| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
This ensures that a connection to the first URI listed in the config
file will be re-established once the connection is closed cleanly after
the idle time.
This ensures that the listed URIs are handled more in a primary/fallback
manner if an idle time is configured.
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/46
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Check the result of the BIND operation instead of that of the
ldap_result() call when pam_authc_ppolicy is set to "no".
This could have resulted in successful authentication if the BIND
operation to the LDAP server timed out and pam_authc_ppolicy was set to
"no" but should not result in successful authentication otherwise so it
is unlikely that setting pam_authc_ppolicy to "no" ever worked as
intended. The timeout also would have to occur on the BIND operation,
not on setting up the connection.
Fixes 31cd2cf
|
|
|
|
|
|
| |
This fixes logging of the LDAP_OPT_TIMEOUT, LDAP_OPT_NETWORK_TIMEOUT and
LDAP_X_OPT_CONNECT_TIMEOUT options to actually log the value of the
bind_timelimit option instead of the timelimit option.
|
| |
|
|
|
|
|
| |
Thanks to Têko Mihinto.
See https://bugzilla.redhat.com/show_bug.cgi?id=1612543
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function integrates the myldap_set_credentials() and
myldap_get_policy_response() and performs the bind operation without
actually performing a search.
The function performs a "fake" search that returns after performing the
LDAP BIND operation.
This replaces a number of dummy search operations that were there to
ensure that the connection was open. This allows us to skip the search
operation after authentication.
|
|
|
|
| |
See https://bugs.launchpad.net/bugs/1618190
|
|
|
|
|
| |
Display a human readable message (days+hours, or hours+minutes, or
seconds) when the password expiring warning is issued.
|
|
|
|
| |
This option allows completely disabling ppolicy handling.
|
|
|
|
|
|
| |
Also try to fail over to another LDAP server on a larger number of
errors. Specifically errors that point to problems connecting to the
LDAP server.
|
|
|
|
|
| |
This is in preparation for splitting the BIND from the search phase for
authentication.
|
|
|
|
|
|
|
|
|
|
|
| |
This simplifies the check for overwriting pending password expiry and
grace logins warnings and updates handling of the
LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire
value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
This also corrects the function name, also logs empty password policy
responses in debug mode and documents the meaning of the various
password policy values.
|
|
|
|
|
|
|
|
|
|
| |
If a password expiration warning (pwdExpireWarning) is set in slapd, and
the password is about to expire, slapd sends the timeBeforeExpiration
value as part of the passwordPolicyResponse.
nslcd would incorrectly instruct the PAM module to require immediate
password change. This has been fixed for both timeBeforeExpiration and
graceLoginsRemaining.
|
|
|
|
|
|
|
|
| |
In several places the code used a %d format to print a size_t variable.
On amd64 at least size_t is an unsigned long, so use %lu instead.
An alternative would be to use %ud for size_t and %zd for ssize_t but not
all platforms seem to support that formatter.
|
|
|
|
|
|
|
| |
There are several places where a static length array in a struct is
compared to a null pointer. These comparisons will always be false,
since an array in a struct is not actually a pointer, so they can be
removed.
|
|
|
|
|
|
|
| |
Thanks David Binderma for pointing this out.
Note that in practical situations this should not result in any errors
due to the position of searches within the ldap_session struct.
|
| |
|
|
|
|
|
|
|
|
|
| |
This alleviates some cases where multi-second lag occurs before a query
returns due to some or all connections having been closed by the peer,
e.g. a load balancer timing out old connections, but they are all tried
before opening new connections.
Tested and working on Linux.
|
|
|
|
|
| |
This clears most buffers that may hold credentials at one point before
free()ing the memory.
|
|
|
|
|
|
|
|
|
| |
This ensures that controls returned by an LDAP server as part of a
failed BIND operation are also returned. This makes it possible to
distinguish between a wrong password and an expired password.
This also only logs the BIND operation result on DEBUG level (the error
is logged later on).
|
|
|
|
|
| |
This adds logging of most cases where a defined buffer is not large
enough to hold provided data on error log level.
|
| |
|
|
|
|
|
|
|
| |
This function looks for deref response controls (LDAP_CONTROL_X_DEREF)
in the entry and returns the information from the dereferenced attribute
in two lists: dereferenced values and attribute values that could not be
dereferenced.
|
|
|
|
|
|
|
|
|
|
| |
This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
member attribute values to uid attribute values in order to avoid doing
extra searches.
This control is currently only added for group search by looking for the
member attribute in the search.
|
|
|
|
|
|
| |
This changes entry->rangedattributevalues to entry->buffers because the
property is not only used for ranged attribute values but for anything
that can be freed with free().
|
|
|
|
|
| |
Since we could get arbitrary controls and are only interested in page
controls we ignore failures to find page controls.
|
|
|
|
|
| |
This also changes do_try_search() to support building continued paged
controls and lays the groundwork for adding more search controls.
|
|
|
|
|
|
| |
Common buffer sizes are now stored centrally so it can be easily and
consistently updated if required. Some buffers remain with locally
defined sizes that do not match a global buffer size.
|
|
|
|
|
|
| |
This also invalidates the caches configured with reconnect_invalidate on
the first successful search. This should handle the case more gracefully
where caches were filled with negative hits before nslcd was running.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This implements a myldap_immediate_reconnect() function that resets the
reconnect timer to retry failing connections to the LDAP server upon the
next search.
This can be used to cut the reconnect_sleeptime and reconnect_retrytime
sleeping periods short if we have some indication that the LDAP server
is available again.
|
|
|
|
|
| |
This also renames the internal nscd module to invalidator for both nslcd
and pynslcd. The new invalidator module is now no longer nscd-specific.
|
| |
|
|
|
|
| |
after reconnecting to the LDAP server after failure
|
| |
|
|
|
|
| |
user authentication in nslcd
|
| |
|
|
|
|
|
|
| |
instead of a set
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1912 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
|
|
| |
ranged attributes (very unlikely to occur)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1910 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
|
|
| |
myldap_get_values_len() if malloc() would fail
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1909 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1906 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1901 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1898 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
|
|
| |
LDAP error on password change failure
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1895 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1892 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1889 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
|
|
| |
line with manual page
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1888 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1887 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1873 ef36b2f9-881f-0410-afb5-c4e39611909c
|
|
|
|
| |
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1868 ef36b2f9-881f-0410-afb5-c4e39611909c
|