
nss-pam-ldapd branch master updated. 0.9.1-37-g503644b

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".

The branch, master has been updated
       via  503644bdd089836230d2e52a14b23236d5926f41 (commit)
       via  6be316e88f686b29d502a69536f7773b1636e9ea (commit)
      from  1d8db24de6fce25997b1e672c497daf9b60ac725 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=503644bdd089836230d2e52a14b23236d5926f41

commit 503644bdd089836230d2e52a14b23236d5926f41
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Sun Oct 27 14:09:41 2013 +0100

    Update documentation

diff --git a/HACKING b/HACKING
index 366c48e..3fa25c2 100644
--- a/HACKING
+++ b/HACKING
@@ -1,4 +1,3 @@
-
 This document tries to describe the software layout and design of
 nss-pam-ldapd. It should provide some help for contributing code to this
 package.
@@ -11,8 +10,9 @@ will be done on a best-effort basis and can be made easier if 
the following
 are considered:
 
 * for large changes it is a good idea to send an email first
-* send your patches in unified diff (diff -u) format
-* try to use the svn version of the software to develop the patch
+* send your patches in unified diff (diff -u) format, Git patches or Git pull
+  requests
+* try to use the Git version of the software to develop the patch
 * clearly state which problem you're trying to solve and how this is
   accomplished
 * please follow the existing coding conventions
@@ -30,28 +30,28 @@ contribute. All contributions will be acknowledged in the 
AUTHORS file.
 BUILD DEPENDENCIES
 ==================
 
-For building svn snapshots the following tools are needed:
+For building Git snapshots the following tools are needed:
 
-* autoconf (2.65 is used but 2.61 is minimal)
-* automake (1.11 is used)
+* autoconf (2.65 is currently used but 2.61 is minimal)
+* automake (1.14 is currently used but older versions may also work)
 * OpenLDAP libraries (2.4 is generally used)
 * PAM libraries
 * optionally a Kerberos library (MIT Kerberos is tested)
 * optionally a SASL library (only Cyrus SASL is tested)
 * docbook2x for generating the manual pages
 
-To build the svn snapshot run the autogen.sh shell script to build the
+To build the Git snapshot run the autogen.sh shell script to build the
 configure script. When developing patches please use --enable-warnings with
-configure and don't introduce too many new warnings.
+configure and avoid introducing new warnings.
 
 
 RELEASE VERSIONING
 ==================
 
 The versioning scheme of nss-pam-ldapd is a simple major.minor.micro
-numbering. The idea is to keep a stable (x.y) branch that only gets bug
-fixes and small enhancements while development goes in another branch.
-Backwards incompatible changes should be announced clearly.
+numbering. The idea is to keep a stable (x.y) branch that only gets bug fixes
+and small enhancements while development goes in another branch. Backwards
+incompatible changes should be announced clearly.
 
 
 GENERAL DESIGN
@@ -63,10 +63,11 @@ requests (e.g. "get user with name test", "get group with 
gid 101" or "get all
 shadow entries").
 
 Another part is the PAM module which handles authentication requests from the
-system.
+system. The PAM operations are also translated into atomic, stateless
+requests.
 
-Both these parts translate the queries in a higher-level simple protocol used
-to communicate with the nslcd daemon. This daemon translates the requests into
+Both these parts translate the queries in a simple protocol used to
+communicate with the nslcd daemon. This daemon translates the requests into
 LDAP searches. As a result, the NSS and PAM modules don't need to known
 anything about LDAP (in fact replacing it with another lookup method should be
 very simple) and don't have to link with the LDAP libraries.
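Review bot: the unchanged line "the NSS and PAM modules don't need to known anything about LDAP" has a typo ("known" should be "know"); since this hunk already rewraps the surrounding paragraph, fix it here rather than in a later commit. The added sentence "The PAM operations are also translated into atomic, stateless requests." is a useful clarification, but it would read better joined to the previous sentence ("... authentication requests from the system; these are also translated into atomic, stateless requests.") so the paragraph does not start a new thought with "The PAM operations".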
@@ -77,6 +78,11 @@ very simple) and don't have to link with the LDAP libraries.
                  /
   PAM stack -> pam_ldap.so
 
+An alternative implementation of nslcd in Python is provided as pynslcd. This
+implementation is less mature but it easier to add advanced features there. A
+collection of utilities is also provided that communicate with nslcd that can
+provide additional functions.
+
 design goals
 ------------
 * make it as simple as possible
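Review bot: two grammar problems in the new pynslcd paragraph. "This implementation is less mature but it easier to add advanced features there." is missing a verb ("but it is easier"), and "A collection of utilities is also provided that communicate with nslcd that can provide additional functions." stacks two "that" clauses; suggest "A collection of utilities that communicate with nslcd is also provided; these offer additional functions." It would also help to name what "less mature" means for a deployer (e.g. not recommended for production, or missing features), since this file is the first place a contributor will read about pynslcd.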
@@ -84,7 +90,7 @@ design goals
 * simpler, clearer and completer documentation
 * split source code into manageable parts
 * get rid of unneeded code and complexity
-* have a stable, easily maintainable piece of quality software
+* have a stable, easily maintainable piece of high quality software
 
 
 NSS MODULE
@@ -115,9 +121,9 @@ Currently a number of macros are used to build most of the 
function bodies for
 these functions. Part of this is defined in the common/nslcd-prot.h file and
 the NSS-specific stuff is in nss/common.h.
 
-For memory management, the general mechanism that is expected to be used is
-to return NSS_STATUS_TRYAGAIN and set errno to ERANGE. This causes glibc to
-retry the request with a larger buffer.
+For memory management, the general mechanism that is expected to be used is to
+return NSS_STATUS_TRYAGAIN and set errno to ERANGE. This causes glibc to retry
+the request with a larger buffer.
 
 Some useful links:
 http://www.gnu.org/software/libc/manual/html_node/index.html
@@ -137,14 +143,17 @@ back-end can presumably also be created.
 Earlier versions of Solaris expected the NSS functions to return the binary
 representation of the lookups (e.g. struct passwd) but later versions expect a
 string representation of the data to be returned (just like a single line out
-of /etc/passwd was read) but only if running from nscd. If args->buf.result
-is NULL a string representation is requested (except for ether by address
-lookup which is special).
+of /etc/passwd was read) but only if running from nscd. If args->buf.result is
+NULL a string representation is requested (except for ether by address lookup
+which is special).
 
 Source and documentation pointers for Solaris NSS:
-http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/
-http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/head/nss_common.h
-http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/head/nss_dbdefs.h
+https://java.net/projects/solaris/sources/on-src/show/usr/src/lib/nsswitch
+https://java.net/projects/solaris/sources/on-src/content/usr/src/head/nss_common.h
+https://java.net/projects/solaris/sources/on-src/content/usr/src/head/nss_dbdefs.h
+https://hg.openindiana.org/upstream/illumos/illumos-gate/file/tip/usr/src/lib/nsswitch
+https://hg.openindiana.org/upstream/illumos/illumos-gate/file/tip/usr/src/head/nss_common.h
+https://hg.openindiana.org/upstream/illumos/illumos-gate/file/tip/usr/src/head/nss_dbdefs.h
 
 FreeBSD C Libarary notes
 ------------------------
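Review bot: the unchanged heading "FreeBSD C Libarary notes" at the end of this hunk has a typo ("Library"); worth fixing while the surrounding Solaris link list is being rewritten. Also, this hunk now lists two sets of Solaris pointers (java.net and illumos-gate) without saying which is which; a one-line label per set (e.g. "Oracle Solaris:" and "illumos:") would make the list easier to use when one of the hosts goes away.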
@@ -155,15 +164,15 @@ implement NSS support on FreeBSD.
 
 Pointers for more documentation on this is welcome. Some information is
 available here:
-http://nixdoc.net/man-pages/FreeBSD/man3/nsdispatch.3.html
-ftp://ftp8.tw.freebsd.org/pub/branches/-current/src/include/nss.h
+http://www.freebsd.org/cgi/man.cgi?query=nsdispatch
+https://github.com/freebsd/freebsd/blob/master/include/nss.h
 
 
 PAM MODULE
 ==========
 
 The PAM module is implemented in the pam directory. Implementation is fairly
-straight-forward. The PAM module stores some state between PAM calls in a
+straight-forward. The PAM module stores some state between calls to nslcd in a
 struct. The calls to nslcd are however stateless. The PAM module may supply
 some information that help lookups (most notably DNs of user entries).
 
@@ -194,14 +203,14 @@ If the protocol is changed in an incompatible way the 
protocol version should
 be incremented in nslcd.h. There is currently no versioning scheme available
 for this.
 
-A special module (common/tio.c) was made so we can define simpler semantics
-for time-out values and buffer sizes. All components use this module which
-means that it includes functionality that is needed for both (e.g. large write
-buffers for the server part and large resettable read buffers for the NSS
-part). Maybe building two modules from the same source with different features
-in them is an option (e.g. the NSS part needs the read buffers and handling of
-SIGPIPE and the nslcd part needs the write buffers and possibly flushing in
-the background).
+A communications module (common/tio.c) was made so we can define simpler
+semantics for time-out values and buffer sizes. All components use this module
+which means that it includes functionality that is needed for both (e.g. large
+write buffers for the server part and large resettable read buffers for the
+NSS part). Maybe building two modules from the same source with different
+features in them is an option (e.g. the NSS part needs the read buffers and
+handling of SIGPIPE and the nslcd part needs the write buffers and possibly
+flushing in the background).
 
 The common directory also contains some other generally useful modules that
 are used in some components.
@@ -217,15 +226,18 @@ nslcd_FUNCION(...)
   This functions fills in the correct parameters from the request. This
   function should write responses to the stream.
 
+Big parts of the request handling functions are generated by macros because
+the structure is very similar across the different NSS requests.
+
 
 SECURITY NOTES
 ==============
 
-This design does open up the system to more potential security issues because
-there is now a local interface to a daemon with privileges. Before (with
-nss_ldap) processes could only potentially exploit bugs in the library and
-gain the privileges of the process that was doing the name lookups. In this
-case the privileges of the daemon are potentially exposed.
+This design does open up the system to more potential security issues
+(relative to nss_ldap) because there is now a local interface to a daemon with
+privileges. With nss_ldad, processes could only potentially exploit bugs in
+the library and gain the privileges of the process that was doing the name
+lookups. In this case the privileges of the daemon are potentially exposed.
 
 Extra care should be taken with processes that normally require extra
 privileges (getting shadow entries, authentication, updating session
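Review bot: the added line "With nss_ldad, processes could only potentially exploit bugs in" misspells the library name; it should be "nss_ldap", matching the parenthetical "(relative to nss_ldap)" on the line above it. Two smaller points in the unchanged context of the same hunk: "This functions fills in the correct parameters" should be "This function fills in", and the hunk header shows the file spells the request handler pattern as "nslcd_FUNCION(...)", which looks like a typo for "nslcd_FUNCTION(...)". Since this hunk rewrites the security paragraph, it would also be worth stating plainly what the exposed interface is (the local socket to nslcd) so that the "local interface to a daemon with privileges" sentence is concrete for readers assessing the design.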
@@ -235,6 +247,11 @@ Any user on the system can perform nslcd queries so either 
the nslcd daemon
 needs to check the userid of the caller or the request needs to contain the
 needed credentials itself.
 
+On the other hand the design also offers some security improvements. It is
+much easier to handle security updates of the LDAP, SSL or related libraries
+and access to privileged LDAP configuration information can be much better
+constrained.
+
 
 TEST SET-UP
 ===========
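Review bot: the new paragraph should say what actually constrains access to the privileged LDAP configuration, since the preceding context lines already establish that any local user can send nslcd queries and that either the daemon must check the caller's userid or the request must carry credentials; without naming the mechanism, "can be much better constrained" is an assertion rather than a documented property. Minor: "On the other hand the design" wants a comma after "On the other hand".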
diff --git a/README b/README
index 7e707af..d5a996a 100644
--- a/README
+++ b/README
@@ -64,7 +64,7 @@ It is also possible to use the thin NSS and PAM modules 
together with the
 nssov overlay in the OpenLDAP server (slapd).
 
 The three parts (NSS module, PAM module, and nslcd server) can be built
-separately and are not srtongly tied together. This means that for instance
+separately and are not strongly tied together. This means that for instance
 you can still use pam_ldap and use the NSS module from nss-pam-ldapd or use an
 alternative implementation of nslcd (for instance with the nssov slapd overlay
 or the pynslcd implementation).
@@ -76,13 +76,13 @@ The fork from nss_ldap was done to implement some major 
design changes to fix
 some structural problems in the library.
 
 One of those problems were host name lookups through LDAP which could cause
-deadlocks. Another is that nss_ldap loaded an SSL library into an executable
+deadlocks. Another is that nss_ldap loaded an SSL library into executables
 that may not be designed to load it (e.g. problem with suid applications).
 
 A number of refactoring steps were done to simplify the code and improve
 maintainability. Legacy code was removed and support for non-Linux operating
 systems was initially removed to make the code more readable. Portability was
-re-added after the refactoring.
+re-added using compatibility wrappers.
 
 The most practical improvements over nss_ldap are:
 - the LDAP library is not loaded for every process doing LDAP lookups
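Review bot: the unchanged line "One of those problems were host name lookups through LDAP" has a subject/verb mismatch ("One ... was"); since the hunk already touches the next line, fix it here. The rewritten line "nss_ldap loaded an SSL library into executables that may not be designed to load it (e.g. problem with suid applications)" is the most security-relevant point in this section and would be clearer as "(e.g. setuid programs, where loading extra libraries and reading per-process TLS configuration is unsafe)", which is also what the "avoid problems with TLS connections in suid binaries" bullet later in the file refers to.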
@@ -92,8 +92,8 @@ The most practical improvements over nss_ldap are:
   no longer looked up using the ldap method
 - avoid problems with TLS connections in suid binaries and other process-local
   configuration
-- the setup is easier to debug because logging on the server component can be
-  enabled without affecting running processes
+- it is easier to debug because logging in nslcd can be enabled without
+  the need to restart all processes doing name lookups
 - unavailability timeouts are global instead of per-process
 
 comparison to pam_ldap
@@ -119,10 +119,11 @@ Currently the following name databases are supported:
   aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc,
   services and shadow
 
-When using IPv6 ipHostNumber attributes, the address must be in the preferred
-form as defined in section 2.2 of RFC1884, specifically the format as returned
-by inet_ntop(3). All leading zeros should be omitted and the longest range of
-zeroes should be replaced with :: (e.g. fe80::218:bff:fe55:c9f).
+When using IPv6 ipHostNumber attributes, the address in LDAP must be in the
+preferred form as defined in section 2.2 of RFC1884, specifically the format
+as returned by inet_ntop(3). All leading zeros should be omitted and the
+longest range of zeroes should be replaced with :: (e.g.
+fe80::218:bff:fe55:c9f).
 
 MAC addresses in the macAddress attribute should be in maximal, colon
 separated hex notation (e.g. 00:00:92:90:ee:e2).
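Review bot: the rewrapped IPv6 paragraph still cites RFC1884 for the preferred address form; RFC 1884 has been obsoleted (the current addressing architecture is RFC 4291, section 2.2), and the canonical text representation the paragraph actually describes (drop leading zeros, collapse the longest run of zero fields to "::", as inet_ntop(3) produces) is specified by RFC 5952. Suggest "as defined in section 2.2 of RFC 4291 and RFC 5952". The example fe80::218:bff:fe55:c9f is already in that form, so only the reference needs updating.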
@@ -133,8 +134,8 @@ common autofs implementation (on GNU/Linux) currently uses 
its own method for
 getting the maps from LDAP.
 
 Although mail aliases are exposed through NSS, most mail servers parse
-/etc/aliases by themselves and getting aliases from LDAP requires some
-configuration in the mail server.
+/etc/aliases themselves (bypassing NSS) and getting aliases from LDAP requires
+some configuration in the mail server.
 
 The publickey, bootparams and netmasks are currently unsupported. Some
 investigation should be done if these are needed for anything, which

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=6be316e88f686b29d502a69536f7773b1636e9ea

commit 6be316e88f686b29d502a69536f7773b1636e9ea
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Sun Oct 27 13:43:10 2013 +0100

    Specify m4 directory in configure script

diff --git a/autogen.sh b/autogen.sh
index 431ba45..59a5d45 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -15,7 +15,7 @@ do
 done
 
 # generate aclocal.m4 from configure.ac
-aclocal -I m4
+aclocal
 
 # generate config.h.in from configure.ac
 autoheader --warnings=all --force
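Review bot: dropping "-I m4" here makes autogen.sh depend on aclocal tracing AC_CONFIG_MACRO_DIR([m4]) from configure.ac (added in the companion configure.ac hunk); an aclocal release that does not honour that macro will no longer find the macros under m4/ and the generated configure will break. Either keep "aclocal -I m4" alongside the new AC_CONFIG_MACRO_DIR line (the two are compatible and the flag is harmless), or qualify the HACKING statement in this same push that "older versions may also work" for automake.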
diff --git a/configure.ac b/configure.ac
index 4f49cc6..f9a501c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -39,6 +39,7 @@ AC_INIT([nss-pam-ldapd],
 RELEASE_MONTH="Aug 2013"
 AC_SUBST(RELEASE_MONTH)
 AC_CONFIG_SRCDIR([nslcd.h])
+AC_CONFIG_MACRO_DIR([m4])
 
 # some initialisation
 AC_CANONICAL_TARGET

-----------------------------------------------------------------------

Summary of changes:
 HACKING      |   97 ++++++++++++++++++++++++++++++++++------------------------
 README       |   23 +++++++-------
 autogen.sh   |    2 +-
 configure.ac |    1 +
 4 files changed, 71 insertions(+), 52 deletions(-)


hooks/post-receive
-- 
nss-pam-ldapd