| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
| |
One some systems _SC_OPEN_MAX can be *very* large.
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/53
|
|
|
|
|
| |
This could leave file descriptor 3 open from the parent process starting
nslcd.
|
|
|
|
|
|
|
| |
This allows passwords to contain up to 255 characters even though they
are most likely don't add any meaningful password security.
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/52
|
|
|
|
|
|
| |
This supports both `uri DNSLDAPS` and `uri DNSLDAPS:some.domain`
variants alongside the pre-existing `uri DNS` that was already supported
generating ldaps URIs for all SRV records found.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows putting `base ""` in nslcd.conf to specify an empty search
base.
Note that the LDAP server needs to support this. With slapd this
requires setting up an olcDefaultSearchBase attribute in the
olcFrontendConfig object under cn=config or have the database have an
empty suffix.
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/50
|
|
|
|
|
|
|
|
|
|
|
| |
This ensures that a connection to the first URI listed in the config
file will be re-established once the connection is closed cleanly after
the idle time.
This ensures that the listed URIs are handled more in a primary/fallback
manner if an idle time is configured.
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/46
|
|
|
|
| |
This option is passed to the LDAP library if it is supported.
|
|
|
|
| |
This option is passed to the LDAP library if it is supported.
|
|
|
|
|
|
| |
This option is passed to the LDAP library if it is supported.
Closes https://github.com/arthurdejong/nss-pam-ldapd/pull/41
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Check the result of the BIND operation instead of that of the
ldap_result() call when pam_authc_ppolicy is set to "no".
This could have resulted in successful authentication if the BIND
operation to the LDAP server timed out and pam_authc_ppolicy was set to
"no" but should not result in successful authentication otherwise so it
is unlikely that setting pam_authc_ppolicy to "no" ever worked as
intended. The timeout also would have to occur on the BIND operation,
not on setting up the connection.
Fixes 31cd2cf
|
|
|
|
|
|
| |
This fixes logging of the LDAP_OPT_TIMEOUT, LDAP_OPT_NETWORK_TIMEOUT and
LDAP_X_OPT_CONNECT_TIMEOUT options to actually log the value of the
bind_timelimit option instead of the timelimit option.
|
| |
|
| |
|
|
|
|
|
| |
This avoids logging the client PID when the underlying socker layer
cannot provide the relevant information.
|
|
|
|
|
| |
Thanks to Têko Mihinto.
See https://bugzilla.redhat.com/show_bug.cgi?id=1612543
|
|
|
|
|
|
|
|
|
| |
This adds a domain variable (if it can be determined on the system) that
can be used in pam_authz_search and pam_authc_search filters to build
search filters that search on the domain name (the FQDN without the
starting host name).
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/8
|
|
|
|
|
|
|
| |
This increases the buffer that holds log messages so longer messages can
be logged.
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/26
|
|
|
|
|
|
|
|
|
|
| |
This is needed to avoid a problem where a call to initgroups() can
result in NSS lookups. If nscd is configured the mechanism to avoid
loopback lookups using nss_ldap_enablelookups will not work and cause
for delays on start-up.
Note that this changes ownership of the socket to the user running
nslcd.
|
|
|
|
|
|
|
|
| |
This increases the host name buffer to support host names (that include
FQDNs) to 255 characters and removes the reliance on HOST_NAME_MAX and
_POSIX_HOST_NAME_MAX which may be smaller in some situations.
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/22
|
|
|
|
|
|
|
|
| |
This increases the maximum size of tokens that are read from the
nslcd.conf configuration file to 256 characters. This was a problem for
some very long uri values.
Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/21
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
The former seems to be available on more platforms than the latter.
Fixes be26510.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function integrates the myldap_set_credentials() and
myldap_get_policy_response() and performs the bind operation witout
actually performing a search.
The function performs a "fake" search that returns after performing the
LDAP BIND operation.
This replaces a number of dummy search operations that were there to
ensure that the connection was open. This allows us to skip the search
operation after authentication.
|
|
|
|
|
| |
This allows performing a different, configurable search from the default
BASE search after the BIND operation.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This moves the autzsearch_var_add(), autzsearch_vars_free(),
autzsearch_var_get() and do_autzsearches() functions to the top of the
file using more generic names and introduces search_vars_new() in
prepartion of other similar searches.
This also renames the remaining authzsearch functions to authz_search to
be consistent with the pam_authz_search option.
|
|
|
|
|
|
|
|
|
|
|
| |
This ensures that when querying the address 0:18:8a:54:1a:8b both that
format and 00:18:8a:54:1a:8b is searched for in LDAP.
This was triggerred by the fact that ether_ntoa() on FreeBSD returns the
long format while glibc uses the compact format.
Since we are no longer using the libc version of ether_ntoa() we can
also drop the compatibility implementation of ether_ntoa_r().
|
|
|
|
|
|
| |
This logs (at debug level) any LDAP uidNumber attribute values (or
translated objectSid attribute values) that are lower than nss_min_uid.
It also logs getpwuid() requests for such uids.
|
|
|
|
|
|
|
| |
When receiving a signal this will result in nslcd returning with a
success exit code.
Thanks Stanislav Moravec for pointing this out.
|
| |
|
|
|
|
| |
See https://bugs.launchpad.net/bugs/1618190
|
| |
|
|
|
|
|
|
|
| |
This avoids changing the cannonical username to the value as specified
in LDAP when ignorecase is used.
See https://github.com/arthurdejong/nss-pam-ldapd/issues/12
|
|
|
|
|
| |
Display a human readable message (days+hours, or hours+minutes, or
seconds) when the password expiring warning is issued.
|
|
|
|
|
|
|
| |
This fixes a copy-paste bug where nss_disable_enumeration was
incorrectly handled. Fixes c0366d8.
Thanks Andrew W Elble for pointing this out.
|
|
|
|
| |
This option allows completely disabling ppolicy handling.
|
|
|
|
|
| |
This fixes setting the correct LDAP error code and also fixes formatting
in 027df03.
|
|
|
|
|
|
|
|
|
|
| |
chasing referrals
This fixes a bug where 'shadowLastChange' attribute cannot be updated when
chasing a referral. After a password is succesfully changed, the credentials
for binding should also be updated with the new password for the session.
Signed-off-by: Vasilis Tsiligiannis <vasilis.tsiligiannis@nokia.com>
|
|
|
|
|
| |
This uses access() instead of stat() to see if the file is readable by
the current process. This fixes f089e01.
|
|
|
|
|
|
| |
Also try to fail over to another LDAP server on a larger number of
errors. Specifically errors that point to problems connecting to the
LDAP server.
|
|
|
|
|
| |
This is in preparation for splitting the BIND from the search phase for
authentication.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This changes the check (for configuration options that specify file
names) to just check that the specified path is readable instead of
ensisting that it points to a file.
This allows tls_randfile to point to /dev/urandom (a character device)
or a pipe. This fixes 6779a51.
This also applies the same check to the krb5_ccname option.
Thanks to Patrick McLean for pointing this out.
|
|
|
|
|
|
|
|
|
|
|
| |
This simplifies the check for overwriging pending password expiry and
grace logins warnigns and updates handling of the
LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire
value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
This also corrects the function name, also logs empty password policy
responses in debug mode and documents the meaning of the various
password policy values.
|