| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Display a human readable message (days+hours, or hours+minutes, or
seconds) when the password expiring warning is issued.
| |
This option allows completely disabling ppolicy handling.
| |
Also try to fail over to another LDAP server on a larger number of
errors. Specifically errors that point to problems connecting to the
LDAP server.
| |
This is in preparation for splitting the BIND from the search phase for
authentication.
| |
This simplifies the check for overwriting pending password expiry and
grace logins warnings and updates handling of the
LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire
value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
This also corrects the function name, also logs empty password policy
responses in debug mode and documents the meaning of the various
password policy values.
| |
If a password expiration warning (pwdExpireWarning) is set in slapd, and
the password is about to expire, slapd sends the timeBeforeExpiration
value as part of the passwordPolicyResponse.
nslcd would incorrectly instruct the PAM module to require immediate
password change. This has been fixed for both timeBeforeExpiration and
graceLoginsRemaining.
| |
In several places the code used a %d format to print a size_t variable.
On amd64 at least size_t is an unsigned long, so use %lu instead.
An alternative would be to use %ud for size_t and %zd for ssize_t but not
all platforms seem to support that formatter.
| |
There are several places where a static length array in a struct is
compared to a null pointer. These comparisons will always be false,
since an array in a struct is not actually a pointer, so they can be
removed.
| |
Thanks David Binderma for pointing this out.
Note that in practical situations this should not result in any errors
due to the position of searches within the ldap_session struct.
| |
This alleviates some cases where multi-second lag occurs before a query
returns due to some or all connections having been closed by the peer,
e.g. a load balancer timing out old connections, but they are all tried
before opening new connections.
Tested and working on Linux.
| |
This clears most buffers that may hold credentials at one point before
free()ing the memory.
| |
This ensures that controls returned by an LDAP server as part of a
failed BIND operation are also returned. This makes it possible to
distinguish between a wrong password and an expired password.
This also only logs the BIND operation result on DEBUG level (the error
is logged later on).
| |
This adds logging of most cases where a defined buffer is not large
enough to hold provided data on error log level.
| |
This function looks for deref response controls (LDAP_CONTROL_X_DEREF)
in the entry and returns the information from the dereferenced attribute
in two lists: dereferenced values and attribute values that could not be
dereferenced.
| |
This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
member attribute values to uid attribute values in order to avoid doing
extra searches.
This control is currently only added for group search by looking for the
member attribute in the search.
| |
This changes entry->rangedattributevalues to entry->buffers because the
property is not only used for ranged attribute values but for anything
that can be freed with free().
| |
Since we could get arbitrary controls and are only interested in page
controls we ignore failures to find page controls.
| |
This also changes do_try_search() to support building continued paged
controls and lays the groundwork for adding more search controls.
| |
Common buffer sizes are now stored centrally so it can be easily and
consistently updated if required. Some buffers remain with locally
defined sizes that do not match a global buffer size.
| |
This also invalidates the caches configured with reconnect_invalidate on
the first successful search. This should handle the case more gracefully
where caches were filled with negative hits before nslcd was running.
| |
This implements a myldap_immediate_reconnect() function that resets the
reconnect timer to retry failing connections to the LDAP server upon the
next search.
This can be used to cut the reconnect_sleeptime and reconnect_retrytime
sleeping periods short if we have some indication that the LDAP server
is available again.
| |
This also renames the internal nscd module to invalidator for both nslcd
and pynslcd. The new invalidator module is now no longer nscd-specific.
| |
after reconnecting to the LDAP server after failure
| |
user authentication in nslcd
| |
instead of a set
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1912 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
ranged attributes (very unlikely to occur)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1910 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
myldap_get_values_len() if malloc() would fail
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1909 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1906 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1901 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1898 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
LDAP error on password change failure
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1895 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1892 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1889 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
line with manual page
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1888 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1887 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1873 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1868 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
sasl_canonicalize option is explicitly set in the configuration file
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1824 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
to not hide these log messages in most configurations (fixes r1095)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1814 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
attribute values for possibly binary attributes (thanks scan-build)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1770 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
alignment warnings
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1769 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1745 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
but should have been removed in r1714
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1734 ef36b2f9-881f-0410-afb5-c4e39611909c
| |
default, disable reverse host name lookups in OpenLDAP
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1733 ef36b2f9-881f-0410-afb5-c4e39611909c