forked from arthurdejong/nss-pam-ldapd
NEWS
changes from 0.9.4 to 0.9.5
---------------------------
* improve test suite (change IP range)
* handle the situation better when the server (or a firewall) has closed the
connection (thanks Tim Harder)
* make daemonising a little more robust and try to log more failures
* fix integer format strings (thanks Jianhai Luan and Patrick McLean)
* documentation updates (thanks Dalibor Pospíšil)
* fix range check for search access (thanks David Binderman)
* fix a bug in the NSS library when encountering IPv6 addresses in
the hosts map (thanks Mark R Bannister)
* allow configuring the name of the NSS and PAM modules (--with-module-name)
* adjust the Linux OOM (Out-Of-Memory) killer score to avoid killing nslcd
(thanks Patrick McLean)
* portability improvements (thanks Tim Rice)
changes from 0.9.3 to 0.9.4
---------------------------
* also handle password policy information on BIND failure (this makes it
possible to distinguish between a wrong password and an expired password)
* fix mapping the member attribute to an empty string
* any buffers that may have held passwords are cleared before the memory is
released
* increase buffer size for passwords to support extremely long passwords
(thanks ushi)
* increase buffer size for DN to support very long names or names with
non-ASCII characters
* log an error in almost all places where a defined buffer is not large
enough to hold the provided data instead of just (sometimes silently)
failing
* logging improvements (start-up problems, login failures)
* small improvement for Solaris
changes from 0.9.2 to 0.9.3
---------------------------
* make the dn2uid cache lifetime configurable with the cache configuration
option
* have the nslcd process only exit after the service is completely available
to avoid race conditions in the init script
* the nslcd daemon now properly daemonises (double fork)
* support mapping the member attribute to an empty string to disable the
functionality to do extra lookups for member DN to member uid translations
* implement deref control handling to request the LDAP server to dereference
group member attribute values to uid values
* support getting built-in groups from Active Directory (thanks Davy Defaud)
* fix for pwdLastSet attribute value handling (thanks Joshua Shire)
* fix a possible crash in the NSS module when retrieving large network
entries (thanks Lukas Slebodnik)
* correct NSS h_errnop return value to indicate buffer too small (thanks
Nalin Dahyabhai)
* fix a bug with shadow values on 64-bit architectures
* automatically detect DragonFly as using the FreeBSD NSS interface (thanks
Francois Tigeot)
* add a build-time test to see if krb5 is thread-safe
* various minor bug fixes
changes from 0.9.1 to 0.9.2
---------------------------
* increase password value buffer size (by Bersl)
* avoid more broken pipe errors by using a low timeout when aborting reading
requested information from nslcd (thanks John Sullivan)
* only log broken pipe errors in debugging mode
* fix buffer overflow on interrupted read that is hard to trigger (thanks
John Sullivan)
* use clock_gettime() with CLOCK_MONOTONIC for timeout calculations to avoid
clock adjustment errors (thanks John Sullivan)
* extend test suite to test for CLOCK_MONOTONIC and timed IO timeout
calculations
* increase the maximum number of base statements per map to 31
* use larger nslcd send buffers to reduce the number of write operations in
nslcd and consequently the number of reads in the NSS and PAM modules
(thanks John Sullivan)
* also run invalidators after first successful search
* various clean-ups, portability improvements and fixes for compiler warnings
* import configure checks of Python modules
* provide a script for setting up slapd in a test environment, automatically
loaded with the required test data
* add script for evaluating test environment availability
* portability improvements in the test scripts and test environment
changes from 0.9.0 to 0.9.1
---------------------------
* rename the nscd_invalidate option to reconnect_invalidate and allow flushing
the nfsidmap cache with the new option
* implement an -n switch to not daemonise (by Caleb Callaway)
* nslcd will now return partial shadow information to non-root users to avoid
authorisation problems with setgid shadow authentication helpers with some
PAM stacks
* nslcd will now retry failing LDAP connections after receiving SIGUSR1
(SIGUSR1 could be sent after re-establishing a network connection)
* fix the way manual pages are installed in some situations
* the code for the nslcd utilities (getent.ldap and chsh.ldap) is now
installed in {prefix}/share/nslcd-utils
* improve error and help output of the getent.ldap command
* documentation updates
* a number of tests were added and existing tests were extended
* fix for a potential, small memory leak in PAM module regarding temporary
saving of old password
* a large number of bug fixes and improvements in pynslcd
* hide passwords from the pynslcd debug output
* support start_tls, pam_password_prohibit_message, nss_initgroups_ignoreusers
and nss_min_uid in pynslcd
* fix rootpwmodpw handling in pynslcd
* complete a basic PAM implementation in pynslcd (some things such as shadow
attribute checking remain to be implemented)
* clean up the caching functionality in pynslcd (functionality is still
disabled)
changes from 0.8.12 to 0.9.0
----------------------------
* backwards incompatible change to the communications protocol between nslcd
and NSS and PAM modules to use network byte order to be able to work on
mixed endian multiarch systems
* netgroup lookups now make a distinction between empty netgroups and
non-existing netgroups
* the PAM protocol is now more consistent (cleaner support for password
modification by root, have all request parameters in the same order and
limit the information returned from the call)
* request and handle password policy controls on LDAP authentication
* implement support for nested groups which can be enabled with the
nss_nested_groups option (thanks Steve Hill)
* add a log option to configure log level and logging to plain files
* add an nscd_invalidate option to invalidate the nscd cache after recovering
from LDAP connection problems (to clear any negative cache entries)
* allow trimming expressions with ${foo#bar} syntax in attribute mapping
expressions (thanks Thorsten Glaser)
* pynslcd supports trimming expressions with full shell glob matching
* support password modification in pynslcd
* support children search scope for systems that have it
* add a getent.ldap utility to perform nslcd queries bypassing the libc NSS
stack
* implement functionality for changing user information and provide a
chsh.ldap utility to allow users to change their login shell
* remove deprecated use_sasl, reconnect_tries, reconnect_maxsleeptime and
tls_checkpeer options which have been replaced long ago
* allow names with one character in default validnames option and allow
parentheses (taken from Fedora packages)
* fall back to updating the lastChange attribute with the normal LDAP
connection
* dump full nslcd configuration at debug level on start-up
* export an _nss_ldap_version symbol in the NSS module to make finding version
mismatches easier (the NSS module version is logged from nslcd)
* documentation improvements
* update the coding style for the C source code to follow a more modern and
commonly used coding convention
* some parts of the code were refactored or rewritten to take into account the
changes within the software (e.g. configuration file handling, reduction in
the number of system calls for normal communication)
* numerous smaller fixes
* portability and robustness improvements to the tests
* implement lookup_netgroup and lookup_shadow test commands for systems that
cannot use getent to query these
* guess the value for --with-pam-seclib-dir configure option if it is not
specified
* temporarily disable the caching functionality of pynslcd
* usability improvements in the pynslcd implementation
* various fixes for Solaris
changes from 0.8.11 to 0.8.12
-----------------------------
* fix a problem with the sasl_canonicalize option that would cause errors
on non-SASL enabled systems
* ensure that the file descriptors in the NSS and PAM modules for connecting
to nslcd are closed on exec of the process
* allow attribute options in attribute mapping expressions
* show reconnect messages when failing over to a different LDAP server or
re-establishing the connection to an LDAP server (the message accidentally
got hidden in 0.7.4)
* fix a problem with the pw_class attribute in FreeBSD (fixes 0.8.11)
* more fixes and improvements for Solaris (running under nscd may still give
problems though)
* small improvement to PAM error logging
* provide a pynslcd manual if pynslcd is built
changes from 0.8.10 to 0.8.11
-----------------------------
* add a pam_password_prohibit_message nslcd.conf option to deny password
change (thanks to Ted Cheng)
* add a sasl_canonicalize option to allow disabling of hostname
canonicalisation in OpenLDAP
* have the nslcd daemon load the nslcd user's supplementary groups to have
more flexibility with assigning group permissions
* fix logic error when falling back to getting ranged attribute values for
possibly binary attributes (thanks scan-build)
* fix a problem when storing negative hit to dn2uid cache (thanks scan-build)
* use poll() instead of select() for checking file descriptor activity to also
correctly work if more than FD_SETSIZE files are already open
* small portability improvements
* improve support for using Netscape LDAP libraries
* improvements and fixes to the Solaris NSS code
* grow all search filter buffers to 4096 bytes
* some improvements to the pynslcd implementation
* add an LDIF version of the ldapns.schema schema file
changes from 0.8.9 to 0.8.10
----------------------------
* documentation improvements
* fix a problem that causes the PAM module to prompt for a new password
even though the old one was wrong
* log successful password change in nslcd
* install default configuration file with reduced permissions (further
protection for CVE-2009-1073)
changes from 0.8.8 to 0.8.9
---------------------------
* allow the pam_authz_search option to be specified multiple times
* improvements to pynslcd adding support for pam_authz_search
* implement extra range checking of all numeric values
* make documentation up-to-date
* compatibility improvements, especially for FreeBSD
changes from 0.8.7 to 0.8.8
---------------------------
* fix a regression in the handling of PAM requests
* add the ldapns.schema file from pam_ldap to the tarball
changes from 0.8.6 to 0.8.7
---------------------------
* log the first 10 search results in debug mode to make debugging easier
(patch by Matthijs Kooijman)
* provide more detailed logging information for LDAP errors, this should
especially help for TLS related problems (based on a patch by Mel Flynn)
* fix logging of invalid pam_authz_search value
* when doing DNS queries for SRV records recognise default ldap and ldaps
ports
* make whether or not to do case-sensitive filtering configurable (patch by
Matthew L. Dailey)
* document the fact that each thread opens its own connection (patch by
Chris Hiestand)
* some small portability improvements
* try to prevent some of the Broken pipe messages in nslcd
* increase buffer used for pam_authz_search as suggested by Chris J Arges
* pynslcd now handles privileged requests correctly
* pynslcd now supports attribute mapping using the lower() and upper()
functions
changes from 0.8.5 to 0.8.6
---------------------------
* a number of code improvements by Jakub Hrozek
* fixes for FreeBSD (thanks Maxim Vetrov)
* include missing pynslcd files from tarball
* improvements to the pynslcd implementation
* implement an offline cache in pynslcd
* the Debian packaging was split from the main source tree
changes from 0.8.4 to 0.8.5
---------------------------
* support larger gecos values
* reduce loglevel of user not found messages to avoid spamming the logs
with useless information (thanks Wakko Warner)
* other logging improvements
* explicitly parse numbers as base 10 (thanks Jakub Hrozek)
* implement FreeBSD group membership NSS function (thanks Tom Judge)
* fix an issue with detecting the uid of the calling process and log
denied shadow requests in debug mode
* fix a typo in the disconnect logic code (thanks Martin Poole)
* implement configuration file handling in pynslcd and other pynslcd
improvements
* Debian packaging improvements
changes from 0.8.3 to 0.8.4
---------------------------
* switch to using the member attribute by default instead of
uniqueMember (backwards incompatible change)
* only return "x" as a password hash when the object has the shadowAccount
objectClass and nsswitch.conf is configured to do shadow lookups using
LDAP (this avoids some problems with pam_unix)
* fix problem with partial attribute name matches in DN (thanks Timothy
White)
* fix a problem with objectSid mappings with recent versions of OpenLDAP
(patch by Wesley Mason)
* set the socket timeout in a connection callback to avoid timeout
issues during the SSL handshake (patch by Stefan Völkel)
* check for unknown variables in pam_authz_search
* only check password expiration when authenticating, only check account
expiration when doing authorisation
* make buffer sizes consistent and grow all buffers holding string
representations of numbers to be able to hold 64-bit numbers
* update AX_PTHREAD from autoconf-archive
* support querying DNS SRV records from a different domain than the current
one (based on a patch by James M. Leddy)
* fix a problem with uninitialised memory while parsing the tls_ciphers
option
* implement bounds checking of numeric values read from LDAP (patch by
Jakub Hrozek)
* correctly support large uid and gid values from LDAP (patch by Jakub
Hrozek)
* improvements to the configure script (patch by Jakub Hrozek)
* Debian packaging improvements
changes from 0.8.2 to 0.8.3
---------------------------
* support using the objectSid attribute to provide numeric user and group
ids, based on a patch by Wesley Mason
* check shadow account and password expiry properties (similarly to what
pam_unix does) in the PAM handling code
* implement attribute mapping functionality in pynslcd
* relax default for validnames option to allow user names of only two
characters
* make user and group name validation errors a little more informative
* small portability improvements
* general code improvements and refactoring in pynslcd
* some simplifications in the protocol between the PAM module and nslcd
(without actual protocol changes so far)
* Debian packaging improvements
changes from 0.8.1 to 0.8.2
---------------------------
* fix problem with endless loop on incorrect password
* fix a communication problem between nslcd and the NSS and PAM modules when
running on Solaris 10
* fix a compilation issue on systems without HOST_NAME_MAX
* link to the resolv library for hstrerror() on platforms that need it
* ignore password change requests for users not in LDAP
* many clean-ups to the tests and added some new tests including some
integration tests for the PAM functionality
* some smaller code clean-ups and improvements
* improvements to pynslcd, including implementations for service, protocol and
rpc lookups
* implement a validnames option that can be used to filter valid user and
group names using a regular expression
* improvements to the way nslcd shuts down with hanging worker threads
changes from 0.8.0 to 0.8.1
---------------------------
* SECURITY FIX: the PAM module would allow authentication for users that do not
exist in LDAP, which allows login to local users with an incorrect password
(CVE-2011-0438); the exploitability of the problem depends on the details of
the PAM stack and the use of the minimum_uid PAM option
* include a file that was missing for Solaris support
* add FreeBSD support, partially imported from the FreeBSD port (thanks to
Jacques Vidrine, Artem Kazakov and Alexander V. Chernikov)
* document how to replace the pam_check_service_attr and pam_check_host_attr
options in PADL's pam_ldap with pam_authz_search in nss-pam-ldapd
* implement a fqdn variable that can be used in pam_authz_search filters
* create the directory to hold the socket and pidfile on startup
* implement host, network and netgroup support in pynslcd
changes from 0.7.13 to 0.8.0
----------------------------
* include Solaris support developed by Ted C. Cheng of Symas Corporation
* include an experimental partial implementation of nslcd in Python (disabled
by default, see --enable-pynslcd configure option)
* implement a nss_min_uid option to filter user entries returned by LDAP
* implement a rootpwmodpw option that allows the root user to change a user's
password without a password prompt
* try to update the shadowLastChange attribute on password change
* all log messages now include a description of the request to more easily
track problems when not running in debug mode
* allow attribute mapping expressions for the userPassword attribute for
passwd, group and shadow entries and by default map it to the unmatchable
password ("*") to avoid accidentally leaking password information
* numerous compatibility improvements
* add --with-pam-seclib-dir and --with-pam-ldap-soname configure options to
allow more control of how to install the PAM module
* add --with-nss-flavour and --with-nss-maps configure options to support
other C libraries and limit which NSS modules to install
* allow tilde (~) in user and group names
* improvements to the timeout mechanism (connections are now actively timed
out using the idle_timelimit option)
* set socket timeouts on the LDAP connection to disconnect regardless of LDAP
and possibly TLS handling of connection
* better disconnect/reconnect handling of error conditions
* some code improvements and cleanups and several smaller bug fixes
* all internal string comparisons are now also case sensitive (e.g. for
providing DN to username lookups, etc)
* signal handling in the daemon was changed to behave more reliably across
different threading implementations
* nslcd will now always return a positive authorisation result during
authentication to avoid confusing the PAM module when it is only used for
authorisation
* Debian packaging improvement: implement configuring SASL authentication
using Debconf, based on a patch by Daniel Dehennin
changes from 0.7.12 to 0.7.13
-----------------------------
* fix handling of idle_timelimit option
* fix error code for problem while doing password modification
changes from 0.7.11 to 0.7.12
-----------------------------
* set a short socket timeout when shutting down the connection to the LDAP
server to avoid disconnect problems when using TLS
changes from 0.7.10 to 0.7.11
-----------------------------
* grow the buffer for the PAM ruser to not reject logins for users with
a ruser including a domain part
* Debian packaging improvements
changes from 0.7.9 to 0.7.10
----------------------------
* handle errors from ldap_result() better and disconnect (and reconnect)
in more cases
changes from 0.7.8 to 0.7.9
---------------------------
* fix for --with-nss-ldap-soname configure option by Julien Cristau
* Debian packaging improvements
changes from 0.7.7 to 0.7.8
---------------------------
* minor portability improvements and clean-ups (thanks Alexander V.
Chernikov and Ted C. Cheng)
* don't expand variables in rest of ${var:-rest} and ${var:+rest}
expressions if it is not needed
* Debian packaging improvements
changes from 0.7.6 to 0.7.7
---------------------------
* refactoring and simplification of PAM module which also improves logging
* implement a nullok PAM option and disable empty passwords by default
* portability improvements and other minor code improvements
* the mechanism to disable name lookups through LDAP from within the nslcd
process has been improved
* the undocumented use_sasl option has been removed (specifying sasl_mech now
implies use_sasl)
* the sasl_mech, sasl_realm, sasl_authcid, sasl_authzid and sasl_secprops
configuration options are now documented
* Debian packaging improvements
changes from 0.7.5 to 0.7.6
---------------------------
* fix a problem with empty attributes if expression-based attribute
mapping is used (patch by Nalin Dahyabhai)
* make debug logging for pam_authz_search option a little more informative
* documentation improvements
* Debian packaging improvements
changes from 0.7.4 to 0.7.5
---------------------------
* fix a problem in the session handling of the PAM module if the minimum_uid
option was used
* refactor the PAM module code to be simpler and more maintainable
* perform logging from PAM module to syslog and support the debug option to
log more information
changes from 0.7.3 to 0.7.4
---------------------------
* fix a buffer overflow that should have no security consequences
* perform proper fail-over when authenticating in the PAM module
* add an nss_initgroups_ignoreusers option to ignore user name to group
lookups for the specified users
* add a pam_authz_search option to perform a flexible authorisation check on
login (e.g. to restrict which users can login to which hosts, etc)
* implement a minimum_uid option for the PAM module to ignore users that have
a lower numeric user id
* change the way retries are done to error out quicker if the LDAP server is
down for some time (this should make the system more responsive when the
LDAP server is unavailable) and rename the reconnect_maxsleeptime option to
reconnect_retrytime to better describe the behaviour
* only log "connected to LDAP server" if the previous connection failed
* documentation improvements
changes from 0.7.2 to 0.7.3
---------------------------
* allow password modification by root using the rootpwmoddn configuration file
option (the user will be prompted for the password for rootpwmoddn instead
of the user's password)
* the LDAP password modify EXOP is first tried without the old password and if
that fails retried with the old password
* when determining the domain name (used for some value of the base and uri
options) also try to use the hostname aliases to build the domain name
(patch by Jan Schampera)
* perform locking on the pidfile on start-up to ensure that only one nslcd
process is running and implement a --check option (patch by Jan Schampera)
* documentation improvements
changes from 0.7.1 to 0.7.2
---------------------------
* some attributes may be mapped to a shell-like expression that expand
attributes from LDAP entries; this allows attributes overrides, defaults and
much more (as a result the passwd cn attribute mapping has been removed
because the gecos mapping is now "${gecos:-$cn}" by default)
* update the NSS module to follow the change in Glibc where the addr
parameter of getnetbyaddr_r() was changed from network-byte-order to
host-byte-order
* properly escape searches for uniqueMember attributes for DN with a comma in
an attribute value
* miscellaneous improvements to the configure script implementing better (and
simpler) library detection
* some general refactoring and other miscellaneous improvements
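The attribute mapping expressions that the 0.9.0 entry (trimming with ${foo#bar}), the 0.8.7 entry (lower() and upper() in pynslcd), the 0.7.8 entry (the rest of ${var:-rest} and ${var:+rest} is only expanded when needed) and the 0.7.2 entry above (the "${gecos:-$cn}" default) describe can be worked through with a small expander. The following Python is an added example written for this page, not code from nss-pam-ldapd or pynslcd: shell-like semantics are assumed where the entries do not spell them out (the first attribute value is used, ${attr#pattern} strips the shortest glob-matching prefix via fnmatch), and the sample entry and mapping table are constructed.

```python
"""Expander for nslcd-style attribute mapping expressions (added example).

Forms implemented, with shell-like semantics assumed:
  $attr, ${attr}      first value of the attribute, empty string if absent
  ${attr:-default}    default when attr is empty (default expanded lazily)
  ${attr:+alt}        alt when attr is non-empty (alt expanded lazily)
  ${attr#pattern}     strip the shortest prefix matching a shell glob
  lower(expr), upper(expr)
"""
import fnmatch
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_FUNC = re.compile(r"(?<![A-Za-z0-9_])(lower|upper)\(")


class ExpressionError(ValueError):
    """Malformed mapping expression."""


def _lookup(entry: Entry, name: str) -> str:
    values = entry.get(name) or []  # LDAP attributes are multi-valued
    return values[0] if values else ""


def _skip_braced(expr: str, pos: int) -> int:
    """Index of the '}' closing the group at pos, without expanding anything."""
    depth = 0
    while pos < len(expr):
        if expr[pos] == "{":
            depth += 1
        elif expr[pos] == "}":
            if depth == 0:
                return pos
            depth -= 1
        pos += 1
    raise ExpressionError("unterminated '${' in expression")


def _strip_prefix(value: str, pattern: str) -> str:
    """Shortest-match prefix removal, like the shell's ${var#pattern}."""
    for k in range(len(value) + 1):
        if fnmatch.fnmatchcase(value[:k], pattern):
            return value[k:]
    return value


def _expand(expr: str, entry: Entry, pos: int, stop: str) -> Tuple[str, int]:
    """Expand from pos until an unbalanced stop character; return (text, index)."""
    out = []
    while pos < len(expr):
        ch = expr[pos]
        if ch in stop:
            break
        if ch == "$":
            text, pos = _expand_variable(expr, entry, pos + 1)
            out.append(text)
            continue
        func = _FUNC.match(expr, pos)
        if func:  # lower(...) / upper(...) applied to the expanded argument
            inner, pos = _expand(expr, entry, func.end(), ")")
            if not expr.startswith(")", pos):
                raise ExpressionError("missing ')' in expression")
            out.append(inner.lower() if func.group(1) == "lower" else inner.upper())
            pos += 1
            continue
        out.append(ch)
        pos += 1
    return "".join(out), pos


def _expand_variable(expr: str, entry: Entry, pos: int) -> Tuple[str, int]:
    """Handle the text following '$' (pos is the index just after it)."""
    if not expr.startswith("{", pos):
        m = _NAME.match(expr, pos)
        if not m:
            raise ExpressionError("expected attribute name after '$'")
        return _lookup(entry, m.group(0)), m.end()
    m = _NAME.match(expr, pos + 1)
    if not m:
        raise ExpressionError("expected attribute name after '${'")
    value, pos = _lookup(entry, m.group(0)), m.end()
    if expr.startswith("}", pos):
        return value, pos + 1
    if expr.startswith(":-", pos):
        if value:  # default not needed: skip it instead of expanding it
            return value, _skip_braced(expr, pos + 2) + 1
        result, end = _expand(expr, entry, pos + 2, "}")
    elif expr.startswith(":+", pos):
        if not value:
            return "", _skip_braced(expr, pos + 2) + 1
        result, end = _expand(expr, entry, pos + 2, "}")
    elif expr.startswith("#", pos):
        pattern, end = _expand(expr, entry, pos + 1, "}")
        result = _strip_prefix(value, pattern)
    else:
        raise ExpressionError("unsupported operator after '${%s'" % m.group(0))
    if not expr.startswith("}", end):
        raise ExpressionError("unterminated '${' in expression")
    return result, end + 1


def expand(expr: str, entry: Entry) -> str:
    """Expand a whole mapping expression against one LDAP entry."""
    return _expand(expr, entry, 0, "")[0]


# Constructed sample entry and mapping table (not real directory data).
SAMPLE_ENTRY: Entry = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "mail": ["John.Doe@example.org"],
    "userPassword": ["{SSHA}placeholder-hash"],
}
MAPPINGS = {
    "gecos": "${gecos:-$cn}",  # the default gecos mapping named in the 0.7.2 entry
    "homeDirectory": "/home/${uid}",
    "loginShell": "${loginShell:-/bin/sh}",
    "mailDomain": "lower(${mail#*@})",  # prefix trimming plus lower()
    "userPassword": "*",  # unmatchable hash, so no password material is returned
}


def map_entry(entry: Entry, mappings: Dict[str, str] = MAPPINGS) -> Dict[str, str]:
    """Apply every mapping expression to one entry."""
    return {attr: expand(expr, entry) for attr, expr in mappings.items()}


if __name__ == "__main__":
    for attr, value in map_entry(SAMPLE_ENTRY).items():
        print("%-14s %s" % (attr, value))
```

The literal "*" mapping for userPassword mirrors the default described in the 0.8.0 entry: a mapping that never consults the entry cannot leak a hash, whichever attribute the server returns. The lazy branches matter for the same reason as in a shell: "${uid:-$}" with uid present returns "jdoe" without ever parsing the malformed default, while the same expression on an entry without uid raises ExpressionError.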
changes from 0.7.0 to 0.7.1
---------------------------
* implement password changing by performing an LDAP password modify EXOP
request
* fix return of authorisation check in PAM module (patch by Howard Chu)
* fix for problem when authenticating to LDAP entries without a uid attribute
in the DN
* general code clean-up and portability improvements
* provide more information with communication error messages
changes from 0.6.11 to 0.7.0
----------------------------
* rename software to nss-pam-ldapd to indicate that PAM module is now a
standard part of the software
* the PAM module is now built by default (the configure script can be
instructed whether or not to build certain parts)
* the default configuration file name has been changed to /etc/nslcd.conf
* the default values for bind_timelimit and reconnect_maxsleeptime were
lowered from 30 to 10 seconds
* password hashes are no longer returned to non-root users (based on a patch
by Alexander V. Chernikov)
* a pam_ldap(8) manual page was added
* unknown options in the configuration file can now be ignored with a new
--disable-configfile-checking configure option
changes from 0.6.10 to 0.6.11
-----------------------------
* fix user name to groups mapping (a bug in buffer checking in initgroups()
that was introduced in 0.6.9)
* fix a possible buffer overflow with too many uidNumber or gidNumber
attributes (thanks to David Binderman for finding this)
* lookups for group, netgroup, passwd, protocols, rpc, services and shadow
maps are now case-sensitive
* test suite is now minimally documented
* added --disable-sasl and --disable-kerberos configure options
* changed references to home page and contact email addresses to use
arthurdejong.org
* Debian packaging improvements
changes from 0.6.9 to 0.6.10
----------------------------
* implement searching through multiple search bases, based on a patch by Leigh
Wedding
* fix a segmentation fault that could occur when using any of the tls_*
options with a string parameter
* miscellaneous improvements to the experimental PAM module
* implement PAM authentication function in the nslcd daemon
* the code for reading and writing protocol entries between the NSS module and
the daemon was improved
* documentation updates
* removed SSL/TLS related warnings during startup
* Debian packaging improvements
changes from 0.6.8 to 0.6.9
---------------------------
* produce more detailed logging in debug mode and allow multiple -d options to
be specified to also include logging from the LDAP library
* some LDAP configuration options are now initialized globally instead of per
connection which should fix problems with the tls_reqcert option
* documentation improvements for the NSLCD protocol used between the NSS
module and the nslcd server
* imported the new PAM module from the OpenLDAP nssov tree by Howard Chu (note
that the PAM-related NSLCD protocol is not yet finalised and this module is
not built by default)
* in configure script allow disabling of building certain components
* fix a bug with writing alternate service names and add checks for
validity of passed buffer in NSS module
* Debian packaging improvements
changes from 0.6.7 to 0.6.8
---------------------------
* SECURITY FIX: the nss-ldapd.conf file that is installed by the Debian
package was created world-readable which could cause problems
if the bindpw option is used (CVE-2009-1073);
this has been fixed in the Debian package but other users
should check the permissions of the nss-ldapd.conf file when
the bindpw option is used (warnings have been added to the
manual page and sample nss-ldapd.conf)
* clean the environment and set LDAPNOINIT to disable parsing of LDAP
configuration files (.ldaprc, /etc/ldap/ldap.conf, etc)
* remove sslpath option because it wasn't used
* correctly set SSL/TLS options when using StartTLS
* rename the tls_checkpeer option to tls_reqcert, deprecating the old name and
supporting all values that OpenLDAP supports
* allow backslashes in user and group names except as first or last character
* check user and group names against LOGIN_NAME_MAX if it is defined
* fix for getpeercred() on Solaris by David Bartley
* Debian packaging improvements
changes from 0.6.6 to 0.6.7
---------------------------
* a fix for a problem in the Debian packaging that would cause user-configured
options to be ignored
changes from 0.6.5 to 0.6.6
---------------------------
* Debian packaging improvements
* allow spaces in user and group names because it was causing problems in
some environments
* if ldap_set_option() fails log the option name instead of number
* retry connecting to LDAP server in more cases
changes from 0.6.4 to 0.6.5
---------------------------
* Debian package configuration translation updates
changes from 0.6.3 to 0.6.4
---------------------------
* fix for the tls_checkpeer option
* fix incorrect test for ssl option in combination with ldaps:// URIs
* improvements to Active Directory sample configuration
* implement looking up search base in rootDSE of LDAP server
changes from 0.6.2 to 0.6.3
---------------------------
* retry connection and search if getting results failed with connection
problems (some errors only occur when getting the results, not when starting
the search)
* add support for groups with up to around 150000 members (assuming user names
on average are a little under 10 characters)
* a possible SIGPIPE race condition was fixed by using send() instead of
  write()
* add uid and gid configuration keywords that set the user and group of the
nslcd daemon
* add some documentation on supported group to member mappings
* add sanity checking to code for when clock moves backward
* log messages now include a session id that makes it easier to track errors
to requests (especially useful in debugging mode)
* miscellaneous portability improvements
* increase buffers and time-outs to handle large lookups more gracefully
* implement SASL authentication based on a patch by Dan White
* allow more characters in user and group names
changes from 0.6.1 to 0.6.2
---------------------------
* all user and group names are now checked for validity as specified in the
  POSIX Portable Filename Character Set
* support retrieval of ranged attribute values as sometimes returned by Active
Directory
* added the threads keyword to configure the number of threads that should be
started in nslcd
* handle empty netgroups properly
* change the time-out and retry mechanism for connecting to the LDAP server to
return an error quickly if the LDAP server is known to be unavailable for a
  long time (this removes the reconnect_tries option and changes the meaning
  of the reconnect_sleeptime and reconnect_maxsleeptime options)
* increased the time-out values between the NSS module and nslcd because of
new retry mechanism
* implement new dict and set modules that use a hashtable to map keys
efficiently
* use the new set to store group membership to simplify memory management and
eliminate duplicate members
* the uniqueMember attribute now only supports DN values
* implement a cache for DN to user name lookups (15 minute timeout) used for
the uniqueMember attribute to save on doing LDAP searches for groups with a
lot of members, based on a patch by Petter Reinholdtsen
* improvements to the tests
* if any of the ldap calls return LDAP_UNAVAILABLE or LDAP_SERVER_DOWN the
connection is closed
* improve dependencies in LSB init script header to improve dependency based
booting
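The name validation rules described across the 0.6.2 (POSIX Portable Filename Character Set), 0.6.6 (spaces allowed), 0.6.8 (backslashes allowed except as first or last character, length checked against LOGIN_NAME_MAX) entries, combined into one validator as an added example; this is illustrative code, not the validation routine in nslcd. The rule that a space, like a backslash, may only appear in interior positions is an assumption of the example, as is the fallback value of 256 used when the platform does not define LOGIN_NAME_MAX.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed fallback for this example; the release notes only apply the length
   check when the platform defines LOGIN_NAME_MAX. */
#ifndef LOGIN_NAME_MAX
#define LOGIN_NAME_MAX 256
#endif

/* POSIX Portable Filename Character Set: A-Z a-z 0-9 . _ - */
static bool is_portable_char(char c)
{
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
         (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Return true if name is acceptable as a user or group name:
   - non-empty and shorter than LOGIN_NAME_MAX (which counts the NUL)
   - every character is in the portable set, or
   - a space or backslash that is neither the first nor the last character
   Anything else (shell metacharacters, control characters, non-ASCII bytes
   and LDAP filter syntax such as '*' or '(') is rejected. */
bool valid_name(const char *name)
{
  size_t len, i;
  if (name == NULL)
    return false;
  len = strlen(name);
  if (len == 0 || len >= LOGIN_NAME_MAX)
    return false;
  for (i = 0; i < len; i++) {
    char c = name[i];
    if (is_portable_char(c))
      continue;
    if ((c == ' ' || c == '\\') && i > 0 && i < len - 1)
      continue;
    return false;
  }
  return true;
}

/* Helper for exercising the length limit: build a name of n copies of c
   (n is capped at 1024) and validate it. */
bool repeated_name_is_valid(char c, size_t n)
{
  static char buf[1025];
  if (n > 1024)
    n = 1024;
  memset(buf, c, n);
  buf[n] = '\0';
  return valid_name(buf);
}
```

Rejecting names up front, before they are inserted into an LDAP search filter, is what makes the rest of the lookup path simpler: the filter never has to escape metacharacters in the name because none are accepted.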
changes from 0.6 to 0.6.1
-------------------------
* numerous small fixes and compatibility improvements
* the I/O buffers between nslcd and NSS module are now dynamically sized and
tuned for common requests
* correctly follow referrals
* add StartTLS support by Ralf Haferkamp of SuSE
* miscellaneous documentation improvements
* remove code for handling rootbinddn/pw because it is unlikely to be
supported any time soon
* fix a problem with realloc()ed memory that was not referenced
* fix for a crash in group membership buffer growing code thanks to Petter
Reinholdtsen
* some improvements to the Active Directory sample configuration
* fix init script exit code with stop while not running
* fixes to the _nss_ldap_initgroups_dyn() function to properly handle the
buffer and limits passed by Glibc
* fixes to the member to groups search functions to correctly handle
uniqueMember attributes
* only return shadow entries to root users
* miscellaneous Debian packaging improvements
changes from 0.5 to 0.6
-----------------------
* fix parsing of map option in nss-ldapd.conf
* fix bug in handling of userPassword values
* remove warning about missing loginShell attribute
* support the uniqueMember LDAP attribute that holds DN values
* support ldap as a compat service in /etc/nsswitch.conf
* implement _nss_ldap_initgroups_dyn() to allow username->groups searches
* fix retry mechanism with get*ent() functions where a too small buffer was
passed by libc (to support groups with a lot of members)
* fix a bug in reporting of communications problems between nslcd and the NSS
library
* test and log failures of all LDAP library calls
* improved tests
* miscellaneous compatibility improvements to try to support more LDAP
libraries and platforms
* support compilation with OpenLDAP 2.4 and newer
* some configure script improvements
* Debian packaging improvements
changes from 0.4.1 to 0.5
-------------------------
* major structural changes in the LDAP lookup code using a newly implemented
module that does memory management, session handling, paging and all other
painful things with a simple interface
* rewritten LDAP query and result handling code, now generating warnings
about incorrect entries in the LDAP directory
* IPv6 addresses in host lookups are now supported
* added Kerberos ccname support (with the krb5_ccname option) thanks to
Andreas Schneider and Ralf Haferkamp from SuSE and remove --with-gssapi-dir,
--enable-configurable-krb5-ccname-gssapi and
--enable-configurable-krb5-ccname-env configure options and having automatic
detection instead
* added support for DNS SRV record lookups by specifying DNS as uri thanks to
Ralf Haferkamp and Michael Calmer from SuSE
* added support for DOMAIN as base DN which uses the host's domain to
construct a DN
* removed nss_connect_policy, bind_policy and sizelimit options
* cleaned up and documented reconnect logic with reconnect_tries,
reconnect_sleeptime and reconnect_maxsleeptime options
* configuration values with spaces in them (e.g. distinguished names) are now
handled properly
* fix a small memory leak in the I/O module
* miscellaneous code improvements (better source code comments, more
consistent logging, portability improvements, more tests, etc)
* improvements to documentation
changes from 0.4 to 0.4.1
-------------------------
* added French debconf translation by Cyril Brulebois
* added Japanese debconf translation by Kenshi Muto
* fix a problem with network name lookups where the lookup would result
in the wrong call to nslcd
* fix wrong default filter for rpc lookups
* fix a number of memory leaks (thanks valgrind)
(all memory leaks during normal operation should be fixed now)
changes from 0.3 to 0.4
-----------------------
* remove nss_schema configfile option
* temporarily remove support for uniqueMember group membership attributes
  (will be re-added in a later release)
* removed support for nested groups, if this is really needed (please ask or
file a bug if you want it) it can be re-added later on
* added missing docbook sources for manual pages to tarball
* major cleanups and simplifications in the core LDAP query code (we don't
  need to worry about SIGPIPE because nslcd handles that globally, nor about
  locking because a connection is only used by one thread) and more
  simplifications in the LDAP connection and query state
* get base, scope, filter and map configfile directives properly working
* simplifications in LDAP reconnect logic (some work remains to be done in
this area)
* issue warnings or errors for untested or unsupported configuration options
* properly handle multiple URIs in Debian configuration
* documentation improvements
changes from 0.2.1 to 0.3
-------------------------
* a bug in the communication buffer handling code was fixed
* a bug in the dictionary code was fixed (code not yet in use)
* a fix for the init script that used a wrong pidfile
* configuration file handling code was rewritten to be better maintainable
* some configuration file options have changed which means that compatibility
with the nss_ldap configuration file is lost
* configuration syntax is now documented in the nss-ldapd.conf(5) manual page
* support for dnsconfig was removed
* the configuration file no longer supports using multiple search bases
* removed nss_initgroups and nss_initgroups_ignoreusers options
* removed --enable-paged-results configure option and use pagesize
configuration file option to specify usage of paging at runtime
* added Portuguese debconf translation by Américo Monteiro
* Debian package configuration improvements and simplifications
* use docbook2x-man for generating manual pages
* miscellaneous documentation improvements including improved manual pages
* general code reorganisation and clean-ups to achieve another 9% code
reduction relative to 0.2.1 release (more than 40% relative to nss_ldap)
* SASL, Kerberos and SSL/TLS support remain untested
changes from 0.2 to 0.2.1
-------------------------
* fix permissions of server socket (this fixes a problem where non-root users
were unable to do lookups)
* fix configure script to properly check for pthread support
* small code improvements
* general build system cleanups
changes from 0.1 to 0.2
-----------------------
* fixes to the netgroup lookup code
* more simplifications and improvements in the code: almost 5% code reduction
  (compared to release 0.1) and 37% reduction in gcc warnings (from 443 in 251
  to 389 in 0.1 and 244 in 0.2)
* a lot of code improvements thanks to flawfinder, more gcc warnings, splint
and rats
* license change from GNU Library General Public License to GNU Lesser General
Public License (with the permission of Luke Howard)
* fix logging code to be cleaner and always use our own logging module
* a start has been made to make the code more testable and initial work to set
up a testing framework has been done
* implemented a timeout mechanism in the communication between the NSS part
and the nslcd server part
changes from nss_ldap 251 to nss-ldapd 0.1
------------------------------------------
* initial release of nss-ldapd (should be functional but not yet stable enough
for production use)
* fork from nss_ldap, which was originally written by Luke Howard of PADL
  Software Pty Ltd, changing the package name to nss-ldapd and the versioning
  scheme
* the functionality was split into a thin NSS library and a simple daemon
proxying the requests to the LDAP server (see README for rationale)
* a lot of dead and old compatibility code was removed (about 25% of the code
was removed) (more simplifications to come)
* the test code was rewritten
* build script simplifications
* default configuration file has been changed to /etc/nss-ldapd.conf
* most documentation has been updated and rewritten
* dropped support for non-glibc NSS interfaces and assumed OpenLDAP compatible
library
changes from 250 to 251
-----------------------
* remove doc/rfc2307.txt, it is available from
http://www.ietf.org/rfc/rfc2307.txt
* make objectClass a mappable attribute
changes from 249 to 250
-----------------------
* don't use static _nss_ldap_no_members buffer, causes crash when nss_ldap is
unloaded and memory is still referenced
* fix for BUG#249: tcsh closes file descriptors, confuses nss_ldap and hangs
(from David Houlder)
* fix for BUG#257: initgroups() broken in RFC2307bis support disabled
* fix for BUG#261: sslpath example wrong
* fix for BUG#263: compile do_triple_permutations() when IRS enabled
changes from 248 to 249
-----------------------
* fix for BUG#253: build broken on AIX
* fix for BUG#255: deadlock in initgroups
changes from 247 to 248
-----------------------
* fix regression in per-objectclass attribute mapping introduced in
nss_ldap-246
changes from 246 to 247
-----------------------
* double-check *ld != NULL even if mapped error return from ldap_initialize()
  returns NSS_SUCCESS
changes from 245 to 246
-----------------------
* paged results and RFC2307bis support are now always compiled in; they are by
default disabled unless you configured with --enable-paged-results and
--enable-rfc2307bis, respectively. See nss_ldap(5) for configuration
options.
* fix for BUG#219: paged results delivers wrong results
* fix for BUG#222: use asynchronous start TLS if available, using bind_timeout
value
* fix for BUG#235: make DNS SRV lookup domain configurable (nss_srv_domain)
* fix for BUG#240: return "*" rather than "x" for userPassword if not present
* fix for BUG#245: paged results broken since nss_ldap-241
* patch from Ralf Haferkamp <[email protected]>: compile fix for IPv6
* compile for Solaris
* schema mapping is always enabled, cleanup schema mapping code
* allow for map-specific objectclass mapping
* partial implementation of Solaris Simplified LDAP API, allows automountd
support on Solaris via nss_ldap
* for Linux automounter, always close connection after endautomntent() to
avoid persistent connection
* add nss_connect_policy argument to ldap.conf
changes from 244 to 245
-----------------------
* don't leak LDAP connection if do_bind() failed or descriptor owner had
changed. If do_bind() failed the underlying descriptor would also be leaked,
causing a large number of sockets to be consumed during failover
* add nss_initgroups_ignoreusers parameter to ldap.conf, returns NOTFOUND if
  nss_ldap's initgroups() is called for any of the listed users (comma
  separated)
* try to deal with systems that have headers for both versions of the SASL
library installed
* better logging of failed connections and reconnections
* patch from Dean Michaels <[email protected]>: build with Netscape 5
library on Solaris
* patch from Ralf Haferkamp <[email protected]>: manual page fix to bind_policy
changes from 243 to 244
-----------------------
* patch from Ralf Haferkamp <[email protected]>: ensure bytesleft macro does not
  return values < 0
* include <sys/param.h> in ldap-nss.c