| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
| |
This fixes issues with running the tests when using a separate build
directory (fixes ef0eddaa).
|
|
|
|
|
|
| |
This ensures that configuration file is not world readable when the
tests are run. This avoids test failure for the use of the rootpwmodpw
option.
|
|
|
|
|
|
|
|
| |
This fixes an issue with unsigned values ending up in signed fields and
missing sign extension.
See:
https://bugs.debian.org/739330
|
|
|
|
|
|
|
| |
The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when
it needs to try again with a larger buffer.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If NSS_STATUS_TRYAGAIN is returned from read_one_hostent or
read_one_netent then fp will be closed and function tio_skipall will be
called with NULL pointer.
It could happend in functions:
_nss_ldap_getnetbyname_r
_nss_ldap_getnetbyaddr_r
_nss_ldap_gethostbyname2_r
_nss_ldap_gethostbyaddr_r
Fixes r548 (aka afd5d9b).
|
|
|
|
|
|
|
|
|
|
|
| |
This maps the gid (gidNumber) to an AD SID for builtin groups when
searching a group by gid (RID) between 544 and 552. In that case the SID
prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but
the BUILTIN SID prefix (1-5-32).
For example, if you add a user to the Administrators builtin group
(S-1-5-32-544), now you should be able to get this group through nslcd,
instead of receiving an error message.
|
|
|
|
|
|
|
|
|
| |
This adds a test that checks the return value of krb5_is_thread_safe()
to see if krb5 is thread safe (during build) and issues a warning if it
is not.
nslcd does not directly link to krb5 but the library may be loaded (by
GSSAPI) if Kerberos is used to authenticate nslcd to the LDAP server.
|
|
|
|
|
| |
This fixes the detection of DragonFly as requiring the freebsd NSS
interface flavour.
|
|
|
|
|
|
|
| |
We read the date into the buffer to the specified length to get it to
the Unix time (i.e. seconds) from its AD value of nanoseconds, then
convert it to days for shadow. If we use date rather than buffer we end
up trying to convert the original nanosecond value.
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
group member attribute values to uid attribute values.
This should reduce the number of searches that are required for
expanding group members that use the member attribute.
This mechanism could also be used to extract information on nested
groups but the gains are less clear there.
Not all LDAP servers support this control. In OpenLDAP, load the
(currently undocumented) deref overlay and enable it for the database to
take advantage of this improvement.
There is a functional difference when using this control. Any returned
deferred uid value returned by the LDAP server is accepted as a member.
No checks are performed to see if the user matches the search base and
search filters set for passwd entries.
|
| |
| |
| |
| | |
This documents the way the deref controls are used.
|
| |
| |
| |
| |
| |
| |
| | |
This uses information from the deref control (if available) to get the
username for each of the members of the group. Any missing deref member
attribute values will be seen as nested groups and will be traversed if
nested group support is enabled.
|
| |
| |
| |
| |
| |
| |
| | |
This function looks for deref response controls (LDAP_CONTROL_X_DEREF)
in the entry and returns the information from the dereferenced attribute
in two lists: dereferenced values and attribute values that could not be
dereferenced.
|
| |
| |
| |
| |
| |
| |
| | |
This changes the group by member searches to not request the member
attributes. This will speed up result parsing by a fraction because less
data is transferred but will also cause the deref control not to be
added to these searches.
|
| |
| |
| |
| |
| |
| | |
This adds a test for a bug in OpenLDAP that allocated a
LDAP_CONTROL_PAGEDRESULTS control instead of a LDAP_CONTROL_X_DEREF
control.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This uses the LDAP_CONTROL_X_DEREF control as descibed in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
member attribute values to uid attribute values in order to avoid doing
extra searches.
This control is currently only added for group search by looking for the
member attribute in the search.
|
| |
| |
| |
| |
| |
| | |
This changes entrye->rangedattributevalues to entry->buffers because the
propery is not only used for ranged attribute values but for anything
that can be freed with free().
|
| |
| |
| |
| |
| | |
Since we could get arbitrray controls and are only interested in page
controls we ignore failures to find page controls.
|
|/
|
|
|
| |
This also changes do_try_search() to support building continued paged
controls and lays the groundwork for adding more search controls.
|
|
|
|
|
|
| |
This allows remapping the member attribute to an empty string which
removes support for that attribute. This can reduce the number of search
operations if the attribute is not used.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some pieces of code did not properly free() the value returned by
set_pop().
The leak in group code was related to the introduction of nested group
functionality in 41ba574 (merged in 3daa68d) so should only be present
in releases 0.9.0 forward.
The leak in the netgroup code only ended up in the Solaris version of
the NSS module and was introduced in 4ea9ad1 (merged in 5c8779d). This
leak is present in all releases from 0.8.0 forward.
|
| |
|
|\
| |
| |
| |
| | |
This removes a race condition between the exit of the initial nslcd
process (as started by the init script) and nslcd services being ready.
|
| | |
|
| |
| |
| |
| |
| | |
This tries to avoid child processes ending up with a copy of the pipe
file descriptor that is used to signal readiness of the daemon.
|
|/
|
|
|
|
|
|
|
|
|
| |
This introduces a new daemonize module that provides functions for
closing all file descriptors, redirecting stdin/stdout/stderr to
/dev/null and a function for backgrounding an application while only
exiting the original process after the daemon process has indicated
readiness.
This is used to exit the original process only after the listening
socket has been set up and the worker threads have been started.
|
| |
|
|\
| |
| |
| |
| | |
This introduces a new cache configuration option that allows setting
positive and negative cache lifetimes for the dn2uid cache.
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
The configuration values are used in the cache to determine positive and
negative hit TTLs. This also allows completely disabling the cache.
|
| |
| |
| |
| |
| | |
This adds the cache nslcd.conf configuration option to configure the
dn2uid cache in nslcd with a positive and negative cache lifetime.
|
|/
|
|
|
| |
The positive value determines the time a found entry is valid, the
negative timeout determines the lifetime of not found entries.
|
|
|
|
| |
This fixes 2caeef4.
|
|
|
|
|
|
| |
Common buffer sizes are now stored centrally so it can be easily and
consistently updated if required. Some buffers remain with locally
defined sizes that do not match a global buffer size.
|
|
|
|
|
|
| |
This checks whether pam_get_item() takes a const void ** or void ** item
value argument and defines a PAM_ITEM_CONST macro that is const when it
should. This avoids some compiler warnings.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This mostly tries to reduce the influences of the test environment
(local users and groups) on the tests. This uses another username
(vsefcovic) in the PAM tests instead of the user arthur to avoid clashes
with existing users.
The PAM tests are skipped if passwd claims that it cannot modify LDAP
passwords (for FreeBSD).
|
|
|
|
|
| |
This includes a number of small fixes for issues that were formerly
masked by the incorrect AC_LANG_PROGRAM check.
|
| |
|
|
|
|
|
| |
Apparently the macro got changed a long time ago to provide a main()
definition. This bug caused the extra warning flags to not be added.
|
|
|
|
|
| |
This provides compatibility definitions for systems that don't have
these functions (some Solaris flavours).
|
|
|
|
|
|
| |
This causes the pidfile to be written as the first thing after
daemonising nslcd to minimise the race between service script completion
and pidfile being locked.
|
| |
|
| |
|
|
|
|
|
|
| |
This also invalidates the caches configured with reconnect_invalidate on
the first successful search. This should handle the case more gracefully
where caches were filled with negative hits before nslcd was running.
|
| |
|