From 8f12c15ec91c9cf12ed08f8fdd943e9a7c0a7c12 Mon Sep 17 00:00:00 2001 From: Arthur de Jong Date: Wed, 12 Mar 2014 21:55:13 +0100 Subject: Get files ready for 0.9.3 release --- AUTHORS | 4 + ChangeLog | 353 ++++++++++++++++++++++++++++++++++++++++++++++++++ NEWS | 25 ++++ configure.ac | 4 +- man/chsh.ldap.1.xml | 6 +- man/getent.ldap.1.xml | 6 +- man/nslcd.8.xml | 6 +- man/nslcd.conf.5.xml | 6 +- man/pam_ldap.8.xml | 6 +- man/pynslcd.8.xml | 6 +- pynslcd/pynslcd.py | 4 +- 11 files changed, 404 insertions(+), 22 deletions(-) diff --git a/AUTHORS b/AUTHORS index 27437d6..c50674f 100644 --- a/AUTHORS +++ b/AUTHORS @@ -124,3 +124,7 @@ Steve Hill Caleb Callaway Bersl John Sullivan +Joshua Shire +Francois Tigeot +Davy Defaud +Lukas Slebodnik diff --git a/ChangeLog b/ChangeLog index c7854f2..0ef95f6 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,356 @@ +2014-03-12 Arthur de Jong + + * [1ec7739] INSTALL, missing, test-driver: Update files from + recent automake + +2014-03-10 Arthur de Jong + + * [44764f0] tests/Makefile.am, tests/test_myldap.sh, + tests/test_nsscmds.sh: Run the correct executables for the tests + + This fixes issues with running the tests when using a separate + build directory (fixes ef0eddaa). + +2014-03-10 Arthur de Jong + + * [77444ac] tests/test_myldap.sh: Fix nslcd-test.conf permissions + for test + + This ensures that configuration file is not world readable when + the tests are run. This avoids test failure for the use of the + rootpwmodpw option. + +2014-03-10 Arthur de Jong + + * [96e4171] common/nslcd-prot.h: Interpret transferred integers + as signed again + + This fixes an issue with unsigned values ending up in signed + fields and missing sign extension. + + See: https://bugs.debian.org/739330 + +2014-01-27 Nalin Dahyabhai + + * [2d35feb] nss/hosts.c, nss/networks.c: Use right h_errnop for + retrying with larger buffer + + The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL + when it needs to try again with a larger buffer. + + 
Signed-off-by: Lukas Slebodnik + +2014-01-27 Lukas Slebodnik + + * [8532f40] nss/hosts.c, nss/networks.c: Fix crash when retrieving + large networks entries + + If NSS_STATUS_TRYAGAIN is returned from read_one_hostent or + read_one_netent then fp will be closed and function tio_skipall + will be called with NULL pointer. It could happend in functions: + _nss_ldap_getnetbyname_r _nss_ldap_getnetbyaddr_r + _nss_ldap_gethostbyname2_r _nss_ldap_gethostbyaddr_r + + Fixes r548 (aka afd5d9b). + +2014-01-30 Davy Defaud + + * [4211961] nslcd/group.c: Support builtin Windows groups + + This maps the gid (gidNumber) to an AD SID for builtin + groups when searching a group by gid (RID) between 544 and + 552. In that case the SID prefix is not the domain's prefix + (S-1-5-21-dddddd-dddddd-dddddd) but the BUILTIN SID prefix + (1-5-32). + + For example, if you add a user to the Administrators builtin + group (S-1-5-32-544), now you should be able to get this group + through nslcd, instead of receiving an error message. + +2014-01-25 Arthur de Jong + + * [f6a0675] configure.ac: Add test for krb5 thread safety + + This adds a test that checks the return value of + krb5_is_thread_safe() to see if krb5 is thread safe (during build) + and issues a warning if it is not. + + nslcd does not directly link to krb5 but the library may be + loaded (by GSSAPI) if Kerberos is used to authenticate nslcd to + the LDAP server. + +2014-01-25 Francois Tigeot + + * [043838c] configure.ac: Also detect DragonFly as BSD + + This fixes the detection of DragonFly as requiring the freebsd + NSS interface flavour. + +2014-01-24 joshuashire + + * [2181cca] nslcd/shadow.c: Update shadow.c to resolve pwdLastSet + issue + + We read the date into the buffer to the specified length to get it + to the Unix time (i.e. seconds) from its AD value of nanoseconds, + then convert it to days for shadow. If we use date rather than + buffer we end up trying to convert the original nanosecond value. 
+ +2014-01-05 Arthur de Jong + + * [c6c317e] : Implement deref control handling + + This uses the LDAP_CONTROL_X_DEREF control as described in + draft-masarati-ldap-deref-00 to request the LDAP server to + dereference group member attribute values to uid attribute values. + + This should reduce the number of searches that are required for + expanding group members that use the member attribute. + + This mechanism could also be used to extract information on + nested groups but the gains are less clear there. + + Not all LDAP servers support this control. In OpenLDAP, load the + (currently undocumented) deref overlay and enable it for the + database to take advantage of this improvement. + + There is a functional difference when using this control. Any + returned deferred uid value returned by the LDAP server is accepted + as a member. No checks are performed to see if the user matches + the search base and search filters set for passwd entries. + +2014-01-05 Arthur de Jong + + * [309b4bb] README: Update documentation + + This documents the way the deref controls are used. + +2014-01-05 Arthur de Jong + + * [cecc024] nslcd/group.c: Use myldap_get_deref_values() to get + member uids + + This uses information from the deref control (if available) + to get the username for each of the members of the group. Any + missing deref member attribute values will be seen as nested + groups and will be traversed if nested group support is enabled. + +2014-01-05 Arthur de Jong + + * [c973834] configure.ac, nslcd/myldap.c, nslcd/myldap.h: Provide + a myldap_get_deref_values() function + + This function looks for deref response controls + (LDAP_CONTROL_X_DEREF) in the entry and returns the information + from the dereferenced attribute in two lists: dereferenced values + and attribute values that could not be dereferenced. 
+ +2014-01-05 Arthur de Jong + + * [3992e15] nslcd/group.c: Skip member attributes in bymember search + + This changes the group by member searches to not request the + member attributes. This will speed up result parsing by a fraction + because less data is transferred but will also cause the deref + control not to be added to these searches. + +2013-12-28 Arthur de Jong + + * [15ee2fc] compat/Makefile.am, compat/derefctrl.c, + compat/ldap_compat.h, configure.ac: Provide replacement + ldap_create_deref_control() + + This adds a test for a bug in OpenLDAP that allocated a + LDAP_CONTROL_PAGEDRESULTS control instead of a LDAP_CONTROL_X_DEREF + control. + +2014-01-05 Arthur de Jong + + * [547e479] configure.ac, nslcd/myldap.c: Request attribute deref + via search control + + This uses the LDAP_CONTROL_X_DEREF control as descibed in + draft-masarati-ldap-deref-00 to request the LDAP server to + dereference member attribute values to uid attribute values in + order to avoid doing extra searches. + + This control is currently only added for group search by looking + for the member attribute in the search. + +2014-01-04 Arthur de Jong + + * [c22eb08] nslcd/myldap.c: Rename entry property to indicate + storage type + + This changes entrye->rangedattributevalues to entry->buffers + because the propery is not only used for ranged attribute values + but for anything that can be freed with free(). + +2014-01-03 Arthur de Jong + + * [f009c96] nslcd/myldap.c: Ignore missing page controls + + Since we could get arbitrray controls and are only interested + in page controls we ignore failures to find page controls. + +2014-01-03 Arthur de Jong + + * [4f6dfdd] nslcd/myldap.c: Use do_try_search() also for paged + searches + + This also changes do_try_search() to support building continued + paged controls and lays the groundwork for adding more search + controls. 
+ +2014-01-05 Arthur de Jong + + * [be94912] nslcd/attmap.c, nslcd/group.c, pynslcd/group.py: + Support blanking the member attribute + + This allows remapping the member attribute to an empty string + which removes support for that attribute. This can reduce the + number of search operations if the attribute is not used. + +2014-01-05 Arthur de Jong + + * [0d3fa5d] nslcd/group.c: Fix typo + +2014-01-05 Arthur de Jong + + * [8e74848] nslcd/group.c, nss/netgroup.c, tests/test_set.c: + Fix memory leaks related to set_pop() + + Some pieces of code did not properly free() the value returned + by set_pop(). + + The leak in group code was related to the introduction of nested + group functionality in 41ba574 (merged in 3daa68d) so should + only be present in releases 0.9.0 forward. + + The leak in the netgroup code only ended up in the Solaris + version of the NSS module and was introduced in 4ea9ad1 (merged in + 5c8779d). This leak is present in all releases from 0.8.0 forward. + +2014-01-04 Arthur de Jong + + * [3288942] tests/test_myldap.c: Fix compiler warnings in the + myldap test + +2014-01-02 Arthur de Jong + + * [2b8fbc2] : Only exit nslcd when daemon is ready + + This removes a race condition between the exit of the initial + nslcd process (as started by the init script) and nslcd services + being ready. + +2014-01-02 Arthur de Jong + + * [3afedc4] compat/Makefile.am, compat/daemon.c, compat/daemon.h, + configure.ac: Remove daemon() replacement function + +2014-01-02 Arthur de Jong + + * [907d49d] configure.ac, nslcd/daemonize.c: Close daemon pipe + file descriptor on fork or exec + + This tries to avoid child processes ending up with a copy of + the pipe file descriptor that is used to signal readiness of + the daemon. 
+ +2014-01-02 Arthur de Jong + + * [42a1a3d] nslcd/Makefile.am, nslcd/daemonize.c, nslcd/daemonize.h, + nslcd/nslcd.c: Properly daemonise nslcd and only exit when ready + + This introduces a new daemonize module that provides functions for + closing all file descriptors, redirecting stdin/stdout/stderr to + /dev/null and a function for backgrounding an application while + only exiting the original process after the daemon process has + indicated readiness. + + This is used to exit the original process only after the listening + socket has been set up and the worker threads have been started. + +2013-12-28 Arthur de Jong + + * [e3f0453] configure.ac: Re-organise ldap function tests + +2013-12-21 Arthur de Jong + + * [3ce5ef9] : Make dn2uid cache tuneable + + This introduces a new cache configuration option that allows + setting positive and negative cache lifetimes for the dn2uid cache. + +2013-12-21 Arthur de Jong + + * [19f3cc3] tests/test_cfg.c: Add a test for new configuration option + +2013-12-21 Arthur de Jong + + * [09969cf] man/nslcd.conf.5.xml: Document cache option in + manual page + +2013-12-21 Arthur de Jong + + * [a0c90d2] nslcd/passwd.c: Use dn2uid cache options + + The configuration values are used in the cache to determine + positive and negative hit TTLs. This also allows completely + disabling the cache. + +2013-12-21 Arthur de Jong + + * [99ad1b4] nslcd/cfg.c, nslcd/cfg.h: Implement a cache configuration + option + + This adds the cache nslcd.conf configuration option to configure + the dn2uid cache in nslcd with a positive and negative cache + lifetime. + +2013-12-19 Arthur de Jong + + * [82bac61] nslcd/passwd.c: Have positive and negative cache timeouts + + The positive value determines the time a found entry is valid, + the negative timeout determines the lifetime of not found entries. + +2013-12-19 Arthur de Jong + + * [b9ec6df] nslcd/cfg.c: Support printing children search scope + + This fixes 2caeef4. 
+ +2013-12-18 Arthur de Jong + + * [9f02853] nslcd/alias.c, nslcd/common.c, nslcd/common.h, + nslcd/ether.c, nslcd/group.c, nslcd/host.c, nslcd/myldap.c, + nslcd/netgroup.c, nslcd/network.c, nslcd/pam.c, nslcd/passwd.c, + nslcd/protocol.c, nslcd/rpc.c, nslcd/service.c, nslcd/shadow.c, + nslcd/usermod.c: Centralise buffer sizes + + Common buffer sizes are now stored centrally so it can be easily + and consistently updated if required. Some buffers remain with + locally defined sizes that do not match a global buffer size. + +2013-11-25 Arthur de Jong + + * [23a41ce] compat/pam_get_authtok.c, compat/pam_prompt.c, + configure.ac, pam/pam.c: Add a test for pam_get_item() argument + type + + This checks whether pam_get_item() takes a const void ** or void + ** item value argument and defines a PAM_ITEM_CONST macro that + is const when it should. This avoids some compiler warnings. + +2013-10-30 Arthur de Jong + + * [81bfb8b] ChangeLog, NEWS, configure.ac, man/chsh.ldap.1.xml, + man/getent.ldap.1.xml, man/nslcd.8.xml, man/nslcd.conf.5.xml, + man/pam_ldap.8.xml, man/pynslcd.8.xml: Get files ready for + 0.9.2 release + 2013-10-29 Arthur de Jong * [ef0edda] tests/test_myldap.sh, tests/test_nsscmds.sh, diff --git a/NEWS b/NEWS index 3403e90..79a3d2d 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,28 @@ +changes from 0.9.2 to 0.9.3 +--------------------------- + +* make the dn2uid cache lifetime configurable with the cache configuration + option +* have the nslcd process only exit after the service is completely available + to avoid race conditions in the init script +* the nslcd daemon now properly daemonises (double fork) +* support mapping the member attribute to an empty string to disable the + functionality to do extra lookups for member DN to member uid translations +* implement deref control handling to request the LDAP server to dereference + group member attribute values to uid values +* support getting built-in groups from Active Directory (thanks Davy Defaud) +* fix for pwdLastSet attribute value handling (thanks Joshua Shire) +* fix a possible crash in the NSS module when retrieving large networks + entries (thanks Lukas Slebodnik) +* correct NSS h_errnop return value to indicate buffer too small (thanks + Nalin Dahyabhai) +* fix a bug with shadow values on 64-bit architectures +* automatically detect DragonFly as using the FreeBSD NSS interface (thanks + Francois Tigeot) +* add a build-time test to see if krb5 is thread-safe +* various minor bug fixes + + changes from 0.9.1 to 0.9.2 --------------------------- diff --git a/configure.ac b/configure.ac index 213c510..16e9701 100644 --- a/configure.ac +++ b/configure.ac @@ -33,10 +33,10 @@ configure.ac file for more details.]) # initialize and set version and bugreport address AC_INIT([nss-pam-ldapd], - [0.9.2], + [0.9.3], [nss-pam-ldapd-users@lists.arthurdejong.org],, [http://arthurdejong.org/nss-pam-ldapd/]) -RELEASE_MONTH="Oct 2013" +RELEASE_MONTH="Mar 2014" AC_SUBST(RELEASE_MONTH) AC_CONFIG_SRCDIR([nslcd.h]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/man/chsh.ldap.1.xml b/man/chsh.ldap.1.xml index 0e7d530..2f10ca8 100644 --- a/man/chsh.ldap.1.xml +++ b/man/chsh.ldap.1.xml @@ -5,7 +5,7 @@
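Review bot: In the AUTHORS hunk (@@ -124,3 +124,7 @@), only four of the five contributors thanked in this patch's NEWS entries are added; Nalin Dahyabhai, credited in NEWS and in ChangeLog entry [2d35feb], is not among the added lines. The hunk shows the file only from line 124 onward, so please confirm the name is already listed earlier, and add it here if it is not. The ChangeLog also credits [2181cca] to "joshuashire" while AUTHORS and NEWS use "Joshua Shire"; one spelling across the three files would make the credit easier to search for.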
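Review bot: In the ChangeLog hunk (@@ -1,3 +1,356 @@), entries [c6c317e], [2b8fbc2] and [3ce5ef9] have an empty file list ("* [c6c317e] : Implement deref control handling"), so a reader cannot tell from the ChangeLog which files those changes touched. If the file is generated from the commit log, the generator should either list the files or omit the dangling " :" for such commits. Several entries also carry spelling errors that end up in the release tarball: "happend" in [8532f40], "descibed" in [547e479], "entrye" and "propery" in [c22eb08], "arbitrray" in [f009c96], and "returned deferred uid value returned" in [c6c317e], where "dereferenced" appears to be meant.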
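Review bot: In the NEWS hunk (@@ -1,3 +1,28 @@), the bullet "implement deref control handling to request the LDAP server to dereference group member attribute values to uid values" leaves out the functional difference recorded in ChangeLog entry [c6c317e]: any dereferenced uid returned by the server is accepted as a group member, with no check against the search base and search filters set for passwd entries. Administrators who rely on those filters to limit which accounts appear in groups read NEWS rather than the ChangeLog, so the bullet should say so in one clause. The set_pop() memory leak fixes from [8e74848] are also only covered by "various minor bug fixes", although the ChangeLog states they affect releases 0.9.0 forward (group code) and 0.8.0 forward (Solaris netgroup code); a separate bullet with those ranges would help packagers decide on backports.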
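Review bot: In the configure.ac hunk (@@ -33,10 +33,10 @@), the version in AC_INIT and RELEASE_MONTH="Mar 2014" are bumped by hand, and the diffstat shows six man pages and pynslcd/pynslcd.py being edited in the same commit. If those edits are the same version and date strings, they can drift apart on a later release; since RELEASE_MONTH already goes through AC_SUBST, consider having the man pages and pynslcd.py take both values from configure substitution, or add a release check that compares them against AC_INIT.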