authorArthur de Jong <arthur@arthurdejong.org>2009-06-06 21:10:46 +0000
committerArthur de Jong <arthur@arthurdejong.org>2009-06-06 21:10:46 +0000
commit67bb9bb9ed2659faa50b2aac22c147b10bef85ba (patch)
tree2ff98c5bde76aaa0160de57f5686576dd214c84a
parent3730b228be5961b975311713aa3fe84ea92cc6ae (diff)
merge r934 from trunk
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@935 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--ChangeLog137
-rw-r--r--HACKING6
-rw-r--r--NEWS18
-rw-r--r--README31
-rw-r--r--TODO7
-rw-r--r--configure.ac80
-rw-r--r--debian/changelog17
-rw-r--r--man/nslcd.8.xml4
-rw-r--r--man/nss-ldapd.conf.5.xml4
-rw-r--r--nslcd/alias.c29
-rw-r--r--nslcd/cfg.c10
-rw-r--r--nslcd/ether.c32
-rw-r--r--nslcd/group.c26
-rw-r--r--nslcd/myldap.c2
-rw-r--r--nslcd/netgroup.c11
-rw-r--r--nslcd/passwd.c55
-rw-r--r--nslcd/protocol.c17
-rw-r--r--nslcd/rpc.c17
-rw-r--r--nslcd/service.c52
-rw-r--r--nslcd/shadow.c45
-rw-r--r--nss/group.c2
-rw-r--r--tests/README81
-rw-r--r--tests/test.ldif.gzbin0 -> 188713 bytes
-rwxr-xr-xtests/test_nsscmds.sh70
24 files changed, 548 insertions, 205 deletions
diff --git a/ChangeLog b/ChangeLog
index a1026c2..f3abd8f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,140 @@
+2009-06-03 14:19 arthur
+
+ * [r925] nslcd/cfg.c: remove SSL/TLS warning messages during
+ startup
+
+2009-06-03 14:08 arthur
+
+ * [r924] README: add note about creating a user to run nslcd
+
+2009-06-03 10:31 arthur
+
+ * [r923] nslcd/Makefile.am, nslcd/common.h, nslcd/nslcd.c,
+ nslcd/pam.c: import preliminary version of PAM functionality into
+ nslcd
+
+2009-06-03 10:27 arthur
+
+ * [r922] nslcd/common.h, nslcd/passwd.c: make lookup_dn2uid()
+ available to other modules and split uid2dn() into uid2entry()
+ and uid2dn() (from nss-pam-ldapd branch)
+
+2009-06-03 10:23 arthur
+
+ * [r921] nslcd/myldap.c, nslcd/myldap.h: implement
+ myldap_set_credentials() and myldap_cpy_dn() which will be used
+ in the PAM lookups (from nss-pam-ldapd branch)
+
+2009-06-03 10:16 arthur
+
+ * [r920] pam/pam.c: remove trailing spaces
+
+2009-06-03 10:14 arthur
+
+ * [r919] nslcd.h, pam/pam.c: change PAM authorisation request to
+ also include ruser, rhost and tty (based on OpenLDAP cvs, r916 in
+ nss-pam-ldapd branch)
+
+2009-06-03 09:08 arthur
+
+ * [r917] debian/control: add Richard A Nelson (Rick)
+ <cowboy@debian.org> to uploaders
+
+2009-06-01 17:14 arthur
+
+ * [r914] HACKING, README, man/nss-ldapd.conf.5.xml, nss-ldapd.conf:
+ clean up documentation
+
+2009-05-30 07:22 arthur
+
+ * [r910] nslcd/cfg.c: don't look inside the passed variable
+ get_strdup() because it could point to uninitialized memory
+
+2009-05-29 21:30 arthur
+
+ * [r908] pam/common.h, pam/pam.c: partially refactor to follow
+ local coding convention and introduce READ_PAM_CODE macro (r896
+ from nss-pam-ldapd)
+
+2009-05-29 21:29 arthur
+
+ * [r907] pam/pam.c: tabs to spaces (r889 from nss-pam-ldapd)
+
+2009-05-29 21:29 arthur
+
+ * [r906] pam/common.h, pam/pam.c: make request-response functions
+ simpler (r888 from nss-pam-ldapd)
+
+2009-05-29 21:24 arthur
+
+ * [r905] common/Makefile.am: remove unneeded EXTRA_DIST
+
+2009-05-29 21:22 arthur
+
+ * [r904] Makefile.am, common/Makefile.am, common/nslcd-prot.c,
+ common/nslcd-prot.h, nslcd-common.h, nslcd/Makefile.am,
+ nslcd/alias.c, nslcd/common.h, nslcd/ether.c, nslcd/group.c,
+ nslcd/host.c, nslcd/netgroup.c, nslcd/network.c, nslcd/passwd.c,
+ nslcd/protocol.c, nslcd/rpc.c, nslcd/service.c, nslcd/shadow.c,
+ nss/Makefile.am, nss/aliases.c, nss/common.c, nss/common.h,
+ nss/ethers.c, nss/group.c, nss/hosts.c, nss/netgroup.c,
+ nss/networks.c, nss/passwd.c, nss/protocols.c, nss/rpc.c,
+ nss/services.c, nss/shadow.c, pam/Makefile.am, pam/common.h,
+ pam/pam.c, tests/Makefile.am: refactor protocol reading and
+ writing macros to the common directory, use more logical names
+ and in the PAM module no longer use NSS status codes (import of
+ r887 from nss-pam-ldapd)
+
+2009-05-29 21:18 arthur
+
+ * [r903] tests/Makefile.am: add missing objects to test programs
+
+2009-05-24 09:23 arthur
+
+ * [r895] man/nss-ldapd.conf.5.xml: document that you can specify
+ base option multiple times
+
+2009-05-24 09:12 arthur
+
+ * [r894] Makefile.am: also build PAM module for make distcheck
+
+2009-05-24 09:11 arthur
+
+ * [r893] nslcd/alias.c, nslcd/cfg.c, nslcd/common.h, nslcd/ether.c,
+ nslcd/group.c, nslcd/host.c, nslcd/netgroup.c, nslcd/network.c,
+ nslcd/passwd.c, nslcd/protocol.c, nslcd/rpc.c, nslcd/service.c,
+ nslcd/shadow.c: initialise database modules only once after
+ parsing config
+
+2009-05-24 08:56 arthur
+
+ * [r892] AUTHORS, nslcd/alias.c, nslcd/attmap.c, nslcd/cfg.c,
+ nslcd/cfg.h, nslcd/common.h, nslcd/ether.c, nslcd/group.c,
+ nslcd/host.c, nslcd/netgroup.c, nslcd/network.c, nslcd/passwd.c,
+ nslcd/protocol.c, nslcd/rpc.c, nslcd/service.c, nslcd/shadow.c,
+ tests/test_cfg.c, tests/test_myldap.c: support multiple search
+ bases, partially based on a patch by Leigh Wedding
+ <lwedding@bigpond.com>
+
+2009-05-24 08:03 arthur
+
+ * [r891] AUTHORS: don't mention Howard Chu twice
+
+2009-05-23 20:54 arthur
+
+ * [r890] debian/po/fi.po: added Finnish (fi) translation of debconf
+ templates by Esko Arajärvi <edu@iki.fi>
+
+2009-05-16 07:01 arthur
+
+ * [r885] nss/common.h, pam/pam.c: quick fix for building PAM module
+
+2009-05-09 20:54 arthur
+
+ * [r881] ChangeLog, NEWS, TODO, configure.ac, debian/changelog,
+ man/nslcd.8.xml, man/nss-ldapd.conf.5.xml: get files ready for
+ 0.6.9 release
+
2009-05-09 20:53 arthur
* [r880] debian/libnss-ldapd.postinst: if base is blank disable the
diff --git a/HACKING b/HACKING
index 55072b5..52498c7 100644
--- a/HACKING
+++ b/HACKING
@@ -155,3 +155,9 @@ only potentially exploit bugs in the library and gain the privileges of the
process that was doing the name lookups. In this case the privileges of the
daemon are potentially exposed.
+
+TEST SETUP
+==========
+
+In the test directory there are a number of tests available. See the file
+README in the test directory for more details.
diff --git a/NEWS b/NEWS
index 4084be6..b793687 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,19 @@
+changes from 0.6.9 to 0.6.10
+----------------------------
+
+* implement searching through multiple search bases, based on a patch by Leigh
+ Wedding
+* fix a segmentation fault that could occur when using any of the tls_*
+ options with a string parameter
+* miscellaneous improvements to the experimental PAM module
+* implement PAM authentication function in the nslcd daemon
+* the code for reading and writing protocol entries between the NSS module and
+ the daemon was improved
+* documentation updates
+* removed SSL/TLS related warnings during startup
+* Debian packaging improvements
+
+
changes from 0.6.8 to 0.6.9
---------------------------
@@ -32,7 +48,7 @@ changes from 0.6.7 to 0.6.8
* correctly set SSL/TLS options when using StartTLS
* rename the tls_checkpeer option to tls_reqcert, deprecating the old name and
supporting all values that OpenLDAP supports
-* allow backslashes in user and group names execpt as first or last character
+* allow backslashes in user and group names except as first or last character
* check user and group names against LOGIN_NAME_MAX if it is defined
* fix for getpeercred() on Solaris by David Bartley
* Debian packaging improvements
diff --git a/README b/README
index f2d3416..44214b5 100644
--- a/README
+++ b/README
@@ -160,6 +160,9 @@ The last step (make install) should install the libnss_ldap.so.* file and the
daemon (nslcd). The boot process needs to be manually modified to start the
daemon at the right time.
+Also it is recommended to create a dedicated user to run the nslcd daemon as.
+Configure this user in /etc/nss-ldapd.conf using the uid and gid options.
+
CONFIGURATION
=============
@@ -310,8 +313,8 @@ the uid attribute.
If the DN value already contains a uid value (e.g. uid=arthur, dc=example,
dc=com) the lookup is skipped and the value from the DN is used. A cache is
-maintained that holds on to DN to uid translations for 15 minutes
-(see DN2UID_CACHE_TIMEOUT in nslcd/passwd.c).
+maintained that holds on to DN to uid translations for 15 minutes (see
+DN2UID_CACHE_TIMEOUT in nslcd/passwd.c).
In all cases, users that are specified as member multiple times are returned
only once.
@@ -320,15 +323,25 @@ Currently, having nested groups by uniqueMember values pointing to other
groups, as well as the memberOf attribute in posixAccount entries are
unsupported.
-
-MISC NOTES
-==========
+case sensitivity
+----------------
Most values in the NSS databases are considered case-sensitive (e.g. the user
-"Foo" is a different user from "foo"). Values in an LDAP database are however
-case-insensitive. This may cause problems in some corner cases, especially
-when nscd is used for caching. For example, when doing a lookup for the user
-"Foo" the user "foo" will be returned if it exists in the database.
+"Foo" is a different user from the user "foo"). Values in an LDAP database are
+however cosidered case-insensitive. nss-ldapd tries to solve this problem by
+adding an extra filtering layer and ensure that e.g. when looking for the user
+"foo" it will not return a user "Foo" that is found in LDAP.
+
+For the group, netgroup, passwd, protocols, rpc, services and shadow maps the
+matches will be checked case-sensitively and for aliases, ethers, hosts and
+networks matches will be case-insensitive (this seems to be what Glibc is
+doing currently with flat files). Only searching for groups by member the
+username matching is done case-insensitive. Note that in all cases the
+case-use in the LDAP directory is returned.
+
+Note however that having entries that only differ in case is a bad idea and
+will likely get you in trouble. One example of such a problem is that the DN
+uid=test,dc=example,dc=com is the same as uid=TEST,dc=example,dc=com.
REPORTING BUGS
diff --git a/TODO b/TODO
index 9d201c6..603a522 100644
--- a/TODO
+++ b/TODO
@@ -1,9 +1,4 @@
-probably before we can call this stable
----------------------------------------
-* find problem with reachability of LDAP server
-
-other items
------------
+* test reachability problems with LDAP server more
* document test suite (instructions for setting up environment (server), LDIF
file, nsswitch.conf and nss-ldapd.conf)
* write more unit tests
diff --git a/configure.ac b/configure.ac
index 041b1ac..36e48b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -32,8 +32,8 @@ version 2.1 of the License, or (at your option) any later version. See the
configure.ac file for more details.])
# initialize and set version and bugreport address
-AC_INIT([nss-ldapd],[0.6.9],[arthur@ch.tudelft.nl])
-RELEASE_MONTH="May 2009"
+AC_INIT([nss-ldapd],[0.6.10],[arthur@ch.tudelft.nl])
+RELEASE_MONTH="Jun 2009"
AC_SUBST(RELEASE_MONTH)
AC_CONFIG_SRCDIR([nslcd.h])
@@ -117,8 +117,8 @@ AM_CONDITIONAL([ENABLE_NSS], [test "x$enable_nss" = "xyes"])
# check whether the PAM module should be built
AC_MSG_CHECKING([whether to build the PAM module])
AC_ARG_ENABLE(pam,
- AS_HELP_STRING([--disable-pam],
- [build the PAM module [[default=yes]]]),,
+ AS_HELP_STRING([--enable-pam],
+ [build the PAM module [[default=no]]]),,
[enable_pam="yes"])
AC_MSG_RESULT($enable_pam)
AM_CONDITIONAL([ENABLE_PAM], [test "x$enable_pam" = "xyes"])
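Review bot: The help text now advertises `--enable-pam` with `[[default=no]]`, but the action-if-not-given argument two lines below is still `[enable_pam="yes"]`, so a plain `./configure` keeps building the PAM module. NEWS in this same commit calls that module experimental, so an unintended default-on build is worth avoiding. If opt-in is the intent, change the fallback to `[enable_pam="no"])`. If default-on is intended, keep the old `--disable-pam` / `default=yes` help string so `./configure --help` matches the behaviour.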
@@ -132,6 +132,24 @@ AC_ARG_ENABLE(nslcd,
AC_MSG_RESULT($enable_nslcd)
AM_CONDITIONAL([ENABLE_NSLCD], [test "x$enable_nslcd" = "xyes"])
+# check whether SASL support should be enabled
+AC_MSG_CHECKING([whether to enable SASL support])
+AC_ARG_ENABLE(sasl,
+ AS_HELP_STRING([--disable-sasl],
+ [disable SASL support [[default=yes]]]),
+ [enable_sasl=$enableval],
+ [enable_sasl="yes"])
+AC_MSG_RESULT($enable_sasl)
+
+# check whether Kerberos support should be enabled
+AC_MSG_CHECKING([whether to enable Kerberos support])
+AC_ARG_ENABLE(kerberos,
+ AS_HELP_STRING([--disable-kerberos],
+ [disable Kerberos support [[default=yes]]]),
+ [enable_kerberos=$enableval],
+ [enable_kerberos="yes"])
+AC_MSG_RESULT($enable_kerberos)
+
AC_ARG_WITH(ldap-lib,
AS_HELP_STRING([--with-ldap-lib=TYPE],
[select ldap library (auto|netscape5|netscape4|netscape3|umich|openldap) @<:@auto@:>@]))
@@ -180,11 +198,8 @@ AC_CHECK_HEADERS(netinet/ether.h)
AC_CHECK_HEADERS(ctype.h)
AC_CHECK_HEADERS(getopt.h)
AC_CHECK_HEADERS(sys/un.h)
-AC_CHECK_HEADERS(sasl.h sasl/sasl.h)
AC_CHECK_HEADERS(strings.h)
AC_CHECK_HEADERS(gssldap.h)
-AC_CHECK_HEADERS(gsssasl.h)
-AC_CHECK_HEADERS(gssapi/gssapi_krb5.h gssapi.h)
AC_CHECK_HEADERS(grp.h)
AC_CHECK_HEADERS(sys/socket.h)
AC_CHECK_HEADERS(sys/ucred.h)
@@ -194,6 +209,15 @@ then
AC_CHECK_HEADERS(security/pam_modules.h)
AC_CHECK_HEADERS(pam/pam_modules.h)
fi
+if test "x$enable_sasl" = "xyes"
+then
+ AC_CHECK_HEADERS(sasl.h sasl/sasl.h)
+ AC_CHECK_HEADERS(gsssasl.h)
+fi
+if test "x$enable_kerberos" = "xyes"
+then
+ AC_CHECK_HEADERS(gssapi/gssapi_krb5.h gssapi.h)
+fi
# set up directory with compatibility replacement files
AC_CONFIG_LIBOBJ_DIR([compat])
@@ -280,13 +304,16 @@ AC_CHECK_TYPE(struct ucred,
#include <sys/un.h>
#include <sys/types.h>])
-AC_CHECK_TYPE(sasl_interact_t,
- AC_DEFINE(HAVE_SASL_INTERACT_T,1,[Define to 1 if you have a `sasl_interact_t' definition.]),,[
- #ifdef HAVE_SASL_SASL_H
- #include <sasl/sasl.h>
- #elif defined(HAVE_SASL_H)
- #include <sasl.h>
- #endif])
+if test "$enable_sasl" = "yes"
+then
+ AC_CHECK_TYPE(sasl_interact_t,
+ AC_DEFINE(HAVE_SASL_INTERACT_T,1,[Define to 1 if you have a `sasl_interact_t' definition.]),,[
+ #ifdef HAVE_SASL_SASL_H
+ #include <sasl/sasl.h>
+ #elif defined(HAVE_SASL_H)
+ #include <sasl.h>
+ #endif])
+fi
# checks for LDAP library
save_LIBS="$LIBS"
@@ -300,10 +327,13 @@ AC_CHECK_FUNCS(pthread_atfork)
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,[LIBS="-lgssapi $LIBS" found_gssapi_lib=yes],,$LIBS)
-if test -z "$found_gssapi_lib"
+if test "$enable_kerberos" = "yes"
then
- AC_CHECK_LIB(gssapi_krb5, gss_krb5_ccache_name,[LIBS="-lgssapi_krb5 $LIBS"],,$LIBS)
+ AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,[LIBS="-lgssapi $LIBS" found_gssapi_lib=yes],,$LIBS)
+ if test -z "$found_gssapi_lib"
+ then
+ AC_CHECK_LIB(gssapi_krb5, gss_krb5_ccache_name,[LIBS="-lgssapi_krb5 $LIBS"],,$LIBS)
+ fi
fi
if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \)
@@ -343,14 +373,22 @@ then
AC_CHECK_LIB(pthread, main)
fi
AC_CHECK_LIB(gssldap, ldap_gss_bind,[LIBS="-lgssldap $LIBS"],,$LIBS)
-AC_CHECK_LIB(sasl2, sasl_client_init)
-AC_CHECK_FUNCS(sasl_auxprop_request)
-AC_CHECK_FUNCS(gss_krb5_ccache_name)
+if test "$enable_sasl" = "yes"
+then
+ AC_CHECK_LIB(sasl2, sasl_client_init)
+ AC_CHECK_FUNCS(sasl_auxprop_request)
+ AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)
+fi
+if test "$enable_kerberos" = "yes"
+then
+ AC_CHECK_FUNCS(gss_krb5_ccache_name)
+fi
+
AC_CHECK_FUNCS(ldap_parse_result ldap_memfree ldap_controls_free ldap_control_free)
AC_CHECK_FUNCS(ldap_explode_dn ldap_explode_rdn ldap_set_option ldap_get_option)
AC_CHECK_FUNCS(ldap_abandon ldap_simple_bind_s ldap_unbind ldap_set_rebind_proc)
-AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext)
+AC_CHECK_FUNCS(ldap_initialize ldap_search_ext)
AC_CHECK_FUNCS(ldap_create_control)
AC_CHECK_FUNCS(ldap_domain2hostlist ldap_domain2dn)
AC_CHECK_FUNCS(ldap_get_values ldap_value_free ldap_get_dn)
diff --git a/debian/changelog b/debian/changelog
index 3dac6ac..f46fbb4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+nss-ldapd (0.6.10) unstable; urgency=low
+
+ * implement searching through multiple search bases, based on a patch by
+ Leigh Wedding
+ * fix a segmentation fault that could occur when using any of the tls_*
+ options with a string parameter (closes: #531113)
+ * miscellaneous improvements to the experimental PAM module
+ * implement PAM authentication function in the nslcd daemon
+ * the code for reading and writing protocol entries between the NSS module
+ and the daemon was improved
+ * documentation updates
+ * removed SSL/TLS related warnings during startup
+ * added Finnish debconf translation by Esko Arajärvi (closes: #530284)
+ * added Richard A Nelson (Rick) <cowboy@debian.org> to uploaders
+
+ -- Arthur de Jong <adejong@debian.org> Wed, 03 Jun 2009 15:00:00 +0200
+
nss-ldapd (0.6.9) unstable; urgency=low
* produce more detailed logging in debug mode and allow multiple -d options
diff --git a/man/nslcd.8.xml b/man/nslcd.8.xml
index d4972e8..f3076d8 100644
--- a/man/nslcd.8.xml
+++ b/man/nslcd.8.xml
@@ -36,9 +36,9 @@
<refmeta>
<refentrytitle>nslcd</refentrytitle>
<manvolnum>8</manvolnum>
- <refmiscinfo class="version">Version 0.6.9</refmiscinfo>
+ <refmiscinfo class="version">Version 0.6.10</refmiscinfo>
<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>
- <refmiscinfo class="date">May 2009</refmiscinfo>
+ <refmiscinfo class="date">Jun 2009</refmiscinfo>
</refmeta>
<refnamediv id="name">
diff --git a/man/nss-ldapd.conf.5.xml b/man/nss-ldapd.conf.5.xml
index b2de164..6c1360c 100644
--- a/man/nss-ldapd.conf.5.xml
+++ b/man/nss-ldapd.conf.5.xml
@@ -36,9 +36,9 @@
<refmeta>
<refentrytitle>nss-ldapd.conf</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo class="version">Version 0.6.9</refmiscinfo>
+ <refmiscinfo class="version">Version 0.6.10</refmiscinfo>
<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>
- <refmiscinfo class="date">May 2009</refmiscinfo>
+ <refmiscinfo class="date">Jun 2009</refmiscinfo>
</refmeta>
<refnamediv id="name">
diff --git a/nslcd/alias.c b/nslcd/alias.c
index bcdd48a..ed744f1 100644
--- a/nslcd/alias.c
+++ b/nslcd/alias.c
@@ -94,34 +94,27 @@ void alias_init(void)
static int write_alias(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqalias)
{
int32_t tmpint32,tmp2int32,tmp3int32;
- const char *tmparr[2];
const char **names,**members;
int i;
/* get the name of the alias */
- if (reqalias!=NULL)
+ names=myldap_get_values(entry,attmap_alias_cn);
+ if ((names==NULL)||(names[0]==NULL))
{
- names=tmparr;
- names[0]=reqalias;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_alias_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"alias entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_alias_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"alias entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_alias_cn);
+ return 0;
}
/* get the members of the alias */
members=myldap_get_values(entry,attmap_alias_rfc822MailMember);
/* for each name, write an entry */
for (i=0;names[i]!=NULL;i++)
{
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_STRING(fp,names[i]);
- WRITE_STRINGLIST(fp,members);
+ if ((reqalias==NULL)||(strcasecmp(reqalias,names[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+ WRITE_STRING(fp,names[i]);
+ WRITE_STRINGLIST(fp,members);
+ }
}
return 0;
}
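Review bot: The comment `/* for each name, write an entry */` no longer describes the loop, which now skips every name that does not match reqalias. Suggest `/* write an entry for each name that matches reqalias case-insensitively (all names if reqalias is NULL) */`. It would also help to document on write_alias that the name returned to the client is the directory's spelling, not the requested one, since callers previously got reqalias echoed back.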
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 87a9bed..d7fde81 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -858,9 +858,7 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
else if ( (strcasecmp(keyword,"tls_reqcert")==0) ||
(strcasecmp(keyword,"tls_checkpeer")==0) )
{
- if (strcasecmp(keyword,"tls_reqcert")==0)
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- else
+ if (strcasecmp(keyword,"tls_checkpeer")==0)
log_log(LOG_WARNING,"%s:%d: option %s is deprecated (and will be removed in an upcoming release), use tls_reqcert instead",filename,lnr,keyword);
get_reqcert(filename,lnr,keyword,&line,&i);
get_eol(filename,lnr,keyword,&line);
@@ -869,7 +867,6 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
}
else if (strcasecmp(keyword,"tls_cacertdir")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
@@ -879,7 +876,6 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
}
else if (strcasecmp(keyword,"tls_cacertfile")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
@@ -889,7 +885,6 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
}
else if (strcasecmp(keyword,"tls_randfile")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
@@ -899,7 +894,6 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
}
else if (strcasecmp(keyword,"tls_ciphers")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
get_restdup(filename,lnr,keyword,&line,&value);
log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE,\"%s\")",value);
LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_CIPHER_SUITE,value);
@@ -907,7 +901,6 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
}
else if (strcasecmp(keyword,"tls_cert")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
@@ -917,7 +910,6 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
}
else if (strcasecmp(keyword,"tls_key")==0)
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
diff --git a/nslcd/ether.c b/nslcd/ether.c
index 1bfa200..4a1d6a0 100644
--- a/nslcd/ether.c
+++ b/nslcd/ether.c
@@ -124,21 +124,12 @@ static int write_ether(TFILE *fp,MYLDAP_ENTRY *entry,
const char **names,**ethers;
int i,j;
/* get the name of the ether entry */
- if (reqname!=NULL)
+ names=myldap_get_values(entry,attmap_ether_cn);
+ if ((names==NULL)||(names[0]==NULL))
{
- names=tmparr;
- names[0]=reqname;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_ether_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"ether entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_ether_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"ether entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_ether_cn);
+ return 0;
}
/* get the addresses */
if (reqether!=NULL)
@@ -160,12 +151,13 @@ static int write_ether(TFILE *fp,MYLDAP_ENTRY *entry,
}
/* write entries for all names and addresses */
for (i=0;names[i]!=NULL;i++)
- for (j=0;ethers[j]!=NULL;j++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_STRING(fp,names[i]);
- WRITE_ETHER(fp,ethers[j]);
- }
+ if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0))
+ for (j=0;ethers[j]!=NULL;j++)
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+ WRITE_STRING(fp,names[i]);
+ WRITE_ETHER(fp,ethers[j]);
+ }
return 0;
}
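Review bot: The new filter creates an unbraced `for` → `if` → `for` nest, where only the innermost loop has braces. A later edit that adds a statement or an `else` at the wrong depth would change which names are written without any compiler complaint. Bracing the outer loop and the `if`, as in `for (i=0;names[i]!=NULL;i++) {` followed by `if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0)) {`, makes the scope explicit. The outer `for` in the write_passwd loop in nslcd/passwd.c is left unbraced in the same way.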
diff --git a/nslcd/group.c b/nslcd/group.c
index 6bb7e8c..1926a33 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -145,7 +145,7 @@ void group_init(void)
static int do_write_group(
TFILE *fp,MYLDAP_ENTRY *entry,const char **names,gid_t gids[],int numgids,
- const char *passwd,SET *members)
+ const char *passwd,SET *members,const char *reqname)
{
int32_t tmpint32;
int i,j;
@@ -167,7 +167,7 @@ static int do_write_group(
log_log(LOG_WARNING,"group entry %s contains invalid group name: \"%s\"",
myldap_get_dn(entry),names[i]);
}
- else
+ else if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
{
for (j=0;j<numgids;j++)
{
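Review bot: The reqname filter sits on the `else` branch, so the "contains invalid group name" warning above it still fires for names the request never asked about. write_passwd in this same commit tests the requested name first and only then calls isvalidname(). For consistency, and to avoid a warning on every by-name lookup of an entry that carries one bad extra cn, test the name first, e.g. `if ((reqname!=NULL)&&(strcmp(reqname,names[i])!=0)) continue;` at the top of the loop body. The loop header is outside this hunk.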
@@ -229,7 +229,6 @@ static int write_group(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname,
const gid_t *reqgid,int wantmembers,
MYLDAP_SESSION *session)
{
- const char *tmparr[2];
const char **names,**gidvalues;
const char *passwd;
SET *members;
@@ -238,21 +237,12 @@ static int write_group(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname,
char *tmp;
int rc;
/* get group name (cn) */
- if (reqname!=NULL)
+ names=myldap_get_values(entry,attmap_group_cn);
+ if ((names==NULL)||(names[0]==NULL))
{
- names=tmparr;
- names[0]=reqname;
- names[1]=NULL;
- }
- else
- {
- names=myldap_get_values(entry,attmap_group_cn);
- if ((names==NULL)||(names[0]==NULL))
- {
- log_log(LOG_WARNING,"group entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_group_cn);
- return 0;
- }
+ log_log(LOG_WARNING,"group entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_group_cn);
+ return 0;
}
/* get the group id(s) */
if (reqgid!=NULL)
@@ -291,7 +281,7 @@ static int write_group(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname,
members=NULL;
/* write entries (split to a separate function so we can ensure the call
to free() below in case a write fails) */
- rc=do_write_group(fp,entry,names,gids,numgids,passwd,members);
+ rc=do_write_group(fp,entry,names,gids,numgids,passwd,members,reqname);
/* free and return */
if (members!=NULL)
set_free(members);
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 74dc822..5e35718 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -372,8 +372,8 @@ static int do_sasl_interact(LDAP UNUSED(*ld),unsigned UNUSED(flags),void *defaul
This returns an LDAP result code. */
static int do_bind(MYLDAP_SESSION *session,const char *uri)
{
-#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
int rc;
+#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
#ifndef HAVE_SASL_INTERACT_T
struct berval cred;
#endif /* not HAVE_SASL_INTERACT_T */
diff --git a/nslcd/netgroup.c b/nslcd/netgroup.c
index 6c38216..58078f8 100644
--- a/nslcd/netgroup.c
+++ b/nslcd/netgroup.c
@@ -200,12 +200,19 @@ static int write_netgroup_triple(TFILE *fp,const char *triple)
if (write_netgroup_triple(fp,triple)) \
return -1;
-static int write_netgroup(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_netgroup(TFILE *fp,MYLDAP_ENTRY *entry, const char *reqname)
{
int32_t tmpint32;
int i;
+ const char **names;
const char **triples;
const char **members;
+ /* get the netgroup name */
+ names=myldap_get_values(entry,attmap_netgroup_cn);
+ for (i=0;(names[i]!=NULL)&&(strcmp(reqname,names[i])!=0);i++)
+ /* nothing here */ ;
+ if (names[i]==NULL)
+ return 0; /* the name was not found */
/* get the netgroup triples and member */
triples=myldap_get_values(entry,attmap_netgroup_nisNetgroupTriple);
members=myldap_get_values(entry,attmap_netgroup_memberNisNetgroup);
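Review bot: `names` is indexed in the new `for` loop without the `(names==NULL)||(names[0]==NULL)` guard that write_alias, write_ether, write_group and write_passwd apply to the same myldap_get_values() call in this commit. Those guards suggest the call can return NULL; if so, a netgroup entry without a usable cn value would make the daemon dereference NULL during a lookup. Add `if (names==NULL) return 0;` before the loop, ideally with the same log_log(LOG_WARNING,...) message the other modules use. reqname also goes straight into strcmp(); the only caller visible here passes `name`, so it would help to document that it must not be NULL. write_netgroup's body continues past the end of the hunk.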
@@ -238,5 +245,5 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_netgroup_byname(%s)",name);,
NSLCD_ACTION_NETGROUP_BYNAME,
mkfilter_netgroup_byname(name,filter,sizeof(filter)),
- write_netgroup(fp,entry)
+ write_netgroup(fp,entry,name)
)
diff --git a/nslcd/passwd.c b/nslcd/passwd.c
index 58bc8f3..3896aea 100644
--- a/nslcd/passwd.c
+++ b/nslcd/passwd.c
@@ -295,7 +295,6 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
const uid_t *requid)
{
int32_t tmpint32;
- const char *tmparr[2];
const char **tmpvalues;
char *tmp;
const char **usernames;
@@ -308,21 +307,12 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
const char *shell;
int i,j;
/* get the usernames for this entry */
- if (requser!=NULL)
+ usernames=myldap_get_values(entry,attmap_passwd_uid);
+ if ((usernames==NULL)||(usernames[0]==NULL))
{
- usernames=tmparr;
- usernames[0]=requser;
- usernames[1]=NULL;
- }
- else
- {
- usernames=myldap_get_values(entry,attmap_passwd_uid);
- if ((usernames==NULL)||(usernames[0]==NULL))
- {
- log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_passwd_uid);
- return 0;
- }
+ log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_passwd_uid);
+ return 0;
}
/* get the password for this entry */
if (myldap_has_objectclass(entry,"shadowAccount"))
@@ -436,27 +426,28 @@ static int write_passwd(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
}
/* write the entries */
for (i=0;usernames[i]!=NULL;i++)
- {
- if (!isvalidname(usernames[i]))
- {
- log_log(LOG_WARNING,"passwd entry %s contains invalid user name: \"%s\"",
- myldap_get_dn(entry),usernames[i]);
- }
- else
+ if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
{
- for (j=0;j<numuids;j++)
+ if (!isvalidname(usernames[i]))
{
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_STRING(fp,usernames[i]);
- WRITE_STRING(fp,passwd);
- WRITE_TYPE(fp,uids[j],uid_t);
- WRITE_TYPE(fp,gid,gid_t);
- WRITE_STRING(fp,gecos);
- WRITE_STRING(fp,homedir);
- WRITE_STRING(fp,shell);
+ log_log(LOG_WARNING,"passwd entry %s contains invalid user name: \"%s\"",
+ myldap_get_dn(entry),usernames[i]);
+ }
+ else
+ {
+ for (j=0;j<numuids;j++)
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+ WRITE_STRING(fp,usernames[i]);
+ WRITE_STRING(fp,passwd);
+ WRITE_TYPE(fp,uids[j],uid_t);
+ WRITE_TYPE(fp,gid,gid_t);
+ WRITE_STRING(fp,gecos);
+ WRITE_STRING(fp,homedir);
+ WRITE_STRING(fp,shell);
+ }
}
}
- }
return 0;
}
diff --git a/nslcd/protocol.c b/nslcd/protocol.c
index 595427b..fadb66f 100644
--- a/nslcd/protocol.c
+++ b/nslcd/protocol.c
@@ -100,7 +100,7 @@ void protocol_init(void)
protocol_attrs[2]=NULL;
}
-static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
{
int32_t tmpint32,tmp2int32,tmp3int32;
const char *name;
@@ -108,6 +108,7 @@ static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry)
const char **protos;
char *tmp;
int proto;
+ int i;
/* get the most canonical name */
name=myldap_get_rdn_value(entry,attmap_protocol_cn);
/* get the other names for the protocol */
@@ -121,6 +122,14 @@ static int write_protocol(TFILE *fp,MYLDAP_ENTRY *entry)
/* if the protocol name is not yet found, get the first entry */
if (name==NULL)
name=aliases[0];
+ /* check case of returned protocol entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
/* get the protocol number */
protos=myldap_get_values(entry,attmap_protocol_ipProtocolNumber);
if ((protos==NULL)||(protos[0]==NULL))
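Review bot: The comment `/* check case of returned protocol entry */` understates the added block, which silently drops the whole entry when reqname matches neither name nor any alias. Suggest `/* skip the entry unless reqname (if given) exactly matches the name or one of the aliases */`, plus a note at the function head that reqname==NULL disables the filter. The strcmp() on name and the walk over aliases[i] assume both are non-NULL here. The code that establishes that is above the hunk, so confirm it covers an entry with no alias values. The same block and comment are added to write_rpc in nslcd/rpc.c.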
@@ -157,7 +166,7 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_protocol_byname(%s)",name);,
NSLCD_ACTION_PROTOCOL_BYNAME,
mkfilter_protocol_byname(name,filter,sizeof(filter)),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,name)
)
NSLCD_HANDLE(
@@ -168,7 +177,7 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_protocol_bynumber(%d)",protocol);,
NSLCD_ACTION_PROTOCOL_BYNUMBER,
mkfilter_protocol_bynumber(protocol,filter,sizeof(filter)),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,NULL)
)
NSLCD_HANDLE(
@@ -178,5 +187,5 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_protocol_all()");,
NSLCD_ACTION_PROTOCOL_ALL,
(filter=protocol_filter,0),
- write_protocol(fp,entry)
+ write_protocol(fp,entry,NULL)
)
diff --git a/nslcd/rpc.c b/nslcd/rpc.c
index 7480b4f..9958d48 100644
--- a/nslcd/rpc.c
+++ b/nslcd/rpc.c
@@ -101,7 +101,7 @@ void rpc_init(void)
}
/* write a single rpc entry to the stream */
-static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry)
+static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqname)
{
int32_t tmpint32,tmp2int32,tmp3int32;
const char *name;
@@ -109,6 +109,7 @@ static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry)
const char **numbers;
char *tmp;
int number;
+ int i;
/* get the most canonical name */
name=myldap_get_rdn_value(entry,attmap_rpc_cn);
/* get the other names for the rpc entries */
@@ -122,6 +123,14 @@ static int write_rpc(TFILE *fp,MYLDAP_ENTRY *entry)
/* if the rpc name is not yet found, get the first entry */
if (name==NULL)
name=aliases[0];
+ /* check case of returned rpc entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
/* get the rpc number */
numbers=myldap_get_values(entry,attmap_rpc_oncRpcNumber);
if ((numbers==NULL)||(numbers[0]==NULL))
@@ -158,7 +167,7 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_rpc_byname(%s)",name);,
NSLCD_ACTION_RPC_BYNAME,
mkfilter_rpc_byname(name,filter,sizeof(filter)),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,name)
)
NSLCD_HANDLE(
@@ -169,7 +178,7 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_rpc_bynumber(%d)",number);,
NSLCD_ACTION_RPC_BYNUMBER,
mkfilter_rpc_bynumber(number,filter,sizeof(filter)),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,NULL)
)
NSLCD_HANDLE(
@@ -179,5 +188,5 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_rpc_all()");,
NSLCD_ACTION_RPC_ALL,
(filter=rpc_filter,0),
- write_rpc(fp,entry)
+ write_rpc(fp,entry,NULL)
)
diff --git a/nslcd/service.c b/nslcd/service.c
index 64129ca..cb9cf4f 100644
--- a/nslcd/service.c
+++ b/nslcd/service.c
@@ -127,14 +127,14 @@ void service_init(void)
service_attrs[3]=NULL;
}
-static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqprotocol)
+static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,
+ const char *reqname,const char *reqprotocol)
{
int32_t tmpint32,tmp2int32,tmp3int32;
const char *name;
const char **aliases;
const char **ports;
const char **protocols;
- const char *tmparr[2];
char *tmp;
int port;
int i;
@@ -151,6 +151,14 @@ static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqprotocol)
/* if the service name is not yet found, get the first entry */
if (name==NULL)
name=aliases[0];
+ /* check case of returned servies entry */
+ if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+ {
+ for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+ /* nothing here */ ;
+ if (aliases[i]==NULL)
+ return 0; /* neither the name nor any of the aliases matched */
+ }
/* get the service number */
ports=myldap_get_values(entry,attmap_service_ipServicePort);
if ((ports==NULL)||(ports[0]==NULL))
@@ -172,31 +180,23 @@ static int write_service(TFILE *fp,MYLDAP_ENTRY *entry,const char *reqprotocol)
return 0;
}
/* get protocols */
- if ((reqprotocol!=NULL)&&(*reqprotocol!='\0'))
+ protocols=myldap_get_values(entry,attmap_service_ipServiceProtocol);
+ if ((protocols==NULL)||(protocols[0]==NULL))
{
- protocols=tmparr;
- protocols[0]=reqprotocol;
- protocols[1]=NULL;
- }
- else
- {
- protocols=myldap_get_values(entry,attmap_service_ipServiceProtocol);
- if ((protocols==NULL)||(protocols[0]==NULL))
- {
- log_log(LOG_WARNING,"service entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_service_ipServiceProtocol);
- return 0;
- }
+ log_log(LOG_WARNING,"service entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_service_ipServiceProtocol);
+ return 0;
}
/* write the entries */
for (i=0;protocols[i]!=NULL;i++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_STRING(fp,name);
- WRITE_STRINGLIST_EXCEPT(fp,aliases,name);
- WRITE_INT32(fp,port);
- WRITE_STRING(fp,protocols[i]);
- }
+ if ((reqprotocol==NULL)||(*reqprotocol=='\0')||(strcmp(reqprotocol,protocols[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+ WRITE_STRING(fp,name);
+ WRITE_STRINGLIST_EXCEPT(fp,aliases,name);
+ WRITE_INT32(fp,port);
+ WRITE_STRING(fp,protocols[i]);
+ }
return 0;
}
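Review bot: The rewritten output loop hangs a braced `if` directly off an unbraced `for (i=0;protocols[i]!=NULL;i++)`, so a statement added beside the `if` later would silently fall outside the loop; put the `if` inside `for (...) {` … `}`. The same shape is introduced in write_shadow() in nslcd/shadow.c. The request-side part of the condition, `(reqprotocol==NULL)||(*reqprotocol=='\0')`, does not change between iterations and reads more easily if computed once before the loop. The `/* write the entries */` comment could also say that a request naming a protocol the entry does not list now yields no result, where the removed code wrote the requested string back to the client.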
@@ -210,7 +210,7 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_service_byname(%s,%s)",name,protocol);,
NSLCD_ACTION_SERVICE_BYNAME,
mkfilter_service_byname(name,protocol,filter,sizeof(filter)),
- write_service(fp,entry,protocol)
+ write_service(fp,entry,name,protocol)
)
NSLCD_HANDLE(
@@ -223,7 +223,7 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_service_bynumber(%d,%s)",number,protocol);,
NSLCD_ACTION_SERVICE_BYNUMBER,
mkfilter_service_bynumber(number,protocol,filter,sizeof(filter)),
- write_service(fp,entry,protocol)
+ write_service(fp,entry,NULL,protocol)
)
NSLCD_HANDLE(
@@ -233,5 +233,5 @@ NSLCD_HANDLE(
log_log(LOG_DEBUG,"nslcd_service_all()");,
NSLCD_ACTION_SERVICE_ALL,
(filter=service_filter,0),
- write_service(fp,entry,NULL)
+ write_service(fp,entry,NULL,NULL)
)
diff --git a/nslcd/shadow.c b/nslcd/shadow.c
index ff46355..44c63db 100644
--- a/nslcd/shadow.c
+++ b/nslcd/shadow.c
@@ -192,7 +192,6 @@ static long to_date(const char *date,const char *attr)
static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
{
int32_t tmpint32;
- const char *tmparr[2];
const char **tmpvalues;
char *tmp;
const char **usernames;
@@ -206,21 +205,12 @@ static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
unsigned long flag;
int i;
/* get username */
- if (requser!=NULL)
+ usernames=myldap_get_values(entry,attmap_shadow_uid);
+ if ((usernames==NULL)||(usernames[0]==NULL))
{
- usernames=tmparr;
- usernames[0]=requser;
- usernames[1]=NULL;
- }
- else
- {
- usernames=myldap_get_values(entry,attmap_shadow_uid);
- if ((usernames==NULL)||(usernames[0]==NULL))
- {
- log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
- myldap_get_dn(entry),attmap_shadow_uid);
- return 0;
- }
+ log_log(LOG_WARNING,"passwd entry %s does not contain %s value",
+ myldap_get_dn(entry),attmap_shadow_uid);
+ return 0;
}
/* get password */
passwd=get_userpassword(entry,attmap_shadow_userPassword);
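Review bot: The warning kept in this hunk reports a `passwd entry` although it is emitted from write_shadow() for a missing `attmap_shadow_uid` value, which points whoever reads the log at the wrong map; `log_log(LOG_WARNING,"shadow entry %s does not contain %s value",` names the right one. write_shadow's body continues outside the hunk.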
@@ -249,18 +239,19 @@ static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
}
/* write the entries */
for (i=0;usernames[i]!=NULL;i++)
- {
- WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
- WRITE_STRING(fp,usernames[i]);
- WRITE_STRING(fp,passwd);
- WRITE_INT32(fp,lastchangedate);
- WRITE_INT32(fp,mindays);
- WRITE_INT32(fp,maxdays);
- WRITE_INT32(fp,warndays);
- WRITE_INT32(fp,inactdays);
- WRITE_INT32(fp,expiredate);
- WRITE_INT32(fp,flag);
- }
+ if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
+ {
+ WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+ WRITE_STRING(fp,usernames[i]);
+ WRITE_STRING(fp,passwd);
+ WRITE_INT32(fp,lastchangedate);
+ WRITE_INT32(fp,mindays);
+ WRITE_INT32(fp,maxdays);
+ WRITE_INT32(fp,warndays);
+ WRITE_INT32(fp,inactdays);
+ WRITE_INT32(fp,expiredate);
+ WRITE_INT32(fp,flag);
+ }
return 0;
}
diff --git a/nss/group.c b/nss/group.c
index ea5e819..dbce82e 100644
--- a/nss/group.c
+++ b/nss/group.c
@@ -134,7 +134,7 @@ enum nss_status _nss_ldap_initgroups_dyn(
for validity of the buffer works (renaming the parameters may cause
confusion) */
#define buffer groupsp
-#define buflen limit
+#define buflen *size
NSS_BYNAME(NSLCD_ACTION_GROUP_BYMEMBER,
user,
read_gids(fp,skipgroup,start,size,groupsp,limit,errnop));
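Review bot: `#define buflen *size` expands without parentheses, so any use of `buflen` next to a postfix operator inside NSS_BYNAME would bind to `size` rather than `*size`; `#define buflen (*size)` removes that dependency on how the macro body happens to be written. The comment above the defines explains the renaming only in general terms and could state that `*size` is taken as the length of `groupsp` for the buffer validity check, which appears to be the reason `limit` was the wrong value here. The NSS_BYNAME body and any matching `#undef` are outside this hunk.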
diff --git a/tests/README b/tests/README
new file mode 100644
index 0000000..79cfeb6
--- /dev/null
+++ b/tests/README
@@ -0,0 +1,81 @@
+
+This document tries to descrive the test in this directory. Most of these
+tests should be self-explanitory as they should be simple unit tests of the
+shipped modules (more unit tests are welcome).
+
+Since nss-ldapd is meant for providing data from an LDAP server for some tests
+you should have an LDAP server and for even other tests you need to have
+nss-ldapd installed (patches for using LD_PRELOAD or similar tricks instead
+are welcome).
+
+For this a test setup should be made (the tests are ignored if no such setup
+was detected). In my development environment I use a chroot jail with Debian.
+The instructions in this document assume a similar environment.
+
+
+TEST ENVIRONMENT
+================
+
+LDAP server configuration
+-------------------------
+
+An LDAP server listening on ldap://localhost and ldapi:// is assumed. This is
+acomplished on Debian by the following line in /etc/default/slapd:
+ SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
+
+Because there will be a lot of data in the database and to test paged results
+you need the following in /etc/ldap/slapd.conf:
+ sizelimit size.prtotal=unlimited
+
+The LDAP server should be set up to service up the dc=test,dc=tld DN as base.
+
+A sample test.ldif file is also available. Note that this file is currently
+not shipped in the released tarballs because it is quite large. Load the file
+into your LDAP server so that it can be served.
+
+Most of the names in the database have been randomly generated based on a
+combination of name-lists that were found on the Internet.
+
+
+nsswitch.conf
+-------------
+
+The /etc/nsswitch.conf file is expected to contain something like the
+following. All maps should be looked up through LDAP and some tests may expect
+the LDAP lookup to come after the files lookup.
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+hosts: files ldap dns mdns
+networks: files ldap
+protocols: db files ldap
+services: db files ldap
+ethers: db files ldap
+rpc: db files ldap
+netgroup: files ldap
+aliases: files ldap
+
+nss-ldapd.conf
+--------------
+
+The /etc/nss-ldapd.conf file is expected to be configured like the following.
+
+uid nslcd
+gid nslcd
+uri ldapi:///
+base dc=test,dc=tld
+pagesize 100
+timelimit 2
+bind_timelimit 4
+reconnect_sleeptime 4
+reconnect_maxsleeptime 10
+filter group (|(objectClass=posixGroup)(objectClass=groupOfUniqueNames))
+
+
+OLD TESTS
+=========
+
+There are also a lot of old test files in this directory. Those files are of
+the form test_<map>.c. These files call the NSS module functions directly.
+These can probably all be removed and integrated into test_nsscmds.sh instead.
diff --git a/tests/test.ldif.gz b/tests/test.ldif.gz
new file mode 100644
index 0000000..a050d5c
--- /dev/null
+++ b/tests/test.ldif.gz
Binary files differ
diff --git a/tests/test_nsscmds.sh b/tests/test_nsscmds.sh
index 63797e0..2469a97 100755
--- a/tests/test_nsscmds.sh
+++ b/tests/test_nsscmds.sh
@@ -2,7 +2,7 @@
# test.sh - simple test script to check output of name lookup commands
#
-# Copyright (C) 2007, 2008 Arthur de Jong
+# Copyright (C) 2007, 2008, 2009 Arthur de Jong
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -104,6 +104,11 @@ check "getent aliases bar2" << EOM
bar2: foobar@example.com
EOM
+# get alias by different case
+check "getent aliases FOO" << EOM
+foo: bar@example.com
+EOM
+
###########################################################################
echo "test_nsscmds.sh: testing ether..."
@@ -118,6 +123,11 @@ check "getent ethers testhostalias" << EOM
0:18:8a:54:1a:8e testhostalias
EOM
+# get an entry by hostname with different case
+check "getent ethers TESTHOST" << EOM
+0:18:8a:54:1a:8e testhost
+EOM
+
# get an entry by ethernet address
check "getent ethers 0:18:8a:54:1a:8b" << EOM
0:18:8a:54:1a:8b testhost2
@@ -148,6 +158,10 @@ EOM
#users:*:100:arthur,test
#EOM
+# group with different case should not be found
+check "getent group TESTGROUP" << EOM
+EOM
+
check "getent group 6100" << EOM
testgroup:*:6100:arthur,test
EOM
@@ -194,6 +208,11 @@ check "getent hosts testhostalias" << EOM
10.0.0.1 testhost testhostalias
EOM
+# check hostname with different case
+check "getent hosts TESTHOST" << EOM
+10.0.0.1 testhost testhostalias
+EOM
+
check "getent hosts 10.0.0.1" << EOM
10.0.0.1 testhost testhostalias
EOM
@@ -218,6 +237,12 @@ check "getent netgroup tstnetgroup" << EOM
tstnetgroup ( , arthur, ) (noot, , )
EOM
+# check netgroup lookup with different case
+# Note: this should return nothing at all (this is a bug)
+check "getent netgroup TSTNETGROUP" << EOM
+TSTNETGROUP
+EOM
+
###########################################################################
echo "test_nsscmds.sh: testing networks..."
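Review bot: This check pins output that its own comment calls a bug, so the suite passes while the defect exists and fails the moment it is fixed. Either expect the empty result and accept a known failure, or mark the block so it is easy to find later, e.g. `# FIXME: expected output must become empty once netgroup lookups are case-sensitive`.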
@@ -226,6 +251,11 @@ check "getent networks testnet" << EOM
testnet 10.0.0.0
EOM
+# check network name with different case
+check "getent networks TESTNET" << EOM
+testnet 10.0.0.0
+EOM
+
check "getent networks 10.0.0.0" << EOM
testnet 10.0.0.0
EOM
@@ -246,6 +276,10 @@ check "getent passwd arthur" << EOM
arthur:x:1000:100:Arthur de Jong:/home/arthur:/bin/bash
EOM
+# check username with different case
+check "getent passwd ARTHUR" << EOM
+EOM
+
check "getent passwd 4089" << EOM
jguzzetta:x:4089:1000:Josephine Guzzetta:/home/jguzzetta:/bin/bash
EOM
@@ -267,6 +301,14 @@ check "getent protocols protfooalias" << EOM
protfoo 140 protfooalias
EOM
+# check protocol with different case
+check "getent protocols PROTFOO" << EOM
+EOM
+
+# test protocol alias with different case
+check "getent protocols PROTFOOALIAS" << EOM
+EOM
+
check "getent protocols 140" << EOM
protfoo 140 protfooalias
EOM
@@ -291,6 +333,10 @@ check "getent rpc rpcfooalias" << EOM
rpcfoo 160002 rpcfooalias
EOM
+# test rpc name with different case
+check "getent rpc RPCFOO" << EOM
+EOM
+
check "getent rpc 160002" << EOM
rpcfoo 160002 rpcfooalias
EOM
@@ -314,6 +360,14 @@ EOM
check "getent services foosrv/udp" << EOM
EOM
+# check with different case
+check "getent services FOOSRV" << EOM
+EOM
+
+# check protocol name case sensitivity (TCP is commonly an alias)
+check "getent services foosrv/tCp" << EOM
+EOM
+
check "getent services 15349/tcp" << EOM
foosrv 15349/tcp
EOM
@@ -339,8 +393,16 @@ barsrv 15350/udp
foosrv 15349/tcp
EOM
+check "getent services sssin" << EOM
+sssin 5000/tcp SSSIN
+EOM
+
+check "getent services SSSIN" << EOM
+sssin 5000/tcp SSSIN
+EOM
+
check "getent services | wc -l" << EOM
-`grep -c '^[^#].' /etc/services | awk '{print $1 + 3}'`
+`grep -c '^[^#].' /etc/services | awk '{print $1 + 4}'`
EOM
###########################################################################
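Review bot: The two `sssin` checks carry no comment, unlike the neighbouring additions, and the count offset changes from 3 to 4 without explanation. A line such as `# SSSIN is an alias of sssin that differs only in case; both spellings must resolve` above the first check, and `# 4 = number of service lines served from LDAP (see test.ldif)` next to the awk expression, would tell the next editor what to update. The figure's meaning is inferred from the change and should be confirmed against the test data.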
@@ -357,6 +419,10 @@ check "getent shadow arthur" << EOM
arthur:*::100:200:7:2::0
EOM
+# check case-sensitivity
+check "getent shadow ARTHUR" << EOM
+EOM
+
# check if the number of passwd entries matches the number of shadow entries
check "getent shadow | wc -l" << EOM
`getent passwd | wc -l`