| field | value | date |
|---|---|---|
| author | Arthur de Jong <arthur@arthurdejong.org> | 2009-06-03 10:06:33 +0000 |
| committer | Arthur de Jong <arthur@arthurdejong.org> | 2009-06-03 10:06:33 +0000 |
| commit | 3730b228be5961b975311713aa3fe84ea92cc6ae (patch) | |
| tree | 53f0f320641bb9212b606a0d89c05b9ca866fd1c | |
| parent | cc78257dcbf5d2bd46b49883a588459714377df0 (diff) | |
merge r917 from trunk
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@918 ef36b2f9-881f-0410-afb5-c4e39611909c
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | HACKING | 51 |
| -rw-r--r-- | README | 9 |
| -rw-r--r-- | debian/control | 1 |
| -rw-r--r-- | man/nss-ldapd.conf.5.xml | 16 |
| -rw-r--r-- | nss-ldapd.conf | 14 |

5 files changed, 42 insertions, 49 deletions
@@ -1,12 +1,13 @@ -This document tries to describe the software layout and design of the library. +This document tries to describe the software layout and design of nss-ldapd. It should provide some help for contributing code to this package. CONTRIBUTING TO NSS-LDAPD ========================= -Contributions to nss-ldapd are most welcome. However not all contributions -will be automatically integrated. Some notes: +Contributions to nss-ldapd are most welcome. Integrating contributions +will be done on a best-effort basis and can be made easier if the following +are considered: * for large changes it is a good idea to send an email first * send your patches in unified diff (diff -u) format @@ -14,7 +15,7 @@ will be automatically integrated. Some notes: * clearly state which problem you're trying to solve and how this is accomplished * please follow the existing coding conventions -* patches will be integrated on a best-effort bases +* patches * please test the patch and include information on testing with the patch (platforms tested, etc) * contributions will be acknowledged in the AUTHORS file @@ -62,7 +63,8 @@ interfaces with libc and translates the NSS requests into simple generic requests (e.g. "get user with name test", "get group with gid 101" or "get all shadow entries"). Translating these requests into LDAP requests is then the job of the daemon (nslcd) so that the NSS part won't have to know anything -about LDAP (in fact replacing it with another lookup method is very simple). +about LDAP (in fact replacing it with another lookup method should be very +simple). nslcd -> OpenLDAP -> LDAP server ^ 
@@ -74,29 +76,32 @@ design goals * design as specified above * simpler configuration and semantics * simpler, clearer and completer documentation -* split source code into directories (src, src/hacks, src/aix, src/irs, etc) +* split source code into manageable parts * get rid of unneeded code and complexity * split complexity in two parts (LDAP interface in server, NSS interface in library) * have a stable, easily maintainable piece of quality software -NSS PART -======== +NSS MODULE +========== -The NSS part is implemented in files in the nss directory. The functions are -split into files according to the database they support. All functions look -like: +The NSS module is implemented in the nss directory. The functions are split +into files according to the database they support. Functions look like: _nss_ldap_FUNCTION_r(...) This function opens the connection to the nslcd (with a time-out) builds the correct data structures and does a request (write()) to the nslcd waiting for an answer (again with a time-out) +The complete list of exported functions can be found in exports.linux and +prototypes.h. + Currently a number of macros are used to build most of the function bodies for -these functions. A more elegant solution is welcome. +these functions. Part of this is defined in the common/nslcd-prot.h file and +the NSS-specific stuff is in nss/common.h. -Some handy links: +Some useful links: http://mirrors.usc.edu/pub/gnu/Manuals/glibc-2.2.3/html_chapter/libc_28.html#SEC596 http://www.gnu.org/software/libc/manual/html_node/index.html 
@@ -106,20 +111,18 @@ THE COMMUNICATIONS PROTOCOL The protocol used for communicating between the NSS library and the nslcd daemon is very simple and almost fully described in the nslcd.h header file. -The nslcd-common.h header file defines some macros that are used for reading -and writing protocol entities (strings, 32-bit integers, etc). +The common/nslcd-prot.h header file defines some macros that are used for +reading and writing protocol entities (strings, 32-bit integers, etc). -Some of the protocol handling code is automatically generated from the macros -defined in nslcd.h. This cannot be done automatically in every case though so -changing the protocol requires manual checking in the relevant source files in -both the nss and the nslcd directories. +Every NSS database has a corresponding source file in the nss and the nslcd +directory. If the protocol is changed in an incompatible way the protocol version should be incremented in nslcd.h. There is currently no versioning scheme available for this. A special module (common/tio.c) was made so we can define simpler semantics -for time-out values and buffer sizes. Both tha NSS library and nslcd use this +for time-out values and buffer sizes. Both the NSS library and nslcd use this module which means that it includes functionality that is needed for both (e.g. large write buffers for the server part and large resettable read buffers for the NSS part). Maybe building two modules from the same source @@ -127,6 +130,9 @@ with different features in them is an option (e.g. the NSS part needs the read buffers and handling of SIGPIPE and the nslcd part needs the write buffers and possibly flushing in the background). +The common directory also contains some other generally useful modules that +are used in some components. + SERVER PART =========== 
@@ -137,7 +143,7 @@ the database specific functions. nslcd_FUNCION(...) This functions fills in the correct parameters from the request. This function should write responses to the stream. Almost all these functions - are generated from a macro in common.h. + are generated from a macro in nslcd/common.h. SECURITY NOTES @@ -149,6 +155,3 @@ only potentially exploit bugs in the library and gain the privileges of the process that was doing the name lookups. In this case the privileges of the daemon are potentially exposed. -The deamon should be changed to set a specific less-privileged user and -group to minimize the riscs. Code for this is already in place. Configuration -options should be added and the Debian packaging should use this. @@ -99,7 +99,7 @@ Currently the following name databases are supported: Note that for when using IPv6 hosts entries, the addresses in the LDAP directory must be in their preferred form. The same is true for mac addresses -for the ethers database. Otherwise the address->entry lookups will not work. +for the ethers database. Otherwise the address to entry lookups will not work. For more details on the preferred form see http://ldap.akbkhome.com/index.php/attribute/ipHostNumber.html and @@ -131,9 +131,8 @@ unsupported features Since nss-ldapd was forked from nss_ldap most of the features that came with nss_ldap are available. However, not all features have extensively tested yet and may cause problems. -- attribute value default and overrides have been removed (but may reappear +- attribute value defaults and overrides have been removed (but may reappear some day if requested) -- SSL/TLS support is untested but will be tested when the core code stabilizes - the configuration file formats are not fully compatible - nested groups are currently unsupported - rootbinddn/rootbindpw support is removed and is not likely to return 
@@ -314,12 +313,14 @@ dc=com) the lookup is skipped and the value from the DN is used. A cache is maintained that holds on to DN to uid translations for 15 minutes (see DN2UID_CACHE_TIMEOUT in nslcd/passwd.c). -In all cases, duplicate users are returned only once. +In all cases, users that are specified as member multiple times are returned +only once. Currently, having nested groups by uniqueMember values pointing to other groups, as well as the memberOf attribute in posixAccount entries are unsupported. + MISC NOTES ========== diff --git a/debian/control b/debian/control index 94c3714..60662f6 100644 --- a/debian/control +++ b/debian/control @@ -2,6 +2,7 @@ Source: nss-ldapd Section: admin Priority: extra Maintainer: Arthur de Jong <adejong@debian.org> +Uploaders: Richard A Nelson (Rick) <cowboy@debian.org> Standards-Version: 3.8.1 Build-Depends: debhelper (>= 7), libkrb5-dev, libldap2-dev, libsasl2-dev, po-debconf (>= 0.5.0), docbook2x, docbook-xml, libpam0g-dev Homepage: http://ch.tudelft.nl/~arthur/nss-ldapd diff --git a/man/nss-ldapd.conf.5.xml b/man/nss-ldapd.conf.5.xml index 8f8d3da..b2de164 100644 --- a/man/nss-ldapd.conf.5.xml +++ b/man/nss-ldapd.conf.5.xml @@ -440,8 +440,6 @@ </listitem> </varlistentry> -<!-- FIXME: change the defaults to 10 and 20 seconds respectively --> - <varlistentry> <term><option>idle_timelimit</option> <emphasis remap="I">SECONDS</emphasis></term> <listitem> 
@@ -503,8 +501,8 @@ Specifies whether to use <acronym>SSL</acronym>/<acronym>TLS</acronym> or not (the default is not to). If <emphasis remap="I">start_tls</emphasis> is specified then StartTLS is used rather than raw <acronym>LDAP</acronym> over <acronym>SSL</acronym>. - Not all <acronym>LDAP</acronym> client libraries support both <acronym>SSL</acronym> - and StartTLS, and all related configuration options. + Not all <acronym>LDAP</acronym> client libraries support both <acronym>SSL</acronym>, + StartTLS and all related configuration options. </para> </listitem> </varlistentry> @@ -718,14 +716,4 @@ manual developed by PADL Software Pty Ltd.</para> </refsect1> - <refsect1 id="known_bugs"> - <title>Known Bugs</title> - <para> - This manual page may be outdated and inaccurate and will be improved - in upcoming releases. - The features of <emphasis>nss-ldapd</emphasis> are still under - development so these options may change in a future release. - </para> - </refsect1> - </refentry> diff --git a/nss-ldapd.conf b/nss-ldapd.conf index ce51575..ab60f33 100644 --- a/nss-ldapd.conf +++ b/nss-ldapd.conf @@ -5,7 +5,7 @@ # See the manual page nss-ldapd.conf(5) for more information. # The uri pointing to the LDAP server to use for name lookups. -# Mulitple entries may be specified. The address that is used +# Multiple entries may be specified. The address that is used # here should be resolvable without using LDAP (obviously). #uri ldap://127.0.0.1/ #uri ldaps://127.0.0.1/ 
@@ -18,15 +18,15 @@ uri ldap://127.0.0.1/ #ldap_version 3 # The distinguished name of the search base. -base dc=example,dc=net +base dc=example,dc=com # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. -#binddn cn=proxyuser,dc=padl,dc=com +#binddn cn=proxyuser,dc=example,dc=com # The credentials to bind with. -# Note that if you set a bindpw you should check the permissions of this file. # Optional: default is no credentials. +# Note that if you set a bindpw you should check the permissions of this file. #bindpw secret # The default search scope. @@ -35,9 +35,9 @@ base dc=example,dc=net #scope base # Customize certain database lookups. -#base group ou=Groups,dc=example,dc=net -#base passwd ou=People,dc=example,dc=net -#base shadow ou=People,dc=example,dc=net +#base group ou=Groups,dc=example,dc=com +#base passwd ou=People,dc=example,dc=com +#base shadow ou=People,dc=example,dc=com #scope group onelevel #scope hosts sub |
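Review bot: In the first HACKING hunk (@@ -1,12 +1,13 @@) replacing `* patches will be integrated on a best-effort bases` with the bare bullet `* patches` leaves an empty list item, since the best-effort wording was moved into the paragraph above; drop the `* patches` line entirely (or restore a complete sentence) so the list reads cleanly.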
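Review bot: In the HACKING hunk at @@ -106,20 +111,18 @@ the new sentence `Every NSS database has a corresponding source file in the nss and the nslcd directory.` drops the guidance that a protocol change needs manual checking in both directories; since the next paragraph still says there is no versioning scheme for the protocol, keep a sentence stating that an incompatible change must be applied to both the nss and nslcd sources together and the protocol version in nslcd.h bumped, otherwise nothing documents that both sides have to move in lockstep.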
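Review bot: In the HACKING hunk at @@ -137,7 +143,7 @@ the context line `nslcd_FUNCION(...)` has a typo (`FUNCION` for `FUNCTION`) that could be corrected in the same hunk while the neighbouring line is being changed to `nslcd/common.h`.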
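Review bot: The last HACKING hunk (@@ -149,6 +155,3 @@) deletes the SECURITY NOTES paragraph about running the daemon as a less-privileged user and group without replacing it, while the retained context still ends with `the privileges of the daemon are potentially exposed`. If the privilege-dropping code and its configuration options are now in place, state that here (which options, and what the Debian packaging sets); if not, the TODO should stay, because the section now describes the exposure without its mitigation.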
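Review bot: In the README hunk at @@ -131,9 +131,8 @@ removing `- SSL/TLS support is untested but will be tested when the core code stabilizes` from the list of unsupported features reads as a claim that SSL/TLS is now tested; if so it deserves a mention, otherwise keep the caveat. The context line `not all features have extensively tested yet` is also missing `been` and could be fixed in the same hunk.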
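Review bot: In the man/nss-ldapd.conf.5.xml hunk at @@ -440,8 +440,6 @@ the `FIXME: change the defaults to 10 and 20 seconds respectively` comment is removed without any change to the documented defaults in this patch, so the reminder is lost; confirm the defaults in the affected entries were changed (or are intentionally kept) before dropping it.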
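Review bot: In the man/nss-ldapd.conf.5.xml hunk at @@ -503,8 +501,8 @@ the rewritten sentence `Not all LDAP client libraries support both SSL, StartTLS and all related configuration options.` uses `both` for a list of three items; suggest `Not all LDAP client libraries support SSL, StartTLS and all related configuration options.` or keep the original two-item sentence with the options as a separate clause.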
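Review bot: In the nss-ldapd.conf hunk at @@ -18,15 +18,15 @@ moving `# Note that if you set a bindpw you should check the permissions of this file.` below the `Optional` line is fine, but the note would be more useful if it said what the permissions should be: the file then holds the bind password in cleartext, so it should be readable only by root or the account nslcd runs under (mode 0600) rather than world-readable.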