret -eq 0 ]; then
 		start_counter
@@ -57,8 +69,8 @@ start() {
 }

 stop() {
-	echo -n "Stopping dropbear sshd: "
-	start-stop-daemon -K -q -p /var/run/dropbear.pid
+	echo -n "Stopping sshd: "
+	start-stop-daemon -K -q -p /var/run/sshd.pid
 	if [ $? -eq 0 ]; then
 		echo "OK"
 	else

--- a/userspace/rootfs_override/etc/init.d/wrs-boot-procedure
+++ b/userspace/rootfs_override/etc/init.d/wrs-boot-procedure
@@ -296,3 +296,6 @@ if grep -q initrd= /proc/cmdline; then
    rm /etc/init.d/wrs-boot-procedure;
    cp -a /usr/etc/* /etc
 fi
+
+# create dir for home dirs
+mkdir -p /tmp/home
--- a/userspace/rootfs_override/etc/krb5.conf
+++ b/userspace/rootfs_override/etc/krb5.conf
+[libdefaults]
+        default_realm = CONFIG_AUTH_KRB5_SERVER
+        kdc_timesync = 1
+        ccache_type = 4
+        forwardable = true
+        proxiable = true
--- a/userspace/rootfs_override/etc/monit.d/dropbear.conf
+++ b/userspace/rootfs_override/etc/monit.d/dropbear.conf
- check process dropbear with pidfile /var/run/dropbear.pid
-   start program = "/etc/init.d/dropbear start"
-   stop program = "/etc/init.d/dropbear stop"
-   if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh dropbear"
--- a/userspace/rootfs_override/etc/monit.d/nslcd.conf
+++ b/userspace/rootfs_override/etc/monit.d/nslcd.conf
+# nslcd is used for LDAP
+ check process nslcd with pidfile /var/run/nslcd/nslcd.pid
+   start program = "/etc/init.d/nslcd.sh start"
+   stop program = "/etc/init.d/nslcd.sh stop"
+   if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh nslcd"
--- a/userspace/rootfs_override/etc/monit.d/sshd.conf
+++ b/userspace/rootfs_override/etc/monit.d/sshd.conf
+ check process sshd with pidfile /var/run/sshd.pid
+   start program = "/etc/init.d/sshd.sh start"
+   stop program = "/etc/init.d/sshd.sh stop"
+   if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh sshd"
--- a/userspace/rootfs_override/etc/nslcd.conf
+++ b/userspace/rootfs_override/etc/nslcd.conf
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+uri CONFIG_LDAP_SERVER_ADDRESS
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+# uri ldap://127.0.0.1/
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+base CONFIG_LDAP_SEARCH_BASE
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The default search scope.
+#scope sub
+scope one
+#scope base
+
+# Customize certain database lookups.
+base   group  ou=Unix,ou=Workgroups,CONFIG_LDAP_SEARCH_BASE
+base   passwd ou=Users,ou=Organic Units,CONFIG_LDAP_SEARCH_BASE
+#base   shadow ou=People,dc=example,dc=com
+#scope  group  onelevel
+#scope  hosts  sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+ssl no
+#ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+#tls_cacertdir /etc/ssl/certs
+#tls_cacertfile /etc/ssl/ca.cert
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# NDS mappings
+#map group uniqueMember member
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFU30Name
+#map    passwd userPassword     msSFU30Password
+#map    passwd homeDirectory    msSFU30HomeDirectory
+#map    passwd homeDirectory    msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFU30Name
+#map    shadow userPassword     msSFU30Password
+#filter group  (objectClass=Group)
+#map    group  uniqueMember     msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFUName
+#map    passwd userPassword     msSFUPassword
+#map    passwd homeDirectory    msSFUHomeDirectory
+#map    passwd gecos            msSFUName
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFUName
+#map    shadow userPassword     msSFUPassword
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=Group)
+#map    group  uniqueMember     posixMember
+
+# Mappings for Active Directory
+pagesize 1000
+referrals off
+filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)CONFIG_LDAP_FILTER)
+map    passwd uid              sAMAccountName
+#map    passwd homeDirectory    unixHomeDirectory
+map    passwd homeDirectory    "/home/$sAMAccountName"
+map    passwd gecos            displayName
+#map    passwd loginShell       "/sbin/nologin"
+
+filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
+map    shadow uid              sAMAccountName
+map    shadow shadowLastChange pwdLastSet
+
+filter group  (&(objectClass=group)(gidNumber=*))
+map    group  member sAMAccountName
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map    passwd uid              userName
+#map    passwd userPassword     passwordChar
+#map    passwd uidNumber        uid
+#map    passwd gidNumber        gid
+#filter group  (objectClass=aixAccessGroup)
+#map    group  cn               groupName
+#map    group  uniqueMember     member
+#map    group  gidNumber        gid
+# This comment prevents repeated auto-migration of settings.
+
--- a/userspace/rootfs_override/etc/nsswitch.conf
+++ b/userspace/rootfs_override/etc/nsswitch.conf
+# /etc/nsswitch.conf
+
+passwd:         files
+group:          files
+shadow:         files
+
+hosts:          files dns
+networks:       files dns
+
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
--- a/userspace/rootfs_override/etc/pam.d/sshd
+++ b/userspace/rootfs_override/etc/pam.d/sshd
+#%PAM-1.0
+# auth line to be replaced by startup scripts
+auth       required     /lib/security/pam_unix.so shadow nodelay
+account    required     /lib/security/pam_nologin.so
+account    required     /lib/security/pam_unix.so
+# account line to be replaced by startup scripts
+password   required     /lib/security/pam_unix.so shadow nullok use_authtok
+session    required     /lib/security/pam_unix.so
+session    required     /lib/security/pam_limits.so
+# session line to be replaced by startup scripts
+session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
--- a/userspace/rootfs_override/etc/pam.d/sudo
+++ b/userspace/rootfs_override/etc/pam.d/sudo
+# accept all users who managed to log
+auth        sufficient   pam_permit.so
+auth        sufficient   pam_rootok.so
+auth        required     pam_wheel.so use_uid
+auth        required     pam_env.so
+auth        required     pam_unix.so nullok
+
+account     required     pam_unix.so
+
+password    required     pam_unix.so nullok
+
+session     required     pam_limits.so
+session     required     pam_env.so
+session     required     pam_unix.so
--- a/userspace/rootfs_override/etc/rcS/S49ldap.sh
+++ b/userspace/rootfs_override/etc/rcS/S49ldap.sh
+../init.d/ldap.sh
\ No newline at end of file
--- a/userspace/rootfs_override/etc/rcS/S50dropbear
+++ b/userspace/rootfs_override/etc/rcS/S50dropbear
-../init.d/dropbear
\ No newline at end of file
--- a/userspace/rootfs_override/etc/rcS/S50sshd.sh
+++ b/userspace/rootfs_override/etc/rcS/S50sshd.sh
+../init.d/sshd.sh
\ No newline at end of file
--- a/userspace/rootfs_override/etc/shadow
+++ b/userspace/rootfs_override/etc/shadow
-root:$1$y12oP.6b$/Ds3CzM9uKLS1YwkgJ1A81:0:0:99999:7:::
+root:$1$y12oP.6b$/Ds3CzM9uKLS1YwkgJ1A81:1:0:99999:7:::
 bin:*:10933:0:99999:7:::
 daemon:*:10933:0:99999:7:::
 adm:*:10933:0:99999:7:::

--- a/userspace/rootfs_override/etc/skel/.bashrc
+++ b/userspace/rootfs_override/etc/skel/.bashrc
+echo "Home directory was automatically generated, it will be removed at the reboot"
--- a/userspace/rootfs_override/etc/ssh/sshd_config
+++ b/userspace/rootfs_override/etc/ssh/sshd_config
+#	$OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+# PermitRootLogin may be replaced by a startup scripts
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+# Set to no to avoid additional prompts for a password after 3 failures.
+# From man:
+# Because PAM challenge-response authentication usually serves an
+# equivalent role to password authentication, you should disable
+# either PasswordAuthentication or
+# ChallengeResponseAuthentication.
+
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
--- a/userspace/rootfs_override/etc/sudoers.d/allow_all
+++ b/userspace/rootfs_override/etc/sudoers.d/allow_all
+# Allow all users to be sudo
+# The assumption is that every user which is able to login can become sudo.
+# Please limit users using LDAP filter mechanism
+ALL ALL=(ALL) ALL
--- a/userspace/rootfs_override/home
+++ b/userspace/rootfs_override/home
+tmp/home
\ No newline at end of file
--- a/userspace/snmpd/WR-SWITCH-MIB.txt
+++ b/userspace/snmpd/WR-SWITCH-MIB.txt
@@ -28,6 +28,7 @@ wrSwitchMIB MODULE-IDENTITY
    REVISION     "201807181400Z"
    DESCRIPTION
        "Add wrsStartCntLldpd
+        Add wrsStartCntLdap
        Add in wrsPortStatusTable:
         - wrsPortStatusMonitor
         - wrsPortStatusSfpDom
@@ -1167,6 +1168,14 @@ wrsStartCntLldpd OBJECT-TYPE
            "Number of LLDP daemon starts"
    ::= { wrsStartCntGroup 9 }

+wrsStartCntLdap OBJECT-TYPE
+    SYNTAX         Counter32
+    MAX-ACCESS     read-only
+    STATUS         current
+    DESCRIPTION
+            "Number of LDAP daemon starts"
+    ::= { wrsStartCntGroup 9 }
+
 -- wrsSpllState (.7.3)
 wrsSpllState            OBJECT IDENTIFIER ::= { wrsExpertStatus 3 }


--- a/userspace/snmpd/wrsBootStatusGroup.c
+++ b/userspace/snmpd/wrsBootStatusGroup.c
@@ -96,16 +96,17 @@ struct wrs_usd_item {
 #define UDI_HTTP 4 /* index of web server in userspace_daemons array */
 #define UDI_MONIT 5 /* index of MONIT in userspace_daemons array */
 #define UDI_LLDP 8 /* index of LLDP in userspace_daemons array */
+#define UDI_NSLCD 9 /* index of NSLCD (LDAP) in userspace_daemons array */
 /* user space daemon list */
 /* - key contain process name reported by ps command
 * - positive exp describe exact number of expected processes
 * - negative exp describe minimum number of expected processes. Usefull for
 *   processes that is hard to predict number of their instances. For example
- *   new dropbear process is spawned at ssh login.
+ *   new sshd process is spawned at ssh login.
 */
 static struct wrs_usd_item userspace_daemons[] = {
-	[0] = {.key = "/usr/sbin/dropbear", .exp = -1}, /* expect at least one
-							 * dropbear process */
+	[0] = {.key = "/usr/sbin/sshd", .exp = -1}, /* expect at least one
+						     * sshd process */
 	[1] = {"/wr/bin/wrsw_hal", 2}, /* two wrsw_hal instances */
 	[2] = {"/wr/bin/wrsw_rtud", 1},
 	[3] = {"/wr/bin/ppsi", 1},
@@ -117,6 +118,8 @@ static struct wrs_usd_item userspace_daemons[] = {
 	[7] = {"/wr/bin/wrs_watchdog", 1},
 	[UDI_LLDP] = {"/usr/sbin/lldpd", 1}, /* LLDP can be disabled in
 						dot-config */
+	[UDI_NSLCD] = {"/usr/sbin/nslcd", 1}, /* nslcd/LDAP can be disabled in
+						dot-config */
 };

 struct wrs_bc_item {
@@ -496,6 +499,15 @@ static void update_daemon_expectancy(struct wrs_usd_item *daemon_array)
 		snmp_log(LOG_INFO, "SNMP: Info wrsBootUserspaceDaemonsMissing:"
 			 " CONFIG_LLDPD_DISABLE=y in dot-config\n");
 	}
+
+	daemon_array[UDI_NSLCD].exp = 0;
+	tmp = libwr_cfg_get("LDAP_ENABLE");
+	if (tmp && !strcmp(tmp, "y")) {
+		/* SNMP should not expect nslcd/LDAP to be running */
+		daemon_array[UDI_NSLCD].exp = 1;
+		snmp_log(LOG_INFO, "SNMP: Info wrsBootUserspaceDaemonsMissing:"
+			 "no CONFIG_LDAP_ENABLE in dot-config\n");
+	}
 }

 /* check if daemons from userspace_daemons array are running */

--- a/userspace/snmpd/wrsStartCntGroup.c
+++ b/userspace/snmpd/wrsStartCntGroup.c
@@ -8,6 +8,7 @@
 #define START_CNT_SYSLOGD "/tmp/start_cnt_syslogd"
 #define START_CNT_WRSWATCHDOG "/tmp/start_cnt_wrs_watchdog"
 #define START_CNT_LLDPD "/tmp/start_cnt_lldpd"
+#define START_CNT_LDAP "/tmp/start_cnt_ldap"

 static struct pickinfo wrsStartCnt_pickinfo[] = {
 	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntHAL),
@@ -19,6 +20,7 @@ static struct pickinfo wrsStartCnt_pickinfo[] = {
 	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntSyslogd),
 	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntWrsWatchdog),
 	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntLldpd),
+	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntLdap),
 };

 struct wrsStartCnt_s wrsStartCnt_s;
@@ -77,6 +79,7 @@ time_t wrsStartCnt_data_fill(void){
 	read_start_count(START_CNT_SYSLOGD, &wrsStartCnt_s.wrsStartCntSyslogd);
 	read_start_count(START_CNT_WRSWATCHDOG, &wrsStartCnt_s.wrsStartCntWrsWatchdog);
 	read_start_count(START_CNT_LLDPD, &wrsStartCnt_s.wrsStartCntLldpd);
+	read_start_count(START_CNT_LDAP, &wrsStartCnt_s.wrsStartCntLdap);

 	/* there was an update, return current time */
 	return time_update;

--- a/userspace/snmpd/wrsStartCntGroup.h
+++ b/userspace/snmpd/wrsStartCntGroup.h
@@ -14,6 +14,7 @@ struct wrsStartCnt_s {
 	uint32_t wrsStartCntSyslogd;
 	uint32_t wrsStartCntWrsWatchdog;
 	uint32_t wrsStartCntLldpd;
+	uint32_t wrsStartCntLdap;
 };

 extern struct wrsStartCnt_s wrsStartCnt_s;