Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
path: root/nslcd
Commit message (Collapse)AuthorAgeFilesLines
* Add an option to test the configuration fileArthur de Jong2024-02-241-1/+15
|
* Make configuration file to use configurableArthur de Jong2024-02-241-9/+22
|
* Use closefrom() if availableArthur de Jong2022-10-102-3/+11
| | | | | | One some systems _SC_OPEN_MAX can be *very* large. Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/53
* Fix off-by one error in closing file descriptorsArthur de Jong2022-10-101-1/+1
| | | | | This could leave file descriptor 3 open from the parent process starting nslcd.
* Increase password buffer lengthArthur de Jong2022-09-041-1/+1
| | | | | | | This allows passwords to contain up to 255 characters even though they are most likely don't add any meaningful password security. Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/52
* Support DNSLDAPS in uriArthur de Jong2021-11-191-6/+26
| | | | | | This supports both `uri DNSLDAPS` and `uri DNSLDAPS:some.domain` variants alongside the pre-existing `uri DNS` that was already supported generating ldaps URIs for all SRV records found.
* Support an empty search baseArthur de Jong2021-11-021-9/+5
| | | | | | | | | | | | This allows putting `base ""` in nslcd.conf to specify an empty search base. Note that the LDAP server needs to support this. With slapd this requires setting up an olcDefaultSearchBase attribute in the olcFrontendConfig object under cn=config or have the database have an empty suffix. Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/50
* Retry connecting to the first URI after idle_timelimitArthur de Jong2021-05-261-0/+2
| | | | | | | | | | | This ensures that a connection to the first URI listed in the config file will be re-established once the connection is closed cleanly after the idle time. This ensures that the listed URIs are handled more in a primary/fallback manner if an idle time is configured. Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/46
* Add tls_reqsan to check certificate SANArthur de Jong2021-01-231-13/+49
| | | | This option is passed to the LDAP library if it is supported.
* Add tls_crlfile to check local CRL fileArthur de Jong2021-01-231-2/+22
| | | | This option is passed to the LDAP library if it is supported.
* Add tls_crlcheck to check Certificate Revocation Listsebastienblavier2021-01-181-0/+52
| | | | | | This option is passed to the LDAP library if it is supported. Closes https://github.com/arthurdejong/nss-pam-ldapd/pull/41
* Fix handling of the pam_authc_ppolicy optionArthur de Jong2020-09-111-17/+13
| | | | | | | | | | | | | | Check the result of the BIND operation instead of that of the ldap_result() call when pam_authc_ppolicy is set to "no". This could have resulted in successful authentication if the BIND operation to the LDAP server timed out and pam_authc_ppolicy was set to "no" but should not result in successful authentication otherwise so it is unlikely that setting pam_authc_ppolicy to "no" ever worked as intended. The timeout also would have to occur on the BIND operation, not on setting up the connection. Fixes 31cd2cf
* Log the correct timeout valueArthur de Jong2019-12-271-3/+3
| | | | | | This fixes logging of the LDAP_OPT_TIMEOUT, LDAP_OPT_NETWORK_TIMEOUT and LDAP_X_OPT_CONNECT_TIMEOUT options to actually log the value of the bind_timelimit option instead of the timelimit option.
* Get files ready for 0.9.11 release0.9.11Arthur de Jong2019-10-061-2/+2
|
* Various spelling fixesArthur de Jong2019-09-178-20/+20
|
* Avoid logging unknown socket peer informationArthur de Jong2018-09-081-3/+15
| | | | | This avoids logging the client PID when the underlying socker layer cannot provide the relevant information.
* Make password expiry messages correct and consistentArthur de Jong2018-08-062-14/+14
| | | | | Thanks to Têko Mihinto. See https://bugzilla.redhat.com/show_bug.cgi?id=1612543
* Add domain variable for use in pam_authz_searchArthur de Jong2018-07-212-2/+7
| | | | | | | | | This adds a domain variable (if it can be determined on the system) that can be used in pam_authz_search and pam_authc_search filters to build search filters that search on the domain name (the FQDN without the starting host name). Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/8
* Allow logging longer linesArthur de Jong2018-07-211-1/+1
| | | | | | | This increases the buffer that holds log messages so longer messages can be logged. Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/26
* Create /var/run/nslcd/socket after dropping privilegesArthur de Jong2018-07-211-3/+3
| | | | | | | | | | This is needed to avoid a problem where a call to initgroups() can result in NSS lookups. If nscd is configured the mechanism to avoid loopback lookups using nss_ldap_enablelookups will not work and cause for delays on start-up. Note that this changes ownership of the socket to the user running nslcd.
* Increase size of hostname bufferArthur de Jong2018-02-172-13/+4
| | | | | | | | This increases the host name buffer to support host names (that include FQDNs) to 255 characters and removes the reliance on HOST_NAME_MAX and _POSIX_HOST_NAME_MAX which may be smaller in some situations. Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/22
* Increase size of config file tokenArthur de Jong2017-12-231-1/+1
| | | | | | | | This increases the maximum size of tokens that are read from the nslcd.conf configuration file to 256 characters. This was a problem for some very long uri values. Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/21
* Support spaces in attribute mapping expressionsArthur de Jong2017-10-131-5/+4
|
* Get files ready for 0.9.8 release0.9.8Arthur de Jong2017-06-261-2/+2
|
* Add the ability to offset UID and GID numbersSeth Wright2017-06-204-0/+21
|
* Use uint8_t instead of u_int8_tArthur de Jong2017-06-181-4/+4
| | | | | | The former seems to be available on more platforms than the latter. Fixes be26510.
* Also filter shadow entries by validnamesArthur de Jong2017-06-181-11/+24
|
* Fix and clarify a few commentsArthur de Jong2017-06-182-3/+3
|
* Allow skipping post-authentication search altogetherArthur de Jong2017-06-151-1/+1
|
* Implement myldap_bind() functionArthur de Jong2017-06-154-103/+84
| | | | | | | | | | | | | This function integrates the myldap_set_credentials() and myldap_get_policy_response() and performs the bind operation witout actually performing a search. The function performs a "fake" search that returns after performing the LDAP BIND operation. This replaces a number of dummy search operations that were there to ensure that the connection was open. This allows us to skip the search operation after authentication.
* Implement handling of pam_authc_search optionArthur de Jong2017-06-151-13/+42
| | | | | This allows performing a different, configurable search from the default BASE search after the BIND operation.
* Add pam_authc_search option parsingArthur de Jong2017-06-153-21/+48
|
* Reorganise PAM search var building functionsArthur de Jong2017-06-141-118/+133
| | | | | | | | | | This moves the autzsearch_var_add(), autzsearch_vars_free(), autzsearch_var_get() and do_autzsearches() functions to the top of the file using more generic names and introduces search_vars_new() in prepartion of other similar searches. This also renames the remaining authzsearch functions to authz_search to be consistent with the pam_authz_search option.
* Query ethernet addresses in compact and long formatArthur de Jong2017-06-131-10/+22
| | | | | | | | | | | This ensures that when querying the address 0:18:8a:54:1a:8b both that format and 00:18:8a:54:1a:8b is searched for in LDAP. This was triggerred by the fact that ether_ntoa() on FreeBSD returns the long format while glibc uses the compact format. Since we are no longer using the libc version of ether_ntoa() we can also drop the compatibility implementation of ether_ntoa_r().
* Log entries and lookups failing nss_min_uidArthur de Jong2017-06-071-2/+15
| | | | | | This logs (at debug level) any LDAP uidNumber attribute values (or translated objectSid attribute values) that are lower than nss_min_uid. It also logs getpwuid() requests for such uids.
* Exit with 0 when stopping nslcdArthur de Jong2017-02-071-1/+1
| | | | | | | When receiving a signal this will result in nslcd returning with a success exit code. Thanks Stanislav Moravec for pointing this out.
* Remove duplicate break statementArthur de Jong2016-09-041-1/+1
|
* Do not try all LDAP servers on failed authenticationArthur de Jong2016-09-041-0/+7
| | | | See https://bugs.launchpad.net/bugs/1618190
* Get files ready for 0.9.7 release0.9.7Arthur de Jong2016-08-141-2/+2
|
* Also honor ignorecase in PAMArthur de Jong2016-06-031-1/+1
| | | | | | | This avoids changing the cannonical username to the value as specified in LDAP when ignorecase is used. See https://github.com/arthurdejong/nss-pam-ldapd/issues/12
* Display human readable expiry messageMathieu Baeumler2016-02-131-8/+59
| | | | | Display a human readable message (days+hours, or hours+minutes, or seconds) when the password expiring warning is issued.
* Fix nss_disable_enumeration configurationArthur de Jong2016-02-131-1/+1
| | | | | | | This fixes a copy-paste bug where nss_disable_enumeration was incorrectly handled. Fixes c0366d8. Thanks Andrew W Elble for pointing this out.
* Add pam_authc_ppolicy optionMathieu Baeumler2016-01-063-19/+49
| | | | This option allows completely disabling ppolicy handling.
* Fix error handling on credential changeArthur de Jong2016-01-061-2/+4
| | | | | This fixes setting the correct LDAP error code and also fixes formatting in 027df03.
* Fix updating of 'shadowLastChange' attribute when ↵Vasilis Tsiligiannis2015-12-231-0/+9
| | | | | | | | | | chasing referrals This fixes a bug where 'shadowLastChange' attribute cannot be updated when chasing a referral. After a password is succesfully changed, the credentials for binding should also be updated with the new password for the session. Signed-off-by: Vasilis Tsiligiannis <vasilis.tsiligiannis@nokia.com>
* Correct file readability checkArthur de Jong2015-11-131-9/+2
| | | | | This uses access() instead of stat() to see if the file is readable by the current process. This fixes f089e01.
* Fail-over and retry on more errorsArthur de Jong2015-09-301-1/+4
| | | | | | Also try to fail over to another LDAP server on a larger number of errors. Specifically errors that point to problems connecting to the LDAP server.
* Open connection before do_try_search()Arthur de Jong2015-09-301-5/+5
| | | | | This is in preparation for splitting the BIND from the search phase for authentication.
* Loosen up file existence checkArthur de Jong2015-08-271-70/+65
| | | | | | | | | | | | | This changes the check (for configuration options that specify file names) to just check that the specified path is readable instead of ensisting that it points to a file. This allows tls_randfile to point to /dev/urandom (a character device) or a pipe. This fixes 6779a51. This also applies the same check to the krb5_ccname option. Thanks to Patrick McLean for pointing this out.
* Simplify password policy message handlingArthur de Jong2015-08-151-14/+20
| | | | | | | | | | | This simplifies the check for overwriging pending password expiry and grace logins warnigns and updates handling of the LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE. This also corrects the function name, also logs empty password policy responses in debug mode and documents the meaning of the various password policy values.