Arthur de Jong

Open Source / Free Software developer

Release 0.9.1 of nss-pam-ldapd


This is an update for the 0.9 development branch of nss-pam-ldapd that includes a number of new features. This branch will see more development and features added.

As such, this isn't the most stable version and should be used with caution. The 0.7 and 0.8 branches will remain to be supported with bug and security fixes for some time.

A summary of the changes since 0.9.0:

  • rename the nscd_invalidate option to reconnect_invalidate and allow flushing the nfsidmap cache with the new option
  • implement an -n switch to not daemonise (by Caleb Callaway)
  • nslcd will now return partial shadow information to non-root users to avoid authorisation problems with setgid shadow authentication helpers with some PAM stacks
  • nslcd will now retry failing LDAP connections after receiving SIGUSR1 (SIGUSR1 could be sent after re-establishing a network connection)
  • fix the way manual pages are installed in some situations
  • the code for the nslcd utilities (getent.ldap and chsh.ldap) is now installed in {prefix}/share/nslcd-utils
  • improve error and help output of the getent.ldap command
  • documentation updates
  • a number of tests were added and existing tests were extended
  • fix for a potential, small memory leak in PAM module regarding temporary saving of old password
  • a large number of bug fixes and improvements in pynslcd
  • hide passwords from the pynslcd debug output
  • support start_tls, pam_password_prohibit_message, nss_initgroups_ignoreusers and nss_min_uid in pynslcd
  • fix rootpwmodpw handling in pynslcd
  • complete a basic PAM implementation in pynslcd (some things such as shadow attribute checking remain to be implemented)
  • clean up the caching functionality in pynslcd (functionality is still disabled)

Get this release from the downloads section.

The pynslcd implementation is becoming more and more featureful and robust. It should be a reasonable replacement for nslcd in some environments. The biggest missing features are support for multiple LDAP servers with fail-over and support for authenticated LDAP connections for normal operations.
However, pynslcd is still not as well tested as nslcd.

Ideas, comments and patches for functionality are more than welcome. Please drop a note on the nss-pam-ldapd-users mailing list with any ideas or patches you may have.