2009-12-28: release 0.7.2 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some
new functionality.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.1:
- some attributes may be mapped to a shell-like expression that expands attributes from LDAP entries; this allows attribute overrides, defaults and much more (as a result the passwdcn attribute mapping has been removed because the gecos mapping is now "${gecos:-$cn}" by default)
- update the NSS module to follow the change in Glibc where the addr parameter of getnetbyaddr_r() was changed from network-byte-order to host-byte-order
- properly escape searches for uniqueMember attributes for DNs with a comma in an attribute value
- miscellaneous improvements to the configure script implementing better (and simpler) library detection
- some general refactoring and other miscellaneous improvements
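To illustrate the shell-like attribute mapping expressions mentioned above, here is a small added Python expander (example code, not nss-pam-ldapd's own implementation) that handles `$attr`, `${attr}` and `${attr:-default}` with a recursively expanded default, enough to evaluate the "${gecos:-$cn}" mapping; the entries it is run against are constructed, and the exact syntax accepted by the real project may differ from this model.

```python
"""Added example (not nss-pam-ldapd code): a small expander for the
shell-like attribute mapping expressions introduced in 0.7.2, enough to
evaluate the default gecos mapping "${gecos:-$cn}"."""
import re

# Matches $name, ${name} or ${name:-default}. The default may itself
# contain expressions (one level of braces) and is expanded recursively.
_VAR = re.compile(r"\$(?:(\w+)|\{(\w+)(?::-((?:[^{}]|\{[^{}]*\})*))?\})")


def expand(expr: str, entry: dict) -> str:
    """Expand expr against an LDAP entry given as {attribute: [values]}.

    Attribute names are matched case-insensitively (as in LDAP). The
    first value of a multi-valued attribute is used; an attribute that is
    absent or has an empty value counts as unset, so the :- default
    applies, mirroring sh's ${var:-word}.
    """
    attrs = {k.lower(): v for k, v in entry.items()}

    def lookup(attr: str) -> str:
        values = attrs.get(attr.lower(), [])
        return values[0] if values else ""

    def repl(m: re.Match) -> str:
        attr = m.group(1) or m.group(2)
        value = lookup(attr)
        if value == "" and m.group(3) is not None:
            return expand(m.group(3), entry)  # fall back to the default
        return value

    return _VAR.sub(repl, expr)


if __name__ == "__main__":
    # Constructed entries, not real directory data.
    full = {"cn": ["Joe Example"], "gecos": ["Joe E.,,,"], "uid": ["joe"]}
    bare = {"cn": ["Jane Example"], "uid": ["jane"]}
    for e in (full, bare):
        print(expand("${gecos:-$cn}", e), expand("/home/$uid", e),
              expand("${loginShell:-/bin/sh}", e))
```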
2009-11-22: security advisory: problems with case-insensitive LDAP lookups
Versions of nss-ldapd (now called nss-pam-ldapd) before 0.6.11 do not filter the results from an LDAP search query to only return case-sensitive matches (many LDAP search queries are case-insensitive). This results in users that differ in name but have the same numeric userid existing on the system.
This can cause problems on systems where privileges are assigned to
users based on their username with case-sensitive matching.
One such place is in determining group membership (even in LDAP),
another is in netgroups. This allows users to successfully log in with an
incorrect name and have incorrect privileges assigned
(e.g. user logs in as Joe and is no longer in the group denyaccess).
This issue also exposes a problem in nscd (GNU C Library Name Service Cache
Daemon) which does not support multiple users with the same numeric userid.
This could cause invalid information being entered into the nscd cache
which could deny services to affected users (e.g. this is known to cause
problems for SSH usage and Kerberos).
In some configurations this can be exploited remotely (Apache serving
user's public_html directories, SSH server or other services that may
perform username lookups).
If you are affected by this problem but cannot upgrade to a more recent release, you may want to review the change that went into the 0.6.11 release.
For Debian lenny an updated version 0.6.7.2 was made.
This problem also affects the nss_ldap module from PADL Software Pty Ltd and probably also the nssov overlay from OpenLDAP's slapd. Similar problems may also affect other software that performs LDAP lookups.
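As an added illustration of the advisory above and of the case-sensitive filtering that 0.6.11 introduced (example code, not the project's own): a simplified Python model in which an LDAP uid search matches case-insensitively, a pre-0.6.11 style lookup returns the result unfiltered, and a fixed lookup keeps only exact matches. The directory contents, the deny group and the toy login policy are constructed for the example.

```python
"""Added example (not nss-pam-ldapd code): a model of the case-insensitive
lookup problem from the 2009-11-22 advisory and of the filtering added in 0.6.11."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Passwd:
    name: str   # LDAP uid attribute
    uid: int    # LDAP uidNumber attribute

# Constructed directory contents (not real data): one account "joe".
DIRECTORY = [Passwd("joe", 1000), Passwd("alice", 1001)]

# Constructed deny list keyed by user name and matched case-sensitively,
# as a local group file or an ACL file typically does.
DENY_GROUP_MEMBERS = {"joe"}

def ldap_search(name: str) -> list:
    """Model of an LDAP '(uid=<name>)' search: uid commonly uses a
    case-insensitive matching rule, so 'Joe' and 'JOE' match 'joe'."""
    return [e for e in DIRECTORY if e.name.lower() == name.lower()]

def getpwnam_old(name: str) -> Optional[Passwd]:
    """Pre-0.6.11 behaviour: hand back whatever the search returned."""
    results = ldap_search(name)
    return results[0] if results else None

def getpwnam_fixed(name: str) -> Optional[Passwd]:
    """0.6.11 behaviour: keep only results whose uid attribute equals the
    requested name exactly, so 'Joe' becomes an unknown user."""
    results = [e for e in ldap_search(name) if e.name == name]
    return results[0] if results else None

def login_allowed(typed_name: str, getpwnam: Callable) -> tuple:
    """Toy login policy: the account must resolve and the typed name must
    not be in the deny group. With the old lookup 'Joe' resolves to uid
    1000 but is not in the deny list, so the restriction is bypassed."""
    pw = getpwnam(typed_name)
    if pw is None:
        return (False, "unknown user")
    if typed_name in DENY_GROUP_MEMBERS:
        return (False, f"uid {pw.uid} is in denyaccess")
    return (True, f"uid {pw.uid}")

if __name__ == "__main__":
    for name in ("joe", "Joe"):
        print(name, "old:", login_allowed(name, getpwnam_old),
              "fixed:", login_allowed(name, getpwnam_fixed))
```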
2009-10-20: release 0.7.1 of nss-pam-ldapd
This is an update for the 0.7 release that fixes some bugs, improves
portability and brings some new functionality, all mainly in the PAM
functionality.
This should be a reasonably stable and well tested release with the PAM
module being reasonably complete.
A summary of the changes since 0.7.0:
- implement password changing by performing an LDAP password modify EXOP request
- fix return of authorisation check in PAM module (patch by Howard Chu)
- fix for problem when authenticating to LDAP entries without a uid attribute in the DN
- general code clean-up and portability improvements
- provide more information with communication error messages
2009-09-04: release 0.7.0 of nss-pam-ldapd
This is a new release that brings with it amongst other things a name
change of the software and a name change of the configuration file.
These changes were done to reflect the addition of the PAM module as a
standard part of the software.
The PAM module is still under development but should be mostly functional
for authentication purposes. Other than that this should be a reasonably
stable and well tested release.
A summary of the changes since 0.6.11:
- rename software to nss-pam-ldapd to indicate that the PAM module is now a standard part of the software
- the PAM module is now built by default (the configure script can be instructed whether or not to build certain parts)
- the default configuration file name has been changed to /etc/nslcd.conf
- the default values for bind_timelimit and reconnect_maxsleeptime were lowered from 30 to 10 seconds
- password hashes are no longer returned to non-root users (based on a patch by Alexander V. Chernikov)
- a pam_ldap(8) manual page was added
- unknown options in the configuration file can now be ignored with a new --disable-configfile-checking configure option
Get this release from the downloads section.
If you were using the svn version note that the repository name and path in
the repository have changed. Either check out using the new location or
update your repository with the following two commands:
2009-07-12: release 0.6.11 of nss-ldapd
This release fixes a number of bugs in the 0.6.10 and earlier releases
and adds a couple of functionality improvements.
This should be a reasonably stable and well tested release.
changes since 0.6.10:
- fix user name to groups mapping (a bug in buffer checking in initgroups() that was introduced in 0.6.9)
- fix a possible buffer overflow with too many uidNumber or gidNumber attributes (thanks to David Binderman for finding this)
- lookups for group, netgroup, passwd, protocols, rpc, services and shadow maps are now case-sensitive
- test suite is now minimally documented
- added --disable-sasl and --disable-kerberos configure options
- changed references to home page and contact email addresses to use arthurdejong.org
2009-06-14: nss-ldapd homepage moved
Since I have completed my study at the Delft University quite some time ago,
the nss-ldapd homepage has been moved to
https://arthurdejong.org/nss-ldapd/.
The contact email address has also been changed to arthur@arthurdejong.org.
The subversion repository and viewvc URLs have also changed (see the
downloads section for details).
If you were using the svn repository before you can do
2009-06-03: release 0.6.10 of nss-ldapd
This release fixes a number of bugs in the 0.6.9 and earlier releases.
This should be a reasonably stable and well tested release.
This release includes improvements to the experimental PAM module
introduced in 0.6.9 and adds basic LDAP authentication to nslcd. The PAM
module is still disabled by default.
It is expected that the 0.7 release will include the PAM module by default
at which point the software will probably be renamed to nss-pam-ldapd
(suggestions for a better name are welcome).
changes since 0.6.9:
- implement searching through multiple search bases, based on a patch by Leigh Wedding
- fix a segmentation fault that could occur when using any of the tls_* options with a string parameter
- miscellaneous improvements to the experimental PAM module
- implement PAM authentication function in the nslcd daemon
- the code for reading and writing protocol entries between the NSS module and the daemon was improved
2009-05-09: release 0.6.9 of nss-ldapd
This release fixes a number of bugs in the 0.6.8 and earlier releases.
This should be a reasonably stable and well tested release.
This release introduces an experimental PAM module contributed by Howard
Chu from the OpenLDAP project that works together with the nssov overlay
in slapd. Work is underway to complete the needed functionality in
nss-ldapd's nslcd process. With this release the PAM module is disabled by
default.
changes since 0.6.8:
- produce more detailed logging in debug mode and allow multiple -d options to be specified to also include logging from the LDAP library
- some LDAP configuration options are now initialized globally instead of per connection which should fix problems with the tls_reqcert option
- documentation improvements for the NSLCD protocol used between the NSS module and the nslcd server
- imported the new PAM module from the OpenLDAP nssov tree by Howard Chu (note that the PAM-related NSLCD protocol is not yet finalised and this module is not built by default)
- in the configure script allow disabling of building certain components
- fix a bug with writing alternate service names and add checks for validity of passed buffer in NSS module
2009-03-22: release 0.6.8 of nss-ldapd (security update)
This release fixes a security problem in 0.6.7 and earlier releases in the
Debian package configuration. A similar problem could also affect other
users.
The nss-ldapd.conf that is installed by the Debian package was created world-readable, which could cause problems if the bindpw option is used. This has been fixed in the Debian package, but other users should check the permissions of the nss-ldapd.conf file when the bindpw option is used (warnings have been added to the manual page and sample nss-ldapd.conf).
The CVE project has assigned id CVE-2009-1073 to this problem.
This release also includes the following changes since 0.6.7:
- clean the environment and set LDAPNOINIT to disable parsing of LDAP configuration files (~/.ldaprc, /etc/ldap/ldap.conf, etc)
- remove sslpath option because it wasn't used
- correctly set SSL/TLS options when using StartTLS
- rename the tls_checkpeer option to tls_reqcert, deprecating the old name and supporting all values that OpenLDAP supports
- allow backslashes in user and group names except as first or last character
- check user and group names against LOGIN_NAME_MAX if it is defined