lists.arthurdejong.org

release 0.8.0 of nss-pam-ldapd


I'm pleased to announce release 0.8.0 of nss-pam-ldapd. The 0.8 branch
is a new development branch of nss-pam-ldapd in which a number of new
features and implementations are introduced. As such, it isn't the most
stable version of nss-pam-ldapd but users are urged to try out this
release and send feedback.

The 0.7 branch will be supported with bug and security fixes at least
until the 0.8 branch has stabilised.

A summary of the changes since 0.7.13 (some more details further on):
* include Solaris support developed by Ted C. Cheng of Symas Corporation
* include an experimental partial implementation of nslcd in Python
  (disabled by default, see --enable-pynslcd configure option)
* implement a nss_min_uid option to filter user entries returned by LDAP
* implement a rootpwmodpw option that allows the root user to change a
  user's password without a password prompt
* try to update the shadowLastChange attribute on password change
* all log messages now include a description of the request to more
  easily track problems when not running in debug mode
* allow attribute mapping expressions for the userPassword attribute for
  passwd, group and shadow entries and by default map it to the
  unmatchable password ("*") to avoid accidentally leaking password
  information
* numerous compatibility improvements
* add --with-pam-seclib-dir and --with-pam-ldap-soname configure options
  to allow more control of how to install the PAM module
* add --with-nss-flavour and --with-nss-maps configure options to
  support other C libraries and limit which NSS modules to install
* allow tilde (~) in user and group names
* improvements to the timeout mechanism (connections are now actively
  timed out using the idle_timelimit option)
* set socket timeouts on the LDAP connection to disconnect regardless of
  LDAP and possibly TLS handling of connection
* better disconnect/reconnect handling of error conditions
* some code improvements and cleanups and several smaller bug fixes
* all internal string comparisons are now also case sensitive (e.g. for
  providing DN to username lookups, etc)
* signal handling in the daemon was changed to behave more reliably
  across different threading implementations
* nslcd will now always return a positive authorisation result during
  authentication to avoid confusing the PAM module when it is only used
  for authorisation
* Debian packaging improvement: implement configuring SASL
  authentication using Debconf, based on a patch by Daniel Dehennin

More information on this release can be found at:
  http://arthurdejong.org/nss-pam-ldapd/news.html#20101230

Support for Solaris was kindly provided by Ted C. Cheng of Symas
Corporation but was subsequently updated to simplify the code and to
support both Glibc and Solaris with the same code base. As such, the
current code isn't very well tested and contributions on this are most
welcome. There have been reports of problems with the communication
between the NSS module and nslcd.

The idea with pynslcd is to offer an alternative implementation of nslcd
that has less and easier to maintain code (most modules are about a
third of the size of their C counterpart). This makes it simpler to
implement extra features (e.g. caching). The implementation is currently
still incomplete (mainly missing configuration file parsing, attribute
mapping, proper logging and the rpc, network, netgroup, service,
protocol and hostname maps) but work is under way and it already passes
most of the basic tests in the test environment.

Some more features that may be implemented in the 0.8 series are:
* updates of the logging system to rate-limit and more cleanly log
  warnings
* integration of FreeBSD support
* implement better filtering of information passed between NSS layer and
  LDAP server (e.g. make user and group name filtering configurable with
  regular expression)
* investigate switching to using environment variables to disable NSS
  module
* implementation of nested groups

If you are interested in any of these features please drop a note on the
nss-pam-ldapd-users mailing list. Any input and ideas are appreciated,
patches even more so. ;)

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --


