Blob Blame History Raw
2018-02-18  Arthur de Jong <arthur@arthurdejong.org>

	* [382b6ea] INSTALL, ar-lib, config.guess, config.sub, depcomp,
	  py-compile: Update files from latest automake

2018-02-17  Arthur de Jong <arthur@arthurdejong.org>

	* [e8a4705] tests/test_pylint.sh: Fix running pylint on distcheck

	  This sets PYTHONPATH so that both the source and build directories
	  are used to find constants.py.

2018-02-17  Arthur de Jong <arthur@arthurdejong.org>

	* [9a50971] common/expr.c, compat/attrs.h: Mark case blocks without
	  break statement

	  This avoids a gcc warning in non-empty case blocks without a
	  break statement by explicitly marking those blocks.

2018-02-16  Arthur de Jong <arthur@arthurdejong.org>

	* [c05e326] nslcd/cfg.c, nslcd/common.h: Increase size of hostname
	  buffer

	  This increases the host name buffer to support host names (that
	  include FQDNs) to 255 characters and removes the reliance on
	  HOST_NAME_MAX and _POSIX_HOST_NAME_MAX which may be smaller in
	  some situations.

	  Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/22

2017-12-23  Arthur de Jong <arthur@arthurdejong.org>

	* [9760dce] nslcd/cfg.c: Increase size of config file token

	  This increases the maximum size of tokens that are read from
	  the nslcd.conf configuration file to 256 characters. This was
	  a problem for some very long uri values.

	  Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/21

2017-10-13  Arthur de Jong <arthur@arthurdejong.org>

	* [8f76d24] nslcd/cfg.c, tests/test_cfg.c: Support spaces in
	  attribute mapping expressions

2017-06-26  Arthur de Jong <arthur@arthurdejong.org>

	* [47fd03b] AUTHORS, ChangeLog, NEWS, configure.ac,
	  man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
	  man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml,
	  nslcd/nslcd.c, pynslcd/pynslcd.py, utils/cmdline.py: Get files
	  ready for 0.9.8 release

2017-06-25  Arthur de Jong <arthur@arthurdejong.org>

	* [7920d85] tests/test_ldapcmds.sh, tests/test_nsscmds.sh: Ignore
	  password hashes in consistent manner

	  This changes the getent and getent.ldap tests to ignore password
	  hashes that may be present in shadow lookups in a consistent
	  manner.

	  This also adds minor compatibility improvements.

2017-06-25  Arthur de Jong <arthur@arthurdejong.org>

	* [65695aa] pynslcd/cfg.py, pynslcd/mypidfile.py, pynslcd/pynslcd.py:
	  Create pidfile directory in pynslcd

	  This ensures that /var/run/nslcd is created (when it does not
	  exist) when starting pynslcd.

2017-06-25  Arthur de Jong <arthur@arthurdejong.org>

	* [419aab2] pynslcd/cfg.py, pynslcd/group.py, pynslcd/passwd.py:
	  Add nss_uid_offset and nss_gid_offset to pynslcd

2017-03-20  Seth Wright <seth@crosse.org>

	* [5103173] man/nslcd.conf.5.xml, nslcd/cfg.c, nslcd/cfg.h,
	  nslcd/group.c, nslcd/passwd.c: Add the ability to offset UID
	  and GID numbers

2017-06-18  Arthur de Jong <arthur@arthurdejong.org>

	* [fee74d9] tests/Makefile.am, tests/test_ldapcmds.sh: Portability
	  improvements to test_ldapcmds.sh

	  This fixes an issue with the export statement in POSIX shell
	  scripts, ensures that the commands in the output match those
	  in the script, strips password hashes for shadow lookups (for
	  systems without PAM where these are exposed) and only runs the
	  tests if we enabled the utils.

	  Fixes 246a1f3.

2017-06-17  Arthur de Jong <arthur@arthurdejong.org>

	* [5126b26] nslcd/ether.c: Use uint8_t instead of u_int8_t

	  The former seems to be available on more platforms than the latter.

	  Fixes be26510.

2017-06-17  Arthur de Jong <arthur@arthurdejong.org>

	* [fe3772f] compat/pam_compat.h: Fix HAVE_DECL_PAM_ERROR usage

	  The macro is supposed to be defined to 0 (instead of undefined)
	  if pam_info() and pam_error() are not found.

	  Fixes 3d5ab89.

2017-06-17  Arthur de Jong <arthur@arthurdejong.org>

	* [ca62f59] nslcd/shadow.c: Also filter shadow entries by validnames

2017-06-17  Arthur de Jong <arthur@arthurdejong.org>

	* [e68b85a] nslcd/passwd.c, nslcd/shadow.c: Fix and clarify a
	  few comments

2017-06-16  Arthur de Jong <arthur@arthurdejong.org>

	* [3d5ab89] compat/pam_compat.h, configure.ac: Fix pam_info()
	  and pam_error() replacement

	  On FreeBSD these are functions while on Linux they are macros
	  causing them to be incorrectly replaced on FreeBSD. This resulted
	  in a crash of the PAM module when e.g. presenting messages about
	  password expiry.

2017-06-16  Arthur de Jong <arthur@arthurdejong.org>

	* [b5d1dd2] tests/Makefile.am: Clean log from test_pamcmds.expect

	  This removes test_pamcmds.log that is generated by
	  test_pamcmds.expect when running the test suite. This avoids an
	  error in the distcheck target.

2017-06-16  Arthur de Jong <arthur@arthurdejong.org>

	* [246a1f3] tests/test_ldapcmds.sh: Fix running test_ldapcmds.sh
	  during distcheck

	  This ensures that Python can find both getent.py (from source
	  directory) and constants.py (from build directory) when running
	  the tests from the distcheck target.

	  This also makes the script more similar to test_nsscmds.sh.

	  Fixes 9c803d7.

2017-06-15  Arthur de Jong <arthur@arthurdejong.org>

	* [43862ba] : Add pam_authc_search option

	  This option can be used to configure the search operation that
	  should be performed after authentication.

2017-06-15  Arthur de Jong <arthur@arthurdejong.org>

	* [5141b09] man/nslcd.conf.5.xml, nslcd/pam.c: Allow skipping
	  post-authentication search altogether

2017-06-14  Arthur de Jong <arthur@arthurdejong.org>

	* [0cafb08] nslcd/myldap.c, nslcd/myldap.h, nslcd/pam.c,
	  nslcd/usermod.c: Implement myldap_bind() function

	  This function integrates the myldap_set_credentials() and
	  myldap_get_policy_response() and performs the bind operation
	  witout actually performing a search.

	  The function performs a "fake" search that returns after performing
	  the LDAP BIND operation.

	  This replaces a number of dummy search operations that were there
	  to ensure that the connection was open. This allows us to skip
	  the search operation after authentication.

2017-06-14  Arthur de Jong <arthur@arthurdejong.org>

	* [9564dd0] nslcd/pam.c: Implement handling of pam_authc_search
	  option

	  This allows performing a different, configurable search from
	  the default BASE search after the BIND operation.

2017-06-14  Arthur de Jong <arthur@arthurdejong.org>

	* [f72aaa2] man/nslcd.conf.5.xml: Document pam_authc_search option

2017-06-14  Arthur de Jong <arthur@arthurdejong.org>

	* [5d11cb8] nslcd/cfg.c, nslcd/cfg.h, nslcd/pam.c: Add
	  pam_authc_search option parsing

2017-06-14  Arthur de Jong <arthur@arthurdejong.org>

	* [bcc3a08] nslcd/pam.c, pynslcd/pam.py: Reorganise PAM search
	  var building functions

	  This moves the autzsearch_var_add(), autzsearch_vars_free(),
	  autzsearch_var_get() and do_autzsearches() functions to the top of
	  the file using more generic names and introduces search_vars_new()
	  in prepartion of other similar searches.

	  This also renames the remaining authzsearch functions to
	  authz_search to be consistent with the pam_authz_search option.

2017-06-13  Arthur de Jong <arthur@arthurdejong.org>

	* [ebc0f76] README, configure.ac, tests/test.ldif: Switch to
	  HTTPS URLs

2017-06-13  Arthur de Jong <arthur@arthurdejong.org>

	* [be26510] compat/ether.c, compat/ether.h, configure.ac,
	  nslcd/ether.c, pynslcd/ether.py: Query ethernet addresses in
	  compact and long format

	  This ensures that when querying the address 0:18:8a:54:1a:8b
	  both that format and 00:18:8a:54:1a:8b is searched for in LDAP.

	  This was triggerred by the fact that ether_ntoa() on FreeBSD
	  returns the long format while glibc uses the compact format.

	  Since we are no longer using the libc version of ether_ntoa() we
	  can also drop the compatibility implementation of ether_ntoa_r().

2017-06-07  Arthur de Jong <arthur@arthurdejong.org>

	* [becc883] nslcd/passwd.c: Log entries and lookups failing
	  nss_min_uid

	  This logs (at debug level) any LDAP uidNumber attribute values
	  (or translated objectSid attribute values) that are lower than
	  nss_min_uid.	It also logs getpwuid() requests for such uids.

2017-06-04  Arthur de Jong <arthur@arthurdejong.org>

	* [5a84be2] utils/chsh.py, utils/cmdline.py, utils/getent.py,
	  utils/nslcd.py, utils/shells.py, utils/users.py: Make nslcd-utils
	  Python 3 compatible

	  This changes the getent.ldap and chsh.ldap commands to be
	  compatible with Python 2 and Python 3 with the same code.

	  This does switch to raw I/O because Python 3 does not support
	  bufferred I/O on sockets.

2017-06-04  Arthur de Jong <arthur@arthurdejong.org>

	* [9c803d7] tests/Makefile.am, tests/test_ldapcmds.sh,
	  tests/test_nsscmds.sh, tests/testenv.sh: Add tests for getent.ldap
	  command

	  This more or less duplicates the tests from test_nsscmds.sh to
	  test_ldapcmds.sh with some modifications for the differences
	  in output.

	  This also extends the test_nsscmds.sh tests to handle the case
	  where shadow lookups do not go through LDAP.

2017-06-04  Arthur de Jong <arthur@arthurdejong.org>

	* [a357131] utils/getent.py: Fix output of getent.ldap networks

	  Contrary to the hosts output the network name is listed first.

2017-06-03  Arthur de Jong <arthur@arthurdejong.org>

	* [58c7a94] utils/getent.py: Fix IPv6 lookups in getent.ldap

2017-06-03  Arthur de Jong <arthur@arthurdejong.org>

	* [5173e55] man/getent.ldap.1.xml, utils/getent.py: Accept multiple
	  key arguments to getent.ldap

	  This allows supplying multiple arguments to getent.ldap that
	  will each act as a search key for lookups, similar to what normal
	  getent allows.

2017-02-07  Arthur de Jong <arthur@arthurdejong.org>

	* [53f797b] nslcd/nslcd.c: Exit with 0 when stopping nslcd

	  When receiving a signal this will result in nslcd returning with
	  a success exit code.

	  Thanks Stanislav Moravec for pointing this out.

2016-09-04  Arthur de Jong <arthur@arthurdejong.org>

	* [c12cd14] nslcd/nslcd.c: Remove duplicate break statement

2016-09-04  Arthur de Jong <arthur@arthurdejong.org>

	* [d8ad7b1] nslcd/myldap.c: Do not try all LDAP servers on failed
	  authentication

	  See https://bugs.launchpad.net/bugs/1618190

2016-08-30  Arthur de Jong <arthur@arthurdejong.org>

	* [a3da150] utils/nslcd.py: Replace Python assertions with exceptions

	  The assertions can be optimised out when compiling the modules
	  with -O which would break the protocol handling. This ensures
	  that errors are properly handled even if optimisation is enabled.

	  Thanks Yu-Chun Huang for reporting this.
	  https://github.com/arthurdejong/nss-pam-ldapd/issues/14

2016-08-14  Arthur de Jong <arthur@arthurdejong.org>

	* [c286bb5] AUTHORS, ChangeLog, NEWS, README, configure.ac,
	  man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
	  man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml,
	  nslcd/nslcd.c, pynslcd/pynslcd.py, utils/cmdline.py: Get files
	  ready for 0.9.7 release

2016-08-14  Arthur de Jong <arthur@arthurdejong.org>

	* [db9494e] tests/Makefile.am: Only run doctests when building
	  pynslcd

2016-08-14  Arthur de Jong <arthur@arthurdejong.org>

	* [cb16e4c] nss/bsdnss.c: Avoid some warnings on FreeBSD

	  This adds casts to and from void * for the function pointers
	  that are passed around.

2016-07-27  Arthur de Jong <arthur@arthurdejong.org>

	* [b7a0b23] ChangeLog, ChangeLog-2013, Makefile.am: Archive 2013
	  ChangeLog entries

2016-07-27  Arthur de Jong <arthur@arthurdejong.org>

	* [e4df12c] config.guess, config.sub, install-sh: Update files
	  from latest automake

2016-07-27  Arthur de Jong <arthur@arthurdejong.org>

	* [db8034a] man/Makefile.am, utils/Makefile.am, utils/getent.py:
	  Also use module-name in utilities and man pages

	  This ensures that getent.ldap, chsh.ldap and manual pages with
	  ldap in the name will be installed with the name as specified
	  with --with-module-name.

	  Note that the manual page content still describes the working
	  within nss-pam-ldapd and still mention the ldap name.

2016-06-04  Arthur de Jong <arthur@arthurdejong.org>

	* [281b0ec] tests/test_doctest.sh: Ensure doctest also run in
	  distcheck

	  This fixes test_doctest.sh to also work when the build directory
	  is different from the source directory. This is needed because
	  constants.py is only available in the build directory.

2016-06-03  Arthur de Jong <arthur@arthurdejong.org>

	* [a89eda7] nslcd/pam.c: Also honor ignorecase in PAM

	  This avoids changing the cannonical username to the value as
	  specified in LDAP when ignorecase is used.

	  See https://github.com/arthurdejong/nss-pam-ldapd/issues/12

2016-06-03  Arthur de Jong <arthur@arthurdejong.org>

	* [7eb1d69] pynslcd/expr.py: Support ${var:offset:length} in pynslcd

2016-06-02  Arthur de Jong <arthur@arthurdejong.org>

	* [c90a537] pynslcd/attmap.py: Fix pynslcd expression representation

	  The problem was that the ExpressionMapping string value did not
	  include the quotes which will cause problems when printing the
	  expression (e.g.  when logging or dumping config, etc.).

2016-06-02  Arthur de Jong <arthur@arthurdejong.org>

	* [fd61bb6] tests/Makefile.am, tests/test_doctest.sh: Add test
	  for running doctests

2016-05-30  Giovanni Mascellani <mascellani@poisson.phc.unipi.it>

	* [2ba9560] common/expr.c, man/nslcd.conf.5.xml, tests/test_expr.c:
	  Support substituting expresions of type ${var:offset:length}

2016-05-30  Giovanni Mascellani <mascellani@poisson.phc.unipi.it>

	* [3a4860c] man/nslcd.conf.5.xml: Fix small typo

2016-05-24  Arthur de Jong <arthur@arthurdejong.org>

	* [917ded7] common/expr.c: Refactor out expression parsing to
	  functions

	  This moves the parsing of the various ${var...} expressions to
	  separate functions so they can be extended more easily.

2016-02-22  Arthur de Jong <arthur@arthurdejong.org>

	* [4be9c59] pam/pam.c: Fix logic error

	  This could result in a free(NULL) call. This code path can
	  only be triggered if pam_ldap changes the logged-in username
	  (introduced in 6a74d8d).

	  Thanks 依云, see
	  https://github.com/arthurdejong/nss-pam-ldapd/issues/11

2016-01-30  Mathieu Baeumler <mathieu.baeumler@gmail.com>

	* [985aec3] nslcd/myldap.c: Display human readable expiry message

	  Display a human readable message (days+hours, or hours+minutes,
	  or seconds) when the password expiring warning is issued.

2016-02-13  Arthur de Jong <arthur@arthurdejong.org>

	* [b795f6c] nslcd/cfg.c: Fix nss_disable_enumeration configuration

	  This fixes a copy-paste bug where nss_disable_enumeration was
	  incorrectly handled. Fixes c0366d8.

	  Thanks Andrew W Elble for pointing this out.

2016-01-18  Arthur de Jong <arthur@arthurdejong.org>

	* [525c996] tests/test.ldif, tests/test_nsscmds.sh: Add a few
	  IPv6 tests

	  This adds a few test hosts that have IPv6 addresses. This
	  ensures that we have an IPv6-only host and hosts which have
	  address values in different order in the ipHostNumber attribute
	  (although attribute order is probably not guaranteed).

2015-10-18  Mathieu Baeumler <mathieu.baeumler@gmail.com>

	* [31cd2cf] man/nslcd.conf.5.xml, nslcd/cfg.c, nslcd/cfg.h,
	  nslcd/myldap.c: Add pam_authc_ppolicy option

	  This option allows completely disabling ppolicy handling.

2016-01-06  Arthur de Jong <arthur@arthurdejong.org>

	* [117c9cb] nslcd/pam.c: Fix error handling on credential change

	  This fixes setting the correct LDAP error code and also fixes
	  formatting in 027df03.

2015-12-23  Vasilis Tsiligiannis <vasilis.tsiligiannis@nokia.com>

	* [027df03] nslcd/pam.c: Fix updating of 'shadowLastChange'
	  attribute when chasing referrals

	  This fixes a bug where 'shadowLastChange' attribute cannot be
	  updated when chasing a referral. After a password is succesfully
	  changed, the credentials for binding should also be updated with
	  the new password for the session.

	  Signed-off-by: Vasilis Tsiligiannis
	  <vasilis.tsiligiannis@nokia.com>

2015-11-13  Arthur de Jong <arthur@arthurdejong.org>

	* [fcea92d] nslcd/cfg.c: Correct file readability check

	  This uses access() instead of stat() to see if the file is
	  readable by the current process. This fixes f089e01.

2015-09-20  Arthur de Jong <arthur@arthurdejong.org>

	* [c879485] nslcd/myldap.c: Fail-over and retry on more errors

	  Also try to fail over to another LDAP server on a larger number
	  of errors. Specifically errors that point to problems connecting
	  to the LDAP server.

2015-08-29  Arthur de Jong <arthur@arthurdejong.org>

	* [3d09e28] nslcd/myldap.c: Open connection before do_try_search()

	  This is in preparation for splitting the BIND from the search
	  phase for authentication.

2015-08-27  Arthur de Jong <arthur@arthurdejong.org>

	* [f089e01] nslcd/cfg.c: Loosen up file existence check

	  This changes the check (for configuration options that specify
	  file names) to just check that the specified path is readable
	  instead of ensisting that it points to a file.

	  This allows tls_randfile to point to /dev/urandom (a character
	  device) or a pipe. This fixes 6779a51.

	  This also applies the same check to the krb5_ccname option.

	  Thanks to Patrick McLean for pointing this out.

2015-08-14  Arthur de Jong <arthur@arthurdejong.org>

	* [309f127] pam/pam.c: Have PAM module log messages to syslog

	  This logs informational messages that are presented to the user
	  tot syslog. This normally includes password expiry and grace
	  login information which may be useful to log.

2015-08-14  Arthur de Jong <arthur@arthurdejong.org>

	* [263a443] nslcd/myldap.c: Simplify password policy message handling

	  This simplifies the check for overwriging pending password
	  expiry and grace logins warnigns and updates handling of the
	  LDAP_CONTROL_PWEXPIRING control to be consistent with that of
	  the expire value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE.

	  This also corrects the function name, also logs empty password
	  policy responses in debug mode and documents the meaning of the
	  various password policy values.

2015-07-09  Mathieu Baeumler <mathieu.baeumler@gmail.com>

	* [4302901] nslcd/myldap.c: Fix password policy expiration warnings

	  If a password expiration warning (pwdExpireWarning) is set in
	  slapd, and the password is about to expire, slapd sends the
	  timeBeforeExpiration value as part of the passwordPolicyResponse.

	  nslcd would incorrectly instruct the PAM module to require
	  immediate password change. This has been fixed for both
	  timeBeforeExpiration and graceLoginsRemaining.

2015-07-19  Arthur de Jong <arthur@arthurdejong.org>

	* [89b471b] ar-lib, autogen.sh, compile, configure.ac, depcomp,
	  install-sh, missing, py-compile, test-driver: Update files from
	  automake 1.15

	  This also includes the m4 directory when invoking aclocal because
	  not all versions seem to handle AC_CONFIG_MACRO_DIR.

2015-07-19  Arthur de Jong <arthur@arthurdejong.org>

	* [86a4618] m4/ax_tls.m4: Disable quoting in AX_TLS notfound case

	  This ensures that AS_IF does not generate an empty else clause
	  which will result in an invalid configure script.

2015-07-19  Arthur de Jong <arthur@arthurdejong.org>

	* [6779a51] nslcd/cfg.c: Check file existence for configuration
	  options

	  This adds addition checks to the tls_cacertdir, tls_cacertfile,
	  tls_randfile, tls_cert and tls_key options to ensure that they
	  point to an existing file when parsing nslcd.conf.

2015-07-19  Arthur de Jong <arthur@arthurdejong.org>

	* [a6c7c63] pynslcd/pynslcd.py: Work around bug in python-daemon

	  See https://bugs.debian.org/792871

2015-07-08  Arthur de Jong <arthur@arthurdejong.org>

	* [c32e8c0] m4/ax_pthread.m4, m4/ax_tls.m4: Update macros from
	  autoconf-archive

2015-06-14  Arthur de Jong <arthur@arthurdejong.org>

	* [d949bd4] AUTHORS, ChangeLog, NEWS, configure.ac,
	  man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
	  man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml:
	  Get files ready for 0.9.6 release

2015-06-14  Arthur de Jong <arthur@arthurdejong.org>

	* [4236dd6] Makefile.am: Correctly insert emtpy lines in ChangeLog

2015-06-13  Arthur de Jong <arthur@arthurdejong.org>

	* [e916a2b] man/nslcd.conf.5.xml: Manual page improvements

2015-06-13  Arthur de Jong <arthur@arthurdejong.org>

	* [9a7921f] nslcd/common.c, nslcd/common.h: Also fix signed integer
	  bug in binsid2id()

	  This should have been part of d217632.

2015-06-11  Geoffrey McRae <gnif@xbmc.org>

	* [d217632] nslcd/common.c: Fixed signed 32bit overflow bug on
	  32bit systems

2015-05-23  Jed Liu <jed-nss-pam-ldapd-users@uma.litech.org>

	* [3add5f0] nslcd/cfg.c: Allow configuration values longer than
	  63 characters

2015-03-06  Arthur de Jong <arthur@arthurdejong.org>

	* [d58fba9] nss/netgroup.c: Provide innetgr function on Solaris

	  This implements a function in the Solaris version of the NSS module
	  to check if a specifc netgroup triplet is part of a netgroup.

	  This also avoids a compiler warning and includes improvements
	  and testing by Mark R Bannister.

2015-05-01  Andrew Elble <aweits@rit.edu>

	* [c0366d8] man/nslcd.conf.5.xml, nslcd/cfg.c, nslcd/cfg.h,
	  nslcd/nslcd.c, pynslcd/cfg.py, pynslcd/group.py, pynslcd/passwd.py,
	  pynslcd/shadow.py: Implement disable_enumeration

	  If this option is present, functions which cause all user/group
	  entries to be loaded (getpwent(), getgrent()) from the directory
	  will not succeed in doing so. This can dramatically reduce
	  ldap server load in situations where there are a great number
	  of users and/or groups.  Applications that depend on being able
	  to sequentially read all users and/or groups may fail to operate
	  correctly. This option is not recommended for most configurations.

2015-04-17  Arthur de Jong <arthur@arthurdejong.org>

	* [96045d2] man/nslcd.conf.5.xml, nslcd/cfg.c, nslcd/cfg.h,
	  nslcd/group.c, pynslcd/cfg.py, pynslcd/group.py: Implement
	  nss_getgrent_skipmembers

	  This option allows skipping group member list retrieval to
	  improve performance with very large groups. This option results
	  in inconsistent group membership information being presented
	  that may confuse some applications.

2015-04-15  Arthur de Jong <arthur@arthurdejong.org>

	* [530cc24] nslcd/daemonize.c, nslcd/nslcd.c: Avoid signal race
	  condition on start-up

	  This only restores the signal mask after signal handlers are in
	  place and the daemon has completely daemonised to avoid a race
	  condition in the start-up phase of nslcd where a signal could
	  be sent to nslcd causing it to quit or fail to write information
	  to the parent process.

2015-03-29  Arthur de Jong <arthur@arthurdejong.org>

	* [16fd8c6] AUTHORS, ChangeLog, NEWS, README, configure.ac,
	  man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
	  man/pam_ldap.8.xml, man/pynslcd.8.xml: Get files ready for
	  0.9.5 release

2015-03-11  Tim Rice <tim@multitalents.net>

	* [ae08830] common/Makefile.am, compat/Makefile.am, configure.ac,
	  nss/Makefile.am, pam/Makefile.am: Use correct PIC arg for
	  non-GCC compilers

2015-03-22  Arthur de Jong <arthur@arthurdejong.org>

	* [fdbca17] config.sub: Update files from latest automake

2015-03-22  Arthur de Jong <arthur@arthurdejong.org>

	* [9f9a5c5] nss/networks.c: Fix for networks lookup under Solaris

	  This fixes a byte order issue when nscd is running.

2015-03-22  Arthur de Jong <arthur@arthurdejong.org>

	* [52ea3f5] configure.ac: Add checks to configure

	  This adds tests for a function and type used in the code.

2015-03-22  Arthur de Jong <arthur@arthurdejong.org>

	* [4ec1c08] nslcd/daemonize.c: ENODATA is missing on FreeBSD

	  FreeBSD doesn't have ENODATA so we use ENOATTR instead.

2015-03-22  Arthur de Jong <arthur@arthurdejong.org>

	* [b2563b0] compat/nss_compat.h, configure.ac: Remove use of
	  irs-nss.h

	  This was a compatibility leftover from the nss_ldap days.

2015-03-21  Arthur de Jong <arthur@arthurdejong.org>

	* [4c5a3c9] tests/test_clock.c: Prevent numer overflow in test_clock

2015-03-21  Arthur de Jong <arthur@arthurdejong.org>

	* [0420232] nslcd/nslcd.c, nslcd/nsswitch.c, nss/Makefile.am,
	  tests/testenv.sh: Various small fixes when using --with-module-name

	  This updates the test framework to support --with-module-name,
	  ensures that exports.map is rebuilt when configure is re-ran,
	  fixes parsing of nsswitch.conf (to determine what to return for
	  passwd lookups) and fixes the check for _nss_ldap_version.

2015-03-21  Arthur de Jong <arthur@arthurdejong.org>

	* [788475f] nss/common.h: Also support platforms without TLS

	  This disables the use of thread-local storage in the NSS module
	  when it is not available in libc. This results in the get*ent()
	  functions not being thread-safe. However, on most platforms they
	  are not expected to be thread-safe anyway.

2015-03-20  Dalibor Pospíšil <dapospis@redhat.com>

	* [95d621e] man/nslcd.conf.5.xml: Document that multiple URIs can
	  be specified

	  Update nslcd.conf man page that multiple URIs can be set by
	  using more uri lines or more URIs defined on one uri line.

	  https://bugzilla.redhat.com/show_bug.cgi?id=1204195

2015-03-11  Patrick McLean <chutzpah@gentoo.org>

	* [fa6affc] common/tio.c, nslcd/attmap.c, nslcd/cfg.c,
	  nslcd/myldap.c: Fix formatting of size_t values

	  In several places the code used a %d format to print a size_t
	  variable.  On amd64 at least size_t is an unsigned long, so use
	  %lu instead.

	  An alternative would be to use %ud for size_t and %zd fo ssize_t
	  but not all platforms seem to support that formatter.

2015-03-11  Patrick McLean <chutzpah@gentoo.org>

	* [246aba5] nslcd/myldap.c, pam/pam.c: Avoid comparison of static
	  array to null pointer

	  There are several places where a static length array in a struct
	  is compared to a null pointer. These comparisons will always
	  be false, since an array in a struct is not actually a pointer,
	  so they can be removed.

2015-03-10  Patrick McLean <chutzpah@gentoo.org>

	* [d0f896a] AUTHORS, nslcd/nslcd.c: Don't let the oom killer
	  kill nslcd

	  Adjust the Linux OOM (Out-Of-Memory) killer score by -1000 for
	  nslcd so that it should not be killed.

2015-01-19  Arthur de Jong <arthur@arthurdejong.org>

	* [ee82d2f] .gitignore, configure.ac, nslcd/nslcd.c,
	  nss/Makefile.am, nss/aliases.c, nss/bsdnss.c, nss/common.c,
	  nss/common.h, nss/ethers.c, nss/group.c, nss/hosts.c,
	  nss/netgroup.c, nss/networks.c, nss/passwd.c, nss/protocols.c,
	  nss/prototypes.h, nss/rpc.c, nss/services.c, nss/shadow.c,
	  pam/pam.c, pynslcd/constants.py.in, pynslcd/pynslcd.py: Allow
	  configuration of NSS and PAM names

	  This introduces the --with-module-name configure option to
	  allow building of NSS and PAM modules with different namespaces
	  than ldap.

2015-01-12  Mark R Bannister <dbis@proseconsulting.co.uk>

	* [ed8b312] nss/hosts.c: Fix uninitialised variable

	  This fixes a bug in the NSS library when encountering IPv6
	  addresses in the hosts map.

2014-12-12  Arthur de Jong <arthur@arthurdejong.org>

	* [8b33057] nslcd/myldap.c: Avoid accessing searches outside array

	  Thanks David Binderma for pointing this out.

	  Note that in practical situations this should not result in any
	  errors due to the position of searches within the ldap_session
	  struct.

2014-11-02  Arthur de Jong <arthur@arthurdejong.org>

	* [9ee854e] man/nslcd.conf.5.xml: Document that rootpwmoddn needs
	  to exist

	  See
	  http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00166.html

2014-10-10  Arthur de Jong <arthur@arthurdejong.org>

	* [4262122] nslcd/nslcd.c: Fix format string

	  Thanks Jianhai Luan.

2014-10-04  Arthur de Jong <arthur@arthurdejong.org>

	* [1d3b19b] nslcd/nslcd.c: Block signals sooner to avoid race
	  conditions

2014-08-27  Jason Luan <jianhai.luan@oracle.com>

	* [78627c9] nslcd/cfg.c, nslcd/group.c, nslcd/nslcd.c,
	  nslcd/passwd.c: uid_t/gid_t should be formatted as unsigned long

	  mmkfilter_passwd_byuid()/mkfilter_group_bygid() get wrong filter
	  string because "%d" will return negative when uid/gid larger
	  than 2^31, and result to "Authentiction failure".

	  This also changes the other places where uid_t or gid_t values
	  are formatted.

2014-09-21  Arthur de Jong <arthur@arthurdejong.org>

	* [a726d29] nslcd/daemonize.c: Fix issues with daemonising

	  This fixes a problem with a buffer that could end up padded
	  with garbage.

	  This also clarifies the code a bit and adds extra logging for
	  errors that could occur during daemonising.

2014-06-30  Tim Harder <radhermit@gmail.com>

	* [82e4423] nslcd/myldap.c: Minor comment spelling fix

2014-06-30  Tim Harder <radhermit@gmail.com>

	* [2950797] AUTHORS, nslcd/myldap.c: Check a socket's connectivity
	  before trying to use it

	  This alleviates some cases where multi-second lag occurs before a
	  query returns due to some or all connections having been closed
	  by the peer, e.g. a load balancer timing out old connections,
	  but they are all tried before opening new connections.

	  Tested and working on Linux.

2014-06-20  Arthur de Jong <arthur@arthurdejong.org>

	* [1765e34] nslcd/common.h: Fix copy-pasto

2014-06-12  Arthur de Jong <arthur@arthurdejong.org>

	* [9516479] tests/test.ldif, tests/test_nsscmds.sh: Use other IP
	  range for tests

	  This uses IP addresses from the RFC 5737 TEST-NET-1 range that is
	  meant for use in documentation. This avoids issues with running
	  the tests environments that also use the 10.0.0.0/8 range.

2014-06-06  Arthur de Jong <arthur@arthurdejong.org>

	* [b3cf0aa] AUTHORS, ChangeLog, NEWS, configure.ac,
	  man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
	  man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml:
	  Get files ready for 0.9.4 release

2014-06-06  Arthur de Jong <arthur@arthurdejong.org>

	* [abb2452] nss/services.c: Return correct port number on Solaris

	  This is a small fix for when using nscd (which still does not
	  seem to work completely). The port is stored in network byte
	  order but should be printed in host byte order.

2014-06-06  Arthur de Jong <arthur@arthurdejong.org>

	* [b977d3f] tests/lookup_groupbyuser.c: Add missing include
	  for FreeBSD

2014-06-06  Arthur de Jong <arthur@arthurdejong.org>

	* [258d671] nslcd/pam.c: Fix password modification by root

	  This fixes 15fc13c.

2014-06-06  Arthur de Jong <arthur@arthurdejong.org>

	* [8eeb1cc] common/tio.c: Clear proper buffer length

	  This fixes 3d29861.

2014-06-06  Arthur de Jong <arthur@arthurdejong.org>

	* [3d65b84] nslcd/common.h: Fix code indentation

	  This fixes 2274b41.

2014-06-06  Arthur de Jong <arthur@arthurdejong.org>

	* [e867727] config.guess, config.sub: Update files from latest
	  automake

2014-06-05  Arthur de Jong <arthur@arthurdejong.org>

	* [f5ee208] pynslcd/cache.py: Fix comment

2014-06-05  Arthur de Jong <arthur@arthurdejong.org>

	* [13483f9] .gitignore, configure.ac, tests/Makefile.am,
	  tests/lookup_groupbyuser.c: Introduce lookup_groupbyuser test
	  command

	  This command can be used to perform a lookup using getgrouplist()
	  to present a list of returned numeric group ids. This can be
	  used to avoid the additional lookups that are done with the id
	  and groups commands.

2014-05-14  Arthur de Jong <arthur@arthurdejong.org>

	* [3d29861] common/tio.c, nslcd/myldap.c, nslcd/pam.c: Clear
	  buffers before free-ing

	  This clears most buffers that may hold credentials at one point
	  before free()ing the memory.

2014-05-08  Arthur de Jong <arthur@arthurdejong.org>

	* [aa1d810] HACKING: Clarify code contribution

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [94eacb5] nslcd/pam.c: Improve error logging of user login failures

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [ca36a50] nslcd/myldap.c: Also extract policy controls on
	  BIND failure

	  This ensures that controls returned by an LDAP server as part of
	  a failed BIND operation are also returned. This makes it possible
	  to distinguish between a wrong password and an expired password.

	  This also only logs the BIND operation result on DEBUG level
	  (the error is logged later on).

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [d6163e2] configure.ac: Use FreeBSD lib directory and SONAME
	  on Dragonfly

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [f6f3730] README, man/nslcd.conf.5.xml: Small documentation
	  improvements

	  This includes a number of minor changes to the documentation. This
	  also documents the children search scope (related to 2caeef4).

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [ed79110] nslcd/daemonize.c, nslcd/nslcd.c: Log daemonising
	  failures

	  This also clears errno in the main function to ensure that no
	  incorrect errno value is logged on errors.

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [18d05b0] .gitignore, tests/Makefile.am, tests/test_attmap.c:
	  Add a test for setting member attribute mapping

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [fbea2a5] nslcd/attmap.c: Fix mapping group member attribute to
	  empty string

	  This fixes be94912.

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [2274b41] nslcd/alias.c, nslcd/attmap.c, nslcd/cfg.c,
	  nslcd/common.h, nslcd/ether.c, nslcd/group.c, nslcd/host.c,
	  nslcd/invalidator.c, nslcd/myldap.c, nslcd/netgroup.c,
	  nslcd/network.c, nslcd/pam.c, nslcd/passwd.c, nslcd/protocol.c,
	  nslcd/rpc.c, nslcd/service.c, nslcd/shadow.c: Make buffer size
	  error logging consistent

	  This adds logging of most cases where a defined buffer is not
	  large enough to hold provided data on error log level.

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [15fc13c] nslcd/myldap.c, nslcd/myldap.h, nslcd/pam.c,
	  nslcd/usermod.c: Warn when binddn buffer is too small

2014-05-04  Arthur de Jong <arthur@arthurdejong.org>

	* [f987891] nslcd/common.h: Grow DN buffer size

	  The buffer size seems to be a problem in environments with long
	  names or environments with non-ASCII characters.

2014-05-02  ushi <ushi@honkgong.info>

	* [119cebf] nslcd/common.h: Use larger nslcd password buffer

	  I had some edge cases where 64 bytes were not enough. People
	  are using password managers with long generated passwords. I
	  increased the buffer size to 128.

2014-03-12  Arthur de Jong <arthur@arthurdejong.org>

	* [8f12c15] AUTHORS, ChangeLog, NEWS, configure.ac,
	  man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml,
	  man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml,
	  pynslcd/pynslcd.py: Get files ready for 0.9.3 release

2014-03-12  Arthur de Jong <arthur@arthurdejong.org>

	* [1ec7739] INSTALL, missing, test-driver: Update files from
	  recent automake

2014-03-10  Arthur de Jong <arthur@arthurdejong.org>

	* [44764f0] tests/Makefile.am, tests/test_myldap.sh,
	  tests/test_nsscmds.sh: Run the correct executables for the tests

	  This fixes issues with running the tests when using a separate
	  build directory (fixes ef0eddaa).

2014-03-10  Arthur de Jong <arthur@arthurdejong.org>

	* [77444ac] tests/test_myldap.sh: Fix nslcd-test.conf permissions
	  for test

	  This ensures that configuration file is not world readable when
	  the tests are run. This avoids test failure for the use of the
	  rootpwmodpw option.

2014-03-10  Arthur de Jong <arthur@arthurdejong.org>

	* [96e4171] common/nslcd-prot.h: Interpret transferred integers
	  as signed again

	  This fixes an issue with unsigned values ending up in signed
	  fields and missing sign extension.

	  See: https://bugs.debian.org/739330

2014-01-27  Nalin Dahyabhai <nalin@redhat.com>

	* [2d35feb] nss/hosts.c, nss/networks.c: Use right h_errnop for
	  retrying with larger buffer

	  The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL
	  when it needs to try again with a larger buffer.

	  Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>

2014-01-27  Lukas Slebodnik <lslebodn@redhat.com>

	* [8532f40] nss/hosts.c, nss/networks.c: Fix crash when retrieving
	  large networks entries

	  If NSS_STATUS_TRYAGAIN is returned from read_one_hostent or
	  read_one_netent then fp will be closed and function tio_skipall
	  will be called with NULL pointer.  It could happend in functions:
	      _nss_ldap_getnetbyname_r _nss_ldap_getnetbyaddr_r
	      _nss_ldap_gethostbyname2_r _nss_ldap_gethostbyaddr_r

	  Fixes r548 (aka afd5d9b).

2014-01-30  Davy Defaud <davy.defaud@free.fr>

	* [4211961] nslcd/group.c: Support builtin Windows groups

	  This maps the gid (gidNumber) to an AD SID for builtin
	  groups when searching a group by gid (RID) between 544 and
	  552. In that case the SID prefix is not the domain's prefix
	  (S-1-5-21-dddddd-dddddd-dddddd) but the BUILTIN SID prefix
	  (1-5-32).

	  For example, if you add a user to the Administrators builtin
	  group (S-1-5-32-544), now you should be able to get this group
	  through nslcd, instead of receiving an error message.

2014-01-25  Arthur de Jong <arthur@arthurdejong.org>

	* [f6a0675] configure.ac: Add test for krb5 thread safety

	  This adds a test that checks the return value of
	  krb5_is_thread_safe() to see if krb5 is thread safe (during build)
	  and issues a warning if it is not.

	  nslcd does not directly link to krb5 but the library may be
	  loaded (by GSSAPI) if Kerberos is used to authenticate nslcd to
	  the LDAP server.

2014-01-25  Francois Tigeot <ftigeot@wolfpond.org>

	* [043838c] configure.ac: Also detect DragonFly as BSD

	  This fixes the detection of DragonFly as requiring the freebsd
	  NSS interface flavour.

2014-01-24  joshuashire <joshuashire@hotmail.com>

	* [2181cca] nslcd/shadow.c: Update shadow.c to resolve pwdLastSet
	  issue

	  We read the date into the buffer to the specified length to get it
	  to the Unix time (i.e. seconds) from its AD value of nanoseconds,
	  then convert it to days for shadow. If we use date rather than
	  buffer we end up trying to convert the original nanosecond value.

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [c6c317e] : Implement deref control handling

	  This uses the LDAP_CONTROL_X_DEREF control as described in
	  draft-masarati-ldap-deref-00 to request the LDAP server to
	  dereference group member attribute values to uid attribute values.

	  This should reduce the number of searches that are required for
	  expanding group members that use the member attribute.

	  This mechanism could also be used to extract information on
	  nested groups but the gains are less clear there.

	  Not all LDAP servers support this control. In OpenLDAP, load the
	  (currently undocumented) deref overlay and enable it for the
	  database to take advantage of this improvement.

	  There is a functional difference when using this control. Any
	  returned deferred uid value returned by the LDAP server is accepted
	  as a member.	No checks are performed to see if the user matches
	  the search base and search filters set for passwd entries.

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [309b4bb] README: Update documentation

	  This documents the way the deref controls are used.

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [cecc024] nslcd/group.c: Use myldap_get_deref_values() to get
	  member uids

	  This uses information from the deref control (if available)
	  to get the username for each of the members of the group. Any
	  missing deref member attribute values will be seen as nested
	  groups and will be traversed if nested group support is enabled.

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [c973834] configure.ac, nslcd/myldap.c, nslcd/myldap.h: Provide
	  a myldap_get_deref_values() function

	  This function looks for deref response controls
	  (LDAP_CONTROL_X_DEREF) in the entry and returns the information
	  from the dereferenced attribute in two lists: dereferenced values
	  and attribute values that could not be dereferenced.

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [3992e15] nslcd/group.c: Skip member attributes in bymember search

	  This changes the group by member searches to not request the
	  member attributes. This will speed up result parsing by a fraction
	  because less data is transferred but will also cause the deref
	  control not to be added to these searches.

2013-12-28  Arthur de Jong <arthur@arthurdejong.org>

	* [15ee2fc] compat/Makefile.am, compat/derefctrl.c,
	  compat/ldap_compat.h, configure.ac: Provide replacement
	  ldap_create_deref_control()

	  This adds a test for a bug in OpenLDAP that allocated a
	  LDAP_CONTROL_PAGEDRESULTS control instead of a LDAP_CONTROL_X_DEREF
	  control.

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [547e479] configure.ac, nslcd/myldap.c: Request attribute deref
	  via search control

	  This uses the LDAP_CONTROL_X_DEREF control as descibed in
	  draft-masarati-ldap-deref-00 to request the LDAP server to
	  dereference member attribute values to uid attribute values in
	  order to avoid doing extra searches.

	  This control is currently only added for group search by looking
	  for the member attribute in the search.

2014-01-04  Arthur de Jong <arthur@arthurdejong.org>

	* [c22eb08] nslcd/myldap.c: Rename entry property to indicate
	  storage type

	  This changes entrye->rangedattributevalues to entry->buffers
	  because the propery is not only used for ranged attribute values
	  but for anything that can be freed with free().

2014-01-03  Arthur de Jong <arthur@arthurdejong.org>

	* [f009c96] nslcd/myldap.c: Ignore missing page controls

	  Since we could get arbitrray controls and are only interested
	  in page controls we ignore failures to find page controls.

2014-01-03  Arthur de Jong <arthur@arthurdejong.org>

	* [4f6dfdd] nslcd/myldap.c: Use do_try_search() also for paged
	  searches

	  This also changes do_try_search() to support building continued
	  paged controls and lays the groundwork for adding more search
	  controls.

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [be94912] nslcd/attmap.c, nslcd/group.c, pynslcd/group.py:
	  Support blanking the member attribute

	  This allows remapping the member attribute to an empty string
	  which removes support for that attribute. This can reduce the
	  number of search operations if the attribute is not used.

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [0d3fa5d] nslcd/group.c: Fix typo

2014-01-05  Arthur de Jong <arthur@arthurdejong.org>

	* [8e74848] nslcd/group.c, nss/netgroup.c, tests/test_set.c:
	  Fix memory leaks related to set_pop()

	  Some pieces of code did not properly free() the value returned
	  by set_pop().

	  The leak in group code was related to the introduction of nested
	  group functionality in 41ba574 (merged in 3daa68d) so should
	  only be present in releases 0.9.0 forward.

	  The leak in the netgroup code only ended up in the Solaris
	  version of the NSS module and was introduced in 4ea9ad1 (merged in
	  5c8779d). This leak is present in all releases from 0.8.0 forward.

2014-01-04  Arthur de Jong <arthur@arthurdejong.org>

	* [3288942] tests/test_myldap.c: Fix compiler warnings in the
	  myldap test

2014-01-02  Arthur de Jong <arthur@arthurdejong.org>

	* [2b8fbc2] : Only exit nslcd when daemon is ready

	  This removes a race condition between the exit of the initial
	  nslcd process (as started by the init script) and nslcd services
	  being ready.

2014-01-02  Arthur de Jong <arthur@arthurdejong.org>

	* [3afedc4] compat/Makefile.am, compat/daemon.c, compat/daemon.h,
	  configure.ac: Remove daemon() replacement function

2014-01-02  Arthur de Jong <arthur@arthurdejong.org>

	* [907d49d] configure.ac, nslcd/daemonize.c: Close daemon pipe
	  file descriptor on fork or exec

	  This tries to avoid child processes ending up with a copy of
	  the pipe file descriptor that is used to signal readiness of
	  the daemon.

2014-01-02  Arthur de Jong <arthur@arthurdejong.org>

	* [42a1a3d] nslcd/Makefile.am, nslcd/daemonize.c, nslcd/daemonize.h,
	  nslcd/nslcd.c: Properly daemonise nslcd and only exit when ready

	  This introduces a new daemonize module that provides functions for
	  closing all file descriptors, redirecting stdin/stdout/stderr to
	  /dev/null and a function for backgrounding an application while
	  only exiting the original process after the daemon process has
	  indicated readiness.

	  This is used to exit the original process only after the listening
	  socket has been set up and the worker threads have been started.