| Age | Commit message (Collapse) | Author |
|---|
|
This adds logging of most cases where a defined buffer is not large
enough to hold provided data on error log level.
|
|
|
|
The buffer size seems to be a problem in environments with long names or
environments with non-ASCII characters.
|
|
I had some edge cases where 64 bytes were not enough. People are using
password managers with long generated passwords. I increased the buffer
size to 128.
|
|
This maps the gid (gidNumber) to an AD SID for builtin groups when
searching a group by gid (RID) between 544 and 552. In that case the SID
prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but
the BUILTIN SID prefix (1-5-32).
For example, if you add a user to the Administrators builtin group
(S-1-5-32-544), now you should be able to get this group through nslcd,
instead of receiving an error message.
|
|
We read the date into the buffer to the specified length to get it to
the Unix time (i.e. seconds) from its AD value of nanoseconds, then
convert it to days for shadow. If we use date rather than buffer we end
up trying to convert the original nanosecond value.
|
|
This uses information from the deref control (if available) to get the
username for each of the members of the group. Any missing deref member
attribute values will be seen as nested groups and will be traversed if
nested group support is enabled.
|
|
This function looks for deref response controls (LDAP_CONTROL_X_DEREF)
in the entry and returns the information from the dereferenced attribute
in two lists: dereferenced values and attribute values that could not be
dereferenced.
|
|
This changes the group by member searches to not request the member
attributes. This will speed up result parsing by a fraction because less
data is transferred but will also cause the deref control not to be
added to these searches.
|
|
This uses the LDAP_CONTROL_X_DEREF control as descibed in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
member attribute values to uid attribute values in order to avoid doing
extra searches.
This control is currently only added for group search by looking for the
member attribute in the search.
|
|
This changes entrye->rangedattributevalues to entry->buffers because the
propery is not only used for ranged attribute values but for anything
that can be freed with free().
|
|
Since we could get arbitrray controls and are only interested in page
controls we ignore failures to find page controls.
|
|
This also changes do_try_search() to support building continued paged
controls and lays the groundwork for adding more search controls.
|
|
This allows remapping the member attribute to an empty string which
removes support for that attribute. This can reduce the number of search
operations if the attribute is not used.
|
|
|
|
Some pieces of code did not properly free() the value returned by
set_pop().
The leak in group code was related to the introduction of nested group
functionality in 41ba574 (merged in 3daa68d) so should only be present
in releases 0.9.0 forward.
The leak in the netgroup code only ended up in the Solaris version of
the NSS module and was introduced in 4ea9ad1 (merged in 5c8779d). This
leak is present in all releases from 0.8.0 forward.
|
|
This tries to avoid child processes ending up with a copy of the pipe
file descriptor that is used to signal readiness of the daemon.
|
|
This introduces a new daemonize module that provides functions for
closing all file descriptors, redirecting stdin/stdout/stderr to
/dev/null and a function for backgrounding an application while only
exiting the original process after the daemon process has indicated
readiness.
This is used to exit the original process only after the listening
socket has been set up and the worker threads have been started.
|
|
The configuration values are used in the cache to determine positive and
negative hit TTLs. This also allows completely disabling the cache.
|
|
This adds the cache nslcd.conf configuration option to configure the
dn2uid cache in nslcd with a positive and negative cache lifetime.
|
|
The positive value determines the time a found entry is valid, the
negative timeout determines the lifetime of not found entries.
|
|
This fixes 2caeef4.
|
|
Common buffer sizes are now stored centrally so it can be easily and
consistently updated if required. Some buffers remain with locally
defined sizes that do not match a global buffer size.
|
|
This includes a number of small fixes for issues that were formerly
masked by the incorrect AC_LANG_PROGRAM check.
|
|
This provides compatibility definitions for systems that don't have
these functions (some Solaris flavours).
|
|
This causes the pidfile to be written as the first thing after
daemonising nslcd to minimise the race between service script completion
and pidfile being locked.
|
|
This also invalidates the caches configured with reconnect_invalidate on
the first successful search. This should handle the case more gracefully
where caches were filled with negative hits before nslcd was running.
|
|
This allows more search bases which may be useful in some environments.
|
|
By using bigger write buffers in nslcd we reduce the number of writes in
nslcd and consequently the number of reads in the NSS and PAM modules
for bigger responses.
This reduces the number of system calls that are made during a request
and brings a small performance improvement that is mainly measurable in
the NSS module. A measurement showed 30-80% reduction in the number of
system calls in the NSS module and around 10% reduction in CPU usage
(CPU time, only small reduction in wallclock time).
Thanks John Sullivan for pointing this out.
|
|
See:
https://bugzilla.redhat.com/show_bug.cgi?id=1003011
|
|
With the smaller buffers some password hashes would be truncated.
|
|
|
|
|
|
This implements and documents handling of the SIGUSR1 signal in nslcd to
reset the reconnect_sleeptime and reconnect_retrytime timers to re-check
availability of the LDAP server.
|
|
This implemens a myldap_immediate_reconnect() function that resets the
reconnect timer to retry failing connections to the LDAP server upon the
next search.
This can be used to cut the reconnect_sleeptime and reconnect_retrytime
sleeping periodss short if we have some indication that the LDAP server
is available again.
|
|
This also returns everything except the password hash from the shadow
database to non-root users (nothing was returned before). This allows
non-root users to do PAM authentication in some configurations.
On some systems there is a setgid executable that is allowed to read
/etc/shadow for authentication by e.g. screensavers. Returning no shadow
information will cause pam_unix to deny authorisation in common
configurations.
See:
http://bugs.debian.org/706913
|
|
|
|
|
|
This fixes a few typos and an omission in the configuration file parsing
code.
|
|
This also renames the internal nscd module to invalidator for both nslcd
and pynslcd. The new invalidator module is now no longer nscd-specific.
|
|
This introduces an nfsidmap value for nscd_invalidate which will cause
the nfsidmap -c command to be run.
|
|
|
|
|
|
This is currently limited to supporting modification of the homeDirectory and
loginShell attributes.
Modifications as root currently use the rootpwmoddn and rootpwmodpw options.
|
|
|
|
This option can be used in both nslcd and pynslcd to enable recursive group
member lookups. By default the functionality is disabled. This also updates
the documentation.
|
|
This differs from the code provided by Steve Hill in that it avoids
(recursively) performing parallel LDAP searches by queueing groups and check
for extra members per queued group (in the forward lookup) or check for extra
parents (for the user to groups lookup).
For the reverse lookup handling the NSLCD_HANDLE macro could no longer be used
because extra care should be taken to free the sets before returning and two
search phases are needed.
|
|
This was part of a bigger change to implement nested groups, however most of
the other parts were re-implemented differently.
For the original changes, see:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2013/msg00034.html
|
|
|
|
|
