2010-12-30: release 0.8.0 of nss-pam-ldapd
This is the first release in the 0.8 series of nss-pam-ldapd, a
new development branch of nss-pam-ldapd in which a number of new
features and implementations are introduced. As such, this isn't the most
stable version of nss-pam-ldapd but users are urged to try out
this release and send feedback.
Note that the 0.7 branch will be supported with bug and security fixes at
least until the 0.8 branch has stabilised.
A summary of the changes since 0.7.13:
- include Solaris support developed by Ted C. Cheng of
  Symas Corporation
- include an experimental partial implementation of nslcd in Python
  (disabled by default, see --enable-pynslcd configure
  option)
- implement an nss_min_uid
  option to filter user entries returned by LDAP
- implement a rootpwmodpw
  option that allows the root user to change a user's password without
  a password prompt
- try to update the shadowLastChange attribute on password
  change
- all log messages now include a description of the request to more
  easily track problems when not running in debug mode
- allow attribute mapping expressions for the userPassword
  attribute for passwd, group and shadow entries and by default map it
  to the unmatchable password ("*") to avoid accidentally leaking
  password information
- numerous compatibility improvements
- add --with-pam-seclib-dir and --with-pam-ldap-soname
  configure options to allow more control of how to install the PAM
  module
- add --with-nss-flavour and --with-nss-maps configure
  options to support other C libraries and limit which NSS modules to
  install
- allow tilde (~) in user and group names
- improvements to the timeout mechanism (connections are now actively
  timed out using the idle_timelimit
  option)
- set socket timeouts on the LDAP connection to disconnect regardless of
  LDAP and possibly TLS handling of connection
- better disconnect/reconnect handling of error conditions
- some code improvements and cleanups and several smaller bug fixes
- all internal string comparisons are now also case sensitive (e.g. for
  providing DN to username lookups, etc)
- signal handling in the daemon was changed to behave more reliably
  across different threading implementations
- nslcd will now always return a positive authorisation result
  during authentication to avoid confusing the PAM module when it is
  only used for authorisation
- Debian packaging improvement: implement configuring SASL
  authentication using Debconf, based on a patch by Daniel Dehennin
2010-12-11: release 0.7.13 of nss-pam-ldapd
This is a bugfix release for the 0.7 series.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.12:
- fix handling of idle_timelimit option
- fix error code for problem while doing password modification
2010-10-29: release 0.7.12 of nss-pam-ldapd
This is a bugfix release for the 0.7 series.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.11:
- set a short socket timeout when shutting down the connection to the
  LDAP server to avoid disconnect problems when using TLS
2010-10-15: release 0.7.11 of nss-pam-ldapd
This is a bugfix release for the 0.7 series.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.10:
- grow the buffer for the PAM ruser to not reject logins for users with
  a ruser including a domain part
2010-09-24: release 0.7.10 of nss-pam-ldapd
This is a bugfix release for the 0.7 series.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.9:
- handle errors from ldap_result() better and disconnect (and reconnect)
  in more cases
2010-08-28: release 0.7.9 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.8:
- fix for --with-nss-ldap-soname configure option by Julien
  Cristau
- Debian packaging improvements
Get this release from the downloads section.
With this release the 0.7 series will be in bugfixes-only mode. It will
still receive bugfixes and security support for some time but not any major
new features.
See the mailing list post for more details.
2010-08-18: release 0.7.8 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.7:
- minor portability improvements and clean-ups (thanks Alexander V.
  Chernikov and Ted C. Cheng)
- don't expand variables in rest of ${var:-rest} and
  ${var:+rest} expressions if it is not needed
2010-07-03: release 0.7.7 of nss-pam-ldapd
This is an update for the 0.7 series that brings some small improvements.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.6:
- refactoring and simplification of PAM module which also improves
  logging
- implement a nullok PAM option and disable empty passwords by
  default
- portability improvements and other minor code improvements
- the mechanism to disable name lookups through LDAP from within the
  nslcd process has been improved
- the undocumented use_sasl option has been removed (specifying
  sasl_mech now implies use_sasl)
- the sasl_mech, sasl_realm, sasl_authcid,
  sasl_authzid and sasl_secprops configuration options
  are now documented
2010-05-27: release 0.7.6 of nss-pam-ldapd
This is an update for the 0.7 series that fixes a bug and brings some
small improvements.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.5:
- fix a problem with empty attributes if expression-based attribute
  mapping is used (patch by Nalin Dahyabhai)
- make debug logging for pam_authz_search option a little more
  informative
2010-05-14: release 0.7.5 of nss-pam-ldapd
This is an update for the 0.7.4 release that mainly fixes an annoying
bug when using the minimum_uid PAM option and includes some
improvements to the PAM module (20% code reduction with
new features added).
A summary of the changes since 0.7.4:
- fix a problem in the session handling of the PAM module if the
  minimum_uid option was used
- refactor the PAM module code to be simpler and more maintainable
- perform logging from PAM module to syslog and support the
  debug option to log more information
2010-05-09: release 0.7.4 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some
new functionality.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.3:
- perform proper fail-over when authenticating in the PAM module
- add an nss_initgroups_ignoreusers option to ignore user name
  to group lookups for the specified users
- add a pam_authz_search option to perform a flexible
  authorisation check on login (e.g. to restrict which users can login
  to which hosts, etc)
- implement a minimum_uid option for the PAM module to ignore
  users that have a lower numeric user id
- change the way retries are done to error out quicker if the LDAP
  server is down for some time (this should make the system more
  responsive when the LDAP server is unavailable) and rename the
  reconnect_maxsleeptime option to reconnect_retrytime
  to better describe the behaviour
- only log "connected to LDAP server" if the previous connection
  failed
2010-02-27: release 0.7.3 of nss-pam-ldapd
This is an update for the 0.7 series that fixes some bugs and brings some
new functionality.
This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.2:
- allow password modification by root using the rootpwmoddn
  configuration file option (the user will be prompted for the password
  for rootpwmoddn instead of the user's password)
- the LDAP password modify EXOP is first tried without the old password
  and if that fails retried with the old password
- when determining the domain name (used for some value of the
  base and uri options) also try to use the hostname
  aliases to build the domain name (patch by Jan Schampera)
- perform locking on the pidfile on start-up to ensure that only one
  nslcd process is running and implement a --check option
  (patch by Jan Schampera)
2010-01-22: announcing nss-pam-ldapd mailing lists
To improve participation and sharing of ideas for the nss-pam-ldapd
project, three mailing lists have been set up.
These lists are open for subscription by anyone and have public
on-line archives.
The nss-pam-ldapd-announce mailing list will be used for announcements
of new releases, security advisories and any other important news
regarding nss-pam-ldapd.
The nss-pam-ldapd-commits mailing list can be used to keep up with the
day-to-day commits to the project.
The nss-pam-ldapd-users mailing list is a general discussion list for
the project. Please send your questions and patches there.
More details are available in the mailing lists section.