Merge branch adam_ldap

Add LDAP+kerberos support This changes the used standard C library (due to lack of /etc/nsswitch.conf support) and uses openssh instead of dropbear (due to lack of LDAP/kerberos support in the dropbear) Signed-off-by: Adam Wujek <adam.wujek@cern.ch>

Merge branch adam_ldap
Add LDAP+kerberos support This changes the used standard C library (due to lack of /etc/nsswitch.conf support) and uses openssh instead of dropbear (due to lack of LDAP/kerberos support in the dropbear) Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
83c3a764 · Adam Wujek · 70c80659 · d69d55dc · 83c3a764 · 83c3a764
Commit 83c3a764 authored Jun 03, 2019 by Adam Wujek 💬
33 changed files
--- a/Kconfig
+++ b/Kconfig
@@ -170,8 +170,95 @@ config HOSTNAME_STRING
 	help
 	  Use this string as a static hostname of the switch.

+menu "Authorization and authentication"
+
+config ROOT_ACCESS_DISABLE
+	bool "Disable root access via ssh"
+	help
+	  Used by ssh
+
+config LDAP_ENABLE
+	bool "Enable LDAP authorization"
+	help
+	  Enable LDAP authorization. Used by ssh.
+
+config LDAP_SERVER
+	string "LDAP server"
+	depends on LDAP_ENABLE
+	help
+	  LDAP server(s) e.g. ldap://xldap.cern.ch
+
+config LDAP_SEARCH_BASE
+	string "LDAP search base"
+	depends on LDAP_ENABLE
+	help
+	  LDAP search base e.g. dc=cern,dc=ch
+
+choice
+	prompt "LDAP filter"
+	depends on LDAP_ENABLE
+	default LDAP_FILTER_NONE
+
+config LDAP_FILTER_NONE
+	bool "Don't apply filter to LDAP"
+	help
+	  Allow all LDAP users to log in.
+
+config LDAP_FILTER_EGROUP
+	bool "Apply e-group filter to LDAP"
+	help
+	  Allow logins only from an e-group defined in CONFIG_LDAP_FILTER_EGROUP_STR
+	  This option is CERN specific.
+
+config LDAP_FILTER_CUSTOM
+	bool "Apply custom filter to LDAP"
+	help
+	  Provide custom filtering string for LDAP authorization.
+
+endchoice
+
+config LDAP_FILTER_EGROUP_STR
+	string "LDAP e-group"
+ 	depends on LDAP_FILTER_EGROUP
+	help
+	  LDAP's e-group for authorization. This option is CERN specific.
+
+config LDAP_FILTER_CUSTOM_STR
+	string "LDAP access filter string"
+	depends on LDAP_FILTER_CUSTOM
+	help
+	  Custom string with a filter for LDAP authorization:
+	  (memberOf=CN=white-rabbit-switch-root,OU=e-groups,OU=Workgroups,DC=cern,DC=ch)
+
+choice
+	prompt "Authorization method"
+	depends on LDAP_ENABLE
+	default AUTH_KRB5
+
+config AUTH_LDAP
+	bool "Enable LDAP authentication"
+	depends on LDAP_ENABLE
+	help
+	  Used by ssh for authentication
+
+config AUTH_KRB5
+	bool "Enable Kerberos authentication"
+	depends on LDAP_ENABLE
+	help
+	  Used by ssh for authentication
+
+endchoice
+
+config AUTH_KRB5_SERVER
+	string "Kerberos server"
+ 	depends on AUTH_KRB5
+	help
+	  Server name of Kerberos. Usually it is in capital letters.
+	  For CERN, please use CERN.CH
+
 menu "Root Password"

+
 config ROOT_PWD_IS_ENCRYPTED
 	bool "Should this file include an encripted root password?"
 	help
@@ -195,11 +282,12 @@ config ROOT_PWD_CYPHER
 	depends on ROOT_PWD_IS_ENCRYPTED
 	help
 	  The actual pre-encrypted string. This is stored at run time
-	  into /etc/passwd, for ssh authenticazion. To create the
+	  into /etc/passwd, for ssh authentication. To create the
 	  string, please run "mkpasswd --method=md5 <password>"

 endmenu

+endmenu # "Authorization and authentication"

 config NTP_SERVER
 	string "IP address of local NTP server (empty for none)"

--- a/build/scripts/wrs_build_wraprootfs
+++ b/build/scripts/wrs_build_wraprootfs
@@ -32,14 +32,12 @@ ROOTFS_INITRAMFS="$WRS_OUTPUT_DIR/images/wrs-initramfs.gz"

 cat > $TMPSCRIPT << EOF
 mkdir -p $TMPFS/wr
-cp -r $rootfs_vanilla/* $TMPFS
+cp -r --preserve=mode $rootfs_vanilla/* $TMPFS
 cp -r $WRS_OUTPUT_DIR/images/wr/* $TMPFS/wr
 cp -r $WRS_OUTPUT_DIR/images/lib/* $TMPFS/lib
 rm -f $TMPFS/etc/init.d/*
 rm -f $TMPFS/THIS_IS_NOT_YOUR_ROOT_FILESYSTEM
 # remove symlink from the buildroot
-rm -rf $TMPFS/etc/dropbear
-mkdir -p $TMPFS/etc/dropbear; chown -R root:root $TMPFS/etc/dropbear

 cp -r $rootfs_override/* $TMPFS
 # remove leftovers from on-going edits in rootfs_override
@@ -61,7 +59,7 @@ chmod a+rx $TMPFS

 ##### now move stuff to usr (we need usr to be in flash, / remains initramfs)
 # remove needless stuff
-rm -rf $TMPFS/home $TMPFS/opt
+rm -rf $TMPFS/opt
 sed -i '/^default/ d' $TMPFS/etc/passwd
 # move /wr and /var to /usr/wr and /usr/var
 mv $TMPFS/wr  $TMPFS/usr; ln -s usr/wr  $TMPFS

--- a/configs/buildroot/wrs_release_br2_config
+++ b/configs/buildroot/wrs_release_br2_config
--- a/doc/wrs-developer-manual.in
+++ b/doc/wrs-developer-manual.in
@@ -1914,8 +1914,10 @@ switch. Check is done every 10 seconds. As for now supervised processes are:
 @t{ppsi},
 @t{wrs_watchdog},
 @t{lighttpd},
-@t{dropbear},
-@t{snmpd}.
+@t{sshd},
+@t{snmpd},
+@t{lldpd},
+@t{nslcd}.

 In case any of the supervised processes does not run anymore (because of a crash,
 exit etc.), @t{monit} restarts missing process. If 5 restarts of a particular

--- a/doc/wrs-user-manual.in
+++ b/doc/wrs-user-manual.in
@@ -573,6 +573,41 @@ appropriate way, before the respective service is started.
 	(@t{CONFIG_HOSTNAME_DHCP}) or use a predefined value
 	(@t{CONFIG_HOSTNAME_STATIC}) defined in option @t{CONFIG_HOSTNAME_STRING}.

+@item CONFIG_ROOT_ACCESS_DISABLE
+
+	Disable root access via ssh. With this option enabled it is still
+	possible to use sudo to get root privileges.
+
+@item CONFIG_LDAP_ENABLE
+@itemx CONFIG_LDAP_SERVER
+@itemx CONFIG_LDAP_SEARCH_BASE
+@itemx CONFIG_LDAP_FILTER_NONE
+@itemx CONFIG_LDAP_FILTER_EGROUP
+@itemx CONFIG_LDAP_FILTER_CUSTOM
+@itemx CONFIG_LDAP_FILTER_EGROUP_STR
+@itemx CONFIG_LDAP_FILTER_CUSTOM_STR
+
+        Set of options related to providing an authorization via LDAP for ssh.
+        To be able to use LDAP please enable an option @t{CONFIG_LDAP_ENABLE},
+        provide LDAP server (@t{CONFIG_LDAP_SERVER}) and the search base
+        (@t{CONFIG_LDAP_SEARCH_BASE}). It is possible to limit the access
+        to a particular e-group used at CERN (@t{CONFIG_LDAP_FILTER_EGROUP}
+        to enable and @t{CONFIG_LDAP_FILTER_EGROUP_STR} to provide
+        the e-group's name) or to provide the custom filtering string
+        (@t{CONFIG_LDAP_FILTER_CUSTOM} to enable and
+        @t{CONFIG_LDAP_FILTER_CUSTOM_STR} to provide the filter).
+        For more information please refer to the @i{Kconfig}'s help.
+
+
+@item CONFIG_AUTH_LDAP
+@itemx CONFIG_AUTH_KRB5
+@itemx CONFIG_AUTH_KRB5_SERVER
+
+        Choose the authentication method. @t{CONFIG_AUTH_LDAP} for LDAP
+        authentication, @t{CONFIG_AUTH_LDAP} for Kerberos authentication.
+        For the later one it is obligatory to specify Kerberos Realm
+        @t{CONFIG_AUTH_KRB5_SERVER}.
+
 @item CONFIG_ROOT_PWD_IS_ENCRYPTED
 @itemx CONFIG_ROOT_PWD_CLEAR
 @itemx CONFIG_ROOT_PWD_CYPHER

--- a/doc/wrs_failures/fail.tex
+++ b/doc/wrs_failures/fail.tex
@@ -660,7 +660,7 @@ list of faults leading to a data error.
 				The idea is to reboot the system if it was not able to boot correctly.
 				Then we use the scratchpad registers of the processor to keep
 				the boot count. If the value of this counter is more than X we stop
-				rebooting and try to have a system running with at least \emph{dropbear}
+				rebooting and try to have a system running with at least \emph{sshd}
 				for SSH and \emph{net-snmp} to allow remote diagnostics. If on the other
 				hand the switch has booted correctly, we set the boot count to 0.
 		\end{pck_descr}
@@ -709,6 +709,7 @@ list of faults leading to a data error.
 				\snmpadd{WR-SWITCH-MIB::wrsStartCntWrsWatchdog}\\
 				\snmpadd{WR-SWITCH-MIB::wrsStartCntLldpd}\\
 				\snmpadd{WR-SWITCH-MIB::wrsStartCntSPLL}\\
+				\snmpadd{WR-SWITCH-MIB::wrsStartCntLdap}\\
 				\snmpadd{WR-SWITCH-MIB::wrsBootUserspaceDaemonsMissing}\\
 				\snmpadd{WR-SWITCH-MIB::wrsBootSuccessful} \\
 				\snmpadd{WR-SWITCH-MIB::wrsOSStatus}\\
@@ -732,12 +733,13 @@ list of faults leading to a data error.
 				Less critical processes (Restarting them and Warning generation is
 				enough):
 				\begin{itemize}
-					\item \emph{dropbear}
+					\item \emph{sshd}
 					\item \emph{udhcpc}
 					\item \emph{rsyslogd}
 					\item \emph{snmpd}
 					\item \emph{lighttpd}
 					\item \emph{lldpd}
+					\item \emph{nslcd} (LDAP)
 					\item \emph{TRUd/eRSTPd} -- not yet implemented
 				\end{itemize}


--- a/doc/wrs_failures/snmp_objects.tex
+++ b/doc/wrs_failures/snmp_objects.tex
@@ -512,6 +512,7 @@
  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntSyslogd}{}
  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntWrsWatchdog}{}
  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntLldpd}{}
+  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntLdap}{}
  \snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntSPLL}{Not implemented}

  \snmpentrye{WR-SWITCH-MIB}{}{wrsSpllState}{}

--- a/patches/buildroot/0010-add-libkrb5.patch
+++ b/patches/buildroot/0010-add-libkrb5.patch
+From f6ac6fde47cedd2b0a92412b39f9b9a014d637a7 Mon Sep 17 00:00:00 2001
+From: Adam Wujek <adam.wujek@cern.ch>
+Date: Tue, 4 Sep 2018 10:48:30 +0200
+Subject: [PATCH] add libkrb5
+
+Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
+---
+ package/Config.in            |  1 +
+ package/libkrb5/Config.in    | 18 ++++++++++++++++
+ package/libkrb5/libkrb5.hash |  5 +++++
+ package/libkrb5/libkrb5.mk   | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 83 insertions(+)
+ create mode 100644 package/libkrb5/Config.in
+ create mode 100644 package/libkrb5/libkrb5.hash
+ create mode 100644 package/libkrb5/libkrb5.mk
+
+diff --git a/package/Config.in b/package/Config.in
+index 529ad33..b5583da 100644
+--- a/package/Config.in
+++ b/package/Config.in
+@@ -1084,6 +1084,7 @@ menu "Networking"
+ 	source "package/libidn/Config.in"
+ 	source "package/libiscsi/Config.in"
+ 	source "package/libldns/Config.in"
+	source "package/libkrb5/Config.in"
+ 	source "package/libmbus/Config.in"
+ 	source "package/libmemcached/Config.in"
+ 	source "package/libmicrohttpd/Config.in"
+diff --git a/package/libkrb5/Config.in b/package/libkrb5/Config.in
+new file mode 100644
+index 0000000..2e24c87
+--- /dev/null
+++ b/package/libkrb5/Config.in
+@@ -0,0 +1,18 @@
+config BR2_PACKAGE_LIBKRB5
+	bool "libkrb5"
+	# needs fork()
+	depends on BR2_USE_MMU
+	depends on !BR2_STATIC_LIBS
+	help
+	  Kerberos is a system for authenticating users and services
+	  on a network. Kerberos is a trusted third-party service.
+	  That means that there is a third party (the Kerberos server)
+	  that is trusted by all the entities on the network (users
+	  and services, usually called "principals"). This is the MIT
+	  reference implementation of Kerberos V5.
+
+	  https://web.mit.edu/kerberos/
+
+comment "libkrb5 needs a toolchain w/ dynamic library"
+	depends on BR2_USE_MMU
+	depends on BR2_STATIC_LIBS
+diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash
+new file mode 100644
+index 0000000..2980947
+--- /dev/null
+++ b/package/libkrb5/libkrb5.hash
+@@ -0,0 +1,5 @@
+# Locally calculated after checking pgp signature
+sha256	214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117	krb5-1.16.1.tar.gz
+
+# Hash for license file:
+sha256	58534f00ed877fd32936fcab094f49d399aeef7716393204d8028c4b89050c82	NOTICE
+diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
+new file mode 100644
+index 0000000..d9d7160
+--- /dev/null
+++ b/package/libkrb5/libkrb5.mk
+@@ -0,0 +1,59 @@
+################################################################################
+#
+# libkrb5
+#
+################################################################################
+
+LIBKRB5_VERSION_MAJOR = 1.16
+LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).1
+LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
+LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
+LIBKRB5_SUBDIR = src
+LIBKRB5_LICENSE = MIT
+LIBKRB5_LICENSE_FILES = NOTICE
+LIBKRB5_DEPENDENCIES = host-bison
+LIBKRB5_INSTALL_STAGING = YES
+
+# The configure script uses AC_TRY_RUN tests to check for those values,
+# which doesn't work in a cross-compilation scenario. Therefore,
+# we feed the configure script with the correct answer for those tests
+LIBKRB5_CONF_ENV = \
+	ac_cv_printf_positional=yes \
+	ac_cv_func_regcomp=yes \
+	krb5_cv_attr_constructor_destructor=yes,yes
+
+# Never use the host packages
+LIBKRB5_CONF_OPTS = \
+	--without-system-db \
+	--without-system-et \
+	--without-system-ss \
+	--without-system-verto \
+	--without-tcl \
+	--disable-rpath
+
+ifeq ($(BR2_PACKAGE_OPENLDAP),y)
+LIBKRB5_CONF_OPTS += --with-ldap
+LIBKRB5_DEPENDENCIES += openldap
+else
+LIBKRB5_CONF_OPTS += --without-ldap
+endif
+
+ifeq ($(BR2_PACKAGE_LIBEDIT),y)
+LIBKRB5_CONF_OPTS += --with-libedit
+LIBKRB5_DEPENDENCIES += libedit
+else
+LIBKRB5_CONF_OPTS += --without-libedit
+endif
+
+ifeq ($(BR2_PACKAGE_READLINE),y)
+LIBKRB5_CONF_OPTS += --with-readline
+LIBKRB5_DEPENDENCIES += readline
+else
+LIBKRB5_CONF_OPTS += --without-readline
+endif
+
+ifneq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
+LIBKRB5_CONF_OPTS += --disable-thread-support
+endif
+
+$(eval $(autotools-package))
+-- 
+1.9.1
+
--- a/patches/buildroot/0011-add-libpam-krb5.patch
+++ b/patches/buildroot/0011-add-libpam-krb5.patch
+From 4a5dae02798200481775d6d8ba4a6c8f0a629544 Mon Sep 17 00:00:00 2001
+From: Adam Wujek <adam.wujek@cern.ch>
+Date: Wed, 5 Sep 2018 17:21:24 +0200
+Subject: [PATCH] add libpam-krb5
+
+Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
+---
+ package/Config.in                    |  1 +
+ package/libpam-krb5/Config.in        | 21 +++++++++++++++++++++
+ package/libpam-krb5/libpam-krb5.hash |  6 ++++++
+ package/libpam-krb5/libpam-krb5.mk   | 16 ++++++++++++++++
+ 4 files changed, 44 insertions(+)
+ create mode 100644 package/libpam-krb5/Config.in
+ create mode 100644 package/libpam-krb5/libpam-krb5.hash
+ create mode 100644 package/libpam-krb5/libpam-krb5.mk
+
+diff --git a/package/Config.in b/package/Config.in
+index b5583da..8b43b7c 100644
+--- a/package/Config.in
+++ b/package/Config.in
+@@ -1208,6 +1208,7 @@ if BR2_PACKAGE_LINUX_PAM
+ comment "linux-pam plugins"
+ 	source "package/libpam-radius-auth/Config.in"
+ 	source "package/libpam-tacplus/Config.in"
+	source "package/libpam-krb5/Config.in"
+ endif
+ 	source "package/liquid-dsp/Config.in"
+ 	source "package/lttng-libust/Config.in"
+diff --git a/package/libpam-krb5/Config.in b/package/libpam-krb5/Config.in
+new file mode 100644
+index 0000000..7845e6c
+--- /dev/null
+++ b/package/libpam-krb5/Config.in
+@@ -0,0 +1,21 @@
+config BR2_PACKAGE_LIBPAM_KRB5
+	bool "libpam-krb5"
+	# needs fork()
+	depends on BR2_USE_MMU
+	depends on !BR2_STATIC_LIBS
+	help
+	  This package provides PAM plugin for kerberos.
+	  https://www.eyrie.org/~eagle/software/pam-krb5/
+
+	  Kerberos is a system for authenticating users and services
+	  on a network. Kerberos is a trusted third-party service.
+	  That means that there is a third party (the Kerberos server)
+	  that is trusted by all the entities on the network (users
+	  and services, usually called "principals"). This is the MIT
+	  reference implementation of Kerberos V5.
+
+	  https://web.mit.edu/kerberos/
+
+comment "libpam-krb5 needs a toolchain w/ dynamic library"
+	depends on BR2_USE_MMU
+	depends on BR2_STATIC_LIBS
+diff --git a/package/libpam-krb5/libpam-krb5.hash b/package/libpam-krb5/libpam-krb5.hash
+new file mode 100644
+index 0000000..650ea5a
+--- /dev/null
+++ b/package/libpam-krb5/libpam-krb5.hash
+@@ -0,0 +1,6 @@
+# Locally calculated after checking pgp signature
+sha256	3abb458b4b3aa200d414bd2b859b3daabddd55954f753c988b41cedf95932649	pam-krb5-4.8.tar.gz
+
+# Hash for license file:
+sha256	65e1a886587af0b0af4d7e9aae8618fe80e1276cc62117ff548ae69d0f1e9be3	LICENSE
+
+diff --git a/package/libpam-krb5/libpam-krb5.mk b/package/libpam-krb5/libpam-krb5.mk
+new file mode 100644
+index 0000000..5fa5fb2
+--- /dev/null
+++ b/package/libpam-krb5/libpam-krb5.mk
+@@ -0,0 +1,16 @@
+################################################################################
+#
+# libpam-krb5
+#
+################################################################################
+
+LIBPAM_KRB5_VERSION = 4.8
+LIBPAM_KRB5_SITE = https://archives.eyrie.org/software/kerberos
+LIBPAM_KRB5_SOURCE = pam-krb5-$(LIBPAM_KRB5_VERSION).tar.gz
+# LIBPAM_KRB5_SUBDIR = src
+LIBPAM_KRB5_LICENSE = MIT?
+LIBPAM_KRB5_LICENSE_FILES = LICENSE
+LIBPAM_KRB5_DEPENDENCIES = linux-pam
+LIBPAM_KRB5_INSTALL_STAGING = YES
+
+$(eval $(autotools-package))
+-- 
+1.9.1
+
--- a/userspace/rootfs_override/etc/init.d/ldap.sh
+++ b/userspace/rootfs_override/etc/init.d/ldap.sh
+nslcd.sh
\ No newline at end of file
--- a/userspace/rootfs_override/etc/init.d/nslcd.sh
+++ b/userspace/rootfs_override/etc/init.d/nslcd.sh
+#!/bin/sh
+#
+# Starts nslcd needed for LDAP
+#
+MONIT=/usr/bin/monit
+dotconfig=/wr/etc/dot-config
+
+start_counter() {
+	# increase boot counter
+	COUNTER_FILE="/tmp/start_cnt_ldap"
+	START_COUNTER=1
+	if [ -f "$COUNTER_FILE" ];
+	then
+		read -r START_COUNTER < $COUNTER_FILE
+		START_COUNTER=$((START_COUNTER+1))
+	fi
+	echo "$START_COUNTER" > $COUNTER_FILE
+}
+
+start() {
+	echo -n "Starting nslcd (LDAP): "
+	
+	if [ -f "$dotconfig" ]; then
+		. "$dotconfig"
+	else
+		echo "$0 unable to source dot-config ($dotconfig)!"
+	fi
+	
+	if [ "$CONFIG_LDAP_ENABLE" != "y" ]; then
+		echo "LDAP not enabled in dot-config"
+		# Unmonitor web server (nslcd), ignore all printouts
+		# from monit.
+		# Run in background since monit may wait for a timeout.
+		$MONIT unmonitor nslcd &>/dev/null &
+		exit 0
+	fi
+	
+	if [ -z "$CONFIG_LDAP_SERVER" ]; then
+		echo "Failed! LDAP server not defined"
+		exit 0
+	fi
+	# fill LDAP server address
+	cp -a /usr/etc/nslcd.conf /etc/nslcd.conf
+	sed -i "s,^uri CONFIG_LDAP_SERVER_ADDRESS,uri $CONFIG_LDAP_SERVER,g" /etc/nslcd.conf
+
+	if [ -z "$CONFIG_LDAP_SEARCH_BASE" ]; then
+		echo "Failed! LDAP search base not defined"
+		exit 0
+	fi
+	# fill LDAP search base
+	sed -i "s/CONFIG_LDAP_SEARCH_BASE/$CONFIG_LDAP_SEARCH_BASE/g" /etc/nslcd.conf
+
+	if [ "$CONFIG_LDAP_FILTER_NONE" = "y" ]; then
+		# no filter
+		sed -i "s/CONFIG_LDAP_FILTER//g" /etc/nslcd.conf
+	elif [ "$CONFIG_LDAP_FILTER_EGROUP" = "y" ]; then
+		if [ -z "$CONFIG_LDAP_FILTER_EGROUP_STR" ]; then
+			echo -n "Warning: CONFIG_LDAP_FILTER_EGROUP_STR empty! "
+		fi
+		sed -i "s/CONFIG_LDAP_FILTER/(memberOf=CN=$CONFIG_LDAP_FILTER_EGROUP_STR,OU=e-groups,OU=Workgroups,$CONFIG_LDAP_SEARCH_BASE)/g" /etc/nslcd.conf
+	elif [ "$CONFIG_LDAP_FILTER_CUSTOM" = "y" ]; then
+		if [ -z "$CONFIG_LDAP_FILTER_CUSTOM_STR" ]; then
+			echo -n "Warning: CONFIG_LDAP_FILTER_CUSTOM_STR empty! "
+		fi
+		sed -i "s/CONFIG_LDAP_FILTER/$CONFIG_LDAP_FILTER_CUSTOM_STR/g" /etc/nslcd.conf
+	fi
+
+	# add ldap to /etc/nsswitch.conf
+	cp -a /usr/etc/nsswitch.conf /etc/nsswitch.conf
+	sed -i "s/^passwd:[ \t]*files\$/passwd: files ldap/g" /etc/nsswitch.conf
+	sed -i "s/^group:[ \t]*files\$/group: files ldap/g" /etc/nsswitch.conf
+	sed -i "s/^shadow:[ \t]*files\$/shadow: files ldap/g" /etc/nsswitch.conf
+
+	cp -a /usr/etc/pam.d/sshd /etc/pam.d/sshd
+	if [ "$CONFIG_AUTH_KRB5" = "y" ]; then
+		if [ -z "$CONFIG_AUTH_KRB5_SERVER" ]; then
+			echo "Failed! CONFIG_AUTH_KRB5_SERVER empty!"
+			exit 0
+		fi
+		
+		sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth       sufficient   /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount    required     /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession    required     /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		cp -a /usr/etc/krb5.conf /etc/krb5.conf
+		sed -i "s,default_realm = CONFIG_AUTH_KRB5_SERVER,default_realm = $CONFIG_AUTH_KRB5_SERVER,g" /etc/krb5.conf
+	fi
+	
+	if [ "$CONFIG_AUTH_LDAP" = "y" ]; then
+		sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth       sufficient   /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount    required     /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+		sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession    required     /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
+
+	fi
+
+	# /var/run/nslcd/nslcd.pid is created automatically by nslcd
+	start-stop-daemon -S -q -p /var/run/nslcd/nslcd.pid --exec /usr/sbin/nslcd
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		start_counter
+		echo "OK"
+	elif [ $ret -eq 1 ]; then
+		echo "Failed (already running?)"
+	else
+		echo "Failed"
+	fi
+}
+
+stop() {
+	echo -n "Stopping nslcd (LDAP): "
+	start-stop-daemon -K -q -p /var/run/nslcd/nslcd.pid
+	if [ $? -eq 0 ]; then
+		echo "OK"
+	else
+		echo "Failed"
+	fi
+}
+
+restart() {
+	stop
+	start
+}
+
+case "$1" in
+  start)
+  	start
+	;;
+  stop)
+  	stop
+	;;
+  restart|reload)
+  	restart
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|restart}"
+	exit 1
+esac
+
+exit $?
+
--- a/userspace/rootfs_override/etc/init.d/dropbear
+++ b/userspace/rootfs_override/etc/init.d/dropbear
 #!/bin/sh
 #
-# Starts dropbear sshd.
+# Starts sshd.
 #

-# Make sure the dropbearkey progam exists
-[ -f /usr/bin/dropbearkey ] || exit 0
+dotconfig=/wr/etc/dot-config
+
+# Make sure the ssh-keygen progam exists
+[ -f /usr/bin/ssh-keygen ] || exit 0

 start_counter() {
 	# increase boot counter
@@ -19,32 +21,42 @@ start_counter() {
 }

 start() {
- 	echo -n "Starting dropbear sshd: "
+	echo -n "Starting sshd: "
+
+	if [ -f "$dotconfig" ]; then
+		. "$dotconfig"
+	else
+		echo "$0 unable to source dot-config ($dotconfig)!"
+	fi
+
 	# copy authorized keys if exists
 	if [ -f /usr/authorized_keys ] ; then
 		mkdir -p /root/.ssh/
 		cp /usr/authorized_keys /root/.ssh/
 	fi
-	# Make sure dropbear directory exists
-	if [ ! -d /etc/dropbear ] ; then
-		mkdir -p /etc/dropbear
-	fi
-	mkdir -p /usr/etc/dropbear
-	# Check for the Dropbear RSA key
-	if [ ! -f /etc/dropbear/dropbear_rsa_host_key ] ; then
-		echo -n "generating rsa key... "
-		/usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
-		cp /etc/dropbear/dropbear_rsa_host_key /usr/etc/dropbear
+
+	# Make sure ssh directory exists
+	mkdir -p /etc/ssh
+	mkdir -p /usr/etc/ssh
+	# Check for the ssh keys
+	if     [ ! -f /etc/ssh/ssh_host_rsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_dsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_ecdsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+# 		echo -n "generating ssh keys... "
+		/usr/bin/ssh-keygen -A
+		cp /etc/ssh/ssh_host_*_key* /usr/etc/ssh
 	fi

-	# Check for the Dropbear DSS key
-	if [ ! -f /etc/dropbear/dropbear_dss_host_key ] ; then
-		echo -n "generating dsa key... "
-		/usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
-		cp /etc/dropbear/dropbear_dss_host_key /usr/etc/dropbear
+	if [ "$CONFIG_ROOT_ACCESS_DISABLE" = "y" ]; then
+		sed -i "s|^PermitRootLogin.*|PermitRootLogin prohibit-password # replaced by $0|g" /etc/ssh/sshd_config
+	else
+		sed -i "s|^PermitRootLogin.*|PermitRootLogin yes # replaced by $0|g" /etc/ssh/sshd_config
 	fi
+
 	umask 077
-	start-stop-daemon -S -q -p /var/run/dropbear.pid --exec /usr/sbin/dropbear
+	# /var/run/sshd.pid is created automatically by sshd
+	start-stop-daemon -S -q -p /var/run/sshd.pid --exec /usr/sbin/sshd
 	ret=$?
 	if [ $ret -eq 0 ]; then
 		start_counter
@@ -57,8 +69,8 @@ start() {
 }

 stop() {
-	echo -n "Stopping dropbear sshd: "
-	start-stop-daemon -K -q -p /var/run/dropbear.pid
+	echo -n "Stopping sshd: "
+	start-stop-daemon -K -q -p /var/run/sshd.pid
 	if [ $? -eq 0 ]; then
 		echo "OK"
 	else

--- a/userspace/rootfs_override/etc/init.d/wrs-boot-procedure
+++ b/userspace/rootfs_override/etc/init.d/wrs-boot-procedure
@@ -296,3 +296,6 @@ if grep -q initrd= /proc/cmdline; then
    rm /etc/init.d/wrs-boot-procedure;
    cp -a /usr/etc/* /etc
 fi
+
+# create dir for home dirs
+mkdir -p /tmp/home
--- a/userspace/rootfs_override/etc/krb5.conf
+++ b/userspace/rootfs_override/etc/krb5.conf
+[libdefaults]
+        default_realm = CONFIG_AUTH_KRB5_SERVER
+        kdc_timesync = 1
+        ccache_type = 4
+        forwardable = true
+        proxiable = true
--- a/userspace/rootfs_override/etc/monit.d/dropbear.conf
+++ b/userspace/rootfs_override/etc/monit.d/dropbear.conf
- check process dropbear with pidfile /var/run/dropbear.pid
-   start program = "/etc/init.d/dropbear start"
-   stop program = "/etc/init.d/dropbear stop"
-   if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh dropbear"
--- a/userspace/rootfs_override/etc/monit.d/nslcd.conf
+++ b/userspace/rootfs_override/etc/monit.d/nslcd.conf
+# nslcd is used for LDAP
+ check process nslcd with pidfile /var/run/nslcd/nslcd.pid
+   start program = "/etc/init.d/nslcd.sh start"
+   stop program = "/etc/init.d/nslcd.sh stop"
+   if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh nslcd"
--- a/userspace/rootfs_override/etc/monit.d/sshd.conf
+++ b/userspace/rootfs_override/etc/monit.d/sshd.conf
+ check process sshd with pidfile /var/run/sshd.pid
+   start program = "/etc/init.d/sshd.sh start"
+   stop program = "/etc/init.d/sshd.sh stop"
+   if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh sshd"
--- a/userspace/rootfs_override/etc/nslcd.conf
+++ b/userspace/rootfs_override/etc/nslcd.conf
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+uri CONFIG_LDAP_SERVER_ADDRESS
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+# uri ldap://127.0.0.1/
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+base CONFIG_LDAP_SEARCH_BASE
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The default search scope.
+#scope sub
+scope one
+#scope base
+
+# Customize certain database lookups.
+base   group  ou=Unix,ou=Workgroups,CONFIG_LDAP_SEARCH_BASE
+base   passwd ou=Users,ou=Organic Units,CONFIG_LDAP_SEARCH_BASE
+#base   shadow ou=People,dc=example,dc=com
+#scope  group  onelevel
+#scope  hosts  sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+ssl no
+#ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+#tls_cacertdir /etc/ssl/certs
+#tls_cacertfile /etc/ssl/ca.cert
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# NDS mappings
+#map group uniqueMember member
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFU30Name
+#map    passwd userPassword     msSFU30Password
+#map    passwd homeDirectory    msSFU30HomeDirectory
+#map    passwd homeDirectory    msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFU30Name
+#map    shadow userPassword     msSFU30Password
+#filter group  (objectClass=Group)
+#map    group  uniqueMember     msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFUName
+#map    passwd userPassword     msSFUPassword
+#map    passwd homeDirectory    msSFUHomeDirectory
+#map    passwd gecos            msSFUName
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFUName
+#map    shadow userPassword     msSFUPassword
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=Group)
+#map    group  uniqueMember     posixMember
+
+# Mappings for Active Directory
+pagesize 1000
+referrals off
+filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)CONFIG_LDAP_FILTER)
+map    passwd uid              sAMAccountName
+#map    passwd homeDirectory    unixHomeDirectory
+map    passwd homeDirectory    "/home/$sAMAccountName"
+map    passwd gecos            displayName
+#map    passwd loginShell       "/sbin/nologin"
+
+filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
+map    shadow uid              sAMAccountName
+map    shadow shadowLastChange pwdLastSet
+
+filter group  (&(objectClass=group)(gidNumber=*))
+map    group  member sAMAccountName
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map    passwd uid              userName
+#map    passwd userPassword     passwordChar
+#map    passwd uidNumber        uid
+#map    passwd gidNumber        gid
+#filter group  (objectClass=aixAccessGroup)
+#map    group  cn               groupName
+#map    group  uniqueMember     member
+#map    group  gidNumber        gid
+# This comment prevents repeated auto-migration of settings.
+
--- a/userspace/rootfs_override/etc/nsswitch.conf
+++ b/userspace/rootfs_override/etc/nsswitch.conf
+# /etc/nsswitch.conf
+
+passwd:         files
+group:          files
+shadow:         files
+
+hosts:          files dns
+networks:       files dns
+
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files
--- a/userspace/rootfs_override/etc/pam.d/sshd
+++ b/userspace/rootfs_override/etc/pam.d/sshd
+#%PAM-1.0
+# auth line to be replaced by startup scripts
+auth       required     /lib/security/pam_unix.so shadow nodelay
+account    required     /lib/security/pam_nologin.so
+account    required     /lib/security/pam_unix.so
+# account line to be replaced by startup scripts
+password   required     /lib/security/pam_unix.so shadow nullok use_authtok
+session    required     /lib/security/pam_unix.so
+session    required     /lib/security/pam_limits.so
+# session line to be replaced by startup scripts
+session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
--- a/userspace/rootfs_override/etc/pam.d/sudo
+++ b/userspace/rootfs_override/etc/pam.d/sudo
+# accept all users who managed to log
+auth        sufficient   pam_permit.so
+auth        sufficient   pam_rootok.so
+auth        required     pam_wheel.so use_uid
+auth        required     pam_env.so
+auth        required     pam_unix.so nullok
+
+account     required     pam_unix.so
+
+password    required     pam_unix.so nullok
+
+session     required     pam_limits.so
+session     required     pam_env.so
+session     required     pam_unix.so
--- a/userspace/rootfs_override/etc/rcS/S49ldap.sh
+++ b/userspace/rootfs_override/etc/rcS/S49ldap.sh
+../init.d/ldap.sh
\ No newline at end of file
--- a/userspace/rootfs_override/etc/rcS/S50dropbear
+++ b/userspace/rootfs_override/etc/rcS/S50dropbear
-../init.d/dropbear
\ No newline at end of file
--- a/userspace/rootfs_override/etc/rcS/S50sshd.sh
+++ b/userspace/rootfs_override/etc/rcS/S50sshd.sh
+../init.d/sshd.sh
\ No newline at end of file
--- a/userspace/rootfs_override/etc/shadow
+++ b/userspace/rootfs_override/etc/shadow
-root:$1$y12oP.6b$/Ds3CzM9uKLS1YwkgJ1A81:0:0:99999:7:::
+root:$1$y12oP.6b$/Ds3CzM9uKLS1YwkgJ1A81:1:0:99999:7:::
 bin:*:10933:0:99999:7:::
 daemon:*:10933:0:99999:7:::
 adm:*:10933:0:99999:7:::

--- a/userspace/rootfs_override/etc/skel/.bashrc
+++ b/userspace/rootfs_override/etc/skel/.bashrc
+echo "Home directory was automatically generated, it will be removed at the reboot"
--- a/userspace/rootfs_override/etc/ssh/sshd_config
+++ b/userspace/rootfs_override/etc/ssh/sshd_config
+#	$OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+# PermitRootLogin may be replaced by a startup scripts
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+# Set to no to avoid additional prompts for a password after 3 failures.
+# From man:
+# Because PAM challenge-response authentication usually serves an
+# equivalent role to password authentication, you should disable
+# either PasswordAuthentication or
+# ChallengeResponseAuthentication.
+
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
--- a/userspace/rootfs_override/etc/sudoers.d/allow_all
+++ b/userspace/rootfs_override/etc/sudoers.d/allow_all
+# Allow all users to be sudo
+# The assumption is that every user which is able to login can become sudo.
+# Please limit users using LDAP filter mechanism
+ALL ALL=(ALL) ALL
--- a/userspace/rootfs_override/home
+++ b/userspace/rootfs_override/home
+tmp/home
\ No newline at end of file
--- a/userspace/snmpd/WR-SWITCH-MIB.txt
+++ b/userspace/snmpd/WR-SWITCH-MIB.txt
@@ -28,6 +28,7 @@ wrSwitchMIB MODULE-IDENTITY
    REVISION     "201807181400Z"
    DESCRIPTION
        "Add wrsStartCntLldpd
+        Add wrsStartCntLdap
        Add in wrsPortStatusTable:
         - wrsPortStatusMonitor
         - wrsPortStatusSfpDom
@@ -1167,6 +1168,14 @@ wrsStartCntLldpd OBJECT-TYPE
            "Number of LLDP daemon starts"
    ::= { wrsStartCntGroup 9 }

+wrsStartCntLdap OBJECT-TYPE
+    SYNTAX         Counter32
+    MAX-ACCESS     read-only
+    STATUS         current
+    DESCRIPTION
+            "Number of LDAP daemon starts"
+    ::= { wrsStartCntGroup 9 }
+
 -- wrsSpllState (.7.3)
 wrsSpllState            OBJECT IDENTIFIER ::= { wrsExpertStatus 3 }


--- a/userspace/snmpd/wrsBootStatusGroup.c
+++ b/userspace/snmpd/wrsBootStatusGroup.c
@@ -96,16 +96,17 @@ struct wrs_usd_item {
 #define UDI_HTTP 4 /* index of web server in userspace_daemons array */
 #define UDI_MONIT 5 /* index of MONIT in userspace_daemons array */
 #define UDI_LLDP 8 /* index of LLDP in userspace_daemons array */
+#define UDI_NSLCD 9 /* index of NSLCD (LDAP) in userspace_daemons array */
 /* user space daemon list */
 /* - key contain process name reported by ps command
 * - positive exp describe exact number of expected processes
 * - negative exp describe minimum number of expected processes. Usefull for
 *   processes that is hard to predict number of their instances. For example
- *   new dropbear process is spawned at ssh login.
+ *   new sshd process is spawned at ssh login.
 */
 static struct wrs_usd_item userspace_daemons[] = {
-	[0] = {.key = "/usr/sbin/dropbear", .exp = -1}, /* expect at least one
-							 * dropbear process */
+	[0] = {.key = "/usr/sbin/sshd", .exp = -1}, /* expect at least one
+						     * sshd process */
 	[1] = {"/wr/bin/wrsw_hal", 2}, /* two wrsw_hal instances */
 	[2] = {"/wr/bin/wrsw_rtud", 1},
 	[3] = {"/wr/bin/ppsi", 1},
@@ -117,6 +118,8 @@ static struct wrs_usd_item userspace_daemons[] = {
 	[7] = {"/wr/bin/wrs_watchdog", 1},
 	[UDI_LLDP] = {"/usr/sbin/lldpd", 1}, /* LLDP can be disabled in
 						dot-config */
+	[UDI_NSLCD] = {"/usr/sbin/nslcd", 1}, /* nslcd/LDAP can be disabled in
+						dot-config */
 };

 struct wrs_bc_item {
@@ -496,6 +499,15 @@ static void update_daemon_expectancy(struct wrs_usd_item *daemon_array)
 		snmp_log(LOG_INFO, "SNMP: Info wrsBootUserspaceDaemonsMissing:"
 			 " CONFIG_LLDPD_DISABLE=y in dot-config\n");
 	}
+
+	daemon_array[UDI_NSLCD].exp = 0;
+	tmp = libwr_cfg_get("LDAP_ENABLE");
+	if (tmp && !strcmp(tmp, "y")) {
+		/* SNMP should not expect nslcd/LDAP to be running */
+		daemon_array[UDI_NSLCD].exp = 1;
+		snmp_log(LOG_INFO, "SNMP: Info wrsBootUserspaceDaemonsMissing:"
+			 "no CONFIG_LDAP_ENABLE in dot-config\n");
+	}
 }

 /* check if daemons from userspace_daemons array are running */

--- a/userspace/snmpd/wrsStartCntGroup.c
+++ b/userspace/snmpd/wrsStartCntGroup.c
@@ -8,6 +8,7 @@
 #define START_CNT_SYSLOGD "/tmp/start_cnt_syslogd"
 #define START_CNT_WRSWATCHDOG "/tmp/start_cnt_wrs_watchdog"
 #define START_CNT_LLDPD "/tmp/start_cnt_lldpd"
+#define START_CNT_LDAP "/tmp/start_cnt_ldap"

 static struct pickinfo wrsStartCnt_pickinfo[] = {
 	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntHAL),
@@ -19,6 +20,7 @@ static struct pickinfo wrsStartCnt_pickinfo[] = {
 	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntSyslogd),
 	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntWrsWatchdog),
 	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntLldpd),
+	FIELD(wrsStartCnt_s, ASN_COUNTER, wrsStartCntLdap),
 };

 struct wrsStartCnt_s wrsStartCnt_s;
@@ -77,6 +79,7 @@ time_t wrsStartCnt_data_fill(void){
 	read_start_count(START_CNT_SYSLOGD, &wrsStartCnt_s.wrsStartCntSyslogd);
 	read_start_count(START_CNT_WRSWATCHDOG, &wrsStartCnt_s.wrsStartCntWrsWatchdog);
 	read_start_count(START_CNT_LLDPD, &wrsStartCnt_s.wrsStartCntLldpd);
+	read_start_count(START_CNT_LDAP, &wrsStartCnt_s.wrsStartCntLdap);

 	/* there was an update, return current time */
 	return time_update;

--- a/userspace/snmpd/wrsStartCntGroup.h
+++ b/userspace/snmpd/wrsStartCntGroup.h
@@ -14,6 +14,7 @@ struct wrsStartCnt_s {
 	uint32_t wrsStartCntSyslogd;
 	uint32_t wrsStartCntWrsWatchdog;
 	uint32_t wrsStartCntLldpd;
+	uint32_t wrsStartCntLdap;
 };

 extern struct wrsStartCnt_s wrsStartCnt_s;