| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
This alleviates some cases where multi-second lag occurs before a query
returns due to some or all connections having been closed by the peer,
e.g. a load balancer timing out old connections, but they are all tried
before opening new connections.
Tested and working on Linux.
|
|
|
|
This uses IP addresses from the RFC 5737 TEST-NET-1 range that is meant
for use in documentation. This avoids issues with running the tests
environments that also use the 10.0.0.0/8 range.
|
|
|
|
This is a small fix for when using nscd (which still does not seem to
work completely). The port is stored in network byte order but should be
printed in host byte order.
|
|
|
|
This fixes 15fc13c.
|
|
This fixes 3d29861.
|
|
This fixes 2274b41.
|
|
|
|
|
|
This command can be used to perform a lookup using getgrouplist() to
present a list of returned numeric group ids. This can be used to avoid
the additional lookups that are done with the id and groups commands.
|
|
This clears most buffers that may hold credentials at one point before
free()ing the memory.
|
|
|
|
|
|
This ensures that controls returned by an LDAP server as part of a
failed BIND operation are also returned. This makes it possible to
distinguish between a wrong password and an expired password.
This also only logs the BIND operation result on DEBUG level (the error
is logged later on).
|
|
|
|
This includes a number of minor changes to the documentation. This also
documents the children search scope (related to 2caeef4).
|
|
This also clears errno in the main function to ensure that no incorrect
errno value is logged on errors.
|
|
|
|
This fixes be94912.
|
|
This adds logging of most cases where a defined buffer is not large
enough to hold provided data on error log level.
|
|
|
|
The buffer size seems to be a problem in environments with long names or
environments with non-ASCII characters.
|
|
I had some edge cases where 64 bytes were not enough. People are using
password managers with long generated passwords. I increased the buffer
size to 128.
|
|
|
|
|
|
This fixes issues with running the tests when using a separate build
directory (fixes ef0eddaa).
|
|
This ensures that configuration file is not world readable when the
tests are run. This avoids test failure for the use of the rootpwmodpw
option.
|
|
This fixes an issue with unsigned values ending up in signed fields and
missing sign extension.
See:
https://bugs.debian.org/739330
|
|
The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when
it needs to try again with a larger buffer.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
|
|
If NSS_STATUS_TRYAGAIN is returned from read_one_hostent or
read_one_netent then fp will be closed and function tio_skipall will be
called with NULL pointer.
It could happend in functions:
_nss_ldap_getnetbyname_r
_nss_ldap_getnetbyaddr_r
_nss_ldap_gethostbyname2_r
_nss_ldap_gethostbyaddr_r
Fixes r548 (aka afd5d9b).
|
|
This maps the gid (gidNumber) to an AD SID for builtin groups when
searching a group by gid (RID) between 544 and 552. In that case the SID
prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but
the BUILTIN SID prefix (1-5-32).
For example, if you add a user to the Administrators builtin group
(S-1-5-32-544), now you should be able to get this group through nslcd,
instead of receiving an error message.
|
|
This adds a test that checks the return value of krb5_is_thread_safe()
to see if krb5 is thread safe (during build) and issues a warning if it
is not.
nslcd does not directly link to krb5 but the library may be loaded (by
GSSAPI) if Kerberos is used to authenticate nslcd to the LDAP server.
|
|
This fixes the detection of DragonFly as requiring the freebsd NSS
interface flavour.
|
|
We read the date into the buffer to the specified length to get it to
the Unix time (i.e. seconds) from its AD value of nanoseconds, then
convert it to days for shadow. If we use date rather than buffer we end
up trying to convert the original nanosecond value.
|
|
This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
group member attribute values to uid attribute values.
This should reduce the number of searches that are required for
expanding group members that use the member attribute.
This mechanism could also be used to extract information on nested
groups but the gains are less clear there.
Not all LDAP servers support this control. In OpenLDAP, load the
(currently undocumented) deref overlay and enable it for the database to
take advantage of this improvement.
There is a functional difference when using this control. Any returned
deferred uid value returned by the LDAP server is accepted as a member.
No checks are performed to see if the user matches the search base and
search filters set for passwd entries.
|
|
This documents the way the deref controls are used.
|
|
This uses information from the deref control (if available) to get the
username for each of the members of the group. Any missing deref member
attribute values will be seen as nested groups and will be traversed if
nested group support is enabled.
|
|
This function looks for deref response controls (LDAP_CONTROL_X_DEREF)
in the entry and returns the information from the dereferenced attribute
in two lists: dereferenced values and attribute values that could not be
dereferenced.
|
|
This changes the group by member searches to not request the member
attributes. This will speed up result parsing by a fraction because less
data is transferred but will also cause the deref control not to be
added to these searches.
|
|
This adds a test for a bug in OpenLDAP that allocated a
LDAP_CONTROL_PAGEDRESULTS control instead of a LDAP_CONTROL_X_DEREF
control.
|
|
This uses the LDAP_CONTROL_X_DEREF control as descibed in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
member attribute values to uid attribute values in order to avoid doing
extra searches.
This control is currently only added for group search by looking for the
member attribute in the search.
|
|
This changes entrye->rangedattributevalues to entry->buffers because the
propery is not only used for ranged attribute values but for anything
that can be freed with free().
|
|
Since we could get arbitrray controls and are only interested in page
controls we ignore failures to find page controls.
|
|
This also changes do_try_search() to support building continued paged
controls and lays the groundwork for adding more search controls.
|
