| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
| |
In several places the code used a %d format to print a size_t variable.
On amd64 at least size_t is an unsigned long, so use %lu instead.
An alternative would be to use %ud for size_t and %zd fo ssize_t but not
all platforms seem to support that formatter.
|
|
|
|
|
|
|
| |
There are several places where a static length array in a struct is
compared to a null pointer. These comparisons will always be false,
since an array in a struct is not actually a pointer, so they can be
removed.
|
|
|
|
|
| |
Adjust the Linux OOM (Out-Of-Memory) killer score by -1000 for nslcd so
that it should not be killed.
|
|
|
|
| |
This introduces the --with-module-name configure option to allow building of NSS and
PAM modules with different namespaces than ldap.
|
|
|
|
|
| |
This fixes a bug in the NSS library when encountering IPv6 addresses in
the hosts map.
|
|
|
|
|
|
|
| |
Thanks David Binderma for pointing this out.
Note that in practical situations this should not result in any errors
due to the position of searches within the ldap_session struct.
|
|
|
| |
See http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00166.html
|
|
|
| |
Thanks Jianhai Luan.
|
| |
|
|
|
|
|
|
|
|
|
| |
mmkfilter_passwd_byuid()/mkfilter_group_bygid() get wrong filter string
because "%d" will return negative when uid/gid larger than 2^31, and
result to "Authentiction failure".
This also changes the other places where uid_t or gid_t values are
formatted.
|
|
|
|
|
|
|
|
| |
This fixes a problem with a buffer that could end up padded with
garbage.
This also clarifies the code a bit and adds extra logging for errors
that could occur during daemonising.
|
| |
|
|
|
|
|
|
|
|
|
| |
This alleviates some cases where multi-second lag occurs before a query
returns due to some or all connections having been closed by the peer,
e.g. a load balancer timing out old connections, but they are all tried
before opening new connections.
Tested and working on Linux.
|
| |
|
|
|
|
|
|
| |
This uses IP addresses from the RFC 5737 TEST-NET-1 range that is meant
for use in documentation. This avoids issues with running the tests
environments that also use the 10.0.0.0/8 range.
|
| |
|
|
|
|
|
|
| |
This is a small fix for when using nscd (which still does not seem to
work completely). The port is stored in network byte order but should be
printed in host byte order.
|
| |
|
|
|
|
| |
This fixes 15fc13c.
|
|
|
|
| |
This fixes 3d29861.
|
|
|
|
| |
This fixes 2274b41.
|
| |
|
| |
|
|
|
|
|
|
| |
This command can be used to perform a lookup using getgrouplist() to
present a list of returned numeric group ids. This can be used to avoid
the additional lookups that are done with the id and groups commands.
|
|
|
|
|
| |
This clears most buffers that may hold credentials at one point before
free()ing the memory.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
This ensures that controls returned by an LDAP server as part of a
failed BIND operation are also returned. This makes it possible to
distinguish between a wrong password and an expired password.
This also only logs the BIND operation result on DEBUG level (the error
is logged later on).
|
| |
|
|
|
|
|
| |
This includes a number of minor changes to the documentation. This also
documents the children search scope (related to 2caeef4).
|
|
|
|
|
| |
This also clears errno in the main function to ensure that no incorrect
errno value is logged on errors.
|
| |
|
|
|
|
| |
This fixes be94912.
|
|
|
|
|
| |
This adds logging of most cases where a defined buffer is not large
enough to hold provided data on error log level.
|
| |
|
|
|
|
|
| |
The buffer size seems to be a problem in environments with long names or
environments with non-ASCII characters.
|
|
|
|
|
|
| |
I had some edge cases where 64 bytes were not enough. People are using
password managers with long generated passwords. I increased the buffer
size to 128.
|
| |
|
| |
|
|
|
|
|
| |
This fixes issues with running the tests when using a separate build
directory (fixes ef0eddaa).
|
|
|
|
|
|
| |
This ensures that configuration file is not world readable when the
tests are run. This avoids test failure for the use of the rootpwmodpw
option.
|
|
|
|
|
|
|
|
| |
This fixes an issue with unsigned values ending up in signed fields and
missing sign extension.
See:
https://bugs.debian.org/739330
|
|
|
|
|
|
|
| |
The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when
it needs to try again with a larger buffer.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If NSS_STATUS_TRYAGAIN is returned from read_one_hostent or
read_one_netent then fp will be closed and function tio_skipall will be
called with NULL pointer.
It could happend in functions:
_nss_ldap_getnetbyname_r
_nss_ldap_getnetbyaddr_r
_nss_ldap_gethostbyname2_r
_nss_ldap_gethostbyaddr_r
Fixes r548 (aka afd5d9b).
|
|
|
|
|
|
|
|
|
|
|
| |
This maps the gid (gidNumber) to an AD SID for builtin groups when
searching a group by gid (RID) between 544 and 552. In that case the SID
prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but
the BUILTIN SID prefix (1-5-32).
For example, if you add a user to the Administrators builtin group
(S-1-5-32-544), now you should be able to get this group through nslcd,
instead of receiving an error message.
|
|
|
|
|
|
|
|
|
| |
This adds a test that checks the return value of krb5_is_thread_safe()
to see if krb5 is thread safe (during build) and issues a warning if it
is not.
nslcd does not directly link to krb5 but the library may be loaded (by
GSSAPI) if Kerberos is used to authenticate nslcd to the LDAP server.
|
|
|
|
|
| |
This fixes the detection of DragonFly as requiring the freebsd NSS
interface flavour.
|
|
|
|
|
|
|
| |
We read the date into the buffer to the specified length to get it to
the Unix time (i.e. seconds) from its AD value of nanoseconds, then
convert it to days for shadow. If we use date rather than buffer we end
up trying to convert the original nanosecond value.
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
group member attribute values to uid attribute values.
This should reduce the number of searches that are required for
expanding group members that use the member attribute.
This mechanism could also be used to extract information on nested
groups but the gains are less clear there.
Not all LDAP servers support this control. In OpenLDAP, load the
(currently undocumented) deref overlay and enable it for the database to
take advantage of this improvement.
There is a functional difference when using this control. Any returned
deferred uid value returned by the LDAP server is accepted as a member.
No checks are performed to see if the user matches the search base and
search filters set for passwd entries.
|
| |
| |
| |
| | |
This documents the way the deref controls are used.
|