| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
This moves the parsing of the various ${var...} expressions to separate
functions so they can be extended more easily.
|
| |
|
|
|
|
|
|
|
| |
This could result in a free(NULL) call. This code path can only be
triggered if pam_ldap changes the logged-in username (introduced in
6a74d8d).
Thanks 依云, see
https://github.com/arthurdejong/nss-pam-ldapd/issues/11
|
| |
|
|
|
| |
Display a human readable message (days+hours, or hours+minutes, or
seconds) when the password expiring warning is issued.
|
| |
|
|
|
|
|
| |
This fixes a copy-paste bug where nss_disable_enumeration was
incorrectly handled. Fixes c0366d8.
Thanks Andrew W Elble for pointing this out.
|
| |
|
|
|
|
|
| |
This adds a few test hosts that have IPv6 addresses. This ensures that
we have an IPv6-only host and hosts which have address values in
different order in the ipHostNumber attribute (although attribute order
is probably not guaranteed).
|
| |
|
|
| |
This option allows completely disabling ppolicy handling.
|
| |
|
|
|
| |
This fixes setting the correct LDAP error code and also fixes formatting
in 027df03.
|
| |
|
|
|
|
|
|
|
|
| |
chasing referrals
This fixes a bug where 'shadowLastChange' attribute cannot be updated when
chasing a referral. After a password is succesfully changed, the credentials
for binding should also be updated with the new password for the session.
Signed-off-by: Vasilis Tsiligiannis <vasilis.tsiligiannis@nokia.com>
|
| |
|
|
|
| |
This uses access() instead of stat() to see if the file is readable by
the current process. This fixes f089e01.
|
| |
|
|
|
|
| |
Also try to fail over to another LDAP server on a larger number of
errors. Specifically errors that point to problems connecting to the
LDAP server.
|
| |
|
|
|
| |
This is in preparation for splitting the BIND from the search phase for
authentication.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This changes the check (for configuration options that specify file
names) to just check that the specified path is readable instead of
ensisting that it points to a file.
This allows tls_randfile to point to /dev/urandom (a character device)
or a pipe. This fixes 6779a51.
This also applies the same check to the krb5_ccname option.
Thanks to Patrick McLean for pointing this out.
|
| |
|
|
|
|
| |
This logs informational messages that are presented to the user tot
syslog. This normally includes password expiry and grace login
information which may be useful to log.
|
| |
|
|
|
|
|
|
|
|
|
| |
This simplifies the check for overwriging pending password expiry and
grace logins warnigns and updates handling of the
LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire
value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
This also corrects the function name, also logs empty password policy
responses in debug mode and documents the meaning of the various
password policy values.
|
| |
|
|
|
|
|
|
|
|
| |
If a password expiration warning (pwdExpireWarning) is set in slapd, and
the password is about to expire, slapd sends the timeBeforeExpiration
value as part of the passwordPolicyResponse.
nslcd would incorrectly instruct the PAM module to require immediate
password change. This has been fixed for both timeBeforeExpiration and
graceLoginsRemaining.
|
| |
|
|
|
| |
This also includes the m4 directory when invoking aclocal because not
all versions seem to handle AC_CONFIG_MACRO_DIR.
|
| |
|
|
|
| |
This ensures that AS_IF does not generate an empty else clause which
will result in an invalid configure script.
|
| |
|
|
|
|
| |
This adds addition checks to the tls_cacertdir, tls_cacertfile,
tls_randfile, tls_cert and tls_key options to ensure that they point to
an existing file when parsing nslcd.conf.
|
| |
|
| |
See https://bugs.debian.org/792871
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
This should have been part of d217632.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This implements a function in the Solaris version of the NSS module to
check if a specifc netgroup triplet is part of a netgroup.
This also avoids a compiler warning and includes improvements and
testing by Mark R Bannister.
|
| |
|
|
|
|
|
|
|
|
| |
If this option is present, functions which cause all user/group entries
to be loaded (getpwent(), getgrent()) from the directory will not
succeed in doing so. This can dramatically reduce ldap server load in
situations where there are a great number of users and/or groups.
Applications that depend on being able to sequentially read all users
and/or groups may fail to operate correctly. This option is not
recommended for most configurations.
|
| |
|
|
|
|
|
| |
This option allows skipping group member list retrieval to improve
performance with very large groups. This option results in inconsistent
group membership information being presented that may confuse some
applications.
|
| |
|
|
|
|
|
| |
This only restores the signal mask after signal handlers are in place
and the daemon has completely daemonised to avoid a race condition in
the start-up phase of nslcd where a signal could be sent to nslcd
causing it to quit or fail to write information to the parent process.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This fixes a byte order issue when nscd is running.
|
| |
|
|
| |
This adds tests for a function and type used in the code.
|
| |
|
|
| |
FreeBSD doesn't have ENODATA so we use ENOATTR instead.
|
| |
|
|
| |
This was a compatibility leftover from the nss_ldap days.
|
| | |
|
| |
|
|
|
|
|
| |
This updates the test framework to support --with-module-name, ensures
that exports.map is rebuilt when configure is re-ran, fixes parsing of
nsswitch.conf (to determine what to return for passwd lookups) and fixes
the check for _nss_ldap_version.
|
| |
|
|
|
|
|
| |
This disables the use of thread-local storage in the NSS module when it
is not available in libc. This results in the get*ent() functions not
being thread-safe. However, on most platforms they are not expected to
be thread-safe anyway.
|
| |
|
|
|
|
|
| |
Update nslcd.conf man page that multiple URIs can be set by using more
uri lines or more URIs defined on one uri line.
https://bugzilla.redhat.com/show_bug.cgi?id=1204195
|
| |
|
|
|
|
|
|
| |
In several places the code used a %d format to print a size_t variable.
On amd64 at least size_t is an unsigned long, so use %lu instead.
An alternative would be to use %ud for size_t and %zd fo ssize_t but not
all platforms seem to support that formatter.
|
| |
|
|
|
|
|
| |
There are several places where a static length array in a struct is
compared to a null pointer. These comparisons will always be false,
since an array in a struct is not actually a pointer, so they can be
removed.
|
| |
|
|
|
| |
Adjust the Linux OOM (Out-Of-Memory) killer score by -1000 for nslcd so
that it should not be killed.
|
| |
|
|
| |
This introduces the --with-module-name configure option to allow building of NSS and
PAM modules with different namespaces than ldap.
|
| |
|
|
|
| |
This fixes a bug in the NSS library when encountering IPv6 addresses in
the hosts map.
|
| |
|
|
|
|
|
| |
Thanks David Binderma for pointing this out.
Note that in practical situations this should not result in any errors
due to the position of searches within the ldap_session struct.
|
| |
|
| |
See http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00166.html
|
| |
|
| |
Thanks Jianhai Luan.
|
| | |
|