path: root/ChangeLog

$Id$
===============================================================

251	Luke Howard <lukeh@padl.com>

	* remove doc/rfc2307.txt, it is available from
	  http://www.ietf.org/rfc/rfc2307.txt
	* make objectClass a mappable attribute

250	Luke Howard <lukeh@padl.com>

	* don't use static _nss_ldap_no_members buffer,
	  causes crash when nss_ldap is unloaded and memory
	  is still referenced
	* fix for BUG#249: tcsh closes file descriptors,
	  confuses nss_ldap and hangs (from David Houlder)
	* fix for BUG#257: initgroups() broken in RFC2307bis
	  support disabled
	* fix for BUG#261: sslpath example wrong
	* fix for BUG#263: compile do_triple_permutations()
	  when IRS enabled

249	Luke Howard <lukeh@padl.com>

	* fix for BUG#253: build broken on AIX
	* fix for BUG#255: deadlock in initgroups

248	Luke Howard <lukeh@padl.com>

	* fix regression in per-objectclass attribute mapping
	  introduced in nss_ldap-246

247	Luke Howard <lukeh@padl.com>

	* double-check *ld != NULL even if mapped eror return
	  from ldap_initialize() returns NSS_SUCCESS

246	Luke Howard <lukeh@padl.com>

	* paged results and RFC2307bis support are now always
	  compiled in; they are by default disabled unless
	  you configured with --enable-paged-results and
	  --enable-rfc2307bis, respectively. See nss_ldap(5)
	  for configuration options.
	* fix for BUG#219: paged results delivers wrong results
	* fix for BUG#222: use asynchronous start TLS if
	  available, using bind_timeout value
	* fix for BUG#235: make DNS SRV lookup domain
	  configurable (nss_srv_domain)
	* fix for BUG#240: return "*" rather than "x" for
	  userPassword if not present
	* fix for BUG#245: paged results broken since nss_ldap-241
	* patch from Ralf Haferkamp <rhafer@suse.de>:
	  compile fix for IPv6
	* compile for Solaris
	* schema mapping is always enabled, cleanup schema
	  mapping code
	* allow for map-specific objectclass mapping
	* partial implementation of Solaris Simplified LDAP
	  API, allows automountd support on Solaris via nss_ldap
	* for Linux automounter, always close connection after
	  endautomntent() to avoid persistent connection
	* add nss_connect_policy argument to ldap.conf

245	Luke Howard <lukeh@padl.com>

	* don't leak LDAP connection if do_bind() failed or
	  descriptor owner had changed. If do_bind() failed the
	  underlying descriptor would also be leaked, causing a
	  large number of sockets to be consumed during failover
	* add nss_initgroups_ignoreusers parameter to ldap.conf,
	  returns NOTFOUND if nss_ldap's initgroups() is called
	  for users (comma separated)
	* try to deal with systems that have headers for both
	  versions of the SASL library installed
	* better logging of failed connections and reconnections
	* patch from Dean Michaels <dean@interdynamix.com>:
	  build with Netscape 5 library on Solaris
	* patch from Ralf Haferkamp <rhafer@suse.de>:
	  manual page fix to bind_policy

244	Luke Howard <lukeh@padl.com>

	* patch from Ralf Haferkamp <rhafer@suse.de>:
	  enusre bytesleft macro does not return values < 0
	* include <sys/param.h> in ldap-nss.c

243	Luke Howard <lukeh@padl.com>

	* fix for BUG#225: invalid pointer dereferencing when
	  reading rootpw

242	Luke Howard <lukeh@padl.com>

	* fixes for compiling on Solaris 10

241	Luke Howard <lukeh@padl.com>

	* new, more robust reconnection logic
	* both "host" and "uri" directives can be used in
	  ldap.conf
	* new (undocumented) nss_reconnect_tries,
	  nss_reconnect_sleeptime, nss_reconnect_maxsleeptime,
	  nss_reconnect_maxconntries directives
	* reload configuration file if changed

240	Luke Howard <lukeh@padl.com>

	* new API for resolving automounts (requires custom
	  autofs plugin for Linux at present):
	  _nss_ldap_setautomntent(), _nss_ldap_getautomntent(),
	  _nss_ldap_endautomntent(), _nss_ldap_getautomntbyname_r()
	* fix for BUG#200: rename SOCKLEN_T as it conflicts on AIX
	* fix for BUG#205: accept line feeds in ldap.conf
	* fix for BUG#211: nss_ldap fails to start TLS on referred
	  connections
	* fix for BUG#213: initgroups crash if RFC2307bis undefined
	* turn down reconnection logging volume

239	Luke Howard <lukeh@padl.com>

	* support for initgroups using backlinks (selectable
	  at runtime if RFC2307bis support is enabled, using
	  the nss_initgroups backlink configuration directive)
	* support for dynamically expanding filter sizes
	* from Peter Marschall <peter@adpm.de>:
	  revert the deletion of blanks/tabs in ldap.conf that
	  happened between 235 and 238
	* from Peter Marschall <peter@adpm.de>:
	  This patch changes configure.in and Makefile.am so that
	  ldap.conf gets installed in the place and with the name
	  that is given to the configure option --with-ldap-conf-file.
	  In addition to that it fixes a long standing bug in
	  Makefile.am that tries to install a file before the
	  destination directory is guaranteed to be created (hunk #3),
	  and uses $(mkinstalldirs) for AIX (hunk #2).

238	Luke Howard <lukeh@padl.com>

	* more manual page updates

237	Luke Howard <lukeh@padl.com>

	* more manual page updates

236	Luke Howard <lukeh@padl.com>

	* fix for BUG#201: typo in ldap-schema.c causing build
	  to fail
	* add manual page for nss_ldap

235	Luke Howard <lukeh@padl.com>

	* fix for BUG#198: make pagesize configurable
	* fix for BUG#199: correct fix for BUG#138
	  (blind last char remove in ldap.secret)

234	Luke Howard <lukeh@padl.com>

	* don't reacquire global lock in do_next_page()
	* restore old "bind_policy hard" behaviour (don't try to
	  reconnect if initialization failed). The behaviour
	  introduced in nss_ldap-227 can be enabled with
	  "bind_policy hard_init".

233	Luke Howard <lukeh@padl.com>

	* if do_open() returns NSS_UNAVAIL, don't try to do
	  server reconnect; only do it if NSS_TRYAGAIN is returned
	  This should fix the problems introduced by the fixes in
	  nss_ldap-227 (delayed binding)

232	Luke Howard <lukeh@padl.com>

	* fix for BUG#138 (blind last char remove in ldap.secret)

230	Luke Howard <lukeh@padl.com>

	* don't free gss_krb5_ccache_name() output (Heimdal)

229	Luke Howard <lukeh@padl.com>

	* more debugging in initgroups and _nss_ldap_getentry()
	* fix _nss_ldap_getentry() enumeration behaviour, and
	  optimize by not searching if the requested attribute
	  cannot be mapped

228	Luke Howard <lukeh@padl.com>

	* fix for BUG#188: better documentation for OpenLDAP
	  SSL options
	* fix for BUG#189: do not configure tls_checkpeer
	  unless it is explicitly specifier in ldap.conf
	* fix for BUG#190: set ls_state to LS_UNINITIALIZED
	  after fork

227	Luke Howard <lukeh@padl.com>

	* separate initializing LDAP session with actually
	  connecting to the DSA, so that we don't try to
	  bind until we actually need to search (which allows
	  the retry logic in the search function to also apply
	  to binding). NB: this will only provide improved
	  behaviour for LDAP client libraries that support
	  ldap_init() or ldap_initialize() rather than ldap_open
	* fix for BUG#183: support pw_change and pw_expire
	  on BSD
	* fix for BUG#187: NSS_BUFLEN_DEFAULT causing problems
	  on IRS platforms
	* fix for glibc 2.1 from Alexander Spannagel

226	Luke Howard <lukeh@padl.com>

	* make LDAP_NSS_NGROUPS configurable with
	  --with-ngroups (experts only) option

225	Luke Howard <lukeh@padl.com>

	* make LDAP_NSS_NGROUPS 64 - better choice for
	  small directories

224	Luke Howard <lukeh@padl.com>

	* don't double-free on realloc() failure in
	  do_parse_group_members()
	* don't pass LDAP session as an argument, as
	  it may refer to a stale LDAP handle. If this
	  does not work we will need to replace LDAPMessage
	  pointers with pointers to a structure that
	  contains a reference-counted LDAP handle as well
	  as the message
	* fix crasher when internal group membership
	  buffer was reallocated (introduced with nested
	  group expansion code)
	* immediately return NSS_TRYAGAIN and errno=ERANGE
	  if there is not enough buffer space to handle
	  LDAP_NSS_NGROUPS groups; this prevents getgrXXX()
	  from expensive repeated directory searches when
	  there is a priori knowledge that group memberships
	  are large

223	Luke Howard <lukeh@padl.com>

	* allow empty lines in /etc/ldap.conf
	* do loop detection in nested groups
	* fixes for building with IRS on FreeBSD 4.10

222	Luke Howard <lukeh@padl.com>

	* fix deadlock in _nss_ldap_getentry()
	* support more AIX usersec attributes
	* more AIX porting fixes
	* support Heimdal as well as MIT Kerberos

221	Luke Howard <lukeh@padl.com>

	* AIX fix from <carlos.celso@embraer.com.br>
	  Recall #169033
	* support for expansion of nested RFC2307bis groups
	* support for searching using range retrieval
	* fix memory leak with private contexts
	* fix memory leak in do_result()
	* implement _nss_ldap_getentry for AIX enumeration
	* implement netgroups for IRS/AIX
	* remove dependency on Berkeley DB - schema mapping
	  and RFC2307bis no longer requires DB
	* remove old NeXT cruft in resolve.c

220	Luke Howard <lukeh@padl.com>

	* fix for BUG#169: getntohost() on Solaris
	* fix for BUG#170: _nss_ldap_getgroupsbymember_r fails
	  to return all groups when NSCD is running and
	  attribute mapping is enabled on Solaris
	* fix for BUG#173: reinstate use of sigaction()
	  (XXX what is the correct fix here?)
	* fix for BUG#174: innetgr() depth checking

218	Luke Howard <lukeh@padl.com>

	* fix for BUG#168: set errnop to ENOENT if not found
	* check for -lgssapi before -lgssapi_krb5

217	Luke Howard <lukeh@padl.com>
	
	* fix for BUG#167: compilation fails on Solaris

216	Luke Howard <lukeh@padl.com>

	* patch from Thorsten Kukuk to avoid overwriting
	  sockaddr storage for IPv6; use struct
	  sockaddr_storage if available
	* fix for BUG#153: use asynchronous search API
	  in initgroups()
	* fix for BUG#157: check for __pthread_once rather
	  than __pthread_atfork on glibc, as the latter is
	  no longer exported
	* fix for BUG#158: escape netgroup search filters
	  correctly
	* fix for BUG#161: remove redundant lock in
	  _nss_ldap_innetgr()
	* fix for BUG#164: set schema element array size
	  to LM_NONE + 1 not LM_NONE
	* fix for BUG#165: make _nss_ldap_result() private
	* fix for BUG#166: chase all nested netgroups in
	  innetgr()
	* fix deadlock if getXXXent() called without first
	  calling setXXXent()
	* only request gidNumber attribute when initgroups()
	  (avoids sending back rest of a group's entry)
	* don't request any attributes when mapping a user
	  to a DN (we want the DN only)

215	Luke Howard <lukeh@padl.com>

	* choose between using native GSS-API and putenv()
	  for setting ccache path
	* per-map attribute mapping for attributes that
	  appear in multiple maps

214	Luke Howard <lukeh@padl.com>

	* define LDAP_DEPRECATED for compiling against
	  OpenLDAP 2.2

213	Luke Howard <lukeh@padl.com>

	* fix netgroup compilation error when debugging is
	  enabled
	* support GSS-API for setting ccache name
	* initgroups() should require user to be a POSIX
	  account	
	* define LOGNAME_MAX for HP-UX
	* do not use sigprocmask() - this blocks rather
	  than disabling signals
	* SASL version check fix from Howard Chu

212	Luke Howard <lukeh@padl.com>

	* Solaris netgroup support test release
	* fix crasher in do_sasl_interact()
	* do_sasl_interact() needs to strdup() result for
	  Cyrus SASL 1.x but not 2.x
	* merge in LDAP debug patch from Howard Chu
	* try alternate search descriptors on NSS_NOTFOUND
	  as well as NSS_SUCCESS

211	Luke Howard <lukeh@padl.com>

	* do AT_OC_MAP cache initialization at config init
	* BSD build fixes
	* replace [h]errno2nssstat lookup tables with switch
	  statement; should help building on AIX!

210	Luke Howard <lukeh@padl.com>

	* initialize DBT structures
	* fix SASL crasher

209	Luke Howard <lukeh@padl.com>

	* fix SASL breakage

208	Luke Howard <lukeh@padl.com>

	* use socklen_t not int
	* remove OpenLDAP SASL code
	* incorporated patches from (see below) Geert Jansen
	* add the "sasl_secprops" option to configure SASL
	  security layers (usage as for OpenLDAP ldap.conf)
	* add the "krb5_ccname" option to specify the
	  location of the Kerberos ticket cache
	  (requires --enable-configurable-krb5-ccname for
	  now as it is a fairly coarse solution to a lack
	  of appropriate API in the Kerberos libraries)
	* add support for native Active Directory password
	  policy attributes (enabled if shadowLastChange is
	  mapped to pwdLastSet)
	* add "nss_override_attribute_value" and
	  "nss_default_attribute_value" keywords for over-
	  riding and setting default attribute values,
	  respectively

207	Luke Howard <lukeh@padl.com>

	* work without LDAP_OPT_X_TLS_RANDOM_FILE
	* fix schema mapping regression from nss_ldap-205;
	  attribute mapping now works again

205	Luke Howard <lukeh@padl.com>

	* build with Sleepycat DB without db185 compat layer
	  (tested with 4.x; needs testing on 3.x)

204	Luke Howard <lukeh@padl.com>

	* Linux netgroup implementation from Larry Lile
	* Multiple service search descriptor support from
	  Symas
	* IPv6 patch from Thorsten Kukuk at SuSE

203	Luke Howard <lukeh@padl.com>

	* fix for BUG#115
	* fix for BUG#121

202	Luke Howard <lukeh@padl.com>

	* getsockname() fixes from Howard Chu
	* configuration parser crasher fix

201	Luke Howard <lukeh@padl.com>

	* Berkeley DB fixes from Howard Chu
	* Netscape client library build fix

200	Luke Howard <lukeh@padl.com>

	* use sigprocmask() if available to block SIGPIPE
	* fix build breakage with OpenLDAP HEAD

199	Luke Howard <lukeh@padl.com>

	* HP-UX port
	* BUG#111: incorrect debugging statement in
	  _nss_ldap_enter()
	* export required symbols only on Linux
	* corrected symbol names for glibc alias enumeration
	  functions
	* the DNS response parser doesn't stop after parsing the
	  right number of records, and doesn't handle long responses
	  (Nalin at RedHat)

198	 Luke Howard <lukeh@padl.com>

	* BUG#108: fix potential buffer overflow in dnsconfig.c
	  (could be triggered if no flat file configuration
	  for nss_ldap and large DNS SRV data for domain;
	  because nss_ldap in SRV mode trusts DNS we do
	  not believe this to be exploitable to elevate
	  privilege in the default configuration)
	* do not malloc() configuration structure; use
	  buffer

197	Luke Howard <lukeh@padl.com>

	* improved AIX documentation from Dejan Muhamedagic
	* define LDAP_OPT_SSL for Solaris 9

196	Luke Howard <lukeh@padl.com>

	* return NSS_TRYAGAIN not NSS_NOTFOUND for insufficient
	  buffer space in dn2uid_cache_get()
	* support automake 1.5 and friends
	* out of box build on AIX 4.3.3
	* fixed BUG#104: do_ssl_options() return code ignored

195	Luke Howard <lukeh@padl.com>

	* fixed BUG#98: large groups cause buffer length
	  wraparound with rfc2307bis

194	Luke Howard <lukeh@padl.com>

	* bugfix for Debian Bug report #147553: lack of global
	  mutex use in initgroups()

193	Luke Howard <lukeh@padl.com>

	* support for PADL GSS-SASL client library

192	Luke Howard <lukeh@padl.com>

	* more carefully compare cached socket and peer
	  addresses

191	Luke Howard <lukeh@padl.com>

	* added configurable [hard|soft] reconnect, see the
	  bind_policy parameter in ldap.conf.

190	Luke Howard <lukeh@padl.com>

	* check for Netscape 4 SDK without SSL; don't require
	  pthreads for these

189	Luke Howard <lukeh@padl.com>

	* patch for building on OpenLDAP 1.x from Nalin
	  at RedHat

188	Luke Howard <lukeh@padl.com>

	* specify runtime path for LDAP library correctly to
	  native Solaris linker
	* check for gcc correctly
	* use native linker on Solaris and AIX

187	Luke Howard <lukeh@padl.com>

	* make bogusSd in ldap-nss.c conditional on
	  !HAVE_LDAP_LD_FREE
	* merge in paged result support from Max Caines
	* bugfixes for Debian Bug report #140854

186	Luke Howard <lukeh@padl.com>

	* incorporated patch for Debian Bug report #140854,
	  where nss_ldap could in some cases close a
	  descriptor it did not own. Patch was provided
	  by Luca Filipozzi.

185	Luke Howard <lukeh@padl.com>

	* updated copyrights
	* fix for BUG#82: set close on exec (Debian bug 136953)

184	Luke Howard <lukeh@padl.com>

	* return NSS_TRYAGAIN if no buffer space in ldap-grp.c

183	Luke Howard <lukeh@padl.com>

	* return error strings in AIX authentication routine
	* initialise schema in getgroupsbymember()
	* fix for tls_checkpeer; pass NULL session in to
	  set global option
	* BUG#77: configurable config file locations

181	Luke Howard <lukeh@padl.com>

	* ignore SIGPIPE whilst inside nss_ldap library routines
	  to prevent crashing on down LDAP server; possible fix
	  for Debian bug 130006
	* removed --enable-no-so-keepalive; always try to
	  disable SO_KEEPALIVE on underlying socket to LDAP
	  server
	* include local copy of irs.h under AIX
	* general cleanup of locking code
	* _nss_ldap_no_members appears to only need defining for
	  when RFC2307bis is enabled

180	Luke Howard <lukeh@padl.com>

	* pull in libpthreads on AIX

179	Luke Howard <lukeh@padl.com>

	* a couple more patches for AIX

178	Luke Howard <lukeh@padl.com>

	* patch from Gabor Gombas for AIX support
	* Makefile.am: sasl.o needed by NSS_LDAP
	* aix_authmeth.c: method_passwordexpired is
	  really method_passwdexpired; but since the struct
	  was bzero()ed no need to set it to NULL
	* configure.in: support both gcc and xlc_r
	* exports.aix: sv_byport was not exported
	* ldap-grp.c: getgrset() returned group names instead of
	  gid numbers

177	Luke Howard <lukeh@padl.com>

	* patch for building on AIX from IBM
	* added simple authentication support for AIX
	* cleaned up SASL patch to not break if Cyrus
	  SASL is not installed

176	Luke Howard <lukeh@padl.com>

	* fixed bug in SASL patch which had required
	  OpenLDAP headers
	
175	Luke Howard <lukeh@padl.com>

	* incorporated GSS-API SASL patches
	* rebind to server on LDAP_LOCAL_ERROR

174	Luke Howard <lukeh@padl.com>

	* added patches from Maxim Batourine for compiling
	  with Sun workshop compiler
	* added notes re: 64-bit compile on Solaris from
	  above source

173	Luke Howard <lukeh@padl.com>

	* notes on IRS in doc/README.IRS
	* added irs.h for AIX compat
	* patch from Bob Guo for stripping trailing
	  spaces in ldap.conf.

172	Luke Howard <lukeh@padl.com>

	* fixed schema mapping bug by storing a copy of the
	  mapped schema in the Berkeley DB rather than the
	  element itself. Because the DB library returns
	  static storage, this was causing problems where
	  the schema mapping calls were used to build the
	  attribute table in ldap-schema.c. This bugfix was
	  sponsored by n2h2.com; thanks!

171	Luke Howard <lukeh@padl.com>

	* added ldap.conf stanza for AIX
	* workaround for schema mapping bug.

170	Luke Howard <lukeh@padl.com>

	* use _nss_ldap_getrdnvalue() for determining canonical	
	  group name

169	Luke Howard <lukeh@padl.com>

	* fixed typo in ldap-service.c; prefix filters now
	  with _nss_ldap

168	Luke Howard <lukeh@padl.com>

	* initialize old_handler to SIG_DFL
	* incorporate Stephan Cremer's mapping patches,
	  a big thanks to Stephan for these!
	* use LDAP_OPT_NETWORK_TIMEOUT if available for
	  network connect timeout
	* removed hard-coded schema mapping for
	  authPassword, NDS and MSSFU

167	Luke Howard <lukeh@padl.com>

	* support for new OpenLDAP rebind proc prototype
	* in rebind function, respect timeout
	* fix for PADL Release Control

166	Luke Howard <lukeh@padl.com>

	* corrected small typos

165	Luke Howard <lukeh@padl.com>

	* posixMember is a distinguished name, don't pretend it
	  is a login name
	* cleaned up code referencing different member syntaxes

164	Luke Howard <lukeh@padl.com>

	* removed IDS_UID code, never worked properly

163	Luke Howard <lukeh@padl.com>

	* removed context_free function, usage confusing

162	Luke Howard <lukeh@padl.com>

	* in reconnect harness, do not treat entry not found
	  errors as requiring a reconnect

161	Luke Howard <lukeh@padl.com>

	* hopefully fixed use of synchronous searches in
	  _nss_ldap_getbyname()

160	Luke Howard <lukeh@padl.com>

	* patch from RedHat to check for DB3, override
	  install user/group optionally
	* use synchoronous searches for _nss_ldap_getbyname()
	* only set SSL options if we have values for those
	  options

159	Luke Howard <lukeh@padl.com>

	* make do_ssl_options() take a config parameter;
	  avoid segfault with SSL?

158	Luke Howard <lukeh@padl.com>

	* in the distinguished name to login cache (dn2uid)
	  make sure we use the AT(uid) macro for the uid
	  attribute rather than the hard-coded value of "uid"
	  This should enable the cache for MSSFU support.

157	Luke Howard <lukeh@padl.com>

	* for MSSFU, use posixMember for group memberships
	  rather than member (reported by Andy Rechenberg)
	* ignore SIGPIPE before calling do_close() for
	  idle_timeout

156	Luke Howard <lukeh@padl.com>

	* logic was around the wrong way in do_search(),
	  all searches were broken!
	* --disable-ssl option for configure
	* removed "Obsoletes: pam_ldap" from spec file

155	Luke Howard <lukeh@padl.com>

	* do not use private API when setting OpenLDAP TLS
	  options (do_ssl_options())
	
154	Luke Howard <lukeh@padl.com>

	* notes from Scott M. Stone <sstone@foo3.com>
	* idle timeout patch from Steve Barrus

153	Luke Howard <lukeh@padl.com>

	* SSL fix

152	Luke Howard <lukeh@padl.com>

	* further patch from Jarkko for TLS/SSL auth:
	  support for LDAPS/cipher suite selection/
	  client key/cert authentication

151	Luke Howard <lukeh@padl.com>

	* patch from Andrew Rechenberg for Active
	  Directory schema support
	* patch from Jarkko Turkulainen <jt@wapit.com> for
	  peer certificate support with OpenLDAP

150	Luke Howard <lukeh@padl.com>

	* patch from Anselm Kruis for URI support

149	Luke Howard <lukeh@padl.com>

	* fixed compile on Solaris, broken in 145 by
	  malformed Linux patch
	
148	Luke Howard <lukeh@padl.com>

	* check for HAVE_LDAP_SET_OPTION always

147	Luke Howard <lukeh@padl.com>

	* check for ldap_set_option(), as LDAP_OPT_REFERRALS
	  is defined for OpenLDAP 1.x but without the
	  ldap_set_option() function

146	Luke Howard <lukeh@padl.com>

	* mass reindentation, GNU style
	* patch from Simon Wilkinson <sxw@sxw.org.uk>
	  for compatibility with old initgroups entry
	  point
	* request authPassword attribute if
	  --enable-authpassword
	* authPassword support in ldap-spwd.c (shadow)

145	Luke Howard <lukeh@padl.com>

	* preliminary support for authPassword attribute
	* updated COPYING
	* patch from Szymon Juraszczyk to suppot
	  _nss_ldap_initgroups_dyn prototype

144	Luke Howard <lukeh@padl.com>

	* when specifying filters with nss_base_XXX,
	  only escape the filter argument not the entire
	  filter

143	Luke Howard <lukeh@padl.com>

	* patch from nalin@redhat.com to avoid
	  corrupting the heap when the configuration
	  file exists but has no host and base values.
	  _nss_ldap_readconfigfromdns() will write to
	  the region which was already freed.

142	Luke Howard <lukeh@padl.com>

	* patch from Simon Wilkinson <sxw@sxw.org.uk>
	  for memory leak in ldap-service.c

141	Luke Howard <lukeh@padl.com>

	* fix for BUG#54 (AIX detection broken)
	* use -rpath on all platforms except Solaris,
	  not just Linux

140	Luke Howard <lukeh@padl.com>

	* fix configure bug for DISABLE_SO_KEEPALIVE
	* fix alignment bug in util.c; this was causing
	  Solaris to crash whenever per-map search
	  descriptors were specified in ldap.conf

139	Luke Howard <lukeh@padl.com>

	* updated INSTALL file with boilerplate
	* fixed pointer error in ldap-nss.c

138	Luke Howard <lukeh@padl.com>

	* close config file FILE * if out of buffer space
	  for parsing search descriptor
	* fixed bug where non-recognized directives in
	  ldap.conf would cause the configuration file to
	  not be parsed at all, if they were the last
	  entries in the config file.
	
137.1	Luke Howard <lukeh@padl.com>

	* patch from nalin@redhat.com; return { NULL } not
	  NULL for no group members
	* cleaned up usage of libc-lock.h weak aliases
	  to pthreads API; use in ltf.c also
	* use __libc_atfork() or pthread_atfork() to
	  close off connection on fork, rather than
	  checking PIDs; this is expensive and breaks
	  on Linux where each thread may have a
	  different PID.

137	Gabor Gombas <gombasg@inf.elte.hu>

	* build nss_ldap as a loadable module on AIX
	* doco on AIX

136	Luke Howard <lukeh@padl.com>

	* define -DPIC for FreeBSD
	* link with -shared not --shared
	* fixes for AIX

135	Luke Howard <lukeh@padl.com>

	* merged ldap.conf
	* fixed bug in concatenating relative search
	  bases in ldap-nss.c (profile support)

134	Luke Howard <lukeh@padl.com>

	* fixed Makefile.am
	* reordered DB search order in util.c

133	Luke Howard <lukeh@padl.com>

	* make /usr/lib directory in Makefile.am
	* new spec file from Joe Little

132	Luke Howard <lukeh@padl.com>

	* fixed rebind preprocessor logic

131	Luke Howard <lukeh@padl.com>

	* created files for automake happiness

130	Luke Howard <lukeh@padl.com>

	* fixed typo preventing build with Netscape
	  client library

129	Luke Howard <lukeh@padl.com>

	* updated version number
	* fixed build bug on Solaris

128	Luke Howard <lukeh@padl.com>

	* fixed logic bug in util.c introduced in
	  nss_ldap-127

127	Luke Howard <lukeh@padl.com>

	* updating copyright notices
	* autoconf support; IRIX and OSF/1 support has
	  been dropped (dl-*.[ch]) as no one really
	  used this, the implementation was a hack,
	  and these operating systems have their
	  own LDAP implementations now
	* added support for "referrals" and "restart"
	  options to ldap.conf
	* use OpenLDAP 2.x rebind proc with correct
	  arguments
	* added "timelimit" and "bind_timelimit"
	  directives to ldap.conf
	* fixed bug with dereferencing aliases
	* preliminary support for profiles; recognise
	  profile semantics in ldap-nss.c/util.c
	* parity with pam_ldap; "ssl" directive in
	  ldap.conf can now specify "yes" or
	  "start_tls" for Start TLS
	* hopefully fixed Berkeley DB include
	  mess in util.c
	* fixed potential buffer overflow in util.c
	* default to LDAP protocol version 3
	* fixed leaks in util.c, dnsconfig.c
	* accept on/yes/true for boolean configuration
	  values
	* tested building on FreeBSD, Solaris 8, Linux
	* tested functionality on RedHat 6.2

126	Luke Howard <lukeh@padl.com>

125	Luke Howard <lukeh@padl.com>

	* fixed up Linux Makefiles to build libnss_ldap

124	Luke Howard <lukeh@padl.com>

	* patch from nalin@redhat.com for StartTLS
	* fixed up indenting

123	Luke Howard <lukeh@padl.com>

	* rolled in BUG#52 branch with fixes for AIX

122.BZ52.2	Luke Howard <lukeh@padl.com>

	* included ldap-schema.c; omitted from previous
	  checkpoint

122.BZ52.1	Luke Howard <lukeh@padl.com>

	* preliminary fix for BUG#52 (support for different
	  naming contexts for each map)
	* fixed bug in enumerating services map

122	Luke Howard <lukeh@padl.com>

	* fixed BUG#50 (check return value of ldap_simple_bind())

121	Luke Howard <lukeh@padl.com>

	* fixed BUG#49 (fix acknowledged race condition)

120	Luke Howard <lukeh@padl.com>

	* added Makefile.aix and exports.aix (forgot)

119	Luke Howard <lukeh@padl.com>

	* patch from Gabor Gombas <gombasg@inf.elte.hu>
	  to support AIX implementation of BIND IRS

118	Luke Howard <lukeh@padl.com>

	* Makefile.RPM.openldap2 from Joe Little

117	Luke Howard <lukeh@padl.com>

	* permanently ignore SIGPIPE when using SSL. This
	  bug should be fixed properly.

116	Luke Howard <lukeh@padl.com>

	* added irs-nss.diff and README.IRS from Emile
	  Heitor

115	Luke Howard <lukeh@padl.com>

	* fixed filter escaping
	* call ldapssl_client_init() once only
	* include db_185.h not db.h for dn2uid cache
	* fixes for FreeBSD (IRS) support from Emile
	  Heitor

113	Luke Howard <lukeh@padl.com>

	* patch from Ben Collins to escape '*' in filters

110	Luke Howrad <lukeh@padl.com>

	* patch from Phlilip Liu for async binds

109	Luke Howard <lukeh@padl.com>

	* omit socket check for -DSSL; it doesn't work
	* updated CONTRIBUTORS
	* updated README re HAVE_LDAP_LD_FREE

108	Luke Howard <lukeh@padl.com>

	* included "deref" option in /etc/ldap.conf, compatible
	  with OpenLDAP syntax. Patch from Michael Mattice.

107	Luke Howard <lukeh@padl.com>

	* fixed argument to _nss_ldap_getent() in ldap-ethers.c

106.2	Luke Howard <lukeh@padl.com>

	* if root, use rootbinddn/rootbindpw in rebind proc
	* include objectClass in pwd required attributes

106.1	Luke Howard <lukeh@padl.com>

	* if user is a shadowAccount, then don't return password
	  in getpwent(), getpwuid() or getpwnam()
	* incorporated patch (from Doug Nazar):
	* allow getgrent() to be called without setgrent();
	  note arguments to _nss_ldap_getent() have changed.
	* return NSS_NOTFOUND instead of NSS_UNAVAIL at the
	  end of a search
	* initialize len for getpeername()

105	Luke Howard <lukeh@padl.com>

	* incorporated patch for deadlock under Solaris (from
	  Dave Begley)

104	Luke Howard <lukeh@padl.com>

	* new spec file

103	Luke Howard <lukeh@padl.com>

	* don't call ldap_parse_result() with V2 API

102	Luke Howard <lukeh@padl.com>

	* added defines for LDAP_MSG_ONE et al if not in ldap.h
	* removed LDAP_MORE_RESULTS_TO_RETURN test

101	Luke Howard <lukeh@padl.com>

	* fixed spec file

100	Luke Howard <lukeh@padl.com>

	* support for asynchronous search API!
	* added some contributors
	* notes about ldap_ld_free()
	* merged in ChangeLog

99	Luke Howard <lukeh@padl.com>

	* added some netgroup implementation tips
	* do_close_no_unbind() cleanup

98	Luke Howard <lukeh@padl.com>

	* /etc/nss_ldap.secret -> /etc/ldap.secret (sorry,
	  Doug!)
	* deleted crypt-mechanism code. Junk.
	* fixed call to _nss_ldap_read() after changing
	  prototypes in nss_ldap-88

97	Luke Howard <lukeh@padl.com>

	* #ifndef HAVE_LDAP_LD_FREE, still call ldap_unbind(),
	  but having closed the descriptor.

96	Luke Howard <lukeh@padl.com>

	* re-orged

95	Luke Howard <lukeh@padl.com>

	* disable SO_KEEPALIVE on socket rather than blocking
	  SIGPIPE. Need to figure out the right way to do this.

94	Luke Howard <lukeh@padl.com>

	* committed some changes for the parent/child close
	  problem. It relies on internal libldap APIs so
	  it may be non-portable but should work with OpenLDAP
	  and Netscape client libraries, and perhaps most UMich-
	  derived client libraries. There's a possible workaround
	  for client libraries without this; undefine
	  HAVE_LDAP_LD_FREE to test this.

93	Luke Howard <lukeh@padl.com>

	* important fix: make sure return status is reset
	  after do_open() == NSS_SUCCESS, just in case
	  no entries are returned. This bug was introduced
	  in nss_ldap-88 and could potentially cause a
	  security hole.

92	Luke Howard <lukeh@padl.com>

	* signal handling fix: don't restore handler
	  unnecessarily.
	* don't open nss_ldap.secret unless a root pw
	  is specified in ldap.conf

91	Luke Howard <lukeh@padl.com>

	* reorganized SIGPIPE blocking code
	* added SSL support

90	Luke Howard <lukeh@padl.com>

	* only reconnect if we've changed to/from root

89	Luke Howard <lukeh@padl.com>

	* cleaned up a few things

88	Luke Howard <lukeh@padl.com>

	* added breaks to switch in _nss_ldap_lookup
	  (thanks to Nathan.Hawkins@FMR.COM for pointing
	   this out)
	* save signal handler and ignore SIGPIPE for
	  appropriate sections of do_open() and confirm
	  connection is still active (patch from
	  rpatel@globix.com)
	* allow root users to bind as a different user,
	  to provide quasi-shadow password support (patch
	  from nazard@dragoninc.on.ca)
	* under Linux, make Makefile look at last libc
	  version (patch from nazard@dragoninc.on.ca)
	* never clobber nsswitch.ldap/ldap.conf when
	  making install (patch from nazard@dragoninc.on.ca)
	* change do_open() to not unbind the parent ldap
	  connection when the pid changes but simply open a
	  new connection (patch from nazard@dragoninc.on.ca)
	* changed _nss_ldap_lookup() and _nss_ldap_read()
	  prototypes to return NSS_STATUS error codes,
	  so that NSS_UNAVAIL percolates as appropriate.
	
87	Luke Howard <lukeh@padl.com>

	* fixed looking up DN-membered groups by member. Thanks
	  to Jeff Mandel for spotting this hard to find bug.

86	Luke Howard <lukeh@padl.com>

	* member for NDS vs uniqueMember (needs further
	  investigation; -DNDS)

85	Luke Howard <lukeh@padl.com>

	* check non-NULLity of userdn before freeing
	* use AT(uid) for groupsbymember filter

84	Luke Howard <lukeh@padl.com>

	* implemented _nss_ldap_initgroups()

81	Luke Howard <lukeh@padl.com>

	* removed extraneous do_sleep() code
	* updated spec file

80	Luke Howard <lukeh@padl.com>

	* (really 2.80) changed version number a la Solaris 7!
	* cleaned up schema stuff into ldap-schema.h

2.79	Luke Howard <lukeh@padl.com>

	* implemented exponential backoff reconnect logic

2.78	Luke Howard <lukeh@padl.com>

	* removed ldap.conf.ragenet from lineup
	* removed spurious do_close()

2.76	Luke Howard <lukeh@padl.com>

	* added -lresolv to Solaris makefiles

2.75	Luke Howard <lukeh@padl.com>

	* incorporated RPM patches from stein@terminator.net

2.72	Luke Howard <lukeh@padl.com>

	* implemented getgroupsbymember() for Solaris.
	  Supplementary groups should be initialized now.
	  (NB: doesn't appear to be quite working for
	  RFC2307bis yet.)
 	* GNU indent-ified

2.71	Luke Howard <lukeh@padl.com>

	* removed -DDEBUG as default build flag

2.70	Luke Howard <lukeh@padl.com>

	* put /usr/ucblib back into linker search path for
	  Solaris.

2.69	Luke Howard <lukeh@padl.com>

	* added timeout, unavailable, and server busy
	  conditions to rebind logic
	* indent -gnu all source files

2.68	Luke Howard <lukeh@padl.com>

	* mods for glibc 2.1 (__set_errno is obselete it seems)

2.65	Luke Howard <lukeh@padl.com>

	* mods to compile with OpenLDAP 2

2.64	Luke Howard <lukeh@padl.com>

	* changed alias schema to Sun SDS nisMailAlias schema
	* updated TODO list to reflect Bugzilla entries
	* restored capitalization of attributes for "niceness"

2.63	Luke Howard <lukeh@padl.com>

	* added patch from gero@faveve.uni-stuttgart.de for
	  parsing of ldap.conf with tabs
	* some fixes for BSDI BSD/OS IRS

2.62 	Luke Howard <lukeh@padl.com>

	* added experimental support for DN-membered groups;
	  to enable, define RFC2307BIS
	* fixed align bug (where buflen wasn't being
	  decremented after pointer alignment)

2.61	Luke Howard <lukeh@padl.com>

	* added warning about compiling with DS 4.1 LDAP SDK

2.60	Luke Howard <lukeh@padl.com>

	* fixed missing close brace

2.59	Luke Howard <lukeh@padl.com>

	* pw_comment field defaults to pw_gecos (Solaris only)

2.56	Luke Howard <lukeh@padl.com>

	* fixed Makefile.linux.mozilla NSSLIBVER

2.55	Luke Howard <lukeh@padl.com>

	* merged in glibc-2.1 branch

2.54.6	Luke Howard <lukeh@padl.com>

	* misc fixes.

2.54.5	Luke Howard <lukeh@padl.com>

	* misc fixes.

2.54.4	Luke Howard <lukeh@padl.com>

	* glibc-2.1 patches from bcollins@debian.org

2.54.3	Luke Howard <lukeh@padl.com>

	* glibc-2.1 support. (Recall #93)
	* set erange correctly on Solaris (related to above)

2.51	Luke Howaed <lukeh@padl.com>

	* added rebind function

2.51	Luke Howard <lukeh@padl.com>

	* added stuff for RC

2.49	Luke Howard <lukeh@padl.com>

	* configuration file is now case insensitive

2.47  Luke Howard <lukeh@xedoc.com>

	* RFC2052BIS (_ldap._tcp) support

2.45	Luke Howard <lukeh@xedoc.com>

	* added #include <stdlib.h> to globals.c

2.44	Luke Howard <lukeh@xedoc.com>

	* NULL search base allowed (omit basedn from config file)

2.42	Luke Howard <lukeh@xedoc.com>

	* fixed potential crasher in dnsconfig.c
	* LDAP session is now persistent for performance reasons.
	  Removed references to the session anywhere outside
	  ldap-nss.c. The process ID is cached and the session
	  reopened after a fork().

2.39	Luke Howard <lukeh@xedoc.com>

	* fixed warning in ldap-ethers.c (removed const from
	  struct ether)
	* added ldap_version keyword to ldap.conf for parity with
	  pam_ldap

2.38	Luke Howard <lukeh@xedoc.com>

	* debugged ldap_explode_rdn() code
	* added support for Mozilla LDAP client library; see
	  Makefile.linux.mozilla and ltf.c for more information.
	  Thanks to Netscape for making their library
	  available.

2.37	Luke Howard <lukeh@xedoc.com>

	* moved to CVS repository and Linux as development
	  environment
	* incorporated ldap-service.c fix from Greg

2.36	Luke Howard <lukeh@xedoc.com>

	* util.c: will use ldap_explode_rdn() if it exists

2.35	Luke Howard <lukeh@xedoc.com>

	* made util.c compile again. Silly me.

2.34	Luke Howard <lukeh@xedoc.com>

	* fixed #endif in testpw.c
	* fixed another DN freeing leak in util.c
	* added RFC 2307 to distribution (fixed the two
	  typos in it:
	* fixed bug in ...getrdnvalue() (thanks, Greg)

% diff rfc2307.txt ~/rfc2307.txt
480c480
<           MUST ( cn $ ipProtocolNumber )
---
>           MUST ( cn $ ipProtocolNumber $ description )
1038c1038
<         lester:X5/DBrWPOQQaI:10:10:Lester:/home/lester:/bin/csh
---
>         lester:X5/DBrWPOQQaI:10:10:Lester:/home/lester:/bin/sh

2.33	Luke Howard <lukeh@xedoc.com>

	* rolled in more patches from greg@rage.net:
	* removed _r from setXXXent and endXXXent functions
	  for GNU_NSS
	* cleaned up testpw.c to use pthreads and protos
	* fixed prototype for gethostbyaddr_r on GNU_NSS
	* braced conditional in getservbyname_r
	* merged in Makefile.linux and README.LINUX diffs
	* added htons(port) in getservbyport_r
	* added nsswitch.test
	* added ldaptest.pl
	* added ldap.conf.ragenet

2.32	Luke Howard <lukeh@xedoc.com>

	* moved Makefile to Makefile.solaris
	* cleaned up mutex code for Linux, hopefully

2.31	Luke Howard <lukeh@xedoc.com>

	* fixed leak in util.c (need to free dn)
	* rolled in patches from greg@rage.net:
	* fixed ldap-ethers.c to use struct ether
	* fixed bracing in ldap-hosts.c (?)
	* added SSLEAY patch to ldap-nss.h
	* fixed locking in ldap-nss.h
	* Makefile changes incorporated into Makefile.linux

2.30	Luke Howard <lukeh@xedoc.com>

	* synced into DevMan repository again
	* RFC 2307 is the one!

2.29e	Luke Howard <lhoward@apple.com>

	* util.c: fixed memory leak (call to ldap_value_free())

2.29d	Luke Howard <lhoward@apple.com>

	* ldap-ethers.c: fixed to use HOSTNAME attribute

2.29c	Luke Howard <lhoward@apple.com>

	* ieee8022Device -> ieee802Device

2.29b	Luke Howard <lhoward@apple.com>

	* added ieee8022Device and bootableDevice classes,
	  at Sun's request.

2.29a	Luke Howard <lhoward@apple.com>

	* dc -> cn

2.29	Luke Howard <lukeh@xedoc.com>

	* changed host/network/ethers naming schema
	  see the -02 draft revision for more info

2.28	Luke Howard <lukeh@xedoc.com>

	* ldap-pwd.c, ldap-spwd.c: fixed tmpbuf stuff. Yuck.

2.27	Luke Howard <lukeh@xedoc.com>

	* ANNOUNCE: reflected draft-howard-nis-schema-01.txt
	* ldap-spwd.c: default for shadow integer values is -1, not 0
	  and fixed crasher (thanks to dj@gregor.com)

2.26	Luke Howard <lukeh@xedoc.com>

	* globals.c: added offset stuff back for mapping errnumbers.
	  Weird: this stuff *was* in an earlier version of the work
	  area. I have no idea where it went. Scary.

2.25	Luke Howard <lukeh@xedoc.com>

	* irs-nss.h: added prototype for irs_ldap_acc()
	* ldap-*.[ch]: removed redundent PARSER macro
	* unbroke for GNU NSS (context_key_t changed to context_handle_t)

2.24	Luke Howard <lukeh@xedoc.com>

	* irs-nss.c: added dispatch table for IRS library
	* testpw5.c: added additional test program
	* ldap-nss.c: removed spurious debug statement
	* ldap-nss.c, util.c, dnsconfig.c: cleaned up memory
	  allocation for config. (This could be improved, but
	  there is no longer a static ldap_config_t structure.)
	* Makefile: general cleanup

2.23	Luke Howard <lukeh@xedoc.com>

	* default destructor is now simply wrapped around by individual backend
	  destructors
	* __EXTENSIONS__ defined for Solaris 2.6 to import strncasecmp()
	* getbyname: fixed crasher in ldap-nss.c due to uninitialized variable
	* ldap-parse.h, assorted others: tidied up resolver calls to use
	  NSS_ARGS() macro and not to interfere with the previous backend's
	  status (bad thing!)
	* ldap-service.c: cleaned up potential uninitialized var in parser
	* ldap-nss.c: no valued arrays are now { NULL } instead of NULL.

2.22	Luke Howard <lukeh@xedoc.com>

	* testpw.c: XXX problem. dies with segfault, but gdb doesn't give
	  me enough information; it's definitely within nss_ldap.so though.
	  I just can't see the symbols. (Maybe dbx would be better...)
	  However, testpw doesn't work at *all* under 2.5.1, and technically
	  it shouldn't as it's not linked against liblthread. I haven't been
	  able to duplicate this with testpw2, which is the same code linked
	  with the thread library.
	* backported to NeXT

2.21	Luke Howard <lukeh@xedoc.com>

	* resolve.h: renamed functions so as to keep namespace clean
	* snprintf.h: tidied up for systems which already have snprintf()
	  and renamed anyway to keep namespace clean (_nss_ldap_snprintf)
	* ldap-*.h: made character constants const to avoid nasty warnings
	* globals.[ch]: as above
	* README, TODO, ANNOUNCE: general documentation updates
	* ldap-nss.c, et al: general work on Solaris 2.6 port, to get
	  nscd working. Lots of fiddling with the locking.
	* Major architectural changes to Solaris NSS implementation.
	  Thread specific data is now stored in the backend, where it
	  should be: just like it is in IRS. Locking is a little more
	  coarse now, but it will do for the moment.
	* Paul Henson's DCE module gave me the inspiration to do the
	  backend stuff the "right" way -- thanks, Paul!
	* As a result, a lot of the bugs listed in TODO have mysteriously
	  fixed themselves. :-)

2.20	Luke Howard <lukeh@xedoc.com>

	* Makefile.*: ensured resolve.[ch] and dnsconfig.[ch] were there.
	* Makefile: should link now with gcc -shared instead of requiring
	  cc.

2.19	Luke Howard <lukeh@xedoc.com>

	* testpw4.c: added irs hostbyname() test
	* Makefile: added correct flags to build position indepdenent
	  code with Sun's compiler (thanks, Bill). Added SRV sources.
	* testpw.c: works under NeXT, cleaned up a bit.
	* ldap.conf: documented what this file does
	* util.c: ignore blank lines in ldap.conf properly
	* resolve.h: fixed up for Solaris

2.18	Luke Howard <lukeh@xedoc.com>

	* ldap-network.c: fixed infinite loop in getnetbyname()
	* util.c: goto out causes a compiler warning under Solaris.
	  Documented this. Should fix this, I suppose, but we need
	  to break out of two blocks. (We could remove the code that
	  handles multivalued DNs, as it's fairly unlikely that someone
	  will use a DN of o=Xedoc+dc=xedoc,c=US+dc=com, but who knows?)
	* ldap-ethers.c: line 215, result was not assigned to an
	  lvalue (should have been args->status, not args). Fixed.

2.17	Luke Howard <lukeh@xedoc.com>

	* Cleaned up documentation and testpw4.c
	* dnsconfig.c: Fixed strtok() bug which was clobbering domain

2.16	Luke Howard <lukeh@xedoc.com>

	* util.c (_nss_ldap_readconfig) fixed strtok() typo

2.15	Luke Howard <lukeh@xedoc.com>

	* dnsconfig.c: got DNS SRV support working under NEXTSTEP
	* util.c: (_nss_ldap_getdomainname) made host and network DN parsing
          compliant with current draft

2.2 - 2.14	Luke Howard <lukeh@xedoc.com>

	* I'll get around to merging in the RCS log here one day.
	  Nothing very exciting happened, I just backported the code to
	  NEXTSTEP and compiled it.

2.1 	Luke Howard <lukeh@xedoc.com>

	* merged in old RCS tree (now nss_ldap 0.2)

1.x	Luke Howard <lukeh@xedoc.com>

	* old RCS repository (corresponds to nss_ldap 0.1)