2004-08-05: started 2004-09-16: add debian stuff to dist tarball 2004-12-16: conf_path is defined as a global in cfg.c. Use that one here. 2006-02-24: - Changes originally from Steve Dickson to fix library logging and debugging. Add externally visible routine to set debugging level and logging routine. Change all warnx() calls to use new IDMAP_LOG macro. - In the umich_ldap code, move calls to ldap_init() and ldap_bind() into a subroutine. Don't do a bind since it isn't necessary for LDAPv3. - Change libtool versioning to reflect interface change. 2006-02-24: Don't use Verbosity from config file. 2006-03-21: - Properly detect error returns from getpwnam_r() and handle them. - Parse and use the "Nobody-User" and "Nobody-Group" entries from the idmapd.conf file. - If a translation fails, always attempt to return information for the "nobody" user or group (as defined above). - Add changes from Daniel Wachdorf . These changes in the umich_ldap code: - allow configurable parameters to map objectclass names and attribute names - allow configurable use of SLL to connect to the LDAP server - allow configuration of a user DN and password to do an authenticated bind to the LDAP server. NOTE: These changes change the way to define an alternate subtree to search for People and Group objects. A full DN should be specified for "LDAP_people_base" or "LDAP_group_base". The *_subtree options are no longer used. - Add an example idmapd.conf file to the distribution (original from Dan). - Minor updates to the libtest program, which is now included in the distribution. 2006-04-20: Don't do "nobody" mapping in the library. Return -ENOENT if unable to do the requested mapping. Caller can then take the appropriate action regarding the mapping failure. 2006-09-05: Patch from Mike Frysinger , to allow libnfsidmap to be built without requiring ldap. 2006-11-02: Patch from Glenn Machin to honor the buffer size in umich_id_to_name() before copying name into buffer. Fix a few memory leaks. 2007-01-19: A patch from Glenn Machin : There is also a problem with a 32 element subgroup. Given that a user can be in 30 to 150 groups here at Sandia we need to have some way to select the groups to use and not just hope the group in the ACE is one of the users first 32. So additional filtering is needed. So attached is a patch to umich_ldap.c and libtest.c which does a number of things. All are controlled via attributes in the idmapd.conf file. Below is an explanation of the features: 1) LDAP_use_memberof_for_groups (default is false) Setting this value to true changes the way umich_gss_princ_to_grouplist() goes about getting subgroup gids from the directory. When set to true the account memberof attributes are used to identify the user's groups, then each group is looked up to get the gid. The idmapd.conf attribute "NFSv4_member_of_attr = memberof" specifies the person attribute to use to get the list of groups. 2) NFSv4_grouplist_filter (default is NULL) This feature allows the admin to add a filter to umich_gss_princ_to_grouplist() when searching for the list of groups. This feature helps with the 32 group subgroup limit. Groups can be tagged with an attribute which this filter can use to restrict the groups to be used by the NFS server. For instance we can tag groups with the attribute snlResource and have values set for specific services and machines. So for example if I set NFSv4_grouplist_filter to the value "(|(snlResource=machine:vmtest1)(snlResource=central_svc:CSTR))" I can restrict the groups to only those groups associated with the machine vmtest1 or the central service CSTR. This speeds up the search when LDAP_use_memberof_for_groups is false. In fact this feature is more valuable than LDAP_use_memberof_for_groups so if you need to pick one to support I would ask you to consider this one. 3) LDAP_timeout_seconds (default is 4) The allows you to change the tv_sec timeout used for the ldapsearch_st calls. 2008-07-30: Changes since libnfsidmap-0.20: The main library has been changed to load "plugin" libraries to perform the mappings. This decouples the main library from any ldap (and sasl, etc.) dependencies. Several translation methods (plugins) may now be specified in the idmapd.conf file. While a plugin returns -ENOENT, the next is called until a mapping is found, or there are no more plugins to try. A "static" mapping plugin from David Härdeman has been added. A "gums" mapping plugin from Olga Kornievskaia has been added. Olga also did most of the work to convert the code to use this new plugin architecture. The interface is changed to add two new functions, nfs4_gss_princ_to_ids_ex(), and nfs4_gss_princ_to_grouplist_ex() which allow extra information to be passed to these mapping functions. 2009-07-29: Changes since libnfsidmap-0.21: From Steve Dickson : Allows mappings to be correct "right out of the box" when DNS is set up correctly and stops idmapper from dying when there is no domain name set. Move the default processing for the "Local-Realm" config option into the main config file processing function and adds missing documentation for the previously added configuration option. From Steve Dickson : Print a debug log message "when the krb5 realm can not be used since it does not match the DNS domain name or the 'Local-Realm' variable defined in /etc/idmad.conf" Move the idmapd.conf manpage from nfs-utils and update it to match the current functionality. 2009-08-26: Changes since libnfsidmap-0.22 (which was never officially announced): From Guillaume Rousse : Changes to install, and look for, the plugin libraries in a separate libnfsidmap directory.