$Id: ChangeLog,v 1.213 2007/03/03 07:12:01 lukeh Exp $ =============================================================== 184 Luke Howard * fix for BUG#312: pam_ldap does not try to reconnect when LDAP server closed the connection 183 Luke Howard * fix for BUG#291: don't suppress password policy errors which should not be suppressed 182 Luke Howard * fix for BUG#269: compile time error in call to ldap_sasl_interactive_bind_s() 181 Luke Howard * fix for BUG#256: don't send password policy request control if pam_lookup_policy no specified * fix for BUG#254: check gethostbyname() result * fix for BUG#237: typo in ldap_get_lderrno() implementation * fix for BUG#207: if ldap_start_tls_s() fails return PAM_AUTHINFO_UNAVAIL * fix for BUG#261: sslpath example wrong * fix for BUG#268: POLICY_ERROR_CHANGE_AFTER_RESET should be handled as POLICY_ERROR_PASSWORD_EXPIRED, other password policy errors to be treated as fatal 180 Luke Howard * from Peter Marschall : manual page installation fix * fix for BUG#210: use start_tls on referrals if configured to do so * when handling new password policy control, only fall through to account management module if a policy error was returned (CERT VU#778916) 179 Luke Howard * more manual page updates 178 Luke Howard * manual page updates 177 Luke Howard * fix for BUG#188: better documentation for OpenLDAP SSL options * add manual page 176 Luke Howard * fix for compilation with Netscape SDK 175 Luke Howard * fix BUG#182: don't send old password in exop password change unless pam_password is exop_send_old 174 Luke Howard * fix typo s/intereact/interact 173 Luke Howard * s/pam_sasl_mechanism/pam_sasl_mech/ for consistency with OpenLDAP ldap.conf 172 Luke Howard * preliminary SASL bind support 171 Luke Howard * use correct AIX link flags even if --with-ldap-dir is not specified 170 Luke Howard * sync ldap.conf with nss_ldap * AIX 5.2 port 169 Luke Howard * include password policy schema file * preliminary support for draft-behera-ldap-password-policy-07.txt 168 Luke Howard * define LDAP_DEPRECATED for compiling with OpenLDAP 2.2 * send old password when calling password change extended operation: if the password had expired the user may not be bound and so relying on the LDAP connection to be authenticated is unwise 167 Luke Howard * fix compilation error on Solaris 9 166 Luke Howard * fix signed/unsigned comparison issues * merge in LDAP debug patch from Howard Chu * fix BUG#126 (updating shadowLastChange) 165 Luke Howard * fix BUG#142 * don't set LDAP_OPT_X_TLS_REQUIRE_CERT if not specified in configuration file 164 Luke Howard * fix typo in ldapns.schema (!) 163 Luke Howard * fix typo in authorizedService patch * add ldapns.schema for authorizedServiceObject and hostObject 162 Luke Howard * support for service-based authorization (based on patch from Manon Goo) * add ignore_authinfo_unavail flag * pam_filter works again 161 Luke Howard * fix from Thorsten Kukuk (SuSE) to handle scope-less nss_base_passwd configuration 160 Luke Howard * AD password change fix * fix from Thorsten Kukuk (SuSE) to handle aborted password changes 159 Luke Howard * updated version information 158 Luke Howard * support for multiple service search descriptors from Symas 157 Luke Howard * BUG#120 feature: pam_password_prohibit_message * fix for BUG#105 * removed static function prototypes from pam_ldap.h * check for libnsl 156 Luke Howard * fix for bug #119 155 Luke Howard * proper for for non-experimental password change exop; broke compiling with older SDKs 154 Luke Howard * fix for bug #115 * PWEXPIRED fix from Howard Chu 153 Luke Howard * support non-experimental password change exop * patch from Howard Chu to use linker grouping on Solaris 152 Luke Howard * fix build breakage with OpenLDAP HEAD 151 Luke Howard * HP-UX port * import dlfcn.h on Solaris with Netscape SDK * export required symbols only on Linux, HP-UX, Darwin 150 Luke Howard * added depcomp for new automake 149 Luke Howard * OS X build fix * alias for RACF password changing * use LDAP_MOD_ADD when changing NDS passwords rather than LDAP_MOD_REPLACE; NDS documentation indicates that this should work, and this is required for RACF. * BUG#101: should build with recent automake/autoconf 148 Luke Howard * check for Netscape SDK without SSL; don't require pthreads for these 147 Luke Howard * make shadow.lstchg default -1 to not force password change when now shadow information present 146 Luke Howard * fix for BUG#91 / Debian Bug #144175: adhere to convention of the last change of the password being on the Unix Epoch implying a forced password change, and fix error propagation with expiring passwords 145 Luke Howard * patch for building on OpenLDAP 1.x from Nalin at RedHat 144 Luke Howard * avoid use of temporary variable when reporting non-existent configuration file; fix for local format string vulnerability reported at: http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html * log correct configuration file name when reporting missing "host" directive 143 Luke Howard * specify runtime path for LDAP library correctly to native Solaris linker 142 Luke Howard * use native linker on Solaris 141 Luke Howard * support for headers in /usr/include/pam (Darwin) * integrated fix for BUG#79 140 Luke Howard * further fix for recall #8362: do not turn all users into template users 139 Luke Howard * fix for recall #8362: support template users when try_first_pass succeeds 138 Luke Howard * when flushing cached session data, check to see whether the application has requested a different configuration file due to a changed service 137 Luke Howard * treat exceeded time and size limits as a successful return code; we may still have a single entry back. * BUG#77: make configuration file paths configurable 136 Luke Howard * module stack fixes from Thorsten Kukuk 135 Luke Howard * revert UID check to getuid() per patch from Erich Schneider 134 Luke Howard * per suggest from Bill Welliver, check for effective UID being 0, not real UID * added ber_free() after ber_flatten() in extended operation password changing code 133 Luke Howard * Patch from Ed Golden for group_dn: set error code correctly 132 Luke Howard * Patch from Bob Guo to discard trailing whitespace in configuration file 131 Luke Howard * allow "*" wildcard value to be present in host attribute * added ignore_unknown_user option to all module functions; if the user could not be found and this option is set, PAM_IGNORE will be returned instead of PAM_USER_UNKNOWN 130 Luke Howard * don't return PAM_AUTH_ERR for authorization errors; return PAM_PERM_DENIED * reverted patch in pam_ldap-114: if a user doesn't exist in LDAP, pam_sm_acct_mgmt() returns PAM_IGNORE, rather than PAM_SUCCESS. * HEADS UP: in default configuration, disable checking the host attribute. This must now be manually enabled with pam_check_host_attr in ldap.conf. * HEADS UP: if checking the host attribute is enabled, and a user does not have any values for the host attribute, do not allow them to login. This avoids the ugly situation of having to add a dummy, invalid value for the host attribute for users that were not allowed to login to any host. 129 Luke Howard * don't return PAM_SYSTEM_ERR for LDAP-related errors * return PAM_AUTHINFO_UNAVAIL for directory-related (but not configuration-related) errors so that stacking modules will work properly (thanks to Brian Nelson for pointing this out) 127 Luke Howard * fixed segfault bug if nss_base_passwd contains a scope but no filter (BUG#69) 126 Luke Howard * fixed rebind prototype in pam_ldap.h for new OpenLDAP client library 125 Luke Howard * added ldap.conf stanza for AIX * added configurable checking host host attribute (pam_check_host_attr in ldap.conf) 124 Luke Howard * note in ldap.conf that the default encryption scheme for changing passwords is none (let the server do it) (BUG#65) * pass NULL as session handle for SSL options; they are set globally 123 Luke Howard * support for new OpenLDAP rebind procedure * do not try to open /etc/ldap.secret unless root * use LDAP_OPT_NETWORK_TIMEOUT if available 122 Luke Howard * make buildable with Sun's C compiler 121 Luke Howard * escape username only, not entire filter 120 Luke Howard * escape search filter to avoid wildcards etc * put prototypes back in, where did they go? 119 Luke Howard * with password change exop, use bind password not encoded old password for old password * added --disable-ssl option to configure for Debian * patch from Helmut Wirth to allow only a URI to be specified. * only set SSL options if we have values for those options 118 Luke Howard * in _set_ssl_options(), apply the options actually to the current session not a NULL pointer (which apparently worked with ldap_pvt_tls_set_option()) 117 Luke Howard * do not strdup a NULL pointer if we are root when changing passwords 116 Luke Howard * make sure old authentication token is zeroed out before freeing (now that we are storing the old authentication token privately) 115 Luke Howard * fix for updating passwords (consistent for Linux/Solaris) 114 Luke Howard * patch from Brian Nelson ; if a user doesn't exist in LDAP, then make pam_sm_acct_mgmt() return PAM_SUCCESS * another patch for correctly updating passwords on Solaris (which doesn't do preliminary password changing the same was as Linux-PAM) 113 Luke Howard * don't use ldap_pvt_tls_set_option(); it is private API 112 Luke Howard * SSL fix 111 Luke Howard * further patch from Tero to fix chfn/chsh * further patch from Jarkko for TLS/SSL using OpenLDAP: support for LDAPS, cipher suite selection, client key/cert authentication 110 Luke Howard * build on Mac OS X FCS; configure --libdir=/Library (this will only work properly on HFS+ volumes) 109 Luke Howard * patch from Tero Pelander for testing scope in nss_base_passwd * patch from Jarkko Turkulainen for client side certificate support 108 Luke Howard * patch from Thorsten Kukuk : The problem: pam_ldap does not abort in the second pam_sm_chauthtok call, if we really change the password and the user does not exist in the LDAP database (tested with pam_ldap-105 and pam_ldap-107). 107 Luke Howard * s/HAVE_LDAP_SET_REBIND_PROC_ARGS/LDAP_SET_REBIND_PROC_ARGS/ (typo causing prototype mismatch) 106 Luke Howard * URI support * cleaned up some warnings with older client libraries 105 Luke Howard * check for HAVE_LDAP_{SET,GET}_OPTION always 104 Luke Howard * check for ldap_set_option(), as LDAP_OPT_REFERRALS is defined for OpenLDAP 1.x but without the ldap_set_option() function 103 Luke Howard * patch from Thomas Noel to handle shadow expiry properly 102 Luke Howard * define macros LDAP_OPT_{OFF,ON} if not defined * make SECSPERDAY 86400LL 101 Luke Howard * fix uninitialized variable * retrieve password policy on actual password change, may not have been done if we were root. 100 Luke Howard * use -rpath on all platforms except Solaris, not just Linux 99 Luke Howard * use -shared not --shared * compile with -DPIC on FreeBSD 98 Luke Howard * merged ldap.conf 97 Luke Howard * %configure -> ./configure 96 Luke Howard * put some meaningful content in AUTHORS * new spec file from Joe Little 95 Luke Howard * add files for automake happiness 94 Luke Howard * default to LDAP protocol version 3 * documented exop in README * link on Solaris with -M mapfile * Solaris link with -Wl; will work with gcc only, I think * use sysconfdir, not etcdir 93 Luke Howard * made PAM_CLEAR the default for pam_password, as was originally the case. Don't break existing configurations! 92 Luke Howard * support for OpenLDAP password change extended operation, if available. Enable with pam_password exop in ldap.conf 91 Luke Howard * centralized authtok update code. The pam_crypt, pam_ad_passwd, and pam_nds_passwd configuration file keys are deprecated; instead the following configuration file key will be used: pam_password [clear|crypt|md5|nds|ad] See README for more information. (NB: The pam_crypt will continue to work so as to not compromise existing deployments.) 90 Luke Howard * support for correct rebind function prototype with OpenLDAP SDK 89 Luke Howard * support for connection timeout in Netscape SDK 88 Luke Howard * support for "referrals" and "restart" in ldap.conf * don't use ldap_perror() for logging TLS errors * optionally get scope/filter from "nss_base_passwd" value * accept on/yes/true for boolean configuration keys 87 Luke Howard * support for "timelimit" and "bind_timelimit" in ldap.conf * use "nss_base_passwd" for search base preferentially to "base" * fixed code order bug in setting TLS option; introduced by patch in pam_ldap-86 86 Luke Howard * patches from Norbert Klasen: * activate either Start TLS or LDAPS with OpenLDAP 2.x using "ssl start_tls" or "ssl yes" respectively in ldap.conf * Active Directory password changing 85 Luke Howard * patches from David Begley: * note about using --with-ldap-lib=netscape4 * patch to configure (regenerated from configure.in) * note about using gnumake * linking with lib{plc,plds,nspr}3 libraries for 4.1x Netscape SDK * use -G not --shared when building shared libraries on Solaris 84 Luke Howard * fixed typo in pam_ldap.c 83 Luke Howard * patch from nalin@redhat.com for StartTLS, enforce V3 * fixed up indenting * patch from David Begley to check for netscape4.1 lib 82 Luke Howard * s/conffile/config; forgot to patch properly 81 Luke Howard * use MAXPATHLEN instead of PATH_MAX; pam_ldap-80 failed on Solaris 80 Luke Howard * added support for configurable configuration files; you can now specify an alternate configuration file using the config= parameter in pam.conf. This patch was provided by scremer@dohle.com * added Solaris-specific linker flag patch from David Begley 79 Luke Howard * updated shipables for RC 78 Luke Howard * updated prebuild step for RC 77 Luke Howard * renamed _authenticate() to _do_authentication() to avoid name conflict with ONC RPC headers 76 Luke Howard * fixes to configure from David Begley; detect LDAP client libraries properly * fix to Makefile.am from David Begley; don't delete nss_ldap library on uninstall 75 Luke Howard * updated README with Solaris crypt(3) FAQ 74 Luke Howard * fixed support for NDS password changing, from Petr Olivka 73 Luke Howard * added support for OpenLDAP start TLS, from Alex Schlessinger 72 Luke Howard * added nasty_ssl_hack() constructor; this dlopens ourself so that we always remain loaded, and ssl_initialized is set across invocations of PAM. Probably the path should not be hardcoded but sourced from config.h. 71 Luke Howard * call ldapssl_client_init() once only (this doesn't have the desired effect because PAM unloads the library after pam_end() is called) 70 Luke Howard * in rebind proc, check session->info != NULL * in rebind proc, check {user,bind}{dn,pw} != NULL 68 Luke Howard * initialize tmplattr/tmpluser fields 67 Luke Howard * check _authenticate() return code before setting template user 66 Luke Howard * ypldapd locator support is now a configure option 65 Luke Howard * set shadowLastChange silently (allow it to fail) 64 Luke Howard * more consistent log messages (removed brackets) * set uid to nobody if unreadable from directory * support template users so users can login with a name without a local POSIX account. * PAM_AUTHTOK_RECOVERY_ERR (not ...RECOVER_ERR) on Soalris 63 Luke Howard * return PAM_MAXTRIES if number of tries exceeded 62 Luke Howard * new spec file from Dan Berry 61 Luke Howard * patch from norbert.klasen@zdv.uni-tuebingen.de (bug); was logging plaintext password in pam_ldap.c * log pam_strerror() not integer status code 60 Luke Howard * patch from Jungle Lin@judicial.gov.tw to fix logic bug in pam_sm_chauthtok() 59 Luke Howard * fixed some assumptions in chsh/chfn, need to look further at this though 58 Tom Lear * Debian bug #64217: remove redunant code in pam_ldap.c * Debian bug #64220: add minuid and maxuid parameters * Debian bug #65295: chsh/chfn implementation 55 Doug Nazar * md5 crypt support * rootbinddn support * rebind support for openldap * async ldap calls for bind * use_authtok support * autoconf/automake support 51 Luke Howard * updated spec file 50 Luke Howard * more patches from Scott Balneaves * use PAM_NEW_AUTHTOK_REQD instead of PAM_AUTHTOK_REQD * return PAM_SUCCESS for pam_sm_open_session() * reorganization of shadow code 49 Luke Howard * more patches from Scott Balneaves; now just check for shadow expiry date rather than shadowAccount object class * added deref parameter to ldap.conf for parity with OpenLDAP 48 Luke Howard * added patch from Scott Balneaves to read shadowAccount attributes 47 Luke Howard * removed _connect_anonymously() clause when updating shadowLastChange 46 Luke Howard * incorporated new spec file 44 Luke Howard * incorporated patch for shadowLastChange attribute 40 Luke Howard * added support for NDSv8 password changing (this is experimental) 39 Luke Howard * added some comments in Make.defs about different SDKs 38 Luke Howard * fixed typo in pam.d/ssh 37 Luke Howard * merged in BUG#37 branch * added Makefile.freebsd 36.BZ37.6 Luke Howard * updated ChangeLog (this file) 36.BZ37.5 Luke Howard * included FreeBSD porting fixes 36.BZ37.4 Luke Howard * send user credentials of bound_as_user is set, rather than if userpw != NULL 36.BZ37.3 Luke Howard * drop userpw if it is already set 36.BZ37.2 Luke Howard * fixed reordered include to compile properly 36.BZ37.1 Luke Howard * patch release with possible fix for BUG#37, where user credentials were not being forwarded to referred servers (whilst password changing) 36 Luke Howard * added -lresolv to library search path * incorporated stein@terminator.net's patches for RPM builds 35 Luke Howard * put /usr/ucblib back in linker search path on Solaris 33 Luke Howard * fixed pam_ldap.c to support compiling against an API which conforms to draft-ietf-ldapext-ldap-c-api-02.txt. Should make it easier to work with OpenLDAP 2. Netscape specific extensions are guarded with NETSCAPE_API_EXTENSIONS. 30 Luke Howard * fixed Make.defs for linking against OpenLDAP libldap (recall #279) * more SSL stuff 28 Luke Howard * added patch from gero@faveve.uni-stuttgart.de for parsing of ldap.conf with tabs * various patches hopefully to get SSL to work 27 Luke Howard * fix for recall 256: free() smasher 26 Luke Howard * added commented out flags for non-V3 SDKs 25 Luke Howard * removed ucblib search path 24 Luke Howard * compile with -D_REENTRANT and link against -lpthread to satisfy dependancies in libldapssl30. (BUG#7) 23 Luke Howard * no longer use LDAP_VERSION3 to select API (BUG#6) 21 Luke Howard * added rebind function * various stuff for RC added * broke out makefiles * ldap.conf keys case-insensitive for compat with OpenLDAP 17 Luke Howard * force users to change passwords if their account has expired * updated mapfile for Solaris 14 Luke Howard * fall back to /etc/ldap.conf if ypldapd is configured for configuration lookup * fixed up pam.conf 13 Luke Howard * added -lcrypt for Linux 12 Luke Howard * Use ldap_open() for V2 as ldap_init() doesn't work * Support hashing passwords locally for UMich crypt patched server * Tested against Microsoft Exchange Server * Fixed some errors in ldap.conf and mapfile 11 Luke Howard * Added support for group membership as in Chris' pam_ldap_auth module; see the pam_groupdn and pam_group_attribute configuration keys. * Changed pam_attribute to pam_login_attribute to avoid confusion with pam_group_attribute. * Support Netscape password expiration controls * Avoid authenticating users with empty passwords, even if the directory server does * Fill in pam_sm_{open,close}_session for completeness (they return PAM_IGNORE) 10 Luke Howard * tested with Linux-PAM 0.57 * made all functions static * added prototypes * LDAP connections can be persistent over an entire PAM session through the use of pam_set_data() and pam_get_data() * fixed some bugs 9 Luke Howard * first publically available version.