mod_ldap v2.9.2
===============

mod_ldap is a ProFTPD module that performs user authentication and
name/UID/quota lookups against an LDAP directory.

**Please note:** Read the Changes section below for mod_ldap v2.9 changes;
some significant changes have been made. Do *NOT* upgrade to mod_ldap v2.9
or later before reading the Changes section.

Sections:
1. Author
2. How do I set up mod_ldap?
3. Changes
4. Thanks


=========
1. Author
=========

John Morrissey, <jwm@horde.net>, http://horde.net/~jwm/software/mod_ldap/.
Feedback is much appreciated. If you're using mod_ldap successfully, are
having problems getting mod_ldap up and running at your site, or have some
code improvements or ideas for development, please let me know!


============================
2. How do I set up mod_ldap?
============================

* tar xvzf proftpd-version.tar.gz
* If you wish to use a newer version of mod_ldap that is not yet included
  with a release version of ProFTPD, download the file mod_ldap.c and say:

    cp -f mod_ldap.c proftpd-version/contrib

* cd proftpd-version
* ./configure --with-modules=mod_ldap
* make
* make install
* The 'user-ldif' file contains a sample user ldif. Modify it to your liking
  and say ldapadd -D your-root-dn -w your-root-dn-password < ldif
* You are *strongly* encouraged to read up on the LDAP config-file
  directives in proftpd-version/doc/Configuration.html. At bare minimum,
  you'll need LDAPServer, LDAPBindDN, and LDAPUsers configuration directives
  in your proftpd.conf.

  A set of basic mod_ldap configuration directives would look like:

    LDAPServer localhost
    LDAPBindDN cn=your-dn,dc=example,dc=com dnpass
    LDAPUsers "dc=users,dc=example,dc=com"

  Of course, you will need to update these configuration directives with
  the proper values for your environment.


==========
3. Changes
==========
v2.9.2:
- Prevent segmentation fault when no user filters (second and third
  arguments to LDAPUsers) are specified.

v2.9.1:
- Handle potential NULL return value from crypt(). (Bug #3551)
- Update README to mention the LDAPDNInfo -> LDAPBindDN change in v2.9.0.

v2.9.0:
- Overhaul configuration directives, hopefully yielding a more
  straightforward, easier way to configure mod_ldap.

  The LDAPDoAuth and LDAPDoUIDLookups directives have been combined into the
  new LDAPUsers directive. The third argument to LDAPDoUIDLookups (the UID
  filter template) is now the third argument to LDAPUsers.

  LDAPDoGIDLookups is now LDAPGroups.

  LDAPDoQuotaLookups is now obsolete. The default quota can be specified
  with the new LDAPDefaultQuota directive.

  Also, the on/off booleans on these directives have been removed. Now, if
  the directive is present, the corresponding functionality will be enabled.

  For example, the previous configuration:

    LDAPDNInfo cn=your-dn,dc=example,dc=com dnpass
    LDAPDoAuth on ou=people,dc=horde,dc=net (uid=%u)
    LDAPDoUIDLookups on ou=people,dc=horde,dc=net (uidNumber=%u)
    LDAPDoGIDLookups on ou=groups,dc=horde,dc=net
    LDAPDoQuotaLookups on ou=people,dc=horde,dc=net (uid=%u) false,hard,10485760,0,0,0,0,0

  becomes:

    LDAPBindDN cn=your-dn,dc=example,dc=com dnpass
    LDAPUsers ou=people,dc=horde,dc=net (uid=%u) (uidNumber=%u)
    LDAPGroups ou=groups,dc=horde,dc=net
    LDAPDefaultQuota false,hard,10485760,0,0,0,0,0

- Remove OpenSSL local verification of password hashes; 'LDAPAuthBinds on'
  should do exactly the same thing in a more secure and standard way.
- Remove deprecated LDAPNegativeCache and LDAPUseSSL directives.
- Add group members to debug output.
- Various internal improvements to comments, log/debug messages, style, and
  logic.

v2.8.23:
* Add support needed by mod_sftp_ldap for fetching user public keys.
* Bad LDAP lookup can cause mod_ldap segfault under some conditions.
  (Bug #3424)

v2.8.22:
* Disable the LDAPUseSSL directive, instead logging a warning so existing
  configurations do not cause ProFTPD startup failure. Previous versions
  enabled TLS when this directive was enabled. This behavior was incorrect,
  since the intended behavior was to enable LDAPS/LDAP over SSL. To use
  LDAPS, specify the ldaps:// protocol in the LDAPServerURL URL(s).

  If you wish to continue using TLS, you must modify your configuration to
  specify the ldap:// scheme in the LDAPServerURL URL and add the directive
  'LDAPUseTLS on' to your configuration.
* Add support for quota profiles. If a user entry doesn't have an ftpQuota
  attribute, search for the DN contained in the user's ftpQuotaProfileDN
  attribute (if present) and use the ftpQuota attribute present on that DN.
  (Bug #2617)
* Fix segfaults in debug logging on platforms whose printf() does not
  gracefully handle NULL string pointers. (Bug #3346)
* Escape LDAP filter metacharacters in inserted values when interpolating
  filter templates.
* Emit a debug warning when an LDAP URL is specified without an explicit
  search scope.
* Bug 2922 locks authentication for an account to the same module that
  fetched the original account information. Remove the kludge wherein
  "*" is passed to pr_auth_check() if we're doing auth binds to prevent
  other modules from processing authentication. This has the convenient
  side effect of making the UserPassword directive work with LDAP-sourced
  accounts. Bump the required ProFTPD version to 1.3.1rc3.
* Emit correct LDAP timeout in debug message, accounting for the default if
  none was specified. Reported by Nikos Voutsinas <nvoutsin@noc.uoa.gr>.

v2.8.21:
* Implement an internal failover mechanism instead of relying on the LDAP
  SDK's built-in failover (if any).
  Fixes failover regression introduced in v2.8.19 when ldap_initialize()
  was first used.
* Multiple LDAP URL arguments may now be passed to LDAPServer:

    LDAPServer ldap://127.0.0.1/??sub ldap://172.16.0.1/??sub

* When setting whether to dereference LDAP aliases after connecting to
  the LDAP server, treat failure as a hard failure and refuse to continue
  with that LDAP server. Previously, failure when specifying whether to
  dereference aliases would be logged but the connection to that server
  would continue.

v2.8.20:
* Prevent the use of LDAPSearchScope or LDAPUseSSL when LDAPServer specifies
  a URL. Instead, the desired search scope and SSL setting should be
  specified by the URL.
* When using OpenSSL for local password verification (as opposed to
  'LDAPAuthBinds on'), make the Base64 encoding buffer larger to ensure
  we account for expansion resulting from the encoding.
* Retrieve all LDAP attributes when calling pr_ldap_user_lookup() since
  it will need various attributes (to perform home directory generation,
  for one). Thanks to Nikos Voutsinas <nvoutsin@noc.uoa.gr>.
  http://forums.proftpd.org/smf/index.php/topic,3562.0.html
* Portability fix: don't use ldap_initialize() and ldap_unbind_ext_s()
  unless we're building against the corresponding versions of the OpenLDAP
  SDK.

v2.8.19:
* Fix compilation with old LDAP SDKs (LDAP_API_VERSION < 2000). Thanks to
  Saju Paul <saju.paul@messageway.com>.
* Define LDAP_SCOPE_DEFAULT if not defined by the SDK, fixing compilation
  with (recent?) Sun LDAP headers.
* Use the configured ldap_port in "connected..." debug message, not
  LDAP_PORT.
* Fix segfaults on client connect when an LDAP URL is used as an argument
  to the LDAPServer directive. (Bug #3097)
* Automatically enable LDAP TLS support based on a best guess as to whether
  the installed LDAP SDK supports it.
* Fixed missing ldap_init() -> ldap_initialize() when updating for latest
  LDAP C API. Fixes segfaults on (some?) 64-bit systems. (Bug #3046)

v2.8.18:
* Remove all local caching code in favor of the recently added caching in
  the ProFTPD Auth layer.
* Silence some compiler warnings.
* To verify non-crypt() password hashes locally with OpenSSL, it is no
  longer necessary to edit mod_ldap.c to enable HAVE_OPENSSL. Instead,
  build ProFTPD with the --enable-openssl argument to configure.

v2.8.17:
* Use non-deprecated LDAP API functions if the LDAP SDK is new enough to
  comply with draft-ietf-ldapext-ldap-c-api-04.

v2.8.16:
* Add 'LDAPAliasDereference never|search|find|always' directive, which
  defaults to never. This default is compatible with previous versions,
  which did not support alias dereferencing.
* Fix LDAPAttr support when more than one LDAPAttr directive is used.
* Sync with ProFTPD API: set session.auth_mech to indicate that we've
  successfully authenticated the user.
* Eliminate segfaults when group information for an LDAP user is available
  from other sources (such as mod_auth_unix). Thanks to Erick Briere
  <Erick.Briere@afp.com>.
* Make sure to count %u escapes as well as %v escapes when determining
  filter length.
* Fix parenthesizing in connection code.

v2.8.15:
* Erroneous release; contained 2.8.14 by mistake.

v2.8.14:
* Fix authentication when LDAPAuthBinds is enabled, which broke in 2.8.13.
* Fix a typo in the group-by-name filter.

v2.8.13:
* This release REQUIRES ProFTPD 1.2.11rc1 or later.
* mod_ldap now uses ProFTPD's CreateHome to create home directories. Some
  LDAPHomedirOnDemand directives have been removed in favor of CreateHome.
  The directives that apply to home directory path name generation still
  exist, but have been renamed to LDAPGenerateHomedir.
* The LDAP protocol version now defaults to LDAPv3.
  If you need to use LDAPv2, say 'LDAPProtocolVersion 2' in your
  proftpd.conf. (Bug #2443)
* LDAP attribute names are now configurable via proftpd.conf. For example,
  if you want to change the uid attribute name, say 'LDAPAttr uid myUidAttr'
  in your proftpd.conf.
* The define to enable TLS support has been renamed to USE_LDAP_TLS.
* The '%u' escape is now supported in all cases where '%v' is.
* ProFTPD's UserPassword directive now works with LDAPAuthBinds enabled.
  (Bug #2482)
* Changed ldap_quota_lookup CMD to a HOOK.
* Fixed a few compiler type warnings.

v2.8.12:
* Group code memory manipulation fixes (Phil Oester (phil at theoesters dot
  com))
* Default quota support
* LDAP connections created for authenticated binds now honor the LDAPUseTLS
  directive.

v2.8.11:
* mod_quotatab limit support
* Allow ATTR_* compiler defines to be overridden on the build command line,
  e.g.: CFLAGS="-DUID_ATTR=foo" ./configure
* The canonical username from the LDAP directory is now used in directory
  creation.
* LDAPForceHomedirOnDemand to force the use of the generated home directory
  instead of the directory provided by the LDAP directory.
* Support for permissions on LDAPHomedirOnDemand suffixes. You can say:

    LDAPHomedirOnDemandSuffix foo:755 bar:700

  in your proftpd.conf.
* Support for %v escapes in LDAPDoAuth directive to allow fetching the
  user's entry directly, without performing a search first. For example,

    LDAPDoAuth on uid=%v,dc=example,dc=com

  will fetch the entry uid=[username],dc=example,dc=com directly when a user
  logs in, saving some effort on the part of the LDAP directory.
* Leading directories are now checked for and creation is no longer
  attempted if they already exist.
* Miscellaneous pedanticism & cleanup in error messages and the code itself.
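
The %u/%v filter-template expansion these entries describe, combined with the metacharacter escaping noted under v2.8.22, sketched as an added example (this is not mod_ldap's own code). The function names, the sample template and the sample inputs are constructed for illustration; escaping follows RFC 4515, and substituting the same value for both escapes is a simplifying assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative helpers, not mod_ldap functions. */

/* RFC 4515 filter metacharacters that must be written as "\xx". */
static int needs_escape(unsigned char c) {
    return c == '*' || c == '(' || c == ')' || c == '\\';
}

/* Length of `value` once escaped (each metacharacter grows to 3 bytes). */
static size_t escaped_len(const char *value) {
    size_t n = 0;
    for (; *value; value++)
        n += needs_escape((unsigned char)*value) ? 3 : 1;
    return n;
}

/* Write the escaped form of `value` at `out`; return the new write position. */
static char *append_escaped(char *out, const char *value) {
    static const char hex[] = "0123456789abcdef";
    for (; *value; value++) {
        unsigned char c = (unsigned char)*value;
        if (needs_escape(c)) {
            *out++ = '\\';
            *out++ = hex[c >> 4];
            *out++ = hex[c & 0x0f];
        } else {
            *out++ = (char)c;
        }
    }
    return out;
}

/* True when `p` points at a %u or %v escape. */
static int is_escape(const char *p) {
    return p[0] == '%' && (p[1] == 'u' || p[1] == 'v');
}

/* Expand every %u or %v in `tmpl` with the escaped `value`; anything else,
 * including a '%' not followed by u or v, is copied unchanged.
 * Returns a malloc()ed string the caller frees, or NULL on error. */
char *interpolate_filter(const char *tmpl, const char *value) {
    const char *p;
    char *out, *w;
    size_t total = 0, vlen;

    if (tmpl == NULL || value == NULL)
        return NULL;

    /* Pass 1: size the result, counting both %u and %v occurrences. */
    vlen = escaped_len(value);
    for (p = tmpl; *p; p++) {
        if (is_escape(p)) { total += vlen; p++; }
        else total++;
    }

    out = malloc(total + 1);
    if (out == NULL)
        return NULL;

    /* Pass 2: copy the template, substituting the escaped value. */
    for (p = tmpl, w = out; *p; p++) {
        if (is_escape(p)) { w = append_escaped(w, value); p++; }
        else *w++ = *p;
    }
    *w = '\0';
    return out;
}

int main(void) {
    /* Constructed template and inputs: a plain name and one made of
     * filter metacharacters, which must come out as inert literals. */
    const char *tmpl = "(&(uid=%v)(objectclass=posixAccount))";
    const char *inputs[] = { "joe", "*)(uid=*" };
    for (size_t i = 0; i < 2; i++) {
        char *f = interpolate_filter(tmpl, inputs[i]);
        if (f == NULL) return 1;
        printf("%-10s -> %s\n", inputs[i], f);
        free(f);
    }
    return 0;
}
```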

v2.8.10:
* Ditch ldap_build_filter() (non-portable and/or deprecated) in favor of
  our own translation function. This should make mod_ldap build against
  OpenLDAP 2.1.x and Novell eDirectory, among others.

v2.8.9:
* Added explicit OpenSSL link exception to the license.

v2.8.8:
* ProFTPD Bug 1659 - LDAP config handlers should use c->pool instead of
  permanent_pool

v2.8.7:
* Properly drop root privs in the LDAPHomedirOnDemand code if we're
  returning prematurely due to an error condition.
* Small cleanup of the LDAPHomedirOnDemand directory creation code.

v2.8.6:
* Fix to the user-caching code that now prevents the cache from
  returning an empty password struct in certain situations.

v2.8.5:
* Small fix in the group handlers - group lookups would sometimes be
  attempted even if they were disabled.

v2.8.4:
* Fix for segfaults when optional arguments are omitted from
  LDAPDoGIDLookups directive

v2.8.3:
* Secondary group support (thanks to Andreas Strodl for providing patches)
* LDAPHomedirOnDemand modes are now absolute; they are no longer subject
  to ProFTPD's umask.
* LDAPDefault[UG]ID directives should now support the full range of
  32-bit UIDs.
* Sanity checking is now done on LDAPDefault[UG]ID arguments to ensure
  they're numeric.
* LDAPDoGIDLookups now takes an extra argument. Its arguments are now:

    LDAPDoGIDLookups on|off group-base-dn by-name-filter by-uid-filter

  by-name-filter defaults to (&(cn=%v)(objectclass=posixGroup)) and
  by-uid-filter defaults to (&(gidNumber=%v)(objectclass=posixGroup)).

v2.8.2:
* Fixed a privilege escalation bug. If LDAPHomedirOnDemand is enabled and
  creation of the user's home directory fails, the server does not
  relinquish root privileges. This shouldn't be exploitable, but all
  users with LDAPHomedirOnDemand enabled are encouraged to upgrade.

v2.8.1:
* Fixed a bug that prevented proper permissions being applied to home
  directories created on demand.
* Fixed an issue that would prevent per-VirtualHost configuration directives
  from being properly recognized.

v2.8:
* The username escape sequence in search filter templates has changed.
  You must now use %v instead of %u as the escape for the username. For
  example, if you had:

    LDAPDoAuth on dc=example,dc=com (uid=%u)

  in your proftpd.conf with a previous version of mod_ldap, you will need
  to change this to:

    LDAPDoAuth on dc=example,dc=com (uid=%v)

* LDAPAuthBinds is now enabled by default. I'm sick of hearing "Your
  mod_ldap is broken; it won't talk to my LDAP server and I've ignored the
  convenient error message about userPassword that mod_ldap logs."

* The full path to user home directories is now created. Directories leading
  up to the user's home directory are created root-owned and mode 755 (i.e.,
  they are not subject to the mode argument to LDAPHomedirOnDemand). Home
  directory creation now works for all users, not just users with the same
  UID/GID as the main ProFTPD server. Lastly, the mode argument to
  LDAPHomedirOnDemand is no longer subject to ProFTPD's Umask.

* TLS support (You'll need to edit mod_ldap.c to define USE_LDAPV3_TLS and
  recompile proftpd, then say 'LDAPUseTLS on' in your proftpd.conf). This
  may or may not work with non-OpenLDAP SDKs; I'd love to hear if anyone has
  it working with the Mozilla LDAP SDK or any others.

* The LDAP search sizelimit is now set to prevent LDAP server thrashing with
  wildcarded usernames.

* Basic caching support has been added. This should cut down on the number
  of queries made to the directory server. In addition, negative caching
  is now enabled by default.

* LDAPHomedirOnDemandSuffix can now take multiple arguments (multiple
  directories to create) and can be activated independently of
  LDAPHomedirOnDemand.

* With the addition of LDAPHomedirOnDemandPrefix, home directories can now
  be completely autogenerated, removing the need for a homeDirectory
  attribute in each user's LDAP entry. Say:

    LDAPHomedirOnDemandPrefix /home

  in your proftpd.conf to give users a home directory with the format
  /home/username. In this example, the user joe would be given the home
  directory /home/joe.

* Attribute names are now #defines at the top of mod_ldap.c. You can now
  change attribute names by editing mod_ldap.c and recompiling.

* The LDAPDefaultUID and LDAPDefaultGID directives can now be forced;
  enabling LDAPForceDefaultUID or LDAPForceDefaultGID will apply the
  default UID or GID (respectively) even if a user has a different UID/GID
  in his uidNumber or gidNumber attribute.

* Fairly extensive code cleanup and comment syncing.

v2.7.6:
* Fixing the OpenLDAP 2 fixes.

v2.7.5:
* Fixes for OpenLDAP 2 support.
* Fix LDAP authentication filter use; previously, the user-specified search
  filter would not be used in the second stage of authenticating a user.

v2.7.4:
* The LDAPDefaultAuthScheme directive should function properly now.

v2.7.3:
* Removed some old, useless code.

v2.7.2:
* LDAPQueryTimeout fix. In mod_ldap v2.7.1, in some situations, the query
  timeout could be set to -1, which would cause all LDAP lookups to fail.

v2.7.1:
* Ported MacGyver's portable UID/GID code to mod_ldap
* The value passed to LDAPQueryTimeout is now honored (the timeout isn't
  simply set to 1 second)

v2.7:
* Added a fix for picky LDAP servers like Sun Directory Services; using
  AuthBinds with those LDAP servers would break in previous mod_ldap
  versions.
  See the comments in the code for more details (search for "Sun
  Directory Services").
* You can now pass a file mode to LDAPHomedirOnDemand to create home
  directories with that mode.
* Improved group support; mod_ldap now supports multiple memberUid
  attributes for a group object.
* Miscellaneous neatening/tightening of high-level auth/lookup handler
  functions.
* You can now specify custom LDAP search filters at runtime. See the
  configuration guide (doc/Configuration.html) entries for LDAPDo* for more
  details.
* Objectclass is now enforced. You *must* have an objectclass attribute for
  each of your LDAP objects. This attribute must have a value of
  'posixAccount' ("objectclass: posixAccount"). For groups, this attribute
  must have the value 'posixGroup' ("objectclass: posixGroup"). If you wish
  to disable this objectclass enforcement, use the LDAP filter
  "(uid=%u)" for Auth and UID lookups (see doc/Configuration.html for how to
  specify a custom LDAP search filter).
* Removed allowedServices code. The functionality that allowedServices
  provided can now be duplicated with a modified LDAP search filter.

  For example, to replicate basic allowedServices checking, pass this LDAP
  search filter to LDAPDoAuth:
    (&(uid=%u)(|(allowedServices=*FTP*)(!(allowedServices=*))))

  To emulate deniedServices checking, use this search filter:
    (&(uid=%u)(!(deniedServices=*FTP*)))

  To emulate *both* allowedServices and deniedServices checking, use this
  filter (beware line wrap):
    (&(uid=%u)(|(allowedServices=*FTP*)(!(allowedServices=*)))(!(deniedServices=*FTP*)))

v2.6.1:
* Fixed a bug that would prevent proper search scope selection.

v2.6:
* HomedirOnDemandSuffix - create an additional subdirectory in a user's home
  directory (/home/user/anotherdirectory) on demand
* Minor group fixes/cleanups - supplementary groups now work properly
* Password {scheme}s are now treated in a case-insensitive manner.
* Password-hash support for any crypto method OpenSSL supports.
  To enable extended OpenSSL password hash support, edit mod_ldap.c and
  uncomment #define HAVE_OPENSSL. You'll also need to edit Make.rules to
  link against OpenSSL. Further details are provided in mod_ldap.c.
* Runtime search scope selection; one-level or subtree searches can be
  selected from proftpd.conf.

v2.5.2:
* Fixed a bug that would allow unauthorized users to log in when mod_ldap
  is used with other authentication modules and LDAPAuthBinds is set to on.

v2.5.1:
* Fixed a one-line bug that broke password authentication when AuthBinds
  weren't being used.

v2.5:
* Authenticated bind support added. mod_ldap now fetches all user information
  except for userPassword as the DN specified in LDAPDNInfo and then re-binds
  to the LDAP server as the connecting user with the user-supplied password.
  If the bind succeeds, the user is allowed to log in. This also has the
  added advantage of allowing mod_ldap to support any password encryption
  scheme that your LDAP server supports. Also, a privileged DN is no longer
  needed to read the userPassword attribute from the LDAP server.
* Realized I wasn't checking the return value of find_config() for NULL
  values; this would cause ProFTPD to segfault if certain config file
  entries were not present.
* Removed debugging code that might contain NULL values; passing a NULL
  value to printf() and friends under Solaris causes a segfault.
* Miscellaneous cleanups, code neatening.

v2.0:
* Config file syntax revamped:
    LDAPServer localhost
    LDAPDNInfo cn=your-dn,dc=horde,dc=net dnpass
    LDAPQueryTimeout 5
    LDAPDoAuth on "dc=users,dc=horde,dc=net"
    LDAPDoUIDLookups on "dc=users,dc=horde,dc=net"
    LDAPDoGIDLookups on "dc=groups,dc=horde,dc=net"
    LDAPDefaultUID 35000
    LDAPDefaultGID 1000
    LDAPNegativeCache on
    LDAPHomedirOnDemand on
    LDAPDefaultAuthScheme clear
* Configurable LDAP query timeout [Peter Deacon <peterd@iea-software.com>]
* Cleartext password "encryption" scheme ("{clear}mypass")
* UID-to-name and GID-to-name lookups in directory listings
* Separate prefixes for user and group lookups
* Can turn on/off UID-to-name and GID-to-name lookups independently
* Default [UG]IDs. Say you want to have a web-toaster type of deal, with
  all users having the same [UG]IDs. Just don't put [ug]idNumber attrs in
  your LDAP database for those users, and set these configuration
  directives. Any user that doesn't have a [UG]ID in the LDAP database will
  have that info filled in with the default [UG]ID.
* mod_ldap is now able to function in a pure virtual-user environment;
  please note, however, that the loginShell LDAP attr still must be a
  valid shell. You can turn this check off by saying RequireValidShell off
  in your proftpd.conf
* allowedServices attr: (I broke with objectclass here, couldn't find
  something that seemed to fit this.) This attribute contains a
  comma-delimited list of services to allow this particular user. The
  string "FTP" corresponds to FTP service. If no allowedServices attr is
  present, all services will be allowed.
* You can have alternate LDAP servers; just specify LDAPServer "host1
  host2"; [Peter Deacon <peterd@iea-software.com>]
* LDAPHomedirOnDemand to automatically create home directories in a
  virtual-user environment.
  [patch: Bert Vermeulen <bert@be.easynet.net>]
* LDAPDefaultAuthScheme to select the authentication scheme to use when
  no {prefix} is present in a user's userPassword LDAP attr.
  [patch: Bert Vermeulen <bert@be.easynet.net>]
* Virtual hosting support may or may not work okay; theoretically, I think
  adding LDAP configuration directives to a <VirtualHost> block will work,
  but this hasn't been tested.

New Tested Platforms:

* Solaris 2.6 with Netscape Directory Server and the Mozilla LDAP C SDK,
  available at http://www.mozilla.org/directory/csdk.html.
  Peter Fabian <fabian@staff.matavnet.hu>
* Solaris 7 with gcc 2.95.1 and OpenLDAP 1.2.7
  Ralf Kruedewagen <Ralf.Kruedewagen@meocom.de>

v1.2:
* made the variables for the config entries static
* moved the meat of the ldap querying code to a separate function, this
  gets the individual getpw*() handlers down to about 15-20 lines each.
  also paves the way for easy LDAP group lookups too.
* explicitly set ld = NULL in p_endpwent(), looks like ldap_unbind()
  doesn't always set it to NULL, and bad things happen later.
* fixed a showstopper: if there's a user/group directive in proftpd.conf,
  mod_ldap:getpwnam() will be called to look up the user. since the
  LDAP config variables aren't initialized yet, the LDAP libraries crash
  and burn upon encountering a NULL ldap_prefix. put some checks in
  p_setpwent() to check for this and disable LDAP lookups before the
  parent forks and the config is initialized. thanks to Sean Murphy
  <smurphy@berbee.com> for sending me on this path.
* modified pw_auth() so that it will assume crypt() if there's no leading
  {scheme} in the password returned by the LDAP query.
* pw_auth() turned off logging of unidentifiable password encryption
  schemes; this would syslog the encrypted password returned by the ldap
  server. many people have their logs tightened, but not all.
* a few miscellaneous changes & cleanups

v1.1:
* Added $Libraries$ directive to mod_ldap so the module is now entirely
  self-contained.
* Changed one reference to sprintf() to snprintf() and changed uidstr
  in p_getpwuid() to have a length of BUFSIZ.
* Added config option (LDAPNegativeCache) to turn LDAP negative caching
  on and off. The default is off (don't do LDAP negative caching).
* Added entries to doc/Configuration.html for all the LDAP configuration
  directives.
* MacGyver added mod_ldap to the ProFTPD CVS tree; proftpd-ldap-1.1
  is now in sync with ProFTPD CVS.

v1.0:
* Initial release of proftpd-ldap


=========
4. Thanks
=========

* Everyone listed in mod_ldap.c for contributing code.

* James (james at wwnet dot net) for a copy of his LDAP module that he never
  released
* Krzysztof Dabrowski (brush at pol dot pl) for some big virtual-user ideas
* Peter Deacon (peterd at iea-software dot com) for ideas
* Peter Fabian (fabian at staff dot matavnet dot hu) for ideas and a tested
  platform
* Justin Hahn (jeh at profitlogic dot com) for good ideas and debate
* Ralf Kruedewagen (Ralf dot Kruedewagen at meocom dot de) for a tested
  platform
* Steve Luzynski (steve at uniteone dot net) for extra help/testing/feedback
* Scott Murphy (smurphy at berbee dot com) for a trouble report
* Marcin Obara for lots of testing
* Miguel Barreiro Paz (mbpaz at edu dot aytolacoruna dot es) for a supported
  platform and new supported LDAP server
* Everyone else who has sent feedback, bug reports, feature requests,
  and ideas.