| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
If a password expiration warning (pwdExpireWarning) is set in slapd, and
the password is about to expire, slapd sends the timeBeforeExpiration
value as part of the passwordPolicyResponse.
nslcd would incorrectly instruct the PAM module to require immediate
password change. This has been fixed for both timeBeforeExpiration and
graceLoginsRemaining.
|
| |
|
|
|
|
| |
This adds addition checks to the tls_cacertdir, tls_cacertfile,
tls_randfile, tls_cert and tls_key options to ensure that they point to
an existing file when parsing nslcd.conf.
|
| |
|
| |
This should have been part of d217632.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
If this option is present, functions which cause all user/group entries
to be loaded (getpwent(), getgrent()) from the directory will not
succeed in doing so. This can dramatically reduce ldap server load in
situations where there are a great number of users and/or groups.
Applications that depend on being able to sequentially read all users
and/or groups may fail to operate correctly. This option is not
recommended for most configurations.
|
| |
|
|
|
|
|
| |
This option allows skipping group member list retrieval to improve
performance with very large groups. This option results in inconsistent
group membership information being presented that may confuse some
applications.
|
| |
|
|
|
|
|
| |
This only restores the signal mask after signal handlers are in place
and the daemon has completely daemonised to avoid a race condition in
the start-up phase of nslcd where a signal could be sent to nslcd
causing it to quit or fail to write information to the parent process.
|
| |
|
|
| |
FreeBSD doesn't have ENODATA so we use ENOATTR instead.
|
| |
|
|
|
|
|
| |
This updates the test framework to support --with-module-name, ensures
that exports.map is rebuilt when configure is re-ran, fixes parsing of
nsswitch.conf (to determine what to return for passwd lookups) and fixes
the check for _nss_ldap_version.
|
| |
|
|
|
|
|
|
| |
In several places the code used a %d format to print a size_t variable.
On amd64 at least size_t is an unsigned long, so use %lu instead.
An alternative would be to use %ud for size_t and %zd fo ssize_t but not
all platforms seem to support that formatter.
|
| |
|
|
|
|
|
| |
There are several places where a static length array in a struct is
compared to a null pointer. These comparisons will always be false,
since an array in a struct is not actually a pointer, so they can be
removed.
|
| |
|
|
|
| |
Adjust the Linux OOM (Out-Of-Memory) killer score by -1000 for nslcd so
that it should not be killed.
|
| |
|
|
| |
This introduces the --with-module-name configure option to allow building of NSS and
PAM modules with different namespaces than ldap.
|
| |
|
|
|
|
|
| |
Thanks David Binderma for pointing this out.
Note that in practical situations this should not result in any errors
due to the position of searches within the ldap_session struct.
|
| |
|
| |
Thanks Jianhai Luan.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
mmkfilter_passwd_byuid()/mkfilter_group_bygid() get wrong filter string
because "%d" will return negative when uid/gid larger than 2^31, and
result to "Authentiction failure".
This also changes the other places where uid_t or gid_t values are
formatted.
|
| |
|
|
|
|
|
|
| |
This fixes a problem with a buffer that could end up padded with
garbage.
This also clarifies the code a bit and adds extra logging for errors
that could occur during daemonising.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This alleviates some cases where multi-second lag occurs before a query
returns due to some or all connections having been closed by the peer,
e.g. a load balancer timing out old connections, but they are all tried
before opening new connections.
Tested and working on Linux.
|
| | |
|
| |
|
|
| |
This fixes 15fc13c.
|
| |
|
|
| |
This fixes 2274b41.
|
| |
|
|
|
| |
This clears most buffers that may hold credentials at one point before
free()ing the memory.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This ensures that controls returned by an LDAP server as part of a
failed BIND operation are also returned. This makes it possible to
distinguish between a wrong password and an expired password.
This also only logs the BIND operation result on DEBUG level (the error
is logged later on).
|
| |
|
|
|
| |
This also clears errno in the main function to ensure that no incorrect
errno value is logged on errors.
|
| |
|
|
| |
This fixes be94912.
|
| |
|
|
|
| |
This adds logging of most cases where a defined buffer is not large
enough to hold provided data on error log level.
|
| | |
|
| |
|
|
|
| |
The buffer size seems to be a problem in environments with long names or
environments with non-ASCII characters.
|
| |
|
|
|
|
| |
I had some edge cases where 64 bytes were not enough. People are using
password managers with long generated passwords. I increased the buffer
size to 128.
|
| |
|
|
|
|
|
|
|
|
|
| |
This maps the gid (gidNumber) to an AD SID for builtin groups when
searching a group by gid (RID) between 544 and 552. In that case the SID
prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but
the BUILTIN SID prefix (1-5-32).
For example, if you add a user to the Administrators builtin group
(S-1-5-32-544), now you should be able to get this group through nslcd,
instead of receiving an error message.
|
| |
|
|
|
|
|
| |
We read the date into the buffer to the specified length to get it to
the Unix time (i.e. seconds) from its AD value of nanoseconds, then
convert it to days for shadow. If we use date rather than buffer we end
up trying to convert the original nanosecond value.
|
| |
|
|
|
|
|
| |
This uses information from the deref control (if available) to get the
username for each of the members of the group. Any missing deref member
attribute values will be seen as nested groups and will be traversed if
nested group support is enabled.
|
| |
|
|
|
|
|
| |
This function looks for deref response controls (LDAP_CONTROL_X_DEREF)
in the entry and returns the information from the dereferenced attribute
in two lists: dereferenced values and attribute values that could not be
dereferenced.
|
| |
|
|
|
|
|
| |
This changes the group by member searches to not request the member
attributes. This will speed up result parsing by a fraction because less
data is transferred but will also cause the deref control not to be
added to these searches.
|
| |
|
|
|
|
|
|
|
|
| |
This uses the LDAP_CONTROL_X_DEREF control as descibed in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
member attribute values to uid attribute values in order to avoid doing
extra searches.
This control is currently only added for group search by looking for the
member attribute in the search.
|
| |
|
|
|
|
| |
This changes entrye->rangedattributevalues to entry->buffers because the
propery is not only used for ranged attribute values but for anything
that can be freed with free().
|
| |
|
|
|
| |
Since we could get arbitrray controls and are only interested in page
controls we ignore failures to find page controls.
|
| |
|
|
|
| |
This also changes do_try_search() to support building continued paged
controls and lays the groundwork for adding more search controls.
|
| |
|
|
|
|
| |
This allows remapping the member attribute to an empty string which
removes support for that attribute. This can reduce the number of search
operations if the attribute is not used.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Some pieces of code did not properly free() the value returned by
set_pop().
The leak in group code was related to the introduction of nested group
functionality in 41ba574 (merged in 3daa68d) so should only be present
in releases 0.9.0 forward.
The leak in the netgroup code only ended up in the Solaris version of
the NSS module and was introduced in 4ea9ad1 (merged in 5c8779d). This
leak is present in all releases from 0.8.0 forward.
|
| |
|
|
|
| |
This tries to avoid child processes ending up with a copy of the pipe
file descriptor that is used to signal readiness of the daemon.
|
| |
|
|
|
|
|
|
|
|
|
| |
This introduces a new daemonize module that provides functions for
closing all file descriptors, redirecting stdin/stdout/stderr to
/dev/null and a function for backgrounding an application while only
exiting the original process after the daemon process has indicated
readiness.
This is used to exit the original process only after the listening
socket has been set up and the worker threads have been started.
|
| |
|
|
|
| |
The configuration values are used in the cache to determine positive and
negative hit TTLs. This also allows completely disabling the cache.
|
| |
|
|
|
| |
This adds the cache nslcd.conf configuration option to configure the
dn2uid cache in nslcd with a positive and negative cache lifetime.
|
| |
|
|
|
| |
The positive value determines the time a found entry is valid, the
negative timeout determines the lifetime of not found entries.
|