Arthur de Jong

- * ChangeLog, NEWS, TODO, configure.ac, man/getent.ldap.1.xml,

- man/nslcd.8.xml, man/nslcd.conf.5.xml, man/pam_ldap.8.xml,

- man/pynslcd.8.xml: Get files ready for 0.9.0 release

- * pynslcd/Makefile.am: Include the usermod.py file in the

- distribution

- * man/chsh.ldap.1.xml: Fix docbook validation

- * configure.ac: Ignore missing Python in initial test

- * nslcd/nslcd.c: Fix comment

- * pynslcd/pam.py: Update the shadowLastChange on password change in

- pynslcd

- * pynslcd/pam.py: Implement password modification in pynslcd

- * : Implement used modification functionality This adds user information modification functionality to nslcd and

- pynslcd and implements a chsh.ldap utility that can be used to

- change the login shell of a user (similar to the normal chsh

- command). The user modification functionality should allow for generic

- modifications of user information. More utility commands to perform

- modifications remain to be implemented.

- * pynslcd/pynslcd.py, pynslcd/usermod.py: Handle user modification

- requests in pynslcd Similar to the nslcd implementation, this currently only covers

- modifying the homeDirectory and loginShell attributes.

- * nslcd/Makefile.am, nslcd/common.h, nslcd/nslcd.c, nslcd/usermod.c:

- Handle user modification requests in nslcd This is currently limited to supporting modification of the

- homeDirectory and loginShell attributes. Modifications as root currently use the rootpwmoddn and rootpwmodpw

- options.

- * nslcd.h: Define a NSLCD_ACTION_USERMOD request The modification can either be requested by root or by the user

- itself. Modifications by the user should be done by connecting to the LDAP

- server with the user-supplied credentials. It is expected that

- access controls in the LDAP server prevent unwanted modifications.

- The nslcd process is expected to check whether supplied values are

- sensible.

- * pynslcd/pam.py: Rename authentication function and return

- connection

- * configure.ac: Fix test for absence of Python

- * pynslcd/cfg.py: Mark unsupported pynslcd configuration options

- * configure.ac: Preset default configure values consistently

- * configure.ac: Give an error when the Python interpreter is missing

- * configure.ac: Build command-line utilities by default if Python is

- available

- * : Implement clearing of nscd cache in pynslcd

- * pynslcd/pynslcd.py: Start the nscd invalidator process if needed

- * pynslcd/cfg.py: Parse the nscd_invalidate option

- * pynslcd/Makefile.am, pynslcd/nscd.py: Functionality for clearing

- the nscd cache in pynslcd

- * pynslcd/pynslcd.py: Switch to using os.environ instead of

- os.putenv() The os.putenv() call doesn't update os.environ and Python

- documentation recommends using os.environ.

- * pynslcd/pam.py: Rename validate_request to validate

- * pynslcd/pam.py: Also perform authentication search using

- LDAPSearch class

- * tests/test_nsscmds.sh: Make the NSS tests dependant on the

- configuration of nsswitch.conf

- * tests/test_myldap.c: Do not rely on printf() being able to print

- NULL strings

- * man/nslcd.conf.5.xml: Fix manual page generation

- * nslcd/cfg.h: Fix comment for nss_nested_groups config option

- * : Implement support for nested groups

- * README, man/nslcd.conf.5.xml, nslcd/cfg.c, nslcd/cfg.h,

- nslcd/group.c, pynslcd/cfg.py, pynslcd/group.py: Implement a

- nss_nested_groups configuration option This option can be used in both nslcd and pynslcd to enable

- recursive group member lookups. By default the functionality is

- disabled. This also updates the documentation.

- * pynslcd/common.py, pynslcd/group.py: Implement support for nested

- groups in pynslcd

- * nslcd/group.c: Implement support for nested groups in nslcd This differs from the code provided by Steve Hill in that it avoids (recursively) performing parallel LDAP searches by queueing groups

- and check for extra members per queued group (in the forward lookup)

- or check for extra parents (for the user to groups lookup). For the reverse lookup handling the NSLCD_HANDLE macro could no

- longer be used because extra care should be taken to free the sets

- before returning and two search phases are needed.

- * AUTHORS, nslcd/group.c: Implement a mkfilter_group_bymemberdn()

- function This was part of a bigger change to implement nested groups, however

- most of the other parts were re-implemented differently. For the original changes, see:

- http://lists.arthurdejong.org/nss-pam-ldapd-users/2013/msg00034.html

- * tests/test.ldif: Unpack the LDIF file to make diffs clearer

- * nslcd/cfg.h, nslcd/myldap.c: spelling fixes

- * nslcd/service.c: fix service request logging

- * nss/common.h: NSS: Return TRYAGAIN on zero-length buffer One of our customers was running into a situation where glibc

- provided a zero buffer, which is a condition that is retriable and

- the nss module should return NSS_STATUS_TRYAGAIN not

- NSS_STATUS_UNAVAIL.

- * nss/shadow.c: fix the text representation of shadow information

- for nscd on Solaris

- * .gitignore, tests/Makefile.am, tests/lookup_shadow.c: implement a

- lookup_shadow test command for use on systems that don't allow

- querying shadow via getent

- * nslcd/cfg.c, nslcd/nscd.c: fix a few compiler warnings

- * configure.ac: guess the value for --with-pam-seclib-dir if it is

- not specified

- * tests/test_pamcmds.sh: small portability fix in test_pamcmds.sh

- * nslcd/service.c: only log protocol name if it is present

- * compat/ldap_parse_passwordpolicy_control.c, configure.ac: also

- support systems without bet_get_enum()

- * pynslcd/pynslcd.py: log hex value of action id to make debugging

- easier

- * pynslcd/pam.py: ensure consistent naming of DN variables

- * pynslcd/attmap.py, pynslcd/group.py, pynslcd/netgroup.py,

- pynslcd/pam.py, pynslcd/search.py, pynslcd/service.py,

- pynslcd/shadow.py: clean up imports and use

- ldap.filter.escape_filter_chars() directly

- * pynslcd/pam.py, pynslcd/pynslcd.py, pynslcd/search.py: move

- get_connection function to search module as Connection class as

- subclass of ReconnectLDAPObject to automatically reconnect to the

- LDAP server

- * pynslcd/Makefile.am, pynslcd/alias.py, pynslcd/common.py,

- pynslcd/ether.py, pynslcd/group.py, pynslcd/host.py,

- pynslcd/netgroup.py, pynslcd/network.py, pynslcd/pam.py,

- pynslcd/passwd.py, pynslcd/protocol.py, pynslcd/rpc.py,

- pynslcd/search.py, pynslcd/service.py, pynslcd/shadow.py: move

- Search class to search module

- * pynslcd/cfg.py: fix default logging configuration setting in

- pynslcd

- * common/tio.c: fix the description of the tio_time_remaining()

- function

- * man/nslcd.conf.5.xml: document the nscd_invalidate option

- * nslcd/myldap.c, nslcd/nscd.c, nslcd/nslcd.c: start the nscd

- invalidator and invalidate the nscd cache after reconnecting to the

- LDAP server after failure

- * nslcd/cfg.c, nslcd/cfg.h: implement parsing of the nscd_invalidate

- option

- * configure.ac, nslcd/Makefile.am, nslcd/common.h, nslcd/nscd.c,

- tests/Makefile.am: implement functionality to send a cache

- invalidation signal to nscd

- * nslcd/common.c, nslcd/common.h, nslcd/nslcd.c: move signame()

- function to common.c to make it available to all modules

- * man/nslcd.conf.5.xml: document the trimming expressions in the

- nslcd.conf(5) manual page

- * pynslcd/expr.py: support trimming expressions with full shell glob

- matching in pynslcd

- * tests/test_expr.c: add tests for trimming expressions

- * common/expr.c: update the trimming expressions code to follow the

- new coding style

- * AUTHORS, common/expr.c: allow trimming expressions with ${foo#bar}

- syntax in nslcd

- * nslcd/myldap.c, nslcd/myldap.h, nslcd/pam.c: return the password

- policy bind information via PAM

- * compat/Makefile.am, compat/ldap_compat.h,

- compat/ldap_passwordpolicy_err2txt.c, configure.ac: provide a basic

- replacement implementation of ldap_passwordpolicy_err2txt() for

- systems that don't have it

- * compat/Makefile.am, compat/ldap_compat.h,

- compat/ldap_parse_passwordpolicy_control.c, configure.ac: provide a

- replacement implementation of ldap_parse_passwordpolicy_control()

- for systems that don't have it

- * compat/ldap_compat.h, configure.ac, nslcd/myldap.c: request and

- parse password policy controls when doing user authentication in

- nslcd

- * nslcd/myldap.c: pass the session along to the do_bind() function

- * configure.ac: add some missing checks to the configure script

- * nslcd/pam.c: log a more meaningful error in nslcd when trying to

- authenticate as administrator when rootpwmoddn is not set

- * nslcd/common.h, nslcd/pam.c, nslcd/shadow.c: move

- update_lastchange() function from shadow to pam code

- * utils/getent.py: move parsing to command line arguments to main

- body

- * TODO: update TODO (setnetgrent() returns an error since r1874)

- * man/nslcd.conf.5.xml: include information about when some of the

- options were added

- * nss/common.c: add missing include statement for NULL definition

- * nslcd/nslcd.c, pynslcd/pynslcd.py: log version information from

- the NSS module

- * nss/common.c, nss/exports.freebsd, nss/exports.glibc,

- nss/exports.solaris: define and export an _nss_ldap_version symbol

- * pynslcd/ether.py: also search for alternative macAddress

- representation in pynslcd

- * nslcd/nslcd.c: extra sanity check to ensure not too many file

- descriptors are open

- * nslcd.h: clarify NSLCD_ACTION_SERVICE_* request parameter

- description

- * man/nslcd.conf.5.xml, nslcd/cfg.c, tests/test_common.c: allow

- names with one character in default validnames option and allow

- parentheses (taken from Fedora packages)

- * man/nslcd.conf.5.xml: document the log option

- * pynslcd/cfg.py, pynslcd/pynslcd.py: handle the log configuration

- option in pynslcd

- * nslcd/cfg.c, nslcd/log.c, nslcd/log.h, nslcd/nslcd.c: handle the

- log configuration option in nslcd

- * nslcd/log.c, nslcd/log.h: implement functions for configuring

- alternative logging

- * man/getent.ldap.1.xml: fix docbook tag for file name

- * Makefile.am: generate ChangeLog with git2cl

- * ChangeLog, ChangeLog-2012: archive 2012 changelog messages into a

- year file including the change from Subversion

- * .gitignore, man/Makefile.am, man/getent.ldap.1.xml: add

- getent.ldap(1) manual page

- * utils/Makefile.am, utils/cmdline.py, utils/getent.py,

- utils/nslcd.py: implement a getent command to query nslcd while

- bypassing NSS stack

- * .gitignore, Makefile.am, configure.ac, utils/Makefile.am: add an

- --enable-utils option to configure to build command-line utilities

- * pynslcd/cache.py, pynslcd/common.py: disable pynslcd cache for now

- * nslcd.h, nslcd/common.h, nslcd/netgroup.c, nslcd/nslcd.c,

- pynslcd/netgroup.py: implement a netgroup_all request

- * nslcd/nslcd.c: make checking dlsym() result a little safer

- * compat/ldap_passwd_s.c: fix copyright year

- * common/tio.c: restructure timeout calculation in tio to reduce the

- number of times gettimeofday() is called

- * nslcd/log.c: use pthreads thread-local storage as fallback

- mechanism if compiler doesn't provide a keyword for TLS

- * configure.ac, m4/ax_tls.m4, nslcd/log.c, nss/aliases.c,

- nss/ethers.c, nss/group.c, nss/hosts.c, nss/netgroup.c,

- nss/networks.c, nss/passwd.c, nss/protocols.c, nss/rpc.c,

- nss/services.c, nss/shadow.c: use the AX_TLS macro to find correct

- thread-local storage class compiler directive

- * nslcd/cfg.c, nslcd/cfg.h: dump full nslcd configuration at debug

- level on start-up

- * man/Makefile.am: fix the way manual pages are generated and

- distributed

- * man/nslcd.conf.5.xml, nslcd/cfg.c, pynslcd/cfg.py,

- tests/test_cfg.c: support children search scope for systems that

- have it

- * pynslcd/cfg.py: fix parsing of scope option in pynslcd

- * tests/test_tio.c: support systems without ETIME

- * configure.ac, tests/lookup_netgroup.c: check whether setnetgrent()

- returns int or void (for FreeBSD)

- * nslcd/cfg.c, tests/test_cfg.c: reorganise configuration file

- parsing code

- * nslcd/myldap.c: have myldap_get_ranged_values() return a list of

- values instead of a set

- * nslcd/cfg.c, nslcd/group.c, nslcd/passwd.c, nslcd/shadow.c: check

- result of set_tolist() to ensure that memory allocation problems are

- logged

- * nslcd/myldap.c: fix memory leak in myldap_get_values_len() when

- using ranged attributes (very unlikely to occur)

- * nslcd/myldap.c: fix a problem in memory handling in

- myldap_get_values_len() if malloc() would fail

- * configure.ac: drop -Wcase-qual when using --enable-warnings

- because it was causing too much noise

- * nslcd/myldap.c: fix typo in comment

- * pynslcd/pam.py: request and parse password policy controls when

- doing user authentication in pynslcd

- * pam/pam.c: do not recheck the user password in first password

- phase if it was stored in the authentication phase

- * nslcd/pam.c: perform search for pam_authz_search on all search

- bases

- * pynslcd/pam.py: some simplifications in the current pynslcd PAM

- request handling

- * nslcd/myldap.c, tests/test_cfg.c: update FIXMEs

- * nslcd/ether.c: change ethernet address formatting from FIXME to

- note

- * pam/pam.c: save the old password if either the authentication or

- the authorisation response is NEW_AUTHTOK_REQD

- * nslcd/myldap.c: inline most is_valid_...() functions

- * compat/ldap_initialize.c: remove not needed define

- * common/nslcd-prot.h: log hex values when debugging the protocol

- * nslcd/myldap.c, nslcd/myldap.h, nslcd/pam.c: log and return a

- diagnostic message instead of just the LDAP error on password change

- failure

- * nslcd/pam.c: retry updating the lastChange attribute with the

- normal nslcd LDAP connection if the update with the user's

- connection failed

- * update pynslcd PAM protocol handling to be in line with r1865

- [0.9.0],

-RELEASE_MONTH="Apr 2013"

- <refmiscinfo class="version">Version 0.8.11</refmiscinfo>

- <refmiscinfo class="date">Oct 2012</refmiscinfo>

- <refmiscinfo class="version">Version 0.9.0</refmiscinfo>

- <refmiscinfo class="date">Apr 2013</refmiscinfo>

- <refmiscinfo class="version">Version 0.9.0</refmiscinfo>

- <refmiscinfo class="date">Apr 2013</refmiscinfo>

- <refmiscinfo class="version">Version 0.9.0</refmiscinfo>

- <refmiscinfo class="date">Apr 2013</refmiscinfo>

- <refmiscinfo class="version">Version 0.9.0</refmiscinfo>

- <refmiscinfo class="date">Apr 2013</refmiscinfo>

- <refmiscinfo class="version">Version 0.9.0</refmiscinfo>

- <refmiscinfo class="date">Apr 2013</refmiscinfo>