Tryag File Manager
Home
-
Turbo Force
Current Path :
/
proc
/
self
/
root
/
usr
/
share
/
doc
/
shared-pam_ldap-1.0
/
Upload File :
New :
File
Dir
//proc/self/root/usr/share/doc/shared-pam_ldap-1.0/ChangeLog
$Id: ChangeLog,v 1.213 2007/03/03 07:12:01 lukeh Exp $ =============================================================== 184 Luke Howard <lukeh@padl.com> * fix for BUG#312: pam_ldap does not try to reconnect when LDAP server closed the connection 183 Luke Howard <lukeh@padl.com> * fix for BUG#291: don't suppress password policy errors which should not be suppressed 182 Luke Howard <lukeh@padl.com> * fix for BUG#269: compile time error in call to ldap_sasl_interactive_bind_s() 181 Luke Howard <lukeh@padl.com> * fix for BUG#256: don't send password policy request control if pam_lookup_policy no specified * fix for BUG#254: check gethostbyname() result * fix for BUG#237: typo in ldap_get_lderrno() implementation * fix for BUG#207: if ldap_start_tls_s() fails return PAM_AUTHINFO_UNAVAIL * fix for BUG#261: sslpath example wrong * fix for BUG#268: POLICY_ERROR_CHANGE_AFTER_RESET should be handled as POLICY_ERROR_PASSWORD_EXPIRED, other password policy errors to be treated as fatal 180 Luke Howard <lukeh@padl.com> * from Peter Marschall <peter@adpm.de>: manual page installation fix * fix for BUG#210: use start_tls on referrals if configured to do so * when handling new password policy control, only fall through to account management module if a policy error was returned (CERT VU#778916) 179 Luke Howard <lukeh@padl.com> * more manual page updates 178 Luke Howard <lukeh@padl.com> * manual page updates 177 Luke Howard <lukeh@padl.com> * fix for BUG#188: better documentation for OpenLDAP SSL options * add manual page 176 Luke Howard <lukeh@padl.com> * fix for compilation with Netscape SDK 175 Luke Howard <lukeh@padl.com> * fix BUG#182: don't send old password in exop password change unless pam_password is exop_send_old 174 Luke Howard <lukeh@padl.com> * fix typo s/intereact/interact 173 Luke Howard <lukeh@padl.com> * s/pam_sasl_mechanism/pam_sasl_mech/ for consistency with OpenLDAP ldap.conf 172 Luke Howard <lukeh@padl.com> * preliminary SASL bind support 171 Luke Howard <lukeh@padl.com> * use correct AIX link flags even if --with-ldap-dir is not specified 170 Luke Howard <lukeh@padl.com> * sync ldap.conf with nss_ldap * AIX 5.2 port 169 Luke Howard <lukeh@padl.com> * include password policy schema file * preliminary support for draft-behera-ldap-password-policy-07.txt 168 Luke Howard <lukeh@padl.com> * define LDAP_DEPRECATED for compiling with OpenLDAP 2.2 * send old password when calling password change extended operation: if the password had expired the user may not be bound and so relying on the LDAP connection to be authenticated is unwise 167 Luke Howard <lukeh@padl.com> * fix compilation error on Solaris 9 166 Luke Howard <lukeh@padl.com> * fix signed/unsigned comparison issues * merge in LDAP debug patch from Howard Chu * fix BUG#126 (updating shadowLastChange) 165 Luke Howard <lukeh@padl.com> * fix BUG#142 * don't set LDAP_OPT_X_TLS_REQUIRE_CERT if not specified in configuration file 164 Luke Howard <lukeh@padl.com> * fix typo in ldapns.schema (!) 163 Luke Howard <lukeh@padl.com> * fix typo in authorizedService patch * add ldapns.schema for authorizedServiceObject and hostObject 162 Luke Howard <lukeh@padl.com> * support for service-based authorization (based on patch from Manon Goo) * add ignore_authinfo_unavail flag * pam_filter works again 161 Luke Howard <lukeh@padl.com> * fix from Thorsten Kukuk (SuSE) to handle scope-less nss_base_passwd configuration 160 Luke Howard <lukeh@padl.com> * AD password change fix * fix from Thorsten Kukuk (SuSE) to handle aborted password changes 159 Luke Howard <lukeh@padl.com> * updated version information 158 Luke Howard <lukeh@padl.com> * support for multiple service search descriptors from Symas 157 Luke Howard <lukeh@padl.com> * BUG#120 feature: pam_password_prohibit_message * fix for BUG#105 * removed static function prototypes from pam_ldap.h * check for libnsl 156 Luke Howard <lukeh@padl.com> * fix for bug #119 155 Luke Howard <lukeh@padl.com> * proper for for non-experimental password change exop; broke compiling with older SDKs 154 Luke Howard <lukeh@padl.com> * fix for bug #115 * PWEXPIRED fix from Howard Chu 153 Luke Howard <lukeh@padl.com> * support non-experimental password change exop * patch from Howard Chu to use linker grouping on Solaris 152 Luke Howard <lukeh@padl.com> * fix build breakage with OpenLDAP HEAD 151 Luke Howard <lukeh@padl.com> * HP-UX port * import dlfcn.h on Solaris with Netscape SDK * export required symbols only on Linux, HP-UX, Darwin 150 Luke Howard <lukeh@padl.com> * added depcomp for new automake 149 Luke Howard <lukeh@padl.com> * OS X build fix * alias for RACF password changing * use LDAP_MOD_ADD when changing NDS passwords rather than LDAP_MOD_REPLACE; NDS documentation indicates that this should work, and this is required for RACF. * BUG#101: should build with recent automake/autoconf 148 Luke Howard <lukeh@padl.com> * check for Netscape SDK without SSL; don't require pthreads for these 147 Luke Howard <lukeh@padl.com> * make shadow.lstchg default -1 to not force password change when now shadow information present 146 Luke Howard <lukeh@padl.com> * fix for BUG#91 / Debian Bug #144175: adhere to convention of the last change of the password being on the Unix Epoch implying a forced password change, and fix error propagation with expiring passwords 145 Luke Howard <lukeh@padl.com> * patch for building on OpenLDAP 1.x from Nalin at RedHat 144 Luke Howard <lukeh@padl.com> * avoid use of temporary variable when reporting non-existent configuration file; fix for local format string vulnerability reported at: http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html * log correct configuration file name when reporting missing "host" directive 143 Luke Howard <lukeh@padl.com> * specify runtime path for LDAP library correctly to native Solaris linker 142 Luke Howard <lukeh@padl.com> * use native linker on Solaris 141 Luke Howard <lukeh@padl.com> * support for headers in /usr/include/pam (Darwin) * integrated fix for BUG#79 140 Luke Howard <lukeh@padl.com> * further fix for recall #8362: do not turn all users into template users 139 Luke Howard <lukeh@padl.com> * fix for recall #8362: support template users when try_first_pass succeeds 138 Luke Howard <lukeh@padl.com> * when flushing cached session data, check to see whether the application has requested a different configuration file due to a changed service 137 Luke Howard <lukeh@padl.com> * treat exceeded time and size limits as a successful return code; we may still have a single entry back. * BUG#77: make configuration file paths configurable 136 Luke Howard <lukeh@padl.com> * module stack fixes from Thorsten Kukuk 135 Luke Howard <lukeh@padl.com> * revert UID check to getuid() per patch from Erich Schneider 134 Luke Howard <lukeh@padl.com> * per suggest from Bill Welliver, check for effective UID being 0, not real UID * added ber_free() after ber_flatten() in extended operation password changing code 133 Luke Howard <lukeh@padl.com> * Patch from Ed Golden for group_dn: set error code correctly 132 Luke Howard <lukeh@padl.com> * Patch from Bob Guo to discard trailing whitespace in configuration file 131 Luke Howard <lukeh@padl.com> * allow "*" wildcard value to be present in host attribute * added ignore_unknown_user option to all module functions; if the user could not be found and this option is set, PAM_IGNORE will be returned instead of PAM_USER_UNKNOWN 130 Luke Howard <lukeh@padl.com> * don't return PAM_AUTH_ERR for authorization errors; return PAM_PERM_DENIED * reverted patch in pam_ldap-114: if a user doesn't exist in LDAP, pam_sm_acct_mgmt() returns PAM_IGNORE, rather than PAM_SUCCESS. * HEADS UP: in default configuration, disable checking the host attribute. This must now be manually enabled with pam_check_host_attr in ldap.conf. * HEADS UP: if checking the host attribute is enabled, and a user does not have any values for the host attribute, do not allow them to login. This avoids the ugly situation of having to add a dummy, invalid value for the host attribute for users that were not allowed to login to any host. 129 Luke Howard <lukeh@padl.com> * don't return PAM_SYSTEM_ERR for LDAP-related errors * return PAM_AUTHINFO_UNAVAIL for directory-related (but not configuration-related) errors so that stacking modules will work properly (thanks to Brian Nelson <bnelson@cis.ysu.edu> for pointing this out) 127 Luke Howard <lukeh@padl.com> * fixed segfault bug if nss_base_passwd contains a scope but no filter (BUG#69) 126 Luke Howard <lukeh@padl.com> * fixed rebind prototype in pam_ldap.h for new OpenLDAP client library 125 Luke Howard <lukeh@padl.com> * added ldap.conf stanza for AIX * added configurable checking host host attribute (pam_check_host_attr in ldap.conf) 124 Luke Howard <lukeh@padl.com> * note in ldap.conf that the default encryption scheme for changing passwords is none (let the server do it) (BUG#65) * pass NULL as session handle for SSL options; they are set globally 123 Luke Howard <lukeh@padl.com> * support for new OpenLDAP rebind procedure * do not try to open /etc/ldap.secret unless root * use LDAP_OPT_NETWORK_TIMEOUT if available 122 Luke Howard <lukeh@padl.com> * make buildable with Sun's C compiler 121 Luke Howard <lukeh@padl.com> * escape username only, not entire filter 120 Luke Howard <lukeh@padl.com> * escape search filter to avoid wildcards etc * put prototypes back in, where did they go? 119 Luke Howard <lukeh@padl.com> * with password change exop, use bind password not encoded old password for old password * added --disable-ssl option to configure for Debian * patch from Helmut Wirth <wirth@bison-soft.de> to allow only a URI to be specified. * only set SSL options if we have values for those options 118 Luke Howard <lukeh@padl.com> * in _set_ssl_options(), apply the options actually to the current session not a NULL pointer (which apparently worked with ldap_pvt_tls_set_option()) 117 Luke Howard <lukeh@padl.com> * do not strdup a NULL pointer if we are root when changing passwords 116 Luke Howard <lukeh@padl.com> * make sure old authentication token is zeroed out before freeing (now that we are storing the old authentication token privately) 115 Luke Howard <lukeh@padl.com> * fix for updating passwords (consistent for Linux/Solaris) 114 Luke Howard <lukeh@padl.com> * patch from Brian Nelson <bnelson@cis.ysu.edu>; if a user doesn't exist in LDAP, then make pam_sm_acct_mgmt() return PAM_SUCCESS * another patch for correctly updating passwords on Solaris (which doesn't do preliminary password changing the same was as Linux-PAM) 113 Luke Howard <lukeh@padl.com> * don't use ldap_pvt_tls_set_option(); it is private API 112 Luke Howard <lukeh@padl.com> * SSL fix 111 Luke Howard <lukeh@padl.com> * further patch from Tero to fix chfn/chsh * further patch from Jarkko for TLS/SSL using OpenLDAP: support for LDAPS, cipher suite selection, client key/cert authentication 110 Luke Howard <lukeh@padl.com> * build on Mac OS X FCS; configure --libdir=/Library (this will only work properly on HFS+ volumes) 109 Luke Howard <lukeh@padl.com> * patch from Tero Pelander <tpeland@tkukoulu.fi> for testing scope in nss_base_passwd * patch from Jarkko Turkulainen <jt@wapit.com> for client side certificate support 108 Luke Howard <lukeh@padl.com> * patch from Thorsten Kukuk <kukuk@suse.de>: The problem: pam_ldap does not abort in the second pam_sm_chauthtok call, if we really change the password and the user does not exist in the LDAP database (tested with pam_ldap-105 and pam_ldap-107). 107 Luke Howard <lukeh@padl.com> * s/HAVE_LDAP_SET_REBIND_PROC_ARGS/LDAP_SET_REBIND_PROC_ARGS/ (typo causing prototype mismatch) 106 Luke Howard <lukeh@padl.com> * URI support * cleaned up some warnings with older client libraries 105 Luke Howard <lukeh@padl.com> * check for HAVE_LDAP_{SET,GET}_OPTION always 104 Luke Howard <lukeh@padl.com> * check for ldap_set_option(), as LDAP_OPT_REFERRALS is defined for OpenLDAP 1.x but without the ldap_set_option() function 103 Luke Howard <lukeh@padl.com> * patch from Thomas Noel to handle shadow expiry properly 102 Luke Howard <lukeh@padl.com> * define macros LDAP_OPT_{OFF,ON} if not defined * make SECSPERDAY 86400LL 101 Luke Howard <lukeh@padl.com> * fix uninitialized variable * retrieve password policy on actual password change, may not have been done if we were root. 100 Luke Howard <lukeh@padl.com> * use -rpath on all platforms except Solaris, not just Linux 99 Luke Howard <lukeh@padl.com> * use -shared not --shared * compile with -DPIC on FreeBSD 98 Luke Howard <lukeh@padl.com> * merged ldap.conf 97 Luke Howard <lukeh@padl.com> * %configure -> ./configure 96 Luke Howard <lukeh@padl.com> * put some meaningful content in AUTHORS * new spec file from Joe Little 95 Luke Howard <lukeh@padl.com> * add files for automake happiness 94 Luke Howard <lukeh@padl.com> * default to LDAP protocol version 3 * documented exop in README * link on Solaris with -M mapfile * Solaris link with -Wl; will work with gcc only, I think * use sysconfdir, not etcdir 93 Luke Howard <lukeh@padl.com> * made PAM_CLEAR the default for pam_password, as was originally the case. Don't break existing configurations! 92 Luke Howard <lukeh@padl.com> * support for OpenLDAP password change extended operation, if available. Enable with pam_password exop in ldap.conf 91 Luke Howard <lukeh@padl.com> * centralized authtok update code. The pam_crypt, pam_ad_passwd, and pam_nds_passwd configuration file keys are deprecated; instead the following configuration file key will be used: pam_password [clear|crypt|md5|nds|ad] See README for more information. (NB: The pam_crypt will continue to work so as to not compromise existing deployments.) 90 Luke Howard <lukeh@padl.com> * support for correct rebind function prototype with OpenLDAP SDK 89 Luke Howard <lukeh@padl.com> * support for connection timeout in Netscape SDK 88 Luke Howard <lukeh@padl.com> * support for "referrals" and "restart" in ldap.conf * don't use ldap_perror() for logging TLS errors * optionally get scope/filter from "nss_base_passwd" value * accept on/yes/true for boolean configuration keys 87 Luke Howard <lukeh@padl.com> * support for "timelimit" and "bind_timelimit" in ldap.conf * use "nss_base_passwd" for search base preferentially to "base" * fixed code order bug in setting TLS option; introduced by patch in pam_ldap-86 86 Luke Howard <lukeh@padl.com> * patches from Norbert Klasen: * activate either Start TLS or LDAPS with OpenLDAP 2.x using "ssl start_tls" or "ssl yes" respectively in ldap.conf * Active Directory password changing 85 Luke Howard <lukeh@padl.com> * patches from David Begley: * note about using --with-ldap-lib=netscape4 * patch to configure (regenerated from configure.in) * note about using gnumake * linking with lib{plc,plds,nspr}3 libraries for 4.1x Netscape SDK * use -G not --shared when building shared libraries on Solaris 84 Luke Howard <lukeh@padl.com> * fixed typo in pam_ldap.c 83 Luke Howard <lukeh@padl.com> * patch from nalin@redhat.com for StartTLS, enforce V3 * fixed up indenting * patch from David Begley to check for netscape4.1 lib 82 Luke Howard <lukeh@padl.com> * s/conffile/config; forgot to patch properly 81 Luke Howard <lukeh@padl.com> * use MAXPATHLEN instead of PATH_MAX; pam_ldap-80 failed on Solaris 80 Luke Howard <lukeh@padl.com> * added support for configurable configuration files; you can now specify an alternate configuration file using the config= parameter in pam.conf. This patch was provided by scremer@dohle.com * added Solaris-specific linker flag patch from David Begley 79 Luke Howard <lukeh@padl.com> * updated shipables for RC 78 Luke Howard <lukeh@padl.com> * updated prebuild step for RC 77 Luke Howard <lukeh@padl.com> * renamed _authenticate() to _do_authentication() to avoid name conflict with ONC RPC headers 76 Luke Howard <lukeh@padl.com> * fixes to configure from David Begley; detect LDAP client libraries properly * fix to Makefile.am from David Begley; don't delete nss_ldap library on uninstall 75 Luke Howard <lukeh@padl.com> * updated README with Solaris crypt(3) FAQ 74 Luke Howard <lukeh@padl.com> * fixed support for NDS password changing, from Petr Olivka <Petr.Olivka@vsb.cz> 73 Luke Howard <lukeh@padl.com> * added support for OpenLDAP start TLS, from Alex Schlessinger <alex@hq.workspot.com> 72 Luke Howard <lukeh@padl.com> * added nasty_ssl_hack() constructor; this dlopens ourself so that we always remain loaded, and ssl_initialized is set across invocations of PAM. Probably the path should not be hardcoded but sourced from config.h. 71 Luke Howard <lukeh@padl.com> * call ldapssl_client_init() once only (this doesn't have the desired effect because PAM unloads the library after pam_end() is called) 70 Luke Howard <lukeh@padl.com> * in rebind proc, check session->info != NULL * in rebind proc, check {user,bind}{dn,pw} != NULL 68 Luke Howard <lukeh@padl.com> * initialize tmplattr/tmpluser fields 67 Luke Howard <lukeh@padl.com> * check _authenticate() return code before setting template user 66 Luke Howard <lukeh@padl.com> * ypldapd locator support is now a configure option 65 Luke Howard <lukeh@padl.com> * set shadowLastChange silently (allow it to fail) 64 Luke Howard <lukeh@padl.com> * more consistent log messages (removed brackets) * set uid to nobody if unreadable from directory * support template users so users can login with a name without a local POSIX account. * PAM_AUTHTOK_RECOVERY_ERR (not ...RECOVER_ERR) on Soalris 63 Luke Howard <lukeh@padl.com> * return PAM_MAXTRIES if number of tries exceeded 62 Luke Howard <lukeh@padl.com> * new spec file from Dan Berry 61 Luke Howard <lukeh@padl.com> * patch from norbert.klasen@zdv.uni-tuebingen.de (bug); was logging plaintext password in pam_ldap.c * log pam_strerror() not integer status code 60 Luke Howard <lukeh@padl.com> * patch from Jungle Lin@judicial.gov.tw to fix logic bug in pam_sm_chauthtok() 59 Luke Howard <lukeh@padl.com> * fixed some assumptions in chsh/chfn, need to look further at this though 58 Tom Lear <tom@trap.mtview.ca.us> * Debian bug #64217: remove redunant code in pam_ldap.c * Debian bug #64220: add minuid and maxuid parameters * Debian bug #65295: chsh/chfn implementation 55 Doug Nazar <nazard@dragoninc.on.ca> * md5 crypt support * rootbinddn support * rebind support for openldap * async ldap calls for bind * use_authtok support * autoconf/automake support 51 Luke Howard <lukeh@padl.com> * updated spec file 50 Luke Howard <lukeh@padl.com> * more patches from Scott Balneaves * use PAM_NEW_AUTHTOK_REQD instead of PAM_AUTHTOK_REQD * return PAM_SUCCESS for pam_sm_open_session() * reorganization of shadow code 49 Luke Howard <lukeh@padl.com> * more patches from Scott Balneaves; now just check for shadow expiry date rather than shadowAccount object class * added deref parameter to ldap.conf for parity with OpenLDAP 48 Luke Howard <lukeh@padl.com> * added patch from Scott Balneaves <sbalneav@legalaid.mb.ca> to read shadowAccount attributes 47 Luke Howard <lukeh@padl.com> * removed _connect_anonymously() clause when updating shadowLastChange 46 Luke Howard <lukeh@padl.com> * incorporated new spec file 44 Luke Howard <lukeh@padl.com> * incorporated patch for shadowLastChange attribute 40 Luke Howard <lukeh@padl.com> * added support for NDSv8 password changing (this is experimental) 39 Luke Howard <lukeh@padl.com> * added some comments in Make.defs about different SDKs 38 Luke Howard <lukeh@padl.com> * fixed typo in pam.d/ssh 37 Luke Howard <lukeh@padl.com> * merged in BUG#37 branch * added Makefile.freebsd 36.BZ37.6 Luke Howard <lukeh@padl.com> * updated ChangeLog (this file) 36.BZ37.5 Luke Howard <lukeh@padl.com> * included FreeBSD porting fixes 36.BZ37.4 Luke Howard <lukeh@padl.com> * send user credentials of bound_as_user is set, rather than if userpw != NULL 36.BZ37.3 Luke Howard <lukeh@padl.com> * drop userpw if it is already set 36.BZ37.2 Luke Howard <lukeh@padl.com> * fixed reordered include to compile properly 36.BZ37.1 Luke Howard <lukeh@padl.com> * patch release with possible fix for BUG#37, where user credentials were not being forwarded to referred servers (whilst password changing) 36 Luke Howard <lukeh@padl.com> * added -lresolv to library search path * incorporated stein@terminator.net's patches for RPM builds 35 Luke Howard <lukeh@padl.com> * put /usr/ucblib back in linker search path on Solaris 33 Luke Howard <lukeh@padl.com> * fixed pam_ldap.c to support compiling against an API which conforms to draft-ietf-ldapext-ldap-c-api-02.txt. Should make it easier to work with OpenLDAP 2. Netscape specific extensions are guarded with NETSCAPE_API_EXTENSIONS. 30 Luke Howard <lukeh@padl.com> * fixed Make.defs for linking against OpenLDAP libldap (recall #279) * more SSL stuff 28 Luke Howard <lukeh@padl.com> * added patch from gero@faveve.uni-stuttgart.de for parsing of ldap.conf with tabs * various patches hopefully to get SSL to work 27 Luke Howard <lukeh@padl.com> * fix for recall 256: free() smasher 26 Luke Howard <lukeh@padl.com> * added commented out flags for non-V3 SDKs 25 Luke Howard <lukeh@padl.com> * removed ucblib search path 24 Luke Howard <lukeh@padl.com> * compile with -D_REENTRANT and link against -lpthread to satisfy dependancies in libldapssl30. (BUG#7) 23 Luke Howard <lukeh@padl.com> * no longer use LDAP_VERSION3 to select API (BUG#6) 21 Luke Howard <lukeh@padl.com> * added rebind function * various stuff for RC added * broke out makefiles * ldap.conf keys case-insensitive for compat with OpenLDAP 17 Luke Howard <lukeh@padl.com> * force users to change passwords if their account has expired * updated mapfile for Solaris 14 Luke Howard <lukeh@padl.com> * fall back to /etc/ldap.conf if ypldapd is configured for configuration lookup * fixed up pam.conf 13 Luke Howard <lukeh@padl.com> * added -lcrypt for Linux 12 Luke Howard <lukeh@padl.com> * Use ldap_open() for V2 as ldap_init() doesn't work * Support hashing passwords locally for UMich crypt patched server * Tested against Microsoft Exchange Server * Fixed some errors in ldap.conf and mapfile 11 Luke Howard <lukeh@padl.com> * Added support for group membership as in Chris' pam_ldap_auth module; see the pam_groupdn and pam_group_attribute configuration keys. * Changed pam_attribute to pam_login_attribute to avoid confusion with pam_group_attribute. * Support Netscape password expiration controls * Avoid authenticating users with empty passwords, even if the directory server does * Fill in pam_sm_{open,close}_session for completeness (they return PAM_IGNORE) 10 Luke Howard <lukeh@padl.com> * tested with Linux-PAM 0.57 * made all functions static * added prototypes * LDAP connections can be persistent over an entire PAM session through the use of pam_set_data() and pam_get_data() * fixed some bugs 9 Luke Howard <lukeh@padl.com> * first publically available version.