Arthur de Jong

Open Source / Free Software developer

Release 0.9.0 of nss-pam-ldapd


This is the first release of the new 0.9 development branch of nss-pam-ldapd. It includes a number of new features and will see some more development.

Amongst the most prominent new features are support for nested groups, utilities for updating user information and handling of password policy controls.

As such, this isn't the most stable version and should be used with caution. The 0.7 and 0.8 branches will continue to be supported with bug and security fixes for some time.

This version introduces a backwards incompatible protocol change, which means it is no longer possible to use the NSS or PAM module from a previous release with nslcd from a newer release (or vice versa). Since these modules are generally loaded once per process, old versions of these modules may still be present in long-running processes after upgrading, so such processes need to be restarted for lookups and authentication to keep working.

A summary of the changes since 0.8.13:

  • backwards incompatible change to the communications protocol between nslcd and the NSS and PAM modules: it now uses network byte order to be able to work on mixed endian multiarch systems, and the protocol was restructured in some places
  • netgroup lookups now make a distinction between empty netgroups and non-existing netgroups
  • the PAM protocol is now more consistent (cleaner support for password modification by root, have all request parameters in the same order and limit the information returned from the call)
  • request and handle password policy controls on LDAP authentication
  • implement support for nested groups which can be enabled with the nss_nested_groups option (thanks Steve Hill)
  • add a log option to configure log level and logging to plain files
  • add an nscd_invalidate option to invalidate the nscd cache after recovering from LDAP connection problems (to clear any negative cache entries) (this option was renamed to reconnect_invalidate in version 0.9.1)
  • allow trimming expressions with ${foo#bar} syntax in attribute mapping expressions (thanks Thorsten Glaser)
  • pynslcd supports trimming expressions with full shell glob matching
  • support password modification in pynslcd
  • support the children search scope on systems that have it
  • add a getent.ldap utility to perform nslcd queries bypassing the libc NSS stack
  • implement functionality for changing user information and provide a chsh.ldap utility to allow users to change their login shell
  • remove deprecated use_sasl, reconnect_tries, reconnect_maxsleeptime and tls_checkpeer options which have been replaced long ago
  • allow names with one character in default validnames option and allow parentheses (taken from Fedora packages)
  • fall back to updating the lastChange attribute with the normal LDAP connection
  • dump full nslcd configuration at debug level on start-up
  • export an _nss_ldap_version symbol in the NSS module to make finding version mismatches easier (the NSS module version is logged from nslcd)
  • documentation improvements
  • update the coding style for the C source code to follow a more modern and commonly used coding convention
  • some parts of the code were refactored or rewritten to take into account the changes within the software (e.g. configuration file handling, reduction in the number of system calls for normal communication)
  • numerous smaller fixes
  • portability and robustness improvements to the tests
  • implement lookup_netgroup and lookup_shadow test commands for systems that cannot use getent to query these
  • guess the value for --with-pam-seclib-dir configure option if it is not specified
  • temporarily disable the caching functionality of pynslcd
  • usability improvements in the pynslcd implementation
  • various fixes for Solaris
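The trimming expressions mentioned above follow the shell's `${var#pattern}`, `${var##pattern}`, `${var%pattern}` and `${var%%pattern}` forms, which pynslcd matches with full shell glob patterns. The evaluator below is an added illustration of those semantics (together with the existing `${attr:-default}` form) and is not code from nss-pam-ldapd; the attribute values are constructed, and the `expand()` and `ATTRS` names are this example's own. Such expressions decide security-relevant values like a user's login shell or home directory, so it is worth knowing exactly what a pattern strips.

```python
import re
from fnmatch import fnmatchcase

# ${attr}, ${attr:-default}, ${attr#pat}, ${attr##pat}, ${attr%pat}, ${attr%%pat}
# (longer operators are listed first so "##" is not read as "#").
_EXPR = re.compile(r"\$\{(\w+)(?:(:-|##|#|%%|%)([^}]*))?\}")

# Constructed sample entry: attribute name -> first value (empty = absent).
ATTRS = {
    "uid": "jdoe",
    "gecos": "John Doe,,,",
    "mail": "jdoe@example.com",
    "loginShell": "",
}


def _trim(value, op, pattern):
    """Strip the shortest/longest glob-matching prefix or suffix, like the shell."""
    n = len(value)
    if op == "#":     # shortest matching prefix: try prefixes from short to long
        for i in range(0, n + 1):
            if fnmatchcase(value[:i], pattern):
                return value[i:]
    elif op == "##":  # longest matching prefix: try prefixes from long to short
        for i in range(n, -1, -1):
            if fnmatchcase(value[:i], pattern):
                return value[i:]
    elif op == "%":   # shortest matching suffix: try suffixes from short to long
        for i in range(n, -1, -1):
            if fnmatchcase(value[i:], pattern):
                return value[:i]
    elif op == "%%":  # longest matching suffix: try suffixes from long to short
        for i in range(0, n + 1):
            if fnmatchcase(value[i:], pattern):
                return value[:i]
    return value      # no match: the value is left untouched, as in the shell


def expand(expression, attributes):
    """Expand every ${...} reference in a mapping expression against an entry."""
    def repl(m):
        name, op, arg = m.group(1), m.group(2), m.group(3)
        value = attributes.get(name, "")
        if op is None:
            return value
        if op == ":-":
            return value if value else arg
        return _trim(value, op, arg)
    return _EXPR.sub(repl, expression)


if __name__ == "__main__":
    for expr in ("${mail%@*}", "${gecos%%,*}", "${loginShell:-/bin/sh}", "/home/${uid}"):
        print(f"{expr:28} -> {expand(expr, ATTRS)!r}")
```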

Get this release from the downloads section.

Some more ideas and features that may be implemented in the 0.9 series are:

  • see if we can find a proper solution for systems that organise users differently (e.g. FreeBSD doesn't have shadow information but has a login class)
  • rework the pynslcd caching functionality and get pynslcd production-ready
  • add more utilities for managing users, groups and other objects in LDAP (the rootpwmoddn option will probably be renamed to rootmoddn)
  • support SO_PASSCRED based authentication for clients doing nslcd requests (especially useful for the utility functions)

Ideas, comments and patches for functionality are more than welcome. Please drop a note on the nss-pam-ldapd-users mailing list with any ideas or patches you may have.