$Id: ChangeLog,v 1.217 2010/11/08 00:55:08 lukeh Exp $
===============================================================

186	Luke Howard <lukeh@padl.com>

	* fix for BUG#424: build fails on Darwin

185	Luke Howard <lukeh@padl.com>

	* fix for BUG#232: LDAP write on userPassword fails
	  when chasing referral and cached policy error is
	  POLICY_ERROR_PASSWORD_EXPIRED
	* fix for BUG#366: only request attributes that are
	  actually used
	* fix for BUG#394: canonicalize PAM_USER name

184	Luke Howard <lukeh@padl.com>

	* fix for BUG#312: pam_ldap does not try to reconnect
	  when LDAP server closed the connection

183	Luke Howard <lukeh@padl.com>

	* fix for BUG#291: don't suppress password policy
	  errors which should not be suppressed

182	Luke Howard <lukeh@padl.com>

	* fix for BUG#269: compile time error in call to
	  ldap_sasl_interactive_bind_s()

181	Luke Howard <lukeh@padl.com>

	* fix for BUG#256: don't send password policy request
	  control if pam_lookup_policy not specified
	* fix for BUG#254: check gethostbyname() result
	* fix for BUG#237: typo in ldap_get_lderrno()
	  implementation
	* fix for BUG#207: if ldap_start_tls_s() fails
	  return PAM_AUTHINFO_UNAVAIL
	* fix for BUG#261: sslpath example wrong
	* fix for BUG#268: POLICY_ERROR_CHANGE_AFTER_RESET
	  should be handled as POLICY_ERROR_PASSWORD_EXPIRED,
	  other password policy errors to be treated as fatal

180	Luke Howard <lukeh@padl.com>

	* from Peter Marschall <peter@adpm.de>:
	  manual page installation fix
	* fix for BUG#210: use start_tls on referrals if
	  configured to do so
	* when handling new password policy control, only
	  fall through to account management module if a
	  policy error was returned (CERT VU#778916)

179	Luke Howard <lukeh@padl.com>

	* more manual page updates

178	Luke Howard <lukeh@padl.com>

	* manual page updates

177	Luke Howard <lukeh@padl.com>

	* fix for BUG#188: better documentation for OpenLDAP
	  SSL options
	* add manual page

176	Luke Howard <lukeh@padl.com>

	* fix for compilation with Netscape SDK

175	Luke Howard <lukeh@padl.com>

	* fix BUG#182: don't send old password in exop
	  password change unless pam_password is exop_send_old

174	Luke Howard <lukeh@padl.com>

	* fix typo s/intereact/interact

173	Luke Howard <lukeh@padl.com>

	* s/pam_sasl_mechanism/pam_sasl_mech/ for
	  consistency with OpenLDAP ldap.conf

172	Luke Howard <lukeh@padl.com>

	* preliminary SASL bind support

171	Luke Howard <lukeh@padl.com>

	* use correct AIX link flags even if --with-ldap-dir
	  is not specified

170	Luke Howard <lukeh@padl.com>

	* sync ldap.conf with nss_ldap
	* AIX 5.2 port

169	Luke Howard <lukeh@padl.com>

	* include password policy schema file
	* preliminary support for
	  draft-behera-ldap-password-policy-07.txt

168	Luke Howard <lukeh@padl.com>

	* define LDAP_DEPRECATED for compiling with
	  OpenLDAP 2.2
	* send old password when calling password change
	  extended operation: if the password had expired
	  the user may not be bound and so relying on the
	  LDAP connection to be authenticated is unwise

167	Luke Howard <lukeh@padl.com>

	* fix compilation error on Solaris 9

166	Luke Howard <lukeh@padl.com>

	* fix signed/unsigned comparison issues
	* merge in LDAP debug patch from Howard Chu
	* fix BUG#126 (updating shadowLastChange)

165	Luke Howard <lukeh@padl.com>

	* fix BUG#142
	* don't set LDAP_OPT_X_TLS_REQUIRE_CERT if not specified
	  in configuration file

164	Luke Howard <lukeh@padl.com>

	* fix typo in ldapns.schema (!)

163	Luke Howard <lukeh@padl.com>

	* fix typo in authorizedService patch
	* add ldapns.schema for authorizedServiceObject and
	  hostObject

162	Luke Howard <lukeh@padl.com>

	* support for service-based authorization
	  (based on patch from Manon Goo)
	* add ignore_authinfo_unavail flag
	* pam_filter works again

161	Luke Howard <lukeh@padl.com>

	* fix from Thorsten Kukuk (SuSE) to handle scope-less
	  nss_base_passwd configuration

160	Luke Howard <lukeh@padl.com>

	* AD password change fix
	* fix from Thorsten Kukuk (SuSE) to handle aborted
	  password changes

159	Luke Howard <lukeh@padl.com>

	* updated version information

158	Luke Howard <lukeh@padl.com>

	* support for multiple service search descriptors from
	  Symas

157	Luke Howard <lukeh@padl.com>

	* BUG#120 feature: pam_password_prohibit_message
	* fix for BUG#105
	* removed static function prototypes from pam_ldap.h
	* check for libnsl

156	Luke Howard <lukeh@padl.com>

	* fix for bug #119

155	Luke Howard <lukeh@padl.com>

	* proper for for non-experimental password change exop;
	  broke compiling with older SDKs

154	Luke Howard <lukeh@padl.com>

	* fix for bug #115
	* PWEXPIRED fix from Howard Chu

153	Luke Howard <lukeh@padl.com>

	* support non-experimental password change exop
	* patch from Howard Chu to use linker grouping on
	  Solaris

152	Luke Howard <lukeh@padl.com>

	* fix build breakage with OpenLDAP HEAD

151	Luke Howard <lukeh@padl.com>

	* HP-UX port
	* import dlfcn.h on Solaris with Netscape SDK
	* export required symbols only on Linux, HP-UX, Darwin

150	Luke Howard <lukeh@padl.com>

	* added depcomp for new automake

149	Luke Howard <lukeh@padl.com>

	* OS X build fix
	* alias for RACF password changing
	* use LDAP_MOD_ADD when changing NDS passwords rather
	  than LDAP_MOD_REPLACE; NDS documentation indicates
	  that this should work, and this is required for RACF.
	* BUG#101: should build with recent automake/autoconf

148	Luke Howard <lukeh@padl.com>

	* check for Netscape SDK without SSL; don't require
	  pthreads for these

147	Luke Howard <lukeh@padl.com>

	* make shadow.lstchg default -1 to not force
	  password change when no shadow information present

146	Luke Howard <lukeh@padl.com>

	* fix for BUG#91 / Debian Bug #144175: adhere to
	  convention of the last change of the password being
	  on the Unix Epoch implying a forced password change,
	  and fix error propagation with expiring passwords

145	Luke Howard <lukeh@padl.com>

	* patch for building on OpenLDAP 1.x from Nalin
	  at RedHat

144	Luke Howard <lukeh@padl.com>

	* avoid use of temporary variable when reporting
	  non-existent configuration file; fix for local
	  format string vulnerability reported at:
	  http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html
	* log correct configuration file name when reporting
	  missing "host" directive

143	Luke Howard <lukeh@padl.com>

	* specify runtime path for LDAP library correctly to
	  native Solaris linker

142	Luke Howard <lukeh@padl.com>

	* use native linker on Solaris

141	Luke Howard <lukeh@padl.com>

	* support for headers in /usr/include/pam (Darwin)
	* integrated fix for BUG#79

140	Luke Howard <lukeh@padl.com>

	* further fix for recall #8362: do not turn
	  all users into template users

139	Luke Howard <lukeh@padl.com>

	* fix for recall #8362: support template users
	  when try_first_pass succeeds

138	Luke Howard <lukeh@padl.com>

	* when flushing cached session data, check to see
	  whether the application has requested a different
	  configuration file due to a changed service

137	Luke Howard <lukeh@padl.com>

	* treat exceeded time and size limits as a successful
	  return code; we may still have a single entry back.
	* BUG#77: make configuration file paths configurable

136	Luke Howard <lukeh@padl.com>

	* module stack fixes from Thorsten Kukuk

135	Luke Howard <lukeh@padl.com>

	* revert UID check to getuid() per patch from
	  Erich Schneider

134	Luke Howard <lukeh@padl.com>

	* per suggestion from Bill Welliver, check for
	  effective UID being 0, not real UID
	* added ber_free() after ber_flatten() in
	  extended operation password changing code

133	Luke Howard <lukeh@padl.com>

	* Patch from Ed Golden for group_dn: set error
	  code correctly

132	Luke Howard <lukeh@padl.com>

	* Patch from Bob Guo to discard trailing whitespace
	  in configuration file

131	Luke Howard <lukeh@padl.com>

	* allow "*" wildcard value to be present in host
	  attribute
	* added ignore_unknown_user option to all module
	  functions; if the user could not be found and this
	  option is set, PAM_IGNORE will be returned instead
	  of PAM_USER_UNKNOWN

130	Luke Howard <lukeh@padl.com>

	* don't return PAM_AUTH_ERR for authorization errors;
	  return PAM_PERM_DENIED
	* reverted patch in pam_ldap-114: if a user doesn't
	  exist in LDAP, pam_sm_acct_mgmt() returns
	  PAM_IGNORE, rather than PAM_SUCCESS.
	* HEADS UP: in default configuration, disable checking
	  the host attribute. This must now be manually
	  enabled with pam_check_host_attr in ldap.conf.
	* HEADS UP: if checking the host attribute is
	  enabled, and a user does not have any values for
	  the host attribute, do not allow them to login.
	  This avoids the ugly situation of having to add
	  a dummy, invalid value for the host attribute for
	  users that were not allowed to login to any host.

129	Luke Howard <lukeh@padl.com>

	* don't return PAM_SYSTEM_ERR for LDAP-related errors
	* return PAM_AUTHINFO_UNAVAIL for directory-related
	  (but not configuration-related) errors so that
	  stacking modules will work properly (thanks to
	  Brian Nelson <bnelson@cis.ysu.edu> for pointing this
	  out)

127	Luke Howard <lukeh@padl.com>

	* fixed segfault bug if nss_base_passwd contains
	  a scope but no filter (BUG#69)

126	Luke Howard <lukeh@padl.com>

	* fixed rebind prototype in pam_ldap.h for new
	  OpenLDAP client library

125	Luke Howard <lukeh@padl.com>

	* added ldap.conf stanza for AIX
	* added configurable checking host attribute
	  (pam_check_host_attr in ldap.conf)

124	Luke Howard <lukeh@padl.com>

	* note in ldap.conf that the default encryption
	  scheme for changing passwords is none (let
	  the server do it) (BUG#65)
	* pass NULL as session handle for SSL options;
	  they are set globally

123	Luke Howard <lukeh@padl.com>

	* support for new OpenLDAP rebind procedure
	* do not try to open /etc/ldap.secret unless root
	* use LDAP_OPT_NETWORK_TIMEOUT if available

122	Luke Howard <lukeh@padl.com>

	* make buildable with Sun's C compiler

121	Luke Howard <lukeh@padl.com>

	* escape username only, not entire filter

120	Luke Howard <lukeh@padl.com>

	* escape search filter to avoid wildcards etc
	* put prototypes back in, where did they go?

119	Luke Howard <lukeh@padl.com>

	* with password change exop, use bind password not encoded
	  old password for old password
	* added --disable-ssl option to configure for Debian
	* patch from Helmut Wirth <wirth@bison-soft.de> to allow
	  only a URI to be specified.
	* only set SSL options if we have values for those options

118	Luke Howard <lukeh@padl.com>

	* in _set_ssl_options(), apply the options actually to
	  the current session not a NULL pointer (which apparently
	  worked with ldap_pvt_tls_set_option())

117	Luke Howard <lukeh@padl.com>

	* do not strdup a NULL pointer if we are root
	  when changing passwords

116	Luke Howard <lukeh@padl.com>

	* make sure old authentication token is zeroed
	  out before freeing (now that we are storing the
	  old authentication token privately)

115	Luke Howard <lukeh@padl.com>

	* fix for updating passwords (consistent for Linux/Solaris)

114	Luke Howard <lukeh@padl.com>

	* patch from Brian Nelson <bnelson@cis.ysu.edu>; if
	  a user doesn't exist in LDAP, then make pam_sm_acct_mgmt()
	  return PAM_SUCCESS
	* another patch for correctly updating passwords on
	  Solaris (which doesn't do preliminary password changing
	  the same way as Linux-PAM)

113	Luke Howard <lukeh@padl.com>

	* don't use ldap_pvt_tls_set_option(); it is private API

112	Luke Howard <lukeh@padl.com>

	* SSL fix

111	Luke Howard <lukeh@padl.com>

	* further patch from Tero to fix chfn/chsh
	* further patch from Jarkko for TLS/SSL using
	  OpenLDAP: support for LDAPS, cipher suite
	  selection, client key/cert authentication

110	Luke Howard <lukeh@padl.com>

	* build on Mac OS X FCS; configure --libdir=/Library
	  (this will only work properly on HFS+ volumes)

109	Luke Howard <lukeh@padl.com>

	* patch from Tero Pelander <tpeland@tkukoulu.fi> for
	  testing scope in nss_base_passwd
	* patch from Jarkko Turkulainen <jt@wapit.com> for client
	  side certificate support

108	Luke Howard <lukeh@padl.com>

	* patch from Thorsten Kukuk <kukuk@suse.de>:
	  The problem: pam_ldap does not abort in the second
	  pam_sm_chauthtok call, if we really change the password
	  and the user does not exist in the LDAP database (tested
	  with pam_ldap-105 and pam_ldap-107).

107	Luke Howard <lukeh@padl.com>

	* s/HAVE_LDAP_SET_REBIND_PROC_ARGS/LDAP_SET_REBIND_PROC_ARGS/
	  (typo causing prototype mismatch)

106	Luke Howard <lukeh@padl.com>

	* URI support
	* cleaned up some warnings with older client
	  libraries

105	Luke Howard <lukeh@padl.com>

	* check for HAVE_LDAP_{SET,GET}_OPTION always

104	Luke Howard <lukeh@padl.com>

	* check for ldap_set_option(), as LDAP_OPT_REFERRALS
	  is defined for OpenLDAP 1.x but without the
	  ldap_set_option() function

103	Luke Howard <lukeh@padl.com>

	* patch from Thomas Noel to handle shadow
	  expiry properly

102	Luke Howard <lukeh@padl.com>

	* define macros LDAP_OPT_{OFF,ON} if
	  not defined
	* make SECSPERDAY 86400LL

101	Luke Howard <lukeh@padl.com>

	* fix uninitialized variable
	* retrieve password policy on actual password
	  change, may not have been done if we were root.

100	Luke Howard <lukeh@padl.com>

	* use -rpath on all platforms except Solaris,
	  not just Linux

99	Luke Howard <lukeh@padl.com>

	* use -shared not --shared
	* compile with -DPIC on FreeBSD

98	Luke Howard <lukeh@padl.com>

	* merged ldap.conf

97	Luke Howard <lukeh@padl.com>

	* %configure -> ./configure

96	Luke Howard <lukeh@padl.com>

	* put some meaningful content in AUTHORS
	* new spec file from Joe Little

95	Luke Howard <lukeh@padl.com>

	* add files for automake happiness

94	Luke Howard <lukeh@padl.com>

	* default to LDAP protocol version 3
	* documented exop in README
	* link on Solaris with -M mapfile
	* Solaris link with -Wl; will work with
	  gcc only, I think
	* use sysconfdir, not etcdir

93	Luke Howard <lukeh@padl.com>

	* made PAM_CLEAR the default for pam_password,
	  as was originally the case. Don't break
	  existing configurations!

92	Luke Howard <lukeh@padl.com>

	* support for OpenLDAP password change extended
	  operation, if available. Enable with

	      pam_password exop

	  in ldap.conf

91	Luke Howard <lukeh@padl.com>

	* centralized authtok update code. The pam_crypt,
	  pam_ad_passwd, and pam_nds_passwd configuration
	  file keys are deprecated; instead the following
	  configuration file key will be used:

	      pam_password [clear|crypt|md5|nds|ad]

	  See README for more information. (NB: The
	  pam_crypt will continue to work so as to not
	  compromise existing deployments.)

90	Luke Howard <lukeh@padl.com>

	* support for correct rebind function prototype
	  with OpenLDAP SDK

89	Luke Howard <lukeh@padl.com>

	* support for connection timeout in Netscape SDK

88	Luke Howard <lukeh@padl.com>

	* support for "referrals" and "restart" in
	  ldap.conf
	* don't use ldap_perror() for logging TLS errors
	* optionally get scope/filter from
	  "nss_base_passwd" value
	* accept on/yes/true for boolean configuration
	  keys

87	Luke Howard <lukeh@padl.com>

	* support for "timelimit" and "bind_timelimit" in
	  ldap.conf
	* use "nss_base_passwd" for search base preferentially
	  to "base"
	* fixed code order bug in setting TLS option;
	  introduced by patch in pam_ldap-86

86	Luke Howard <lukeh@padl.com>

	* patches from Norbert Klasen:
	  * activate either Start TLS or LDAPS with
	    OpenLDAP 2.x using "ssl start_tls" or
	    "ssl yes" respectively in ldap.conf
	  * Active Directory password changing

85	Luke Howard <lukeh@padl.com>

	* patches from David Begley:
	  * note about using --with-ldap-lib=netscape4
	  * patch to configure (regenerated from configure.in)
	  * note about using gnumake
	  * linking with lib{plc,plds,nspr}3 libraries for
	    4.1x Netscape SDK
	  * use -G not --shared when building shared
	    libraries on Solaris

84	Luke Howard <lukeh@padl.com>

	* fixed typo in pam_ldap.c

83	Luke Howard <lukeh@padl.com>

	* patch from nalin@redhat.com for StartTLS,
	  enforce V3
	* fixed up indenting
	* patch from David Begley to check for netscape4.1 lib

82	Luke Howard <lukeh@padl.com>

	* s/conffile/config; forgot to patch properly

81	Luke Howard <lukeh@padl.com>

	* use MAXPATHLEN instead of PATH_MAX; pam_ldap-80
	  failed on Solaris

80	Luke Howard <lukeh@padl.com>

	* added support for configurable configuration files;
	  you can now specify an alternate configuration file
	  using the config= parameter in pam.conf. This patch
	  was provided by scremer@dohle.com
	* added Solaris-specific linker flag patch from
	  David Begley

79	Luke Howard <lukeh@padl.com>

	* updated shipables for RC

78	Luke Howard <lukeh@padl.com>

	* updated prebuild step for RC

77	Luke Howard <lukeh@padl.com>

	* renamed _authenticate() to _do_authentication()
	  to avoid name conflict with ONC RPC headers

76	Luke Howard <lukeh@padl.com>

	* fixes to configure from David Begley;
	  detect LDAP client libraries properly
	* fix to Makefile.am from David Begley;
	  don't delete nss_ldap library on uninstall

75	Luke Howard <lukeh@padl.com>

	* updated README with Solaris crypt(3) FAQ

74	Luke Howard <lukeh@padl.com>

	* fixed support for NDS password changing,
	  from Petr Olivka <Petr.Olivka@vsb.cz>

73	Luke Howard <lukeh@padl.com>

	* added support for OpenLDAP start TLS, from
	  Alex Schlessinger <alex@hq.workspot.com>

72	Luke Howard <lukeh@padl.com>

	* added nasty_ssl_hack() constructor; this
	  dlopens ourself so that we always remain
	  loaded, and ssl_initialized is set across
	  invocations of PAM. Probably the path should
	  not be hardcoded but sourced from config.h.

71	Luke Howard <lukeh@padl.com>

	* call ldapssl_client_init() once only (this doesn't
	  have the desired effect because PAM unloads the
	  library after pam_end() is called)

70	Luke Howard <lukeh@padl.com>

	* in rebind proc, check session->info != NULL
	* in rebind proc, check {user,bind}{dn,pw} != NULL

68	Luke Howard <lukeh@padl.com>

	* initialize tmplattr/tmpluser fields

67	Luke Howard <lukeh@padl.com>

	* check _authenticate() return code before setting
	  template user

66	Luke Howard <lukeh@padl.com>

	* ypldapd locator support is now a configure option

65	Luke Howard <lukeh@padl.com>

	* set shadowLastChange silently (allow it to fail)

64	Luke Howard <lukeh@padl.com>

	* more consistent log messages (removed brackets)
	* set uid to nobody if unreadable from directory
	* support template users so users can login with
	  a name without a local POSIX account.
	* PAM_AUTHTOK_RECOVERY_ERR (not ...RECOVER_ERR)
	  on Solaris

63	Luke Howard <lukeh@padl.com>

	* return PAM_MAXTRIES if number of tries exceeded

62	Luke Howard <lukeh@padl.com>

	* new spec file from Dan Berry

61	Luke Howard <lukeh@padl.com>

	* patch from norbert.klasen@zdv.uni-tuebingen.de (bug);
	  was logging plaintext password in pam_ldap.c
	* log pam_strerror() not integer status code

60	Luke Howard <lukeh@padl.com>

	* patch from Jungle Lin@judicial.gov.tw to fix
	  logic bug in pam_sm_chauthtok()

59	Luke Howard <lukeh@padl.com>

	* fixed some assumptions in chsh/chfn, need to look
	  further at this though

58	Tom Lear <tom@trap.mtview.ca.us>

	* Debian bug #64217: remove redundant code in pam_ldap.c
	* Debian bug #64220: add minuid and maxuid parameters
	* Debian bug #65295: chsh/chfn implementation

55	Doug Nazar <nazard@dragoninc.on.ca>

	* md5 crypt support
	* rootbinddn support
	* rebind support for openldap
	* async ldap calls for bind
	* use_authtok support
	* autoconf/automake support

51	Luke Howard <lukeh@padl.com>

	* updated spec file

50	Luke Howard <lukeh@padl.com>

	* more patches from Scott Balneaves
	* use PAM_NEW_AUTHTOK_REQD instead of PAM_AUTHTOK_REQD
	* return PAM_SUCCESS for pam_sm_open_session()
	* reorganization of shadow code

49	Luke Howard <lukeh@padl.com>

	* more patches from Scott Balneaves; now just check
	  for shadow expiry date rather than shadowAccount
	  object class
	* added deref parameter to ldap.conf for parity with
	  OpenLDAP

48	Luke Howard <lukeh@padl.com>

	* added patch from Scott Balneaves <sbalneav@legalaid.mb.ca>
	  to read shadowAccount attributes

47	Luke Howard <lukeh@padl.com>

	* removed _connect_anonymously() clause when updating
	  shadowLastChange

46	Luke Howard <lukeh@padl.com>

	* incorporated new spec file

44	Luke Howard <lukeh@padl.com>

	* incorporated patch for shadowLastChange attribute

40	Luke Howard <lukeh@padl.com>

	* added support for NDSv8 password changing
	  (this is experimental)

39	Luke Howard <lukeh@padl.com>

	* added some comments in Make.defs about different
	  SDKs

38	Luke Howard <lukeh@padl.com>

	* fixed typo in pam.d/ssh

37	Luke Howard <lukeh@padl.com>

	* merged in BUG#37 branch
	* added Makefile.freebsd

36.BZ37.6	Luke Howard <lukeh@padl.com>

	* updated ChangeLog (this file)

36.BZ37.5	Luke Howard <lukeh@padl.com>

	* included FreeBSD porting fixes

36.BZ37.4	Luke Howard <lukeh@padl.com>

	* send user credentials if bound_as_user is
	  set, rather than if userpw != NULL

36.BZ37.3	Luke Howard <lukeh@padl.com>

	* drop userpw if it is already set

36.BZ37.2	Luke Howard <lukeh@padl.com>

	* fixed reordered include to compile properly

36.BZ37.1	Luke Howard <lukeh@padl.com>

	* patch release with possible fix for BUG#37, where
	  user credentials were not being forwarded to
	  referred servers (whilst password changing)

36	Luke Howard <lukeh@padl.com>

	* added -lresolv to library search path
	* incorporated stein@terminator.net's patches for RPM
	  builds

35	Luke Howard <lukeh@padl.com>

	* put /usr/ucblib back in linker search path on Solaris

33	Luke Howard <lukeh@padl.com>

	* fixed pam_ldap.c to support compiling against an API
	  which conforms to draft-ietf-ldapext-ldap-c-api-02.txt.
	  Should make it easier to work with OpenLDAP 2. Netscape
	  specific extensions are guarded with NETSCAPE_API_EXTENSIONS.

30	Luke Howard <lukeh@padl.com>

	* fixed Make.defs for linking against OpenLDAP libldap
	  (recall #279)
	* more SSL stuff

28	Luke Howard <lukeh@padl.com>

	* added patch from gero@faveve.uni-stuttgart.de for
	  parsing of ldap.conf with tabs
	* various patches hopefully to get SSL to work

27	Luke Howard <lukeh@padl.com>

	* fix for recall 256: free() smasher

26	Luke Howard <lukeh@padl.com>

	* added commented out flags for non-V3 SDKs

25	Luke Howard <lukeh@padl.com>

	* removed ucblib search path

24	Luke Howard <lukeh@padl.com>

	* compile with -D_REENTRANT and link against -lpthread
	  to satisfy dependencies in libldapssl30. (BUG#7)

23	Luke Howard <lukeh@padl.com>

	* no longer use LDAP_VERSION3 to select API
	  (BUG#6)

21	Luke Howard <lukeh@padl.com>

	* added rebind function
	* various stuff for RC added
	* broke out makefiles
	* ldap.conf keys case-insensitive for compat with
	  OpenLDAP

17	Luke Howard <lukeh@padl.com>

	* force users to change passwords if their account has
	  expired
	* updated mapfile for Solaris

14	Luke Howard <lukeh@padl.com>

	* fall back to /etc/ldap.conf if ypldapd is configured
	  for configuration lookup
	* fixed up pam.conf

13	Luke Howard <lukeh@padl.com>

	* added -lcrypt for Linux

12	Luke Howard <lukeh@padl.com>

	* Use ldap_open() for V2 as ldap_init() doesn't work
	* Support hashing passwords locally for UMich crypt
	  patched server
	* Tested against Microsoft Exchange Server
	* Fixed some errors in ldap.conf and mapfile

11	Luke Howard <lukeh@padl.com>

	* Added support for group membership as in Chris'
	  pam_ldap_auth module; see the pam_groupdn and
	  pam_group_attribute configuration keys.
	* Changed pam_attribute to pam_login_attribute to
	  avoid confusion with pam_group_attribute.
	* Support Netscape password expiration controls
	* Avoid authenticating users with empty passwords,
	  even if the directory server does
	* Fill in pam_sm_{open,close}_session for completeness
	  (they return PAM_IGNORE)

10	Luke Howard <lukeh@padl.com>

	* tested with Linux-PAM 0.57
	* made all functions static
	* added prototypes
	* LDAP connections can be persistent over an entire PAM
	  session through the use of pam_set_data() and
	  pam_get_data()
	* fixed some bugs

9	Luke Howard <lukeh@padl.com>

	* first publicly available version.