File: ChangeLog

libpam-ldap 140-1
  • area: main
  • in suites: woody
  • size: 644 kB
  • ctags: 271
  • sloc: ansic: 3,168; sh: 2,267; perl: 156; makefile: 67
$Id: ChangeLog,v 1.140 2002/03/06 08:46:49 lukeh Exp $
===============================================================

140	Luke Howard <lukeh@padl.com>

	* further fix for recall #8362: do not turn
	  all users into template users

139	Luke Howard <lukeh@padl.com>

	* fix for recall #8362: support template users 
	  when try_first_pass succeeds

138	Luke Howard <lukeh@padl.com>

	* when flushing cached session data, check to see
	  whether the application has requested a different
	  configuration file due to a changed service

137	Luke Howard <lukeh@padl.com>

	* treat exceeded time and size limits as a successful
	  return code; we may still have a single entry back.
	* BUG#77: make configuration file paths configurable

136	Luke Howard <lukeh@padl.com>

	* module stack fixes from Thorsten Kukuk

135	Luke Howard <lukeh@padl.com>

	* revert UID check to getuid() per patch from
	  Erich Schneider
	
134	Luke Howard <lukeh@padl.com>

	* per suggestion from Bill Welliver, check for
	  effective UID being 0, not real UID
	* added ber_free() after ber_flatten() in 
	  extended operation password changing code

133	Luke Howard <lukeh@padl.com>

	* Patch from Ed Golden for group_dn: set error
	  code correctly

132	Luke Howard <lukeh@padl.com>

	* Patch from Bob Guo to discard trailing whitespace
	  in configuration file

131	Luke Howard <lukeh@padl.com>

	* allow "*" wildcard value to be present in host
	  attribute
	* added ignore_unknown_user option to all module
	  functions; if the user could not be found and this
	  option is set, PAM_IGNORE will be returned instead
	  of PAM_USER_UNKNOWN

130	Luke Howard <lukeh@padl.com>

	* don't return PAM_AUTH_ERR for authorization errors;
	  return PAM_PERM_DENIED
	* reverted patch in pam_ldap-114: if a user doesn't
	  exist in LDAP, pam_sm_acct_mgmt() returns
	  PAM_IGNORE, rather than PAM_SUCCESS.
	* HEADS UP: in default configuration, disable checking
	  the host attribute. This must now be manually
	  enabled with pam_check_host_attr in ldap.conf.
	* HEADS UP: if checking the host attribute is
	  enabled, and a user does not have any values for
	  the host attribute, do not allow them to login.
	  This avoids the ugly situation of having to add
	  a dummy, invalid value for the host attribute for
	  users that were not allowed to login to any host.

129	Luke Howard <lukeh@padl.com>

	* don't return PAM_SYSTEM_ERR for LDAP-related errors
	* return PAM_AUTHINFO_UNAVAIL for directory-related
	  (but not configuration-related) errors so that
	  stacking modules will work properly (thanks to
	  Brian Nelson <bnelson@cis.ysu.edu> for pointing this
	  out)

127	Luke Howard <lukeh@padl.com>

	* fixed segfault bug if nss_base_passwd contains
	  a scope but no filter (BUG#69)

126	Luke Howard <lukeh@padl.com>

	* fixed rebind prototype in pam_ldap.h for new
	  OpenLDAP client library

125	Luke Howard <lukeh@padl.com>

	* added ldap.conf stanza for AIX
	* added configurable checking of host attribute
	  (pam_check_host_attr in ldap.conf)

124	Luke Howard <lukeh@padl.com>

	* note in ldap.conf that the default encryption
	  scheme for changing passwords is none (let
	  the server do it) (BUG#65)
	* pass NULL as session handle for SSL options;
	  they are set globally

123	Luke Howard <lukeh@padl.com>

	* support for new OpenLDAP rebind procedure
	* do not try to open /etc/ldap.secret unless root
	* use LDAP_OPT_NETWORK_TIMEOUT if available

122	Luke Howard <lukeh@padl.com>

	* make buildable with Sun's C compiler

121	Luke Howard <lukeh@padl.com>

	* escape username only, not entire filter

120	Luke Howard <lukeh@padl.com>

	* escape search filter to avoid wildcards etc
	* put prototypes back in, where did they go?

119	Luke Howard <lukeh@padl.com>

	* with password change exop, use bind password not encoded
	  old password for old password
	* added --disable-ssl option to configure for Debian
	* patch from Helmut Wirth <wirth@bison-soft.de> to allow
	  only a URI to be specified.
	* only set SSL options if we have values for those options

118	Luke Howard <lukeh@padl.com>

	* in _set_ssl_options(), apply the options actually to
	  the current session not a NULL pointer (which apparently
	  worked with ldap_pvt_tls_set_option())

117	Luke Howard <lukeh@padl.com>

	* do not strdup a NULL pointer if we are root
	  when changing passwords

116	Luke Howard <lukeh@padl.com>

	* make sure old authentication token is zeroed
	  out before freeing (now that we are storing the
	  old authentication token privately)

115	Luke Howard <lukeh@padl.com>

	* fix for updating passwords (consistent for Linux/Solaris)

114	Luke Howard <lukeh@padl.com>

	* patch from Brian Nelson <bnelson@cis.ysu.edu>; if
	  a user doesn't exist in LDAP, then make pam_sm_acct_mgmt()
	  return PAM_SUCCESS
	* another patch for correctly updating passwords on
	  Solaris (which doesn't do preliminary password changing
	  the same way as Linux-PAM)

113	Luke Howard <lukeh@padl.com>

	* don't use ldap_pvt_tls_set_option(); it is private API

112	Luke Howard <lukeh@padl.com>

	* SSL fix

111	Luke Howard <lukeh@padl.com>

	* further patch from Tero to fix chfn/chsh
	* further patch from Jarkko for TLS/SSL using
	  OpenLDAP: support for LDAPS, cipher suite
	  selection, client key/cert authentication

110	Luke Howard <lukeh@padl.com>

	* build on Mac OS X FCS; configure --libdir=/Library
	  (this will only work properly on HFS+ volumes)

109	Luke Howard <lukeh@padl.com>

	* patch from Tero Pelander <tpeland@tkukoulu.fi> for
	  testing scope in nss_base_passwd
	* patch from Jarkko Turkulainen <jt@wapit.com> for client
	  side certificate support

108	Luke Howard <lukeh@padl.com>

	* patch from Thorsten Kukuk <kukuk@suse.de>:
	  The problem: pam_ldap does not abort in the second
	  pam_sm_chauthtok call, if we really change the password
	  and the user does not exist in the LDAP database (tested
	  with pam_ldap-105 and pam_ldap-107).

107	Luke Howard <lukeh@padl.com>

	* s/HAVE_LDAP_SET_REBIND_PROC_ARGS/LDAP_SET_REBIND_PROC_ARGS/
	  (typo causing prototype mismatch)

106	Luke Howard <lukeh@padl.com>

	* URI support
	* cleaned up some warnings with older client 
	  libraries

105	Luke Howard <lukeh@padl.com>

	* check for HAVE_LDAP_{SET,GET}_OPTION always

104	Luke Howard <lukeh@padl.com>

	* check for ldap_set_option(), as LDAP_OPT_REFERRALS
	  is defined for OpenLDAP 1.x but without the
	  ldap_set_option() function

103	Luke Howard <lukeh@padl.com>

	* patch from Thomas Noel to handle shadow
	  expiry properly

102	Luke Howard <lukeh@padl.com>

	* define macros LDAP_OPT_{OFF,ON} if
	  not defined
	* make SECSPERDAY 86400LL

101	Luke Howard <lukeh@padl.com>

	* fix uninitialized variable
	* retrieve password policy on actual password
	  change, may not have been done if we were root.

100	Luke Howard <lukeh@padl.com>

	* use -rpath on all platforms except Solaris,
	  not just Linux

99	Luke Howard <lukeh@padl.com>

	* use -shared not --shared
	* compile with -DPIC on FreeBSD

98	Luke Howard <lukeh@padl.com>

	* merged ldap.conf

97	Luke Howard <lukeh@padl.com>

	* %configure -> ./configure

96	Luke Howard <lukeh@padl.com>

	* put some meaningful content in AUTHORS
	* new spec file from Joe Little

95	Luke Howard <lukeh@padl.com>

	* add files for automake happiness

94 	Luke Howard <lukeh@padl.com>

	* default to LDAP protocol version 3
	* documented exop in README
	* link on Solaris with -M mapfile
	* Solaris link with -Wl; will work with
	  gcc only, I think
	* use sysconfdir, not etcdir

93	Luke Howard <lukeh@padl.com>

	* made PAM_CLEAR the default for pam_password,
	  as was originally the case. Don't break
	  existing configurations!

92	Luke Howard <lukeh@padl.com>

	* support for OpenLDAP password change extended
	  operation, if available. Enable with 

		pam_password exop

	  in ldap.conf

91	Luke Howard <lukeh@padl.com>

	* centralized authtok update code. The pam_crypt,
	  pam_ad_passwd, and pam_nds_passwd configuration
	  file keys are deprecated; instead the following
	  configuration file key will be used:

		pam_password [clear|crypt|md5|nds|ad]

	  See README for more information. (NB: The
	  pam_crypt will continue to work so as to not
	  compromise existing deployments.)

90	Luke Howard <lukeh@padl.com>

	* support for correct rebind function prototype
	  with OpenLDAP SDK

89	Luke Howard <lukeh@padl.com>

	* support for connection timeout in Netscape SDK

88	Luke Howard <lukeh@padl.com>

	* support for "referrals" and "restart" in
	  ldap.conf
	* don't use ldap_perror() for logging TLS errors
	* optionally get scope/filter from 
	  "nss_base_passwd" value
	* accept on/yes/true for boolean configuration
	  keys

87	Luke Howard <lukeh@padl.com>

	* support for "timelimit" and "bind_timelimit" in 
	  ldap.conf
	* use "nss_base_passwd" for search base preferentially
	  to "base"
	* fixed code order bug in setting TLS option;
	  introduced by patch in pam_ldap-86

86	Luke Howard <lukeh@padl.com>

	* patches from Norbert Klasen:
	* activate either Start TLS or LDAPS with
	  OpenLDAP 2.x using "ssl start_tls" or
	  "ssl yes" respectively in ldap.conf
	* Active Directory password changing

85	Luke Howard <lukeh@padl.com>

	* patches from David Begley:
	* note about using --with-ldap-lib=netscape4
	* patch to configure (regenerated from configure.in)
	* note about using gnumake
	* linking with lib{plc,plds,nspr}3 libraries for
	  4.1x Netscape SDK
	* use -G not --shared when building shared
	  libraries on Solaris

84	Luke Howard <lukeh@padl.com>

	* fixed typo in pam_ldap.c

83	Luke Howard <lukeh@padl.com>

	* patch from nalin@redhat.com for StartTLS,
	  enforce V3
	* fixed up indenting
	* patch from David Begley to check for netscape4.1 lib

82	Luke Howard <lukeh@padl.com>

	* s/conffile/config; forgot to patch properly

81	Luke Howard <lukeh@padl.com>

	* use MAXPATHLEN instead of PATH_MAX; pam_ldap-80
	  failed on Solaris

80	Luke Howard <lukeh@padl.com>

	* added support for configurable configuration files;
	  you can now specify an alternate configuration file
	  using the config= parameter in pam.conf. This patch
	  was provided by scremer@dohle.com
	* added Solaris-specific linker flag patch from
	  David Begley

79	Luke Howard <lukeh@padl.com>

	* updated shipables for RC

78	Luke Howard <lukeh@padl.com>

	* updated prebuild step for RC

77	Luke Howard <lukeh@padl.com>
	
	* renamed _authenticate() to _do_authentication()
	  to avoid name conflict with ONC RPC headers

76	Luke Howard <lukeh@padl.com>

	* fixes to configure from David Begley;
	  detect LDAP client libraries properly
	* fix to Makefile.am from David Begley;
	  don't delete nss_ldap library on uninstall

75	Luke Howard <lukeh@padl.com>

	* updated README with Solaris crypt(3) FAQ

74	Luke Howard <lukeh@padl.com>

	* fixed support for NDS password changing,
	  from Petr Olivka <Petr.Olivka@vsb.cz>

73	Luke Howard <lukeh@padl.com>

	* added support for OpenLDAP start TLS, from
	  Alex Schlessinger <alex@hq.workspot.com>

72	Luke Howard <lukeh@padl.com>

	* added nasty_ssl_hack() constructor; this
	  dlopens ourself so that we always remain
	  loaded, and ssl_initialized is set across
	  invocations of PAM. Probably the path should
	  not be hardcoded but sourced from config.h.

71	Luke Howard <lukeh@padl.com>

	* call ldapssl_client_init() once only (this doesn't
	  have the desired effect because PAM unloads the
	  library after pam_end() is called)

70	Luke Howard <lukeh@padl.com>

	* in rebind proc, check session->info != NULL
	* in rebind proc, check {user,bind}{dn,pw} != NULL

68	Luke Howard <lukeh@padl.com>

	* initialize tmplattr/tmpluser fields

67	Luke Howard <lukeh@padl.com>

	* check _authenticate() return code before setting
	  template user

66	Luke Howard <lukeh@padl.com>

	* ypldapd locator support is now a configure option

65	Luke Howard <lukeh@padl.com>

	* set shadowLastChange silently (allow it to fail)

64	Luke Howard <lukeh@padl.com>

	* more consistent log messages (removed brackets)
	* set uid to nobody if unreadable from directory
	* support template users so users can login with
	  a name without a local POSIX account.
	* PAM_AUTHTOK_RECOVERY_ERR (not ...RECOVER_ERR) 
	  on Solaris

63	Luke Howard <lukeh@padl.com>

	* return PAM_MAXTRIES if number of tries exceeded

62	Luke Howard <lukeh@padl.com>

	* new spec file from Dan Berry

61	Luke Howard <lukeh@padl.com>

	* patch from norbert.klasen@zdv.uni-tuebingen.de (bug);
	  was logging plaintext password in pam_ldap.c
	* log pam_strerror() not integer status code

60	Luke Howard <lukeh@padl.com>

	* patch from Jungle Lin@judicial.gov.tw to fix
	  logic bug in pam_sm_chauthtok()

59	Luke Howard <lukeh@padl.com>

	* fixed some assumptions in chsh/chfn, need to look
	  further at this though

58	Tom Lear <tom@trap.mtview.ca.us>

	* Debian bug #64217: remove redundant code in pam_ldap.c
	* Debian bug #64220: add minuid and maxuid parameters
	* Debian bug #65295: chsh/chfn implementation

55	Doug Nazar <nazard@dragoninc.on.ca>

	* md5 crypt support
	* rootbinddn support
	* rebind support for openldap
	* async ldap calls for bind
	* use_authtok support
	* autoconf/automake support

51	Luke Howard <lukeh@padl.com>

	* updated spec file

50	Luke Howard <lukeh@padl.com>

	* more patches from Scott Balneaves
	* use PAM_NEW_AUTHTOK_REQD instead of PAM_AUTHTOK_REQD
	* return PAM_SUCCESS for pam_sm_open_session()
	* reorganization of shadow code

49	Luke Howard <lukeh@padl.com>

	* more patches from Scott Balneaves; now just check
	  for shadow expiry date rather than shadowAccount
	  object class
	* added deref parameter to ldap.conf for parity with
	  OpenLDAP

48	Luke Howard <lukeh@padl.com>

	* added patch from Scott Balneaves <sbalneav@legalaid.mb.ca>
	  to read shadowAccount attributes

47	Luke Howard <lukeh@padl.com>

	* removed _connect_anonymously() clause when updating
	  shadowLastChange

46	Luke Howard <lukeh@padl.com>

	* incorporated new spec file

44	Luke Howard <lukeh@padl.com>

	* incorporated patch for shadowLastChange attribute

40	Luke Howard <lukeh@padl.com>

	* added support for NDSv8 password changing
	  (this is experimental)

39	Luke Howard <lukeh@padl.com>

	* added some comments in Make.defs about different
	  SDKs

38	Luke Howard <lukeh@padl.com>

	* fixed typo in pam.d/ssh

37	Luke Howard <lukeh@padl.com>

	* merged in BUG#37 branch
	* added Makefile.freebsd

36.BZ37.6	Luke Howard <lukeh@padl.com>

	* updated ChangeLog (this file)

36.BZ37.5	Luke Howard <lukeh@padl.com>

	* included FreeBSD porting fixes

36.BZ37.4	Luke Howard <lukeh@padl.com>

	* send user credentials if bound_as_user is
	  set, rather than if userpw != NULL

36.BZ37.3	Luke Howard <lukeh@padl.com>

	* drop userpw if it is already set

36.BZ37.2	Luke Howard <lukeh@padl.com>

	* fixed reordered include to compile properly

36.BZ37.1	Luke Howard <lukeh@padl.com>

	* patch release with possible fix for BUG#37, where
	  user credentials were not being forwarded to
	  referred servers (whilst password changing)

36   Luke Howard <lukeh@padl.com>

	* added -lresolv to library search path
	* incorporated stein@terminator.net's patches for RPM
	  builds

35   Luke Howard <lukeh@padl.com>

	* put /usr/ucblib back in linker search path on Solaris

33   Luke Howard <lukeh@padl.com>

	* fixed pam_ldap.c to support compiling against an API
	  which conforms to draft-ietf-ldapext-ldap-c-api-02.txt.
	  Should make it easier to work with OpenLDAP 2. Netscape
	  specific extensions are guarded with NETSCAPE_API_EXTENSIONS.

30   Luke Howard <lukeh@padl.com>

	* fixed Make.defs for linking against OpenLDAP libldap
	  (recall #279)
	* more SSL stuff

28   Luke Howard <lukeh@padl.com>

	* added patch from gero@faveve.uni-stuttgart.de for
	  parsing of ldap.conf with tabs
	* various patches hopefully to get SSL to work

27   Luke Howard <lukeh@padl.com>

	* fix for recall 256: free() smasher 

26   Luke Howard <lukeh@padl.com>

	* added commented out flags for non-V3 SDKs

25   Luke Howard <lukeh@padl.com>

	* removed ucblib search path

24   Luke Howard <lukeh@padl.com>

	* compile with -D_REENTRANT and link against -lpthread
	  to satisfy dependencies in libldapssl30. (BUG#7)

23   Luke Howard <lukeh@padl.com>

	* no longer use LDAP_VERSION3 to select API
	  (BUG#6)

21   Luke Howard <lukeh@padl.com>

	* added rebind function
	* various stuff for RC added
	* broke out makefiles
	* ldap.conf keys case-insensitive for compat with
	  OpenLDAP

17   Luke Howard <lukeh@padl.com>

	* force users to change passwords if their account has
	  expired
	* updated mapfile for Solaris

14   Luke Howard <lukeh@padl.com>

	* fall back to /etc/ldap.conf if ypldapd is configured
	  for configuration lookup
	* fixed up pam.conf

13   Luke Howard <lukeh@padl.com>

	* added -lcrypt for Linux

12   Luke Howard <lukeh@padl.com>

	* Use ldap_open() for V2 as ldap_init() doesn't work
	* Support hashing passwords locally for UMich crypt
	  patched server
	* Tested against Microsoft Exchange Server
	* Fixed some errors in ldap.conf and mapfile

11   Luke Howard <lukeh@padl.com>

	* Added support for group membership as in Chris'
	  pam_ldap_auth module; see the pam_groupdn and
	  pam_group_attribute configuration keys.
	* Changed pam_attribute to pam_login_attribute to
	  avoid confusion with pam_group_attribute.
	* Support Netscape password expiration controls
	* Avoid authenticating users with empty passwords,
	  even if the directory server does
	* Fill in pam_sm_{open,close}_session for completeness
	  (they return PAM_IGNORE)

10   Luke Howard <lukeh@padl.com>

	* tested with Linux-PAM 0.57
	* made all functions static
	* added prototypes
	* LDAP connections can be persistent over an entire PAM
	  session through the use of pam_set_data() and
	  pam_get_data()
	* fixed some bugs
	
9   Luke Howard <lukeh@padl.com>

	* first publicly available version.