- 2012-04-27: release 0.8.8 of nss-pam-ldapd
This is a quick update to fix a regression in the 0.8.7 release.
A summary of the changes since 0.8.7:
- fix a regression in the handling of PAM requests
- add the ldapns.schema file from pam_ldap to the tarball
Get this release from the downloads section.
- 2012-04-22: release 0.8.7 of nss-pam-ldapd
This is an update for the 0.8 series that includes a few fixes and some work on the pynslcd implementation. The 0.8 series is getting more and more stable and there are not many issues reported. It is planned to be stabilised a bit now with work continuing on the pynslcd implementation.
A summary of the changes since 0.8.6:
- log the first 10 search results in debug mode to make debugging easier (patch by Matthijs Kooijman)
- provide more detailed logging information for LDAP errors, this should especially help for TLS related problems (based on a patch by Mel Flynn)
- fix logging of invalid pam_authz_search value
- when doing DNS queries for SRV records recognise default ldap and ldaps ports
- make whether or not to do case-sensitive filtering configurable (patch by Matthew L. Dailey)
- document the fact that each thread opens its own connection (patch by Chris Hiestand)
- some small portability improvements
- try to prevent some of the Broken pipe messages in nslcd
- increase buffer used for pam_authz_search as suggested by Chris J Arges
- pynslcd now handles privileged requests correctly
- pynslcd now supports attribute mapping using the lower() and upper() functions
pynslcd, the Python implementation of nslcd that is included in nss-pam-ldapd should now be mostly useful for test environments and testing is welcomed.
Get this release from the downloads section.
- 2012-04-09: release 0.7.16 of nss-pam-ldapd
This is an update for the 0.7 series that fixes a few minor bugs and includes a few small improvements. The changes should be minimal and have mostly been available in the 0.8 branch for some time.
A summary of the changes since 0.7.15:
- implement proper range checking of numeric values returned from LDAP (thanks Jakub Hrozek)
- fix an issue with detecting the uid of the calling process
- fix a problem in the disconnect logic code
- fix logging of invalid pam_authz_search value
- properly log failures to lookup DNS SRV records
- increase buffer for pam_authz_search as suggested by Chris J Arges
- the Debian packaging was split from the main source tree
Get this release from the downloads section.
- 2012-01-29: release 0.8.6 of nss-pam-ldapd
This is an update for the 0.8 series that includes a few fixes and some work on the pynslcd implementation. The 0.8 series remains in development mode and several more changes, enhancements and new features are planned. Users that require a stable release are encouraged to stay with 0.7 until 0.8 stabilises.
A summary of the changes since 0.8.5:
- a number of code improvements by Jakub Hrozek
- fixes for FreeBSD (thanks Maxim Vetrov)
- include missing pynslcd files in tarball
- improvements to the pynslcd implementation
- implement an offline cache in pynslcd
- the Debian packaging was split from the main source tree
pynslcd, the Python implementation of nslcd that is included in nss-pam-ldapd should now be mostly useful for test environments and testing is welcomed. The newly implemented offline cache should be functional but for example disappearing users in LDAP are not reflected in the offline cache yet and LDAP reconnect logic is not yet working.
Get this release from the downloads section.
- 2011-12-31: release 0.8.5 of nss-pam-ldapd
This is an update for the 0.8 series that includes a number of fixes and a few new features. The 0.8 series remains in development mode and several more changes, enhancements and new features are planned. Users that require a stable release are encouraged to stay with 0.7 until 0.8 stabilises.
A summary of the changes since 0.8.4:
- support larger gecos values
- reduce loglevel of user not found messages to avoid spamming the logs with useless information (thanks Wakko Warner)
- other logging improvements
- explicitly parse numbers as base 10 (thanks Jakub Hrozek)
- implement FreeBSD group membership NSS function (thanks Tom Judge)
- fix an issue with detecting the uid of the calling process and log denied shadow requests in debug mode
- fix a typo in the disconnect logic code (thanks Martin Poole)
- implement configuration file handling in pynslcd and other pynslcd improvements
- Debian packaging improvements
The pynslcd Python implementation of nslcd that is included in nss-pam-ldapd should now be mostly useful for most test environments and testing is welcomed. All NSS lookups should work but only authentication is implemented for PAM. Configuration files for nslcd should be parsed but not all options are currently supported.
Get this release from the downloads section.
- 2011-10-02: release 0.7.15 of nss-pam-ldapd
This is a bugfix release that fixes a problem in the Debian packaging where not all values for the tls_reqcert option were handled correctly.
Get this release from the downloads section.
- 2011-09-18: release 0.7.14 of nss-pam-ldapd
This is a bugfix release that addresses some annoying bugs. The fixes are intended to be minimal and have been available in the development branch for some time.
A summary of the changes since 0.7.13:
- log correct error from ldap_abandon()
- fix problem with partial attribute name matches in DN (thanks Timothy White)
- handle expressions where some variable would expand to NULL
- make buffer sizes consistent and grow all buffers holding string representations of numbers to be able to hold 64-bit numbers
- fix a problem with uninitialised memory while parsing the tls_ciphers option
Get this release from the downloads section.
- 2011-09-04: release 0.8.4 of nss-pam-ldapd
This is an update for the 0.8 series that includes a number of fixes, new features and a few backwards incompatible changes. The 0.8 series remains in development mode and several more bigger changes, enhancements and new features are planned. Users that require a stable release are encouraged to stay with 0.7 until 0.8 stabilises.
A summary of the changes since 0.8.3:
- switch to using the member attribute by default instead of uniqueMember (backwards incompatible change)
- only return "x" as a password hash when the object has the shadowAccount objectClass and nsswitch.conf is configured to do shadow lookups using LDAP (this avoids some problems with pam_unix)
- fix problem with partial attribute name matches in DN (thanks Timothy White)
- fix a problem with objectSid mappings with recent versions of OpenLDAP (patch by Wesley Mason)
- set the socket timeout in a connection callback to avoid timeout issues during the SSL handshake (patch by Stefan Völkel)
- check for unknown variables in pam_authz_search
- only check password expiration when authenticating, only check account expiration when doing authorisation
- make buffer sizes consistent and grow all buffers holding string representations of numbers to be able to hold 64-bit numbers
- update AX_PTHREAD from autoconf-archive
- support querying DNS SRV records from a different domain than the current one (based on a patch by James M. Leddy)
- fix a problem with uninitialised memory while parsing the tls_ciphers option
- implement bounds checking of numeric values read from LDAP (patch by Jakub Hrozek)
- correctly support large uid and gid values from LDAP (patch by Jakub Hrozek)
- improvements to the configure script (patch by Jakub Hrozek)
- Debian packaging improvements
Get this release from the downloads section.
- 2011-05-13: release 0.8.3 of nss-pam-ldapd
This is an update for the 0.8 series that fixes some bugs and introduces some new features. The 0.8 series remains in development mode and several more bigger changes, enhancements and new features are planned. Users that require a stable release are encouraged to stay with 0.7 until 0.8 stabilises.
A summary of the changes since 0.8.2:
- support using the objectSid attribute to provide numeric user and group ids, based on a patch by Wesley Mason
- check shadow account and password expiry properties (similarly to what pam_unix does) in the PAM handling code
- implement attribute mapping functionality in pynslcd
- relax default for validnames option to allow user names of only two characters
- make user and group name validation errors a little more informative
- small portability improvements
- general code improvements and refactoring in pynslcd
- some simplifications in the protocol between the PAM module and nslcd (without actual protocol changes so far)
- Debian packaging improvements
Get this release from the downloads section.
- 2011-03-26: release 0.8.2 of nss-pam-ldapd
This is an update for the 0.8 series that fixes some bugs and introduces some new features but mainly focusses on improving the tests to avoid another security problem as was seen in 0.8.0.
The 0.8 series remains in development mode and several more bigger changes, enhancements and new features are planned. Users that require a stable release are encouraged to stay with 0.7 until 0.8 stabilises.
A summary of the changes since 0.8.1:
- fix problem with endless loop on incorrect password
- fix a communication problem between nslcd and the NSS and PAM modules when running on Solaris 10
- fix a compilation issue on systems without HOST_NAME_MAX
- link to the resolv library for hstrerror() on platforms that need it
- ignore password change requests for users not in LDAP
- many clean-ups to the tests and added some new tests including some integration tests for the PAM functionality
- some smaller code clean-ups and improvements
- improvements to pynslcd, including implementations for service, protocol and rpc lookups
- implement a validnames option that can be used to filter valid user and group names using a regular expression
- improvements to the way nslcd shuts down with hanging worker threads
Get this release from the downloads section.
- 2011-03-10: release 0.8.1 of nss-pam-ldapd (security update)
This is an update for the 0.8 series that fixes a security problem that allows authentication for users not in LDAP. See the advisory and the news item for details.
The CVE project has assigned CVE-2011-0438 to this problem. This release remains a development release and is expected to undergo more active development. Users that require a stable release are encouraged to stay with 0.7 until 0.8 stabilises.
This development release also includes some new features, FreeBSD support and more work done on the Python implementation of nslcd.
A summary of the changes since 0.8.0:
- properly handle user-not-found errors when doing authentication
- include a file that was missing for Solaris support
- add FreeBSD support, partially imported from the FreeBSD port (thanks to Jacques Vidrine, Artem Kazakov and Alexander V. Chernikov)
- document how to replace pam_check_service_attr and pam_check_host_attr options in PADL's pam_ldap with pam_authz_search in nss-pam-ldapd
- implement a fqdn variable that can be used in pam_authz_search filters
- create the directory to hold the socket and pidfile on startup
- implement host, network and netgroup support in pynslcd
Get this release from the downloads section.
- 2011-03-09: security advisory: authentication bypass for local accounts
A serious security vulnerability was found in development release 0.8.0 of nss-pam-ldapd that allows authentication with an incorrect password for local user accounts.
The PAM module will return a success code when the user cannot be found in LDAP.
Exploitability depends on the details of the PAM configuration. In Debian (which currently ships 0.8.0 in their experimental repository) the PAM module by default uses the minimum_uid=1000 option which limits exploits to users with a numeric uid >= 1000. In common configurations the user nobody fits these criteria.
On systems that don't use the minimum_uid PAM option it may be possible to log in to any local account, including root.
This problem only affects the 0.8.0 release of nss-pam-ldapd. Earlier releases are not affected.
This problem has been assigned CVE-2011-0438. The problem is triggered by the fact that an LDAP search that returns no entries does not result in an LDAP error. The function that performs the user name lookup incorrectly only used the LDAP return code to determine the lookup result.
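The defect class described above, as an added illustration (this is not nss-pam-ldapd code and does not reproduce its actual code path): a simulated LDAP search that, like a real server, answers a non-matching filter with LDAP_SUCCESS and zero entries, a lookup that judges the result by the return code alone beside one that also checks the entry count, and a simplified PAM authenticate step driven by each. The directory contents, the constant values and the function names are constructed for the example.

```c
/* Added example, not from nss-pam-ldapd: models the lookup error behind
 * CVE-2011-0438. A search for a user that does not exist returns
 * LDAP_SUCCESS with zero entries; code that only inspects the return code
 * mistakes "no such user" for "lookup succeeded". */
#include <stdio.h>
#include <string.h>

/* Stand-ins for libldap and PAM result codes (names match the real ones,
 * the values here are ours). */
enum { LDAP_SUCCESS = 0, LDAP_OTHER = 80 };
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_USER_UNKNOWN = 10 };

/* Constructed directory contents: the only accounts "in LDAP". */
struct ldap_user { const char *name; const char *password; };
static const struct ldap_user directory[] = {
    { "alice", "correct-horse" },
    { "bob",   "battery-staple" },
};

/* Simulates ldap_search_s(): sets *nentries and *entry, returns an LDAP
 * result code. A filter that matches nothing is NOT an error. */
static int search_user(const char *name, int *nentries,
                       const struct ldap_user **entry)
{
    *nentries = 0;
    *entry = NULL;
    if (name == NULL || name[0] == '\0')
        return LDAP_OTHER;                 /* malformed filter: a real error */
    for (size_t i = 0; i < sizeof(directory) / sizeof(directory[0]); i++) {
        if (strcmp(directory[i].name, name) == 0) {
            *nentries = 1;
            *entry = &directory[i];
        }
    }
    return LDAP_SUCCESS;                   /* success even with zero entries */
}

/* Vulnerable pattern: only the return code decides "found". */
int lookup_user_vulnerable(const char *name, const struct ldap_user **entry)
{
    int n;
    int rc = search_user(name, &n, entry);
    return (rc == LDAP_SUCCESS) ? 0 : -1;  /* BUG: n == 0 still reports found */
}

/* Corrected pattern: an error code OR an empty result set is "not found". */
int lookup_user_fixed(const char *name, const struct ldap_user **entry)
{
    int n;
    int rc = search_user(name, &n, entry);
    if (rc != LDAP_SUCCESS)
        return -1;
    if (n == 0)
        return -1;                         /* no entries: user is not in LDAP */
    return 0;
}

typedef int (*lookup_fn)(const char *, const struct ldap_user **);

/* Simplified PAM authenticate step. When the lookup reports "not found" the
 * module answers PAM_USER_UNKNOWN so the rest of the stack (e.g. pam_unix)
 * decides about the local account. With the vulnerable lookup an unknown
 * user is reported as found with no entry to verify a password against, and
 * the success code leaks through. */
int authenticate(lookup_fn lookup, const char *user, const char *password)
{
    const struct ldap_user *entry = NULL;
    if (lookup(user, &entry) != 0)
        return PAM_USER_UNKNOWN;
    if (entry != NULL && strcmp(entry->password, password) != 0)
        return PAM_AUTH_ERR;
    return PAM_SUCCESS;                    /* reached for entry == NULL too */
}

int main(void)
{
    printf("vulnerable, unknown user, wrong password: %d (0 = PAM_SUCCESS)\n",
           authenticate(lookup_user_vulnerable, "mallory", "anything"));
    printf("fixed, unknown user, wrong password:      %d (10 = PAM_USER_UNKNOWN)\n",
           authenticate(lookup_user_fixed, "mallory", "anything"));
    printf("fixed, alice, correct password:           %d (0 = PAM_SUCCESS)\n",
           authenticate(lookup_user_fixed, "alice", "correct-horse"));
    return 0;
}
```

The point to take from the two lookup functions is that "the search returned successfully" and "the search found the user" are different conditions in LDAP; a module that gates authentication on the first one treats every account the directory does not know about as a successful lookup. The corrected version also returns "not found" on a genuine LDAP error, which is the safe direction: a failed directory lookup must never be stronger evidence than a successful one.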
References:
- the original advisory
- the commit that introduced the bug
- a patch for 0.8.0 to fix this with minimal side-effects
This bug should not be exploitable if your LDAP server requires authentication before performing queries.
For questions please contact the nss-pam-ldapd-users mailing list.