From 09a3f66cfa3c85e39a0eccf18f0d20d9c49ccb5a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 31 2019 06:46:46 +0000 Subject: import nss-pam-ldapd-0.8.13-22.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..18ffc9a --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/nss-pam-ldapd-0.8.13.tar.gz diff --git a/.nss-pam-ldapd.metadata b/.nss-pam-ldapd.metadata new file mode 100644 index 0000000..91863d9 --- /dev/null +++ b/.nss-pam-ldapd.metadata @@ -0,0 +1 @@ +0567cfea104defabeacd88a3a3200b311b8071ec SOURCES/nss-pam-ldapd-0.8.13.tar.gz diff --git a/SOURCES/0016-Backport-of-request-and-parse-password-policy-contro.patch b/SOURCES/0016-Backport-of-request-and-parse-password-policy-contro.patch new file mode 100644 index 0000000..8bc5ef8 --- /dev/null +++ b/SOURCES/0016-Backport-of-request-and-parse-password-policy-contro.patch @@ -0,0 +1,335 @@ +From 329532b3ad43642d50815d089fa3e75746a694d8 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 13 Aug 2019 21:51:44 +0200 +Subject: [PATCH 16/23] Backport of request and parse password policy controls + when doing user authentication in nslcd + +--- + compat/ldap_compat.h | 14 +++ + configure.ac | 2 + + nslcd/myldap.c | 217 +++++++++++++++++++++++++++++++++++++++++-- + 3 files changed, 224 insertions(+), 9 deletions(-) + +diff --git a/compat/ldap_compat.h b/compat/ldap_compat.h +index 039932c..bca8e35 100644 +--- a/compat/ldap_compat.h ++++ b/compat/ldap_compat.h +@@ -70,4 +70,18 @@ int ldap_passwd_s(LDAP *ld,struct berval *user,struct berval *oldpw, + #endif /* LDAP_OPT_ERROR_STRING */ + #endif /* not LDAP_OPT_DIAGNOSTIC_MESSAGE */ + ++/* provide replacement oid definitions */ ++#ifndef LDAP_CONTROL_PWEXPIRED ++#define LDAP_CONTROL_PWEXPIRED "2.16.840.1.113730.3.4.4" ++#endif /* LDAP_CONTROL_PWEXPIRED */ ++#ifndef LDAP_CONTROL_PWEXPIRING ++#define LDAP_CONTROL_PWEXPIRING "2.16.840.1.113730.3.4.5" ++#endif /* LDAP_CONTROL_PWEXPIRING */ ++#ifndef LDAP_CONTROL_PASSWORDPOLICYREQUEST ++#define LDAP_CONTROL_PASSWORDPOLICYREQUEST "1.3.6.1.4.1.42.2.27.8.5.1" ++#endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */ ++#ifndef LDAP_CONTROL_PASSWORDPOLICYRESPONSE ++#define LDAP_CONTROL_PASSWORDPOLICYRESPONSE "1.3.6.1.4.1.42.2.27.8.5.1" ++#endif /* LDAP_CONTROL_PASSWORDPOLICYRESPONSE */ ++ + #endif /* COMPAT__LDAP_COMPAT_H */ +diff --git a/configure.ac b/configure.ac +index bdb2792..344fa55 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -697,6 +697,8 @@ then + AC_CHECK_FUNCS(ldap_parse_result ldap_memfree ldap_controls_free ldap_control_free) + AC_CHECK_FUNCS(ldap_explode_dn ldap_explode_rdn ldap_set_option ldap_get_option) + AC_CHECK_FUNCS(ldap_abandon ldap_simple_bind_s ldap_unbind ldap_set_rebind_proc) ++ AC_CHECK_FUNCS(ldap_sasl_bind ldap_sasl_bind_s ldap_control_find) ++ AC_CHECK_FUNCS(ldap_parse_passwordpolicy_control ldap_passwordpolicy_err2txt) + AC_CHECK_FUNCS(ldap_initialize ldap_search_ext ldap_start_tls_s) + AC_CHECK_FUNCS(ldap_create_control ldap_extended_operation_s) + AC_CHECK_FUNCS(ldap_domain2hostlist ldap_domain2dn) +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index 895b682..64b7f13 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -85,16 +85,20 @@ struct ldap_session + { + /* the connection */ + LDAP *ld; +- /* the username to bind with */ +- char binddn[256]; +- /* the password to bind with if any */ +- char bindpw[128]; + /* timestamp of last activity */ + time_t lastactivity; + /* index into ldc_uris: currently connected LDAP uri */ + int current_uri; + /* a list of searches registered with this session */ + struct myldap_search *searches[MAX_SEARCHES_IN_SESSION]; ++ /* the username to bind with */ ++ char binddn[256]; ++ /* the password to bind with if any */ ++ char bindpw[128]; ++ /* the authentication result (NSLCD_PAM_* code) */ ++ int policy_response; ++ /* the authentication message */ ++ char policy_message[1024]; + }; + + /* A search description set as returned by myldap_search(). */ +@@ -307,12 +311,14 @@ static MYLDAP_SESSION *myldap_session_new(void) + } + /* initialize the session */ + session->ld=NULL; +- session->binddn[0]='\0'; +- session->bindpw[0]='\0'; + session->lastactivity=0; + session->current_uri=0; + for (i=0;isearches[i]=NULL; ++ session->binddn[0]='\0'; ++ session->bindpw[0]='\0'; ++ session->policy_response = NSLCD_PAM_SUCCESS; ++ session->policy_message[0] = '\0'; + /* return the new session */ + return session; + } +@@ -398,6 +404,195 @@ static int do_sasl_interact(LDAP UNUSED(*ld),unsigned UNUSED(flags),void *defaul + } + #endif /* HAVE_SASL_INTERACT_T */ + ++#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) ++static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPControl **ctrls) ++{ ++ int i; ++ int rc; ++ /* clear policy response information in session */ ++ session->policy_response = NSLCD_PAM_SUCCESS; ++ strncpy(session->policy_message, "", sizeof(session->policy_message)); ++ for (i = 0; ctrls[i] != NULL; i++) ++ { ++ if (strcmp(ctrls[i]->ldctl_oid, LDAP_CONTROL_PWEXPIRED) == 0) ++ { ++ /* check for expired control: force the user to change their password */ ++ log_log(LOG_DEBUG, "got LDAP_CONTROL_PWEXPIRED (password expired, user should change)"); ++ if (session->policy_response == NSLCD_PAM_SUCCESS) ++ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; ++ } ++ else if (strcmp(ctrls[i]->ldctl_oid, LDAP_CONTROL_PWEXPIRING) == 0) ++ { ++ /* check for password expiration warning control: the password is about ++ to expire (returns the number of seconds remaining until the password ++ expires) */ ++ char seconds[32]; ++ long int sec; ++ mysnprintf(seconds, sizeof(seconds), "%.*s", (int)ctrls[i]->ldctl_value.bv_len, ++ ctrls[i]->ldctl_value.bv_val); ++ sec = atol(seconds); ++ log_log(LOG_DEBUG, "got LDAP_CONTROL_PWEXPIRING (password will expire in %ld seconds)", ++ sec); ++ /* return this warning to PAM */ ++ if (session->policy_response == NSLCD_PAM_SUCCESS) ++ { ++ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "password will expire in %ld seconds", sec); ++ } ++ } ++ else if (strcmp(ctrls[i]->ldctl_oid, LDAP_CONTROL_PASSWORDPOLICYRESPONSE) == 0) ++ { ++ /* check for password policy control */ ++ int expire = 0, grace = 0; ++ LDAPPasswordPolicyError error = -1; ++ rc = ldap_parse_passwordpolicy_control(ld, ctrls[i], &expire, &grace, &error); ++ if (rc != LDAP_SUCCESS) ++ myldap_err(LOG_WARNING, ld, rc, "ldap_parse_passwordpolicy_control() failed (ignored)"); ++ else ++ { ++ /* log returned control information */ ++ if (error != PP_noError) ++ log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (%s)", ++ ldap_passwordpolicy_err2txt(error)); ++ if (expire >= 0) ++ log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (password will expire in %d seconds)", ++ expire); ++ if (grace >= 0) ++ log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (%d grace logins left)", ++ grace); ++ /* return this information to PAM */ ++ if ((error == PP_passwordExpired) && ++ ((session->policy_response == NSLCD_PAM_SUCCESS) || ++ (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) ++ { ++ session->policy_response = NSLCD_PAM_AUTHTOK_EXPIRED; ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "%s", ldap_passwordpolicy_err2txt(error)); ++ } ++ else if ((error == PP_accountLocked) && ++ ((session->policy_response == NSLCD_PAM_SUCCESS) || ++ (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) ++ { ++ session->policy_response = NSLCD_PAM_ACCT_EXPIRED; ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "%s", ldap_passwordpolicy_err2txt(error)); ++ } ++ else if ((error == PP_changeAfterReset) && ++ (session->policy_response == NSLCD_PAM_SUCCESS)) ++ { ++ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "%s", ldap_passwordpolicy_err2txt(error)); ++ } ++ else if ((error != PP_noError) && ++ ((session->policy_response == NSLCD_PAM_SUCCESS) || ++ (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) ++ { ++ session->policy_response = NSLCD_PAM_PERM_DENIED; ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "%s", ldap_passwordpolicy_err2txt(error)); ++ } ++ else if ((expire >= 0) && ++ ((session->policy_response == NSLCD_PAM_SUCCESS) || ++ (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) ++ { ++ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expire in %d seconds", expire); ++ } ++ else if ((grace >= 0) && ++ (session->policy_response == NSLCD_PAM_SUCCESS)) ++ { ++ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password expired, %d grace logins left", grace); ++ } ++ } ++ } ++ /* ignore any other controls */ ++ } ++} ++static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri) ++{ ++ int rc, parserc; ++ struct berval cred; ++ LDAPControl passwd_policy_req; ++ LDAPControl *requestctrls[2]; ++ LDAPControl **responsectrls; ++ int msgid; ++ struct timeval timeout; ++ LDAPMessage *result; ++ /* build password policy request control */ ++ passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST; ++ passwd_policy_req.ldctl_value.bv_val = NULL; /* none */ ++ passwd_policy_req.ldctl_value.bv_len = 0; ++ passwd_policy_req.ldctl_iscritical = 0; /* not critical */ ++ requestctrls[0] = &passwd_policy_req; ++ requestctrls[1] = NULL; ++ /* build password berval */ ++ cred.bv_val = (char *)session->bindpw; ++ cred.bv_len = (session->bindpw == NULL) ? 0 : strlen(session->bindpw); ++ /* do a SASL simple bind with the binddn and bindpw */ ++ log_log(LOG_DEBUG, "ldap_sasl_bind(\"%s\",%s) (uri=\"%s\")", session->binddn, ++ ((session->bindpw != NULL) && (session->bindpw[0] != '\0')) ? "\"***\"" : "\"\"", uri); ++ rc = ldap_sasl_bind(ld, session->binddn, LDAP_SASL_SIMPLE, &cred, requestctrls, NULL, &msgid); ++ if (rc != LDAP_SUCCESS) ++ return rc; ++ if (msgid == -1) ++ { ++ myldap_err(LOG_WARNING, ld, rc,"ldap_sasl_bind() failed (msgid=-1, uri=%s)", uri); ++ return LDAP_OPERATIONS_ERROR; ++ } ++ /* get the result from the bind operation */ ++ timeout.tv_sec = nslcd_cfg->ldc_bind_timelimit; ++ timeout.tv_usec = 0; ++ result = NULL; ++ rc = ldap_result(ld, msgid, LDAP_MSG_ALL, &timeout, &result); ++ if (rc == -1) /* some error */ ++ { ++ if (ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &rc) != LDAP_SUCCESS) ++ rc = LDAP_UNAVAILABLE; ++ myldap_err(LOG_ERR, ld, rc, "ldap_result() failed"); ++ if (result != NULL) ++ ldap_msgfree(result); ++ return LDAP_LOCAL_ERROR; ++ } ++ if (rc == 0) /* the timeout expired */ ++ { ++ log_log(LOG_ERR, "ldap_result() timed out"); ++ if (result != NULL) ++ ldap_msgfree(result); ++ return LDAP_TIMEOUT; ++ } ++ /* parse the result from the bind operation (frees result, get controls) */ ++ responsectrls = NULL; ++ parserc = ldap_parse_result(ld, result, &rc, NULL, NULL, NULL, &responsectrls, 1); ++ if (parserc != LDAP_SUCCESS) ++ { ++ myldap_err(LOG_ERR, ld, parserc, "ldap_parse_result() failed"); ++ if (responsectrls != NULL) ++ ldap_controls_free(responsectrls); ++ return parserc; ++ } ++ if (rc != LDAP_SUCCESS) ++ { ++ myldap_err(LOG_ERR, ld, rc, "ldap_parse_result() failed"); ++ if (responsectrls != NULL) ++ ldap_controls_free(responsectrls); ++ return rc; ++ } ++ /* check the returned controls */ ++ if (responsectrls != NULL) ++ { ++ handle_ppasswd_controls(session, ld, responsectrls); ++ /* free controls */ ++ ldap_controls_free(responsectrls); ++ } ++ return LDAP_SUCCESS; ++} ++#endif /* no SASL, so no ppolicy */ ++ + #define LDAP_SET_OPTION(ld,option,invalue) \ + rc=ldap_set_option(ld,option,invalue); \ + if (rc!=LDAP_SUCCESS) \ +@@ -410,7 +605,7 @@ static int do_sasl_interact(LDAP UNUSED(*ld),unsigned UNUSED(flags),void *defaul + The binddn and bindpw parameters may be used to override the authentication + mechanism defined in the configuration. This returns an LDAP result + code. */ +-static int do_bind(LDAP *ld,const char *binddn,const char *bindpw,const char *uri) ++static int do_bind(MYLDAP_SESSION *session, LDAP *ld,const char *binddn,const char *bindpw,const char *uri) + { + int rc; + #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S +@@ -435,10 +630,14 @@ static int do_bind(LDAP *ld,const char *binddn,const char *bindpw,const char *ur + /* check if the binddn and bindpw are overwritten in the session */ + if ((binddn!=NULL)&&(binddn[0]!='\0')) + { ++#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) ++ return do_ppolicy_bind(session, ld, uri); ++#else /* no SASL, so no ppolicy */ + /* do a simple bind */ + log_log(LOG_DEBUG,"ldap_simple_bind_s(\"%s\",%s) (uri=\"%s\")",binddn, + ((bindpw!=NULL)&&(bindpw[0]!='\0'))?"\"***\"":"\"\"",uri); + return ldap_simple_bind_s(ld,binddn,bindpw); ++#endif + } + /* perform SASL bind if requested and available on platform */ + #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S +@@ -504,7 +703,7 @@ static int do_rebind(LDAP *ld,LDAP_CONST char *url, + { + MYLDAP_SESSION *session=(MYLDAP_SESSION *)arg; + log_log(LOG_DEBUG,"rebinding to %s",url); +- return do_bind(ld,session->binddn,session->bindpw,url); ++ return do_bind(session,ld,session->binddn,session->bindpw,url); + } + #else /* not recent OpenLDAP */ + static int do_rebind(LDAP *ld,char **dnp,char **passwdp,int *authmethodp, +@@ -798,7 +997,7 @@ static int do_open(MYLDAP_SESSION *session) + } + /* bind to the server */ + errno=0; +- rc=do_bind(session->ld,session->binddn,session->bindpw, ++ rc=do_bind(session, session->ld,session->binddn,session->bindpw, + nslcd_cfg->ldc_uris[session->current_uri].uri); + if (rc!=LDAP_SUCCESS) + { +-- +2.20.1 + diff --git a/SOURCES/0017-Backport-of-passing-expiration-controls-back-to-PAM-.patch b/SOURCES/0017-Backport-of-passing-expiration-controls-back-to-PAM-.patch new file mode 100644 index 0000000..bc5de38 --- /dev/null +++ b/SOURCES/0017-Backport-of-passing-expiration-controls-back-to-PAM-.patch @@ -0,0 +1,106 @@ +From 289cd5ab7d125c8eb4a5e85800ab8f5f54dc4519 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 13 Aug 2019 22:06:12 +0200 +Subject: [PATCH 17/23] Backport of passing expiration controls back to PAM + client + +--- + nslcd/myldap.c | 11 +++++++++++ + nslcd/myldap.h | 5 +++++ + nslcd/pam.c | 15 ++++++++++++--- + 3 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index 64b7f13..9f6b4b0 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -1024,6 +1024,17 @@ void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn, + session->bindpw[sizeof(session->bindpw)-1]='\0'; + } + ++/* Get bind ppolicy results from the last bind operation. This function ++ returns a NSLCD_PAM_* code and optional message. */ ++void myldap_get_policy_response(MYLDAP_SESSION *session, int *response, ++ const char **message) ++{ ++ if (response != NULL) ++ *response = session->policy_response; ++ if (message != NULL) ++ *message = session->policy_message; ++} ++ + static int do_try_search(MYLDAP_SEARCH *search) + { + int rc; +diff --git a/nslcd/myldap.h b/nslcd/myldap.h +index f118f72..3a99765 100644 +--- a/nslcd/myldap.h ++++ b/nslcd/myldap.h +@@ -72,6 +72,11 @@ MUST_USE MYLDAP_SESSION *myldap_create_session(void); + void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn, + const char *password); + ++/* Get bind ppolicy results from the last bind operation. This function ++ returns a NSLCD_PAM_* code and optional message. */ ++void myldap_get_policy_response(MYLDAP_SESSION *session, int *response, ++ const char **message); ++ + /* Closes all pending searches and deallocates any memory that is allocated + with these searches. This does not close the session. */ + void myldap_session_cleanup(MYLDAP_SESSION *session); +diff --git a/nslcd/pam.c b/nslcd/pam.c +index ee28725..40a8687 100644 +--- a/nslcd/pam.c ++++ b/nslcd/pam.c +@@ -41,13 +41,15 @@ + + /* set up a connection and try to bind with the specified DN and password, + returns an LDAP result code */ +-static int try_bind(const char *userdn,const char *password) ++static int try_bind(const char *userdn,const char *password, ++ int *authzrc, char *authzmsg, size_t authzmsgsz) + { + MYLDAP_SESSION *session; + MYLDAP_SEARCH *search; + MYLDAP_ENTRY *entry; + static const char *attrs[2]; + int rc; ++ const char *msg; + /* set up a new connection */ + session=myldap_create_session(); + if (session==NULL) +@@ -74,6 +76,13 @@ static int try_bind(const char *userdn,const char *password) + log_log(LOG_WARNING,"%s: lookup failed: %s",userdn,ldap_err2string(rc)); + } + } ++ /* get any policy response from the bind */ ++ myldap_get_policy_response(session, authzrc, &msg); ++ if ((msg != NULL) && (msg[0] != '\0')) ++ { ++ mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg); ++ log_log(LOG_WARNING, "%s: %s", userdn, authzmsg); ++ } + /* close the session */ + myldap_session_close(session); + /* return results */ +@@ -297,7 +306,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid) + update_username(entry,username,sizeof(username)); + } + /* try authentication */ +- rc=try_bind(userdn,password); ++ rc = try_bind(userdn, password, &authzrc, authzmsg, sizeof(authzmsg)); + if (rc==LDAP_SUCCESS) + log_log(LOG_DEBUG,"bind successful"); + /* map result code */ +@@ -308,7 +317,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid) + default: rc=NSLCD_PAM_AUTH_ERR; + } + /* perform shadow attribute checks */ +- if (*username!='\0') ++ if ((*username != '\0') && (authzrc == NSLCD_PAM_SUCCESS)) + authzrc=check_shadow(session,username,authzmsg,sizeof(authzmsg),1,0); + /* write response */ + WRITE_INT32(fp,NSLCD_RESULT_BEGIN); +-- +2.20.1 + diff --git a/SOURCES/0018-Also-extract-policy-controls-on-BIND-failure.patch b/SOURCES/0018-Also-extract-policy-controls-on-BIND-failure.patch new file mode 100644 index 0000000..629e3c5 --- /dev/null +++ b/SOURCES/0018-Also-extract-policy-controls-on-BIND-failure.patch @@ -0,0 +1,62 @@ +From e5a7c13c7aa70ebe59764761020fc509dd0ec33a Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 4 May 2014 23:16:03 +0200 +Subject: [PATCH 18/23] Also extract policy controls on BIND failure + +This ensures that controls returned by an LDAP server as part of a +failed BIND operation are also returned. This makes it possible to +distinguish between a wrong password and an expired password. + +This also only logs the BIND operation result on DEBUG level (the error +is logged later on). + +(cherry picked from commit ca36a50143eb38c9040c2567172b9bfb9dba1838) +--- + nslcd/myldap.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index 9f6b4b0..e33296f 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -565,7 +565,7 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri) + ldap_msgfree(result); + return LDAP_TIMEOUT; + } +- /* parse the result from the bind operation (frees result, get controls) */ ++ /* parse the result from the bind operation (frees result, gets controls) */ + responsectrls = NULL; + parserc = ldap_parse_result(ld, result, &rc, NULL, NULL, NULL, &responsectrls, 1); + if (parserc != LDAP_SUCCESS) +@@ -575,20 +575,19 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri) + ldap_controls_free(responsectrls); + return parserc; + } +- if (rc != LDAP_SUCCESS) +- { +- myldap_err(LOG_ERR, ld, rc, "ldap_parse_result() failed"); +- if (responsectrls != NULL) +- ldap_controls_free(responsectrls); +- return rc; +- } +- /* check the returned controls */ ++ /* handle any returned controls */ + if (responsectrls != NULL) + { + handle_ppasswd_controls(session, ld, responsectrls); +- /* free controls */ + ldap_controls_free(responsectrls); + } ++ /* return the result of the BIND operation */ ++ if (rc != LDAP_SUCCESS) ++ { ++ myldap_err(LOG_DEBUG, ld, rc, "ldap_parse_result() result"); ++ return rc; ++ } ++ /* check the returned controls */ + return LDAP_SUCCESS; + } + #endif /* no SASL, so no ppolicy */ +-- +2.20.1 + diff --git a/SOURCES/0019-Fix-password-policy-expiration-warnings.patch b/SOURCES/0019-Fix-password-policy-expiration-warnings.patch new file mode 100644 index 0000000..a0690f2 --- /dev/null +++ b/SOURCES/0019-Fix-password-policy-expiration-warnings.patch @@ -0,0 +1,49 @@ +From e45d35b6da24c10137330fccecf681ddf32a628e Mon Sep 17 00:00:00 2001 +From: Mathieu Baeumler +Date: Thu, 9 Jul 2015 08:59:19 +0200 +Subject: [PATCH 19/23] Fix password policy expiration warnings + +If a password expiration warning (pwdExpireWarning) is set in slapd, and +the password is about to expire, slapd sends the timeBeforeExpiration +value as part of the passwordPolicyResponse. + +nslcd would incorrectly instruct the PAM module to require immediate +password change. This has been fixed for both timeBeforeExpiration and +graceLoginsRemaining. + +(cherry picked from commit 4302901a2708d55b24880b77437e3d782b0de1cb) +--- + nslcd/myldap.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index e33296f..9a24a27 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -466,7 +466,7 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + ((session->policy_response == NSLCD_PAM_SUCCESS) || + (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) + { +- session->policy_response = NSLCD_PAM_AUTHTOK_EXPIRED; ++ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; + mysnprintf(session->policy_message, sizeof(session->policy_message), + "%s", ldap_passwordpolicy_err2txt(error)); + } +@@ -497,14 +497,12 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + ((session->policy_response == NSLCD_PAM_SUCCESS) || + (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) + { +- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; + mysnprintf(session->policy_message, sizeof(session->policy_message), + "Password will expire in %d seconds", expire); + } + else if ((grace >= 0) && + (session->policy_response == NSLCD_PAM_SUCCESS)) + { +- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; + mysnprintf(session->policy_message, sizeof(session->policy_message), + "Password expired, %d grace logins left", grace); + } +-- +2.20.1 + diff --git a/SOURCES/0020-Simplify-password-policy-message-handling.patch b/SOURCES/0020-Simplify-password-policy-message-handling.patch new file mode 100644 index 0000000..523cae3 --- /dev/null +++ b/SOURCES/0020-Simplify-password-policy-message-handling.patch @@ -0,0 +1,124 @@ +From 10f9b55084a1b7d251752d5d9fe85f9d01fe93d7 Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Fri, 14 Aug 2015 23:09:50 +0200 +Subject: [PATCH 20/23] Simplify password policy message handling + +This simplifies the check for overwriging pending password expiry and +grace logins warnigns and updates handling of the +LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire +value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE. + +This also corrects the function name, also logs empty password policy +responses in debug mode and documents the meaning of the various +password policy values. + +(cherry picked from commit 263a44340badb1e553c997f2dfb4986fb2f4c28b) +--- + nslcd/myldap.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index 9a24a27..86a339e 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -405,7 +405,7 @@ static int do_sasl_interact(LDAP UNUSED(*ld),unsigned UNUSED(flags),void *defaul + #endif /* HAVE_SASL_INTERACT_T */ + + #if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) +-static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPControl **ctrls) ++static void handle_ppolicy_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPControl **ctrls) + { + int i; + int rc; +@@ -433,10 +433,9 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + sec = atol(seconds); + log_log(LOG_DEBUG, "got LDAP_CONTROL_PWEXPIRING (password will expire in %ld seconds)", + sec); +- /* return this warning to PAM */ +- if (session->policy_response == NSLCD_PAM_SUCCESS) ++ /* return this warning so PAM can present it to the user */ ++ if (strlen(session->policy_message) == 0) + { +- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; + mysnprintf(session->policy_message, sizeof(session->policy_message), + "password will expire in %ld seconds", sec); + } +@@ -452,9 +451,8 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + else + { + /* log returned control information */ +- if (error != PP_noError) +- log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (%s)", +- ldap_passwordpolicy_err2txt(error)); ++ log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (%s)", ++ ldap_passwordpolicy_err2txt(error)); + if (expire >= 0) + log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (password will expire in %d seconds)", + expire); +@@ -466,6 +464,7 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + ((session->policy_response == NSLCD_PAM_SUCCESS) || + (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) + { ++ /* this means that the password has expired and must be reset */ + session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; + mysnprintf(session->policy_message, sizeof(session->policy_message), + "%s", ldap_passwordpolicy_err2txt(error)); +@@ -474,6 +473,8 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + ((session->policy_response == NSLCD_PAM_SUCCESS) || + (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) + { ++ /* this means that the account is locked and the user cannot log ++ in (the bind probably failed already) */ + session->policy_response = NSLCD_PAM_ACCT_EXPIRED; + mysnprintf(session->policy_message, sizeof(session->policy_message), + "%s", ldap_passwordpolicy_err2txt(error)); +@@ -481,6 +482,8 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + else if ((error == PP_changeAfterReset) && + (session->policy_response == NSLCD_PAM_SUCCESS)) + { ++ /* this indicates that the password must be changed before the ++ user is allowed to perform any other operation */ + session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD; + mysnprintf(session->policy_message, sizeof(session->policy_message), + "%s", ldap_passwordpolicy_err2txt(error)); +@@ -489,20 +492,23 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + ((session->policy_response == NSLCD_PAM_SUCCESS) || + (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) + { ++ /* any other error is assumed to mean that the operation failed */ + session->policy_response = NSLCD_PAM_PERM_DENIED; + mysnprintf(session->policy_message, sizeof(session->policy_message), + "%s", ldap_passwordpolicy_err2txt(error)); + } +- else if ((expire >= 0) && +- ((session->policy_response == NSLCD_PAM_SUCCESS) || +- (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))) ++ /* both expire and grace should just be warnings to the user */ ++ if ((expire >= 0) && (strlen(session->policy_message) == 0)) + { ++ /* if no other error has happened, this indicates that the password ++ will soon expire (number of seconds) */ + mysnprintf(session->policy_message, sizeof(session->policy_message), + "Password will expire in %d seconds", expire); + } +- else if ((grace >= 0) && +- (session->policy_response == NSLCD_PAM_SUCCESS)) ++ else if ((grace >= 0) && (strlen(session->policy_message) == 0)) + { ++ /* this indicates the number of grace logins that are left before ++ no further login attempts will be allowed */ + mysnprintf(session->policy_message, sizeof(session->policy_message), + "Password expired, %d grace logins left", grace); + } +@@ -576,7 +582,7 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri) + /* handle any returned controls */ + if (responsectrls != NULL) + { +- handle_ppasswd_controls(session, ld, responsectrls); ++ handle_ppolicy_controls(session, ld, responsectrls); + ldap_controls_free(responsectrls); + } + /* return the result of the BIND operation */ +-- +2.20.1 + diff --git a/SOURCES/0021-backport-the-pam_authc_ppolicy-option.patch b/SOURCES/0021-backport-the-pam_authc_ppolicy-option.patch new file mode 100644 index 0000000..25638cc --- /dev/null +++ b/SOURCES/0021-backport-the-pam_authc_ppolicy-option.patch @@ -0,0 +1,108 @@ +From 4861574af285c3ad0188424a567648673cfd7556 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 14 Aug 2019 09:33:59 +0200 +Subject: [PATCH 21/23] backport the pam_authc_ppolicy option + +--- + man/nslcd.conf.5.xml | 12 ++++++++++++ + nslcd/cfg.c | 11 +++++++++++ + nslcd/cfg.h | 3 +++ + nslcd/myldap.c | 19 +++++++++++-------- + 4 files changed, 37 insertions(+), 8 deletions(-) + +diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml +index d7fa9b8..7c2d45a 100644 +--- a/man/nslcd.conf.5.xml ++++ b/man/nslcd.conf.5.xml +@@ -733,6 +733,18 @@ + + + ++ ++ yes|no ++ ++ ++ This option specifies whether password policy controls are requested ++ and handled from the LDAP server when performing ++ user authentication. ++ By default the controls are requested and handled if available. ++ ++ ++ ++ + + + FILTER +diff --git a/nslcd/cfg.c b/nslcd/cfg.c +index b821fcd..e11d03a 100644 +--- a/nslcd/cfg.c ++++ b/nslcd/cfg.c +@@ -1205,6 +1205,17 @@ static void cfg_read(const char *filename,struct ldap_config *cfg) + { + parse_pam_password_prohibit_message_statement(filename,lnr,keyword,line,cfg); + } ++ else if (strcasecmp(keyword, "pam_authc_ppolicy") == 0) ++ { ++#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) ++ get_boolean(filename,lnr,keyword,&line,&cfg->pam_authc_ppolicy); ++ get_eol(filename, lnr, keyword, &line); ++#else ++ log_log(LOG_ERR, "%s:%d: value %s not supported on platform", ++ filename, lnr, value); ++ exit(EXIT_FAILURE); ++#endif ++ } + #ifdef ENABLE_CONFIGFILE_CHECKING + /* fallthrough */ + else +diff --git a/nslcd/cfg.h b/nslcd/cfg.h +index 5356ace..4c044ca 100644 +--- a/nslcd/cfg.h ++++ b/nslcd/cfg.h +@@ -156,6 +156,9 @@ struct ldap_config + /* whether password changing should be denied and user prompted with + this message */ + char *pam_password_prohibit_message; ++#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) ++ int pam_authc_ppolicy; /* whether to send password policy controls on bind */ ++#endif + }; + + /* this is a pointer to the global configuration, it should be available +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index 86a339e..738a782 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -522,18 +522,21 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri) + int rc, parserc; + struct berval cred; + LDAPControl passwd_policy_req; +- LDAPControl *requestctrls[2]; ++ LDAPControl *requestctrls[2] = { NULL, NULL }; + LDAPControl **responsectrls; + int msgid; + struct timeval timeout; + LDAPMessage *result; +- /* build password policy request control */ +- passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST; +- passwd_policy_req.ldctl_value.bv_val = NULL; /* none */ +- passwd_policy_req.ldctl_value.bv_len = 0; +- passwd_policy_req.ldctl_iscritical = 0; /* not critical */ +- requestctrls[0] = &passwd_policy_req; +- requestctrls[1] = NULL; ++ /* build policy request if pam_authc_ppolicy is set */ ++ if (nslcd_cfg->pam_authc_ppolicy) ++ { ++ passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST; ++ passwd_policy_req.ldctl_value.bv_val = NULL; /* none */ ++ passwd_policy_req.ldctl_value.bv_len = 0; ++ passwd_policy_req.ldctl_iscritical = 0; /* not critical */ ++ requestctrls[0] = &passwd_policy_req; ++ requestctrls[1] = NULL; ++ } + /* build password berval */ + cred.bv_val = (char *)session->bindpw; + cred.bv_len = (session->bindpw == NULL) ? 0 : strlen(session->bindpw); +-- +2.20.1 + diff --git a/SOURCES/0022-Backport-the-human-readable-password-policy-reply.patch b/SOURCES/0022-Backport-the-human-readable-password-policy-reply.patch new file mode 100644 index 0000000..e66141f --- /dev/null +++ b/SOURCES/0022-Backport-the-human-readable-password-policy-reply.patch @@ -0,0 +1,103 @@ +From d4849e30b0c27878ee1167784c82b15c371781a8 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 14 Aug 2019 09:39:53 +0200 +Subject: [PATCH 22/23] Backport the human readable password policy reply + +--- + nslcd/myldap.c | 66 ++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 59 insertions(+), 7 deletions(-) + +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index 738a782..f83137a 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -405,6 +405,63 @@ static int do_sasl_interact(LDAP UNUSED(*ld),unsigned UNUSED(flags),void *defaul + #endif /* HAVE_SASL_INTERACT_T */ + + #if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) ++static void print_ppolicy_expiry(MYLDAP_SESSION *session, unsigned int sec) ++{ ++ unsigned int days = 0; ++ unsigned int hours = 0; ++ unsigned int minutes = 0; ++ /* return this warning so PAM can present it to the user */ ++ if (strlen(session->policy_message) != 0) ++ return; ++ if (sec > 24 * 3600) ++ { ++ days = sec / (24 * 3600); ++ sec -= days * 24 * 3600; ++ } ++ if (sec > 3600) ++ { ++ hours = sec / 3600; ++ sec -= (hours * 3600); ++ } ++ if (sec > 60) ++ { ++ minutes = sec / 60; ++ sec -= minutes * 60; ++ } ++ if (days > 1) ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expires in %u days", days); ++ else if (days > 0) ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expires in %u hours", hours + 24); ++ else if (hours > 1) ++ { ++ if (minutes > 1) ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expires in %u hours and %u minutes", ++ hours, minutes); ++ else ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expires in %u hours", hours); ++ } ++ else if (hours > 0) ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expires in %u minutes", minutes + 60); ++ else if (minutes > 1) ++ { ++ if (sec > 1) ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expires in %u minutes and %u seconds", ++ minutes, sec); ++ else ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expires in %u minutes", minutes); ++ } ++ else ++ mysnprintf(session->policy_message, sizeof(session->policy_message), ++ "Password will expires in %u seconds", sec); ++} ++ + static void handle_ppolicy_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPControl **ctrls) + { + int i; +@@ -434,11 +491,7 @@ static void handle_ppolicy_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + log_log(LOG_DEBUG, "got LDAP_CONTROL_PWEXPIRING (password will expire in %ld seconds)", + sec); + /* return this warning so PAM can present it to the user */ +- if (strlen(session->policy_message) == 0) +- { +- mysnprintf(session->policy_message, sizeof(session->policy_message), +- "password will expire in %ld seconds", sec); +- } ++ print_ppolicy_expiry(session, (unsigned int)sec); + } + else if (strcmp(ctrls[i]->ldctl_oid, LDAP_CONTROL_PASSWORDPOLICYRESPONSE) == 0) + { +@@ -502,8 +555,7 @@ static void handle_ppolicy_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr + { + /* if no other error has happened, this indicates that the password + will soon expire (number of seconds) */ +- mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expire in %d seconds", expire); ++ print_ppolicy_expiry(session, (unsigned int)expire); + } + else if ((grace >= 0) && (strlen(session->policy_message) == 0)) + { +-- +2.20.1 + diff --git a/SOURCES/0023-Backport-typo-fixes-in-password-expiration-warnings.patch b/SOURCES/0023-Backport-typo-fixes-in-password-expiration-warnings.patch new file mode 100644 index 0000000..2f8aa3f --- /dev/null +++ b/SOURCES/0023-Backport-typo-fixes-in-password-expiration-warnings.patch @@ -0,0 +1,61 @@ +From ddd068c82cb039ddb4531d4817f75252eef51332 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 14 Aug 2019 09:41:24 +0200 +Subject: [PATCH 23/23] Backport typo fixes in password expiration warnings + +--- + nslcd/myldap.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index f83137a..4b53af2 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -430,36 +430,36 @@ static void print_ppolicy_expiry(MYLDAP_SESSION *session, unsigned int sec) + } + if (days > 1) + mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expires in %u days", days); ++ "Password will expire in %u days", days); + else if (days > 0) + mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expires in %u hours", hours + 24); ++ "Password will expire in %u hours", hours + 24); + else if (hours > 1) + { + if (minutes > 1) + mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expires in %u hours and %u minutes", ++ "Password will expire in %u hours and %u minutes", + hours, minutes); + else + mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expires in %u hours", hours); ++ "Password will expire in %u hours", hours); + } + else if (hours > 0) + mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expires in %u minutes", minutes + 60); ++ "Password will expire in %u minutes", minutes + 60); + else if (minutes > 1) + { + if (sec > 1) + mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expires in %u minutes and %u seconds", ++ "Password will expire in %u minutes and %u seconds", + minutes, sec); + else + mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expires in %u minutes", minutes); ++ "Password will expire in %u minutes", minutes); + } + else + mysnprintf(session->policy_message, sizeof(session->policy_message), +- "Password will expires in %u seconds", sec); ++ "Password will expire in %u seconds", sec); + } + + static void handle_ppolicy_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPControl **ctrls) +-- +2.20.1 + diff --git a/SOURCES/0024-Allow-logging-longer-lines.patch b/SOURCES/0024-Allow-logging-longer-lines.patch new file mode 100644 index 0000000..ffadfda --- /dev/null +++ b/SOURCES/0024-Allow-logging-longer-lines.patch @@ -0,0 +1,27 @@ +From f50540857d5449ddb7dad31c99ba86de5bfeb4c6 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 13 Aug 2019 09:28:32 +0200 +Subject: [PATCH] Allow logging longer lines + +Resolves: +https://bugzilla.redhat.com/show_bug.cgi?id=1559524 +--- + nslcd/log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nslcd/log.c b/nslcd/log.c +index 27402f7..b4c0339 100644 +--- a/nslcd/log.c ++++ b/nslcd/log.c +@@ -122,7 +122,7 @@ void log_setrequest(const char *format, ...) + void log_log(int pri,const char *format, ...) + { + int res; +- char buffer[200]; ++ char buffer[512]; + va_list ap; + /* make the message */ + va_start(ap,format); +-- +2.20.1 + diff --git a/SOURCES/0025-Backport-of-Update-shadow.c-to-resolve-pwdLastSet-is.patch b/SOURCES/0025-Backport-of-Update-shadow.c-to-resolve-pwdLastSet-is.patch new file mode 100644 index 0000000..27851f9 --- /dev/null +++ b/SOURCES/0025-Backport-of-Update-shadow.c-to-resolve-pwdLastSet-is.patch @@ -0,0 +1,25 @@ +From 53f701c67021ddce1b554d2f85a96d9f28359bca Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 30 Aug 2019 12:52:42 +0200 +Subject: [PATCH] Backport of Update shadow.c to resolve pwdLastSet issue + +--- + nslcd/shadow.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nslcd/shadow.c b/nslcd/shadow.c +index f7dee7d..46dacc9 100644 +--- a/nslcd/shadow.c ++++ b/nslcd/shadow.c +@@ -135,7 +135,7 @@ static long to_date(const char *dn,const char *date,const char *attr) + strncpy(buffer,date,l); + buffer[l]='\0'; + errno=0; +- value=strtol(date,&tmp,10); ++ value=strtol(buffer,&tmp,10); + if ((*date=='\0')||(*tmp!='\0')) + { + log_log(LOG_WARNING,"%s: %s: non-numeric",dn,attr); +-- +2.21.0 + diff --git a/SOURCES/0026-RHEL-specific-Disable-the-password-policies-unless-e.patch b/SOURCES/0026-RHEL-specific-Disable-the-password-policies-unless-e.patch new file mode 100644 index 0000000..a145243 --- /dev/null +++ b/SOURCES/0026-RHEL-specific-Disable-the-password-policies-unless-e.patch @@ -0,0 +1,45 @@ +From c9fb441600acc02952372fc89097cf06a8eaca5f Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 17 Sep 2019 09:48:49 +0200 +Subject: [PATCH] RHEL-specific: Disable the password policies unless + explicitly enabled + +--- + nslcd/cfg.c | 1 + + nslcd/myldap.c | 8 ++++++++ + 2 files changed, 9 insertions(+) + +diff --git a/nslcd/cfg.c b/nslcd/cfg.c +index e11d03a..66908b2 100644 +--- a/nslcd/cfg.c ++++ b/nslcd/cfg.c +@@ -136,6 +136,7 @@ static void cfg_defaults(struct ldap_config *cfg) + parse_validnames_statement(__FILE__,__LINE__,"", + "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",cfg); + cfg->pam_password_prohibit_message=NULL; ++ cfg->pam_authc_ppolicy = 0; + } + + /* simple strdup wrapper */ +diff --git a/nslcd/myldap.c b/nslcd/myldap.c +index 6eb91f8..a07829f 100644 +--- a/nslcd/myldap.c ++++ b/nslcd/myldap.c +@@ -689,6 +689,14 @@ static int do_bind(MYLDAP_SESSION *session, LDAP *ld,const char *binddn,const ch + if ((binddn!=NULL)&&(binddn[0]!='\0')) + { + #if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) ++ /* RHEL-specific: Don't even call into the ppolicy_bind path unless ++ * the option was set explicitly to 1 to retain backwards compatibility ++ */ ++ if (nslcd_cfg->pam_authc_ppolicy == 0) { ++ log_log(LOG_DEBUG,"ldap_simple_bind_s(\"%s\",%s) (uri=\"%s\")",binddn, ++ ((bindpw!=NULL)&&(bindpw[0]!='\0'))?"\"***\"":"\"\"",uri); ++ return ldap_simple_bind_s(ld,binddn,bindpw); ++ } + return do_ppolicy_bind(session, ld, uri); + #else /* no SASL, so no ppolicy */ + /* do a simple bind */ +-- +2.21.0 + diff --git a/SOURCES/0027-RHEL-specific-document-the-ppolicy-option-default.patch b/SOURCES/0027-RHEL-specific-document-the-ppolicy-option-default.patch new file mode 100644 index 0000000..64f68f8 --- /dev/null +++ b/SOURCES/0027-RHEL-specific-document-the-ppolicy-option-default.patch @@ -0,0 +1,18 @@ +diff -up nss-pam-ldapd-0.8.13/man/nslcd.conf.5.ppolicy_option_default nss-pam-ldapd-0.8.13/man/nslcd.conf.5 +--- nss-pam-ldapd-0.8.13/man/nslcd.conf.5.ppolicy_option_default 2019-09-17 09:53:26.723676439 +0200 ++++ nss-pam-ldapd-0.8.13/man/nslcd.conf.5 2019-09-17 09:59:44.182750835 +0200 +@@ -360,6 +360,14 @@ vulnerabilities which allow denial of se + The default is to perform case-sensitve filtering of LDAP search + results for the above maps. + .TP ++\*(T<\fBpam_authc_ppolicy\fR\*(T> yes|no ++This option specifies whether password policy controls are requested ++and handled from the LDAP server when performing user authentication. ++ ++By default the controls are only requested and handled if this option ++is selected. This differs from the upstream default in order to retain ++backwards compatibility with previous RHEL-7 releases. ++.TP + \*(T<\fBpam_authz_search\fR\*(T> \fIFILTER\fR + This option allows flexible fine tuning of the authorisation check that + should be performed. The search filter specified is executed and diff --git a/SOURCES/nslcd.init b/SOURCES/nslcd.init new file mode 100644 index 0000000..1f5fe11 --- /dev/null +++ b/SOURCES/nslcd.init @@ -0,0 +1,86 @@ +#!/bin/sh +# +# chkconfig: - 12 88 +# description: Provides naming services using a directory server. +# processname: /usr/sbin/nslcd +# config: /etc/nslcd.conf +# pidfile: /var/run/nslcd/nslcd.pid +# + +### BEGIN INIT INFO +# Provides: nslcd +# Required-Start: $network +# Required-Stop: +# Default-Start: +# Default-Stop: +# Short-Description: naming services LDAP client daemon +# Description: Provides naming services using a directory server. +### END INIT INFO + +program=/usr/sbin/nslcd +prog=${program##*/} +pidfile=/var/run/nslcd/nslcd.pid + +if [ -f /etc/rc.d/init.d/functions ]; then + . /etc/rc.d/init.d/functions +fi + +RETVAL=0 + +start() { + echo -n $"Starting $prog: " + daemon $program + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog + return $RETVAL +} + +stop() { + echo -n $"Stopping $prog: " + killproc $program + RETVAL=$? + echo + if [ $RETVAL -eq 0 ]; then + rm -f /var/lock/subsys/$prog + fi +} + +restart() { + stop + start +} + +# See how we were called. +case "$1" in + start) + [ -f /var/lock/subsys/$prog ] && exit 0 + $1 + ;; + stop) + [ -f /var/lock/subsys/$prog ] || exit 0 + $1 + ;; + restart) + $1 + ;; + status) + status -p $pidfile $program + RETVAL=$? + ;; + condrestart|try-restart) + [ -f /var/lock/subsys/$prog ] && restart || : + ;; + reload) + echo "can't reload configuration, you have to restart it" + RETVAL=3 + ;; + force-reload) + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 1 + ;; +esac +exit $RETVAL diff --git a/SOURCES/nslcd.service b/SOURCES/nslcd.service new file mode 100644 index 0000000..2fec365 --- /dev/null +++ b/SOURCES/nslcd.service @@ -0,0 +1,16 @@ +[Unit] +Description=Naming services LDAP client daemon. +After=syslog.target network.target named.service dirsrv.target slapd.service +Wants=nss-user-lookup.target +Before=nss-user-lookup.target +Documentation=man:nslcd(8) man:nslcd.conf(5) + +[Service] +Type=forking +PIDFile=/var/run/nslcd/nslcd.pid +ExecStart=/usr/sbin/nslcd +RestartSec=10s +Restart=on-failure + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/nslcd.tmpfiles b/SOURCES/nslcd.tmpfiles new file mode 100644 index 0000000..2230173 --- /dev/null +++ b/SOURCES/nslcd.tmpfiles @@ -0,0 +1,2 @@ +# nslcd needs a directory in /var/run to store its pid file and socket +d /var/run/nslcd 0755 nslcd root diff --git a/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch b/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch new file mode 100644 index 0000000..ff84f94 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch @@ -0,0 +1,30 @@ +From ec2ac2cc7eaa945f3d07d2528ddd4b8d9b8d38e1 Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 6 Oct 2013 14:14:39 +0000 +Subject: [PATCH 3/3] in nslcd, log EPIPE only on debug level (4897033 from + 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2032 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + nslcd/common.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/nslcd/common.h b/nslcd/common.h +index 736d7c09c9cd6d333fc4caa0a15144cc83eb9ecd..c48decb58df5262f459e0862f677960c31e20df7 100644 +--- a/nslcd/common.h ++++ b/nslcd/common.h +@@ -43,7 +43,10 @@ + stream */ + + #define ERROR_OUT_WRITEERROR(fp) \ +- log_log(LOG_WARNING,"error writing to client: %s",strerror(errno)); \ ++ if (errno==EPIPE) \ ++ log_log(LOG_DEBUG, "error writing to client: %s", strerror(errno)); \ ++ else \ ++ log_log(LOG_WARNING, "error writing to client: %s", strerror(errno)); \ + return -1; + + #define ERROR_OUT_READERROR(fp) \ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch b/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch new file mode 100644 index 0000000..f5e7067 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch @@ -0,0 +1,111 @@ +From 335f7e085b45556276d2c1f224648a7eed28e4fd Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 6 Oct 2013 14:11:51 +0000 +Subject: [PATCH 2/3] use a timeout when skipping remaining result data + (c9e2f97 from 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2031 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + common/tio.c | 6 +++--- + common/tio.h | 4 ++-- + nss/common.h | 10 +++++++--- + 3 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/common/tio.c b/common/tio.c +index 9aef80ca91faedad8f75e09b9070d22ed4a0878d..780ea38f175482dfed5e1c754ef75e93ffd83768 100644 +--- a/common/tio.c ++++ b/common/tio.c +@@ -2,7 +2,7 @@ + tio.c - timed io functions + This file is part of the nss-pam-ldapd library. + +- Copyright (C) 2007, 2008, 2010, 2011, 2012 Arthur de Jong ++ Copyright (C) 2007, 2008, 2010, 2011, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -298,7 +298,7 @@ int tio_skip(TFILE *fp, size_t count) + } + + /* Read all available data from the stream and empty the read buffer. */ +-int tio_skipall(TFILE *fp) ++int tio_skipall(TFILE *fp,int skiptimeout) + { + struct pollfd fds[1]; + int rv; +@@ -318,7 +318,7 @@ int tio_skipall(TFILE *fp) + /* see if any data is available */ + fds[0].fd=fp->fd; + fds[0].events=POLLIN; +- rv=poll(fds,1,0); ++ rv=poll(fds,1,skiptimeout); + /* check the poll() result */ + if (rv==0) + return 0; /* no file descriptor ready */ +diff --git a/common/tio.h b/common/tio.h +index cd3f370732e4c54815187bb8012fd5a5ff8972af..b38d458aedd660ff95ff2e57f9df790ffd51ff6d 100644 +--- a/common/tio.h ++++ b/common/tio.h +@@ -2,7 +2,7 @@ + tio.h - timed io functions + This file is part of the nss-pam-ldapd library. + +- Copyright (C) 2007, 2008, 2010, 2012 Arthur de Jong ++ Copyright (C) 2007, 2008, 2010, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -59,7 +59,7 @@ int tio_read(TFILE *fp,void *buf,size_t count); + int tio_skip(TFILE *fp,size_t count); + + /* Read all available data from the stream and empty the read buffer. */ +-int tio_skipall(TFILE *fp); ++int tio_skipall(TFILE *fp,int skiptimeout); + + /* Write the specified buffer to the stream. */ + int tio_write(TFILE *fp,const void *buf,size_t count); +diff --git a/nss/common.h b/nss/common.h +index e8d8e0526499c252f69a558384ddae8504009d26..3f93a4fb4704092dd5b1a41b024d33abf59cba60 100644 +--- a/nss/common.h ++++ b/nss/common.h +@@ -2,7 +2,7 @@ + common.h - common functions for NSS lookups + + Copyright (C) 2006 West Consulting +- Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong ++ Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -35,6 +35,10 @@ + #include "solnss.h" + #endif /* NSS_FLAVOUR_SOLARIS */ + ++/* skip timeout determines the maximum time to wait when closing the ++ connection and reading whatever data that is available */ ++#define SKIP_TIMEOUT 500 ++ + /* These are macros for handling read and write problems, they are + NSS specific due to the return code so are defined here. They + genrally close the open file, set an error code and return with +@@ -127,7 +131,7 @@ + /* close socket and we're done */ \ + if ((retv==NSS_STATUS_SUCCESS)||(retv==NSS_STATUS_TRYAGAIN)) \ + { \ +- (void)tio_skipall(fp); \ ++ (void)tio_skipall(fp,SKIP_TIMEOUT); \ + (void)tio_close(fp); \ + } \ + return retv; +@@ -203,7 +207,7 @@ + NSS_AVAILCHECK; \ + if (fp!=NULL) \ + { \ +- (void)tio_skipall(fp); \ ++ (void)tio_skipall(fp,SKIP_TIMEOUT); \ + (void)tio_close(fp); \ + fp=NULL; \ + } \ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch b/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch new file mode 100644 index 0000000..6c40f6e --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch @@ -0,0 +1,39 @@ +From 841dd859360ff07d705e869d2a402f6b181a14f9 Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 1 Sep 2013 09:47:18 +0000 +Subject: [PATCH 1/3] fix buffer overflow on interrupted read (thanks John + Sullivan) (07a8170 from 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2029 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + AUTHORS | 1 + + common/tio.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/AUTHORS b/AUTHORS +index 5debe5f7c2a059e67f47098df8647c66eab85c13..65ee0789cb8c300c59f7b00b75e80b5b51d96ac9 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -119,3 +119,4 @@ Maxim Vetrov + Matthew L. Dailey + Chris Hiestand + Jon Severinsson ++John Sullivan +diff --git a/common/tio.c b/common/tio.c +index 4456198fe84ea72966edb06700c0fff751dd3451..9aef80ca91faedad8f75e09b9070d22ed4a0878d 100644 +--- a/common/tio.c ++++ b/common/tio.c +@@ -283,8 +283,8 @@ int tio_read(TFILE *fp, void *buf, size_t count) + } + else if ((rv<0)&&(errno!=EINTR)&&(errno!=EAGAIN)) + return -1; /* something went wrong with the read */ +- /* skip the read part in the buffer */ +- fp->readbuffer.len=rv; ++ else if (rv>0) ++ fp->readbuffer.len=rv; /* skip the read part in the buffer */ + #ifdef DEBUG_TIO_STATS + fp->bytesread+=rv; + #endif /* DEBUG_TIO_STATS */ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch b/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch new file mode 100644 index 0000000..1663ee1 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch @@ -0,0 +1,12 @@ +diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp nss-pam-ldapd-0.8.13/nslcd/pam.c +--- nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp 2017-10-23 21:18:19.867943857 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/pam.c 2017-10-23 21:18:35.935986527 +0200 +@@ -133,7 +133,7 @@ static void update_username(MYLDAP_ENTRY + return; + } + /* check if the username is different and update it if needed */ +- if (strcmp(username,value)!=0) ++ if (STR_CMP(username,value)!=0) + { + log_log(LOG_INFO,"username changed from \"%s\" to \"%s\"",username,value); + strcpy(username,value); diff --git a/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch b/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch new file mode 100644 index 0000000..815e82d --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch @@ -0,0 +1,77 @@ +Always use a function that we know will catch out-of-range values for UIDs and +GIDs, which are currently unsigned 32-bit numbers everywhere, and which won't +produce a result that'll silently be truncated if we store the result in a +uid_t or gid_t. +--- nss-pam-ldapd/nslcd/common.c ++++ nss-pam-ldapd/nslcd/common.c +@@ -273,19 +273,23 @@ long int binsid2id(const char *binsid) + ((((long int)binsid[i+2])&0xff)<<16)|((((long int)binsid[i+3])&0xff)<<24); + } + +-#ifdef WANT_STRTOUI +-/* provide a strtoui() implementation, similar to strtoul() but returning ++/* provide a strtoid() implementation, similar to strtoul() but returning + an range-checked unsigned int instead */ +-unsigned int strtoui(const char *nptr,char **endptr,int base) ++unsigned int strtoid(const char *nptr,char **endptr,int base) + { +- unsigned long val; +- val=strtoul(nptr,endptr,base); +- if (val>UINT_MAX) ++ long long val; ++ /* use the fact that long long is 64-bit, even on 32-bit systems */ ++ val=strtoll(nptr,endptr,base); ++ if (val>UINT32_MAX) + { + errno=ERANGE; +- return UINT_MAX; ++ return UINT32_MAX; + } +- /* If errno was set by strtoul, we'll pass it back as-is */ +- return (unsigned int)val; ++ else if (val < 0) ++ { ++ errno=EINVAL; ++ return UINT32_MAX; ++ } ++ /* If errno was set, we'll pass it back as-is */ ++ return (uint32_t)val; + } +-#endif /* WANT_STRTOUI */ +--- nss-pam-ldapd/nslcd/common.h ++++ nss-pam-ldapd/nslcd/common.h +@@ -139,31 +139,9 @@ int nsswitch_db_uses_ldap(const char *fi + #endif /* _POSIX_HOST_NAME_MAX */ + #endif /* not HOST_NAME_MAX */ + +-/* provide strtouid() function alias */ +-#if SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_INT +-#define strtouid (uid_t)strtoul +-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_LONG_INT +-#define strtouid (uid_t)strtoull +-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_INT +-#define WANT_STRTOUI 1 +-#define strtouid (uid_t)strtoui +-#else +-#error unable to find implementation for strtouid() +-#endif +- +-/* provide strtouid() function alias */ +-#if SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_INT +-#define strtogid (gid_t)strtoul +-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_LONG_INT +-#define strtogid (gid_t)strtoull +-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_INT +-#ifndef WANT_STRTOUI +-#define WANT_STRTOUI 1 +-#endif +-#define strtogid (uid_t)strtoui +-#else +-#error unable to find implementation for strtogid() +-#endif ++uint32_t strtoid(const char *nptr,char **endptr,int base); ++#define strtouid (uid_t)strtoid ++#define strtogid (gid_t)strtoid + + #ifdef WANT_STRTOUI + /* provide a strtoui() if it is needed */ diff --git a/SOURCES/nss-pam-ldapd-0.8.12-validname.patch b/SOURCES/nss-pam-ldapd-0.8.12-validname.patch new file mode 100644 index 0000000..6f5244f --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-validname.patch @@ -0,0 +1,36 @@ +Defaults changed to allow opening and closing parentheses everywhere. Defaults +changed again to make characters after the first optional, and again to go back +to disallowing names which end with "\". +--- man/nslcd.conf.5.xml ++++ man/nslcd.conf.5.xml +@@ -712,7 +712,7 @@ + characters and the 'i' flag may be appended at the end to indicate + that the match should be case-insensetive. + The default value is +- /^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i ++ /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i + + + +--- nslcd/cfg.c ++++ nslcd/cfg.c +@@ -134,7 +134,7 @@ static void cfg_defaults(struct ldap_con + cfg->ldc_pam_authz_search[i]=NULL; + cfg->ldc_nss_min_uid=0; + parse_validnames_statement(__FILE__,__LINE__,"", +- "/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i",cfg); ++ "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",cfg); + cfg->pam_password_prohibit_message=NULL; + } + +--- tests/test_common.c ++++ tests/test_common.c +@@ -39,6 +39,8 @@ static void test_isvalidname(void) + assert(!isvalidname("\\foo\\bar")); + assert(!isvalidname("foo\\bar\\")); + assert(isvalidname("me")); /* try short name */ ++ assert(isvalidname("f")); ++ assert(isvalidname("(foo bar)")); + } + + /* the main program... */ diff --git a/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch b/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch new file mode 100644 index 0000000..c775131 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch @@ -0,0 +1,46 @@ +From e34fccc883e1fb6e7c0e1663e11ff9f96191971f Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 27 Jan 2014 17:04:32 +0100 +Subject: [PATCH 1/2] Fix use after free in read_hostent and read_netent. + +if NSS_STATUS_TRYAGAIN is returned from read_one_hostent or +read_one_netent function tio_skipall will be called with NULL pointer +It could happend in functions: + _nss_ldap_getnetbyname_r + _nss_ldap_getnetbyaddr_r + _nss_ldap_gethostbyname2_r + _nss_ldap_gethostbyaddr_r +--- + nss/hosts.c | 2 -- + nss/networks.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/nss/hosts.c b/nss/hosts.c +index 86b6a77..0e7027e 100644 +--- a/nss/hosts.c ++++ b/nss/hosts.c +@@ -51,8 +51,6 @@ + + #undef ERROR_OUT_BUFERROR + #define ERROR_OUT_BUFERROR(fp) \ +- (void)tio_close(fp); \ +- fp=NULL; \ + *errnop=ERANGE; \ + *h_errnop=TRY_AGAIN; \ + return NSS_STATUS_TRYAGAIN; +diff --git a/nss/networks.c b/nss/networks.c +index 859ef0e..1403b45 100644 +--- a/nss/networks.c ++++ b/nss/networks.c +@@ -51,8 +51,6 @@ + + #undef ERROR_OUT_BUFERROR + #define ERROR_OUT_BUFERROR(fp) \ +- (void)tio_close(fp); \ +- fp=NULL; \ + *errnop=ERANGE; \ + *h_errnop=TRY_AGAIN; \ + return NSS_STATUS_TRYAGAIN; +-- +1.8.5.3 + diff --git a/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch b/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch new file mode 100644 index 0000000..82b7c47 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch @@ -0,0 +1,41 @@ +From ec86b3d715ae9583288b12686a0552586caa6270 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 27 Jan 2014 17:17:33 +0100 +Subject: [PATCH 2/2] Use right h_errnop for retrying with larger buffer. + +The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when +it needs to try again with a larger buffer. +--- + nss/hosts.c | 2 +- + nss/networks.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nss/hosts.c b/nss/hosts.c +index 0e7027e..2bf4c86 100644 +--- a/nss/hosts.c ++++ b/nss/hosts.c +@@ -52,7 +52,7 @@ + #undef ERROR_OUT_BUFERROR + #define ERROR_OUT_BUFERROR(fp) \ + *errnop=ERANGE; \ +- *h_errnop=TRY_AGAIN; \ ++ *h_errnop=NETDB_INTERNAL; \ + return NSS_STATUS_TRYAGAIN; + + #undef ERROR_OUT_WRITEERROR +diff --git a/nss/networks.c b/nss/networks.c +index 1403b45..f3cb269 100644 +--- a/nss/networks.c ++++ b/nss/networks.c +@@ -52,7 +52,7 @@ + #undef ERROR_OUT_BUFERROR + #define ERROR_OUT_BUFERROR(fp) \ + *errnop=ERANGE; \ +- *h_errnop=TRY_AGAIN; \ ++ *h_errnop=NETDB_INTERNAL; \ + return NSS_STATUS_TRYAGAIN; + + #undef ERROR_OUT_WRITEERROR +-- +1.8.5.3 + diff --git a/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch b/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch new file mode 100644 index 0000000..be7a3b4 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch @@ -0,0 +1,17 @@ +diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password nss-pam-ldapd-0.8.13/nslcd/myldap.c +--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password 2017-10-24 12:04:22.275105596 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/myldap.c 2017-10-24 12:04:39.355175121 +0200 +@@ -967,6 +967,13 @@ static int do_retry_search(MYLDAP_SEARCH + /* try to start the search */ + pthread_mutex_unlock(&uris_mutex); + rc=do_try_search(search); ++ /* if we are authenticating a user and get an error regarding failed ++ password we should error out instead of trying all servers */ ++ if ((search->session->binddn[0] != '\0') && (rc == LDAP_INVALID_CREDENTIALS)) ++ { ++ do_close(search->session); ++ return rc; ++ } + if (rc==LDAP_SUCCESS) + { + pthread_mutex_lock(&uris_mutex); diff --git a/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch b/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch new file mode 100644 index 0000000..8d6ee6f --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch @@ -0,0 +1,35 @@ +diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password nss-pam-ldapd-0.8.13/nslcd/myldap.c +--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password 2017-10-24 12:38:29.315411416 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/myldap.c 2017-10-24 12:38:52.727517587 +0200 +@@ -88,7 +88,7 @@ struct ldap_session + /* the username to bind with */ + char binddn[256]; + /* the password to bind with if any */ +- char bindpw[64]; ++ char bindpw[128]; + /* timestamp of last activity */ + time_t lastactivity; + /* index into ldc_uris: currently connected LDAP uri */ +diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password nss-pam-ldapd-0.8.13/nslcd/pam.c +--- nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password 2017-10-24 12:39:50.761780765 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/pam.c 2017-10-24 12:41:15.083163153 +0200 +@@ -246,7 +246,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SES + int rc; + char username[256]; + char servicename[64]; +- char password[64]; ++ char password[128]; + const char *userdn; + MYLDAP_ENTRY *entry; + int authzrc=NSLCD_PAM_SUCCESS; +@@ -617,8 +617,8 @@ int nslcd_pam_pwmod(TFILE *fp,MYLDAP_SES + char userdn[256]; + int asroot; + char servicename[64]; +- char oldpassword[64]; +- char newpassword[64]; ++ char oldpassword[128]; ++ char newpassword[128]; + const char *binddn=NULL; /* the user performing the modification */ + MYLDAP_ENTRY *entry; + char authzmsg[1024]; diff --git a/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch b/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch new file mode 100644 index 0000000..b7557b2 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch @@ -0,0 +1,98 @@ +diff -up nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/group.c +--- nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting 2013-02-23 22:24:00.000000000 +0100 ++++ nss-pam-ldapd-0.8.13/nslcd/group.c 2017-10-24 14:17:27.489696761 +0200 +@@ -109,10 +109,8 @@ static int mkfilter_group_bygid(gid_t gi + } + else + { +- return mysnprintf(buffer,buflen, +- "(&%s(%s=%d))", +- group_filter, +- attmap_group_gidNumber,(int)gid); ++ return mysnprintf(buffer,buflen,"(&%s(%s=%lu))", ++ group_filter,attmap_group_gidNumber,(unsigned long int)gid); + } + } + +diff -up nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/nslcd.c +--- nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting 2017-10-24 14:17:05.117590857 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/nslcd.c 2017-10-24 14:17:27.490696766 +0200 +@@ -402,8 +402,8 @@ static void handleconnection(int sock,MY + if (getpeercred(sock,&uid,&gid,&pid)) + log_log(LOG_DEBUG,"connection from unknown client: %s",strerror(errno)); + else +- log_log(LOG_DEBUG,"connection from pid=%d uid=%d gid=%d", +- (int)pid,(int)uid,(int)gid); ++ log_log(LOG_DEBUG,"connection from pid=%lu uid=%lu gid=%lu", ++ (unsigned long int)pid,(unsigned long int)uid,(unsigned long int)gid); + /* create a stream object */ + if ((fp=tio_fdopen(sock,READ_TIMEOUT,WRITE_TIMEOUT, + READBUFFER_MINSIZE,READBUFFER_MAXSIZE, +@@ -519,7 +519,7 @@ static void create_pidfile(const char *f + log_log(LOG_ERR,"cannot truncate pid file (%s): %s",filename,strerror(errno)); + exit(EXIT_FAILURE); + } +- mysnprintf(buffer,sizeof(buffer),"%d\n",(int)getpid()); ++ mysnprintf(buffer,sizeof(buffer),"%lu\n",(unsigned long int)getpid()); + if (write(fd,buffer,strlen(buffer))!=(int)strlen(buffer)) + { + log_log(LOG_ERR,"error writing pid file (%s): %s",filename,strerror(errno)); +@@ -755,11 +755,11 @@ int main(int argc,char *argv[]) + #ifdef HAVE_INITGROUPS + /* load supplementary groups */ + if (initgroups(nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid)<0) +- log_log(LOG_WARNING,"cannot initgroups(\"%s\",%d) (ignored): %s", +- nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid,strerror(errno)); ++ log_log(LOG_WARNING,"cannot initgroups(\"%s\",%lu) (ignored): %s", ++ nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid,strerror(errno)); + else +- log_log(LOG_DEBUG,"initgroups(\"%s\",%d) done", +- nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid); ++ log_log(LOG_DEBUG,"initgroups(\"%s\",%lu) done", ++ nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid); + #else /* not HAVE_INITGROUPS */ + #ifdef HAVE_SETGROUPS + /* just drop all supplemental groups */ +@@ -777,20 +777,22 @@ int main(int argc,char *argv[]) + { + if (setgid(nslcd_cfg->ldc_gid)!=0) + { +- log_log(LOG_ERR,"cannot setgid(%d): %s",(int)nslcd_cfg->ldc_gid,strerror(errno)); ++ log_log(LOG_ERR,"cannot setgid(%lu): %s", ++ (unsigned long int)nslcd_cfg->ldc_gid,strerror(errno)); + exit(EXIT_FAILURE); + } +- log_log(LOG_DEBUG,"setgid(%d) done",(int)nslcd_cfg->ldc_gid); ++ log_log(LOG_DEBUG,"setgid(%lu) done",(unsigned long int)nslcd_cfg->ldc_gid); + } + /* change to nslcd uid */ + if (nslcd_cfg->ldc_uid!=NOUID) + { + if (setuid(nslcd_cfg->ldc_uid)!=0) + { +- log_log(LOG_ERR,"cannot setuid(%d): %s",(int)nslcd_cfg->ldc_uid,strerror(errno)); ++ log_log(LOG_ERR,"cannot setuid(%lu): %s", ++ (unsigned long int)nslcd_cfg->ldc_uid,strerror(errno)); + exit(EXIT_FAILURE); + } +- log_log(LOG_DEBUG,"setuid(%d) done",(int)nslcd_cfg->ldc_uid); ++ log_log(LOG_DEBUG,"setuid(%lu) done",(unsigned long int)nslcd_cfg->ldc_uid); + } + /* block all these signals so our worker threads won't handle them */ + sigemptyset(&signalmask); +diff -up nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/passwd.c +--- nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting 2013-02-23 22:24:00.000000000 +0100 ++++ nss-pam-ldapd-0.8.13/nslcd/passwd.c 2017-10-24 14:17:27.490696766 +0200 +@@ -115,10 +115,8 @@ static int mkfilter_passwd_byuid(uid_t u + } + else + { +- return mysnprintf(buffer,buflen, +- "(&%s(%s=%d))", +- passwd_filter, +- attmap_passwd_uidNumber,(int)uid); ++ return mysnprintf(buffer,buflen, "(&%s(%s=%lu))", ++ passwd_filter,attmap_passwd_uidNumber,(unsigned long int)uid); + } + } + diff --git a/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch b/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch new file mode 100644 index 0000000..f0dacb4 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch @@ -0,0 +1,24 @@ +diff -up nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list nss-pam-ldapd-0.8.13/man/nslcd.conf.5 +--- nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list 2017-10-24 14:08:54.429271306 +0200 ++++ nss-pam-ldapd-0.8.13/man/nslcd.conf.5 2017-10-24 14:09:31.691444445 +0200 +@@ -46,7 +46,7 @@ Note that you should use values that don + to resolve. + .SS "GENERAL CONNECTION OPTIONS" + .TP +-\*(T<\fBuri\fR\*(T> \fIURI\fR ++\*(T<\fBuri\fR\*(T> \fIURI\fR ... + Specifies the LDAP URI of the + server to connect to. + The URI scheme may be \*(T, +@@ -66,8 +66,9 @@ When using the ldapi scheme, %2f should + (e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the + time this should not be needed. + +-This option may be specified multiple times. Normally, only the first +-server will be used with the following servers as fall-back (see ++This option may be specified multiple times and/or with more URIs on the ++line, separated by space. Normally, only the first server will be used ++with the following servers as fall-back (see + \*(T<\fBbind_timelimit\fR\*(T> below). + + If LDAP lookups are used for host name resolution, diff --git a/SOURCES/nss-pam-ldapd-0.8.13.tar.gz.sig b/SOURCES/nss-pam-ldapd-0.8.13.tar.gz.sig new file mode 100644 index 0000000..3a364d0 Binary files /dev/null and b/SOURCES/nss-pam-ldapd-0.8.13.tar.gz.sig differ diff --git a/SOURCES/nss-pam-ldapd-bz1676861-Increase-size-of-config-file-token.patch b/SOURCES/nss-pam-ldapd-bz1676861-Increase-size-of-config-file-token.patch new file mode 100644 index 0000000..79f03cf --- /dev/null +++ b/SOURCES/nss-pam-ldapd-bz1676861-Increase-size-of-config-file-token.patch @@ -0,0 +1,27 @@ +From 9760dcef59da6ffbf1826724fa79621d74255e06 Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sat, 23 Dec 2017 17:58:27 +0100 +Subject: [PATCH] Increase size of config file token + +This increases the maximum size of tokens that are read from the +nslcd.conf configuration file to 256 characters. This was a problem for +some very long uri values. + +Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/21 +--- + nslcd/cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nslcd/cfg.c b/nslcd/cfg.c +index a6cfeb32..60d860e7 100644 +--- a/nslcd/cfg.c ++++ b/nslcd/cfg.c +@@ -1265,7 +1265,7 @@ static void cfg_read(const char *filename, struct ldap_config *cfg) + char linebuf[MAX_LINE_LENGTH]; + char *line; + char keyword[32]; +- char token[64]; ++ char token[256]; + int i; + #ifdef LDAP_OPT_X_TLS + int rc; diff --git a/SOURCES/nss-pam-ldapd-exitcode.patch b/SOURCES/nss-pam-ldapd-exitcode.patch new file mode 100644 index 0000000..2b4f8fa --- /dev/null +++ b/SOURCES/nss-pam-ldapd-exitcode.patch @@ -0,0 +1,10 @@ +diff -up nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode nss-pam-ldapd-0.8.14/nslcd/nslcd.c +--- nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode 2017-02-08 09:52:39.687834074 +0100 ++++ nss-pam-ldapd-0.8.14/nslcd/nslcd.c 2017-02-08 09:52:54.630891580 +0100 +@@ -866,5 +866,5 @@ int main(int argc,char *argv[]) + log_log(LOG_ERR,"thread %d is still running, shutting down anyway",i); + } + /* we're done */ +- return EXIT_FAILURE; ++ return EXIT_SUCCESS; + } diff --git a/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch b/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch new file mode 100644 index 0000000..7a014f3 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch @@ -0,0 +1,30 @@ +diff -up nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect +--- nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs 2014-01-20 15:32:33.253018468 +0100 ++++ nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect 2014-01-20 15:38:00.452957296 +0100 +@@ -40,7 +40,7 @@ proc reset_password {} { + expect { + "LDAP administrator password" { send "test\r"; exp_continue } + -regexp "(New|Retype new) password:" { send "test\r"; exp_continue } +- "password updated successfully" {} ++ "passwd: all authentication tokens updated successfully" {} + "Invalid credentials" abort + "Authentication token manipulation error" abort + default abort +@@ -114,7 +114,7 @@ proc test_login_unknown {uid passwd} { + expect { + "Password:" { send "$passwd\r"; exp_continue } + "Unknown id" {} +- "No passwd entry for user" {} ++ "su: user $uid does not exist" {} + "\$ " abort + default abort + } +@@ -156,7 +156,7 @@ expect { + } + expect { + -regexp "(New|Retype new) password:" { send "newpassword\r"; exp_continue } +- "password updated successfully" {} ++ "passwd: all authentication tokens updated successfully" {} + "Invalid credentials" abort + "Authentication token manipulation error" abort + "\$ " abort diff --git a/SPECS/nss-pam-ldapd.spec b/SPECS/nss-pam-ldapd.spec new file mode 100644 index 0000000..5f445d9 --- /dev/null +++ b/SPECS/nss-pam-ldapd.spec @@ -0,0 +1,694 @@ +%if 0%{?fedora} > 15 || 0%{?rhel} > 6 +%global systemd 1 +%global sysvinit 0 +%else +%global systemd 0 +%global sysvinit 1 +%endif + +# Fedora had these in F18, but we didn't cut over to use them until after F18 +# was frozen, so pretend it didn't happen until F19. +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +%global systemd_macros 1 +%else +%global systemd_macros 0 +%endif + +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +%global tmpfiles 1 +%else +%global tmpfiles 0 +%endif + +# Fedora had it in F17, but moving things around in already-released versions +# is a bad idea, so pretend it didn't happen until F19. +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +%global separate_usr 0 +%global nssdir %{_libdir} +%global pamdir %{_libdir}/security +%else +%global separate_usr 1 +%global nssdir /%{_lib} +%global pamdir /%{_lib}/security +%endif + +# For distributions that support it, build with RELRO +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7) +%define _hardened_build 1 +%endif + +Name: nss-pam-ldapd +Version: 0.8.13 +Release: 22%{?dist} +Summary: An nsswitch module which uses directory servers +Group: System Environment/Base +License: LGPLv2+ +URL: http://arthurdejong.org/nss-pam-ldapd/ +Source0: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz +Source1: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz.sig +Source2: nslcd.init +Source3: nslcd.tmpfiles +Source4: nslcd.service +Patch1: nss-pam-ldapd-0.8.12-validname.patch +Patch2: nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch +Patch3: nss-pam-ldapd-0.8.12-uid-overflow.patch +Patch4: nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch +Patch5: nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch +Patch6: nss-pam-ldapd-rh-msgs-in-tests.patch +Patch7: nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch +Patch8: nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch +Patch9: nss-pam-ldapd-exitcode.patch +Patch10: nss-pam-ldapd-0.8.12-str-cmp.patch +Patch11: nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch +Patch12: nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch +Patch13: nss-pam-ldapd-0.8.13-uri-man-fix.patch +Patch14: nss-pam-ldapd-0.8.13-uid_formatting.patch +Patch15: nss-pam-ldapd-bz1676861-Increase-size-of-config-file-token.patch +# rhbz#1612543 - Password expiration notification is not sent if the LDAP user doesn't have the objectClass shadowAccount. +Patch16: 0016-Backport-of-request-and-parse-password-policy-contro.patch +Patch17: 0017-Backport-of-passing-expiration-controls-back-to-PAM-.patch +Patch18: 0018-Also-extract-policy-controls-on-BIND-failure.patch +Patch19: 0019-Fix-password-policy-expiration-warnings.patch +Patch20: 0020-Simplify-password-policy-message-handling.patch +Patch21: 0021-backport-the-pam_authc_ppolicy-option.patch +Patch22: 0022-Backport-the-human-readable-password-policy-reply.patch +Patch23: 0023-Backport-typo-fixes-in-password-expiration-warnings.patch +Patch24: 0024-Allow-logging-longer-lines.patch +# rhbz#1618558 - AD authentication on RHEL using nslcd fails with error "pwdLastSet: password changed in the future" +Patch25: 0025-Backport-of-Update-shadow.c-to-resolve-pwdLastSet-is.patch +# rhbz#1612543 - Password expiration notification is not sent if the LDAP user doesn't have the objectClass shadowAccount. +Patch26: 0026-RHEL-specific-Disable-the-password-policies-unless-e.patch +Patch27: 0027-RHEL-specific-document-the-ppolicy-option-default.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: openldap-devel, krb5-devel +BuildRequires: autoconf, automake +BuildRequires: pam-devel +Obsoletes: nss-ldapd < 0.7 +Provides: nss-ldapd = %{version}-%{release} + +# Obsolete PADL's nss_ldap +Provides: nss_ldap = 265-12 +Obsoletes: nss_ldap < 265-11 + +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +# Obsolete PADL's pam_ldap +Provides: pam_ldap = 185-15 +Obsoletes: pam_ldap < 185-15 +%global build_pam_ldap 1 +%else +# Pull in the pam_ldap module, which is its own package in F14 and later, to +# keep upgrades from removing the module. We used to disable nss-pam-ldapd's +# own pam_ldap.so when it wasn't mature enough. +Requires: pam_ldap%{?_isa} +%global build_pam_ldap 0 +%endif + +# Pull in nscd, which is recommended. +Requires: nscd +%if %{sysvinit} +Requires(post): /sbin/ldconfig, chkconfig, grep, sed +Requires(preun): chkconfig, initscripts +Requires(postun): /sbin/ldconfig, initscripts +%endif +%if %{systemd} +BuildRequires: systemd-units +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +Requires(post): systemd-sysv +%endif + +%description +The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name +service information (users, groups, etc.) on behalf of a lightweight +nsswitch module. + +%prep +%setup -q +%patch1 -p0 -b .validname +%patch2 -p1 -b .epipe +%patch3 -p1 -b .overflow +%patch4 -p1 -b .skiptimeout +%patch5 -p1 -b .readall +%patch6 -p1 -b .test_msgs +%patch7 -p1 -b .use_after_free +%patch8 -p1 -b .errnop_val +%patch9 -p1 -b .exit_code +%patch10 -p1 -b .str_cmp +%patch11 -p1 -b .avoid_lockout_on_bad_password +%patch12 -p1 -b .long_password +%patch13 -p1 -b .uri_list +%patch14 -p1 -b .uid_formatting +%patch15 -p1 -b .config_token_size +%patch16 -p1 -b .backport_policy_control_daemon +%patch17 -p1 -b .backport_policy_control_pam +%patch18 -p1 -b .ppolicy_bind_failure +%patch19 -p1 -b .fix_expiration_warnings +%patch20 -p1 -b .simplify_msg_handling +%patch21 -p1 -b .ppolicy_option +%patch22 -p1 -b .ppolicy_human_readable +%patch23 -p1 -b .ppolicy_typos +%patch24 -p1 -b .long_log_lines +%patch25 -p1 -b .pwd_last_set +%patch26 -p1 -b .ppolicy_default +%patch27 -p1 -b .ppolicy_default_man +autoreconf -f -i + +%build +CFLAGS="$RPM_OPT_FLAGS -fPIC" ; export CFLAGS +%configure --libdir=%{nssdir} \ +%if %{build_pam_ldap} + --with-pam-seclib-dir=%{pamdir} +%else + --disable-pam +%endif +make %{?_smp_mflags} + +%check +make check + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT/{%{_initddir},%{_libdir},%{_unitdir}} +%if %{sysvinit} +install -p -m755 %{SOURCE2} $RPM_BUILD_ROOT/%{_initddir}/nslcd +%endif +%if %{systemd} +install -p -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/ +%endif + +%if 0%{?fedora} > 13 || 0%{?rhel} > 5 +%if %{separate_usr} +# Follow glibc's convention and provide a .so symlink so that people who know +# what to expect can link directly with the module. +if test %{_libdir} != /%{_lib} ; then + touch $RPM_BUILD_ROOT/rootfile + relroot=.. + while ! test -r $RPM_BUILD_ROOT/%{_libdir}/$relroot/rootfile ; do + relroot=../$relroot + done + ln -s $relroot/%{_lib}/libnss_ldap.so.2 \ + $RPM_BUILD_ROOT/%{_libdir}/libnss_ldap.so + rm $RPM_BUILD_ROOT/rootfile +fi +%else +ln -s libnss_ldap.so.2 $RPM_BUILD_ROOT/%{nssdir}/libnss_ldap.so +%endif +%endif + +sed -i -e 's,^uid.*,uid nslcd,g' -e 's,^gid.*,gid ldap,g' \ +$RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf +touch -r nslcd.conf $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf +mkdir -p -m 0755 $RPM_BUILD_ROOT/var/run/nslcd +%if %{tmpfiles} +mkdir -p -m 0755 $RPM_BUILD_ROOT/%{_tmpfilesdir} +install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_tmpfilesdir}/%{name}.conf +%endif + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root) +%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO +%{_sbindir}/* +%{nssdir}/*.so.* +%if %{build_pam_ldap} +%{pamdir}/pam_ldap.so +%endif +%{_mandir}/*/* +%attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /etc/nslcd.conf +%if %{tmpfiles} +%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf +%endif +%if %{sysvinit} +%attr(0755,root,root) %{_initddir}/nslcd +%endif +%if %{systemd} +%config(noreplace) %{_unitdir}/* +%endif +%attr(0755,nslcd,root) /var/run/nslcd +%if 0%{?fedora} > 13 || 0%{?rhel} > 5 +# This would be the only thing in the -devel subpackage, so we include it. It +# will conflict with nss_ldap, so only include it for releases where pam_ldap is +# its own package. +/%{_libdir}/*.so +%endif + +%pre +getent group ldap > /dev/null || \ +/usr/sbin/groupadd -r -g 55 ldap +getent passwd nslcd > /dev/null || \ +/usr/sbin/useradd -r -g ldap -c 'LDAP Client User' \ + -u 65 -d / -s /sbin/nologin nslcd 2> /dev/null || : + +%post +# The usual stuff. +%if %{sysvinit} +/sbin/chkconfig --add nslcd +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_post nslcd.service +%else +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +%endif +%endif +/sbin/ldconfig +# Import important non-default settings from nss_ldap or pam_ldap configuration +# files, but only the first time this package is installed. +comment="This comment prevents repeated auto-migration of settings." +if test -s /etc/nss-ldapd.conf ; then + source=/etc/nss-ldapd.conf +elif test -s /etc/nss_ldap.conf ; then + source=/etc/nss_ldap.conf +elif test -s /etc/pam_ldap.conf ; then + source=/etc/pam_ldap.conf +else + source=/etc/ldap.conf +fi +target=/etc/nslcd.conf +if test "$1" -eq "1" && ! grep -q -F "# $comment" $target 2> /dev/null ; then + # Try to make sure we only do this the first time. + echo "# $comment" >> $target + if grep -E -q '^uri[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default host/uri and replace it... + sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target + # ... with the uri. + grep -E '^uri[[:blank:]]' $source >> $target + elif grep -E -q '^host[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default host/uri and replace it... + sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target + # ... with the "host" reformatted as a URI. + scheme=ldap + # check for 'ssl on', which means we want to use ldaps:// + if grep -E -q '^ssl[[:blank:]]+on$' $source 2> /dev/null ; then + scheme=ldaps + fi + grep -E '^host[[:blank:]]' $source |\ + sed -r -e "s,^host[[:blank:]](.*),uri ${scheme}://\1/,g" >> $target + fi + # Base doesn't require any special logic. + if grep -E -q '^base[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default base and replace it. + sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' $target + grep -E '^base[[:blank:]]' $source >> $target + fi + # Pull in these settings, if they're set, directly. + grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' $source 2> /dev/null >> $target + grep -E '^(tls_)' $source 2> /dev/null >> $target + grep -E '^(timelimit|bind_timelimit|idle_timelimit)[[:blank:]]' $source 2> /dev/null >> $target +fi +# If this is the first time we're being installed, and the system is already +# configured to use LDAP as a naming service, enable the daemon, but don't +# start it since we can never know if that's a safe thing to do. If this +# is an upgrade, leave the user's runlevel selections alone. +if [ "$1" -eq "1" ]; then + if grep -E -q '^USELDAP=yes$' /etc/sysconfig/authconfig 2> /dev/null ; then +%if %{sysvinit} + /sbin/chkconfig nslcd on +%endif +%if %{systemd} + /bin/systemctl --no-reload enable nslcd.service >/dev/null 2>&1 ||: +%endif + fi +fi +# Earlier versions of 0.7.6 of this package would have included both 'gid +# nslcd' (a group which doesn't exist) and 'gid ldap' (which we ensure exists). +# If we detect both, fix the configuration. +if grep -q '^gid nslcd' $target ; then + if grep -q '^gid ldap' $target ; then + sed -i -e 's,^gid nslcd$,# gid nslcd,g' $target + fi +fi +# In 0.8.4, the name of the attribute which was expected to contain the DNs of +# a group's members changed from "uniqueMember" to "member". Change any +# instances of "map group uniqueMember ..." to "map group member ...", unless +# "member" is already being mapped, in which case attempting this would +# probably just confuse things further. +if grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]]" $target ; then + if ! grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+member[[:blank:]]" $target ; then + sed -i -r -e "s,^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]](.*),map group member \1,g" $target + fi +fi +# Create the daemon's /var/run directory if it isn't there. +if ! test -d /var/run/nslcd ; then + mkdir -p -m 0755 /var/run/nslcd +fi +exit 0 + +%preun +if [ "$1" -eq "0" ]; then +%if %{sysvinit} + /sbin/service nslcd stop >/dev/null 2>&1 + /sbin/chkconfig --del nslcd +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_preun nslcd.service +%else + /bin/systemctl --no-reload disable nslcd.service > /dev/null 2>&1 || : + /bin/systemctl stop nslcd.service > /dev/null 2>&1 || : +%endif +%endif +fi +exit 0 + +%postun +/sbin/ldconfig +%if %{sysvinit} +if [ "$1" -ge "1" ]; then + /etc/rc.d/init.d/nslcd condrestart >/dev/null 2>&1 +fi +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_postun_with_restart nslcd.service +%else +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ "$1" -ge "1" ]; then + /bin/systemctl try-restart nslcd.service >/dev/null 2>&1 +fi +%endif +%endif +exit 0 + +%if %{systemd} +%triggerun -- nss-pam-ldapd < 0.7.13-6 +# Save the current service runlevel info, in case the user wants to apply +# the enabled status manually later, by running +# "systemd-sysv-convert --apply nslcd". +%{_bindir}/systemd-sysv-convert --save nslcd >/dev/null 2>&1 ||: +# Do this because the old package's %%postun doesn't know we need to do it. +/sbin/chkconfig --del nslcd >/dev/null 2>&1 || : +# Do this because the old package's %%postun wouldn't have tried. +/bin/systemctl try-restart nslcd.service >/dev/null 2>&1 || : +exit 0 +%endif + +%changelog +* Tue Sep 17 2019 Jakub Hrozek - 0.8.13-22 +- Do not enable the password expiration controls by default +- Document the option and its default +- Resolves: rhbz#1612543 - Password expiration notification is not sent + if the LDAP user doesn't have the objectClass + shadowAccount. + +* Fri Aug 30 2019 Jakub Hrozek - 0.8.13-21 +- Resolves: rhbz#1618558 - AD authentication on RHEL using nslcd fails + with error "pwdLastSet: password changed in the + future" + +* Tue Aug 27 2019 Jakub Hrozek - 0.8.13-20 +- Resolves: rhbz#1714763 - [RHEL7] Correct startup dependencies for cgcred service for nslcd/LDAP clients + +* Thu Aug 22 2019 Jakub Hrozek - 0.8.13-19 +- Resolves: rhbz#1559524 - nslcd only prints 200 characters in error message + +* Wed Aug 21 2019 Jakub Hrozek - 0.8.13-18 +- Resolves: rhbz#1612543 - Password expiration notification is not sent if + the LDAP user doesn't have the objectClass shadowAccount. + +* Thu Mar 14 2019 Jakub Hrozek - 0.8.13-17 +- Resolves: rhbz#1676861 - nslcd fails to connect to ldap if fqdn is large + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-16 +- Resolves: rhbz#1151675 - NSLCD WRAPS LDAP USER UIDNUMBER > 2^31 SO UID + IS WRONG (AND A NEGATIVE NUMBER) + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-15 +- Resolves: rhbz#1204202 - fix doc to describe actual uri format in + nslcd.conf + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-14 +- Resolves: rhbz#1288429 - /etc/tmpfiles.d/nss-pam-ldapd.conf shipped when + /etc/tmpfiles.d is reserved for the local + administrator + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-13 +- Resolves: rhbz#1312297 - nslcd.service does not restart on failure + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-12 +- Resolves: rhbz#1425790 - Unable to authenticate with 64 character password + using nss-pam-ldapd + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-11 +- Resolves: rhbz#1497761 - Incorrect password tries to bind to all domain + controllers and locks user out + +* Mon Oct 23 2017 Jakub Hrozek - 0.8.13-10 +- Resolves: rhbz#1357493 - In RHEL 7, authentication failing when using + nslcd + pam_ldap where user has different in + nis/passwd and ldap. + +* Mon Oct 23 2017 Jakub Hrozek - 0.8.13-9 +- Resolves: rhbz#1420576 - 'systemctl status nslcd' always returns FAILURE + status even though the service is stopped with + 'systemctl stop nslcd + +* Wed Jan 29 2014 Jakub Hrozek 0.8.13-8 +- Fix a potential use-after-free in nsswitch module +- Resolves: rhbz#1036030 - New defect found in nss-pam-ldapd-0.8.13-4.el7 + +* Fri Jan 24 2014 Daniel Mach - 0.8.13-7 +- Mass rebuild 2014-01-24 + +* Mon Jan 20 2014 Jakub Hrozek 0.8.13-6 +- Change the error messages the tests expect to those printed on RH based + systems +- Resolves: rhbz#1044482 + +* Fri Dec 27 2013 Daniel Mach - 0.8.13-5 +- Mass rebuild 2013-12-27 + +* Fri Oct 18 2013 Nalin Dahyabhai 0.8.13-4 +- compile nslcd/log.c with -fPIC instead of the current hardened-build default + of -fPIE, which doesn't seem to avoid relocations for its thread-local + variables on s390x (#1002834) + +* Sat Oct 05 2013 Jakub Hrozek 0.8.13-3 +- Suppress Broken Pipe messages when requesting a large groupo +- Resolves: rhbz#1002829 + +* Wed Jul 31 2013 Jakub Hrozek 0.8.13-2 +- Build with _hardened_build macro + +* Mon May 6 2013 Nalin Dahyabhai 0.8.13-1 +- update to 0.8.13 +- correct a syntax error in the fix that was added for #832706 + +* Tue Apr 30 2013 Nalin Dahyabhai 0.8.12-4 +- in %%post, attempt to rewrite any instances of "map group uniqueMember ..." + to be "map group member ..." in nslcd.conf, as the attribute name changed + in 0.8.4 (via freeipa ticket #3589) + +* Thu Feb 14 2013 Fedora Release Engineering - 0.8.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Nalin Dahyabhai 0.8.12-2 +- drop local patch to make the client flush some more read buffers + +* Fri Jan 18 2013 Nalin Dahyabhai 0.8.12-1 +- update to 0.8.12 (#846793) +- make building pam_ldap conditional on the targeted release +- add "After=named.service dirsrv.target slapd.service" to nslcd.service, + to make sure that nslcd is started after them if they're to be started + on the local system (#832706) +- alter the versioned Obsoletes: on pam_ldap to include the F18 package +- use %%{_unitdir} when deciding where to put systemd configuration, based + on patch from Václav Pavlín (#850232) +- use new systemd macros for scriptlet hooks, when available, based on + patch from Václav Pavlín (#850232) + +* Sun Sep 09 2012 Jakub Hrozek 0.7.17-1 +- new upstream release 0.7.17 + +* Sun Aug 05 2012 Jakub Hrozek - 0.7.16-5 +- Obsolete PADL's nss_ldap + +* Sat Aug 04 2012 Jakub Hrozek - 0.7.16-4 +- Build the PAM module, obsoletes PADL's pam-ldap (#856006) + +* Fri Jul 20 2012 Fedora Release Engineering - 0.7.16-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon May 14 2012 Jakub Hrozek 0.7.16-2 +- backport upstream revision r1659 related to broken pipe when + requesting a large group +- use grep -E instead of egrep to avoid rpmlint warnings + +* Sat Apr 28 2012 Jakub Hrozek 0.7.16-1 +- new upstream release 0.7.16 + +* Thu Mar 15 2012 Jakub Hrozek 0.7.15-2 +- Do not print "Broken Pipe" error message when requesting a large group + +* Fri Mar 9 2012 Jakub Hrozek 0.7.15-1 +- new upstream release 0.7.15 + +* Fri Jan 13 2012 Fedora Release Engineering - 0.7.14-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 16 2011 Jakub Hrozek 0.7.14-2 +- Do not overflow large UID/GID values on 32bit architectures + +* Mon Nov 28 2011 Nalin Dahyabhai +- use the same conditional test for deciding when to create the .so symlink as + we do later on for deciding when to include it in the package (#757004) + +* Fri Sep 23 2011 Jakub Hrozek 0.7.14-1 +- new upstream release 0.7.14 +- obsoletes nss-pam-ldapd-0.7.x-buffers.patch + +* Wed Aug 24 2011 Nalin Dahyabhai 0.7.13-8 +- include backported enhancement to take URIs in the form "dns:DOMAIN" in + addition to the already-implemented "dns" (#730309) + +* Thu Jul 14 2011 Nalin Dahyabhai 0.7.13-7 +- switch to only munging the contents of /etc/nslcd.conf on the very first + install (#706454) +- make sure that we have enough space to parse any valid GID value when + parsing a user's primary GID (#716822) +- backport support for the "validnames" option from SVN and use it to allow + parentheses characters by modifying the default setting (#690870), then + modify the default again to also allow shorter and shorter names to pass + muster (#706860) + +* Wed Jul 13 2011 Nalin Dahyabhai 0.7.13-6 +- convert to systemd-native startup (#716997) + +* Mon Jun 13 2011 Nalin Dahyabhai 0.7.13-5 +- change the file path Requires: we have for pam_ldap into a package name + Requires: (#601931) + +* Wed Mar 30 2011 Nalin Dahyabhai 0.7.13-4 +- tag nslcd.conf with %%verify(not md5 size mtime), since we always tweak + it in %%post (#692225) + +* Tue Mar 1 2011 Nalin Dahyabhai 0.7.13-3 +- add a tmpfiles configuration to ensure that /var/run/nslcd is created when + /var/run is completely empty at boot (#656643) + +* Tue Feb 08 2011 Fedora Release Engineering - 0.7.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Dec 13 2010 Nalin Dahyabhai 0.7.13-1 +- update to 0.7.13 + +* Fri Oct 29 2010 Nalin Dahyabhai 0.7.12-1 +- update to 0.7.12 + +* Fri Oct 15 2010 Nalin Dahyabhai 0.7.11-1 +- update to 0.7.11 + +* Wed Sep 29 2010 jkeating - 0.7.10-2 +- Rebuilt for gcc bug 634757 + +* Fri Sep 24 2010 Nalin Dahyabhai 0.7.10-1 +- update to 0.7.10 + +* Thu Sep 23 2010 Nalin Dahyabhai 0.7.9-2 +- when creating /var/run/nslcd in the buildroot, specify that 0755 is a + permissions value and not another directory name (#636880) + +* Mon Aug 30 2010 Nalin Dahyabhai 0.7.9-1 +- update to 0.7.9 + +* Wed Aug 18 2010 Nalin Dahyabhai 0.7.8-1 +- update to 0.7.8 + +* Wed Jul 7 2010 Nalin Dahyabhai 0.7.7-1 +- update to 0.7.7 + +* Mon Jun 28 2010 Nalin Dahyabhai 0.7.6-3 +- don't accidentally set multiple 'gid' settings in nslcd.conf, and try to + clean up after older versions of this package that did (#608314) + +* Thu May 27 2010 Nalin Dahyabhai 0.7.6-2 +- make inclusion of the .so symlink conditional on being on a sufficiently- + new Fedora where pam_ldap isn't part of the nss_ldap package, so having + this package conflict with nss_ldap doesn't require that pam_ldap be + removed (#596691) + +* Thu May 27 2010 Nalin Dahyabhai 0.7.6-1 +- update to 0.7.6 + +* Mon May 17 2010 Nalin Dahyabhai 0.7.5-3 +- switch to the upstream patch for #592411 + +* Fri May 14 2010 Nalin Dahyabhai 0.7.5-2 +- don't return an uninitialized buffer as the value for an optional attribute + that isn't present in the directory server entry (#592411) + +* Fri May 14 2010 Nalin Dahyabhai 0.7.5-1 +- update to 0.7.5 + +* Fri May 14 2010 Nalin Dahyabhai 0.7.4-1 +- update to 0.7.4 +- stop trying to migrate retry timeout parameters from old ldap.conf files +- add an explicit requires: on nscd to make sure it's at least available on + systems that are using nss-pam-ldapd; otherwise it's usually optional + +* Tue Mar 23 2010 Nalin Dahyabhai 0.7.3-1 +- update to 0.7.3 + +* Thu Feb 25 2010 Nalin Dahyabhai 0.7.2-2 +- bump release for post-review commit + +* Thu Feb 25 2010 Nalin Dahyabhai 0.7.2-1 +- add comments about why we have a .so link at all, and not a -devel subpackage + +* Wed Jan 13 2010 Nalin Dahyabhai +- obsolete/provides nss-ldapd +- import configuration from nss-ldapd.conf, too + +* Tue Jan 12 2010 Nalin Dahyabhai +- rename to nss-pam-ldapd +- also check for import settings in /etc/nss_ldap.conf and /etc/pam_ldap.conf + +* Thu Sep 24 2009 Nalin Dahyabhai 0.6.11-2 +- rebuild + +* Wed Sep 16 2009 Nalin Dahyabhai +- apply Mitchell Berger's patch to clean up the init script, use %%{_initddir}, + and correct the %%post so that it only thinks about turning on nslcd when + we're first being installed (#522947) +- tell status() where the pidfile is when the init script is called for that + +* Tue Sep 8 2009 Nalin Dahyabhai +- fix typo in a comment, capitalize the full name for "LDAP Client User" (more + from #516049) + +* Wed Sep 2 2009 Nalin Dahyabhai 0.6.11-1 +- update to 0.6.11 + +* Sat Jul 25 2009 Fedora Release Engineering - 0.6.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jun 18 2009 Nalin Dahyabhai 0.6.10-3 +- update URL: and Source: + +* Mon Jun 15 2009 Nalin Dahyabhai 0.6.10-2 +- add and own /var/run/nslcd +- convert hosts to uri during migration + +* Thu Jun 11 2009 Nalin Dahyabhai 0.6.10-1 +- update to 0.6.10 + +* Fri Apr 17 2009 Nalin Dahyabhai 0.6.8-1 +- bump release number to 1 (part of #491767) +- fix which group we check for during %%pre (part of #491767) + +* Tue Mar 24 2009 Nalin Dahyabhai +- require chkconfig by package rather than path (Jussi Lehtola, part of #491767) + +* Mon Mar 23 2009 Nalin Dahyabhai 0.6.8-0.1 +- update to 0.6.8 + +* Mon Mar 23 2009 Nalin Dahyabhai 0.6.7-0.1 +- start using a dedicated user + +* Wed Mar 18 2009 Nalin Dahyabhai 0.6.7-0.0 +- initial package (#445965)