Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
path: root/nslcd
Commit message (Collapse)AuthorAgeFilesLines
* Get files ready for 0.9.7 release0.9.7Arthur de Jong2016-08-141-2/+2
|
* Also honor ignorecase in PAMArthur de Jong2016-06-031-1/+1
| | | | | | | This avoids changing the cannonical username to the value as specified in LDAP when ignorecase is used. See https://github.com/arthurdejong/nss-pam-ldapd/issues/12
* Display human readable expiry messageMathieu Baeumler2016-02-131-8/+59
| | | | | Display a human readable message (days+hours, or hours+minutes, or seconds) when the password expiring warning is issued.
* Fix nss_disable_enumeration configurationArthur de Jong2016-02-131-1/+1
| | | | | | | This fixes a copy-paste bug where nss_disable_enumeration was incorrectly handled. Fixes c0366d8. Thanks Andrew W Elble for pointing this out.
* Add pam_authc_ppolicy optionMathieu Baeumler2016-01-063-19/+49
| | | | This option allows completely disabling ppolicy handling.
* Fix error handling on credential changeArthur de Jong2016-01-061-2/+4
| | | | | This fixes setting the correct LDAP error code and also fixes formatting in 027df03.
* Fix updating of 'shadowLastChange' attribute when ↵Vasilis Tsiligiannis2015-12-231-0/+9
| | | | | | | | | | chasing referrals This fixes a bug where 'shadowLastChange' attribute cannot be updated when chasing a referral. After a password is succesfully changed, the credentials for binding should also be updated with the new password for the session. Signed-off-by: Vasilis Tsiligiannis <vasilis.tsiligiannis@nokia.com>
* Correct file readability checkArthur de Jong2015-11-131-9/+2
| | | | | This uses access() instead of stat() to see if the file is readable by the current process. This fixes f089e01.
* Fail-over and retry on more errorsArthur de Jong2015-09-301-1/+4
| | | | | | Also try to fail over to another LDAP server on a larger number of errors. Specifically errors that point to problems connecting to the LDAP server.
* Open connection before do_try_search()Arthur de Jong2015-09-301-5/+5
| | | | | This is in preparation for splitting the BIND from the search phase for authentication.
* Loosen up file existence checkArthur de Jong2015-08-271-70/+65
| | | | | | | | | | | | | This changes the check (for configuration options that specify file names) to just check that the specified path is readable instead of ensisting that it points to a file. This allows tls_randfile to point to /dev/urandom (a character device) or a pipe. This fixes 6779a51. This also applies the same check to the krb5_ccname option. Thanks to Patrick McLean for pointing this out.
* Simplify password policy message handlingArthur de Jong2015-08-151-14/+20
| | | | | | | | | | | This simplifies the check for overwriging pending password expiry and grace logins warnigns and updates handling of the LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE. This also corrects the function name, also logs empty password policy responses in debug mode and documents the meaning of the various password policy values.
* Fix password policy expiration warningsMathieu Baeumler2015-08-151-3/+1
| | | | | | | | | | If a password expiration warning (pwdExpireWarning) is set in slapd, and the password is about to expire, slapd sends the timeBeforeExpiration value as part of the passwordPolicyResponse. nslcd would incorrectly instruct the PAM module to require immediate password change. This has been fixed for both timeBeforeExpiration and graceLoginsRemaining.
* Check file existence for configuration optionsArthur de Jong2015-07-191-5/+43
| | | | | | This adds addition checks to the tls_cacertdir, tls_cacertfile, tls_randfile, tls_cert and tls_key options to ensure that they point to an existing file when parsing nslcd.conf.
* Also fix signed integer bug in binsid2id()Arthur de Jong2015-06-132-2/+2
| | | This should have been part of d217632.
* Fixed signed 32bit overflow bug on 32bit systemsGeoffrey McRae2015-06-111-14/+18
|
* Allow configuration values longer than 63 charactersJed Liu2015-05-241-2/+2
|
* Implement disable_enumerationAndrew Elble2015-05-013-3/+17
| | | | | | | | | | If this option is present, functions which cause all user/group entries to be loaded (getpwent(), getgrent()) from the directory will not succeed in doing so. This can dramatically reduce ldap server load in situations where there are a great number of users and/or groups. Applications that depend on being able to sequentially read all users and/or groups may fail to operate correctly. This option is not recommended for most configurations.
* Implement nss_getgrent_skipmembersArthur de Jong2015-04-203-5/+16
| | | | | | | This option allows skipping group member list retrieval to improve performance with very large groups. This option results in inconsistent group membership information being presented that may confuse some applications.
* Avoid signal race condition on start-upArthur de Jong2015-04-162-3/+4
| | | | | | | This only restores the signal mask after signal handlers are in place and the daemon has completely daemonised to avoid a race condition in the start-up phase of nslcd where a signal could be sent to nslcd causing it to quit or fail to write information to the parent process.
* ENODATA is missing on FreeBSDArthur de Jong2015-03-221-1/+5
| | | | FreeBSD doesn't have ENODATA so we use ENOATTR instead.
* Various small fixes when using --with-module-nameArthur de Jong2015-03-222-4/+4
| | | | | | | This updates the test framework to support --with-module-name, ensures that exports.map is rebuilt when configure is re-ran, fixes parsing of nsswitch.conf (to determine what to return for passwd lookups) and fixes the check for _nss_ldap_version.
* Fix formatting of size_t valuesPatrick McLean2015-03-143-12/+12
| | | | | | | | In several places the code used a %d format to print a size_t variable. On amd64 at least size_t is an unsigned long, so use %lu instead. An alternative would be to use %ud for size_t and %zd fo ssize_t but not all platforms seem to support that formatter.
* Avoid comparison of static array to null pointerPatrick McLean2015-03-111-4/+4
| | | | | | | There are several places where a static length array in a struct is compared to a null pointer. These comparisons will always be false, since an array in a struct is not actually a pointer, so they can be removed.
* Don't let the oom killer kill nslcdPatrick McLean2015-03-111-0/+23
| | | | | Adjust the Linux OOM (Out-Of-Memory) killer score by -1000 for nslcd so that it should not be killed.
* Allow configuration of NSS and PAM namesArthur de Jong2015-01-191-3/+3
| | | | This introduces the --with-module-name configure option to allow building of NSS and PAM modules with different namespaces than ldap.
* Avoid accessing searches outside arrayArthur de Jong2015-01-191-1/+1
| | | | | | | Thanks David Binderma for pointing this out. Note that in practical situations this should not result in any errors due to the position of searches within the ldap_session struct.
* Fix format stringArthur de Jong2014-10-101-3/+3
| | | Thanks Jianhai Luan.
* Block signals sooner to avoid race conditionsArthur de Jong2014-10-041-11/+11
|
* uid_t/gid_t should be formatted as unsigned longJason Luan2014-09-304-20/+20
| | | | | | | | | mmkfilter_passwd_byuid()/mkfilter_group_bygid() get wrong filter string because "%d" will return negative when uid/gid larger than 2^31, and result to "Authentiction failure". This also changes the other places where uid_t or gid_t values are formatted.
* Fix issues with daemonisingArthur de Jong2014-09-281-14/+24
| | | | | | | | This fixes a problem with a buffer that could end up padded with garbage. This also clarifies the code a bit and adds extra logging for errors that could occur during daemonising.
* Minor comment spelling fixTim Harder2014-07-021-1/+1
|
* Check a socket's connectivity before trying to use itTim Harder2014-07-021-11/+37
| | | | | | | | | This alleviates some cases where multi-second lag occurs before a query returns due to some or all connections having been closed by the peer, e.g. a load balancer timing out old connections, but they are all tried before opening new connections. Tested and working on Linux.
* Fix copy-pastoArthur de Jong2014-07-021-2/+2
|
* Fix password modification by rootArthur de Jong2014-06-061-1/+1
| | | | This fixes 15fc13c.
* Fix code indentationArthur de Jong2014-06-061-1/+1
| | | | This fixes 2274b41.
* Clear buffers before free-ingArthur de Jong2014-05-172-0/+18
| | | | | This clears most buffers that may hold credentials at one point before free()ing the memory.
* Improve error logging of user login failuresArthur de Jong2014-05-041-2/+2
|
* Also extract policy controls on BIND failureArthur de Jong2014-05-041-10/+9
| | | | | | | | | This ensures that controls returned by an LDAP server as part of a failed BIND operation are also returned. This makes it possible to distinguish between a wrong password and an expired password. This also only logs the BIND operation result on DEBUG level (the error is logged later on).
* Log daemonising failuresArthur de Jong2014-05-042-0/+13
| | | | | This also clears errno in the main function to ensure that no incorrect errno value is logged on errors.
* Fix mapping group member attribute to empty stringArthur de Jong2014-05-041-1/+1
| | | | This fixes be94912.
* Make buffer size error logging consistentArthur de Jong2014-05-0417-19/+100
| | | | | This adds logging of most cases where a defined buffer is not large enough to hold provided data on error log level.
* Warn when binddn buffer is too smallArthur de Jong2014-05-044-9/+34
|
* Grow DN buffer sizeArthur de Jong2014-05-041-3/+3
| | | | | The buffer size seems to be a problem in environments with long names or environments with non-ASCII characters.
* Use larger nslcd password bufferushi2014-05-021-1/+1
| | | | | | I had some edge cases where 64 bytes were not enough. People are using password managers with long generated passwords. I increased the buffer size to 128.
* Support builtin Windows groupsDavy Defaud2014-01-311-0/+13
| | | | | | | | | | | This maps the gid (gidNumber) to an AD SID for builtin groups when searching a group by gid (RID) between 544 and 552. In that case the SID prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but the BUILTIN SID prefix (1-5-32). For example, if you add a user to the Administrators builtin group (S-1-5-32-544), now you should be able to get this group through nslcd, instead of receiving an error message.
* Update shadow.c to resolve pwdLastSet issuejoshuashire2014-01-251-1/+1
| | | | | | | We read the date into the buffer to the specified length to get it to the Unix time (i.e. seconds) from its AD value of nanoseconds, then convert it to days for shadow. If we use date rather than buffer we end up trying to convert the original nanosecond value.
* Use myldap_get_deref_values() to get member uidsArthur de Jong2014-01-051-0/+21
| | | | | | | This uses information from the deref control (if available) to get the username for each of the members of the group. Any missing deref member attribute values will be seen as nested groups and will be traversed if nested group support is enabled.
* Provide a myldap_get_deref_values() functionArthur de Jong2014-01-052-1/+156
| | | | | | | This function looks for deref response controls (LDAP_CONTROL_X_DEREF) in the entry and returns the information from the dereferenced attribute in two lists: dereferenced values and attribute values that could not be dereferenced.
* Skip member attributes in bymember searchArthur de Jong2014-01-051-2/+17
| | | | | | | This changes the group by member searches to not request the member attributes. This will speed up result parsing by a fraction because less data is transferred but will also cause the deref control not to be added to these searches.