release 0.9.0 of nss-pam-ldapd

I'm pleased to announce release 0.9.0 of nss-pam-ldapd. The 0.9 branch
is the new development branch of nss-pam-ldapd in which a number of new
features are and will be introduced.

Amongst the most prominent new features are support for nested groups,
utilities for updating user information and handling of password policy

As such, this isn't the most stable version and should be used with
caution for now. Users are encouraged to test this release and provide

The 0.7 and 0.8 branches will continue to be supported with bug and
security fixes for some time. Some of the features that have received
sufficient testing in the 0.9 series may be backported into the 0.8

A summary of the changes since 0.8.13 (some more details below):

* backwards incompatible change to the communications protocol between
  nslcd and NSS and PAM modules to use network byte order to be able to
  work on mixed endian multiarch systems and do some restructuring
* netgroup lookups now make a distinction between empty netgroups and
  non-existing netgroups
* the PAM protocol is now more consistent (cleaner support for password
  modification by root, have all request parameters in the same order
  and limit the information returned from the call)
* request and handle password policy controls on LDAP authentication
* implement support for nested groups which can be enabled with the
  nss_nested_groups option (thanks Steve Hill)
* add a log option to configure log level and logging to plain files
* add an nscd_invalidate option to invalidate the nscd cache after
  recovering from LDAP connection problems (to clear any negative cache
* allow trimming expressions with ${foo#bar} syntax in attribute mapping
  expressions (thanks Thorsten Glaser)
* pynslcd supports trimming expressions with full shell glob matching
* support password modification in pynslcd
* support children search scope for systems that have it
* add a getent.ldap utility to perform nslcd queries bypassing the libc
  NSS stack
* implement functionality for changing user information and provide a
  chsh.ldap utility to allow users to change their login shell
* remove deprecated use_sasl, reconnect_tries, reconnect_maxsleeptime
  and tls_checkpeer options which have been replaced long ago
* allow names with one character in default validnames option and allow
  parentheses (taken from Fedora packages)
* fall back to updating the lastChange attribute with the normal LDAP
* dump full nslcd configuration at debug level on start-up
* export an _nss_ldap_version symbol in the NSS module to make finding
  version mismatches easier (the NSS module version is logged from
* documentation improvements
* update the coding style for the C source code to follow a more modern
  and commonly used coding convention
* some parts of the code were refactored or rewritten to take into
  account the changes within the software (e.g. configuration file
  handling, reduction in the number of system calls for normal
* numerous smaller fixes
* portability and robustness improvements to the tests
* implement lookup_netgroup and lookup_shadow test commands for systems
  that cannot use getent to query these
* guess the value for --with-pam-seclib-dir configure option if it is
  not specified
* temporarily disable the caching functionality of pynslcd
* usability improvements in the pynslcd implementation
* various fixes for Solaris

This version introduces a backwards incompatible protocol change which
means it is no longer possible to use the NSS or PAM module of a
previous release and nslcd from a newer release (or vice versa). Since
these modules are generally loaded once per process, old versions of
these modules could be present in longer running processes when

The protocol has basically been stable since the beginning of the
project and a few inconveniences have piled up. Until the 0.9 series is
stable the protocol may change again in backwards incompatible ways.

This release introduces a switch to a more commonly used C coding style.
Also code was reviewed and refactored to be easier to maintain. This may
make it difficult to port patches. For help with porting or integration
into nss-pam-ldapd, send patches to the nss-pam-ldapd-users mailing

As previously announced, Git is now used for revision control and the
Subversion repository will only be used to maintain older releases.

This release includes contributions from many people. I would like to
thank everybody that contributed bug reports, patches and their time to
this release.

More information can be found at:

Some more ideas and features that may be implemented in the 0.9 series

* see if we can find a proper solution for systems that organise users
  differently (e.g. FreeBSD doesn't have shadow information
* rework the pynslcd caching functionality and get pynslcd
* add more utilities for managing users, groups and other objects in
  LDAP (the rootpwmoddn option will probably be renamed to rootmoddn)
* support a wider range of authentication mechanisms for the protocol
  between the NSS module and nslcd (especially useful for the utility

Ideas, comments and patches for functionality are more than welcome.
Please drop a note on the nss-pam-ldapd-users mailing list with any
ideas or patches you may have.

-- arthur - - --
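
The protocol note above means a long-running process can keep an old NSS or PAM module mapped after an upgrade. The following check is an added example, not part of the announcement or of nss-pam-ldapd: it lists processes that still map a replaced copy of a module, assuming a Linux `/proc` and the module file names `libnss_ldap.so*` and `pam_ldap.so`.

```shell
#!/bin/sh
# Added example: find processes that still map a replaced (unlinked) copy of
# the LDAP NSS or PAM module after an upgrade. The module file names below
# are assumptions (common Linux names); adjust them for your platform.

# stale_ldap_modules MAPS_FILE
# Prints the distinct stale module paths found in one /proc/<pid>/maps file.
stale_ldap_modules() {
    # A mapping whose backing file was replaced on disk ends in " (deleted)".
    awk '/(libnss_ldap\.so|pam_ldap\.so)[^ ]* \(deleted\)$/ { print $6 }' "$1" |
        sort -u
}

# scan_proc [PROC_ROOT]
# Prints "<pid><TAB><module path>" for every process with a stale mapping.
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # no permission, or no match
        hits=$(stale_ldap_modules "$maps" 2>/dev/null) || continue
        [ -n "$hits" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        for lib in $hits; do
            printf '%s\t%s\n' "$pid" "$lib"
        done
    done
}

# Scan the live system only when asked to: sh script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

Run it as root so every process's maps file is readable; each listed process needs a restart before it can talk to the upgraded nslcd.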