c31b6fe
From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
c31b6fe
From: Sumit Bose <sbose@redhat.com>
c31b6fe
Date: Thu, 19 Dec 2019 07:22:33 +0100
c31b6fe
Subject: [PATCH 5/6] add option use-ldaps
c31b6fe
c31b6fe
In general using the LDAP port with GSS-SPNEGO should satifiy all
c31b6fe
requirements an AD DC should have for authentication on an encrypted
c31b6fe
LDAP connection.
c31b6fe
c31b6fe
But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
c31b6fe
with TLS encryption might be an alternative. For this use case the
c31b6fe
--use-ldaps option is added.
c31b6fe
c31b6fe
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
c31b6fe
---
c31b6fe
 doc/adcli.xml    | 24 +++++++++++++++
c31b6fe
 library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
c31b6fe
 library/adconn.h |  4 +++
c31b6fe
 tools/computer.c | 10 ++++++
c31b6fe
 tools/entry.c    | 11 +++++++
c31b6fe
 5 files changed, 119 insertions(+), 9 deletions(-)
c31b6fe
c31b6fe
diff --git a/doc/adcli.xml b/doc/adcli.xml
c31b6fe
index dd30435..acced25 100644
c31b6fe
--- a/doc/adcli.xml
c31b6fe
+++ b/doc/adcli.xml
c31b6fe
@@ -128,6 +128,30 @@
c31b6fe
 			If not specified, then an appropriate domain controller
c31b6fe
 			is automatically discovered.</para></listitem>
c31b6fe
 		</varlistentry>
c31b6fe
+		<varlistentry>
c31b6fe
+			<term><option>--use-ldaps</option></term>
c31b6fe
+			<listitem><para>Connect to the domain controller
c31b6fe
+			with LDAPS. By default the LDAP port is used and SASL
c31b6fe
+			GSS-SPNEGO or GSSAPI is used for authentication and to
c31b6fe
+			establish encryption. This should satisfy all
c31b6fe
+			requirements set on the server side and LDAPS should
c31b6fe
+			only be used if the LDAP port is not accessible due to
c31b6fe
+			firewalls or other reasons.</para>
c31b6fe
+			<para> Please note that the place where CA certificates
c31b6fe
+			can be found to validate the AD DC certificates
c31b6fe
+			must be configured in the OpenLDAP configuration
c31b6fe
+			file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
c31b6fe
+			As an alternative it can be specified with the help of
c31b6fe
+			an environment variable, e.g.
c31b6fe
+<programlisting>
c31b6fe
+$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
c31b6fe
+...
c31b6fe
+</programlisting>
c31b6fe
+			Please see
c31b6fe
+			<citerefentry><refentrytitle>ldap.conf</refentrytitle>
c31b6fe
+			<manvolnum>5</manvolnum></citerefentry> for details.
c31b6fe
+			</para></listitem>
c31b6fe
+		</varlistentry>
c31b6fe
 		<varlistentry>
c31b6fe
 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
c31b6fe
 			<listitem><para>Use the specified kerberos credential
c31b6fe
diff --git a/library/adconn.c b/library/adconn.c
c31b6fe
index ffb54f9..7bab852 100644
c31b6fe
--- a/library/adconn.c
c31b6fe
+++ b/library/adconn.c
c31b6fe
@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
c31b6fe
 	char *domain_name;
c31b6fe
 	char *domain_realm;
c31b6fe
 	char *domain_controller;
c31b6fe
+	bool use_ldaps;
c31b6fe
 	char *canonical_host;
c31b6fe
 	char *domain_short;
c31b6fe
 	char *domain_sid;
c31b6fe
@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
c31b6fe
 
c31b6fe
 static LDAP *
c31b6fe
 connect_to_address (const char *host,
c31b6fe
-                    const char *canonical_host)
c31b6fe
+                    const char *canonical_host,
c31b6fe
+                    bool use_ldaps)
c31b6fe
 {
c31b6fe
 	struct addrinfo *res = NULL;
c31b6fe
 	struct addrinfo *ai;
c31b6fe
@@ -783,6 +785,16 @@ connect_to_address (const char *host,
c31b6fe
 	char *url;
c31b6fe
 	int sock;
c31b6fe
 	int rc;
c31b6fe
+	int opt_rc;
c31b6fe
+	const char *port = "389";
c31b6fe
+	const char *proto = "ldap";
c31b6fe
+	const char *errmsg = NULL;
c31b6fe
+
c31b6fe
+	if (use_ldaps) {
c31b6fe
+		port = "636";
c31b6fe
+		proto = "ldaps";
c31b6fe
+		_adcli_info ("Using LDAPS to connect to %s", host);
c31b6fe
+	}
c31b6fe
 
c31b6fe
 	memset (&hints, '\0', sizeof(hints));
c31b6fe
 #ifdef AI_ADDRCONFIG
c31b6fe
@@ -794,7 +806,7 @@ connect_to_address (const char *host,
c31b6fe
 	if (!canonical_host)
c31b6fe
 		canonical_host = host;
c31b6fe
 
c31b6fe
-	rc = getaddrinfo (host, "389", &hints, &res;;
c31b6fe
+	rc = getaddrinfo (host, port, &hints, &res;;
c31b6fe
 	if (rc != 0) {
c31b6fe
 		_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
c31b6fe
 		return NULL;
c31b6fe
@@ -810,7 +822,7 @@ connect_to_address (const char *host,
c31b6fe
 			close (sock);
c31b6fe
 		} else {
c31b6fe
 			error = 0;
c31b6fe
-			if (asprintf (&url, "ldap://%s", canonical_host) < 0)
c31b6fe
+			if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
c31b6fe
 				return_val_if_reached (NULL);
c31b6fe
 			rc = ldap_init_fd (sock, 1, url, &ldap);
c31b6fe
 			free (url);
c31b6fe
@@ -820,6 +832,25 @@ connect_to_address (const char *host,
c31b6fe
 				            ldap_err2string (rc));
c31b6fe
 				break;
c31b6fe
 			}
c31b6fe
+
c31b6fe
+			if (use_ldaps) {
c31b6fe
+				rc = ldap_install_tls (ldap);
c31b6fe
+				if (rc != LDAP_SUCCESS) {
c31b6fe
+					opt_rc = ldap_get_option (ldap,
c31b6fe
+					                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
c31b6fe
+					                          (void *) &errmsg);
c31b6fe
+					if (opt_rc != LDAP_SUCCESS) {
c31b6fe
+						errmsg = NULL;
c31b6fe
+					}
c31b6fe
+					_adcli_err ("Couldn't initialize TLS [%s]: %s",
c31b6fe
+					            ldap_err2string (rc),
c31b6fe
+					            errmsg == NULL ? "- no details -"
c31b6fe
+					                           : errmsg);
c31b6fe
+					ldap_unbind_ext_s (ldap, NULL, NULL);
c31b6fe
+					ldap = NULL;
c31b6fe
+					break;
c31b6fe
+				}
c31b6fe
+			}
c31b6fe
 		}
c31b6fe
 	}
c31b6fe
 
c31b6fe
@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
c31b6fe
 	if (!canonical_host)
c31b6fe
 		canonical_host = disco->host_addr;
c31b6fe
 
c31b6fe
-	ldap = connect_to_address (disco->host_addr, canonical_host);
c31b6fe
+	ldap = connect_to_address (disco->host_addr, canonical_host,
c31b6fe
+	                           adcli_conn_get_use_ldaps (conn));
c31b6fe
 	if (ldap == NULL)
c31b6fe
 		return ADCLI_ERR_DIRECTORY;
c31b6fe
 
c31b6fe
@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
c31b6fe
 	status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
c31b6fe
 	return_unexpected_if_fail (status == 0);
c31b6fe
 
c31b6fe
-	/* Clumsily tell ldap + cyrus-sasl that we want encryption */
c31b6fe
-	ssf = 1;
c31b6fe
-	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf;;
c31b6fe
-	return_unexpected_if_fail (ret == 0);
c31b6fe
+	if (adcli_conn_get_use_ldaps (conn)) {
c31b6fe
+		/* do not use SASL encryption on LDAPS connection */
c31b6fe
+		ssf = 0;
c31b6fe
+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf;;
c31b6fe
+		return_unexpected_if_fail (ret == 0);
c31b6fe
+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf;;
c31b6fe
+		return_unexpected_if_fail (ret == 0);
c31b6fe
+	} else {
c31b6fe
+		/* Clumsily tell ldap + cyrus-sasl that we want encryption */
c31b6fe
+		ssf = 1;
c31b6fe
+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf;;
c31b6fe
+		return_unexpected_if_fail (ret == 0);
c31b6fe
+	}
c31b6fe
 
c31b6fe
-	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
c31b6fe
+	/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
c31b6fe
+	 * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
c31b6fe
+	 * without LDAPS. */
c31b6fe
+	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
c31b6fe
+	                     && !adcli_conn_get_use_ldaps (conn)) {
c31b6fe
 		mech =  "GSS-SPNEGO";
c31b6fe
 	}
c31b6fe
+	_adcli_info ("Using %s for SASL bind", mech);
c31b6fe
 
c31b6fe
 	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
c31b6fe
 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
c31b6fe
@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
c31b6fe
 	conn->refs = 1;
c31b6fe
 	conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
c31b6fe
 	adcli_conn_set_domain_name (conn, domain_name);
c31b6fe
+	adcli_conn_set_use_ldaps (conn, false);
c31b6fe
 	return conn;
c31b6fe
 }
c31b6fe
 
c31b6fe
@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
c31b6fe
 	no_more_disco (conn);
c31b6fe
 }
c31b6fe
 
c31b6fe
+bool
c31b6fe
+adcli_conn_get_use_ldaps (adcli_conn *conn)
c31b6fe
+{
c31b6fe
+	return_val_if_fail (conn != NULL, NULL);
c31b6fe
+	return conn->use_ldaps;
c31b6fe
+}
c31b6fe
+
c31b6fe
+void
c31b6fe
+adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
c31b6fe
+{
c31b6fe
+	return_if_fail (conn != NULL);
c31b6fe
+	conn->use_ldaps = value;
c31b6fe
+}
c31b6fe
+
c31b6fe
 const char *
c31b6fe
 adcli_conn_get_domain_short (adcli_conn *conn)
c31b6fe
 {
c31b6fe
diff --git a/library/adconn.h b/library/adconn.h
c31b6fe
index 37ebdd9..1d5faa8 100644
c31b6fe
--- a/library/adconn.h
c31b6fe
+++ b/library/adconn.h
c31b6fe
@@ -89,6 +89,10 @@ const char *        adcli_conn_get_domain_controller (adcli_conn *conn);
c31b6fe
 void                adcli_conn_set_domain_controller (adcli_conn *conn,
c31b6fe
                                                       const char *value);
c31b6fe
 
c31b6fe
+bool                adcli_conn_get_use_ldaps         (adcli_conn *conn);
c31b6fe
+void                adcli_conn_set_use_ldaps         (adcli_conn *conn,
c31b6fe
+                                                      bool value);
c31b6fe
+
c31b6fe
 const char *        adcli_conn_get_domain_short      (adcli_conn *conn);
c31b6fe
 
c31b6fe
 const char *        adcli_conn_get_domain_sid        (adcli_conn *conn);
c31b6fe
diff --git a/tools/computer.c b/tools/computer.c
c31b6fe
index 840e334..292c4d8 100644
c31b6fe
--- a/tools/computer.c
c31b6fe
+++ b/tools/computer.c
c31b6fe
@@ -113,12 +113,14 @@ typedef enum {
c31b6fe
 	opt_add_service_principal,
c31b6fe
 	opt_remove_service_principal,
c31b6fe
 	opt_description,
c31b6fe
+	opt_use_ldaps,
c31b6fe
 } Option;
c31b6fe
 
c31b6fe
 static adcli_tool_desc common_usages[] = {
c31b6fe
 	{ opt_domain, "active directory domain name" },
c31b6fe
 	{ opt_domain_realm, "kerberos realm for the domain" },
c31b6fe
 	{ opt_domain_controller, "domain controller to connect to" },
c31b6fe
+	{ opt_use_ldaps, "use LDAPS port for communication" },
c31b6fe
 	{ opt_host_fqdn, "override the fully qualified domain name of the\n"
c31b6fe
 	                 "local machine" },
c31b6fe
 	{ opt_host_keytab, "filename for the host kerberos keytab" },
c31b6fe
@@ -311,6 +313,9 @@ parse_option (Option opt,
c31b6fe
 	case opt_description:
c31b6fe
 		adcli_enroll_set_description (enroll, optarg);
c31b6fe
 		return ADCLI_SUCCESS;
c31b6fe
+	case opt_use_ldaps:
c31b6fe
+		adcli_conn_set_use_ldaps (conn, true);
c31b6fe
+		return ADCLI_SUCCESS;
c31b6fe
 	case opt_verbose:
c31b6fe
 		return ADCLI_SUCCESS;
c31b6fe
 
c31b6fe
@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
 		{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "user", required_argument, NULL, opt_login_user }, /* compat */
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
 		{ "login-type", required_argument, NULL, opt_login_type },
c31b6fe
@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
 		{ "no-password", no_argument, 0, opt_no_password },
c31b6fe
@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
 		{ "login-type", required_argument, NULL, opt_login_type },
c31b6fe
diff --git a/tools/entry.c b/tools/entry.c
c31b6fe
index f361845..05e4313 100644
c31b6fe
--- a/tools/entry.c
c31b6fe
+++ b/tools/entry.c
c31b6fe
@@ -53,6 +53,7 @@ typedef enum {
c31b6fe
 	opt_unix_gid,
c31b6fe
 	opt_unix_shell,
c31b6fe
 	opt_nis_domain,
c31b6fe
+	opt_use_ldaps,
c31b6fe
 } Option;
c31b6fe
 
c31b6fe
 static adcli_tool_desc common_usages[] = {
c31b6fe
@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
c31b6fe
 	{ opt_domain, "active directory domain name" },
c31b6fe
 	{ opt_domain_realm, "kerberos realm for the domain" },
c31b6fe
 	{ opt_domain_controller, "domain directory server to connect to" },
c31b6fe
+	{ opt_use_ldaps, "use LDAPS port for communication" },
c31b6fe
 	{ opt_login_ccache, "kerberos credential cache file which contains\n"
c31b6fe
 	                    "ticket to used to connect to the domain" },
c31b6fe
 	{ opt_login_user, "user (usually administrative) login name of\n"
c31b6fe
@@ -136,6 +138,9 @@ parse_option (Option opt,
c31b6fe
 			stdin_password = 1;
c31b6fe
 		}
c31b6fe
 		return ADCLI_SUCCESS;
c31b6fe
+	case opt_use_ldaps:
c31b6fe
+		adcli_conn_set_use_ldaps (conn, true);
c31b6fe
+		return ADCLI_SUCCESS;
c31b6fe
 	case opt_verbose:
c31b6fe
 		return ADCLI_SUCCESS;
c31b6fe
 	default:
c31b6fe
@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
 		{ "no-password", no_argument, 0, opt_no_password },
c31b6fe
@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
 		{ "no-password", no_argument, 0, opt_no_password },
c31b6fe
@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
 		{ "no-password", no_argument, 0, opt_no_password },
c31b6fe
@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
 		{ "no-password", no_argument, 0, opt_no_password },
c31b6fe
@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
c31b6fe
 		{ "domain", required_argument, NULL, opt_domain },
c31b6fe
 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
c31b6fe
 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
c31b6fe
+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
c31b6fe
 		{ "login-user", required_argument, NULL, opt_login_user },
c31b6fe
 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
c31b6fe
 		{ "no-password", no_argument, 0, opt_no_password },
c31b6fe
-- 
c31b6fe
2.25.1
c31b6fe