December 15th, 2012· This update for the 0.7 series fixes two issues related to file descriptor handling.
November 19th, 2012· This version fixes a problem on FreeBSD, fixes a problem with the sasl_canonicalize option, and has improvements for Solaris.
· A few other smaller improvements have been made.
October 15th, 2012· This version fixes a few bugs, introduces the pam_password_prohibit_message and sasl_canonicalize options, loads the nslcd user's supplementary groups, and runs correctly in processes that have a high number of file descriptors open.
June 30th, 2012· This version marks the 0.8 series as stable and includes a number of documentation improvements, a bugfix, and a few other smaller changes.
April 28th, 2012· This is a quick update to fix a regression in the handling of PAM requests in the 0.8.7 release.
April 23rd, 2012· log the first 10 search results in debug mode to make debugging easier (patch by Matthijs Kooijman)
· provide more detailed logging information for LDAP errors; this should especially help with TLS-related problems (based on a patch by Mel Flynn)
· fix logging of invalid pam_authz_search value
· when doing DNS queries for SRV records recognise default ldap and ldaps ports
· make whether or not to do case-sensitive filtering configurable (patch by Matthew L. Dailey)
· document the fact that each thread opens its own connection (patch by Chris Hiestand)
· some small portability improvements
· try to prevent some of the Broken pipe messages in nslcd
· increase buffer used for pam_authz_search as suggested by Chris J Arges
· pynslcd now handles privileged requests correctly
· pynslcd now supports attribute mapping using the lower() and upper() functions
January 31st, 2012· This version includes a number of code improvements and some work being done on pynslcd, the Python implementation of nslcd, including an initial offline cache implementation.
January 1st, 2012· This version adds support for larger gecos values, improves logging, and handles numeric values from LDAP more carefully.
· It integrates FreeBSD improvements and fixes a few bugs.
· It brings the completion of pynslcd, the Python implementation of nslcd, closer.
· It should now be usable in test environments.
May 16th, 2011· support using the objectSid attribute to provide numeric user and group ids, based on a patch by Wesley Mason
· check shadow account and password expiry properties (similarly to what pam_unix does) in the PAM handling code
· implement attribute mapping functionality in pynslcd
· relax default for validnames option to allow user names of only two characters
· make user and group name validation errors a little more informative
· small portability improvements
· general code improvements and refactoring in pynslcd
· some simplifications in the protocol between the PAM module and nslcd (without actual protocol changes so far)
· Debian packaging improvements
March 28th, 2011· fix problem with endless loop on incorrect password
· fix a communication problem between nslcd and the NSS and PAM modules when running on Solaris 10
· fix a compilation issue on systems without HOST_NAME_MAX
· link to the resolv library for hstrerror() on platforms that need it
· ignore password change requests for users not in LDAP
· many clean-ups to the tests and added some new tests including some integration tests for the PAM functionality
· some smaller code clean-ups and improvements
· improvements to pynslcd, including implementations for service, protocol and rpc lookups
· implement a validnames option that can be used to filter valid user and group names using a regular expression
· improvements to the way nslcd shuts down with hanging worker threads
March 11th, 2011· This version fixes a serious security vulnerability that allows authentication with an incorrect password for local user accounts (CVE-2011-0438).
· This development release also includes a file that was missing for Solaris support, includes FreeBSD support that was partially taken from the FreeBSD port, and more work on the Python implementation of nslcd.
January 2nd, 2011· include Solaris support developed by Ted C. Cheng of Symas Corporation
· include an experimental partial implementation of nslcd in Python (disabled by default, see --enable-pynslcd configure option)
· implement a nss_min_uid option to filter user entries returned by LDAP
· implement a rootpwmodpw option that allows the root user to change a user's password without a password prompt
· try to update the shadowLastChange attribute on password change
· all log messages now include a description of the request to more easily track problems when not running in debug mode
· allow attribute mapping expressions for the userPassword attribute for passwd, group and shadow entries and by default map it to the unmatchable password ("*") to avoid accidentally leaking password information
· numerous compatibility improvements
· add --with-pam-seclib-dir and --with-pam-ldap-soname configure options to allow more control of how to install the PAM module
· add --with-nss-flavour and --with-nss-maps configure options to support other C libraries and limit which NSS modules to install
· allow tilde (~) in user and group names
· improvements to the timeout mechanism (connections are now actively timed out using the idle_timelimit option)
· set socket timeouts on the LDAP connection to disconnect regardless of LDAP and possibly TLS handling of connection
· better disconnect/reconnect handling of error conditions
· some code improvements and cleanups and several smaller bug fixes
· all internal string comparisons are now also case sensitive (e.g. for providing DN to username lookups, etc)
· signal handling in the daemon was changed to behave more reliably across different threading implementations
· nslcd will now always return a positive authorisation result during authentication to avoid confusing the PAM module when it is only used for authorisation
· Debian packaging improvement: implement configuring SASL authentication using Debconf, based on a patch by Daniel Dehennin
December 13th, 2010· This version fixes a bug in the idle_timelimit disconnecting logic that would result in never disconnecting.
· The 0.7 series is in maintenance mode and will only receive bugfixes and security support.
· New features are targeted for a 0.8 release.
October 30th, 2010· Set a short socket timeout when shutting down the connection to the LDAP server to avoid disconnect problems when using TLS
October 16th, 2010· This version fixes a bug that prevented logins when a relatively long ruser PAM variable is set (e.g. when including a domain).
September 24th, 2010· This version fixes a bug that prevented fail-over to the second LDAP server in certain circumstances.
August 30th, 2010· fix for --with-nss-ldap-soname configure option by Julien Cristau
· Debian packaging improvements
August 19th, 2010· minor portability improvements and clean-ups (thanks Alexander V. Chernikov and Ted C. Cheng)
· don't expand variables in rest of ${var:-rest} and ${var:+rest} expressions if it is not needed
· Debian packaging improvements
July 4th, 2010· This is an update for the 0.7 series that brings some small improvements. This should be a reasonably stable and well tested release.
A summary of the changes since 0.7.6:
· refactoring and simplification of PAM module which also improves logging
· implement a nullok PAM option and disable empty passwords by default
· portability improvements and other minor code improvements
· the mechanism to disable name lookups through LDAP from within the nslcd process has been improved
· the undocumented use_sasl option has been removed (specifying sasl_mech now implies use_sasl)
· the sasl_mech, sasl_realm, sasl_authcid, sasl_authzid and sasl_secprops configuration options are now documented
· Debian packaging improvements
February 28th, 2010· allow password modification by root using the rootpwmoddn configuration file option (the user will be prompted for the password for rootpwmoddn instead of the user's password)
· the LDAP password modify EXOP is first tried without the old password and if that fails retried with the old password
· when determining the domain name (used for some value of the base and uri options) also try to use the hostname aliases to build the domain name (patch by Jan Schampera)
· perform locking on the pidfile on start-up to ensure that only one nslcd process is running and implement a --check option (patch by Jan Schampera)
· documentation improvements
October 23rd, 2009· implement password changing by performing an LDAP password modify EXOP request
· fix return of authorisation check in PAM module (patch by Howard Chu)
· fix for problem when authenticating to LDAP entries without a uid attribute in the DN
· general code clean-up and portability improvements
· provide more information with communication error messages
· Debian packaging improvements