Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
path: root/nslcd
Commit message (Collapse)AuthorAgeFilesLines
* ENODATA is missing on FreeBSDArthur de Jong2015-03-221-1/+5
| | | | FreeBSD doesn't have ENODATA so we use ENOATTR instead.
* Various small fixes when using --with-module-nameArthur de Jong2015-03-222-4/+4
| | | | | | | This updates the test framework to support --with-module-name, ensures that exports.map is rebuilt when configure is re-ran, fixes parsing of nsswitch.conf (to determine what to return for passwd lookups) and fixes the check for _nss_ldap_version.
* Fix formatting of size_t valuesPatrick McLean2015-03-143-12/+12
| | | | | | | | In several places the code used a %d format to print a size_t variable. On amd64 at least size_t is an unsigned long, so use %lu instead. An alternative would be to use %ud for size_t and %zd fo ssize_t but not all platforms seem to support that formatter.
* Avoid comparison of static array to null pointerPatrick McLean2015-03-111-4/+4
| | | | | | | There are several places where a static length array in a struct is compared to a null pointer. These comparisons will always be false, since an array in a struct is not actually a pointer, so they can be removed.
* Don't let the oom killer kill nslcdPatrick McLean2015-03-111-0/+23
| | | | | Adjust the Linux OOM (Out-Of-Memory) killer score by -1000 for nslcd so that it should not be killed.
* Allow configuration of NSS and PAM namesArthur de Jong2015-01-191-3/+3
| | | | This introduces the --with-module-name configure option to allow building of NSS and PAM modules with different namespaces than ldap.
* Avoid accessing searches outside arrayArthur de Jong2015-01-191-1/+1
| | | | | | | Thanks David Binderma for pointing this out. Note that in practical situations this should not result in any errors due to the position of searches within the ldap_session struct.
* Fix format stringArthur de Jong2014-10-101-3/+3
| | | Thanks Jianhai Luan.
* Block signals sooner to avoid race conditionsArthur de Jong2014-10-041-11/+11
|
* uid_t/gid_t should be formatted as unsigned longJason Luan2014-09-304-20/+20
| | | | | | | | | mmkfilter_passwd_byuid()/mkfilter_group_bygid() get wrong filter string because "%d" will return negative when uid/gid larger than 2^31, and result to "Authentiction failure". This also changes the other places where uid_t or gid_t values are formatted.
* Fix issues with daemonisingArthur de Jong2014-09-281-14/+24
| | | | | | | | This fixes a problem with a buffer that could end up padded with garbage. This also clarifies the code a bit and adds extra logging for errors that could occur during daemonising.
* Minor comment spelling fixTim Harder2014-07-021-1/+1
|
* Check a socket's connectivity before trying to use itTim Harder2014-07-021-11/+37
| | | | | | | | | This alleviates some cases where multi-second lag occurs before a query returns due to some or all connections having been closed by the peer, e.g. a load balancer timing out old connections, but they are all tried before opening new connections. Tested and working on Linux.
* Fix copy-pastoArthur de Jong2014-07-021-2/+2
|
* Fix password modification by rootArthur de Jong2014-06-061-1/+1
| | | | This fixes 15fc13c.
* Fix code indentationArthur de Jong2014-06-061-1/+1
| | | | This fixes 2274b41.
* Clear buffers before free-ingArthur de Jong2014-05-172-0/+18
| | | | | This clears most buffers that may hold credentials at one point before free()ing the memory.
* Improve error logging of user login failuresArthur de Jong2014-05-041-2/+2
|
* Also extract policy controls on BIND failureArthur de Jong2014-05-041-10/+9
| | | | | | | | | This ensures that controls returned by an LDAP server as part of a failed BIND operation are also returned. This makes it possible to distinguish between a wrong password and an expired password. This also only logs the BIND operation result on DEBUG level (the error is logged later on).
* Log daemonising failuresArthur de Jong2014-05-042-0/+13
| | | | | This also clears errno in the main function to ensure that no incorrect errno value is logged on errors.
* Fix mapping group member attribute to empty stringArthur de Jong2014-05-041-1/+1
| | | | This fixes be94912.
* Make buffer size error logging consistentArthur de Jong2014-05-0417-19/+100
| | | | | This adds logging of most cases where a defined buffer is not large enough to hold provided data on error log level.
* Warn when binddn buffer is too smallArthur de Jong2014-05-044-9/+34
|
* Grow DN buffer sizeArthur de Jong2014-05-041-3/+3
| | | | | The buffer size seems to be a problem in environments with long names or environments with non-ASCII characters.
* Use larger nslcd password bufferushi2014-05-021-1/+1
| | | | | | I had some edge cases where 64 bytes were not enough. People are using password managers with long generated passwords. I increased the buffer size to 128.
* Support builtin Windows groupsDavy Defaud2014-01-311-0/+13
| | | | | | | | | | | This maps the gid (gidNumber) to an AD SID for builtin groups when searching a group by gid (RID) between 544 and 552. In that case the SID prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but the BUILTIN SID prefix (1-5-32). For example, if you add a user to the Administrators builtin group (S-1-5-32-544), now you should be able to get this group through nslcd, instead of receiving an error message.
* Update shadow.c to resolve pwdLastSet issuejoshuashire2014-01-251-1/+1
| | | | | | | We read the date into the buffer to the specified length to get it to the Unix time (i.e. seconds) from its AD value of nanoseconds, then convert it to days for shadow. If we use date rather than buffer we end up trying to convert the original nanosecond value.
* Use myldap_get_deref_values() to get member uidsArthur de Jong2014-01-051-0/+21
| | | | | | | This uses information from the deref control (if available) to get the username for each of the members of the group. Any missing deref member attribute values will be seen as nested groups and will be traversed if nested group support is enabled.
* Provide a myldap_get_deref_values() functionArthur de Jong2014-01-052-1/+156
| | | | | | | This function looks for deref response controls (LDAP_CONTROL_X_DEREF) in the entry and returns the information from the dereferenced attribute in two lists: dereferenced values and attribute values that could not be dereferenced.
* Skip member attributes in bymember searchArthur de Jong2014-01-051-2/+17
| | | | | | | This changes the group by member searches to not request the member attributes. This will speed up result parsing by a fraction because less data is transferred but will also cause the deref control not to be added to these searches.
* Request attribute deref via search controlArthur de Jong2014-01-051-1/+34
| | | | | | | | | | This uses the LDAP_CONTROL_X_DEREF control as descibed in draft-masarati-ldap-deref-00 to request the LDAP server to dereference member attribute values to uid attribute values in order to avoid doing extra searches. This control is currently only added for group search by looking for the member attribute in the search.
* Rename entry property to indicate storage typeArthur de Jong2014-01-051-20/+20
| | | | | | This changes entrye->rangedattributevalues to entry->buffers because the propery is not only used for ranged attribute values but for anything that can be freed with free().
* Ignore missing page controlsArthur de Jong2014-01-051-1/+2
| | | | | Since we could get arbitrray controls and are only interested in page controls we ignore failures to find page controls.
* Use do_try_search() also for paged searchesArthur de Jong2014-01-051-46/+24
| | | | | This also changes do_try_search() to support building continued paged controls and lays the groundwork for adding more search controls.
* Support blanking the member attributeArthur de Jong2014-01-052-3/+11
| | | | | | This allows remapping the member attribute to an empty string which removes support for that attribute. This can reduce the number of search operations if the attribute is not used.
* Fix typoArthur de Jong2014-01-051-1/+1
|
* Fix memory leaks related to set_pop()Arthur de Jong2014-01-051-2/+6
| | | | | | | | | | | | | Some pieces of code did not properly free() the value returned by set_pop(). The leak in group code was related to the introduction of nested group functionality in 41ba574 (merged in 3daa68d) so should only be present in releases 0.9.0 forward. The leak in the netgroup code only ended up in the Solaris version of the NSS module and was introduced in 4ea9ad1 (merged in 5c8779d). This leak is present in all releases from 0.8.0 forward.
* Close daemon pipe file descriptor on fork or execArthur de Jong2014-01-021-0/+18
| | | | | This tries to avoid child processes ending up with a copy of the pipe file descriptor that is used to signal readiness of the daemon.
* Properly daemonise nslcd and only exit when readyArthur de Jong2014-01-024-16/+288
| | | | | | | | | | | This introduces a new daemonize module that provides functions for closing all file descriptors, redirecting stdin/stdout/stderr to /dev/null and a function for backgrounding an application while only exiting the original process after the daemon process has indicated readiness. This is used to exit the original process only after the listening socket has been set up and the worker threads have been started.
* Use dn2uid cache optionsArthur de Jong2013-12-211-4/+7
| | | | | The configuration values are used in the cache to determine positive and negative hit TTLs. This also allows completely disabling the cache.
* Implement a cache configuration optionArthur de Jong2013-12-212-0/+98
| | | | | This adds the cache nslcd.conf configuration option to configure the dn2uid cache in nslcd with a positive and negative cache lifetime.
* Have positive and negative cache timeoutsArthur de Jong2013-12-211-9/+18
| | | | | The positive value determines the time a found entry is valid, the negative timeout determines the lifetime of not found entries.
* Support printing children search scopeArthur de Jong2013-12-211-0/+3
| | | | This fixes 2caeef4.
* Centralise buffer sizesArthur de Jong2013-12-1816-82/+93
| | | | | | Common buffer sizes are now stored centrally so it can be easily and consistently updated if required. Some buffers remain with locally defined sizes that do not match a global buffer size.
* Fix a number of compiler warningsArthur de Jong2013-10-298-16/+15
| | | | | This includes a number of small fixes for issues that were formerly masked by the incorrect AC_LANG_PROGRAM check.
* Compatibility definitions for {set,get,end}usershell()Arthur de Jong2013-10-291-0/+1
| | | | | This provides compatibility definitions for systems that don't have these functions (some Solaris flavours).
* Start invalidator after locking pidfileArthur de Jong2013-10-291-7/+9
| | | | | | This causes the pidfile to be written as the first thing after daemonising nslcd to minimise the race between service script completion and pidfile being locked.
* Also run invalidators on initial connectArthur de Jong2013-10-251-2/+13
| | | | | | This also invalidates the caches configured with reconnect_invalidate on the first successful search. This should handle the case more gracefully where caches were filled with negative hits before nslcd was running.
* Increase NSS_LDAP_CONFIG_MAX_BASES to 31Arthur de Jong2013-10-071-1/+1
| | | | This allows more search bases which may be useful in some environments.
* Use larger nslcd send buffersArthur de Jong2013-09-081-1/+1
| | | | | | | | | | | | | | By using bigger write buffers in nslcd we reduce the number of writes in nslcd and consequently the number of reads in the NSS and PAM modules for bigger responses. This reduces the number of system calls that are made during a request and brings a small performance improvement that is mainly measurable in the NSS module. A measurement showed 30-80% reduction in the number of system calls in the NSS module and around 10% reduction in CPU usage (CPU time, only small reduction in wallclock time). Thanks John Sullivan for pointing this out.