nss-pam-ldapd Changelog

New in nss-pam-ldapd 0.8.14 (Jan 9, 2015)

  • implement an -n switch to not daemonise (by Caleb Callaway)
  • increase password value buffer size (by Bersl)
  • fix for pwdLastSet attribute value handling (thanks Joshua Shire)
  • fix buffer overflow on interrupted read that is hard to trigger (thanks John Sullivan)
  • fix a possible crash in the NSS module when retrieving large networks entries (thanks Lukas Slebodnik)
  • avoid more broken pipe errors by using a low timeout when aborting reading requested information from nslcd (thanks John Sullivan)
  • only log broken pipe errors in debugging mode
  • ignore SIGUSR1 and SIGUSR2 for future compatibility

New in nss-pam-ldapd 0.9.4 (Jan 9, 2015)

  • also handle password policy information on BIND failure (this makes it possible to distinguish between a wrong password and an expired password)
  • fix mapping the member attribute to an empty string
  • any buffers that may have held passwords are cleared before the memory is released
  • increase buffer size for passwords to support extremely long passwords (thanks ushi)
  • increase buffer size for DN to support very long names or names with non-ASCII characters
  • log an error in almost all places where a defined buffer is not large enough to hold the provided data instead of just (sometimes silently) failing
  • logging improvements (start-up problems, login failures)
  • small improvement for Solaris
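The 0.9.4 note about clearing password buffers before the memory is released refers to a pitfall worth seeing in code: a plain memset() on a buffer that is about to be freed is dead code from the compiler's point of view and is routinely optimised away, so the password stays in the heap. The block below is an added example, not nss-pam-ldapd's own code; secure_clear(), is_zeroed() and handle_password() are names chosen here, and the volatile function-pointer trick is one common portable way to keep the wipe from being elided (explicit_bzero() or memset_s() do the same job where available).

```c
#include <stdlib.h>
#include <string.h>

/* Wipe n bytes at p in a way the optimiser cannot remove: the call goes
   through a volatile function pointer, so the compiler must assume the
   callee has side effects it cannot see. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_clear(void *p, size_t n)
{
  if (p != NULL && n > 0)
    memset_ptr(p, 0, n);
}

/* Return 1 when every byte of the buffer is zero, 0 otherwise. */
int is_zeroed(const unsigned char *p, size_t n)
{
  unsigned char acc = 0;
  for (size_t i = 0; i < n; i++)
    acc |= p[i];
  return acc == 0;
}

/* Hypothetical pattern for a daemon that copies a caller-supplied password
   into its own heap buffer, uses it, and wipes it before free(). Returns the
   length of the password that was handled, to have something to check on. */
size_t handle_password(const char *password)
{
  size_t len = strlen(password);
  char *copy = malloc(len + 1);
  if (copy == NULL)
    return 0;
  memcpy(copy, password, len + 1);

  /* ... the copy would be used for a BIND request here ... */

  /* Clear the whole allocation, not just the used part, then release it. */
  secure_clear(copy, len + 1);
  free(copy);
  return len;
}
```

The wipe must cover the full allocation, including any terminating NUL, and must happen on every exit path; an early return on an error between the copy and the clear is exactly how such buffers end up leaking into later allocations.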

New in nss-pam-ldapd 0.9.2 (Dec 10, 2013)

  • Increase password value buffer size (by Bersl)
  • Avoid more broken pipe errors by using a low timeout when aborting reading requested information from nslcd (thanks John Sullivan)
  • Only log broken pipe errors in debugging mode
  • Fix buffer overflow on interrupted read that is hard to trigger (thanks John Sullivan)
  • Use clock_gettime() with CLOCK_MONOTONIC for timeout calculations to avoid clock adjustment errors (thanks John Sullivan)
  • Extend test suite to test for CLOCK_MONOTONIC and timed IO timeout calculations
  • Increase the maximum number of base statements per map to 31
  • Use larger nslcd send buffers to reduce the number of write operations in nslcd and consequently the number of reads in the NSS and PAM modules (thanks John Sullivan)
  • Also run invalidators after first successful search
  • Various clean-ups, portability improvements and fixes for compiler warnings
  • Import configure checks of Python modules
  • Provide a script for setting up slapd in a test environment, automatically loaded with the required test data
  • Add script for evaluating test environment availability
  • Portability improvements in the test scripts and test environment
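Two of the 0.9.2 items above (the hard-to-trigger buffer overflow on an interrupted read, and the switch to CLOCK_MONOTONIC for timeout calculations) are easiest to understand with a small timed read in front of you. The block below is an added example written for this changelog, not nslcd's own I/O code; deadline_from_timeout(), remaining_ms() and timed_read() are names chosen here. It computes a deadline once on the monotonic clock, so a wall-clock step (NTP correction, manual adjustment) can neither extend nor shorten the wait, and it keeps an explicit byte count across EINTR and short reads so that a retry can never write past the end of the caller's buffer.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Turn a relative timeout into an absolute deadline on the same clock
   as `now`. Callers pass a CLOCK_MONOTONIC reading so that wall-clock
   adjustments cannot disturb the result. */
struct timespec deadline_from_timeout(struct timespec now, long timeout_ms)
{
  struct timespec deadline = now;
  deadline.tv_sec += timeout_ms / 1000;
  deadline.tv_nsec += (timeout_ms % 1000) * 1000000L;
  if (deadline.tv_nsec >= 1000000000L) {
    deadline.tv_sec += 1;
    deadline.tv_nsec -= 1000000000L;
  }
  return deadline;
}

/* Milliseconds left until the deadline, clamped at 0 once it has passed. */
long remaining_ms(struct timespec deadline, struct timespec now)
{
  long ms = (deadline.tv_sec - now.tv_sec) * 1000L
          + (deadline.tv_nsec - now.tv_nsec) / 1000000L;
  return ms > 0 ? ms : 0;
}

/* Read up to len bytes from fd, giving up after timeout_ms milliseconds in
   total. Returns the number of bytes read (less than len only on EOF), or -1
   with errno set (ETIMEDOUT when the deadline passes). The running count
   `got` bounds every read() call, so an EINTR retry cannot overflow buf. */
ssize_t timed_read(int fd, void *buf, size_t len, long timeout_ms)
{
  struct timespec now, deadline;
  size_t got = 0;

  clock_gettime(CLOCK_MONOTONIC, &now);
  deadline = deadline_from_timeout(now, timeout_ms);

  while (got < len) {
    clock_gettime(CLOCK_MONOTONIC, &now);
    long left = remaining_ms(deadline, now);
    if (left == 0) {
      errno = ETIMEDOUT;
      return -1;
    }
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&p, 1, (int)left);
    if (rc < 0) {
      if (errno == EINTR)
        continue;            /* signal: recompute what is left and retry */
      return -1;
    }
    if (rc == 0) {
      errno = ETIMEDOUT;     /* poll() ran out of time */
      return -1;
    }
    ssize_t n = read(fd, (char *)buf + got, len - got);
    if (n < 0) {
      if (errno == EINTR)
        continue;            /* interrupted before any data was copied */
      return -1;
    }
    if (n == 0)
      break;                 /* EOF: return what we have */
    got += (size_t)n;
  }
  return (ssize_t)got;
}
```

The two properties to check in a review of any such loop are that the deadline is computed once from a monotonic reading rather than re-added on each retry (otherwise every EINTR extends the wait), and that the write offset and remaining length are always derived from the same counter.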

New in nss-pam-ldapd 0.7.19 (Dec 9, 2013)

  • Use the more portable EBADF instead of EBADFD (thanks Steven Chamberlain)
  • Fix buffer overflow on interrupted read that is hard to trigger (thanks John Sullivan)
  • Extra sanity check to ensure not too many file descriptors are open

New in nss-pam-ldapd 0.7.18 (Dec 15, 2012)

  • This update for the 0.7 series fixes two issues related to file descriptor handling.

New in nss-pam-ldapd 0.8.12 (Nov 19, 2012)

  • This version fixes a problem on FreeBSD, fixes a problem with the sasl_canonicalize option, and has improvements for Solaris.
  • A few other smaller improvements have been made.

New in nss-pam-ldapd 0.8.11 (Oct 15, 2012)

  • This version fixes a few bugs, introduces the pam_password_prohibit_message and sasl_canonicalize options, loads the nslcd user's supplementary groups, and runs correctly in processes that have a high number of file descriptors open.

New in nss-pam-ldapd 0.8.10 (Jun 30, 2012)

  • This version marks the 0.8 series as stable and includes a number of documentation improvements, a bugfix, and a few other smaller changes.

New in nss-pam-ldapd 0.8.8 (Apr 28, 2012)

  • This is a quick update to fix a regression in the handling of PAM requests in the 0.8.7 release.

New in nss-pam-ldapd 0.8.7 (Apr 23, 2012)

  • log the first 10 search results in debug mode to make debugging easier (patch by Matthijs Kooijman)
  • provide more detailed logging information for LDAP errors, this should especially help for TLS related problems (based on a patch by Mel Flynn)
  • fix logging of invalid pam_authz_search value
  • when doing DNS queries for SRV records recognise default ldap and ldaps ports
  • make whether or not to do case-sensitive filtering configurable (patch by Matthew L. Dailey)
  • document the fact that each thread opens its own connection (patch by Chris Hiestand)
  • some small portability improvements
  • try to prevent some of the Broken pipe messages in nslcd
  • increase buffer used for pam_authz_search as suggested by Chris J Arges
  • pynslcd now handles privileged requests correctly
  • pynslcd now supports attribute mapping using the lower() and upper() functions

New in nss-pam-ldapd 0.8.6 (Jan 31, 2012)

  • This version includes a number of code improvements and some work being done on pynslcd, the Python implementation of nslcd, including an initial offline cache implementation.

New in nss-pam-ldapd 0.8.5 (Jan 1, 2012)

  • This version adds support for larger gecos values, improves logging, and handles numeric values from LDAP more carefully.
  • It integrates FreeBSD improvements and fixes a few bugs.
  • It brings the completion of pynslcd, the Python implementation of nslcd, closer.
  • It should now be usable in test environments.

New in nss-pam-ldapd 0.8.3 (May 16, 2011)

  • support using the objectSid attribute to provide numeric user and group ids, based on a patch by Wesley Mason
  • check shadow account and password expiry properties (similarly to what pam_unix does) in the PAM handling code
  • implement attribute mapping functionality in pynslcd
  • relax default for validnames option to allow user names of only two characters
  • make user and group name validation errors a little more informative
  • small portability improvements
  • general code improvements and refactoring in pynslcd
  • some simplifications in the protocol between the PAM module and nslcd (without actual protocol changes so far)
  • Debian packaging improvements

New in nss-pam-ldapd 0.8.2 (Mar 28, 2011)

  • fix problem with endless loop on incorrect password
  • fix a communication problem between nslcd and the NSS and PAM modules when running on Solaris 10
  • fix a compilation issue on systems without HOST_NAME_MAX
  • link to the resolv library for hstrerror() on platforms that need it
  • ignore password change requests for users not in LDAP
  • many clean-ups to the tests and added some new tests including some integration tests for the PAM functionality
  • some smaller code clean-ups and improvements
  • improvements to pynslcd, including implementations for service, protocol and rpc lookups
  • implement a validnames option that can be used to filter valid user and group names using a regular expression
  • improvements to the way nslcd shuts down with hanging worker threads

New in nss-pam-ldapd 0.8.1 (Mar 11, 2011)

  • This version fixes a serious security vulnerability that allows authentication with an incorrect password for local user accounts (CVE-2011-0438).
  • This development release also includes a file that was missing for Solaris support, includes FreeBSD support that was partially taken from the FreeBSD port, and more work on the Python implementation of nslcd.

New in nss-pam-ldapd 0.8.0 (Jan 2, 2011)

  • include Solaris support developed by Ted C. Cheng of Symas Corporation
  • include an experimental partial implementation of nslcd in Python (disabled by default, see --enable-pynslcd configure option)
  • implement a nss_min_uid option to filter user entries returned by LDAP
  • implement a rootpwmodpw option that allows the root user to change a user's password without a password prompt
  • try to update the shadowLastChange attribute on password change
  • all log messages now include a description of the request to more easily track problems when not running in debug mode
  • allow attribute mapping expressions for the userPassword attribute for passwd, group and shadow entries and by default map it to the unmatchable password ("*") to avoid accidentally leaking password information
  • numerous compatibility improvements
  • add --with-pam-seclib-dir and --with-pam-ldap-soname configure options to allow more control of how to install the PAM module
  • add --with-nss-flavour and --with-nss-maps configure options to support other C libraries and limit which NSS modules to install
  • allow tilde (~) in user and group names
  • improvements to the timeout mechanism (connections are now actively timed out using the idle_timelimit option)
  • set socket timeouts on the LDAP connection to disconnect regardless of LDAP and possibly TLS handling of connection
  • better disconnect/reconnect handling of error conditions
  • some code improvements and cleanups and several smaller bug fixes
  • all internal string comparisons are now also case sensitive (e.g. for providing DN to username lookups, etc)
  • signal handling in the daemon was changed to behave more reliably across different threading implementations
  • nslcd will now always return a positive authorisation result during authentication to avoid confusing the PAM module when it is only used for authorisation
  • Debian packaging improvement: implement configuring SASL authentication using Debconf, based on a patch by Daniel Dehennin

New in nss-pam-ldapd 0.7.13 (Dec 13, 2010)

  • This version fixes a bug in the idle_timelimit disconnecting logic that would result in never disconnecting.
  • The 0.7 series is in maintenance mode and will only receive bugfixes and security support.
  • New features are targeted for a 0.8 release.

New in nss-pam-ldapd 0.7.12 (Oct 30, 2010)

  • Set a short socket timeout when shutting down the connection to the LDAP server to avoid disconnect problems when using TLS

New in nss-pam-ldapd 0.7.11 (Oct 16, 2010)

  • This version fixes a bug that prevented logins when a relatively long ruser PAM variable is set (e.g. when including a domain).

New in nss-pam-ldapd 0.7.10 (Sep 24, 2010)

  • This version fixes a bug that prevented fail-over to the second LDAP server in certain circumstances.

New in nss-pam-ldapd 0.7.9 (Aug 30, 2010)

  • fix for --with-nss-ldap-soname configure option by Julien Cristau
  • Debian packaging improvements

New in nss-pam-ldapd 0.7.8 (Aug 19, 2010)

  • minor portability improvements and clean-ups (thanks Alexander V. Chernikov and Ted C. Cheng)
  • don't expand variables in rest of ${var:-rest} and ${var:+rest} expressions if it is not needed
  • Debian packaging improvements

New in nss-pam-ldapd 0.7.7 (Jul 4, 2010)

  • This is an update for the 0.7 series that brings some small improvements. This should be a reasonably stable and well tested release.
  • A summary of the changes since 0.7.6:
  • refactoring and simplification of PAM module which also improves logging
  • implement a nullok PAM option and disable empty passwords by default
  • portability improvements and other minor code improvements
  • the mechanism to disable name lookups through LDAP from within the nslcd process has been improved
  • the undocumented use_sasl option has been removed (specifying sasl_mech now implies use_sasl)
  • the sasl_mech, sasl_realm, sasl_authcid, sasl_authzid and sasl_secprops configuration options are now documented
  • Debian packaging improvements

New in nss-pam-ldapd 0.7.3 (Feb 28, 2010)

  • allow password modification by root using the rootpwmoddn configuration file option (the user will be prompted for the password for rootpwmoddn instead of the user's password)
  • the LDAP password modify EXOP is first tried without the old password and if that fails retried with the old password
  • when determining the domain name (used for some value of the base and uri options) also try to use the hostname aliases to build the domain name (patch by Jan Schampera)
  • perform locking on the pidfile on start-up to ensure that only one nslcd process is running and implement a --check option (patch by Jan Schampera)
  • documentation improvements

New in nss-pam-ldapd 0.7.1 (Oct 23, 2009)

  • implement password changing by performing an LDAP password modify EXOP request
  • fix return of authorisation check in PAM module (patch by Howard Chu)
  • fix for problem when authenticating to LDAP entries without a uid attribute in the DN
  • general code clean-up and portability improvements
  • provide more information with communication error messages
  • Debian packaging improvements