authorArthur de Jong <arthur@arthurdejong.org>2009-05-09 21:59:13 +0000
committerArthur de Jong <arthur@arthurdejong.org>2009-05-09 21:59:13 +0000
commit1a939483cef054ab51488c123538237290a7448e (patch)
treeb58c0c9ee33cd5c4c8df4704ca41f45076148785
parentffa068102af3e1199075cf7b1d827900758b289a (diff)
merge r882 from trunk
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@883 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--ChangeLog185
-rw-r--r--NEWS20
-rw-r--r--TODO12
-rw-r--r--configure.ac4
-rw-r--r--debian/changelog32
-rw-r--r--debian/nslcd.postinst7
-rw-r--r--man/nslcd.8.xml4
-rw-r--r--man/nss-ldapd.conf.5.xml4
-rw-r--r--nslcd-common.h12
-rw-r--r--nss/common.h31
-rw-r--r--nss/group.c9
11 files changed, 288 insertions, 32 deletions
diff --git a/ChangeLog b/ChangeLog
index 0d366db..a1026c2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,188 @@
+2009-05-09 20:53 arthur
+
+ * [r880] debian/libnss-ldapd.postinst: if base is blank disable the
+ base option to let nslcd attempt search base autodiscovery
+
+2009-05-09 20:01 arthur
+
+ * [r879] nss/common.h: also close any open stream on buffer error
+
+2009-05-09 19:53 arthur
+
+ * [r878] nss/common.h, nss/group.c: check the buffer passed by
+ Glibc for validity
+
+2009-05-09 19:52 arthur
+
+ * [r877] nslcd-common.h: make sure that when writing a list of
+ strings the number of strings is always checked when excluding an
+ entry
+
+2009-05-09 09:27 arthur
+
+ * [r876] ., AUTHORS, Makefile.am, configure.ac, debian,
+ debian/copyright, nslcd.h, pam: import the PAM module from the
+ nss-ldapd branch (r875) based on the OpenLDAP nssov tree and
+ allow configuring which modules should be built (PAM module
+ disabled by default)
+
+2009-05-09 07:50 arthur
+
+ * [r872] configure.ac, nslcd/nslcd.c: according to autoupdate
+ RETSIGTYPE can be considered void always
+
+2009-05-08 10:29 arthur
+
+ * [r868] debian/copyright: aggregate years
+
+2009-05-07 22:40 arthur
+
+ * [r867] INSTALL, config.guess, config.sub: include updated files
+
+2009-05-07 22:14 arthur
+
+ * [r864] nslcd.h, nslcd/netgroup.c, nss/netgroup.c: prefix
+ NETGROUP_TYPE macros with NSLCD_
+
+2009-05-07 20:36 arthur
+
+ * [r861] debian/po/gl.po: added Galician (gl) translation of
+ debconf templates by Marce Villarino <mvillarino@gmail.com>
+
+2009-05-06 18:48 arthur
+
+ * [r860] debian/po/es.po: updated Spanish (es) translation of
+ debconf templates by Francisco Javier Cuadrado
+ <fcocuadrado@gmail.com>
+
+2009-05-05 20:55 arthur
+
+ * [r859] debian/po/ru.po: updated Russian (ru) translation of
+ debconf templates by Yuri Kozlov <yuray@komyakino.ru>
+
+2009-05-05 20:48 arthur
+
+ * [r858] debian/po/ru.po: convert translation to UTF-8
+
+2009-05-03 19:47 arthur
+
+ * [r857] debian/po/sv.po: updated Swedish (sv) translation of
+ debconf templates by Martin Ågren <martin.agren@gmail.com>
+
+2009-05-02 14:19 arthur
+
+ * [r856] debian/po/fr.po: updated French (fr) translation of
+ debconf templates by Guillaume Delacour <gui@iroqwa.org>
+
+2009-05-01 15:45 arthur
+
+ * [r855] debian/po/it.po: fix incorrect references to nss-ldap
+ (without the d at the end)
+
+2009-05-01 15:39 arthur
+
+ * [r854] man/nslcd.8.xml: document that you can specify -d multiple
+ times
+
+2009-05-01 13:03 arthur
+
+ * [r853] nslcd/cfg.c, nslcd/cfg.h, nslcd/myldap.c: set most SSL/TLS
+ related options globally instead of per connection
+
+2009-04-30 08:45 arthur
+
+ * [r852] nslcd/cfg.c, nslcd/cfg.h, nslcd/myldap.c, nslcd/myldap.h,
+ nslcd/nslcd.c: move debugging initialisation to
+ myldap_set_debuglevel() function
+
+2009-04-27 18:24 arthur
+
+ * [r851] debian/po/it.po: added Italian (it) translation of debconf
+ templates by Vincenzo Campanella <vinz65@gmail.com>
+
+2009-04-25 21:29 arthur
+
+ * [r850] nslcd/myldap.c: produce more logging and get OpenLDAP
+ logging working by logging to stderr (and implement temporary
+ workaround for reqcert problems)
+
+2009-04-25 19:15 arthur
+
+ * [r849] nslcd/cfg.h: include ldap.h to ensure that struct
+ ldap_config will be the same in every file
+
+2009-04-25 14:06 arthur
+
+ * [r848] nslcd/myldap.c: clear errno before ldap calls to get
+ usable returned errno
+
+2009-04-25 12:32 arthur
+
+ * [r847] debian/po/pt.po: updated Portuguese (pt) translation of
+ debconf templates by Américo Monteiro <a_monteiro@netcabo.pt>
+
+2009-04-22 19:18 arthur
+
+ * [r846] debian/libnss-ldapd.templates, debian/po/ca.po,
+ debian/po/cs.po, debian/po/da.po, debian/po/de.po,
+ debian/po/es.po, debian/po/fr.po, debian/po/ja.po,
+ debian/po/nl.po, debian/po/pt.po, debian/po/pt_BR.po,
+ debian/po/ru.po, debian/po/sv.po, debian/po/templates.pot,
+ debian/po/vi.po: fix spelling in English debconf template (thanks
+ Vincenzo Campanella)
+
+2009-04-22 19:12 arthur
+
+ * [r845] debian/po/ja.po: updated Japanese (ja) translation of
+ debconf templates by Kenshi Muto <kmuto@debian.org>
+
+2009-04-22 19:06 arthur
+
+ * [r844] debian/po/da.po: updated Danish (da) translation of
+ debconf templates by Jonas Smedegaard <dr@jones.dk>
+
+2009-04-21 19:25 arthur
+
+ * [r843] debian/libnss-ldapd.postrm, debian/libnss-ldapd.templates,
+ debian/po/ca.po, debian/po/cs.po, debian/po/da.po,
+ debian/po/de.po, debian/po/es.po, debian/po/fr.po,
+ debian/po/ja.po, debian/po/nl.po, debian/po/pt.po,
+ debian/po/pt_BR.po, debian/po/ru.po, debian/po/sv.po,
+ debian/po/templates.pot, debian/po/vi.po: ask on removal and on
+ purge whether to edit /etc/nsswitch.conf and remove ldap entries
+
+2009-04-19 13:51 arthur
+
+ * [r834] nslcd.h, nslcd/alias.c, nslcd/ether.c, nslcd/group.c,
+ nslcd/host.c, nslcd/netgroup.c, nslcd/network.c, nslcd/passwd.c,
+ nslcd/protocol.c, nslcd/rpc.c, nslcd/service.c, nslcd/shadow.c,
+ nss/common.h, nss/group.c: clear up protocol description in
+ nslcd.h, renaming NSLCD_RESULT_SUCCESS to NSLCD_RESULT_BEGIN
+
+2009-04-17 18:57 arthur
+
+ * [r830] nslcd.h: include definitions of PAM-related actions from
+ current OpenLDAP work in nssov
+
+2009-04-17 18:56 arthur
+
+ * [r829] debian/libnss-ldapd.postrm: fix spelling in comment
+
+2009-04-04 10:02 arthur
+
+ * [r828] debian/libnss-ldapd.postrm: remove /var/run/nslcd on
+ package removal
+
+2009-03-31 07:05 arthur
+
+ * [r827] debian/changelog: add CVE identifier
+
+2009-03-22 21:52 arthur
+
+ * [r825] ChangeLog, NEWS, TODO, configure.ac, debian/changelog,
+ man/nslcd.8.xml, man/nss-ldapd.conf.5.xml: get files ready for
+ 0.6.8 release
+
2009-03-22 21:20 arthur
* [r824] README, debian/copyright: update copyright year
diff --git a/NEWS b/NEWS
index 9e8949b..4084be6 100644
--- a/NEWS
+++ b/NEWS
@@ -1,9 +1,27 @@
+changes from 0.6.8 to 0.6.9
+---------------------------
+
+* produce more detailed logging in debug mode and allow multiple -d options to
+ be specified to also include logging from the LDAP library
+* some LDAP configuration options are now initialized globally instead of per
+ connection which should fix problems with the tls_reqcert option
+* documentation improvements for the NSLCD protocol used between the NSS
+ module and the nslcd server
+* imported the new PAM module from the OpenLDAP nssov tree by Howard Chu (note
+ that the PAM-related NSLCD protocol is not yet finalised and this module is
+ not built by default)
+* in configure script allow disabling of building certain components
+* fix a bug with writing alternate service names and add checks for
+ validity of passed buffer in NSS module
+* Debian packaging improvements
+
+
changes from 0.6.7 to 0.6.8
---------------------------
* SECURITY FIX: the nss-ldapd.conf file that is installed by the Debian
package was created world-readable which could cause problems
- if the bindpw option is used
+ if the bindpw option is used (CVE-2009-1073)
this has been fixed in the Debian package but other users
should check the permissions of the nss-ldapd.conf file when
the bindpw option is used (warnings have been added to the
diff --git a/TODO b/TODO
index 3f0ede8..9d201c6 100644
--- a/TODO
+++ b/TODO
@@ -1,12 +1,9 @@
probably before we can call this stable
---------------------------------------
* find problem with reachability of LDAP server
-* Debian package: protect /etc/nss-ldapd.conf if bindpw is used
other items
-----------
-* probably document that you should use libpam-ldap for authentication without
- exposing the passwords through NSS
* document test suite (instructions for setting up environment (server), LDIF
file, nsswitch.conf and nss-ldapd.conf)
* write more unit tests
@@ -39,20 +36,13 @@ other items
* see if we can use LD_LIBRARY_PATH to run our tests in so we don't need to
install NSS library in system path
* only parse configuration options if they are available on the platform
-* have some more general mechanism to disable NSS module in nslcd
+* have some more general mechanism to disable NSS lookups from nslcd
* support searchbase autodetection
-* start the LDAP search and connection in myldap_get_entry() instead of
- in myldap_search()
-* maybe use datagram sockets for NSS/nslcd communication
* support multiple search bases
* support memberOf attribute in passwd entries that map to groups
* setnetgrent() may need to return an error if the netgroup is undefined
* handle repeated calls to getent() better (see http://bugzilla.padl.com/show_bug.cgi?id=376)
-* make it possible to define nisNetgroup as a ou-like thing with
- handling all sub-nisNetgroup objects as memberNisNetgroup, host objects as
- nisNetgroupTriple (HOST,,), users as (,USER?,)
* make it possible to start nslcd really early in the boot process and have
it become available when it determines it can (other timeout/retry mechanism
on startup)
-* if Debconf base is empty do something more useful
* make lookups case-sensitive
diff --git a/configure.ac b/configure.ac
index f7dda72..041b1ac 100644
--- a/configure.ac
+++ b/configure.ac
@@ -32,8 +32,8 @@ version 2.1 of the License, or (at your option) any later version. See the
configure.ac file for more details.])
# initialize and set version and bugreport address
-AC_INIT([nss-ldapd],[0.6.8],[arthur@ch.tudelft.nl])
-RELEASE_MONTH="Mar 2009"
+AC_INIT([nss-ldapd],[0.6.9],[arthur@ch.tudelft.nl])
+RELEASE_MONTH="May 2009"
AC_SUBST(RELEASE_MONTH)
AC_CONFIG_SRCDIR([nslcd.h])
diff --git a/debian/changelog b/debian/changelog
index f087941..3dac6ac 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,35 @@
+nss-ldapd (0.6.9) unstable; urgency=low
+
+ * produce more detailed logging in debug mode and allow multiple -d options
+ to be specified to also include logging from the LDAP library
+ * some LDAP configuration options are now initialized globally instead of
+ per connection which should fix problems with the tls_reqcert option
+ (closes: #521617)
+ * documentation improvements for the NSLCD protocol used between the NSS
+ module and the nslcd server
+ * imported the new PAM module from the OpenLDAP nssov tree by Howard Chu
+ (note that the PAM-related NSLCD protocol is not yet finalised and this
+ module is not built by default)
+ * in configure script allow disabling of building certain components
+ * fix a problem with writing alternate service names and add checks for
+ validity of passed buffer in NSS module (closes: #527246)
+ * ask the user whether LDAP should be removed from /etc/nsswitch.conf at
+ package removal time (closes: #523483)
+ * remove /var/run/nslcd on package removal
+ * updated Danish debconf translation by Jonas Smedegaard (closes: #525075)
+ * updated Japanese debconf translation by Kenshi Muto (closes: #525085)
+ * updated Portugese debconf translation by Américo Monteiro
+ (closes: #525530)
+ * added Italian debconf translation by Vincenzo Campanella (closes: #525784)
+ * updated French debconf translation by Guillaume Delacour (closes: #526638)
+ * updated Swedish debconf translation by Martin Ågren (closes: #526757)
+ * updated Russian debconf translation by Yuri Kozlov (closes: #527102)
+ * updated Spanish debconf translation by Francisco Javier Cuadrado
+ (closes: #527242)
+ * added Galician debconf translation by Marce Villarino (closes: #527327)
+
+ -- Arthur de Jong <adejong@debian.org> Sat, 09 May 2009 22:00:00 +0200
+
nss-ldapd (0.6.8) unstable; urgency=high
* SECURITY FIX: the nss-ldapd.conf file that is installed was created
diff --git a/debian/nslcd.postinst b/debian/nslcd.postinst
index 429c40c..a296420 100644
--- a/debian/nslcd.postinst
+++ b/debian/nslcd.postinst
@@ -150,7 +150,12 @@ then
cfg_uris "$RET"
# set search base
db_get libnss-ldapd/ldap-base
- cfg_set base "$RET"
+ if [ -n "$RET" ]
+ then
+ cfg_set base "$RET"
+ else
+ cfg_disable base
+ fi
# set bind dn/pw
db_get libnss-ldapd/ldap-binddn
if [ -n "$RET" ]
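Review bot: `[ -n "$RET" ]` treats an answer consisting only of whitespace as a configured base, so such input still reaches `cfg_set base "$RET"` rather than the new `cfg_disable base` branch; the bind-dn check on the line after the hunk has the same shape. If "blank" is meant to include whitespace, a pattern test would do it: `case "$RET" in *[![:space:]]*) cfg_set base "$RET" ;; *) cfg_disable base ;; esac`. `cfg_disable` is not defined within the hunk; presumably it lives next to cfg_set earlier in the script, which is worth confirming.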
diff --git a/man/nslcd.8.xml b/man/nslcd.8.xml
index 4cda483..d4972e8 100644
--- a/man/nslcd.8.xml
+++ b/man/nslcd.8.xml
@@ -36,9 +36,9 @@
<refmeta>
<refentrytitle>nslcd</refentrytitle>
<manvolnum>8</manvolnum>
- <refmiscinfo class="version">Version 0.6.8</refmiscinfo>
+ <refmiscinfo class="version">Version 0.6.9</refmiscinfo>
<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>
- <refmiscinfo class="date">Mar 2009</refmiscinfo>
+ <refmiscinfo class="date">May 2009</refmiscinfo>
</refmeta>
<refnamediv id="name">
diff --git a/man/nss-ldapd.conf.5.xml b/man/nss-ldapd.conf.5.xml
index 2df32c1..630a52b 100644
--- a/man/nss-ldapd.conf.5.xml
+++ b/man/nss-ldapd.conf.5.xml
@@ -36,9 +36,9 @@
<refmeta>
<refentrytitle>nss-ldapd.conf</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo class="version">Version 0.6.8</refmiscinfo>
+ <refmiscinfo class="version">Version 0.6.9</refmiscinfo>
<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>
- <refmiscinfo class="date">Mar 2009</refmiscinfo>
+ <refmiscinfo class="date">May 2009</refmiscinfo>
</refmeta>
<refnamediv id="name">
diff --git a/nslcd-common.h b/nslcd-common.h
index e090783..2d21a85 100644
--- a/nslcd-common.h
+++ b/nslcd-common.h
@@ -3,7 +3,7 @@
protocol streams
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007 Arthur de Jong
+ Copyright (C) 2006, 2007, 2009 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -116,15 +116,15 @@ static void debug_dump(const void *ptr,size_t size)
#define WRITE_STRINGLIST_EXCEPT(fp,arr,not) \
/* first determin length of array */ \
- for (tmp3int32=0;(arr)[tmp3int32]!=NULL;tmp3int32++) \
- /*noting*/ ; \
+ tmp3int32=0; \
+ for (tmp2int32=0;(arr)[tmp2int32]!=NULL;tmp2int32++) \
+ if (strcmp((arr)[tmp2int32],(not))!=0) \
+ tmp3int32++; \
/* write number of strings (mius one because we intend to skip one) */ \
- tmp3int32--; \
DEBUG_PRINT("WRITE_STRLST: var="__STRING(arr)" num=%d",(int)tmp3int32); \
WRITE_TYPE(fp,tmp3int32,int32_t); \
- tmp3int32++; \
/* write strings */ \
- for (tmp2int32=0;tmp2int32<tmp3int32;tmp2int32++) \
+ for (tmp2int32=0;(arr)[tmp2int32]!=NULL;tmp2int32++) \
{ \
if (strcmp((arr)[tmp2int32],(not))!=0) \
{ \
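Review bot: The context comment `/* write number of strings (mius one because we intend to skip one) */` on the line before DEBUG_PRINT is now wrong: the rewritten loop counts every entry that differs from `not`, so zero or several entries may be skipped, which is exactly what makes the count agree with the second loop. Suggest `/* write number of strings (excluding all entries equal to not) */`, and `determin` in the comment above could become `determine` at the same time. Both loops use the same strcmp() predicate, so the written count and the strings actually written cannot diverge; that invariant should be kept if either loop is edited later. The macro body continues past the end of the hunk.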
diff --git a/nss/common.h b/nss/common.h
index 29a52f5..3d2de88 100644
--- a/nss/common.h
+++ b/nss/common.h
@@ -2,7 +2,7 @@
common.h - common functions for NSS lookups
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2008 Arthur de Jong
+ Copyright (C) 2006, 2007, 2008, 2009 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -120,6 +120,12 @@ TFILE *nslcd_client_open(void)
TFILE *fp; \
int32_t tmpint32; \
enum nss_status retv; \
+ /* check that we have a valid buffer */ \
+ if ((buffer==NULL)||(buflen<=0)) \
+ { \
+ *errnop=EINVAL; \
+ return NSS_STATUS_UNAVAIL; \
+ } \
/* open socket and write request */ \
OPEN_SOCK(fp); \
WRITE_REQUEST(fp,action); \
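Review bot: The new validity check uses `buffer`, `buflen` and `errnop`, none of which are NSS_BYGEN parameters, so every expansion site must provide those names with their glibc meaning (a `char *`/`size_t` pair and an `int *`); nothing in the macro states this, and nss/group.c in this same commit already reuses it under other names. A line in the macro's header comment (above the hunk), e.g. `/* expects buffer, buflen and errnop to be the enclosing NSS function's parameters */`, would make that contract visible. `EINVAL` also requires <errno.h> to be included by this header or before it; the include list is not visible from here.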
@@ -150,9 +156,8 @@ TFILE *nslcd_client_open(void)
#define NSS_BYINT32(action,val,readfn) \
NSS_BYGEN(action,WRITE_INT32(fp,val),readfn)
-/* This macro generates a simple setent() function body. A stream
- is opened, a request is written and a check is done for
- a response header. */
+/* This macro generates a simple setent() function body. This closes any
+ open streams so that NSS_GETENT() can open a new file. */
#define NSS_SETENT(fp) \
if (fp!=NULL) \
{ \
@@ -161,11 +166,25 @@ TFILE *nslcd_client_open(void)
} \
return NSS_STATUS_SUCCESS;
-/* This macro generates a getent() function body. A single entry
- is read with the readfn() function. */
+/* This macro generates a getent() function body. If the stream is not yet
+ open, a new one is opened, a request is written and a check is done for
+ a response header. A single entry is read with the readfn() function. */
#define NSS_GETENT(fp,action,readfn) \
int32_t tmpint32; \
enum nss_status retv; \
+ /* check that we have a valid buffer */ \
+ if ((buffer==NULL)||(buflen<=0)) \
+ { \
+ /* close stream */ \
+ if (fp!=NULL) \
+ { \
+ (void)tio_close(fp); \
+ fp=NULL; \
+ } \
+ /* indicate error */ \
+ *errnop=EINVAL; \
+ return NSS_STATUS_UNAVAIL; \
+ } \
/* check that we have a valid file descriptor */ \
if (fp==NULL) \
{ \
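Review bot: The close-and-reset sequence `if (fp!=NULL) { (void)tio_close(fp); fp=NULL; }` repeats what NSS_SETENT does a few lines above (its body is only partly inside the hunk); a small helper such as `NSS_CLOSE_STREAM(fp)` used by both would keep the two in step if the close logic ever changes. The new macro comment also does not say that an invalid buffer aborts the current enumeration rather than merely failing this one call; adding `An invalid buffer closes any open stream, so the next call starts a new enumeration.` to the comment would document that side effect.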
diff --git a/nss/group.c b/nss/group.c
index 33774ff..4fe0123 100644
--- a/nss/group.c
+++ b/nss/group.c
@@ -2,7 +2,7 @@
group.c - NSS lookup functions for group database
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2008 Arthur de Jong
+ Copyright (C) 2006, 2007, 2008, 2009 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -130,9 +130,16 @@ enum nss_status _nss_ldap_initgroups_dyn(
const char *user,gid_t skipgroup,long int *start,
long int *size,gid_t **groupsp,long int limit,int *errnop)
{
+/* temporarily map the buffer and buflen names so the check in NSS_BYNAME
+ for validity of the buffer works (renaming the parameters may cause
+ confusion) */
+#define buffer groupsp
+#define buflen limit
NSS_BYNAME(NSLCD_ACTION_GROUP_BYMEMBER,
user,
read_gids(fp,skipgroup,start,size,groupsp,limit,errnop));
+#undef buffer
+#undef buflen
}
/* thread-local file pointer to an ongoing request */
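Review bot: Mapping `buflen` to `limit` makes the new NSS_BYGEN check reject any negative `limit`, but under glibc's initgroups_dyn contract a limit of zero or less means "no limit" (getgrouplist() passes -1), so those callers would now receive NSS_STATUS_UNAVAIL with EINVAL instead of a result. `groupsp` is also only the pointer to the array, so `buffer==NULL` never inspects the array itself. If the intent is to validate the caller's buffer, the values that describe it are the array and its allocated size, i.e. `#define buffer (*groupsp)` and `#define buflen (*size)`, assuming `*size` is the allocated element count as in glibc, which this hunk does not let me confirm. Either way the mapping deserves a comment stating why `limit` is being treated as a buffer length.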