Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Get files ready for 0.9.3 release0.9.3Arthur de Jong2014-03-1211-22/+404
|
* Update files from recent automakeArthur de Jong2014-03-123-8/+20
|
* Run the correct executables for the testsArthur de Jong2014-03-103-7/+11
| | | | | This fixes issues with running the tests when using a separate build directory (fixes ef0eddaa).
* Fix nslcd-test.conf permissions for testArthur de Jong2014-03-101-0/+3
| | | | | | This ensures that configuration file is not world readable when the tests are run. This avoids test failure for the use of the rootpwmodpw option.
* Interpret transferred integers as signed againArthur de Jong2014-03-101-2/+2
| | | | | | | | This fixes an issue with unsigned values ending up in signed fields and missing sign extension. See: https://bugs.debian.org/739330
* Use right h_errnop for retrying with larger bufferNalin Dahyabhai2014-03-022-2/+2
| | | | | | | The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when it needs to try again with a larger buffer. Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
* Fix crash when retrieving large networks entriesLukas Slebodnik2014-03-022-4/+0
| | | | | | | | | | | | | If NSS_STATUS_TRYAGAIN is returned from read_one_hostent or read_one_netent then fp will be closed and function tio_skipall will be called with NULL pointer. It could happend in functions: _nss_ldap_getnetbyname_r _nss_ldap_getnetbyaddr_r _nss_ldap_gethostbyname2_r _nss_ldap_gethostbyaddr_r Fixes r548 (aka afd5d9b).
* Support builtin Windows groupsDavy Defaud2014-01-311-0/+13
| | | | | | | | | | | This maps the gid (gidNumber) to an AD SID for builtin groups when searching a group by gid (RID) between 544 and 552. In that case the SID prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but the BUILTIN SID prefix (1-5-32). For example, if you add a user to the Administrators builtin group (S-1-5-32-544), now you should be able to get this group through nslcd, instead of receiving an error message.
* Add test for krb5 thread safetyArthur de Jong2014-01-251-1/+36
| | | | | | | | | This adds a test that checks the return value of krb5_is_thread_safe() to see if krb5 is thread safe (during build) and issues a warning if it is not. nslcd does not directly link to krb5 but the library may be loaded (by GSSAPI) if Kerberos is used to authenticate nslcd to the LDAP server.
* Also detect DragonFly as BSDFrancois Tigeot2014-01-251-1/+1
| | | | | This fixes the detection of DragonFly as requiring the freebsd NSS interface flavour.
* Update shadow.c to resolve pwdLastSet issuejoshuashire2014-01-251-1/+1
| | | | | | | We read the date into the buffer to the specified length to get it to the Unix time (i.e. seconds) from its AD value of nanoseconds, then convert it to days for shadow. If we use date rather than buffer we end up trying to convert the original nanosecond value.
* Implement deref control handlingArthur de Jong2014-01-058-83/+415
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This uses the LDAP_CONTROL_X_DEREF control as described in draft-masarati-ldap-deref-00 to request the LDAP server to dereference group member attribute values to uid attribute values. This should reduce the number of searches that are required for expanding group members that use the member attribute. This mechanism could also be used to extract information on nested groups but the gains are less clear there. Not all LDAP servers support this control. In OpenLDAP, load the (currently undocumented) deref overlay and enable it for the database to take advantage of this improvement. There is a functional difference when using this control. Any returned deferred uid value returned by the LDAP server is accepted as a member. No checks are performed to see if the user matches the search base and search filters set for passwd entries.
| * Update documentationArthur de Jong2014-01-051-10/+17
| | | | | | | | This documents the way the deref controls are used.
| * Use myldap_get_deref_values() to get member uidsArthur de Jong2014-01-051-0/+21
| | | | | | | | | | | | | | This uses information from the deref control (if available) to get the username for each of the members of the group. Any missing deref member attribute values will be seen as nested groups and will be traversed if nested group support is enabled.
| * Provide a myldap_get_deref_values() functionArthur de Jong2014-01-053-2/+158
| | | | | | | | | | | | | | This function looks for deref response controls (LDAP_CONTROL_X_DEREF) in the entry and returns the information from the dereferenced attribute in two lists: dereferenced values and attribute values that could not be dereferenced.
| * Skip member attributes in bymember searchArthur de Jong2014-01-051-2/+17
| | | | | | | | | | | | | | This changes the group by member searches to not request the member attributes. This will speed up result parsing by a fraction because less data is transferred but will also cause the deref control not to be added to these searches.
| * Provide replacement ldap_create_deref_control()Arthur de Jong2014-01-054-3/+123
| | | | | | | | | | | | This adds a test for a bug in OpenLDAP that allocated a LDAP_CONTROL_PAGEDRESULTS control instead of a LDAP_CONTROL_X_DEREF control.
| * Request attribute deref via search controlArthur de Jong2014-01-052-1/+35
| | | | | | | | | | | | | | | | | | | | This uses the LDAP_CONTROL_X_DEREF control as descibed in draft-masarati-ldap-deref-00 to request the LDAP server to dereference member attribute values to uid attribute values in order to avoid doing extra searches. This control is currently only added for group search by looking for the member attribute in the search.
| * Rename entry property to indicate storage typeArthur de Jong2014-01-051-20/+20
| | | | | | | | | | | | This changes entrye->rangedattributevalues to entry->buffers because the propery is not only used for ranged attribute values but for anything that can be freed with free().
| * Ignore missing page controlsArthur de Jong2014-01-051-1/+2
| | | | | | | | | | Since we could get arbitrray controls and are only interested in page controls we ignore failures to find page controls.
| * Use do_try_search() also for paged searchesArthur de Jong2014-01-051-46/+24
|/ | | | | This also changes do_try_search() to support building continued paged controls and lays the groundwork for adding more search controls.
* Support blanking the member attributeArthur de Jong2014-01-053-16/+27
| | | | | | This allows remapping the member attribute to an empty string which removes support for that attribute. This can reduce the number of search operations if the attribute is not used.
* Fix typoArthur de Jong2014-01-051-1/+1
|
* Fix memory leaks related to set_pop()Arthur de Jong2014-01-053-8/+18
| | | | | | | | | | | | | Some pieces of code did not properly free() the value returned by set_pop(). The leak in group code was related to the introduction of nested group functionality in 41ba574 (merged in 3daa68d) so should only be present in releases 0.9.0 forward. The leak in the netgroup code only ended up in the Solaris version of the NSS module and was introduced in 4ea9ad1 (merged in 5c8779d). This leak is present in all releases from 0.8.0 forward.
* Fix compiler warnings in the myldap testArthur de Jong2014-01-041-6/+5
|
* Only exit nslcd when daemon is readyArthur de Jong2014-01-028-133/+310
|\ | | | | | | | | This removes a race condition between the exit of the initial nslcd process (as started by the init script) and nslcd services being ready.
| * Remove daemon() replacement functionArthur de Jong2014-01-024-114/+1
| |
| * Close daemon pipe file descriptor on fork or execArthur de Jong2014-01-022-3/+21
| | | | | | | | | | This tries to avoid child processes ending up with a copy of the pipe file descriptor that is used to signal readiness of the daemon.
| * Properly daemonise nslcd and only exit when readyArthur de Jong2014-01-024-16/+288
|/ | | | | | | | | | | This introduces a new daemonize module that provides functions for closing all file descriptors, redirecting stdin/stdout/stderr to /dev/null and a function for backgrounding an application while only exiting the original process after the daemon process has indicated readiness. This is used to exit the original process only after the listening socket has been set up and the worker threads have been started.
* Re-organise ldap function testsArthur de Jong2013-12-281-12/+14
|
* Make dn2uid cache tuneableArthur de Jong2013-12-215-10/+156
|\ | | | | | | | | This introduces a new cache configuration option that allows setting positive and negative cache lifetimes for the dn2uid cache.
| * Add a test for new configuration optionArthur de Jong2013-12-211-1/+4
| |
| * Document cache option in manual pageArthur de Jong2013-12-211-0/+33
| |
| * Use dn2uid cache optionsArthur de Jong2013-12-211-4/+7
| | | | | | | | | | The configuration values are used in the cache to determine positive and negative hit TTLs. This also allows completely disabling the cache.
| * Implement a cache configuration optionArthur de Jong2013-12-212-0/+98
| | | | | | | | | | This adds the cache nslcd.conf configuration option to configure the dn2uid cache in nslcd with a positive and negative cache lifetime.
| * Have positive and negative cache timeoutsArthur de Jong2013-12-211-9/+18
|/ | | | | The positive value determines the time a found entry is valid, the negative timeout determines the lifetime of not found entries.
* Support printing children search scopeArthur de Jong2013-12-211-0/+3
| | | | This fixes 2caeef4.
* Centralise buffer sizesArthur de Jong2013-12-1816-82/+93
| | | | | | Common buffer sizes are now stored centrally so it can be easily and consistently updated if required. Some buffers remain with locally defined sizes that do not match a global buffer size.
* Add a test for pam_get_item() argument typeArthur de Jong2013-11-254-9/+41
| | | | | | This checks whether pam_get_item() takes a const void ** or void ** item value argument and defines a PAM_ITEM_CONST macro that is const when it should. This avoids some compiler warnings.
* Get files ready for 0.9.2 release0.9.2Arthur de Jong2013-10-309-15/+398
|
* Portability fixes to environment testsArthur de Jong2013-10-293-12/+18
| | | | | | | | | | This mostly tries to reduce the influences of the test environment (local users and groups) on the tests. This uses another username (vsefcovic) in the PAM tests instead of the user arthur to avoid clashes with existing users. The PAM tests are skipped if passwd claims that it cannot modify LDAP passwords (for FreeBSD).
* Fix a number of compiler warningsArthur de Jong2013-10-2919-34/+35
| | | | | This includes a number of small fixes for issues that were formerly masked by the incorrect AC_LANG_PROGRAM check.
* Add -Werror=implicit if compiler supports itArthur de Jong2013-10-291-1/+1
|
* Fix usage of AC_LANG_PROGRAMArthur de Jong2013-10-291-1/+1
| | | | | Apparently the macro got changed a long time ago to provide a main() definition. This bug caused the extra warning flags to not be added.
* Compatibility definitions for {set,get,end}usershell()Arthur de Jong2013-10-294-0/+52
| | | | | This provides compatibility definitions for systems that don't have these functions (some Solaris flavours).
* Start invalidator after locking pidfileArthur de Jong2013-10-291-7/+9
| | | | | | This causes the pidfile to be written as the first thing after daemonising nslcd to minimise the race between service script completion and pidfile being locked.
* Update documentationArthur de Jong2013-10-272-51/+69
|
* Specify m4 directory in configure scriptArthur de Jong2013-10-272-1/+2
|
* Also run invalidators on initial connectArthur de Jong2013-10-252-4/+19
| | | | | | This also invalidates the caches configured with reconnect_invalidate on the first successful search. This should handle the case more gracefully where caches were filled with negative hits before nslcd was running.
* Distribute setup_slapd.sh and associated filesArthur de Jong2013-10-251-2/+3
|