$Id: ChangeLog,v 1.116 2001/07/23 14:40:51 lukeh Exp $
===============================================================

122 Luke Howard
    * make buildable with Sun's C compiler

121 Luke Howard
    * escape username only, not entire filter

120 Luke Howard
    * escape search filter to avoid wildcards etc
    * put prototypes back in, where did they go?

119 Luke Howard
    * with password change exop, use bind password not encoded
      old password for old password
    * added --disable-ssl option to configure for Debian
    * patch from Helmut Wirth to allow only a URI to be specified.
    * only set SSL options if we have values for those options

118 Luke Howard
    * in _set_ssl_options(), apply the options actually to the
      current session not a NULL pointer (which apparently worked
      with ldap_pvt_tls_set_option())

117 Luke Howard
    * do not strdup a NULL pointer if we are root when changing
      passwords

116 Luke Howard
    * make sure old authentication token is zeroed out before
      freeing (now that we are storing the old authentication
      token privately)

115 Luke Howard
    * fix for updating passwords (consistent for Linux/Solaris)

114 Luke Howard
    * patch from Brian Nelson; if a user doesn't exist in LDAP,
      then make pam_sm_acct_mgmt() return PAM_SUCCESS
    * another patch for correctly updating passwords on Solaris
      (which doesn't do preliminary password changing the same
      way as Linux-PAM)

113 Luke Howard
    * don't use ldap_pvt_tls_set_option(); it is private API

112 Luke Howard
    * SSL fix

111 Luke Howard
    * further patch from Tero to fix chfn/chsh
    * further patch from Jarkko for TLS/SSL using OpenLDAP:
      support for LDAPS, cipher suite selection, client key/cert
      authentication

110 Luke Howard
    * build on Mac OS X FCS; configure --libdir=/Library
      (this will only work properly on HFS+ volumes)

109 Luke Howard
    * patch from Tero Pelander for testing scope in
      nss_base_passwd
    * patch from Jarkko Turkulainen for client side certificate
      support

108 Luke Howard
    * patch from Thorsten Kukuk:
      The problem: pam_ldap does not abort in the
      second pam_sm_chauthtok call, if we really change the password
      and the user does not exist in the LDAP database (tested with
      pam_ldap-105 and pam_ldap-107).

107 Luke Howard
    * s/HAVE_LDAP_SET_REBIND_PROC_ARGS/LDAP_SET_REBIND_PROC_ARGS/
      (typo causing prototype mismatch)

106 Luke Howard
    * URI support
    * cleaned up some warnings with older client libraries

105 Luke Howard
    * check for HAVE_LDAP_{SET,GET}_OPTION always

104 Luke Howard
    * check for ldap_set_option(), as LDAP_OPT_REFERRALS is
      defined for OpenLDAP 1.x but without the ldap_set_option()
      function

103 Luke Howard
    * patch from Thomas Noel to handle shadow expiry properly

102 Luke Howard
    * define macros LDAP_OPT_{OFF,ON} if not defined
    * make SECSPERDAY 86400LL

101 Luke Howard
    * fix uninitialized variable
    * retrieve password policy on actual password change, may
      not have been done if we were root.

100 Luke Howard
    * use -rpath on all platforms except Solaris, not just Linux

99 Luke Howard
    * use -shared not --shared
    * compile with -DPIC on FreeBSD

98 Luke Howard
    * merged ldap.conf

97 Luke Howard
    * %configure -> ./configure

96 Luke Howard
    * put some meaningful content in AUTHORS
    * new spec file from Joe Little

95 Luke Howard
    * add files for automake happiness

94 Luke Howard
    * default to LDAP protocol version 3
    * documented exop in README
    * link on Solaris with -M mapfile
    * Solaris link with -Wl; will work with gcc only, I think
    * use sysconfdir, not etcdir

93 Luke Howard
    * made PAM_CLEAR the default for pam_password, as was
      originally the case. Don't break existing configurations!

92 Luke Howard
    * support for OpenLDAP password change extended operation,
      if available. Enable with pam_password exop in ldap.conf

91 Luke Howard
    * centralized authtok update code. The pam_crypt,
      pam_ad_passwd, and pam_nds_passwd configuration file keys
      are deprecated; instead the following configuration file
      key will be used:
          pam_password [clear|crypt|md5|nds|ad]
      See README for more information.
      (NB: The pam_crypt will continue to work so as to not
      compromise existing deployments.)

90 Luke Howard
    * support for correct rebind function prototype with
      OpenLDAP SDK

89 Luke Howard
    * support for connection timeout in Netscape SDK

88 Luke Howard
    * support for "referrals" and "restart" in ldap.conf
    * don't use ldap_perror() for logging TLS errors
    * optionally get scope/filter from "nss_base_passwd" value
    * accept on/yes/true for boolean configuration keys

87 Luke Howard
    * support for "timelimit" and "bind_timelimit" in ldap.conf
    * use "nss_base_passwd" for search base preferentially to
      "base"
    * fixed code order bug in setting TLS option; introduced by
      patch in pam_ldap-86

86 Luke Howard
    * patches from Norbert Klasen:
    * activate either Start TLS or LDAPS with OpenLDAP 2.x
      using "ssl start_tls" or "ssl yes" respectively in
      ldap.conf
    * Active Directory password changing

85 Luke Howard
    * patches from David Begley:
    * note about using --with-ldap-lib=netscape4
    * patch to configure (regenerated from configure.in)
    * note about using gnumake
    * linking with lib{plc,plds,nspr}3 libraries for 4.1x
      Netscape SDK
    * use -G not --shared when building shared libraries on
      Solaris

84 Luke Howard
    * fixed typo in pam_ldap.c

83 Luke Howard
    * patch from nalin@redhat.com for StartTLS, enforce V3
    * fixed up indenting
    * patch from David Begley to check for netscape4.1 lib

82 Luke Howard
    * s/conffile/config; forgot to patch properly

81 Luke Howard
    * use MAXPATHLEN instead of PATH_MAX; pam_ldap-80 failed on
      Solaris

80 Luke Howard
    * added support for configurable configuration files; you
      can now specify an alternate configuration file using the
      config= parameter in pam.conf.
      This patch was provided by scremer@dohle.com
    * added Solaris-specific linker flag patch from David Begley

79 Luke Howard
    * updated shipables for RC

78 Luke Howard
    * updated prebuild step for RC

77 Luke Howard
    * renamed _authenticate() to _do_authentication() to avoid
      name conflict with ONC RPC headers

76 Luke Howard
    * fixes to configure from David Begley; detect LDAP client
      libraries properly
    * fix to Makefile.am from David Begley; don't delete
      nss_ldap library on uninstall

75 Luke Howard
    * updated README with Solaris crypt(3) FAQ

74 Luke Howard
    * fixed support for NDS password changing, from Petr Olivka

73 Luke Howard
    * added support for OpenLDAP start TLS, from Alex
      Schlessinger

72 Luke Howard
    * added nasty_ssl_hack() constructor; this dlopens ourself
      so that we always remain loaded, and ssl_initialized is
      set across invocations of PAM. Probably the path should
      not be hardcoded but sourced from config.h.

71 Luke Howard
    * call ldapssl_client_init() once only (this doesn't have
      the desired effect because PAM unloads the library after
      pam_end() is called)

70 Luke Howard
    * in rebind proc, check session->info != NULL
    * in rebind proc, check {user,bind}{dn,pw} != NULL

68 Luke Howard
    * initialize tmplattr/tmpluser fields

67 Luke Howard
    * check _authenticate() return code before setting template
      user

66 Luke Howard
    * ypldapd locator support is now a configure option

65 Luke Howard
    * set shadowLastChange silently (allow it to fail)

64 Luke Howard
    * more consistent log messages (removed brackets)
    * set uid to nobody if unreadable from directory
    * support template users so users can login with a name
      without a local POSIX account.
    * PAM_AUTHTOK_RECOVERY_ERR (not ...RECOVER_ERR) on Solaris

63 Luke Howard
    * return PAM_MAXTRIES if number of tries exceeded

62 Luke Howard
    * new spec file from Dan Berry

61 Luke Howard
    * patch from norbert.klasen@zdv.uni-tuebingen.de (bug);
      was logging plaintext password in pam_ldap.c
    * log pam_strerror() not integer status code

60 Luke Howard
    * patch from Jungle Lin@judicial.gov.tw to fix logic bug in
      pam_sm_chauthtok()

59 Luke Howard
    * fixed some assumptions in chsh/chfn, need to look further
      at this though

58 Tom Lear
    * Debian bug #64217: remove redundant code in pam_ldap.c
    * Debian bug #64220: add minuid and maxuid parameters
    * Debian bug #65295: chsh/chfn implementation

55 Doug Nazar
    * md5 crypt support
    * rootbinddn support
    * rebind support for openldap
    * async ldap calls for bind
    * use_authtok support
    * autoconf/automake support

51 Luke Howard
    * updated spec file

50 Luke Howard
    * more patches from Scott Balneaves
    * use PAM_NEW_AUTHTOK_REQD instead of PAM_AUTHTOK_REQD
    * return PAM_SUCCESS for pam_sm_open_session()
    * reorganization of shadow code

49 Luke Howard
    * more patches from Scott Balneaves; now just check for
      shadow expiry date rather than shadowAccount object class
    * added deref parameter to ldap.conf for parity with
      OpenLDAP

48 Luke Howard
    * added patch from Scott Balneaves to read shadowAccount
      attributes

47 Luke Howard
    * removed _connect_anonymously() clause when updating
      shadowLastChange

46 Luke Howard
    * incorporated new spec file

44 Luke Howard
    * incorporated patch for shadowLastChange attribute

40 Luke Howard
    * added support for NDSv8 password changing (this is
      experimental)

39 Luke Howard
    * added some comments in Make.defs about different SDKs

38 Luke Howard
    * fixed typo in pam.d/ssh

37 Luke Howard
    * merged in BUG#37 branch
    * added Makefile.freebsd

36.BZ37.6 Luke Howard
    * updated ChangeLog (this file)

36.BZ37.5 Luke Howard
    * included FreeBSD porting fixes

36.BZ37.4 Luke Howard
    * send user credentials if bound_as_user is set, rather than if userpw
      != NULL

36.BZ37.3 Luke Howard
    * drop userpw if it is already set

36.BZ37.2 Luke Howard
    * fixed reordered include to compile properly

36.BZ37.1 Luke Howard
    * patch release with possible fix for BUG#37, where user
      credentials were not being forwarded to referred servers
      (whilst password changing)

36 Luke Howard
    * added -lresolv to library search path
    * incorporated stein@terminator.net's patches for RPM builds

35 Luke Howard
    * put /usr/ucblib back in linker search path on Solaris

33 Luke Howard
    * fixed pam_ldap.c to support compiling against an API
      which conforms to draft-ietf-ldapext-ldap-c-api-02.txt.
      Should make it easier to work with OpenLDAP 2. Netscape
      specific extensions are guarded with
      NETSCAPE_API_EXTENSIONS.

30 Luke Howard
    * fixed Make.defs for linking against OpenLDAP libldap
      (recall #279)
    * more SSL stuff

28 Luke Howard
    * added patch from gero@faveve.uni-stuttgart.de for parsing
      of ldap.conf with tabs
    * various patches hopefully to get SSL to work

27 Luke Howard
    * fix for recall 256: free() smasher

26 Luke Howard
    * added commented out flags for non-V3 SDKs

25 Luke Howard
    * removed ucblib search path

24 Luke Howard
    * compile with -D_REENTRANT and link against -lpthread to
      satisfy dependencies in libldapssl30.
      (BUG#7)

23 Luke Howard
    * no longer use LDAP_VERSION3 to select API (BUG#6)

21 Luke Howard
    * added rebind function
    * various stuff for RC added
    * broke out makefiles
    * ldap.conf keys case-insensitive for compat with OpenLDAP

17 Luke Howard
    * force users to change passwords if their account has
      expired
    * updated mapfile for Solaris

14 Luke Howard
    * fall back to /etc/ldap.conf if ypldapd is configured for
      configuration lookup
    * fixed up pam.conf

13 Luke Howard
    * added -lcrypt for Linux

12 Luke Howard
    * Use ldap_open() for V2 as ldap_init() doesn't work
    * Support hashing passwords locally for UMich crypt patched
      server
    * Tested against Microsoft Exchange Server
    * Fixed some errors in ldap.conf and mapfile

11 Luke Howard
    * Added support for group membership as in Chris'
      pam_ldap_auth module; see the pam_groupdn and
      pam_group_attribute configuration keys.
    * Changed pam_attribute to pam_login_attribute to avoid
      confusion with pam_group_attribute.
    * Support Netscape password expiration controls
    * Avoid authenticating users with empty passwords, even if
      the directory server does
    * Fill in pam_sm_{open,close}_session for completeness
      (they return PAM_IGNORE)

10 Luke Howard
    * tested with Linux-PAM 0.57
    * made all functions static
    * added prototypes
    * LDAP connections can be persistent over an entire PAM
      session through the use of pam_set_data() and
      pam_get_data()
    * fixed some bugs

9 Luke Howard
    * first publicly available version.