- 2010-08-28 release 0.7.9 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.8:
- fix for --with-nss-ldap-soname configure option by Julien Cristau
- Debian packaging improvements
With this release the 0.7 series will be in bugfixes-only mode. It will still receive bugfixes and security support for some time but not any major new features. See the mailing list post for more details.
- 2010-08-18 release 0.7.8 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.7:
- minor portability improvements and clean-ups (thanks Alexander V. Chernikov and Ted C. Cheng)
- don't expand variables in rest of ${var:-rest} and ${var:+rest} expressions if it is not needed
- Debian packaging improvements
- 2010-07-03 release 0.7.7 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.6:
- refactoring and simplification of the PAM module, which also improves logging
- implement a nullok PAM option and disable empty passwords by default
- portability improvements and other minor code improvements
- the mechanism to disable name lookups through LDAP from within the nslcd process has been improved
- the undocumented use_sasl option has been removed (specifying sasl_mech now implies use_sasl)
- the sasl_mech, sasl_realm, sasl_authcid, sasl_authzid and sasl_secprops configuration options are now documented
- Debian packaging improvements
- 2010-05-27 release 0.7.6 of nss-pam-ldapd
This is an update for the 0.7 series that fixes a bug and brings some small improvements. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.5:
- fix a problem with empty attributes if expression-based attribute mapping is used (patch by Nalin Dahyabhai)
- make debug logging for pam_authz_search option a little more informative
- documentation improvements
- Debian packaging improvements
- 2010-05-14 release 0.7.5 of nss-pam-ldapd
This is an update for the 0.7.4 release that mainly fixes an annoying bug when using the minimum_uid PAM option and includes some improvements to the PAM module (20% code reduction with new features added).
A summary of the changes since 0.7.4:
- fix a problem in the session handling of the PAM module if the minimum_uid option was used
- refactor the PAM module code to be simpler and more maintainable
- perform logging from PAM module to syslog and support the debug option to log more information
- 2010-05-09 release 0.7.4 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some new functionality. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.3:
- fix a buffer overflow that should have no security consequences
- perform proper fail-over when authenticating in the PAM module
- add an nss_initgroups_ignoreusers option to ignore user name to group lookups for the specified users
- add a pam_authz_search option to perform a flexible authorisation check on login (e.g. to restrict which users can log in to which hosts, etc.)
- implement a minimum_uid option for the PAM module to ignore users that have a lower numeric user id
- change the way retries are done to error out quicker if the LDAP server is down for some time (this should make the system more responsive when the LDAP server is unavailable) and rename the reconnect_maxsleeptime option to reconnect_retrytime to better describe the behaviour
- only log "connected to LDAP server" if the previous connection failed
- documentation improvements
- 2010-02-27 release 0.7.3 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some new functionality. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.2:
- allow password modification by root using the rootpwmoddn configuration file option (the user will be prompted for the password for rootpwmoddn instead of the user's password)
- the LDAP password modify EXOP is first tried without the old password and if that fails retried with the old password
- when determining the domain name (used for some value of the base and uri options) also try to use the hostname aliases to build the domain name (patch by Jan Schampera)
- perform locking on the pidfile on start-up to ensure that only one nslcd process is running and implement a --check option (patch by Jan Schampera)
- documentation improvements
- 2010-01-22 announcing nss-pam-ldapd mailing lists
To improve participation and sharing of ideas for the nss-pam-ldapd project, three mailing lists have been set up. These lists are open for subscription by anyone and have public on-line archives.
- The nss-pam-ldapd-announce mailing list will be used for announcements of new releases, security advisories and any other important news regarding nss-pam-ldapd.
- The nss-pam-ldapd-commits mailing list can be used to keep up with the day-to-day commits to the project.
- The nss-pam-ldapd-users mailing list is a general discussion list for the project. Please send your questions and patches there.
- 2009-12-28 release 0.7.2 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some new functionality. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.1:
- some attributes may be mapped to a shell-like expression that expands attributes from LDAP entries; this allows attribute overrides, defaults and much more (as a result the passwdcn attribute mapping has been removed because the gecos mapping is now "${gecos:-$cn}" by default)
- update the NSS module to follow the change in Glibc where the addr parameter of getnetbyaddr_r() was changed from network-byte-order to host-byte-order
- properly escape searches for uniqueMember attributes for DN with a comma in an attribute value
- miscellaneous improvements to the configure script implementing better (and simpler) library detection
- some general refactoring and other miscellaneous improvements
- Debian packaging improvements
- 2009-11-22 security advisory: problems with case-insensitive LDAP lookups
Versions of nss-ldapd (now called nss-pam-ldapd) before 0.6.11 do not filter the results from an LDAP search query to only return case-sensitive matches (many LDAP search queries are case-insensitive). This allows users that differ in name but have the same numeric userid to exist on the system.
This can cause problems on systems where privileges are assigned to users based on their username with case-sensitive matching. One such place is in determining group membership (even in LDAP), another is in netgroups. This allows users to successfully log in with an incorrect name and have incorrect privileges assigned (e.g. user logs in as Joe and is no longer in the group denyaccess).
This issue also exposes a problem in nscd (GNU C Library Name Service Cache Daemon), which does not support multiple users with the same numeric userid. This could cause invalid information to be entered into the nscd cache, which could deny services to affected users (e.g. this is known to cause problems for SSH usage and Kerberos). In some configurations this can be exploited remotely (Apache serving users' public_html directories, SSH server or other services that may perform username lookups).
If you are affected by this problem but cannot upgrade to a more recent release, you may want to review the change that went into the 0.6.11 release. For Debian lenny an updated version 0.6.7.2 was made.
This problem also affects the nss_ldap module from PADL Software Pty Ltd and probably also the nssov overlay from OpenLDAP's slapd. Similar problems may also affect other software that performs LDAP lookups.
References:
- http://bugs.debian.org/552433
- http://bugs.skolelinux.org/show_bug.cgi?id=1383
- http://bugzilla.padl.com/show_bug.cgi?id=399
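The two defender-side operations the advisory implies, as an added example that is not code from nss-pam-ldapd: post-filtering the entries a case-insensitive LDAP search returns so only an exact uid match survives (what the 0.6.11 fix does), and auditing a result set for distinct user names that share one uidNumber (the condition nscd cannot handle). The entries are constructed sample data, not a real directory.

```python
"""Case-sensitive post-filtering and uidNumber-collision audit for LDAP
passwd lookups. Added example; SAMPLE_ENTRIES is constructed data."""


# Constructed result of a case-insensitive search such as (uid=joe) against
# a directory that holds two accounts whose names differ only in case.
SAMPLE_ENTRIES = [
    {"dn": "uid=joe,ou=people,dc=example,dc=com",
     "uid": ["joe"], "uidNumber": ["1000"], "gecos": ["Joe"]},
    {"dn": "uid=Joe,ou=people,dc=example,dc=com",
     "uid": ["Joe"], "uidNumber": ["1000"], "gecos": ["Joe (upper case)"]},
    {"dn": "uid=jane,ou=people,dc=example,dc=com",
     "uid": ["jane"], "uidNumber": ["1001"], "gecos": ["Jane"]},
]


def filter_exact_uid(entries, requested):
    """Keep only entries whose uid attribute holds the requested name as an
    exact, case-sensitive match. An LDAP server matching uid with a
    case-insensitive equality rule returns both "joe" and "Joe" for a
    (uid=joe) filter; the lookup layer must discard the non-identical one."""
    return [e for e in entries if requested in e.get("uid", [])]


def find_shared_uidnumbers(entries):
    """Return {uidNumber: sorted distinct uids} for every numeric id that is
    claimed by more than one user name. Any such collision is a problem for
    nscd; names equal except for case are the variant the advisory covers."""
    names_by_num = {}
    for e in entries:
        for num in e.get("uidNumber", []):
            names_by_num.setdefault(num, set()).update(e.get("uid", []))
    return {num: sorted(names)
            for num, names in names_by_num.items() if len(names) > 1}


if __name__ == "__main__":
    print("exact matches for 'joe':",
          [e["dn"] for e in filter_exact_uid(SAMPLE_ENTRIES, "joe")])
    print("shared uidNumbers:", find_shared_uidnumbers(SAMPLE_ENTRIES))
```

On a live system the same audit can be run over the output of getent passwd to spot accounts that nscd will cache inconsistently.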
- 2009-10-20 release 0.7.1 of nss-pam-ldapd
This is an update for the 0.7 release that fixes some bugs, improves portability and brings some new functionality, all mainly in the PAM functionality.
This should be a reasonably stable and well tested release with the PAM module being reasonably complete.
A summary of the changes since 0.7.0:
- implement password changing by performing an LDAP password modify EXOP request
- fix return of authorisation check in PAM module (patch by Howard Chu)
- fix for problem when authenticating to LDAP entries without a uid attribute in the DN
- general code clean-up and portability improvements
- provide more information with communication error messages
- Debian packaging improvements
- 2009-09-04 release 0.7.0 of nss-pam-ldapd
This is a new release that brings with it amongst other things a name change of the software and a name change of the configuration file. These changes were done to reflect the addition of the PAM module as a standard part of the software.
The PAM module is still under development but should be mostly functional for authentication purposes. Other than that this should be a reasonably stable and well tested release.
A summary of the changes since 0.6.11:
- rename software to nss-pam-ldapd to indicate that the PAM module is now a standard part of the software
- the PAM module is now built by default (the configure script can be instructed whether or not to build certain parts)
- the default configuration file name has been changed to /etc/nslcd.conf
- the default values for bind_timelimit and reconnect_maxsleeptime were lowered from 30 to 10 seconds
- password hashes are no longer returned to non-root users (based on a patch by Alexander V. Chernikov)
- a pam_ldap(8) manual page was added
- unknown options in the configuration file can now be ignored with a new --disable-configfile-checking configure option
If you were using the svn version note that the repository name and path in the repository have changed. Either check out using the new location or update your repository with the following two commands:
svn switch --relocate http://arthurdejong.org/svn/nss-ldapd/ http://arthurdejong.org/svn/nss-pam-ldapd/
svn switch http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd
- 2009-07-12 release 0.6.11 of nss-ldapd
This release fixes a number of bugs in the 0.6.10 and earlier releases and adds a couple of functionality improvements.
This should be a reasonably stable and well tested release.
changes since 0.6.10:
- fix user name to groups mapping (a bug in buffer checking in initgroups() that was introduced in 0.6.9)
- fix a possible buffer overflow with too many uidNumber or gidNumber attributes (thanks to David Binderman for finding this)
- lookups for group, netgroup, passwd, protocols, rpc, services and shadow maps are now case-sensitive
- test suite is now minimally documented
- added --disable-sasl and --disable-kerberos configure options
- changed references to home page and contact email addresses to use arthurdejong.org
- Debian packaging improvements
- 2009-06-14 nss-ldapd homepage moved
Since I haven't been studying at the Delft University for quite some time the nss-ldapd homepage has been moved to http://arthurdejong.org/nss-ldapd/. The contact email address has also been changed to arthur@arthurdejong.org.
The subversion repository and viewvc URLs have also changed (see the downloads section for details). If you were using the svn repository before you can do
svn switch --relocate http://arthurenhella.demon.nl/ http://arthurdejong.org/
to relocate your working copy.
- 2009-06-03 release 0.6.10 of nss-ldapd
This release fixes a number of bugs in the 0.6.9 and earlier releases. This should be a reasonably stable and well tested release.
This release includes improvements to the experimental PAM module introduced in 0.6.9 and adds basic LDAP authentication to nslcd. The PAM module is still disabled by default. It is expected that the 0.7 release will include the PAM module by default at which point the software will probably be renamed to nss-pam-ldapd (suggestions for a better name are welcome).
changes since 0.6.9:
- implement searching through multiple search bases, based on a patch by Leigh Wedding
- fix a segmentation fault that could occur when using any of the tls_* options with a string parameter
- miscellaneous improvements to the experimental PAM module
- implement PAM authentication function in the nslcd daemon
- the code for reading and writing protocol entries between the NSS module and the daemon was improved
- documentation updates
- removed SSL/TLS related warnings during startup
- Debian packaging improvements
- 2009-05-09 release 0.6.9 of nss-ldapd
This release fixes a number of bugs in the 0.6.8 and earlier releases. This should be a reasonably stable and well tested release.
This release introduces an experimental PAM module contributed by Howard Chu from the OpenLDAP project that works together with the nssov overlay in slapd. Work is underway to complete the needed functionality in nss-ldapd's nslcd process. With this release the PAM module is disabled by default.
changes since 0.6.8:
- produce more detailed logging in debug mode and allow multiple -d options to be specified to also include logging from the LDAP library
- some LDAP configuration options are now initialized globally instead of per connection which should fix problems with the tls_reqcert option
- documentation improvements for the NSLCD protocol used between the NSS module and the nslcd server
- imported the new PAM module from the OpenLDAP nssov tree by Howard Chu (note that the PAM-related NSLCD protocol is not yet finalised and this module is not built by default)
- in the configure script allow disabling of building certain components
- fix a bug with writing alternate service names and add checks for validity of passed buffer in NSS module
- various Debian packaging improvements
- 2009-03-22 release 0.6.8 of nss-ldapd (security update)
This release fixes a security problem in 0.6.7 and earlier releases in the Debian package configuration. A similar problem could also affect other users.
The nss-ldapd.conf that is installed by the Debian package was created world-readable, which could cause problems if the bindpw option is used. This has been fixed in the Debian package, but other users should check the permissions of the nss-ldapd.conf file when the bindpw option is used (warnings have been added to the manual page and sample nss-ldapd.conf).
The CVE project has assigned id CVE-2009-1073 to this problem.
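The permission check the advisory asks other users to perform, as an added example that is not part of nss-pam-ldapd: it reports a configuration file that sets bindpw while being readable by group or others, and passes a file without bindpw regardless of mode, which is the advisory's scope. The file path is a parameter; the demo writes constructed sample configs into a temporary directory and touches no real system file.

```python
"""Check that a config file carrying bindpw is readable only by its owner.
Added example; the sample configs written by demo() are constructed."""
import os
import re
import stat
import tempfile

# Option names are matched case-insensitively here to stay on the safe side.
BINDPW_RE = re.compile(r"^\s*bindpw\s+\S", re.IGNORECASE)


def config_has_bindpw(path):
    """True if any non-comment line of the file sets the bindpw option."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return any(BINDPW_RE.match(line) for line in fh
                   if not line.lstrip().startswith("#"))


def check_config_permissions(path):
    """Return a list of findings (empty means OK): a bindpw in a file that
    group or others can read is the condition CVE-2009-1073 describes."""
    if not config_has_bindpw(path):
        return []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ["%s contains bindpw but has mode %04o; restrict it to the "
                "owner (e.g. chmod 0600)" % (path, mode)]
    return []


def write_sample_config(path, mode, with_bindpw=True):
    """Write a constructed sample nss-ldapd.conf and set its mode."""
    lines = ["uri ldap://ldap.example.com/", "base dc=example,dc=com",
             "binddn cn=proxy,dc=example,dc=com"]
    if with_bindpw:
        lines.append("bindpw constructed-sample-secret")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, mode)


def demo():
    """Check a world-readable, an owner-only and a bindpw-less sample file;
    returns the number of findings for each."""
    with tempfile.TemporaryDirectory() as tmp:
        leaky, fixed, nopw = (os.path.join(tmp, n) for n in
                              ("leaky.conf", "fixed.conf", "nopw.conf"))
        write_sample_config(leaky, 0o644)
        write_sample_config(fixed, 0o600)
        write_sample_config(nopw, 0o644, with_bindpw=False)
        return tuple(len(check_config_permissions(p))
                     for p in (leaky, fixed, nopw))
```

Running check_config_permissions against /etc/nss-ldapd.conf (or /etc/nslcd.conf on 0.7 and later) gives the check the advisory recommends.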
This release also includes the following changes since 0.6.7:
- clean the environment and set LDAPNOINIT to disable parsing of LDAP configuration files (~/.ldaprc, /etc/ldap/ldap.conf, etc.)
- remove sslpath option because it wasn't used
- correctly set SSL/TLS options when using StartTLS
- rename the tls_checkpeer option to tls_reqcert, deprecating the old name and supporting all values that OpenLDAP supports
- allow backslashes in user and group names except as first or last character
- check user and group names against LOGIN_NAME_MAX if it is defined
- fix for getpeercred() on Solaris by David Bartley
- Debian packaging improvements