# RPM spec for the combined nss_ldap + pam_ldap package.
#
# Version of the bundled pam_ldap tarball (Source1).  The changelog records the
# update to pam_ldap 183 as resolving CVE-2006-5170 (#216421).
%define pam_ldap_version 183
Summary: NSS library and PAM module for LDAP.
Name: nss_ldap
Version: 253
Release: 42%{?dist}
# NOTE(review): both upstream tarballs are referenced by plain ftp:// URLs and
# nothing in this file pins a checksum or signature for them; confirm the
# copies in the source directory against a trusted digest before building.
Source0: ftp://ftp.padl.com/pub/nss_ldap-%{version}.tar.gz
Source1: ftp://ftp.padl.com/pub/pam_ldap-%{pam_ldap_version}.tar.gz
# Linker version scripts used when the two modules are relinked in the build
# section.
Source3: nss_ldap.versions
Source4: pam_ldap.versions
Source5: README.TLS
# Build-time helpers: version.c is compiled and run to choose the SASL library,
# and dlopen.sh is run against both built modules as a loadability check.
Source6: version.c
Source7: dlopen.sh
# Patch numbers are not contiguous (there is no Patch6 or Patch28).  The file
# name prefix shows which source tree each patch targets.
Patch0: pam_ldap-183-dnsconfig.patch
Patch1: pam_ldap-180-local_users.patch
Patch2: nss_ldap-253-parse.patch
Patch3: pam_ldap-180-install-perms.patch
Patch4: pam_ldap-180-bind.patch
Patch5: nss_ldap-250-mock64.patch
Patch7: pam_ldap-182-manpointer.patch
Patch8: nss_ldap-256-resolver.patch
Patch9: pam_ldap-176-referral-passwd.patch
Patch10: pam_ldap-176-referral-passwd2.patch
Patch11: pam_ldap-176-exop-modify.patch
Patch12: pam_ldap-183-rebind_control.patch
Patch13: nss_ldap-257-slash.patch
Patch14: nss_ldap-257-port.patch
Patch15: nss_ldap-253-pthread_atfork.patch
Patch16: nss_ldap-253-groupsize.patch
Patch17: nss_ldap-253-sigpipe_atfork.patch
Patch18: nss_ldap-253-netgroups.patch
Patch19: nss_ldap-250-fix-fdleak.patch
Patch20: nss_ldap-253-ent_internal.patch
Patch21: nss_ldap_bind_timelimit.patch
Patch22: nss_ldap-253-sigmask.patch
Patch23: nss_ldap-253-checkcase.patch
Patch24: nss_ldap-253-depth.patch
Patch25: nss_ldap-254-configerr.patch
Patch26: nss_ldap-263-errnop.patch
Patch27: nss_ldap-253-leak.patch
Patch29: pam_ldap-185-expiration4.patch
Patch30: nss_ldap-253-child2.patch
Patch31: nss_ldap-253-fix-uninit.patch
Patch32: pam_ldap-183-fix-tls-memleak.patch
Patch33: nss_ldap-253-padl-bug-418.patch
Patch34: nss_ldap-265-erange.patch
# Patch35: presumably the "nss_getgrent_skipmembers" backport from the 253-39
# changelog entry (#646329) -- matched by name only.
Patch35: nss_ldap-skipmembers.patch
# Patch36/37: presumably the 253-41 backports for upstream #350 (parsing
# results when the connection is gone) and #351 (double-free of the message
# chain), #684889 -- matched by name only.
Patch36: nss_ldap-getent-disconnect.dif
Patch37: nss_ldap-double-ldap_msgfree.dif
# Patch38: presumably the 253-42 change that always requires authentication
# when an expired password is being changed (#667758) -- matched by name only.
Patch38: pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch
URL: http://www.padl.com/
License: LGPL
Group: System Environment/Base
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildPrereq: autoconf, automake, libtool
# The openssl-devel floor comes from the 253-38 changelog entry: nss_ldap is
# linked statically, so the build must use an OpenSSL new enough to provide
# SHA-2 hashes for TLS (#683349).
BuildPrereq: krb5-devel, openssl-devel >= 0.9.8e-18, /usr/include/security/pam_modules.h
BuildPrereq: libtool
# The openldap-devel floor comes from the 253-24 changelog entry (referral
# chasing fixes, #510522 / #472920).
BuildPrereq: cyrus-sasl-devel >= 2.1, openldap-devel >= 2.3.43-7
BuildPrereq: krb5-devel >= 1.4, keyutils-libs-devel, libselinux-devel
Requires: nscd
Obsoletes: pam_ldap
Prereq: grep, mktemp, sed, textutils, /sbin/ldconfig

%description
This package includes two LDAP access clients: nss_ldap and pam_ldap.
Nss_ldap is a set of C library extensions that allow X.500 and LDAP
directory servers to be used as a primary source of aliases, ethers,
groups, hosts, networks, protocol, users, RPCs, services, and shadow
passwords (instead of or in addition to using flat files or NIS).
Pam_ldap is a module for Linux-PAM that supports password changes, V2
clients, Netscape's SSL, ypldapd, Netscape Directory Server password
policies, access authorization, and crypted hashes.

%prep
# Unpack Source0 into a freshly created build directory and Source1 next to it.
%setup -q -c -a 1
# Keep a copy of each tree's sample ldap.conf under a distinct name.
cp nss_ldap-%{version}/ldap.conf ldap.conf.nss_ldap
cp pam_ldap-%{pam_ldap_version}/ldap.conf ldap.conf.pam_ldap
# pam_ldap is given nss_ldap's copies of the resolver and snprintf sources.
cp nss_ldap-%{version}/resolve.c pam_ldap-%{pam_ldap_version}/
cp nss_ldap-%{version}/resolve.h pam_ldap-%{pam_ldap_version}/
cp nss_ldap-%{version}/snprintf.c pam_ldap-%{pam_ldap_version}/
cp nss_ldap-%{version}/snprintf.h pam_ldap-%{pam_ldap_version}/

# Patches for the nss_ldap tree.  Each keeps a backup with the given suffix;
# note that patch 21 is applied with a different strip level (-p2).
pushd nss_ldap-%{version}
%patch2 -p1 -b .parse
%patch5 -p1 -b .mock64
%patch8 -p1 -b .resolver
%patch13 -p1 -b .slash
%patch14 -p1 -b .port
%patch15 -p1 -b .pthread_atfork
%patch16 -p1 -b .groupsize
%patch17 -p1 -b .sigpipe_atfork
%patch18 -p1 -b .netgroups
%patch19 -p1 -b .fix_fdleak
%patch20 -p1 -b .ent_internal
%patch21 -p2 -b .bind_timelimit
%patch22 -p1 -b .sigmask
%patch23 -p1 -b .checkcase
%patch24 -p1 -b .depth
%patch25 -p1 -b .configerr
%patch26 -p1 -b .errnop
%patch27 -p1 -b .leak
%patch30 -p1 -b .child
%patch31 -p1 -b .fix-uninit
%patch33 -p1 -b .padl-bug-418
%patch34 -p1 -b .erange
%patch35 -p1 -b .skipmembers
%patch36 -p1 -b .getent-disconnect
%patch37 -p1 -b .double-ldap_msgfree
# Regenerate the autotools output after patching.
autoreconf
popd

pushd pam_ldap-%{pam_ldap_version}
# Patches for the pam_ldap tree; each keeps a backup with the given suffix.
# Patch 38 is presumably the 253-42 change that always requires authentication
# when an expired password is being changed (#667758) -- matched by name only.
%patch0 -p1 -b .dnsconfig
%patch3 -p1 -b .install-perms
%patch4 -p1 -b .bind
%patch1 -p1 -b .local_users
%patch7 -p1 -b .manpointer
%patch9 -p1 -b .referral-passwd
%patch10 -p1 -b .referral-passwd2
%patch11 -p1 -b .exop-modify
%patch12 -p1 -b .rebind_control
%patch29 -p1 -b .expiration4
%patch32 -p1 -b .fix-tls-memleak
%patch38 -p1 -b .authenticateOnChangeExpiredAuthtok
# Regenerate the autotools output after patching.
autoreconf
popd

rm -f pam.d/*.pam_console

# Copy each tree's documentation to a name that says which tree it came from,
# so both sets can be shipped side by side as doc files.
cp nss_ldap-%{version}/ANNOUNCE ANNOUNCE.nss_ldap
cp nss_ldap-%{version}/AUTHORS AUTHORS.nss_ldap
cp nss_ldap-%{version}/ChangeLog ChangeLog.nss_ldap
cp nss_ldap-%{version}/COPYING COPYING.nss_ldap
cp nss_ldap-%{version}/NEWS NEWS.nss_ldap
cp nss_ldap-%{version}/README README.nss_ldap
cp nss_ldap-%{version}/nsswitch.ldap nsswitch.ldap
cp pam_ldap-%{pam_ldap_version}/AUTHORS AUTHORS.pam_ldap
cp pam_ldap-%{pam_ldap_version}/ChangeLog ChangeLog.pam_ldap
cp pam_ldap-%{pam_ldap_version}/COPYING COPYING.pam_ldap
cp pam_ldap-%{pam_ldap_version}/COPYING.LIB COPYING.LIB.pam_ldap
cp pam_ldap-%{pam_ldap_version}/NEWS NEWS.pam_ldap
cp pam_ldap-%{pam_ldap_version}/README README.pam_ldap

# Replace the bundled config.sub and config.guess with the build host's libtool
# copies, wherever this libtool version keeps them.
if test -d %{_datadir}/libtool/config ; then
	ltconfigdir=%{_datadir}/libtool/config
else
	ltconfigdir=%{_datadir}/libtool
fi
cp ${ltconfigdir}/config.{sub,guess} nss_ldap-%{version}/
cp ${ltconfigdir}/config.{sub,guess} pam_ldap-%{pam_ldap_version}/

%build
# We're building modules here, so make sure -fPIC is always used.
# -fno-strict-aliasing was added mainly for pam_ldap, per the 253-14 changelog
# entry (#455285).
CFLAGS="$RPM_OPT_FLAGS -fPIC -fno-strict-aliasing"; export CFLAGS

# Build pam_ldap.
pushd pam_ldap-%{pam_ldap_version}
%configure --libdir=/%{_lib}
make %{?_smp_mflags}
# Relink using the version script and the -z nodelete flag.
# Per the 253-34 changelog entry, nodelete keeps memory allocated by library
# dependencies from leaking at unload in applications that call PAM many times
# over (#511238).
rm pam_ldap.so
make pam_ldap_so_LDFLAGS="-shared -Wl,-z,nodelete -Wl,--version-script=$RPM_SOURCE_DIR/pam_ldap.versions"
popd

# Figure out which version of the OpenLDAP libraries we're built with, and
# from that determine with which SASL library it is that we need to link.
# The helper is compiled against libldap and run; its output selects the SASL
# library.  Anything that does not match 200?? falls through to sasl2.
%{__cc} -o version $RPM_OPT_FLAGS $RPM_SOURCE_DIR/version.c -lldap
case `./version` in
200??)
	libsasl=sasl
	;;
201??|*)
	libsasl=sasl2
	;;
esac

# Build nss_ldap, linking statically with libraries which live outside of /lib
# so that systems on which /usr is on a different partition can umount /usr
# properly at shutdown-time.
# NOTE(review): everything in STATICLIBS (LDAP, SASL, OpenSSL, Kerberos, zlib)
# is requested between -Bstatic and -Bdynamic, so the module carries its own
# copies; a security fix in any of those libraries reaches nss_ldap only when
# this package is rebuilt.  The 253-38 changelog entry is one instance of that.
pushd nss_ldap-%{version}
LDAPLIBS="-lldap -llber -l${libsasl} -lldap -llber -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lk5crypto -lkrb5support -lz"
STATICLIBS="$LDAPLIBS"
SHAREDLIBS=" -lkeyutils -ldl -lselinux -lresolv -lpthread_nonshared -lc"
# This is ugly, but if libcom_err is in / and not in /usr, then we want to link
# dynamically.  Otherwise, we need to link statically with libcom_err.
if test -r /usr/kerberos/%{_lib}/libcom_err.a ; then
	LIBS="-L/usr/kerberos/%{_lib} -Wl,-Bstatic $STATICLIBS -lcom_err -Wl,-Bdynamic $SHAREDLIBS"
else
	LIBS="-L/usr/kerberos/%{_lib} -Wl,-Bstatic $STATICLIBS -Wl,-Bdynamic -lcom_err $SHAREDLIBS"
fi
# Prefer a private OpenLDAP build if one is installed under the library
# directory (see the 232-2 changelog entry).
if test -r %{_libdir}/nss_ldap-openldap ; then
	CFLAGS="-I%{_libdir}/nss_ldap-openldap/include $CFLAGS"
	CPPFLAGS="-I%{_libdir}/nss_ldap-openldap/include $CPPFLAGS"
	LIBS="-L%{_libdir}/nss_ldap-openldap/%{_lib} $LIBS"
fi
export LIBS
%configure \
	--libdir=/%{_lib} \
	--enable-rfc2307bis \
	--enable-configurable-krb5-ccname-gssapi
make %{?_smp_mflags}
# Relink using the version script, pulling in the needed libraries statically,
# forcing the soname, and adding the -z nodelete flag.
rm nss_ldap.so
make LIBS="$LIBS" nss_ldap_so_LDFLAGS="-shared -Wl,-z,nodelete -Wl,--version-script=$RPM_SOURCE_DIR/nss_ldap.versions -Wl,-soname=libnss_ldap.so.2"
popd

# Check that the modules are actually loadable.
# (The changelog notes this makes the build fail if they cannot be loaded.)
$RPM_SOURCE_DIR/dlopen.sh ./nss_ldap-%{version}/nss_ldap.so
$RPM_SOURCE_DIR/dlopen.sh -lpam ./pam_ldap-%{pam_ldap_version}/pam_ldap.so

%install
# Start from an empty build root, refusing to remove "/".
# NOTE(review): the expansion passed to rm -rf is unquoted; a build root path
# containing whitespace would be split into several arguments.
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/{etc,%{_lib}/security,%{_libdir}}

# Let the nss_ldap install target do its thing.
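# libcver is the version suffix of the build host's libnss_files-<version>.so;
# it is passed to the install target and reused in the module's file name.
libcver=`basename /%{_lib}/libnss_files-*.so .so | tail -n 1 | cut -f2 -d-`
make -C nss_ldap-%{version} install \
	DESTDIR=$RPM_BUILD_ROOT \
	INST_UID=`id -un` INST_GID=`id -gn` \
	LIBC_VERS=$libcver

# Install the nsswitch module in a fashion similar to those which are part of
# glibc.  This should let us know if the version of glibc which nss_ldap was
# built against is different from the installed version, even if that's not
# always useful.  NOTE: the name is otherwise purely cosmetic, as glibc finds
# the module using its soname.
install -m755 nss_ldap-%{version}/nss_ldap.so \
	$RPM_BUILD_ROOT/%{_lib}/libnss_ldap-${libcver}.so

# Create a relative symlink from libdir to /%{_lib}.
# A marker file at the top of the build root is used to count how many ".."
# components are needed to get from libdir back to the root.
install -m755 -d $RPM_BUILD_ROOT/%{_libdir}
touch $RPM_BUILD_ROOT/rootfile
root=..
while [ ! -e $RPM_BUILD_ROOT/%{_libdir}/${root}/rootfile ] ; do
	root=${root}/..
done
pushd $RPM_BUILD_ROOT/%{_libdir}
ln -s ${root}/%{_lib}/libnss_ldap.so.? libnss_ldap.so
popd
rm $RPM_BUILD_ROOT/rootfile

# Install the module for PAM.
pushd pam_ldap-%{pam_ldap_version}
make install DESTDIR=$RPM_BUILD_ROOT
# Install the default configuration file, but change the search bases to
# something generic to avoid overloading padl.com servers and to match
# good practice when using DNS domains in example configurations.
# NOTE(review): the file is installed world-readable (0644, here and in the
# files list), so a bind password (bindpw) stored in it is readable by every
# local user.
sed 's|dc=padl|dc=example|g' ldap.conf > $RPM_BUILD_ROOT/etc/ldap.conf
chmod 644 $RPM_BUILD_ROOT/etc/ldap.conf
popd

# Remove a doc file from /etc; we'll include it as a %%doc file.
rm $RPM_BUILD_ROOT/etc/nsswitch.ldap

# Remove soname links which are redundant.
rm -f $RPM_BUILD_ROOT/%{_libdir}/libnss_ldap.so.?

%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

%post
/sbin/ldconfig
# Fix a logic mismatch between what the version of authconfig in RHL 7.2 would
# generate and this version of pam_ldap.
if grep -q '^account required /lib/security/pam_ldap.so$' /etc/pam.d/system-auth ; then
	newfile=`mktemp /etc/pam.d/system-auth-XXXXXX`
	if [ -n "$newfile" ] ; then
		# Build the rewritten stack in the temporary file first.  The live
		# file is only overwritten once sed has succeeded and produced
		# non-empty output, so a failed edit can no longer leave the shared
		# PAM stack truncated.
		if sed 's,account required /lib/security/pam_ldap.so,account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so,g' /etc/pam.d/system-auth > "$newfile" && [ -s "$newfile" ] ; then
			# Copy the contents back in place rather than renaming over the
			# file, so the existing file (or symlink) keeps its owner, mode
			# and security label.
			cat "$newfile" > /etc/pam.d/system-auth
		fi
		rm -f "$newfile"
	fi
fi

%postun -p /sbin/ldconfig

%files
%defattr(-,root,root)
%attr(0755,root,root) /%{_lib}/libnss_ldap-*.so
%attr(0755,root,root) /%{_lib}/libnss_ldap.so.?
%attr(0755,root,root) /%{_lib}/security/*.so*
%attr(0755,root,root) %{_libdir}/libnss_ldap.so
%attr(0644,root,root) %{_mandir}/man5/*.5*
# Packaged world-readable and marked config(noreplace), so an administrator's
# edited copy is kept on upgrade.
%attr(0644,root,root) %config(noreplace) /etc/ldap.conf
%doc nsswitch.ldap *.nss_ldap *.pam_ldap pam_ldap-%{pam_ldap_version}/pam.d $RPM_SOURCE_DIR/README.TLS
%doc pam_ldap-%{pam_ldap_version}/ldapns.schema

%changelog
* Thu Mar 17 2011 Nalin Dahyabhai <nalin@redhat.com> - 253-42
- add Ross Tyler's patch to always require authentication during password
  change requests for expired passwords, so that modules which check password
  quality (pam_cracklib) will always have the old password on-hand to examine
  as well (#667758)

* Mon Mar 14 2011 Nalin Dahyabhai <nalin@redhat.com> - 253-41
- backport fixes for upstream #350 (parsing results when the connection is
  gone) and #351 (double-free of message chain) (#684889)

* Thu Mar 10 2011 Nalin Dahyabhai <nalin@redhat.com> - 253-40
- return any non-success errors in setnetgrent(), not just netgroup-not-found
  errors (#664609, more of #445972)

* Thu Mar 10 2011 Nalin Dahyabhai <nalin@redhat.com> - 253-39
- add backport of the "nss_getgrent_skipmembers" option (via Masahiro Matsuya,
  #646329)

* Wed Mar 9 2011 Nalin Dahyabhai <nalin@redhat.com> - 253-38
- add a build-time requirement on a sufficiently-new openssl-devel to ensure
  that we get SHA-2 hashes when we're using TLS, because we still static-link
  the nss_ldap module (#683349)

* Thu Dec 9 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-37
- add proposed patch for upstream #421: sometimes errno gets reset before we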
return control to libc (#661630) * Thu Dec 9 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-36 - tweak patch for postponing the connection drop in a newly-forked child until we're first called so that it doesn't try to close sockets which we just assumed were our own (more of #474181) * Thu Dec 2 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-35 - don't unconditionaly set up a new LDAP structure every time we try to read someone's supplemental groups list, regardless of whether or not we did so previously, and clean the connection up completely if we fail to get a response or parse it (#654650, from upstream #418 and #392 via Olivier Fourdan) * Wed Dec 1 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-34 - link nss_ldap and pam_ldap with -z nodelete so that memory allocated by library dependencies which is lost at unload doesn't leak, for the sake of applications which call PAM for authentication many times over (Mark Goodwin, #511238) - fix some memory leaks in pam_ldap (upstream #326,#333, part of #511238) - fix an uninitialized variable error (Mark Goodwin, part of #511238) * Thu Sep 23 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-33 - drop patch for #546151, not needed after all - tweak the patch for #537358 a bit * Tue Sep 21 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-32 - add revised testing patch to postpone the connection drop in a newly-forked child until we're first called (#474181) * Thu Aug 5 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-31 - add testing patch to postpone the connection drop in a newly-forked child until we're first called (#474181) * Fri Jul 30 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-30 - report the remaining life of soon-to-be-expired passwords with granularity in hours, if possible (Masahiro Matsuya, #537358) * Fri Jul 30 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-29 - when the user's password has expired, come right out and say it (Masahiro Matsuya, #546151) * Mon Jul 12 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-28 - 
set close-on-exec on the dummy socket created in the child atfork() (#500397) * Mon Jul 12 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-27 - pull in backported fix for upstream #378, which returns NETDB_INTERNAL in h_errno in cases when nss_ldap's run out of space in the supplied buffer and libc provided us with an h_errno variable to set for it to also check (Jason Luo, #468807) * Thu Jun 10 2010 Nalin Dahyabhai <nalin@redhat.com> - 253-26 - pull in fix for upstream #313, which returns a clean error when we've failed to parse our configuration correctly, in this case due either to a larger-than-handled nss_initgroups_ignoreusers setting (#584157) or the lack of any servers being configured (#538498) * Fri Dec 11 2009 Nalin Dahyabhai <nalin@redhat.com> - 253-25 - avoid deadlock when one of our lookups recurses into our own host resolution routine, which would otherwise cause a deadlock or a crash (#448883) - provisionally add an "nss_check_case" option which, when enabled, will ignore entries for which the result didn't case-exact match the query, regardless of the comparison performed by the directory (#508621,#518911) * Thu Dec 10 2009 Nalin Dahyabhai <nalin@redhat.com> - 253-24 - update build dependency on openldap to 2.3.43-7 to get fixes for referral chasing (#510522) which affected nss_ldap (#472920) * Wed Dec 9 2009 Nalin Dahyabhai <nalin@redhat.com> - 253-23 - unblock SIGPIPE while closing the connection in the child's part of atfork(), so that it can get delivered before we reset the signal handler (#454315) * Tue Sep 29 2009 Nalin Dahyabhai <nalin@redhat.com> - 253-22 - add patch to not assume we got a result for our start_tls request within the bind timelimit (Jatin Nansi, #499302) * Tue May 26 2009 Nalin Dahyabhai <nalin@redhat.com> - 253-21 - drop build requirement and explicit link with fipscheck (#502593) * Tue May 19 2009 Nalin Dahyabhai <nalin@redhat.com> - 253-20 - re-enable patch for #457258, accidentally disabled for previous build * Tue May 19 
2009 Nalin Dahyabhai <nalin@redhat.com> - 253-19 - don't close a oneshot connection while we're in the middle of answering a specific query (#488857) * Tue May 5 2009 Nalin Dahyabhai <nalin@redhat.com> - 253-18 - turn the default for paged results back off (#486321) - pull in fix for leaking descriptors from version 255 (#428837) - replace our proposed patch for being stricter about malformed entries with the version upstream went with, and start applying it (#457258) * Thu Oct 16 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-17 - add buildrequirement on fipscheck-devel * Tue Oct 6 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-16 - add nscd,gdm to the default list of nss_initgroups_ignoreusers (#466526) * Thu Aug 28 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-15 - build nss_ldap with --enable-paged-results (#444185) - add patch to make netgroup enumeration fail due to lack of entries in setnetgrent(), rather than in getnetgrent(), to match how other mechanisms work (Jose Plans, #445972) * Mon Jul 14 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-14 - build with -fno-strict-aliasing, mainly for pam_ldap (internal toolset, #455285) * Mon Jul 7 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-13 - block SIGPIPE in the atfork handler, so that it doesn't trip up when attempting to drop a connection to the server (#448014) * Mon Apr 28 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-12 - rebuild * Thu Apr 24 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-11 - backport changes to group parsing from version 254 to fix heap corruption when parsing nested groups (#444031) * Fri Jan 18 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-10 - remove unnecessary nss_ldap linkage to libnsl (part of #427370) * Thu Jan 3 2008 Nalin Dahyabhai <nalin@redhat.com> - 253-9 - rebuild * Tue Nov 13 2007 Nalin Dahyabhai <nalin@redhat.com> - 253-8 - incorporate Tomas Janousek's fix to prevent re-use of connections across fork() (#252337) * Fri Nov 2 2007 Nalin Dahyabhai <nalin@redhat.com> - 253-7 - 
add keyutils-libs-devel and libselinux-devel as a buildrequires: in order to static link with newer Kerberos (#427370) * Fri Nov 2 2007 Nalin Dahyabhai <nalin@redhat.com> - 253-6 - suppress password-expired errors encountered during referral chases during modify requests (#335661) - interpret server-supplied policy controls when chasing referrals, so that we don't give up when following a referral for a password change after reset (#335661) - don't attempt to change the password using ldap_modify if the password change mode is "exop_send_old" (we already didn't for "exop") (#364501) - don't drop the supplied password if the directory server indicates that the password needs to be changed because it's just been reset: we may need it to chase a referral later (#335661) - correctly detect libresolv and build a URI using discovered settings, so that server discovery can work again (#254172) - honor the "port" setting again by correctly detecting when a URI doesn't already specify one (#326351) * Thu Jul 5 2007 Nalin Dahyabhai <nalin@redhat.com> - 253-5 - drop unnecessary patch for #246541 * Tue Jul 3 2007 Nalin Dahyabhai <nalin@redhat.com> - 253-4 - add dbus,radvd,tomcat,radiusd,news,mailman to the default list of nss_initgroups_ignoreusers (#243753) * Tue Jul 3 2007 Nalin Dahyabhai <nalin@redhat.com> - resize the supplemental GID array when it gets too large and an array size limit isn't set (Gavin Romig-Koch, #246541) * Mon Nov 20 2006 Nalin Dahyabhai <nalin@redhat.com> - 253-3 - rebuild * Mon Nov 20 2006 Nalin Dahyabhai <nalin@redhat.com> - 253-2 - update to pam_ldap 183, resolving CVE-2006-5170 (#216421) * Fri Sep 22 2006 Nalin Dahyabhai <nalin@redhat.com> - 253-1 - update to 253 - closes a crasher when glibc's initgroups backend passes in a zero-length, NULL buffer to start - includes lookup_nssldap updates for autofs * Tue Sep 12 2006 Nalin Dahyabhai <nalin@redhat.com> - 251-2 - configure with --enable-configurable-krb5-ccname-gssapi instead of 
--enable-configurable-krb5-ccname, the latter of which doesn't actually do anything (Howard Wilkinson) * Thu Aug 3 2006 Nalin Dahyabhai <nalin@redhat.com> - 251-1 - update to 251 * Tue Jul 25 2006 Nalin Dahyabhai <nalin@redhat.com> - 250-6 - note the location of the man pages in /etc/ldap.conf (part of #146815) * Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 250-5.1 - rebuild * Tue May 16 2006 Nalin Dahyabhai <nalin@redhat.com> - 250-5 - adjust nss_ldap's makefile rule to more correctly deduce the right soversion for nsswitch modules (#191927) * Mon May 8 2006 Nalin Dahyabhai <nalin@redhat.com> - 250-4 - update the list of local users to include named,avahi,haldaemon (from #186527) * Tue May 2 2006 Nalin Dahyabhai <nalin@redhat.com> - 250-3 - update to pam_ldap 182 * Mon May 1 2006 Nalin Dahyabhai <nalin@redhat.com> - 250-2 - update to pam_ldap 181 - fix syntax error in pam_ldap.c (upstream #269) * Thu Apr 27 2006 Nalin Dahyabhai <nalin@redhat.com> - 250-1 - update to 250 - configure default time limits for binding/searching/idling * Fri Feb 24 2006 Nalin Dahyabhai <nalin@redhat.com> - 249-1 - update to 249, which incorporates the fix for #182464 * Thu Feb 23 2006 Nalin Dahyabhai <nalin@redhat.com> - 248-3 - fix deadlock in initgroups() (#182464, upstream #255) * Mon Feb 13 2006 Jesse Keating <jkeating@redhat.com> - 248-2.2 - rebump for build order issues during double-long bump * Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 248-2.1 - bump again for double-long bug on ppc(64) * Thu Feb 9 2006 Nalin Dahyabhai <nalin@redhat.com> - 248-2 - set "nss_initgroups_ignoreusers root,ldap" in the default configuration file, so that nss_ldap will assume that there are no supplemental groups for this user to be found in the directory server (#180657) * Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 248-1.1 - rebuilt for new gcc4.1 snapshot and glibc changes * Wed Jan 25 2006 Nalin Dahyabhai <nalin@redhat.com> 248-1 - update to nss_ldap 248 * Tue Jan 24 
2006 Nalin Dahyabhai <nalin@redhat.com> 246-1 - update to nss_ldap 246 * Wed Jan 11 2006 Nalin Dahyabhai <nalin@redhat.com> 245-1 - update to nss_ldap 245 - add patch from upcoming 246 release to change the placeholder used when userPassword is unreadable from "x" to "*" (upstream #240) * Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com> - rebuilt * Mon Nov 21 2005 Nalin Dahyabhai <nalin@redhat.com> 244-2 - rebuild with new libldap and friends (#173794) * Thu Oct 27 2005 Nalin Dahyabhai <nalin@redhat.com> 244-1 - update to nss_ldap 244 * Tue Oct 4 2005 Nalin Dahyabhai <nalin@redhat.com> 243-1 - update to nss_ldap 243 * Wed Sep 28 2005 Nalin Dahyabhai <nalin@redhat.com> 242-2 - own the symlink for the module's soname (#169288) * Tue Sep 27 2005 Nalin Dahyabhai <nalin@redhat.com> 242-1 - update to nss_ldap 242 * Mon Sep 12 2005 Nalin Dahyabhai <nalin@redhat.com> 241-1 - update to nss_ldap 241 * Thu Sep 7 2005 Nalin Dahyabhai <nalin@redhat.com> 240-2 - install the pam_ldap man page (part of #167764) * Wed Aug 31 2005 Nalin Dahyabhai <nalin@redhat.com> 240-1 - update to nss_ldap 240 * Wed Aug 17 2005 Nalin Dahyabhai <nalin@redhat.com> 239-1 - update to nss_ldap 239 - provide a libnss_ldap.so link for directly linking with nss_ldap, as glibc does for the modules it provides * Wed Aug 17 2005 Nalin Dahyabhai <nalin@redhat.com> 234-6 - rebuild * Wed Aug 17 2005 Nalin Dahyabhai <nalin@redhat.com> 234-5 - update to pam_ldap 180 to get fix for vulnerability from parsing password policy controls which don't contain error numbers (#166164, CAN-2005-2497) * Fri May 20 2005 Nalin Dahyabhai <nalin@redhat.com> 234-4 - override glibc version detection so that mismatches between the versions of 32- and 64-bit glibc don't result in our %%install installing the module with a different name than the 'make install' target uses * Fri May 20 2005 Nalin Dahyabhai <nalin@redhat.com> 234-3 - fix type mismatch bug in patch for using non-blocking start_tls in preference to the blocking 
version when it's available (#156582) * Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 234-2 - rebuild * Mon Feb 28 2005 Nalin Dahyabhai <nalin@redhat.com> 234-1 - update to nss_ldap 234 - configure with --enable-configurable-krb5-ccname * Wed Feb 2 2005 Nalin Dahyabhai <nalin@redhat.com> 232-2 - prefer using libraries in %{_libdir}/nss_ldap-openldap if we find any - use ldap_start_tls in preference to ldap_start_tls_s, if found, so that we can time out if the server has gone catatonic * Mon Jan 24 2005 Nalin Dahyabhai <nalin@redhat.com> 232-1 - update to version 232 * Fri Dec 31 2004 Nalin Dahyabhai <nalin@redhat.com> 227-1 - update to version 227 - force nss_ldap to mimic pam_ldap's behavior when the tls_checkpeer setting is unconfigured in ldap.conf * Fri Dec 31 2004 Nalin Dahyabhai <nalin@redhat.com> 226-3 - fix misleading doc comment in /etc/ldap.conf -- the checkpeer setting follows libldap's default, which is dependent on the version of OpenLDAP which which this package is linked (part of #143622) * Thu Oct 28 2004 Nalin Dahyabhai <nalin@redhat.com> 226-2 - rebuild * Thu Oct 28 2004 Nalin Dahyabhai <nalin@redhat.com> 226-1 - update to nss_ldap 226, pam_ldap 176 - rework pam_ldap dns autoconfig patch - require automake instead of automake15, because autoreconf uses the current version (#129877) * Tue Aug 31 2004 Nalin Dahyabhai <nalin@redhat.com> 220-3 - rebuild * Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com> - rebuilt * Mon Jun 7 2004 Nalin Dahyabhai <nalin@redhat.com> 220-1 - update to 220, pam_ldap 169 * Thu Apr 15 2004 Nalin Dahyabhai <nalin@redhat.com> - fail at build-time if the modules produced can't be loaded - fix missing module in pam_ldap build * Thu Mar 25 2004 Nalin Dahyabhai <nalin@redhat.com> 217-1 - include patch to set errno to ENOENT when returning NSS_STATUS_NOTFOUND to glibc * Tue Mar 23 2004 Nalin Dahyabhai <nalin@redhat.com> - update to 217 * Wed Mar 10 2004 Nalin Dahyabhai <nalin@redhat.com> 212-1 - update to 212, pam_ldap 167 - 
link nss_ldap with libgssapi_krb5, the static libsasl2 includes the gssapi mech, at least for now, and we pick up its unresolved symbols at link-time - fix out-of-bounds error at initialization-time (part of #101269) - include pam_ldap's authorization schema files for slapd as a doc file * Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> - rebuilt * Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> - rebuilt * Tue Nov 25 2003 Nalin Dahyabhai <nalin@redhat.com> 207-6 - rebuild * Thu Nov 20 2003 Nalin Dahyabhai <nalin@redhat.com> 207-5 - fix objectclass and attribute mapping, which failed due to uninitialized fields in mapping index structures, fixed upstream in 210 (#110547) * Mon Nov 10 2003 Nalin Dahyabhai <nalin@redhat.com> 207-4 - link with the proper libsasl (1 or 2) for the version of OpenLDAP we are linking with (#106801) * Thu Aug 14 2003 Nalin Dahyabhai <nalin@redhat.com> 207-3 - link dynamically with libcom_err if it isn't in /usr/kerberos/%{_lib} (which we assume means that it's in /%{_lib}) * Wed Aug 13 2003 Nalin Dahyabhai <nalin@redhat.com> 207-2 - relax openldap-devel buildreq to 2.0.27 * Thu Jun 5 2003 Nalin Dahyabhai <nalin@redhat.com> 207-1 - update to build with newer OpenLDAP - add README.TLS to remind people that in order for TLS support to be usable, the server's certificate has to pass validation checks made by the client * Sun Mar 09 2003 Florian La Roche <Florian.LaRoche@redhat.de> - move pam into /lib64/security directory * Wed Jan 22 2003 Tim Powers <timp@redhat.com> - rebuilt * Wed Jan 15 2003 Nalin Dahyabhai <nalin@redhat.com> 202-4 - rework static link order to account for libssl requiring libkrb5 - force assembly locking on %%ix86 systems - link with libz, which libssl also requires * Thu Dec 12 2002 Elliot Lee <sopwith@redhat.com> 202-3 - Fix wildcard for symlink in %%install * Thu Nov 14 2002 Nalin Dahyabhai <nalin@redhat.com> 202-2 - apply DB patches from sleepycat.com - correctly point nss_ldap at the bundled DB library - create 
/%%{_lib} instead of /lib to install into * Wed Oct 2 2002 Nalin Dahyabhai <nalin@redhat.com> 202-1 - update to nss_ldap 202, pam_ldap 153 - update DB from 4.0.14 to 4.1.24.NC - try to address multilib path changes * Tue Aug 27 2002 Nalin Dahyabhai <nalin@redhat.com> 198-3 - rebuild * Fri Aug 9 2002 Nalin Dahyabhai <nalin@redhat.com> 198-2 - handle larger-than-expected DNS responses correctly * Wed Aug 7 2002 Nalin Dahyabhai <nalin@redhat.com> 198-1 - update to nss_ldap 198, closing a possible buffer overflow in DNS autoconfig * Fri Jul 19 2002 Nalin Dahyabhai <nalin@redhat.com> 197-1 - update to nss_ldap 197, pam_ldap 150 * Fri Jun 21 2002 Tim Powers <timp@redhat.com> - automated rebuild * Mon Jun 10 2002 Nalin Dahyabhai <nalin@redhat.com> 194-1 - update to nss_ldap 194, pam_ldap 148 * Sun May 26 2002 Tim Powers <timp@redhat.com> - automated rebuild * Mon May 20 2002 Nalin Dahyabhai <nalin@redhat.com> 189-3 - rebuild in new environment * Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 189-2 - build for RHL 7.2/7.3 * Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 189-1.7 - build for RHL 7/7.1 * Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 189-1.6 - fix up logic generated by authconfig from RHL 7.2 in %%post - build for RHL 6.x * Wed May 15 2002 Nalin Dahyabhai <nalin@redhat.com> - the triggerun should be a trigger postun * Tue May 7 2002 Nalin Dahyabhai <nalin@redhat.com> 189-1 - rebuild for RHL 7.2/7.3 * Tue May 7 2002 Nalin Dahyabhai <nalin@redhat.com> 189-0.7 - rebuild for RHL 7/7.1 * Tue May 7 2002 Nalin Dahyabhai <nalin@redhat.com> 189-0.6 - update to nss_ldap 189, pam_ldap 145 * Tue May 7 2002 Nalin Dahyabhai <nalin@redhat.com> 188-1 - rebuild for RHL 7.2/7.3 * Tue May 7 2002 Nalin Dahyabhai <nalin@redhat.com> 188-0.7 - rebuild for RHL 7/7.1 * Tue May 7 2002 Nalin Dahyabhai <nalin@redhat.com> 188-0.6 - rebuild for RHL 6.2 - change dependency on pam-devel to /usr/include/security/pam_modules.h - drop build deps on cyrus-sasl-devel and openldap >= 
2.x - modify pam_ldap versions file so that binutils from RHL 6.2 can parse it - update to nss_ldap 188 - update to pam_ldap 144 * Fri Apr 5 2002 Nalin Dahyabhai <nalin@redhat.com> 185-1 - update to nss_ldap 185 - update to pam_ldap 140 * Thu Feb 28 2002 Nalin Dahyabhai <nalin@redhat.com> 184-1 - update to pam_ldap 138 - enable rfc2307bis schema support - version the pam_ldap module - add the proper soname to the nss_ldap module and remove the symlink - add a trigger to run ldconfig again when an upgrade removes the symlink, which used to be in this package (doh!) - fix the symlink from %%{_libdir} to the module (for linking directly to it) * Thu Feb 14 2002 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 184, pam_ldap 137 * Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 181-1 - update to nss_ldap 181, pam_ldap 136 * Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com> 175-1 - update to nss_ldap 175, pam_ldap 135 * Tue Nov 27 2001 Nalin Dahyabhai <nalin@redhat.com> 174-1 - update to nss_ldap 174 * Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 173-3 - update to pam_ldap 134 * Wed Oct 31 2001 Nalin Dahyabhai <nalin@redhat.com> 173-2 - build nss_ldap with --enable-schema-mapping * Mon Oct 29 2001 Nalin Dahyabhai <nalin@redhat.com> 173-1 - update to nss_ldap 173, which includes doc updates - update to pam_ldap 133, which simplifies the dnsconfig patch quite a bit * Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> - update to pam_ldap 125, making checking of host attributes configurable * Fri Aug 31 2001 Nalin Dahyabhai <nalin@redhat.com> - link statically with libldap again, because libldap is linked with other shared libraries now (keeping us from having files in /usr open when we go to shut the system down) * Thu Aug 30 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 172, fixing schema mapping code - update to pam_ldap 124, incorporating TLS default option and doc fixes * Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com> - update to 
nss_ldap 167, adding support for rebinds * Tue Jul 24 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 164, fixing the timeout problem correctly - update to pam_ldap 122, fixing escaping of user name in filters * Thu Jul 12 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 163, fixing the timeout problem - update to pam_ldap 120 - add gdbm-devel as a buildprereq, because we list it in $LIBS (#48999) - add db3-devel as a buildprereq (#48999) - add pam-devel as a buildprereq (#48999) * Tue Jul 10 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 161 - attempt to fix hangs when no timeout is specified, or the timeout is 0 * Mon Jul 9 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 160, pam_ldap 119 * Thu Jun 28 2001 Nalin Dahyabhai <nalin@redhat.com> - patch cleanups * Tue Jun 26 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 159, pam_ldap 118 * Tue Jun 19 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 153, pam_ldap 117 * Tue May 29 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 152, pam_ldap 111 * Mon May 21 2001 Nalin Dahyabhai <nalin@redhat.com> - update to pam_ldap 108 * Wed Apr 25 2001 Nalin Dahyabhai <nalin@redhat.com> - update to pam_ldap 107 * Thu Apr 19 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 150 (incorporates the fail patch) - update to pam_ldap 106 * Wed Mar 7 2001 Nalin Dahyabhai <nalin@redhat.com> - make nss_ldap fail when attempting to startup TLS fails, because that's what we do when LDAPS doesn't work (and what pam_ldap does already) - add DNS autoconfiguration to pam_ldap * Tue Mar 6 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 149, minor fixes for compile glitches - update to pam_ldap 105, minor fixes (as above) and handles shadow expiration * Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com> - rebuild in new environment * Wed Feb 28 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 146 to get a faster initgroups() 
back-end * Mon Feb 12 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 143 to get the official fix for the heap corruption * Fri Feb 9 2001 Nalin Dahyabhai <nalin@redhat.com> - fix heap corruption when falling back to DNS SRV records for configuration * Mon Feb 5 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 142, fixes a memory leak * Mon Jan 29 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 140, fixes a configure bug and an alignment problem * Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 139 * Mon Jan 15 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 138, which folds in our patch for initgroups - change the default search base in ldap.conf to dc=example,dc=com * Wed Jan 10 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 137 and pam_ldap 99 - try to not cause a segfault in _nss_ldap_initgroups * Wed Jan 3 2001 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 124 and pam_ldap 82 * Thu Dec 28 2000 Nalin Dahyabhai <nalin@redhat.com> - add a requires: for nscd * Thu Dec 14 2000 Nalin Dahyabhai <nalin@redhat.com> - version the NSS module so that it works properly with programs which have been linked statically to a different version of an LDAP library, like Netscape Communicator * Wed Dec 6 2000 Nalin Dahyabhai <nalin@redhat.com> - BuildPrereq gdbm-devel - pass RPM_OPT_FLAGS as CFLAGS to %%configure - if protocol version is 2, explicitly set protocol version to 3 before trying to start TLS - add STARTTLS support to nss_ldap - work around a build-time problem on ia64 * Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com> - BuildPrereq cyrus-sasl-devel instead of cyrus-sasl * Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 123 and pam_ldap 82 * Fri Oct 27 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 122 - link statically with libsasl, require the first devel package that supplied it * Thu Oct 19 2000 Nalin Dahyabhai <nalin@redhat.com> 
- update to nss_ldap 120 and pam_ldap 77 * Wed Oct 4 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 116 and pam_ldap 74 * Fri Sep 7 2000 Nalin Dahyabhai <nalin@redhat.com> - rebuild in new environment * Thu Jul 27 2000 Nalin Dahyabhai <nalin@redhat.com> - update to pam_ldap 67 to fix a bug in template user code - convert symlink in /usr/lib to a relative one (#16132) * Thu Jul 27 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 113 and pam_ldap 66 * Wed Jul 12 2000 Prospector <bugzilla@redhat.com> - automatic rebuild * Tue Jun 27 2000 Matt Wilson <msw@redhat.com> - changed all the -,- in attr statements to root,root * Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com> - update pam_ldap to 63 * Wed May 31 2000 Nalin Dahyabhai <nalin@redhat.com> - update pam_ldap to 56 * Tue May 30 2000 Nalin Dahyabhai <nalin@redhat.com> - update pam_ldap to 55 - back out no-threads patch for pam_ldap, not needed any more * Thu May 25 2000 Nalin Dahyabhai <nalin@redhat.com> - update to 110 - revert prototype patch, looks like a problem with the new glibc after all * Fri May 19 2000 Nalin Dahyabhai <nalin@redhat.com> - get libpthread out of the NSS module - fix prototype problems in getpwXXX() * Mon May 15 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 109 * Sat Apr 29 2000 Nalin Dahyabhai <nalin@redhat.com> - update to pam_ldap 51 * Tue Apr 25 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 108 and pam_ldap 49 * Thu Apr 20 2000 Nalin Dahyabhai <nalin@redhat.com> - update to pam_ldap 48 * Thu Mar 30 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 107 - note: check http://www.advogato.org/person/lukeh/ for Luke's changelog * Tue Mar 21 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 106 * Wed Feb 9 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 105 * Mon Feb 7 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 104 and pam_ldap 46 - disable link against libpthread in pam_ldap * Tue Feb 1 
2000 Nalin Dahyabhai <nalin@redhat.com> - remove migration tools, because this package requires openldap now, which also includes them * Fri Jan 28 2000 Nalin Dahyabhai <nalin@redhat.com> - update to nss_ldap 103 * Mon Jan 24 2000 Preston Brown <pbrown@redhat.com> - fix typo in linuxconf-pair pam cfg file (#7800) * Tue Jan 11 2000 Preston Brown <pbrown@redhat.com> - v99, made it require pam_ldap - added perl migration tools - integrate pam_ldap stuff * Fri Oct 22 1999 Bill Nottingham <notting@redhat.com> - statically link ldap libraries (they're in /usr/lib) * Tue Aug 10 1999 Cristian Gafton <gafton@redhat.com> - use the ldap.conf file as an external source - don't forcibly build the support for version 3 - imported the default spec file from the tarball and fixed it up for RH 6.1