Arthur de Jong

Open Source / Free Software developer


News in 2009

  • 2009-12-28: release 0.7.2 of nss-pam-ldapd
    This is an update for the 0.7 series that fixes some bugs and brings some new functionality. This should be a reasonably stable and well tested release.
    A summary of the changes since 0.7.1:
    • some attributes may be mapped to a shell-like expression that expands attributes from LDAP entries; this allows attribute overrides, defaults and much more (as a result the passwdcn attribute mapping has been removed because the gecos mapping is now "${gecos:-$cn}" by default)
    • update the NSS module to follow the change in Glibc where the addr parameter of getnetbyaddr_r() was changed from network-byte-order to host-byte-order
    • properly escape searches for uniqueMember attributes for DN with a comma in an attribute value
    • miscellaneous improvements to the configure script implementing better (and simpler) library detection
    • some general refactoring and other miscellaneous improvements
    • Debian packaging improvements
    Get this release from the downloads section.
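To show how such a mapping expression is evaluated, here is an added Python example (not code from nss-pam-ldapd) that expands the "${gecos:-$cn}" form against one LDAP entry; the supported subset ($attr, ${attr} and ${attr:-default}, with defaults that may themselves be expressions) and the sample entry are assumptions.

```python
# Added example, not nslcd's own code: expand a shell-like attribute
# mapping expression (as introduced in nss-pam-ldapd 0.7.2) against one
# LDAP entry.  Supported subset (assumed): $attr, ${attr} and
# ${attr:-default}, where the default may itself be an expression.


def first_value(entry, name):
    """Return the first value of attribute `name` (attribute names are
    matched case-insensitively, as in LDAP), or None if absent/empty."""
    for key, values in entry.items():
        if key.lower() == name.lower() and values:
            return values[0]
    return None


def expand(expr, entry):
    """Expand `expr` using the attribute values in `entry`
    (a dict mapping attribute name -> list of string values)."""
    out = []
    i = 0
    while i < len(expr):
        if expr[i] != '$':
            out.append(expr[i])
            i += 1
            continue
        i += 1  # skip the '$'
        if i < len(expr) and expr[i] == '{':
            # find the matching '}' so that nested ${...} defaults work
            depth, j = 1, i + 1
            while j < len(expr) and depth:
                depth += {'{': 1, '}': -1}.get(expr[j], 0)
                j += 1
            if depth:
                raise ValueError('unterminated ${ in %r' % expr)
            inner = expr[i + 1:j - 1]
            i = j
            name, sep, default = inner.partition(':-')
            value = first_value(entry, name)
            if value is None:
                # missing attribute: use the (expanded) default, or ''
                value = expand(default, entry) if sep else ''
            out.append(value)
        else:
            j = i
            while j < len(expr) and (expr[j].isalnum() or expr[j] in '_-'):
                j += 1
            value = first_value(entry, expr[i:j])
            out.append(value if value is not None else '')
            i = j
    return ''.join(out)


# Constructed sample entry: gecos is empty, so the default applies.
SAMPLE_ENTRY = {'uid': ['jdoe'], 'cn': ['John Doe'], 'gecos': []}
```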
  • 2009-11-22: security advisory: problems with case-insensitive LDAP lookups
    Versions of nss-ldapd (now called nss-pam-ldapd) before 0.6.11 do not filter the results of an LDAP search query to return only case-sensitive matches (many LDAP search queries are case-insensitive). As a result, users that differ in name but share the same numeric userid can exist on the system.
    This can cause problems on systems where privileges are assigned to users based on their username with case-sensitive matching. One such place is determining group membership (even in LDAP); another is netgroups. This allows users to log in successfully with an incorrect name and have incorrect privileges assigned (e.g. a user logs in as Joe and is no longer in the group denyaccess).
    This issue also exposes a problem in nscd (GNU C Library Name Service Cache Daemon), which does not support multiple users with the same numeric userid. This can cause invalid information to be entered into the nscd cache, which can deny services to affected users (e.g. this is known to cause problems for SSH usage and Kerberos). In some configurations this can be exploited remotely (Apache serving users' public_html directories, an SSH server, or other services that may perform username lookups).
    If you are affected by this problem but cannot upgrade to a more recent release, you may want to review the change that went into the 0.6.11 release. For Debian lenny an updated version 0.6.7.2 was made.
    This problem also affects the nss_ldap module from PADL Software Pty Ltd and probably also the nssov overlay from OpenLDAP's slapd. Similar problems may also affect other software that performs LDAP lookups.
    References: For questions please contact the nss-pam-ldapd-users mailing list.
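As an added illustration of the fix (example code, not nss-pam-ldapd's own), the Python below simulates the server side of a case-insensitive uid search over a constructed directory and applies the client-side case-sensitive filtering that 0.6.11 introduced: with the filter, a lookup for "Joe" no longer resolves to the entry of "joe" and its numeric userid.

```python
# Added example, not nss-ldapd's own code: why results of a
# case-insensitive LDAP search must be re-checked case-sensitively.

# Constructed sample directory: (dn, attributes) pairs.
DIRECTORY = [
    ('uid=joe,ou=people,dc=example,dc=org',
     {'uid': ['joe'], 'uidNumber': ['1000'], 'gidNumber': ['100']}),
    ('uid=Ann,ou=people,dc=example,dc=org',
     {'uid': ['Ann'], 'uidNumber': ['1001'], 'gidNumber': ['100']}),
]


def ldap_search_caseignore(attr, value):
    """Stand-in for the server side of an (attr=value) search.  uid uses
    caseIgnoreMatch, so 'Joe' and 'JOE' both match the 'joe' entry."""
    return [(dn, e) for dn, e in DIRECTORY
            if any(v.lower() == value.lower() for v in e.get(attr, []))]


def filter_case_sensitive(results, attr, wanted):
    """Client-side fix from 0.6.11: keep only entries where `attr` has a
    value equal to `wanted` exactly (attribute names themselves are still
    matched case-insensitively, as LDAP does)."""
    kept = []
    for dn, entry in results:
        values = [v for k, vs in entry.items()
                  if k.lower() == attr.lower() for v in vs]
        if wanted in values:
            kept.append((dn, entry))
    return kept


def getpwnam(name, strict=True):
    """Resolve a login name to (uid, uidNumber) pairs.  strict=True is the
    fixed behaviour; strict=False reproduces releases before 0.6.11,
    which trusted whatever the case-insensitive search returned."""
    results = ldap_search_caseignore('uid', name)
    if strict:
        results = filter_case_sensitive(results, 'uid', name)
    return [(e['uid'][0], int(e['uidNumber'][0])) for _, e in results]


if __name__ == '__main__':
    for query in ('joe', 'Joe', 'Ann', 'ann'):
        print(query, getpwnam(query, strict=False), getpwnam(query))
```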
  • 2009-10-20: release 0.7.1 of nss-pam-ldapd
    This is an update for the 0.7 release that fixes some bugs, improves portability and brings some new functionality, all mainly in the PAM functionality.
    This should be a reasonably stable and well tested release with the PAM module being reasonably complete.
    A summary of the changes since 0.7.0:
    • implement password changing by performing an LDAP password modify EXOP request
    • fix return of authorisation check in PAM module (patch by Howard Chu)
    • fix for problem when authenticating to LDAP entries without a uid attribute in the DN
    • general code clean-up and portability improvements
    • provide more information with communication error messages
    • Debian packaging improvements
    Get this release from the downloads section.
  • 2009-09-04: release 0.7.0 of nss-pam-ldapd
    This is a new release that brings with it amongst other things a name change of the software and a name change of the configuration file. These changes were done to reflect the addition of the PAM module as a standard part of the software.
    The PAM module is still under development but should be mostly functional for authentication purposes. Other than that this should be a reasonably stable and well tested release.
    A summary of the changes since 0.6.11:
    • rename software to nss-pam-ldapd to indicate that PAM module is now a standard part of the software
    • the PAM module is now built by default (the configure script can be instructed whether or not to build certain parts)
    • the default configuration file name has been changed to /etc/nslcd.conf
    • the default values for bind_timelimit and reconnect_maxsleeptime were lowered from 30 to 10 seconds
    • password hashes are no longer returned to non-root users (based on a patch by Alexander V. Chernikov)
    • a pam_ldap(8) manual page was added
    • unknown options in the configuration file can now be ignored with a new --disable-configfile-checking configure option
    Get this release from the downloads section.
    If you were using the svn version note that the repository name and path in the repository have changed. Either check out using the new location or update your repository with the following two commands:
    svn switch --relocate https://arthurdejong.org/svn/nss-ldapd/ https://arthurdejong.org/svn/nss-pam-ldapd/
    svn switch https://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd
  • 2009-07-12: release 0.6.11 of nss-ldapd
    This release fixes a number of bugs in the 0.6.10 and earlier releases and adds a couple of functionality improvements.
    This should be a reasonably stable and well tested release.
    Changes since 0.6.10:
    • fix user name to groups mapping (a bug in buffer checking in initgroups() that was introduced in 0.6.9)
    • fix a possible buffer overflow with too many uidNumber or gidNumber attributes (thanks to David Binderman for finding this)
    • lookups for group, netgroup, passwd, protocols, rpc, services and shadow maps are now case-sensitive
    • test suite is now minimally documented
    • added --disable-sasl and --disable-kerberos configure options
    • changed references to home page and contact email addresses to use arthurdejong.org
    • Debian packaging improvements
    Get this release from the downloads section.
  • 2009-06-14: nss-ldapd homepage moved
    Since I have completed my study at the Delft University quite some time ago, the nss-ldapd homepage has been moved to https://arthurdejong.org/nss-ldapd/. The contact email address has also been changed to arthur@arthurdejong.org.
    The subversion repository and viewvc URLs have also changed (see the downloads section for details). If you were using the svn repository before you can do
    svn switch --relocate http://arthurenhella.demon.nl/ https://arthurdejong.org/
    to relocate your working copy.
  • 2009-06-03: release 0.6.10 of nss-ldapd
    This release fixes a number of bugs in the 0.6.9 and earlier releases. This should be a reasonably stable and well tested release.
    This release includes improvements to the experimental PAM module introduced in 0.6.9 and adds basic LDAP authentication to nslcd. The PAM module is still disabled by default. It is expected that the 0.7 release will include the PAM module by default at which point the software will probably be renamed to nss-pam-ldapd (suggestions for a better name are welcome).
    Changes since 0.6.9:
    • implement searching through multiple search bases, based on a patch by Leigh Wedding
    • fix a segmentation fault that could occur when using any of the tls_* options with a string parameter
    • miscellaneous improvements to the experimental PAM module
    • implement PAM authentication function in the nslcd daemon
    • the code for reading and writing protocol entries between the NSS module and the daemon was improved
    • documentation updates
    • removed SSL/TLS related warnings during startup
    • Debian packaging improvements
    Get this release from the downloads section.
  • 2009-05-09: release 0.6.9 of nss-ldapd
    This release fixes a number of bugs in the 0.6.8 and earlier releases. This should be a reasonably stable and well tested release.
    This release introduces an experimental PAM module contributed by Howard Chu from the OpenLDAP project that works together with the nssov overlay in slapd. Work is underway to complete the needed functionality in nss-ldapd's nslcd process. With this release the PAM module is disabled by default.
    Changes since 0.6.8:
    • produce more detailed logging in debug mode and allow multiple -d options to be specified to also include logging from the LDAP library
    • some LDAP configuration options are now initialized globally instead of per connection which should fix problems with the tls_reqcert option
    • documentation improvements for the NSLCD protocol used between the NSS module and the nslcd server
    • imported the new PAM module from the OpenLDAP nssov tree by Howard Chu (note that the PAM-related NSLCD protocol is not yet finalised and this module is not built by default)
    • in the configure script allow disabling of building certain components
    • fix a bug with writing alternate service names and add checks for validity of passed buffer in NSS module
    • various Debian packaging improvements
    Get this release from the downloads section.
  • 2009-03-22: release 0.6.8 of nss-ldapd (security update)
    This release fixes a security problem in 0.6.7 and earlier releases in the Debian package configuration. A similar problem could also affect other users.
    The nss-ldapd.conf that is installed by the Debian package was created world-readable, which could cause problems if the bindpw option is used. This has been fixed in the Debian package, but other users should check the permissions of the nss-ldapd.conf file when the bindpw option is used (warnings have been added to the manual page and the sample nss-ldapd.conf).
    The CVE project has assigned id CVE-2009-1073 to this problem.
    This release also includes the following changes since 0.6.7:
    • clean the environment and set LDAPNOINIT to disable parsing of LDAP configuration files (~/.ldaprc, /etc/ldap/ldap.conf, etc)
    • remove sslpath option because it wasn't used
    • correctly set SSL/TLS options when using StartTLS
    • rename the tls_checkpeer option to tls_reqcert, deprecating the old name and supporting all values that OpenLDAP supports
    • allow backslashes in user and group names except as first or last character
    • check user and group names against LOGIN_NAME_MAX if it is defined
    • fix for getpeercred() on Solaris by David Bartley
    • Debian packaging improvements
    Get this release from the downloads section.
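An added check (Python, not part of the nss-ldapd project) in the spirit of the 0.6.8 advice above: it flags an nss-ldapd.conf that contains a bindpw line but is world-readable, and a file that is world-writable in any case; the sample configuration and its placeholder password are constructed.

```python
import os
import stat

# Added example, not part of nss-ldapd: check the permissions of an
# nss-ldapd.conf the way the 0.6.8 announcement recommends.


def config_findings(config_text, st_mode):
    """Return a list of problems for a configuration with the given text
    and stat() mode bits.  A bindpw line makes the file secret, so it must
    not be world-readable; a world-writable file is a problem regardless."""
    findings = []
    perm = stat.S_IMODE(st_mode)
    if perm & stat.S_IWOTH:
        findings.append('file is world-writable (mode %04o)' % perm)
    for lineno, line in enumerate(config_text.splitlines(), 1):
        words = line.split()  # comment lines start with '#' and never match
        if words and words[0].lower() == 'bindpw':
            if perm & stat.S_IROTH:
                findings.append('bindpw on line %d but file is '
                                'world-readable (mode %04o)' % (lineno, perm))
            break
    return findings


def check_config_file(path='/etc/nss-ldapd.conf'):
    """Read the configuration from disk and report its findings."""
    with open(path) as f:
        text = f.read()
    return config_findings(text, os.stat(path).st_mode)


# Constructed sample configuration; the password is a placeholder.
SAMPLE_CONF = """\
uri ldap://ldap.example.org/
base dc=example,dc=org
binddn cn=proxy,dc=example,dc=org
bindpw PLACEHOLDER_SECRET
"""

if __name__ == '__main__':
    for mode in (0o644, 0o640):
        print('%04o' % mode, config_findings(SAMPLE_CONF, mode) or ['ok'])
```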