- 2010-02-27 release 0.7.3 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some new functionality. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.2:
- allow password modification by root using the rootpwmoddn configuration file option (the user will be prompted for the password for rootpwmoddn instead of the user's password)
- the LDAP password modify EXOP is first tried without the old password and if that fails retried with the old password
- when determining the domain name (used for some value of the base and uri options) also try to use the hostname aliases to build the domain name (patch by Jan Schampera)
- perform locking on the pidfile on start-up to ensure that only one nslcd process is running and implement a --check option (patch by Jan Schampera)
- documentation improvements
- 2010-01-22 announcing nss-pam-ldapd mailing lists
To improve participation and sharing of ideas for the nss-pam-ldapd project, three mailing lists have been set up. These lists are open for subscription by anyone and have public on-line archives.
- The nss-pam-ldapd-announce mailing list will be used for announcements of new releases, security advisories and any other important news regarding nss-pam-ldapd.
- The nss-pam-ldapd-commits mailing list can be used to keep up with the day-to-day commits to the project.
- The nss-pam-ldapd-users mailing list is a general discussion list for the project. Please send your questions and patches there.
- 2009-12-28 release 0.7.2 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some new functionality. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.1:
- some attributes may be mapped to a shell-like expression that expands attributes from LDAP entries; this allows attribute overrides, defaults and much more (as a result the passwdcn attribute mapping has been removed because the gecos mapping is now "${gecos:-$cn}" by default)
- update the NSS module to follow the change in Glibc where the addr parameter of getnetbyaddr_r() was changed from network-byte-order to host-byte-order
- properly escape searches for uniqueMember attributes for DN with a comma in an attribute value
- miscellaneous improvements to the configure script implementing better (and simpler) library detection
- some general refactoring and other miscellaneous improvements
- Debian packaging improvements
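The attribute mapping expression from the first item above, worked through by an added illustration (this is not nss-pam-ldapd's own parser; the sample entry and the shell-style `:-` default semantics are assumptions, and the only expression taken from the page is `${gecos:-$cn}`):

```python
import re

# Constructed LDAP entry (attribute -> values), not data from the project;
# it has no gecos attribute, so "${gecos:-$cn}" must fall back to cn.
SAMPLE_ENTRY = {"uid": ["jdoe"], "cn": ["Jane Doe"], "loginShell": ["/bin/bash"]}

# Bare $attr references; '-' is allowed because LDAP attribute names may use it.
_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")

def expand(expr, entry):
    """Expand $attr, ${attr} and ${attr:-default} against an LDAP entry.

    A missing or empty attribute expands to "" unless a :-default is given;
    the default may itself contain references, as in "${gecos:-$cn}".
    Semantics follow the shell; this is an illustration, not nslcd's code.
    """
    out, i = [], 0
    while i < len(expr):
        if expr[i] != "$":
            out.append(expr[i])
            i += 1
        elif expr[i + 1:i + 2] == "{":
            close = _matching_brace(expr, i + 1)
            name, sep, default = expr[i + 2:close].partition(":-")
            value = _first(entry, name)
            out.append(value if value or not sep else expand(default, entry))
            i = close + 1
        else:
            m = _NAME.match(expr, i + 1)
            if not m:
                raise ValueError("bad reference at %d in %r" % (i, expr))
            out.append(_first(entry, m.group(0)))
            i = m.end()
    return "".join(out)

def _first(entry, name):
    """First value of a multi-valued attribute, or "" when absent."""
    values = entry.get(name) or []
    return values[0] if values else ""

def _matching_brace(expr, start):
    """Index of the '}' closing the '{' at start, honouring nesting."""
    depth = 0
    for k in range(start, len(expr)):
        if expr[k] == "{":
            depth += 1
        elif expr[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unterminated ${...} in %r" % expr)
```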
- 2009-11-22 security advisory: problems with case-insensitive LDAP lookups
Versions of nss-ldapd (now called nss-pam-ldapd) before 0.6.11 do not filter the results from an LDAP search query to only return case-sensitive matches (many LDAP search queries are case-insensitive). This makes it possible for users whose names differ only in case but that share the same numeric userid to exist on the system.
This can cause problems on systems where privileges are assigned to users based on their username with case-sensitive matching. One such place is in determining group membership (even in LDAP), another is in netgroups. This allows users to successfully log in with an incorrect name and have incorrect privileges assigned (e.g. user logs in as Joe and is no longer in the group denyaccess).
This issue also exposes a problem in nscd (GNU C Library Name Service Cache Daemon), which does not support multiple users with the same numeric userid. This could cause invalid information to be entered into the nscd cache, which could deny services to affected users (e.g. this is known to cause problems for SSH usage and Kerberos). In some configurations this can be exploited remotely (Apache serving users' public_html directories, an SSH server or other services that may perform username lookups).
If you are affected by this problem but cannot upgrade to a more recent release, you may want to review the change that went into the 0.6.11 release. An update for Debian lenny is in preparation.
This problem also affects the nss_ldap module from PADL Software Pty Ltd and probably also the nssov overlay from OpenLDAP's slapd. Similar problems may also affect other software that performs LDAP lookups.
References:
- http://bugs.debian.org/552433
- http://bugs.skolelinux.org/show_bug.cgi?id=1383
- http://bugzilla.padl.com/show_bug.cgi?id=399
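An added illustration of the advisory, not code from nss-ldapd: the constructed directory and the denyaccess group show how a case-insensitive uid search lets a login as Joe resolve to joe's entry while escaping a case-sensitive group check, and what the post-search filter introduced in 0.6.11 changes (the lookup functions are hypothetical models, not the module's real code).

```python
# Constructed directory contents standing in for what the LDAP server holds;
# not data from the advisory.
DIRECTORY = [
    {"dn": "uid=joe,ou=people,dc=example,dc=org",
     "uid": ["joe"], "uidNumber": ["1001"], "gidNumber": ["100"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org",
     "uid": ["bob"], "uidNumber": ["1002"], "gidNumber": ["100"]},
]
# The group from the advisory's example, with its membership list.
DENYACCESS = {"cn": ["denyaccess"], "memberUid": ["joe"]}


def ldap_search_ci(attr, value, entries):
    """Model a directory whose equality match for attr is case-insensitive,
    which is the usual matching rule for uid."""
    want = value.lower()
    return [e for e in entries
            if any(v.lower() == want for v in e.get(attr, []))]


def getpwnam_unfiltered(name, entries):
    """Behaviour before 0.6.11: trust whatever the search returned."""
    hits = ldap_search_ci("uid", name, entries)
    return hits[0] if hits else None


def getpwnam_filtered(name, entries):
    """Behaviour from 0.6.11: drop results whose uid is not a byte-for-byte
    match for the requested name, so only one spelling resolves."""
    hits = [e for e in ldap_search_ci("uid", name, entries)
            if name in e.get("uid", [])]
    return hits[0] if hits else None


def in_group(name, group):
    """Group membership as the case-sensitive check a privilege rule makes."""
    return name in group.get("memberUid", [])


def login_outcome(name, entries, lookup):
    """Summarise a login as `name` under a given passwd lookup: does the
    name resolve at all, and is it caught by the denyaccess group?"""
    pw = lookup(name, entries)
    if pw is None:
        return "unknown user"
    denied = in_group(name, DENYACCESS)
    return "uid %s, %s" % (pw["uidNumber"][0],
                           "denied" if denied else "allowed")
```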
- 2009-10-20 release 0.7.1 of nss-pam-ldapd
This is an update for the 0.7 release that fixes some bugs, improves portability and brings some new functionality, all mainly in the PAM functionality.
This should be a reasonably stable and well tested release with the PAM module being reasonably complete.
A summary of the changes since 0.7.0:
- implement password changing by performing an LDAP password modify EXOP request
- fix return of authorisation check in PAM module (patch by Howard Chu)
- fix for problem when authenticating to LDAP entries without a uid attribute in the DN
- general code clean-up and portability improvements
- provide more information with communication error messages
- Debian packaging improvements
- 2009-09-04 release 0.7.0 of nss-pam-ldapd
This is a new release that brings with it amongst other things a name change of the software and a name change of the configuration file. These changes were done to reflect the addition of the PAM module as a standard part of the software.
The PAM module is still under development but should be mostly functional for authentication purposes. Other than that this should be a reasonably stable and well tested release.
A summary of the changes since 0.6.11:
- rename software to nss-pam-ldapd to indicate that PAM module is now a standard part of the software
- the PAM module is now built by default (the configure script can be instructed whether or not to build certain parts)
- the default configuration file name has been changed to /etc/nslcd.conf
- the default values for bind_timelimit and reconnect_maxsleeptime were lowered from 30 to 10 seconds
- password hashes are no longer returned to non-root users (based on a patch by Alexander V. Chernikov)
- a pam_ldap(8) manual page was added
- unknown options in the configuration file can now be ignored with a new --disable-configfile-checking configure option
If you were using the svn version note that the repository name and path in the repository have changed. Either check out using the new location or update your repository with the following two commands:
    svn switch --relocate http://arthurdejong.org/svn/nss-ldapd/ http://arthurdejong.org/svn/nss-pam-ldapd/
    svn switch http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd
- 2009-07-12 release 0.6.11 of nss-ldapd
This release fixes a number of bugs in the 0.6.10 and earlier releases and adds a couple of functionality improvements.
This should be a reasonably stable and well tested release.
changes since 0.6.10:
- fix user name to groups mapping (a bug in buffer checking in initgroups() that was introduced in 0.6.9)
- fix a possible buffer overflow with too many uidNumber or gidNumber attributes (thanks to David Binderman for finding this)
- lookups for group, netgroup, passwd, protocols, rpc, services and shadow maps are now case-sensitive
- test suite is now minimally documented
- added --disable-sasl and --disable-kerberos configure options
- changed references to home page and contact email addresses to use arthurdejong.org
- Debian packaging improvements
- 2009-06-14 nss-ldapd homepage moved
Since I haven't been studying at the Delft University for quite some time the nss-ldapd homepage has been moved to http://arthurdejong.org/nss-ldapd/. The contact email address has also been changed to arthur@arthurdejong.org.
The subversion repository and viewvc URLs have also changed (see the downloads section for details). If you were using the svn repository before you can do
    svn switch --relocate http://arthurenhella.demon.nl/ http://arthurdejong.org/
to relocate your working copy.
- 2009-06-03 release 0.6.10 of nss-ldapd
This release fixes a number of bugs in the 0.6.9 and earlier releases. This should be a reasonably stable and well tested release.
This release includes improvements to the experimental PAM module introduced in 0.6.9 and adds basic LDAP authentication to nslcd. The PAM module is still disabled by default. It is expected that the 0.7 release will include the PAM module by default at which point the software will probably be renamed to nss-pam-ldapd (suggestions for a better name are welcome).
changes since 0.6.9:
- implement searching through multiple search bases, based on a patch by Leigh Wedding
- fix a segmentation fault that could occur when using any of the tls_* options with a string parameter
- miscellaneous improvements to the experimental PAM module
- implement PAM authentication function in the nslcd daemon
- the code for reading and writing protocol entries between the NSS module and the daemon was improved
- documentation updates
- removed SSL/TLS related warnings during startup
- Debian packaging improvements
- 2009-05-09 release 0.6.9 of nss-ldapd
This release fixes a number of bugs in the 0.6.8 and earlier releases. This should be a reasonably stable and well tested release.
This release introduces an experimental PAM module contributed by Howard Chu from the OpenLDAP project that works together with the nssov overlay in slapd. Work is underway to complete the needed functionality in nss-ldapd's nslcd process. With this release the PAM module is disabled by default.
changes since 0.6.8:
- produce more detailed logging in debug mode and allow multiple -d options to be specified to also include logging from the LDAP library
- some LDAP configuration options are now initialized globally instead of per connection which should fix problems with the tls_reqcert option
- documentation improvements for the NSLCD protocol used between the NSS module and the nslcd server
- imported the new PAM module from the OpenLDAP nssov tree by Howard Chu (note that the PAM-related NSLCD protocol is not yet finalised and this module is not built by default)
- in the configure script allow disabling of building certain components
- fix a bug with writing alternate service names and add checks for validity of passed buffer in NSS module
- various Debian packaging improvements
- 2009-03-22 release 0.6.8 of nss-ldapd (security update)
This release fixes a security problem in 0.6.7 and earlier releases in the Debian package configuration. A similar problem could also affect other users.
The nss-ldapd.conf that is installed by the Debian package was created world-readable which could cause problems if the bindpw option is used. This has been fixed in the Debian package but other users should check the permissions of the nss-ldapd.conf file when the bindpw option is used (warnings have been added to the manual page and sample nss-ldapd.conf)
The CVE project has assigned id CVE-2009-1073 to this problem.
This release also includes the following changes since 0.6.7:
- clean the environment and set LDAPNOINIT to disable parsing of LDAP configuration files (~/.ldaprc, /etc/ldap/ldap.conf, etc)
- remove sslpath option because it wasn't used
- correctly set SSL/TLS options when using StartTLS
- rename the tls_checkpeer option to tls_reqcert, deprecating the old name and supporting all values that OpenLDAP supports
- allow backslashes in user and group names except as first or last character
- check user and group names against LOGIN_NAME_MAX if it is defined
- fix for getpeercred() on Solaris by David Bartley
- Debian packaging improvements
- 2008-11-14 release 0.6.7 of nss-ldapd
This release fixes one bug in the 0.6.6 and earlier releases in the Debian package configuration.
This should be a reasonably stable and well tested release.
changes since 0.6.6:
- a fix for a problem in the Debian packaging that would cause user-configured options to be ignored
- 2008-11-04 release 0.6.6 of nss-ldapd
This release just fixes a number of bugs in the 0.6.5 release.
This should be a reasonably stable and well tested release.
changes since 0.6.5:
- Debian packaging improvements
- allow spaces in user and group names because it was causing problems in some environments
- if ldap_set_option() fails log the option name instead of number
- retry connecting to LDAP server in more cases
- 2008-08-22 release 0.6.5 of nss-ldapd
This release only updates some Debian configuration translations. Other than that there are no changes in this release. Get this release from the downloads section.
- 2008-07-20 release 0.6.4 of nss-ldapd
This release mainly fixes a number of bugs in the 0.6.3 release. Only one new feature has been added.
This should be a reasonably stable and well tested release.
changes since 0.6.3:
- fix for the tls_checkpeer option
- fix incorrect test for ssl option in combination with ldaps:// URIs
- improvements to Active Directory sample configuration
- implement looking up search base in rootDSE of LDAP server
- 2008-06-15 release 0.6.3 of nss-ldapd
This release mainly fixes a number of bugs in the 0.6.2 release and adds some new functionality. Most effort is put into getting the code as stable as possible.
Thanks everybody for the feedback provided and patches sent. All feedback is very much appreciated, even if a reply is not sent very quickly.
changes since 0.6.2:
- retry connection and search if getting results failed with connection problems (some errors only occur when getting the results, not when starting the search)
- add support for groups with up to around 150000 members (assuming user names on average are a little under 10 characters)
- problem with possible SIGPIPE race condition was fixed by using send() instead of write()
- add uid and gid configuration keywords that set the user and group of the nslcd daemon
- add some documentation on supported group to member mappings
- add sanity checking to code for when clock moves backward
- log messages now include a session id that makes it easier to track errors to requests (especially useful in debugging mode)
- miscellaneous portability improvements
- increase buffers and timeouts to handle large lookups more gracefully
- implement SASL authentication based on a patch by Dan White
- allow more characters in user and group names
- Debian packaging improvements
Also, the people of OpenLDAP are working on a module in slapd to do the part that nslcd is doing now. See the openldap-devel mailing list and cvs tree for details.
- 2008-05-04 release 0.6.2 of nss-ldapd
This release mainly fixes a number of bugs in the 0.6.1 release and adds some new functionality, mainly to add support for Active Directory.
Thanks everybody for the feedback provided and patches sent. All feedback is very much appreciated, even if a reply is not sent very quickly.
changes since 0.6.1:
- all user and group names are now checked for validity as specified in the POSIX Portable Filename Character Set
- support retrieval of ranged attribute values as sometimes returned by Active Directory
- added the threads keyword to configure the number of threads that should be started in nslcd
- handle empty netgroups properly
- change the time out and retry mechanism for connecting to the LDAP server to return an error quickly if the LDAP server is known to be unavailable for a long time (this removed the reconnect_tries option and changes the meaning of the reconnect_sleeptime and reconnect_maxsleeptime options)
- increased the time out values between the NSS module and nslcd because of new retry mechanism
- implement new dict and set modules that use a hashtable to map keys efficiently
- use the new set to store group membership to simplify memory management and eliminate duplicate members
- the uniqueMember attribute now only supports DN values
- implement a cache for DN to user name lookups (15 minute timeout) used for the uniqueMember attribute to save on doing LDAP searches for groups with a lot of members, based on a patch by Petter Reinholdtsen
- improvements to the tests
- if any of the ldap calls return LDAP_UNAVAILABLE or LDAP_SERVER_DOWN the connection is closed
- improve dependencies in LSB init script header to improve dependency based booting
- 2008-04-06 release 0.6.1 of nss-ldapd
This release mainly fixes a number of bugs in the 0.6 release without big structural changes. There are a number of known problems in combination with Active Directory which require some more testing.
Thanks everybody for the feedback provided and patches sent. All feedback is very much appreciated, even if a reply is not sent very quickly.
changes since 0.6:
- numerous small fixes and compatibility improvements
- the I/O buffers between nslcd and NSS module are now dynamically sized and tuned for common requests
- correctly follow referrals
- add StartTLS support by Ralf Haferkamp of SuSE
- miscellaneous documentation improvements
- remove code for handling rootbinddn/pw because it is unlikely to be supported any time soon
- fix a problem with realloc()ed memory that was not referenced
- fix for a crash in group membership buffer growing code thanks to Petter Reinholdtsen
- some improvements to the Active Directory sample configuration
- fix init script exit code with stop while not running
- fixes to the _nss_ldap_initgroups_dyn() function to properly handle the buffer and limits passed by Glibc
- fixes to the member to groups search functions to correctly handle uniqueMember attributes
- only return shadow entries to root users
- miscellaneous Debian packaging improvements
- 2008-02-03 release 0.6 of nss-ldapd
This release mainly focusses on (re-)adding support for certain features and improved portability. It also fixes a number of problems in the 0.5 release.
nss-ldapd is now nearing stability and feature-completeness and the main focus is on portability and implementing the remaining features. Any patches and feedback are welcome, and thanks for the feedback already provided.
Note that improved portability does not (yet) mean that it will fully work on other platforms than Linux.
changes since 0.5:
- fix parsing of map option in nss-ldapd.conf
- fix bug in handling of userPassword values
- remove warning about missing loginShell attribute
- support the uniqueMember LDAP attribute that holds DN values
- support ldap as a compat service in /etc/nsswitch.conf
- implement _nss_ldap_initgroups_dyn() to allow username->groups searches
- fix retry mechanism with get*ent() functions where a too small buffer was passed by libc (to support groups with a lot of members)
- fix a bug in reporting of communications problems between nslcd and the NSS library
- test and log failures of all LDAP library calls
- improved tests
- miscellaneous compatibility improvements to try to support more LDAP libraries and platforms
- support compilation with OpenLDAP 2.4 and newer
- some configure script improvements
- Debian packaging improvements