1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
|
2016-08-14 Arthur de Jong <arthur@arthurdejong.org>
* [db9494e] tests/Makefile.am: Only run doctests when building
pynslcd
2016-08-14 Arthur de Jong <arthur@arthurdejong.org>
* [cb16e4c] nss/bsdnss.c: Avoid some warnings on FreeBSD
This adds casts to and from void * for the function pointers
that are passed around.
2016-07-27 Arthur de Jong <arthur@arthurdejong.org>
* [b7a0b23] ChangeLog, ChangeLog-2013, Makefile.am: Archive 2013
ChangeLog entries
2016-07-27 Arthur de Jong <arthur@arthurdejong.org>
* [e4df12c] config.guess, config.sub, install-sh: Update files
from latest automake
2016-07-27 Arthur de Jong <arthur@arthurdejong.org>
* [db8034a] man/Makefile.am, utils/Makefile.am, utils/getent.py:
Also use module-name in utilities and man pages
This ensures that getent.ldap, chsh.ldap and manual pages with
ldap in the name will be installed with the name as specified
with --with-module-name.
Note that the manual page content still describes the working
within nss-pam-ldapd and still mention the ldap name.
2016-06-04 Arthur de Jong <arthur@arthurdejong.org>
* [281b0ec] tests/test_doctest.sh: Ensure doctest also run in
distcheck
This fixes test_doctest.sh to also work when the build directory
is different from the source directory. This is needed because
constants.py is only available in the build directory.
2016-06-03 Arthur de Jong <arthur@arthurdejong.org>
* [a89eda7] nslcd/pam.c: Also honor ignorecase in PAM
This avoids changing the cannonical username to the value as
specified in LDAP when ignorecase is used.
See https://github.com/arthurdejong/nss-pam-ldapd/issues/12
2016-06-03 Arthur de Jong <arthur@arthurdejong.org>
* [7eb1d69] pynslcd/expr.py: Support ${var:offset:length} in pynslcd
2016-06-02 Arthur de Jong <arthur@arthurdejong.org>
* [c90a537] pynslcd/attmap.py: Fix pynslcd expression representation
The problem was that the ExpressionMapping string value did not
include the quotes which will cause problems when printing the
expression (e.g. when logging or dumping config, etc.).
2016-06-02 Arthur de Jong <arthur@arthurdejong.org>
* [fd61bb6] tests/Makefile.am, tests/test_doctest.sh: Add test
for running doctests
2016-05-30 Giovanni Mascellani <mascellani@poisson.phc.unipi.it>
* [2ba9560] common/expr.c, man/nslcd.conf.5.xml, tests/test_expr.c:
Support substituting expresions of type ${var:offset:length}
2016-05-30 Giovanni Mascellani <mascellani@poisson.phc.unipi.it>
* [3a4860c] man/nslcd.conf.5.xml: Fix small typo
2016-05-24 Arthur de Jong <arthur@arthurdejong.org>
* [917ded7] common/expr.c: Refactor out expression parsing to
functions
This moves the parsing of the various ${var...} expressions to
separate functions so they can be extended more easily.
2016-02-22 Arthur de Jong <arthur@arthurdejong.org>
* [4be9c59] pam/pam.c: Fix logic error
This could result in a free(NULL) call. This code path can
only be triggered if pam_ldap changes the logged-in username
(introduced in 6a74d8d).
Thanks 依云, see
https://github.com/arthurdejong/nss-pam-ldapd/issues/11
2016-01-30 Mathieu Baeumler <mathieu.baeumler@gmail.com>
* [985aec3] nslcd/myldap.c: Display human readable expiry message
Display a human readable message (days+hours, or hours+minutes,
or seconds) when the password expiring warning is issued.
2016-02-13 Arthur de Jong <arthur@arthurdejong.org>
* [b795f6c] nslcd/cfg.c: Fix nss_disable_enumeration configuration
This fixes a copy-paste bug where nss_disable_enumeration was
incorrectly handled. Fixes c0366d8.
Thanks Andrew W Elble for pointing this out.
2016-01-18 Arthur de Jong <arthur@arthurdejong.org>
* [525c996] tests/test.ldif, tests/test_nsscmds.sh: Add a few
IPv6 tests
This adds a few test hosts that have IPv6 addresses. This
ensures that we have an IPv6-only host and hosts which have
address values in different order in the ipHostNumber attribute
(although attribute order is probably not guaranteed).
2015-10-18 Mathieu Baeumler <mathieu.baeumler@gmail.com>
* [31cd2cf] man/nslcd.conf.5.xml, nslcd/cfg.c, nslcd/cfg.h,
nslcd/myldap.c: Add pam_authc_ppolicy option
This option allows completely disabling ppolicy handling.
2016-01-06 Arthur de Jong <arthur@arthurdejong.org>
* [117c9cb] nslcd/pam.c: Fix error handling on credential change
This fixes setting the correct LDAP error code and also fixes
formatting in 027df03.
2015-12-23 Vasilis Tsiligiannis <vasilis.tsiligiannis@nokia.com>
* [027df03] nslcd/pam.c: Fix updating of 'shadowLastChange'
attribute when chasing referrals
This fixes a bug where 'shadowLastChange' attribute cannot be
updated when chasing a referral. After a password is succesfully
changed, the credentials for binding should also be updated with
the new password for the session.
Signed-off-by: Vasilis Tsiligiannis
<vasilis.tsiligiannis@nokia.com>
2015-11-13 Arthur de Jong <arthur@arthurdejong.org>
* [fcea92d] nslcd/cfg.c: Correct file readability check
This uses access() instead of stat() to see if the file is
readable by the current process. This fixes f089e01.
2015-09-20 Arthur de Jong <arthur@arthurdejong.org>
* [c879485] nslcd/myldap.c: Fail-over and retry on more errors
Also try to fail over to another LDAP server on a larger number
of errors. Specifically errors that point to problems connecting
to the LDAP server.
2015-08-29 Arthur de Jong <arthur@arthurdejong.org>
* [3d09e28] nslcd/myldap.c: Open connection before do_try_search()
This is in preparation for splitting the BIND from the search
phase for authentication.
2015-08-27 Arthur de Jong <arthur@arthurdejong.org>
* [f089e01] nslcd/cfg.c: Loosen up file existence check
This changes the check (for configuration options that specify
file names) to just check that the specified path is readable
instead of ensisting that it points to a file.
This allows tls_randfile to point to /dev/urandom (a character
device) or a pipe. This fixes 6779a51.
This also applies the same check to the krb5_ccname option.
Thanks to Patrick McLean for pointing this out.
2015-08-14 Arthur de Jong <arthur@arthurdejong.org>
* [309f127] pam/pam.c: Have PAM module log messages to syslog
This logs informational messages that are presented to the user
tot syslog. This normally includes password expiry and grace
login information which may be useful to log.
2015-08-14 Arthur de Jong <arthur@arthurdejong.org>
* [263a443] nslcd/myldap.c: Simplify password policy message handling
This simplifies the check for overwriging pending password
expiry and grace logins warnigns and updates handling of the
LDAP_CONTROL_PWEXPIRING control to be consistent with that of
the expire value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
This also corrects the function name, also logs empty password
policy responses in debug mode and documents the meaning of the
various password policy values.
2015-07-09 Mathieu Baeumler <mathieu.baeumler@gmail.com>
* [4302901] nslcd/myldap.c: Fix password policy expiration warnings
If a password expiration warning (pwdExpireWarning) is set in
slapd, and the password is about to expire, slapd sends the
timeBeforeExpiration value as part of the passwordPolicyResponse.
nslcd would incorrectly instruct the PAM module to require
immediate password change. This has been fixed for both
timeBeforeExpiration and graceLoginsRemaining.
2015-07-19 Arthur de Jong <arthur@arthurdejong.org>
* [89b471b] ar-lib, autogen.sh, compile, configure.ac, depcomp,
install-sh, missing, py-compile, test-driver: Update files from
automake 1.15
This also includes the m4 directory when invoking aclocal because
not all versions seem to handle AC_CONFIG_MACRO_DIR.
2015-07-19 Arthur de Jong <arthur@arthurdejong.org>
* [86a4618] m4/ax_tls.m4: Disable quoting in AX_TLS notfound case
This ensures that AS_IF does not generate an empty else clause
which will result in an invalid configure script.
2015-07-19 Arthur de Jong <arthur@arthurdejong.org>
* [6779a51] nslcd/cfg.c: Check file existence for configuration
options
This adds addition checks to the tls_cacertdir, tls_cacertfile,
tls_randfile, tls_cert and tls_key options to ensure that they
point to an existing file when parsing nslcd.conf.
2015-07-19 Arthur de Jong <arthur@arthurdejong.org>
* [a6c7c63] pynslcd/pynslcd.py: Work around bug in python-daemon
See https://bugs.debian.org/792871
2015-07-08 Arthur de Jong <arthur@arthurdejong.org>
* [c32e8c0] m4/ax_pthread.m4, m4/ax_tls.m4: Update macros from
autoconf-archive
2015-06-14 Arthur de Jong <arthur@arthurdejong.org>
* [d949bd4] AUTHORS, ChangeLog, NEWS, configure.ac,
man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml:
Get files ready for 0.9.6 release
2015-06-14 Arthur de Jong <arthur@arthurdejong.org>
* [4236dd6] Makefile.am: Correctly insert emtpy lines in ChangeLog
2015-06-13 Arthur de Jong <arthur@arthurdejong.org>
* [e916a2b] man/nslcd.conf.5.xml: Manual page improvements
2015-06-13 Arthur de Jong <arthur@arthurdejong.org>
* [9a7921f] nslcd/common.c, nslcd/common.h: Also fix signed integer
bug in binsid2id()
This should have been part of d217632.
2015-06-11 Geoffrey McRae <gnif@xbmc.org>
* [d217632] nslcd/common.c: Fixed signed 32bit overflow bug on
32bit systems
2015-05-23 Jed Liu <jed-nss-pam-ldapd-users@uma.litech.org>
* [3add5f0] nslcd/cfg.c: Allow configuration values longer than
63 characters
2015-03-06 Arthur de Jong <arthur@arthurdejong.org>
* [d58fba9] nss/netgroup.c: Provide innetgr function on Solaris
This implements a function in the Solaris version of the NSS module
to check if a specifc netgroup triplet is part of a netgroup.
This also avoids a compiler warning and includes improvements
and testing by Mark R Bannister.
2015-05-01 Andrew Elble <aweits@rit.edu>
* [c0366d8] man/nslcd.conf.5.xml, nslcd/cfg.c, nslcd/cfg.h,
nslcd/nslcd.c, pynslcd/cfg.py, pynslcd/group.py, pynslcd/passwd.py,
pynslcd/shadow.py: Implement disable_enumeration
If this option is present, functions which cause all user/group
entries to be loaded (getpwent(), getgrent()) from the directory
will not succeed in doing so. This can dramatically reduce
ldap server load in situations where there are a great number
of users and/or groups. Applications that depend on being able
to sequentially read all users and/or groups may fail to operate
correctly. This option is not recommended for most configurations.
2015-04-17 Arthur de Jong <arthur@arthurdejong.org>
* [96045d2] man/nslcd.conf.5.xml, nslcd/cfg.c, nslcd/cfg.h,
nslcd/group.c, pynslcd/cfg.py, pynslcd/group.py: Implement
nss_getgrent_skipmembers
This option allows skipping group member list retrieval to
improve performance with very large groups. This option results
in inconsistent group membership information being presented
that may confuse some applications.
2015-04-15 Arthur de Jong <arthur@arthurdejong.org>
* [530cc24] nslcd/daemonize.c, nslcd/nslcd.c: Avoid signal race
condition on start-up
This only restores the signal mask after signal handlers are in
place and the daemon has completely daemonised to avoid a race
condition in the start-up phase of nslcd where a signal could
be sent to nslcd causing it to quit or fail to write information
to the parent process.
2015-03-29 Arthur de Jong <arthur@arthurdejong.org>
* [16fd8c6] AUTHORS, ChangeLog, NEWS, README, configure.ac,
man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
man/pam_ldap.8.xml, man/pynslcd.8.xml: Get files ready for
0.9.5 release
2015-03-11 Tim Rice <tim@multitalents.net>
* [ae08830] common/Makefile.am, compat/Makefile.am, configure.ac,
nss/Makefile.am, pam/Makefile.am: Use correct PIC arg for
non-GCC compilers
2015-03-22 Arthur de Jong <arthur@arthurdejong.org>
* [fdbca17] config.sub: Update files from latest automake
2015-03-22 Arthur de Jong <arthur@arthurdejong.org>
* [9f9a5c5] nss/networks.c: Fix for networks lookup under Solaris
This fixes a byte order issue when nscd is running.
2015-03-22 Arthur de Jong <arthur@arthurdejong.org>
* [52ea3f5] configure.ac: Add checks to configure
This adds tests for a function and type used in the code.
2015-03-22 Arthur de Jong <arthur@arthurdejong.org>
* [4ec1c08] nslcd/daemonize.c: ENODATA is missing on FreeBSD
FreeBSD doesn't have ENODATA so we use ENOATTR instead.
2015-03-22 Arthur de Jong <arthur@arthurdejong.org>
* [b2563b0] compat/nss_compat.h, configure.ac: Remove use of
irs-nss.h
This was a compatibility leftover from the nss_ldap days.
2015-03-21 Arthur de Jong <arthur@arthurdejong.org>
* [4c5a3c9] tests/test_clock.c: Prevent numer overflow in test_clock
2015-03-21 Arthur de Jong <arthur@arthurdejong.org>
* [0420232] nslcd/nslcd.c, nslcd/nsswitch.c, nss/Makefile.am,
tests/testenv.sh: Various small fixes when using --with-module-name
This updates the test framework to support --with-module-name,
ensures that exports.map is rebuilt when configure is re-ran,
fixes parsing of nsswitch.conf (to determine what to return for
passwd lookups) and fixes the check for _nss_ldap_version.
2015-03-21 Arthur de Jong <arthur@arthurdejong.org>
* [788475f] nss/common.h: Also support platforms without TLS
This disables the use of thread-local storage in the NSS module
when it is not available in libc. This results in the get*ent()
functions not being thread-safe. However, on most platforms they
are not expected to be thread-safe anyway.
2015-03-20 Dalibor Pospíšil <dapospis@redhat.com>
* [95d621e] man/nslcd.conf.5.xml: Document that multiple URIs can
be specified
Update nslcd.conf man page that multiple URIs can be set by
using more uri lines or more URIs defined on one uri line.
https://bugzilla.redhat.com/show_bug.cgi?id=1204195
2015-03-11 Patrick McLean <chutzpah@gentoo.org>
* [fa6affc] common/tio.c, nslcd/attmap.c, nslcd/cfg.c,
nslcd/myldap.c: Fix formatting of size_t values
In several places the code used a %d format to print a size_t
variable. On amd64 at least size_t is an unsigned long, so use
%lu instead.
An alternative would be to use %ud for size_t and %zd fo ssize_t
but not all platforms seem to support that formatter.
2015-03-11 Patrick McLean <chutzpah@gentoo.org>
* [246aba5] nslcd/myldap.c, pam/pam.c: Avoid comparison of static
array to null pointer
There are several places where a static length array in a struct
is compared to a null pointer. These comparisons will always
be false, since an array in a struct is not actually a pointer,
so they can be removed.
2015-03-10 Patrick McLean <chutzpah@gentoo.org>
* [d0f896a] AUTHORS, nslcd/nslcd.c: Don't let the oom killer
kill nslcd
Adjust the Linux OOM (Out-Of-Memory) killer score by -1000 for
nslcd so that it should not be killed.
2015-01-19 Arthur de Jong <arthur@arthurdejong.org>
* [ee82d2f] .gitignore, configure.ac, nslcd/nslcd.c,
nss/Makefile.am, nss/aliases.c, nss/bsdnss.c, nss/common.c,
nss/common.h, nss/ethers.c, nss/group.c, nss/hosts.c,
nss/netgroup.c, nss/networks.c, nss/passwd.c, nss/protocols.c,
nss/prototypes.h, nss/rpc.c, nss/services.c, nss/shadow.c,
pam/pam.c, pynslcd/constants.py.in, pynslcd/pynslcd.py: Allow
configuration of NSS and PAM names
This introduces the --with-module-name configure option to
allow building of NSS and PAM modules with different namespaces
than ldap.
2015-01-12 Mark R Bannister <dbis@proseconsulting.co.uk>
* [ed8b312] nss/hosts.c: Fix uninitialised variable
This fixes a bug in the NSS library when encountering IPv6
addresses in the hosts map.
2014-12-12 Arthur de Jong <arthur@arthurdejong.org>
* [8b33057] nslcd/myldap.c: Avoid accessing searches outside array
Thanks David Binderma for pointing this out.
Note that in practical situations this should not result in any
errors due to the position of searches within the ldap_session
struct.
2014-11-02 Arthur de Jong <arthur@arthurdejong.org>
* [9ee854e] man/nslcd.conf.5.xml: Document that rootpwmoddn needs
to exist
See
http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00166.html
2014-10-10 Arthur de Jong <arthur@arthurdejong.org>
* [4262122] nslcd/nslcd.c: Fix format string
Thanks Jianhai Luan.
2014-10-04 Arthur de Jong <arthur@arthurdejong.org>
* [1d3b19b] nslcd/nslcd.c: Block signals sooner to avoid race
conditions
2014-08-27 Jason Luan <jianhai.luan@oracle.com>
* [78627c9] nslcd/cfg.c, nslcd/group.c, nslcd/nslcd.c,
nslcd/passwd.c: uid_t/gid_t should be formatted as unsigned long
mmkfilter_passwd_byuid()/mkfilter_group_bygid() get wrong filter
string because "%d" will return negative when uid/gid larger
than 2^31, and result to "Authentiction failure".
This also changes the other places where uid_t or gid_t values
are formatted.
2014-09-21 Arthur de Jong <arthur@arthurdejong.org>
* [a726d29] nslcd/daemonize.c: Fix issues with daemonising
This fixes a problem with a buffer that could end up padded
with garbage.
This also clarifies the code a bit and adds extra logging for
errors that could occur during daemonising.
2014-06-30 Tim Harder <radhermit@gmail.com>
* [82e4423] nslcd/myldap.c: Minor comment spelling fix
2014-06-30 Tim Harder <radhermit@gmail.com>
* [2950797] AUTHORS, nslcd/myldap.c: Check a socket's connectivity
before trying to use it
This alleviates some cases where multi-second lag occurs before a
query returns due to some or all connections having been closed
by the peer, e.g. a load balancer timing out old connections,
but they are all tried before opening new connections.
Tested and working on Linux.
2014-06-20 Arthur de Jong <arthur@arthurdejong.org>
* [1765e34] nslcd/common.h: Fix copy-pasto
2014-06-12 Arthur de Jong <arthur@arthurdejong.org>
* [9516479] tests/test.ldif, tests/test_nsscmds.sh: Use other IP
range for tests
This uses IP addresses from the RFC 5737 TEST-NET-1 range that is
meant for use in documentation. This avoids issues with running
the tests environments that also use the 10.0.0.0/8 range.
2014-06-06 Arthur de Jong <arthur@arthurdejong.org>
* [b3cf0aa] AUTHORS, ChangeLog, NEWS, configure.ac,
man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml:
Get files ready for 0.9.4 release
2014-06-06 Arthur de Jong <arthur@arthurdejong.org>
* [abb2452] nss/services.c: Return correct port number on Solaris
This is a small fix for when using nscd (which still does not
seem to work completely). The port is stored in network byte
order but should be printed in host byte order.
2014-06-06 Arthur de Jong <arthur@arthurdejong.org>
* [b977d3f] tests/lookup_groupbyuser.c: Add missing include
for FreeBSD
2014-06-06 Arthur de Jong <arthur@arthurdejong.org>
* [258d671] nslcd/pam.c: Fix password modification by root
This fixes 15fc13c.
2014-06-06 Arthur de Jong <arthur@arthurdejong.org>
* [8eeb1cc] common/tio.c: Clear proper buffer length
This fixes 3d29861.
2014-06-06 Arthur de Jong <arthur@arthurdejong.org>
* [3d65b84] nslcd/common.h: Fix code indentation
This fixes 2274b41.
2014-06-06 Arthur de Jong <arthur@arthurdejong.org>
* [e867727] config.guess, config.sub: Update files from latest
automake
2014-06-05 Arthur de Jong <arthur@arthurdejong.org>
* [f5ee208] pynslcd/cache.py: Fix comment
2014-06-05 Arthur de Jong <arthur@arthurdejong.org>
* [13483f9] .gitignore, configure.ac, tests/Makefile.am,
tests/lookup_groupbyuser.c: Introduce lookup_groupbyuser test
command
This command can be used to perform a lookup using getgrouplist()
to present a list of returned numeric group ids. This can be
used to avoid the additional lookups that are done with the id
and groups commands.
2014-05-14 Arthur de Jong <arthur@arthurdejong.org>
* [3d29861] common/tio.c, nslcd/myldap.c, nslcd/pam.c: Clear
buffers before free-ing
This clears most buffers that may hold credentials at one point
before free()ing the memory.
2014-05-08 Arthur de Jong <arthur@arthurdejong.org>
* [aa1d810] HACKING: Clarify code contribution
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [94eacb5] nslcd/pam.c: Improve error logging of user login failures
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [ca36a50] nslcd/myldap.c: Also extract policy controls on
BIND failure
This ensures that controls returned by an LDAP server as part of
a failed BIND operation are also returned. This makes it possible
to distinguish between a wrong password and an expired password.
This also only logs the BIND operation result on DEBUG level
(the error is logged later on).
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [d6163e2] configure.ac: Use FreeBSD lib directory and SONAME
on Dragonfly
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [f6f3730] README, man/nslcd.conf.5.xml: Small documentation
improvements
This includes a number of minor changes to the documentation. This
also documents the children search scope (related to 2caeef4).
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [ed79110] nslcd/daemonize.c, nslcd/nslcd.c: Log daemonising
failures
This also clears errno in the main function to ensure that no
incorrect errno value is logged on errors.
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [18d05b0] .gitignore, tests/Makefile.am, tests/test_attmap.c:
Add a test for setting member attribute mapping
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [fbea2a5] nslcd/attmap.c: Fix mapping group member attribute to
empty string
This fixes be94912.
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [2274b41] nslcd/alias.c, nslcd/attmap.c, nslcd/cfg.c,
nslcd/common.h, nslcd/ether.c, nslcd/group.c, nslcd/host.c,
nslcd/invalidator.c, nslcd/myldap.c, nslcd/netgroup.c,
nslcd/network.c, nslcd/pam.c, nslcd/passwd.c, nslcd/protocol.c,
nslcd/rpc.c, nslcd/service.c, nslcd/shadow.c: Make buffer size
error logging consistent
This adds logging of most cases where a defined buffer is not
large enough to hold provided data on error log level.
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [15fc13c] nslcd/myldap.c, nslcd/myldap.h, nslcd/pam.c,
nslcd/usermod.c: Warn when binddn buffer is too small
2014-05-04 Arthur de Jong <arthur@arthurdejong.org>
* [f987891] nslcd/common.h: Grow DN buffer size
The buffer size seems to be a problem in environments with long
names or environments with non-ASCII characters.
2014-05-02 ushi <ushi@honkgong.info>
* [119cebf] nslcd/common.h: Use larger nslcd password buffer
I had some edge cases where 64 bytes were not enough. People
are using password managers with long generated passwords. I
increased the buffer size to 128.
2014-03-12 Arthur de Jong <arthur@arthurdejong.org>
* [8f12c15] AUTHORS, ChangeLog, NEWS, configure.ac,
man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml,
pynslcd/pynslcd.py: Get files ready for 0.9.3 release
2014-03-12 Arthur de Jong <arthur@arthurdejong.org>
* [1ec7739] INSTALL, missing, test-driver: Update files from
recent automake
2014-03-10 Arthur de Jong <arthur@arthurdejong.org>
* [44764f0] tests/Makefile.am, tests/test_myldap.sh,
tests/test_nsscmds.sh: Run the correct executables for the tests
This fixes issues with running the tests when using a separate
build directory (fixes ef0eddaa).
2014-03-10 Arthur de Jong <arthur@arthurdejong.org>
* [77444ac] tests/test_myldap.sh: Fix nslcd-test.conf permissions
for test
This ensures that configuration file is not world readable when
the tests are run. This avoids test failure for the use of the
rootpwmodpw option.
2014-03-10 Arthur de Jong <arthur@arthurdejong.org>
* [96e4171] common/nslcd-prot.h: Interpret transferred integers
as signed again
This fixes an issue with unsigned values ending up in signed
fields and missing sign extension.
See: https://bugs.debian.org/739330
2014-01-27 Nalin Dahyabhai <nalin@redhat.com>
* [2d35feb] nss/hosts.c, nss/networks.c: Use right h_errnop for
retrying with larger buffer
The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL
when it needs to try again with a larger buffer.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
2014-01-27 Lukas Slebodnik <lslebodn@redhat.com>
* [8532f40] nss/hosts.c, nss/networks.c: Fix crash when retrieving
large networks entries
If NSS_STATUS_TRYAGAIN is returned from read_one_hostent or
read_one_netent then fp will be closed and function tio_skipall
will be called with NULL pointer. It could happend in functions:
_nss_ldap_getnetbyname_r _nss_ldap_getnetbyaddr_r
_nss_ldap_gethostbyname2_r _nss_ldap_gethostbyaddr_r
Fixes r548 (aka afd5d9b).
2014-01-30 Davy Defaud <davy.defaud@free.fr>
* [4211961] nslcd/group.c: Support builtin Windows groups
This maps the gid (gidNumber) to an AD SID for builtin
groups when searching a group by gid (RID) between 544 and
552. In that case the SID prefix is not the domain's prefix
(S-1-5-21-dddddd-dddddd-dddddd) but the BUILTIN SID prefix
(1-5-32).
For example, if you add a user to the Administrators builtin
group (S-1-5-32-544), now you should be able to get this group
through nslcd, instead of receiving an error message.
2014-01-25 Arthur de Jong <arthur@arthurdejong.org>
* [f6a0675] configure.ac: Add test for krb5 thread safety
This adds a test that checks the return value of
krb5_is_thread_safe() to see if krb5 is thread safe (during build)
and issues a warning if it is not.
nslcd does not directly link to krb5 but the library may be
loaded (by GSSAPI) if Kerberos is used to authenticate nslcd to
the LDAP server.
2014-01-25 Francois Tigeot <ftigeot@wolfpond.org>
* [043838c] configure.ac: Also detect DragonFly as BSD
This fixes the detection of DragonFly as requiring the freebsd
NSS interface flavour.
2014-01-24 joshuashire <joshuashire@hotmail.com>
* [2181cca] nslcd/shadow.c: Update shadow.c to resolve pwdLastSet
issue
We read the date into the buffer to the specified length to get it
to the Unix time (i.e. seconds) from its AD value of nanoseconds,
then convert it to days for shadow. If we use date rather than
buffer we end up trying to convert the original nanosecond value.
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [c6c317e] : Implement deref control handling
This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to
dereference group member attribute values to uid attribute values.
This should reduce the number of searches that are required for
expanding group members that use the member attribute.
This mechanism could also be used to extract information on
nested groups but the gains are less clear there.
Not all LDAP servers support this control. In OpenLDAP, load the
(currently undocumented) deref overlay and enable it for the
database to take advantage of this improvement.
There is a functional difference when using this control. Any
returned deferred uid value returned by the LDAP server is accepted
as a member. No checks are performed to see if the user matches
the search base and search filters set for passwd entries.
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [309b4bb] README: Update documentation
This documents the way the deref controls are used.
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [cecc024] nslcd/group.c: Use myldap_get_deref_values() to get
member uids
This uses information from the deref control (if available)
to get the username for each of the members of the group. Any
missing deref member attribute values will be seen as nested
groups and will be traversed if nested group support is enabled.
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [c973834] configure.ac, nslcd/myldap.c, nslcd/myldap.h: Provide
a myldap_get_deref_values() function
This function looks for deref response controls
(LDAP_CONTROL_X_DEREF) in the entry and returns the information
from the dereferenced attribute in two lists: dereferenced values
and attribute values that could not be dereferenced.
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [3992e15] nslcd/group.c: Skip member attributes in bymember search
This changes the group by member searches to not request the
member attributes. This will speed up result parsing by a fraction
because less data is transferred but will also cause the deref
control not to be added to these searches.
2013-12-28 Arthur de Jong <arthur@arthurdejong.org>
* [15ee2fc] compat/Makefile.am, compat/derefctrl.c,
compat/ldap_compat.h, configure.ac: Provide replacement
ldap_create_deref_control()
This adds a test for a bug in OpenLDAP that allocated a
LDAP_CONTROL_PAGEDRESULTS control instead of a LDAP_CONTROL_X_DEREF
control.
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [547e479] configure.ac, nslcd/myldap.c: Request attribute deref
via search control
This uses the LDAP_CONTROL_X_DEREF control as descibed in
draft-masarati-ldap-deref-00 to request the LDAP server to
dereference member attribute values to uid attribute values in
order to avoid doing extra searches.
This control is currently only added for group search by looking
for the member attribute in the search.
2014-01-04 Arthur de Jong <arthur@arthurdejong.org>
* [c22eb08] nslcd/myldap.c: Rename entry property to indicate
storage type
This changes entrye->rangedattributevalues to entry->buffers
because the propery is not only used for ranged attribute values
but for anything that can be freed with free().
2014-01-03 Arthur de Jong <arthur@arthurdejong.org>
* [f009c96] nslcd/myldap.c: Ignore missing page controls
Since we could get arbitrray controls and are only interested
in page controls we ignore failures to find page controls.
2014-01-03 Arthur de Jong <arthur@arthurdejong.org>
* [4f6dfdd] nslcd/myldap.c: Use do_try_search() also for paged
searches
This also changes do_try_search() to support building continued
paged controls and lays the groundwork for adding more search
controls.
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [be94912] nslcd/attmap.c, nslcd/group.c, pynslcd/group.py:
Support blanking the member attribute
This allows remapping the member attribute to an empty string
which removes support for that attribute. This can reduce the
number of search operations if the attribute is not used.
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [0d3fa5d] nslcd/group.c: Fix typo
2014-01-05 Arthur de Jong <arthur@arthurdejong.org>
* [8e74848] nslcd/group.c, nss/netgroup.c, tests/test_set.c:
Fix memory leaks related to set_pop()
Some pieces of code did not properly free() the value returned
by set_pop().
The leak in group code was related to the introduction of nested
group functionality in 41ba574 (merged in 3daa68d) so should
only be present in releases 0.9.0 forward.
The leak in the netgroup code only ended up in the Solaris
version of the NSS module and was introduced in 4ea9ad1 (merged in
5c8779d). This leak is present in all releases from 0.8.0 forward.
2014-01-04 Arthur de Jong <arthur@arthurdejong.org>
* [3288942] tests/test_myldap.c: Fix compiler warnings in the
myldap test
2014-01-02 Arthur de Jong <arthur@arthurdejong.org>
* [2b8fbc2] : Only exit nslcd when daemon is ready
This removes a race condition between the exit of the initial
nslcd process (as started by the init script) and nslcd services
being ready.
2014-01-02 Arthur de Jong <arthur@arthurdejong.org>
* [3afedc4] compat/Makefile.am, compat/daemon.c, compat/daemon.h,
configure.ac: Remove daemon() replacement function
2014-01-02 Arthur de Jong <arthur@arthurdejong.org>
* [907d49d] configure.ac, nslcd/daemonize.c: Close daemon pipe
file descriptor on fork or exec
This tries to avoid child processes ending up with a copy of
the pipe file descriptor that is used to signal readiness of
the daemon.
2014-01-02 Arthur de Jong <arthur@arthurdejong.org>
* [42a1a3d] nslcd/Makefile.am, nslcd/daemonize.c, nslcd/daemonize.h,
nslcd/nslcd.c: Properly daemonise nslcd and only exit when ready
This introduces a new daemonize module that provides functions for
closing all file descriptors, redirecting stdin/stdout/stderr to
/dev/null and a function for backgrounding an application while
only exiting the original process after the daemon process has
indicated readiness.
This is used to exit the original process only after the listening
socket has been set up and the worker threads have been started.
|