Arthur de Jong

Open Source / Free Software developer

path: root/nslcd/myldap.c

Commit log (subject, author, date, files changed, lines removed/added):
* Retry connecting to the first URI after idle_timelimit (Arthur de Jong, 2021-05-26, 1 file, -0/+2)
  This ensures that a connection to the first URI listed in the config file will be re-established once the connection is closed cleanly after the idle time. This ensures that the listed URIs are handled more in a primary/fallback manner if an idle time is configured. Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/46

* Fix handling of the pam_authc_ppolicy option (Arthur de Jong, 2020-09-11, 1 file, -17/+13)
  Check the result of the BIND operation instead of that of the ldap_result() call when pam_authc_ppolicy is set to "no". This could have resulted in successful authentication if the BIND operation to the LDAP server timed out and pam_authc_ppolicy was set to "no" but should not result in successful authentication otherwise so it is unlikely that setting pam_authc_ppolicy to "no" ever worked as intended. The timeout also would have to occur on the BIND operation, not on setting up the connection. Fixes 31cd2cf

* Log the correct timeout value (Arthur de Jong, 2019-12-27, 1 file, -3/+3)
  This fixes logging of the LDAP_OPT_TIMEOUT, LDAP_OPT_NETWORK_TIMEOUT and LDAP_X_OPT_CONNECT_TIMEOUT options to actually log the value of the bind_timelimit option instead of the timelimit option.
* Various spelling fixes (Arthur de Jong, 2019-09-17, 1 file, -8/+8)

* Make password expiry messages correct and consistent (Arthur de Jong, 2018-08-06, 1 file, -8/+8)
  Thanks to Têko Mihinto. See https://bugzilla.redhat.com/show_bug.cgi?id=1612543

* Implement myldap_bind() function (Arthur de Jong, 2017-06-15, 1 file, -19/+26)
  This function integrates the myldap_set_credentials() and myldap_get_policy_response() and performs the bind operation without actually performing a search. The function performs a "fake" search that returns after performing the LDAP BIND operation. This replaces a number of dummy search operations that were there to ensure that the connection was open. This allows us to skip the search operation after authentication.
* Do not try all LDAP servers on failed authentication (Arthur de Jong, 2016-09-04, 1 file, -0/+7)
  See https://bugs.launchpad.net/bugs/1618190

* Display human readable expiry message (Mathieu Baeumler, 2016-02-13, 1 file, -8/+59)
  Display a human readable message (days+hours, or hours+minutes, or seconds) when the password expiring warning is issued.

* Add pam_authc_ppolicy option (Mathieu Baeumler, 2016-01-06, 1 file, -19/+29)
  This option allows completely disabling ppolicy handling.

* Fail-over and retry on more errors (Arthur de Jong, 2015-09-30, 1 file, -1/+4)
  Also try to fail over to another LDAP server on a larger number of errors. Specifically errors that point to problems connecting to the LDAP server.

* Open connection before do_try_search() (Arthur de Jong, 2015-09-30, 1 file, -5/+5)
  This is in preparation for splitting the BIND from the search phase for authentication.
* Simplify password policy message handling (Arthur de Jong, 2015-08-15, 1 file, -14/+20)
  This simplifies the check for overwriting pending password expiry and grace logins warnings and updates handling of the LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE. This also corrects the function name, also logs empty password policy responses in debug mode and documents the meaning of the various password policy values.

* Fix password policy expiration warnings (Mathieu Baeumler, 2015-08-15, 1 file, -3/+1)
  If a password expiration warning (pwdExpireWarning) is set in slapd, and the password is about to expire, slapd sends the timeBeforeExpiration value as part of the passwordPolicyResponse. nslcd would incorrectly instruct the PAM module to require immediate password change. This has been fixed for both timeBeforeExpiration and graceLoginsRemaining.

* Fix formatting of size_t values (Patrick McLean, 2015-03-14, 1 file, -6/+6)
  In several places the code used a %d format to print a size_t variable. On amd64 at least size_t is an unsigned long, so use %lu instead. An alternative would be to use %ud for size_t and %zd for ssize_t but not all platforms seem to support that formatter.
* Avoid comparison of static array to null pointer (Patrick McLean, 2015-03-11, 1 file, -4/+4)
  There are several places where a static length array in a struct is compared to a null pointer. These comparisons will always be false, since an array in a struct is not actually a pointer, so they can be removed.

* Avoid accessing searches outside array (Arthur de Jong, 2015-01-19, 1 file, -1/+1)
  Thanks David Binderman for pointing this out. Note that in practical situations this should not result in any errors due to the position of searches within the ldap_session struct.
* Minor comment spelling fix (Tim Harder, 2014-07-02, 1 file, -1/+1)

* Check a socket's connectivity before trying to use it (Tim Harder, 2014-07-02, 1 file, -11/+37)
  This alleviates some cases where multi-second lag occurs before a query returns due to some or all connections having been closed by the peer, e.g. a load balancer timing out old connections, but they are all tried before opening new connections. Tested and working on Linux.

* Clear buffers before free-ing (Arthur de Jong, 2014-05-17, 1 file, -0/+2)
  This clears most buffers that may hold credentials at one point before free()ing the memory.

* Also extract policy controls on BIND failure (Arthur de Jong, 2014-05-04, 1 file, -10/+9)
  This ensures that controls returned by an LDAP server as part of a failed BIND operation are also returned. This makes it possible to distinguish between a wrong password and an expired password. This also only logs the BIND operation result on DEBUG level (the error is logged later on).

* Make buffer size error logging consistent (Arthur de Jong, 2014-05-04, 1 file, -0/+7)
  This adds logging of most cases where a defined buffer is not large enough to hold provided data on error log level.

* Warn when binddn buffer is too small (Arthur de Jong, 2014-05-04, 1 file, -1/+17)
* Provide a myldap_get_deref_values() function (Arthur de Jong, 2014-01-05, 1 file, -0/+148)
  This function looks for deref response controls (LDAP_CONTROL_X_DEREF) in the entry and returns the information from the dereferenced attribute in two lists: dereferenced values and attribute values that could not be dereferenced.

* Request attribute deref via search control (Arthur de Jong, 2014-01-05, 1 file, -1/+34)
  This uses the LDAP_CONTROL_X_DEREF control as described in draft-masarati-ldap-deref-00 to request the LDAP server to dereference member attribute values to uid attribute values in order to avoid doing extra searches. This control is currently only added for group search by looking for the member attribute in the search.

* Rename entry property to indicate storage type (Arthur de Jong, 2014-01-05, 1 file, -20/+20)
  This changes entry->rangedattributevalues to entry->buffers because the property is not only used for ranged attribute values but for anything that can be freed with free().

* Ignore missing page controls (Arthur de Jong, 2014-01-05, 1 file, -1/+2)
  Since we could get arbitrary controls and are only interested in page controls we ignore failures to find page controls.
* Use do_try_search() also for paged searches (Arthur de Jong, 2014-01-05, 1 file, -46/+24)
  This also changes do_try_search() to support building continued paged controls and lays the groundwork for adding more search controls.

* Centralise buffer sizes (Arthur de Jong, 2013-12-18, 1 file, -4/+4)
  Common buffer sizes are now stored centrally so it can be easily and consistently updated if required. Some buffers remain with locally defined sizes that do not match a global buffer size.

* Also run invalidators on initial connect (Arthur de Jong, 2013-10-25, 1 file, -2/+13)
  This also invalidates the caches configured with reconnect_invalidate on the first successful search. This should handle the case more gracefully where caches were filled with negative hits before nslcd was running.

* Fix for common spelling mistake (Arthur de Jong, 2013-08-28, 1 file, -1/+1)
* Implement function for resetting reconnect times (Arthur de Jong, 2013-08-21, 1 file, -0/+22)
  This implements a myldap_immediate_reconnect() function that resets the reconnect timer to retry failing connections to the LDAP server upon the next search. This can be used to cut the reconnect_sleeptime and reconnect_retrytime sleeping periods short if we have some indication that the LDAP server is available again.
* Rename nscd_invalidate option to reconnect_invalidate (Arthur de Jong, 2013-07-26, 1 file, -2/+2)
  This also renames the internal nscd module to invalidator for both nslcd and pynslcd. The new invalidator module is now no longer nscd-specific.

* spelling fixes (Arthur de Jong, 2013-03-24, 1 file, -1/+1)

* start the nscd invalidator and invalidate the nscd cache after reconnecting to the LDAP server after failure (Arthur de Jong, 2013-03-09, 1 file, -0/+4)

* return the password policy bind information via PAM (Arthur de Jong, 2013-03-03, 1 file, -0/+11)

* request and parse password policy controls when doing user authentication in nslcd (Arthur de Jong, 2013-03-03, 1 file, -6/+206)

* pass the session along to the do_bind() function (Arthur de Jong, 2013-03-03, 1 file, -8/+8)

* have myldap_get_ranged_values() return a list of values instead of a set (Arthur de Jong, 2013-01-12, 1 file, -19/+13)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1912 ef36b2f9-881f-0410-afb5-c4e39611909c

* fix memory leak in myldap_get_values_len() when using ranged attributes (very unlikely to occur) (Arthur de Jong, 2013-01-12, 1 file, -0/+6)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1910 ef36b2f9-881f-0410-afb5-c4e39611909c

* fix a problem in memory handling in myldap_get_values_len() if malloc() would fail (Arthur de Jong, 2013-01-12, 1 file, -2/+4)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1909 ef36b2f9-881f-0410-afb5-c4e39611909c

* fix typo in comment (Arthur de Jong, 2013-01-10, 1 file, -1/+1)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1906 ef36b2f9-881f-0410-afb5-c4e39611909c

* update FIXMEs (Arthur de Jong, 2013-01-05, 1 file, -1/+0)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1901 ef36b2f9-881f-0410-afb5-c4e39611909c

* inline most is_valid_...() functions (Arthur de Jong, 2013-01-05, 1 file, -27/+11)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1898 ef36b2f9-881f-0410-afb5-c4e39611909c

* log and return a diagnostic message instead of just the LDAP error on password change failure (Arthur de Jong, 2013-01-01, 1 file, -0/+26)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1895 ef36b2f9-881f-0410-afb5-c4e39611909c

* fix setting restart option log message (fixes r1889) (Arthur de Jong, 2013-01-01, 1 file, -2/+2)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1892 ef36b2f9-881f-0410-afb5-c4e39611909c

* remove undocumented restart configuration option (Arthur de Jong, 2012-12-30, 1 file, -4/+2)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1889 ef36b2f9-881f-0410-afb5-c4e39611909c

* reorganise and rename configuration options to be in line with manual page (Arthur de Jong, 2012-12-30, 1 file, -6/+6)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1888 ef36b2f9-881f-0410-afb5-c4e39611909c

* remove the ldc_ prefix from struct ldap_config fields (Arthur de Jong, 2012-12-30, 1 file, -82/+82)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1887 ef36b2f9-881f-0410-afb5-c4e39611909c

* update C coding style to a more commonly used style (Arthur de Jong, 2012-12-22, 1 file, -721/+756)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1873 ef36b2f9-881f-0410-afb5-c4e39611909c

* fix logic error (use && instead of & for logical and) (Arthur de Jong, 2012-12-20, 1 file, -1/+1)
  git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1868 ef36b2f9-881f-0410-afb5-c4e39611909c